Connection to OpenSSH server fails via OpenVPN


Post by thece » Fri Jan 19, 2024 9:45 pm

Hi,

I can't connect to an (Open)SSH server if the SSH connection goes through an (Open)VPN connection.
The SSH connection works normally if the two hosts are on the same LAN, i.e. when the SSH connection is not encapsulated in an (Open)VPN connection.
Any idea?

TL;DR

Code:

debug1: expecting SSH2_MSG_KEX_ECDH_REPLY


Client

Code:

lsb_release -a

No LSB modules are available.
Distributor ID:	Debian
Description:	Debian GNU/Linux 12 (bookworm)
Release:	12
Codename:	bookworm

Code:

uname -a

Linux {REDACTED} 6.1.0-17-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.69-1 (2023-12-30) x86_64 GNU/Linux

Code:

dpkg -l | grep -i openvpn

ii  openvpn                                                     2.6.3-1+deb12u2                         amd64        virtual private network daemo

Code:

ip a

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute 
       valid_lft forever preferred_lft forever
2: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
    link/ether {REDACTED} brd ff:ff:ff:ff:ff:ff
    altname enp1s0
3: wlan0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether {REDACTED} brd ff:ff:ff:ff:ff:ff permaddr 74:29:af:9c:6c:25
    altname wlp2s0
5: usb0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 1000
    link/ether {REDACTED} brd ff:ff:ff:ff:ff:ff
    inet 192.168.108.251/24 brd 192.168.108.255 scope global dynamic noprefixroute usb0
       valid_lft 2141sec preferred_lft 2141sec
    inet6 fe80::609c:73da:ab56:5dee/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
7: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none 
    inet 10.0.0.2/24 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::343e:25bf:e66b:b048/64 scope link stable-privacy 
       valid_lft forever preferred_lft forever

Code:

ip r

default via 192.168.108.33 dev usb0 proto dhcp src 192.168.108.251 metric 100 
10.0.0.0/24 dev tun0 proto kernel scope link src 10.0.0.2 
169.254.0.0/16 dev usb0 scope link metric 1000 
192.168.0.0/24 via 10.0.0.1 dev tun0 
192.168.108.0/24 dev usb0 proto kernel scope link src 192.168.108.251 metric 100

Code:

nc -v 192.168.0.21 22

192.168.0.21: inverse host lookup failed: Unknown host
(UNKNOWN) [192.168.0.21] 22 (ssh) open
SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u2

Code:

ssh -vvv {REDACTED}@192.168.0.21

OpenSSH_9.2p1 Debian-2+deb12u2, OpenSSL 3.0.11 19 Sep 2023
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug2: resolve_canonicalize: hostname 192.168.0.21 is address
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/home/{REDACTED}/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/home/{REDACTED}/.ssh/known_hosts2'
debug3: ssh_connect_direct: entering
debug1: Connecting to 192.168.0.21 [192.168.0.21] port 22.
debug3: set_sock_tos: set socket 3 IP_TOS 0x10
debug1: Connection established.
debug1: identity file /home/{REDACTED}/.ssh/id_rsa type 0
debug1: identity file /home/{REDACTED}/.ssh/id_rsa-cert type -1
debug1: identity file /home/{REDACTED}/.ssh/id_ecdsa type -1
debug1: identity file /home/{REDACTED}/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/{REDACTED}/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/{REDACTED}/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/{REDACTED}/.ssh/id_ed25519 type -1
debug1: identity file /home/{REDACTED}/.ssh/id_ed25519-cert type -1
debug1: identity file /home/{REDACTED}/.ssh/id_ed25519_sk type -1
debug1: identity file /home/{REDACTED}/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/{REDACTED}/.ssh/id_xmss type -1
debug1: identity file /home/{REDACTED}/.ssh/id_xmss-cert type -1
debug1: identity file /home/{REDACTED}/.ssh/id_dsa type -1
debug1: identity file /home/{REDACTED}/.ssh/id_dsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u2
debug1: Remote protocol version 2.0, remote software version OpenSSH_9.2p1 Debian-2+deb12u2
debug1: compat_banner: match: OpenSSH_9.2p1 Debian-2+deb12u2 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to 192.168.0.21:22 as '{REDACTED}'
debug3: record_hostkey: found key type ED25519 in file /home/{REDACTED}/.ssh/known_hosts:4
debug3: record_hostkey: found key type RSA in file /home/{REDACTED}/.ssh/known_hosts:5
debug3: record_hostkey: found key type ECDSA in file /home/{REDACTED}/.ssh/known_hosts:6
debug3: load_hostkeys_file: loaded 3 keys from 192.168.0.21
debug1: load_hostkeys: fopen /home/{REDACTED}/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug3: order_hostkeyalgs: have matching best-preference key type ssh-ed25519-cert-v01@openssh.com, using HostkeyAlgorithms verbatim
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c,kex-strict-c-v00@openssh.com
debug2: host key algorithms: ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,kex-strict-s-v00@openssh.com
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug3: kex_choose_conf: will use strict KEX ordering
debug1: kex: algorithm: sntrup761x25519-sha512@openssh.com
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY


Server (Raspberry Pi)

Code:

lsb_release -a

No LSB modules are available.
Distributor ID:	Debian
Description:	Debian GNU/Linux 12 (bookworm)
Release:	12
Codename:	bookworm

Code:

uname -a

Linux {REDACTED} 6.1.0-rpi7-rpi-v8 #1 SMP PREEMPT Debian 1:6.1.63-1+rpt1 (2023-11-24) aarch64 GNU/Linux

Code:

dpkg -l | grep -i openvpn

ii  openvpn                             2.6.3-1+deb12u2                      arm64        virtual private network daemon

Code:

ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether {REDACTED} brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.21/24 brd 192.168.0.255 scope global dynamic noprefixroute eth0
       valid_lft 73698sec preferred_lft 73698sec
    inet6 fd00::f63c:dc68:9dbe:dcdb/64 scope global dynamic noprefixroute 
       valid_lft 7100sec preferred_lft 3500sec
    inet6 fe80::4ef8:8a05:6b7f:8e4/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
3: wlan0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
    link/ether {REDACTED} brd ff:ff:ff:ff:ff:ff
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 500
    link/none 
    inet 10.0.0.1/24 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::39dd:cb18:3c46:ff11/64 scope link stable-privacy 
       valid_lft forever preferred_lft forever

Code:

ip r

default via 192.168.0.1 dev eth0 proto dhcp src 192.168.0.21 metric 100 
10.0.0.0/24 dev tun0 proto kernel scope link src 10.0.0.1 
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.21 metric 100


I apologize if I posted the thread in the wrong section. Please, move it to the most appropriate section.

Thanks.
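Editor's note on the symptom above (added here, not part of the original post): the TCP handshake completes, nc receives the server banner, and both KEXINIT packets are exchanged, but the client then waits forever for SSH2_MSG_KEX_ECDH_REPLY. Small packets cross the tunnel and the first large one does not, which is the classic signature of a path MTU problem on the VPN path: the server's KEX reply (with sntrup761x25519 it carries a roughly 1 KB post-quantum ciphertext plus the host key and signature) exceeds what the tunnel can carry, and the oversized packet is silently dropped instead of being fragmented or triggering a TCP MSS reduction. Both tun0 interfaces in the thread are set to mtu 1500, the same as the physical links, which leaves no room for OpenVPN's own encapsulation overhead.

The script below is an added example of the check a practitioner would run from the client before touching the configuration; it is not from the thread and is a hypothetical helper. It binary-searches the largest ICMP payload that crosses to a host with the Don't Fragment bit set, then adds the 28 bytes of IPv4 plus ICMP header to report the effective path MTU. It assumes a Linux iputils `ping` (the `-M do` and `-W` flags); the `PING_CMD` variable exists so the ping binary can be swapped or stubbed.

```shell
#!/bin/sh
# Added example: discover the effective path MTU across an OpenVPN tunnel
# by binary-searching DF-flagged pings. Hypothetical helper, not from the thread.
# Assumes Linux iputils ping; PING_CMD may be overridden (e.g. with a stub).
PING_CMD="${PING_CMD:-ping}"

# IPv4 header (20) + ICMP echo header (8) on top of the ping payload
HDR=28

# pmtu_fits HOST SIZE -> exit 0 if one DF-flagged ping with SIZE payload bytes is answered
pmtu_fits() {
    "$PING_CMD" -c 1 -W 1 -M do -s "$2" "$1" >/dev/null 2>&1
}

# find_max_payload HOST LO HI -> prints the largest payload in [LO, HI] that fits
find_max_payload() {
    host=$1
    lo=$2
    hi=$3
    best=0
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if pmtu_fits "$host" "$mid"; then
            best=$mid          # this size passed: search upward
            lo=$((mid + 1))
        else
            hi=$((mid - 1))    # dropped: search downward
        fi
    done
    echo "$best"
}

# path_mtu HOST -> prints the largest unfragmented IPv4 packet size to HOST
path_mtu() {
    payload=$(find_max_payload "$1" 0 1472)   # 1472 + 28 = 1500, a full Ethernet frame
    echo $((payload + HDR))
}

# Usage from the client in the thread (tunnel endpoint first, then the LAN host behind it):
#   sh pmtu.sh 10.0.0.1 192.168.0.21
for target in "$@"; do
    echo "$target path MTU: $(path_mtu "$target")"
done
```

If the reported value for 10.0.0.1 or 192.168.0.21 is below 1500, the tunnel interface MTU is too large for the underlying transport. The usual remedies on the OpenVPN side are `--tun-mtu` set to the measured value, or `--mssfix` (and, for UDP, `--fragment`) so that TCP sessions such as SSH negotiate a segment size that fits; alternatively `ip link set tun0 mtu <value>` on both ends for a quick confirmation. A hang at exactly this point of the SSH handshake, with nc able to read the banner, is worth reading as "large packets are being dropped" before suspecting the SSH daemon itself.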
