Connecting via SSH while VPN is connected

[skrewt]

I have a simple server setup at home running Ubuntu Server. That server is tunneling traffic through an OpenVPN connection to another remote server that I have no access to.

I would like to connect to my own server at home, from work, and have my internet traffic ultimately tunneled through my VPN. However, when the VPN is connected I am not able to connect via SSH, the connections just time out. When I disconnect the VPN, I am able to SSH in just fine. If I try to connect the VPN while SSH'd in, I lose my SSH connection.

How do I let my server take SSH connections and tunnel them through the VPN?

Also, as an added note, I am able to SSH into my router, then SSH into my server using the internal network IP and my traffic is funneled correctly and everything works. But that's not the ideal solution for me.

[Mimiko]

This is expected, when you redirect all web traffic thru tunnel. If your external IP at work does not change, then in the OpenVPN client config file on Ubuntu you can add:

Code: Select all

route a.b.c.d 255.255.255.255 net_gateway

where a.b.c.d is the external IP from work.

Or try something like this:

Code: Select all

iptables -t nat -A POSTROUTING -i eth0 --dport 22 -j SNAT --to-source e.f.g.h

where e.f.g.h is the ip of the ubuntu's default gw. I'm not sure if this will work.

[skrewt]

My work IP does change, but I would prefer to not be limited to specific incoming IP's. Ideally, I would like all incoming SSH connections routed through the VPN, that way I can remote in from more than just work, and have the same benefits. Is this possible?

[Mimiko]

Yes, you can use SSH thru tunnel. For this, on OpenVPN server you will have to NAT incoming connection to your Ubuntu, and use external IP of OpenVPN server.

[skrewt]

Ok, I almost have this working following the guidelines you provided. I added the line you gave to my openvpn.conf file. Using a laptop through a neighbors WiFi, I can connect when I specify an exact IP address of my laptop but it does not seem to work with any wildcards. Is there anyway around this without specifying the IP for each machine I want to be tunneled?

[Mimiko]

No, in config file you cannot specify all adresses, only netmask of addresses from which you may connect, it 192.168.1.0 255.255.255.0.
Try the second example with iptables. And try dnating thru tunnel.

[skrewt]

I get an error about --dport being an unknown option when I try the iptables command.

EDIT: Please excuse my ignorance, but what is dnating through the tunnel?

[Mimiko]

Code: Select all

I get an error about --dport being an unknown option when I try the iptables command.

Please read the man page about iptables. I dont use linux on bases, so I may be wrong in correct port defining.

what is dnating through the tunnel?

DNAT is when incomming packets from internet to public ip of router is forwarded to some server behind this router(firewall) using internal LAN ip address. Like: public_ip:22 -> 192.168.0.10:22.

[skrewt]

Code: Select all

I get an error about --dport being an unknown option when I try the iptables command.

Please read the man page about iptables. I dont use linux on bases, so I may be wrong in correct port defining.

what is dnating through the tunnel?

DNAT is when incomming packets from internet to public ip of router is forwarded to some server behind this router(firewall) using internal LAN ip address. Like: public_ip:22 -> 192.168.0.10:22.

Oh, ok. I do have DNAT setup then. Called it something else, though. I'm bouncing around on IRC channels looking to get help with the iptables command. Thanks Mimiko.