Solved Cannot SSH to server via OpenVPN

Hello all,

I have successfully installed OpenVPN on my FreeBSD 10 ZFS system. My Windows OpenVPN client gets an IP address and no error is reported on the server side.

My /ssh/sshd.conf file is set to listen on port 2205, on its own IP address as I've got jails set up; the SSH connection is also using public/private key authentication, no password is allowed, and I have specified which user can ssh to the server.

What I would like to know is how do I then connect to the server using OpenVPN and PuTTY on my Windows laptop via port 22.

When I use the IP 10.8.20.5 (OpenVPN IP) with port 22, the user sshUser and the private key specified in PuTTY, I get the message:
Code:
Using username "sshUser".
Server refused our key
sshUser@10.8.20.5's password:

Could someone help me please?

Thank you in advance
Fred
 
OpenVPN should be irrelevant in this case. It doesn't matter to which IP address you connect, your keys will always stay the same. So it looks like you simply have the wrong key.

NB. You said you configured sshd(8) to run on port 2205, yet you connect your client to port 22. This doesn't add up. Are you sure you're connecting to the correct sshd(8)?
 
Hi SirDice,

I can ssh to the server with no problem when I use my external IP address + public/private key + user sshUser on port 2205.

In PuTTY, when I simply load the connection to keep the connection details (port, keys, user etc.) and change only the IP address to the OpenVPN IP 10.8.20.5 I get
Code:
network error connection refused
When also changing the port to 22, I then get
Code:
Using username "sshUser".
Server refused our key
sshUser@10.8.20.5's password:

The reason for me to implement OpenVPN is because when I'm at work the firewall does not allow connections on non-standard ports, and to improve security.

So I must use port 22 to connect to the box.

Below is my /ssh/sshd.conf:
Code:
Port 2205
ListenAddress 192.168.0.195
Protocol 2
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 30s
PermitRootLogin no
AllowUsers sshUser
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
HostbasedAuthentication no
IgnoreRhosts yes
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no
GatewayPorts no
X11Forwarding no
PrintMotd yes
TCPKeepAlive yes
UsePrivilegeSeparation yes
ClientAliveInterval 300
ClientAliveCountMax 2
PermitTunnel yes
Banner /etc/ssh/ssh-banner
Subsystem   sftp   /usr/libexec/sftp-server

Thank you for your help.
 
Look at the ListenAddress. That's the only address sshd(8) is listening on. So you should get a connection refused on the 10.8.20.5 address as there's no sshd(8) listening there.

Your company's firewall is also irrelevant, you already bypassed it with a VPN. They cannot see what's inside so you can connect to whichever port you want.
 
SirDice, my /ssh/sshd.conf file now has the following:
Code:
ListenAddress 192.168.0.195
ListenAddress 10.8.20.5
After restarting the sshd service with service sshd reload and service sshd restart I still get
Code:
network error connection refused

The /var/log/auth.log has the following:
Code:
Nov  5 11:33:51 FreeBSD sshd[2286]: Received SIGHUP; restarting.
Nov  5 11:33:51 FreeBSD sshd[5414]: Server listening on 10.8.20.1 port 2205.
Nov  5 11:33:51 FreeBSD sshd[5414]: error: Bind to port 2205 on 10.8.20.5 failed: Can't assign requested address.
Nov  5 11:33:51 FreeBSD sshd[5414]: Server listening on 192.168.1.185 port 2205.
Nov  5 11:34:04 FreeBSD sshd[5414]: Received signal 15; terminating.
 
I assumed the VPN was terminated on the same host. This doesn't seem to be the case?

Once the VPN is up and running you should connect to 192.168.0.195 as that's the IP address of the FreeBSD server you want to connect to. The IP address 10.8.20.5 appears to be the VPN endpoint, i.e. the server that's running OpenVPN.
 
SirDice, does it matter that my LAN is set on 192.168.0.195 and the OpenVPN server on 10.8.20.5? Do they have to be on the same netmask?
 
No, they should be different networks or you're going to have routing problems. But the host on 192.168.0.195 does need to know where to route traffic for 10.8.20.0/24 to.
 
I'm lost here. Sorry. Let me explain my problem a bit better.

At the moment, I ssh to the server only from home using PuTTY to make the connection to my server on port 2205, with user sshUser using a private key; password is not allowed.

Code:
HomePc -->--ExtIP 216.146.161.254:2205--->FreeBSD server

If I want to ssh to the server from work, I cannot do that as our firewall does not allow access to non-standard ports (2205 here). Therefore I have set up a VPN connection using OpenVPN as a workaround as well as added security.

To make things easier I have set a static IP address for the OpenVPN server on both my HomePc and OfficePC using the client-config-dir option, where:
HomePc has:
Code:
ifconfig-push 10.8.20.1 10.8.20.2
OfficePC has:
Code:
ifconfig-push 10.8.20.5 10.8.20.6

What I want to do is use the external IP and/or the OpenVPN when at home to connect to the box and use OpenVPN ONLY when in the office. HomePc, OfficePC and the FreeBSD Server are on three different networks:

Code:
+----------+                           +------------+
|  HomePc  |                           |  OfficePC  |
|----+-----+                           +------+-----+
     |                                        |
     |OpenVPN 10.8.20.1                       |OpenVPN 10.8.20.5
     |  OR                                    |
     | 216.146.161.254:2205                   |
     |                                        |
     |-------------------+--------------------|
                         |
                         |
                +--------+---------+
                |  FreeBSD Server  |
                |  216.146.161.254 | <--Public IP
                +------------------+

When the VPN connection is established, HomePc has IP 10.8.20.1 and OfficePc has IP 10.8.20.5 (when I mouseover the OpenVPN icon, I also have the right IPs)

My OpenVPN client on the windows PC has the following:
C:\Program Files\OpenVPN\config\client.ovpn
Code:
client
dev tun
proto udp
remote 216.146.161.254 1194
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ca ca.crt
cert cgb05122.crt
key cgb05122.key
ns-cert-type server
cipher BF-CBC
comp-lzo
verb 6
mute 20

On the server side, my /etc/openvpn/openvpn.conf file looks like this:
Code:
local 192.168.1.195
port 1194
client-config-dir clients
script-security 2
setenv-safe wan lagg0
up /usr/local/etc/openvpn/up.sh
down /usr/local/etc/openvpn/down.sh
proto udp
dev tun
ca ca.crt
cert trinity.crt
key trinity.key
dh dh1024.pem
server 10.8.20.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
cipher BF-CBC
comp-lzo
max-clients 2
user nobody
group nobody
persist-key
persist-tun
status  openvpn-status.log
log-append  /var/log/openvpn.log
verb 6
mute 20
and my /ssh/sshd.conf now looks like this:
Code:
Port 2205
ListenAddress 192.168.0.195
ListenAddress 10.8.20.1
ListenAddress 10.8.20.5
Protocol 2
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 30s
PermitRootLogin no
AllowUsers sshUser
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
HostbasedAuthentication no
IgnoreRhosts yes
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no
GatewayPorts no
X11Forwarding no
PrintMotd yes
TCPKeepAlive yes
UsePrivilegeSeparation yes
ClientAliveInterval 300
ClientAliveCountMax 2
PermitTunnel yes
Banner /etc/ssh/ssh-banner
Subsystem  sftp  /usr/libexec/sftp-server

This is my pf.conf file
Code:
### Interfaces ###
#ext_if="bce0"
ext_if="lagg0"
IP_FREEBSD_HOST="192.168.1.195"
IP_WEBJAIL="192.168.1.165"
IP_DBJAIL="192.168.1.198"
HOSTS= "{" $IP_FREEBSD_HOST $IP_WEBJAIL $IP_DBJAIL "}"
ICMP_TYPES="{echoreq,unreach}"
PORT_WEB="{80,443}"
PORT_SSH="{2923,2924,2205,1194,22}"
#PORT_ZABBIX="{10059}"
### Tables ###
table <workssh> {192.168.1.1/24,216.146.161.254,82.41.44.193,10.8.20.5}
table <sshguard> persist
# [options]
set skip on lo0
# [normalization]
scrub in all
# [translation]
# [filtering]
pass out all
block in all
# block all IPs from  sshguard-pf blocklist without any further evaluation
block drop in log quick on $ext_if inet from <sshguard> to any
# Allow ssh traffic from authorise IPs only and set Stateful Tracking Options (STO)
pass log on $ext_if inet proto tcp from <workssh> to $HOSTS port $PORT_SSH \
  flags S/SA keep state \
  (max-src-conn 100, max-src-conn-rate 15/5, \
  overload <sshguard> flush global)
# Allow HTTP and HTTPS traffic
pass in quick proto tcp from any to $IP_WEBJAIL port $PORT_WEB
I get the error
Code:
network error connection refused
when using either of the following IP with port 2205:
IP: 10.8.20.5:2205
IP: 216.146.161.254:2205
IP: 192.168.1.195:2205

I get the error
Code:
Using username "sshUser".
Server refused our key
sshUser@10.8.20.5's password:
when using IP: 10.8.20.5:2205

Please could someone help me here? Is the problem with the firewall? Am I not using PuTTY correctly?

I saw that PuTTY has a tunnel menu. Am I supposed to use that instead?

Thank you in advance,
Fred
 
I don't see any directives to set up routes on your clients to access the local network of the server over the VPN link. At minimum there should be this in your server configuration:

Code:
push "route 192.168.1.0 255.255.255.0"

This will direct the clients to access network 192.168.1.* over the VPN link instead of sending the traffic to their default gateway that is entirely clueless of where this network resides or if it does it has the wrong information. Once you have this set up you can SSH to 192.168.1.195 over the VPN link and you never have to use the 10.8.20.* addresses for connections.


Also do not try to make sshd(8) listen on any other address of the VPN address range other than the first one. You should use only this if you must use an explicit ListenAddress directive:

Code:
ListenAddress 10.8.20.1

I would just make sshd(8) listen on all interfaces by default and use PF to filter the unwanted traffic.

Do you have a good reason to use client-config-dir? In most cases it doesn't matter what addresses the VPN server hands to clients as long as they are distinct from all other addresses used, and I suspect you don't really need fixed addresses for anything.
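The two failure modes discussed in this thread (SirDice's point that sshd(8) only binds the addresses in ListenAddress, so a ListenAddress the host does not own produces "Can't assign requested address" and a client sees "connection refused"; and kpa's point that without a pushed route the VPN client has no path to the server's LAN address) can be checked mechanically. The script below is an added example written for this page, not code from the thread or from OpenVPN/OpenSSH. Its inputs are constructed to mirror the thread: an sshd_config fragment, the list of addresses the server actually has (assumed to be 192.168.1.195 on lagg0 and 10.8.20.1 on tun0, the server end of the VPN), and an openvpn.conf fragment before and after the push "route" line. The /24 LAN mask and the function names are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the thread): diagnose why a VPN client cannot reach sshd.
# Assumptions: the server's own addresses are supplied as a space-separated list
# (e.g. reduced from ifconfig(8) output), the LAN is a /24, and push directives
# are quoted exactly as in openvpn.conf.

# Constructed sshd_config fragment (illustrative values mirroring the thread).
SSHD_CONF='Port 2205
ListenAddress 192.168.1.195
ListenAddress 10.8.20.1
ListenAddress 10.8.20.5
PubkeyAuthentication yes'

# Constructed list of addresses configured on the server itself:
# 192.168.1.195 on lagg0 and 10.8.20.1 on tun0. 10.8.20.5 is a *client* address.
SERVER_ADDRS='192.168.1.195 10.8.20.1'

# Constructed openvpn.conf fragments: before and after the pushed route.
OVPN_BEFORE='server 10.8.20.0 255.255.255.0
client-config-dir clients'
OVPN_AFTER='server 10.8.20.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"'

# Print every ListenAddress value found in the sshd config passed as $1.
sshd_listen_addrs() {
    printf '%s\n' "$1" | awk '$1 == "ListenAddress" { print $2 }'
}

# Print ListenAddress entries that no local interface carries. For each of
# these sshd(8) logs "Bind to port N on A failed: Can't assign requested address"
# and a client connecting to A gets "connection refused".
unbindable_listen_addrs() {
    conf=$1; addrs=$2
    for a in $(sshd_listen_addrs "$conf"); do
        case " $addrs " in
            *" $a "*) ;;                 # address exists locally: bind succeeds
            *) printf '%s\n' "$a" ;;     # not local: bind fails
        esac
    done
}

# Return 0 when the OpenVPN server config ($1) pushes "route NETWORK MASK".
# Quotes are stripped and the whole directive compared exactly.
vpn_pushes_route() {
    printf '%s\n' "$1" | awk -v want="route $2 $3" '
        $1 == "push" {
            line = $0; sub(/^push[ \t]+/, "", line); gsub(/"/, "", line)
            if (line == want) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# /24 network of a dotted-quad address (assumption: the LAN is a /24).
net24() {
    printf '%s\n' "$1" | awk -F. '{ print $1 "." $2 "." $3 ".0" }'
}

# Verdict for "can a VPN client ssh to LAN address $2?"
#   0 = reachable; 1 = sshd is not (or cannot be) bound there; 2 = no route pushed.
vpn_ssh_reachable() {
    sshd_conf=$1; lan_addr=$2; server_addrs=$3; ovpn_conf=$4
    sshd_listen_addrs "$sshd_conf" | grep -qxF "$lan_addr" || return 1
    case " $server_addrs " in *" $lan_addr "*) ;; *) return 1 ;; esac
    vpn_pushes_route "$ovpn_conf" "$(net24 "$lan_addr")" 255.255.255.0 || return 2
    return 0
}

# Usage: report bind failures, then the before/after verdict for the LAN address.
unbindable_listen_addrs "$SSHD_CONF" "$SERVER_ADDRS" | sed 's/^/sshd cannot bind: /'
vpn_ssh_reachable "$SSHD_CONF" 192.168.1.195 "$SERVER_ADDRS" "$OVPN_BEFORE" \
    || echo "before push route: not reachable (rc=$?)"
vpn_ssh_reachable "$SSHD_CONF" 192.168.1.195 "$SERVER_ADDRS" "$OVPN_AFTER" \
    && echo "after push route: VPN client can ssh to 192.168.1.195:2205"
```

Run it as-is to see the report for the constructed inputs; to check a real host, replace the three constructed strings with the contents of sshd_config and openvpn.conf and the output of ifconfig(8). The point it makes concrete is kpa's: once the route is pushed the client simply connects to the LAN address, and the only VPN-range address sshd(8) could ever bind is the server's own tun end (10.8.20.1), never a client address.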
 
Thank you very much for your reply kpa.

I removed the client-config-dir clients entry in the /etc/openvpn/openvpn.conf file and added
Code:
push "route 192.168.1.0 255.255.255.0"

I am now able to ssh to the server using OpenVPN :)
 