Hi guys,
I am not sure if this belongs here or in the Installation and Maintenance section of the forum...
I have installed security/openvpn with the aim of allowing ssh access from outside the office ONLY via OpenVPN, for security reasons.
My main FreeBSD host has a public IP 91.203.72.xxx and all my sysutils/iocage jails run on a cloned interface lo1.
/etc/rc.conf
Code:
## Set gateway
ifconfig_bce0="inet 91.203.72.xxx netmask 255.255.255.248" # This server
defaultrouter="91.203.72.xxx"
gateway_enable="YES"
## Set jails alias interface
cloned_interfaces="${cloned_interfaces} lo1" # allows loopback isolation in the jail
ipv4_addrs_lo1="10.8.20.10-49/29"
I managed to get the OpenVPN client to successfully connect to the OpenVPN server and I can ssh to all the jails with no problem, but I cannot ssh to the FreeBSD host.
I have tried all sorts of push route settings but nothing successful so far..
To connect to the jail I do
Code:
ssh admin@10.8.20.xx
To connect to the host I tried:
Code:
ssh admin@10.8.21.0
ssh admin@91.203.72.xxx
and always get
Code:
ssh: connect to host 91.203.72.xxx port 22: Connection timed out
Code:
ssh: connect to host 10.8.21.0 port 22: Connection timed out
Could someone please advise on what to add in order to get ssh access to the host via OpenVPN?
I added my config files below; I think I need to add a line in /etc/openvpn/up.sh but I am not sure what.
Thank you
/etc/openvpn/server.conf
Code:
# Which local IP address should OpenVPN listen on?
local 91.203.72.xxx
# Which TCP/UDP port should OpenVPN listen on?
port 1194
# PF firewall integration
script-security 2
setenv-safe wan bce0
up /usr/local/etc/openvpn/up.sh
down /usr/local/etc/openvpn/down.sh
# TCP or UDP server?
proto udp
# "dev tun" will create a routed IP tunnel,
dev tun
# SSL/TLS certificate
ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/vpnserver.crt
key /usr/local/etc/openvpn/keys/vpnserver.key
# Diffie-Hellman parameters.
dh /usr/local/etc/openvpn/keys/dh4096.pem
# Configure server mode and supply a VPN subnet
server 10.8.21.0 255.255.255.0
# Maintain a record of client <-> virtual IP address associations
ifconfig-pool-persist ipp.txt
# Push routes to client
push "route 91.203.72.xxx 255.255.255.248"
push "route 10.8.20.0 255.255.255.0"
# Assign specific IP addresses to clients
client-config-dir ccd
route 10.8.20.0 255.255.255.0
# The keepalive directive
keepalive 10 120
# Block DoS attacks and UDP port flooding.
tls-auth /usr/local/etc/openvpn/keys/ta.key 0
# Cryptographic cipher.
cipher AES-256-CBC
# Enable compression on the VPN link.
comp-lzo
# The maximum number of concurrently connected
# clients we want to allow.
max-clients 2
# Reduce the OpenVPN daemon's privileges
user nobody
group nobody
# Set persist options
persist-key
persist-tun
# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status /var/log/openvpn/openvpn-status.log
# Set log messages path
log /var/log/openvpn/openvpn.log
# Set the log level
verb 3
mute 20
/etc/openvpn/up.sh
Code:
#!/bin/sh
# Run by OpenVPN (script-security 2) once the tun device is up.
# ${dev} and ${local_port_1} are exported by OpenVPN; ${OPENVPN_wan} comes
# from "setenv-safe wan bce0" in server.conf.
ANCHOR="openvpn"
/sbin/ifconfig ${dev} inet6 -ifdisabled
# Replace the NAT and filter rules held in the "openvpn" PF anchor
/sbin/pfctl -a ${ANCHOR} -F rules
/sbin/pfctl -a ${ANCHOR} -F nat
/sbin/pfctl -a ${ANCHOR} -f - <<EOT
nat on ${OPENVPN_wan} inet from ${dev}:network to any -> (${OPENVPN_wan}:0) port 1024:65535
pass quick on ${dev} all
pass in quick on ${OPENVPN_wan} inet proto udp from any to (${OPENVPN_wan}) port ${local_port_1}
EOT
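The server.conf above decides what a connected client can reach: the server directive defines the VPN pool (OpenVPN gives the server itself the first address of that pool) and the push "route ..." lines add everything else. The Python script below is an added example, not part of the post, that parses those directives and classifies each address the post tries against them; since the public IP is redacted as 91.203.72.xxx, 91.203.72.1 is used here as a placeholder.

```python
import ipaddress
import shlex

# Constructed excerpt of the posted server.conf: only the directives that
# decide client reachability. 91.203.72.1 is a placeholder for 91.203.72.xxx.
SERVER_CONF = """\
local 91.203.72.1
server 10.8.21.0 255.255.255.0
push "route 91.203.72.1 255.255.255.248"
push "route 10.8.20.0 255.255.255.0"
route 10.8.20.0 255.255.255.0
"""

def parse_routing(conf_text):
    """Extract the VPN pool, the server's own tun address and the pushed routes."""
    pool, pushed = None, []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        tokens = shlex.split(line)               # keeps push "route a b" as one argument
        if tokens[0] == "server" and len(tokens) >= 3:
            pool = ipaddress.ip_network(f"{tokens[1]}/{tokens[2]}", strict=False)
        elif tokens[0] == "push" and len(tokens) == 2:
            words = tokens[1].split()
            if len(words) >= 3 and words[0] == "route":
                pushed.append(ipaddress.ip_network(f"{words[1]}/{words[2]}", strict=False))
    if pool is None:
        raise ValueError("no 'server' directive found")
    # The server directive assigns the first address of the pool to the server itself.
    return pool, pool.network_address + 1, pushed

def classify(dest, pool, server_tun_ip, pushed):
    ip = ipaddress.ip_address(dest)
    if ip == pool.network_address:
        return "network-address"     # names the subnet itself; no host answers here
    if ip == server_tun_ip:
        return "server-tun"          # the OpenVPN host's own tunnel address
    if ip in pool:
        return "vpn-client"          # another client's tunnel address
    if any(ip in r for r in pushed):
        return "pushed-route"        # client has a route for it via the tunnel
    return "no-route"                # client would send this via its normal gateway

def diagnose(conf_text, destinations):
    """Map each destination to how a connected client would route it."""
    pool, server_tun_ip, pushed = parse_routing(conf_text)
    result = {d: classify(d, pool, server_tun_ip, pushed) for d in destinations}
    result["server_tun_ip"] = str(server_tun_ip)
    return result
```

Running diagnose(SERVER_CONF, ["10.8.21.0", "10.8.21.1", "10.8.20.15", "91.203.72.1"]) reports 10.8.21.0 as the pool's network address and 10.8.21.1 as the server's tunnel address, while the jail and public addresses fall under pushed routes.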