SSH into VPN

Hi,


I have a Freebsd server running remotely with VPN. I use openvpn.

I have Freebsd in my home machine as well.

Unfortunately, I am not able to remotely ssh into the server when I start the VPN on the server.
The home machine has no VPN, by the way.
For now, I have turned off firewalls just to get this up and running.

I saw some threads and some recommendations to set the route. However, I am not exactly certain how this is to be done.

All addresses below are fictitious.

VPN public IP : 222.22.222.222
Server public IP: 111.11.111.111
Home public IP: 555.55.555.555

I have a VPN start script on the server that looks something like this:

#!/usr/local/bin/bash
sudo openvpn --mute-replay-warnings --config /home/bbk/my_vpn.conf &

sudo /sbin/route add -net 222.22.222.222 111.11.111.111 255.255.255.0

Can you please suggest specific commands to be added to this script or to my_vpn.conf, in order to be able to ssh from home into the server when the VPN is on?

Thank you.
 
VPN public IP : 222.22.222.222
Server public IP: 111.11.111.111
Home public IP: 555.55.555.555
These bogus addresses are one of the problems. Read about private IP addresses and their classes.

And if you run a search on the Internet for "sample OpenVPN configurations in FreeBSD," you will likely see tons that you can choose from.
 
These bogus addresses are one of the problems.
All addresses below are fictitious.
I'm pretty sure he did that to hide his actual IP addresses.

Home machine has no VPN btw.
So you ssh from home directly to the external IP of the remote server? That's fine, I do that too.

Unfortunately, am not able to remotely ssh into the server when I start VPN on the server.
Where is the server connecting to? Does it get different routes from the VPN connection? What does the routing table look like when the VPN is active? All outgoing traffic on the server may get routed through the VPN. So it receives the ssh connection on its external addresses and then routes the reply through the VPN. That VPN end-point may not know what to do with that reply and just drops it.
 
SirDice
Thank you.
Yes, the server gets different routes when VPN is active.
Here is the netstat output with the VPN active. How do I set up the (return) routes so the server can be accessed from the external address?
When VPN is active, neither the original server IP, nor the virtual IP set by VPN (here denoted by vv.vv.vv.5) is ping-able from the outside.
Code:
Destination        Gateway            Flags     Netif Expire
0.0.0.0/1          vv.vv.vv.1         UGS       tun0
default            xx.xx.xx.3         UGS       igb2
vv.vv.vv.5         link#10            UHS       lo0
 
What's the VPN for? Is it to connect to a remote site? Or is it to "hide" your server? That route 0.0.0.0/1 looks odd and may be the one that's interfering. If you just need the VPN to connect to a remote site, the routes should only have the destination networks of the remote site. Everything else (like the responses to your incoming SSH connection) will then get routed through the normal default gateway. Only traffic destined for the remote site should be routed through the VPN.
 
SirDice
Yes, VPN is to hide the server.

How do I implement your recommendation? Do you have a template for vpn and or routing setup?
 
I don't have a template. It's going to be different for every situation and thus requires a different approach. I tend to look at what's needed and go from there.

Yes, VPN is to hide the server.
I was afraid of that. This is in direct conflict with your ssh issue. Because this 'hiding' requires that everything is routed through the VPN. Instead of connecting to the "real" address with ssh you are going to need to connect to that "hidden" address because that's where your server is.

You may be able to poke a hole in things, just for your connection. Look at what your original gateway is on that server, I suspect it's that xx.xx.xx.3 address in your routing table. Then add a specific route for your home IP address, forcing it to be routed through the normal gateway (stricter routes have precedence over less strict ones). Something like route add <your home IP>/32 xx.xx.xx.3. Adding this to rc.conf will be something like this:
Code:
static_routes="home"
route_home="<your home IP>/32 xx.xx.xx.3"

Starting the OpenVPN session itself should be done through the normal service, so sysrc openvpn_enable="YES" to make it start automatically. Your configuration should be in /usr/local/etc/openvpn/openvpn.conf.
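To make the routing argument in this thread concrete (SirDice's point that the ssh reply leaves through the VPN rather than the interface it arrived on, the oddly specific 0.0.0.0/1 route, and the /32 pin-hole via the original gateway), here is an added example that is not the poster's or OpenVPN's code. It simulates the kernel's longest-prefix route selection over a table modelled on the netstat output above. The vv.vv.vv.x and xx.xx.xx.x placeholders are replaced with RFC 5737 documentation addresses, the home IP is assumed, and the 128.0.0.0/1 entry is assumed as well: OpenVPN's redirect-gateway def1 installs both 0.0.0.0/1 and 128.0.0.0/1 so that together they override the real default route without deleting it, although the excerpt in the thread shows only the first one.

```python
import ipaddress

# Added example (not the poster's or OpenVPN's code). The routing table below is
# constructed from the netstat output in the thread; the vv.vv.vv.x / xx.xx.xx.x
# placeholders are replaced with RFC 5737 documentation addresses so it runs.
VPN_GW = "203.0.113.1"        # stands in for vv.vv.vv.1, the tun0 peer
VPN_LOCAL = "203.0.113.5"     # stands in for vv.vv.vv.5, the server's tun0 address
NORMAL_GW = "198.51.100.3"    # stands in for xx.xx.xx.3, the igb2 default gateway
HOME_IP = "192.0.2.55"        # assumed home address of the ssh client

# "redirect-gateway def1" style table: OpenVPN installs 0.0.0.0/1 and 128.0.0.0/1
# (the thread's excerpt shows only the first); together they beat the real
# default route for every destination without deleting it.
ROUTES_VPN_ACTIVE = [
    ("0.0.0.0/1",       VPN_GW,    "tun0"),
    ("128.0.0.0/1",     VPN_GW,    "tun0"),   # assumed: not shown in the excerpt
    ("default",         NORMAL_GW, "igb2"),
    (VPN_LOCAL + "/32", "link#10", "lo0"),
]


def lookup(routes, dst):
    """Longest-prefix match, as the kernel does it: return (prefix, gateway,
    interface) of the most specific route that contains dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gateway, ifname in routes:
        net = ipaddress.ip_network("0.0.0.0/0" if prefix == "default" else prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, ifname)
    return (str(best[0]), best[1], best[2])


def with_home_route(routes, home_ip, normal_gw, ifname="igb2"):
    """Return the table with the pin-hole from the thread added: a /32 for the
    ssh client's address via the original gateway, which wins over either /1."""
    return routes + [(f"{home_ip}/32", normal_gw, ifname)]


def rc_conf_lines(home_ip, normal_gw):
    """The rc.conf fragment from the thread, filled in for the given addresses."""
    return ['static_routes="home"', f'route_home="{home_ip}/32 {normal_gw}"']


if __name__ == "__main__":
    pinned = with_home_route(ROUTES_VPN_ACTIVE, HOME_IP, NORMAL_GW)
    for label, table in (("VPN active", ROUTES_VPN_ACTIVE),
                         ("VPN active + home /32", pinned)):
        print(f"{label}:")
        for dst in (HOME_IP, "198.51.100.77"):   # ssh client vs. any other host
            print("  reply to %-15s -> %s via %s (%s)" % ((dst,) + lookup(table, dst)))
    print("\n".join(rc_conf_lines(HOME_IP, NORMAL_GW)))
```

Running it shows the reply to the home address leaving via tun0 with the plain VPN table and via igb2 once the /32 is present, while replies to any other host still go through the VPN, which is exactly the "poke a hole just for your connection" behaviour described above. The same lookup also makes clear why the hole must be at least as specific as /32 for a single client: anything shorter than /1 would lose to the two OpenVPN routes.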
 