Wednesday, July 3, 2019

Allowing SSH on a server with an active OpenVPN client




I have a VPS running CentOS 7 that I connect to with SSH. I would like to run an OpenVPN client on the VPS so that internet traffic is routed through the VPN, but still allow me to connect to the server via SSH. When I start up OpenVPN, my SSH session gets disconnected and I can no longer connect to my VPS. How can I configure the VPS to allow incoming SSH (port 22) connections to be open on the VPS's actual IP (104.167.102.77), but still route outgoing traffic (like from a web browser on the VPS) through the VPN?



The OpenVPN service I use is PrivateInternetAccess, and an example config.ovpn file is:



client
dev tun
proto udp
remote nl.privateinternetaccess.com 1194
resolv-retry infinite
nobind

persist-key
persist-tun
ca ca.crt
tls-client
remote-cert-tls server
auth-user-pass
comp-lzo
verb 1
reneg-sec 0
crl-verify crl.pem



VPS's ip addr:



1: lo:  mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever

2: ens33: mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:50:56:be:16:f7 brd ff:ff:ff:ff:ff:ff
inet 104.167.102.77/24 brd 104.167.102.255 scope global ens33
valid_lft forever preferred_lft forever
inet6 fe80::250:56ff:febe:16f7/64 scope link
valid_lft forever preferred_lft forever
4: tun0: mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
link/none
inet 10.172.1.6 peer 10.172.1.5/32 scope global tun0
valid_lft forever preferred_lft forever



VPS's ip route:



0.0.0.0/1 via 10.172.1.5 dev tun0
default via 104.167.102.1 dev ens33 proto static metric 1024
10.172.1.1 via 10.172.1.5 dev tun0
10.172.1.5 dev tun0 proto kernel scope link src 10.172.1.6
104.167.102.0/24 dev ens33 proto kernel scope link src 104.167.102.77
109.201.154.177 via 104.167.102.1 dev ens33
128.0.0.0/1 via 10.172.1.5 dev tun0

Answer



I'm having a similar issue to this and have been attempting the fix described in this forum post.



The idea is that currently when you connect to your public IP address, the return packets are being routed over the VPN. You need to force these packets to be routed over your public interface.



These route commands will hopefully do the trick:

ip rule add from x.x.x.x table 128
ip route add table 128 to y.y.y.y/y dev ethX
ip route add table 128 default via z.z.z.z

Where x.x.x.x is your public IP, y.y.y.y/y should be the subnet of your public IP address, ethX should be your public Ethernet interface, and z.z.z.z should be the default gateway.



Note that this hasn't worked for me (using Debian and PrivateInternetAccess) but may help you out.
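The answer's three commands, filled in with the values from the question's ip addr and ip route output and wrapped in a script that can be re-run safely (an added example, not part of the original question or answer). The `dev ens33` on the default route, the use of `ip route replace`, and the `ip route get` sanity check are my additions; the gateway 104.167.102.1 and interface ens33 are assumed from the question's route table.

```sh
#!/bin/sh
# Added example, not part of the original question or answer. Sets up the
# policy routing the answer describes: packets sourced from the VPS's public
# address are looked up in table 128, which only knows the public interface,
# so SSH replies never follow the 0.0.0.0/1 and 128.0.0.0/1 routes via tun0.
# Locally originated traffic (browser, curl, ...) still uses the main table
# and therefore still goes through the VPN.
# Values are taken from the question's ip addr / ip route output.
PUBLIC_IP="104.167.102.77"
PUBLIC_NET="104.167.102.0/24"
PUBLIC_IF="ens33"
PUBLIC_GW="104.167.102.1"
TABLE="128"

# Print the commands without running them, so they can be reviewed first.
# Usage: gen_policy_routes PUBLIC_IP PUBLIC_NET PUBLIC_IF PUBLIC_GW TABLE
gen_policy_routes() {
    printf 'ip rule add from %s table %s\n' "$1" "$5"
    printf 'ip route add table %s %s dev %s\n' "$5" "$2" "$3"
    printf 'ip route add table %s default via %s dev %s\n' "$5" "$4" "$3"
}

# Apply the configuration (needs root). Written to be idempotent so it can be
# re-run, e.g. from an OpenVPN "route-up" hook, without stacking duplicate rules.
apply_policy_routes() {
    ip rule show | grep -q "from $PUBLIC_IP lookup $TABLE" ||
        ip rule add from "$PUBLIC_IP" table "$TABLE"
    ip route replace table "$TABLE" "$PUBLIC_NET" dev "$PUBLIC_IF"
    ip route replace table "$TABLE" default via "$PUBLIC_GW" dev "$PUBLIC_IF"
    # Sanity check: a packet sourced from the public IP must now leave via
    # the public interface; fail loudly otherwise.
    ip route get 1.1.1.1 from "$PUBLIC_IP" | grep -q "dev $PUBLIC_IF" ||
        { echo "reply path still not via $PUBLIC_IF" >&2; return 1; }
}

case "${1:-}" in
    apply) apply_policy_routes ;;
    *) gen_policy_routes "$PUBLIC_IP" "$PUBLIC_NET" "$PUBLIC_IF" "$PUBLIC_GW" "$TABLE" ;;
esac
```

Run it without arguments to print the commands, or as root with `apply` to install them; the rule can be added before OpenVPN starts because it does not depend on tun0 existing.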

