Jump to content
Not connected, Your IP: 18.224.54.118

Recommended Posts

Hi,

 

I have a home network with private addresses (192.168.x.x), which are masqueraded, with one public IP.

 

Before I signed up here, I configured a server, some ports were forwarded, and available from the Internet. The VPN is now installed on this linux box, the ports are now closed (except the SSH port), and are now only forwarded via your VPN, it works wery well

 

On this box, there's a SSH server running. I'd like to continue to be able to access this SSH server directly (with the public IP) from the internet, outside the tunnel. But when the VPN is up, I cannot access it from the Internet. I tried to flush all iptable rules, just to be sure, and it still doesn't work. On my private network, it works as usual, VPN up or not.

 

That's why I think I have to tweak openvpn, do you know exactly how please? Thanks for any tip.

Share this post


Link to post

Generally speaking what you need to do is *not* to flush the default route after your OpenVPN connection is up,

and then configure policy based routing that will direct all outgoing traffic via the vpn interface.

First can be achieved by editing the .ovpn config, second implementation depends on what you use.

 

But you need to be more specific regarding the OS+Router+Firmware you are using, if you want someone to give

you specific tips that will cover that configuration.


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.

Share this post


Link to post

The server OS is debian stable, with Shorewall firewall (which I disabled once to be sure the problem is not coming from its configuration). openvpn is installed with a standard (Direct, protocol UDP, port 443) ovpn config from the AirVPN generator.

 

The router is a xDSL "box" from my ISP (not a dd-wrt box, no "policy based routing" option). No VPN configuration has been done on it. Now only port 22 is forwarded to the private IP of the debian box.

Share this post


Link to post

So you have 2 options, either to run the OpenVPN client on the Shorewall appliance (recommended) or on your server.

In any case you will have to make sure that the VPN interface (10.0.0.0/8) is NOT your default route.

You need to configure policy based routing on either of them, fortunatelly, on Linux it's possible and quite easy.


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.

Share this post


Link to post

The ssh server, openvpn and shorewall are on the same PC.

 

As a general principle, if this is possible, I'd like to keep the VPN as a default route, and make an exception for SSH, not the other way around.

 

Is it really mandatory to play with linux commands such as ip or route (which I would have to automate in some way, in order to keep the config after a computer restart), or is it possible to tweak the openvpn config file ?

Share this post


Link to post

Hi,

route and SSH work on completely different network layers. Your routing table is not aware of SSH and vice versa.

 

When you decide to keep your default route with VPN, you cannot reach your external IP anymore - since it will receive incoming

traffic on a gateway other than it's default.

 

Why port forwarding isn't an option?


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.

Share this post


Link to post

Hi zhang,

 

I'd like to skip port forwarding because

i) I'd like to connect to SSH even if the tunnel goes down (which happens every few days unfortunately, but maybe I could set up some kind of watchdog to restart openvpn when that occurs) and

ii) to avoid another layer that can fail to retrieve the IP, that can change: dynamic dns or connect to my client area on the airvpn site to see on which IP I am, which is a bit fastidious to me. I guess I could use the airvpn config generator to set up openvpn 1 single server, but if it goes down, I'm also screwed.

 

Do you think that port forwarding is the only way to go?

Share this post


Link to post

You probably can fix the first problem with a little reading on the forum or posting your logs, it's most certainly at your end.

The second part is easily solved - just remember the correct port and use Air's DDNS. something like airvpn88.airdns.org will

always point to the server IP you are currently connected to.

Then in case your port forwarded SSH, you should have no issues.

 

There is no such thing as "the only way to go"

It's a matter of configuration complexity, vs simplicity. Given the fact you don't own a policy based routing device there, makes your task

a little over-complex in my opinion.


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.

Share this post


Link to post

Yeah, sure there's no one way to go, I'm just looking for the most reliable and elegant one ;-) I'm also starting to think that my original idea leads to overly complex configuration; I guess I'll stick with your hint, the port forwarding / DDNS option, it's now set up and works.

 

Thank you very much for your time and your valuable help.

 

For the tunnel stability problem, I found something in the logs (below). I will search on the forum and the Internets about that and start a new thread if I need to. My DSL router says I connected and stayed synchronized with the DSLAM for more than 15 days. Before the VPN, my IP connectivity was always perfectly stable. Unwisely I changed two other things when I started to use the VPN: I just received a new DSL router, and switched from ADSL to VDSL, so it will require a little bit more investigation…

 

Jul  3 15:38:36 host ovpn-air[1422]: TLS: tls_process: killed expiring key
Jul  3 15:38:40 host ovpn-air[1422]: TLS: soft reset sec=0 bytes=46148527/0 pkts=202174/0
Jul  3 15:39:40 host ovpn-air[1422]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jul  3 15:39:40 host ovpn-air[1422]: TLS Error: TLS handshake failed
Jul  3 15:39:40 host ovpn-air[1422]: TLS: move_session: dest=TM_LAME_DUCK src=TM_ACTIVE reinit_src=1
Jul  3 15:39:55 host ovpn-air[1422]: TLS: Initial packet from [AF_INET]213.152.161.39:443, sid=f4c26fe6 c78d2b93

Share this post


Link to post

Seems you have a severe packet loss or DSL sync loss if you couldn't make the TLS handshake within the 60 seconds.

Your VPN session will be dropped then.

You need to look for a possible pattern when it happens. Then, if possible, try not to connect to VPN and reproduce the pattern.


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...