Jump to content
Not connected, Your IP: 35.175.200.199
ky7ax

How to connect to a vpn-ed computer via ssh ?

Recommended Posts

Hello,

I would like to connect through ssh to a computer that is using the airvpn service.

Any idea how would I do that ?

I am using a GNU/Linux distro, if that's relevant...

Share this post


Link to post

Hi. Go go ‘https://airvpn.org/ports/’, and forward a TCP port. The first port you enter should be anything (although it must be above a certain number ­— read the text on the right to learn more about that). The second, local port should be ‘22’, unless your SSH daemon listens on another port.

Share this post


Link to post

Well, I tried with all available options for protocols (not at the same time) and even with different remote ports, but no success.

I tried to connect with gigolo [uvena.de/gigolo/]and remina [remmina.sourceforge.net/].

I must be missing something...

Share this post


Link to post

Well, I tried with all available options for protocols (not at the same time) and even with different remote ports, but no success.

I tried to connect with gigolo [uvena.de/gigolo/]and remina [remmina.sourceforge.net/].

I must be missing something...

Hello!

If you have already tried lolwhat suggestions, consider the following (just in case...):

- remote port forwarding must be enabled on the side of the account used by the server you're trying to reach and the SSH daemon must be started (or restarted) after OpenVPN has connected to an Air server;

- services of two clients behind the same VPN server can't communicate to each other. So if your server is behind a certain Air server, you can't reach it if you are connected to that same server

- make sure that you are trying to reach the SSH server on the proper IP address and port. Each Air server has different entry and exit IP addresses, so the listening SSH service is reachable on :. Please note that is not the remapped local port

- if you are using ssh to perform sftp, then you will have to consider some additional issues: https://airvpn.org/index.php?option=com_kunena&func=view&catid=3&id=1700&Itemid=142

Please do not hesitate to contact us for any further information and support.

Kind regards

Share this post


Link to post

The thing is that I don't hear anything from the server only when the server is using the vpn so I guess is port related.

Also, what is 'Please note that <forwarded_port> is not the remapped local port' suppose to mean ?

Share this post


Link to post

The thing is that I don't hear anything from the server only when the server is using the vpn so I guess is port related. Also, what is 'Please note that is not the remapped local port' suppose to mean ?

Hello!

Suppose that the account used by your SSH server has forwarded port 12345 TCP and remapped it to local port 22. Then, when your server is running OpenVPN as a client connected to one of our Air servers, you will be able to reach the SSH service on your server on :12345, NOT :22

Perform a check from your panel (click "Check", wait for some seconds, then click "Refresh"). If you see a green token, then your service on your server is reachable. If you see a gray token, then your service is not responding (or not running). If you see a yellow token, then your server is responding on port 22 even when reached to its real IP address.

You might as well change the SSH listening port to a TCP port number>=2048 that matches one of the remotely forwarded TCP port numbers. In this case you will not need a remap to local port 22, and you should obtain a red token (evaluate if this can be a vulnerability exploitable for correlation attacks and if so solve it).

You should also make sure that once your server establishes a connection with an Air server, it can communicate with the Internet as usual (except for incoming connections on non-forwarded ports, of course).

Please do not hesitate to contact us for any further information.

Kind regards

Share this post


Link to post

Thanks for your clarifications, I was hoping that maybe I haven't understand something.

The problem persists thou, when is not 'under' vpn it responds correctly, when 'under' it doesn't .

I tried forward TCP, UDP, TCP/UDP; with the ssh 'server' connected to airvpn both TCP and UDP; with remapping to same local port and different local port but I get the same results.

Also, I must note that I get a green token on the 'forwarded ports' page...

Share this post


Link to post

Thanks for your clarifications, I was hoping that maybe I haven't understand something.

The problem persists thou, when is not 'under' vpn it responds correctly, when 'under' it doesn't .

I tried forward TCP, UDP, TCP/UDP; with the ssh 'server' connected to airvpn both TCP and UDP; with remapping to same local port and different local port but I get the same results.

Also, I must note that I get a green token on the 'forwarded ports' page... :huh:

Hello!

The green token shows that your service is reachable when behind the VPN. Let's try to make a step at a time, then.

Change the SSH daemon listening port. Set it to a TCP port you have remotely forwarded without local remap. Then connect your server to an AirVPN server. Check that ssh has a bind to the correct network interface: it must listen on the tun interface used by OpenVPN. Finally, make sure to start ssh. If the ssh service was already running, restart it, this is very important. After all that, try to connect to your server with ssh :, from a device NOT connected to the same Air server.

We're looking forward to hearing from you.

Kind regards

Share this post


Link to post
@harryhoudini

Hello!

1) You can use the ListenAddress option in the configuration file. Read the manual for details. Consider whether binding it to any interface (ListenAddress *) in order to make your system accessible even when it's not connected to the VPN. Restart sshd to apply the change. Your current ssh session will not be reset and you will remain connected.

2) We're sorry, maybe we don't understand the question, feel free to elaborate. Consider that if your machine is in a VPN, it's in it, regardless of the exact connection procedure.

3) AirVPN servers exit-IP addresses might change only under exceptional circumstances. Make sure that your machine connects always to the same VPN server, or the same defined range of servers, so you can rely on the same IP address to reach the ssh daemon. Check also https://airvpn.org/faq/servers_ip

Note that there is no catch 22. Configure and re-start sshd, see answer 1, then connect the VPN through a terminal multiplexer (consider using screen for example https://linux.die.net/man/1/screen or tmux https://linux.die.net/man/1/tmux.). Once the connection is established, your ssh socket is reset, and you must re-connect, (via the VPN server exit-IP address this time). screen or tmux will have detached the OpenVPN or Eddie process which will continue to run flawlessly even though your previous session is killed for the disconnection (if needed you can of course re-attach OpenVPN/Eddie to your own future session).

See also: https://www.shell-tips.com/linux/disown-a-running-shell-process-and-reattach-it-to-a-new-screen/

For a more general approach, check Nadre's articles:
https://github.com/tool-maker/VPN_just_for_torrents/wiki/Maintaining-SSH-Access-Using-a-VPN-on-a-Remote-Linux-Server

Kind regards
 

Share this post


Link to post

Thanks for the reply.

I tried all of Nadre's commands when I was using mullvad VPN app, it didn't work for me, tried 3 times, reinstalled Ubuntu 3 times! My ssh connection always dies and wont reconnect as i dont know the new IP of the VPS after connecting to mullvad. I am about to try Airvpn, as I have a feeling its to do with mullvad app not being like openvpn so it may work with air's vpn app.

However, I THINK I found a much simpler idea (I am a linux noob) and would be very grateful if you could confirm it should work?...

1. Install Eddie on VPS
2. Set up a forwarded port in Air client area, AND enter a ddns name
3. Tell my sshd_config to only allow ssh on that port

I THINK that will then mean I can always get in, either on native IP of the VPS (if not connected to Air servers), or via the ddns address like this:

ssh -p portnumber user@ddnsaddress

and that should connect even if i change the server.

Does this sound like a viable solution?!

Thanks again for replying

Share this post


Link to post
1 hour ago, Terry Stanford said:

Thanks for the reply.

I tried all of Nadre's commands when I was using mullvad VPN app, it didn't work for me, tried 3 times, reinstalled Ubuntu 3 times! My ssh connection always dies and wont reconnect as i dont know the new IP of the VPS after connecting to mullvad. I am about to try Airvpn, as I have a feeling its to do with mullvad app not being like openvpn so it may work with air's vpn app.

...


I have used Mulvad. I never used their app though.

I assume you used "Wireguard"? Not OpenVPN? Without their Wireguard app, the obvious way to connect would be using "wg-quick" (https://manpages.debian.org/unstable/wireguard-tools/wg-quick.8.en.html). I suspect that the Mulvad app uses wg-quick internally (or a modified version of wg-quick, which is a script).

The problem is that using wg-quick just as "wg-quick config_file" will cause a bunch of firewall rules to be added, that have a similar effect to the "network lock" that AirVPN's app sets up (if you do not disable it). This will stop an SSH connection coming in on the real interface, even if you do add the IP and NFT entries that my script adds.

I had to write my own connection script with a line like this in it :
wg-quick strip ~/wireguard_client_run/$f | sudo wg setconf $DEV /dev/stdin
I could share my script. When AirVPN starts offering Wireguard I probably will. But it would be harder to understand than the ones in my existing guide. And you would still have learn how to copy and paste commands into an SSH window. And how to use an editor like "nano". Or else how to upload files using an FTP client.

There are lots of web pages that set out to teach people how to use Linux. Is there a help forum or wiki at your VPS provider?

I am afraid I would not have the patience or skill needed to teach someone how to use Linux. I have been using it too long to remember what it is was like for me to learn it. Sorry.
 

Share this post


Link to post

Hi Nadre, thanks.

Firstly I am not asking for anyone to teach me, although it would be nice if services offered copy paste instructions for new linux users although I understand that's not always possible as some things are nuanced and don't work without deeper understand, however I have managed fairly well so far when I eventually find such guides online! For example nano - I can use that fine, I can edit files.

I am forgetting mullvad. For what its worth no i changed the protocol to openVPN but it defaults (upon install) to WG so maybe it set those firewall rules before i changed it to OVPN and therefore you're probably right about what caused the problem and why the script didn't work.

But I am now thinking I have an idea which should work. I reinstalled the server, fresh copy of Ubuntu 20.04. I did the updates, turned off root and password authentuication in ssh_config and various other bits to lock it down a fair bit.

I am now ready to install AirVPN as I want to use that anyway, I love AirVPN and mainly what it stands for even if other services offer better guidance for noobs sometimes. I would still rather support the services which I think are the best, in philosophy mainly. :)

I think the solution is to have an Air port forwarded, then set that as my ssh port in ssh_config.
Set up a ddns name also, which would then mean I can get to the new IP after connecting my VPS to Air servers (that was my main problem before, i could connect fine, I just couldn't login again to find out my new IP to ssh into!).
Then I think I should be able to get in without any complex stuff (for me) like routing tables etc.
Once working (if it works) I will set up ufw to block all ports except those needed, and I should be pretty locked down and good to go. I think!

The only thing
I am not sure of, is whether to install Eddie GUI (from a GUI login to VPS via X2GO), or Eddie CLI (if different), or openvpn with an Eddie .ovpn config file (complicated for me so would rather avoid that if poss). If you can answer this question that would be a great help :)

Thanks again

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...