Jump to content
Not connected, Your IP: 44.223.40.255
Terry Stanford

Running VPN on VPS - How the hell do you connect once VPN running?!!

Recommended Posts

I have rented a Linux VPS to try and learn a bit about linux, total noob. Learning fast but still very very green.

I want to run a VPN on it and before signing up for another AirVPN account I grabbed a one month subscription to mullvad mainly just cos it's cheap for only a month but also because they have good instructions on CLI commands.

I must have reiunstalled the VPS (Ubuntu 20.04) over 30 times in the past 3 days while I have tried and tried to solve this problem! I decided maybe a change of VPN is the cure.
The problem is that I can't connect (ssh) to the VPS after I connect the VPS to the VPN service installed on it. Obviously it changes the external IP address of my VPS, so i have to reboot the server to get back in, and then i am back to square one. It's a nightmare!

I have spent countless hours reading online threads about this problem and not seen a solution which works for everyone, most only work for a few (ip tables, add route, all sorts of ideas). I havent found one which works for me!

If I install AirVPN on the VPS with CLI (if there is guidance on that) then I can try it, but I will still have the problem of connecting after firing up the VPN. Can anyone help?
thanks

Share this post


Link to post

PS This looked promising, not that I could understand it all fully. https://unix.stackexchange.com/questions/237460/ssh-into-a-server-which-is-connected-to-a-vpn-service

But I now wonder if these fixes only work if using openvpn  rather than a dedicated VPN app like Eddie .I used Mullvad's app (albeit CLI), maybe I need to go with OpenVPN app, just scared of the setup to be honest. I have uninstalled Mullvad now and will just try with Eddie, off to see what linux help pages there are! Hope someone can point me in the right direction with setting up AirVPN on a VPS but keeping the ability to connect via SSH (ideally to the VPS's native public IP as, if the VPN connection breaks, I could get locked out again. Having said that, if that got me going, I could live with that at this point!)

Share this post


Link to post

Ok I have read about a thousand threads and some related specifically to my problem :)
However I am a bit too dumb to understand most of them, I have just learned what sudo apt update does :D
But I think the complex iptables stuff can be ignored, if I use a forwarded port. I understand a bit about ssh, that it uses 22 by default and I was going to change that but instead I THINK i am right in saying
I can just get a forwarded port from Air (superb page for doing that btw!) and then tell my sshd_config file to use that port to listen for ssh. If I had read that sentence a week ago I would think it was a developer, that's how green I am!
So... AM i right in thinking, that IF i do that (forward port and match it to ssh port on my VPS), I can forget about all the iptables commands?
If so, I will sign up for a new Air account and give that a try.
I have one more big question though - am I also right in thinking i MUST use OpenVPN rather than Eddie? I hope not as I would like to use Eddie (keep things simple as possible, never set up OVPN manually before)!
thanks

Share this post


Link to post

Thanks for your replies NaDre - unfortunately I have read that link several times and I can't make sense of it, I am not a linux coder, so when it says things like "put this in xx file" or "make these executable", i get the meaning but I have no clue how to actually do it. I was hoping there might be a beginner version somewhere, i.e. every step, every command to type into Ubuntu CLI so it works. Maybe that's asking a lot, but I have seen a lot of threads from beginners similarly asking how to do it in step by step commands.

However, I am now wondering if the port forwarding solution might be easier for me, do you think so?

So if I get a forwarded port from Air, let's say I get 8888, I am wondering if I could do it this way without the need for file edits and executables etc:

1. Install AirVPN linux version on ubuntu VPS
2. Tell ssh to listen on port 8888 (that is something I do now know how to do, and I would change from 22 default anyway for security)

The problem is that I then need to know what ip the VPS changes to when connected to AirVPN, but I am wondering if it's possible to set default server so the VPS only ever connects to the same server giving the same IP address every time after VPN connection is established, this would mean I could then ssh back in via port 8888 at that new IP.

This idea seems easier to me, however I still don't have a clue how to use AirVPN via CLI and haven't seen any guide pages for commands. Does anyone know if Air publish a guide of their CLI commands, something like Mullvad publish - https://mullvad.net/nl/help/how-use-mullvad-cli/

If so I MAY just manage to get this working

PS I still don't know which is best between Eddie CLI version, or OpenVPN using a downloaded configuration, both for security/privacy but more so for ease of use for me. I find all instructions for openvpn installation (CLI) very complex, whereas Mullvad was dead easy, just copy paste whichever functions I want to set like auto connect, wireguard on/off, default servers etc

PPS This is important so I should mention it - I run Eddie around the clock on my Mac here, which is my client machine to connect to the VPS from. Therefore I don't want to set up a fixed IP as the only authorised connection to the VPS (via ssh). My IP changes many times a day and I need it to for SEO research and similar stuff, so I need a port constantly open to ssh connection from any IP, I use rsa keys to secure it, password authentication off, root login will be off once I finish setting everything up.

Thanks again for replying, maybe The Don could chip in too :)

Share this post


Link to post

In my humble opinion, renting a VPS to learn Linux, then using a VPN on that same machine are incompatible goals. The latter already requires some basic knowledge of Linux networking, in addition to knowledge about the VPN protocol in use, here it's OpenVPN obviously. Combining them is the next step, after you learned the two prerequisites.
I got in the habit of always asking people why they are doing certain things with tech, just to understand the motivations, and I will do so here, too: Why do you want to run a VPN on a VPS if the primary goal is learning Linux?


NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Want to contact me directly? All relevant methods are on my About me page.

Share this post


Link to post

Thanks for reply, and sorry for multiposting, I was desperate after 4 days of stressing over this and thought I might get an answer quicker that way, wrong move, sorry!

I understand your motivation for asking why, however it's not going to help here but I know it usually does as often there's a better way to achieve a desired outcome.

I MUST run a VPS, and what I do on it MUST use a VPN service. I could explain in great detail but I am not making progress, and the truth is what I am doing is 100% necessary. Short version in case that doesn't satisfy your question - SEO research, running remote programs to scrape and analyse SERPS from different geolocations (VPN allows me to check SERPS in many EU countries and US etc too), and I need to do that remotely as my home computer will get bogged down doing that and I am moving around a lot too so one fixed location (VPS) to run from a good net connection, just makes sense. Yes I chose Linux because I do want to learn about it, but that's not the primary reason, cost is probably the first! But I can do everything I need with Linux, and a web browser, so I have Ubuntu 20.04 and XFCE which is sufficient for my needs. I also would never use ANY computer without a VPN these days, I haven't done so for 10+ years and I am not about to start trusting British Telecom now!! :D

So, with that said... Can I just ask a very quick question...

If I forward a port, and use DDNS too, am I right in thinking I can ssh to that port at that address (i.e. stanford.airvpn.org) and I should be able to access the server via the AirVPN exit IP of my VPS, rather than coding in tables and trying to manually route that port's traffic outside the VPN. Seems much simpler, if it should work at least in theory? A yes here would be great and I will dive into it. thanks! 



 

Share this post


Link to post

I connect to AirVPN from one of my VPSes. I only wanted to route particular apps through the VPN though (so eg. SSH connections and system updates still go to the internet directly) and ended up doing that via Docker. I was already using Docker for deployment of most apps on this particular server, so it worked out well.
If you're okay with using Docker, and the apps you want to route through the VPN are available as Docker containers (or you're okay learning how to create your own Docker containers), one approach is to use the openvpn-client Docker container (https://hub.docker.com/r/dperson/openvpn-client). This lets you selectively route only particular Docker containers through the VPN tunnel. If you go this route, I'd recommend using docker-compose to configure the containers.

Share this post


Link to post

Just out of curiosity. I wonder whether it would be best to use tcp or udp in Eddie on the VPS, considering I will have a remote GUI connection to it. I am thinking TCP would be safer, but given the media transfer going on (audio/video/screen), maybe udp would be better. Any votes welcome!

PS - If my approach works, would I be best to leave network lock OFF? (i read a thread somewhere that said this may be better). I would rather it was on to be honest so would like to run it if i can.

Share this post


Link to post

Could really do with an answer to question above if anyone knows?
I have now installed eddie on vps. I set up a forwarded port and ddns too. It was over an hour ago. I connected the vps to vpn and ssh connections dropped as expected. But I still can't get back in. If i knew whether this should work or not I would wait and keep trying.

Lets say the port is 8888. My understanding is the port is forwarded from any vpn server i connect to. To try and cheat and beat the ddns wait time, I got the IP of the server I connected to (guessed at it anyway) by connecting to it from another machine i have (same server name), and got the IP in my browser.

Now I would expect this to work:

ssh -p 8888 root@VPN-SERVER-IP-ADDRESS

Should that work?

If not, should it work once ddns propogates, for example:

ssh -p 8888 root@ddns-name-chose.airdns.org

?

thanks

Share this post


Link to post

I see. Now we understand why you're doing this. :)
 

4 hours ago, Terry Stanford said:
If I forward a port, and use DDNS too, am I right in thinking I can ssh to that port at that address (i.e. stanford.airvpn.org) and I should be able to access the server via the AirVPN exit IP of my VPS, rather than coding in tables and trying to manually route that port's traffic outside the VPN. Seems much simpler, if it should work at least in theory? A yes here would be great and I will dive into it. thanks! 

It works in practice, yes.
 
3 hours ago, Terry Stanford said:

Just out of curiosity. I wonder whether it would be best to use tcp or udp in Eddie on the VPS, considering I will have a remote GUI connection to it. I am thinking TCP would be safer, but given the media transfer going on (audio/video/screen), maybe udp would be better. Any votes welcome!


UDP, unless UDP is blocked. There are very few cases where TCP performs genuinely better.
 
3 hours ago, Terry Stanford said:

PS - If my approach works, would I be best to leave network lock OFF? (i read a thread somewhere that said this may be better). I would rather it was on to be honest so would like to run it if i can. 


NetLock prevents outgoing communication outside the tunnel, so if the communication comes from the AirVPN server, e.g. when you ssh via stanford.airdns.org, it will work. No need to turn off NetLock.
 
2 hours ago, Terry Stanford said:

ssh -p 8888 root@VPN-SERVER-IP-ADDRESS


This seems like the correct way, yes. On the port forwarding page, that port must be forwarded to local port 22. I hope you filled that in as well, because if not, the port will be forwarded to the VPN interface IP on port 8888. :)
 
2 hours ago, Terry Stanford said:

ssh -p 8888 root@ddns-name-chose.airdns.org


This shouldn't matter, that name resolves to VPN-SERVER-IP-ADDRESS.

NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Want to contact me directly? All relevant methods are on my About me page.

Share this post


Link to post

Beautiful, VIELEN DANK!!
I went ahead and found it worked nicely. I changed my ssh listening port to the Air forwarded port, and i locked Eddie to only use one server (in case DDNS failed, at that point it hadn't updated so wasn't resolving).
I got IN!! HOOOOORAY!!!!  Thanks you so much. I love AirVPN :)

I have one follow up question..

I rebooted the server and logged in this morning to native IP (eddie doesn't autorun). I tried to run sudo apt update and I get lots of these:

"W: Failed to fetch http://ubuntu-archive.mirror.serveriai.lt/dists/focal-updates/InRelease Temporary failure resolving 'ubuntu-archive.mirror.serveriai.lt'"

I read a guide online to use this command to see nameservers - cat /etc/resolv.conf. That produces this result:

# Generated by Eddie v2.19.7 | https:
nameserver 10.26.166.1
nameserver fde6:7a:7d20:16a6::1


Any idea how to fix this? I went into VPS Control Panel where there's an option to change DNS servers. I changed them to DNSWatch addresses. Rebooted server (in case that's needed to take effect). But I still get those errors when running sudo apt update. Forgive my ignorance but I 'assumed' the server's chosen DNS would be used until/unless Eddie is running. After a reboot it is not running, so I can't see why it can't resolve hosts.
If you can help with this I would be grateful. thanks
(I did find that when connected to Eddie VPN server, the VPS resolves hosts perfectly fine, so I can probably work around this problem but would be good to know how to fix it so the VPS can resolve when not connected just in case Eddie goes down or whatever)

PS, sorry I have one other small issue. when I run Eddie client (GUI) on XFCE, I get a password prompt for the user account (which has sudo priveliges) - not sure why. I can live with it, but if there's a solution that would be handy.

Screenshot-2021-02-09-at-12-36-13.png
 

Share this post


Link to post
17 hours ago, Daniel15 said:

I connect to AirVPN from one of my VPSes. I only wanted to route particular apps through the VPN though (so eg. SSH connections and system updates still go to the internet directly) and ended up doing that via Docker. I was already using Docker for deployment of most apps on this particular server, so it worked out well.
If you're okay with using Docker, and the apps you want to route through the VPN are available as Docker containers (or you're okay learning how to create your own Docker containers), one approach is to use the openvpn-client Docker container (https://hub.docker.com/r/dperson/openvpn-client). This lets you selectively route only particular Docker containers through the VPN tunnel. If you go this route, I'd recommend using docker-compose to configure the containers.

Sorry I didn't see this post until now. Thanks for that. I don't know anything about Docker but will definitely keep this in mind if the current plan doens't work out, so far so good though! thanks again

Share this post


Link to post
4 hours ago, Terry Stanford said:
22 hours ago, Daniel15 said:

I connect to AirVPN from one of my VPSes. I only wanted to route particular apps through the VPN though (so eg. SSH connections and system updates still go to the internet directly) and ended up doing that via Docker. I was already using Docker for deployment of most apps on this particular server, so it worked out well.
If you're okay with using Docker, and the apps you want to route through the VPN are available as Docker containers (or you're okay learning how to create your own Docker containers), one approach is to use the openvpn-client Docker container (https://hub.docker.com/r/dperson/openvpn-client). This lets you selectively route only particular Docker containers through the VPN tunnel. If you go this route, I'd recommend using docker-compose to configure the containers.

Sorry I didn't see this post until now. Thanks for that. I don't know anything about Docker but will definitely keep this in mind if the current plan doens't work out, so far so good though! thanks again

You probably didn't see my post because all my posts seem to have to go through moderator approval (I guess because I'm a new user?) and that seems to take a day or two. I'm glad you figured out something that worked :)

Share this post


Link to post

Thanks, yes I wondered why I didn't spot it and that explains it! I remember it taking a while before my posts would appear immediately when I first joined.
Well I am happily using the VPS now, via my Air ddns address. What a brilliant system!
i still have the issue of my VPS not resolving hosts when not connected to VPN, but that's bearable. I tried to edit my hosts file as some guides online explained, but to no avail.
 

Share this post


Link to post

Sorry, I do actually have one more issue I just found:

When I am connected to VPS (native IP, before connecting to VPN), I have Eddie window logged in. The second I click login, I lose access and then quit my session and start a new one to the IP of the VPN (or ddns). Thats great. But I would quite like to activate network lock, however that does the same (of course), so I basically don't have TIME to select both network lock, AND connect to VPN.

It would be much easier to control these via CLI ssh session from my terminal on client machine, much quicker than opening a GUI session. I did read the CLI commands for Eddie but I struggled to understand most of it.

Could someone maybe drop me the CLI commands to do the following, when logged into VPS BEFORE Eddie is running:

- Start Eddie
- Turn on Network Lock
- Connect to VPN (as per my default profile, which is set to only ever connect to one server)

I do NOT want Eddie to run automatically at startup of machine, that would be a disaster as I would have to reset the server and start from Ubuntu installation all over again. :D
If there are some commands to do the above 3 things, I would be grateful for those. thanks

 

Share this post


Link to post

What would be really cool is a delayed connection button, or CLI command. A command/button which you submit and it waits 30 seconds or a minute then connects. Eddie is just too damn fast at connecting for me :D

Share this post


Link to post
@Terry Stanford

Hello!

If you run Eddie GUI, you can configure Eddie to activate Network Lock at startup, check "Activate Network Lock at start" in "Preferences" windows. You can also configure Eddie to connect when it is launched.

If you run Eddie CLI, in a screen or tmux session run something like "sleep n && eddie-cli <options here>" where n is in seconds.

Kind regards
 

Share this post


Link to post
20 hours ago, Terry Stanford said:

Any idea how to fix this? I went into VPS Control Panel where there's an option to change DNS servers. I changed them to DNSWatch addresses. Rebooted server (in case that's needed to take effect). But I still get those errors when running sudo apt update. Forgive my ignorance but I 'assumed' the server's chosen DNS would be used until/unless Eddie is running. After a reboot it is not running, so I can't see why it can't resolve hosts.
If you can help with this I would be grateful. thanks
(I did find that when connected to Eddie VPN server, the VPS resolves hosts perfectly fine, so I can probably work around this problem but would be good to know how to fix it so the VPS can resolve when not connected just in case Eddie goes down or whatever)


I think the problem is that DNS is not reset back to its original settings. Some versions of Eddie had this in the past. What is the Eddie version?
 
20 hours ago, Terry Stanford said:

PS, sorry I have one other small issue. when I run Eddie client (GUI) on XFCE, I get a password prompt for the user account (which has sudo priveliges) - not sure why. I can live with it, but if there's a solution that would be handy.


Well, OpenVPN needs privileges to edit the routing table and set NIC addresses, so Eddie naturally also asks for privileges. If you want to prevent being asked for the password, check Preferences > General > Don't ask elevation every run.
 
19 hours ago, Terry Stanford said:

Sorry I didn't see this post until now. Thanks for that. I don't know anything about Docker but will definitely keep this in mind if the current plan doens't work out, so far so good though! thanks again


Be careful because Docker is another feature monster :D so many things you can do with it.
 
11 hours ago, Terry Stanford said:

Could someone maybe drop me the CLI commands to do the following, when logged into VPS BEFORE Eddie is running:

 

# eddie-ui --cli --connect --netlock

.

NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Want to contact me directly? All relevant methods are on my About me page.

Share this post


Link to post
5 hours ago, Staff said:
@Terry Stanford

Hello!

If you run Eddie GUI, you can configure Eddie to activate Network Lock at startup, check "Activate Network Lock at start" in "Preferences" windows. You can also configure Eddie to connect when it is launched.

If you run Eddie CLI, in a screen or tmux session run something like "sleep n && eddie-cli <options here>" where n is in seconds.

Kind regards
 
Thanks, however I do not want Eddie to auto run.
That command though, that's great, if it does what I think? So if i inserted 30 (sleep 30....) then it will wait 30 seconds then start eddie? Thats nice, but it won't auto connect and I dont want it to, as I need to be able to access tyhe server on its native IP address so I never want eddie to auto run, although if I could set network lock to only be effecive WHEN the VPN is running, that would be cool! Not possible though i dont think?

Share this post


Link to post

Thanks O.S.

Eddie version is 2.19.7

"Don't ask elevation every run." - I had that ticked, it still does it. No big deal, thanks.
 

5 hours ago, OpenSourcerer said:

# eddie-ui --cli --connect --netlock 


Very cool thank you!

1. Will I see Eddie GUI running, or will it be hidden in GUI (XFCE) view?
2. Will it connect to my default profile chosen server? (run with sudo for that?)
3. Does the netlock command just run netlock THIS session, or does it turn it on permanently?

I need to be very careful not to make netlock on by default, I do not want that as it could block access to VPS some time and force me to reinstall and start all over again :D

Share this post


Link to post
35 minutes ago, Terry Stanford said:
Thanks, however I do not want Eddie to auto run.
That command though, that's great, if it does what I think? So if i inserted 30 (sleep 30....) then it will wait 30 seconds then start eddie? Thats nice, but it won't auto connect and I dont want it to, as I need to be able to access tyhe server on its native IP address so I never want eddie to auto run, although if I could set network lock to only be effecive WHEN the VPN is running, that would be cool! Not possible though i dont think?

Hello!

&& means the logical and in various shell languages, bash (Bourne Again Shell) included, therefore: if (and only if) a command (in this case sleep) is executed and exits successfully, then the command following && will be executed too. This is a short-circuit evaluation.

About sleep, enter the following command in a terminal
man sleep
for more information.
 
In our previous messages we never talked about auto running Eddie. Please re-read at your convenience.
Quote


if I could set network lock to only be effecive WHEN the VPN is running, that would be cool! Not possible though i dont think?



You can tell Eddie to activate Network Lock or not when Eddie itself is launched. You can tell Eddie to connect to some VPN server at startup.

Kind regards
 

Share this post


Link to post
2 minutes ago, Staff said:

You can tell Eddie to activate Network Lock or not when Eddie itself is launched. You can tell Eddie to connect to some VPN server at startup.

Yes I know this, but can you tell Eddie to only activate Network Lock when connected to VPN, and disconnect when disconnected?

Share this post


Link to post
Just now, Terry Stanford said:
3 minutes ago, Staff said:

You can tell Eddie to activate Network Lock or not when Eddie itself is launched. You can tell Eddie to connect to some VPN server at startup.

Yes I know this, but can you tell Eddie to only activate Network Lock when connected to VPN, and disconnect when disconnected?

Hello!

No, Network Lock needs activation BEFORE a VPN connection starts. Anyway Eddie allows "events", check "Preferences" > "Events". You can have a command/script when each event takes place. For security reasons, events linked items are NOT launched with root privileges, so if you need some operation needing root privileges you need take care yourself of it.
Quote


can you tell Eddie to disconnect when disconnected?


Only with an operator's input, by default. If you order a disconnection, Eddie will remain disconnected. But if the connection is lost for any reason other than explicit operator's order, Eddie will try to re-connect continuously in any case. You can modify this behavior only through events. For example, if you define an event at VPN disconnection that kills Eddie itself, you will have an approximation of what you want, i.e. "tell Eddie to disconnect when disconnected". However, if you kill Eddie, make sure to reset firewall rules too, because Eddie might fail to restore previous firewall rules (signal handling needs some improvement). You will need to gain root privileges in your script in order to kill Eddie backend and manipulate firewall rules.

Kind regards
 

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...