f58189f403 0 Posted ...

Both my home and remote servers connect to the internet through AirVPN tunnels. I use SSH to remotely admin and would like to connect to the remote server without leaving AirVPN's network. Below is an image I knocked together as an example of what I want to do.
Staff 9968 Posted ...

Hello!

You can rely on inbound remote port forwarding used by the remote server, please see here: https://airvpn.org/faq/port_forwarding/

Configure sshd to listen to the remotely forwarded port, preferably on all interfaces, in order to avoid a potential lock out of remote ssh connections (if the VPN connection is not established, sshd should remain reachable on the server's real IP address), and restart sshd.

Please make sure that your devices and the remote server connect to either different VPN servers (simpler solution), or by using different keys, in order to prevent conflicts with remote port forwarding. If you decide to connect different devices to the same VPN server, your remote server's ssh port should be remotely forwarded only for the key used by the remote server itself to connect to the VPN server. If necessary, please see here: https://airvpn.org/forums/topic/26209-how-to-manage-client-certificatekey-pairs/

On the AirVPN account port panel you can link a port to a single specific "device".

Kind regards
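The sshd listening setup Staff describes above can be checked mechanically. The following is an added example, not part of the original thread and not AirVPN code: a shell function that reads an sshd_config file and reports whether sshd would listen on the forwarded port on all interfaces. The function name `check_sshd_listen`, port 2222 and the sample config are assumptions, and `Include`/`Match` handling is omitted.

```shell
#!/bin/sh
# Added example (not from the thread): does this sshd_config make sshd listen
# on the forwarded port on all interfaces? Simplified: ignores Include/Match.

# check_sshd_listen FILE PORT -> prints all | specific | none
#   exit 0: PORT is bound on a wildcard address (reachable with VPN up or down)
#   exit 1: PORT is bound only on specific addresses (lockout risk)
#   exit 2: sshd does not listen on PORT at all
check_sshd_listen() {
    awk -v want="$2" '
        { sub(/#.*/, "") }                        # strip comments
        NF < 2 { next }
        tolower($1) == "port" { ports[$2] = 1; nports++ }
        tolower($1) == "listenaddress" { la[++nla] = $2 }
        END {
            if (!nports) ports["22"] = 1          # sshd default port
            if (!nla) la[++nla] = "0.0.0.0"       # default: all addresses
            verdict = "none"
            for (i = 1; i <= nla; i++) {
                addr = la[i]; port = ""
                # host:port, IPv4:port and [addr]:port carry their own port
                if (addr ~ /^\[.*\]:[0-9]+$/ || addr ~ /^[^:]+:[0-9]+$/) {
                    port = addr; sub(/^.*:/, "", port)
                    sub(/:[0-9]+$/, "", addr)
                }
                sub(/^\[/, "", addr); sub(/\]$/, "", addr)
                # assumption: an address without a port uses every Port line
                skip = (port == "") ? !(want in ports) : (port != want)
                if (skip) continue
                if (addr == "0.0.0.0" || addr == "::") { verdict = "all"; break }
                verdict = "specific"
            }
            print verdict
            exit (verdict == "all" ? 0 : (verdict == "specific" ? 1 : 2))
        }' "$1"
}

# Constructed sample config; 2222 stands in for the port forwarded in the panel.
cfg=$(mktemp)
printf 'Port 22\nPort 2222\n#ListenAddress 10.8.0.5\n' > "$cfg"
check_sshd_listen "$cfg" 2222    # all
rm -f "$cfg"
```

Feeding it the output of `sshd -T` (run as root) checks the effective configuration rather than the file on disk.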
NaDre 157 Posted ...

5 hours ago, Staff said:
... (if the VPN connection is not established, sshd should remain reachable on the server's real IP address), ...

For Linux, with proper routing/firewall rules, you can ensure that sshd is reachable on the real IP address even if the VPN is established.

https://github.com/tool-maker/VPN_just_for_torrents/wiki/Maintaining-SSH-Access-Using-a-VPN-on-a-Remote-Linux-Server

This might be helpful for troubleshooting. If the OP just wants to be able to SSH to the server without stopping the VPN, rather than needing to go through the VPN, this might be a better solution?
Staff 9968 Posted ...

52 minutes ago, NaDre said:
If the OP just wants to be able to SSH to the server without stopping the VPN, rather than needing to go through the VPN, this might be a better solution?

Hello!

Maybe not for the OP as he/she wrote "without leaving AirVPN's network", but in general it could be, provided that the user is fine with Network Lock disabled. With Network Lock engaged, the user wanting to adopt this solution and at the same time wanting Network Lock can improve the setup by inserting on top a specific input rule allowing packets to sshd through the physical network interface after Network Lock has been applied (because at the activation the previous rules are flushed).

Furthermore, to avoid correlations, the sshd listening port should not be remotely forwarded by the AirVPN account since incoming connections through the VPN interface wouldn't be needed anymore.

Kind regards
f58189f403 0 Posted ...

Still trying to work it out. How do I get the device in the Devices tab to bind to the server or home computer?
Staff 9968 Posted ...

On 9/20/2024 at 9:42 AM, f58189f403 said:
Still trying to work it out. How do I get the device in the Devices tab to bind to the server or home computer?

Hello!

We're not sure we understand the question. If you mean how to connect a machine through a specific certificate/key (i.e. a "device" in the user panel), then it's simple:

- on Eddie GUI's main window, just under the login credential fields, you have a combo box which will let you pick any certificate/key (if the box does not appear, log the account out and in again)
- on Eddie CLI, you can set it with the option --key=key_name
- on Bluetit, you may either specify the key on the bluetit.rc run control file (option airkey key_name) or on the Goldcrest configuration file or line option through the option air-key key_name

Kind regards