SSH and SFTP when connected to OpenVPN

[heisenberg1977 0]

AirVPN is awesome. I am a new user and got everything going successfully as far as establishing the initial connection goes. My internet is working along with port forwarding and Torrents etc. My routing knowledge with OpenVPN tunnels is weak however and would like some advice on configuring my LAN setup.

I use Ubuntu as my host and connect via NetworkManager to the AirVPN server.

I have a Windows box on a seperate LAN (Different subnet) and usually connect to this Ubuntu machine via SSH/SFTP (Putty and WinSCP) with no issue when the OpenVPN session is not running. As soon as I establish the OpenVPN session my SFTP and SSH sessions drop.

Is it possible to add routes that I can keep the the SSH sessions alive when connected to OpenVPN, keeping security in mind (i.e leak prevention)?

[heisenberg1977 0]

From what I gather from reading some other OpenVPN posts, some folks have achieved this using "Split Routing" or "Policy Routing" with OpenVPN. This is beyond my knowledge of networking so If somebody could confirm if this is possible or recommended, then I will look further into learning how to do this. I do not want any leaks and the sole feature that I want is to be able to connect to the OpenSSH features running on the server. Any links or tutorials would be greatly appreciated.

[Staff 9761]

From what I gather from reading some other OpenVPN posts, some folks have achieved this using "Split Routing" or "Policy Routing" with OpenVPN. This is beyond my knowledge of networking so If somebody could confirm if this is possible or recommended, then I will look further into learning how to do this. I do not want any leaks and the sole feature that I want is to be able to connect to the OpenSSH features running on the server. Any links or tutorials would be greatly appreciated.

Hello!

Your case does not require policy routing. If your server is connected to an Air VPN server but you want it to reachable via ssh NOT behind the VPN server, just bind sshd to the IP address of the network card you want it to listen to. In /etc/ssh/sshd_config locate the line ListenAddress and set it to the appropriate address. Then restart sshd. You can also specify multiple IP addresses with multiple "ListenAddress" lines.

On the contrary, if it's your client connected to an Air server, and your server is not, just use ssh normally.

Kind regards

[bardamatic 0]

I've had the same request as well and the option above didn't work for me for whatever reason. It still would not be able to login via ssh.

The solution that I discovered that works every time:

Have a script execute when the vpn connects. With openvpn you can put this at the end of your openvpn.conf file (or whatever it is called):

'up "/bin/bash /path/to/some/script.sh"

You might also have to set your script security level. Added this as well to the openvpn.conf file:

script-security 2

script.sh:

#!/bin/bash

ip rule add from <internal IP of SSH server/VPN client> table 10

ip route add default via <internal IP of gateway/router> table 10

check out this link:

https://forums.openvpn.net/topic7163-15.html

Maybe the admin can tell us if this solution is a security concern as you asked before.

[Staff 9761]

Maybe the admin can tell us if this solution is a security concern as you asked before.

Hello!

As long as you don't allow correlations no security concerns are apparent.

To make an example (it's a stupid example, but just to make it clear), assume that you want to run an FTP server behind an Air VPN server (for privacy reasons, for example), on a machine which also runs a web server which does not need that privacy. If you allow the web server to be reachable from the physical network interface and the FTP server only from the tun adapter, your machine may become vulnerable to correlations, i.e. it could be possible to discover that the web server runs on the same machine where the FTP server runs and therefore it would be possible to discover the real IP of the FTP server too.

Kind regards

[bardamatic 0]

Huh. This is interesting...I would love a little more detail on how this correlation can come about. Say for example, I have a webserver (authenticating https with 1 user (me)) that is directly accessible (i.e. not via the AirVPN exit) using the method I discussed above, and a torrent client that is bound to the tun adapter and is only using the designated ip address of the AirVPN server. i.e. I d/l a file with the torrent client that is then accessible to my personal webserver. Are correlations possible in this circumstance? If so how? Or are correlations more related to a publicly accessible webserver?

p.s. sorry for hijacking this thread...But I think it is still relevant especially if someone uses the method I mentioned above.

[Staff 9761]

Huh. This is interesting...I would love a little more detail on how this correlation can come about. Say for example, I have a webserver (authenticating https with 1 user (me)) that is directly accessible (i.e. not via the AirVPN exit) using the method I discussed above, and a torrent client that is bound to the tun adapter and is only using the designated ip address of the AirVPN server. i.e. I d/l a file with the torrent client that is then accessible to my personal webserver. Are correlations possible in this circumstance? If so how? Or are correlations more related to a publicly accessible webserver?

Hello!

In this case no possible correlation is visible to this admin. If anybody has some idea (which does not rely on web server intrusion/security breach) please feel free to post.

Kind regards

[heisenberg1977 0]

Back to my original topic of getting SSH to work. I tried binding eth0 ip address in sshd_config but it does not work for me.

ListenAddress 192.168.1.100

I then restarted SSH (alternate port) and did a netstat to make sure the port is listening which it is.

tcp 0 0 192.168.1.100:5140 *:* LISTEN

Bardamatic - I'll try your workaround when I get the chance to play around. I was hoping to find a cleaner solution but thanks for the suggestion.

[NaDre 154]

Since Google finds this page when you search "openvpn breaks ssh", I may as well put this post here too.

 

The problem is that the default gateway gets changed by OpenVPN, and that breaks your current SSH connection unless you set up appropriate routes before you start OpenVPN.

 

What follows works for me. It uses iptables and ip (iproute2). Below, it is assumed that the default gateway interface before OpenVPN is started is "eth0". The idea is to ensure that when a connection to eth0 is made, even if eth0 is not the default gateway interface anymore, response packets for the connection go back on eth0 again.

 

You could use the same number for the connection mark, firewall mark and routing table. I used distinct numbers to make the diffences between them more apparent.

 

# set "connection" mark of connection from eth0 when first packet of connection arrives
sudo iptables -t mangle -A PREROUTING -i eth0 -m conntrack --ctstate NEW -j CONNMARK --set-mark 1234

# set "firewall" mark for response packets in connection with our connection mark
sudo iptables -t mangle -A OUTPUT -m connmark --mark 1234 -j MARK --set-mark 4321

# our routing table with eth0 as gateway interface
sudo ip route add default dev eth0 table 3412

# route packets with our firewall mark using our routing table
sudo ip rule add fwmark 4321 table 3412

===

 

UPDATE:

 

The above works fine for me on Debian Jessie. But on an older Wheezy system I have just found that I need to add "via" to the routing table entry:

# our routing table with eth0 as gateway interface
sudo ip route add default dev eth0 via 12.345.67.89 table 3412

There "12.345.67.89" must be the original non-VPN gateway.