I have a server and I want to setup a VPN on it to route all traffic.

Of course I don't want to lock myself out when establishing the OpenVPN connection (already did that!), so I want port 22 to be unaffected and reachable as usual.

Is this possible? And if so, how can I set this up?

Jeff Schaller
b-m-f
  • See http://unix.stackexchange.com/a/145783/6761 – jasonwryan Jan 31 '15 at 20:03
  • Set it all up accordingly (just port 22) but I still can't SSH onto the server and have to do a hard reboot. I am using Ubuntu 14.04. Which OS did you use when you got it working? Also, in your answer I think the part of echoing "201 novpn" into etc/iproute2/rt_tables is missing? – b-m-f Jan 31 '15 at 20:56
  • That's exactly how I set it up on Debian... – jasonwryan Jan 31 '15 at 21:10
  • Alright, thanks. I'll try it again with a fresh Debian install. – b-m-f Jan 31 '15 at 21:11
  • Using Ubuntu should make no difference. Did you open port 22 in your firewall? – jasonwryan Jan 31 '15 at 21:14
  • I'm SSHing onto the server on port 22. After setting everything up it still works fine. As soon as I start up OpenVPN though, I only get timeouts when I try to connect to the server. – b-m-f Jan 31 '15 at 21:17
  • This is the script I run on boot: http://sprunge.us/XGCM – jasonwryan Jan 31 '15 at 21:21
  • Let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/20723/discussion-between-bananenmannfrau-and-jasonwryan). – b-m-f Jan 31 '15 at 21:38
  • Besides, it is easier to write a route entry for the VPN host IP regardless of port. Any reason we have to stick to the port? – 把友情留在无盐 Feb 01 '15 at 11:56
  • Could you post your solution? The VPN host would be germany.privateinternetaccess.com (don't know the exact IP right now). – b-m-f Feb 01 '15 at 12:06

2 Answers

You need to add routing to your server so SSH packets get routed via the server's public IP, not the VPN. Failing to do that means the SSH return packet gets routed via OpenVPN. This is why you get locked out of your server after you've initiated an OpenVPN client session.

Let's assume your server's:

  • Public IP is a.b.c.d
  • Public IP Subnet is a.b.c.0/24
  • Default Gateway is x.x.x.1
  • eth0 is device to gateway

iproute2 is your friend here. Do the following:

```sh
# Packets sourced from the public IP are looked up in routing table 128
ip rule add table 128 from a.b.c.d
# The local subnet is reachable directly on eth0
ip route add table 128 to a.b.c.0/24 dev eth0
# Everything else from the public IP goes to the real gateway, not the VPN
ip route add table 128 default via x.x.x.1
```

Do `route -n` to confirm the new routing table shows up. The above commands won't persist if you reboot the server. You'll need to add them to your network interface config file.

Then run your OpenVPN client config: `openvpn --config youropenvpn-configfile.ovpn &`

Added bonus

Also, should you wish to restrict traffic to your public IP to SSH and only SSH, then you'll need to add iptables filtering as follows:

```sh
# Accept SSH to the public IP, drop everything else addressed to it
iptables -A INPUT -d a.b.c.d -p tcp --dport <*ssh port number*> -j ACCEPT
iptables -A INPUT -d a.b.c.d -j DROP
```

PS: I recall first learning about this in the Linode forum. Google it and you should be able to find a post on this.

techraf
hcb
  • Do I need the second command (`ip route add table 128 to a.b.c.0/24 dev eth0`) if I'm renting just one server from my hosting provider? Why does `traceroute` show that packets originating from my server are going through the VPN network with your setup? Although, my server stays accessible when connected to the VPN. – x-yuri Apr 26 '18 at 15:29
  • You can have just `ip route add table 128 to a.b.c.d` instead of `ip route add table 128 to a.b.c.0/24 dev eth0` if you only have 1 assigned IP, from what I understand. – conradkleinespel Apr 02 '19 at 09:52
  • Make sure you're using OpenVPN. I use the nordvpn binary to connect and this didn't work. When I connect to the NordVPN servers through OpenVPN, this works fine. – ma3oun Jun 23 '19 at 20:26
  • "You'll need to add them to your network interface config file." How to do that? How to make these changes persist? – cjbottaro Jul 15 '19 at 22:13
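Added example, not part of either answer (all addresses, the interface name and the script name are placeholders): a small POSIX shell script that prints the three iproute2 commands from the answer above, the commands to check that the rule and table took effect, and the ifupdown `post-up` lines that make them survive a reboot, which is the persistence question raised in the comments. It prints rather than runs the commands so the output can be reviewed before applying it as root.

```shell
#!/bin/sh
# keep-ssh-routing.sh (hypothetical name): generate policy-routing commands so
# replies from the server's public IP keep leaving via the real gateway even
# after OpenVPN replaces the default route. Table 128 matches the answer above.
#
# Usage: sh keep-ssh-routing.sh <public-ip> <public-subnet> <gateway> <dev> [table]
#   e.g. sh keep-ssh-routing.sh 203.0.113.10 203.0.113.0/24 203.0.113.1 eth0

# Print the commands instead of executing them (review first, run as root later).
build_commands() {
    ip="$1"; subnet="$2"; gw="$3"; dev="$4"; table="${5:-128}"
    # 1. Packets sourced from the public IP are looked up in the dedicated table.
    echo "ip rule add from $ip table $table"
    # 2. The public subnet is directly reachable on the physical interface.
    echo "ip route add $subnet dev $dev table $table"
    # 3. Everything else from the public IP goes to the upstream gateway,
    #    never to the tun device OpenVPN will create.
    echo "ip route add default via $gw dev $dev table $table"
}

# Commands to confirm the rule exists and the table is populated.
verify_commands() {
    table="${1:-128}"
    echo "ip rule show"
    echo "ip route show table $table"
}

# The same commands as ifupdown post-up lines for /etc/network/interfaces
# (placed under the iface stanza of the public interface), so they are
# installed at boot, before OpenVPN starts.
persist_lines() {
    build_commands "$@" | sed 's/^/    post-up /'
}

if [ "$#" -ge 4 ]; then
    build_commands "$@"
    echo "# verify with:"
    verify_commands "${5:-128}"
    echo "# add under 'iface $4 inet ...' in /etc/network/interfaces:"
    persist_lines "$@"
fi
```

Run the printed `ip` commands before starting OpenVPN; if the SSH session still drops, `ip rule show` tells you whether the `from <public-ip>` rule was actually installed.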
Assuming your VPS server's public IP is 1.2.3.4 and your VPN public IP is 5.6.7.8.

I would edit the file /etc/ssh/sshd_config and add a line:

```
ListenAddress 1.2.3.4
```

So sshd would be accessible from outside the VPN connection.

deepred
  • The problem is that the outgoing packets are blocked. The SSH connection just times out on connecting. – b-m-f Mar 14 '15 at 13:09