Arktos kai Mennos

Arun Vijayshankar's blog


SSH over an OpenVPN connection


TL;DR

If you have an active OpenVPN connection to a remote Linux machine and find that you cannot ssh to it, try setting up port forwarding on your router's config page to forward traffic from the OpenVPN port to the ssh port on your box. Set the device IP on the config page to the local IP address of the Linux machine. Then connect over ssh with: ssh user@local_ip_address

/TL;DR

About two years ago I bought a cheap desktop computer and installed Linux (Ubuntu, because I’m a noob) on it. I decided that I wanted to learn software development, and I wanted to do it on Linux. Setup was not without issues, and I still haven’t managed to get wifi working on it, but overall it was easy. I thought I would use the box for learning and writing code only, but it has become my primary home PC. I’m using it right now in writing this. The PC serves me very well, but almost immediately after setting it up, I realized I wanted to ssh into it from a remote host. Mainly from my laptop for when I work from bed.

I looked up how to get ssh running on Ubuntu and found lots of great guides on the topic. I configured the server, and added key-based authentication for extra security. This was super easy and I was able to ssh into the Linux box from my laptop. But because I am greedy, I wanted to be able to ssh into it from outside my home network too. I looked up how to do that and when I saw that it meant I had to expose the ssh port to the internet at large, I was sufficiently put off to abandon the idea altogether. It also seemed to involve something called “port forwarding” which I don’t think I will ever truly understand. If anyone reading this post has any resources that explain port forwarding in an easy-to-understand fashion, I would appreciate it if you could send them my way.

Now that I am a little older, and with about the same amount of wisdom, I decided to take another stab at it. Having worked from home for the past two years, and having acquired a better understanding of what VPNs are and how they work, I wondered if I could set up a home VPN and connect to that remotely. If I could do that, then I could ssh into the Linux box from anywhere. Easy-peasy. After a bit of reading, I learnt that you can set up a VPN using your home router. I checked mine and found that it could set up a VPN. Mine has a couple of options for VPNs, but I chose OpenVPN because I had heard of it and because it said “secure” in the description. I intend to look into PPTP and L2TP/IPSec (the other options) a little later. I configured OpenVPN by following the online guide published for TP-Link routers. Configuring it on your router might be a little different. Searching for router_name VPN setup should return setup guides for your router, if you wish to set one up. I also downloaded and installed the OpenVPN client on my laptop. I configured the client with the OpenVPN config file I generated on the Linux box (which is now the OpenVPN server).

With all of this set up, I connected my laptop to a mobile hotspot using my phone to simulate an external network and tried to connect to the VPN. After a little bit of fiddling around with the server settings, I could connect to it. I tried pinging the server, and once I confirmed that it was working, I tried to connect over ssh. Which did not work. The server was rejecting my connections. So I went back to the internet. I found that while this is not a very common issue, it has been faced by quite a few people. The common diagnosis was that all traffic gets tunneled over the VPN, and we have to let the server know to deal with SSH traffic separately. Most fixes I read involved changing the iptables rules to do… something. I can’t say I understood what that was all about. Still, in true sw engineer fashion, I tried out the commands to edit the iptables rules. This did not work either, as the syntax for editing iptables has either changed, or is different for Ubuntu for some reason.

I did find one post that specified allowing ssh over the OpenVPN port (which was configured when I set OpenVPN up) through the firewall. That seemed promising, so I tried it out. Still no luck. The server kept rejecting my ssh connections. I was about to give up once again, when I remembered one particular comment in one of the posts which suggested setting up NAT forwarding. I was still reluctant to try changing anything here, since, as mentioned earlier, I don’t really understand what port forwarding is. However, since I was grasping at straws at this point, I thought I’d give it a shot. And there it was, in the NAT forwarding tab in my router config page: “Port Forwarding”. The config page asked me to specify a device IP address, an internal port, and an external port. At first I tried the ssh port for both internal and external ports, which did not work at all. Then I realised that the external port was the port to which traffic was being sent, and the internal port was the port to which traffic was to be forwarded. The device IP address was to be set to the IP address of the device to which the traffic was to be forwarded. This became clear once I realized that when I connect to a VPN, I am essentially making a connection to my router, and not necessarily to any device on my home network. With port forwarding configured and enabled, I was able to ssh to my Linux box from my laptop! I headed over to a cafe to try it out from an actual public network and it worked there as well.

It seems a little unbelievable that I have finally managed to solve something that I have been unsuccessful at on so many attempts in the past two years. I guess the lesson is, if a problem is being difficult, set it aside and try again at a different time. You might have learned something that turns out to be the key to solving it.

PS

An interesting aside: I can ssh over the VPN if I use the IP address on my home subnet, but not when I use the IP address provided to the box by OpenVPN. I’m guessing that this is because I provided the home subnet IP address when I configured port forwarding on the router. But if I try and configure the OpenVPN IP address for port forwarding, the router rejects it, saying that it should have the same netmask as the router. Not sure if I can get around this. If anyone knows any way to ssh over OpenVPN with the IP address assigned by OpenVPN, please let me know!
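To make the three fields on the router's port-forwarding page concrete (device IP, external port, internal port), and to show why a router refuses a device address that is not in its own subnet, as in the PS above, here is a small Python model of a destination-NAT forwarding table. It is an added example, not code from this post or from any router's firmware: the LAN 192.168.0.0/24, the tunnel range 10.8.0.0/24, the host addresses and the Router/ForwardRule names are all constructed, and 1194 is OpenVPN's default port.

```python
"""Toy model of a home router's NAT port-forwarding table (added example).

Constructed for illustration; not the blog's code and not real router firmware.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ForwardRule:
    external_port: int  # port a packet arrives on at the router (WAN or VPN side)
    device_ip: str      # LAN host the packet is rewritten towards
    internal_port: int  # port on that host


class Router:
    """Holds the LAN subnet and the port-forwarding rules the config page accepts."""

    def __init__(self, lan_cidr: str) -> None:
        self.lan = ipaddress.ip_network(lan_cidr)
        self.rules: Dict[int, ForwardRule] = {}

    def add_forward(self, external_port: int, device_ip: str, internal_port: int) -> None:
        # Same rule the post ran into: the device IP must lie inside the router's
        # own subnet, so a VPN-assigned tunnel address is rejected here.
        addr = ipaddress.ip_address(device_ip)
        if addr not in self.lan:
            raise ValueError(f"{device_ip} is not in the router subnet {self.lan}")
        self.rules[external_port] = ForwardRule(external_port, device_ip, internal_port)

    def translate(self, dst_port: int) -> Optional[Tuple[str, int]]:
        """Destination NAT: where is a packet arriving at dst_port delivered?

        Returns (device_ip, internal_port), or None when no rule matches, in which
        case the router itself is the endpoint (as it is for the VPN connection).
        """
        rule = self.rules.get(dst_port)
        if rule is None:
            return None
        return rule.device_ip, rule.internal_port

    def exposed_services(self) -> List[Tuple[str, int]]:
        """Every (host, port) on the LAN that inbound traffic can now reach.

        Handy for a quick review: each entry is a service the outside world can
        talk to, so it should be one you intend to expose (here, sshd with
        key-based authentication).
        """
        return sorted((r.device_ip, r.internal_port) for r in self.rules.values())


def demo() -> Tuple[Optional[Tuple[str, int]], Optional[Tuple[str, int]], str]:
    """Walk through the post's configuration with constructed addresses."""
    router = Router("192.168.0.0/24")          # constructed home LAN
    linux_box_lan_ip = "192.168.0.10"          # constructed LAN address of the box
    linux_box_vpn_ip = "10.8.0.6"              # constructed OpenVPN tunnel address

    # External port = where traffic is sent (the OpenVPN port, 1194 by default),
    # internal port = where it is forwarded (sshd on 22), device = the Linux box.
    router.add_forward(1194, linux_box_lan_ip, 22)

    forwarded = router.translate(1194)         # ("192.168.0.10", 22)
    unforwarded = router.translate(22)         # None: nothing forwards port 22 itself

    # Using the tunnel address as the device IP is refused, matching the PS.
    try:
        router.add_forward(1194, linux_box_vpn_ip, 22)
        rejection = "accepted"
    except ValueError as exc:
        rejection = str(exc)
    return forwarded, unforwarded, rejection


if __name__ == "__main__":
    fwd, unfwd, why = demo()
    print("1194 ->", fwd)
    print("22   ->", unfwd)
    print("tunnel address as device IP:", why)
```

The model is deliberately one-directional: it only answers "where does an inbound packet to this external port end up", which is the question the config page's three fields encode. `exposed_services()` is the check worth running on a real router after enabling a rule, since every forwarded port is a service reachable from whichever side the rule applies to.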