July 20, 2006

OpenVPN tunneling over SSH

The classy.dk kitchen server sits behind an ADSL router provided by my ISP. That router is sensibly almost closed with only FTP, HTTP, SMTP and DNS ports open by defaut and none of these mapped to NATted addreses that are assigned by default through DHCP on the router. I'm fine with that even if it is stupid ISP control of my actions - less security threats to worry about, and I can actually turn on windows on new machines without being owned by virus after 5 seconds.
The only server I have setup to listen to inbound traffic is the old warhorse classy.dk web server (and yes it is in fact located in my kitchen like it says on the blog.
Occasionally I'd like to access resources on other machines on the net though and that just blows. The problem is that the other machines sometimes run windows and most certainly shouldn't be listening to network traffic. I could use SSH tunneling via the webserver and then a terminal emulator to look at the hidden machines, but that's just annoying. I want full access with file browsing. The works.
A real VPN is needed but which one, how to set it up and how to pass it through an interface on the webserver?
Here's a way: OpenVPN with SSH tunneling.
Since I'm not talking more than one machine at a time I can just use the simple point to point setup with a static key. I want to modify the howto to work through an SSH tunnel.


  1. Modify the server vpn configuration file by adding proto tcp-server
  2. Start the VPN server
  3. Modify the client by changing the first line to remote localhost and adding the line proto tcp-client
  4. Tunnel your local port 1194 (what OpenVPN uses) to 1194 on the machine you want to access - via the web server hosting the SSH daemon:
    ssh -L1194:vpnserver:1194 user@webserver
  5. Start the VPN client

That's it. Great stuff I've been looking for. Now I can drop files to and from servers at home that are safely stashed away out of reach it the wild and dangerous internets.

Posted by Claus at July 20, 2006 12:10 AM
Comments

How did you keep SSH from dropping the connection when the VPN was initiated? I'm trying to do essentially the same thing, but every time openvpn (on the client) opens the connection, eth0 goes down and ssh drops the connection, and the whole shebang fails.

Posted by: Roguelazer at September 28, 2006 12:48 AM

It's been pretty stable the times I've used it. The key thing for me has been to to remember to tunnel using TCP not UDP.

Posted by: Claus at September 28, 2006 12:51 AM

It's not a stability issue so much as SSH drops the connection as soon as OpenVPN tries to do the tap bridging (ie: disconnecting eth0, adding tap0, fiddling with routing tables, and whatever else it does). Are you doing anything funky with keep-alives to make that work?

I don't suppose you could e-mail me the (non-security-sensitive) sections of your openvpn.conf files from the server and client, could you?

Posted by: Roguelazer at September 28, 2006 8:19 AM

I'd love to - except the machines I was using this for got wiped recently. But except for the changes listed above my configuration came straight out of the (mini) HOWTO.

Posted by: Claus at September 28, 2006 8:26 AM

Thanks for this small tutorial. All work fine. Big big thanks :))

Posted by: mac at January 2, 2007 10:40 PM

You're most welcome, mac. Glad if it helped.

Posted by: Claus at January 2, 2007 10:43 PM

Thanks a lot for this. Got it working easy, however the next step -- of routing all client traffic (except ssh) over the vpn tunnel -- had be stumped for a few hours. I'm in a country in which all net traffic leaving the country goes through government proxies and only http/s is permitted. I forgot about that when doing my route changes. But now all sorted.

It is so good to be able to use my email client, IM client, command line tools (such as ping, dig etc) again! So again, thanks.

Posted by: Peter at September 13, 2007 10:51 AM

Excellent, Peter!
I can't tell you how happy it makes me, if I can help you curb what should be illegal government babysitting of the internet, in whatever small way I helped.

Posted by: Claus at September 13, 2007 10:56 AM

Hello All,

Peter Could you please tell me how did you mange to do what you did, I mean "routing all client traffic (except ssh) over the vpn tunnel". I would appreciate any help as I face the same problem as you do.

Posted by: Salman at April 6, 2010 2:51 AM
Post a comment