OpenVPN connection through SSH tunnel

ssh networking iptables vpn openvpn

Solution 1:

The simplistic approach to setting up your VPN connection through an SSH tunnel will not work. First problem: you are only tunneling the connection to the VPN server itself, which does not then allow all other traffic to be routed through the VPN server OVER the ssh connection (thus obfuscating the connection). The fix for this is to use a dynamic SOCKS[5] proxy and tell OpenVPN to connect via that proxy. Add to your OpenVPN config file:

socks-proxy localhost 6886
socks-proxy-retry

Then, start your ssh session with a dynamic SOCKS proxy:

ssh -D 6886 -N REMOTE

Then you can start your OpenVPN connection. However, this still has one more failing, at least assuming you want to redirect all traffic through the VPN (OpenVPN directive redirect-gateway def1). For that to work, you need to maintain a route to the SOCKS proxy end point that does not get masked by the routes added by the OpenVPN client. To do this, add another directive to your OpenVPN config that looks like this:

route REMOTE-IP 255.255.255.255 net_gateway default

You might be able to to use the hostname REMOTE in that directive, but you might need to resolve it to an IP address manually.

That should work, at least for ipv4 traffic. A quick google search turns up this blog post which does essentially the same thing, has good descriptions of what's going on, but seems to be more complicated in the solution (using a connection script)

Alternatively, you might also look at using obfs4proxy (e.g. this and this or packaged for ubuntu)

Solution 2:

I could successfully establish a connection to my Raspberry Pi (with PiVPN) over TCP and an external VPS. Then I did this:

allow the forwarding to public on your server (VPS/VPN). Change GatewayPorts to yes or add if it does not exists yet.

/etc/ssh/sshd_config:
GatewayPorts yes

Change proto udp to tcp (as ssh uses the tcp protocol)

/etc/openvpn/server.conf:
proto tcp

Again, change proto udp to tcp-client:

openvpn-client.ovpn:
proto tcp-client

Now start the ssh forwarding (0.0.0.0 to allow all IPv4 connections; -N to not start a bash on the server)

ssh -R 0.0.0.0:1194:localhost:1194 user@server -N

You should also check that your VPS/VPN-server allows the connection and has the right firewall settings. If you use ufw for iptables, simply do this:

ufw allow 1194/tcp
ufw enable

This may not be the fastest but it works for me.

Solution 3:

You don't need to run some other VPN through ssh. you can use ssh AS the VPN. see ssh's "-w X:Y" option.

This is a linux-centric answer. Presume a server, we'll call it "hub", to which ssh tunnel clients connect. They will use 172.17.2.0/24 as the VPN "carrier" network. Certain hosts are common and well known, we give them fixed configurations. Others can connect as well but must use other configurations.

#!/bin/sh -e
#
# make-ssh-tunnel HITHER YON INTERFACE GW
#
# HITHER ...... this host's VPN address.
# YON ......... $GW's VPN address.
# INTERFACE ... number of the tun device, same at both ends.
# GW .......... server host.
#
# /etc/ssh/sshd_config on $GW must include:
#   PermitRootLogin yes
#   PermitTunnel yes
# and clients must be able to ssh to $GW as root.
#
# this creates a star topology with $GW at center,
# which is generally the .1 address in the VPN /24 net.
# others connect and route through $GW to reach
# the other members of the /24 net.
# ________________________________________________
#
# the setup.
#
if [ "$#" = 0 ] ; then
    # automatic, for specific, known, regularly-connected hosts.
    case "`hostname -s`" in
    ThisHost) HITHER=172.17.2.2 IFACE=12 ;;
    ThatHost) HITHER=172.17.2.3 IFACE=13 ;;
    Another)  HITHER=172.17.2.4 IFACE=14 ;;
    *)        echo who are you? ; exit 1 ;;
    esac
    YON=172.17.2.1
    GW=hub
    SUBNET=172.17.2.0
else
    # manual, for random, probably temporary connections.
    HITHER="${1:-172.17.2.5}"
    YON="${2:-172.17.2.1}"
    IFACE="${3:-15}"
    GW="${4:-hub}"
    SUBNET="${YON%.[0-9]*}".0
    #
    [ "$HITHER" = "$YON" ] && echo "${0##*/}": identical addresses not allowed && exit 1
fi
#
# the business.
#
set -x
# 1st: do it there.
ssh -f -T -w $IFACE:$IFACE root@$GW \
"ifconfig tun$IFACE $YON pointopoint $HITHER netmask 255.255.255.255
 ifconfig tun$IFACE
 route -n | grep tun$IFACE"
# 2nd: do it here.
 ifconfig tun$IFACE $HITHER pointopoint $YON netmask 255.255.255.255
 ifconfig tun$IFACE
 route add -net $SUBNET/24 gw $YON
 route -n | grep tun$IFACE
#
# the afterthought.
#
# to make the tunnel a default route replacement:
#
# route add -host $GW gw 192.168.0.1 # that is, your real.defa.ult.route
# ip route add   0.0.0.0/1 via $YON
# ip route add 128.0.0.0/1 via $YON
#
# 1st preserves real route to $GW, avoiding route loop.
# 2nd and 3rd override default route without replacing it.
#
# in addition, $GW must NAT on behalf of the VPN hosts.
# iptables -t nat -A POSTROUTING -s 172.17.2.0/24 -o eth0 -j SNAT --to-source 11.22.33.44
# where --to-source is $GW's real external address.
#
# Embellish to taste.

Related

How do I choose what shows up in PuTTY title bar from Linux?
Prevent specific application from using metered network connection
tar Cannot open: No such file or directory
Wireless router that supports Bonjour between wire- and wireless- connected machines
Turn off administrative share on Windows 7
Encrypt files before sending them to Cloud
Script to create folder with same name as file and move file into folder
Allowing access to localhost outside network
How can I change a file type's default program while keeping its current default icon on Windows 7
Change default location for Explorer opened via hotkey
Second monitor on Laptop -- external monitor keeps defaulting to the right side
Windows 7 desktop does not automatically refresh