VPN for SSH, Internet for all the rest

Intro: Hi, I've been trying to get a VPN and ssh command to work together. And I've been successful to the point where I can get on the server with ssh user@hostname. But when the VPN is active, all of my internet passes through that VPN.

Target: I'd like to use my own internet connection for everything other than that SSH connection.

Option breaks SSH > VPN: I've noticed that there is an option "Use this connection only for resources on its network" in the "Editing VPN" - "IPv4 settings" tab - "Routes..." button. It seemed like the solution, but if I enable that, I can't connect anymore with the "ssh user@hostname" command, it hangs till it times out.

Thoughts: My thoughts so far are that it does not work because the hostname (from ssh username@hostname) and the gateway (from the VPN settings) are different. But I don't know enough about ssh or VPN to know that.

Ideas? Is there like an option in ssh that I am overlooking? I tried ssh -b gatewayFromVPN username@hostname but this didn't seem to work (and I doubt it should). Or is there an option in the VPN settings or something that could solve this?

Thanks in advance.

Summary

  • browse etc > internet connection
  • (simultaneously with)
  • SSH > VPN connection

"Use this connection only for resources on its network" breaks SSH > VPN


Solution 1:

I have wanted to do something similar in the past. I had two ideas: split things based on port and split things based on process owner. Linux's networking system can, it transpires, handle both of these scenarios.

I asked two questions on Unix.SE. I haven't followed up on either particularly well so if you do play around, let me know what works for you.

  • By port: Only allow certain outbound traffic on certain interfaces
  • By user: Can I limit a user (and their apps) to one network interface?

I dare say there is some overlap between the two techniques and that's why I mention both of them here. I've also put a large bounty on the second for some solid examples. I think splitting network connections between users is probably the most useful scenario for both of us.

Edit: I just did a Google for iptables owner and found this. This seems to suggest that a few dirty iptables lines would fix this right up. I'm still to test but it looks positively simple...

Assume you had eth0 and eth1 connections and you wanted user bob to use eth1 and only ever use eth1, and force everything else onto eth0. This should do it...

# Loopback traffic is always allowed, for every user.
iptables -A OUTPUT -o lo -j ACCEPT
# bob may never leave via eth0...
iptables -A OUTPUT -o eth0 -m owner --uid-owner bob  -j DROP
# ...but may leave via eth1.
iptables -A OUTPUT -o eth1 -m owner --uid-owner bob  -j ACCEPT
# Nobody else may use eth1; everyone else uses eth0.
iptables -A OUTPUT -o eth1 -j DROP
iptables -A OUTPUT -o eth0 -j ACCEPT

I'm assuming you can just swap out eth1 for your VPN connection's name and bob for a new user you'll create to run your ssh connection from via: su -c "ssh username@host" bob.
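Putting the owner-match idea above together with a policy-routing table, as an added example that is not part of the original thread: the filter rules alone only drop packets, they do not change which interface the kernel picks, so this script also marks the dedicated user's packets and gives marked traffic its own routing table whose default route is the VPN. Assumed names: VPN interface tun0 (point-to-point), uplink eth0, a dedicated user vpnssh, mark 0x1 and table 100; DRY_RUN=1 prints the commands instead of applying them (applying needs root).

```shell
#!/bin/sh
# Added example, not the thread's own code. Confine one user's traffic to the
# VPN: mark packets by owner, route marked packets through a dedicated table,
# and keep the filter rules as a backstop. Assumed names: tun0, eth0, vpnssh.

# Print the command when DRY_RUN=1, otherwise execute it.
run() { if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# split_by_user VPN_IFACE UPLINK_IFACE USER
split_by_user() {
  vpn=$1; uplink=$2; user=$3
  # 1. Mark every packet generated by processes running as $user.
  run iptables -t mangle -A OUTPUT -m owner --uid-owner "$user" -j MARK --set-mark 0x1
  # 2. Marked packets consult table 100, whose only default route is the VPN
  #    (a point-to-point tun interface needs no "via" gateway).
  run ip rule add fwmark 0x1 table 100
  run ip route add default dev "$vpn" table 100
  # 3. The source address was chosen before the mark was applied, so rewrite
  #    it to the VPN interface's address on the way out.
  run iptables -t nat -A POSTROUTING -o "$vpn" -j MASQUERADE
  # 4. Backstop filter: $user only via loopback or the VPN, nobody else via the VPN.
  run iptables -A OUTPUT -o lo -j ACCEPT
  run iptables -A OUTPUT -o "$uplink" -m owner --uid-owner "$user" -j DROP
  run iptables -A OUTPUT -o "$vpn" -m owner --uid-owner "$user" -j ACCEPT
  run iptables -A OUTPUT -o "$vpn" -j DROP
  run iptables -A OUTPUT -o "$uplink" -j ACCEPT
}

# Usage once the VPN is up (create the user first with: useradd -m vpnssh):
#   split_by_user tun0 eth0 vpnssh
#   sudo -u vpnssh ssh username@hostname      # only this session uses the VPN
```

If the VPN provider hands out a gateway on a tap/ppp interface, add "via <gateway>" to the table-100 route; the mark and filter rules stay the same.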

Solution 2:

I have kind of achieved what I wanted by running Ubuntu virtually in Windows 7 at the moment. (Currently running VMware Player with Ubuntu 12.04.) This way my entire internet on Ubuntu is going through the VPN, but I can use my browser etc. in Windows 7, which doesn't have that VPN.

Though this is not what I was aiming for, it will have to do for now.

Maybe I can run Ubuntu virtually in Ubuntu or something so I don't have the need for windows in the future...