SSH over VPN connection

ssh vpn pptp

Solution 1:

Let's suppose your AWS is reachable via SSH at IP "your.ec2.ip.address". Let's suppose your office network has Internet access via a router that apply some NAT translations and, as such, your office PCs are seen, on the Internet, with IP "your.office.external.ip".

Let's also suppose that you are located OUTSIDE of your office, with your laptop connected around the world, with:

  • a main IP address assigned by your local Internet provider (let's suppose 192.168.0.33 with netmask 255.255.255.0 and def-gw 192.168.0.1);
  • a PPP0 address, assigned to your laptop by your remote PPTP server (once your VPN tunnel is succesfully established). Let's suppose PPP0 is the.local.ppp0.ip with remote P2P the.remote.pptp.address. In other words, your laptop knows to be the.local.ppp0.ip and also knows that at the other side of the VPN tunnel there's your PPTP server reachable, over the VPN, at the.remote.pptp.address.

In such a scenario, if you are unable --from your notebook-- to reach your AWS at "your.ec2.ip.address" I bet the problem is --as you guess-- routing: your SSH traffic directed to "your.ec2.ip.address" is NOT leaving your netbook within the VPN, but, instead, is leaving along the common, external-VPN, path (aka: is sent to your local gateway: 192.168.0.1).

To diagnose this problem, a very easy check can be done with:

  • Linux: the tracepath command (es.: "tracepath -n your.ec2.ip.address")
  • windows: the "tracert" command (es.: "tracert -d your.ec2.ip.address")

From the output you can check if the second step report PPTP addresses, or not.

If your traffic is traveling along the wrong path, the easy fix to route it within the VPN is:

  • Linux: "route add -host your.ec2.ip.address gw the.remote.pptp.address"
  • Windows: "route add your.ec2.ip.address mask 255.255.255.255 the.remote.pptp.address"

After configuring the above route, you can check again the routing with tracert/tracepath

Once routing is properly configured, there is a minor probability that problems could arise within your office: if your PPTP server is NOT doing IP-forwarding and NAT-translations, there's an high probability that you'll experience "filtering", in case of missing ip-forwarding or "asymetric routing" (in case of missing NAT) between your notebook and your.ec2.ip.address:

  • traffic from you to amazon, travels along the VPN to your office and, from then, to Amazon;
  • return traffic from Amazon to you, gets routed along common internet path and... chance are high it's dropped somewhere.

Again: tracepath/tracert can help you checking the problem.

On linux boxes, another very useful friend is "tcpdump". Some useful tcpdump commands are:

  • "tcpdump -n -i interface icmp" to check incoming/outgoing PING request/response;
  • "tcpdump -n -i host an.ip.add.ress" to check traffic arriving/sent to an.ip.add.ress;

Related

Can't change the keyboard layout on Centos 7
How do I manually release a DHCP lease on the DHCP server itself?
non-cpu-intensive alternative to lsof?
Why should you not restore a DC that was backed up 6 months ago?
ECS cluster has no ecs instances but two ecs instances are visible in EC2
How to see debug logs for WireGuard (e.g. to see authentication attempts)
Prevent execution of Windows executables
Getting rsync to delete files from the *sender* after transfer
VMware in Linux breaks my ALT, CTRL and/or SHIFT keys. How do I fix it? [closed]
How to solve "ExpiresActive not allowed here" error message in .htaccess file?
Xen vs virtualbox?
Can you join a computer to two domains?