Page 2 of 2 FirstFirst 12
Results 11 to 19 of 19

Thread: Exclude SSH from a VPN set as default interface

  1. #11

    Re: Exclude SSH from a VPN set as default interface

    Luke,

    Same here... I feel like I'm stabbing in the dark with iptables sometimes. I switched from DD-WRT to OpenWRT earlier this year. I ran DD-WRT for years. OpenWRT starts to pay dividends when you have a USB on the router and can hang a large drive off of it.

    Please let me know how you make out with this problem. If I find any additional info I will be sure to post it on this thread.

  2. #12

    Re: Exclude SSH from a VPN set as default interface

    Bump.

  3. #13

    Re: Exclude SSH from a VPN set as default interface

    No luck thus far, and in fact all my messing around tangled up my network connections so badly I had to completely reset my iptables setup.

    Here's what I think is happening:

    0. SSH traffic on port 22 comes into my home router from wherever I am on the Internet.

    1. My router forwards the traffic to my computer.

    2. Traffic back out goes through the primary gateway, which is set up to use my VPN connection (which is what I want normally, but not for SSH).

    So, all I have to do is figure out how to send just the SSH traffic through my home router via eth0 and not the network on tun0.

    Do I have that right?

  4. #14

    Re: Exclude SSH from a VPN set as default interface

    For some reason it's not as easy as saying ignore port 22 and route it to eth0...

    When I talk to people on #networking and #iptables in IRC they give me pretty complex examples of dual-routed ISPs.

  5. #15

    Re: Exclude SSH from a VPN set as default interface

    Did you ever find a solution to this? I'm having the exact same problem.

    This is the closest I could find that might answer it. I'll have a go when I get home and see if it works.
    http://superuser.com/questions/34753...n-is-turned-on

  6. #16

    Re: Exclude SSH from a VPN set as default interface

    This isn't an iptables problem, it's a routing issue.

    Suppose the remote SSH server is at 172.16.16.16, and your client is connected to an upstream router with address 192.168.1.1. Add the following entry to the routing table:

    Code:
    /sbin/ip route add 172.16.16.16/32 via 192.168.1.1

    Now traffic for the SSH server will be handed directly to your router and sent out over the Internet to the remote SSH server.
    If you ask for help, do not abandon your request. Please have the courtesy to check for responses and thank the people who helped you.

    Blog · Linode System Administration Guides · Android Apps for Ubuntu Users

  7. #17

    Re: Exclude SSH from a VPN set as default interface

    Thanks for that SeijiSensei,

    A couple of questions though, if you can, as I'm fairly inexperienced with these things:

    1) The IP address you mention, 172.16.16.16, which IP address is that? Is that the external IP address that is assigned by the VPN service? Or some other IP address? Where would I find it? Also the /32, where does that come from?

    2) If I apply this and it doesn't work is there a way to reverse the changes?

    3) I also found this possible solution:
    https://bbs.archlinux.org/viewtopic.php?id=151870

    Which seems very similar to yours. Any comments on this solution? pros/cons differences?

    Thanks
    Last edited by puyanera; April 8th, 2013 at 06:08 PM.

  8. #18

    Re: Exclude SSH from a VPN set as default interface

    172.16.16.16 is just a placeholder for the public Internet address of the remote SSH server to which you would like to connect. If you are trying to connect to a known SSH server, you should be able to determine its address. If you only know its hostname and not its IP address, use the command "host host.example.com" replacing "host.example.com" with the name of the remote server. For instance the command "host www.ubuntuforums.com" returns "www.ubuntuforums.com has address 91.189.94.12."

    Basically we are creating a route specifically to reach that machine outside the tunnel. When the VPN tunnel is active, the "default gateway" for your traffic usually becomes the remote end of the tunnel. To reach the remote server with SSH you need to have a separate route so that traffic for that server is not pushed through the tunnel.

    The /32 is a "CIDR" address mask. It's equivalent to the all-ones "netmask" 255.255.255.255. Any individual host has a /32 mask. A network subnet address like 192.168.1.0/24 has a mask of 255.255.255.0 (in binary, 24 ones followed by eight zeroes) and refers to all addresses between 192.168.1.0 and 192.168.1.255.

    You can remove the route simply by running the identical command replacing "add" with "del".

    The comments at Arch seem fairly similar to what I suggest here, yes.

  9. #19

    Re: Exclude SSH from a VPN set as default interface

    Thanks again for the help. So because my SSH server is behind a server I used the comments on Arch, specifically:

    Code:
    ip rule add from 192.168.1.11 table 128
    ip route add table 128 to 192.168.1.0/24 dev eth0
    ip route add table 128 default via 192.168.1.1

    That seems to have fixed the issue and now my box is connected to the 3rd party VPN server through which all the internet traffic flows, but I'm finally able to SSH to the box from a remote location. Phew.
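The host-route explanation in #18 and the table-128 policy routing that fixed things in #19, as one added shell example (not code posted in the thread): it converts a prefix length to the netmask #18 describes, and prints or applies the three commands from #19 for either `add` or `del`, so the change can be reversed. The addresses, interface name and table number are the thread's own placeholders and are assumptions to adjust for your network.

```shell
#!/bin/sh
# Added example, not code from the thread. Placeholders taken from the posts:
#   LAN_IP  192.168.1.11   the SSH box's LAN address   GW    192.168.1.1 (router)
#   LAN_NET 192.168.1.0/24 the LAN subnet              IFACE eth0, TABLE 128

# Prefix length to dotted netmask: /32 -> 255.255.255.255, /24 -> 255.255.255.0
# (the CIDR explanation in #18). POSIX arithmetic only, no external tools.
cidr_to_netmask() {
    prefix=$1 mask=""
    for _ in 1 2 3 4; do
        if [ "$prefix" -ge 8 ]; then bits=8
        elif [ "$prefix" -gt 0 ]; then bits=$prefix
        else bits=0; fi
        mask="$mask$(( (255 << (8 - bits)) & 255 ))."
        prefix=$(( prefix - bits ))
    done
    printf '%s\n' "${mask%.}"
}

# Print the three ip(8) commands from #19 for ACTION=add or ACTION=del.
# The rule is keyed on the *source* address: replies to inbound SSH carry
# LAN_IP as source, so they consult table TABLE and leave via the home router.
# Outbound traffic through the VPN is sourced from the tun0 address, so the
# rule never matches it and it still follows the main table's default route.
bypass_cmds() {
    action=$1 lan_ip=$2 lan_net=$3 gw=$4 iface=$5 table=${6:-128}
    printf 'ip rule %s from %s table %s\n' "$action" "$lan_ip" "$table"
    printf 'ip route %s table %s %s dev %s\n' "$action" "$table" "$lan_net" "$iface"
    printf 'ip route %s table %s default via %s\n' "$action" "$table" "$gw"
}

# Run the commands as root, otherwise show them (dry run). After applying,
# `ip route get` confirms that a packet sourced from LAN_IP towards an Internet
# address (172.16.16.16 is the thread's placeholder) exits via IFACE, not tun0.
bypass_apply() {
    if [ "$(id -u)" -eq 0 ]; then
        bypass_cmds "$@" | sh -e
        ip route get 172.16.16.16 from "$2" iif lo
    else
        echo "# not root: dry run, commands that would be executed:"
        bypass_cmds "$@"
    fi
}

# Usage: bypass_apply add 192.168.1.11 192.168.1.0/24 192.168.1.1 eth0
#        bypass_apply del 192.168.1.11 192.168.1.0/24 192.168.1.1 eth0
```

Because the rule matches on source address rather than port, every reply sourced from the LAN address (not only SSH) bypasses the tunnel, which is exactly why it works for inbound connections without touching iptables.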
