
Thread: SSH and OpenVPN

  1. #1
    Join Date
    Sep 2008
    Location
    England
    Beans
    Hidden!
    Distro
    Ubuntu

    SSH and OpenVPN

    Hello,

    I'm trying to SSH into my server which is using OpenVPN from an external location. SSH via Putty works when the Server is not on the VPN.

    When I connect to my router's IP I get an error, "Server unexpectedly closed network connection", and it won't let me log in, just a blank screen.

    When I connect to the external IP my server thinks it has (the VPN IP), I get a login prompt but I can't get any further. I tried logging in normally, as root and also using my VPN account details.

    I can't find any documentation on how to SSH with a VPN connection. Could someone please explain what I need to do?

    Thank you.

  2. #2
    Join Date
    Nov 2012
    Beans
    12

    Re: SSH and OpenVPN

    Do you have ping from your OpenVPN virtual IP address?

  3. #3
    Join Date
    Nov 2009
    Location
    Mataro, Spain
    Beans
    13,593
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: SSH and OpenVPN

    Hold on, the explanation is confusing.
    So, is your server running the openvpn server or it connects to it as a client? You say "when the server is not on the vpn", does that mean it's a client?

    You also say "when I connect to the external IP my server THINKS it has". It can't think anything, not yet anyway. It either has some IP or not. And ranges used for vpn are not external, not public.

    You need to understand first how you have your system connected. Just follow the traffic. Imagine it going from your machine to the server. Where does it need to pass, imagine the whole route?
    Darko.
    -----------------------------------------------------------------------
    Ubuntu 14.04 LTS 64bit & Windows 10 Pro 64bit

  4. #4
    Join Date
    Sep 2008
    Location
    England
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: SSH and OpenVPN

    Pinging works.

    OK, I'm new to networking so I'll try to explain better: I have a home server (physically in my house) which I can connect to via SSH using PuTTY from my work computer (physically in my office).

    I then enable OpenVPN on my server in my house and connect to someone's server in another country, then I SSH to my home server from my laptop connected to my home network and run this code:

    wget -q -O - checkip.dyndns.org | sed -e 's/[^[:digit:]|.]//g'

    I then go to my office and try to PuTTY in with the same settings, except I use the above IP address.

    Does that make sense? Diagrams might be clearer.
    Last edited by AmbiguousOutlier; May 7th, 2013 at 08:48 PM.

  5. #5
    Join Date
    Nov 2009
    Location
    Mataro, Spain
    Beans
    13,593
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: SSH and OpenVPN

    So, you connect your server as a vpn client to another server running vpn? If that remote server has the vpn configuration set to become the gateway for all vpn clients, then your home server as a client starts using the remote server as gateway to the internet as soon as the vpn tunnel is established. So, when you check the public IP you actually get the public IP of the remote server location. Makes sense?

    So, when trying to ssh into that IP you are actually trying to ssh into the remote server, not your home server. And hence you are getting declined.

    That's what I think is happening.

    Under the assumption the above is true, you can try this:
    Find out your home server private IP after it connects to the vpn (you can still ssh to it from your home, right?). It will have a private IP on the tun0 interface it opens for the vpn. Or similar...
    Then at work, connect your computer to the same remote vpn server. That will put you into the same vpn network.
    After that you should be able to ssh into your home server using the private IP, since your work machine will have an IP in the same range too, being a client connected to the same vpn.

    Does that make sense?
    Darko.
    -----------------------------------------------------------------------
    Ubuntu 14.04 LTS 64bit & Windows 10 Pro 64bit

  6. #6
    Join Date
    Sep 2008
    Location
    England
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: SSH and OpenVPN

    That makes sense Darko.

    So are you basically saying I need to connect both my work pc and my home server as clients to the same vpn server? This way, they'll appear to be on the same local network and then I can connect as I do when I'm physically at home.

    However, at work we have a proxy server and IT restrictions won't let me install any "proxy avoidance" software.

    Why am I not able to connect to my router's external IP address and just let that forward me to my home server?

  7. #7
    Join Date
    Nov 2009
    Location
    Mataro, Spain
    Beans
    13,593
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: SSH and OpenVPN

    Usually vpn clients are proxy aware. I wouldn't say any vpn client is proxy avoidance software although it might be considered as such since vpn will allow you to go out to the internet using a different route than your proxy.

    When trying to access your server from outside, you have to take two important things into account:
    1. Make sure you have the correct public IP. After you connect your home server to the remote vpn its public IP might change since it might be routed through the vpn server. So, do not connect your home server to any vpn, and check the public IP. Or check it directly on the router.
    2. Make sure in the router configuration you have port 22 (or whichever port you use for SSH if you changed the default one) forwarded to the server private IP. Also make sure the router firewall is allowing incoming traffic on port 22. Sometimes forwarding a port creates the necessary firewall rule, sometimes not. So it's best to double check it.

    Also note that making your SSH publicly available will open your server to attacks. Expect people to start trying to enter your server immediately. Make sure you close SSH good. It's best to use key authentication, and in any case disable root SSH login.

    Also, if your office has a fixed public IP, make the port forwarding/firewall accept traffic on your SSH port originating only from your office IP. That will help block most of the attacks.
    Darko.
    -----------------------------------------------------------------------
    Ubuntu 14.04 LTS 64bit & Windows 10 Pro 64bit

  8. #8
    Join Date
    Sep 2008
    Location
    England
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: SSH and OpenVPN

    So I have the public IP of my router. I also have the public IP of my server once it's connected to the VPN.

    The router has port 22 forwarded to the private IP of my home server. DHCP is disabled and a static IP has been created. The firewall on my router has the rules set up on port 22 and TCP (although it's temporarily disabled until I understand how this all works).

    I have also disabled root and had keys set up but I've enabled password authentication (again until I understand how it all works).

    So if I connect to the public IP on my router using PuTTY and port 22 I get an error after about a minute, saying "Server unexpectedly closed network connection".

  9. #9
    Join Date
    Nov 2009
    Location
    Mataro, Spain
    Beans
    13,593
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: SSH and OpenVPN

    It should work, if all is set correctly. Double check everything. You are running ssh on the default port 22, right?
    Darko.
    -----------------------------------------------------------------------
    Ubuntu 14.04 LTS 64bit & Windows 10 Pro 64bit

  10. #10
    Join Date
    Sep 2008
    Location
    England
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: SSH and OpenVPN

    This is /etc/ssh/sshd_config

    Code:
    # Package generated configuration file
    # See the sshd_config(5) manpage for details
    
    # What ports, IPs and protocols we listen for
    Port 22
    # Use these options to restrict which interfaces/protocols sshd will bind to
    #ListenAddress ::
    #ListenAddress 0.0.0.0
    Protocol 2
    # HostKeys for protocol version 2
    HostKey /etc/ssh/ssh_host_rsa_key
    HostKey /etc/ssh/ssh_host_dsa_key
    HostKey /etc/ssh/ssh_host_ecdsa_key
    #Privilege Separation is turned on for security
    UsePrivilegeSeparation yes
    
    # Lifetime and size of ephemeral version 1 server key
    KeyRegenerationInterval 3600
    ServerKeyBits 768
    
    # Logging
    SyslogFacility AUTH
    LogLevel INFO
    
    # Authentication:
    LoginGraceTime 120
    PermitRootLogin no
    StrictModes yes
    
    RSAAuthentication yes
    PubkeyAuthentication yes
    #AuthorizedKeysFile     %h/.ssh/authorized_keys
    
    # Don't read the user's ~/.rhosts and ~/.shosts files
    IgnoreRhosts yes
    # For this to work you will also need host keys in /etc/ssh_known_hosts
    RhostsRSAAuthentication no
    # similar for protocol version 2
    HostbasedAuthentication no
    # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
    #IgnoreUserKnownHosts yes
    
    # To enable empty passwords, change to yes (NOT RECOMMENDED)
    PermitEmptyPasswords no
    
    # Change to yes to enable challenge-response passwords (beware issues with
    # some PAM modules and threads)
    ChallengeResponseAuthentication no
    
    # Change to no to disable tunnelled clear text passwords
    #PasswordAuthentication no
    
    # Kerberos options
    #KerberosAuthentication no
    #KerberosGetAFSToken no
    #KerberosOrLocalPasswd yes
    #KerberosTicketCleanup yes
    
    # GSSAPI options
    #GSSAPIAuthentication no
    #GSSAPICleanupCredentials yes
    
    X11Forwarding yes
    X11DisplayOffset 10
    PrintMotd no
    PrintLastLog yes
    TCPKeepAlive yes
    #UseLogin no
    
    #MaxStartups 10:30:60
    #Banner /etc/issue.net
    
    # Allow client to pass locale environment variables
    AcceptEnv LANG LC_*
    
    Subsystem sftp /usr/lib/openssh/sftp-server
    
    # Set this to 'yes' to enable PAM authentication, account processing,
    # and session processing. If this is enabled, PAM authentication will
    # be allowed through the ChallengeResponseAuthentication and
    # PasswordAuthentication.  Depending on your PAM configuration,
    # PAM authentication via ChallengeResponseAuthentication may bypass
    # the setting of "PermitRootLogin without-password".
    # If you just want the PAM account and session checks to run without
    # PAM authentication, then enable this but set PasswordAuthentication
    # and ChallengeResponseAuthentication to 'no'.
    UsePAM yes

    Does this look correct to you?

    I've double checked everything else, and I restarted SSH, now back to work to see if it still doesn't let me login.

    EDIT: Still doesn't work.
    Last edited by AmbiguousOutlier; May 8th, 2013 at 01:50 PM.
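
Added example, not part of the thread: a small audit of an sshd_config against the advice in post #7 (key authentication, no root login), run over a constructed excerpt of the file posted in #10. The function names `sshd_effective` and `audit_sshd` are hypothetical, and built-in defaults are passed as arguments because they differ between OpenSSH versions.

```shell
#!/bin/sh
# Print the effective global value of keyword $2 in file $1, or default $3.
# sshd keeps the first value it reads for a keyword, keywords are
# case-insensitive, and a commented-out line leaves the built-in default.
sshd_effective() {
    awk -v key="$2" -v def="$3" '
        $1 ~ /^#/                   { next }   # comment line
        tolower($1) == "match"      { exit }   # global section ends here
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# Warn about settings that contradict post #7; return 1 if any warning fired.
audit_sshd() {
    rc=0
    v=$(sshd_effective "$1" PermitRootLogin prohibit-password)
    [ "$v" = no ] || { echo "WARN PermitRootLogin=$v: root can log in"; rc=1; }
    v=$(sshd_effective "$1" PubkeyAuthentication yes)
    [ "$v" = yes ] || { echo "WARN PubkeyAuthentication=$v: keys unusable"; rc=1; }
    v=$(sshd_effective "$1" PasswordAuthentication yes)
    [ "$v" = no ] || { echo "WARN PasswordAuthentication=$v: passwords accepted"; rc=1; }
    return $rc
}

# Constructed sample: the relevant lines of the config shown in post #10.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
Port 22
PermitRootLogin no
PubkeyAuthentication yes
# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication no
UsePAM yes
EOF

audit_sshd "$sample" || true
```

On a live host, `sshd -T` run as root prints the effective configuration as sshd itself computes it.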
