BlueFusion Guru
Joined: 08 Mar 2006 Posts: 371
Posted: Tue Mar 24, 2015 4:56 pm Post subject: [SOLVED] OpenVPN client + NAT routing issue
I have a PC with OpenVPN client connecting to PrivateInternetAccess servers. When it is connected (which is always), I am unable to SSH into the PC from the internet. I can SSH into the PC no problem on the local network. I am running some simple iptables rules, but I tested with iptables disabled and it does not fix it. I've tested with iptables running and OpenVPN disconnected and it works no problem.
It appears to be an issue with NAT and OpenVPN routing which I am trying to resolve.
I tried to use iptables to mark the SSH packets and force them to the NAT router, but it doesn't seem to work. Ideas?
Quote: | # iptables -A PREROUTING -t mangle -i eth0 -p tcp --dport 22 -j MARK --set-mark 1
# ip route add default via 10.2.1.1 dev eth0 table sshtable
# ip rule add from all fwmark 1 table sshtable
# tail /etc/iproute2/rt_tables
255 local
254 main
253 default
0 unspec
1 sshtable
# ip route show
0.0.0.0/1 via 10.168.1.5 dev tun0
default via 10.2.1.1 dev eth0 metric 2
10.2.1.0/24 dev eth0 proto kernel scope link src 10.2.1.12
10.168.1.1 via 10.168.1.5 dev tun0
10.168.1.5 dev tun0 proto kernel scope link src 10.168.1.6
108.61.19.6 via 10.2.1.1 dev eth0
127.0.0.0/8 dev lo scope host
127.0.0.0/8 via 127.0.0.1 dev lo
128.0.0.0/1 via 10.168.1.5 dev tun0
# ip route show table sshtable
default via 10.2.1.1 dev eth0
# ip rule show
0: from all lookup local
32765: from all fwmark 0x1 lookup sshtable
32766: from all lookup main
32767: from all lookup default |
Last edited by BlueFusion on Tue Apr 07, 2015 9:13 pm; edited 1 time in total
Klayman n00b
Joined: 10 Jun 2009 Posts: 10
Posted: Tue Mar 24, 2015 6:24 pm
When your PC is connected through VPN your public (Internet facing) IP address is what your VPN provider assigns to you and is different from what you got from the ISP. You should set up a dynamic DNS service and make your PC update the dynamic domain name to the VPN IP address.
This is because all your traffic is routed through the tunnel and by connecting to the ISP provided IP the packets never reach your SSH daemon.
BlueFusion Guru
Joined: 08 Mar 2006 Posts: 371
Posted: Tue Mar 24, 2015 7:50 pm
Klayman wrote: | When your PC is connected through VPN your public (Internet facing) IP address is what your VPN provider assigns to you and is different from what you got from the ISP. You should set up a dynamic DNS service and make your PC update the dynamic domain name to the VPN IP address.
This is because all your traffic is routed through the tunnel and by connecting to the ISP provided IP the packets never reach your SSH daemon. |
That's the problem. I can't SSH into the PC using the VPN IP. All inbound ports are blocked/firewalled by the OpenVPN server, over which I have no control. I need to reach this PC remotely using my ISP's IP address (through my NAT router, which has port 22 port-forwarded, and confirmed working).
Hu Moderator
Joined: 06 Mar 2007 Posts: 21605
Posted: Wed Mar 25, 2015 1:26 am
When the VPN is up, is the route to the ssh client through the VPN or through the public Internet? If the former, then reverse path filtering will likely prevent the connection from working properly.
BlueFusion Guru
Joined: 08 Mar 2006 Posts: 371
Posted: Sat Mar 28, 2015 6:49 pm
Through public internet. There's no way to overcome this with iptables + ip route?
Hu Moderator
Joined: 06 Mar 2007 Posts: 21605
Posted: Sat Mar 28, 2015 9:55 pm
If the VPN client's route to the ssh client is over the public Internet, then this should already work. Reverse path filtering would only be a problem if the route back to the ssh client was over the VPN.
BlueFusion Guru
Joined: 08 Mar 2006 Posts: 371
Posted: Tue Apr 07, 2015 9:12 pm
I figured it out.
Created /etc/openvpn/openvpn.pia-up.sh containing:
Quote: | #!/bin/sh
# Relax reverse-path filtering: with the VPN up, the main table routes public
# addresses back via tun0, so strict rp_filter drops their packets arriving on eth0.
sysctl -w net.ipv4.conf.all.rp_filter=0
sysctl -w net.ipv4.conf.eth0.rp_filter=0
sysctl -w net.ipv4.conf.tun0.rp_filter=0
# "replace" and del-then-add keep this idempotent across reconnects ("add" fails with "File exists").
ip route replace default via 10.2.1.1 dev eth0 table sshtable || exit 1
ip rule del fwmark 1 table sshtable 2>/dev/null
ip rule add from all fwmark 1 table sshtable || exit 1 |
Rule added to my iptables firewall (marks SSH replies so they take the sshtable route out eth0 instead of the tunnel):
Quote: | iptables -A OUTPUT -t mangle -p tcp --sport 22 -j MARK --set-mark=1 |
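The following is an added example, not code from the thread. It replays the route lookup and the strict reverse-path check (rp_filter=1) that Hu asked about against the routing table posted in the first post, with and without the fwmark rule from the final post. The remote SSH client address 203.0.113.5 is a constructed TEST-NET-3 address; the parser only looks at destination, device and metric, which is all this check needs.

```python
"""Simulate the Linux route lookup and strict reverse-path filter (rp_filter=1)
against the routing table posted in this thread, with and without the
fwmark policy-routing rule from the final post.  Added example, not thread code."""
import ipaddress
from typing import List, NamedTuple, Optional

# "ip route show" output as posted in the thread while the VPN is up.
MAIN_TABLE = """
0.0.0.0/1 via 10.168.1.5 dev tun0
default via 10.2.1.1 dev eth0 metric 2
10.2.1.0/24 dev eth0 proto kernel scope link src 10.2.1.12
10.168.1.1 via 10.168.1.5 dev tun0
10.168.1.5 dev tun0 proto kernel scope link src 10.168.1.6
108.61.19.6 via 10.2.1.1 dev eth0
127.0.0.0/8 dev lo scope host
128.0.0.0/1 via 10.168.1.5 dev tun0
"""
# "ip route show table sshtable" as posted.
SSH_TABLE = "default via 10.2.1.1 dev eth0\n"


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    dev: str
    metric: int


def parse_table(text: str) -> List[Route]:
    """Parse 'ip route show' lines into Route entries (dst, dev, metric only)."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        # A bare host such as 108.61.19.6 becomes a /32.
        prefix = ipaddress.ip_network(dst, strict=False)
        dev = fields[fields.index("dev") + 1]
        metric = int(fields[fields.index("metric") + 1]) if "metric" in fields else 0
        routes.append(Route(prefix, dev, metric))
    return routes


MAIN = parse_table(MAIN_TABLE)
SSHTABLE = parse_table(SSH_TABLE)


def lookup(routes: List[Route], addr: str) -> Optional[str]:
    """Longest-prefix match; lower metric wins among equal prefix lengths."""
    ip = ipaddress.ip_address(addr)
    best = None
    for r in routes:
        if ip in r.prefix:
            if best is None or (r.prefix.prefixlen, -r.metric) > (best.prefix.prefixlen, -best.metric):
                best = r
    return best.dev if best else None


def egress_dev(addr: str, fwmark: int = 0) -> Optional[str]:
    """Policy routing as in the thread's 'ip rule show': fwmark 1 -> sshtable (prio 32765),
    then main (32766).  A table with no matching route falls through to the next rule."""
    rules = [(1, SSHTABLE), (None, MAIN)]
    for mark, table in rules:
        if mark is not None and mark != fwmark:
            continue
        dev = lookup(table, addr)
        if dev is not None:
            return dev
    return None


def strict_rp_filter_accepts(src: str, ingress_dev: str, fwmark: int = 0) -> bool:
    """rp_filter=1: a packet is accepted only if the route back to its source
    leaves through the interface it arrived on."""
    return egress_dev(src, fwmark) == ingress_dev


if __name__ == "__main__":
    # 203.0.113.5 is a constructed (TEST-NET-3) address standing in for the remote SSH client.
    for src in ("203.0.113.5", "10.2.1.7"):
        print(src, "-> reply via", egress_dev(src),
              "| arrives on eth0, strict rp_filter accepts:", strict_rp_filter_accepts(src, "eth0"))
    print("203.0.113.5 with fwmark 1 -> reply via", egress_dev("203.0.113.5", fwmark=1))
```

With this table every public source address matches either 0.0.0.0/1 or 128.0.0.0/1 and is routed back via tun0, so an SSH SYN arriving on eth0 fails the strict check and is dropped before the firewall sees it; only the LAN (10.2.1.0/24) and the VPN endpoint 108.61.19.6 route out eth0. The fwmark rule steers the replies out eth0, and rp_filter has to be relaxed for the unmarked inbound packets. Setting rp_filter=2 (loose mode, accept if any route to the source exists) is a smaller change than 0 if turning the check off entirely is unwanted.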