13

I have a server and I want to setup a VPN on it to route all traffic.

Of course I don't want to block myself out when establishing the OpenVPN connection (already did that!) so I want port 22 to be unaffected and be reachable as usual.

Is this possible? And if so, how can I set this up?

10
  • See unix.stackexchange.com/a/145783/6761 Commented Jan 31, 2015 at 20:03
  • Set it all up accordingly (just port 22) but I still can't SSH onto the server and have to do a hard reboot. I am using Ubuntu 14.04. Which OS did you use when you got it working? Also in your answer I think the part of echoing "201 novpn" into etc/iproute2/rt_tables is missing? Commented Jan 31, 2015 at 20:56
  • That's exactly how I set it up on Debian... Commented Jan 31, 2015 at 21:10
  • Alright, thanks. I'll try it again with a fresh Debian install. Commented Jan 31, 2015 at 21:11
  • Using Ubuntu should make no difference. Did you open port 22 in your firewall? Commented Jan 31, 2015 at 21:14

2 Answers

17

You need to add routing to your server so ssh packets get routed via the server's public IP, not the VPN. Failing to do that means the ssh return packet gets routed via openvpn. This is why you get locked out of your server after you've initiated an openvpn client session.

Let's assume your server's:

  • Public IP is a.b.c.d
  • Public IP Subnet is a.b.c.0/24
  • Default Gateway is x.x.x.1
  • eth0 is device to gateway

iproute2 is your friend here. Do the following:

    ip rule add table 128 from a.b.c.d
    ip route add table 128 to a.b.c.0/24 dev eth0
    ip route add table 128 default via x.x.x.1

Run route -n to confirm the new routing table shows up. The above commands won't persist if you reboot the server. You'll need to add them to your network interface config file.

Then run your openvpn client config: openvpn --config youropenvpn-configfile.ovpn &

Added bonus

Also, should you wish to restrict traffic to your public IP to ssh and only ssh then you'll need to add iptables filtering as follows:

    iptables -A INPUT -d a.b.c.d -p tcp --dport <*ssh port number*> -j ACCEPT
    iptables -A INPUT -d a.b.c.d -j DROP

PS: I recall first learning about this on the Linode forum - google it and you should be able to find a post on this.

4
  • Do I need the second command (ip route add table 128 to a.b.c.0/24 dev eth0) if I'm renting just one server from my hosting provider? Why does traceroute show that packets originating from my server are going through vpn network with your setup? Although, my server stays accessible when connected to VPN. Commented Apr 26, 2018 at 15:29
  • You can have just ip route add table 128 to a.b.c.d instead of ip route add table 128 to a.b.c.0/24 dev eth0 if you only have 1 assigned IP, from what I understand. Commented Apr 2, 2019 at 9:52
  • Make sure you're using openvpn. I use the nordvpn binary to connect and this didn't work. When I connect to the NordVPN servers through openvpn, this works fine. Commented Jun 23, 2019 at 20:26
  • "You'll need to add them to your network interface config file." How to do that? How to make these changes persist? Commented Jul 15, 2019 at 22:13
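As an added example (not code from either answer), here is a small helper that installs the policy-routing rule and table from the accepted answer in an idempotent way, so it can be re-run from an ifupdown post-up hook to make the setup persist across reboots (the question raised in the comment above). The addresses, the interface name and the DRY_RUN/verify helpers are assumptions for illustration; table 128 is the number used in the answer.

```shell
#!/bin/sh
# Added example: install the rule/table so that traffic sourced from the server's
# public IP (e.g. SSH replies) leaves via eth0 instead of the OpenVPN default route.
# The addresses below are constructed placeholders; set them for your server.
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"       # the server's public address (a.b.c.d)
PUBLIC_NET="${PUBLIC_NET:-203.0.113.0/24}"   # its on-link subnet (a.b.c.0/24)
GATEWAY="${GATEWAY:-203.0.113.1}"            # the default gateway (x.x.x.1)
DEV="${DEV:-eth0}"                           # the interface facing the gateway
TABLE="${TABLE:-128}"                        # routing table number from the answer

# With DRY_RUN=1 (forced for non-root users) commands are printed, not executed.
[ "$(id -u)" -eq 0 ] || DRY_RUN=1
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# 'ip rule add' is not idempotent (every call adds a duplicate rule), so the rule
# is only added when it is not already present. 'ip route replace' is idempotent,
# which makes this function safe to call from a post-up line in
# /etc/network/interfaces (assumed ifupdown setup, as on Ubuntu 14.04 / Debian).
setup_ssh_bypass() {
    if [ "${DRY_RUN:-0}" = 1 ] || ! ip rule show | grep -q "from $PUBLIC_IP lookup $TABLE"; then
        run ip rule add from "$PUBLIC_IP" table "$TABLE"
    fi
    run ip route replace "$PUBLIC_NET" dev "$DEV" table "$TABLE"
    run ip route replace default via "$GATEWAY" dev "$DEV" table "$TABLE"
}

# Ask the kernel how a packet sourced from the public IP would be routed: after the
# rule is in place the answer should name $DEV, not the tun device, even while the
# VPN holds the default route in the main table. 198.51.100.1 is a constructed host.
verify_ssh_bypass() {
    run ip route get 198.51.100.1 from "$PUBLIC_IP"
    run ip route show table "$TABLE"
}

case "${1:-}" in
    apply) setup_ssh_bypass; verify_ssh_bypass ;;
    *)     echo "usage: $0 apply   (DRY_RUN=1 $0 apply only prints the commands)" ;;
esac
```

Run it as root with `apply` before starting the OpenVPN client; the `ip route get` line is the quick check that the SSH return path no longer depends on the tunnel.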
1

Assuming your VPS server's public IP is 1.2.3.4 and your VPN public IP is 5.6.7.8,

I would edit the file /etc/ssh/sshd_config and add a line:

ListenAddress 1.2.3.4 

So SSHd would be accessible from outside the VPN connection.

1
  • The problem is that the outgoing packages are blocked. The SSH connection just times out on connecting. Commented Mar 14, 2015 at 13:09
