
#1 2021-09-22 20:49:55

LouisDK
Member
Registered: 2013-10-06
Posts: 12

Can't SSH from WAN IP (via port forward) when connected to OpenVPN

Hi

I have an Arch Linux box behind NAT which due to port forwarding can be reached from the WAN side.

However, the minute I start my OpenVPN connection on the machine, I can only ssh into it from the LAN side, and SSH connections from the WAN just time out.

I've tried searching but didn't find any guides which would help me solve this. If you need any further info please let me know.

[user@hostname ~]$ ip route
0.0.0.0/1 via 10.5.0.1 dev tun0 
default via 192.168.1.1 dev enp2s0 proto dhcp src 192.168.1.114 metric 1002 
10.5.0.0/16 dev tun0 proto kernel scope link src 10.5.0.6 
91.193.4.34 via 192.168.1.1 dev enp2s0 
128.0.0.0/1 via 10.5.0.1 dev tun0 
192.168.1.0/24 dev enp2s0 proto dhcp scope link src 192.168.1.114 metric 1002

Content of my openvpn conf:

client
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
remote-cert-tls server
ping 10
ping-restart 60
sndbuf 524288
rcvbuf 524288
cipher AES-256-CBC
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA
proto tcp
auth-user-pass mullvad_userpass.txt
ca mullvad_ca.crt
tun-ipv6
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
remote-random
remote ch-zrh-001.mullvad.net 443
remote ch-zrh-305.mullvad.net 443
remote ch-zrh-303.mullvad.net 443
remote ch-zrh-302.mullvad.net 443
remote ch-zrh-002.mullvad.net 443
remote ch-zrh-202.mullvad.net 443
remote ch-zrh-004.mullvad.net 443
remote ch-zrh-301.mullvad.net 443
remote ch-zrh-201.mullvad.net 443
remote ch-zrh-304.mullvad.net 443
remote ch-zrh-003.mullvad.net 443

UPDATE:

Looking at my router's logs, it seems like it tries to forward the traffic to my box when OpenVPN is running on it; however, it's not shown in "journalctl -u sshd -n 100", only if I SSH from another machine on the LAN side.

Log when trying to connect from my laptop (also running Arch):

[laptopuser@hostname ~]$ ssh PUBLIC_IP -p2222 -vvv
OpenSSH_8.7p1, OpenSSL 1.1.1l  24 Aug 2021
debug1: Reading configuration data /home/laptopuser/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/home/laptopuser/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/home/laptopuser/.ssh/known_hosts2'
debug2: resolving "PUBLIC_IP" port 2222
debug3: ssh_connect_direct: entering
debug1: Connecting to PUBLIC_IP [ipv4_adr] port 2222.
debug3: set_sock_tos: set socket 3 IP_TOS 0x48

Last edited by LouisDK (2021-09-22 20:58:54)


#2 2021-09-22 21:00:45

jasonwryan
Anarchist
From: .nz
Registered: 2009-05-09
Posts: 30,424

Re: Can't SSH from WAN IP (via port forward) when connected to OpenVPN


Arch + dwm   •   Mercurial repos  •   Surfraw

Registered Linux User #482438


#3 2021-09-22 23:04:42

LouisDK
Member
Registered: 2013-10-06
Posts: 12

Re: Can't SSH from WAN IP (via port forward) when connected to OpenVPN

[root@server ~]# ip rule add fwmark 65 table novpn
Error: argument "novpn" is wrong: invalid table ID

I modified the commands and ran as root:

ip rule add fwmark 65 table 4000
ip route add default via 192.168.1.1 dev enp2s0 table 4000
ip route flush cache
iptables -t mangle -A OUTPUT -p tcp --sport 22 -j MARK --set-mark 65
iptables -A INPUT -i tun0 -p tcp -m tcp --dport 22 -j DROP

I'm sure that the gateway and ethernet interface are correct, however I still can't SSH from the WAN side.

I'm unsure if setting the table to "4000" is a good idea.

[user@server ~]$ ip route
default via 192.168.1.1 dev enp2s0 proto dhcp src 192.168.1.114 metric 1002 
10.9.0.0/16 dev tun0 proto kernel scope link src 10.9.0.5 
192.168.1.0/24 dev enp2s0 proto dhcp scope link src 192.168.1.114 metric 1002 
[user@server ~]$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       tcp  --  anywhere             anywhere             tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

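A fuller version of the policy-routing setup attempted in #3, written as an added example (not code from the thread or from Mullvad). It registers the `novpn` table name that caused the "invalid table ID" error, marks only the connections that came in through the router's port forward (with CONNMARK, so replies inherit the mark instead of marking all port-22 traffic), and loosens reverse-path filtering on enp2s0 so WAN packets are not discarded before sshd sees them. Interface, gateway, subnet and mark 65 are from the thread; it assumes sshd listens on port 22 with the router mapping 2222 to it, and that table number 200 is unused.

```shell
#!/bin/sh
# Route SSH replies for connections that arrived via the router's port forward
# out through the LAN gateway instead of the OpenVPN tunnel's split default.
LAN_IF="enp2s0"            # interface towards the router (from the thread)
LAN_GW="192.168.1.1"       # router / LAN default gateway (from the thread)
LAN_NET="192.168.1.0/24"   # local subnet (from the thread)
VPN_IF="tun0"              # OpenVPN interface (from the thread)
SSH_PORT="22"              # local sshd port; ASSUMPTION: router maps 2222 -> 22
MARK="65"                  # fwmark for "answer outside the VPN" (from the thread)
TABLE_ID="200"             # ASSUMPTION: an unused routing table number (1-252)
TABLE_NAME="novpn"         # the table name used in the thread
RT_TABLES="${RT_TABLES:-/etc/iproute2/rt_tables}"

# run: execute a command, or only print it when DRY_RUN is set (review without root).
run() {
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# "table novpn" gives "invalid table ID" until the name is mapped to a number.
register_table() {
    grep -qs "[[:space:]]$TABLE_NAME\$" "$RT_TABLES" && return 0
    run sh -c "printf '%s\t%s\n' '$TABLE_ID' '$TABLE_NAME' >> '$RT_TABLES'"
}

setup_novpn_route() {
    register_table
    # Strict rp_filter (1) drops a WAN source arriving on enp2s0, because its
    # best reverse path is tun0 (0.0.0.0/1 + 128.0.0.0/1); loose (2) accepts it.
    run sysctl -q -w "net.ipv4.conf.$LAN_IF.rp_filter=2"
    # Marked packets consult the side table, whose only route is the LAN gateway.
    run ip rule add fwmark "$MARK" table "$TABLE_NAME"
    run ip route replace default via "$LAN_GW" dev "$LAN_IF" table "$TABLE_NAME"
    run ip route flush cache
    # Mark the connection (not every port-22 packet) when it enters on the LAN
    # interface from a non-LAN source, i.e. via the port forward; restoring the
    # mark in OUTPUT makes only those replies use the novpn table, so sessions
    # from LAN hosts keep their normal route.
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" ! -s "$LAN_NET" \
        -p tcp --dport "$SSH_PORT" -j CONNMARK --set-mark "$MARK"
    run iptables -t mangle -A OUTPUT -p tcp --sport "$SSH_PORT" \
        -j CONNMARK --restore-mark
    # Optional, as in the thread: do not accept SSH arriving through the VPN.
    run iptables -A INPUT -i "$VPN_IF" -p tcp --dport "$SSH_PORT" -j DROP
}

# Usage: sh novpn-ssh.sh dryrun (print the plan) | sudo sh novpn-ssh.sh apply
case "${1:-}" in
    apply)  setup_novpn_route ;;
    dryrun) DRY_RUN=1 setup_novpn_route ;;
esac
```

The rules are not persistent; once `dryrun` shows the expected plan and `apply` makes WAN SSH work alongside the VPN, move them into an OpenVPN `up` script or a firewall unit so they survive a tunnel restart.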
