I would like to ask a question:

How can I control a Raspberry remotely via ssh by routing traffic through a VPS with VPN (openvpn-server) installed?

Important condition: It's not possible to change the firewall and router rules in LAN-01; that's why I opted for a cloud VPS.

Premise, this is my current configuration:

  • RPI-01 = Raspberry (Raspbian)
  • PC-02 = Personal Laptop (Ubuntu desktop)
  • VPS = Amazon AWS EC2 (Ubuntu server)
    • VPN = openvpn

The answer I gave myself is that I should configure:

  1. VPS = openvpn-server
  2. RPI-01 & PC-02 = openvpn-clients.

Considering that the SSH protocol is TCP, I should configure OpenVPN in such a way that it accepts SSH traffic, but the issue is that I didn't quite understand how I can make the VPS route traffic coming from PC-02 to RPI-01 and vice versa.

PC-02(LAN1) <---VPN+SSH---> VPS(openvpn-server) <---VPN+SSH---> PC-01(LAN2)

Thank you all

1 Answer

I modified your post and changed rotated to route, which I assume is what you mean and is a different question to what you asked.

The part you seem to be missing is that a VPN overlays a second network over the first, providing the devices with a second set of IPs. In order to communicate between the devices you use these second IPs to ensure the data is routed via the VPN. (You will want to ensure that the VPN is set up with an IP range, or IP ranges, which are different to the ones assigned to your LAN. 172.16.x.x is a common choice.)

Once the OpenVPN server and clients are set up, you just need to ensure that the SSH server on the Pi does not block connections from the VPN range (and having this accessible would be the default behaviour). The key thing is when you want to access the device you use the IP assigned in the VPN network.

As an aside - you have specified openvpn-server. I've done this kind of thing with OpenVPN server and know it is indeed practical. That said, for a new install I would be using WireGuard instead - it is much easier to understand and configure and has way better performance. (OpenVPN has a lot of intuitive stuff around iroutes which relates to modifying routes in the kernel and which I've never gotten my head fully around, despite multiple attempts. WireGuard works as one would expect.)

  • Thank you for your reply, so these days I will try to study WireGuard and try the infrastructure set-up. Very last thing: it will be necessary to make a routing table on the VPS, right? How can I make sure that incoming traffic from 192.168.1.X is forwarded to the 192.168.2.X network?
    – adiu11
    Commented Oct 28, 2023 at 19:23
  • is the logical connection correctly designed? Like this image
    – adiu11
    Commented Oct 28, 2023 at 19:53
  • You should not need to make a routing table on the VPS - once the VPS can see each of the clients it will have it in its routing table. You may need to enable ip_forwarding - and should google how to do this for your distro - "echo 1 > /proc/sys/net/ipv4/ip_forward" will work but there are likely better, slightly distro specific versions...
    – davidgo
    Commented Oct 28, 2023 at 23:23
  • You may need to add routes on the end devices depending on how your VPN is configured. You would do something like "ip route add 192.168.x.x via VPSVPNIP"
    – davidgo
    Commented Oct 28, 2023 at 23:25
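
The addressing advice from the answer and its comments, as an added example that is not part of the original posts: a Python check that a candidate VPN range does not collide with either LAN, and that lists what an SSH target needs before it is reachable through the tunnel. The 172.16.0.0/24 range, the two host addresses and the function names are assumptions chosen for illustration.

```python
import ipaddress

# Constructed sample plan: LAN ranges from the asker's comment, VPN range from
# the answer's 172.16.x.x suggestion; the two host addresses are assumptions.
LANS = {"LAN-01": "192.168.1.0/24", "LAN-02": "192.168.2.0/24"}
VPN = "172.16.0.0/24"
VPS_VPN_IP = "172.16.0.1"
RPI_VPN_IP = "172.16.0.10"


def check_plan(vpn_cidr, lan_cidrs):
    """Return a list of problems; an empty list means the VPN range is usable."""
    vpn = ipaddress.ip_network(vpn_cidr)
    problems = []
    if not vpn.is_private:
        problems.append(f"{vpn} is not a private range")
    for name, cidr in lan_cidrs.items():
        if vpn.overlaps(ipaddress.ip_network(cidr)):
            problems.append(f"{vpn} overlaps {name} ({cidr})")
    return problems


def ssh_requirements(target, vpn_cidr, lan_cidrs, vps_vpn_ip):
    """List what must be in place before `ssh <target>` crosses the tunnel."""
    ip = ipaddress.ip_address(target)
    if ip in ipaddress.ip_network(vpn_cidr):
        # Overlay address: the tunnel interface already has a route for it.
        return []
    for cidr in lan_cidrs.values():
        if ip in ipaddress.ip_network(cidr):
            # LAN address behind another client: needs the steps from the comments.
            return [f"ip route add {cidr} via {vps_vpn_ip}",
                    "net.ipv4.ip_forward = 1 on the VPS"]
    raise ValueError(f"{target} is in neither the VPN range nor a known LAN")


if __name__ == "__main__":
    print(check_plan(VPN, LANS))               # usable range
    print(check_plan("192.168.0.0/22", LANS))  # collides with both LANs
    for target in (RPI_VPN_IP, "192.168.2.15"):
        print(target, ssh_requirements(target, VPN, LANS, VPS_VPN_IP))
```

Connecting to the Pi by its VPN address needs nothing beyond the tunnel itself, which is why the answer recommends using the VPN-assigned IP rather than the 192.168.2.X one.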
