2

In my setup, first I need to connect to a VPN and then I am required to ssh into a server.

Currently I do like this:

openvpn myconfig.ovpn
ssh myuser@myserver

which makes all my network traffic go through that VPN.

However, I do not want all my data traffic to go through this VPN. Using GNU/Linux, which tools do I use to use a VPN only in one specific ssh connection?

That is, which tools can I use in a bash script to be able to do the following:

ssh-over-vpn.sh myuser.ovpn [email protected]

and to use the vpn config only for the ssh connect to [email protected] ?

My current myuser.ovpn configuration file has:

client
dev tun
proto udp
sndbuf 0
rcvbuf 0
remote 200.200.200.18 443
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-GCM
setenv opt block-outside-dns
key-direction 1
verb 3
<ca> ... </ca>
<cert> ...
<key> ...
<tls-auth> ...
3
  • You should contact the VPN server operators to see if they can configure the VPN to permit what you want. They may have a policy requiring all traffic to go through the VPN. Otherwise, they might be able to configure the VPN software so that only traffic to certain addresses is routed through the VPN, instead of all traffic.
    – Kenster
    Commented Jun 3, 2022 at 15:20
  • 1
    Alternately, some people would use a jump server instead of a VPN to allow access into a private network.
    – Kenster
    Commented Jun 3, 2022 at 15:21
  • @Kenster it's exactly that, they have a policy requiring all traffic to go through the VPN.
    – Marc Kees
    Commented Jun 3, 2022 at 20:06

2 Answers

2

However, I do not want all my data traffic to go through this VPN. Using GNU/Linux, which tools do I use to use a VPN only in one specific ssh connection?

Change your OpenVPN client configuration to not pull the 'default' route from the server; instead specify only the routes needed:

route-nopull
route 10.0.0.66 255.255.255.255 vpn_gateway

That is, which tools can I use into a bash script to be able to do the following:

There isn't much to choose from. Similar tools are relatively easy for SOCKS proxies (e.g. torify) as the transport-layer tunnels directly map to sockets that the wrapped program creates – it becomes a bit more difficult with IP-layer tunnels (VPNs) as then the wrapping tool would need to reimplement most of the operating system's network stack (generating IP packets, mapping received packets to the emulated sockets...) in addition to reimplementing the actual OpenVPN protocol.

The closest thing you could use is network namespaces (one of the building blocks for containers) which give the program a completely isolated set of interfaces and routing tables. It's easy to create a network namespace using unshare or ip netns and run programs within, but by default they're disconnected (the openvpn client wouldn't have access to the server) so you also need to link it to the "main" namespace using veth, etc.

All of this namespace setup ends up reimplementing parts of Docker/nspawn/etc, so it might be possible to just spin up a Docker container that runs your OpenVPN client and the SSH client.

8
  • Then, should I just add these 2 lines to the myuser.ovpn configuration file? (Added the configuration just now.)
    – Marc Kees
    Commented Jun 3, 2022 at 20:15
  • I just tried but my computer could not access the server. Is this something related to the dev tun part?
    – Marc Kees
    Commented Jun 3, 2022 at 20:22
  • I.e. you can access it with the "pulled" routing setup, and you can't with this one? Please show ip route when your computer has just connected with the "pulled" setup, or set verb 5 in the OpenVPN config and show the client log from when it has just connected. Commented Jun 4, 2022 at 3:24
  • I retried what @user1686 suggested and found a mistake I did. This answer is good.
    – Marc Kees
    Commented Nov 2, 2022 at 14:07
  • Can I ask what 10.0.0.66 is? I know that 10.0.0.0/8 is a reserved address block for internal network communications. Is 10.0.0.66 something unique to using ssh? Commented May 4 at 18:32
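The network-namespace approach this answer describes, worked out as the ssh-over-vpn.sh script the question asked for. This is an added example, not code from the answer, the question or the OpenVPN project. It assumes: a namespace named sshvpn, a veth pair with the constructed link 10.200.200.0/30, that the client's "dev tun" comes up as tun0 inside the fresh namespace, a public resolver (9.9.9.9) for the namespace, iptables for the MASQUERADE rule on the host, and that the script is started with sudo so ssh can be dropped back to the invoking user. The OpenVPN server may push a default route as it likes; it only lands in the namespace's routing table, so the host's traffic stays off the VPN.

```shell
#!/bin/sh
# ssh-over-vpn.sh: run the OpenVPN client inside its own network
# namespace and start a single ssh session from there. The routes the
# server pushes exist only in that namespace; the host's main routing
# table is untouched.
#
#   sudo ./ssh-over-vpn.sh myuser.ovpn myuser@10.0.0.66
#
# All names and addresses below are assumptions made for this example.
set -eu

NS=sshvpn                    # namespace holding the VPN and the ssh session
HOST_VETH=veth-${NS}-h       # host end of the veth pair
NS_VETH=veth-${NS}-n         # namespace end of the veth pair
LINK_NET=10.200.200.0/30     # constructed point-to-point link for the pair
HOST_ADDR=10.200.200.1
NS_ADDR=10.200.200.2
PIDFILE=/run/${NS}-openvpn.pid

# Host part of an ssh target: "user@host" -> "host", "host" -> "host".
target_host() {
    printf '%s\n' "${1#*@}"
}

# Succeeds only for "CONFIG TARGET" with a readable config and a non-empty host.
check_args() {
    [ "$#" -eq 2 ] && [ -r "$1" ] && [ -n "$(target_host "$2")" ]
}

cleanup() {
    if [ -f "$PIDFILE" ]; then
        kill "$(cat "$PIDFILE")" 2>/dev/null || true
        rm -f "$PIDFILE"
    fi
    iptables -t nat -D POSTROUTING -s "$LINK_NET" -j MASQUERADE 2>/dev/null || true
    ip netns del "$NS" 2>/dev/null || true   # also destroys the veth pair
    rm -rf "/etc/netns/$NS"
}

setup_namespace() {
    ip netns add "$NS"
    ip link add "$HOST_VETH" type veth peer name "$NS_VETH"
    ip link set "$NS_VETH" netns "$NS"
    ip addr add "$HOST_ADDR/30" dev "$HOST_VETH"
    ip link set "$HOST_VETH" up
    ip -n "$NS" addr add "$NS_ADDR/30" dev "$NS_VETH"
    ip -n "$NS" link set lo up
    ip -n "$NS" link set "$NS_VETH" up
    ip -n "$NS" route add default via "$HOST_ADDR"
    # The namespace reaches the VPN server through the host's uplink via NAT.
    sysctl -q -w net.ipv4.ip_forward=1
    iptables -t nat -A POSTROUTING -s "$LINK_NET" -j MASQUERADE
    # "ip netns exec" bind-mounts this file over /etc/resolv.conf inside the
    # namespace, so it gets its own resolver (assumed: 9.9.9.9).
    mkdir -p "/etc/netns/$NS"
    printf 'nameserver 9.9.9.9\n' > "/etc/netns/$NS/resolv.conf"
}

start_vpn() {
    # Whatever routes the server pushes, including a default route, only
    # apply inside the namespace where openvpn runs.
    ip netns exec "$NS" openvpn --config "$1" --daemon --writepid "$PIDFILE"
    # Wait (up to 30 s) until the tunnel interface has an IPv4 address.
    i=0
    while ! ip -n "$NS" -4 addr show dev tun0 2>/dev/null | grep -q inet; do
        i=$((i + 1))
        [ "$i" -lt 30 ] || { echo "VPN did not come up" >&2; return 1; }
        sleep 1
    done
}

main() {
    check_args "$@" || { echo "usage: $0 CONFIG.ovpn [user@]host" >&2; exit 2; }
    [ "$(id -u)" -eq 0 ] || { echo "run with sudo: namespaces need root" >&2; exit 1; }
    trap cleanup EXIT INT TERM
    setup_namespace
    start_vpn "$1"
    # ssh runs as the invoking user so that user's keys and known_hosts apply;
    # only this process tree sees the VPN.
    ip netns exec "$NS" sudo -u "${SUDO_USER:-root}" -- ssh "$2"
}

# Run main only when executed as the script itself; sourcing the file
# (for instance to test target_host/check_args) just defines the functions.
case "${0##*/}" in ssh-over-vpn.sh) main "$@" ;; esac
```

Everything the VPN touches (tun0, pushed routes, the namespace's resolv.conf) disappears with the namespace when ssh exits, which is why cleanup runs from an EXIT trap. If the VPN server also blocks traffic that does not go through it, that policy is honoured inside the namespace while the rest of the machine keeps its normal routing.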
0

So VPNs are inherently unaware of anything above the third layer of the OSI model, meaning they can't see what ports or protocols are being used. It may be possible to do some firewall magic to achieve the desired effect, but I would recommend you use SSH directly.

I'm making the assumption that all systems and networks involved are owned and managed by you. SSH is a very secure protocol when configured properly and should be just as safe to use over the internet as openvpn is. There are some great guides out there for "hardening" openssh. A few other recommendations for security:

  • Change the server port to something obscure. This doesn't actually make it more "secure" per se, but it does reduce the number of web scraping bots that flood logs with failed login attempts. I did this a few years ago and I haven't seen a single attempt since.
  • Look into fail2ban. This is a handy piece of software that monitors login attempts and "bans" IP addresses from accessing your server after a number of failures by adding a firewall rule in iptables. It's fantastic.

Once you do that, you can use the ProxyJump config option in openssh to use that connection as a tunnel for other connections on the LAN.

Hope this helps!
