I'm using openconnect to connect to vpn. After entering my credentials, I get this:

POST https://domain.name/...
Got CONNECT response: HTTP/1.1 200 OK
CSTP connected. DPD 30, Keepalive 30
Connected tun0 as xxx.xxx.xxx.xxx, using SSL
Established DTLS connection

Running ifconfig shows I have a new network interface tun0 with a certain IP address.

Question: How do I make ssh use only the network interface tun0 so that I can access computers on that private network?

Edit:

My network configuration (route -n) seems to be this:

172.16.194.0    0.0.0.0         255.255.255.0   U     0      0        0 vmnet8
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
172.16.25.0     0.0.0.0         255.255.255.0   U     0      0        0 vmnet1
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eth0
0.0.0.0         192.168.0.1     0.0.0.0         UG    100    0        0 eth0
  • Can you elaborate on your network configuration? With proper routing in place, any traffic destined for the network attached to tun0 will use that interface.
    – Eli Heady
    Commented Jul 4, 2011 at 18:34

3 Answers

It's not the ssh client that decides through which interface TCP packets should go, it's the kernel. In short, SSH asks the kernel to open a connection to a certain IP address, and the kernel decides which interface is to be used by consulting the routing tables.

(The following assumes you're on GNU/Linux; the general concept is the same for all Unices, but the specifics of the commands to run and the way the output is formatted may vary.)

You can display the kernel routing tables with the commands route -n and/or ip route show.

OpenConnect should have added a line for the tun0 interface; connections to any address matching that line will be routed through that interface. For example, running route -n on my laptop I get the following output:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.30.0.1       0.0.0.0         UG    0      0        0 eth0
10.30.0.0       0.0.0.0         255.255.255.0   U     1      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eth0
192.168.122.0   0.0.0.0         255.255.255.0   U     0      0        0 virbr0

This means that connections to hosts in the 192.168.122.0/24 (i.e., addresses 192.168.122.0 to 192.168.122.255 according to CIDR notation) network will be routed through interface virbr0; those to 169.254.0.0/16 and 10.30.0.0/24 will go through eth0, and anything else (the 0.0.0.0 line) will be routed through eth0 to the gateway host 10.30.0.1.

  • Thanks for clarifying this for me - it seems that openconnect did not add a line for the tun0 interface. I suppose I should do this manually.
    – axel22
    Commented Jul 4, 2011 at 18:36
  • @axel22 You might have a look here: bbs.archlinux.org/viewtopic.php?id=69064 for a script that uses openconnect and sets up the routes.
    Commented Jul 4, 2011 at 20:25
  • @RiccardoMurri Would you like to answer my question?
    Commented Dec 13, 2012 at 10:54
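As an added example (not code from any of the answers), here is a small Python model of the lookup the answer above describes, run over its route -n table: the longest matching prefix wins, a lower metric breaks ties, and a host on the VPN's private network (assumed here to be 10.99.0.0/24, a hypothetical value) falls through to the default route via eth0 until a tun0 route exists.

```python
import ipaddress

# The "route -n" table from the answer above, embedded as sample input so this runs offline.
ROUTE_N_OUTPUT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.30.0.1       0.0.0.0         UG    0      0        0 eth0
10.30.0.0       0.0.0.0         255.255.255.0   U     1      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eth0
192.168.122.0   0.0.0.0         255.255.255.0   U     0      0        0 virbr0
"""
VPN_NET = "10.99.0.0/24"   # hypothetical private network behind the VPN
VPN_HOST = "10.99.0.7"     # hypothetical host on that network


def parse_route_n(text):
    """Parse 'route -n' output into (network, gateway, metric, iface) tuples."""
    routes = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 8 or not cols[0][0].isdigit():
            continue  # skip the two header lines
        dest, gw, mask, _flags, metric, _ref, _use, iface = cols[:8]
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gw, int(metric), iface))
    return routes


def lookup(routes, dst):
    """Mimic the kernel's choice: longest prefix wins, lower metric breaks ties.
    Returns (iface, gateway); gateway '0.0.0.0' means the network is directly attached."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r[0]]
    if not candidates:
        return None
    _net, gw, _metric, iface = max(candidates, key=lambda r: (r[0].prefixlen, -r[2]))
    return iface, gw


def add_route(routes, cidr, iface, gateway="0.0.0.0", metric=0):
    """Model of 'ip route add <cidr> dev <iface>': returns a new table with the route."""
    return routes + [(ipaddress.ip_network(cidr), gateway, metric, iface)]


def demo():
    """The asker's symptom: without a tun0 line, VPN hosts go out the default route."""
    routes = parse_route_n(ROUTE_N_OUTPUT)
    before = lookup(routes, VPN_HOST)
    after = lookup(add_route(routes, VPN_NET, "tun0"), VPN_HOST)
    return before, after
```

On a real system the same check is `ip route get 10.99.0.7`, which prints the interface the kernel would pick for that destination.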
I don't know when it was introduced, but the OpenSSH client on RHEL7 has this in its manpage:

 -b bind_address
         Use bind_address on the local machine as the source address of the connection.  Only useful on systems with more than one address.

Not as good as being able to choose the interface, but close.

Example:

ssh -b interface-ip remote-ip
ssh -b 10.11.22.40 10.11.22.38
  • Also the -B flag, which appears to allow for specifying the name of the network interface to use.
    – Henrik
    Commented Dec 20, 2018 at 13:11
  • The option -b bind_address did not work for me, somehow. Changing routes temporarily should work. BTW: The -B option does not exist on the SSH version that comes with Ubuntu.
    – John
    Commented May 9, 2019 at 14:20
  • @John Even when bound to an interface, it still depends on the kernel routing table, except that it'll match iif (outgoing interface) routing rule entries (i.e. ip rule).
    – iBug
    Commented Feb 4, 2021 at 15:32
  • Just for info: -b will not work if the gateway is different on the default NIC and the one you want to use; a route will need to be added.
    Commented Nov 16, 2022 at 23:14
  • This flag did help in my case, to redirect my ssh through another interface, which was a VPN.
    – DarkCygnus
    Commented Dec 15, 2022 at 17:45
If you are using Network Manager to manage your internet connections (as is the default manager on many systems), you may want to install both openconnect and network-manager-openconnect.

Once the OpenConnect plugin is installed for Network Manager, open Network Manager and click the + icon in the lower-left. You should be given a combo-box with the option VPN and then the ability to select OpenConnect Compatible VPN.

By using Network Manager to interface with OpenConnect, your routes will automagically appear and help you connect to the VPN. This is especially helpful for accessing servers over VPN, such as how FireHost does things.
