Menu
What's new
By:
Filters Better Search

Remotely access ssh of a device connected with a VPN client

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

C

cowst

Senior Member
Hi,
I am setting up a RPi as access point routing all the traffic through a VPN, and in case the service doesn't work for some reason, the traffic is blocked.
There are 2 exceptions:
1 - traffice within a couple of LANs should work
2 - the RPi should be accessible through ssh from outside

The problem I am having is that ssh traffic comes in from eth0 but tries to get out from tun0 due to openvpn pushed routes.
I tried to mark the traffic in iptables mangle, the route to a table that force back eth0. (I also tried plenty of other things but obviously failed to hit the right one :) )

Can anybody suggest how to achieve what I need?
Following are the commands I am currently using, and the status of things.

Code: 
WAN_IP=$(wget -q -O - http://ipecho.net/plain)

iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
iptables -A PREROUTING -i eth0 -t mangle -p tcp --dport 22 -j MARK --set-mark 1
iptables -A INPUT -s 192.168.2.0/24 -d 192.168.2.0/24 -j ACCEPT
iptables -A OUTPUT -s 192.168.2.0/24 -d 192.168.2.0/24 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT
iptables -A OUTPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT
iptables -A FORWARD -i wlan0 -o tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

iptables -A OUTPUT -o eth0 ! -d $WAN_IP -j DROP

ip rule add fwmark 1 table 1
ip route add 0.0.0.0/0 table 1 dev eth0

Code: 
pi@raspberrypi:~ $ ip route list
0.0.0.0/1 via 10.8.8.1 dev tun0
default via 192.168.2.1 dev eth0
default via 192.168.2.1 dev eth0  metric 202
10.8.8.0/24 dev tun0  proto kernel  scope link  src 10.8.8.27
128.0.0.0/1 via 10.8.8.1 dev tun0
185.145.38.236 via 192.168.2.1 dev eth0
192.168.2.0/24 dev eth0  proto kernel  scope link  src 192.168.2.74  metric 202
192.168.3.0/24 dev wlan0  proto kernel  scope link  src 192.168.3.1

pi@raspberrypi:~ $ ip route list table 1
default dev eth0  scope link

pi@raspberrypi:~ $ ip rule
0:   from all lookup local
32765:   from all fwmark 0x1 lookup 1
32766:   from all lookup main
32767:   from all lookup default

pi@raspberrypi:~ $ sudo iptables -L -v -n -t mangle
Chain PREROUTING (policy ACCEPT 759 packets, 71678 bytes)
pkts bytes target     prot opt in     out     source               destination
390 27656 MARK       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp
dpt:22 MARK set 0x1

Chain INPUT (policy ACCEPT 759 packets, 71678 bytes)
pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 709 packets, 74730 bytes)
pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 709 packets, 74730 bytes)
pkts bytes target     prot opt in     out     source               destination

pi@raspberrypi:~ $ sudo iptables -L -v -n
Chain INPUT (policy ACCEPT 446 packets, 51142 bytes)
pkts bytes target     prot opt in     out     source               destination
419 29604 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 state NEW,ESTABLISHED
33  6533 ACCEPT     all  --  *      *       192.168.2.0/24       192.168.2.0/24
0     0 ACCEPT     all  --  *      *       192.168.1.0/24       192.168.1.0/24

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
0     0 ACCEPT     all  --  wlan0  tun0    0.0.0.0/0            0.0.0.0/0               0     0 ACCEPT     all  --  tun0   wlan0   0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT 494 packets, 49499 bytes)
pkts bytes target     prot opt in     out     source               destination
324 36968 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            tcp spt:22 state ESTABLISHED
16  1723 ACCEPT     a
 
cowst said:
Hi,
I am setting up a RPi as access point routing all the traffic through a VPN, and in case the service doesn't work for some reason, the traffic is blocked.
There are 2 exceptions:
1 - traffice within a couple of LANs should work
2 - the RPi should be accessible through ssh from outside

The problem I am having is that ssh traffic comes in from eth0 but tries to get out from tun0 due to openvpn pushed routes.
I tried to mark the traffic in iptables mangle, the route to a table that force back eth0. (I also tried plenty of other things but obviously failed to hit the right one :) )

Can anybody suggest how to achieve what I need?
Following are the commands I am currently using, and the status of things.

Code: 
WAN_IP=$(wget -q -O - http://ipecho.net/plain)

iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
iptables -A PREROUTING -i eth0 -t mangle -p tcp --dport 22 -j MARK --set-mark 1
iptables -A INPUT -s 192.168.2.0/24 -d 192.168.2.0/24 -j ACCEPT
iptables -A OUTPUT -s 192.168.2.0/24 -d 192.168.2.0/24 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT
iptables -A OUTPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT
iptables -A FORWARD -i wlan0 -o tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

iptables -A OUTPUT -o eth0 ! -d $WAN_IP -j DROP

ip rule add fwmark 1 table 1
ip route add 0.0.0.0/0 table 1 dev eth0

Code: 
pi@raspberrypi:~ $ ip route list
0.0.0.0/1 via 10.8.8.1 dev tun0
default via 192.168.2.1 dev eth0
default via 192.168.2.1 dev eth0  metric 202
10.8.8.0/24 dev tun0  proto kernel  scope link  src 10.8.8.27
128.0.0.0/1 via 10.8.8.1 dev tun0
185.145.38.236 via 192.168.2.1 dev eth0
192.168.2.0/24 dev eth0  proto kernel  scope link  src 192.168.2.74  metric 202
192.168.3.0/24 dev wlan0  proto kernel  scope link  src 192.168.3.1

pi@raspberrypi:~ $ ip route list table 1
default dev eth0  scope link

pi@raspberrypi:~ $ ip rule
0:   from all lookup local
32765:   from all fwmark 0x1 lookup 1
32766:   from all lookup main
32767:   from all lookup default

pi@raspberrypi:~ $ sudo iptables -L -v -n -t mangle
Chain PREROUTING (policy ACCEPT 759 packets, 71678 bytes)
pkts bytes target     prot opt in     out     source               destination
390 27656 MARK       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp
dpt:22 MARK set 0x1

Chain INPUT (policy ACCEPT 759 packets, 71678 bytes)
pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 709 packets, 74730 bytes)
pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 709 packets, 74730 bytes)
pkts bytes target     prot opt in     out     source               destination

pi@raspberrypi:~ $ sudo iptables -L -v -n
Chain INPUT (policy ACCEPT 446 packets, 51142 bytes)
pkts bytes target     prot opt in     out     source               destination
419 29604 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 state NEW,ESTABLISHED
33  6533 ACCEPT     all  --  *      *       192.168.2.0/24       192.168.2.0/24
0     0 ACCEPT     all  --  *      *       192.168.1.0/24       192.168.1.0/24

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
0     0 ACCEPT     all  --  wlan0  tun0    0.0.0.0/0            0.0.0.0/0               0     0 ACCEPT     all  --  tun0   wlan0   0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT 494 packets, 49499 bytes)
pkts bytes target     prot opt in     out     source               destination
324 36968 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            tcp spt:22 state ESTABLISHED
16  1723 ACCEPT     a
Click to expand...
cowst said:
Hi,
I am setting up a RPi as access point routing all the traffic through a VPN, and in case the service doesn't work for some reason, the traffic is blocked.
There are 2 exceptions:
1 - traffice within a couple of LANs should work
2 - the RPi should be accessible through ssh from outside

The problem I am having is that ssh traffic comes in from eth0 but tries to get out from tun0 due to openvpn pushed routes.
I tried to mark the traffic in iptables mangle, the route to a table that force back eth0. (I also tried plenty of other things but obviously failed to hit the right one :) )

Can anybody suggest how to achieve what I need?
Following are the commands I am currently using, and the status of things.

Code: 
WAN_IP=$(wget -q -O - http://ipecho.net/plain)

iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
iptables -A PREROUTING -i eth0 -t mangle -p tcp --dport 22 -j MARK --set-mark 1
iptables -A INPUT -s 192.168.2.0/24 -d 192.168.2.0/24 -j ACCEPT
iptables -A OUTPUT -s 192.168.2.0/24 -d 192.168.2.0/24 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT
iptables -A OUTPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT
iptables -A FORWARD -i wlan0 -o tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

iptables -A OUTPUT -o eth0 ! -d $WAN_IP -j DROP

ip rule add fwmark 1 table 1
ip route add 0.0.0.0/0 table 1 dev eth0

Code: 
pi@raspberrypi:~ $ ip route list
0.0.0.0/1 via 10.8.8.1 dev tun0
default via 192.168.2.1 dev eth0
default via 192.168.2.1 dev eth0  metric 202
10.8.8.0/24 dev tun0  proto kernel  scope link  src 10.8.8.27
128.0.0.0/1 via 10.8.8.1 dev tun0
185.145.38.236 via 192.168.2.1 dev eth0
192.168.2.0/24 dev eth0  proto kernel  scope link  src 192.168.2.74  metric 202
192.168.3.0/24 dev wlan0  proto kernel  scope link  src 192.168.3.1

pi@raspberrypi:~ $ ip route list table 1
default dev eth0  scope link

pi@raspberrypi:~ $ ip rule
0:   from all lookup local
32765:   from all fwmark 0x1 lookup 1
32766:   from all lookup main
32767:   from all lookup default

pi@raspberrypi:~ $ sudo iptables -L -v -n -t mangle
Chain PREROUTING (policy ACCEPT 759 packets, 71678 bytes)
pkts bytes target     prot opt in     out     source               destination
390 27656 MARK       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp
dpt:22 MARK set 0x1

Chain INPUT (policy ACCEPT 759 packets, 71678 bytes)
pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 709 packets, 74730 bytes)
pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 709 packets, 74730 bytes)
pkts bytes target     prot opt in     out     source               destination

pi@raspberrypi:~ $ sudo iptables -L -v -n
Chain INPUT (policy ACCEPT 446 packets, 51142 bytes)
pkts bytes target     prot opt in     out     source               destination
419 29604 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 state NEW,ESTABLISHED
33  6533 ACCEPT     all  --  *      *       192.168.2.0/24       192.168.2.0/24
0     0 ACCEPT     all  --  *      *       192.168.1.0/24       192.168.1.0/24

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
0     0 ACCEPT     all  --  wlan0  tun0    0.0.0.0/0            0.0.0.0/0               0     0 ACCEPT     all  --  tun0   wlan0   0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT 494 packets, 49499 bytes)
pkts bytes target     prot opt in     out     source               destination
324 36968 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            tcp spt:22 state ESTABLISHED
16  1723 ACCEPT     a
Click to expand...
You are better off setting up a VPN server less complicated
https://www.snbforums.com/threads/h...th-asus-routers-380-66-6-updated-07-05.33638/
 
Are you suggesting that I create an openvpn server in the router hiding the RPi?
In that case, it is a shirtty Vodafone Station Revolution that allows only a few protocols (not openvpn), and even they don't work properly.
That with DDNS was the first thing I tried.
I could connect with PPTP, but then nothing really worked, I could load google.com 1 time out of 10, it seemed to timeout most of the times, maybe DNS issues, couldn't figure because the amount of complaints about that router swallowed whatever I was searching :)
If I had my Asus N66U it would have been already done (I use it at home with both openvpn client and server)

If you suggested to install openvpn server on the RPi, it wouldn't work as well, because as my SSH enters from eth0 and goes out from tun0, the same would happen to the openvpn negotiation. So I have to make the routing work in order to do anything reaching it from eth0 (I could install a GUI on it and Teamviewer, but I would be just a coward :D ).

If somebody feels like helping with the PPTP on the crappy router, that would do for me as well :)
 
cowst said:
Are you suggesting that I create an openvpn server in the router hiding the RPi?
In that case, it is a shirtty Vodafone Station Revolution that allows only a few protocols (not openvpn), and even they don't work properly.
That with DDNS was the first thing I tried.
I could connect with PPTP, but then nothing really worked, I could load google.com 1 time out of 10, it seemed to timeout most of the times, maybe DNS issues, couldn't figure because the amount of complaints about that router swallowed whatever I was searching :)
If I had my Asus N66U it would have been already done (I use it at home with both openvpn client and server)

If you suggested to install openvpn server on the RPi, it wouldn't work as well, because as my SSH enters from eth0 and goes out from tun0, the same would happen to the openvpn negotiation. So I have to make the routing work in order to do anything reaching it from eth0 (I could install a GUI on it and Teamviewer, but I would be just a coward :D ).

If somebody feels like helping with the PPTP on the crappy router, that would do for me as well :)
Click to expand...
get a good router and install VPN server. Not over RPi
 
I appreciate the suggestion, but I am looking for a SW solution.
I know that money can work around this problem. :)
 
You must log in or register to reply here.

Similar threads

N
Skynet SkyNet/Firewall blocking all ping requests, including outbound
Replies
6
Views
929
nearlyheadlessarvie
N
A
Policy-based port routing to bypass NordVPN client
Replies
10
Views
2K
Don->
D
v.y.k
iptables pkts & bytes numbers are too low on Merlin 3004.388
Replies
13
Views
1K
v.y.k
v.y.k
octopus
  • Locked
Solved Can you connect to Wireguard server from wan side?
Replies
17
Views
2K
octopus
octopus
R
One router, two segments desired.
Replies
4
Views
874
Rombo
R
Similar threads
Thread starter Title Forum Replies Date
K Help with Wireguard Client set up, access local LAN & provider DNS VPN 1
gdgross Setting up VPN server (router?) for offsite access VPN 13
C Instant Guard IPsec VPN Log Showing Regular Access Attempts VPN 3

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 685 (members: 16, guests: 669)
Top