
Sorry if the title is unclear; here is the setup:

There is machine A, running Linux. A is part of a university network and has a single network interface with a real IP. But connections from outside of campus to port 22 (and some others) are blocked at the switch level, and this is impossible to change.

A is running pptpd (`localip {realip}`, `remoteip 10.0.0.100-200`), and is NATing all connected clients (via the iptables rule `iptables -t nat -A POSTROUTING -o eth1 -s 10.55.248.0/24 -j MASQUERADE`).

It's possible to ssh from outside (B) to any of the university machines via the VPN tunnel to A, except A itself.

I understand that we cannot simply change the routing table on B, since it would break the tunnel, but I'd really like to be able to ssh to A from B via the VPN tunnel, since we cannot have a dedicated server for VPN, but instead use one of the computational nodes, which itself needs to be accessible via ssh.

So the question is: is it possible to somehow force part of the traffic to the VPN server to go through the VPN tunnel to said server?

I understand that it's possible to change the ssh listening port, or add an iptables rule on B, but B is not a single machine, so it can be nearly any OS (well, unlikely to be something other than Windows or Linux, but anyway) and can be used by a person not willing to meddle with manually adding routing rules.

aland
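
To make the routing argument in the question concrete, here is a small route-table walk-through. It is an added example, not code from the original post: the addresses are placeholders from the RFC 5737 documentation ranges, the /32 host route to the VPN server via B's physical uplink is assumed to be what the pptp client installs when the tunnel comes up, and the private "tunnel-side" address for A (a pptpd `localip` that is not the real IP) is an assumed alternative to the question's `localip {realip}`, not something the poster has configured. The simulation is a plain longest-prefix match over B's table, which is enough to show why a route to A's real IP through `ppp0` loops the tunnel onto itself, while a route to a second address on A does not.

```python
"""Route-table walk-through for the pptp setup described in the question.

Constructed example (not from the original post): all addresses are
assumptions taken from the RFC 5737 documentation ranges.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Assumed addresses standing in for the real ones in the question.
A_REAL_IP = "198.51.100.10"      # A's real campus IP (TEST-NET-2)
CAMPUS_NET = "198.51.100.0/24"   # the university network reachable through the tunnel
A_TUNNEL_IP = "10.0.0.1"         # assumed pptpd `localip` if set to a private address
B_UPLINK_GW = "192.0.2.1"        # B's own default gateway (TEST-NET-1)


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str
    gateway: Optional[str] = None   # None: directly connected or point-to-point link


def route(prefix: str, iface: str, gateway: Optional[str] = None) -> Route:
    return Route(ipaddress.ip_network(prefix), iface, gateway)


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, as the kernel FIB does (no metrics, no policy routing)."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None


def tunnel_is_self_routed(table: List[Route], tunnel_iface: str, endpoint: str) -> bool:
    """True when the tunnel's own outer packets (TCP/1723 and GRE to A's real IP)
    would be sent into the tunnel, which can only carry them once they have
    already reached A. That loop is what breaks the VPN."""
    r = lookup(table, endpoint)
    return r is not None and r.iface == tunnel_iface


def client_table(host_route_to_vpn_server: bool, a_has_tunnel_address: bool) -> List[Route]:
    """B's table after the pptp client has come up.

    host_route_to_vpn_server: the /32 to A's real IP via B's physical uplink
        (assumed to be installed by the pptp client so the endpoint stays
        reachable). Dropping it is the "route A through the tunnel" idea.
    a_has_tunnel_address: A also answers on a private address presented as
        the ppp peer, so a route to it through ppp0 is harmless.
    """
    table = [
        route("0.0.0.0/0", "eth0", B_UPLINK_GW),
        route("192.0.2.0/24", "eth0"),
        route(CAMPUS_NET, "ppp0"),   # this is what lets B reach the other campus machines
    ]
    if host_route_to_vpn_server:
        table.append(route(A_REAL_IP + "/32", "eth0", B_UPLINK_GW))
    if a_has_tunnel_address:
        table.append(route(A_TUNNEL_IP + "/32", "ppp0"))
    return table


def ssh_path(table: List[Route], target: str) -> str:
    """Interface an `ssh target` connection from B would leave through."""
    r = lookup(table, target)
    return r.iface if r else "unreachable"


def main() -> None:
    normal = client_table(host_route_to_vpn_server=True, a_has_tunnel_address=False)
    print("normal: ssh to A's real IP leaves via", ssh_path(normal, A_REAL_IP))
    print("normal: tunnel self-routed?", tunnel_is_self_routed(normal, "ppp0", A_REAL_IP))

    forced = client_table(host_route_to_vpn_server=False, a_has_tunnel_address=False)
    print("forced: ssh to A's real IP leaves via", ssh_path(forced, A_REAL_IP))
    print("forced: tunnel self-routed?", tunnel_is_self_routed(forced, "ppp0", A_REAL_IP))

    fixed = client_table(host_route_to_vpn_server=True, a_has_tunnel_address=True)
    print("fixed: ssh to A's tunnel address leaves via", ssh_path(fixed, A_TUNNEL_IP))
    print("fixed: tunnel self-routed?", tunnel_is_self_routed(fixed, "ppp0", A_REAL_IP))


if __name__ == "__main__":
    main()
```

The "normal" table sends `ssh` to A's real IP out of `eth0`, where port 22 is blocked; removing the host route makes that traffic pick the campus prefix via `ppp0`, but then the tunnel's own packets to A are routed into the tunnel too, which is the breakage the question describes. Only a second address on A that is legitimately reachable through `ppp0` gives B an `ssh` target that does not collide with the tunnel endpoint, which is the direction the comments below take.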

1 Answer


Please correct me if I am understanding this incorrectly. A and B are on the same network and A is accessible from the internet. You want to connect to B through A?

If this is correct you may be able to use a SOCKS proxy, which, if you're running ssh on A, you could use by typing `ssh -D 9999 hostnameA`. You could then set the app of your choice to use your SOCKS proxy on 127.0.0.1 port 9999.

I use this quite often to get to networks in remote locations.

Hope this helps.

Sean Milheim
  • Nope. `B` is from another network (even from another continent), and `B` can connect only to certain ports of machines in A's network (including 1723, excluding 22 and many others). I can set up a VPN connection from `B` to `A` and then use it to connect to any machine on A's network without restrictions. But I cannot make an ssh connection from `B` to `A` go through the tunnel, since doing it simply via the routing table would break the tunnel itself – aland Oct 14 '11 at 06:00
  • Sorry if I'm misunderstanding; the difficulty here is that you can't connect to A's internal IP through the VPN because pptpd/NATing? Can you set up another port on A for SSH connections that can get through the switch and connect using the external IP? – Demelziraptor Oct 14 '11 at 09:12
  • @Demelziraptor Yes, it is possible to use another port for ssh, but I'd like to avoid such things (for example, when using svn+ssh it's quite troublesome to use port other than 22) – aland Oct 14 '11 at 10:23
  • Could you add an additional internal IP (one that the VPN connection at B will route through the VPN) to A, bind SSH to that IP and don't have the iptables nat rule apply for connections to that IP? – Demelziraptor Oct 14 '11 at 10:36
  • @Demelziraptor By "internal IP" you mean fake ethernet device created like `ip link set name eth99 dev dummy0`, or what? – aland Oct 14 '11 at 16:30