16

On my machine I'm using OpenVPN, which uses the tun0 interface. I want sshd to listen only on this interface.

I know I can specify the IP address to listen to in

/etc/ssh/sshd_config

with a

ListenAddress 0.0.0.0

directive. But my IP address will change, so I cannot choose an IP here which is always valid. I know that I can start the daemon only when the VPN is up - that's not the problem.

How can I make sshd only listen on a specific interface (tun0)?

Philipp

1 Answer

7

You can't do that directly as sshd only understands IP addresses. You may be able to knock something together using an openvpn up script

--up cmd Shell command to run after successful TUN/TAP device open (pre --user UID change). The up script is useful for specifying route commands which route IP traffic destined for private subnets which exist at the other end of the VPN connection into the tunnel...

See also the --down option to clean up and the relevant parts of the documentation detailing script security etc.

You'll find the IP address of the tun device is passed to the script as an environment variable. Also sshd takes options on the command line of the form

-oSomeOption=SomeValue

-o option Can be used to give options in the format used in the configuration file. This is useful for specifying options for which there is no separate command-line flag. For full details of the options, and their values, see sshd_config(5)

So you could use

-o ListenAddress=<some address>

Presumably you have some out of band method of talking to your VPS so that when this breaks you can contact the server.

user9517
  • Try: `-o ListenAddress=$(ip addr | awk '/inet/ && /tun0/{sub(/\/.*$/,"",$2); print $2}')` – pjz Jun 16 '14 at 13:51
  • @pjz I don't think you need to do that, as I'm fairly sure that the IP address of the device is available as an environment variable to the up script. I just don't have the stuff to hand to test it. – user9517 Jun 16 '14 at 13:54
  • Excellent! The IP is passed to the up script as ifconfig_local=10.xx.xx.xx. A whole bunch of other data (dev_type=tun, common_name=myservername, ifconfig_remote, route_gateway_1, untrusted_ip, ifconfig_local, proto_1, tls_serial_1, tls_serial_0 ...) is passed along. – Philipp Jun 19 '14 at 08:01
  • Yes I know, and now you do too :) – user9517 Jun 19 '14 at 08:04
  • Maybe you want to edit your answer and add the relevant env variable name? (for future readers) – Philipp Jun 19 '14 at 08:19
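The approach from the answer and the comments worked through as an added example (not code from the original post): one POSIX sh script used as both the OpenVPN --up and --down script, which starts sshd bound to the address OpenVPN exports as ifconfig_local and stops it again when the tunnel goes down. Assumed: script-security 2 is enabled in the OpenVPN config, sshd lives at /usr/sbin/sshd, and the pid file path /run/sshd-tun0.pid is a hypothetical choice.

```shell
#!/bin/sh
# OpenVPN --up/--down script binding sshd to the tunnel address.
# OpenVPN exports the tunnel's local address as $ifconfig_local and
# sets $script_type to "up" or "down" before running the script.
# Hypothetical locations; adjust to taste.
PIDFILE="${PIDFILE:-/run/sshd-tun0.pid}"
SSHD="${SSHD:-/usr/sbin/sshd}"

# Build the sshd argument list from the address OpenVPN exported.
# Accepts only digits and dots (IPv4 only; ifconfig_ipv6_local is not
# handled here) and fails on an empty or odd value, so a misconfigured
# invocation never silently falls back to sshd's default of 0.0.0.0.
build_sshd_args() {
  addr="$1"
  case "$addr" in
    *[!0-9.]*|"") return 1 ;;
  esac
  printf '%s' "-o ListenAddress=$addr -o PidFile=$PIDFILE"
}

# Start sshd listening only on the tunnel address.
up() {
  args=$(build_sshd_args "${ifconfig_local:-}") || {
    echo "up: ifconfig_local unset or invalid, refusing to start sshd" >&2
    return 1
  }
  # shellcheck disable=SC2086  # word splitting into separate -o args is intended
  "$SSHD" $args
}

# Stop the tunnel-bound sshd when the VPN goes down.
down() {
  if [ -r "$PIDFILE" ]; then
    kill "$(cat "$PIDFILE")" && rm -f "$PIDFILE"
  fi
}

case "${script_type:-}" in
  up)   up ;;
  down) down ;;
esac
```

Leave ListenAddress out of sshd_config when using this: sshd accepts several ListenAddress entries and they accumulate, so a 0.0.0.0 line there would have sshd listening on every interface alongside the tunnel address.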