12

We have an AWS EC2 server that we've configured to be only accessible (via SSH) from within our office network. Obviously this isn't ideal for remote arrangements where someone has to connect to the EC2 instance and is working remotely outside the office such as during a business trip.

I've managed to set-up a VPN through PPTP and can connect to the office network (I have two local IP's one from wlan0 and one from ppp0) regardless of anywhere I am. However, when I SSH to the EC2 instance, it's still rejecting me most likely because it sees that I'm still trying to ssh from outside the network.

I guess the problem is that I can't route the ssh traffic to go through the VPN. Any ideas how I can accomplish this?

My other option is to ssh to a machine within the office network and then use that machine to ssh to the EC2 instance but I've been hesistant to do that as it seems excessive.

turntwo
  • 223
  • 1
  • 2
  • 5
  • The short answer is to route your SSH traffic through the VPN. And use something a bit more secure than PPTP. – Hyppy Dec 22 '14 at 16:18

1 Answers1

18

Let's suppose your AWS is reachable via SSH at IP "your.ec2.ip.address". Let's suppose your office network has Internet access via a router that apply some NAT translations and, as such, your office PCs are seen, on the Internet, with IP "your.office.external.ip".

Let's also suppose that you are located OUTSIDE of your office, with your laptop connected around the world, with:

  • a main IP address assigned by your local Internet provider (let's suppose 192.168.0.33 with netmask 255.255.255.0 and def-gw 192.168.0.1);
  • a PPP0 address, assigned to your laptop by your remote PPTP server (once your VPN tunnel is succesfully established). Let's suppose PPP0 is the.local.ppp0.ip with remote P2P the.remote.pptp.address. In other words, your laptop knows to be the.local.ppp0.ip and also knows that at the other side of the VPN tunnel there's your PPTP server reachable, over the VPN, at the.remote.pptp.address.

In such a scenario, if you are unable --from your notebook-- to reach your AWS at "your.ec2.ip.address" I bet the problem is --as you guess-- routing: your SSH traffic directed to "your.ec2.ip.address" is NOT leaving your netbook within the VPN, but, instead, is leaving along the common, external-VPN, path (aka: is sent to your local gateway: 192.168.0.1).

To diagnose this problem, a very easy check can be done with:

  • Linux: the tracepath command (es.: "tracepath -n your.ec2.ip.address")
  • windows: the "tracert" command (es.: "tracert -d your.ec2.ip.address")

From the output you can check if the second step report PPTP addresses, or not.

If your traffic is traveling along the wrong path, the easy fix to route it within the VPN is:

  • Linux: "route add -host your.ec2.ip.address gw the.remote.pptp.address"
  • Windows: "route add your.ec2.ip.address mask 255.255.255.255 the.remote.pptp.address"

After configuring the above route, you can check again the routing with tracert/tracepath

Once routing is properly configured, there is a minor probability that problems could arise within your office: if your PPTP server is NOT doing IP-forwarding and NAT-translations, there's an high probability that you'll experience "filtering", in case of missing ip-forwarding or "asymetric routing" (in case of missing NAT) between your notebook and your.ec2.ip.address:

  • traffic from you to amazon, travels along the VPN to your office and, from then, to Amazon;
  • return traffic from Amazon to you, gets routed along common internet path and... chance are high it's dropped somewhere.

Again: tracepath/tracert can help you checking the problem.

On linux boxes, another very useful friend is "tcpdump". Some useful tcpdump commands are:

  • "tcpdump -n -i interface icmp" to check incoming/outgoing PING request/response;
  • "tcpdump -n -i host an.ip.add.ress" to check traffic arriving/sent to an.ip.add.ress;
Damiano Verzulli
  • 3,948
  • 1
  • 20
  • 30