-1

So I am using OpenVPN to connect to an internal network. I have some users that require access from a different country (India). I created an SSH user and generated VPN certs for them to connect.

  1. They are able to connect to the VPN with no issues
  2. They are able to ping the designated VM via its private static IP address
  3. I had them do an nmap and they do see port 22 but it says "filtered"
  4. I've added rules to my firewall appliance (Sophos) to let all incoming SSH traffic through for testing purposes
  5. They get a connection refused error when trying to connect to SSH
  6. I can connect just fine using their SSH user (while VPNed from my workstation)
  7. When I do an nmap from my workstation (in Canada), while VPNed in, I see the state of SSH to be "Open". When they do the same thing from India, they see "Filtered" as the SSH state.

I know that opening up SSH connections is a security issue but I'd prefer to get these guys connected, and then add in the necessary security measures to secure/limit SSH logins (no root password, ssh keys only, etc) after the fact.

I'm a budding sysadmin so sorry if this is total noob territory. Essentially, I need to know what else I can do to diagnose this situation and determine why they are unable to connect. I have a feeling it's firewall related, but I don't have any country blocking enabled, and SSH is wide open so I am unsure what the issue is.

Thanks!

jasonaburton
  • Just a note, when I am VPNed and do an nmap, I see the state as "Open", but they see the state as "Filtered" – jasonaburton Jan 09 '17 at 19:50
  • I don't see a question in your question, can you explain exactly what part of the setup you need help with? – Nath Jan 09 '17 at 21:38
  • Apologies, my problem is that the user in India cannot connect to SSH and I am wondering what I can do to determine why this is the case. I've listed the steps I and they have already taken above. – jasonaburton Jan 09 '17 at 21:41
  • Sounds like the SSH server is behind some sort of NAT that you don't "see" since you test via the VPN. You need to either just get the VPN working for them (my recommendation), or do your own testing with your VPN *disconnected* to see the same thing they see. – alzee Jan 09 '17 at 22:04
  • Possible duplicate of [What causes the 'Connection Refused' message?](http://serverfault.com/questions/725262/what-causes-the-connection-refused-message) – user9517 Jan 09 '17 at 22:23

1 Answer

0

Post a `traceroute -n 1.2.3.4`, where 1.2.3.4 is the destination SSH host and the source is one of your VPN users' computers. We need to eliminate routing problems first.

I was going to do a lot of typing, but then I realized what we need is a network diagram showing this entire pathway, including firewalls, VPN servers, VPN clients and target servers, before we go any further.

T. B.