
I have a Raspberry Pi server (rpi) with a static internal IP using a VPN service. My router has a static public IP and I have the NAT set up to forward SSH traffic to the rpi as I have other devices on the network.

(Diagram omitted; fictitious IP numbers.)

I am able to SSH into the rpi server remotely (out of my network) when no VPN is used. I am able to SSH into the rpi internally (in my network) when the VPN is used. I am not able to remotely SSH into the rpi when the VPN is used.

I have seen other questions that are similar but I'm such a novice I couldn't quite understand fully what was explained or ascertain if the situation was the same as mine.

I don't believe I'm using a firewall on the server but am relying on the router to block connections and using NAT to forward connections. I don't understand what iproute is for or on which machine it should be configured.

deanresin
2 Answers


You can do policy-based routing, using the fact that, when you access the RPi without going through the VPN, outgoing packets will use 192.168.1.4 as source because the incoming packets used 192.168.1.4 as destination.

See this answer on another thread: https://unix.stackexchange.com/a/23345

Dylan

Your Raspberry Pi has a direct connection to its local subnet 192.168.1.0/24, but the VPN adds a new route to 0.0.0.0/0, over the local default gateway. Therefore, packets back to the PC over the Internet use the VPN route even when the incoming connection comes through the local gateway.

You could

  • add a new static route to the netblock of the PC via the router or
  • forward port 22 to another machine on your LAN, and connect to your Raspberry Pi from that machine, instead.
Esa Jokinen
  • Oh cool. I didn't realize the return connection was the problem. Option 2 is not possible so I will have to "add a new static route to the netblock of the PC via the router". But I have many questions. Will this work if my PC will have a dynamic IP? Do I perform this action on the router or the server? – deanresin Dec 19 '18 at 04:10
  • You add the route to your Raspberry Pi. The dynamic public IP comes from a DHCP pool: even if it changes, you can probably predict it's still from the same netblock (`whois` the IP to see the range of your ISP). That only applies if the PC always uses the same connection. Also keep in mind that all connections to that netblock will bypass the VPN. – Esa Jokinen Dec 19 '18 at 04:14
  • My PC is usually at home on the network. But I want to be able to ssh home to rpi when I am not home and on some random network/location. Does this make it impossible? – deanresin Dec 19 '18 at 04:20
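An added example, not code from either answer, of what both fixes look like on the Pi: the policy-based routing from the first answer (replies sourced from the Pi's LAN address go back through the router) and the per-netblock static route from the second answer. The address 192.168.1.4 and subnet 192.168.1.0/24 come from the answers; interface eth0, gateway 192.168.1.1, table 100 and priority 1000 are assumptions, and the commands need root.

```shell
#!/bin/sh
# Policy-based routing on the Raspberry Pi: replies to connections that arrived
# through the LAN gateway (destination = the Pi's LAN address) must leave through
# that gateway instead of the VPN's default route. Names/values are assumptions
# except 192.168.1.4 and 192.168.1.0/24, which the answers mention.
LAN_IP="${LAN_IP:-192.168.1.4}"        # Pi's LAN address
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # LAN subnet
LAN_IF="${LAN_IF:-eth0}"               # assumed LAN interface
LAN_GW="${LAN_GW:-192.168.1.1}"        # assumed router address
TABLE="${TABLE:-100}"                  # assumed unused routing table number
PRIO="${PRIO:-1000}"                   # rule priority (lower number wins)

# With DRY_RUN=1 the ip commands are printed instead of executed.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Install the extra routing table and the rule that selects it.
pbr_apply() {
  # Table TABLE knows only the LAN and a default route via the router.
  run ip route replace "$LAN_NET" dev "$LAN_IF" src "$LAN_IP" table "$TABLE"
  run ip route replace default via "$LAN_GW" dev "$LAN_IF" table "$TABLE"
  # Packets sourced from LAN_IP (replies to LAN-gateway connections) use it.
  # 'ip rule add' is not idempotent, so remove any earlier copy first.
  run ip rule del from "$LAN_IP" lookup "$TABLE" priority "$PRIO" 2>/dev/null || true
  run ip rule add from "$LAN_IP" lookup "$TABLE" priority "$PRIO"
}

# Undo everything pbr_apply installed.
pbr_remove() {
  run ip rule del from "$LAN_IP" lookup "$TABLE" priority "$PRIO"
  run ip route flush table "$TABLE"
}

# Show which route the kernel picks for a reply from LAN_IP to a remote host;
# after pbr_apply it should name LAN_GW, not the VPN interface.
pbr_check() {
  run ip route get "$1" from "$LAN_IP"
}

# Alternative from the second answer: send only the PC's netblock (argument,
# e.g. the range 'whois' reports for the ISP) via the router, bypassing the VPN.
pbr_netblock() {
  run ip route replace "$1" via "$LAN_GW" dev "$LAN_IF"
}
```

The rule and table do not survive a reboot (or a VPN client that flushes routing), so re-run pbr_apply at boot and confirm with `ip rule show` and `ip route show table 100`.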