OpenVPN connection through SSH tunnel

I'm currently visiting China, so I have some options for VPNs set up. However, my VPN servers have a habit of suddenly disappearing from the network after I've used them for a while.

I thought it might be an option to use an SSH tunnel to another server, and to connect the VPN through that, to prevent the VPN traffic from being detected. That way, presumbly, the traffic just reads as an SSH connection to the provider.

So, I connect to a server like this:

ssh peter@some-server -L 4444:vpn-server:1194 -N

And then add this to my openvpn client configuration:

remote localhost 1194

Sadly, this doesn't work. The connection authenticates, but afterwards, I can't connect to either the inside of the VPN (ping 10.8.0.1) or the outside (ping 8.8.8.8). Should this work, or am I misunderstanding something?

Is there some iptables nat rule I should add? The only nat rule I've added so far is:

-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

Peter

Posted 2018-09-08T03:40:06.867

Reputation: 111

1The VPN´s servers disappear because the Chinese Government's servers identify that you're using a VPN. The question is, do you REALLY need this VPN? In spite of the technical challenges, is there a sufficient reason for doing something that can be illegal? If they track your VPN usage and get to you, they can arrest you for using a VPN. China is not the kind of foreign country where you would like to be arrested. They can jail you for months for almost nothing. Would it be worth? – mguima – 2019-02-18T18:38:04.853

@mguima I think you've seen too many movies. – Peter – 2019-02-19T09:59:10.493

Maybe. Remember, they're not Westerns. It's link another kind of world. – mguima – 2019-02-20T01:58:09.150

Answers

The simplistic approach to setting up your VPN connection through an SSH tunnel will not work. First problem: you are only tunneling the connection to the VPN server itself, which does not then allow all other traffic to be routed through the VPN server OVER the ssh connection (thus obfuscating the connection). The fix for this is to use a dynamic SOCKS[5] proxy and tell OpenVPN to connect via that proxy. Add to your OpenVPN config file:

socks-proxy localhost 6886
socks-proxy-retry

Then, start your ssh session with a dynamic SOCKS proxy:

ssh -D 6886 -N REMOTE

Then you can start your OpenVPN connection. However, this still has one more failing, at least assuming you want to redirect all traffic through the VPN (OpenVPN directive redirect-gateway def1). For that to work, you need to maintain a route to the SOCKS proxy end point that does not get masked by the routes added by the OpenVPN client. To do this, add another directive to your OpenVPN config that looks like this:

route REMOTE-IP 255.255.255.255 net_gateway default

You might be able to to use the hostname REMOTE in that directive, but you might need to resolve it to an IP address manually.

That should work, at least for ipv4 traffic. A quick google search turns up this blog post which does essentially the same thing, has good descriptions of what's going on, but seems to be more complicated in the solution (using a connection script)

Alternatively, you might also look at using obfs4proxy (e.g. this and this or packaged for ubuntu)

crimson-egret

Posted 2018-09-08T03:40:06.867

Reputation: 1 900

SSH tunnel with VPN works in China, albeit acceptably slow. Lowering the encryption settings will not boost the speed. I think the connection speed is generally throttled from China to any parts of the world.

How I do it is SSH tunnel with port forwarding enabled. And then use OpenVPN with SOCKS Proxy through that SSH tunnel. Non-default port numbers work too.

No need of firewall or route configuration. Works perfectly fine for me. :)

overseas.chinese

Posted 2018-09-08T03:40:06.867

Reputation: 21

I could successfully establish a connection to my Raspberry Pi (with PiVPN) over TCP and an external VPS. Then I did this:

allow the forwarding to public on your server (VPS/VPN). Change GatewayPorts to yes or add if it does not exists yet.

/etc/ssh/sshd_config:
GatewayPorts yes

Change proto udp to tcp (as ssh uses the tcp protocol)

/etc/openvpn/server.conf:
proto tcp

Again, change proto udp to tcp-client:

openvpn-client.ovpn:
proto tcp-client

Now start the ssh forwarding (0.0.0.0 to allow all IPv4 connections; -N to not start a bash on the server)

ssh -R 0.0.0.0:1194:localhost:1194 user@server -N

You should also check that your VPS/VPN-server allows the connection and has the right firewall settings. If you use ufw for iptables, simply do this:

ufw allow 1194/tcp
ufw enable

This may not be the fastest but it works for me.

Bostrot

Posted 2018-09-08T03:40:06.867

Reputation: 111