SSH server can't be connected to when VPN is turned on

9

2

I recently found that when my workstation connects through a VPN connection, its SSH server can't be connected to from a remote site. I am sure it's a routing problem because the VPN client changes the default gateway to its peer (VPN server) of the ppp connection.

Is there a solution to make SSH server and VPN client both happy?

btw0

Posted 2011-10-17T18:25:13.537

Reputation: 191

Answers

2

When you use a VPN, generally the VPN network takes over your entire interface, such that you are only routable from somewhere on the VPN network, not the internet at large. Most people solve this problem by running a VM (VirtualBox etc.) and connecting to the VPN in that virtual machine, so that it doesn't completely hose the main connection on the actual machine.

Stu

Posted 2011-10-17T18:25:13.537

Reputation: 1 044

I'm using a VM, Stu, but what I'm not able to do is get access to the VPN in the host, as I need to do dev work. – Jamie Hutber – 2018-06-20T14:31:59.727

Oh, I was suggesting the other way. Use the VPN solely in the VM and that leaves the real machine for open and free internet. – Stu – 2018-06-23T11:59:53.043

You can do some routing tricks to route data from the VPN one way and other data the other way (different gateways etc.), but it's really just a lot easier to use VirtualBox. :-) – Stu – 2011-10-17T18:38:48.940

Thanks for the suggestion! I'd like to know what routing trick can achieve this. – btw0 – 2011-11-12T16:03:43.297

2

Before adventuring through the network setups, check whether the ssh server in question listens on the VPN interface. Maybe it is bound to a specific interface on your server.

Example netstat -a output:

 Proto Recv-Q Send-Q Local Address    Foreign Address   State      
 tcp        0      0 *:ssh            *:*               LISTEN      

The ssh server in this example listens on all interfaces (indicated by the asterisk in *:ssh). If on your system there is a host address instead, the ssh server is bound to specific interfaces.

Edit /etc/ssh/sshd_config and set ListenAddress 0.0.0.0 to adjust this, if necessary.

If sshd already listens to the correct interfaces, feel free to enter the routing dungeon :-)

ktf

Posted 2011-10-17T18:25:13.537

Reputation: 2 168

To what address should ListenAddress be set? The IP of the server on the local interface? The IP of the router? Something else? – Psychonaut – 2015-08-20T08:58:14.663
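The check ktf describes (does sshd actually have a listening socket on the address the VPN peer would reach it on?) can be automated. The script below is an added example, not code from the answer: it parses `netstat -a` style output and an `sshd_config` fragment, both constructed samples with hypothetical addresses (192.168.1.50 as the LAN address, 10.0.99.12 as the VPN-side address), and answers the question in Psychonaut's comment by distinguishing a wildcard bind (`*:ssh`, `0.0.0.0`, `[::]`) from a bind to one specific host address.

```python
import ipaddress
import re
from typing import List, NamedTuple

# Constructed `netstat -a` sample (not output from the asker's host): sshd
# bound to the IPv4 and IPv6 wildcards, an unrelated listener bound to one
# address, and one established SSH session that must be ignored.
SAMPLE_NETSTAT_WILDCARD = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:ssh                   *:*                     LISTEN
tcp        0      0 192.168.1.50:http       *:*                     LISTEN
tcp        0      0 10.0.99.12:ssh          203.0.113.7:51522       ESTABLISHED
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN
"""

# Constructed sample showing the failure mode ktf warns about: sshd bound
# only to the LAN address, so nothing listens on the VPN-side address.
SAMPLE_NETSTAT_BOUND = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.50:ssh        *:*                     LISTEN
"""

# Hypothetical sshd_config excerpt that produces the bound-only listener.
SAMPLE_SSHD_CONFIG = """\
Port 22
ListenAddress 192.168.1.50
#ListenAddress 0.0.0.0
"""

IPV4_WILDCARDS = {"*", "0.0.0.0"}
IPV6_WILDCARDS = {"::", "[::]"}


class Listener(NamedTuple):
    proto: str      # "tcp" or "tcp6"
    address: str    # local address as printed, e.g. "*", "[::]", "192.168.1.50"
    port: str       # service name or number, e.g. "ssh" or "22"


def parse_listeners(netstat_output: str) -> List[Listener]:
    """Return every TCP socket in LISTEN state; skip headers and live sessions."""
    listeners = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[-1] != "LISTEN":
            continue
        # rpartition keeps "[::]" and "*" intact and splits off the port.
        address, _, port = fields[3].rpartition(":")
        listeners.append(Listener(fields[0], address, port))
    return listeners


def ssh_bindings(listeners: List[Listener]) -> List[Listener]:
    return [l for l in listeners if l.port in ("ssh", "22")]


def ssh_reachable_on(listeners: List[Listener], interface_ip: str) -> bool:
    """Would an SSH connection arriving on interface_ip find a listening socket?

    A wildcard bind of the matching address family counts; so does an exact
    bind to that address. (A dual-stack "[::]" listener may also accept IPv4
    on many systems, but that depends on the host, so it is not assumed here.)
    """
    ip = ipaddress.ip_address(interface_ip)
    for l in ssh_bindings(listeners):
        if ip.version == 4 and l.address in IPV4_WILDCARDS:
            return True
        if ip.version == 6 and l.address in IPV6_WILDCARDS:
            return True
        if l.address.strip("[]") == str(ip):
            return True
    return False


def listen_addresses(sshd_config: str) -> List[str]:
    """ListenAddress values with comments stripped; an empty list means 'all interfaces'."""
    found = []
    for raw in sshd_config.splitlines():
        line = raw.split("#", 1)[0].strip()
        match = re.match(r"(?i)^ListenAddress\s+(\S+)", line)
        if match:
            found.append(match.group(1))
    return found


def config_binds_specific(sshd_config: str) -> bool:
    """True when sshd_config pins sshd to particular addresses rather than a wildcard."""
    addrs = [a.strip("[]").rsplit(":", 1)[0] if a.count(":") == 1 else a.strip("[]")
             for a in listen_addresses(sshd_config)]
    return any(a not in IPV4_WILDCARDS | IPV6_WILDCARDS for a in addrs)


if __name__ == "__main__":
    for label, sample in (("wildcard", SAMPLE_NETSTAT_WILDCARD), ("bound", SAMPLE_NETSTAT_BOUND)):
        ls = parse_listeners(sample)
        print(label, "-> reachable on VPN address 10.0.99.12:", ssh_reachable_on(ls, "10.0.99.12"))
    print("sshd_config pins addresses:", config_binds_specific(SAMPLE_SSHD_CONFIG))
```

With the wildcard sample the VPN-side address is reachable and the routing question remains; with the bound sample it is not, and the `ListenAddress 192.168.1.50` line in the config explains why before any route is touched.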

0

You're talking split tunneling. If you're familiar enough with the command-line ROUTE.EXE tool, you may be able to examine the routes placed by the VPN client, and remove them. You'd then re-add one to allow just the traffic to your corporate LAN to flow through the VPN gateway.

Specifically, you'd use

route print

...to get a list of the routing entries. Without seeing the output, it sounds like your VPN client would have placed a default (0.0.0.0) entry with the gateway being the VPN peer gateway. You can use

route delete 10.*

...for example, to delete all entries pointing to a 10.x.x.x network.

You can then use

route add 10.0.0.0 mask 255.0.0.0 10.0.99.99

...where the first address (10.0.0.0 255.0.0.0) is your corporate network and mask, and the second address is the remote gateway.

You would need to run this each time you connect, so you may want to script it.

Side note: an alternative would be to convince your company to set up their VPN to use split tunneling; an argument for this is reduced bandwidth, and (IANAL) reduced liability for non-corporate web traffic flowing through their network.

Geoff

Posted 2011-10-17T18:25:13.537

Reputation: 2 335
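Geoff's answer rests on reading `route print` and spotting the default route the VPN client added. The script below is an added example and not part of the answer: it parses a constructed IPv4 "Active Routes" section (hypothetical addresses: LAN 192.168.1.0/24 with gateway 192.168.1.1, VPN adapter 10.0.99.12 with peer 10.0.99.99, a remote SSH client at 203.0.113.7), performs the longest-prefix-then-lowest-metric lookup a host performs, and simulates the end state Geoff describes: the VPN default route removed, the 10.0.0.0/8 route kept. Running it on both tables shows why the asker's inbound SSH replies leave through the VPN peer, and that the split-tunnel table fixes that while keeping corporate traffic on the VPN.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed `route print` excerpt (not from the asker's machine). The VPN
# client has installed a second default route with a lower metric than the
# LAN's, so it wins for every destination not covered by a longer prefix.
SAMPLE_ROUTE_PRINT = """\
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50     25
          0.0.0.0          0.0.0.0       10.0.99.99      10.0.99.12      1
         10.0.0.0        255.0.0.0       10.0.99.99      10.0.99.12      1
        127.0.0.0        255.0.0.0         On-link        127.0.0.1    331
      192.168.1.0    255.255.255.0         On-link     192.168.1.50    281
===========================================================================
"""

_DOTTED = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]   # None for "On-link" routes
    interface: ipaddress.IPv4Address
    metric: int


def parse_route_print(text: str) -> List[Route]:
    """Parse the IPv4 Active Routes table; header, separators and IPv6 rows are skipped."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or not (_DOTTED.match(fields[0]) and _DOTTED.match(fields[1])):
            continue
        dest, mask, gw, iface, metric = fields
        routes.append(Route(
            network=ipaddress.IPv4Network((dest, mask), strict=False),
            gateway=None if gw.lower() == "on-link" else ipaddress.IPv4Address(gw),
            interface=ipaddress.IPv4Address(iface),
            metric=int(metric),
        ))
    return routes


def lookup(routes: List[Route], destination: str) -> Optional[Route]:
    """The route the host uses for destination: longest prefix first, then lowest metric."""
    dest = ipaddress.IPv4Address(destination)
    candidates = [r for r in routes if dest in r.network]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.metric))


def default_routes(routes: List[Route]) -> List[Route]:
    """All 0.0.0.0/0 entries, best metric first."""
    return sorted((r for r in routes if r.network.prefixlen == 0), key=lambda r: r.metric)


def vpn_owns_default(routes: List[Route], vpn_gateway: str) -> bool:
    """True when the winning default route hands all non-local traffic to the VPN peer."""
    defaults = default_routes(routes)
    return bool(defaults) and defaults[0].gateway == ipaddress.IPv4Address(vpn_gateway)


def without_default_via(routes: List[Route], gateway: str) -> List[Route]:
    """Simulate deleting the default route(s) that point at gateway, leaving specific routes."""
    gw = ipaddress.IPv4Address(gateway)
    return [r for r in routes if not (r.network.prefixlen == 0 and r.gateway == gw)]


def describe(route: Optional[Route]) -> str:
    if route is None:
        return "unreachable"
    via = "on-link" if route.gateway is None else f"via {route.gateway}"
    return f"{route.network} {via} out {route.interface} (metric {route.metric})"


if __name__ == "__main__":
    full = parse_route_print(SAMPLE_ROUTE_PRINT)
    split = without_default_via(full, "10.0.99.99")
    for label, table in (("as installed by the VPN client", full), ("split tunnel", split)):
        print(label)
        for probe in ("203.0.113.7", "10.1.2.3", "192.168.1.20"):
            print(f"  {probe:>14} -> {describe(lookup(table, probe))}")
```

In the first table the reply to the remote SSH client at 203.0.113.7 is routed to 10.0.99.99, so the connection that arrived over the LAN never completes; in the split-tunnel table that reply goes to 192.168.1.1 while 10.1.2.3 still takes the VPN through the /8 route, which is the outcome Geoff's `route delete` and `route add` steps aim for.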