Intermittent disconnections when using OpenVPN over SSH tunnel; possible iptables issue?


I've recently set up a Debian Wheezy server with OpenVPN to help out some friends in areas where internet censorship is a problem (including the blocking of VPN traffic in general). To overcome this, clients first create an SSH tunnel to the server, then connect to the VPN over that.

The server has an open SSH port, 40001, and port 40002 for an OpenVPN server using the TCP protocol. Both of these seem to be properly configured on the router.

I give my clients a script that tunnels their localhost:8080 to myserver:40001, then connects to the VPN. Their client OpenVPN configuration has 'remote' set to 'localhost 8080' such that the VPN connection is directed over this SSH tunnel.

My trouble is that this tunnel seems to work sometimes (seemingly at random times) but often fails to hold a connection. I've also seen it simultaneously working on some computers (my own, chiefly) but not others. When it fails, the client will connect to the VPN, but will be unable to access the internet, and after about 30-40 seconds, the SSH tunnel process will simply end (opening the tunnel manually yields only "Write error: Broken pipe" when it dies). I can't find anything whatsoever in either server or client logs to suggest why this is happening or what is killing the tunnel.

I know it's not a fault of the VPN connection itself, because if I change the remote IP from localhost:8080 to the real public address and OpenVPN port of my server, it will consistently work properly.

My suspicion is that my iptables rules are such that incoming connections directly to the VPN are accommodated, but connections to the VPN coming from inside the server itself (due to the SSH tunnel) are treated differently. However, if this were the case, I don't see why it would work only occasionally. What else could be causing these connection drops? I can't find anything relevant in either /var/log/auth.log, /etc/openvpn/openvpn.log, or any client logs.

My /etc/iptables/rules.v4 is as follows:


*filter
:INPUT ACCEPT [7937:9042429]
:OUTPUT ACCEPT [10987:15593548]
:fail2ban-ssh - [0:0]
# Replies from the internet back to VPN clients
-A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# VPN clients out to the internet
-A FORWARD -i tun0 -o eth0 -j ACCEPT
# SSH on the tunnel port; -d localhost matches only packets addressed to 127.0.0.1
-A INPUT -p tcp -d localhost --destination-port 40001 -j ACCEPT
COMMIT

EDIT: I found what's causing the issue, but I don't know how to fix it yet. When the client runs the VPN, all traffic — including that of the SSH tunnel itself — is routed over it. This is circular, of course, and crashes the tunnel. I just need to somehow exclude the SSH tunnel from OpenVPN's routing...
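One way to apply the fix the EDIT describes, as an added example rather than the asker's own client script: before OpenVPN redirects the default gateway, pin a host route for the server's public address via the pre-existing gateway (OpenVPN's `net_gateway` keyword in a `route` directive), so the SSH tunnel's own packets never enter tun0. The server address 203.0.113.10 (a documentation range), the user name vpnuser, and the `redirect-gateway def1` line are assumptions; the ports come from the question.

```shell
#!/bin/sh
# Added example (not the asker's script). Opens the SSH tunnel, then starts
# OpenVPN with a host route that keeps the tunnel itself off the VPN.

SERVER_IP="${SERVER_IP:-203.0.113.10}"   # assumed placeholder address
SSH_USER="${SSH_USER:-vpnuser}"          # assumed user name
SSH_PORT=40001                           # server's SSH port (from the question)
OVPN_PORT=40002                          # server's OpenVPN TCP port
LOCAL_PORT=8080                          # local end of the tunnel

# Accept only a dotted-quad IPv4 address so a bad value cannot turn into a
# bogus "route" line (a hostname would also reintroduce the loop, since
# OpenVPN would resolve it over a tunnel that is not up yet).
is_ipv4() {
    addr=$1
    echo "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS
    IFS=.
    set -- $addr
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Emit the client config. Because "remote" is localhost, OpenVPN cannot
# work out the real server address on its own, so the host route via the
# original default gateway has to be stated explicitly. A /32 route beats
# the 0.0.0.0/1 and 128.0.0.0/1 routes that redirect-gateway def1 installs.
gen_client_config() {
    server_ip=$1
    is_ipv4 "$server_ip" || return 1
    cat <<EOF
client
dev tun
proto tcp
remote 127.0.0.1 $LOCAL_PORT
route $server_ip 255.255.255.255 net_gateway
redirect-gateway def1
nobind
persist-key
persist-tun
verb 3
EOF
}

# Number of lines in a config that pin the given server to net_gateway;
# a sanity check before the file is handed to openvpn.
count_pinned_routes() {
    grep -c "^route $1 255.255.255.255 net_gateway$" "$2"
}

connect_over_tunnel() {
    cfg=$(mktemp)
    gen_client_config "$SERVER_IP" > "$cfg" || { echo "bad server address" >&2; return 1; }
    # -N: no remote command; -L: forward local 8080 to the server's OpenVPN port
    ssh -N -p "$SSH_PORT" -L "$LOCAL_PORT:127.0.0.1:$OVPN_PORT" "$SSH_USER@$SERVER_IP" &
    ssh_pid=$!
    sleep 2
    sudo openvpn --config "$cfg"
    kill "$ssh_pid" 2>/dev/null
    rm -f "$cfg"
}

# Only connect when explicitly asked, so the file can be sourced or checked
# without touching the network.
if [ "${RUN_TUNNEL:-0}" = "1" ]; then
    connect_over_tunnel
fi
```

Run it as `RUN_TUNNEL=1 SERVER_IP=<server> SSH_USER=<user> sh tunnel.sh`. The same effect can be had with a manual `ip route add <server>/32 via <gateway>` before starting the tunnel, but keeping the route in the OpenVPN config means it is added and removed together with the VPN session.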


Why are you running OpenVPN over SSH? One of the benefits of OpenVPN is it looks just like regular SSL (think HTTPS) traffic. Just setup your server to use TCP instead of UDP and listen on port 443 instead of the default port. There really is no reason to be doing both SSH and OpenVPN. – heavyd – 2014-07-23T04:25:03.043


Apparently not quite (see here or here for example). China's ISPs, for instance, use deep packet inspection to distinguish OpenVPN traffic from real SSL, and will block it. That's why I'm running it over SSH.

– user3145309 – 2014-07-23T17:13:47.003

The Great Firewall of China can simply block all packets they don't like the look of based on any criteria they like .. so your intermittent problems suggest they are simply blocking you at their leisure. – dotvotdot – 2016-02-17T13:20:44.463

