# SSH into VPN



## stream (Nov 23, 2020)

Hi,


I have a Freebsd server running remotely with VPN. I use openvpn.

I have Freebsd in my home machine as well.

Unfortunately, I am not able to remotely ssh into the server when I start the VPN on the server.
Home machine has no VPN btw.
For now, I have turned off firewalls just to get this up and running.

I saw some threads and some recommendations to set the route. However, I am not exactly certain how this is to be done.

All addresses below are fictitious.

VPN public IP : 222.22.222.222
Server public IP: 111.11.111.111
Home public IP: 555.55.555.555

I have a VPN start script in the server that looks something like this:

```
#!/usr/local/bin/bash
# Start OpenVPN in the background with the client configuration.
sudo openvpn --mute-replay-warnings --config /home/bbk/my_vpn.conf &

# Add a route for the VPN endpoint's /24 network (net, gateway, netmask).
sudo /sbin/route add -net 222.22.222.222 111.11.111.111 255.255.255.0
```

Can you please suggest specific commands to be added in this script or in my_vpn.conf, in order to be able to ssh from home into the server when the VPN is on?

Thank you.


----------



## Lamia (Nov 24, 2020)

stream said:


> VPN public IP : 222.22.222.222
> Server public IP: 111.11.111.111
> Home public IP: 555.55.555.555


These bogus addresses are one of the problems. Read about private IP addresses and their classes. 

And if you run a search on the Internet for "sample OpenVPN configurations in FreeBSD," you will likely see tons that you can choose from.


----------



## SirDice (Nov 24, 2020)

Lamia said:

> These bogus addresses are one of the problems.

stream said:

> *All addresses below are fictitious.*

I'm pretty sure he did that to hide his actual IP addresses.



stream said:


> Home machine has no VPN btw.


So you ssh from home directly to the external IP of the remote server? That's fine, I do that too. 



stream said:


> Unfortunately, am not able to remotely ssh into the server when I start VPN on the server.


Where is the server connecting to? Does it get different routes from the VPN connection? What does the routing table look like when the VPN is active? All outgoing traffic on the server may get routed through the VPN. So it receives the ssh connection on its external address and then routes the reply through the VPN. That VPN end-point may not know what to do with that reply and just drops it.


----------



## stream (Nov 24, 2020)

SirDice
Thank you.
Yes, the server gets different routes when the VPN is active.
Here is the netstat output with the VPN active. How do I set up the (return) routes so the server can be accessed from the external address?
When the VPN is active, neither the original server IP nor the virtual IP set by the VPN (here denoted by vv.vv.vv.5) is pingable from the outside.

```
Destination        Gateway            Flags     Netif Expire
0.0.0.0/1          vv.vv.vv.1         UGS       tun0
default            xx.xx.xx.3         UGS       igb2
vv.vv.vv.5         link#10            UHS       lo0
```


----------



## SirDice (Nov 24, 2020)

What's the VPN for? Is it to connect to a remote site? Or is it to "hide" your server? That route 0.0.0.0/1 looks odd and may be the one that's interfering. If you just need the VPN to connect to a remote site, the routes should only have the destination networks of the remote site. Everything else (like the responses to your incoming SSH connection) will then get routed through the normal default gateway. Only traffic destined for the remote site should be routed through the VPN.


----------



## stream (Nov 24, 2020)

SirDice
Yes, the VPN is to hide the server.

How do I implement your recommendation? Do you have a template for the VPN and/or routing setup?


----------



## SirDice (Nov 24, 2020)

I don't have a template. It's going to be different for every situation and thus requires a different approach. I tend to look at what's needed and go from there. 



stream said:


> Yes, VPN is to hide the server.


I was afraid of that. This is in direct conflict with your ssh issue, because this 'hiding' requires that _everything_ is routed through the VPN. Instead of connecting to the "real" address with ssh you are going to need to connect to that "hidden" address, because that's where your server is.

You may be able to poke a hole in things, just for your connection. Look at what your original gateway is on that server; I suspect it's that xx.xx.xx.3 address in your routing table. Then add a specific route for your home IP address, forcing it to be routed through the normal gateway (stricter routes have precedence over less strict ones). Something like `route add <your home IP>/32 xx.xx.xx.3`. Adding this to rc.conf will be something like this:

```
static_routes="home"
route_home="<your home IP>/32 xx.xx.xx.3"
```

Starting the OpenVPN session itself should be done through the normal service, so `sysrc openvpn_enable="YES"` to make it start automatically. Your configuration should be in /usr/local/etc/openvpn/openvpn.conf.
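
The "stricter routes have precedence" reasoning behind that /32 route, worked through as an added example (this is not code from the thread, from FreeBSD or from OpenVPN). It implements the kernel's longest-prefix match over a routing table modelled on the netstat output posted above, then shows how adding the `<home IP>/32` entry changes where the ssh reply goes while all other traffic still leaves via tun0. The addresses are placeholders standing in for the thread's xx.xx.xx.3, vv.vv.vv.1 and the home IP, and the 128.0.0.0/1 entry is an assumption: the `def1` form of OpenVPN's `redirect-gateway` option installs 0.0.0.0/1 together with 128.0.0.0/1 so that the pair out-ranks the existing default route without replacing it.

```python
from ipaddress import ip_address, ip_network

# Constructed routing table modelled on the netstat output in the thread.
# Placeholder addresses (assumptions, not the poster's real ones):
#   vv.vv.vv.1 -> 10.8.0.1      (VPN-side gateway reached over tun0)
#   xx.xx.xx.3 -> 203.0.113.3   (the server's normal default gateway on igb2)
#   home IP    -> 198.51.100.77
# 128.0.0.0/1 is assumed to be present alongside 0.0.0.0/1: that is the pair
# OpenVPN's "redirect-gateway def1" installs to cover all destinations with a
# prefix one bit more specific than the real default route.
VPN_GATEWAY = "10.8.0.1"
NORMAL_GATEWAY = "203.0.113.3"
HOME_IP = "198.51.100.77"

VPN_ROUTES = [
    ("0.0.0.0/1", VPN_GATEWAY, "tun0"),
    ("128.0.0.0/1", VPN_GATEWAY, "tun0"),
    ("0.0.0.0/0", NORMAL_GATEWAY, "igb2"),  # shown as "default" by netstat
]


def lookup(routes, destination):
    """Longest-prefix match: return (gateway, netif) used for destination.

    Every entry whose prefix contains the destination is a candidate; the
    candidate with the longest prefix (most specific route) wins, which is
    why a /32 beats both the /1 VPN routes and the /0 default.
    """
    dst = ip_address(destination)
    best = None
    for prefix, gateway, netif in routes:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, netif)
    if best is None:
        raise LookupError(f"no route to {destination}")
    return best[1], best[2]


def with_home_route(routes, home_ip, gateway, netif="igb2"):
    """Return a copy of routes plus the /32 'hole' for the home address."""
    return routes + [(f"{home_ip}/32", gateway, netif)]


def rc_conf_lines(home_ip, gateway, name="home"):
    """The rc.conf static_routes stanza equivalent to that /32 route."""
    return [f'static_routes="{name}"', f'route_{name}="{home_ip}/32 {gateway}"']


if __name__ == "__main__":
    print("reply to home, VPN only :", lookup(VPN_ROUTES, HOME_IP))
    fixed = with_home_route(VPN_ROUTES, HOME_IP, NORMAL_GATEWAY)
    print("reply to home, with /32 :", lookup(fixed, HOME_IP))
    print("any other destination   :", lookup(fixed, "192.0.2.10"))
    print("\n".join(rc_conf_lines(HOME_IP, NORMAL_GATEWAY)))
```

Without the /32 entry the reply to the home address matches 128.0.0.0/1 and leaves over tun0, which is the drop SirDice describes; with it, only that one destination is steered back to the igb2 gateway, so the server stays "hidden" for everything else. Note that this pokes the hole for a single fixed home address: if the home IP changes, the static route has to change with it.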


----------



## stream (Nov 25, 2020)

SirDice 

Thank you sir.

The route fix in the rc works. Onwards and upwards.


----------

