How does "making VPN accessible" works?
Hi,
I wasn't able to find the answer neither on Stack Overflow, nor on
OpenVPN forum. I had a server I had to connect to VPN, but make it
accessible over SSH (via it's physical NIC). I've found a solution,
but I don't really understand how it solves the issue. Just telling a
good place to ask this question is okay too.
The reason it became inaccessible are probably the following routes
that were pushed from VPN server:
0.0.0.0/1 via tun0.gw dev tun0
128.0.0.0/1 via tun0.gw dev tun0
To investigate I added the following rules to iptables:
iptables -A INPUT -p tcp --dport 443 -j LOG
iptables -A OUTPUT -p tcp --sport 443 -j LOG
Started tmux, in one console ran:
echo ------------------------ | tee /dev/tty | systemd-cat; sleep 60;
pkill openvpn
In the other:
openvpn vpn.conf
While it was running, I ran a https request to the server from my
local computer. It hang, I waited for a while, then interrupted it. It
didn't reach nginx running on the server, and there where no entries
from iptables in systemd journal.
Then I've found this solution
(https://serverfault.com/questions/659955/allowing-ssh-on-a-server-with-an-active-openvpn-client/793700#793700).
That is, I ran the following commands:
iptables -t mangle -A PREROUTING -i eth0 -m conntrack --ctstate NEW -j
CONNMARK --set-mark 1234
iptables -t mangle -A OUTPUT -m connmark --mark 1234 -j MARK --set-mark 4321
ip route add default dev eth0 via eth0.gw table 3412
ip rule add fwmark 4321 table 3412
There were still no entries from iptables in systemd journal, and the
server remained inaccessible while openvpn was running.
Then, I found another solution
(https://unix.stackexchange.com/questions/182220/route-everything-through-vpn-except-ssh-on-port-22/242808#242808).
I undid the four commands above and ran:
ip rule add table 128 from eth0.ip
ip route add table 128 default via eth0.gw
This time it worked. And I saw log entries from iptables in systemd journal.
My understanding is that before tinkering with iptables and routing
table, packets from my computer arrived to the server, but the ones
coming back were routed via VPN server's gateway (tun0.gw). There they
were probably NAT'ed (different source IP), and as such were not
recognized as a response by my local computer. But why then were there
no entries from iptables in systemd journal?
The last solution supposedly made packets return via hoster's default
gateway (eth0.gw). But when I do "traceroute 8.8.8.8", I see them
going via tun0.gw. And "curl -sS ipinfo.io/ip" returns my VPN server's
public IP. So, some packets are going via eth0.gw, some via tun0.gw.
How does it decide? This is routing table before connecting to VPN
server:
default via eth0.gw dev eth0 onlink
eth0.subnet/25 dev eth0 proto kernel scope link src eth0.ip
This is what VPN server added:
vpn.server.ip via def.gw dev eth0
tun0.subnet/24 dev tun0 proto kernel scope link src tun0.ip
0.0.0.0/1 via tun0.gw dev tun0
128.0.0.0/1 via tun0.gw dev tun0
These lines seem like they should route most if not all packets
originating from the server to go via eth0.gw:
ip rule add table 128 from eth0.ip
ip route add table 128 default via eth0.gw
On second thought, it may depend on source IP chosen. But how does it choose?
To sum it up, I'm not sure if I understand what was off. And I
certainly don't understand how it works now. Any help is welcome.
Including suggestions where to ask for help, and what to read. Thanks
in advance.
Regards,
Yuri
Reply to: