The classy.dk kitchen server sits behind an ADSL router provided by my ISP. That router is sensibly almost closed: only the FTP, HTTP, SMTP and DNS ports are open by default, and none of them are forwarded to the NATed addresses the router hands out over DHCP. I'm fine with that, even if it is the ISP stupidly controlling what I do: fewer security threats to worry about, and I can actually turn on Windows on a new machine without it being owned by a virus after five seconds.
The only server I have set up to listen for inbound traffic is the old warhorse classy.dk web server (and yes, it really is in my kitchen, as the blog says).
Occasionally I'd like to access resources on other machines on the home network, though, and that just blows. The problem is that those other machines sometimes run Windows and most certainly shouldn't be listening for traffic from the Internet. I could use SSH tunneling via the webserver and then a terminal emulator to get at the hidden machines, but that's just annoying. I want full access, file browsing, the works.
A real VPN is needed. But which one, how to set it up, and how to pass it through an interface on the webserver?
Here's a way: OpenVPN with SSH tunneling.
Since I'm only ever talking to one machine at a time, I can use the simple point-to-point setup with a static key from the OpenVPN mini-HOWTO. It needs just two changes to work through an SSH tunnel, plus the tunnel itself.

On the server (the OpenVPN machine on the home LAN, called vpnserver below), add:

    proto tcp-server

On the client, point the remote line at the local end of the SSH tunnel instead of at the server:

    remote localhost

and add the line

    proto tcp-client

Then, before starting OpenVPN on the client, open the tunnel so that local port 1194 is forwarded through the webserver to port 1194 on vpnserver:

    ssh -L1194:vpnserver:1194 user@webserver

The tunnel has to be TCP: SSH port forwarding only carries TCP connections, which is why OpenVPN's default UDP transport is out here.
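As an added example (not code from the original post), here are the complete server and client configuration files that result from applying those two changes to the mini-HOWTO's static-key setup, the SSH forward that carries the connection, and a small pre-flight check that the two files mirror each other. The host names vpnserver and webserver, the login name user, and the 10.8.0.1/10.8.0.2 tunnel addresses are assumptions; substitute your own.

```shell
#!/bin/sh
# Added example (not from the post): the static-key, point-to-point OpenVPN
# pair from the mini-HOWTO with the two changes the post describes, plus the
# SSH forward that carries it. Host names (vpnserver, webserver), the login
# name "user" and the 10.8.0.x tunnel addresses are assumptions.
set -eu

# One shared key; generate it on the OpenVPN machine and copy it to the
# client over the same SSH hop (scp), never in the clear.
genkey_cmd() {
  echo 'openvpn --genkey --secret static.key'
}

# vpnserver side: it only listens on the LAN, so the ISP router needs no
# port forward. tcp-server makes it wait for the tunnelled connection.
server_conf() {
  cat <<'EOF'
dev tun
proto tcp-server
port 1194
ifconfig 10.8.0.1 10.8.0.2
secret static.key
keepalive 10 60
persist-tun
persist-key
EOF
}

# client side: "remote localhost" aims OpenVPN at the local end of the SSH
# forward, tcp-client matches the server side, and the ifconfig endpoints
# are the server's, mirrored.
client_conf() {
  cat <<'EOF'
dev tun
proto tcp-client
remote localhost 1194
ifconfig 10.8.0.2 10.8.0.1
secret static.key
keepalive 10 60
persist-tun
persist-key
EOF
}

# Step 1 on the client: open the forward through the only reachable host.
# -N: no remote command; -f: go to the background once the forward is up.
# ssh binds port 1194 on the loopback only, so nothing else can reach it.
tunnel_cmd() {
  echo 'ssh -f -N -L 1194:vpnserver:1194 user@webserver'
}

# Step 2: on vpnserver (started first, as root): openvpn --config server.conf
#         on the client, after the forward is up: openvpn --config client.conf

# Pre-flight check: the ifconfig lines must mirror each other and the
# proto / remote lines must pair up, or the handshake never completes.
check_configs() {
  s_local=$(server_conf | awk '$1 == "ifconfig" { print $2 }')
  s_remote=$(server_conf | awk '$1 == "ifconfig" { print $3 }')
  c_local=$(client_conf | awk '$1 == "ifconfig" { print $2 }')
  c_remote=$(client_conf | awk '$1 == "ifconfig" { print $3 }')
  [ "$s_local" = "$c_remote" ] || return 1
  [ "$s_remote" = "$c_local" ] || return 1
  server_conf | grep -q '^proto tcp-server$' || return 1
  client_conf | grep -q '^proto tcp-client$' || return 1
  client_conf | grep -q '^remote localhost' || return 1
  return 0
}
```

Order matters: start openvpn on vpnserver, open the SSH forward from the client, and only then start the client-side openvpn, since remote localhost has nothing to talk to until the forward exists. Two caveats a practitioner should keep in mind: a static key gives no forward secrecy and anyone holding the file can connect, so keep it on the two endpoints only; and TCP-over-TCP (OpenVPN inside SSH) can stall badly on a lossy link, which is the price of an SSH-only path through the router.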
How did you keep SSH from dropping the connection when the VPN was initiated? I'm trying to do essentially the same thing, but every time openvpn (on the client) opens the connection, eth0 goes down and ssh drops the connection, and the whole shebang fails.
Posted by: Roguelazer at September 28, 2006 12:48 AM

It's been pretty stable the times I've used it. The key thing for me has been to remember to tunnel using TCP not UDP.
It's not a stability issue so much as SSH drops the connection as soon as OpenVPN tries to do the tap bridging (ie: disconnecting eth0, adding tap0, fiddling with routing tables, and whatever else it does). Are you doing anything funky with keep-alives to make that work?
I don't suppose you could e-mail me the (non-security-sensitive) sections of your openvpn.conf files from the server and client, could you?
Posted by: Roguelazer at September 28, 2006 8:19 AM

I'd love to, except the machines I was using this for got wiped recently. But except for the changes listed above, my configuration came straight out of the (mini) HOWTO.

Posted by: Claus at September 28, 2006 8:26 AM

Thanks for this small tutorial. All works fine. Big big thanks :))

Posted by: mac at January 2, 2007 10:40 PM

You're most welcome, mac. Glad if it helped.

Posted by: Claus at January 2, 2007 10:43 PM

Thanks a lot for this. Got it working easily; however, the next step, routing all client traffic (except ssh) over the vpn tunnel, had me stumped for a few hours. I'm in a country in which all net traffic leaving the country goes through government proxies and only http/s is permitted. I forgot about that when doing my route changes. But now all sorted.
It is so good to be able to use my email client, IM client, command line tools (such as ping, dig etc) again! So again, thanks.
Excellent, Peter!
I can't tell you how happy it makes me, if I can help you curb what should be illegal government babysitting of the internet, in whatever small way I helped.
Hello All,
Peter, could you please tell me how you managed to do what you did, I mean "routing all client traffic (except ssh) over the vpn tunnel"? I would appreciate any help as I face the same problem as you do.
Posted by: Salman at April 6, 2010 2:51 AM
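Peter did not post his route changes, so what follows is an added example, not his configuration, of one standard way to do what he describes: keep the SSH session that carries the tunnel on the physical path and push everything else through the VPN interface. The interface names tun0 and eth0, the 10.8.0.x tunnel addresses, and the RFC 5737 documentation addresses used in the comments are assumptions.

```shell
#!/bin/sh
# Added example (not Peter's own route changes, which he did not post):
# send every client flow through the VPN except the SSH session that
# carries it. tun0 / eth0 are assumed interface names; 203.0.113.10 and
# 192.0.2.1 in the comments are RFC 5737 documentation addresses.
set -eu

# Print the client-side routing commands. Arguments: the public address of
# webserver (the SSH endpoint), the client's current default gateway and
# interface, and the server's tunnel address (10.8.0.1 in the static-key
# setup discussed above). Printing rather than running lets you read the
# plan before piping it to sh as root.
route_up() {
  webserver=$1; gw=$2; dev=$3; vpn_peer=$4
  # 1. Pin the SSH endpoint to the physical path FIRST. Without this host
  #    route the new default would pull the SSH session itself into the
  #    tunnel, the tunnel would lose its transport, and everything drops.
  echo "ip route add $webserver/32 via $gw dev $dev"
  # 2. Two /1 routes are more specific than the existing /0 default, so
  #    they win without deleting the ISP default (the same idea as
  #    OpenVPN's redirect-gateway def1). Removing them restores the old
  #    state with no need to remember the original gateway.
  echo "ip route add 0.0.0.0/1 via $vpn_peer dev tun0"
  echo "ip route add 128.0.0.0/1 via $vpn_peer dev tun0"
}

# Reverse of route_up, in the opposite order, for when OpenVPN goes down.
route_down() {
  webserver=$1; gw=$2; dev=$3; vpn_peer=$4
  echo "ip route del 128.0.0.0/1 via $vpn_peer dev tun0"
  echo "ip route del 0.0.0.0/1 via $vpn_peer dev tun0"
  echo "ip route del $webserver/32 via $gw dev $dev"
}

# The server end must forward and masquerade the client's traffic, or only
# the server itself is reachable through the tunnel. eth0 is assumed to be
# the server's LAN-facing interface; 10.8.0.2 is the client's tunnel address.
server_forwarding() {
  echo 'sysctl -w net.ipv4.ip_forward=1'
  echo 'iptables -t nat -A POSTROUTING -s 10.8.0.2/32 -o eth0 -j MASQUERADE'
}

# Usage on a Linux client (example values; read the output before running):
#   read -r gw dev <<EOF
#   $(ip route show default | awk '{ print $3, $5 }')
#   EOF
#   route_up 203.0.113.10 "$gw" "$dev" 10.8.0.1        # review, then | sh
#   route_down 203.0.113.10 "$gw" "$dev" 10.8.0.1      # when the VPN stops
```

The host route must go in before the two /1 routes: once those exist, a lookup for webserver without it lands on tun0 and the SSH session that feeds tun0 dies, which is the classic way this setup breaks. Name resolution follows the same rule: if resolv.conf points at a resolver on the local network, queries now leave through the tunnel, so use a resolver that is reachable from the VPN side.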