How to locally access (i.e. ssh) my home server once it has opened an OpenVPN connection?


Problem:

I’ve set up a Raspberry Pi (running Raspbian) at home as a media server which I access from outside my network via SSH and other ports (i.e. using the Plex client from my mobile through port 32400).
Recently, I’ve decided to subscribe to a commercial VPN service. I’ve installed and configured OpenVPN on Raspbian.

After long hours of searching, reading and testing, I found out how to remotely ssh into my server while it’s redirecting all traffic from eth0 to tun0, simply by running:

ip rule add from <internal IP of SSH server/VPN client> table 10
ip route add default via <internal IP of gateway/router> table 10

I added a couple of scripts in /etc/init.d/ to open the VPN connection on boot, and another script that runs the two commands above once the VPN connection is established (it seems these rules reset on restart). So, with the setup above, I can ssh into my server from work without a problem.

My problem is that with the environment described above, I can’t locally ssh into the Raspberry Pi, and therefore my Plex client on the PlayStation 4 can’t find the server anymore. However, if I remove the rc.d scripts which (1) open the VPN connection and (2) execute the two commands above, I can connect to the server from home and from outside, but then have no VPN running 🙂

I think I’m doing something wrong with ip routes, but can’t seem to figure out what. Or maybe the order in which the scripts run isn’t right (although the ip route script’s ‘Required-Start’ requires the VPN connection to be established).

Hope it all makes sense, and that you can point me in the right direction regarding being able to ssh to the Pi from both the local and remote networks. I believe the answer lies in using either route or push, but I’m not sure.

Below are some outputs that might be useful.

Thanks in advance for your help!

Output of route -n when tun0 is created

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.109.1.5      128.0.0.0       UG    0      0        0 tun0
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 eth0
10.109.1.1      10.109.1.5      255.255.255.255 UGH   0      0        0 tun0
10.109.1.5      0.0.0.0         255.255.255.255 UH    0      0        0 tun0
128.0.0.0       10.109.1.5      128.0.0.0       UG    0      0        0 tun0
168.1.6.49      192.168.0.1     255.255.255.255 UGH   0      0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0

Output of iptables -L -v

Chain INPUT (policy DROP 44 packets, 5890 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 fail2ban-ssh  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22
  220  143K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
 7062 1750K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:32400
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5850
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:4285
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:58846
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8112
    1    64 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:72
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
   92 15173 ACCEPT     all  --  *      *       192.168.0.0/24       0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 8071 packets, 1231K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain fail2ban-ssh (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

OpenVPN client config file

client
dev tun
proto udp
remote [xxx.yyy.com] [PORT]
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
tls-client
remote-cert-tls server
auth-user-pass
comp-lzo
verb 1
reneg-sec 0
crl-verify crl.pem
auth-user-pass

Output of sysctl -a | grep .rp_filter

net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.tun0.rp_filter = 0

Output of ip rule show

0:   from all lookup local
32765:   from 192.168.0.170 lookup 10
32766:   from all lookup main
32767:   from all lookup default

Output of ip route show table 10

default via 192.168.0.1 dev eth0
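The script below is an added example, not code from the original post. It wraps the two `ip rule` / `ip route` commands from the question in an idempotent form that can be re-run from an OpenVPN `up` hook without duplicating rules, and it adds one piece that is my assumption about the local-access failure rather than something the page confirms: table 10 as shown only holds `default via 192.168.0.1 dev eth0`, so replies from 192.168.0.170 to LAN hosts are handed to the router instead of going directly out of eth0. A `to 192.168.0.0/24 lookup main` rule with a priority lower than the `from 192.168.0.170` rule, plus the LAN link route copied into table 10, keeps LAN traffic off the policy table. The addresses, interface and table number default to those in the question and are assumptions; override them via environment variables.

```shell
#!/bin/sh
# Added example (not from the original post): idempotent policy routing for a
# VPN client that must stay reachable from the LAN and from outside.
# Assumptions: LAN 192.168.0.0/24 on eth0, Pi at 192.168.0.170, gateway
# 192.168.0.1, policy table 10, as in the question's outputs.
set -eu

LAN_NET="${LAN_NET:-192.168.0.0/24}"
PI_IP="${PI_IP:-192.168.0.170}"      # internal IP of the SSH server / VPN client
GW_IP="${GW_IP:-192.168.0.1}"        # LAN gateway / router
LAN_IF="${LAN_IF:-eth0}"
TABLE="${TABLE:-10}"
BYPASS_PRIO="${BYPASS_PRIO:-100}"    # must sort before the "from $PI_IP" rule

# plan_commands RULES TABLE_ROUTES
#   RULES        = output of `ip rule show`
#   TABLE_ROUTES = output of `ip route show table $TABLE`
# Prints only the ip(8) commands that are still missing, one per line.
plan_commands() {
    rules=$1
    routes=$2
    # 1. LAN destinations always use the main table, whatever the source.
    if ! printf '%s\n' "$rules" | grep -q "to $LAN_NET lookup main"; then
        echo "ip rule add to $LAN_NET lookup main priority $BYPASS_PRIO"
    fi
    # 2. Everything else sourced from the Pi's LAN address uses table $TABLE
    #    (this is the rule from the question).
    if ! printf '%s\n' "$rules" | grep -q "from $PI_IP lookup $TABLE"; then
        echo "ip rule add from $PI_IP lookup $TABLE"
    fi
    # 3. Table $TABLE needs the LAN link route (assumed missing piece) and the
    #    non-VPN default route (the route from the question).
    if ! printf '%s\n' "$routes" | grep -q "^$LAN_NET dev $LAN_IF"; then
        echo "ip route add $LAN_NET dev $LAN_IF src $PI_IP table $TABLE"
    fi
    if ! printf '%s\n' "$routes" | grep -q "^default via $GW_IP dev $LAN_IF"; then
        echo "ip route add default via $GW_IP dev $LAN_IF table $TABLE"
    fi
}

# apply_plan: compute the plan against the live system and execute it (root).
apply_plan() {
    plan_commands "$(ip rule show)" "$(ip route show table "$TABLE")" |
    while IFS= read -r cmd; do
        echo "+ $cmd" >&2
        $cmd
    done
    ip route flush cache 2>/dev/null || true
}

case "${1:-}" in
    plan)  plan_commands "$(ip rule show)" "$(ip route show table "$TABLE")" ;;
    apply) apply_plan ;;
esac
```

Run `sh vpn-policy-routing.sh plan` to see what would change and `sudo sh vpn-policy-routing.sh apply` to install it; afterwards `ip route get 192.168.0.50 from 192.168.0.170` should report `dev eth0` with no `via`, while `ip route get 8.8.8.8` still goes through tun0. The rules are keyed on the LAN address only, so the VPN default route in the main table is left untouched and traffic the Pi originates itself keeps using the tunnel.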

Solution:

By connecting a machine to a VPN network you’re effectively “isolating” it from the local LAN: it won’t see any other machines except those in the VPN network.

So I think you got the VPN setup backwards: you want to run the VPN client on your remote machine and the VPN server on your local LAN, to leave the local LAN unaffected and make the remote machine feel connected to it.
