VPN – How to Connect to a Machine via SSH with Dynamic DNS

linux remote-access ssh vpn

I have set up my router on my local network to use dynamic DNS (no-ip) to get a "static" hostname. I have forwarded port 22 to my local PC and I can remotely log into it using ssh.
I also need the machine to connect to a VPN network to reach servers that I have to work with.
Unfortunately, as soon as I start the VPN, I get disconnected and can no longer re-connect using the static hostname. I can still ping the hostname, since the router will answer, but I cannot ssh to the machine I need to reach anymore.

    ssh: connect to host myhostname.no-ip.biz port 22: Connection timed out

I am using vpnc to connect to the VPN; however, it is a custom build provided by my university. They state that the usual vpnc client is not compatible.
They also provide a configuration file which looks like this:

    IPSec gateway vpn.uni-mannheim.de
    IPSec ID doniluma
    IPSec secret wlan
    IKE Authmode hybrid
    CA-File uni-ma.pem
    Xauth username myusername

And a certificate file.
Is there a possibility to adjust routing or similar, so I can (re)connect after initialising the VPN with vpnc-connect?

Best Answer

From the VPNC man page:

    The vpnc daemon by itself does not set any routes, but it calls vpnc-script to do this job. vpnc-script displays a connect banner. If
    the concentrator supplies a network list for split-tunneling these networks are added to the routing table. Otherwise the default-
    route will be modified to point to the tunnel. Further a host route to the concentrator is added in the later case. If the client
    host needs DHCP, care must be taken to add another host route to the DHCP-Server around the tunnel.

So your traffic is likely being directed to your university, and if they have a restrictive firewall, port 22 could be closed outside. So either you ask your network administrators to change the VPN server settings in order not to set the default route for the connection, or you have to change the behavior of your client.

Apparently there's no option to do so (or at least I didn't spot it), but I found a workaround here. Make a copy of /etc/vpnc/vpnc-script and edit the original file. In my version I have two declarations of the set_default_route() function. You have to change them in order not to change the default route. The first should look like this:

    set_default_route() {
        $IPROUTE route | grep '^default' | fix_ip_get_output > "$DEFAULT_ROUTE_FILE"
    #    $IPROUTE route replace default dev "$TUNDEV"
        $IPROUTE route flush cache
    }

and the second:

    set_default_route() {
        DEFAULTGW="`get_default_gw`"
        echo "$DEFAULTGW" > "$DEFAULT_ROUTE_FILE"
    #    route $route_syntax_del default $route_syntax_gw "$DEFAULTGW"
    #    route add default $route_syntax_gw "$INTERNAL_IP4_ADDRESS" $route_syntax_interface
    }

Beware, I didn't test those modifications, so you may need to change them a bit.
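
An alternative to editing vpnc-script, added here as an example and not part of the answer above: leave the VPN default route in place and use iproute2 policy routing so that replies sent from the LAN address go back out through the router. The addresses, interface names and table number 100 are constructed assumptions, and the script only prints the commands instead of running them.

```shell
#!/bin/sh
# Constructed sample data: `ip -4 route show` saved before and after vpnc-connect.
# All addresses and interface names are illustrative assumptions.
ROUTES_BEFORE='default via 192.168.1.1 dev eth0 proto dhcp metric 100
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50'
ROUTES_AFTER='default dev tun0 scope link
192.0.2.10 via 192.168.1.1 dev eth0 src 192.168.1.50
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50'

# Print the word following keyword $2 on the default-route line of table $1.
default_field() {
    printf '%s\n' "$1" | awk -v key="$2" '
        $1 == "default" { for (i = 2; i < NF; i++) if ($i == key) { print $(i + 1); exit } }'
}

# Print "<subnet> <source address>" for the connected route on device $2.
lan_link() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 != "default" {
            d = ""; s = ""
            for (i = 2; i < NF; i++) {
                if ($i == "dev") d = $(i + 1)
                if ($i == "src") s = $(i + 1)
            }
            if (d == want && s != "") { print $1, s; exit }
        }'
}

# Emit (never execute) the commands that build a separate routing table for
# packets whose source is the LAN address, so forwarded SSH replies avoid tun0.
reply_route_cmds() {
    before=$1 after=$2 table=${3:-100}
    gw=$(default_field "$before" via)
    dev=$(default_field "$before" dev)
    [ -n "$gw" ] && [ -n "$dev" ] || { echo "no LAN default route found" >&2; return 2; }
    if [ "$(default_field "$after" dev)" = "$dev" ]; then
        echo "# default route still on $dev; nothing to do"
        return 0
    fi
    link=$(lan_link "$before" "$dev")
    [ -n "$link" ] || { echo "no connected route on $dev" >&2; return 2; }
    echo "ip route add ${link% *} dev $dev table $table"
    echo "ip route add default via $gw dev $dev table $table"
    echo "ip rule add from ${link#* } lookup $table"
}

reply_route_cmds "$ROUTES_BEFORE" "$ROUTES_AFTER"
```

Review the printed commands against your own `ip -4 route show` output before running them as root; they do not persist across reboots.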
