To resolve this issue you will need to set up both iptables and routing rules. The specific problem you're encountering is that outgoing SSH packets are being routed via your anonymous VPN tunnel interface instead of your Ethernet interface. This is happening because your VPN software set up a routing rule to send any and all unhandled traffic via the tunnel interface. Good for anonymizing your network traffic; bad for establishing SSH connections to your computer.
There are a few ways to fix this problem, but I will share with you the one which worked for me in an identical situation. Here's what we need to do:
- Create a new IP rule table to handle non-VPN traffic
- Add an IP rule to lookup our no-VPN table for any packets marked with a specific netfilter mask
- Add an IP route which directs all traffic in our no-VPN table to use your Ethernet interface instead of the tunnel
- Add an iptables rule to mark all SSH traffic with our designated netfilter mask
Note: I was working with Raspbian while doing the following, so you might need to adjust the commands a little to fit your distro.
Creating a new IP rule table
Begin by inspecting iproute2's table definition file. We want to make sure we don't use the name or number of any existing rule tables.
cat /etc/iproute2/rt_tables
You'll likely see something along these lines:
# reserved values
255 local
254 main
253 default
0 unspec
#
# local
#
#1 inr.ruhep
Pick an arbitrary number and name for your new rule table -- anything not used above. I will use number 201 and name novpn
for the remainder of this answer.
Append a definition directly to the definition file or edit it in the text editor of your choice:
echo "201 novpn" >> /etc/iproute2/rt_tables
Add a new IP rule to lookup the no-VPN table
Check for any existing ip rules that deal with netfilter masks:
ip rule show | grep fwmark
If grep turns up nothing, you're in the clear. If it does print some lines, take note of the hexadecimal number to the right of the word fwmark
in each line. You will need to pick a number that is not currently in use. Since I had no existing fwmark rules, I chose the number 65.
ip rule add fwmark 65 table novpn
What this does is cause any packets with netfilter mask 65 to lookup our new novpn
table for instructions on how to route the packets.
Direct all traffic in our new table to use the Ethernet interface
ip route add default via YOUR.GATEWAY.IP.HERE dev eth0 table novpn
The important thing to note here is dev eth0
. This forces all traffic that passes through the novpn
table to only use the hardware Ethernet interface, instead of the virtual tunnel interface that your VPN creates.
Now would be a good time to flush your iproute cache, to make sure your new rules and routes take immediate effect:
ip route flush cache
Instruct firewall rule to mark all SSH traffic with the designated netfilter mask
iptables -t mangle -A OUTPUT -p tcp --sport 22 -j MARK --set-mark 65
There are too many options here for me to explain in any great depth. I strongly encourage you to read the manual page for iptables to get a sense of what's going on here:
man iptables
In a nutshell: we are appending an output rule to the firewall's mangle table (for specialized packet handling) that instructs it to mark any TCP packets originating from source port 22 with our designated netfilter mask 65.
What next?
At this point, you should be ready to test SSH. If all goes well, you should be met with the happy "login as" prompt.
For security's sake, I recommend you instruct your firewall to drop any incoming SSH requests from the tunnel interface:
iptables -A INPUT -i tun0 -p tcp -m tcp --dport 22 -j DROP
Note that the all of the instructions above are transient (except for the creation of the rule table ID) -- they will clear the next time you restart your computer. Making them permanent is an exercise I leave to you.
Best Answer
This way all traffic (including incomming from tun0) will be routed via tun1 except local traffic on ethernet (182.160.0.0/24) and local traffic on tun0 / "VPN1" (10.8.3.0/24).
With this routing table also all traffic comming from eth0 will be routed via tun1 which is not mentioned / requested in the question... Is this situation OK for you? In case the answer is yes then you can keep this setting.
In case this is not willing situation (you don't want to route traffic from eth0 to tun1 / tun0) you have (at least) two options how to deal it.
There can be more than just one routing table and based on the rule / policy you can manage which traffic would be handled by the other than default one. This way you can set custom routing table where the default GW would be tun1 and only traffic comming from tun0 would be pointed to this custom routing table.
This way you can isolate whole tun interfaces from eth0 (with internal routing between namespaces) so you can have simple (default) routing table set up in the namespace so only traffic from tun0 can reach tun1.