Ssh – Allowing SSH on a server with an active OpenVPN client

Tags: openvpn, ssh

I have a VPS running CentOS 7 that I connect to with SSH. I would like to run an OpenVPN client on the VPS so that internet traffic is routed through the VPN, but still allow me to connect to the server via SSH. When I start up OpenVPN, my SSH session gets disconnected and I can no longer connect to my VPS. How can I configure the VPS so that incoming SSH (port 22) connections are accepted on the VPS's actual IP (104.167.102.77), while outgoing traffic (such as from a web browser on the VPS) is still routed through the VPN?

The OpenVPN service I use is PrivateInternetAccess, and an example config.ovpn file is:

client
dev tun
proto udp
remote nl.privateinternetaccess.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
tls-client
remote-cert-tls server
auth-user-pass
comp-lzo
verb 1
reneg-sec 0
crl-verify crl.pem

Output of ip addr on the VPS:

1: lo:  mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens33:  mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:50:56:be:16:f7 brd ff:ff:ff:ff:ff:ff
    inet 104.167.102.77/24 brd 104.167.102.255 scope global ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::250:56ff:febe:16f7/64 scope link
       valid_lft forever preferred_lft forever
4: tun0:  mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
    link/none
    inet 10.172.1.6 peer 10.172.1.5/32 scope global tun0
       valid_lft forever preferred_lft forever

Output of ip route on the VPS:

0.0.0.0/1 via 10.172.1.5 dev tun0
default via 104.167.102.1 dev ens33  proto static  metric 1024
10.172.1.1 via 10.172.1.5 dev tun0
10.172.1.5 dev tun0  proto kernel  scope link  src 10.172.1.6
104.167.102.0/24 dev ens33  proto kernel  scope link  src 104.167.102.77
109.201.154.177 via 104.167.102.1 dev ens33
128.0.0.0/1 via 10.172.1.5 dev tun0

Best Answer

I'm having a similar issue to this and have been attempting the fix described in this forum post.

The idea is that currently when you connect to your public IP address, the return packets are being routed over the VPN. You need to force these packets to be routed over your public interface.

These route commands will hopefully do the trick:

ip rule add from x.x.x.x table 128
ip route add table 128 to y.y.y.y/y dev ethX
ip route add table 128 default via z.z.z.z

Where x.x.x.x is your public IP, y.y.y.y/y should be the subnet of your public IP address, ethX should be your public Ethernet interface, and z.z.z.z should be the default gateway.

Note that this hasn't worked for me (using Debian and PrivateInternetAccess) but may help you out.
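As an added example (not code from the question or the answer), the script below derives the values the answer calls x.x.x.x, y.y.y.y/y and z.z.z.z from ip route output and emits the answer's three commands, so the public IP, subnet and gateway are never hand-typed; the sample input is the routing table posted in the question, and DRY_RUN, policy_route_cmds and apply_policy_routes are names chosen here.

```shell
#!/bin/sh
# Added example, not code from the question or the answer: derive the values
# the answer calls x.x.x.x, y.y.y.y/y and z.z.z.z from `ip route` output and
# emit (or, with DRY_RUN=0 as root, apply) the answer's three commands.
set -eu

# policy_route_cmds IFACE TABLE ROUTES
# The connected route "y.y.y.y/y dev IFACE proto kernel scope link src x.x.x.x"
# supplies the public subnet and IP; "default via z.z.z.z dev IFACE" the gateway.
# Fails (exit 1) when either line is missing, so nothing half-configured is emitted.
policy_route_cmds() {
    iface=$1; table=$2; routes=$3
    subnet=$(printf '%s\n' "$routes" | awk -v d="$iface" \
        '$2=="dev" && $3==d && /proto kernel/ && /scope link/ {print $1; exit}')
    pubip=$(printf '%s\n' "$routes" | awk -v d="$iface" \
        '$2=="dev" && $3==d && /scope link/ {for(i=1;i<NF;i++) if($i=="src") print $(i+1); exit}')
    gw=$(printf '%s\n' "$routes" | awk -v d="$iface" \
        '$1=="default" && $2=="via" && $4=="dev" && $5==d {print $3; exit}')
    [ -n "$subnet" ] && [ -n "$pubip" ] && [ -n "$gw" ] || return 1
    # Replies sourced from the public IP are looked up in TABLE, whose only
    # default route points at the public gateway instead of tun0.
    printf 'ip rule add from %s table %s\n' "$pubip" "$table"
    printf 'ip route add table %s to %s dev %s\n' "$table" "$subnet" "$iface"
    printf 'ip route add table %s default via %s\n' "$table" "$gw"
}

# apply_policy_routes IFACE TABLE ROUTES: print the commands (DRY_RUN=1, the
# default) or run them (DRY_RUN=0). Doing this before OpenVPN starts keeps the
# SSH session alive, since the VPN's 0.0.0.0/1 and 128.0.0.0/1 routes otherwise
# pull the replies onto tun0.
apply_policy_routes() {
    cmds=$(policy_route_cmds "$1" "$2" "$3") ||
        { echo "no connected/default route found for $1" >&2; return 1; }
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '%s\n' "$cmds"
    else
        printf '%s\n' "$cmds" | while IFS= read -r c; do sh -c "$c"; done
    fi
}

# Constructed sample input: the `ip route` output posted in the question.
# On the live host use "$(ip -4 route show)" instead.
SAMPLE_ROUTES='0.0.0.0/1 via 10.172.1.5 dev tun0
default via 104.167.102.1 dev ens33  proto static  metric 1024
10.172.1.5 dev tun0  proto kernel  scope link  src 10.172.1.6
104.167.102.0/24 dev ens33  proto kernel  scope link  src 104.167.102.77
128.0.0.0/1 via 10.172.1.5 dev tun0'

apply_policy_routes ens33 128 "$SAMPLE_ROUTES"
```

The rule and table survive only until reboot; on CentOS 7 they would need to be re-applied from a network or OpenVPN start hook.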
