is there a way to keep the SSH connection alive while connecting to
the VPN?
No. That system's routing changes dramatically when you connect to the VPN, which breaks all established TCP sockets.
You should look into using a terminal multiplexer like screen or tmux in your ssh session - that way you can have a persistent shell that you can re-connect to.
You can use advanced routing to route packets incoming on your primary interface back out through the same interface. This way any traffic originating from the server will get routed through the VPN, but the primary interface of your server will remain available for connections. The idea here is that if a packet comes in through the primary interface, the reply will use a different routing table named "vpn", so it won't be affected by the routing settings of the VPN client.
In order to achieve this, do the following:
Edit the /etc/iproute2/rt_tables file. It should contain something like this:
#
# reserved values
#
255 local
254 main
253 default
0 unspec
#
# local
#
Add this line to the end of the file:
1 vpn
In the /etc/network/interfaces file, under the settings of your main interface (or in the appropriate file in /etc/network/interfaces.d/), add the following lines:
up ip route add 0.0.0.0/0 via def.ault.gw table vpn
up ip rule add from the.primary.ip.addr table vpn
down ip route del 0.0.0.0/0 table vpn
down ip rule del from the.primary.ip.addr
Replace the.primary.ip.addr with the IP address of your primary interface (that is, the IP you want your server to be available through), and def.ault.gw with the default gateway address.
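The procedure above, worked through as a small script (an added example, not code from the answer): it registers the same `vpn` table and `ip rule` as the interfaces stanza, but as `up`/`down`/`check` actions you can run by hand or from an OpenVPN `--up`/`--down` hook. The interface name eth0, the address 203.0.113.10 and the gateway 203.0.113.1 are placeholder values; the `1 vpn` entry in /etc/iproute2/rt_tables is assumed to have been added as described. DRY_RUN=1 (the default) prints the ip(8) commands instead of executing them, so the script can be read and tested without root.

```sh
#!/bin/sh
# Added example: source-based policy routing so that replies to connections
# arriving on the primary interface leave via the primary gateway, even after
# an OpenVPN client has replaced the default route in the main table.
#
# Assumed placeholder values (override via the environment):
#   PRIMARY_IP  address of the primary interface (the one you SSH to)
#   PRIMARY_GW  that interface's default gateway
#   PRIMARY_DEV interface name
#   TABLE       routing table name registered in /etc/iproute2/rt_tables
# DRY_RUN=1 (default) prints the ip(8) commands instead of running them.

PRIMARY_IP="${PRIMARY_IP:-203.0.113.10}"
PRIMARY_GW="${PRIMARY_GW:-203.0.113.1}"
PRIMARY_DEV="${PRIMARY_DEV:-eth0}"
TABLE="${TABLE:-vpn}"
RT_TABLES="${RT_TABLES:-/etc/iproute2/rt_tables}"
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Does the file given as $1 map a numeric id to $TABLE?  ip(8) also accepts a
# bare number, but a name keeps `ip rule show` / `ip route show table vpn`
# readable.  Comment lines (leading #) never match.
table_registered() {
    grep -Eq "^[[:space:]]*[0-9]+[[:space:]]+${TABLE}([[:space:]]|\$)" "$1"
}

# Route + rule that together say: "sourced from the primary IP, then leave via
# the primary gateway, whatever the main table's default route is now".
# Priority 1000 sorts before the main-table rule (32766), so it wins.
vpn_bypass_up() {
    run ip route add default via "$PRIMARY_GW" dev "$PRIMARY_DEV" table "$TABLE"
    run ip rule add from "$PRIMARY_IP" table "$TABLE" priority 1000
}

vpn_bypass_down() {
    run ip rule del from "$PRIMARY_IP" table "$TABLE" priority 1000
    run ip route flush table "$TABLE"
}

# The check worth running once the VPN is up: which way would a reply sourced
# from the primary IP go?  The output must name PRIMARY_GW, not the tun device.
# 192.0.2.1 is a documentation address standing in for "any remote peer".
vpn_bypass_check() {
    run ip route get 192.0.2.1 from "$PRIMARY_IP" iif "$PRIMARY_DEV"
}

# Dispatcher: with no action the file only defines the functions above.
case "${1:-}" in
    up)
        table_registered "$RT_TABLES" || echo "warning: '$TABLE' not in $RT_TABLES" >&2
        vpn_bypass_up ;;
    down)  vpn_bypass_down ;;
    check) vpn_bypass_check ;;
    "")    : ;;
    *)     echo "usage: $0 up|down|check" >&2; exit 2 ;;
esac
```

Run it as `DRY_RUN=0 sh vpn-bypass.sh up` before starting the VPN client (or point OpenVPN's `--up` at it) and `... check` afterwards. The `vpn` table holds only a default route, so replies to peers on the primary interface's own subnet are handed to the gateway too; if the server must answer on-link neighbours directly, add that connected route to the table as well. Locally originated connections keep using the main table, which is the intent: only traffic that was addressed to the primary IP bypasses the tunnel.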
Best Answer
Let's consider the following scenario:
In such a scenario, from your machine (let's suppose your machine is 9.8.7.6/24 with def-gw 9.8.7.254) you can successfully establish an SSH connection to 4.3.2.1. Hence both hosts 4.3.2.1 and 9.8.7.6 can successfully reach each other.
Now, with such an SSH connection established, let's suppose:
At this stage:
IF no route is pushed from the remote OpenVPN server to your local VPS, then nothing will change in terms of routing, and your SSH connection will survive with no problems at all. In this case, the only traffic traversing the VPN is the traffic directed towards the remote OpenVPN server (10.10.10.1);
IF the remote OpenVPN server pushes back some route, and especially if the VPS default gateway is replaced with 10.10.10.1 (the remote OpenVPN endpoint), THEN you have problems. In this case you're tunneling ALL the outgoing IP traffic (with the exception of OpenVPN itself) within the VPN.
In this second case (replacing the def-gw right after establishing the VPN connection), your previous SSH connection will "hang", due to asymmetric routing:
In other words: as soon as the VPN link is established, your return route from VPS to your machine is going to change and... this is not a good thing (several network devices, along the return-path, might recognize such asymmetric path and simply drop packets).
Furthermore, chances are high that your remote OpenVPN server is acting as a NAT box: all the traffic coming from the VPN will be NATted with the public IP address of the remote OpenVPN server. If this is true, then things are no longer... "not good", but definitely "bad", as far as your SSH connection is concerned: return traffic, in addition to getting back along a different route, comes back to your machine with a different source IP (the one of the public interface of the VPN server).
How to solve this problem?
Quite easily, indeed.
Simply instruct your VPS not to route traffic to your machine along the VPN but, instead, to rely on the previous route. It should be as easy as adding, before starting OpenVPN:
where:
P.S.: by providing a much more detailed question, you would have gotten a much quicker answer :-)
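The fix this answer describes, as an added example (not the answer's own command, which is not reproduced on the page): before OpenVPN starts, pin a /32 route to the SSH client via the gateway the VPS is using right now, so that one return path never enters the tunnel and never gets NATted by the VPN server. Addresses follow the answer's scenario (client 9.8.7.6, VPS 4.3.2.1); the VPS's own gateway is not stated there, so it is read from `ip route show default` at run time, and 4.3.2.254 in the comments is an assumed value. The client address is taken from sshd's SSH_CLIENT variable when run from the SSH session itself. DRY_RUN=1 (default) prints the ip(8) commands instead of executing them.

```sh
#!/bin/sh
# Added example: keep the return route to the SSH client out of the VPN by
# pinning a host route via the pre-VPN default gateway.  Scenario values from
# the answer: client 9.8.7.6, VPS 4.3.2.1.  The VPS gateway (e.g. 4.3.2.254,
# an assumed value) is parsed from the live routing table before OpenVPN
# replaces it.  DRY_RUN=1 (default) only prints the ip(8) commands.

DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Parse one line of `ip -4 route show default`, such as
#   default via 4.3.2.254 dev eth0 proto static
# and print "<gateway> <device>".  Returns 1 when there is no "via" gateway
# (e.g. a point-to-point default route already pointing at tun0).
parse_default_route() {
    set -- $1
    pdr_gw=""; pdr_dev=""
    while [ $# -gt 0 ]; do
        case "$1" in
            via) pdr_gw="$2"; shift ;;
            dev) pdr_dev="$2"; shift ;;
        esac
        shift
    done
    [ -n "$pdr_gw" ] && [ -n "$pdr_dev" ] || return 1
    printf '%s %s\n' "$pdr_gw" "$pdr_dev"
}

# The peer to protect: first field of SSH_CLIENT ("ip port serverport"),
# or an explicit "ip port port" string passed as $1.
client_addr() {
    printf '%s\n' "${1:-$SSH_CLIENT}" | awk '{print $1}'
}

# $1 = client IP, $2 = a default-route line.  Emits the /32 host route via the
# gateway found in that line; a /32 beats the pushed default route by prefix
# length, so no policy routing is needed.
pin_client_route() {
    pcr_client="$1"
    pcr_gwdev=$(parse_default_route "$2") || return 1
    set -- $pcr_gwdev
    run ip route add "$pcr_client/32" via "$1" dev "$2"
}

unpin_client_route() {
    run ip route del "$1/32"
}

# Live use on the VPS, from the SSH session, before `openvpn --config ...`:
#   DRY_RUN=0 sh pin-ssh-peer.sh run
main() {
    route_line=$(ip -4 route show default 2>/dev/null | head -n 1)
    client=$(client_addr "${SSH_CLIENT:-9.8.7.6 0 22}")   # answer's client as fallback
    pin_client_route "$client" "$route_line" \
        || { echo "no 'via' default route found; is the VPN already up?" >&2; exit 1; }
}

if [ "${1:-}" = run ]; then main; fi
```

After OpenVPN is up, `ip route get 9.8.7.6` on the VPS should still show the original gateway and interface rather than tun0; if it shows tun0, the host route was added after the push or was removed. Undo with `unpin_client_route 9.8.7.6` once the VPN is down. Compared with the policy-routing approach in the other answer, this protects exactly one peer, which is all the question needs.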