OpenVPN – Unable to SSH into OpenVPN Cloud Connector Machine Over VPN IP

I just started using OpenVPN cloud connectors for creating mesh VPN networks.
I deployed a connector and setup relvant IP forwarding and NAT protocols that allow me to access the LAN network behind the machine with runs the OpenVPN cloud connector. I was able to do that successfully. (my info is mostly from this link https://openvpn.net/cloud-docs/connecting-networks-to-openvpn-cloud-using-connectors/)

Now the problem is why am I not able to SSH into the machine that runs the cloud connector over its VPN IP of 100.96.1.18? Weirdly, I can ping it no problem.

~$ ssh [email protected]
ssh: connect to host 100.96.1.18 port 22: Network is unreachable

~$ ping 100.96.1.18 -c 4
PING 100.96.1.18 (100.96.1.18) 56(84) bytes of data.
64 bytes from 100.96.1.18: icmp_seq=1 ttl=62 time=209 ms
64 bytes from 100.96.1.18: icmp_seq=2 ttl=62 time=279 ms
64 bytes from 100.96.1.18: icmp_seq=3 ttl=62 time=208 ms
64 bytes from 100.96.1.18: icmp_seq=4 ttl=62 time=204 ms

--- 100.96.1.18 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 203.702/224.971/279.214/31.383 ms

Surprisingly, I can remotely (through a VPN client machine) SSH into the connector machine over its Local IP of 192.168.18.1

Here are the IP routes on the connector machine.

~$ ip route
default via 192.168.18.1 dev eno1 proto dhcp metric 100 
64.120.110.199 via 192.168.18.1 dev eno1 
100.80.0.0/12 via 100.96.1.17 dev tun0 
100.96.0.0/11 via 100.96.1.17 dev tun0 
100.96.1.16/30 dev tun0 proto kernel scope link src 100.96.1.18 
169.254.0.0/16 dev eno1 scope link metric 1000 
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 
192.168.0.0/24 via 100.96.1.17 dev tun0 
192.168.18.0/24 dev eno1 proto kernel scope link src 192.168.18.88 metric 100 

~$ ifconfig tun0
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 100.96.1.18  netmask 255.255.255.252  destination 100.96.1.18
        inet6 fd:0:0:8101::2  prefixlen 126  scopeid 0x0<global>
        inet6 fe80::5a84:3a5:f59b:d64f  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 500  (UNSPEC)
        RX packets 1682  bytes 451719 (451.7 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1755  bytes 637526 (637.5 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Also for debug here are the IP routes from a connected client machine

~$ ip route
default via 192.168.31.1 dev wlp2s0 proto dhcp metric 600 
25.0.0.0/8 dev ham0 proto kernel scope link src 25.56.7.62 
100.80.0.0/12 via 100.96.1.1 dev tun0 
100.96.0.0/11 via 100.96.1.1 dev tun0 
100.96.1.0/28 dev tun0 proto kernel scope link src 100.96.1.2 
169.254.0.0/16 dev wlp2s0 scope link metric 1000 
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown 
172.107.213.76 via 192.168.31.1 dev wlp2s0 
192.168.0.0/24 via 100.96.1.1 dev tun0 
192.168.18.0/24 via 100.96.1.1 dev tun0 
192.168.31.0/24 dev wlp2s0 proto kernel scope link src 192.168.31.189 metric 600 

~$ traceroute 100.96.1.18
traceroute to 100.96.1.18 (100.96.1.18), 64 hops max
  1   100.96.1.18  265.200ms !N  109.653ms !N  105.821ms !N

My main point of contention is that since 100.96.0.0/11 via 100.96.1.1 dev tun0 route is being pushed to the client I should be able to reach the 100.96.1.18 IP and ssh or traceroute etc. to it.

P.S. Asking this here since OpenVPN support couldn't answer.

Best Answer

Just in case anyone gets into same trouble: this problem has nothing to do with firewall on your side as connection is dropped on cloud side. According to OpenVPN cloud idea you use "network connectors" to connect to some network as client and "host connectors" to allow clients to connect to you. So if you want to connect to your server via OpenVPN cloud that server has to be connected to VPN via "host connector" and not via "network connector" as only "host connector" will have firewall opened for incomming connections on cloud side.

To check whether this applies to you make sure your openssh server is listening on all interfaces (0.0.0.0:22 or :::22 for ipv6) using "netstat -pan | grep ssh" or at least at your VPN interface. Then use (assuming vpn is at tun0 interface) "tcpdump -pni tun0 tcp port 22" to see whether you are getting any ssh connect requests from vpn. You can drop "port 22" and try to ping your "server" to make sure traffic is going. Normally with "network connector" you will get your ping pass through but for ssh requests nothing will be visible as cloud will not allow ssh traffic. If you establish connection via cloud using "host connector" it will work.

https://openvpn.net/cloud-docs/owner/servers/hosts/adding-a-host.html

Best Answer

Related Solutions

SSH and OpenVPN – Allowing SSH on a Server with an Active OpenVPN Client

Openvpn – site to site openvpn with Merlin and DD-WRT

Related Topic