Hi all, I’ve seen questions about this, but no clear answer.
I have a server connected to a VPN , and I’m trying to SSH into it from the outside.
What’s the proper way to route the SSH traffic into that machine?
Split Tunneling is not an option for me because my provider doesn’t offer it. ZeroTier (or something similar) is also not an option. I need to find a solution where I can SSH into the server while it’s still connected to the VPN – is this possible?
Here’s what’s happening:
When connected to the VPN, Port 22 on the VPN’s IP shows as open, but I can’t connect. I get Permission denied (publickey). Port 22 on the router’s public IP shows as closed.
When not connected to the VPN, Port 22 on the public IP shows as open, and I can connect just fine.
VPNs all NAT which means that the inside VPN establishes ports on an outgoing basis VS using static port mappings.
What you need is a static port mapping, which is not a default with NAT.
Even better would be the ability to split tunnel or do application-based networking. I own a VPN provider (in beta) which does support this, and your use case is exactly the one I had in mind when creating these features.
In either case you should be able to do your own split tunneling, but if you’re on Linux you can go one step further and allow incoming SSH connections through your router with port forwarding while still routing all internet traffic out the VPN. Can go into detail if need be but I’m not sure if/how on a windows box.
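The Linux variant described above (inbound SSH arriving through the router's port forward while the default route stays on the VPN) is source-based policy routing. The script below is an added example and not code from the poster or from any VPN provider; the interface name, addresses, LAN prefix and routing-table number are assumptions for illustration. Without arguments it only prints the commands; with --apply (as root) it runs them.

```shell
#!/bin/sh
# Added example, not from the thread: route SSH replies that belong to
# connections arriving via the router back out through the LAN gateway, while
# the main table's default route still sends everything else into the VPN.
# All values below are assumptions for illustration.

LAN_IF=${LAN_IF:-eth0}             # physical interface facing the home router
LAN_IP=${LAN_IP:-192.168.1.50}     # this server's LAN address (port-forward target)
LAN_NET=${LAN_NET:-192.168.1.0/24} # the LAN prefix
LAN_GW=${LAN_GW:-192.168.1.1}      # the router
TABLE=${TABLE:-100}                # spare routing table id

# Packets whose source address is LAN_IP (replies to connections that came in
# through the router) are looked up in table TABLE, whose default route points
# at the router instead of the tun interface. Priority 1000 sorts before the
# main table (32766). rp_filter is set to loose mode on the LAN interface,
# because strict mode would drop inbound packets whose reverse path is the VPN.
policy_route_cmds() {
    cat <<EOF
ip route add $LAN_NET dev $LAN_IF table $TABLE
ip route add default via $LAN_GW dev $LAN_IF table $TABLE
ip rule add from $LAN_IP table $TABLE priority 1000
sysctl -w net.ipv4.conf.$LAN_IF.rp_filter=2
ip route flush cache
EOF
}

# Undo in reverse order.
policy_route_undo_cmds() {
    cat <<EOF
ip rule del from $LAN_IP table $TABLE priority 1000
ip route del default via $LAN_GW dev $LAN_IF table $TABLE
ip route del $LAN_NET dev $LAN_IF table $TABLE
ip route flush cache
EOF
}

# Read commands from stdin; print them (dry run) or execute them (--apply).
apply_cmds() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        if [ "${1:-}" = "--apply" ]; then
            $line
        else
            echo "$line"
        fi
    done
}

case "${1:-}" in
    --apply) policy_route_cmds | apply_cmds --apply ;;
    --undo)  policy_route_undo_cmds | apply_cmds --apply ;;
    *)       policy_route_cmds | apply_cmds ;;   # dry run: print only
esac
```

Two caveats a practitioner should check before relying on this: the VPN client must not install its own firewall "kill switch" that drops traffic leaving via the LAN interface, and the router's port forward should point at a non-default external port with sshd still restricted to key authentication, since the forward exposes the service to the whole Internet rather than to the VPN provider's network.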
Well the VPN provider would have to forward that port for you to access it with the public address of the VPN. If you want to SSH from the WAN address of the server and can’t split tunnel then add another interface.
“Permission denied (publickey)”
You’re obviously not talking to “your” server, you’re talking to your VPN’s ssh server.
The way you can connect back to your ssh server over VPN is to do reverse SSH tunneling. For that you’ll need to run an ssh server on the client.
On the Server you would need to do:
“ssh -R 420:localhost:22 [email protected]”
And on the client you’ll do: ssh Server_User@localhost -p 420
Been there done that, that’s how I get SSH on my server over 5G because my Telecom provider never allowed port forwarding I had to forward the port to the client.
GamingVPN has something to sell and that’s their VPN, that user didn’t even mention the obvious “Permission denied (publickey)” why would that show up in the log? answer: You’re not using publickeys, and you’re not talking to your server.
One of the things you can do is install miredo. This service adds a public IPv6 address to your machine that allows incoming connections, even if the device is behind an endpoint-dependent firewall.
I typically combine this with a DDNS solution, so the IP address changing gets tracked.
All you need to do is “port forwarding”. Works for me. For example, PC on home WiFi on VPN. Select port forwarding on the router, external port = 2222, internal port = 22.
Then, even when PC is on VPN, external access is possible with command:
Well, my VPN isn’t NAT … it is straight onto my ISP connection
So I can SSH in ( and out ) as I like
OP should be more clear in the VPN explanation, is it a private VPN ( home ), a corporate VPN ( business where he works ) or the fake privacy ones, like the ones you pay per month 5$ to download your torrents
Yeah, the one I purchased doesn’t offer this kind of service. Mine’s pretty dumbed-down. If you don’t mind, can you PM me with what service you purchased?
Good idea, but my provider doesn’t allow for configuration with ovpn. I think what this is boiling down to is, I just don’t have the right VPN service for me.
Well, I’m actually using public keys for signing into the server, which is why It wasn’t so obvious, but what you’re saying makes sense – and It’s what I thought.
But how does this reverse-tunneling work if the connection is ever broken? if the client (a laptop) goes in and out of different networks (i.e. if they have non-static IP’s)?
I need to be able to SSH from the outside, from a series of different devices – the public keys of which will be added to the server beforehand, of course – independent of their IP’s. Is that possible?
I didn’t understand the NAT issue described by the other user, but if its not possible, I’ll just setup a Raspberry pi inside the LAN, SSH into that, and SSH from there into the server.
I just through that SSHin’g into the server behind the VPN would be more secure, that’s all.
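The reverse tunnel suggested earlier in the thread, and the follow-up question about what happens when the link drops, can be handled with a small wrapper around ssh. The script below is an added example, not code from any poster; the jump-host name, user names and the use of port 420 (the only value taken from the thread) are assumptions. The machine the tunnel terminates on has to have a stable, reachable address (a box on the LAN such as the Raspberry Pi mentioned above, or any always-on host), because a roaming laptop cannot serve as the -R endpoint.

```shell
#!/bin/sh
# Added example, not from the thread: keep a reverse SSH tunnel from the
# VPN-connected server to a fixed jump host alive. The server opens the
# connection outbound (which works through the VPN's NAT); the jump host then
# exposes port 420 on its loopback interface, leading back to the server's sshd.
# Hostnames, user names and the port number are assumptions for illustration.

# Build the ssh command that opens the tunnel.
#   $1 = port to open on the jump host (loopback only unless the jump host's
#        sshd sets GatewayPorts), $2 = user@jump-host
# -N: no remote shell, just the forward.
# ExitOnForwardFailure: exit instead of silently running without the forward,
#   which is what lets the retry loop below notice and reopen it.
# ServerAliveInterval/CountMax: detect a dead link within about 90 seconds,
#   e.g. when the VPN drops and the TCP session is never closed cleanly.
tunnel_cmd() {
    remote_port=$1
    jump=$2
    printf 'ssh -N -R %s:localhost:22 -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 %s\n' \
        "$remote_port" "$jump"
}

# Re-establish the tunnel whenever ssh exits, with a pause so a flapping VPN
# link does not hammer the jump host. Runs until killed.
run_tunnel() {
    remote_port=$1
    jump=$2
    while :; do
        eval "$(tunnel_cmd "$remote_port" "$jump")" || true
        sleep 10
    done
}

# The command a user then runs on the jump host to reach the server.
# 'serveruser' is a placeholder; key authentication on the server's sshd is
# unchanged, since the tunnel only carries the TCP connection.
client_cmd() {
    remote_port=$1
    printf 'ssh -p %s serveruser@localhost\n' "$remote_port"
}

# Usage: ./reverse_tunnel.sh --run 420 tunnel@jump.example.net
if [ "${1:-}" = "--run" ]; then
    run_tunnel "$2" "$3"
fi
```

Because the forwarded port is bound to the jump host's loopback, only someone already logged in to the jump host can reach it, which keeps the server's sshd off the public Internet; each of the OP's devices would SSH to the jump host first and then to localhost:420 (or use a ProxyJump entry in its ssh config), with its key added to the server beforehand as planned.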
I don’t think something like that is an option because I’m trying to run the ssh script natively in an Apple Shortcut. I need it to work across multiple devices, and I don’t have admin privileges on some of them to install any third party tools.
Thank you, does Miredo offer a release for Mac? I’m using a DDNS as well, but I didn’t want to bring it up and over-complicate things. One bridge at a time… lol
If you’re willing to learn the technical side of things, you could look into doing custom windows routing, effectively giving you a “split route” on your Windows OS. This might also give you what you’re looking for.
So you’d want to identify WHO is SSHing into you. For example, maybe it is AT&T mobile? Maybe your work? etc. Find all of their IP blocks that are used.
Then on your Windows OS, add network routes for those specific IP blocks to route it out of your non-VPN (default LAN/wifi). This will make those IP address blocks not be “VPN’d” so to speak.
Then, if a device on that IP block wants to SSH in, it would work. Provided your router/gateway does IP/NAT/PAT forwarding.
This topic in itself is very technical and detailed, definitely outside the realm of r/VPN, but I think it would work and what I said should give you some breadcrumbs to do more research on.
Or as I mentioned before, find a VPN provider that does this built into the service (mine does).