I'm currently visiting China, so I have some options for VPNs set up. However, my VPN servers have a habit of suddenly disappearing from the network after I've used them for a while.
I thought it might be an option to use an SSH tunnel to another server, and to connect the VPN through that, to prevent the VPN traffic from being detected. That way, presumbly, the traffic just reads as an SSH connection to the provider.
So, I connect to a server like this:
ssh peter@some-server -L 4444:vpn-server:1194 -NAnd then add this to my openvpn client configuration:
remote localhost 1194Sadly, this doesn't work. The connection authenticates, but afterwards, I can't connect to either the inside of the VPN (ping 10.8.0.1) or the outside (ping 8.8.8.8). Should this work, or am I misunderstanding something?
Is there some iptables nat rule I should add? The only nat rule I've added so far is:
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE 3 4 Answers
The simplistic approach to setting up your VPN connection through an SSH tunnel will not work. First problem: you are only tunneling the connection to the VPN server itself, which does not then allow all other traffic to be routed through the VPN server OVER the ssh connection (thus obfuscating the connection). The fix for this is to use a dynamic SOCKS[5] proxy and tell OpenVPN to connect via that proxy. Add to your OpenVPN config file:
socks-proxy localhost 6886
socks-proxy-retryThen, start your ssh session with a dynamic SOCKS proxy:
ssh -D 6886 -N REMOTEThen you can start your OpenVPN connection. However, this still has one more failing, at least assuming you want to redirect all traffic through the VPN (OpenVPN directive redirect-gateway def1). For that to work, you need to maintain a route to the SOCKS proxy end point that does not get masked by the routes added by the OpenVPN client. To do this, add another directive to your OpenVPN config that looks like this:
route REMOTE-IP 255.255.255.255 net_gateway defaultYou might be able to to use the hostname REMOTE in that directive, but you might need to resolve it to an IP address manually.
That should work, at least for ipv4 traffic. A quick google search turns up this blog post which does essentially the same thing, has good descriptions of what's going on, but seems to be more complicated in the solution (using a connection script)
Alternatively, you might also look at using obfs4proxy (e.g. this and this or packaged for ubuntu)
I could successfully establish a connection to my Raspberry Pi (with PiVPN) over TCP and an external VPS. Then I did this:
allow the forwarding to public on your server (VPS/VPN). Change GatewayPorts to yes or add if it does not exists yet.
/etc/ssh/sshd_config:
GatewayPorts yesChange proto udp to tcp (as ssh uses the tcp protocol)
/etc/openvpn/server.conf:
proto tcpAgain, change proto udp to tcp-client:
openvpn-client.ovpn:
proto tcp-clientNow start the ssh forwarding (0.0.0.0 to allow all IPv4 connections; -N to not start a bash on the server)
ssh -R 0.0.0.0:1194:localhost:1194 user@server -NYou should also check that your VPS/VPN-server allows the connection and has the right firewall settings. If you use ufw for iptables, simply do this:
ufw allow 1194/tcp
ufw enableThis may not be the fastest but it works for me.
You don't need to run some other VPN through ssh. you can use ssh AS the VPN. see ssh's "-w X:Y" option.
This is a linux-centric answer. Presume a server, we'll call it "hub", to which ssh tunnel clients connect. They will use 172.17.2.0/24 as the VPN "carrier" network. Certain hosts are common and well known, we give them fixed configurations. Others can connect as well but must use other configurations.
#!/bin/sh -e
#
# make-ssh-tunnel HITHER YON INTERFACE GW
#
# HITHER ...... this host's VPN address.
# YON ......... $GW's VPN address.
# INTERFACE ... number of the tun device, same at both ends.
# GW .......... server host.
#
# /etc/ssh/sshd_config on $GW must include:
# PermitRootLogin yes
# PermitTunnel yes
# and clients must be able to ssh to $GW as root.
#
# this creates a star topology with $GW at center,
# which is generally the .1 address in the VPN /24 net.
# others connect and route through $GW to reach
# the other members of the /24 net.
# ________________________________________________
#
# the setup.
#
if [ "$#" = 0 ] ; then # automatic, for specific, known, regularly-connected hosts. case "`hostname -s`" in ThisHost) HITHER=172.17.2.2 IFACE=12 ;; ThatHost) HITHER=172.17.2.3 IFACE=13 ;; Another) HITHER=172.17.2.4 IFACE=14 ;; *) echo who are you? ; exit 1 ;; esac YON=172.17.2.1 GW=hub SUBNET=172.17.2.0
else # manual, for random, probably temporary connections. HITHER="${1:-172.17.2.5}" YON="${2:-172.17.2.1}" IFACE="${3:-15}" GW="${4:-hub}" SUBNET="${YON%.[0-9]*}".0 # [ "$HITHER" = "$YON" ] && echo "${0##*/}": identical addresses not allowed && exit 1
fi
#
# the business.
#
set -x
# 1st: do it there.
ssh -f -T -w $IFACE:$IFACE root@$GW \
"ifconfig tun$IFACE $YON pointopoint $HITHER netmask 255.255.255.255 ifconfig tun$IFACE route -n | grep tun$IFACE"
# 2nd: do it here. ifconfig tun$IFACE $HITHER pointopoint $YON netmask 255.255.255.255 ifconfig tun$IFACE route add -net $SUBNET/24 gw $YON route -n | grep tun$IFACE
#
# the afterthought.
#
# to make the tunnel a default route replacement:
#
# route add -host $GW gw 192.168.0.1 # that is, your real.defa.ult.route
# ip route add 0.0.0.0/1 via $YON
# ip route add 128.0.0.0/1 via $YON
#
# 1st preserves real route to $GW, avoiding route loop.
# 2nd and 3rd override default route without replacing it.
#
# in addition, $GW must NAT on behalf of the VPN hosts.
# iptables -t nat -A POSTROUTING -s 172.17.2.0/24 -o eth0 -j SNAT --to-source 11.22.33.44
# where --to-source is $GW's real external address.
#
# Embellish to taste. 1 SSH tunnel with VPN works in China, albeit acceptably slow. Lowering the encryption settings will not boost the speed. I think the connection speed is generally throttled from China to any parts of the world.
How I do it is SSH tunnel with port forwarding enabled. And then use OpenVPN with SOCKS Proxy through that SSH tunnel. Non-default port numbers work too.
No need of firewall or route configuration. Works perfectly fine for me. :)