![]() ![]() You don't need to run some other VPN through ssh. A quick google search turns up this blog post which does essentially the same thing, has good descriptions of what's going on, but seems to be more complicated in the solution (using a connection script)Īlternatively, you might also look at using obfs4proxy (e.g. That should work, at least for ipv4 traffic. You might be able to to use the hostname REMOTE in that directive, but you might need to resolve it to an IP address manually. ![]() To do this, add another directive to your OpenVPN config that looks like this: route REMOTE-IP 255.255.255.255 net_gateway default For that to work, you need to maintain a route to the SOCKS proxy end point that does not get masked by the routes added by the OpenVPN client. However, this still has one more failing, at least assuming you want to redirect all traffic through the VPN (OpenVPN directive redirect-gateway def1). Then you can start your OpenVPN connection. Then, start your ssh session with a dynamic SOCKS proxy: ssh -D 6886 -N REMOTE Add to your OpenVPN config file: socks-proxy localhost 6886 The fix for this is to use a dynamic SOCKS proxy and tell OpenVPN to connect via that proxy. First problem: you are only tunneling the connection to the VPN server itself, which does not then allow all other traffic to be routed through the VPN server OVER the ssh connection (thus obfuscating the connection). Tcp 0 0 127.0.0.1:456 0.0.0.0:* LISTEN 2964/appnameīy the way, running the same command on the remote should show sshd listening on port 127.0.0.1:123.The simplistic approach to setting up your VPN connection through an SSH tunnel will not work. You can check that it's listening on the correct port with this: local:~# netstat -tulpn | grep LISTEN | grep appname The tunnel is working! But what if you have an application, called appname, which is supposed to be listening on port 456 on the local machine? Terminate nc on both sides then run your application. You should see this being mirrored on the local terminal: local:~# nc -l 127.0.0.1:456 Tcp 0 0 localhost.localdo:33826 localhost.localdom:456 ESTABLISHEDīetter still, go ahead and type something on the remote: remote:~# nc 127.0.0.1 8888 Tcp 0 0 localhost.localdom:456 localhost.localdo:33826 ESTABLISHED Something like this: local:~# netstat | grep 456 If you open a second terminal to the local machine, you can see the connection. Then make a connection on the remote: remote:~# nc 127.0.0.1 123 On CentOS it can be installed with yum install nc.įirst, open a listening port on the local machine: local:~# nc -l 127.0.0.1:456 Would be nice to actually see some data going through from the remote to the host. We should get an output similar to this: tcp 0 0 10.0.3.12:ssh 10.0.0.1:45988 ESTABLISHED Next, we want to check that the tunnel is open on the remote: remote:~# netstat | grep 10.0.0.1 Note that excluding the username before the remote IP, makes ssh use the current username. Otherwise, check that the SSH key is installed in the remote. If you see the command in the output, we can proceed. To check that the process is running, we can do: local:~# ps aux | grep ssh This can be done with the following command, on the local machine: local:~# ssh -N -R 123:127.0.0.1:456 10.0.3.12 The goal is to create a tunnel that will forward TCP traffic from the loopback address on the remote machine on port 123 to the local machine on port 456. I will prepend these hostnames, to the commands below, so it's obvious where they're being executed. Assume there is a machine, which will be called local with IP address 10.0.0.1 and another, called remote, at 10.0.3.12. And I couldn't use nc -z because that option wasn't available on my incantation of netcat. ![]() Just grepping for the ssh process wasn't enough, as it was still there. I'm adding this answer because I had to troubleshoot the link between two applications after they stopped working. These are more detailed steps to test or troubleshoot an SSH tunnel. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |