NEED HELP: Bypass certain ports on openvpn

jvnadr Member
edited July 2019 in Help

Hi all!

I want to tunnel a VPS of mine through a VPN provider. But I want certain ports (e.g. 22 and 5900) to bypass the VPN, so as to allow me to control the VPS from remote locations.

I know that it is easier to route certain remote IP addresses to bypass the VPN, but because in the locations I am, the IPs are dynamic and there are also different locations where I work with random connections, I would be more comfortable bypassing ports instead of routing addresses.

Of course, a solution would be to use a VPN on my PC to have access to a static IP that will be routed to the VPS with the VPN tunnel, so the dynamic or random IPs won't be an issue.
But, again, I would be glad if someone could give me a valid solution to bypass ports.

Thanks all in advance!

Comments

  • I looked into this myself a while ago and found it was just easier to use a socks5 proxy at the application level and just remote into the server normally. Probably easier to do that than what you're describing.

  • jvnadr Member

    I guess what I am seeking is extremely tricky... Well, let's see if any networking gurus here have any solution...

  • This is common for VPS' that have openvpn clients installed but you still need to SSH to manage.

    The solution is using static route rules in the openvpn config to do the routes when openvpn comes up or down. It basically means traffic originating from the server or incoming from tun goes over openvpn, but if it doesn't originate from that interface, the regular interface is used to reply.

    I'm not sure I've still got a box with the route rules handy, but should find guides. I haven't checked this page, but should get you on your way.

    https://www.linode.com/community/questions/7381/openvpn-client-connected-to-a-server-while-listening-to-ssh

  • captainwasabi Member
    edited July 2019

    best way is to set up a vpn on your vps using https://github.com/Nyr/openvpn-install. It's super easy. Install the openvpn client on your PC then use the generated .ovpn file to attach.

    If you don't want to route ALL traffic from your PC through the VPS then delete the line

    push "redirect-gateway def1 bypass-dhcp"

    from /etc/openvpn/server/server.conf

    piece 'o cake.

    Edit: and if your VPS is on a dynamic IP, just use a DDNS service. There are tons of 'em.

  • jvnadr Member
    edited July 2019

    @TimboJones The solution I currently use is having my own openvpn server with a static IP, connecting my PC/tablet through VPN to gain access to the static IP of the VPN server and, using this, getting access to my original server that is using a VPN client to a third party openvpn service. This is working like a charm.
    It is as easy as adding a route xxx.xx.x.xxx 255.255.255.255 yy.yyy.y.yyy to the file.ovpn, where xxx is the static IP address of my own VPN server used for my PC and yyy is the IP address of the original server I want to have access to. And I can add as many routes as I want if I have more IPs that I want to use for access.
    The Linode thread's solution is having issues, as many commercial openvpn solutions will delete routing, and I still had issues when I tried to use a more complicated syntax.

    captainwasabi said: best way is to set up a vpn on your vps using https://github.com/Nyr/openvpn-install. It's super easy. Install the openvpn client on your PC then use the generated .ovpn file to attach.

    Totally off subject. The original server has to use a third party anonymous openvpn service. In any case, I use the script (or, better, angristan's script, which is based on Nyr's script but is more updated and flexible) to set up my own openvpn servers. This way I installed a new server on a NAT VPS just to gain access to the original server.

  • psb777 Member

    You can add back the original route (via policy-based routing) so that the original IP address of your VPS is reachable from anywhere, to any port.

    Say the IP address of your VPS is 11.22.33.44 and its default route (as shown by ip route) is default via 11.22.33.1 dev eth0, try

    ip route add table 777 default via 11.22.33.1 dev eth0
    ip rule add priority 1 from 11.22.33.44 lookup 777
    

    If you only want certain ports accessible, use a firewall. Alternatively, recent versions of "ip rule" support a protocol selector, so you can try this instead

    ip rule add priority 1 from 11.22.33.44 ipproto tcp sport 22 lookup 777
    

    You can add more rules of different ports, with same or different priority. This is effectively null-routing traffic that doesn't match these ports, so a firewall is better.
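The two variants psb777 gives, wrapped in a script so they can be run from an OpenVPN up/down script or at boot (an added example, not code from the thread). Assumed placeholders: 11.22.33.44 is the VPS address, 11.22.33.1 on eth0 its pre-VPN gateway, table 777 as in the post; ports 22 and 5900 are the ones the OP asked about.

```shell
#!/bin/sh
# Policy-based routing so the VPS's own public IP keeps answering via its
# original gateway while OpenVPN owns the default route.
# Set DRY_RUN=1 to print the ip(8) commands instead of executing them
# (executing needs root). Table number 777 is arbitrary, as in the post.

run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# pbr_rules VPS_IP GATEWAY DEV [TCP_PORT...]
# Without ports: everything sourced from VPS_IP uses table 777, so every
# port stays reachable and a firewall decides which ports are open.
# With ports: only replies from those TCP source ports use table 777;
# as the post warns, any other traffic sourced from VPS_IP is then
# effectively null-routed, so prefer the no-port form plus a firewall.
pbr_rules() {
    vps_ip=$1; gw=$2; dev=$3; shift 3
    run ip route add table 777 default via "$gw" dev "$dev"
    if [ $# -eq 0 ]; then
        run ip rule add priority 1 from "$vps_ip" lookup 777
        return 0
    fi
    for port in "$@"; do
        run ip rule add priority 1 from "$vps_ip" ipproto tcp sport "$port" lookup 777
    done
}

# pbr_clear VPS_IP: undo the above (e.g. from an OpenVPN down script).
# Rules are deleted one at a time until none with that source remain.
pbr_clear() {
    vps_ip=$1
    if [ -n "$DRY_RUN" ]; then
        run ip rule del from "$vps_ip" lookup 777
    else
        while ip rule del from "$vps_ip" lookup 777 2>/dev/null; do :; done
    fi
    run ip route flush table 777
}

# Usage from a shell as root, e.g.:
#   pbr_rules 11.22.33.44 11.22.33.1 eth0          # all ports, firewall decides
#   pbr_rules 11.22.33.44 11.22.33.1 eth0 22 5900  # only SSH and VNC replies
```

Verify afterwards with `ip rule show` and `ip route show table 777`; a hit on the rule is visible in `ip route get 1.1.1.1 from 11.22.33.44 iif lo`, which should name the original gateway rather than the tun device.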

  • @psb777 said:
    You can add back the original route (via policy-based routing) so that the original IP address of your VPS is reachable from anywhere, to any port.

    Say the IP address of your VPS is 11.22.33.44 and its default route (as shown by ip route) is default via 11.22.33.1 dev eth0, try

    ip route add table 777 default via 11.22.33.1 dev eth0
    ip rule add priority 1 from 11.22.33.44 lookup 777
    

    If you only want certain ports accessible, use a firewall. Alternatively, recent versions of "ip rule" support a protocol selector, so you can try this instead

    ip rule add priority 1 from 11.22.33.44 ipproto tcp sport 22 lookup 777
    

    You can add more rules of different ports, with same or different priority. This is effectively null-routing traffic that doesn't match these ports, so a firewall is better.

    I believe your first route commands are along the same lines as the Linode thread that jvnadr tried and had issues with (curious as to what issues, as I think this IS the best solution).

    For the two paid services I use openvpn with, both provided the config files so I just had to add my up/down routes to these files (the routes are to be deleted when the VPN connection drops, so not sure what he means by commercial openvpn solutions deleting routes). I'm not running a commercial wrapper around openvpn and I would advise anyone else to ditch a commercial version of openvpn and use the open source stuff.

  • psb777 Member
    edited July 2019

    TimboJones said: I believe your first route commands are along the same lines as the Linode thread that jvnadr tried and had issues with (curious as to what issues, as I think this IS the best solution).

    For the two paid services I use openvpn with, both provided the config files so I just had to add my up/down routes to these files (the routes are to be deleted when the VPN connection drops, so not sure what he means by commercial openvpn solutions deleting routes). I'm not running a commercial wrapper around openvpn and I would advise anyone else to ditch a commercial version of openvpn and use the open source stuff.

    Oops, missed that link. Yes, it's the same, so I too am curious what issues OP had.

    It's possible that commercial openvpn wrappers delete every custom route from the kernel, including routes in non-main tables, but it's unlikely. In any case, these commands can be run at system startup instead of inside openvpn up/down scripts, and they don't need to be removed after openvpn exits.

  • imoc Member

    This problem doesn't make sense in the first place, given that the server IP will be bypassed by default if you don't set the route outside the openvpn config.

  • @imoc said:
    This problem doesn't make sense in the first place, given that the server IP will be bypassed by default if you don't set the route outside the openvpn config.

    Yeah, I think some rules he's adding are complicating this. Don't have enough details.

  • You could do SSH reverse port forwarding to map the VPS's port 22 to another VPS's port 2222, then connect to the other VPS's port 2222.
