OpenVPN connection through SSH tunnel

iptablesnetworkingopenvpnsshvpn

I'm currently visiting China, so I have some options for VPNs set up. However, my VPN servers have a habit of suddenly disappearing from the network after I've used them for a while.

I thought it might be an option to use an SSH tunnel to another server, and to connect the VPN through that, to prevent the VPN traffic from being detected. That way, presumbly, the traffic just reads as an SSH connection to the provider.

So, I connect to a server like this:

ssh peter@some-server -L 4444:vpn-server:1194 -N

And then add this to my openvpn client configuration:

remote localhost 1194

Sadly, this doesn't work. The connection authenticates, but afterwards, I can't connect to either the inside of the VPN (ping 10.8.0.1) or the outside (ping 8.8.8.8). Should this work, or am I misunderstanding something?

Is there some iptables nat rule I should add? The only nat rule I've added so far is:

-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

Best Answer

The simplistic approach to setting up your VPN connection through an SSH tunnel will not work. First problem: you are only tunneling the connection to the VPN server itself, which does not then allow all other traffic to be routed through the VPN server OVER the ssh connection (thus obfuscating the connection). The fix for this is to use a dynamic SOCKS[5] proxy and tell OpenVPN to connect via that proxy. Add to your OpenVPN config file:

socks-proxy localhost 6886
socks-proxy-retry

Then, start your ssh session with a dynamic SOCKS proxy:

ssh -D 6886 -N REMOTE

Then you can start your OpenVPN connection. However, this still has one more failing, at least assuming you want to redirect all traffic through the VPN (OpenVPN directive redirect-gateway def1). For that to work, you need to maintain a route to the SOCKS proxy end point that does not get masked by the routes added by the OpenVPN client. To do this, add another directive to your OpenVPN config that looks like this:

route REMOTE-IP 255.255.255.255 net_gateway default

You might be able to to use the hostname REMOTE in that directive, but you might need to resolve it to an IP address manually.

That should work, at least for ipv4 traffic. A quick google search turns up this blog post which does essentially the same thing, has good descriptions of what's going on, but seems to be more complicated in the solution (using a connection script)

Alternatively, you might also look at using obfs4proxy (e.g. this and this or packaged for ubuntu)

Related Question