Remote SSH access doesn’t work when OpenVPN client is enabled on DD-WRT

Tags: dd-wrt, nat, remote access, routing, vpn

I have a DD-WRT router which I would like to access remotely via SSH. The DD-WRT is behind an ADSL router which has port forwarding for port 22 enabled; DD-WRT SSH access and service are set to port 22 as well. Remote access works fine. However, the DD-WRT is supposed to be permanently connected to a VPN server (using the built-in OpenVPN client).

The OpenVPN connection works fine but the remote SSH access only works when the VPN client is disabled.

I am reading that this may be related to all traffic being routed outbound through the VPN gateway, including traffic coming in through WAN. Is it correct that I would need to define a custom iptables setting for requests coming in through WAN to be responded via WAN, as well? If yes, how would I go about it? If no, what else could I do?

I am having a similar issue with the web GUI at port 8080 and a PPTP VPN server at port 1723, so I believe the issue is not related to SSH as such.

Here are the details of my setup:

Devices:

  • TP-Link W8151N ADSL router
  • TP-Link WR1043ND router with DD-WRT 25544

IP Addresses:

  • ADSL router external: 115.x.x.x
  • ADSL router internal: 192.168.1.1
  • DD-WRT WAN IP: 192.168.1.100 (from ADSL router)
  • DD-WRT IP: 192.168.10.1
  • DD-WRT IP external (VPN): 119.x.x.x
  • DDNS alias pointing at the ADSL router’s connection: 115.x.x.x

Configuration:

  • ADSL router with port forwarding activated for ports 22 / 8080, DDNS to 192.168.1.100
  • DD-WRT set to allow remote GUI management at 8080 (also from remote IPs) and SSH access at 22; SSH activated in Services, also at 22.
  • DD-WRT connected to OpenVPN using built-in client feature in 'Services' tab

Edit 05 March: What I have tried in the meantime:

Adding the following to the Policy Based Routing field in the OpenVPN client settings (idea: traffic that comes from the WAN IP should be routed back to the WAN interface, vlan2 or ppp0):

ip rule add from 192.168.1.1 table 200
ip route add default via 192.168.1.1 dev vlan2 table 200
ip route flush cache

Result: When the VPN connection is established, I can no longer access the GUI or the web. My router is set to reboot after three minutes of not being able to reach Google DNS, so after three minutes I have access to the GUI and the web again, but only until the VPN connection is back up.

Am I completely on the wrong track with this approach?

Best Answer

I wasn't happy with the policy-based routing, so after a full weekend of research I got to this.

Packets do arrive at the router if you try to SSH to the WAN IP; however, because all OUTPUT traffic is diverted through the VPN (interface tun0), SSH won't succeed.

What's missing is an OUTPUT rule in iptables to route traffic on port 22 through the vlan2 interface (that's the interface connected directly to the internet).

# Create table 202 with a default route via the gateway IP on the interface vlan2
ip route add default via $(nvram get wan_gateway) dev vlan2 table 202

# Apply table 202 to packets marked with 22
ip rule add fwmark 22 table 202

# Mark with 22 every output packet from source port 22 whose destination is not a machine in the local network
# (negation is written "! -d", which current and older iptables both accept)
iptables -t mangle -I OUTPUT -p tcp --sport 22 ! -d 192.168.1.0/24 -j MARK --set-mark 22

Note that the last command skips packets from the local network, in my case 192.168.1.0/24, the reason being that when SSHing from a host on the local network, the packets should be routed through br0 and not vlan2.

First issue these commands on the command line of your router to ensure they work for you; if somehow they break your routing, a restart will clear them. Once you have made sure they work, you can add them to the firewall script of your router.

DD-WRT config: note that my configured IP and port are different because I am not using the default values.
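The answer's three commands fail if they are run twice (the `ip route add` and `ip rule add` refuse duplicates, and the mangle rule is inserted again each time the firewall script runs), so a firewall-script version needs to be idempotent. The script below is an added example, not code from the answer above; it reinstalls the same fwmark/table-202 scheme in a rerunnable way, generalises it from port 22 alone to a list of local service ports (the question also mentions the GUI on 8080), and carries a dry-run mode so the generated commands can be inspected before touching the router. `vpn_bypass_rules`, `run`, `try` and the `TABLE_ID`, `WAN_IF`, `LAN_NET`, `PORTS`, `DRY_RUN` and `WAN_GATEWAY` variables are this example's own names; `nvram get wan_gateway`, `vlan2` and table `202` come from the answer.

```shell
#!/bin/sh
# Added example (not from the original answer): idempotent reply-routing
# rules for a DD-WRT firewall script. All names below are this example's own.
#
#   apply on the router:   sh vpn-bypass.sh apply
#   dry run (print only):  DRY_RUN=1 sh vpn-bypass.sh apply

TABLE_ID=202                          # routing table that sends replies via the WAN interface
WAN_IF=${WAN_IF:-vlan2}               # interface facing the ADSL router (vlan2 in the answer)
LAN_NET=${LAN_NET:-192.168.1.0/24}    # hosts whose replies must stay on br0, not the WAN
PORTS=${PORTS:-22}                    # space-separated list of local service ports, e.g. "22 8080"

# run CMD...: execute CMD, or only print it when DRY_RUN is set
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# try CMD...: like run, but a failure (e.g. deleting a rule that is absent) is not an error
try() {
    run "$@" 2>/dev/null || true
}

# vpn_bypass_rules GATEWAY: (re)install the rules for every port in $PORTS.
# The mark equals the port number, as in the answer, so "ip rule" shows which
# service a mark belongs to. "delete, then add" keeps the script safe to rerun
# after every VPN reconnect without stacking duplicate rules.
vpn_bypass_rules() {
    gw=$1
    # table 202: default route straight back out through the WAN interface ("replace" is idempotent)
    run ip route replace default via "$gw" dev "$WAN_IF" table "$TABLE_ID"
    for port in $PORTS; do
        # packets marked with this port's number are looked up in table 202
        try ip rule del fwmark "$port" table "$TABLE_ID"
        run ip rule add fwmark "$port" table "$TABLE_ID"
        # mark replies from the local service unless they go to a LAN host (those stay on br0)
        try iptables -t mangle -D OUTPUT -p tcp --sport "$port" ! -d "$LAN_NET" -j MARK --set-mark "$port"
        run iptables -t mangle -I OUTPUT -p tcp --sport "$port" ! -d "$LAN_NET" -j MARK --set-mark "$port"
    done
    run ip route flush cache
}

# Only act when explicitly asked, so the file can also be sourced or checked without side effects.
case "${1:-}" in
    apply)
        # WAN_GATEWAY can be given in the environment; otherwise read it from nvram as the answer does
        vpn_bypass_rules "${WAN_GATEWAY:-$(nvram get wan_gateway)}"
        ;;
esac
```

Run it first with `DRY_RUN=1` on the router and compare the printed commands with the answer's three lines; once they look right, call `sh vpn-bypass.sh apply` from the firewall script. Because the gateway is read at apply time, the script keeps working after the ADSL router hands out a different WAN address.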
