# [Solved] OpenVPN through SSH Tunnel

## solamour

I have "BoxA" behind a firewall in "NetworkA", but thanks to port-forwarding, I'm able to ssh to BoxA from the outside world. Once I ssh to BoxA, I'm able to access all machines in NetworkA.

Now, I need to hook up a Windows machine "BoxB" to NetworkA via OpenVPN, but the only way to NetworkA is through SSH to BoxA, so I opened an SSH tunnel and let the OpenVPN client on BoxB connect to "localhost:1194" instead of NetworkA directly.

BTW, if PuTTY can do something like "ssh -NTCf -w 0:0 NetworkA" (i.e. SSH VPN), that would make things easier, so please share if you know what to do.

Anyhow, OpenVPN through the SSH tunnel seems to work, but BoxB can only talk to BoxA. When I add the following to BoxA's "/etc/openvpn/openvpn.conf", SSH gets disconnected as soon as OpenVPN is ready, because (I think) BoxB's default gateway is changed.

```
# /etc/openvpn/openvpn.conf
push "redirect-gateway def1"
```

I'd like to know how to make OpenVPN through an SSH tunnel work and let BoxB access all machines in NetworkA. It looks like I need to fiddle with BoxA's routing table, but I'm not sure where to start. Thank you.

__

sol

Last edited by solamour on Wed Oct 28, 2009 12:03 am; edited 1 time in total

----------

## nobspangle

1st up, why don't you forward UDP 1194 to BoxA, that way you don't need the ssh tunnel.

The routing however is going to be the same with or without the ssh tunnel.

On BoxB you need a route that directs traffic destined for NetworkA to the OpenVPN endpoint on BoxA.

On the firewall in NetworkA you need a route that directs traffic destined for BoxB to BoxA.

You need to make sure IP forwarding is enabled on BoxA.

You should be able to set up the OpenVPN script on BoxB to add the route for you on that box. You will have to deal with the firewall yourself.

----------

## solamour

Forwarding UDP 1194 to BoxA certainly would have made things easier, but I have very little control over NetworkA, so all I was able to convince our friendly IT guy to do was forward a non-conventional SSH port to BoxA.

Just to see how things work, I booted BoxB to Gentoo and did the following.

```
# BoxB (OpenVPN client via SSH tunnel)
route add NetworkA gw current_gateway eth0
route add default gw 10.8.0.6
route del default gw current_gateway eth0
```

Basically, the traffic meant for NetworkA (i.e. SSH) should go to the current gateway as it does right now, because if it goes somewhere else, my SSH will get disconnected. And then everything else goes to 10.8.0.1, which is the OpenVPN server on BoxA.

I verified that BoxB was able to access all machines in NetworkA and SSH didn't get disconnected. That's good.

The problem was that the same thing didn't work as expected when BoxB booted into Windows, possibly because the syntax for the "route" command in Windows is a little different. Also, I'm not sure how to automate it so that the BoxB users don't need to type the commands manually. I'd appreciate any feedback. Thank you.

__

sol

----------

## solamour

The first thing I noticed in the routing table on BoxB (Windows) was "10.8.0.5". I'm not sure where it came from, but it certainly wasn't there when BoxB booted into Gentoo. Also, when BoxB booted into Windows, the default gateway needed to be "10.8.0.5", while it had to be "10.8.0.6" (its own IP) when booted into Gentoo.

Also, the OpenVPN adapter on BoxB (TAP-Win32 Adapter) needs to have NetworkA's DNS. In order to make everything automatic, the following needs to be added.

```
# /etc/openvpn/openvpn.conf (OpenVPN server)
push "route NetworkA 255.255.255.255 current_gw"
push "redirect-gateway def1"
```

If I want to do it manually, I need to comment out "route" and "redirect-gateway" in the OpenVPN server configuration file and type the following on BoxB's command line.

```
:: BoxB (Windows)
route add NetworkA current_gw
route change 0.0.0.0 mask 0.0.0.0 10.8.0.5
```

Thanks everyone for the suggestions and guidance.

__

sol

----------

## solamour

I noticed that when "current_gw" doesn't change, it's easier to set it up on the server side (i.e. make changes to "/etc/openvpn/openvpn.conf"). But if the current gateway changes depending on where BoxB is connected, then it's better to leave the server configuration alone and make changes on BoxB (i.e. "route add NetworkA current_gw"), because we don't want to update "openvpn.conf" whenever BoxB connects from a different location.

Also, if I decide to make changes on BoxB, "route change 0.0.0.0 mask 0.0.0.0 10.8.0.5" didn't seem to be necessary. So it looks like the following.

```
# /etc/openvpn/openvpn.conf (OpenVPN server)

# Not necessary if we are going to make changes in BoxB.
# push "route NetworkA 255.255.255.255 current_gw"

# Need to have it no matter what.
push "redirect-gateway def1"
```

On BoxB (Windows), "24.152.x.x" is where ssh is connecting to from BoxB; only a numeric IP address seems to be accepted by the "route" command. "192.168.0.254" is BoxB's current gateway.

```
:: BoxB (Windows)
route add 24.152.x.x 192.168.0.254
```

__

sol

----------
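The routing fix the thread converges on, written up as an added example that is not part of the original posts: the SSH endpoint must be pinned to the pre-VPN default gateway before "redirect-gateway def1" takes effect, because the OpenVPN client's "remote" is localhost, so the host route OpenVPN adds for its server (127.0.0.1) does nothing for the SSH connection that actually carries the tunnel. The script derives the current gateway from `ip route show` output, emits the Linux and Windows pin commands, and emits the equivalent OpenVPN client-config `route` line using the `net_gateway` keyword (OpenVPN's name for the pre-existing default gateway), which avoids editing the server config each time BoxB roams. The SSH endpoint 198.51.100.7 and the routing-table text are constructed samples; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original thread: keep the SSH tunnel that
# carries OpenVPN alive when the server pushes "redirect-gateway def1".
# Assumptions: iproute2 on the Linux client; 198.51.100.7 (the SSH
# endpoint) and SAMPLE_ROUTES are constructed for offline use.

# Print the default gateway found in "ip route show" output ($1).
default_gw() {
    printf '%s\n' "$1" | awk '$1 == "default" {
        for (i = 1; i <= NF; i++) if ($i == "via") { print $(i + 1); exit } }'
}

# Linux: /32 host route for the SSH endpoint via the physical gateway.
# A /32 exempts only that one host from the VPN, nothing else.
linux_pin_cmd() {  # <ssh_endpoint> <gateway> <device>
    printf 'ip route add %s/32 via %s dev %s\n' "$1" "$2" "$3"
}

# Windows equivalent of the thread's "route add 24.152.x.x 192.168.0.254",
# with the host mask spelled out.
windows_pin_cmd() {  # <ssh_endpoint> <gateway>
    printf 'route add %s mask 255.255.255.255 %s\n' "$1" "$2"
}

# OpenVPN client-config line that does the same without any script:
# "net_gateway" resolves to whatever default gateway exists before the VPN
# comes up, so the line stays correct when BoxB connects from elsewhere.
client_config_line() {  # <ssh_endpoint>
    printf 'route %s 255.255.255.255 net_gateway\n' "$1"
}

# Constructed "ip route show" output for a client on 192.168.0.0/24.
SAMPLE_ROUTES='default via 192.168.0.254 dev eth0 proto dhcp metric 100
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.10'

main() {
    gw=$(default_gw "$SAMPLE_ROUTES")
    linux_pin_cmd 198.51.100.7 "$gw" eth0
    windows_pin_cmd 198.51.100.7 "$gw"
    client_config_line 198.51.100.7
}
main
```

On a live client, run `default_gw "$(ip route show)"` instead of the sample text, and add the pin route before the OpenVPN client starts (or put the `route ... net_gateway` line in the client config so OpenVPN orders it for you).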

