# [SOLVED] OpenVPN client + NAT routing issue

## BlueFusion

I have a PC with OpenVPN client connecting to PrivateInternetAccess servers.  When it is connected (which is always), I am unable to SSH into the PC from the internet.  I can SSH into the PC no problem on the local network.  I am running some simple iptables rules, but I tested with iptables disabled and it does not fix it.  I've tested with iptables running and OpenVPN disconnected and it works no problem.

It appears to be an issue with NAT and OpenVPN routing which I am trying to resolve.

I tried to use iptables to mark the SSH packets and force them to the NAT router, but it doesn't seem to work.  Ideas?

 *Quote:*   

> ```
> # iptables -A PREROUTING -t mangle -i eth0 -p tcp --dport 22 -j MARK --set-mark 1
> # ip route add default via 10.2.1.1 dev eth0 table sshtable
> # ip rule add from all fwmark 1 table sshtable
> ...
> ```

 Last edited by BlueFusion on Tue Apr 07, 2015 9:13 pm; edited 1 time in total

----------

## Klayman

When your PC is connected through VPN your public (Internet facing) IP address is what your VPN provider assigns to you and is different from what you got from the ISP. You should set up a dynamic DNS service and make your PC update the dynamic domain name to the VPN IP address.

This is because all your traffic is routed through the tunnel and by connecting to the ISP provided IP the packets never reach your SSH daemon.

----------

## BlueFusion

 *Klayman wrote:*   

> When your PC is connected through VPN your public (Internet facing) IP address is what your VPN provider assigns to you and is different from what you got from the ISP. You should set up a dynamic DNS service and make your PC update the dynamic domain name to the VPN IP address.
> 
> This is because all your traffic is routed through the tunnel and by connecting to the ISP provided IP the packets never reach your SSH daemon.

 

That's the problem.  I can't SSH into the PC using the VPN IP.  All inbound ports are blocked/firewalled by the OpenVPN server, over which I have no control.  I need to reach this PC remotely using my ISP's IP address (through my NAT router, which has port 22 port-forwarded, and confirmed working).

----------

## Hu

When the VPN is up, is the route to the ssh client through the VPN or through the public Internet?  If the former, then reverse path filtering will likely prevent the connection from working properly.

----------

## BlueFusion

Through public internet.  There's no way to overcome this with iptables + ip route?

----------

## Hu

If the VPN client's route to the ssh client is over the public Internet, then this should already work.  Reverse path filtering would only be a problem if the route back to the ssh client was over the VPN.

----------

## BlueFusion

I figured it out.

Created /etc/openvpn/openvpn.pia-up.sh containing:

 *Quote:*   

> sysctl -w net.ipv4.conf.all.rp_filter=0
> 
> sysctl -w net.ipv4.conf.eth0.rp_filter=0
> 
> sysctl -w net.ipv4.conf.tun0.rp_filter=0
> ...

 

Rule added to my iptables firewall:

 *Quote:*   

> iptables -A OUTPUT -t mangle -p tcp --sport 22 -j MARK --set-mark=1

 

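The fix in the last post works because SSH replies get marked in OUTPUT and then steered by a policy-routing rule to a table whose default route is the LAN gateway, while loosening reverse-path filtering so the kernel accepts the asymmetric path. The script below is an added example, not BlueFusion's `openvpn.pia-up.sh` and not part of the thread; it packages those steps into an idempotent OpenVPN-style up/down helper and adds a verification step. Assumed values: LAN interface `eth0`, LAN gateway `10.2.1.1` (both from the first post), tunnel interface `tun0`, a numeric routing table `100` used in place of the named `sshtable`, and `rp_filter=2` (loose mode) instead of `0`, since loose mode still rejects packets from sources with no route at all while permitting the VPN/LAN asymmetry.

```shell
#!/bin/sh
# Added example (not from the thread): route SSH replies out of the LAN
# gateway while the OpenVPN default route points into the tunnel.
# Assumptions (not from the original post): LAN_IF/VPN_IF names, table id 100,
# loose rp_filter (2) rather than fully disabled (0).

LAN_IF="${LAN_IF:-eth0}"          # interface facing the NAT router
LAN_GW="${LAN_GW:-10.2.1.1}"      # NAT router address (from the first post)
VPN_IF="${VPN_IF:-tun0}"          # OpenVPN tunnel interface
SSH_PORT="${SSH_PORT:-22}"
FWMARK=1                          # mark carried by sshd's reply packets
TABLE_ID=100                      # numeric table; no /etc/iproute2/rt_tables edit needed

# ssh_policy_plan: print the commands to run, one per line.  Each line is
# written so that running it twice is harmless (-C before -A, replace, del+add).
ssh_policy_plan() {
    cat <<EOF
sysctl -w net.ipv4.conf.all.rp_filter=2
sysctl -w net.ipv4.conf.$LAN_IF.rp_filter=2
sysctl -w net.ipv4.conf.$VPN_IF.rp_filter=2
iptables -t mangle -C OUTPUT -p tcp --sport $SSH_PORT -j MARK --set-mark $FWMARK 2>/dev/null || iptables -t mangle -A OUTPUT -p tcp --sport $SSH_PORT -j MARK --set-mark $FWMARK
ip route replace default via $LAN_GW dev $LAN_IF table $TABLE_ID
ip rule del fwmark $FWMARK table $TABLE_ID 2>/dev/null; ip rule add fwmark $FWMARK table $TABLE_ID
EOF
}

# ssh_policy_apply: execute the plan line by line (needs root).
ssh_policy_apply() {
    ssh_policy_plan | while IFS= read -r cmd; do
        eval "$cmd"
    done
}

# ssh_policy_down: undo the mark rule, the policy rule and the table.
ssh_policy_down() {
    iptables -t mangle -D OUTPUT -p tcp --sport "$SSH_PORT" -j MARK --set-mark "$FWMARK" 2>/dev/null || true
    ip rule del fwmark "$FWMARK" table "$TABLE_ID" 2>/dev/null || true
    ip route flush table "$TABLE_ID" 2>/dev/null || true
}

# ssh_policy_verify CLIENT_IP: ask the kernel which way a marked reply to
# CLIENT_IP would go.  Success means it leaves via the LAN interface, not the
# tunnel, i.e. the policy rule is actually being consulted.
ssh_policy_verify() {
    ip route get "$1" mark "$FWMARK" | grep -q " dev $LAN_IF "
}

# Dispatcher.  OpenVPN appends its own arguments (tun name, MTU, ...) after
# the ones given in the config, so "$1" is the verb we pass explicitly.
case "${1:-}" in
    up)     ssh_policy_apply ;;
    down)   ssh_policy_down ;;
    plan)   ssh_policy_plan ;;
    verify) ssh_policy_verify "${2:-}" ;;
esac
```

Wire it into the client config with `script-security 2`, `up "/etc/openvpn/ssh-policy.sh up"` and `down "/etc/openvpn/ssh-policy.sh down"` (path assumed). `ssh-policy.sh plan` shows what would be changed without touching anything, and `ssh-policy.sh verify <remote client IP>` confirms after connecting that a port 22 reply would exit on eth0. Only packets with source port 22 are marked, so outbound SSH sessions the PC itself opens keep going through the tunnel.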
----------

