OpenVPN over SSH

Posted by Nejc Zupan at Feb 09, 2012 11:35 PM |

Prelude

I've recently moved to Barcelona to continue my Computer Science studies at UB. The first thing I noticed walking into the University building was my phone happily notifying me that it had found a known network. Ah, of course: eduroam. My Slovenian eduroam account from the University of Ljubljana should be valid throughout Europe for accessing the eduroam wireless network. And indeed it is. Nice.

Troubles on the horizon

Alas ... there is a downside. Apparently the IT department at UB is filtering OpenVPN and IPsec traffic. I'm so used to having these that I feel "naked" using a public network without encrypting all my communications.

Now wait a minute, what do I see here, SSH traffic goes through without problems? If SSH goes through, then it should be possible to tunnel basically anything through it. Even an OpenVPN tunnel. Yep, tunneling a tunnel over a tunnel, that's the idea :).

The solution

After some fiddling around, this is how I did it (referencing my original setup):

  1. Find a server somewhere on the net you can SSH to, so you can set up a SOCKS proxy:

    $ ssh <some_IP_on_the_net> -D 6666
    
  2. Change protocol in OpenVPN's server.conf to use TCP rather than UDP. Normally, using UDP is better, but if you want tunneling over SOCKS, you need TCP:

    proto tcp
    
  3. Change the protocol in the iptables rule for OpenVPN as well:

    iptables -I INPUT 1 -p tcp --dport 1194 -j ACCEPT
    
  4. Now modify client.conf to use TCP and the SOCKS proxy:

    proto tcp
    socks-proxy 127.0.0.1 6666
    route <some_IP_on_the_net> 255.255.255.255 net_gateway
    

Notice the last line: it adds a specific rule to route traffic to your SSH server directly (via the normal gateway) and not through OpenVPN. Without it, the SSH connection carrying the SOCKS proxy would itself be pushed into the VPN tunnel and collapse. All other traffic is still routed through the OpenVPN tunnel to keep your communications safe.
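To check that the SSH SOCKS proxy can actually reach the OpenVPN server before starting the client, here is an added Python check (not part of the original post) that performs the same SOCKS5 CONNECT handshake OpenVPN's `socks-proxy` option does against the local `ssh -D` port. The proxy address 127.0.0.1:6666 and port 1194 are taken from the steps above; the server addresses in the examples are placeholders.

```python
import socket
import struct

# SOCKS5 constants from RFC 1928
SOCKS_VERSION = 5
NO_AUTH = 0x00
CMD_CONNECT = 0x01
ATYP_IPV4 = 0x01
ATYP_DOMAIN = 0x03


def build_socks5_greeting() -> bytes:
    """Client greeting offering only 'no authentication' (what ssh -D accepts)."""
    return bytes([SOCKS_VERSION, 1, NO_AUTH])


def build_socks5_connect(host: str, port: int) -> bytes:
    """CONNECT request for host:port; dotted quads use the IPv4 form, names the domain form."""
    try:
        body = bytes([ATYP_IPV4]) + socket.inet_aton(host)
    except OSError:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        body = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + body + struct.pack("!H", port)


def parse_socks5_reply(data: bytes) -> int:
    """Return the REP status byte of a SOCKS5 reply (0 = succeeded); raise if malformed."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    return data[1]


def check_openvpn_via_socks(vpn_host, vpn_port=1194, proxy=("127.0.0.1", 6666), timeout=5.0):
    """Ask the local ssh -D proxy to open a TCP connection to the OpenVPN server.

    Mirrors what OpenVPN does with 'socks-proxy 127.0.0.1 6666' and 'proto tcp'.
    Returns True only when the proxy reports REP = 0 (connection established).
    """
    with socket.create_connection(proxy, timeout=timeout) as s:
        s.sendall(build_socks5_greeting())
        if s.recv(2) != bytes([SOCKS_VERSION, NO_AUTH]):
            return False  # proxy refused the no-auth method
        s.sendall(build_socks5_connect(vpn_host, vpn_port))
        return parse_socks5_reply(s.recv(262)) == 0


if __name__ == "__main__":
    # "vpn.example.net" is a placeholder for your own OpenVPN server.
    print("reachable via SOCKS:", check_openvpn_via_socks("vpn.example.net"))
```

Run it while the `ssh -D 6666` session is open; a non-zero REP (for example 5, connection refused) means the server is not listening on TCP 1194 or that port is being filtered upstream of the SSH host.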
