Make sshd listen to a specific interface
You can't do that directly as sshd only understands IP addresses. You may be able to knock something together using an openvpn up script
--up cmd Shell command to run after successful TUN/TAP device open (pre --user UID change). The up script is useful for specifying route commands which route IP traffic destined for private subnets which exist at the other end of the VPN connection into the tunnel...
See also the --down option to clean up and the relevant parts of the documentation detailing script security etc.
You'll find the IP address of the tun device is passed to the script as an environment variable. Also sshd takes options on the command line of the form
-oSomeOption=SomeValue
-o option Can be used to give options in the format used in the configuration file. This is useful for specifying options for which there is no separate command-line flag. For full details of the options, and their values, see sshd_config(5)
So you could use
-o ListenAddress=<some address>
Presumably you have some out of band method of talking to your VPS so that when this breaks you can contact the server.
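One way to wire this together, as an added example (not code from the answer, from OpenVPN or from OpenSSH): an OpenVPN --up/--down script that reads the tunnel address from the ifconfig_local environment variable mentioned in the comments, checks that it really is a plain IPv4 address before it goes anywhere near a command line, and starts a separate sshd with -o ListenAddress= set to it. The sshd path, the dedicated config file and the pid file are assumptions, not from the page.

```shell
#!/bin/sh
# OpenVPN --up/--down script: start a second sshd bound only to the address
# OpenVPN hands the script in $ifconfig_local, and stop it again on --down.
# Assumed paths (not from the page): sshd at /usr/sbin/sshd, a dedicated
# config /etc/ssh/sshd_config.tun that contains no ListenAddress lines of
# its own, and a pid file /run/sshd-tun.pid so the main sshd is untouched.
# OpenVPN must be started with --script-security 2 for this script to run.

SSHD=/usr/sbin/sshd
CONFIG=/etc/ssh/sshd_config.tun
PIDFILE=/run/sshd-tun.pid

# Accept a plain dotted-quad only, so nothing but an address ever reaches
# the sshd command line. Runs in a subshell so the IFS change stays local.
is_ipv4() (
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) exit 1 ;;
    esac
    IFS=.
    set -- $1
    [ $# -eq 4 ] || exit 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || exit 1
    done
    exit 0
)

# Build sshd's argument string: the tunnel address is the only ListenAddress.
sshd_args() {
    is_ipv4 "$1" || return 1
    printf '%s' "-f $CONFIG -o ListenAddress=$1 -o PidFile=$PIDFILE"
}

case "$script_type" in
    up)
        args=$(sshd_args "$ifconfig_local") || {
            echo "refusing to start sshd: bad ifconfig_local '$ifconfig_local'" >&2
            exit 1
        }
        # Word splitting is intended: every piece is validated or a fixed path.
        "$SSHD" $args
        ;;
    down)
        if [ -f "$PIDFILE" ]; then
            kill "$(cat "$PIDFILE")"
            rm -f "$PIDFILE"
        fi
        ;;
esac
```

Point both --up and --down at the same file; OpenVPN sets script_type to tell the script which one it is running.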
Philipp
Updated on September 18, 2022
Comments
-
Philipp over 1 year
On my machine I'm using OpenVPN, which uses the tun0 interface. I want sshd to listen only on this interface.
I know I can specify the IP address to listen on in /etc/ssh/sshd_config with a ListenAddress 0.0.0.0 directive. But my IP address will change, so I cannot choose an IP here which is always valid. I know that I can start the daemon only when the VPN is up - that's not the problem.
How can I make sshd only listen on a specific interface (tun0)?
-
Admin almost 10 years
Firewall off port 22 on any ports that are not tun0?
-
pjz almost 10 years
Try:
-o ListenAddress=$(ip addr | awk '/inet/ && /tun0/{sub(/\/.*$/,"",$2); print $2}')
-
user9517 almost 10 years
@pjz I don't think you need to do that as I'm fairly sure that the IP address of the device is available as an environment variable to the up script. I just don't have the stuff to hand to test it.
-
Philipp almost 10 years
Excellent! The IP is passed to the up script as ifconfig_local=10.xx.xx.xx. A whole bunch of other data (dev_type=tun, common_name=myservername, ifconfig_remote, route_gateway_1, untrusted_ip, ifconfig_local, proto_1, tls_serial_1, tls_serial_0 ...) are passed along.
-
user9517 almost 10 years
Yes I know and now you do too :)
-
Philipp almost 10 years
Maybe you want to edit your answer and add the relevant env variable name? (for future readers)