Route everything through VPN except SSH on Port 22

Solution 1

You need to add routing to your server so SSH packets get routed via the server's public IP, not the VPN. Failing to do that means the SSH return packet gets routed via OpenVPN. This is why you get locked out of your server after you've initiated an OpenVPN client session.

Let's assume your server's:

  • Public IP is a.b.c.d
  • Public IP Subnet is a.b.c.0/24
  • Default Gateway is x.x.x.1
  • eth0 is the device to the gateway

iproute2 is your friend here. Do the following:

# Packets sourced from the public IP consult table 128 before the main table
ip rule add table 128 from a.b.c.d
# The provider subnet is on-link via eth0
ip route add table 128 to a.b.c.0/24 dev eth0
# The default route in table 128 is the provider gateway, not the VPN tunnel
ip route add table 128 default via x.x.x.1

Do route -n to confirm the new routing table shows up. The above commands won't persist if you reboot the server. You'll need to add them to your network interface config file.

Then run your OpenVPN client config:

openvpn --config youropenvpn-configfile.ovpn &

Added bonus

Also, should you wish to restrict traffic to your public IP to SSH and only SSH, then you'll need to add iptables filtering as follows:

# Accept inbound SSH to the public IP
iptables -A INPUT -d a.b.c.d -p tcp --dport <*ssh port number*> -j ACCEPT
# Drop everything else addressed to the public IP
iptables -A INPUT -d a.b.c.d -j DROP

PS: I recall first learning about this in the Linode forum; Google it and you should be able to find a post on this.
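The following is an added example, not code from the answer above or from any of the commenters. It turns the Solution 1 procedure into a small POSIX sh script: one function generates the iproute2 commands for a given public IP, subnet, gateway and interface (using `ip route replace` so it is safe to re-run), one generates the "added bonus" iptables rules, one wraps the routing commands as `post-up` lines for a Debian/Ubuntu ifupdown stanza so they survive a reboot, and one verifies the result from the output of `ip rule show` and `ip route show table 128` (the `route -n` command lists only the main table, so it will not show table 128). The addresses (203.0.113.x), table number 128, the ifupdown persistence method, and the extra `ESTABLISHED,RELATED` accept rule are assumptions of this example, not part of the original answer; the sample `ip rule` / `ip route` output embedded below is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the answer): generate, persist and verify the
# Solution 1 policy-routing setup. All addresses and table 128 are placeholders.

# Emit the iproute2 commands. Anything sourced from the public IP (SSH replies)
# is looked up in $table, whose default route is the provider gateway, so it
# never follows the default route OpenVPN installs in the main table.
# `ip rule add` has no "replace", so the rule is only added when missing.
# Args: public_ip subnet gateway device [table]
ssh_bypass_rules() {
    ip="$1"; subnet="$2"; gw="$3"; dev="$4"; table="${5:-128}"
    cat <<EOF
ip rule show | grep -qF 'from $ip lookup $table' || ip rule add from $ip table $table priority 1000
ip route replace $subnet dev $dev src $ip table $table
ip route replace default via $gw dev $dev table $table
EOF
}

# Emit the "added bonus" filter. The ESTABLISHED,RELATED rule is this example's
# addition: it keeps replies to the server's own outbound connections that use
# the public IP from being dropped by the final DROP rule.
# Args: public_ip ssh_port
ssh_only_filter() {
    ip="$1"; port="$2"
    cat <<EOF
iptables -A INPUT -d $ip -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -d $ip -p tcp --dport $port -j ACCEPT
iptables -A INPUT -d $ip -j DROP
EOF
}

# Wrap the routing commands as post-up lines; append the output under the
# interface stanza in /etc/network/interfaces (Debian/Ubuntu ifupdown).
ifupdown_stanza() {
    ssh_bypass_rules "$@" | sed 's/^/    post-up /'
}

# Return 0 when the source rule and the table's default route are present.
# Takes the text of `ip rule show` and `ip route show table N` as arguments so
# it can be tested offline; on the server pass the live command output.
# Args: public_ip gateway table rules_text routes_text
verify_bypass() {
    ip="$1"; gw="$2"; table="$3"; rules="$4"; routes="$5"
    printf '%s\n' "$rules"  | grep -qF "from $ip lookup $table" || return 1
    printf '%s\n' "$routes" | grep -q "^default via $gw " || return 1
    return 0
}

# Constructed sample output (not captured from a real host) for offline use.
SAMPLE_RULES='0:      from all lookup local
1000:   from 203.0.113.10 lookup 128
32766:  from all lookup main
32767:  from all lookup default'
SAMPLE_ROUTES='default via 203.0.113.1 dev eth0
203.0.113.0/24 dev eth0 scope link src 203.0.113.10'
# The rule list before the fix: only the stock entries, so SSH replies would
# follow whatever default route OpenVPN pushed into the main table.
SAMPLE_RULES_BEFORE='0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default'

# Usage: review the generated commands, run them as root with `... | sh`,
# then check the live state with
#   verify_bypass 203.0.113.10 203.0.113.1 128 "$(ip rule show)" "$(ip route show table 128)"
ssh_bypass_rules 203.0.113.10 203.0.113.0/24 203.0.113.1 eth0
ssh_only_filter 203.0.113.10 22
ifupdown_stanza 203.0.113.10 203.0.113.0/24 203.0.113.1 eth0
```

Run the script once to see the three command sets it prints; nothing touches the kernel until the output is piped to a root shell. The iptables rules are appended to INPUT, so they should be loaded before any blanket ACCEPT rule you already have, and the `post-up` lines only help if the interface is managed by ifupdown (systemd-networkd and Netplan need their own routing-policy syntax).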

Solution 2

Assuming your VPS server's public IP is 1.2.3.4 and your VPN public IP is 5.6.7.8,

I would edit file /etc/ssh/sshd_config and add a line:

ListenAddress 1.2.3.4

so sshd would be accessible from outside the VPN connection.

Author: b-m-f

Updated on September 18, 2022

Comments

  • b-m-f
    b-m-f over 1 year

    I have a server and I want to setup a VPN on it to route all traffic.

    Of course I don't want to block myself out when establishing the OpenVPN connection (already did that!) so I want port 22 to be unaffected and be reachable as usual.

    Is this possible? And if so, how can I set this up?

  • b-m-f
    b-m-f about 9 years
    The problem is that the outgoing packages are blocked. The SSH connection just times out on connecting.
  • x-yuri
    x-yuri about 6 years
    Do I need the second command (ip route add table 128 to a.b.c.0/24 dev eth0) if I'm renting just one server from my hosting provider? Why does traceroute show that packets originating from my server are going through vpn network with your setup? Although, my server stays accessible when connected to VPN.
  • conradkleinespel
    conradkleinespel about 5 years
    You can have just ip route add table 128 to a.b.c.d instead of ip route add table 128 to a.b.c.0/24 dev eth0 if you only have 1 assigned IP, from what I understand.
  • ma3oun
    ma3oun almost 5 years
    Make sure you're using openvpn. I use the nordvpn binary to connect and this didn't work. When I connect to the NordVPN servers through openvpn, this works fine.
  • cjbottaro
    cjbottaro almost 5 years
    "You'll need to add them to your network interface config file." How to do that? How to make these changes persist?