Has anyone gotten SSH over WAN to work on VPN device?

CODYQX4

Occasional Visitor
I seem to have tried and tweaked several bastardizations of scripts.

I'd like to be able to have my main workstation VPN everything, except SSH (as that doesn't work at all with VPN).

This client has an IP address of 192.168.2.3 (Static/Manual DHCP), and Port 22003 is forwarded to go to Port 22. This works fine without VPN.

These would be the scripts, if no port bypass were needed, and that seemed to work (however, this can be achieved without scripts via Policy Routing in the GUI). This will VPN all of 192.168.2.3 but SSH into that machine over WAN will fail.

Script: /jffs/scripts/openvpn-event
Code:
#!/bin/sh

sleep 2

# Disable reverse-path filtering so replies may leave through a different
# interface than the one the main routing table would pick.
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
  echo 0 > $i
done

# Delete table 100 and flush any existing rules if they exist.
ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING

# Copy all non-default, non-VPN (tun11) routes from the main table into table 100,
# then give table 100 a default route out the WAN gateway and bind it to mark 1.
ip route show table main | grep -Ev ^default | grep -Ev tun11 \
  | while read ROUTE ; do
      ip route add table 100 $ROUTE
done

ip route add default table 100 via $(nvram get wan_gateway)
ip rule add fwmark 1 table 100
ip route flush cache

# Mark all LAN traffic to bypass the VPN (mark 1), then clear the mark (0) for
# 192.168.2.3 so that host alone is routed through the tunnel.
iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1

iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.2.3 -j MARK --set-mark 0

# Return success; a non-zero status would report the run as failed to the caller.
exit 0
Script: /jffs/scripts/firewall-start
Code:
#!/bin/sh

sleep 4

# -I inserts at the top of the chain, so the last rule inserted ends up first:
# the DROP below lands above both ACCEPTs.
iptables -I FORWARD -i br0 -o tun11 -j ACCEPT
iptables -I FORWARD -i tun11 -o br0 -j ACCEPT
# Kill switch: anything from 192.168.2.3 that is not leaving via the tunnel is dropped.
iptables -I FORWARD ! -o tun11 -s 192.168.2.3 -j DROP
# Refuse connections to the router itself that arrive through the tunnel.
iptables -I INPUT -i tun11 -j REJECT
# NAT LAN traffic leaving through the tunnel to the tunnel's address.
iptables -t nat -A POSTROUTING -o tun11 -j MASQUERADE
Permissions are fine and JFFS is set up as needed, and all port forwards and connections work without VPN enabled. So far, nothing I've tried by marking Port 22 (or 22003) as source or destination seems to work (but I'm not sure if I'm being burned by the priority of the rules or something).

I would like to expand this to multiple SSH machines. I use PIA as VPN, and they only allow one port, and it should be possible to avoid that if my router will just not use the VPN for specific ports. Several topics I've browsed indicate that this is possible.
 

Mikeyy

Regular Contributor
I seem to have tried and tweaked several bastardizations of scripts...
Did you manage to solve it?

Maybe something like this can work:
Code:
iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --sports 22 -m iprange --src-range 192.168.2.3 -j MARK --set-mark 1
I need the same thing for myself (not for SSH on port 22), so I was researching it, but couldn't test it.

Not sure if Policy Routing in the GUI uses the same script as the one you quoted (from the Merlin wiki).
 

CODYQX4

Occasional Visitor
Yes, and I thought I posted it, but it didn't go through, I guess.

This is my openvpn-event script. I don't use any other to achieve this.

Code:
#!/bin/sh

for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
  echo 0 > $i
done

#
# Delete table 100 and flush any existing rules if they exist.
#
ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING

#
# Copy all non-default and non-VPN related routes from the main table into table 100.
# Then configure table 100 to route all traffic out the WAN gateway and assign it mark "1"
#
# NOTE: Here I assume the OpenVPN tunnel is named "tun11".
#

ip route show table main | grep -Ev ^default | grep -Ev tun11 \
  | while read ROUTE ; do
      ip route add table 100 $ROUTE
done
ip route add default table 100 via $(nvram get wan_gateway)
ip rule add fwmark 1 table 100
ip route flush cache

#
# Define the routing policies for the traffic. The rules will be applied in the order that they
# are listed. In the end, packets with MARK set to "0" will pass through the VPN. If MARK is set
# to "1" it will bypass the VPN.
#

# SSH Traffic: Bypass VPN
iptables -t mangle -A PREROUTING -i br0 -p tcp --sport 22 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -p tcp --dport 22 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -p udp --sport 22 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -p udp --dport 22 -j MARK --set-mark 1

# Vuze Web Remote: Bypass VPN
iptables -t mangle -A PREROUTING -i br0 -p tcp --sport 9091 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -p tcp --dport 9091 -j MARK --set-mark 1
I had an issue with port+IP, and once I got this working, I said "Good Enough".

I set up all the VPN stuff using the GUI. My desktop is set to use the VPN for all traffic and to drop if the VPN is down (all done through the GUI), and this script allows SSH to work even if the VPN is dead, and to work when the VPN is active.
 

Mikeyy

Regular Contributor
I had an issue with port+IP, and once I got this working, I said "Good Enough".
Thank you for this, it works! :)
I deleted all --dport rules since they aren't needed for outside access, and I also don't need any UDP rules, so I deleted those as well.

Here are working rules for you to use:
Code:
iptables -t mangle -A PREROUTING -i br0 -p tcp --sport 22 --match iprange --src-range 192.168.1.25 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -p tcp --match multiport --sports 10510:10515,11699 --match iprange --src-range 192.168.1.26 -j MARK --set-mark 1
In the first rule, the port is 22 and the IP of the device is 192.168.1.25.
In the second rule you have multiple ports: first a range from 10510 to 10515 (10510:10515), and after that port 11699. The IP of the device is 192.168.1.26.

Tested this on my setup, working perfectly!
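One way to extend these working rules to several SSH hosts, as the opening post asked for (an added example, not code from the thread or from Asuswrt-Merlin). It assumes the thread's layout: LAN bridge br0 and fwmark 1 bound to table 100 whose default route is the WAN gateway; the host/port table is constructed sample data, and the rules are only printed unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not from the thread): build the "bypass the VPN by source port"
# mangle rules for several LAN hosts from one table instead of hand-writing a
# line per machine. Assumes br0 and fwmark 1 -> table 100 -> WAN, as in the thread.
# Constructed sample table: "<LAN host>  <source-port spec in multiport syntax>"
BYPASS_TABLE='
192.168.2.3   22
192.168.2.4   22,2222
192.168.2.5   10510:10515,11699
'

# multiport accepts at most 15 ports; a range a:b counts as two of them.
multiport_count() {
    (
        IFS=','
        set -f                        # no globbing while splitting on commas
        n=0
        for p in $1; do
            case $p in
                *:*) n=$((n + 2)) ;;
                *)   n=$((n + 1)) ;;
            esac
        done
        echo "$n"
    )
}

# Print (and with APPLY=1 run) one rule: TCP replies from $1 with the listed source
# ports get mark 1 and return over the WAN. "-s host" equals "--src-range host".
bypass_rule() {
    host=$1; spec=$2
    if [ "$(multiport_count "$spec")" -gt 15 ]; then
        echo "error: '$spec' exceeds multiport's 15-port limit" >&2
        return 1
    fi
    rule="iptables -t mangle -A PREROUTING -i br0 -s $host -p tcp -m multiport --sports $spec -j MARK --set-mark 1"
    echo "$rule"
    if [ "${APPLY:-0}" = 1 ]; then $rule; fi
}

# One rule per non-blank table row. A later MARK rule overrides an earlier one,
# so in openvpn-event these belong after the table-100 setup and any catch-all.
generate_rules() {
    printf '%s\n' "$BYPASS_TABLE" | while read -r host spec; do
        if [ -n "$host" ]; then bypass_rule "$host" "$spec"; fi
    done
}

generate_rules
```

Run it on the router as APPLY=1 from openvpn-event once the rules printed in dry-run mode look right.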
 
