SSH over OpenVPN client on router

ironclad

Occasional Visitor
I'm trying to set up a SOCKS5 proxy on my router that tunnels traffic through an OpenVPN client so I can selectively tunnel some of my programs. How can I do this? Here's what I want to do:

Computer -> SSH -> Router -> OpenVPN -> Internet

I'm currently SSHing to a spare machine which is being tunneled by the router. It works but I'd like to get rid of the overhead. I don't need that machine running all the time. Here's the current configuration:

Computer -> SSH -> SSH Box -> Router -> OpenVPN -> Internet

I hope the answer is not something obvious. Thank you in advance.

Edit: I'm using Merlin-WRT and an Asus RT-AC68U.
 
I'm going to make several assumptions here. Correct me if I'm wrong.

I assume what you've done is configure an SSH server on some other machine on the same local network (let's say your PC is 192.168.1.100, and that other machine is 192.168.1.200). You've configured the SSH client on 192.168.1.100 w/ a local SOCKS5 proxy (127.0.0.1) and connected it to the SSH server on 192.168.1.200. And you've configured some of your applications on 192.168.1.100 to use that local SOCKS5 proxy. The net effect is that it *appears* to the router that your traffic is sourced from 192.168.1.200, when in fact it is actually sourced from 192.168.1.100. And you're using PBR (policy based routing) to limit the use of the VPN to 192.168.1.200.

Am I close?

While I've never attempted either your current configuration, or your proposed configuration, I'm guessing that if you use the router's SSH server, you could specify the localhost (127.0.0.1) in PBR. IOW, you're telling the router via PBR to always route local processes through the VPN. But that might have some negative consequences since *all* local processes will use the VPN. To prevent that, you may need to use a finer grained form of PBR that considers ports (e.g., 22), not just the source IP. I'm not sure whether Merlin supports it. But it could certainly be done via scripting.

Again, I've never attempted this before. I'm just thinking off the top of my head and speculating a bit. Not until I attempt it myself could I say this would work for sure.
 
Yes that is exactly what I'm doing. :)

Yesterday I tried adding 127.0.0.1 or 192.168.1.1 to the VPN policy list, didn't work. The system logs said something about refusing to recursively route or something.
 
Ok, something just came to mind (I'm thinking more clearly now that morning is here).

In this particular case, the traffic from the SSH server on the router is NOT actually being routed from the local network (at least not from the perspective of PBR). IOW, it's seen as a local process to PBR, and therefore we need a form of PBR that checks packets leaving the local SSH port (22) and headed out over the OUTPUT chain of the firewall. Normally PBR is only implemented for traffic originating from the LAN and passing through the FORWARD chain.

That might not make a lot of sense at the moment, esp. if you don't understand how PBR is implemented by the router, but the bottom line is, the PBR of the Merlin router is unlikely to support what you need. AFAIK, Merlin does NOT support port-based PBR.

https://github.com/RMerl/asuswrt-merlin/wiki/Policy-based-routing

Quoting from the above document,

You CANNOT configure a policy that will be based on a port through the webui - only on IPs (or subnets). If you need more flexibility in your rules, you can look at this alternate manual method. Note that this method might interfere with other features, such as Adaptive QoS.

The alternate manual method is described in the following document.

https://github.com/RMerl/asuswrt-merlin/wiki/Policy-based-routing-(manual-method)

Although the above solution is both IP and port based, it still has a problem. Just like Merlin's IP-only based PBR, it only routes packets over the VPN for devices on the LAN, i.e., those that pass through the PREROUTING chain of the mangle table. In order to force *local* processes on the router through the VPN, you would have to instead mark packets from the SSH port (22) using the OUTPUT chain of that same mangle table (note, there's no need to reference the IP when using the OUTPUT chain since the IP is implied, it's always that of the router).

I realize all of this may be Greek to you if you're not familiar w/ how PBR is implemented, and esp. port-based PBR. But I recommend you at least try making the modifications yourself, and if you run into problems, let me know.

I just don't see any other way to do it at the moment. You need that differentiation provided by the SSH port to solve the problem, and that means a form of port-based PBR, and one which will work w/ local processes on the router, NOT just devices being routed through the router.
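An added, runnable illustration of the mangle OUTPUT approach described above; it is not code from this thread or from the Merlin wiki. One practical point it accounts for: the connections the router's SSH server opens on behalf of a SOCKS client carry kernel-assigned ephemeral source ports, not port 22, so the script marks all router-originated, internet-bound TCP rather than matching on the SSH port. The tunnel name tun11, table 111, fwmark 0x1000, LAN 192.168.1.0/24 and the VPN server address are assumed placeholders; the script prints the commands by default (DRY_RUN=1) and only applies them with DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not from the thread or the Merlin wiki): send the router's
# own internet-bound TCP traffic, which includes the connections the SSH
# server opens for a SOCKS client, through the OpenVPN client tunnel.
# Router-originated packets never pass PREROUTING, so the mark is set in
# the mangle OUTPUT chain instead. No source-IP match is needed there: in
# OUTPUT the source is always the router itself.
# Assumed values: tun11 / table 111 (typical for Merlin OpenVPN client 1),
# fwmark 0x1000, LAN 192.168.1.0/24 and a placeholder VPN server address.
# Check the real interface and table with: ip route show table all
VPN_IF="${VPN_IF:-tun11}"
VPN_TABLE="${VPN_TABLE:-111}"
MARK="${MARK:-0x1000}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
VPN_SERVER="${VPN_SERVER:-203.0.113.10}"   # placeholder: your provider's IP
DRY_RUN="${DRY_RUN:-1}"                    # 1 = print commands, 0 = apply

# run: print the command in dry-run mode, otherwise execute it
run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

pbr_router_rules() {
    # Never mark the OpenVPN session itself or LAN-bound replies (including
    # the SSH session back to the PC); marking those would push the tunnel
    # into itself, the "recursively route" error seen in the router log.
    run iptables -t mangle -A OUTPUT -d "$VPN_SERVER" -j RETURN
    run iptables -t mangle -A OUTPUT -d "$LAN_NET" -j RETURN
    # Everything else the router originates over TCP gets the VPN mark.
    # UDP, including the router's own DNS lookups, stays on the WAN here.
    run iptables -t mangle -A OUTPUT -p tcp -j MARK --set-mark "$MARK"
    # Locally generated packets already carry the WAN source address when
    # they are rerouted, so rewrite it to the tunnel address on the way out.
    run iptables -t nat -A POSTROUTING -o "$VPN_IF" -j MASQUERADE
    # Policy routing: marked packets use a table whose default is the tunnel.
    run ip route replace default dev "$VPN_IF" table "$VPN_TABLE"
    run ip rule add fwmark "$MARK" table "$VPN_TABLE" priority 100
    run ip route flush cache
}

pbr_router_rules
```

Rules added by hand are lost when the firewall or the VPN client restarts, so on Merlin this belongs in a user script such as /jffs/scripts/firewall-start or openvpn-event.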
 
Yeah, I know. That's why it's often easier to use additional hardware to solve the problem. And that's just what you did when you used that other machine to host the SSH server. Even though you didn't perhaps understand how PBR worked, you understood enough to use another machine as a proxy so you could specify its source IP in PBR rather than that of your own PC. But once you decide to NOT use additional hardware, you're forced to solve it via software changes, and now you need to understand the inner workings of PBR.

What I just noticed about that GitHub script is that it doesn't affect the router's local processes. Once connected to the OpenVPN server of your provider, those local processes should use the VPN, but by default, for all devices behind the router, they will use the WAN unless you add PREROUTING rules (as shown at the end of the script) to force them to use the VPN.

IOW, if you install the script as directed, it should fix the problem. Then just add PREROUTING rules for any cases where you want some device on the LAN (wired or wireless) to use the VPN.

That said, if you prefer local processes on the router to default to the WAN (just like LAN devices), then we'd have to make further changes to the script to force only certain processes (like the SSH server) to use the VPN.
 
