On 9/18/22 14:23, William Kenworthy wrote:
>
> On 18/9/22 16:26, n952162 wrote:
>>
>> On 9/18/22 09:52, William Kenworthy wrote:
>>>
>>> On 18/9/22 15:26, n952162 wrote:
>>>> Hello all,
>>>>
>>>> I want to ssh over my openvpn connection, and I can't do it, the
>>>> connection times out.
>>>>
>>>> I saw a reference to gentoo in the openvpn scripts in /etc/openvpn and
>>>> thought maybe somebody here knows something about this.
>>>>
>>>> Earlier my institution recommended openconnect, and I was able to use
>>>> ssh to log in to a host with no problem.
>>>>
>>>> Then, for some reason (licensing?), we were switched to openvpn, which
>>>> works for xfreerdp but not for ssh.
>>>>
>>>> I don't have control over the institution's firewall (but I do have
>>>> for the host itself)
>>>>
>>>> Perhaps when installing the new service, they tightened up the
>>>> firewall rules. But maybe there's a configuration screw I can turn,
>>>> or ... maybe a USE flag?
>>>>
>>>>  - - down-root : Enable the down-root plugin
>>>>  - - examples  : Install examples, usually source code
>>>>  - - inotify   : Enable inotify filesystem monitoring support
>>>>  - - iproute2  : Enabled iproute2 support instead of net-tools
>>>>  + + lz4       : Enable support for lz4 compression (as implemented in app-arch/lz4)
>>>>  + + lzo       : Enable support for lzo compression
>>>>  - - mbedtls   : Use mbed TLS as the backend crypto library
>>>>  + + openssl   : Use OpenSSL as the backend crypto library
>>>>  + + pam       : Add support for PAM (Pluggable Authentication Modules)
>>>>                  - DANGEROUS to arbitrarily flip
>>>>  - - pkcs11    : Enable PKCS#11 smartcard support
>>>>  + + plugins   : Enable the OpenVPN plugin system
>>>>  - - systemd   : Enable use of systemd-specific libraries and features
>>>>                  like socket activation or session tracking
>>>>  - - test      : Enable dependencies and/or preparations necessary to
>>>>                  run tests (usually controlled by FEATURES=test but
>>>>                  can be toggled independently)
>>>>
>>>> TIA
>>>>
>>>>
>>> ssh and openvpn work well together. However I am doing most of the
>>> work using my own configs - gentoo tries to be too clever with its vpn
>>> networking and I've never been able to get it to work
>>> reliably/acceptably. On some sites I have to use port 443 (https) to
>>> get through, and in extreme cases double wrap in ssl (using a mix of
>>> proxytunnel (windows host), stunnel and sslh) to disguise it's a vpn
>>> but still separate it from regular https traffic on my firewall. You
>>> will need to figure out where the ssh is getting blocked/stripped out
>>> - is openvpn your endpoint or theirs?
>>>
>>> BillK
>>>
>>>
>>>
>>
>> I don't understand that question: "is openvpn your endpoint or theirs" -
>> don't both sides have an endpoint on the tunnel?
>>
>> That would have been a class idea, using the https port ...
>> unfortunately, there's a web server running on that machine... it's not
>> being used, however ... hmmm.
>>
>> Wow: "in extreme cases double wrap in ssl (using a mix of proxytunnel
>> (windows host), stunnel and sslh) to disguise it's a vpn but still
>> separate it from regular https traffic on my firewall." - sounds totally
>> cool, except I have no idea what it means... which concept should I
>> start with?
>>
>> - proxytunnel
>>
>> - sslh
>>
>> - double wrapping in ssl
>>
> 1. Do you have control over both openvpn endpoints? Typically in a
> roadwarrior setup the company IT dept owns one and you don't get
> access to it, which can make it very difficult to see what's going on -
> if you can access the configs of both ends it's much easier. The
> firewall you mention might be dropping ssh packets exiting the tunnel
> if it's hosting an endpoint that is subject to the firewall? Routing
> multiple hops past the vpn endpoint can be another issue with openvpn.
>

Ah, now I have a better understanding of the question - yes,
unfortunately, the vpn goes to the institution's intranet. I control
the client and the host, and the link to the institution, but the remote
endpoint of the tunnel is not in my control.



> 2. SSL packets have identifiers in the headers that indicate the type
> of traffic within - sslh is a multiplexor that detects openvpn,
> openssl, openssh etc. via the ssl packet headers (does not need to see
> into the encryption to do this) and redirects the packets to different
> hosts/ports as applicable - e.g. ssl web traffic to your web server
> and openvpn ssl to the vpn concentrator even though it all comes in
> as ssl on port 443.


Okay, that gets me a lot closer. Thank you.

>
> 3a. Before retiring I was working within various seriously locked down
> networks and needed to reach my own home server - some of the
> commercial firewalls are able to break and examine ssl streams, or
> identify it was openvpn on port 443 and block it. If you are using a
> commercial certificate with openvpn this may be happening.
>
> 3b. If you own/host both ends of the vpn tunnel on your own machines,
> use the end-to-end encryption options, and a private certificate. By
> feeding the openvpn ssl stream through something like proxytunnel you
> are encrypting the stream a second time with https characteristics
> which gets around this to some degree (if they do bother to break out the
> ssl, they are presented with the original encrypted data stream and
> assume it's just random data - so far!). To extract the data from the
> original two times encrypted stream I use an sslh multiplexor instance
> to split https from openvpn traffic coming in on port 443. The
> openvpn goes to the vpn concentrator while the ssl goes to a stunnel
> instance to strip that ssl layer after which it's sent to a second sslh
> instance to separate the now non-ssl http traffic to send to the
> webserver, and the recovered original openvpn stream to the
> concentrator. I've had this working for years and performance is
> actually quite good despite its convoluted configuration!


Yeah, some heavy-duty lifting, I'll work on that incrementally ;-)


>
> It gets a lot more complex if firewall pin-holing and other techniques
> are needed :) - firewalls are not all that secure these days! Hope I
> have not totally lost you!
>
> BillK
>
>

Thanks a lot! Very concise and at the same time educational

cts
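As an added illustration of points 2 and 3b above (this is example code, not anything from the thread or from the sslh or stunnel projects), the following Python demonstrates the mechanism a multiplexer such as sslh relies on: the first bytes a client sends identify the protocol (TLS ClientHello, SSH banner, OpenVPN hard-reset packet, HTTP request line) without any decryption, and that is enough to pick a backend. The same classifier run a second time over the stream that stunnel has stripped of its outer TLS layer is what separates plain HTTP from the recovered OpenVPN stream in the two-stage chain Bill describes. It is also exactly the kind of check the firewalls in point 3a perform, which is why a bare OpenVPN handshake on port 443 is easy to spot. The backend addresses and the sample byte strings are constructed for the example; real probes must also wait until the whole first packet has arrived rather than classifying a partial buffer.

```python
"""First-bytes protocol demultiplexing, in the spirit of sslh.

Added example (not code from the mailing-list thread, sslh or stunnel):
classify a TCP stream from the bytes the client sends first, without
decrypting anything, and choose a backend the way an sslh 'protocols'
block would. All sample inputs below are constructed by hand.
"""

import re
import struct

# Hypothetical backends; an sslh config would hold equivalent host/port pairs.
BACKENDS = {
    "tls":     ("127.0.0.1", 8443),  # stunnel, which strips the outer TLS layer
    "openvpn": ("127.0.0.1", 1194),  # the OpenVPN concentrator
    "ssh":     ("127.0.0.1", 22),
    "http":    ("127.0.0.1", 8080),  # the plain web server
}

_HTTP_METHODS = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH|CONNECT|TRACE) ")

# OpenVPN stores the opcode in the top 5 bits of the first packet byte;
# 7 is P_CONTROL_HARD_RESET_CLIENT_V2, the packet a client opens with.
_OPENVPN_HARD_RESET_CLIENT_V2 = 7


def is_tls_client_hello(data: bytes) -> bool:
    """TLS record header: type 0x16 (handshake), version 3.x, then a
    handshake message whose type byte is 1 (ClientHello)."""
    return (len(data) >= 6
            and data[0] == 0x16
            and data[1] == 0x03
            and data[2] in (0x00, 0x01, 0x02, 0x03)
            and data[5] == 0x01)


def is_ssh(data: bytes) -> bool:
    """SSH clients open with an identification string such as 'SSH-2.0-...'."""
    return data.startswith(b"SSH-")


def is_http(data: bytes) -> bool:
    """Plain HTTP starts with a method token and a space."""
    return _HTTP_METHODS.match(data) is not None


def is_openvpn(data: bytes) -> bool:
    """OpenVPN over TCP frames every packet with a 2-byte big-endian length;
    the byte after it carries the opcode in its top 5 bits. The length must
    match the bytes actually received, so a truncated packet is not matched."""
    if len(data) < 3:
        return False
    (plen,) = struct.unpack("!H", data[:2])
    opcode = data[2] >> 3
    return plen == len(data) - 2 and opcode == _OPENVPN_HARD_RESET_CLIENT_V2


def classify(data: bytes) -> str:
    """Return the protocol name for the first bytes of a stream, or 'unknown'."""
    if is_tls_client_hello(data):
        return "tls"
    if is_ssh(data):
        return "ssh"
    if is_openvpn(data):
        return "openvpn"
    if is_http(data):
        return "http"
    return "unknown"


def route(data: bytes):
    """Pick (protocol, (host, port)) for a new connection; None if unrecognised,
    which is where an sslh instance would fall back to its default protocol."""
    proto = classify(data)
    if proto == "unknown":
        return None
    return proto, BACKENDS[proto]


# Constructed sample first-bytes (not captured from any real host).
# TLS: record header (handshake, version 3.1, length 6) + ClientHello header.
SAMPLE_TLS = bytes.fromhex("1603010006010000020303")
# OpenVPN: length 14, opcode byte 0x38 (7 << 3, key id 0), 8-byte session id,
# empty packet-id-ack array, 4-byte packet id.
SAMPLE_OPENVPN = bytes.fromhex("000e38" "0011223344556677" "00" "00000000")
SAMPLE_SSH = b"SSH-2.0-OpenSSH_9.0\r\n"
SAMPLE_HTTP = b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"

if __name__ == "__main__":
    for name, sample in (("tls", SAMPLE_TLS), ("openvpn", SAMPLE_OPENVPN),
                         ("ssh", SAMPLE_SSH), ("http", SAMPLE_HTTP)):
        print(f"{name:8s} -> {route(sample)}")
```

In the double-wrapped setup, the outer sslh sees only a TLS ClientHello and hands the connection to stunnel; the second sslh instance, fed stunnel's decrypted output, sees either an HTTP request line or an OpenVPN hard-reset packet and splits them again. Nothing in either stage needs the keys, which is the point Bill makes about sslh not having to "see into the encryption".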