| 1 |
On 9/18/22 14:23, William Kenworthy wrote: |
| 2 |
> |
| 3 |
> On 18/9/22 16:26, n952162 wrote: |
| 4 |
>> |
| 5 |
>> On 9/18/22 09:52, William Kenworthy wrote: |
| 6 |
>>> |
| 7 |
>>> On 18/9/22 15:26, n952162 wrote: |
| 8 |
>>>> Hello all, |
| 9 |
>>>> |
| 10 |
>>>> I want to ssh over my openvpn connection, and I can't do it, the |
| 11 |
>>>> connection times out. |
| 12 |
>>>> |
| 13 |
>>>> I saw a reference to gentoo in the openvpn scripts in /etc/openvpn and |
| 14 |
>>>> thought maybe somebody here knows something about this. |
| 15 |
>>>> |
| 16 |
>>>> Earlier my institution recommended openconnect, and I was able to use |
| 17 |
>>>> ssh to login in to a host with no problem. |
| 18 |
>>>> |
| 19 |
>>>> Then, for some reason (licensing?), we were switched to openvpn, which |
| 20 |
>>>> works for xfreerdp but not for ssh. |
| 21 |
>>>> |
| 22 |
>>>> I don't have control over the institution's firewall (but I do have |
| 23 |
>>>> for |
| 24 |
>>>> the host itself) |
| 25 |
>>>> |
| 26 |
>>>> Perhaps when installing the new service, they tightened up the |
| 27 |
>>>> firewall |
| 28 |
>>>> rules. But maybe there's a configuration screw I can turn, or ... |
| 29 |
>>>> maybe |
| 30 |
>>>> a USE flag? |
| 31 |
>>>> |
| 32 |
>>>> - - down-root : Enable the down-root plugin |
| 33 |
>>>> - - examples : Install examples, usually source code |
| 34 |
>>>> - - inotify : Enable inotify filesystem monitoring support |
| 35 |
>>>> - - iproute2 : Enabled iproute2 support instead of net-tools |
| 36 |
>>>> + + lz4 : Enable support for lz4 compression (as implemented in |
| 37 |
>>>> app-arch/lz4) |
| 38 |
>>>> + + lzo : Enable support for lzo compression |
| 39 |
>>>> - - mbedtls : Use mbed TLS as the backend crypto library |
| 40 |
>>>> + + openssl : Use OpenSSL as the backend crypto library |
| 41 |
>>>> + + pam : Add support for PAM (Pluggable Authentication |
| 42 |
>>>> Modules) |
| 43 |
>>>> - DANGEROUS to |
| 44 |
>>>> arbitrarily flip |
| 45 |
>>>> - - pkcs11 : Enable PKCS#11 smartcard support |
| 46 |
>>>> + + plugins : Enable the OpenVPN plugin system |
| 47 |
>>>> - - systemd : Enable use of systemd-specific libraries and features |
| 48 |
>>>> like socket |
| 49 |
>>>> activation or session tracking |
| 50 |
>>>> - - test : Enable dependencies and/or preparations necessary to |
| 51 |
>>>> run tests |
| 52 |
>>>> (usually controlled by FEATURES=test but can be |
| 53 |
>>>> toggled independently) |
| 54 |
>>>> |
| 55 |
>>>> TIA |
| 56 |
>>>> |
| 57 |
>>>> |
| 58 |
>>> ssh and openvpn work well together. However I am doing most of the |
| 59 |
>>> work using my own configs - gentoo tries to be too clever with its vpn |
| 60 |
>>> networking and Ive never been able to get it to work |
| 61 |
>>> reliably/acceptably. On some sites I have to use port 443 (https) to |
| 62 |
>>> get through, and in extreme cases double wrap in ssl (using a mix of |
| 63 |
>>> proxytunnel (windows host), stunnel and sslh) to disguise its a vpn |
| 64 |
>>> but still separate it from regular https traffic on my firewall. You |
| 65 |
>>> will need to figure out where the ssh is getting blocked/stripped out |
| 66 |
>>> - is openvpn your endpoint or theirs? |
| 67 |
>>> |
| 68 |
>>> BillK |
| 69 |
>>> |
| 70 |
>>> |
| 71 |
>>> |
| 72 |
>> |
| 73 |
>> I don't understand that question: "is openvpn your endpoint or theirs" - |
| 74 |
>> don't both sides have an endpoint on the tunnel? |
| 75 |
>> |
| 76 |
>> That would have been a class idea, using the https port ... |
| 77 |
>> unfortunately, there's a web server running on that machine... it's not |
| 78 |
>> being used, however ... hmmm. |
| 79 |
>> |
| 80 |
>> Wow: "in extreme cases double wrap in ssl (using a mix of proxytunnel |
| 81 |
>> (windows host), stunnel and sslh) to disguise its a vpn but still |
| 82 |
>> separate it from regular https traffic on my firewall." - sounds totally |
| 83 |
>> cool, except I have no idea what it means... which concept should I |
| 84 |
>> start with? |
| 85 |
>> |
| 86 |
>> - proxytunnel |
| 87 |
>> |
| 88 |
>> - sslh |
| 89 |
>> |
| 90 |
>> - double wrapping in ssl |
| 91 |
>> |
| 92 |
> 1. Do you have control over both openvpn endpoints? Typically in a |
| 93 |
> roadwarrior setup the company IT dept owns one and you don't get |
| 94 |
> access to it which can make it very difficult to see whats going on - |
| 95 |
> if you can access the configs of both ends its much easier. The |
| 96 |
> firewall you mention might be dropping ssh packets exiting the tunnel |
| 97 |
> if its hosting an endpoint that is subject to the firewall? Routing |
| 98 |
> multiple hops past the vpn endpoint can be another issue with openvpn. |
| 99 |
> |
| 100 |
|
| 101 |
Ah, now I have a better understanding of the question - yes, |
| 102 |
unfortunately, the vpn goes to the institution's intranet. I control |
| 103 |
the client and the host, and the link to the institution, but the remote |
| 104 |
endpoint of the tunnel is not in my control. |
| 105 |
|
| 106 |
|
| 107 |
|
| 108 |
> 2. SSL packets have identifiers in the headers that indicate the type |
| 109 |
> of traffic within - sslh is a multiplexor that detects openvpn, |
| 110 |
> openssl, openssh etc. via the ssl packet headers (does not need to see |
| 111 |
> into the encryption to do this) and redirects the packets to different |
| 112 |
> hosts/ports as applicable - e.g, ssl web traffic to your web server |
| 113 |
> and openvpn ssl to to the vpn concentrator even though it all comes in |
| 114 |
> as ssl on port 443. |
| 115 |
|
| 116 |
|
| 117 |
Okay, that gets me a lot closer. Thank you. |
| 118 |
|
| 119 |
> |
| 120 |
> 3a. Before retiring I was working within various seriously locked down |
| 121 |
> networks and needed to reach my own home server - some of the |
| 122 |
> commercial firewalls are able to break and examine ssl streams, or |
| 123 |
> identify it was openvpn on port 443 and block it. If you are using a |
| 124 |
> commercial certificate with openvpn this may be happening. |
| 125 |
> |
| 126 |
> 3b. If you own/host both ends of the vpn tunnel on your own machines, |
| 127 |
> use the end-to-end encryption options, and a private certificate. By |
| 128 |
> feeding the openvpn ssl stream through something like proxytunnel you |
| 129 |
> are encrypting the stream a second time with https characteristics |
| 130 |
> which gets around this to some degree (if they do bother break out the |
| 131 |
> ssl, they are presented with the original encrypted data stream and |
| 132 |
> assume its just random data - so far!). To extract the data from the |
| 133 |
> original two times encrypted stream I use an sslh multiplexor instance |
| 134 |
> to split https from openvpn traffic coming in on port 443. The |
| 135 |
> openvpn goes to the vpn concentrator while the ssl goes to a stunnel |
| 136 |
> instance to strip that ssl layer after which its sent to a second sslh |
| 137 |
> instance to separate the now non-ssl http traffic to send to the |
| 138 |
> webserver, and the recovered original openvpn stream to the |
| 139 |
> concentrator. Ive had this working for years and performance is |
| 140 |
> actually quite good despite its convoluted configuration! |
| 141 |
|
| 142 |
|
| 143 |
Yeah, some heavy-duty lifting, I'll work on that incrementally ;-) |
| 144 |
|
| 145 |
|
| 146 |
> |
| 147 |
> It gets a lot more complex if firewall pin-holing and other techniques |
| 148 |
> are needed :) - firewalls are not all that secure these days! Hope I |
| 149 |
> have not totally lost you! |
| 150 |
> |
| 151 |
> BillK |
| 152 |
> |
| 153 |
> |
| 154 |
|
| 155 |
Thanks alot! Very concise and at the same time educational |
| 156 |
|
| 157 |
cts |
Archives