1

I would like to forward all traffic from a server (Linux) to another server (Linux) without losing ssh access to first server. Authorities (government) have been shutting down the Internet, we have a hard time accessing outside of the country's Internet.

I have configured Server B with OpenConnect Server and I can connect successfully from local to Server B

Local Machine === (via vpn) ===> Server B

But sometimes Server B is not reachable form local and I only can access it from Server A (only thought A to B)

Local Machine === (ssh) ===> Server A === (ssh) ===> Server B

Here is the workflow I try to get it right in order to redirect (or forward) all traffic from Server A to Server B

Local Machine === (via vpn) ===> Server A === (via vpn) ===> Server B

So I can connect from local to Server B, while Server A is a helper and

  • it is a OpenConnect server (so I can connect from local to this)
  • all traffic is forwarded to Server B (via opencoonect client)
  • I can SSH to Server A to manage it (which is is connected to Server B)

I try to use OpenConnect client to make a connection from Server A to Server B.
And I know this operation cuts my SSH connectivity and Server B incoming traffic.

Question 1. Is it possible using OpenConnect to solve this issue or no, another solution like using a MicroTik is better, or turning Server A into a router ...

Question 2. if using OpenCoonect can get it done, how to configure Server A?

I have tried some ip command as well as iptables on Server A, but did not work.

Server A (VM, Debian 11)

  • has public IP address (inside my country)
  • has only one interface (eth0)

Server B (VM, Ubuntu 20)

  • has public IP address (outside of my country)
  • has only one interface (eth0)
  • is an OpenCooenct Server

Regards.

Shakiba Moshiri
  • 231
  • 2
  • 7

2 Answers2

0

Can you elaborate on the desired outcome vs the perceived issue please? Like what is the specific goal. A router that tunnels all WAN traffic encrypted, to exit elsewhere like TOR. IS it just for web browsing (HTTP proxy) or other application (SoCKS proxy), etc?

IF that is the case, I do this at home to bypass my cell provider's bandwidth steering. I use a cellular modem ATT thinks is a phone for home internet. They can be very finicky about what sites they allow full barrel and what they like to nanny. I have a very basic linux router that does a proxy to an SSH server on another network I control elsewhere and not ATT. Then I use that for the whole LAN by setting up SOCAT As a service, and relaying that through the SSH proxy listening on 127.0.0.1.

My LAN clients set the firewall as their proxy, and the internet thinks all the clients are on the other network when they reach the world.

So in your case you would need someone in a non restricted area, and a port/protocol that would pass whatever they are filtering. From there all your traffic would go through that tunnel, and NOT be subject to inspection.

IS this what you are going for, if so I could provide instruction on how to do that....

SSH tunneling https://www.baeldung.com/linux/ssh-tunneling-and-proxying

SOCAT socket forwarding (relay to and from proxy at 127.0.0.1 to LAN accessible interface IP) https://www.redhat.com/sysadmin/getting-started-socat

Very basic linux router to wrap it into. https://gridscale.io/en/community/tutorials/debian-router-gateway/

If you do the minimal install “Expert install” your router/firewall will be very small. Can do the same for the remote endpoint, really it is just an SSH server that allows dynamic forwarding, again, bare minimum linux install required, and very meager resources.’ Easy to preconfigure and ship to someone out of the country to run in something like KVM or virtualbox.

Use Pubkey at least for SSH authentication if you plan on putting on the internet. Suggested pubkey + password to be safer, and if you are comfortable use MFA like google authenticator as well. https://kb.iu.edu/d/aews https://goteleport.com/blog/ssh-2fa-tutorial/

Then all you have to do is trust whomever is running the remote side.

Sabre
  • 425
  • 2
  • 15
  • I updated the question, adding more info about servers A, B. Governments have block the outside of the country Internet for home users (by ISP). so I bought I server (inside the country) that has access to outside. With the help of this Server A, I would like to get access to outside. Using ssh I can do it. Buy I would to have this using a VPN not just socks5 or others – Shakiba Moshiri Oct 24 '22 at 20:03
  • One more thing, with SSH port forwarding and I am able to reach out, outer network which has been blocked by the ISP. I would like to have this with a VPN so I can configure my Phone, Laptop, PC etc on my local machine suing OpenConnect client to access Server B while traffic goes from Server A to Server B . – Shakiba Moshiri Oct 24 '22 at 20:10
  • You can configure all of those, IOS and Android support proxy config, as does windows and linux. Openconnect is an SSL vpn, essentially the same as what I am suggesting it is just a convenience wrapper around it. It is just an atypical way of doing so and may not raise alarms. Another option would be run something like openvpn in virtualbox on server A and server B, set server A's bridged adapter to be the VPN to B. Can deploy that with the OVA from turnkey very fast. https://www.turnkeylinux.org/openvpn that would achieve the above workflow. – Sabre Oct 24 '22 at 20:30
0

After more searching, I found there are two ways to solve this issue

  1. site to site VPN (e.g. using MikroTik RouterOS)
  2. client to server VPN (e.g using OpenConnect or SoftEther)

In site to site VPN, the tunnel is created from a network gateway (to another network gateway), so we have no issue SSH-ing to our VM.

But in client to client/site VPN, since we run the VPN client within the VM we have SSH-ed into, the traffic of our SSH session is blocked, since the whole VM traffic is routed thought the VPN client interface (e.g tun0).
For solving this issue, simply we can add a static route for our SSH session before running the VPN client. See the answer

Now I am able to SSH to a VM, from there run the VPN client, bypassing all network restriction (in my country) while my SSH session is active and functioning.

Finally I could solved the issue.
From my local machine to ServerA (a VPN server) using one of these protocols:

  • OpenVPN
  • WireGuard
  • SSTP
  • OpenConnect

and from there (Server A) to Server B (second VPN server) using SoftEther SSTP.

So I am able to do this:

Local Machine === (via vpn) ===> Server A === (via vpn) ===> Server B
# and finally 
# local machine IP = Server B IP
Shakiba Moshiri
  • 231
  • 2
  • 7