When the OpenVPN client is on, remote ssh access don't works

Question

I'm a new user forum and I'm doing my first VPN setup.

I have purchased a VPN service with PrivateInternetAccess. I'm setting up a Linux VM (CentOS 6.5 server) on a VMware ESXi remote host. It's behind another VM, which makes NAT functions for multiple VMs. I have full access to the ESXi host and the NAT server, to make the necessary changes.

I have a openvpn client on the server and it works correctly.

My problem is that when I activate the client and tunnel works, I lose the connection to the server via ssh.

I guess I have to add a rule to separate config file or in Iptables to keep open the ssh port.

If you need any additional information, I will add it as soon as possible.

=============

Client config file:

client
dev tun
proto udp
remote xxx.privateinternetaccess.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openvpn/ca.crt
crl-verify /etc/openvpn/crl.pem
tls-client
remote-cert-tls server
comp-lzo
reneg-sec 0
verb 4 # verbose mode
status /etc/openvpn/openvpn-status.log
log /etc/openvpn/openvpn-log.log

auth-user-pass /etc/openvpn/login.pia

=============

the IPs client once connected to the VPN is (tunnel ips change every session):

eth1      Link encap:Ethernet  HWaddr 00:0C:29:6F:FA:48  
          inet addr:192.168.100.13  Bcast:192.168.100.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
test 1:
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.113.1.6  P-t-P:10.113.1.5  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
test 2:
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.188.1.10  P-t-P:10.188.1.9  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1

Tunnel vpn public IP: test 1: 93.115.83.16
                      test 2: 5.254.100.67
                      test 3: 93.115.85.39

=============

/etc/sysconfig/iptables file:

# Generated by iptables-save v1.4.7 on Fri Oct 24 08:19:30 2014
*mangle
:PREROUTING ACCEPT [3340:3277701]
:INPUT ACCEPT [3114:3220261]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2532:706816]
:POSTROUTING ACCEPT [2532:706816]
COMMIT
# Completed on Fri Oct 24 08:19:30 2014
# Generated by iptables-save v1.4.7 on Fri Oct 24 08:19:30 2014
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Fri Oct 24 08:19:30 2014
# Generated by iptables-save v1.4.7 on Fri Oct 24 08:19:30 2014
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Fri Oct 24 08:19:30 2014

=============

Iptables allow all traffic, as the server with the vpn client is behind another, which makes routing, no filtering.

the output for "iptables -L -n -v" once connected to the VPN is:

Chain INPUT (policy ACCEPT 1185 packets, 1301K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1490 packets, 568K bytes)
 pkts bytes target     prot opt in     out     source               destination

for "iptables -L -n -v -t nat"

Chain PREROUTING (policy ACCEPT 18 packets, 1475 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 4 packets, 236 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 4 packets, 236 bytes)
 pkts bytes target     prot opt in     out     source               destination

=============

Routing before running the vpn client (netstat -rn)

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.100.0   0.0.0.0         255.255.255.0   U         0 0          0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth1
0.0.0.0         192.168.100.10  0.0.0.0         UG        0 0          0 eth1

Routing after running the vpn client (netstat -rn)

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.110.1.5      0.0.0.0         255.255.255.255 UH        0 0          0 tun0
93.115.85.39    192.168.100.10  255.255.255.255 UGH       0 0          0 eth1
10.110.1.1      10.110.1.5      255.255.255.255 UGH       0 0          0 tun0
192.168.100.0   0.0.0.0         255.255.255.0   U         0 0          0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth1
0.0.0.0         10.110.1.5      128.0.0.0       UG        0 0          0 tun0
128.0.0.0       10.110.1.5      128.0.0.0       UG        0 0          0 tun0
0.0.0.0         192.168.100.10  0.0.0.0         UG        0 0          0 eth1

=============

What is the client IP once connected to the VPN ? And what is the output for `iptables -L -n -v` ? — krisFR, Oct 25 '14 at 17:39
Can we see the routing tables on the client once the tunnel's up (`netstat -rn`)? — MadHatter, Oct 25 '14 at 21:02
Is your problem that the current session stops working, or that you can't start a new connection once the VPN is up (and the current connection stops working). The current connection not working would be because you are changing your source IP address, so the TCP link breaks down - opening a new connection could fix this. If you can't start a new connection, could it be that /etc/ssh/sshd_config has an AllowUsers line or similar ? Can you ping across the VPN to the server ? — davidgo, Oct 26 '14 at 03:45
The current session stops and i can't start a new ssh or scp connection. With the vpn client running, it is possible to ping from my vm server to the outside (to google.com, for example). If I do a ping from the outside to the external ip to the vpn client (while running) ascribes to my VM, ping works. When I disconnected the client, the ping still works. I guess who answers to ping is the vpn server privateinternetaccess, not my VM. I can not access via ssh or the web server through the ip vpn tunnel. — antondepalacios, Oct 26 '14 at 14:19

score 2 · Accepted Answer · answered Oct 30 '14 at 05:43

2

I've solved using static routing between the server and the public ip that I use to login.

ip route add my.local.pc.ip/32 via 192.168.100.10 dev eth1

Best regards

answered Oct 30 '14 at 05:43

antondepalacios

51
1
1
5

score 0 · Answer 2 · edited Apr 13 '17 at 12:14

I found this previous post, I followed in his steps, changing my network settings, but I have not gotten it to work.

Anonymizing OpenVPN Allow SSH Access to Internal Server

I guess I'm missing something or privateinternetaccess settings (received via push) is blocking to take effect.

any idea how to continue testing?

openvpn client log, verb 4:

Mon Oct 27 17:54:14 2014 us=164352 Current Parameter Settings:
Mon Oct 27 17:54:14 2014 us=164412   config = '/etc/openvpn/client.conf'
Mon Oct 27 17:54:14 2014 us=164422   mode = 0
Mon Oct 27 17:54:14 2014 us=164429   persist_config = DISABLED
Mon Oct 27 17:54:14 2014 us=164436   persist_mode = 1
Mon Oct 27 17:54:14 2014 us=164443   show_ciphers = DISABLED
Mon Oct 27 17:54:14 2014 us=164449   show_digests = DISABLED
Mon Oct 27 17:54:14 2014 us=164455   show_engines = DISABLED
Mon Oct 27 17:54:14 2014 us=164461   genkey = DISABLED
Mon Oct 27 17:54:14 2014 us=164467   key_pass_file = '[UNDEF]'
Mon Oct 27 17:54:14 2014 us=164473   show_tls_ciphers = DISABLED
Mon Oct 27 17:54:14 2014 us=164479 Connection profiles [default]:
Mon Oct 27 17:54:14 2014 us=164485   proto = udp
Mon Oct 27 17:54:14 2014 us=164491   local = '192.168.100.13'
Mon Oct 27 17:54:14 2014 us=164497   local_port = 1194
Mon Oct 27 17:54:14 2014 us=164503   remote = 'ro.privateinternetaccess.com'
Mon Oct 27 17:54:14 2014 us=164509   remote_port = 1194
Mon Oct 27 17:54:14 2014 us=164515   remote_float = DISABLED
Mon Oct 27 17:54:14 2014 us=164521   bind_defined = DISABLED
Mon Oct 27 17:54:14 2014 us=164527   bind_local = ENABLED
Mon Oct 27 17:54:14 2014 us=164533   connect_retry_seconds = 5
Mon Oct 27 17:54:14 2014 us=164539   connect_timeout = 10
Mon Oct 27 17:54:14 2014 us=164545   connect_retry_max = 0
Mon Oct 27 17:54:14 2014 us=164551   socks_proxy_server = '[UNDEF]'
Mon Oct 27 17:54:14 2014 us=164557   socks_proxy_port = 0
Mon Oct 27 17:54:14 2014 us=164563   socks_proxy_retry = DISABLED
Mon Oct 27 17:54:14 2014 us=164568   tun_mtu = 1500
Mon Oct 27 17:54:14 2014 us=164574   tun_mtu_defined = ENABLED
Mon Oct 27 17:54:14 2014 us=164580   link_mtu = 1500
Mon Oct 27 17:54:14 2014 us=164586   link_mtu_defined = DISABLED
Mon Oct 27 17:54:14 2014 us=164592   tun_mtu_extra = 0
Mon Oct 27 17:54:14 2014 us=164598   tun_mtu_extra_defined = DISABLED
Mon Oct 27 17:54:14 2014 us=164603   mtu_discover_type = -1
Mon Oct 27 17:54:14 2014 us=164609   fragment = 0
Mon Oct 27 17:54:14 2014 us=164615   mssfix = 1450
Mon Oct 27 17:54:14 2014 us=164621   explicit_exit_notification = 0
Mon Oct 27 17:54:14 2014 us=164628 Connection profiles END
Mon Oct 27 17:54:14 2014 us=164634   remote_random = DISABLED
Mon Oct 27 17:54:14 2014 us=164640   ipchange = '[UNDEF]'
Mon Oct 27 17:54:14 2014 us=164646   dev = 'tun'
Mon Oct 27 17:54:14 2014 us=164651   dev_type = '[UNDEF]'
Mon Oct 27 17:54:14 2014 us=164657   dev_node = '[UNDEF]'
Mon Oct 27 17:54:14 2014 us=164663   lladdr = '[UNDEF]'
Mon Oct 27 17:54:14 2014 us=164669   topology = 1
Mon Oct 27 17:54:14 2014 us=164675   tun_ipv6 = DISABLED
Mon Oct 27 17:54:14 2014 us=164681   ifconfig_local = '[UNDEF]'
Mon Oct 27 17:54:14 2014 us=164686   ifconfig_remote_netmask = '[UNDEF]'
Mon Oct 27 17:54:14 2014 us=164692   ifconfig_noexec = DISABLED
Mon Oct 27 17:54:14 2014 us=164698   ifconfig_nowarn = DISABLED
Mon Oct 27 17:54:14 2014 us=164704   ifconfig_ipv6_local = '[UNDEF]'
Mon Oct 27 17:54:14 2014 us=164710   ifconfig_ipv6_netbits = 0
Mon Oct 27 17:54:14 2014 us=164715   ifconfig_ipv6_remote = '[UNDEF]'
Mon Oct 27 17:54:14 2014 us=164721   shaper = 0
Mon Oct 27 17:54:14 2014 us=164727   mtu_test = 0
Mon Oct 27 17:54:14 2014 us=164733   mlock = DISABLED
Mon Oct 27 17:54:14 2014 us=164739   keepalive_ping = 0
Mon Oct 27 17:54:14 2014 us=164745   keepalive_timeout = 0
Mon Oct 27 17:54:14 2014 us=164750   inactivity_timeout = 0
Mon Oct 27 17:54:14 2014 us=164756   ping_send_timeout = 0
Mon Oct 27 17:54:14 2014 us=164762   ping_rec_timeout = 0
Mon Oct 27 17:54:14 2014 us=164769   ping_rec_timeout_action = 0
Mon Oct 27 17:54:14 2014 us=164775   ping_timer_remote = DISABLED
Mon Oct 27 17:54:14 2014 us=164781   remap_sigusr1 = 0
Mon Oct 27 17:54:14 2014 us=164787   persist_tun = ENABLED
Mon Oct 27 17:54:14 2014 us=164793   persist_local_ip = DISABLED
Mon Oct 27 17:54:14 2014 us=164798   persist_remote_ip = DISABLED
Mon Oct 27 17:54:14 2014 us=164804   persist_key = ENABLED
Mon Oct 27 17:54:14 2014 us=164810   passtos = DISABLED
Mon Oct 27 17:54:14 2014 us=164816   resolve_retry_seconds = 1000000000
Mon Oct 27 17:54:14 2014 us=164825   username = '[UNDEF]'
Mon Oct 27 17:54:14 2014 us=164831   groupname = '[UNDEF]'
Mon Oct 27 17:54:14 2014 us=164837   chroot_dir = '[UNDEF]'
Mon Oct 27 17:54:14 2014 us=164843   cd_dir = '[UNDEF]'
Mon Oct 27 17:54:14 2014 us=164849   writepid = '[UNDEF]'
Mon Oct 27 17:54:14 2014 us=164854   up_script = '[UNDEF]'
Mon Oct 27 17:54:14 2014 us=164860   down_script = '[UNDEF]'
Mon Oct 27 17:54:14 2014 us=164866   down_pre = DISABLED
Mon Oct 27 17:54:14 2014 us=164872   up_restart = DISABLED
Mon Oct 27 17:54:14 2014 us=164878   up_delay = DISABLED
Mon Oct 27 17:54:14 2014 us=164883   daemon = DISABLED
Mon Oct 27 17:54:14 2014 us=164889   inetd = 0
Mon Oct 27 17:54:14 2014 us=164895   log = ENABLED
Mon Oct 27 17:54:14 2014 us=164901   suppress_timestamps = DISABLED
Mon Oct 27 17:54:14 2014 us=164907   nice = 0
Mon Oct 27 17:54:14 2014 us=164913   verbosity = 4
Mon Oct 27 17:54:14 2014 us=164918   mute = 0
Mon Oct 27 17:54:14 2014 us=164924   gremlin = 0
Mon Oct 27 17:54:14 2014 us=164930   status_file = '/etc/openvpn/openvpn-status.log'
Mon Oct 27 17:54:14 2014 us=164936   status_file_version = 1
Mon Oct 27 17:54:14 2014 us=164942   status_file_update_freq = 60
Mon Oct 27 17:54:14 2014 us=164948   occ = ENABLED
Mon Oct 27 17:54:14 2014 us=164954   rcvbuf = 65536
Mon Oct 27 17:54:14 2014 us=164960   sndbuf = 65536
Mon Oct 27 17:54:14 2014 us=164965   mark = 0
Mon Oct 27 17:54:14 2014 us=164971   sockflags = 0
Mon Oct 27 17:54:14 2014 us=164977   fast_io = DISABLED
Mon Oct 27 17:54:14 2014 us=164983   lzo = 7
Mon Oct 27 17:54:14 2014 us=164988   route_script = '[UNDEF]'
Mon Oct 27 17:54:14 2014 us=164994   route_default_gateway = '[UNDEF]'
Mon Oct 27 17:54:14 2014 us=165000   route_default_metric = 0
Mon Oct 27 17:54:14 2014 us=165006   route_noexec = DISABLED
Mon Oct 27 17:54:14 2014 us=165012   route_delay = 0
Mon Oct 27 17:54:14 2014 us=165018   route_delay_window = 30
Mon Oct 27 17:54:14 2014 us=165024   route_delay_defined = DISABLED
Mon Oct 27 17:54:14 2014 us=165030   route_nopull = DISABLED
Mon Oct 27 17:54:14 2014 us=165036   route_gateway_via_dhcp = DISABLED
Mon Oct 27 17:54:14 2014 us=165042   max_routes = 100
Mon Oct 27 17:54:14 2014 us=165048   allow_pull_fqdn = DISABLED
Mon Oct 27 17:54:14 2014 us=165054   management_addr = '[UNDEF]'
Mon Oct 27 17:54:14 2014 us=165059   management_port = 0
Mon Oct 27 17:54:14 2014 us=165065   management_user_pass = '[UNDEF]'
Mon Oct 27 17:54:14 2014 us=165071   management_log_history_cache = 250
Mon Oct 27 17:54:14 2014 us=165077   management_echo_buffer_size = 100
Mon Oct 27 17:54:14 2014 us=165083   management_write_peer_info_file = '[UNDEF]'
Mon Oct 27 17:54:14 2014 us=165089   management_client_user = '[UNDEF]'
Mon Oct 27 17:54:14 2014 us=165095   management_client_group = '[UNDEF]'
Mon Oct 27 17:54:14 2014 us=165101   management_flags = 0
Mon Oct 27 17:54:14 2014 us=165107   shared_secret_file = '[UNDEF]'
Mon Oct 27 17:54:14 2014 us=165113   key_direction = 0
Mon Oct 27 17:54:14 2014 us=165119   ciphername_defined = ENABLED
Mon Oct 27 17:54:14 2014 us=165125   ciphername = 'BF-CBC'
Mon Oct 27 17:54:14 2014 us=165131   authname_defined = ENABLED
Mon Oct 27 17:54:14 2014 us=165136   authname = 'SHA1'
Mon Oct 27 17:54:14 2014 us=165142   prng_hash = 'SHA1'
Mon Oct 27 17:54:14 2014 us=165148   prng_nonce_secret_len = 16
Mon Oct 27 17:54:14 2014 us=165154   keysize = 0
Mon Oct 27 17:54:14 2014 us=165160   engine = DISABLED
Mon Oct 27 17:54:14 2014 us=165166   replay = ENABLED
Mon Oct 27 17:54:14 2014 us=165172   mute_replay_warnings = DISABLED
Mon Oct 27 17:54:14 2014 us=165178   replay_window = 64
Mon Oct 27 17:54:14 2014 us=165184   replay_time = 15
Mon Oct 27 17:54:14 2014 us=165204   packet_id_file = '[UNDEF]'
Mon Oct 27 17:54:14 2014 us=165211   use_iv = ENABLED
Mon Oct 27 17:54:14 2014 us=165217   test_crypto = DISABLED
Mon Oct 27 17:54:14 2014 us=165223   tls_server = DISABLED
Mon Oct 27 17:54:14 2014 us=165229   tls_client = ENABLED
Mon Oct 27 17:54:14 2014 us=165235   key_method = 2
Mon Oct 27 17:54:14 2014 us=165241   ca_file = '/etc/openvpn/ca.crt'
Mon Oct 27 17:54:14 2014 us=165253   ca_path = '[UNDEF]'
Mon Oct 27 17:54:14 2014 us=165260   dh_file = '[UNDEF]'
Mon Oct 27 17:54:14 2014 us=165266   cert_file = '[UNDEF]'
Mon Oct 27 17:54:14 2014 us=165272   priv_key_file = '[UNDEF]'
Mon Oct 27 17:54:14 2014 us=165278   pkcs12_file = '[UNDEF]'
Mon Oct 27 17:54:14 2014 us=165284   cipher_list = '[UNDEF]'
Mon Oct 27 17:54:14 2014 us=165290   tls_verify = '[UNDEF]'
Mon Oct 27 17:54:14 2014 us=165296   tls_export_cert = '[UNDEF]'
Mon Oct 27 17:54:14 2014 us=165302   verify_x509_type = 0
Mon Oct 27 17:54:14 2014 us=165308   verify_x509_name = '[UNDEF]'
Mon Oct 27 17:54:14 2014 us=165313   crl_file = '/etc/openvpn/crl.pem'
Mon Oct 27 17:54:14 2014 us=165319   ns_cert_type = 0
Mon Oct 27 17:54:14 2014 us=165325   remote_cert_ku[i] = 160
Mon Oct 27 17:54:14 2014 us=165331   remote_cert_ku[i] = 136
Mon Oct 27 17:54:14 2014 us=165337   remote_cert_ku[i] = 0
Mon Oct 27 17:54:14 2014 us=165343   remote_cert_ku[i] = 0
Mon Oct 27 17:54:14 2014 us=165348   remote_cert_ku[i] = 0
Mon Oct 27 17:54:14 2014 us=165354   remote_cert_ku[i] = 0
Mon Oct 27 17:54:14 2014 us=165360   remote_cert_ku[i] = 0
Mon Oct 27 17:54:14 2014 us=165366   remote_cert_ku[i] = 0
Mon Oct 27 17:54:14 2014 us=165371   remote_cert_ku[i] = 0
Mon Oct 27 17:54:14 2014 us=165377   remote_cert_ku[i] = 0
Mon Oct 27 17:54:14 2014 us=165383   remote_cert_ku[i] = 0
Mon Oct 27 17:54:14 2014 us=165389   remote_cert_ku[i] = 0
Mon Oct 27 17:54:14 2014 us=165394   remote_cert_ku[i] = 0
Mon Oct 27 17:54:14 2014 us=165400   remote_cert_ku[i] = 0
Mon Oct 27 17:54:14 2014 us=165406   remote_cert_ku[i] = 0
Mon Oct 27 17:54:14 2014 us=165412   remote_cert_ku[i] = 0
Mon Oct 27 17:54:14 2014 us=165418   remote_cert_eku = 'TLS Web Server Authentication'
Mon Oct 27 17:54:14 2014 us=165424   ssl_flags = 0
Mon Oct 27 17:54:14 2014 us=165430   tls_timeout = 2
Mon Oct 27 17:54:14 2014 us=165436   renegotiate_bytes = 0
Mon Oct 27 17:54:14 2014 us=165442   renegotiate_packets = 0
Mon Oct 27 17:54:14 2014 us=165447   renegotiate_seconds = 0
Mon Oct 27 17:54:14 2014 us=165453   handshake_window = 60
Mon Oct 27 17:54:14 2014 us=165459   transition_window = 3600
Mon Oct 27 17:54:14 2014 us=165465   single_session = DISABLED
Mon Oct 27 17:54:14 2014 us=165471   push_peer_info = DISABLED
Mon Oct 27 17:54:14 2014 us=165476   tls_exit = DISABLED
Mon Oct 27 17:54:14 2014 us=165482   tls_auth_file = '[UNDEF]'
Mon Oct 27 17:54:14 2014 us=165488   pkcs11_protected_authentication = DISABLED
Mon Oct 27 17:54:14 2014 us=165494   pkcs11_protected_authentication = DISABLED
Mon Oct 27 17:54:14 2014 us=165500   pkcs11_protected_authentication = DISABLED
Mon Oct 27 17:54:14 2014 us=165506   pkcs11_protected_authentication = DISABLED
Mon Oct 27 17:54:14 2014 us=165512   pkcs11_protected_authentication = DISABLED
Mon Oct 27 17:54:14 2014 us=165518   pkcs11_protected_authentication = DISABLED
Mon Oct 27 17:54:14 2014 us=165524   pkcs11_protected_authentication = DISABLED
Mon Oct 27 17:54:14 2014 us=165529   pkcs11_protected_authentication = DISABLED
Mon Oct 27 17:54:14 2014 us=165535   pkcs11_protected_authentication = DISABLED
Mon Oct 27 17:54:14 2014 us=165541   pkcs11_protected_authentication = DISABLED
Mon Oct 27 17:54:14 2014 us=165547   pkcs11_protected_authentication = DISABLED
Mon Oct 27 17:54:14 2014 us=165553   pkcs11_protected_authentication = DISABLED
Mon Oct 27 17:54:14 2014 us=165559   pkcs11_protected_authentication = DISABLED
Mon Oct 27 17:54:14 2014 us=165564   pkcs11_protected_authentication = DISABLED
Mon Oct 27 17:54:14 2014 us=165570   pkcs11_protected_authentication = DISABLED
Mon Oct 27 17:54:14 2014 us=165576   pkcs11_protected_authentication = DISABLED
Mon Oct 27 17:54:14 2014 us=165582   pkcs11_private_mode = 00000000
Mon Oct 27 17:54:14 2014 us=165588   pkcs11_private_mode = 00000000
Mon Oct 27 17:54:14 2014 us=165594   pkcs11_private_mode = 00000000
Mon Oct 27 17:54:14 2014 us=165600   pkcs11_private_mode = 00000000
Mon Oct 27 17:54:14 2014 us=165606   pkcs11_private_mode = 00000000
Mon Oct 27 17:54:14 2014 us=165617   pkcs11_private_mode = 00000000
Mon Oct 27 17:54:14 2014 us=165624   pkcs11_private_mode = 00000000
Mon Oct 27 17:54:14 2014 us=165630   pkcs11_private_mode = 00000000
Mon Oct 27 17:54:14 2014 us=165636   pkcs11_private_mode = 00000000
Mon Oct 27 17:54:14 2014 us=165642   pkcs11_private_mode = 00000000
Mon Oct 27 17:54:14 2014 us=165648   pkcs11_private_mode = 00000000
Mon Oct 27 17:54:14 2014 us=165654   pkcs11_private_mode = 00000000
Mon Oct 27 17:54:14 2014 us=165660   pkcs11_private_mode = 00000000
Mon Oct 27 17:54:14 2014 us=165666   pkcs11_private_mode = 00000000
Mon Oct 27 17:54:14 2014 us=165672   pkcs11_private_mode = 00000000
Mon Oct 27 17:54:14 2014 us=165678   pkcs11_private_mode = 00000000
Mon Oct 27 17:54:14 2014 us=165683   pkcs11_cert_private = DISABLED
Mon Oct 27 17:54:14 2014 us=165689   pkcs11_cert_private = DISABLED
Mon Oct 27 17:54:14 2014 us=165695   pkcs11_cert_private = DISABLED
Mon Oct 27 17:54:14 2014 us=165701   pkcs11_cert_private = DISABLED
Mon Oct 27 17:54:14 2014 us=165707   pkcs11_cert_private = DISABLED
Mon Oct 27 17:54:14 2014 us=165712   pkcs11_cert_private = DISABLED
Mon Oct 27 17:54:14 2014 us=165718   pkcs11_cert_private = DISABLED
Mon Oct 27 17:54:14 2014 us=165724   pkcs11_cert_private = DISABLED
Mon Oct 27 17:54:14 2014 us=165730   pkcs11_cert_private = DISABLED
Mon Oct 27 17:54:14 2014 us=165736   pkcs11_cert_private = DISABLED
Mon Oct 27 17:54:14 2014 us=165741   pkcs11_cert_private = DISABLED
Mon Oct 27 17:54:14 2014 us=165747   pkcs11_cert_private = DISABLED
Mon Oct 27 17:54:14 2014 us=165753   pkcs11_cert_private = DISABLED
Mon Oct 27 17:54:14 2014 us=165759   pkcs11_cert_private = DISABLED
Mon Oct 27 17:54:14 2014 us=165764   pkcs11_cert_private = DISABLED
Mon Oct 27 17:54:14 2014 us=165770   pkcs11_cert_private = DISABLED
Mon Oct 27 17:54:14 2014 us=165776   pkcs11_pin_cache_period = -1
Mon Oct 27 17:54:14 2014 us=165782   pkcs11_id = '[UNDEF]'
Mon Oct 27 17:54:14 2014 us=165788   pkcs11_id_management = DISABLED
Mon Oct 27 17:54:14 2014 us=166003   server_network = 0.0.0.0
Mon Oct 27 17:54:14 2014 us=166025   server_netmask = 0.0.0.0
Mon Oct 27 17:54:14 2014 us=166034   server_network_ipv6 = ::
Mon Oct 27 17:54:14 2014 us=166040   server_netbits_ipv6 = 0
Mon Oct 27 17:54:14 2014 us=166047   server_bridge_ip = 0.0.0.0
Mon Oct 27 17:54:14 2014 us=166053   server_bridge_netmask = 0.0.0.0
Mon Oct 27 17:54:14 2014 us=166060   server_bridge_pool_start = 0.0.0.0
Mon Oct 27 17:54:14 2014 us=166067   server_bridge_pool_end = 0.0.0.0
Mon Oct 27 17:54:14 2014 us=166073   ifconfig_pool_defined = DISABLED
Mon Oct 27 17:54:14 2014 us=166079   ifconfig_pool_start = 0.0.0.0
Mon Oct 27 17:54:14 2014 us=166086   ifconfig_pool_end = 0.0.0.0
Mon Oct 27 17:54:14 2014 us=166092   ifconfig_pool_netmask = 0.0.0.0
Mon Oct 27 17:54:14 2014 us=166098   ifconfig_pool_persist_filename = '[UNDEF]'
Mon Oct 27 17:54:14 2014 us=166105   ifconfig_pool_persist_refresh_freq = 600
Mon Oct 27 17:54:14 2014 us=166111   ifconfig_ipv6_pool_defined = DISABLED
Mon Oct 27 17:54:14 2014 us=166117   ifconfig_ipv6_pool_base = ::
Mon Oct 27 17:54:14 2014 us=166123   ifconfig_ipv6_pool_netbits = 0
Mon Oct 27 17:54:14 2014 us=166129   n_bcast_buf = 256
Mon Oct 27 17:54:14 2014 us=166135   tcp_queue_limit = 64
Mon Oct 27 17:54:14 2014 us=166141   real_hash_size = 256
Mon Oct 27 17:54:14 2014 us=166147   virtual_hash_size = 256
Mon Oct 27 17:54:14 2014 us=166153   client_connect_script = '[UNDEF]'
Mon Oct 27 17:54:14 2014 us=166159   learn_address_script = '[UNDEF]'
Mon Oct 27 17:54:14 2014 us=166165   client_disconnect_script = '[UNDEF]'
Mon Oct 27 17:54:14 2014 us=166172   client_config_dir = '[UNDEF]'
Mon Oct 27 17:54:14 2014 us=166178   ccd_exclusive = DISABLED
Mon Oct 27 17:54:14 2014 us=166184   tmp_dir = '/tmp'
Mon Oct 27 17:54:14 2014 us=166203   push_ifconfig_defined = DISABLED
Mon Oct 27 17:54:14 2014 us=166210   push_ifconfig_local = 0.0.0.0
Mon Oct 27 17:54:14 2014 us=166217   push_ifconfig_remote_netmask = 0.0.0.0
Mon Oct 27 17:54:14 2014 us=166223   push_ifconfig_ipv6_defined = DISABLED
Mon Oct 27 17:54:14 2014 us=166240   push_ifconfig_ipv6_local = ::/0
Mon Oct 27 17:54:14 2014 us=166248   push_ifconfig_ipv6_remote = ::
Mon Oct 27 17:54:14 2014 us=166254   enable_c2c = DISABLED
Mon Oct 27 17:54:14 2014 us=166260   duplicate_cn = DISABLED
Mon Oct 27 17:54:14 2014 us=166266   cf_max = 0
Mon Oct 27 17:54:14 2014 us=166272   cf_per = 0
Mon Oct 27 17:54:14 2014 us=166278   max_clients = 1024
Mon Oct 27 17:54:14 2014 us=166284   max_routes_per_client = 256
Mon Oct 27 17:54:14 2014 us=166290   auth_user_pass_verify_script = '[UNDEF]'
Mon Oct 27 17:54:14 2014 us=166296   auth_user_pass_verify_script_via_file = DISABLED
Mon Oct 27 17:54:14 2014 us=166302   port_share_host = '[UNDEF]'
Mon Oct 27 17:54:14 2014 us=166308   port_share_port = 0
Mon Oct 27 17:54:14 2014 us=166314   client = ENABLED
Mon Oct 27 17:54:14 2014 us=166320   pull = ENABLED
Mon Oct 27 17:54:14 2014 us=166326   auth_user_pass_file = '/etc/openvpn/login.pia'
Mon Oct 27 17:54:14 2014 us=166334 OpenVPN 2.3.2 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Sep 12 2013
Mon Oct 27 17:54:14 2014 us=199516 LZO compression initialized
Mon Oct 27 17:54:14 2014 us=199583 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon Oct 27 17:54:14 2014 us=199625 Socket Buffers: R=[124928->131072] S=[124928->131072]
Mon Oct 27 17:54:14 2014 us=202292 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Oct 27 17:54:14 2014 us=202322 Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Mon Oct 27 17:54:14 2014 us=202330 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Mon Oct 27 17:54:14 2014 us=202348 Local Options hash (VER=V4): '41690919'
Mon Oct 27 17:54:14 2014 us=202359 Expected Remote Options hash (VER=V4): '530fdded'
Mon Oct 27 17:54:14 2014 us=202372 UDPv4 link local (bound): [AF_INET]192.168.100.13:1194
Mon Oct 27 17:54:14 2014 us=202379 UDPv4 link remote: [AF_INET]93.115.83.244:1194
Mon Oct 27 17:54:14 2014 us=239323 TLS: Initial packet from [AF_INET]93.115.83.244:1194, sid=bb2e3c12 9e137b77
Mon Oct 27 17:54:14 2014 us=239417 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Oct 27 17:54:14 2014 us=472807 CRL CHECK OK: C=US, ST=OH, L=Columbus, O=Private Internet Access, CN=Private Internet Access CA, emailAddress=secure@privateinternetaccess.com
Mon Oct 27 17:54:14 2014 us=472851 VERIFY OK: depth=1, C=US, ST=OH, L=Columbus, O=Private Internet Access, CN=Private Internet Access CA, emailAddress=secure@privateinternetaccess.com
Mon Oct 27 17:54:14 2014 us=472999 Validating certificate key usage
Mon Oct 27 17:54:14 2014 us=473009 ++ Certificate has key usage  00a0, expects 00a0
Mon Oct 27 17:54:14 2014 us=473016 VERIFY KU OK
Mon Oct 27 17:54:14 2014 us=473025 Validating certificate extended key usage
Mon Oct 27 17:54:14 2014 us=473033 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Mon Oct 27 17:54:14 2014 us=473040 VERIFY EKU OK
Mon Oct 27 17:54:14 2014 us=473087 CRL CHECK OK: C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=Private Internet Access, name=Private Internet Access, emailAddress=secure@privateinternetaccess.com
Mon Oct 27 17:54:14 2014 us=473106 VERIFY OK: depth=0, C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=Private Internet Access, name=Private Internet Access, emailAddress=secure@privateinternetaccess.com
Mon Oct 27 17:54:14 2014 us=639441 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Oct 27 17:54:14 2014 us=639472 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Oct 27 17:54:14 2014 us=639518 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Oct 27 17:54:14 2014 us=639526 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Oct 27 17:54:14 2014 us=639577 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Mon Oct 27 17:54:14 2014 us=639597 [Private Internet Access] Peer Connection Initiated with [AF_INET]93.115.83.244:1194
Mon Oct 27 17:54:16 2014 us=697840 SENT CONTROL [Private Internet Access]: 'PUSH_REQUEST' (status=1)
Mon Oct 27 17:54:16 2014 us=734290 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 209.222.18.222,dhcp-option DNS 209.222.18.218,ping 10,route 10.126.1.1,topology net30,ifconfig 10.126.1.6 10.126.1.5'
Mon Oct 27 17:54:16 2014 us=734376 OPTIONS IMPORT: timers and/or timeouts modified
Mon Oct 27 17:54:16 2014 us=734386 OPTIONS IMPORT: --ifconfig/up options modified
Mon Oct 27 17:54:16 2014 us=734393 OPTIONS IMPORT: route options modified
Mon Oct 27 17:54:16 2014 us=734398 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Mon Oct 27 17:54:16 2014 us=734549 ROUTE_GATEWAY 192.168.100.10/255.255.255.0 IFACE=eth1 HWADDR=00:0c:29:6f:fa:48
Mon Oct 27 17:54:16 2014 us=746608 TUN/TAP device tun0 opened
Mon Oct 27 17:54:16 2014 us=746628 TUN/TAP TX queue length set to 100
Mon Oct 27 17:54:16 2014 us=746641 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Mon Oct 27 17:54:16 2014 us=746659 /sbin/ip link set dev tun0 up mtu 1500
Mon Oct 27 17:54:16 2014 us=748139 /sbin/ip addr add dev tun0 local 10.126.1.6 peer 10.126.1.5
Mon Oct 27 17:54:16 2014 us=748976 /sbin/ip route add 93.115.83.244/32 via 192.168.100.10
Mon Oct 27 17:54:16 2014 us=749737 /sbin/ip route add 0.0.0.0/1 via 10.126.1.5
Mon Oct 27 17:54:16 2014 us=750310 /sbin/ip route add 128.0.0.0/1 via 10.126.1.5
Mon Oct 27 17:54:16 2014 us=750803 /sbin/ip route add 10.126.1.1/32 via 10.126.1.5
Mon Oct 27 17:54:16 2014 us=751309 Initialization Sequence Completed

Mon Oct 27 17:56:45 2014 us=819279 event_wait : Interrupted system call (code=4)
Mon Oct 27 17:56:45 2014 us=819485 TCP/UDP: Closing socket
Mon Oct 27 17:56:45 2014 us=819530 /sbin/ip route del 10.126.1.1/32
Mon Oct 27 17:56:45 2014 us=820269 /sbin/ip route del 93.115.83.244/32
Mon Oct 27 17:56:45 2014 us=820850 /sbin/ip route del 0.0.0.0/1
Mon Oct 27 17:56:45 2014 us=821401 /sbin/ip route del 128.0.0.0/1
Mon Oct 27 17:56:45 2014 us=821927 Closing TUN/TAP interface
Mon Oct 27 17:56:45 2014 us=821953 /sbin/ip addr del dev tun0 local 10.126.1.6 peer 10.126.1.5
Mon Oct 27 17:56:45 2014 us=834264 SIGINT[hard,] received, process exiting

When the OpenVPN client is on, remote ssh access don't works

2 Answers2