
I'm trying to connect from the Google Cloud Virtual Machine to NordVPN servers. The VPN connection works however as soon as the connection is established the existing SSH session freezes up and trying to create a new session times out.

The machine is running Ubuntu 16.04. It has a statically allocated IP but no IP forwarding enabled.

Things I've tried:

I've tried using both NordVPN directly as well as using OpenVPN.

Everything from: Anonymizing OpenVPN Allow SSH Access to Internal Server

^ This makes a difference in that I get one more line of logging from OpenVPN in the SSH session before it freezes than without it.

From: https://askubuntu.com/questions/646051/ssh-to-server-that-is-connected-to-vpn

# set "connection" mark of connection from eth0 when first packet of connection arrives
sudo iptables -t mangle -A PREROUTING -i eth0 -m conntrack --ctstate NEW -j CONNMARK --set-mark 1234

# set "firewall" mark for response packets in connection with our connection mark
sudo iptables -t mangle -A OUTPUT -m connmark --mark 1234 -j MARK --set-mark 4321

# our routing table with eth0 as gateway interface
sudo ip route add default dev eth0 table 3412

# route packets with our firewall mark using our routing table
sudo ip rule add fwmark 4321 table 3412

From: https://askubuntu.com/questions/893775/cant-ssh-to-server-with-vpn-connection

#!/bin/sh
ip rule add from <your-server-ip> table 128
ip route add table 128 to <your-server-subnet> dev <your-interface>
ip route add table 128 default via <server-gateway>

^ Neither of these seems to change anything; there's seemingly no difference with or without them. I'm not sure if I was using the correct subnet however. The best I could find was the Google Cloud CIDRs 35.224.0.0/12, 35.240.0.0/13, and 35.208.0.0/12.

From: Prevent SSH connection lost after logging into VPN on server machine

route add -host <my-ip> gw <default gateway>

^ This stops the SSH session dying but then no traffic actually goes through the VPN.

Any advice would be greatly appreciated right now because I'm out of ideas.

1 Answer

The problem is that ssh traffic starts going through the VPN when you connect to it. That means the ssh connection cannot continue (since you changed the endpoint).

The idea is to fix the route for the ssh traffic, so that it keeps flowing over the same interface (I'm simplifying it a bit; this will not necessarily work in more complex environments).

So, remove all the rules you have added so far to solve the problem and start with a clean slate. Then, connect via ssh.

Run ip route list to get the default route information (I'm guessing your current ssh traffic uses that); you will see something like this:

# ip route list
default via 172.24.1.1 dev DEVICE onlink 

Now you add an explicit route for your ssh traffic (change DEVICE to match the one in the default route):

# ip route add your.ssh.remote.address dev DEVICE

And starting the VPN should not stop your ssh session. After starting the VPN you can run ip route list again and check if your manually added route is still there. If it is not, the VPN might be removing the routes.

Eduardo Trápani
  • Unfortunately this didn't work, I can still see the manually added route after the VPN disconnects but it's still hanging my SSH session. Not sure if it's significant but running `ip route list` initially gave: `default via 10.132.0.1 dev ens4 \ 10.132.0.1 dev ens4 scope link` – SchoolJava101 Jan 13 '20 at 15:56
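The route-pinning approach from the answer, written up as a small POSIX sh helper; this is an added example, not code from the question or the answer. It assumes Linux iproute2, that the script runs inside the SSH session so sshd has exported SSH_CONNECTION (its first field is the client address), and that the pre-VPN default route has a `via` gateway, as in the `ip route list` output quoted in the comment above.

```shell
#!/bin/sh
# Pin a /32 host route for the current SSH peer via the pre-VPN gateway, so the
# session survives the VPN replacing the default route. Added example; assumes
# Linux iproute2 and an SSH session with SSH_CONNECTION set.

# Read `ip route list` output on stdin and print "<gateway> <device>" of the default route.
parse_default_route() {
    awk '$1 == "default" {
            for (i = 2; i <= NF; i++) { if ($i == "via") gw = $(i+1); if ($i == "dev") dev = $(i+1) }
            print gw, dev; exit }'
}

# The first field of SSH_CONNECTION is the address the SSH client connected from.
ssh_peer_ip() {
    printf '%s\n' "${SSH_CONNECTION%% *}"
}

# Build the command that pins the peer's host route through the original gateway.
pin_route_cmd() {
    printf 'ip route add %s/32 via %s dev %s\n' "$1" "$2" "$3"
}

# Read `ip route list` output on stdin; succeed only if the pinned route is still present.
# This is the verification step to run after the VPN comes up.
route_present() {
    awk -v p="$1" -v gw="$2" -v dev="$3" \
        '$1 == p && $2 == "via" && $3 == gw && $4 == "dev" && $5 == dev { found = 1 }
         END { exit !found }'
}

# Look up the live default route and add the host route for this session's peer.
pin_ssh_route() {
    peer=$(ssh_peer_ip)
    [ -n "$peer" ] || { echo "not an SSH session (SSH_CONNECTION unset)" >&2; return 1; }
    set -- $(ip route list | parse_default_route)
    [ $# -eq 2 ] || { echo "no default route with a gateway found" >&2; return 1; }
    echo "pinning: $(pin_route_cmd "$peer" "$1" "$2")"
    ip route add "$peer/32" via "$1" dev "$2"
}

# Usage: `sh pin-ssh-route.sh apply` before starting the VPN (as root),
#        `sh pin-ssh-route.sh check <gateway> <device>` after it is up.
case "${1:-}" in
    apply) pin_ssh_route ;;
    check) ip route list | route_present "$(ssh_peer_ip)" "$2" "$3" && echo "pinned route still present" ;;
esac
```

Because the /32 route is more specific than the 0.0.0.0/1 and 128.0.0.0/1 routes OpenVPN-style clients install, it keeps winning after the VPN is up; if `check` fails, the VPN client is flushing routes and the route has to be re-added from its up script.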