4

I need to access my company's internal network without using their OpenVPN server directly (my ISP blocks it). So I used an instance with a public IP, located where my company is, configured an OpenVPN client on it, and used it to connect to the company's OpenVPN server.

(public IP instance) ===OPENVPN===> (Company)

Now I need to achieve one more thing: working from my local machine over an SSH tunnel using sshuttle, so that the topology becomes:

(local) ===SSHUTTLE===> (public IP instance) ===OPENVPN===> (Company)

Note that the public IP instance has two network adapters: eth0 (which has the public IP) and tun0 (which belongs to OpenVPN).

I installed sshuttle and tested the following command:

sshuttle --dns -r <user>@<public IP instance address> 0.0.0.0/0

It says connected after that, but I still can't access anything. I tested dig and it returned results showing the addresses of the company's internal services. However, I still can't ping them. I tested with traceroute and it stops at some point after displaying a few hops.

One important point is that I can't ping the tun0 address (on the public IP instance) from my local machine.

I suspect that I need to add some routes on the intermediate public IP instance, but I am not sure.

I would appreciate any help. Thanks in advance.

Badr

1 Answer

0

Your setup is right, but your assumptions are wrong.

Initially, check that your VPN is working fine on the jump box; if it is Linux, just check:

route -n

Wrong assumptions:

  • sshuttle will route your dig commands: sshuttle only routes TCP, and DNS queries are UDP.
  • Using --dns in your sshuttle command is meaningless, as you won't get the DNS of the VPN but that of the jump box, and that won't work.
  • You should add the DNS of the VPN to your /etc/resolv.conf, with the target domain for local discovery, like the following (call tech support to provide you with the right DNS; you can also find it in the VPN log on the jump box):

    search companydomain.internal
    nameserver 10.x.y.z

  • It's better to split the traffic and only target your company CIDR over sshuttle (most of them use parts of 10.0.0.0/8) instead of all traffic, 0.0.0.0/0.
  • Important note: your company may block egress traffic to the internet over the VPN access.
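The split-tunnel advice above (forward only the company's CIDRs, not 0.0.0.0/0) can be derived from the jump box's own routing table: every network the VPN pushed is routed via tun0, and those are exactly the subnets sshuttle should be given as positional arguments. The script below is an added example, not from the question or the answer; it parses a constructed `route -n` snapshot (the 203.0.113.x, 10.8.0.0/24 and 10.20.0.0/16 values are made up for illustration, and `user@JUMP_HOST` is a placeholder) and prints the matching sshuttle command line. On a real jump box you would pipe the live `route -n` output into `vpn_cidrs` instead of the sample.

```shell
#!/bin/sh
# Added example: derive the company CIDRs routed through the VPN interface
# on the jump box and build a split-tunnel sshuttle command from them.

# Constructed sample of `route -n` output on the jump box (not real data).
SAMPLE_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         203.0.113.1     0.0.0.0         UG    0      0        0 eth0
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tun0
10.20.0.0       10.8.0.1        255.255.0.0     UG    0      0        0 tun0
203.0.113.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0'

# Convert a dotted-quad netmask (Genmask column) into a prefix length,
# e.g. 255.255.0.0 -> 16, by counting the set bits of each octet.
mask_to_prefix() {
  echo "$1" | awk -F. '{
    bits = 0
    for (i = 1; i <= 4; i++) {
      o = $i + 0
      while (o > 0) { bits += o % 2; o = int(o / 2) }
    }
    print bits
  }'
}

# Print one CIDR per line for every route whose Iface column matches $1.
# $2 is the route table text; it defaults to the constructed sample.
# The header lines are skipped by requiring a numeric Destination.
vpn_cidrs() {
  iface="$1"
  routes="${2:-$SAMPLE_ROUTES}"
  printf '%s\n' "$routes" \
    | awk -v ifc="$iface" '$8 == ifc && $1 ~ /^[0-9]/ { print $1, $3 }' \
    | while read -r dst mask; do
        printf '%s/%s\n' "$dst" "$(mask_to_prefix "$mask")"
      done
}

# Build the sshuttle invocation that forwards only the VPN-routed subnets.
# $1 = user@jump-host, $2 = VPN interface name, $3 = optional route table text.
build_sshuttle_cmd() {
  user_host="$1"
  iface="$2"
  routes="${3:-$SAMPLE_ROUTES}"
  cidrs=$(vpn_cidrs "$iface" "$routes" | tr '\n' ' ' | sed 's/ $//')
  printf 'sshuttle -r %s %s\n' "$user_host" "$cidrs"
}

# Stand-alone demonstration using the placeholder host and the sample table.
build_sshuttle_cmd "user@JUMP_HOST" tun0
```

Because the default route (0.0.0.0 via eth0) is never selected, the resulting command forwards only the company ranges, which keeps your ordinary internet traffic off the tunnel and sidesteps the egress-blocking problem mentioned in the last bullet.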