[kwlug-disc] Initiating connections to OpenVPN clients

unsolicited unsolicited at swiz.ca
Wed Jun 29 18:50:52 EDT 2011


Paul Nijjar wrote, On 06/29/2011 6:37 PM:
> Let's say I have the following: 
> 
> - a network named "A", which is an OpenVPN server (running on pfSense,
>   as usual)
> - a server named "B" on that network. It is running Windows. 
> - a client named "C", which has a connection to network A. It is
>   running Ubuntu, and has SSHD running on it. 
> 
> Client C can see network A. It can make arbitrary connections to
> machines in that network, including server B.
> 
> However, server B cannot initiate an SSH session on C (or ping it, or
> anything else). It can *respond* to requests for client C, but cannot
> *initiate* anything. 

Can anything else on the network? (Excluding the vpn server itself.)

Follow the route - if you see how server B's traffic is hopping, 
perhaps it is not going down the expected path.

Try 'route add <vpn net> mask <vpn net mask> <vpn server>' on server 
B, see if it all gets happy. If it does, server B's gateway isn't 
sending the packet back the vpn server's way.

> My inclination is to say that the firewall in front of client C is
> blocking incoming connections from network A. But I don't know whether
> OpenVPN can do magic to get around that. Can it?

Everything is tunnelled over the established vpn connection. C's 
firewall's SPI issue shouldn't be apparent. Server B's traffic is 
tunnelled within it.

> My eventual goal is to initiate an SSH session from server B to client
> C. (Yes, I know this is weird.) Can I do this without installing
> Cygwin and SSHD on server B?

Well ... if you want server B to ssh anywhere, you'll have to install 
ssh on it. (Actually, arguably, since the vpn connection is encrypted, 
telnet may do you.) sshd shouldn't be necessary, given what you've 
said. I suppose it could be the openssl windows ssh client though 
(which probably uses the cygwin dll anyways). Or putty, or something.

But if pings don't work (assuming icmp is accepted by all stations in 
the path) you have a routing issue. Go directly to jail (routing), do 
not pass go (ssh client) ...



More information about the kwlug-disc mailing list