VPN and reverse port forwarding

Discussion in 'privacy technology' started by user597, Oct 15, 2017.

  1. user597

    user597 Registered Member

    Joined:
    Oct 15, 2017
    Posts:
    27
    Location:
    USA
    I am excited to be finally using a VPN; however, I can't access my system from outside anymore. My VPN allows ports to be opened, so I am pretty sure that, for example, if I want to bind local port 22 to the VPN port 12345 all I have to do is set up a reverse port forward.

    However, I can't seem to do that successfully.

    I've verified that the port IS open on the outside.

    What SSH command do I use to connect?

    I tried this and got a "Connection refused" error:

    ssh -R 12345:localhost:22 me@mynewvpn.com

    Any help would be fantastic, as I need to get access to my system before leaving for a trip on Wednesday! :)
     
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Well, you could shut down the VPN while traveling ;)

    If that doesn't work, however ... First, you need a forwarded port on the VPN service's servers. Some give you one by default, and some you need to configure or request.

    Once you have that, you can test easily by running a simple webserver on your device. I like the SimpleHTTPServer module that comes with Python. You just run that in a folder, containing hello.html or whatever, using the port that you forwarded (say "3456"). Make sure that you're not running firewall rules that block ports, and allow 3456 if necessary.

    OK, let's say that you're using a VPN server. You're connecting on a.b.c.x and you see using ipchicken or whatever that the exit is a.b.c.y. So you point a browser at a.b.c.y:3456 and you should see hello.html or whatever.

    Yes?
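    The test described in this post, written out as an added shell example (not code from the thread or from any VPN provider). Two facts it relies on: a reverse tunnel (ssh -R, as tried in the first post) needs a shell account on the remote host, which a commercial VPN does not give you, so the provider's port forward is the only way in; and that forward is delivered to the address the provider assigned to your tunnel interface, not to your LAN address and not through your router. The script therefore binds the throwaway listener to the tunnel address, and adds a tcpdump-based classifier that tells "the provider is not forwarding at all" apart from "packets arrive but nothing answers", which the browser test alone cannot. Assumptions: the tunnel interface is tun0, the forwarded port is 3456 as in the post, python3, tcpdump and timeout are installed, and a.b.c.y stands for the VPN exit address.

```sh
#!/bin/sh
# Added example, not from the thread. Assumptions: tunnel interface tun0,
# forwarded port 3456 (as in the post), python3 and tcpdump installed,
# a.b.c.y standing for the VPN exit address.
TUN_IF=tun0
TEST_PORT=3456

# IPv4 address the provider assigned to the tunnel, parsed from
# `ip -4 -o addr show dev tun0` output passed in $1 (as text, so it can be
# checked offline). That address, not the LAN address or the router, is
# where the forwarded port is delivered.
tun_ipv4() {
    printf '%s\n' "$1" | awk '$3 == "inet" { sub(/\/.*/, "", $4); print $4; exit }'
}

# Serve hello.html on the tunnel address only. If this is reachable from
# outside at http://a.b.c.y:3456/hello.html, the forward works and the
# router never entered the picture.
start_test_listener() {
    ip=$(tun_ipv4 "$(ip -4 -o addr show dev "$TUN_IF")")
    [ -n "$ip" ] || { echo "no IPv4 address on $TUN_IF: is the VPN up?" >&2; return 1; }
    d=$(mktemp -d) && cd "$d" || return 1
    printf '<p>hello via %s:%s</p>\n' "$ip" "$TEST_PORT" > hello.html
    echo "serving $d on $ip:$TEST_PORT; from outside: curl http://a.b.c.y:$TEST_PORT/hello.html"
    python3 -m http.server "$TEST_PORT" --bind "$ip"
}

# Classify a `tcpdump -ni tun0 tcp port 3456` capture ($3, text) for the
# tunnel address $1 and port $2. A SYN arriving at all proves the provider
# forwards; a SYN-ACK from us proves something listens; a RST from us means
# the port is not bound on this address.
classify_capture() {
    printf '%s\n' "$3" | awk -v me="$1.$2" '
        $2 == "IP" && $6 == "Flags" {
            src = $3; dst = $5; sub(/:$/, "", dst)
            fl = $7; sub(/,$/, "", fl)
            if (dst == me && fl == "[S]")   syn = 1
            if (src == me && fl == "[S.]")  synack = 1
            if (src == me && fl ~ /^\[R/)   rst = 1
        }
        END {
            if (synack)          print "forward works: listener answered"
            else if (syn && rst) print "SYN arrived, nothing listening on that address:port"
            else if (syn)        print "SYN arrived, no reply: a local firewall drops it"
            else                 print "no SYN on the tunnel: provider is not forwarding"
        }'
}

# Run on the home box while someone outside probes a.b.c.y:3456 (give up
# after 30 s if nothing shows up at all).
watch_probe() {
    ip=$(tun_ipv4 "$(ip -4 -o addr show dev "$TUN_IF")")
    classify_capture "$ip" "$TEST_PORT" \
        "$(timeout 30 tcpdump -nli "$TUN_IF" -c 4 "tcp port $TEST_PORT" 2>/dev/null)"
}

case "${1:-}" in
    serve) start_test_listener ;;   # terminal 1: the throwaway web server
    watch) watch_probe ;;           # terminal 2 (root): what arrived on tun0
esac
```

    Run "sh probe.sh serve" in one terminal and "sudo sh probe.sh watch" in another, then probe from a phone on cellular data. "No SYN on the tunnel" means the provider side (or the wrong exit address); "nothing listening" means the bind is on the wrong address, which is the same failure an sshd that only listens on localhost or the LAN address shows.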
     
  3. user597

    user597 Registered Member

    Joined:
    Oct 15, 2017
    Posts:
    27
    Location:
    USA

    Yes, you're totally right that I can shut off the VPN while traveling. I don't really need it active while I'm on the road, but if I forget, I'll be totally unable to access my system for weeks. And that would totally suck.

    So AT LEAST establishing a command line connection so I can turn OFF the VPN if needed would be great.

    Like I said in the original post, the VPN does open ports. However it just opens them. It doesn't connect them TO anything, so I need help doing that part.

    If the VPN's got an open port 12345, how do I link my 22 or 5900 to it?

    That's all I need to know. :) I've tried a bunch of different things and nothing seems to work.
     
  4. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    It's not that you link the port. You just connect to it. So for SSH, it'd just be ssh -p 12345 user@a.b.c.y I think.
     
  5. user597

    user597 Registered Member

    Joined:
    Oct 15, 2017
    Posts:
    27
    Location:
    USA
    @mirimir Interesting, I'm possibly totally clueless then. "Just connect to it" are you meaning from inside my network or outside, in the wild world?

    Because if the latter, how does the port 12345 know to hook up to my internal 22? Unless I forward some port there, wouldn't it just sit there open, like a door that doesn't lead anywhere?
     
  6. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    From out in the world.
    OK, you've arranged port forwarding for port 12345 with your VPN. When you connect to a.b.c.y:12345, packets get routed to your computer. If there's something listening on port 12345, it replies. Such as the Python web server that I mentioned.

    I forgot to mention that for SSH, you need to tell your SSH server to listen on port 12345. You could also use an app that forwards ports. What OS are you using?
     
  7. user597

    user597 Registered Member

    Joined:
    Oct 15, 2017
    Posts:
    27
    Location:
    USA
    Thanks for the (continued!) help, @mirimir ! :)

    So I use Windows (PuTTY) and Linux. My SSH server is on a Linux machine.

    My VPN allows me to forward multiple ports. 12345, 67890, etc. But (as I tried to make clear in the OP), what I need help with is -- like you say -- telling SSH to listen at the right port for incoming connections.

    Right now I've got:

    Home system > sshd > port:22
    VPN > forwarding port:12345

    Without any LINK between that port:12345 and the port:22

    I believe I need to either forward my local port 22 to the VPN's port 12345 (right?) or else I need to forward the VPN's 12345 to my local port 22. No?

    But I don't know the syntax or commands to make that happen.

    Thanks so much!
     
  8. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    747
    Did I understand correctly that you have a Windows client (PuTTY) that can connect to an SSH server
    and you want to tunnel the VPN connection through that established SSH tunnel?

    Like this?
    SSH tunnel: SSH client (PuTTY) ----> SSH Server (standard port 22)
    VPN tunnel: VPN client ---> localhost:12345 ---> SSH Server ---> VPN server ---> out to WWW

    1.

    upload_2017-10-16_20-43-7.png
    2.

    upload_2017-10-16_20-46-46.png

    3.
    Tell your VPN client to connect localhost:12345

    ?
    EDIT:

    Or maybe like this?

    upload_2017-10-16_20-56-47.png

    upload_2017-10-16_20-57-10.png
     
    Last edited: Oct 16, 2017
  9. user597

    user597 Registered Member

    Joined:
    Oct 15, 2017
    Posts:
    27
    Location:
    USA
    Thank you @Stefan Froberg for the info.

    I think what you've posted is what I WILL need at some point but right now, I'm not there yet.

    If you think of the whole thing like a phone, right now, from out on the WWW, I want to reach my home server. I used to pick up the phone, dial myserver:22 and have a nice conversation with the SSH daemon.

    Now, I try to dial mynewvpn:12345 and get nothing.

    MyNewVPN has a port, 12345, open, that's pointing to my computer, but when I call, I don't get anything.

    What I need to know is how to USE that port. Right now it's just open, but it doesn't go anywhere. It doesn't go to 22 on my local machine.

    Does that make sense? How do I tell my localhost to send/listen from mynewvpn:12345 not localhost:22?
     
  10. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    747
    Uh... stupid question: When you say "MyNewVPN" you mean your own VPN server? You have set up your own OpenVPN server?

    EDIT: If it really is your own VPN server and, even better, if this "MyNewVPN" is also the same server that your SSH is running on, then you just create an SSH tunnel, do the 12345:localhost:12345 forwarding, tell your VPN client to use it and bam! Your VPN server answers. Or should answer, if it is running on the same machine as your SSH service and really listening on port 12345.

    There is no way in the universe you can just tell your SSH port to magically change to port 12345. That's not how forwarding works.
     
    Last edited: Oct 16, 2017
  11. user597

    user597 Registered Member

    Joined:
    Oct 15, 2017
    Posts:
    27
    Location:
    USA
    I did a little graphic that might help. :) Part of the problem is I don't know the terms to use to really explain it well:

    myvpnhelp.png
     
  12. user597

    user597 Registered Member

    Joined:
    Oct 15, 2017
    Posts:
    27
    Location:
    USA
    No, it's not that I'm running my own VPN server. I just have a service. And they open port #12345 for me to connect to. I can get the IP and the domain name of the VPN server; I'm just using "MyNewVPN" like www.example.com or something.

    Thanks for any and all help.
     
  13. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    747
    Aah, so you want to connect to your SSH server through the VPN?
    Sorry, I thought it was the other way around :oops:
     
  14. user597

    user597 Registered Member

    Joined:
    Oct 15, 2017
    Posts:
    27
    Location:
    USA
    I just want to be able to be outside my house, somewhere in the world, and be able to reach my computer.

    It seems like there have to be thousands of people who have achieved this goal before me, yet either I'm just not explaining it right or it's way more uncommon than I thought.

    :)
     
  15. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    747
    No, it's not uncommon. I connect to my own SSH servers routinely from all around the world with my laptop when traveling. Without any forwarding or anything like that.

    EDIT: Of course, if your server has no static IP then it can be a pain in the *ss and you need to setup reverse tunnels and all that ...

    EDIT2: Or use DynDNS ...

    EDIT3: Nice... the noip service still exists
    https://www.noip.com/free
     
    Last edited: Oct 16, 2017
  16. user597

    user597 Registered Member

    Joined:
    Oct 15, 2017
    Posts:
    27
    Location:
    USA
    Yes, so do I... I just haven't had a VPN before.

    So now that I do have one, I'm trying to get the same functionality that I had.

    It can't be that difficult...right?
     
  17. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    747
    It should just "work". A VPN is nothing more than a dumb, encrypted pipe. Just like an SSH tunnel is nothing more than a dumb, encrypted pipe.

    So if you can't reach your server now that you are using this VPN service, then there is clearly something fishy going on with the VPN, but for the life of me I can't understand why they would block the totally innocent SSH port 22?
     
  18. user597

    user597 Registered Member

    Joined:
    Oct 15, 2017
    Posts:
    27
    Location:
    USA
    Well, since it's a shared VPN I suspect they open a port for each user. If we were all trying to access port 22, how would we know which computer we're connecting to?

    If you SSH to your machine with the VPN working (and it's a service? Not a locally run VPN?) what's the process?
     
  19. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    747
    Same as NAT does: an IP:port pair.

    EDIT: Or like this:

    user 1: IP: 1.2.3.4 port:34354 <----> VPN server <----> server.com:80 (or 22 if ssh instead of http)
    user 2: IP: 7.8.3.5 port:56575 <----> VPN server <----> server.com:80
    ...
    ...
    ...
    user n: IP: 6.4.6.3 port: 45765 <---> VPN server <---> server.com:80
     
  20. user597

    user597 Registered Member

    Joined:
    Oct 15, 2017
    Posts:
    27
    Location:
    USA
    So...should I set my router to allow traffic on 12345 then? Is that all that's necessary?

    Really, I think maybe it's just syntax.

    When I don't have the VPN, I type: ssh me@my.domain.or.ip and get a login prompt.

    When I have the VPN going, I type: ssh me@my.domain.or.ip and get "Connection refused."

    What's going wrong? Or actually, I don't care what's going wrong, the why part.

    All I want to know is what do I type, what program or command do I run, to get a connection established? :)
     
  21. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    See https://linux.die.net/man/5/sshd_config

    In the Linux box, use nano etc to edit /etc/ssh/sshd_config and tell it to listen on your forwarded port. The default is probably (from memory) ...

    ListenAddress localhost:22

    So add yours ...

    ListenAddress localhost:12345

    You can have as many of those lines as you like.

    You could also use rinetd to redirect 12345 to 22.

    http://www.lenzg.net/rinetd/rinetd.html
     
  22. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    747
    "Connection refused" would hint at some kind of firewall/filtering going on for port 22...
    Does your VPN otherwise work? That is, you can surf web normally but only SSH is not working?

    You could try to give -vv switch for ssh command and see if it gives more info ...
    ssh -vv me@my.domain.or.ip

    Writing this through my own OpenVPN server right now, and SSH also works without problems...
     
  23. user597

    user597 Registered Member

    Joined:
    Oct 15, 2017
    Posts:
    27
    Location:
    USA
    I can SSH out to the real world no problem, and view the web, etc. It's the incoming connection that's the problem.

    I tried doing this, as per @mirimir's suggestions. I then did service ssh restart and got the same connection refused. Then I made sure port 12345 was open on my router, mapping back to my same machine. Still nothing.

    # What ports, IPs and protocols we listen for
    Port 22
    # Use these options to restrict which interfaces/protocols sshd will bind to
    #ListenAddress ::
    #ListenAddress 0.0.0.0
    ListenAddress localhost:12345

    Should I change the "Port 22" to "Port 12345" and see if that works?
     
  24. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Oh. OK, just add "Port 12345". You can also have more than one of those lines.
     
  25. user597

    user597 Registered Member

    Joined:
    Oct 15, 2017
    Posts:
    27
    Location:
    USA
    So...I added Port 12345 and tried again, restarted SSH and...no dice. Same thing.

    Just to be sure, I sshed successfully to another server I run, outside.

    I can ssh fine from one computer to another inside my home network.

    I believe I've got 12345 properly opened up on my router.

    My dynamicDNS is seeing the correct VPN IP.

    Do I need to specify the port for the SSH connection? (I tried using the -p 12345 option and it didn't have any effect.)

    I've seen some forums discuss using IPtables. Is that perhaps the way to go? I hate messing with IPtables because of the chance of messing something up or leaving my system open. But...perhaps this will work?
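    Added shell example (not code from the thread) covering the sshd_config advice in post 21 and the iptables question in this post. The "Connection refused" is consistent with what the thread already shows: with the VPN up, the dynamic DNS name resolves to the VPN exit address, and nothing there forwards port 22, so the provider's server refuses the connection. What has to answer is your own machine on the forwarded port, bound to an address that traffic arriving through the tunnel can reach (0.0.0.0 or the tunnel interface's own address). The config posted in post 23 does not do that: once any ListenAddress line is present, OpenSSH binds only the addresses listed, and "ListenAddress localhost:12345" is loopback only, so adding "Port 12345" next to it changes nothing while that line stays. The router port-forward plays no part either, because the packets come in through the tunnel, not through the WAN side of the router. The script checks what sshd is actually bound to (ss output parsed as text, so the check can be run offline), then offers the two fixes from post 21: extra Port lines, or a NAT redirect of 12345 to 22 on the tunnel interface (rinetd would do the same in user space). Assumptions: the provider delivers forwarded port 12345 to your tunnel address on that same port number, the tunnel interface is tun0, sshd is OpenSSH, and iptables is the firewall.

```sh
#!/bin/sh
# Added example, not from the thread. Assumptions: the provider forwards
# TCP 12345 from its exit address to the client's tunnel address on the same
# port; the tunnel interface is tun0; sshd is OpenSSH; iptables is the
# firewall. Edit the three values below to match.
FWD_PORT=12345
SSH_PORT=22
TUN_IF=tun0

# Return 0 if a listener on port $1 is bound to an address that traffic from
# the tunnel can reach: the wildcard (0.0.0.0, *, [::]) or the tunnel's own
# address $3. $2 is `ss -Hltn` output, passed as text so it can be checked
# offline. A bind on 127.0.0.1 or [::1] alone returns 1, which is exactly
# what "ListenAddress localhost:12345" produces.
listening_reachably() {
    printf '%s\n' "$2" | awk -v p="$1" -v t="$3" '
        $1 == "LISTEN" {
            n = split($4, a, ":"); lport = a[n]
            addr = $4; sub(/:[0-9]+$/, "", addr)
            if (lport == p && (addr == "0.0.0.0" || addr == "*" || addr == "[::]" || addr == t))
                ok = 1
        }
        END { exit (ok ? 0 : 1) }'
}

# Live check on the home box while the VPN is up.
check_live() {
    tun_ip=$(ip -4 -o addr show dev "$TUN_IF" | awk '{ sub(/\/.*/, "", $4); print $4; exit }')
    [ -n "$tun_ip" ] || { echo "no IPv4 address on $TUN_IF: is the VPN up?" >&2; return 1; }
    if listening_reachably "$FWD_PORT" "$(ss -Hltn)" "$tun_ip"; then
        echo "ok: port $FWD_PORT is bound on an address reachable via $TUN_IF ($tun_ip)"
        echo "from outside: ssh -p $FWD_PORT me@<VPN exit address>"
    else
        echo "port $FWD_PORT is not bound on 0.0.0.0 or $tun_ip (loopback-only does not count)" >&2
        return 1
    fi
}

# Fix 1: have sshd listen on both ports. Put these lines in
# /etc/ssh/sshd_config (or an sshd_config.d/*.conf drop-in if the main file
# has an Include line) and delete any "ListenAddress localhost:..." line:
# with no ListenAddress at all, sshd binds every Port on all addresses.
write_sshd_ports() {   # $1 = file to write
    cat > "$1" <<EOF
Port $SSH_PORT
Port $FWD_PORT
EOF
}
# then: sshd -t && systemctl restart ssh   (sshd on non-Debian systems;
# sshd -t refuses to pass a broken config, so you never lock yourself out)

# Fix 2: leave sshd on 22 and rewrite the forwarded port on arrival, on the
# tunnel interface only. Printed rather than applied: review, then run as root.
# The second rule only matters if your INPUT policy is DROP.
redirect_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -i $TUN_IF -p tcp --dport $FWD_PORT -j REDIRECT --to-ports $SSH_PORT
iptables -A INPUT -i $TUN_IF -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
EOF
}

case "${1:-}" in
    check)    check_live ;;
    ports)    write_sshd_ports "${2:?file}" ;;
    redirect) redirect_rules ;;
esac
```

    Run "sh fwd.sh check" first; if it complains, apply one of the two fixes and run it again before leaving. Whichever fix you pick, the client side is the same: ssh -p 12345 me@<VPN exit address>, where the exit address is what your dynamic DNS is already recording. Either option also leaves port 22 untouched for the LAN.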
     