Route only ssh traffic through VPN

Is it possible to route a computer's SSH service through a VPN connection but allow ALL other data to exit through the WAN address? What sort of iptables magic needs to be done to accomplish this?



SSH data → goes through VPN

ALL other data → goes through default route
Tags: ssh routing vpn remote-management
edited May 21 '13 at 17:02 by Anthon
asked May 21 '13 at 16:40 by Juan Adrián Cubillo

2 Answers






My answer is related to the answer to a related but more complicated question, and it is not tested.

You need the iproute2 package installed.

Add to /etc/iproute2/rt_tables the line

200 vpn-route

and then write a script that you call after the VPN is initialized:

# set default gateway of vpn-route
ip route add default via $VPNGATEWAY dev $VPNINTERFACE table vpn-route
# use this table for marked packets
ip rule add fwmark 0x1 table vpn-route
# mark outgoing ssh packets
iptables -t mangle -A OUTPUT -o $WANINTERFACE -p tcp --dport 22 -j MARK --set-mark 1
# rewrite source address
iptables -t nat -A POSTROUTING -o $VPNINTERFACE -j MASQUERADE

Of course, you need to replace the $... variables with their actual values.

PS: If your IP on the WAN interface is fixed, you can replace the last line with
iptables -A POSTROUTING -t nat -o $WANINTERFACE -p tcp --dport 22 -j SNAT --to $WANIP






answered May 21 '13 at 17:37 by jofel, edited Apr 13 '17 at 12:36 by Community
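As an added example (my own script, not code from jofel's answer), here is the same fwmark policy-routing idea written so it can be reviewed before it is applied, re-run without stacking duplicate rules, and reversed. The interface names, the gateway address, the table id and the mark value are assumed placeholders and should be set from the environment. Run it with no argument to print the rule set, with `apply` (as root) to install it, and with `teardown` to remove it. Two details the answer's four lines rely on: the `-o $WANINTERFACE` match works in the OUTPUT chain because the kernel's first route lookup, done before mangle OUTPUT runs, picks the WAN; setting the mark triggers a re-route through the fwmark rule into the vpn-route table, but the source address chosen by that first lookup stays, which is why MASQUERADE on the tunnel interface is needed. Replies arriving on the tunnel can also be dropped by strict reverse-path filtering, since the unmarked lookup for the SSH server's address points at the WAN, so the script sets loose mode (rp_filter=2) on the tunnel interface.

```shell
#!/bin/sh
# Added example, not code from the original answer: route only outgoing SSH
# through the VPN (table vpn-route) and leave everything else on the main table.
# All values below are assumed placeholders; override them from the environment.
VPNGATEWAY="${VPNGATEWAY:-10.8.0.1}"     # assumed: VPN-side gateway address
VPNINTERFACE="${VPNINTERFACE:-tun0}"     # assumed: VPN tunnel interface
WANINTERFACE="${WANINTERFACE:-eth0}"     # assumed: interface of the default route
TABLE_ID="${TABLE_ID:-200}"
TABLE_NAME="${TABLE_NAME:-vpn-route}"
MARK="${MARK:-1}"
SSH_PORT="${SSH_PORT:-22}"

# Register the table name in rt_tables exactly once, so re-running is safe.
# $1 is the rt_tables path (/etc/iproute2/rt_tables on a host; a temp file in tests).
ensure_rt_table() {
    rt_file="$1"
    if ! grep -q "^${TABLE_ID}[[:space:]][[:space:]]*${TABLE_NAME}\$" "$rt_file" 2>/dev/null; then
        printf '%s\t%s\n' "$TABLE_ID" "$TABLE_NAME" >> "$rt_file"
    fi
}

# Emit the commands that set up the policy route. Printing instead of executing
# lets the rule set be reviewed (or unit-tested) without root.
# - "ip route replace" and "ip rule del ... ; ip rule add" keep the table and
#   rule idempotent.
# - "iptables -C ... || iptables -A ..." appends a rule only if it is absent.
# - The mangle OUTPUT match on the WAN interface relies on the first route
#   lookup having chosen the WAN; the MARK then causes a re-route via the
#   fwmark rule. The source address from that first lookup stays, hence
#   MASQUERADE on the tunnel.
# - rp_filter=2 (loose) on the tunnel keeps strict reverse-path filtering from
#   dropping the SSH replies that come back through it.
build_rules() {
    cat <<EOF
ip route replace default via ${VPNGATEWAY} dev ${VPNINTERFACE} table ${TABLE_NAME}
ip rule del fwmark ${MARK} table ${TABLE_NAME} 2>/dev/null || true
ip rule add fwmark ${MARK} table ${TABLE_NAME}
iptables -t mangle -C OUTPUT -o ${WANINTERFACE} -p tcp --dport ${SSH_PORT} -j MARK --set-mark ${MARK} 2>/dev/null || iptables -t mangle -A OUTPUT -o ${WANINTERFACE} -p tcp --dport ${SSH_PORT} -j MARK --set-mark ${MARK}
iptables -t nat -C POSTROUTING -o ${VPNINTERFACE} -j MASQUERADE 2>/dev/null || iptables -t nat -A POSTROUTING -o ${VPNINTERFACE} -j MASQUERADE
sysctl -q -w net.ipv4.conf.${VPNINTERFACE}.rp_filter=2
EOF
}

# Emit the commands that undo build_rules, in reverse order.
build_teardown() {
    cat <<EOF
iptables -t nat -D POSTROUTING -o ${VPNINTERFACE} -j MASQUERADE
iptables -t mangle -D OUTPUT -o ${WANINTERFACE} -p tcp --dport ${SSH_PORT} -j MARK --set-mark ${MARK}
ip rule del fwmark ${MARK} table ${TABLE_NAME}
ip route flush table ${TABLE_NAME}
EOF
}

case "${1:-print}" in
    apply)    ensure_rt_table /etc/iproute2/rt_tables; build_rules | sh -e ;;
    teardown) build_teardown | sh ;;
    print)    build_rules ;;
    *)        echo "usage: $0 [print|apply|teardown]" >&2; exit 2 ;;
esac
```

Call the script after the VPN is up (the vpn-route default route needs the tunnel interface and gateway to exist), for instance from the VPN client's up hook, and run `teardown` from its down hook so the stale fwmark rule does not black-hole SSH once the tunnel is gone.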
If you want to connect to a server using ssh through VPN since your company requires a VPN connection to access the server, there is another way to bypass the VPN.
First, you need to connect to your server using VPN.
Then, start ngrok to open a reverse ssh (is this the correct term?)

ngrok tcp 22

This will give you an address and a port. It usually looks like this: 0.tcp.eu.ngrok.io:12345.
Now, you can stop your VPN and ssh to your server using the above address and port.

ssh yourname@0.tcp.eu.ngrok.io -p 12345





answered Mar 1 at 13:44 by v4r