Recommended Posts

I know I am overlooking something obvious and silly, but here is the issue. On my router I have followed this guide to connect me to Private Internet Access. When it is on, I cannot establish an SSH connection to the router because apparently it cannot be routed through the VPN. I thought using the same port PIA is using for my SSH connection would allow it to work, but it does not. Basically it asks for a username/password when my SSH only uses a username and private key. Can somebody point me in the right direction?

Link to comment
https://www.neowin.net/forum/topic/1305770-cannot-connect-through-ssh-on-vpn/
Share on other sites

Are you trying to hit your routers public IP or private IP? 

 

Did you uncheck

Uncheck Redirect Internet Traffic

 

It shouldn't be sending local traffic out the vpn.. Especially traffic to your routers lan IP..

 

 

  On 15/08/2016 at 10:37, BudMan said:

Are you trying to hit your routers public IP or private IP? 

 

Did you uncheck

Uncheck Redirect Internet Traffic

 

It shouldn't be sending local traffic out the vpn.. Especially traffic to your routers lan IP..

 

 

Expand  

Indeed, it is unchecked. I am trying to hit my DuckDNS address which just points to my router.

 

hIu02l2.png

 

rQv4Zu7.png

 

I just hid the server address, username and password. It is there though.

Why would you be doing that from the inside???  That is completely and utterly pointless. Are you outside your network??

 

Your on some rfc1918 address behind your router, 192.168.x.x why would you not hit your routers via its 192.168.x.x address if you wan to ssh to it.  Are you saying your out somewhere on the public internet and want to manage your router via ssh remotely?? 

I think he wants to remote in and configure the firewall/vpn appliance once he establishes the vpn....the vpn appliance does not allow you to ssh or ssl into it if you vpn through it...you would need to connect to a pc on the network first then connect to it. 

 

I forget what you need to do to "fix" this, but I have always just remotted into another computer to remote in and config the router/firewall/vpn appliance.

Private Internet Access is not a vpn server he runs on his router for remote access , that is a client connection so that he can hide his internet traffic from his isp or circumvent geographic restrictions, etc.

 

I vpn into my network all the time, and then can just ssh to my router using the normal rfc1918 address of the router..

 

 

 

no acls that are blocking that...it is a default thing...every asa I have setup, even sonicwalls I have setup, will not allow you to connect to the host internal ip...it doesn't route.  I vaguely remember that you do have to allow it, I just don't remember what and for the amount of times I have to remote into it when connected to the vpn it really isn't worth remembering. 

I don't have a asa to play with.. So maybe its some issue with asa..  But there should be no reason why it wouldn't work.. You have a tunnel network that is connected via interface X be it a real interface a sub interface on your wan.  There should be no reason it would not allow access to IP on the lan side interface.  And it clearly should be able to route that traffic back.

 

Maybe some sort of acl in the ssh server on the asa..  Last time I was on asa was couple of months ago to straighten out a routing issue they were having on a specific customer.  Previous to that it had been years.  I normally work on actual cisco routers and switches and firewalls its mostly juniper both isg and srx, etc.  And as of late palo alto's and fortinet

  On 15/08/2016 at 11:11, BudMan said:

Why would you be doing that from the inside???  That is completely and utterly pointless. Are you outside your network??

 

Your on some rfc1918 address behind your router, 192.168.x.x why would you not hit your routers via its 192.168.x.x address if you wan to ssh to it.  Are you saying your out somewhere on the public internet and want to manage your router via ssh remotely?? 

Expand  

 

  On 15/08/2016 at 14:21, sc302 said:

I think he wants to remote in and configure the firewall/vpn appliance once he establishes the vpn....the vpn appliance does not allow you to ssh or ssl into it if you vpn through it...you would need to connect to a pc on the network first then connect to it. 

 

I forget what you need to do to "fix" this, but I have always just remotted into another computer to remote in and config the router/firewall/vpn appliance.

Expand  

Basically, all I want to do is be able to connect via SSH while the VPN is active on my entire network. I connect through a tunnel to VNC my home PC.

where are you?  When you do this?

 

So your remote and vpn'd into your home network?  or your home?  Your saying when your remove you vnc to your home pc, and can still not ssh to your router?

 

Or your remote and try and ssh/gui to your router directly?  Via what ip its public IP or its private IP, ie through the tunnel?

  On 16/08/2016 at 04:26, BudMan said:

where are you?  When you do this?

 

So your remote and vpn'd into your home network?  or your home?  Your saying when your remove you vnc to your home pc, and can still not ssh to your router?

 

Or your remote and try and ssh/gui to your router directly?  Via what ip its public IP or its private IP, ie through the tunnel?

Expand  

Anywhere away from home. I do not VPN into my home network. I run a VPN client on my router to connect to PIA. Yes, I remote and try to SSH my router directly. I just connect through my DuckDNS address which is the public address.

And when the pia vpn is off, this works just fine remotely to your routers public IP?  What router are you running.. That makes no sense at all and sounds like a bug in whatever router your running.

 

You sure its not just messing up your ddns when you connect the the vpn...  So your public IP is 1.2.3.4, your router connects to vpn and it gets IP address 4.5.6.7 or whatever so it registers that IP.  So now when you try and connect to this dynamic dns name your connecting to something else.

 

When it works what is the IP your dynamic dns resolves too.. ping the name, do a nslookup on the name, dig, drill, host your fav dns tool.. Something so you know what your public IP is.. Look on the routers status for its wan..  Then connect to the vpn, and give it a while, then check what this dynamic dns name resolves to now..

 

And your title is wrong, should be can not ssh to router, when router has vpn client connection.  Your not sshing through any vpn here at all..  You router making a connection to some vpn service should have NOTHING to do with it listening for ssh connections on its public IP.

  On 16/08/2016 at 10:13, BudMan said:

And when the pia vpn is off, this works just fine remotely to your routers public IP?  What router are you running.. That makes no sense at all and sounds like a bug in whatever router your running.

 

You sure its not just messing up your ddns when you connect the the vpn...  So your public IP is 1.2.3.4, your router connects to vpn and it gets IP address 4.5.6.7 or whatever so it registers that IP.  So now when you try and connect to this dynamic dns name your connecting to something else.

 

When it works what is the IP your dynamic dns resolves too.. ping the name, do a nslookup on the name, dig, drill, host your fav dns tool.. Something so you know what your public IP is.. Look on the routers status for its wan..  Then connect to the vpn, and give it a while, then check what this dynamic dns name resolves to now..

 

And your title is wrong, should be can not ssh to router, when router has vpn client connection.  Your not sshing through any vpn here at all..  You router making a connection to some vpn service should have NOTHING to do with it listening for ssh connections on its public IP.

Expand  

Indeed. Running an Asus RT-AC68U with Tomato 3.3-138 AIO-64K. You are correct, it must he the DDNS. When it works my DDNS resolves to my public IP from my ISP. When I enable the VPN it still shows my IP from my ISP.

 

pg7neVk.png

 

xEUz3au.png

 

In the options here it still shows my public IP rather than what I am receiving from PIA.

 

TdQ8CIi.png

huh??

 

Dude why do you think if you connect to PIA that you should then connect to your PIA IP to ssh to your router??

 

These PIA services rarely give you your own personal IPv4 address... Your sharing it with lots of other suckers, I mean users ;) Did you setup something on their end to forward ssh traffic down the tunnel to your routers private IP it got on the tunnel?  Is router ssh server listening on the tunnel IP?

 

So can you connect to your routers IP address ssh when your remote or not??  Forget whatever it is your thinking your doing with a tunnel. And a vpn client connect that is meant to route your users out the vpn so you can watch us netflix, etc..  Or hide whatever thing it is you want to hide from your ISP..

 

Use your routers IP directly not some dyndns address, etc.

  On 16/08/2016 at 13:09, BudMan said:

huh??

 

Dude why do you think if you connect to PIA that you should then connect to your PIA IP to ssh to your router??

 

These PIA services rarely give you your own personal IPv4 address... Your sharing it with lots of other suckers, I mean users ;) Did you setup something on their end to forward ssh traffic down the tunnel to your routers private IP it got on the tunnel?  Is router ssh server listening on the tunnel IP?

 

So can you connect to your routers IP address ssh when your remote or not??  Forget whatever it is your thinking your doing with a tunnel. And a vpn client connect that is meant to route your users out the vpn so you can watch us netflix, etc..  Or hide whatever thing it is you want to hide from your ISP..

 

Use your routers IP directly not some dyndns address, etc.

Expand  

I don't. I still only connect to my DDNS address. Even when I try to connect to my public IP it still won't work. Okay, so what is your recommendation for a VPN? AWS space with a VPN only you can use? No, I did not do that. My SSH server was listening on same port as the VPN, yes.

Ok, you have incoming and outgoing.  

 

Your outgoing is is fine leave it where it at.  

 

Your incoming cannot be used used with your outgoing.  Incoming connections into your network must be managed on your network not though your outgoing Vpn provider. 

 

your pia is outgoing only.  

"so what is your recommendation for a VPN"

 

For what reason are you using it?  What are you hiding from your ISP.. You want access to netflix us library - what is the reason you think you need a outbound vpn..  I use inbound vpn into my network remotely every day, etc..  I just don't get the need/want/use of services like PIA, Hidemyass, etc.  Might have some use when possible hostile network like open wifi, etc.  

 

I don't really see a legit reason for use outbound from your house to be honest..  Your worried neowin knows that IP you came from?

This topic is now closed to further replies.
  • Posts

    • Firefox, for privacy, wide range of plugins without having to suffer the latest Google manifest restrictions and when used on Android for the mobile browser plugins like an ad-blocker, sadly that option isn't available to me now I've swapped to iOS as outside of the EU Firefox mobile is just a reskin of Safari
    • Ok will give that a shot soon as wake up in morning.     Hopefully does restore it working right  
    • Try doing a reset/repair on the Windows store: To reset the Microsoft Store on Windows 11, press the Windows key + I to open Settings, go to Apps & features, find Microsoft Store, click on it, select Advanced options, and then click the Reset button. This will clear the cache and restore the app to its default state, which can help resolve issues.
    • Microsoft's new Exchange Message Trace: What admins need to know before September by Paul Hill Microsoft has just announced the general availability of the new Message Trace in the Exchange admin center (EAC) in Exchange Online for its worldwide (WW) customers. The Redmond giant said that it’ll begin rolling it out in mid-June and complete the rollout in July. Message Trace in the Exchange Admin Center for Exchange Online is a tool that lets admins trace which path emails took as they traveled through the Microsoft 365 organization. It lets admins see if emails were received, rejected, or deferred. It is helpful for troubleshooting mail flow issues and validating policy changes. To get started with the new Message Trace, admins can access it by going to the Exchange admin center > Mail flow > Message Trace. While the Windows-maker has received positive feedback during the Public Preview, you can still provide your thoughts through Exchange admin center > Give Feedback. In addition, Microsoft will continue to maintain the old Message Trace user experience in Exchange admin center and cmdlets for several months to ease the transition, however, they will be deprecated for WW customers starting from September 1. The Reporting Webservice support for Message Trace data will also begin deprecating on this date. A side note to mention here is that this timeline only applies to the WW environment and doesn’t affect GCC, GCC-High, DOD, or other sovereign clouds. More information about the switch over for those will be provided in the second half of the year. Who it affects, and how These changes need to be noted by Exchange Online administrators and IT professionals as those are the people who will be directly affected. Specifically, it will affect anyone managing mail flow and troubleshooting email delivery in Exchange Online. Those who are affected will have to get switched over to the new Message Trace before Microsoft starts deprecating features in several months time. Admins will want to act promptly to avoid any unforeseen issues that could arise. Another detail that admins should be aware of is that scripts that rely on the older “Get-MessageTrace” or “Get-MessageTraceDetail” cmdlets will break on September 1. To address this, admins will need to update their scripts to use the new “Get-MessageTraceV2” and the “Get-MessageTraceDetailV2” cmdlets. Finally, any admins out there using the Reporting Webservice for Message Trace data will also need to make a change. They will need to shift to the new Message Trace PowerShell cmdlets. Why it’s happening Microsoft has been working on a new Message Trace experience, incorporating feedback from the Public Preview phase, to improve its design and performance. The switch gives Microsoft the opportunity to standardize and modernize admin interfaces and the underlying technologies. What to watch for While September 1 may seem like a long way away, fixing any issues, such as scripts due to deprecations, could take some time. Any admins managing the affected items need to ensure they deal with affected components in a timely manner. In terms of documentation, Microsoft has so far only released the Public Preview document which highlights the changes between the old and new versions. Microsoft says that it will publish cmdlet documentation for the new Message Trace cmdlets by the time of the general availability, so admins should look out for that.
    • Microsoft PC Manager 3.17.2.0 (Offline Installer) by Razvan Serea With Microsoft PC Manager, users can easily perform basic computer maintenance and enhance the speed of their devices with just one click. This app offers a range of features, including disk cleanup, startup app management, virus scanning, Windows Update checks, process monitoring, and storage management. Microsoft PC Manager key features: Storage Manager- easily uninstall infrequently used apps, manage large files, perform a cleanup, and set up Storage Sense to automatically clear temporary files. Health Checkup feature -scans for potential problems, viruses, and startup programs to turn off. It helps you identify unnecessary items to remove, optimizing your system's performance. Pop-up Management - block pop-up windows from appearing in apps. Windows Update - scans your system for any pending updates. Startup Apps - enable or disable startup apps on your PC, allowing you to optimize your system's startup performance. Browser Protection - rest assured that harmful programs cannot alter your default browser. Also enables you to change your default browser. Process Management - allows you to conveniently terminate any active process, ensuring optimal system performance and resource utilization. Anti-virus protection - Fully integrated with Windows Security. Safeguard your PC anytime. Quick Steps: Download Microsoft PC Manager Offline Installer (APPX/MSIX) with Adguard Adguard serves as a third-party online service, offering a user-friendly method for directly downloading appx, appxbundle, and msixbundle files from the Microsoft Store. Official download links will be generated for both the app's various versions and its dependency packages. How to download Microsoft PC Manager Offline Installer (APPX/MSIX) 1. Initially, you must find the app URL within the Microsoft Store. Access the Microsoft Store via your browser and search for "Microsoft PC Manager". Once located, copy the app URL, which includes the product ID, either from the address bar or from the provided link below. https://apps.microsoft.com/detail/9PM860492SZD 2. Now paste the app URL into the designated area, then click the check mark button to produce a direct download link. 3. To download, right-click the relevant link and select “Save link as…” from your browser's menu. Occasionally, Microsoft Edge may flag the download as insecure. In such cases, consider utilizing alternative browsers such as Google Chrome or Firefox to successfully complete the download. Microsoft PC Manager is a completely free tool optimized exclusively for use on Windows 10 (version 1809 or newer) and Windows 11. Download: Microsoft PC Manager 3.17.2.0 | from Microsoft Store View: Microsoft PC Manager Home Page Get alerted to all of our Software updates on Twitter at @NeowinSoftware
  • Recent Achievements

    • Week One Done
      Leonard grant earned a badge
      Week One Done
    • One Month Later
      portacnb1 earned a badge
      One Month Later
    • Week One Done
      portacnb1 earned a badge
      Week One Done
    • First Post
      m10d earned a badge
      First Post
    • Conversation Starter
      DarkShrunken earned a badge
      Conversation Starter
  • Popular Contributors

    1. 1
      +primortal
      261
    2. 2
      snowy owl
      158
    3. 3
      +FloatingFatMan
      145
    4. 4
      ATLien_0
      140
    5. 5
      Xenon
      131
  • Tell a friend

    Love Neowin? Tell a friend!