
I know I am overlooking something obvious and silly, but here is the issue. On my router I have followed this guide to connect me to Private Internet Access. When it is on, I cannot establish an SSH connection to the router because apparently it cannot be routed through the VPN. I thought using the same port PIA is using for my SSH connection would allow it to work, but it does not. Basically it asks for a username/password when my SSH only uses a username and private key. Can somebody point me in the right direction?

https://www.neowin.net/forum/topic/1305770-cannot-connect-through-ssh-on-vpn/

Are you trying to hit your router's public IP or private IP?

 

Did you uncheck

Uncheck Redirect Internet Traffic

 

It shouldn't be sending local traffic out the vpn.. Especially traffic to your router's lan IP..

 

 

  On 15/08/2016 at 10:37, BudMan said:

Are you trying to hit your router's public IP or private IP?

 

Did you uncheck

Uncheck Redirect Internet Traffic

 

It shouldn't be sending local traffic out the vpn.. Especially traffic to your router's lan IP..

 

 


Indeed, it is unchecked. I am trying to hit my DuckDNS address which just points to my router.

 

hIu02l2.png

 

rQv4Zu7.png

 

I just hid the server address, username and password. It is there though.

Why would you be doing that from the inside???  That is completely and utterly pointless. Are you outside your network??

 

You're on some rfc1918 address behind your router, 192.168.x.x, why would you not hit your router via its 192.168.x.x address if you want to ssh to it?  Are you saying you're out somewhere on the public internet and want to manage your router via ssh remotely??

I think he wants to remote in and configure the firewall/vpn appliance once he establishes the vpn....the vpn appliance does not allow you to ssh or ssl into it if you vpn through it...you would need to connect to a pc on the network first then connect to it. 

 

I forget what you need to do to "fix" this, but I have always just remoted into another computer to remote in and config the router/firewall/vpn appliance.

Private Internet Access is not a vpn server he runs on his router for remote access, that is a client connection so that he can hide his internet traffic from his isp or circumvent geographic restrictions, etc.

 

I vpn into my network all the time, and then can just ssh to my router using the normal rfc1918 address of the router..

 

 

 

No acls that are blocking that...it is a default thing...every asa I have set up, even sonicwalls I have set up, will not allow you to connect to the host internal ip...it doesn't route.  I vaguely remember that you do have to allow it, I just don't remember what and for the amount of times I have to remote into it when connected to the vpn it really isn't worth remembering.

I don't have an asa to play with.. So maybe it's some issue with asa..  But there should be no reason why it wouldn't work.. You have a tunnel network that is connected via interface X, be it a real interface or a sub interface on your wan.  There should be no reason it would not allow access to IP on the lan side interface.  And it clearly should be able to route that traffic back.

 

Maybe some sort of acl in the ssh server on the asa..  Last time I was on asa was a couple of months ago to straighten out a routing issue they were having on a specific customer.  Previous to that it had been years.  I normally work on actual cisco routers and switches, and firewalls, it's mostly juniper both isg and srx, etc.  And as of late palo altos and fortinet.

  On 15/08/2016 at 11:11, BudMan said:

Why would you be doing that from the inside???  That is completely and utterly pointless. Are you outside your network??

 

You're on some rfc1918 address behind your router, 192.168.x.x, why would you not hit your router via its 192.168.x.x address if you want to ssh to it?  Are you saying you're out somewhere on the public internet and want to manage your router via ssh remotely??


 

  On 15/08/2016 at 14:21, sc302 said:

I think he wants to remote in and configure the firewall/vpn appliance once he establishes the vpn....the vpn appliance does not allow you to ssh or ssl into it if you vpn through it...you would need to connect to a pc on the network first then connect to it. 

 

I forget what you need to do to "fix" this, but I have always just remoted into another computer to remote in and config the router/firewall/vpn appliance.


Basically, all I want to do is be able to connect via SSH while the VPN is active on my entire network. I connect through a tunnel to VNC my home PC.

Where are you?  When you do this?

 

So you're remote and vpn'd into your home network?  Or you're home?  You're saying when you're remote you vnc to your home pc, and still cannot ssh to your router?

 

Or you're remote and try to ssh/gui to your router directly?  Via what IP, its public IP or its private IP, i.e. through the tunnel?

  On 16/08/2016 at 04:26, BudMan said:

Where are you?  When you do this?

 

So you're remote and vpn'd into your home network?  Or you're home?  You're saying when you're remote you vnc to your home pc, and still cannot ssh to your router?

 

Or you're remote and try to ssh/gui to your router directly?  Via what IP, its public IP or its private IP, i.e. through the tunnel?


Anywhere away from home. I do not VPN into my home network. I run a VPN client on my router to connect to PIA. Yes, I remote and try to SSH my router directly. I just connect through my DuckDNS address which is the public address.

And when the pia vpn is off, this works just fine remotely to your router's public IP?  What router are you running.. That makes no sense at all and sounds like a bug in whatever router you're running.

 

You sure it's not just messing up your ddns when you connect to the vpn...  So your public IP is 1.2.3.4, your router connects to vpn and it gets IP address 4.5.6.7 or whatever so it registers that IP.  So now when you try and connect to this dynamic dns name you're connecting to something else.

 

When it works what is the IP your dynamic dns resolves to.. ping the name, do a nslookup on the name, dig, drill, host, your fav dns tool.. Something so you know what your public IP is.. Look on the router's status for its wan..  Then connect to the vpn, and give it a while, then check what this dynamic dns name resolves to now..

 

And your title is wrong, should be can not ssh to router, when router has vpn client connection.  You're not sshing through any vpn here at all..  Your router making a connection to some vpn service should have NOTHING to do with it listening for ssh connections on its public IP.
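
The before/after DDNS check suggested in the post above, as an added example that is not part of the thread: it compares what the dynamic DNS name resolved to before and after the router's VPN client came up against the router's WAN address. The function names and verdict words are hypothetical; `1.2.3.4` and `4.5.6.7` in the usage comment are the sample addresses from the post.

```shell
#!/bin/sh
# Added example, not code from the thread. All function names are hypothetical.

# resolve_a NAME -> first A record via dig (nslookup, drill or host work too).
resolve_a() {
    dig +short A "$1" | grep -E '^[0-9]+(\.[0-9]+){3}$' | head -n 1
}

# is_ipv4 STR -> exit 0 only for a dotted quad with octets 0..255.
is_ipv4() {
    _old_ifs=$IFS; IFS=.
    set -- $1                      # split the argument on dots
    IFS=$_old_ifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        case "$_o" in ''|*[!0-9]*|????*) return 1 ;; esac
        [ "$_o" -le 255 ] || return 1
    done
    return 0
}

# ddns_verdict BEFORE AFTER WAN -> prints one word:
#   unchanged      name pointed at WAN both times; DDNS is not the cause
#   re-registered  name pointed at WAN, then moved once the VPN was up
#   stale          name did not point at WAN even before the VPN was up
#   invalid        an argument is missing or is not an IPv4 address
ddns_verdict() {
    [ $# -eq 3 ] || { echo invalid; return 0; }
    for _ip in "$@"; do
        is_ipv4 "$_ip" || { echo invalid; return 0; }
    done
    if [ "$1" = "$3" ] && [ "$2" = "$3" ]; then
        echo unchanged
    elif [ "$1" = "$3" ]; then
        echo re-registered
    else
        echo stale
    fi
}

# Usage (run from outside the network; WAN is read off the router's status page):
#   before=$(resolve_a myrouter.example)   # VPN client off
#   after=$(resolve_a myrouter.example)    # VPN client on, after waiting a while
#   ddns_verdict "$before" "$after" 1.2.3.4
# With before=1.2.3.4 and after=4.5.6.7 the verdict is "re-registered".
```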

  On 16/08/2016 at 10:13, BudMan said:

And when the pia vpn is off, this works just fine remotely to your router's public IP?  What router are you running.. That makes no sense at all and sounds like a bug in whatever router you're running.

 

You sure it's not just messing up your ddns when you connect to the vpn...  So your public IP is 1.2.3.4, your router connects to vpn and it gets IP address 4.5.6.7 or whatever so it registers that IP.  So now when you try and connect to this dynamic dns name you're connecting to something else.

 

When it works what is the IP your dynamic dns resolves to.. ping the name, do a nslookup on the name, dig, drill, host, your fav dns tool.. Something so you know what your public IP is.. Look on the router's status for its wan..  Then connect to the vpn, and give it a while, then check what this dynamic dns name resolves to now..

 

And your title is wrong, should be can not ssh to router, when router has vpn client connection.  You're not sshing through any vpn here at all..  Your router making a connection to some vpn service should have NOTHING to do with it listening for ssh connections on its public IP.


Indeed. Running an Asus RT-AC68U with Tomato 3.3-138 AIO-64K. You are correct, it must be the DDNS. When it works my DDNS resolves to my public IP from my ISP. When I enable the VPN it still shows my IP from my ISP.

 

pg7neVk.png

 

xEUz3au.png

 

In the options here it still shows my public IP rather than what I am receiving from PIA.

 

TdQ8CIi.png

huh??

 

Dude why do you think if you connect to PIA that you should then connect to your PIA IP to ssh to your router??

 

These PIA services rarely give you your own personal IPv4 address... You're sharing it with lots of other suckers, I mean users ;) Did you set up something on their end to forward ssh traffic down the tunnel to your router's private IP it got on the tunnel?  Is router ssh server listening on the tunnel IP?

 

So can you connect to your router's IP address ssh when you're remote or not??  Forget whatever it is you're thinking you're doing with a tunnel. And a vpn client connect that is meant to route your users out the vpn so you can watch us netflix, etc..  Or hide whatever thing it is you want to hide from your ISP..

 

Use your router's IP directly not some dyndns address, etc.

  On 16/08/2016 at 13:09, BudMan said:

huh??

 

Dude why do you think if you connect to PIA that you should then connect to your PIA IP to ssh to your router??

 

These PIA services rarely give you your own personal IPv4 address... You're sharing it with lots of other suckers, I mean users ;) Did you set up something on their end to forward ssh traffic down the tunnel to your router's private IP it got on the tunnel?  Is router ssh server listening on the tunnel IP?

 

So can you connect to your router's IP address ssh when you're remote or not??  Forget whatever it is you're thinking you're doing with a tunnel. And a vpn client connect that is meant to route your users out the vpn so you can watch us netflix, etc..  Or hide whatever thing it is you want to hide from your ISP..

 

Use your router's IP directly not some dyndns address, etc.


I don't. I still only connect to my DDNS address. Even when I try to connect to my public IP it still won't work. Okay, so what is your recommendation for a VPN? AWS space with a VPN only you can use? No, I did not do that. My SSH server was listening on same port as the VPN, yes.

Ok, you have incoming and outgoing.  

 

Your outgoing is fine, leave it where it's at.

 

Your incoming cannot be used with your outgoing.  Incoming connections into your network must be managed on your network, not through your outgoing VPN provider.

 

Your pia is outgoing only.

"so what is your recommendation for a VPN"

 

For what reason are you using it?  What are you hiding from your ISP.. You want access to netflix us library - what is the reason you think you need an outbound vpn..  I use inbound vpn into my network remotely every day, etc..  I just don't get the need/want/use of services like PIA, Hidemyass, etc.  Might have some use when on a possibly hostile network like open wifi, etc.

 

I don't really see a legit reason for use outbound from your house to be honest..  You're worried neowin knows that IP you came from?

This topic is now closed to further replies.