Cannot Connect Through SSH on VPN

By Yorak
in Smart Home, Network & Security

 Share

Recommended Posts

Grand Master

Yorak

Posted
Posted

I know I am overlooking something obvious and silly, but here is the issue. On my router I have followed this guide to connect me to Private Internet Access. When it is on, I cannot establish an SSH connection to the router because apparently it cannot be routed through the VPN. I thought using the same port PIA is using for my SSH connection would allow it to work, but it does not. Basically it asks for a username/password when my SSH only uses a username and private key. Can somebody point me in the right direction?

Link to comment
https://www.neowin.net/forum/topic/1305770-cannot-connect-through-ssh-on-vpn/
Share on other sites
Grand Master

+BudMan MVC

Posted
  • MVC
Posted

Are you trying to hit your routers public IP or private IP? 

 

Did you uncheck

Uncheck Redirect Internet Traffic

 

It shouldn't be sending local traffic out the vpn.. Especially traffic to your routers lan IP..

 

 

Grand Master

Yorak

Posted
  • Author
Posted
  On 15/08/2016 at 10:37, BudMan said:

Are you trying to hit your routers public IP or private IP? 

 

Did you uncheck

Uncheck Redirect Internet Traffic

 

It shouldn't be sending local traffic out the vpn.. Especially traffic to your routers lan IP..

 

 

Expand  

Indeed, it is unchecked. I am trying to hit my DuckDNS address which just points to my router.

 

hIu02l2.png

 

rQv4Zu7.png

 

I just hid the server address, username and password. It is there though.

Grand Master

+BudMan MVC

Posted
  • MVC
Posted

Why would you be doing that from the inside???  That is completely and utterly pointless. Are you outside your network??

 

Your on some rfc1918 address behind your router, 192.168.x.x why would you not hit your routers via its 192.168.x.x address if you wan to ssh to it.  Are you saying your out somewhere on the public internet and want to manage your router via ssh remotely?? 

Grand Master

sc302 Veteran

Posted
  • Veteran
Posted

I think he wants to remote in and configure the firewall/vpn appliance once he establishes the vpn....the vpn appliance does not allow you to ssh or ssl into it if you vpn through it...you would need to connect to a pc on the network first then connect to it. 

 

I forget what you need to do to "fix" this, but I have always just remotted into another computer to remote in and config the router/firewall/vpn appliance.

Grand Master

+BudMan MVC

Posted
  • MVC
Posted

Private Internet Access is not a vpn server he runs on his router for remote access , that is a client connection so that he can hide his internet traffic from his isp or circumvent geographic restrictions, etc.

 

I vpn into my network all the time, and then can just ssh to my router using the normal rfc1918 address of the router..

 

 

 

Grand Master

sc302 Veteran

Posted
  • Veteran
Posted

no acls that are blocking that...it is a default thing...every asa I have setup, even sonicwalls I have setup, will not allow you to connect to the host internal ip...it doesn't route.  I vaguely remember that you do have to allow it, I just don't remember what and for the amount of times I have to remote into it when connected to the vpn it really isn't worth remembering. 

Grand Master

+BudMan MVC

Posted
  • MVC
Posted

I don't have a asa to play with.. So maybe its some issue with asa..  But there should be no reason why it wouldn't work.. You have a tunnel network that is connected via interface X be it a real interface a sub interface on your wan.  There should be no reason it would not allow access to IP on the lan side interface.  And it clearly should be able to route that traffic back.

 

Maybe some sort of acl in the ssh server on the asa..  Last time I was on asa was couple of months ago to straighten out a routing issue they were having on a specific customer.  Previous to that it had been years.  I normally work on actual cisco routers and switches and firewalls its mostly juniper both isg and srx, etc.  And as of late palo alto's and fortinet

Grand Master

Yorak

Posted
  • Author
Posted
  On 15/08/2016 at 11:11, BudMan said:

Why would you be doing that from the inside???  That is completely and utterly pointless. Are you outside your network??

 

Your on some rfc1918 address behind your router, 192.168.x.x why would you not hit your routers via its 192.168.x.x address if you wan to ssh to it.  Are you saying your out somewhere on the public internet and want to manage your router via ssh remotely?? 

Expand  

 

  On 15/08/2016 at 14:21, sc302 said:

I think he wants to remote in and configure the firewall/vpn appliance once he establishes the vpn....the vpn appliance does not allow you to ssh or ssl into it if you vpn through it...you would need to connect to a pc on the network first then connect to it. 

 

I forget what you need to do to "fix" this, but I have always just remotted into another computer to remote in and config the router/firewall/vpn appliance.

Expand  

Basically, all I want to do is be able to connect via SSH while the VPN is active on my entire network. I connect through a tunnel to VNC my home PC.

Grand Master

+BudMan MVC

Posted
  • MVC
Posted

where are you?  When you do this?

 

So your remote and vpn'd into your home network?  or your home?  Your saying when your remove you vnc to your home pc, and can still not ssh to your router?

 

Or your remote and try and ssh/gui to your router directly?  Via what ip its public IP or its private IP, ie through the tunnel?

Grand Master

Yorak

Posted
  • Author
Posted
  On 16/08/2016 at 04:26, BudMan said:

where are you?  When you do this?

 

So your remote and vpn'd into your home network?  or your home?  Your saying when your remove you vnc to your home pc, and can still not ssh to your router?

 

Or your remote and try and ssh/gui to your router directly?  Via what ip its public IP or its private IP, ie through the tunnel?

Expand  

Anywhere away from home. I do not VPN into my home network. I run a VPN client on my router to connect to PIA. Yes, I remote and try to SSH my router directly. I just connect through my DuckDNS address which is the public address.

Grand Master

+BudMan MVC

Posted
  • MVC
Posted

And when the pia vpn is off, this works just fine remotely to your routers public IP?  What router are you running.. That makes no sense at all and sounds like a bug in whatever router your running.

 

You sure its not just messing up your ddns when you connect the the vpn...  So your public IP is 1.2.3.4, your router connects to vpn and it gets IP address 4.5.6.7 or whatever so it registers that IP.  So now when you try and connect to this dynamic dns name your connecting to something else.

 

When it works what is the IP your dynamic dns resolves too.. ping the name, do a nslookup on the name, dig, drill, host your fav dns tool.. Something so you know what your public IP is.. Look on the routers status for its wan..  Then connect to the vpn, and give it a while, then check what this dynamic dns name resolves to now..

 

And your title is wrong, should be can not ssh to router, when router has vpn client connection.  Your not sshing through any vpn here at all..  You router making a connection to some vpn service should have NOTHING to do with it listening for ssh connections on its public IP.

Grand Master

Yorak

Posted
  • Author
Posted (edited)
  On 16/08/2016 at 10:13, BudMan said:

And when the pia vpn is off, this works just fine remotely to your routers public IP?  What router are you running.. That makes no sense at all and sounds like a bug in whatever router your running.

 

You sure its not just messing up your ddns when you connect the the vpn...  So your public IP is 1.2.3.4, your router connects to vpn and it gets IP address 4.5.6.7 or whatever so it registers that IP.  So now when you try and connect to this dynamic dns name your connecting to something else.

 

When it works what is the IP your dynamic dns resolves too.. ping the name, do a nslookup on the name, dig, drill, host your fav dns tool.. Something so you know what your public IP is.. Look on the routers status for its wan..  Then connect to the vpn, and give it a while, then check what this dynamic dns name resolves to now..

 

And your title is wrong, should be can not ssh to router, when router has vpn client connection.  Your not sshing through any vpn here at all..  You router making a connection to some vpn service should have NOTHING to do with it listening for ssh connections on its public IP.

Expand  

Indeed. Running an Asus RT-AC68U with Tomato 3.3-138 AIO-64K. You are correct, it must he the DDNS. When it works my DDNS resolves to my public IP from my ISP. When I enable the VPN it still shows my IP from my ISP.

 

pg7neVk.png

 

xEUz3au.png

 

In the options here it still shows my public IP rather than what I am receiving from PIA.

 

TdQ8CIi.png

Grand Master

+BudMan MVC

Posted
  • MVC
Posted

huh??

 

Dude why do you think if you connect to PIA that you should then connect to your PIA IP to ssh to your router??

 

These PIA services rarely give you your own personal IPv4 address... Your sharing it with lots of other suckers, I mean users ;) Did you setup something on their end to forward ssh traffic down the tunnel to your routers private IP it got on the tunnel?  Is router ssh server listening on the tunnel IP?

 

So can you connect to your routers IP address ssh when your remote or not??  Forget whatever it is your thinking your doing with a tunnel. And a vpn client connect that is meant to route your users out the vpn so you can watch us netflix, etc..  Or hide whatever thing it is you want to hide from your ISP..

 

Use your routers IP directly not some dyndns address, etc.

Grand Master

Yorak

Posted
  • Author
Posted
  On 16/08/2016 at 13:09, BudMan said:

huh??

 

Dude why do you think if you connect to PIA that you should then connect to your PIA IP to ssh to your router??

 

These PIA services rarely give you your own personal IPv4 address... Your sharing it with lots of other suckers, I mean users ;) Did you setup something on their end to forward ssh traffic down the tunnel to your routers private IP it got on the tunnel?  Is router ssh server listening on the tunnel IP?

 

So can you connect to your routers IP address ssh when your remote or not??  Forget whatever it is your thinking your doing with a tunnel. And a vpn client connect that is meant to route your users out the vpn so you can watch us netflix, etc..  Or hide whatever thing it is you want to hide from your ISP..

 

Use your routers IP directly not some dyndns address, etc.

Expand  

I don't. I still only connect to my DDNS address. Even when I try to connect to my public IP it still won't work. Okay, so what is your recommendation for a VPN? AWS space with a VPN only you can use? No, I did not do that. My SSH server was listening on same port as the VPN, yes.

Grand Master

sc302 Veteran

Posted
  • Veteran
Posted

Ok, you have incoming and outgoing.  

 

Your outgoing is is fine leave it where it at.  

 

Your incoming cannot be used used with your outgoing.  Incoming connections into your network must be managed on your network not though your outgoing Vpn provider. 

 

your pia is outgoing only.  

Grand Master

+BudMan MVC

Posted
  • MVC
Posted

"so what is your recommendation for a VPN"

 

For what reason are you using it?  What are you hiding from your ISP.. You want access to netflix us library - what is the reason you think you need a outbound vpn..  I use inbound vpn into my network remotely every day, etc..  I just don't get the need/want/use of services like PIA, Hidemyass, etc.  Might have some use when possible hostile network like open wifi, etc.  

 

I don't really see a legit reason for use outbound from your house to be honest..  Your worried neowin knows that IP you came from?

This topic is now closed to further replies.
 Share
Go to topic listing

  • Posts

    • hi my Hard drive has only got 100 gig left on it

      By +BudMan · Posted

      how big is your HDD that only has 100gb left? I take it this the main drive.  Is this a pc or laptop? I ask because changing hdd in pcs are much easier. You sure a good clean/purge of data wouldn't clear up space - have you ran disk cleanup? Which is part of windows..  You can for sure move data to your external drive, install programs to it, etc - but using it to store updates?   
    • How to record screen as GIF in Windows 11

      By TarasBuria · Posted

      How to record screen as GIF in Windows 11 by Taras Buria The Snipping Tool app is already quite a capable program for screenshots and screen recordings. Still, there is always room for improvement, and many users agree that the app needs the ability to save screen recordings as GIFs. Microsoft heard those users, and recent updates introduced the long-requested feature, allowing you to record your screen as a GIF. Here is how to do it. Record screen as a GIF in Windows 11 Note: By the time of publishing this article, GIF support in Snipping Tool is only available to Windows Insiders. However, you can enable that feature on stable Windows 11 releases as well; here is how: Go to store.rg-adguard.net, select ProductID in the first drop-down, paste 9MZ95KL8MR0L into the search box, and select Fast in the last drop-down. Press the checkmark button. Find and download Microsoft.ScreenSketch_2022.2505.21.0_neutral_~_8wekyb3d8bbwe.msixbundle in the list of apps. The version number could be newer, just make sure you are downloading an msixbundle file. Note that the browser will warn you about downloading a potentially harmful file. Open the file and click Update. Download ViveTool from GitHub and unpack the files in a convenient and easy-to-find folder. Run Command Prompt as Administrator and navigate to the folder containing the ViveTool files with the CD command. For example, if you have placed ViveTool in C:\Vive, type CD C:\Vive. Type vivetool /enable /id:47081492 and press Enter. The steps above might seem a bit tedious, but that is the only way to get GIF support in Snipping Tool without enrolling your device in the Windows Insider program. We will update the article once the feature is publicly available, so there is no need to jump through all the hoops just to make it work. Tip: You can always roll back Snippint Tool to the latest version from the Microsoft Store by uninstalling it and downloading it again. Now, with GIF support enabled in Snipping Tool, here is how to save a screen recording as a GIF in Windows 11: Press Win + Shift + S, select screen recording mode and record whatever you want. After the recording is over, Snipping Tool will open your video so that you can view, trim, or save it. At this point, all you have to do is click the GIF button in the upper-right corner. On the next screen, select your GIF quality and click Export to save as a file or Copy to copy it to the clipboard. And that is how you save screen recordings as GIFs in Windows 11. Note that Snipping Tool can only save GIFs for up to 30 seconds. Anything beyond that will be cut off. You might think that Clipchamp, Windows 11's built-in video editor, is a good option when you want to save a screen recording as a GIF. However, it really sucks at that. The video duration is capped at just 15 seconds, which is even worse than the Snipping Tool, and the output resolution is hilariously low. The latter makes it impossible to distinguish any details, and all you get is a blurry, pixelated mess. No, Clipchamp is not a good option for that. If you want to create GIFs that are longer than 30 seconds, a good option is to go with apps like ShareX, which is extremely flexible and customizable (and also free, which makes it one of our favorite must-have apps for Windows 11). Alternatively, you can record a video using the Snipping Tool and then convert it to a GIF using web-based services like Ezgif, another great free utility. Keep in mind that the larger your video resolution and the longer its duration, the bigger the final GIF size. Depending on the settings, GIFs could reach hundreds of megabytes, so you have to set your expectations correctly (and so do the settings, too).
    • You will soon have fewer reasons to open Control Panel in Windows 11

      By M. Murcek · Posted

      I'll give you an example of "the settings problem." As awful as the HP Smart app is, it's magnitudes more useful than Settings when I need to do some deep dive stuff on my HP Officejet.
    • Apple releases massive slide deck to help children convince their parents to buy them a Mac

      By Good Bot, Bad Bot · Posted

      I hate to defend Apple but this marketing and they are only "desperate" to move from #3 to #1 for biggest company in the world.
    • You will soon have fewer reasons to open Control Panel in Windows 11

      By M. Murcek · Posted

      There's very granular stuff in the legacy Control Panel that will probably never be accessible from settings. But that stuff will still be there if you know where to look.

  • Recent Achievements

    • Week One Done
      DXB APPS earned a badge
      Week One Done
    • One Month Later
      DecaffKnight94 earned a badge
      One Month Later
    • Dedicated
      S.P earned a badge
      Dedicated
    • One Month Later
      adxnksd42031 earned a badge
      One Month Later
    • Rising Star
      aphanic went up a rank
      Rising Star

  • Popular Contributors

    1. 1
      +primortal
      661
    2. 2
      ATLien_0
      253
    3. 3
      Michael Scrip
      234
    4. 4
      Steven P.
      155
    5. 5
      +FloatingFatMan
      149
    Show More

  • Tell a friend

    Love Neowin? Tell a friend!