VPN for SSH, Internet for all the rest



























Intro: Hi, I've been trying to get a VPN and ssh command to work together. And I've been successful to the point where I can get on the server with ssh user@hostname. But when the VPN is active, all of my internet passes through that VPN.



Target: I'd like to use my own internet connection for everything other than that SSH connection.



Option breaks SSH > VPN:
I've noticed that there is an option "Use this connection only for resources on its network" in the "Editing VPN" - "IPv4 settings" tab - "Routes..." button.
It seemed like the solution, but if I enable that, I can't connect anymore with the "ssh user@hostname" command, it hangs till it times out.



Thoughts: My thoughts so far are that it does not work because the hostname (from ssh username@hostname) and the gateway (from the VPN settings) are different. But I don't know enough about ssh or VPN to know that.



Ideas? Is there like an option in ssh that I am overlooking? I tried ssh -b gatewayFromVPN username@hostname but this didn't seem to work (and I doubt it should). Or is there an option in the VPN settings or something that could solve this?



Thanks in advance.



Summary




  • browse etc > internet connection

  • (simultaneously with)

  • SSH > VPN connection


"Use this connection only for resources on its network" breaks SSH > VPN










      edited Aug 23 '12 at 14:57









      Ramchandra Apte

      asked Aug 23 '12 at 14:31









      Tjen Wellens

          3 Answers
                    I have wanted to do something similar in the past. I had two ideas: split things based on port and split things based on process owner. Linux's networking system can, it transpires, handle both of these scenarios.



                    I asked two questions on Unix.SE. I haven't followed up on either particularly well so if you do play around, let me know what works for you.





                    • By port: Only allow certain outbound traffic on certain interfaces

                    • By user: Can I limit a user (and their apps) to one network interface?


                    I dare say there is some overlap between the two techniques and that's why I mention both of them here. I've also put a large bounty on the second for some solid examples. I think splitting network connections between users is probably the most useful scenario for both of us.



                    Edit: I just did a Google for iptables owner and found this. This seems to suggest that a few dirty iptables lines would fix this right up. I'm still to test but it looks positively simple...



                    Assume you had eth0 and eth1 connections and you wanted user bob to use eth1 and only ever use eth1, and force everything else onto eth0. This should do it...



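                    # loopback traffic is always allowed
                    iptables -A OUTPUT -o lo -j ACCEPT
                    # bob may not send anything out of eth0
                    iptables -A OUTPUT -o eth0 -m owner --uid-owner bob -j DROP
                    # bob may send out of eth1
                    iptables -A OUTPUT -o eth1 -m owner --uid-owner bob -j ACCEPT
                    # nobody else may send out of eth1
                    iptables -A OUTPUT -o eth1 -j DROP
                    # everything else may leave via eth0
                    iptables -A OUTPUT -o eth0 -j ACCEPT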


                    I'm assuming you can just swap out eth1 for your VPN connection's name and bob for a new user you'll create to run your ssh connection from via: su -c "ssh username@host" bob.







                    edited Apr 13 '17 at 12:37









                    Community

                    answered Aug 24 '12 at 23:54









                    Oli


                            I have kind of achieved what I wanted by running Ubuntu virtually in Windows 7 at the moment. (Currently running VMware Player with Ubuntu 12.04)
                            This way my entire internet on Ubuntu is going through the VPN, but I can use my browser etc. in Windows 7, which doesn't have that VPN.



                            Though this is not what I was aiming for, it will have to do for now.



                            Maybe I can run Ubuntu virtually in Ubuntu or something so I don't have the need for Windows in the future...







                            answered Aug 24 '12 at 19:38









                            Tjen Wellens

                                    The best way to achieve this is to define a route to your SSH host via the VPN gateway, and the default route via your internet gateway.

                                    For further reading:

                                    route(8)






                                    answered 5 mins ago









                                    Pasi Suominen
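
Added example, not part of the original question or answers: a small POSIX shell model of route selection (the most specific matching prefix wins). It shows why "Use this connection only for resources on its network" sends the SSH connection out of the normal interface, and how the host route suggested in the last answer fixes that. The interface names, the addresses (documentation ranges) and the VPN gateway 10.8.0.1 are constructed assumptions.

```shell
#!/bin/sh
# Added example: models route selection by longest prefix match.
# All tables, addresses and interface names below are constructed.

# ip2int A.B.C.D -> 32-bit integer on stdout
ip2int() {
    _old=$IFS; IFS=.
    set -- $1
    IFS=$_old
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP PREFIX/LEN -> success if IP falls inside the prefix
in_cidr() {
    _len=${2#*/}
    [ "$_len" -eq 0 ] && return 0          # 0.0.0.0/0 matches everything
    _mask=$(( (4294967295 << (32 - $_len)) & 4294967295 ))
    [ $(( $(ip2int "$1") & $_mask )) -eq $(( $(ip2int "${2%/*}") & $_mask )) ]
}

# pick_dev TABLE IP -> device of the most specific matching route
# TABLE is one "PREFIX/LEN DEVICE" entry per line.
pick_dev() {
    _best_len=-1; _best_dev=unreachable
    while read -r _prefix _dev; do
        [ -n "$_prefix" ] || continue
        if in_cidr "$2" "$_prefix" && [ "${_prefix#*/}" -gt "$_best_len" ]; then
            _best_len=${_prefix#*/}; _best_dev=$_dev
        fi
    done <<EOF
$1
EOF
    echo "$_best_dev"
}

SSH_HOST=203.0.113.10   # constructed: SSH server that is only reachable via the VPN
WEB_HOST=198.51.100.7   # constructed: any ordinary internet site
VPN_GW=10.8.0.1         # constructed: VPN gateway address
VPN_DEV=tun0            # constructed: VPN interface name

# 1. The VPN owns the default route: all traffic enters the tunnel.
FULL_TUNNEL="0.0.0.0/0 tun0
10.8.0.0/24 tun0
192.168.1.0/24 eth0"

# 2. "Use this connection only for resources on its network":
#    only the VPN's own subnet is routed into the tunnel, and the
#    SSH server is not in that subnet.
VPN_ONLY_OWN_NET="0.0.0.0/0 eth0
10.8.0.0/24 tun0
192.168.1.0/24 eth0"

# 3. Table 2 plus a /32 host route for the SSH server via the VPN.
SPLIT="$VPN_ONLY_OWN_NET
$SSH_HOST/32 $VPN_DEV"

# host_route_cmd IP GATEWAY DEV -> command that installs the host
# route from table 3 (running that command needs root)
host_route_cmd() {
    echo "ip route add $1/32 via $2 dev $3"
}

for t in FULL_TUNNEL VPN_ONLY_OWN_NET SPLIT; do
    eval "tbl=\$$t"
    echo "$t: ssh -> $(pick_dev "$tbl" "$SSH_HOST"), web -> $(pick_dev "$tbl" "$WEB_HOST")"
done
host_route_cmd "$SSH_HOST" "$VPN_GW" "$VPN_DEV"
echo "ip route get $SSH_HOST   # check on the real system: should report dev $VPN_DEV"
```

The host route has to be added for the IP address that the SSH hostname resolves to, since routing never sees the name. With "Use this connection only for resources on its network" left enabled, the same route can be entered in that "Routes..." dialog so it is installed each time the VPN connects.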





























