Score:1

Trouble setting up a simple SSH VPN to bypass a firewall


I have a small test network composed of two LANs connected via a firewall, with Linux hosts (containers). This firewall is set up to block certain websites from being accessed from within the B LAN, and as such I want to check out ways of bypassing said firewall.

For this, I know that both A and B are SSH servers (which allow root login, tunneling etc. for testing purposes), and moreover that A has set up a NAT server so that it can look up websites and such for other hosts.


So far, I have set up B as a VPN client, and A as a VPN server, with the following command, which sets up both the tunnel and the tun interfaces on each side, with addresses A_tun0_address and B_tun0_address:

    root@B:/# ssh -w 0:0 root@A \
           -o "PermitLocalCommand=yes" \
           -o "LocalCommand=ip addr add B_tun0_address/24 dev tun0 && ip link set tun0 up" \
           -o "RemoteCommand=ip addr add A_tun0_address/24 dev tun0 && ip link set tun0 up"

Now, let's say that I want to access a blocked website from B1, for this I would want to use the tunnel set up on B...but how? Should I redirect traffic to B_tun0_address somehow? I do not know what should be the steps from here.

Note:

This should be the equivalent of doing dynamic port forwarding, such as ssh -4NT -D <B’s IP>:<B’s port X> <user id>@<A’s IP> from B and then using B as a socks5 proxy, but the point would be doing this only with a VPN.

Edit 1:

As per @tsc_chazz's comment, I have set up the following iptables rules on B to do a DNAT:

    iptables -t nat -A PREROUTING -s 192.168.20.0/24 ! -d 192.168.20.0/24 -j DNAT --to-destination B_run0_address
    iptables -t nat -A POSTROUTING -j MASQUERADE

Also, on A, I made it masquerade traffic too:

    iptables -t nat -A POSTROUTING -j MASQUERADE -o eth0

And then, on B1, I set up B as the default gateway for simplicity:

    ip route del default
    route add default gw 192.168.20.99

Now, I have noticed in Wireshark that, mysteriously, after setting the default route for B1, the traffic just hops from that host to the destination directly, whatever the destination. I suspect that VirtualBox may be doing funky stuff so I'm not sure if that's correct.

Example, showing a Wireshark trace for a traceroute: (screenshot not included)

Score:0

You have a typo at the end of your first iptables rule after the edit, but I'm assuming you entered it correctly on the actual system since from the sound of the rest of it you were able to send traffic out by the end.

As for the wireshark bit I guess it would depend on where you're capturing from and what you're looking at. A screenshot or 2 might help explain that more.

Also, are you just interested in web traffic here or other protocols as well? If it's just web it might have been easier to configure B as a proxy server instead of having to do that NAT configuration.


EDIT

You're only seeing 1 hop because it's only 1 hop - the communication is going from B1 --> B and terminating.

This command (changed the run to tun):

    iptables -t nat -A PREROUTING -s 192.168.20.0/24 ! -d 192.168.20.0/24 -j DNAT --to-destination B_tun0_address

is telling B that whenever it receives a packet from 192.168.20.0/24 going anywhere outside of 192.168.20.0/24, it should do a DNAT and change the destination to B_tun0_address, meaning B is responding to all your traceroutes and pretending to be the destination.

If you want the traffic to actually be forwarded, you'll need to undo that config line.

You should only need a POSTROUTING MASQUERADE bit to take care of hiding the real source IP behind B, which will enforce that A responds to B using the tunnel. So then as long as the default route through the VPN tunnel is preferred on B over the route that goes through the firewall (which I think it should be), everything should work.

Basically, revert these:

    iptables -t nat -A PREROUTING -s 192.168.20.0/24 ! -d 192.168.20.0/24 -j DNAT --to-destination B_tun0_address
    iptables -t nat -A POSTROUTING -j MASQUERADE

and do this:

    iptables -t nat -A POSTROUTING -s 192.168.20.0/24 -o B_tun0 -j MASQUERADE

and you should be set.
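To make the difference between the two rule sets concrete, here is an added example (not code from the original thread) that models the netfilter NAT path on gateway B: a PREROUTING DNAT to one of B's own addresses makes the routing decision deliver the packet locally, so B itself answers the traceroute, whereas the POSTROUTING MASQUERADE on the tun interface forwards it through the VPN with the source rewritten. The address 10.8.0.2 is a constructed stand-in for B_tun0_address; 192.168.20.99 is B's LAN address from the question.

```python
# Added example: a minimal model of B's NAT/routing path, not the thread's own code.
import ipaddress
from dataclasses import dataclass, replace

LAN = ipaddress.ip_network("192.168.20.0/24")
B_LAN_ADDR = "192.168.20.99"   # B's LAN-side address, as used in the question
B_TUN0_ADDR = "10.8.0.2"       # constructed stand-in for B_tun0_address
LOCAL_ADDRS = {B_LAN_ADDR, B_TUN0_ADDR}
IP_FORWARD = True              # assumes net.ipv4.ip_forward=1 on B


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def prerouting_dnat(pkt: Packet) -> Packet:
    """Edit 1 rule: -s LAN ! -d LAN -j DNAT --to-destination B_tun0_address."""
    if ipaddress.ip_address(pkt.src) in LAN and ipaddress.ip_address(pkt.dst) not in LAN:
        return replace(pkt, dst=B_TUN0_ADDR)
    return pkt


def route(pkt: Packet) -> str:
    """Routing decision on B after PREROUTING: a destination that is one of B's
    own addresses is delivered locally; LAN destinations leave via eth0; everything
    else follows the VPN default route via tun0."""
    if pkt.dst in LOCAL_ADDRS:
        return "local"
    return "eth0" if ipaddress.ip_address(pkt.dst) in LAN else "tun0"


def postrouting_masquerade(pkt: Packet, oif: str) -> Packet:
    """Answer's rule: -s LAN -o tun0 -j MASQUERADE rewrites src to the tun0 address,
    so A replies back through the tunnel instead of trying to reach 192.168.20.x."""
    if oif == "tun0" and ipaddress.ip_address(pkt.src) in LAN:
        return replace(pkt, src=B_TUN0_ADDR)
    return pkt


def gateway_path(pkt: Packet, dnat_enabled: bool) -> tuple:
    """Return (disposition, packet) for a LAN packet arriving at B."""
    if dnat_enabled:
        pkt = prerouting_dnat(pkt)
    oif = route(pkt)
    if oif == "local":
        return "delivered-to-B", pkt   # B answers itself: the one-hop traceroute
    if not IP_FORWARD:
        return "dropped-no-forwarding", pkt
    return f"forwarded-via-{oif}", postrouting_masquerade(pkt, oif)
```

Run `gateway_path(Packet("192.168.20.10", "203.0.113.5"), True)` and `gateway_path(..., False)` to see the two outcomes side by side.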

Lightsong:
Do you mean the typo at "B_run0_address"? I masked the real ip addresses to make it simpler. Or is it something else wrong? As for the wireshark output, it simply shows as one hop from the B1 and the internet, in both the request and response, and tcpdump on either end of the VPN tunnel shows nothing going on when making the request. Assuming nothing is wrong with those rules, I will attribute to Virtualbox being wonky. Re: the protocols, it's just a test for evading firewall restrictions (in this case, it blocks a few websites)
A. Trevelyan:
I'm probably just retarded I assumed that was meant to be `B_tun0_address` not `run0`, but I guess on the actual system you would've had to use the IP anyway so it's not a big deal. What protocol are u looking at in wireshark though? As far as I know wireshark doesn't show hops, it just shows the communication happening between based on the source & destination information in the packet headers. If you want the hop count you would have to run a traceroute, no?
Lightsong:
It's showing hops correctly (on wireshark) when B1 reaches to the internet via the original router, listening on every interface and protocol from the host machine which controls all virtual interfaces. I tried to do a traceroute and it just automagically reaches to it in one hop when using the VPN (see screenshot this time :P), although in Wireshark it just shows as the packet being unable to get back to B1 (a normal ping is just a correct back-and-forth). Unless there is some misconfiguration I guess VirtualBox is doing weird stuff...
A. Trevelyan:
Ah okay cool, I see what you were doing now. It seems I was a bit confused initially what you were going for -- The reason the traceroute is only showing 1 hop is because it technically is only 1 hop. I'll edit my original answer just to have some more room to type here.
Lightsong:
OH, so that was it...now it's working correctly. I guess I need to take another read to the iptables manuals... thank you so much!
A. Trevelyan:
No problem, iptables is a pain even for people who have been doing this stuff for ages.
Score:0

There would seem to be two pieces to this. The first is that B needs to be set up to forward incoming network traffic from 192.168.20.0/24, destined for anywhere outside 192.168.20.0/24, to B_tun0_address which should then result in it being forwarded to A, and from there to the Internet. With that done, all you should need to do is set a static route in B1 that sends traffic to 192.168.20.99, if it's destined either for the specific website, or for everywhere - in which case you'd set 192.168.20.99 as the default gateway.

If B is already your default gateway for the 192.168.20.0/24 network, you will have to implement filtering rules in your firewall - you do have a firewall in B, no? - to prevent any machine except B1 from seeing anything outside the 10.8.0.0/24 network.

Lightsong:
Thanks! I have done as you recommended, but I am not sure if the iptables commands I used were correct, since the traffic from B1 mysteriously hops from it to whatever destination (I explained what I did in the edit). I have not considered setting up firewalls on B, which was not previously a default gateway (192.168.20.11 was for all of them, and now only for B itself), but indeed it would be needed. This is a toy setup in VirtualBox so I ignored those aspects.