Route SSH to internal virtual network via centos7 vm router

IT Discussion (Solved) · 20 Posts · 5 Posters · 1.5k Views
black3dynamite:

Wouldn't you need to add another route to your VPN config to have full access to the internal network?
push "route 10.0.10.0 255.255.255.0"
VoodooRabbit87 @black3dynamite:

@black3dynamite if that was the case then ping wouldn't work though, no?

trace from 10.0.1.2
Tracing route to 10.0.10.10 over a maximum of 30 hops

  1    11 ms    15 ms    30 ms  10.0.1.1
  2    16 ms    11 ms    11 ms  10.0.0.20
  3    12 ms    12 ms    13 ms  10.0.10.10

Trace complete.

i will try it out now

[edit]
this didn't help.
scottalanmiller @VoodooRabbit87:

    @voodoorabbit87 said in Route SSH to internal virtual network via centos7 vm router:

    @scottalanmiller i suppose what i don't understand here is why i can ping 10.0.10.10 from 10.0.1.2, get a reply and vice versa, but why is ssh being blocked?

    is there not a cmd i can pass to firewalld to allow ssh?

Oh, is there no NAT here? Just wide open? I missed that.
scottalanmiller:

You can shut down the firewall completely on the router for testing.
VoodooRabbit87 @scottalanmiller:

@scottalanmiller the image up top is the physical router which has the vpn service running on it (DDWRT), that's the route table with NAT to 10.0.10.0 via the virtual external nic 10.0.0.20, ipv4 forwarding is enabled, nics have zones assigned (int/ext).

i can ssh to the internal nic on the vm router 10.0.10.2, however i cannot ssh to the server 10.0.10.10 which sits behind this vm router, i just thought a rule needed adding to firewalld to allow ssh traffic through too, as pings already are.
Kelly @VoodooRabbit87:

    @voodoorabbit87 said in Route SSH to internal virtual network via centos7 vm router:

    @scottalanmiller the image up top is the physical router which has the vpn service running on it (DDWRT), that's the route table with NAT to 10.0.10.0 via the virtual external nic 10.0.0.20, ipv4 forwarding is enabled, nics have zones assigned (int/ext).

    i can ssh to the internal nic on the vm router 10.0.10.2, however i cannot ssh to the server 10.0.10.10 which sits behind this vm router, i just thought a rule needed adding to firewalld to allow ssh traffic through too, as pings already are.

Can you ssh from an IP in the same subnet, i.e. traffic not crossing the router? This will allow you to eliminate the firewall on the host. Since traces and pings are working then you know your routing is correct. Depending on how your VPN is configured it may need a specific rule in the VPN settings to allow traffic instead of configuring it in the firewall settings (not familiar with the particulars of DDWRT).
black3dynamite:

What VPN are you using on your DD-WRT? OpenVPN?
VoodooRabbit87 @black3dynamite:

@black3dynamite aye, with certs and the client on my work laptop.
black3dynamite @VoodooRabbit87:

    @voodoorabbit87 said in Route SSH to internal virtual network via centos7 vm router:

    @black3dynamite aye, with certs and the client on my work laptop.

I've only set up OpenVPN on pfSense with great success.

On this website...
https://www.howtogeek.com/64433/how-to-install-and-configure-openvpn-on-your-dd-wrt-router/

Does your config look somewhat similar to this?
[image: screenshot_1.png]

What about your firewall rules?
[image: screenshot_2.png]
VoodooRabbit87 @black3dynamite:

@black3dynamite so my config box looks exactly like what i posted in the OP, idk if it's the cause of diff ddwrt builds but any extra settings i put in there caused the vpn service to fail to start so i left it minimal as it just worked.

firewall looks like this

iptables -I INPUT 1 -p tcp --dport 443 -j ACCEPT
iptables -I FORWARD 1 --source 10.0.1.0/24 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.0.1.0/24 -j MASQUERADE

obvs 443 to bypass work fw.
VoodooRabbit87 @Kelly:

@kelly yes i can ssh from the vm router (10.0.10.2) to the server (10.0.10.10), basically same as another machine. i can ssh from my kvm host (10.0.0.10) to the server (10.0.10.10)
Kelly @VoodooRabbit87:

    @voodoorabbit87 said in Route SSH to internal virtual network via centos7 vm router:

    @black3dynamite so my config box looks exactly like what i posted in the OP, idk if it's the cause of diff ddwrt builds but any extra settings i put in there caused the vpn service to fail to start so i left it minimal as it just worked.

    firewall looks like this

    iptables -I INPUT 1 -p tcp --dport 443 -j ACCEPT
    iptables -I FORWARD 1 --source 10.0.1.0/24 -j ACCEPT
    iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
    iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
    iptables -t nat -A POSTROUTING -s 10.0.1.0/24 -j MASQUERADE

    obvs 443 to bypass work fw.

You don't have an outbound rule. I'm not an iptables guru, but from what I've read it sounds like you need an explicit rule.
Kelly @Kelly:

    @kelly said in Route SSH to internal virtual network via centos7 vm router:

        @voodoorabbit87 said in Route SSH to internal virtual network via centos7 vm router:

        @black3dynamite so my config box looks exactly like what i posted in the OP, idk if it's the cause of diff ddwrt builds but any extra settings i put in there caused the vpn service to fail to start so i left it minimal as it just worked.

        firewall looks like this

        iptables -I INPUT 1 -p tcp --dport 443 -j ACCEPT
        iptables -I FORWARD 1 --source 10.0.1.0/24 -j ACCEPT
        iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
        iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
        iptables -t nat -A POSTROUTING -s 10.0.1.0/24 -j MASQUERADE

        obvs 443 to bypass work fw.

    You don't have an outbound rule. I'm not an iptables guru, but from what I've read it sounds like you need an explicit rule.

Reference: https://unix.stackexchange.com/questions/136190/iptables-rule-to-allow-incoming-ssh-connections.
VoodooRabbit87 @Kelly:

    @kelly said in Route SSH to internal virtual network via centos7 vm router:

        @kelly said in Route SSH to internal virtual network via centos7 vm router:

            @voodoorabbit87 said in Route SSH to internal virtual network via centos7 vm router:

            @black3dynamite so my config box looks exactly like what i posted in the OP, idk if it's the cause of diff ddwrt builds but any extra settings i put in there caused the vpn service to fail to start so i left it minimal as it just worked.

            firewall looks like this

            iptables -I INPUT 1 -p tcp --dport 443 -j ACCEPT
            iptables -I FORWARD 1 --source 10.0.1.0/24 -j ACCEPT
            iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
            iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
            iptables -t nat -A POSTROUTING -s 10.0.1.0/24 -j MASQUERADE

            obvs 443 to bypass work fw.

        You don't have an outbound rule. I'm not an iptables guru, but from what I've read it sounds like you need an explicit rule.

    Reference: https://unix.stackexchange.com/questions/136190/iptables-rule-to-allow-incoming-ssh-connections.

so i shut down the firewall on the centos vm router and i was able to connect to the internal server.

definitely need to look into firewalld
VoodooRabbit87:

So to get this to work i needed to use this firewalld line:

firewall-cmd --permanent --direct --passthrough ipv4 -I FORWARD -i eth1 -j ACCEPT

eth1 is the external interface on the vm router.

does this effectively render the firewall pointless though?
travisdh1 @VoodooRabbit87:

    @voodoorabbit87 said in Route SSH to internal virtual network via centos7 vm router:

    does this effectively render the firewall pointless though?

Yep. You need to do port forwarding to have an effective firewall.

I wouldn't recommend CentOS as a router. It can do the job, but was not designed for it.
I've been using a VyOS software firewall for my home lab, which seems to do a very good job with few system resources needed. Plus it uses the same sort of command line environment that many hardware firewalls do, so I learned how to use many more things than just VyOS.

Edited for phone auto spell weirdness.
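A narrower firewalld configuration for the setup in the two posts above, added here as an example (it is not something anyone posted in the thread): instead of accepting everything that arrives on eth1, it forwards only TCP/22 from the OpenVPN client subnet to the one internal server, so the rest of firewalld's forward policy stays in force. It assumes the interface and addresses from the thread (eth1 external, 10.0.1.0/24 VPN clients, 10.0.10.10 server), prints the firewall-cmd invocations for review, and only runs them when APPLY=1.

```shell
#!/bin/sh
# Added example, not from the thread: replaces the blanket
# "--passthrough ipv4 -I FORWARD -i eth1 -j ACCEPT" with a rule scoped to one
# source subnet, one destination host and one port. Return packets are matched
# by firewalld's own "--ctstate RELATED,ESTABLISHED" accept at the top of FORWARD,
# so only NEW connections need an explicit rule.
# Values are the ones given in the thread; override them via the environment.
EXT_IF="${EXT_IF:-eth1}"            # external NIC on the CentOS VM router
VPN_NET="${VPN_NET:-10.0.1.0/24}"   # OpenVPN client subnet on the DD-WRT side
SSH_HOST="${SSH_HOST:-10.0.10.10}"  # internal server that should accept SSH

# Emit the firewall-cmd invocations as text so they can be reviewed (and run
# through a test on a box without firewalld) before anything is applied.
fw_rules() {
    cat <<EOF
firewall-cmd --permanent --direct --remove-passthrough ipv4 -I FORWARD -i $EXT_IF -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -i $EXT_IF -s $VPN_NET -d $SSH_HOST -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
firewall-cmd --reload
EOF
}

# Review check: every ACCEPT rule we add must be port-scoped. A rule without
# "--dport" would be as permissive as the passthrough it replaces.
scoped_rule_count() {
    fw_rules | grep -c -- '--dport 22'
}

if [ "${APPLY:-0}" = "1" ] && command -v firewall-cmd >/dev/null 2>&1; then
    fw_rules | while IFS= read -r cmd; do
        echo "+ $cmd"
        sh -c "$cmd"
    done
    # Verify: the scoped rule is listed and the passthrough is gone.
    firewall-cmd --direct --get-all-rules
    firewall-cmd --direct --get-all-passthroughs
else
    fw_rules
fi
```

After applying, an SSH connection from a VPN client to 10.0.10.10 should still work while a connection to any other internal host, or to 10.0.10.10 on another port, is rejected by firewalld's default FORWARD policy.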
VoodooRabbit87 @travisdh1:

@travisdh1 ahhh, i had a feeling that was going to be the answer :persevering_face:. Thanks tho, i'll definitely check this out!