OpenVPN with SSH tunnel to VPN Provider

Hello.

I am trying to set up an SSH tunnel on OpenWrt. The manual way works with this solution on OpenWrt with the sshtunnel package and PuTTY.

How can I implement this command in SSH tunnel configuration?
(The command asks for a password)

ssh -N -D 127.0.0.1:10000 -oUserKnownHostsFile=perfect_privacy_known_hosts -p 443 username@80.255.7.101

Here is the sshtunnel config:

#
# password authentication is not possible, public key authentication must be used.
# set "option IdentityFile" to the file from which the identity (private key) for RSA or DSA authentication is read.
# The default is ~/.ssh/identity for protocol version 1, and ~/.ssh/id_rsa and ~/.ssh/id_dsa for protocol version 2.
# ssh will also try to load certificate information from the filename obtained by appending -cert.pub to identity filenames.
#

#config server disney
#	option user			mourinho
#	option hostname			server.disney.com
#	option port			22
#	option retrydelay		1	
#	option CheckHostIP		yes
#	option Compression		no
#	option CompressionLevel		6
#	option IdentityFile		~/.ssh/id_rsa
#	option LogLevel			INFO
#	option PKCS11Provider		/lib/pteidpkcs11.so
#	option ServerAliveCountMax	3
#	option ServerAliveInterval	0
#	option StrictHostKeyChecking	ask
#	option TCPKeepAlive		yes
#	option VerifyHostKeyDNS		yes

# tunnelR(emote) - when the connection will be initiated to the R(emote) endpoint at
# remoteaddress:remoteport and then forwarded to localaddress:localport
#
#config tunnelR http
#	option server		disney
#	option remoteaddress	*
#	option remoteport	9009
#	option localaddress	192.168.1.13
#	option localport	80

# tunnelL(ocal) - when the connection will be initiated to the L(ocal) endpoint at
# localaddress:localport and then forwarded to remoteaddress:remoteport 
#
#config tunnelL test
#	option server		disney
#	option localaddress	*
#	option localport	1022
#	option remoteaddress	secretserver.disney.com
#	option remoteport	22

# tunnelD(ynamic) - when the connection will be initiated with the SOCKS4 or SOCKS5 protocol
# to the local endpoint at localaddress:localport and then forwarded over the remote host
#
#config tunnelD proxy
#	option server		disney
#	option localaddress	*
#	option localport	4055

# tunnelW - creates TUN/TAP devices on client and server to establish a VPN tunnel between them
# vpntypes:
#  point-to-point = TUN
#  ethernet = TAP
#
#config tunnelW proxy
#	option server           disney
#	option vpntype		point-to-point|ethernet
#	option localdev		any|0|1|2|...
#	option remotedev	any|0|1|2|...

Thanks.

Bernd.

To be clear:

  • You want to initiate an SSH connection with a tunneled TCP port?
  • You then want to start an OpenVPN session thru that tunneled port?
  • You want to script the startup of the SSH session?
  • You are connected to an ISP that doesn't permit direct connections to a VPN?

You want to initiate an SSH connection with a tunneled TCP port?

Yes. I want to initiate an SSH connection with Port 22, 53, 443, 8085, 9009 or 36315.

You then want to start an OpenVPN session thru that tunneled port?

Yes.

You want to script the startup of the SSH session?

Yes, I want to script this command on startup:

ssh -N -D 127.0.0.1:10000 -oUserKnownHostsFile=perfect_privacy_known_hosts -p 443 username@80.255.7.101

I thought I could do that with the sshtunnel config.

You are connected to an ISP that doesn't permit direct connections to a VPN?

No. My ISP permits direct connections to a VPN. I want to write this solution for other VPN users.

  • It doesn't appear the -D argument is implemented on OpenWrt's version of SSH - you may have to install the OpenSSH version of the client
  • I think you should have a space after the -o argument and before its attribute
  • Can't -b 127.0.0.1 -L 10000:<VPN_server_ip>:<VPN_server_port> argument be used instead (this may require editing of the VPN's conf file)?
  • BTW, the config you posted is entirely commented out - no settings are active.
  • SSH and sshtunnel are 2 different things

:confused:

OK....but didn't you post a link on setting up this solution already?

I hope the best in your endeavor.

Can't -b 127.0.0.1 -L 10000:<VPN_server_ip>:<VPN_server_port> argument be used instead (this may require editing of the VPN's conf file)?

What exactly should I try? ssh -b 127.0.0.1 -L 10000:80.255.7.101:443?

SSH and sshtunnel are 2 different things

Yes, you are right.

OK....but didn't you post a link on setting up this solution already?

This "solution" is for a Linux operating system and not for OpenWRT, which should do it automatically. :face_with_raised_eyebrow:

You put the VPN server and port. From your example above, that's the SSH server - which would be incorrect. This information would definitely be in the conf file.

Also, I wasn't aware you could auto login when a password had to be entered. I thought keys are needed.

:wink:

And the full command would be:

ssh 80.255.7.101 -p 443 -b 127.0.0.1 -L 10000:<VPN_server_ip>:<VPN_server_port> -N -D -o UserKnownHostsFile=perfect_privacy_known_hosts -p 443 -l username

This command does not work, but it does not matter now:

ssh 80.255.7.101 -p 443 -b 127.0.0.1 -L 10000:<VPN_server_ip>:<VPN_server_port> -N -D -o UserKnownHostsFile=perfect_privacy_known_hosts -p 443 -l username

With this command, no auto login is possible:

ssh -N -D 127.0.0.1:10000 -o UserKnownHostsFile=perfect_privacy_known_hosts -p 443 username@80.255.7.101

And for openwrt there is no sshpass or expect package.
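
For reference, an added example (not from any poster in this thread and not the sshtunnel package's shipped file) of how the ssh -N -D command above maps onto an active /etc/config/sshtunnel, using only option names that appear in the commented sample. Assumptions: the provider accepts public key authentication for this account, the private key sits at /root/.ssh/id_rsa, the provider's host key entries have been copied into /root/.ssh/known_hosts, and the section names pp and socks are arbitrary.

```uci
# /etc/config/sshtunnel (added example; section names 'pp' and 'socks' are arbitrary)
# Intended equivalent of:
#   ssh -N -D 127.0.0.1:10000 -p 443 username@80.255.7.101

config server 'pp'
	option user			'username'
	option hostname			'80.255.7.101'
	option port			'443'
	# Seconds to wait before reconnecting after the tunnel drops
	option retrydelay		'5'
	# Key authentication replaces the password prompt.
	# Assumed path; the matching public key must be registered with the provider.
	option IdentityFile		'/root/.ssh/id_rsa'
	# Fail instead of prompting when the host key is unknown or has changed.
	# Assumes the provider's host key is already in /root/.ssh/known_hosts.
	option StrictHostKeyChecking	'yes'
	# Detect a dead tunnel so the service can restart it
	option ServerAliveInterval	'30'
	option ServerAliveCountMax	'3'

config tunnelD 'socks'
	option server		'pp'
	# Loopback only: '*' would expose the SOCKS proxy on every router interface
	option localaddress	'127.0.0.1'
	option localport	'10000'
```

With StrictHostKeyChecking set to yes, an unattended start fails closed if the host key does not match, rather than hanging on a prompt or silently trusting a new key.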