    Solved Route SSH to internal virtual network via centos7 vm router

    IT Discussion
    • V
      VoodooRabbit87 @black3dynamite
      last edited by

      @black3dynamite aye, with certs and the client on my work laptop.

      black3dynamiteB 1 Reply Last reply Reply Quote 0
      • black3dynamiteB
        black3dynamite @VoodooRabbit87
        last edited by

        @voodoorabbit87 said in Route SSH to internal virtual network via centos7 vm router:

        @black3dynamite aye, with certs and the client on my work laptop.

        I've only setup OpenVPN on pfSense with great success.

        On this website...
        https://www.howtogeek.com/64433/how-to-install-and-configure-openvpn-on-your-dd-wrt-router/

        Does your config look somewhat similar to this?
        0_1530889668766_screenshot_1.png

        What about your firewall rules?
        0_1530889677339_screenshot_2.png

        V 1 Reply Last reply Reply Quote 0
        • V
          VoodooRabbit87 @black3dynamite
          last edited by

          @black3dynamite so my config box looks exactly like what I posted in the OP. Idk if it's the cause of diff DD-WRT builds, but any extra settings I put in there caused the VPN service to fail to start, so I left it minimal as it just worked.

          firewall looks like this

          iptables -I INPUT 1 -p tcp --dport 443 -j ACCEPT
          iptables -I FORWARD 1 --source 10.0.1.0/24 -j ACCEPT
          iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
          iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
          iptables -t nat -A POSTROUTING -s 10.0.1.0/24 -j MASQUERADE

          obvs 443 to bypass work fw.

          KellyK 1 Reply Last reply Reply Quote 0
          • V
            VoodooRabbit87 @Kelly
            last edited by

            @kelly yes, I can ssh from the VM router (10.0.10.2) to the server (10.0.10.10), basically the same as from another machine. I can ssh from my KVM host (10.0.0.10) to the server (10.0.10.10).

            1 Reply Last reply Reply Quote 0
            • KellyK
              Kelly @VoodooRabbit87
              last edited by

              @voodoorabbit87 said in Route SSH to internal virtual network via centos7 vm router:

              @black3dynamite so my config box looks exactly like what I posted in the OP. Idk if it's the cause of diff DD-WRT builds, but any extra settings I put in there caused the VPN service to fail to start, so I left it minimal as it just worked.

              firewall looks like this

              iptables -I INPUT 1 -p tcp --dport 443 -j ACCEPT
              iptables -I FORWARD 1 --source 10.0.1.0/24 -j ACCEPT
              iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
              iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
              iptables -t nat -A POSTROUTING -s 10.0.1.0/24 -j MASQUERADE

              obvs 443 to bypass work fw.

              You don't have an outbound rule. I'm not an iptables guru, but from what I've read it sounds like you need an explicit rule.

              KellyK 1 Reply Last reply Reply Quote 0
              • KellyK
                Kelly @Kelly
                last edited by

                @kelly said in Route SSH to internal virtual network via centos7 vm router:

                You don't have an outbound rule. I'm not an iptables guru, but from what I've read it sounds like you need an explicit rule.

                Reference: https://unix.stackexchange.com/questions/136190/iptables-rule-to-allow-incoming-ssh-connections.

                V 1 Reply Last reply Reply Quote 0
                • V
                  VoodooRabbit87 @Kelly
                  last edited by

                  @kelly said in Route SSH to internal virtual network via centos7 vm router:

                  You don't have an outbound rule. I'm not an iptables guru, but from what I've read it sounds like you need an explicit rule.

                  Reference: https://unix.stackexchange.com/questions/136190/iptables-rule-to-allow-incoming-ssh-connections.

                  So I shut down the firewall on the CentOS VM router and I was able to connect to the internal server.

                  Definitely need to look into firewalld.

                  1 Reply Last reply Reply Quote 0
                  • V
                    VoodooRabbit87
                    last edited by VoodooRabbit87

                    So to get this to work I needed to use this firewalld line:

                    firewall-cmd --permanent --direct --passthrough ipv4 -I FORWARD -i eth1 -j ACCEPT

                    eth1 is the external interface on the vm router.

                    does this effectively render the firewall pointless though?

                    travisdh1T 1 Reply Last reply Reply Quote 0
                    • travisdh1T
                      travisdh1 @VoodooRabbit87
                      last edited by travisdh1

                      @voodoorabbit87 said in Route SSH to internal virtual network via centos7 vm router:

                      does this effectively render the firewall pointless though?

                      Yep. You need to do port forwarding to have an effective firewall.

                      I wouldn't recommend CentOS as a router. It can do the job, but it was not designed for it.
                      I've been using a VyOS software firewall for my home lab, which seems to do a very good job with few system resources needed. Plus it uses the same sort of command line environment that many hardware firewalls do, so I learned how to use many more things than just VyOS.

                      Edited for phone auto spell weirdness.

                      V 1 Reply Last reply Reply Quote 2
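The exchange above (the firewalld passthrough rule that "made it work" versus travisdh1's point that it switches off forward filtering) as an added example; this is not code from the thread or from any of its posters. It assumes, beyond what the thread states, that eth0 is the CentOS VM router's internal interface on 10.0.10.0/24 (eth1 being the external one, as VoodooRabbit87 says), that the SSH target is 10.0.10.10 and that the VPN clients arrive from 10.0.1.0/24. Because the thread's topology is routed (the KVM host already reaches 10.0.10.10 directly), the narrow rule set allows the one flow without NAT; on a router that NATs instead, a DNAT rule in the nat PREROUTING table would be added in front of it. The check at the end flags any FORWARD ACCEPT rule that names neither a destination host nor a destination port and is not limited to reply traffic, which is exactly what the thread's `-I FORWARD -i eth1 -j ACCEPT` does.

```shell
#!/bin/sh
# Added example, not code from the thread or its posters.
# Assumptions (not stated in the thread): eth0 = internal interface on
# 10.0.10.0/24, eth1 = external interface, SSH target 10.0.10.10,
# VPN client subnet 10.0.1.0/24.

# The rule from the thread: every forwarded packet entering on eth1 is
# accepted, so the router performs no inbound filtering at all.
BROAD_RULE='firewall-cmd --permanent --direct --passthrough ipv4 -I FORWARD -i eth1 -j ACCEPT'

# Narrow replacement: only TCP/22, only to the one server, only from the VPN
# subnet, plus reply traffic for connections the router already tracks.
narrow_rules() {
    cat <<'EOF'
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -i eth1 -o eth0 -s 10.0.1.0/24 -d 10.0.10.10 -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 1 -i eth0 -o eth1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
firewall-cmd --reload
EOF
}

# Returns 0 (true) when a rule line is a FORWARD ACCEPT that names neither a
# destination host (-d) nor a destination port (--dport) and is not restricted
# to established/related reply traffic.
is_overbroad_forward() {
    case "$1" in
        *" FORWARD "*"-j ACCEPT"*) ;;
        *) return 1 ;;
    esac
    case "$1" in
        *"--dport "*|*" -d "*|*"--ctstate ESTABLISHED,RELATED"*) return 1 ;;
    esac
    return 0
}

# Reads rule lines on stdin; succeeds only if none of them is over-broad.
lint_rules() {
    bad=0
    while IFS= read -r line; do
        is_overbroad_forward "$line" && bad=$((bad + 1))
    done
    [ "$bad" -eq 0 ]
}

# Stand-alone run: report on the thread's rule, then check the narrow set.
if is_overbroad_forward "$BROAD_RULE"; then
    echo "over-broad: $BROAD_RULE"
fi
narrow_rules | lint_rules && echo "narrow rule set passes the check"
```

The check is deliberately simple string matching over the rule text, enough to catch the "accept everything on this interface" shape before it is committed with `--permanent`; it does not parse the full iptables grammar.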
                      • V
                        VoodooRabbit87 @travisdh1
                        last edited by

                        @travisdh1 ahhh, I had a feeling that was going to be the answer :persevering_face:. Thanks tho, I'll definitely check this out!

                        1 Reply Last reply Reply Quote 1