Monthly Archives: February 2012

OpenVPN over SSH


I’ve recently moved to Barcelona to continue my Computer Science studies on UB. First thing I noticed walking into the University building was my mobile happily notifying me that it has found a known network. Ah, of course: eduroam. My Slovenian eduroam account from University of Ljubljana should be valid throughout Europe for accessing the eduroam wireless network. And indeed it is. Nice.

Troubles on the horizon

Alas … there is a downside. Apparently the IT dept at UB is filtering OpenVPN and IPsec traffic. I’m soo used to having these that I feel “naked” using a public network without encrypting all my communications.

Now wait a minute, what do I see here, SSH traffic goes through without problems? If SSH goes through, then it should possible to tunnel basically anything through it. Even an OpenVPN tunnel. Yep, tunneling a tunnel over a tunnel, that’s the idea :).

The solution

After some fiddling around, this is how I did it (referencing my original setup):

  1. Find a server somewhere on the net you can SSH to, so you can setup a SOCKS proxy:

    $ ssh <some_IP_on_the_net> -D 6666
  2. Change protocol in OpenVPN’s server.conf to use TCP rather than UDP. Normally, using UDP is better, but if you want tunneling over SOCKS, you need TCP:

    proto tcp
  3. Change protocol in OpenVPN’s iptables config:

    iptables -I INPUT 1 -p tcp --dport 1194 -j ACCEPT
  4. Now modify the client.conf to use TCP and to use SOCKS proxy:

    proto tcp
    socks-proxy 6666
    route <some_IP_on_the_net> net_gateway

Notice the last line: it adds a specific rule to route traffic to your SSH server directly and not through OpenVPN. This keeps the SOCKS proxy alive and kicking. All other traffic is still routed through OpenVPN tunnel to keep your communications safe.