In this tutorial I show how to use a VPN to log in to a server whose sshd listens only on its private IP.
NOTE: Both servers run on Google Cloud Platform, so the details about external IPs below may not apply on other platforms.
VPN external IP : 35.189.191.35
VPN internal IP : 10.145.0.9
OVPN IP : 10.8.0.0/24
Network Interface : ens4
SSH server internal IP : 10.145.0.11
First we need a VPN server; as usual we use OpenVPN. Then route the OVPN subnet out through the VM's network interface: enable IP forwarding (net.ipv4.ip_forward=1), have OpenVPN push a route for the private network to its clients, and masquerade the clients' traffic out of ens4. (On Google Cloud Platform the external IP is a one-to-one NAT performed by the platform, outside the VM and its firewall, so ens4 only carries the internal address 10.145.0.9. Masqueraded VPN traffic to other internal hosts therefore arrives with source 10.145.0.9, while traffic to the Internet is translated by GCP to the VPN external IP 35.189.191.35.)
Also remember to allow incoming OpenVPN connections on the VPN server.
# NAT the VPN clients' traffic (10.8.0.0/24) out of the VM's interface
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ens4 -j MASQUERADE
# accept new OpenVPN connections on UDP 1194
iptables -A INPUT -i ens4 -m state --state NEW -p udp --dport 1194 -j ACCEPT
Next, on the SSH server, bind sshd to the private IP only.
vim /etc/ssh/sshd_config
Add this line (once any ListenAddress is set, sshd stops binding the default 0.0.0.0 and ::):
ListenAddress 10.145.0.11
Restart the sshd service and use netstat -ntulp (or ss -ntlp) to check which address sshd is listening on. Keep your current SSH session open until you have confirmed the new binding, so a typo in the address does not lock you out.
service sshd restart
netstat -ntulp
tcp  0  0  10.145.0.11:22  0.0.0.0:*  LISTEN  15279/sshd
After that, allow the VPN server's private IP to reach ssh in the SSH server's firewall. Because the VPN server masquerades its clients' traffic out of ens4, connections from VPN clients arrive at the SSH server with source address 10.145.0.9, so that is the address to permit:
iptables -I INPUT -p tcp -s 10.145.0.9 -m tcp --dport 22 -j ACCEPT
If you now try to SSH to the server without the VPN connected, the login fails: sshd only listens on the private IP, which is not reachable from outside the VPC, and the firewall only accepts port 22 from the VPN server's internal IP. So you must connect to the VPN first. Note that this ACCEPT rule only restricts access if the INPUT chain's default policy is DROP (or a later rule rejects other sources); with an ACCEPT policy it blocks nothing.
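As an added example (not part of the original tutorial), here is a small POSIX shell audit script that checks the end state this procedure should produce: sshd bound only to the private IP, the ACCEPT rule for the VPN host present, and a DROP default policy on INPUT so that rule actually restricts anything. It parses constructed sample output from netstat and iptables-save that is embedded in the script; in practice you pipe the live command output into the same functions. The addresses are the tutorial's own; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post: audit the "VPN-only SSH" end state
# by parsing netstat/ss and iptables-save output. The samples below are
# constructed; pipe real command output into the functions on a live host.

# Values from the tutorial's topology; adjust for your own hosts.
SSH_PRIVATE_IP="10.145.0.11"
VPN_PRIVATE_IP="10.145.0.9"

# Returns 0 when every sshd TCP listener in `netstat -ntlp` or `ss -ntlp`
# output (stdin) is bound to $1. A listener on 0.0.0.0 or :: returns 1,
# since it would make sshd reachable without going through the VPN.
# In both tools the local address:port is the 4th column.
sshd_bound_only_to() {
    awk -v want="$1" '
        /sshd/ && /LISTEN/ {
            addr = $4
            sub(/:[0-9]+$/, "", addr)      # drop the port; ":::22" becomes "::"
            if (addr != want) bad = 1
        }
        END { exit (bad ? 1 : 0) }'
}

# Returns 0 when `iptables-save` output (stdin) contains an INPUT ACCEPT rule
# for TCP/22 from $1. iptables-save prints a single host as "ADDR/32".
ssh_allowed_from() {
    ip_re=$(printf '%s' "$1" | sed 's/\./\\./g')   # escape dots for grep -E
    grep -Eq -- "^-A INPUT -s ${ip_re}(/32)? -p tcp -m tcp --dport 22 -j ACCEPT$"
}

# Returns 0 when the INPUT chain's default policy is DROP. Without it (or a
# trailing REJECT/DROP rule) the ACCEPT rule above restricts nothing.
input_policy_drops() {
    grep -q '^:INPUT DROP'
}

# --- constructed sample output, in the format the commands print ---
NETSTAT_GOOD='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 10.145.0.11:22          0.0.0.0:*               LISTEN      15279/sshd'

NETSTAT_BAD='tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      15279/sshd
tcp6       0      0 :::22                   :::*                    LISTEN      15279/sshd'

RULES_GOOD='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 10.145.0.9/32 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

RULES_OPEN_POLICY='*filter
:INPUT ACCEPT [0:0]
-A INPUT -s 10.145.0.9/32 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

main() {
    if printf '%s\n' "$NETSTAT_GOOD" | sshd_bound_only_to "$SSH_PRIVATE_IP"; then
        echo "ok:   sshd listens only on $SSH_PRIVATE_IP"
    fi
    if ! printf '%s\n' "$NETSTAT_BAD" | sshd_bound_only_to "$SSH_PRIVATE_IP"; then
        echo "fail: sshd still bound to 0.0.0.0/:: in the second sample"
    fi
    if printf '%s\n' "$RULES_GOOD" | ssh_allowed_from "$VPN_PRIVATE_IP"; then
        echo "ok:   port 22 accepted from $VPN_PRIVATE_IP"
    fi
    if ! printf '%s\n' "$RULES_OPEN_POLICY" | input_policy_drops; then
        echo "fail: INPUT policy is ACCEPT, the allow rule restricts nothing"
    fi
    return 0
}
main
```

On the live hosts, replace the printf of a sample with the real command, e.g. `ss -ntlp | sshd_bound_only_to 10.145.0.11` on the SSH server and `iptables-save | input_policy_drops` on whichever host you are auditing.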