In this tutorial, I show how to use a VPN to log in to a server whose SSH daemon listens only on its private IP.
NOTE: Both servers are running on Google Cloud Platform, so the steps may not work unchanged on other platforms.

VPN external IP        : 35.189.191.35
VPN internal IP        : 10.145.0.9
OpenVPN client subnet  : 10.8.0.0/24
Network interface      : ens4

SSH server internal IP : 10.145.0.11

First, set up a VPN server; we use OpenVPN as usual. Then route the OpenVPN client subnet out through the network interface. (On Google Cloud Platform, external IPs are handled outside the instance, which only sees its internal IP, so when we masquerade the OpenVPN traffic onto the network interface it automatically leaves through the VPN external IP, 35.189.191.35.)
Also remember to allow the OpenVPN port (UDP 1194) through the server's firewall.

# NAT traffic from the OpenVPN client subnet out through ens4
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ens4 -j MASQUERADE
# accept new OpenVPN connections arriving on UDP 1194
iptables -A INPUT -i ens4 -m state --state NEW -p udp --dport 1194 -j ACCEPT

Next, we bind the SSH server's sshd to its private IP only.

vim /etc/ssh/sshd_config

Add this (once any ListenAddress is set, sshd binds only to the listed addresses instead of all interfaces):

ListenAddress 10.145.0.11

Restart the sshd service and use netstat -ntulp to confirm that sshd is now listening only on the private IP.

service sshd restart
netstat -ntulp
tcp 10.145.0.11:22 0.0.0.0:* LISTEN 15279/sshd
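To make that check repeatable, here is an added script (not part of the original post) that parses netstat -ntulp output and flags any sshd listener on port 22 that is not bound to the expected private IP. The two netstat samples inside it are constructed for the example; on a real host you would pass "$(netstat -ntulp)" instead.

```sh
#!/bin/sh
# Added example (not from the original post): audit `netstat -ntulp` output and
# confirm sshd listens on port 22 only at the expected private address. Both
# samples below are constructed; on a real host pass "$(netstat -ntulp)" instead.

SSH_PRIVATE_IP="10.145.0.11"   # the SSH server's internal IP from the tutorial

# Constructed: sshd's default bindings before ListenAddress is set (IPv4 and IPv6 wildcard).
NETSTAT_BEFORE='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      15279/sshd
tcp6       0      0 :::22                   :::*                    LISTEN      15279/sshd
udp        0      0 0.0.0.0:1194            0.0.0.0:*                           1302/openvpn'

# Constructed: the single binding expected after "ListenAddress 10.145.0.11".
NETSTAT_AFTER='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 10.145.0.11:22          0.0.0.0:*               LISTEN      15279/sshd'

# check_ssh_bind <expected_ip> <netstat_output>
# Prints one line per sshd listener on port 22; exits 0 when every one is bound
# to <expected_ip>, 1 when a wildcard (0.0.0.0, ::) or other address is found.
check_ssh_bind() {
    printf '%s\n' "$2" | awk -v want="$1" '
        {
            # Find the State column so both full and abbreviated netstat layouts
            # work: local address sits two fields left of LISTEN, program one right.
            for (i = 1; i <= NF; i++) if ($i == "LISTEN") break
            if (i < 3 || i >= NF || $(i + 1) !~ /sshd$/) next
            laddr = $(i - 2)
            if (laddr !~ /:22$/) next
            host = laddr
            sub(/:22$/, "", host)
            if (host == want) {
                printf "ok %s\n", laddr
            } else {
                printf "EXPOSED %s (expected %s:22)\n", laddr, want
                bad++
            }
        }
        END { if (bad) exit 1 }'
}

echo "-- before ListenAddress --"
check_ssh_bind "$SSH_PRIVATE_IP" "$NETSTAT_BEFORE" || echo "sshd reachable on addresses other than $SSH_PRIVATE_IP"
echo "-- after ListenAddress --"
check_ssh_bind "$SSH_PRIVATE_IP" "$NETSTAT_AFTER" && echo "sshd bound only to $SSH_PRIVATE_IP"
```

Run netstat as root when feeding the script real output, otherwise the PID/Program column shows "-" and no sshd line is matched.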

After that, allow the VPN server's internal IP to reach SSH in the SSH server's firewall. Because of the MASQUERADE rule above, VPN clients arrive at the SSH server with the VPN internal IP (10.145.0.9) as their source address, which is what this rule matches. Note that an ACCEPT rule alone restricts nothing: it only has effect if the INPUT chain's default policy (or a later rule) drops port 22 traffic from other sources.

# accept SSH only from the VPN server's internal IP
iptables -I INPUT -p tcp -s 10.145.0.9 -m tcp --dport 22 -j ACCEPT

You can now try to log in to the SSH server without being connected to the VPN; you will find that you cannot, because sshd listens only on the private IP and the firewall rule accepts port 22 only from the VPN internal IP. So you must connect to the VPN to log in.
