Openvpn Client On Server

Have you ever struggled with connecting a VPS or server to an OpenVPN server without losing your current SSH or VNC connection? I have faced this challenge myself and found the solutions available online unsatisfactory. So, I took the opportunity to deepen my knowledge of Linux, networking, and now I would like to share with you the most effective and straightforward solution to this problem. How could one connect a vps or a server as client to a OpenVPN server without losing my actual ssh / vnc connection ?

Table of contents

Diagram

To help you understand our desired outcome, I have created a diagram that illustrates my current setup and IP addresses. This visual representation should make it easier for you to follow along.

Diagram that show the setup and ip addresses

Instructions

  1. Obtain the Box/Router public IP by running the following command in a local shell:
curl ipinfo.io/ip

Example output: 49.237.14.154

  1. Connect to your server with ssh:
ssh mrdotb@35.201.136.114
  1. Store the public IP in an environment variable on the server:
export our_ip="49.237.14.154"
  1. Understanding the Network Connection Loss When starting OpenVPN, it modifies the main routing table and all traffic is redirected through the VPN (tun0).
ip route show table main

Output before starting OpenVPN:

default via 10.140.0.1 dev ens4 proto dhcp src 10.140.0.14 metric 100 10.140.0.1 dev ens4 proto dhcp scope link src 10.140.0.14 metric 100

Output after start OpenVPN:

0.0.0.0/1 via 10.8.0.1 dev tun0 default via 10.140.0.1 dev ens4 proto dhcp src 10.140.0.14 metric 100 10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.3 10.140.0.1 dev ens4 proto dhcp scope link src 10.140.0.14 metric 100 113.29.230.196 via 10.140.0.1 dev ens4 128.0.0.0/1 via 10.8.0.1 dev tun0
  1. Maintaining Network Access To keep network access, incoming and outgoing packets to/from $our_ip are redirected to a special route called route 22. This route is a mirror of the main table before it was modified by OpenVPN.
ip route | awk '{print "sudo ip route add table 22 " $0}' | bash sudo ip rule add from $our_ip table 22 sudo ip rule add to $our_ip table 22
  1. Testing the Connection
timeout 30 /usr/sbin/openvpn yourvpnconfig.ovpn

If the shell become unresponsive or you are unable to open a second ssh connection something is wrong, wait 30 sec and check that you input all the correct IP in the cmd. Otherwise, congratulations ! You have successfully established a connection to your OpenVPN server while maintaining access to your local network. You can run openvpn without the timeout cmd.

  1. Resolving Domain Names If you are unable to resolve domains, add the following to the /etc/resolv.conf file:
sudo echo "nameserver 8.8.8.8" >> /etc/resolv.conf sudo echo "nameserver 8.8.4.4" >> /etc/resolv.conf

Your openvpn server pushes some bad routes preventing you to use your local host resolver. Using google DNS is the easiest way to solve the problem.

  1. How can you reset all the previous modifications ?
ip rule delete from $our_ip table 22 ip rule delete to $our_ip table 22 ip route flush table 22

You can also reboot the server.

Short version script

# I assume you are using ssh on port 22 # save our public ip # copy main table in table 22 # from / to lookup in table 22 # launch VPN with timeout cmd to prevent lock export your_ip=`echo $SSH_CLIENT | awk '{ print $1 }'` ip route | awk '{print "sudo ip route add table 22 " $0}' | bash sudo ip rule add from $your_ip 22 sudo ip rule add to $your_ip 22 timeout 30 sudo /usr/sbin/openvpn yourvpnconfig.ovpn # If successfull run the previous cmd without the timeout

Resources

If you want to learn more about linux and networks read linux-ip.

Stay up to date

Sign up for the mailing list and get notified via email when new blog posts come out.