How To Route SSH Tunnel Traffic Through OpenVPN Client Gateway

  • I have a persistent OpenVPN client connection on my pfSense machine and would like for it to be the gateway for traffic that is tunneled through that machine via SSH.  That is to say, I SSH directly to my pfSense machine using the -D option (e.g. ssh -D 12345 user@mypfsensemachine).  I have my WAN interface (not my VPN client virtual interface) as the default gateway for the pfSense machine, and use policy routing to force all LAN traffic through the VPN.  That works beautifully, but when I SSH directly to my pfSense machine, that traffic obviously never hits the LAN interface.  So I feel like I need firewall rules on the WAN and/or VPN interfaces, but I haven't been able to come up with a rule that will successfully corral that SSH traffic through the VPN.  I wonder if I'm missing something obvious, or if I'm just not thinking about this correctly and it's not really possible?  Thanks in advance for any ideas or advice.

  • LAYER 8 Global Moderator

    "but when I SSH directly to my pfSense machine"

    From where are you SSHing to your pfSense machine?  From the outside on the public Internet, or from the LAN side?

    If you're outside on the public Internet and you want to come in through the VPN tunnel pfSense has created with some VPN service, you would have to hit that VPN IP on the public side, and your VPN provider would have to forward that traffic down the tunnel.

  • Sorry about that, I'm SSHing in from the public Internet to my physical WAN interface.  So I take your point that the sensible (and perhaps only) thing to do, so long as my VPN provider allows it, is to instead SSH in to my logical VPN client interface.

  • LAYER 8 Global Moderator

    My point was that the way you would access your machine would be via your normal WAN IP from the public Internet.

    I would not go through some VPN tunnel you have already set up with some VPN provider. I would go direct to your WAN IP, but I would just VPN in via a VPN server you run on pfSense, not via some client connection to some VPN service.
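A quick way to confirm what the first post describes, namely that traffic sent through the `ssh -D 12345` SOCKS proxy on pfSense leaves via the WAN address rather than the VPN client interface, is to compare the egress address a remote service sees through the proxy with the firewall's own WAN address. This is an added check, not something from the thread; it assumes the SOCKS tunnel is already up on `127.0.0.1:12345`, that `https://ifconfig.me` (an assumed public "what is my IP" service) returns the caller's address, and that you set `WAN_IP` to your pfSense WAN address.

```shell
#!/bin/sh
# Added example: does an `ssh -D` SOCKS proxy on pfSense exit via WAN or VPN?
# Assumptions (not from the thread): proxy on 127.0.0.1:$SOCKS_PORT,
# https://ifconfig.me echoes the caller's public IP, WAN_IP is your WAN address.
SOCKS_PORT=${SOCKS_PORT:-12345}
WAN_IP=${WAN_IP:-}

# Ask a remote service which source address it sees. With a port argument the
# request is sent through the local SOCKS5 proxy (DNS resolved remotely too).
egress_ip() {
  if [ -n "$1" ]; then
    curl -s --max-time 10 --socks5-hostname "127.0.0.1:$1" https://ifconfig.me
  else
    curl -s --max-time 10 https://ifconfig.me
  fi
}

# Classify the proxied egress address against the firewall's WAN address:
#   wan       - proxied traffic exits via WAN (policy routing on LAN does not
#               apply to connections the firewall itself originates)
#   vpn       - proxied traffic exits with a different address, i.e. via the
#               VPN client (or some other non-WAN path)
#   unknown   - WAN_IP was not supplied, so no verdict is possible
#   no-egress - the proxied request failed (tunnel down, no network, ...)
classify() {
  proxied=$1
  wan=$2
  if [ -z "$proxied" ]; then echo no-egress; return 0; fi
  if [ -z "$wan" ]; then echo unknown; return 0; fi
  if [ "$proxied" = "$wan" ]; then echo wan; else echo vpn; fi
}

main() {
  proxied=$(egress_ip "$SOCKS_PORT")
  echo "egress via ssh -D : ${proxied:-<none>}"
  echo "pfSense WAN_IP    : ${WAN_IP:-<not set>}"
  echo "verdict           : $(classify "$proxied" "$WAN_IP")"
}

# Only touch the network when explicitly asked: ./check.sh --check
if [ "${1:-}" = "--check" ]; then main; fi
```

A verdict of `wan` reproduces the problem in the first post; `vpn` means the firewall's own SOCKS-originated traffic is already leaving through the VPN client.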
