OpenVPN through SSH

This is useful if you are behind a restrictive firewall that uses SPI to block services rather than plain old port blocking. An SPI firewall is able to distinguish between one packet type and another, without just checking the port that is in use.

You’ll need root access to the OpenVPN Server, as you have to change some of the server config files.

You need to do the folllowing changes:

  • change the line proto udp to proto tcp on client and server configuration file
  • add socks-proxy localhost 5555 in the OpenVPN client configuration file
  • create an SSH tunnel between the client machine and the OpenVPN Server. Assuming you’re running Linux/Unix with the OpenSSH client binary installed then run the command:
ssh -ND5555 user@test.org

 

Note: If you are using Windows please read what this guy wrote here: http://blog.ramin-hossaini.com/2009/10/06/creating-a-tunnel-and-socks-proxy-with-putty/

4 thoughts on “OpenVPN through SSH”

  1. Thank you! My machine where the OpenVPN Server is running is saying “channel 2: open failed: connect failed: Connection refused”. Any idea?

    1. I would first try this:

      ssh -ND5555 user@test.org -v -v

      You can use “-v” up to 3 times to increase verbosity to see what is happening there.

      Second, I would try to change this:

      socks-proxy localhost 5555

      to this:

      socks-proxy 127.0.0.1 5555

      1. Thank you very much for your reply! Connection seems to work, but trying to open a website the remote machine says: “debug2: channel 2: open confirm rwindow 2097152 rmax 32768 Write failed: Broken pipe”.
        My client config is like this:
        dev tun
        client
        proto tcp-client
        remote localhost
        socks-proxy localhost 5555
        resolv-retry infinite

        I’m note sure about the “remote localhost” line.

        1. Sorry for my late reply.
          At this moment I don’t have access to any server which I can use to run some tests, but try to comment the line “remote localhost” line and try to connect again.

Leave a Reply

Your email address will not be published. Required fields are marked *