I have the current situation:

  • Home network with a router and a few devices, including a Computer (a Raspberry Pi) that I want to connect to a commercial VPN provider but would also like to access remotely.
  • A few ports (e.g. 22) are forwarded in the router to allow me to use the Computer as I need
  • The router public IP is, for example, 89.11.12.13
  • The Computer is normally accessible remotely via HTTP

I cannot completely explain the following:

  • Outside of my local network, if the Computer is connected to the VPN, when I connect to 89.11.12.13:22 I cannot reach the Computer (fair enough).
  • Within my local network, if the Computer is connected to the VPN, when I connect to 89.11.12.13:22 (with some other computer) I can reach the Computer

Why can I reach the computer when I'm in my local network using the public IP? (Is that obvious?)

I have asked the VPN service support how to enable the whitelist feature (available in their Windows application) but it is not available for manual OpenVPN connections. They suggested instead that I modify the routing table with something like

route add IP gw gatewayIP

I tried but with no success. Any suggestions?

I have found some explanations from these two questions but I still don't have things clear:

Davide
  • 1
  • The host route approach will only make sense if you are always connecting from only a few public IPs. – Tom Yan Jan 10 '20 at 05:43

1 Answer

It is normal, as you have the subnet route for replying to hosts in the local LAN.

But for connections from the Internet, the replies will be directed by the default route, which routes the traffic to the VPN server via the VPN tunnel when you are connected to the VPN. The VPN server basically has to do source NAT when it forwards traffic out to the Internet. So even if the reply traffic is allowed to reach the connecting host, it will not be recognized as replies from your router, but as "unknown" incoming traffic from the VPN server. Hence, the connection cannot be established.

A/The solution would be to mark traffic with the SSH port as its source port with iptables rules and do policy routing with ip rules for it (by having another route table with the original default route, and route to your router, and have it looked up for the marked traffic).

Tom Yan
  • 9,643
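The policy-routing setup the answer describes, written out as a script. This is an added example, not code from the question or the answer, and everything in it is an assumption to adapt to your own network: the LAN interface is eth0, the LAN is 192.168.1.0/24 with the router at 192.168.1.1, the forwarded TCP ports are 22 and 80, routing table 100 and firewall mark 0x1 are unused. It also goes a little beyond the answer in two places: it copies the LAN route into the extra table so hairpinned replies to LAN clients still leave eth0 directly, and it relaxes reverse-path filtering on eth0, because with strict rp_filter the kernel drops packets from Internet addresses arriving on eth0 once the best route back to them is the tunnel.

```shell
#!/bin/sh
# Added example (not from the question or answer): policy routing so that
# replies from forwarded ports leave via the LAN gateway while the VPN tunnel
# holds the default route. All values below are assumptions; adjust them.
# Usage (as root, after the VPN is up):  sh vpn-bypass.sh apply | undo
LAN_IF="${LAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
LAN_GW="${LAN_GW:-192.168.1.1}"
PORTS="${PORTS:-22 80}"
TABLE="${TABLE:-100}"
MARK="${MARK:-0x1}"

# Print the commands that set the bypass up, one per line, without running
# them, so they can be reviewed first.
policy_routing_cmds() {
    # A second routing table that still holds the pre-VPN default route.
    # The LAN route is copied too, so replies to LAN clients that used the
    # public IP (hairpin NAT) go out eth0 directly instead of via the router.
    echo "ip route replace $LAN_NET dev $LAN_IF table $TABLE"
    echo "ip route replace default via $LAN_GW dev $LAN_IF table $TABLE"
    # Packets carrying the mark consult that table before the main table,
    # so they never see the VPN's default route.
    echo "ip rule add fwmark $MARK lookup $TABLE priority 1000"
    # Locally generated packets whose source port is a forwarded service
    # port are replies to inbound connections: mark them. Changing the mark
    # in mangle OUTPUT makes the kernel re-route the packet.
    for p in $PORTS; do
        echo "iptables -t mangle -A OUTPUT -p tcp --sport $p -j MARK --set-mark $MARK"
    done
    # Strict reverse-path filtering would drop a packet from an Internet
    # address arriving on eth0, because the best route back to that address
    # is the tunnel. Loose mode (2) accepts it; the effective value is the
    # larger of "all" and the per-interface setting.
    echo "sysctl -w net.ipv4.conf.$LAN_IF.rp_filter=2"
    echo "sysctl -w net.ipv4.conf.all.rp_filter=2"
}

# The matching teardown, in reverse order (rp_filter is left as set).
policy_routing_undo_cmds() {
    for p in $PORTS; do
        echo "iptables -t mangle -D OUTPUT -p tcp --sport $p -j MARK --set-mark $MARK"
    done
    echo "ip rule del fwmark $MARK lookup $TABLE priority 1000"
    echo "ip route flush table $TABLE"
}

# Execute a command list read from stdin, echoing each command first and
# stopping at the first failure.
run_cmds() {
    while IFS= read -r cmd; do
        printf '+ %s\n' "$cmd" >&2
        sh -c "$cmd" || return 1
    done
}

case "${1:-}" in
    apply) policy_routing_cmds | run_cmds ;;
    undo)  policy_routing_undo_cmds | run_cmds ;;
esac
```

Only replies to inbound connections on the listed ports bypass the tunnel; everything the Pi initiates itself still uses the VPN, because outbound connections get ephemeral source ports and are never marked. The rules do not survive a reboot or a VPN reconnect on their own, so run the script from an OpenVPN `up` script or a systemd unit, and run `undo` before `apply` again, since `ip rule add` happily adds duplicates. To verify, check `ip rule show` and `ip route show table 100`, then, from outside the LAN, connect to the public IP on port 22 while the tunnel is up.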