SSH from outside my network.

Firerat, I'm really sorry to be such a newbie, but could you be a little more explicit in how I would use that? I've copied that into a file, made it executable and placed it in /etc/openvpn/ but I'm unsure what I do with it? Or should I just run it? Will that 'fix' openvpn until it updates? What did you mean by to get it to write add -i?

Thank you for your time and effort, I'm sorry for being quite confused

Quote:

Originally Posted by NotAComputerGuy Firerat, I'm really sorry to be such a newbie, but could you be a little more explicit in how I would use that? I've copied that into a file, made it executable and placed it in /etc/openvpn/ but I'm unsure what I do with it? Or should I just run it? Will that 'fix' openvpn until it updates? What did you mean by to get it to write add -i? Thank you for your time and effort, I'm sorry for being quite confused

Sorry, my fault

it is just a sed, ( stream editor )

just copy and paste it 'as is'

you will see the /etc/init.d/openvpn, only a modified version.

if you do "sed -i -e ....." instead of "sed -e ....." it will edit 'inline', i.e. save the changes. ( in this case you will need root )
actually, probably better to make it do a backup
"sed -i.backup -e ....."
The original will be saved as openvpn.backup


edit the "patch_script" replacing all of the YOUR.GATEWAY.IP.HERE, and add the -i.backup
to 'execute' it, just do

Code:

sh /path/to/patch_script

what it is actually doing is

adding the below, just above the line "start_vpn () {"

Code:

fix_ssh () {
ip rule add fwmark 65 table novpn
ip route add default via YOUR.GATEWAY.IP.HERE dev eth0 table novpn
ip route flush cache
iptables -t mangle -A OUTPUT -p tcp --sport 22 -j MARK --set-mark 65
iptables -A INPUT -i tun0 -p tcp -m tcp --dport 22 -j DROP
}
undo_fix_ssh () {
iptables -D INPUT -i tun0 -p tcp -m tcp --dport 22 -j DROP
iptables -t mangle -D OUTPUT -p tcp --sport 22 -j MARK --set-mark 65
ip route del default via YOUR.GATEWAY.IP.HERE dev eth0 table novpn
ip rule del fwmark 65 table novpn
ip route flush cache
}

it is also adding "&& fix_ssh" and "&& undo_fix_ssh" to the end of start_vpn and stop_vpn lines
so whenever the openvpn runs its start_vpn function it then runs the fix_ssh function ( unless start_vpn fails ), and the undo part runs when stop_vpn as run

Technically it is a 'fudge', because it will blindly run for every VPN,
I assumed you only have the one client configured

it is also a bit dumb in that it will keep adding the {undo_}fix_ssh functions
you could fix that with

Code:

#!/bin/bash
grep -q fix_ssh /etc/init.d/openvpn || sed ........

so the sed only runs if grep didn't find fix_ssh

Hope that makes sense

Yes it made sense. Kind of. I think. Apologies.

I have an executable file located in /etc/openvpn/ (should it be called patch_script, is that where that came in? I couldn't find it mentioned before).

The file contains the following:

Code:

#!/bin/bash
grep -q fix_ssh /etc/init.d/openvpn || sed -i.backup -e '/start_vpn ()/ i fix_ssh () {\
ip rule add fwmark 65 table novpn\
ip route add default via 192.168.0.1 dev eth0 table novpn\
ip route flush cache\
iptables -t mangle -A OUTPUT -p tcp --sport 22 -j MARK --set-mark 65\
iptables -A INPUT -i tun0 -p tcp -m tcp --dport 22 -j DROP\
}\
undo_fix_ssh () {\
iptables -D INPUT -i tun0 -p tcp -m tcp --dport 22 -j DROP\
iptables -t mangle -D OUTPUT -p tcp --sport 22 -j MARK --set-mark 65\
ip route del default via 192.168.0.1 dev eth0 table novpn\
ip rule del fwmark 65 table novpn\
ip route flush cache\
}'\
   -e 's/start_vpn$/& \&\& fix_ssh/' \
   -e 's/stop_vpn$/& \&\& undo_fix_ssh/' \
/etc/init.d/openvpn

Which as root I run with "sh scriptname". I'm sorry if I seem to be taking this slowly. Thanks to yourselves the system works pretty well at the moment, anxious not to break it, but also very aware if I don't do anything then the next reboot it will loose all it's settings.

Quote:

Originally Posted by NotAComputerGuy Yes it made sense. Kind of. I think. Apologies. I have an executable file located in /etc/openvpn/ (should it be called patch_script, is that where that came in? I couldn't find it mentioned before). Which as root I run with "sh scriptname". I'm sorry if I seem to be taking this slowly. Thanks to yourselves the system works pretty well at the moment, anxious not to break it, but also very aware if I don't do anything then the next reboot it will loose all it's settings.

Its me, I'm really bad at naming things

patch_script = Script_to_patch_etc_init.d_openvpn
so yeah "sh Script_to_patch_etc_init.d_openvpn"

To be honest I may have 'overcomplicated' it, I don't think it will make any difference if the VPN is running or not..
I just like to undo things

I managed to get it to run. Just out of interest, how come it wouldn't work with sudo (sh: 0: Can't open script), but would if I su'd into root? Just curiosity more than anything.

I'll test it tomorrow to ensure it all worked and let you know if it all works.

Thanks you

Honestly .. I have no idea..
about the only difference I can think of is that I have sh symlinked to bash instead of dash ( as I do LFS builds now and again )
But it should not present any problem to dash ( in sh mode or full dash )
It is basically a oneliner ( a long oneliner, but nothing 'complicated' )