LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 06-09-2017, 07:05 PM   #1
FedoraPete
LQ Newbie
 
Registered: Feb 2017
Posts: 19

OpenVPN SSH ListenAddress


I have an Ubuntu 17.04 VM server (hosted in Azure) running OpenVPN. The server has a public ip address and a private ip address (10.1.x.x).

sshd has been put behind the VPN by doing the following:
/etc/ssh/sshd_config
ListenAddress <private ip address of server, e.g. 10.1.x.x>
(no other ip addresses are specified)

Restarted the sshd service
netstat shows sshd is only listening on the private ip address.


I can now ssh to the server through the VPN using the private ip address. All is good so far.

The main Issue:
I can also ssh to the server via its public ip address without using the VPN. This is obviously undesirable. How can I prevent ssh being accessed publicly? ListenAddress has been set up correctly, so I'm confused.


Also a few questions:
Question 1
For the ssh ListenAddress, should I be using the server's private ip address (10.1.x.x) or the tunnel gateway ip address (10.8.x.x)?
I.e. are the comms via the gateway IP encrypted and the comms via the server IP not encrypted? Or are comms via either IP encrypted?


Question 2
Currently my Azure and Ubuntu server firewall rules (which are the same) are:
Allow UDP/1194
Allow TCP/22

Is this correct? I'm trying to close anything that is not needed.
Can I remove the Azure and Ubuntu TCP port 22 rules since I'm going in via the VPN?


PS: Thank you to everyone that helped me get this far with OpenVPN and SSH on the other thread. I still have a lot to learn.

Last edited by FedoraPete; 06-09-2017 at 07:09 PM.
 
Old 06-10-2017, 09:38 AM   #2
vincix
Senior Member
 
Registered: Feb 2011
Distribution: Ubuntu, Centos
Posts: 1,240

Why don't you simply filter access (using iptables) on that ip address so that it wouldn't matter how you've configured your sshd_config? I think you should do that anyway so that the ssh traffic doesn't pass the firewall.

To answer your first question, it depends on how you've configured your firewall. I don't think there's any meaningful difference, if there's no context given. I guess I would use the tunnel gateway. It's more direct and you wouldn't have to worry about how the traffic is forwarded at a later stage.

2 - no, you cannot remove the ssh rule, because you won't have access to the ssh anymore. It doesn't matter if you're using vpn. The request is going to be made on port 22 - that's what the server is going to see after it decrypts the traffic. Just create a rule that listens only on the particular ip you're trying to access through ssh.

Last edited by vincix; 06-10-2017 at 09:39 AM.
 
Old 06-10-2017, 10:57 AM   #3
mralk3
Slackware Contributor
 
Registered: May 2015
Distribution: Slackware
Posts: 1,900

Quote:
Originally Posted by FedoraPete
You want your ssh daemon listening on the VPN private gateway address. So if OpenVPN uses 10.8.0.1 as its gateway address, then sshd needs to listen there. Your firewall should block all access to SSH, unless a client is connecting from the 10.8.0.0/24 subnet (or whatever ip addressing you chose to use). I assume you set up some sort of DNS service on the server that runs OpenVPN. This should also only be accessible from your VPN subnet after connecting to it.

A TCP connect scan of your server:

Code:
nmap -sT x.x.x.x -p 1-65535
Should not report any open ports or closed port services.

As I recall, your goal was to assure that ssh (and any other network service you install) is only accessible via the VPN network for security purposes. Your firewall and listening services should reflect that model.

UFW should be more specific than just allowing everything to port 22. You need it blocking anything outside of the VPN network towards SSH. The only service that should be accessible is OpenVPN. I would also suggest having OpenVPN listening on a higher, non-standard port for obscurity.

Do not confuse the private and public IP addresses your server is given by your web host with the private gateway ip address of OpenVPN. This is likely why you are still able to connect to your SSH service even when not connected to OpenVPN.
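The following is an added example, not code from the thread or from either poster. It turns the model vincix (filter port 22 by address) and mralk3 (sshd bound to the tunnel gateway, firewall allowing SSH only from the VPN subnet) describe into two checks a defender can run against a host, plus the ufw rules that enforce it. The addressing is assumed for illustration: tunnel gateway 10.8.0.1 on tun0, client subnet 10.8.0.0/24, and 10.1.0.4 as the Azure private NIC address. The sample sshd_config and `ss -lnt` snippets are constructed, not captured from a real server. The first check fails on the thread starter's configuration because, on Azure, the public IP is NAT-translated onto the private NIC address, so a ListenAddress of 10.1.x.x still accepts connections that arrive via the public IP.

```shell
#!/bin/sh
# Added example (not from the thread): audit helpers for the
# "SSH reachable only over the VPN" model discussed above.
# Assumed (hypothetical) addressing: OpenVPN tunnel gateway 10.8.0.1 on
# tun0, VPN client subnet 10.8.0.0/24, Azure private NIC address 10.1.0.4.
VPN_GW="10.8.0.1"
VPN_NET="10.8.0.0/24"
VPN_IF="tun0"

# Return 0 if the sshd_config text in $1 has at least one ListenAddress and
# every one of them is the VPN gateway (IPv4 form, optional ":port" suffix).
# No ListenAddress at all means sshd binds 0.0.0.0, so that also fails.
sshd_listen_ok() {
  addrs=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*ListenAddress[[:space:]]\{1,\}//p')
  [ -n "$addrs" ] || return 1
  for a in $addrs; do
    [ "${a%%:*}" = "$VPN_GW" ] || return 1
  done
  return 0
}

# Return 0 if, in `ss -lnt` output passed as $1, every socket listening on
# port 22 is bound to the VPN gateway. A wildcard (*, 0.0.0.0, [::]) or the
# NIC address means SSH is reachable from outside the tunnel.
ssh_listeners_ok() {
  bad=$(printf '%s\n' "$1" | awk -v gw="$VPN_GW" '
    $1 == "State" { next }                      # skip the ss header line
    { n = split($4, p, ":"); port = p[n]        # $4 is Local Address:Port
      host = substr($4, 1, length($4) - length(port) - 1) }
    port == "22" && host != gw { print $4 }')
  [ -z "$bad" ]
}

# Print the ufw rules that implement the model: OpenVPN open to the world,
# SSH only from the tunnel subnet to the tunnel address, everything else denied.
ufw_rules() {
  cat <<EOF
ufw default deny incoming
ufw allow 1194/udp
ufw allow in on $VPN_IF from $VPN_NET to $VPN_GW port 22 proto tcp
ufw deny 22/tcp
EOF
}

# Summarize both checks as PASS/FAIL lines for a config text and an ss dump.
report() {
  if sshd_listen_ok "$1"; then r1=PASS; else r1=FAIL; fi
  if ssh_listeners_ok "$2"; then r2=PASS; else r2=FAIL; fi
  printf 'sshd_config ListenAddress: %s\nlistening sockets: %s\n' "$r1" "$r2"
}

# Constructed samples (not captured from a real host).
CFG_NIC='Port 22
ListenAddress 10.1.0.4'          # the thread starter's configuration
CFG_VPN='Port 22
ListenAddress 10.8.0.1'          # sshd bound to the tunnel gateway instead
SS_NIC='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    10.1.0.4:22        0.0.0.0:*'
SS_VPN='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    10.8.0.1:22        0.0.0.0:*
LISTEN 0      128    127.0.0.1:53       0.0.0.0:*'

report "$CFG_NIC" "$SS_NIC"   # FAIL / FAIL: NIC address still answers for the public IP
report "$CFG_VPN" "$SS_VPN"   # PASS / PASS
ufw_rules                     # rules to apply once sshd listens on the tunnel
```

On a live host, feed the real files in with `sshd_listen_ok "$(cat /etc/ssh/sshd_config)"` and `ssh_listeners_ok "$(ss -lnt)"`; both checks are read-only, and `ufw_rules` only prints the commands, so nothing here changes the firewall until you run its output yourself. The sshd side needs OpenVPN's tun interface up before sshd starts, otherwise the bind to 10.8.0.1 fails, so check the service ordering when you move ListenAddress.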
 