I have recently discovered that it is fairly easy to tunnel OpenVPN through SSH. This is useful if you are behind a restrictive firewall that uses SPI to block services rather than plain old port blocking. An SPI firewall is able to¬†distinguish¬†between one packet type and another, without just checking the port that is in use. You can, of course, get a much more in-depth and accurate account of what SPI does/doesn’t do from Wikipedia, however that it’s really the purpose of this post.

You’ll need root access to the OpenVPN Server, as you have to change some of the server config files

So, on to the technical part of the procedure. You need to do the folllowing:

  1. Set the OpenVPN server config file to use TCP rather than UDP. This is done by changing the line proto udp to proto tcp in the server config file (normally located at /etc/openvpn/server.conf).
  2. Set the OpenVPN client config file to use TCP rather than UDP. You can do this by changing the line proto udp to proto tcp-client in the client config file.
  3. Change the OpenVPN client config to connect to localhost rather than the remote server address. This is done by changing the “remote” line of the server to remote localhost 1194
  4. Create an SSH tunnel between the client machine and the OpenVPN Server, and forward from remote:1194 to localhost:1194. This can be done by running the command:
    ssh user@server -L 1194:localhost:1194 on the client machine (assuming you’re running Linux/Unix with the OpenSSH client binary installed)

All being well, after making those config file changes and creating your SSH tunnel, you’ll be able to tunnel OpenVPN through SSH.

It’s not the ideal solution – the is a lot more overhead when running OpenVPN in TCP mode, and even more when tunneling TCP over TCP, which is what you’re doing by using an SSH tunnel with VPN Traffic. However, needs must – and this is one way of getting round an SPI Firewall when SSH connections are allowed