Tunneling OpenVPN Through SSH

I have recently discovered that it is fairly easy to tunnel OpenVPN through SSH. This is useful if you are behind a restrictive firewall that uses SPI (stateful packet inspection) to block services rather than plain old port blocking. An SPI firewall is able to distinguish between one packet type and another, without just checking the port that is in use. You can, of course, get a much more in-depth and accurate account of what SPI does and doesn’t do from Wikipedia; however, that isn’t really the purpose of this post.

You’ll need root access to the OpenVPN server, as you have to change some of the server config files.

So, on to the technical part of the procedure. You need to do the following:

  1. Set the OpenVPN server config file to use TCP rather than UDP. This is done by changing the line proto udp to proto tcp in the server config file (normally located at /etc/openvpn/server.conf).
  2. Set the OpenVPN client config file to use TCP rather than UDP. You can do this by changing the line proto udp to proto tcp-client in the client config file.
  3. Change the OpenVPN client config to connect to localhost rather than the remote server address. This is done by changing the “remote” line of the client config to remote localhost 1194.
  4. Create an SSH tunnel between the client machine and the OpenVPN server, and forward from remote:1194 to localhost:1194. This can be done by running the command ssh user@server -L 1194:localhost:1194 on the client machine (assuming you’re running Linux/Unix with the OpenSSH client binary installed).

All being well, after making those config file changes and creating your SSH tunnel, you’ll be able to tunnel OpenVPN through SSH.

It’s not the ideal solution – there is a lot more overhead when running OpenVPN in TCP mode, and even more when tunnelling TCP over TCP, which is what you’re doing by using an SSH tunnel with VPN traffic. However, needs must – and this is one way of getting round an SPI firewall when SSH connections are allowed.

4 thoughts on “Tunneling OpenVPN Through SSH”

  1. Pingback: Getting OpenVPN to run on random ports « nTh among all

  2. Didn’t you encounter any problems with routes when using this setup? OpenVPN will set up the default route through the tun/tap interface and a second route to remote through the previous gateway. If the remote is set up as localhost, you will not get a route to where the OpenVPN server really is. This makes the SSH connection (and the tunnel) fail after a while, as it tries to route its packets through the tun/tap interface.

    • I was concerned that this would be the case – but I had to use this set up for some time, and didn’t run into any trouble. My assumption was that because the SSH connection was established before OpenVPN set the new route up, the original route carried on being used – but I’m not sure!

  3. I ran into the exact problem that Andrzej described: the ssh tunnel drops after a few seconds due to trying to route through the OpenVPN connection.

    The solution is to set up a direct route to your server, using the current default route host, before starting the ssh tunnel:

    route add server current-default-route-host

    where “server” is the IP address of the OpenVPN server and “current-default-route-host” is the IP address of the current gateway to the Internet (the gateway for destination “” or “default” as given by route -n or netstat -rn).

    This seems to work: I am posting this comment through just such a tunnel!
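The client-side steps from the post (proto tcp-client, remote localhost 1194, the ssh -L tunnel) and the route pin from the comment above, collected into one script. This is an added example, not code from the original post or its commenters; it assumes a Linux client with iproute2 (ip route add ... via ... is used as the equivalent of the commenter's route add), and the server address, SSH user and config path are placeholders supplied by the caller.

```shell
#!/bin/sh
# Client side of OpenVPN-over-SSH. Order matters: pin the route to the
# server first, then open the SSH tunnel, then start OpenVPN, so that the
# tunnel keeps using the real gateway after OpenVPN replaces the default route.

# Turn a UDP client config (stdin) into the tunnelled one (stdout):
#   proto udp            -> proto tcp-client
#   remote <host> <port> -> remote localhost 1194
rewrite_client_config() {
    sed -e 's/^proto udp$/proto tcp-client/' \
        -e 's/^remote .*/remote localhost 1194/'
}

# Current default gateway from the kernel routing table (empty if none).
default_gateway() {
    ip route show default | awk '/^default/ { print $3; exit }'
}

# Host route to the OpenVPN server via the gateway in use before the VPN
# comes up, so the SSH session is not pulled into the tun interface later.
pin_route_cmd() {   # $1 = server IP, $2 = gateway IP
    printf 'ip route add %s/32 via %s\n' "$1" "$2"
}

# Local port 1194 -> 1194 on the server's loopback; -N: no remote shell.
ssh_tunnel_cmd() {  # $1 = SSH user, $2 = server IP
    printf 'ssh -N -L 1194:localhost:1194 %s@%s\n' "$1" "$2"
}

# Run the whole sequence (needs root for the route and for OpenVPN).
# Usage: start_vpn_over_ssh alice 203.0.113.5 /etc/openvpn/client-ssh.conf
start_vpn_over_ssh() {   # $1 = SSH user, $2 = server IP, $3 = client config
    gw=$(default_gateway)
    [ -n "$gw" ] || { echo "no default gateway found" >&2; return 1; }
    eval "$(pin_route_cmd "$2" "$gw")" || return 1
    ssh -f -N -L 1194:localhost:1194 "$1@$2" || return 1   # -f: background
    openvpn --config "$3"
}
```

The rewritten config must otherwise match the server, which now has proto tcp; the sample addresses in the usage line are placeholders.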
