# SSH to a server using VPN at University



## cap10subtext (Oct 13, 2005)

This isn't Mac specific but same rules apply if I was connecting with Mac or PC.

I've got a linux server set up at a static IP and the IT department at the University I'm working with said the only way to SSH into the server from off campus was to connect the static IP to a VPN account.

Launched the VPN client, then tried to ssh into the server. The connection timed out. I tested the setup 100 different ways and could SSH into it without an issue but couldn't test it over VPN (for reasons beyond my control).

This is the first time I've ever done this when I don't have physical access to the server so I'm trying to cover all my bases here and figure out what is going wrong. If I'm connecting to the server using SSH from from a remote computer using their VPN client, is there something that needs to be changed on the server config? I'm having a lot of trouble finding information that isn't just about how to create an SSH tunnel as a substitute for VPN which is not at all what I'm trying to do.


----------



## smashedbanana (Sep 23, 2006)

Are you connecting to a VPN and then SSHing to the local IP of the Linux server?


----------



## cap10subtext (Oct 13, 2005)

Yes.


----------



## steviewhy (Oct 21, 2010)

sudo rm -rf /


----------



## cap10subtext (Oct 13, 2005)

Okay so this is where I feel like I'm missing something. Maybe it's just the way I'm interpreting what you've written but unless I'm mistaken that setting would make it so that be default something like ssh to an IP goes over the VPN connection. But you've said that the Linux server needs to know where the request is coming from. Obviously the two machines need to be on the same network but then is there something I haven't changed in the sshd_config file on the Linux server that isn't active by default? I was under the impression that, for example, AllowTunneling was only for tunneling through SSH tunnels to another machine. Thought there'd be some documentation on it that would be similar to what i'm trying but googling it has proven elusive.


----------



## John Clay (Jun 25, 2006)

This should be working by default, and it's something I do several times every day.

The biggest issue I've encountered is when your local IP subnet is the same as the VPN server's - or when the server you're connecting to via SSH is on a different subnet from the VPN server, but still on the same network. If that's the case, then the VPN server needs to be configured to treat that subnet as local. Otherwise, your computer will try to connect via non-VPN WAN/LAN connection.


----------



## cap10subtext (Oct 13, 2005)

John Clay said:


> This should be working by default, and it's something I do several times every day.
> 
> The biggest issue I've encountered is when your local IP subnet is the same as the VPN server's - or when the server you're connecting to via SSH is on a different subnet from the VPN server, but still on the same network. If that's the case, then the VPN server needs to be configured to treat that subnet as local. Otherwise, your computer will try to connect via non-VPN WAN/LAN connection.


Thanks for the replies everyone.

It's starting to seem clearer to me that it should work already and something's gone wrong with the installation or that IT has either not added the device correctly or that they've failed to convey the proper setup information to me (wrong IP, port, etc...).

I guess I'll just have to wait and hear back from them...


----------



## BReligion (Jun 21, 2006)

You might also want to check the ACLs (access control lists) on both the Linux box as well as any firewalls on the university side. You would need to make sure the Linux server is going to allow connections from the IP subnet of the VPN. 

Also check that the VPN group your account is in is going to allow SSH. I know some of our VPN groups only allow RDP (port 3389) to a dozen servers, nothing else.

BReligion


----------



## cap10subtext (Oct 13, 2005)

So, here's a good one. The IT department, of the university which shall remain nameless, reported back on the issue. The support ticket said, "machine is now plugged in and turned on."

Oh Lordy, it hurts the brain...


----------



## John Clay (Jun 25, 2006)

cap10subtext said:


> So, here's a good one. The IT department, of the university which shall remain nameless, reported back on the issue. The support ticket said, "machine is now plugged in and turned on."
> 
> Oh Lordy, it hurts the brain...


Wow.


----------



## cap10subtext (Oct 13, 2005)

Best part is, there's no on switch. Plugging it in turns it on.

Oh, well, at least it's running... And you know, it wasn't my fault.  That's what's important here right?


----------



## BReligion (Jun 21, 2006)

cap10subtext said:


> So, here's a good one. The IT department, of the university which shall remain nameless, reported back on the issue. The support ticket said, "machine is now plugged in and turned on."
> 
> Oh Lordy, it hurts the brain...


Yup, that will do it everytime 

The only thing potentially worse would have been "machine now unpacked from box, awaiting insturctions to connect and power up"

BReligion


----------

