SSH, OpenVPN and connection reset by peer

I have an OpenVPN server configured to listen on UDP ports. Recently I noticed that I can’t access some hosts in my network via SSH. Here’s my setup:

  • tun0 – the openvpn tunnel on the server
  • enp2s0 – the ethernet adapter connected to Verizon router
  • bunch of other servers connected to the same Verizon router

the IP address of tun0 is 10.9.0.1

my iptables is dead simple:

# Generated by iptables-save v1.6.0 on Sat Oct 22 01:16:10 2016
*filter
:INPUT ACCEPT [61507:19615383]
:FORWARD ACCEPT [13925:2889584]
:OUTPUT ACCEPT [58841:13675304]
-A FORWARD -i enp2s0 -o tun0 -j ACCEPT
COMMIT
# Completed on Sat Oct 22 01:16:10 2016
# Generated by iptables-save v1.6.0 on Sat Oct 22 01:16:10 2016
*nat
:PREROUTING ACCEPT [222:18139]
:INPUT ACCEPT [43:2580]
:OUTPUT ACCEPT [153:10471]
:POSTROUTING ACCEPT [238:15571]
-A POSTROUTING -o tun0 -j MASQUERADE
COMMIT
# Completed on Sat Oct 22 01:16:10 2016

one of the servers I can’t connect to has the IP address 192.168.1.157

the IP address of the client host that is connected via VPN is 10.9.0.100

I can ping 192.168.1.157 from 10.9.0.100. I can ping 10.9.0.100 from 192.168.1.157

I started nc -l -s 192.168.1.157 -p 2222 on 192.168.1.157 and tried to connect to port 2222 from 10.9.0.100. That worked: I can type in text on 10.9.0.100 and see it appearing on the other terminal, and then read(net): Connection reset by peer is printed on 192.168.1.157 and netcat terminates. If I connect to the netcat and try to type something on 192.168.1.157, then nothing appears in the console on 10.9.0.100 and I get this read(net): Connection reset by peer on 192.168.1.157.

I can telnet to port 22 on 192.168.1.157 from 10.9.0.100 but I can’t see the standard prompt of SSH server.

However if I try to connect to the server with the SSH client, I can see in the logs of the server that

Oct 22 01:26:56 http-1-1 sshd[626]: debug1: Forked child 995.
Oct 22 01:26:56 http-1-1 sshd[995]: debug1: Set /proc/self/oom_score_adj to 0
Oct 22 01:26:56 http-1-1 sshd[995]: debug1: rexec start in 5 out 5 newsock 5 pipe 7 sock 8
Oct 22 01:26:56 http-1-1 sshd[995]: debug1: inetd sockets after dupping: 3, 3
Oct 22 01:26:56 http-1-1 sshd[995]: debug1: getpeername failed: Transport endpoint is not connected
Oct 22 01:26:56 http-1-1 sshd[995]: debug1: ssh_remote_port failed

If I do tcpdump -i eth0 port 22 and src host 10.9.0.100 on 192.168.1.157 and try to connect via ssh from 10.9.0.100, I see this in /var/log/auth.log:

01:39:45.486123 IP 10.9.0.100.53546 > http-1-1.fios-router.home.ssh: Flags [S], seq 1176047909, win 29200, options [mss 1368,sackOK,TS val 8701042 ecr 0,nop,wscale 7], length 0
01:39:45.562909 IP 10.9.0.100.53546 > http-1-1.fios-router.home.ssh: Flags [.], ack 324252195, win 229, options [nop,nop,TS val 8701066 ecr 286207], length 0
01:39:45.567772 IP 10.9.0.100.53546 > http-1-1.fios-router.home.ssh: Flags [P.], seq 0:21, ack 1, win 229, options [nop,nop,TS val 8701066 ecr 286207], length 21
01:39:45.641442 IP 10.9.0.100.53546 > http-1-1.fios-router.home.ssh: Flags [R], seq 1176047931, win 0, length 0
01:39:45.839893 IP 10.9.0.100.53546 > http-1-1.fios-router.home.ssh: Flags [P.], seq 0:21, ack 1, win 229, options [nop,nop,TS val 8701150 ecr 286207], length 21

What am I missing here? I guess there’s some packet filtering happening in place, but I’m not sure if I screwed up my iptables, or whether the Verizon FiOS router screws up some packets while processing them. I don’t see where that RST packet really comes from.

Please advise.
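Added example, not part of the question or the answer: a small Python triage script over the tcpdump lines quoted above. It converts tcpdump's relative sequence numbers back to absolute ones using the ISN from the SYN, checks whether the RST carries exactly the next sequence number the client should use, and flags the data segment that is retransmitted after the RST. A stack that resets its own connection discards it and does not retransmit afterwards, so that combination is what a defender looks for when deciding whether a reset was generated by the client or by a device on the path. The TRACE string is a constructed copy of the page's five lines.

```python
import re

# Constructed copy of the five tcpdump lines quoted in the question.
TRACE = """\
01:39:45.486123 IP 10.9.0.100.53546 > http-1-1.fios-router.home.ssh: Flags [S], seq 1176047909, win 29200, options [mss 1368,sackOK,TS val 8701042 ecr 0,nop,wscale 7], length 0
01:39:45.562909 IP 10.9.0.100.53546 > http-1-1.fios-router.home.ssh: Flags [.], ack 324252195, win 229, options [nop,nop,TS val 8701066 ecr 286207], length 0
01:39:45.567772 IP 10.9.0.100.53546 > http-1-1.fios-router.home.ssh: Flags [P.], seq 0:21, ack 1, win 229, options [nop,nop,TS val 8701066 ecr 286207], length 21
01:39:45.641442 IP 10.9.0.100.53546 > http-1-1.fios-router.home.ssh: Flags [R], seq 1176047931, win 0, length 0
01:39:45.839893 IP 10.9.0.100.53546 > http-1-1.fios-router.home.ssh: Flags [P.], seq 0:21, ack 1, win 229, options [nop,nop,TS val 8701150 ecr 286207], length 21
"""

# timestamp, src, dst, flags, optional "seq A" or "seq A:B", length
LINE_RE = re.compile(
    r"^(\S+) IP (\S+) > (\S+): Flags \[([^\]]*)\]"
    r"(?:, seq (\d+)(?::(\d+))?)?.*, length (\d+)$"
)

def analyze(trace, src):
    """Check the segments sent by `src` (a bare IP): did the RST carry exactly
    the next sequence number the sender should use, and did the sender
    retransmit data after the RST? Returns a list of (timestamp, kind, detail)."""
    isn = None        # initial sequence number from the SYN
    next_seq = None   # absolute sequence number the sender should use next
    rst_seen = False
    findings = []
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group(2).startswith(src + "."):
            continue
        ts, flags, seq, seq_end, length = m.group(1), m.group(4), m.group(5), m.group(6), int(m.group(7))
        if "S" in flags and seq is not None:
            isn = int(seq)
            next_seq = isn + 1           # the SYN itself consumes one sequence number
        elif "R" in flags:
            rst_seen = True
            # tcpdump printed this RST's seq as an absolute number
            state = "in-window" if seq is not None and int(seq) == next_seq else "out-of-window"
            findings.append((ts, "RST", state))
        elif length > 0 and seq_end is not None and isn is not None:
            # data segments are printed with seq relative to the ISN; convert back
            start, end = isn + 1 + int(seq), isn + 1 + int(seq_end)
            if rst_seen and start < next_seq:
                findings.append((ts, "RETRANSMIT_AFTER_RST", f"{start}:{end}"))
            next_seq = max(next_seq, end)
    return findings

if __name__ == "__main__":
    for ts, kind, detail in analyze(TRACE, "10.9.0.100"):
        print(ts, kind, detail)
```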

Answer

Try replacing tun0 with enp2s0 in the POSTROUTING chain rule.
And the rule in the FORWARD chain seems unnecessary.

Attribution: Source: Link, Question Author: jdevelop, Answer Author: Sam