SSH to container stops when OpenVPN is connected... how to allow

I have an LXC container that runs OpenVPN. The container's network adapter is a NAT bridge run by lxc-net.
Host machine = 192.168.1.103
LXC = 10.0.3.100

On the host, I added this to /etc/ufw/before.rules

*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp --dport 22220 -j DNAT --to-destination 10.0.3.100:22
COMMIT

That allows me to connect to the LXC with this command:

ssh -p 22220 192.168.1.103

I can ssh into this container just fine when OpenVPN is not running, but when it connects, the ssh session freezes (I cannot Ctrl+C or do anything). Trying to ssh via another session just times out. I am wondering what I can do within the container (also using ufw) to prevent this. The container uses ufw, which I set up per this wiki.

Sorry for not replying to your question; as I use LXD, I have no direct experience of your use case, but I just wanted to say that I used your way to connect directly to a container for a long time, and I just discovered another way of doing it that has been an instant sell for me. I found it a much better way since I can keep a single door open for all my connections, so maybe it could be of interest to you too:
that's the ProxyJump feature of ssh.
In the .ssh/config of your computer, add something like:

Host jump
     HostName <your host name or IP>
     User jump
     PreferredAuthentications publickey
     IdentityFile <private key whose public half is installed on the host>

Host yourcontainer
     User yourcontainerusername
     ProxyJump jump
     IdentityFile <private key whose public half is installed in the container>

Your keys should be generated on your work computer and transferred respectively to the host and the container. The name 'yourcontainer' should be usable from the host (it can be in the hosts file and not really known from the outside), or just use the internal container IP address. The user on the host ('jump' in my example) must have login rights and capability (but does not need special rights).

Depending on your ssh host config, you may have to add to the sshd_config something like:

Match user jump
    PasswordAuthentication no
    AuthenticationMethods publickey

Match all
    # Change to no to disable tunnelled clear text passwords
    PasswordAuthentication yes

HTH

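An added example (not from this thread and not an OpenSSH tool) showing why the `Match user jump` block has to come before `Match all`: sshd applies the first value it obtains for a keyword, and a matching Match block overrides the global section. The checker models only the `all` and `user` criteria (an assumption made for brevity) and runs on a constructed copy of the snippet above.

```python
import shlex

# Constructed sample: the Match blocks from the post.
SAMPLE_SSHD_CONFIG = """
Match user jump
    PasswordAuthentication no
    AuthenticationMethods publickey
Match all
    # Change to no to disable tunnelled clear text passwords
    PasswordAuthentication yes
"""
# Same keywords with the blocks swapped: 'Match all' now comes first.
MISORDERED_SSHD_CONFIG = """
Match all
    PasswordAuthentication yes
Match user jump
    PasswordAuthentication no
"""

def parse_blocks(text):
    """[(criteria, options), ...]; entry 0 (criteria None) is the global section."""
    blocks = [(None, {})]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, *args = shlex.split(line)
        if key.lower() == "match":
            blocks.append(([a.lower() for a in args], {}))
        else:
            # within one section sshd keeps the first occurrence of a keyword
            blocks[-1][1].setdefault(key.lower(), " ".join(args))
    return blocks

def block_matches(criteria, user):
    """Only the 'all' and 'user' criteria are modelled (assumption)."""
    if criteria == ["all"]:
        return True
    for attr, pattern in zip(criteria[::2], criteria[1::2]):
        if attr == "user" and user not in pattern.split(","):
            return False
    return True

def effective(text, user, keyword):
    """Value sshd uses: first matching Match block that sets it, else global."""
    blocks = parse_blocks(text)
    for criteria, opts in blocks[1:]:
        if block_matches(criteria, user) and keyword.lower() in opts:
            return opts[keyword.lower()]
    return blocks[0][1].get(keyword.lower())
```

With the post's ordering the jump user gets `PasswordAuthentication no` while everyone else keeps `yes`; with `Match all` first, the jump user silently keeps password logins.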

Nice, the jumpproxy allows me to ssh in, but without additional forwarding I am unable to reach the webserver running in the LXC… I can forward ports with ssh, but I need the ability to hit the httpd directly.

Thanks for sharing the JumpProxy stuff though :)

Well, not necessarily; there is the possibility to run an HTTP app server in a container while running a proxy (such as nginx or haproxy) on the host that will handle the HTTPS stuff. There are tons of posts on such setups on this forum…