That allows me to connect to the LXC with this command:
ssh -p 22220 192.168.1.103
I can ssh into this container just fine when openvpn is not running, but when it connects, the ssh connection freezes (cannot ctrl+c or do anything). Trying to ssh via another session just times out. I am wondering what I can do within the container (also using ufw) to prevent this. The container uses ufw, which I set up per this wiki.
Sorry for not replying to your question; as I use LXD I have no direct experience of your use case, but I just wanted to say that I used your way to connect directly to a container for a long time and I just discovered another way of doing it, and it has been an instant sell for me. I find it a much better way since I can keep a single door open for all my connections, so maybe it could be of interest to you too.
That's the ProxyJump feature of ssh.
In the .ssh/config of your computer add something like:
Host jump
HostName <your host name or IP>
User jump
PreferredAuthentications publickey
IdentityFile <private key whose public half is installed on the host>
Host yourcontainer
User yourcontainerusername
ProxyJump jump
IdentityFile <private key whose public half is installed in the container>
Your keys should be generated on your work computer and their public halves transferred respectively to the host and the container. The name ‘yourcontainer’ should be resolvable from the host (it can be in the hosts file and not really known from the outside), or just use the internal container IP address. The user on the host (‘jump’ in my example) must have login rights and capability (but does not need special rights).
Depending on your ssh host config, you may have to add to the sshd_config something like:
Match User jump
PasswordAuthentication no
AuthenticationMethods publickey
Match all
# Change to no to disable tunnelled clear text passwords
PasswordAuthentication yes
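To see why the `Match User jump` / `Match all` pair above locks only the jump user to public-key authentication while everyone else keeps password logins, here is an added example (not code from the thread or from OpenSSH) that resolves the effective sshd settings for a given user. It models the relevant sshd_config rules: global keywords keep the first value seen, the first matching Match block wins for each keyword, and Match values override the global section. The config text is a constructed sample built from the fragment above; the user names are assumptions. On a real server, the authoritative check is `sshd -T -C user=jump`.

```python
"""Resolve effective sshd authentication settings per user (added example)."""

# Constructed sample: the Match fragment from the post plus one global keyword.
SAMPLE_SSHD_CONFIG = """\
PubkeyAuthentication yes
Match User jump
    PasswordAuthentication no
    AuthenticationMethods publickey
Match all
    # Change to no to disable tunnelled clear text passwords
    PasswordAuthentication yes
"""


def parse_sshd_config(text):
    """Return (global_settings, match_blocks).

    match_blocks is a list of (criteria, settings) in file order; criteria is a
    list of (kind, pattern) pairs, and an empty list means 'Match all'.
    Keywords are lower-cased because sshd treats them case-insensitively.
    """
    global_settings = {}
    blocks = []
    current = None  # settings dict of the Match block being filled, if any
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        key, args = parts[0].lower(), parts[1:]
        if key == "match":
            criteria = []
            if [a.lower() for a in args] != ["all"]:
                criteria = [(args[i].lower(), args[i + 1])
                            for i in range(0, len(args) - 1, 2)]
            current = {}
            blocks.append((criteria, current))
        elif current is not None:
            current.setdefault(key, " ".join(args))  # first value in a block wins
        else:
            global_settings.setdefault(key, " ".join(args))  # first global value wins
    return global_settings, blocks


def block_matches(criteria, user):
    """True if every criterion matches; only the User criterion is modelled here."""
    for kind, pattern in criteria:
        if kind == "user":
            if user not in pattern.split(","):
                return False
        else:
            raise ValueError(f"unsupported Match criterion: {kind}")
    return True


def effective_settings(text, user):
    """Settings sshd would apply to a connection authenticating as `user`."""
    global_settings, blocks = parse_sshd_config(text)
    match_settings = {}
    for criteria, settings in blocks:
        if block_matches(criteria, user):
            for key, value in settings.items():
                match_settings.setdefault(key, value)  # first matching block wins
    return {**global_settings, **match_settings}  # Match values override global


def jump_user_is_key_only(text, user):
    """Check the property the post is after: no passwords, public key required."""
    eff = effective_settings(text, user)
    return (eff.get("passwordauthentication") == "no"
            and "publickey" in eff.get("authenticationmethods", "").split(","))


if __name__ == "__main__":
    for user in ("jump", "alice"):  # 'alice' is an assumed ordinary account
        print(user, effective_settings(SAMPLE_SSHD_CONFIG, user),
              "key-only" if jump_user_is_key_only(SAMPLE_SSHD_CONFIG, user) else "passwords allowed")
```

The `Match all` line matters because everything after a `Match` line belongs to that block until the next `Match`; without it, the trailing `PasswordAuthentication yes` would be parsed as part of the jump user's block instead of applying to other users.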
Nice, the ProxyJump allows me to ssh in, but without additional forwarding I am unable to reach the webserver running in the LXC… I can forward ports with ssh, but I need the ability to hit the httpd directly.
Well, not necessarily; there is the possibility to run an http app server in a container while running a proxy (such as nginx or haproxy) on the host that will handle the https stuff. There are tons of posts on such setups on this forum…