SSH to Linux machine behind VPN server shows IP address of VPN server

linush100
Posts: 3
Joined: Sat Sep 15, 2018 6:01 pm

SSH to Linux machine behind VPN server shows IP address of VPN server

Post by linush100 » Sat Sep 15, 2018 6:29 pm

I have SoftEther server installed on a machine on subnet 10.25.8.0/18, and I am able to SSH through the VPN server to machines in the same network on subnet 10.25.0.0/18, but the machine that I SSH into logs the IP address of the VPN server as the originating address. Is there a way for it to show the IP address of the machine where I am running the SSH client process?

See example snippet from /var/log/messages:

msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="<user>" exe="/usr/sbin/sshd" hostname=10.25.8.10 addr=10.25.8.10 terminal=ssh res=success'

Preferably, I'd like to see the public IP address in cases where the user is behind a router and has, for example, a 192.168.0.0 IP address assigned to his/her computer.

Thanks for any help.
Linus

cowgoesmoo
Posts: 2
Joined: Thu Sep 20, 2018 11:03 am

Re: SSH to Linux machine behind VPN server shows IP address of VPN server

Post by cowgoesmoo » Sat Sep 22, 2018 3:58 pm

Hi Linus,

What you're trying to achieve is difficult, because the whole point of the VPN is for clients to appear to be part of the network where the VPN server is. Regardless of whether you use local bridging or SecureNAT/VDHCP to get VPN traffic onto the local network, it will always appear in the logs that the connection is coming from an IP address on the local network.

You might be able to use information from the log files of the VPN server and/or the local subnet's DHCP server to try and work out who is connecting, but it is non-trivial to do this.

The simplest way is probably to expose a port for the SSH server and allow people to connect directly, thereby giving you their external IP every time they log in. If you go down that route, you will obviously want to take measures to harden the SSH server, and implement a basic firewall to control who can access it.

Kind Regards,

moo
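
Added example (not part of either post, and not SoftEther code): a sketch of the log correlation mentioned in the reply above, matching sshd audit records that show the VPN server's address against VPN sessions active at the login time. The session tuple layout, the users, the public IPs and the timestamps are constructed assumptions; real session data would have to be extracted from the VPN server's own logs.

```python
import re
from datetime import datetime

VPN_SERVER_ADDR = "10.25.8.10"  # the address sshd records in the post's log line

# Assumed export of VPN sessions (not SoftEther's log format; constructed values):
# (vpn_user, client_public_ip, session_start, session_end)
VPN_SESSIONS = [
    ("alice", "203.0.113.7", "2018-09-15T18:20:00+00:00", "2018-09-15T18:45:00+00:00"),
    ("bob", "198.51.100.23", "2018-09-15T18:40:00+00:00", "2018-09-15T19:10:00+00:00"),
]

def audit_line(ts, acct, addr):
    """Build a constructed audit record around the msg= field shown in the post."""
    return (f"type=USER_ACCT msg=audit({ts}.000:1): pid=1 uid=0 msg='op=PAM:accounting "
            f'grantors=pam_unix,pam_localuser acct="{acct}" exe="/usr/sbin/sshd" '
            f"hostname={addr} addr={addr} terminal=ssh res=success'")

AUDIT_LINES = [
    audit_line(1537036140, "alice", "10.25.8.10"),  # 18:29 UTC, one session active
    audit_line(1537036920, "bob", "10.25.8.10"),    # 18:42 UTC, two sessions overlap
    audit_line(1537039800, "alice", "10.25.8.10"),  # 19:30 UTC, no session active
    audit_line(1537037000, "carol", "10.25.1.5"),   # not via the VPN server
]

AUDIT_RE = re.compile(r'msg=audit\((?P<ts>\d+)\.\d+:\d+\).*?acct="(?P<acct>[^"]+)"'
                      r'.*?exe="/usr/sbin/sshd".*?\baddr=(?P<addr>\S+).*?res=(?P<res>\w+)')

def epoch(iso):
    return datetime.fromisoformat(iso).timestamp()

def attribute(lines, sessions, vpn_addr=VPN_SERVER_ADDR):
    """Map each successful sshd login to the public IPs that could be behind it."""
    result = {}
    for line in lines:
        m = AUDIT_RE.search(line)
        if not m or m["res"] != "success":
            continue
        ts, addr = int(m["ts"]), m["addr"]
        if addr != vpn_addr:
            result[(ts, m["acct"])] = [addr]  # direct connection: logged address is the source
        else:  # via VPN: every session active at login time is a candidate
            result[(ts, m["acct"])] = sorted(
                ip for _user, ip, start, end in sessions if epoch(start) <= ts <= epoch(end))
    return result

if __name__ == "__main__":
    for key, ips in attribute(AUDIT_LINES, VPN_SESSIONS).items():
        print(key, ips or "no VPN session active")
```

When a login returns more than one candidate, time overlap alone cannot attribute it, which is the non-trivial part the reply refers to.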
