ssh over openvpn works but times out and stops

I have a GL.iNet GL-SFT1200 (Opal) and I'm connecting it to my home pfsense box via openvpn. All of that works fine and the connection is made and seems stable. I can contact the gl-inet box as host 192.168.2.2 over the vpn from a computer inside the pfsense NATed network.

When I establish an ssh connection to the gl-inet box, it works fine, asks for password, logs in, and I have a prompt. Hitting return gives another prompt for about 30 seconds. At that point, packets just stop and a few seconds later the ssh connection dies.

I have the openvpn configured with "Allow Remote Access LAN" and "IP Masquerading". I tried setting MTU to 512, but then the VPN never comes up, so I set it back to the default of 1500.

I looked around for some ssh daemon timeout on the gl-inet box, but didn't see anything.

What am I missing?

Hello,

I did not seem to reproduce this issue in my SFT1200.

PC VPN remotely connects to SFT1200, PC initiates SSH to connect to the SFT1200, and the SSH never disconnected.

Please check whether the network is disconnected:

  1. From the PC, ping the pfsense WAN IP, like ping x.x.x.x -t.
  2. After the PC establishes a VPN connection with the SFT1200, ping the OpenVPN server IP from the PC, such as ping 10.8.0.1 -t.

Thanks for the data point!

Using my phone to create a VPN to my home pfsense box, then using a terminal emulator on my phone to ssh to the gl-inet's IP address on its own VPN, I was able to login and it didn't time out. Of course, this means the phone and the gl-inet are both on the same subnet.

This would seem to indicate that my pfsense box is breaking the connection because it's coming from inside my home network, perhaps. More investigation is needed, but it's definitely interesting that a VPN and ssh connection directly from my phone works fine.

Oh, I tried your various ping tests and a ping from my laptop continues receiving a response even while the ssh connection dies. It's beginning to look like a firewall issue of some type, directed specifically at the ssh port. (Also, connecting to the gl-inet's web server using the same address works fine, so it seems specific to ssh.)

Generally, after establishing a VPN tunnel, access is already simulated as local access. As long as the VPN connection is stable, services such as the GL GUI and router SSH should be stable.

In addition, the GL firmware does not have a timeout disconnection rule for SSH. It will always remain connected once it is connected.

As you said, the ping OpenVPN server IP has not been lost, so the VPN connection has not been disconnected.

Maybe it's a rule in your SSH software? Or the firewall of your client OS?