Allow SSH to bypass VPN on OS X Mavericks using pf

[zycho42]

My home computer running Mavericks connects to the internet through an OpenVPN connection. However, I would like to be able to connect to my home computer from outside over ssh. Ssh is set up and working, but when I connect to the vpn ssh is only accessible from inside my home network.

I figure what's going wrong is my router forwards incoming ssh connections to my mac, but then my mac replies over the vpn, so the connection from outside times out. I've got pf set up for a couple of other things, but I can't figure out how to let the ssh replies bypass the vpn using pf. I've come across other solutions that use ip tables, routing tables and rules, but I can't figure out how to set that up on mavericks.

I've been searching for this for a while now but I haven't found a working solution. Any help would be greatly appreciated!

 

[satcomer]

Did you use a forwarding service for your Dynamic IP? Something like No-IP.com or read the article The Best Free Alternatives to DynDNS.

 

[zycho42]

@satcomer: yes, I'm using a dynamic dns service. The ssh request makes it to my home computer, the problem is that when my mac replies to the ssh request it gets routed through the vpn connection instead of to my router and back to the extarnal computer. I'm trying to configure pf so that it will catch the packages coming in on port 22 en reply to those through my ethernet interface instead of the vpn interface. Unfortunately I haven't been able to.

 

[BrianBaughn]

If that dynamic DNS address is setup on your router I would try a different dynamic DNS address with the location updater app for it on the computer itself. The computer is sending all traffic via the VPN to which it's connected, so the DDNS name should correspond with the IP of the VPN...a different IP than the one on the router.

I have no idea if that would work, though. Probably depends a great deal on the VPN service.

 

[zycho42]

@BrianBaughn: unfortunately that will not work with my vpn service. Thanks for the suggestion though.

 

[BrianBaughn]

You'd think someone would have figured it out using pf already. These days I have a tendency to believe that if you can't find it on the internet it can't be done.

You're probably already using something like Teamviewer to get to the Mac and run Terminal.

 

[zycho42]

@BrianBaughn haha, yeah you'd think that. But pf syntax for mac remains a bit mysterious to me. Tried a bunch of things that I think should work, but don't. Was really hoping some pf guru would read this and go "oh, that's easy!" but guess not ;-)

Anyway, yes, I have access through teamviewer and terminal, but it's much easier to use ssh for what I'm doing.

 

[Kasalic]

@BrianBaughn haha, yeah you'd think that. But pf syntax for mac remains a bit mysterious to me. Tried a bunch of things that I think should work, but don't. Was really hoping some pf guru would read this and go "oh, that's easy!" but guess not ;-)

Anyway, yes, I have access through teamviewer and terminal, but it's much easier to use ssh for what I'm doing.

I use SSH to remotely manage several Mac OS X servers, although in all cases they have a static IP address, using DDNS should be no different. I simply connect using the domain name, making sure that Port 22 is forwarded to the internal IP of the server or machine you wish to connect to. I cannot recall if I have tried to connect by SSH whilst the VPN is active, but providing you do not have the VPN set to 'route all traffic by VPN' it should work fine.

 

[sporting]

I use SSH to remotely manage several Mac OS X servers, although in all cases they have a static IP address, using DDNS should be no different. I simply connect using the domain name, making sure that Port 22 is forwarded to the internal IP of the server or machine you wish to connect to. I cannot recall if I have tried to connect by SSH whilst the VPN is active, but providing you do not have the VPN set to 'route all traffic by VPN' it should work fine.

Now if I would want exactly that: all traffic through VPN appart from incoming ssh connections, what would be the best way to go about things?
My approach would be to have PF filter out ssh traffic and route through the physical interface of the machine instead of the default route via the TUN/TAP if in use by openvpn. Anyone set up something like this?