OpenVPN: Open Specific Port for external SSH access

1 1261
Hallo to all experts,

I am using as BPi M1 behind a router as a download station and media server (DLNA) for my local network with minidlna.
Bananian 15.08 is installed. For security reasons I use an external VPN Service. The network uses a router to the internet (cable company), therefore I have an free dyn DNS service running to access my network from outside.

The router has specific ports forwarded to 22 of my BPi M1.

So far everything works OK, however when I want to access my BPi M1 with running OpenVPN this ist of course not working directly. I have to access an second BPi M1 without VPN an then use an SSH tunnel.

I want to open the 22 port of my BPi M1 with OpenVPN to access die BPi directly without separat SSH tunnel.

As a Newbie to Linux and VPN I am a bit confused. I only found the following solution on the net, but it is not working with my banana pi and I am not able to adjust ist to my settings:

Who can help me on this?

Any help highly appreciated.

Kind regards,


That's the way I solved my problem, based on different posts on several help sites, most helpful was

Permanently you have to add an additional iptable (/etc/iproute2/rt_tables):

  1. <pre><code>$ echo 201 mytable >> /etc/iproute2/rt_tables</code></pre>
Copy the Code

The following commands have to be executed every time, so it is a good idea to create an autostart rule.

Here is just an short explanation, what we do, partly quoted from the site mentioned above:
Check for any existing ip rules that deal with netfilter masks:
  1. <blockquote><p>ip rule show | grep fwmark</p>
Copy the Code

If grep turns up nothing, you're in the clear.  If it does print some lines, take note of the hexadecimal number to the right of the word 'fwmark' in each line.  You will need to pick a number that is not currently in use.  Since I had no existing fwmark rules, I chose the number 65
so that's the first command line:
  1. ip rule add fwmark 65 table mytable
Copy the Code
Next ist to add a route to eth0 (as that's the network connection I use, 192.168.X.X ist the internal IP address of your router:
  1. ip route add default via 192.168.X.X dev eth0 table mytable
Copy the Code
Just to make sure  the new rules and routes take immediate effect:
  1. ip route flush cache
Copy the Code
Now comes the decisive line that all output of port 22 is marked with 65 so that the defined rules and our iptable is used:
  1. iptables -t mangle -A OUTPUT -p tcp --sport 22 -j MARK --set-mark 65
Copy the Code
As last command I followed the recommendation that all traffic of port 22 over the vpn is ignored:
  1. iptables -A INPUT -i tun0 -p tcp -m tcp --dport 22 -j DROP
Copy the Code

Put all together in a script and that's it. To adjust to further / other ports should be easy for everyone.

Hope that helps others with similar questions.


You have to log in before you can reply Login | Sign Up

Points Rules