ssh X11 forwarding fails when VPN connected.

I have machine A running Debian Stretch and the PIA client. From machine B (also Debian Stretch), I can ssh (without X11) to A whether the VPN is connected or not. If I ssh to A when the VPN is connected using "ssh -X" or "ssh -Y", it connects with the message "X11 forwarding request failed on channel 0" and I can't run any X clients. If the VPN is disconnected it works.

Comments

  • with the VPN up, your machine B IP addresses (two of them) are:
    1. the same IP address as when the VPN is down (but useable only from your LAN)
    plus
    2. the IP address of the PIA server

    which of the two network interfaces is ssh using to reach machine A?
  • I'm using the LAN IP to connect to A.

  • try making sure ssh binds to the LAN interface when the VPN is up (ref. "-b" parameter)
  • What options do you have enabled with the VPN? Killswitch by chance?

    It should work fine given that everything is tunnelled through the SSH tunnel, but for this to work SSH has to bind a port on the remote machine (so apps can connect to it). If the remote machine has a firewall rule to prevent connections to whatever address SSH bound to there, the X11 forward will fail. Depending on the network situation, SSH may also not source the traffic from the correct address on your local machine.
  • No options enabled. It is the default install. Both machines are not running a firewall. The local machine is not running a VPN so -b will not help.

  • will you or did you make sure your 'local machine' ssh binds to the local machine's LAN interface when you attempt your x11 tunnelling? (your default route will send ssh traffic to the VPN interface otherwise when the VPN is up)
  • Alright, so I've run a few tests and I think I have figured it out.

    When you enable the VPN on the remote machine, PIA by default has IPv6 leak protection enabled, which disables IPv6 completely on the machine. However, sshd was started with IPv6 support, so when you do the X11 forward request, it attempts to bind both on IPv4 and IPv6 localhost and fails to bind on the IPv6 one.

    Disabling IPv6 leak protection in the app works around it, but to properly fix it you can also set
    AddressFamily=inet
    in your /etc/ssh/sshd_config so it uses IPv4 only.
  • Thanks Max-P. Disabling IPv6 in sshd fixed it.

  • ah! that's good news. and something for me to file away in the memory bank. it was related to interface binding but i didn't give the right solution. sorry.
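
Added example (not part of the thread, not PIA or OpenSSH code): a check for the condition the accepted answer describes, meant to be run on the sshd host (machine A). It assumes the leak protection disables IPv6 through the net.ipv6.conf.all.disable_ipv6 sysctl; the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Print the effective AddressFamily from an sshd_config-style file.
# sshd keeps the first value it sees for a keyword; keywords are
# case-insensitive and may be separated from the value by blanks or '='.
# The default when unset is "any". Include directives are not followed.
sshd_address_family() {
    awk '
        { sub(/#.*/, ""); gsub(/=/, " ") }
        tolower($1) == "addressfamily" { print tolower($2); found = 1; exit }
        END { if (!found) print "any" }
    ' "$1"
}

# Report whether X11 forwarding is likely to fail as described in the thread.
#   $1 = value of net.ipv6.conf.all.disable_ipv6 (assumed mechanism: 0 or 1)
#   $2 = path to an sshd_config file
# Returns 1 when IPv6 is disabled but sshd is not restricted to IPv4.
x11_forward_check() {
    family=$(sshd_address_family "$2")
    if [ "$1" = "1" ] && [ "$family" != "inet" ]; then
        echo "at-risk: IPv6 disabled, sshd AddressFamily=$family"
        return 1
    fi
    echo "ok: disable_ipv6=$1, sshd AddressFamily=$family"
    return 0
}

# Constructed sample: a default-style config with AddressFamily commented out.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 22
#AddressFamily any
X11Forwarding yes
EOF
x11_forward_check 1 "$sample" || true   # VPN up, leak protection on
x11_forward_check 0 "$sample" || true   # VPN down
rm -f "$sample"

# Live check, only if the real files are readable on this host.
if [ -r /proc/sys/net/ipv6/conf/all/disable_ipv6 ] && [ -r /etc/ssh/sshd_config ]; then
    x11_forward_check "$(cat /proc/sys/net/ipv6/conf/all/disable_ipv6)" \
        /etc/ssh/sshd_config || true
fi
```
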