A relatively unknown feature of OpenSSH is its ability to create a VPN tunnel. This was implemented in version 4.3. I am not talking about port forwarding. This VPN creates a virtual network interface, which you can use like any other network interface. This is much more flexible than simple TCP port forwarding. It can be used for UDP and ICMP.
To set it up is actually very simple, but because I couldn’t find any good documentation, it wasn’t easy to figure out.
Here are the steps:
On the server, in /etc/ssh/sshd_config, configure it to allow tunneling and allow root login (if it isn’t there already):
PermitTunnel yes
PermitRootLogin yes
Restart the server with
/etc/init.d/sshd restart
From the client, you can then connect as root, logging in as root on the server:
sudo ssh -w any:any root@fedoku
You need to be root on the client, and log in as root. This is important, because only root can create the needed network devices (this is where I was stuck for some time).
When that succeeds, you will see a tun device on both server and client:
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
POINTOPOINT NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
Now you just need to configure them, both on server and client. Because they are point-to-point devices, you need to set the respective peer. The ifconfig commands mirror each other:
Client:
ifconfig tun0 10.0.0.1 pointopoint 10.0.0.2
Server:
ifconfig tun0 10.0.0.2 pointopoint 10.0.0.1
That’s it, actually. Now you can set up routing, firewall, NAT and so on, if needed.
There is also a way to use layer 2 networking, with virtual ethernet devices. All you have to do is to set the device type in the client configuration file:
Tunnel ethernet
The network devices now show up as tap instead of tun. The advantage is that you can use those for IPv6. I was never able to do that with the tun devices.
Another good piece of documentation can be found here – which I found when I already had it figured out.
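An added check, not part of the original post: a shell function that reads the effective server configuration in the lowercase "keyword value" format printed by `sshd -T` and flags the combination configured in the server step above, tunnelling enabled together with root login that still accepts passwords. The function name `audit_tunnel_config` and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post).
# Reads effective sshd settings ("keyword value", lowercase, as `sshd -T`
# prints them) on stdin. Prints one finding per line and returns 1 if
# any finding is HIGH, 0 otherwise.
audit_tunnel_config() {
    awk '
        $1 == "permittunnel"    { tunnel = $2 }
        $1 == "permitrootlogin" { root = $2 }
        END {
            # A missing permittunnel line is treated as "no" (tunnelling off).
            if (tunnel == "" || tunnel == "no") {
                print "OK tunnelling disabled"
                exit 0
            }
            high = 0
            if (root == "yes") {
                print "HIGH root login with passwords allowed while tunnelling is on"
                high = 1
            } else if (root == "no" || root == "") {
                print "INFO root login not enabled: ssh -w as root will be refused"
            } else {
                # e.g. prohibit-password or forced-commands-only
                print "OK root login restricted to " root
            }
            if (tunnel == "yes") {
                print "INFO tun and tap both allowed; point-to-point covers the layer 3 setup"
            }
            exit high
        }'
}

# Constructed sample mirroring the settings in this post (not real output).
# On a server, as root: sshd -T | audit_tunnel_config
audit_tunnel_config <<'EOF' || true
permitrootlogin yes
permittunnel yes
EOF
```

A narrower server configuration that still supports the layer 3 tunnel is `PermitTunnel point-to-point` with `PermitRootLogin prohibit-password`, so that root can only log in with a key.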