A relatively unknown feature of OpenSSH is its ability to create a VPN tunnel, available since version 4.3. I am not talking about port forwarding: this VPN creates a virtual network interface, which you can use like any other network interface. This is much more flexible than simple TCP port forwarding, since it also carries UDP and ICMP.
Setting it up is actually very simple, but because I couldn’t find any good documentation, it wasn’t easy to figure out.
Here are the steps:
On the server, in /etc/ssh/sshd_config, allow tunnel forwarding and root login (if they aren’t there already):
PermitTunnel yes
PermitRootLogin yes
Restart the server with
/etc/init.d/sshd restart
From the client, you can then connect as root, logging in as root on the server:
sudo ssh -w any:any root@fedoku
You need to be root on the client, and log in as root on the server. This is important, because only root can create the needed network devices (this is where I was stuck for some time).
When that has succeeded, you will see a tun device on both server and client:
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
POINTOPOINT NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
Now you just need to configure them, on both server and client. Because they are point-to-point devices, you need to set the respective peer on each side. The ifconfig commands mirror each other:
Client:
ifconfig tun0 10.0.0.1 pointopoint 10.0.0.2
Server:
ifconfig tun0 10.0.0.2 pointopoint 10.0.0.1
That’s it, actually. Now you can set up routing, firewalling, NAT and so on, if needed.
There is also a way to use layer 2 networking, with virtual ethernet devices. All you have to do is set the tunnel type in the client configuration file (the option is Tunnel; TunnelDevice only selects the tun device numbers):
Tunnel ethernet
The network devices now show up as tap instead of tun. The advantage is that you can use those for IPv6. I was never able to do that with the tun devices.
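The following shell script is an added example, not code from the original post: a pre-flight check for the two sshd_config settings the steps above depend on (covering both the point-to-point and the ethernet case), plus a generator for the per-end interface commands. It assumes a POSIX shell with awk and iproute2; the sample config it writes is constructed for illustration, and on a real server you would pass /etc/ssh/sshd_config instead. The ip commands it prints are the iproute2 equivalents of the ifconfig lines above.

```shell
#!/bin/sh
# Added example (not from the original post). Checks an sshd_config for the
# settings the tunnel needs and prints the commands for each end of tun0.

# Print the effective value of a keyword in an sshd_config file, lower-cased.
# sshd uses the first occurrence of a keyword, ignores comment lines, matches
# keywords case-insensitively and accepts "Key value" as well as "Key=value".
sshd_setting() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        {
            line = $0
            sub(/^[ \t]*/, "", line)
            if (line == "" || line ~ /^#/) next
            sub(/=/, " ", line)               # first "=" acts as the separator
            n = split(line, f, /[ \t]+/)
            if (n >= 2 && tolower(f[1]) == key) { print tolower(f[2]); exit }
        }
    ' "$1"
}

# Return 0 when the file allows tun forwarding and some form of root login
# (key-only root login, "without-password" or its later name
# "prohibit-password", is enough for the post's setup). An absent keyword is
# treated as not configured, so the check is deliberately conservative.
check_tunnel_ready() {
    ok=0
    case "$(sshd_setting "$1" PermitTunnel)" in
        yes|point-to-point|ethernet) ;;
        *) echo "PermitTunnel must be yes, point-to-point or ethernet"; ok=1 ;;
    esac
    case "$(sshd_setting "$1" PermitRootLogin)" in
        yes|without-password|prohibit-password) ;;
        *) echo "PermitRootLogin must allow root (yes, or key-only)"; ok=1 ;;
    esac
    return $ok
}

# Return 0 when the server also permits the layer 2 (tap) variant, which
# needs PermitTunnel set to yes or ethernet, not point-to-point.
layer2_allowed() {
    case "$(sshd_setting "$1" PermitTunnel)" in
        yes|ethernet) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the commands for one end of the point-to-point link:
# tunnel_commands <local address> <peer address> [tun number, default 0].
# Using "ssh -w 0:0" instead of "any:any" pins the device to tun0 on both ends.
tunnel_commands() {
    dev="tun${3:-0}"
    echo "ip addr add $1 peer $2 dev $dev"
    echo "ip link set $dev up"
}

# Constructed sample standing in for /etc/ssh/sshd_config.
cfg=$(mktemp)
cat > "$cfg" <<'EOF'
# sample sshd_config, constructed for this example
Port 22
PermitTunnel yes
PermitRootLogin without-password
EOF
if check_tunnel_ready "$cfg"; then
    echo "server config ok; connect with: ssh -w 0:0 root@server.example  (hostname is a placeholder)"
    layer2_allowed "$cfg" && echo "layer 2 (Tunnel ethernet) is also permitted"
    echo "client:"; tunnel_commands 10.0.0.1 10.0.0.2
    echo "server:"; tunnel_commands 10.0.0.2 10.0.0.1
fi
rm -f "$cfg"
```

Restricting root to key-based authentication (PermitRootLogin without-password, or prohibit-password in current releases) keeps the tunnel working while leaving no password login for root exposed, and PermitTunnel point-to-point limits the server to the layer 3 variant when tap devices are not wanted.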
Another good piece of documentation can be found here, which I found when I had already figured it out.
2 Comments
June 19, 2008 at 2:55 pm
[...] message though. This is pretty annoying if you don’t know it. I think this also applies to ssh tunneling. This is reported as a bug in [...]
July 31, 2008 at 9:21 am
[...] a decent short description of the Openssh VPN functionality on the Fermi Paradox blog. There’s more information here. The basic thing is that you need to [...]