VPN with openssh

A relatively unknown feature of OpenSSH is its ability to create a VPN tunnel; it has been there since version 4.3. I am not talking about port forwarding. This VPN creates a virtual network interface, which you can use like any other network interface, so it is much more flexible than simple TCP port forwarding: it carries whole IP packets, so UDP and ICMP work over it as well.
Setting it up is actually very simple, but because I couldn't find any good documentation, it wasn't easy to figure out.

Here are the steps:

On the server, in /etc/ssh/sshd_config, allow tunneling and allow root login (both default to off for tunneling and to restricted for root on newer versions):

PermitTunnel yes
PermitRootLogin yes

Allowing root to log in with a password is the weakest setting sshd offers. If the server is reachable from untrusted networks, set PermitRootLogin to prohibit-password (called without-password before OpenSSH 7.0) so that only key-based root logins are accepted, and restrict the root key to the hosts that need the tunnel.

Restart sshd so it re-reads the configuration (the init script is called ssh rather than sshd on Debian; on systemd-based systems use systemctl):

/etc/init.d/sshd restart

From the client, run ssh as root (hence the sudo) and log in to the server as root:

sudo ssh -w any:any root@fedoku

You need to be root on the client, and log in as root on the server. This is important, because only root can create the needed network devices: opening /dev/net/tun and creating a tun interface requires network-admin privileges on both ends (this is where I was stuck for some time). The -w option takes local:remote tunnel device numbers; any picks the next free device on each side, so if you want predictable names (tun0 on both ends, say) give explicit numbers such as 0:0 instead. If you would rather not permit root over SSH at all, a persistent tun device created in advance and owned by an unprivileged user can be attached to by that user, but then the addresses and routes have to be configured ahead of time as well.

Once that succeeds, you will see a tun device on both server and client for as long as the session stays open:

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          POINTOPOINT NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

Now you just need to configure them, on both server and client. Because they are point-to-point devices, you need to set the respective peer address. The ifconfig commands mirror each other (ifconfig also brings the interface up as a side effect, so a ping to the peer address is the quickest check that packets cross the tunnel):

Client:

ifconfig tun0 10.0.0.1 pointopoint 10.0.0.2

Server:

ifconfig tun0 10.0.0.2 pointopoint 10.0.0.1

That's it, actually. Now you can set up routing, a firewall, NAT and so on on top of it, if needed. Keep in mind that the tunnel lives only as long as the ssh session: when it closes, both tun devices and everything configured on them disappear.
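The whole procedure above, from checking the server's sshd_config through addressing both ends and routing a network behind the server over the tunnel, as an added shell example; it is not from the original post. It assumes the server is reachable as fedoku, that tunnel device 0 is free on both sides, that the tunnel uses 10.0.0.1 (client) and 10.0.0.2 (server), that the LAN behind the server is 192.168.1.0/24, and that both hosts have ip, sysctl and iptables available. It uses the ip tool rather than ifconfig, which does the same thing on current systems. The config checks read a copy of the server's sshd_config; the tunnel itself is only brought up when SSHVPN_APPLY=1 is set, and the script must then run as root on the client.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed values: server "fedoku",
# tunnel device 0 on both ends, 10.0.0.1/10.0.0.2 as the point-to-point pair,
# 192.168.1.0/24 as the network behind the server.
set -eu

SERVER=${SERVER:-fedoku}
TUN=${TUN:-0}                 # -w local:remote, pinned so both ends end up as tun0
CLIENT_ADDR=10.0.0.1
SERVER_ADDR=10.0.0.2
REMOTE_NET=192.168.1.0/24     # routed through the tunnel once it is up

# Print the effective value of KEYWORD in an sshd_config FILE, or DEFAULT.
# sshd semantics: keywords are case-insensitive, the first occurrence wins,
# comments and blank lines are ignored. Conditional "Match" blocks are not
# evaluated here, so the answer is exact only for the global section.
sshd_effective() {            # usage: sshd_effective FILE KEYWORD DEFAULT
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[ \t]*(#|$)/         { next }
        tolower($1) == "match" { exit }
        tolower($1) == key     { print $2; found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# Succeeds when the server permits tunnel forwarding (PermitTunnel defaults to no).
tunnel_allowed() {
    v=$(sshd_effective "$1" PermitTunnel no | tr 'A-Z' 'a-z')
    case "$v" in
        yes|point-to-point|ethernet) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeeds when root may log in at all. The default is prohibit-password since
# OpenSSH 7.0 (it was yes before); a plain "yes" also allows password logins,
# which is worth a warning because the tunnel user is root.
root_login_allowed() {
    v=$(sshd_effective "$1" PermitRootLogin prohibit-password | tr 'A-Z' 'a-z')
    case "$v" in
        no)  return 1 ;;
        yes) echo "warning: root may log in with a password; prefer prohibit-password" >&2 ;;
    esac
    return 0
}

# Client side: open the tunnel session in the background (-N: no remote
# command, -f: background after authentication) and address our end.
# The backgrounded ssh must keep running for as long as the tunnel is needed.
open_tunnel() {
    ssh -f -N -w "$TUN:$TUN" "root@$SERVER"
    ip addr add "$CLIENT_ADDR" peer "$SERVER_ADDR" dev "tun$TUN"
    ip link set "tun$TUN" up
}

# Server side, done over a second ssh session. sshd creates its tun device when
# the tunnel channel opens, which can lag slightly behind the client, so wait
# for it. ip_forward plus MASQUERADE lets hosts on the server's LAN answer us
# without knowing anything about the 10.0.0.0/24 tunnel addresses.
configure_server() {
    ssh "root@$SERVER" sh -s "$TUN" "$SERVER_ADDR" "$CLIENT_ADDR" <<'EOF'
tun=tun$1
for i in 1 2 3 4 5; do ip link show "$tun" >/dev/null 2>&1 && break; sleep 1; done
ip addr add "$2" peer "$3" dev "$tun"
ip link set "$tun" up
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -C POSTROUTING -s "$3" -j MASQUERADE 2>/dev/null ||
    iptables -t nat -A POSTROUTING -s "$3" -j MASQUERADE
EOF
}

# Route the remote network over the tunnel and send the first packet across it.
route_via_tunnel() {
    ip route replace "$REMOTE_NET" dev "tun$TUN"
    ping -c 1 -W 2 "$SERVER_ADDR" >/dev/null
}

if [ "${SSHVPN_APPLY:-0}" = 1 ]; then
    cfg=$(mktemp)
    ssh "root@$SERVER" cat /etc/ssh/sshd_config >"$cfg"
    tunnel_allowed "$cfg"    || { echo "server: PermitTunnel is not enabled" >&2; exit 1; }
    root_login_allowed "$cfg" || { echo "server: PermitRootLogin is no" >&2; exit 1; }
    rm -f "$cfg"
    open_tunnel
    configure_server
    route_via_tunnel
fi
```

The config parser mirrors how sshd reads its file (first match wins, case-insensitive keywords), which is why a commented-out PermitTunnel line or a later duplicate does not change the result; for the authoritative view including Match blocks, run sshd -T on the server instead.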

There is also a way to use layer 2 networking, with virtual Ethernet devices. All you have to do is set the tunnel type in the client configuration file (PermitTunnel yes on the server covers both types):

Tunnel ethernet

The network devices now show up as tap instead of tun and carry whole Ethernet frames, so they can be bridged to a physical interface and non-IP traffic passes too. The advantage is that you can use those for IPv6. I was never able to do that with the tun devices.

Another good piece of documentation can be found here, which I found when I had already figured it out.

Filed under debian, ipv6, linux, openssh

6 responses to “VPN with openssh”

  1. Pingback: ssh connection sharing « Fermi Paradox

  2. Pingback: SSH vpn and other tricks | KernelCrash

  3. Pingback: OpenSSH ve VPN | KNYKSL.COM v3

  4. We would like to thank you once again for the gorgeous ideas you offered Janet when preparing her own post-graduate research and also, most importantly, with regard to providing all of the ideas within a blog post. In case we had been aware of your web page a year ago, we would have been rescued from the needless measures we were participating in. Thank you very much. palm beach today

  5. I looked everywhere for a good resource; thank you.

  6. Pingback: 簡易 VPN: socat & openssh - 百匯博客