« Comet experiment: RFID reader with Koha data in browser | Main | LDAP haters guide to groups »

Simple network to network VPN with OpenSSH and tun device

For a long time, I used combination of proxy.pac and DynamicForward in .ssh/config to enable seamless surfing over ssh tunnels. However, this time, I wanted to access university network from home DSL.

I remembered all warnings about tunneling tcp over tcp and why it is bad idea, but I really liked simplicity of reusing ssh. So, I start looking for guides to implement minimal solution like this: 

client.lan                      ssh gateway             private network
eth0 192.168.1.20 <--DSL-nat--> eth0 gw.example.com
tun0 10.60.0.81 <-pointopoint-> tun0 10.60.0.80 
                                eth1 10.60.0.10 <-----> 10.60.0.0/24
It's a bit more complicated, because LAN clients have to use NAT to access private network, but that's a single line in configuration. So, let's get started...

client.lan

  1. Generate ssh key for VPN 
    root@client:~# ssh-keygen -t rsa -f /root/.ssh/gw-tun0
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/gw-tun0.
Your public key has been saved in /root/.ssh/gw-tun0.pub.
  2. Transfer it to server 
    echo 'tunnel="0",command="/sbin/ifdown tun0;/sbin/ifup tun0"' `cat /root/.ssh/gw-tun0.pub` | \
    ssh dpavlin@gw.example.com 'sudo sh -c "cat >> /root/.ssh/authorized_keys"'
    If you didn't have authorized_keys on gw.example.com you will also have to fix group with: 
    root@gw:~# chown root:root /root/.ssh/authorized_keys
  3. /etc/network/interfaces 
    iface tun0 inet static
    pre-up ssh -i /root/.ssh/gw-tun0 -S /var/run/gw-tun0 -M -f -w 0:0 gw.example.com true
    pre-up sleep 5
    address 10.60.0.81
    netmask 255.255.0.0
    pointopoint 10.60.0.80
    up iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o tun0 -j MASQUERADE
    post-down ssh -S /var/run/gw-tun0 -O exit gw.example.com
    iptables are used to NAT all hosts on home network, so they can see whole private network and not just IPs on gw.example.com
    I also added following route to my home network gateway so that all traffic for private network will go through VPN: 
    # netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask
10.60.0.0       192.168.1.20    255.255.0.0

gw.example.com

  1. /etc/ssh/sshd_config 
    #PermitRootLogin yes
PermitTunnel point-to-point
PermitRootLogin forced-commands-only
  2. /etc/network/interfaces 
    iface tun0 inet static
    address 10.60.0.80
    netmask 255.255.255.255
    pointopoint 10.60.0.81
    up arp -sD 10.60.0.81 eth1 pub
    arp entry is used to make home IP address 10.60.0.81 visible to all hosts in private network. That, together with rinetd on client.lan enabled me to tunnel connections to other hosts on my local network by creating port redirection (again, sigh!). I could have solved that with route on ssh gateway gw.example.com, but this solution leaves configuration of incomming connections on home side of link.
  3. /etc/cron.d/gw.example.com 
    # monitor tun0
*/1     * * * * root    fping -q 10.60.0.81 || ( ifdown tun0 ; ifup tun0 ) | logger -t tun0

Tags:

Posted by Dobrica Pavlinušić on April 18, 2009 11:54 AM |

TrackBack

TrackBack URL for this entry:
http://blog.rot13.org/mt/mt-tb.cgi/621

Listed below are links to weblogs that reference Simple network to network VPN with OpenSSH and tun device:

» tap magic: kvm network bridge using ssh ethernet tunnel from Dobrica Pavlinušić's Weblog / Blog
Let's assume that you want to create virtual network which spans sites (or continents :-). While we are at it, let's assume that you want to have layer 2 connectivity (because you want to run just single DHCP server for example). At first, it seemed l... [Read More]

Tracked on August 14, 2009 9:58 PM

» OpenVZ, VLANs, ethernet bridge and ssh tunneling from Dobrica Pavlinušić's Weblog / Blog
I know that title is mouthful. But, I occasionally use this blog as place to dump interesting configuration settings and it helps me remember configuration which helps me to remember it and might be useful to lone surfers who stumbles upon this page. ... [Read More]

Tracked on February 22, 2010 10:48 PM

Post a comment

(If you haven't left a comment here before, you may need to be approved by the site owner before your comment will appear. Until then, it won't appear on the entry. Thanks for waiting.)

Search


About

This page contains a single entry from the blog posted on April 18, 2009 11:54 AM.

The previous post in this blog was Comet experiment: RFID reader with Koha data in browser.

The next post in this blog is LDAP haters guide to groups.

Many more can be found on the main index page or by looking through the archives.

Subscribe to this blog's feed
[What is this?]
Creative Commons License
This weblog is licensed under a Creative Commons License.
Powered by
Movable Type 4.32-en