For a long time, I used combination of
.ssh/config to enable seamless surfing over ssh tunnels. However, this time, I wanted to access university network from home DSL.
I remembered all warnings about tunneling tcp over tcp and why it is bad idea, but I really liked simplicity of reusing ssh. So, I start looking for guides to implement minimal solution like this:
client.lan ssh gateway private network eth0 192.168.1.20 <--DSL-nat--> eth0 gw.example.com tun0 10.60.0.81 <-pointopoint-> tun0 10.60.0.80 eth1 10.60.0.10 <-----> 10.60.0.0/24It's a bit more complicated, because LAN clients have to use NAT to access private network, but that's a single line in configuration. So, let's get started...
Generate ssh key for VPN
root@client:~# ssh-keygen -t rsa -f /root/.ssh/gw-tun0 Generating public/private rsa key pair. Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /root/.ssh/gw-tun0. Your public key has been saved in /root/.ssh/gw-tun0.pub.
Transfer it to server
echo 'tunnel="0",command="/sbin/ifdown tun0;/sbin/ifup tun0"' `cat /root/.ssh/gw-tun0.pub` | \ ssh firstname.lastname@example.org 'sudo sh -c "cat >> /root/.ssh/authorized_keys"'If you didn't have
gw.example.comyou will also have to fix group with:
root@gw:~# chown root:root /root/.ssh/authorized_keys
iface tun0 inet static pre-up ssh -i /root/.ssh/gw-tun0 -S /var/run/gw-tun0 -M -f -w 0:0 gw.example.com true pre-up sleep 5 address 10.60.0.81 netmask 255.255.0.0 pointopoint 10.60.0.80 up iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o tun0 -j MASQUERADE post-down ssh -S /var/run/gw-tun0 -O exit gw.example.com
iptablesare used to NAT all hosts on home network, so they can see whole private network and not just IPs on gw.example.com
I also added following route to my home network gateway so that all traffic for private network will go through VPN:
# netstat -rn Kernel IP routing table Destination Gateway Genmask 10.60.0.0 192.168.1.20 255.255.0.0
#PermitRootLogin yes PermitTunnel point-to-point PermitRootLogin forced-commands-only
iface tun0 inet static address 10.60.0.80 netmask 255.255.255.255 pointopoint 10.60.0.81 up arp -sD 10.60.0.81 eth1 pubarp entry is used to make home IP address 10.60.0.81 visible to all hosts in private network. That, together with
client.lanenabled me to tunnel connections to other hosts on my local network by creating port redirection (again, sigh!). I could have solved that with route on ssh gateway
gw.example.com, but this solution leaves configuration of incomming connections on home side of link.
# monitor tun0 */1 * * * * root fping -q 10.60.0.81 || ( ifdown tun0 ; ifup tun0 ) | logger -t tun0