Dobrica Pavlinušić's Weblog / Blog

For a long time, I used combination of proxy.pac and DynamicForward in .ssh/config to enable seamless surfing over ssh tunnels. However, this time, I wanted to access university network from home DSL.

I remembered all warnings about tunneling tcp over tcp and why it is bad idea, but I really liked simplicity of reusing ssh. So, I start looking for guides to implement minimal solution like this:

client.lan                      ssh gateway             private network
eth0 192.168.1.20 <--DSL-nat--> eth0 gw.example.com
tun0 10.60.0.81 <-pointopoint-> tun0 10.60.0.80 
                                eth1 10.60.0.10 <-----> 10.60.0.0/24

It's a bit more complicated, because LAN clients have to use NAT to access private network, but that's a single line in configuration. So, let's get started...

client.lan

1. Generate ssh key for VPN

   root@client:~# ssh-keygen -t rsa -f /root/.ssh/gw-tun0
   Generating public/private rsa key pair.
   Enter passphrase (empty for no passphrase): 
   Enter same passphrase again: 
   Your identification has been saved in /root/.ssh/gw-tun0.
   Your public key has been saved in /root/.ssh/gw-tun0.pub.
   

2. Transfer it to server

   echo 'tunnel="0",command="/sbin/ifdown tun0;/sbin/ifup tun0"' `cat /root/.ssh/gw-tun0.pub` | \
       ssh dpavlin@gw.example.com 'sudo sh -c "cat >> /root/.ssh/authorized_keys"'
   

   If you didn't have authorized_keys on gw.example.com you will also have to fix group with:

   root@gw:~# chown root:root /root/.ssh/authorized_keys
   

3. /etc/network/interfaces

   iface tun0 inet static
       pre-up ssh -i /root/.ssh/gw-tun0 -S /var/run/gw-tun0 -M -f -w 0:0 gw.example.com true
       pre-up sleep 5
       address 10.60.0.81
       netmask 255.255.0.0
       pointopoint 10.60.0.80
       up iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o tun0 -j MASQUERADE
       post-down ssh -S /var/run/gw-tun0 -O exit gw.example.com
   

   iptables are used to NAT all hosts on home network, so they can see whole private network and not just IPs on gw.example.com
   I also added following route to my home network gateway so that all traffic for private network will go through VPN:

   # netstat -rn
   Kernel IP routing table
   Destination     Gateway         Genmask
   10.60.0.0       192.168.1.20    255.255.0.0
   

gw.example.com

1. /etc/ssh/sshd_config

   #PermitRootLogin yes
   PermitTunnel point-to-point
   PermitRootLogin forced-commands-only
   

2. /etc/network/interfaces

   iface tun0 inet static
       address 10.60.0.80
       netmask 255.255.255.255
       pointopoint 10.60.0.81
       up arp -sD 10.60.0.81 eth1 pub
   

   arp entry is used to make home IP address 10.60.0.81 visible to all hosts in private network. That, together with rinetd on client.lan enabled me to tunnel connections to other hosts on my local network by creating port redirection (again, sigh!). I could have solved that with route on ssh gateway gw.example.com, but this solution leaves configuration of incomming connections on home side of link.
3. /etc/cron.d/gw.example.com

   # monitor tun0
   */1     * * * * root    fping -q 10.60.0.81 || ( ifdown tun0 ; ifup tun0 ) | logger -t tun0