Difference between revisions of "VPN over SSH"

From ArchWiki
(Create tun interfaces)
(automatic style fixes)
Revision as of 10:02, 30 May 2012

OpenSSH has built-in VPN support using -w<local-tun-number>:<remote-tun-number>.

Set up

Create tun interfaces

Create tun interfaces:

$ cat /etc/network.d/vpn
INTERFACE='tun5'
CONNECTION='tuntap'
MODE='tun'
USER='vpn'
GROUP='network'

IP='static'
SKIPNOCARRIER='yes'
ADDR='<IP>'
IPCFG=('route add <REMOTE-NETWORK/MASK> via <REMOTE-SIDE-IP>')

Then run 'netcfg -u vpn', or add the profile to /etc/conf.d/netcfg so that it is brought up at boot.

SSH can also create both tun interfaces itself, but then you must assign the IP addresses and routes yourself after the connection has been established.

You may also manage the tun interfaces with the 'ip tunnel' command.

Start SSH

ssh -f -w5:5 vpn@example.com -i ~/.ssh/key "sleep 1000000000"

Alternatively, add keep-alive options if you are behind a NAT, so that a session the NAT has timed out is detected as dead instead of hanging:

ssh -f -w5:5 vpn@example.com \
        -o ServerAliveInterval=30 \
        -o ServerAliveCountMax=5 \
        -o TCPKeepAlive=yes \
        -i ~/.ssh/key "sleep 1000000000"
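The whole procedure above (create the tun, start ssh with keep-alives, then assign the address and route once the session is attached), as an added shell example that is not from the wiki page. It keeps the page's host vpn@example.com, key ~/.ssh/key and tun5:tun5, but the addresses 10.9.0.1/30, 10.9.0.2 and 192.168.50.0/24 are hypothetical, the tun device is pre-created with ip tuntap instead of a netcfg profile, and the ExitOnForwardFailure and BatchMode options are additions so that a failed tunnel setup makes ssh exit instead of leaving a useless session behind:

```shell
#!/bin/sh
# Added example, not from the ArchWiki page: bring an OpenSSH "-w" tun VPN up
# end to end and tear it down again. Host, key path, tun numbers and all
# addresses are hypothetical defaults; override them through the environment.
# Needs root (or CAP_NET_ADMIN) on this side for the ip(8) calls, and the
# server must have "PermitTunnel yes" (or "point-to-point") in sshd_config.
set -eu

LOCAL_TUN="${LOCAL_TUN:-5}"                    # -w<local>:<remote>
REMOTE_TUN="${REMOTE_TUN:-5}"
VPN_HOST="${VPN_HOST:-vpn@example.com}"
VPN_KEY="${VPN_KEY:-${HOME:-/root}/.ssh/key}"
TUN_USER="${TUN_USER:-vpn}"                    # owner of the pre-created tun
LOCAL_ADDR="${LOCAL_ADDR:-10.9.0.1/30}"        # hypothetical point-to-point /30
REMOTE_ADDR="${REMOTE_ADDR:-10.9.0.2}"
REMOTE_NET="${REMOTE_NET:-192.168.50.0/24}"    # hypothetical LAN behind the server
PIDFILE="${PIDFILE:-/run/ssh-vpn-tun${LOCAL_TUN}.pid}"

# Compose the ssh command line. The keep-alive options make a session that a
# NAT has silently timed out exit (so it can be restarted) instead of hanging;
# ExitOnForwardFailure also covers -w, so ssh quits when the remote tun cannot
# be opened instead of leaving a session with no tunnel behind it.
build_ssh_cmd() {
    printf '%s' "ssh -w${LOCAL_TUN}:${REMOTE_TUN}" \
        " -o ServerAliveInterval=30 -o ServerAliveCountMax=5 -o TCPKeepAlive=yes" \
        " -o ExitOnForwardFailure=yes -o BatchMode=yes" \
        " -i ${VPN_KEY} ${VPN_HOST} sleep 1000000000"
}

# Pre-create the tun device owned by $TUN_USER, as the netcfg 'tuntap' profile
# on the page does, so that ssh can attach to it without being root.
tun_precreate() {
    ip link show "tun${LOCAL_TUN}" >/dev/null 2>&1 ||
        ip tuntap add dev "tun${LOCAL_TUN}" mode tun user "${TUN_USER}"
    ip link set "tun${LOCAL_TUN}" up
}

# ssh attaches to the tun only after authentication, which turns the carrier
# on; until then the interface shows NO-CARRIER (hence SKIPNOCARRIER above).
wait_for_carrier() {
    n=0
    while [ "$n" -lt 30 ]; do
        [ "$(cat "/sys/class/net/tun${LOCAL_TUN}/carrier" 2>/dev/null)" = "1" ] && return 0
        n=$((n + 1)); sleep 1
    done
    echo "tun${LOCAL_TUN} never got a carrier: check PermitTunnel and tun rights on ${VPN_HOST}" >&2
    return 1
}

vpn_up() {
    tun_precreate
    # exec so that $! is the ssh process itself, not a wrapper shell
    sh -c "exec $(build_ssh_cmd)" &
    echo $! > "${PIDFILE}"
    wait_for_carrier
    # Address and route only make sense once the far end is attached.
    ip addr replace "${LOCAL_ADDR}" dev "tun${LOCAL_TUN}"
    ip route replace "${REMOTE_NET}" via "${REMOTE_ADDR}" dev "tun${LOCAL_TUN}"
    if ping -c 1 -W 3 "${REMOTE_ADDR}" >/dev/null; then
        echo "tunnel up: ${REMOTE_NET} reachable via tun${LOCAL_TUN}"
    else
        echo "tun is attached but ${REMOTE_ADDR} does not answer: configure the remote tun${REMOTE_TUN}" >&2
        return 1
    fi
}

vpn_down() {
    if [ -f "${PIDFILE}" ]; then
        kill "$(cat "${PIDFILE}")" 2>/dev/null || true
        rm -f "${PIDFILE}"
    fi
    ip route del "${REMOTE_NET}" dev "tun${LOCAL_TUN}" 2>/dev/null || true
    ip tuntap del dev "tun${LOCAL_TUN}" mode tun 2>/dev/null || true
}

case "${1:-}" in
    up)   vpn_up ;;
    down) vpn_down ;;
    show) build_ssh_cmd; echo ;;
    *)    : ;;   # no argument: just define the functions
esac
```

Run it as root with 'sh vpn-ssh.sh up' and 'sh vpn-ssh.sh down'; 'show' prints the ssh command line it would use. The remote side still needs its own address on tun5 and, for the whole-network case, the forwarding and netfilter setup described under Troubleshooting.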

Troubleshooting

  • ssh needs access rights to the tun interface, or permission to create it. Check the owner of the tun interface and/or the permissions on /dev/net/tun.
  • Obviously, if you want to reach a whole network (not just the single remote machine), you must set up IP packet forwarding, routing and possibly netfilter correctly on both sides.
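The two bullets turned into checks that can be run on either end of the tunnel, as an added example that is not part of the wiki page. The interface name tun5, the user vpn and the sshd_config path are assumptions taken from the profile above; the server-side check prefers 'sshd -T' (the effective configuration, including Match blocks) and only falls back to reading the file:

```shell
#!/bin/sh
# Added example, not from the ArchWiki page: the checks behind the two
# troubleshooting bullets. Interface, user and config path are hypothetical
# defaults; override them through the environment.
set -eu

TUN_IF="${TUN_IF:-tun5}"
TUN_USER="${TUN_USER:-vpn}"
SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"

# Parse the owner out of `ip -d link show dev tunN` output given on stdin.
# Only the "tun type tun ... user X group Y" detail line is inspected (the
# first line also contains "group default", which is the link group, not the
# owner). Prints "<user> <group>", or "- -" when no owner is set.
tun_owner() {
    awk '
        $1 == "tun" && $2 == "type" {
            for (i = 1; i <= NF; i++) {
                if ($i == "user")  u = $(i + 1)
                if ($i == "group") g = $(i + 1)
            }
        }
        END { printf "%s %s\n", (u == "" ? "-" : u), (g == "" ? "-" : g) }'
}

# First PermitTunnel value in an sshd_config file: sshd keeps the first
# occurrence of a keyword, and the default when it is absent is "no".
permit_tunnel_from_config() {
    [ -r "$1" ] || { echo "unknown"; return 0; }
    awk 'tolower($1) == "permittunnel" { print tolower($2); found = 1; exit }
         END { if (!found) print "no" }' "$1"
}

# Bullet 1: can this user open /dev/net/tun, and who owns the tun device?
# Note that opening /dev/net/tun lets a non-root user attach to a persistent
# tun it owns; creating a new one still needs root or CAP_NET_ADMIN.
check_tun_access() {
    if [ -r /dev/net/tun ] && [ -w /dev/net/tun ]; then
        echo "ok: $(id -un) can open /dev/net/tun"
    else
        echo "warn: $(id -un) cannot open /dev/net/tun: $(ls -l /dev/net/tun 2>&1)"
    fi
    if ip link show dev "$TUN_IF" >/dev/null 2>&1; then
        set -- $(ip -d link show dev "$TUN_IF" | tun_owner)
        echo "info: $TUN_IF exists, owner user=$1 group=$2 (ssh will run as $TUN_USER)"
    else
        echo "info: $TUN_IF does not exist; ssh as root creates it, or pre-create it:" \
             "ip tuntap add dev $TUN_IF mode tun user $TUN_USER"
    fi
}

# Bullet 2: forwarding, routing and netfilter on a side that acts as gateway.
check_forwarding() {
    fwd=$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null || echo "?")
    if [ "$fwd" = "1" ]; then
        echo "ok: net.ipv4.ip_forward=1"
    else
        echo "warn: net.ipv4.ip_forward=$fwd; set it to 1 to route for other hosts"
    fi
    echo "routes via $TUN_IF:"
    ip route show dev "$TUN_IF" 2>/dev/null || echo "  (none)"
    # A FORWARD chain with policy DROP and no rule for the tun silently eats traffic.
    iptables -S FORWARD 2>/dev/null | head -n 5 || echo "  (iptables not available)"
}

# Server side only: is -w permitted at all?
check_permit_tunnel() {
    v=$(sshd -T 2>/dev/null | awk '$1 == "permittunnel" { print $2 }')
    [ -n "$v" ] || v=$(permit_tunnel_from_config "$SSHD_CONFIG")
    case "$v" in
        yes|point-to-point) echo "ok: PermitTunnel $v" ;;
        *) echo "warn: PermitTunnel is '$v'; -w needs 'yes' or 'point-to-point' in $SSHD_CONFIG" ;;
    esac
}

case "${1:-}" in
    client) check_tun_access ;;
    server) check_permit_tunnel; check_tun_access; check_forwarding ;;
    *) : ;;   # no argument: just define the functions
esac
```

Run 'sh vpn-checks.sh client' as the user that will run ssh, and 'sh vpn-checks.sh server' as root on the remote host; the client-side ssh command itself fails with a "tun" or "channel" error when the server refuses the tunnel, which is the case the server check explains.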

See also