Difference between revisions of "VPN over SSH"
(Troubleshooting)
m (route to ip route.)
(8 intermediate revisions by 5 users not shown)
Revision as of 08:39, 4 March 2013

There are several ways to set up a Virtual Private Network through SSH. Note that, while this may be useful from time to time, it is not a full replacement for a regular VPN: everything is carried inside a single TCP connection, so TCP sessions running through the tunnel suffer from the TCP-over-TCP problem (each layer retransmits independently and throughput collapses on a lossy link). See for example http://sites.inka.de/bigred/devel/tcp-tcp.html.

OpenSSH's built in tunneling

OpenSSH has built-in TUN/TAP support using -w<local-tun-number>:<remote-tun-number>. Here a layer 3 (point-to-point, TUN) tunnel is described; a layer 2 (Ethernet, TAP) tunnel is also possible by adding -o Tunnel=ethernet, in which case the devices are tapN instead of tunN. In both cases sshd_config on the server must contain PermitTunnel yes (or point-to-point / ethernet to allow only one kind); the default is no, and then sshd refuses the tunnel request.

Create tun interfaces

Create tun interfaces:

$ cat /etc/network.d/vpn
INTERFACE='tun5'
CONNECTION='tuntap'
MODE='tun'
USER='vpn'
GROUP='network'

IP='static'
SKIPNOCARRIER='yes'
ADDR='<IP>'
IPCFG=('ip route add <REMOTE-NETWORK/MASK> via <REMOTE-SIDE-IP>')

Then run 'netcfg -u vpn', or add the profile to /etc/conf.d/netcfg to bring it up at boot.

A persistent tun interface owned by the vpn user can also be created directly with 'ip tuntap add dev tun5 mode tun user vpn group network'. (Note that 'ip tunnel' manages IP-in-IP and GRE tunnels, not tun devices.) Pre-creating the device is what lets a non-root ssh process attach to it; it still needs read/write access to /dev/net/tun.

Creating interfaces in SSH command

SSH can also create both interfaces itself: sshd on the server (it runs as root), and ssh on the client only if ssh runs as root or a persistent tunN owned by the user already exists, because creating a new tun device requires CAP_NET_ADMIN. IP addresses and routes still have to be configured after the connection is established. LocalCommand runs on the client, the remote command on the server:

ssh \
  -o PermitLocalCommand=yes \
  -o LocalCommand="sudo ifconfig tun5 192.168.244.2 pointopoint 192.168.244.1 netmask 255.255.255.0" \
  -o ServerAliveInterval=60 \
  -w 5:5 vpn@example.com \
  'sudo ifconfig tun5 192.168.244.1 pointopoint 192.168.244.2 netmask 255.255.255.0; echo tun5 ready'

Start SSH

ssh -f -w5:5 vpn@example.com -i ~/.ssh/key "sleep 1000000000"

The dummy "sleep" only keeps the session open; -N (request no remote command) does the same without it. Behind NAT or a stateful firewall, add keep-alive options so an idle tunnel is not dropped by the middlebox and a dead connection is noticed within ServerAliveInterval * ServerAliveCountMax seconds:

ssh -f -w5:5 vpn@example.com \
        -o ServerAliveInterval=30 \
        -o ServerAliveCountMax=5 \
        -o TCPKeepAlive=yes \
        -i ~/.ssh/key "sleep 1000000000"
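The three steps above (create the local device, start ssh with -w, address and route both ends) as one script. This is an added example, not code from the ArchWiki page or from OpenSSH; the addresses (192.168.244.1/2), the remote LAN 10.10.0.0/16, the account vpn@example.com and the key path are assumptions. It uses ip(8) instead of netcfg/ifconfig, and a ControlMaster socket so that teardown closes exactly the session that was opened.

```shell
#!/bin/sh
# ssh-tun.sh: bring an OpenSSH layer-3 (-w) tunnel up or down using ip(8).
# Added example, not from the ArchWiki page. Assumed values (adjust):
#   local tun5 192.168.244.2 <-> remote tun5 192.168.244.1, remote LAN 10.10.0.0/16,
#   account vpn@example.com, key ~/.ssh/key.
# Remote prerequisites: sshd_config has "PermitTunnel yes" and the vpn account may
# run "sudo ip" without a password. Locally /dev/net/tun must be readable and
# writable by the user running ssh; the device itself is pre-created and owned by
# that user so ssh does not need root.
set -eu

LOCAL_TUN=5
REMOTE_TUN=5
LOCAL_IP=192.168.244.2
REMOTE_IP=192.168.244.1
REMOTE_NET=10.10.0.0/16
HOST=vpn@example.com
KEY=${HOME:-.}/.ssh/key
CTL=/tmp/ssh-vpn.ctl    # ControlMaster socket: "down" closes the session "up" opened

# check_tun_spec N:M -> 0 when both ends are numeric device numbers, else 1.
# ssh also accepts "any", but then the local device name is unknown in advance
# and the ip(8) commands below would have nothing to address.
check_tun_spec() {
  case "$1" in
    ''|:*|*:|*:*:*|*[!0-9:]*) return 1 ;;
    *:*)                      return 0 ;;
    *)                        return 1 ;;
  esac
}

# ssh_cmd -> the ssh invocation, printed as one line so it can be inspected.
# -N: no remote command; -f: background after authentication; -M/-S: control
# socket; ExitOnForwardFailure turns a refused tunnel (PermitTunnel no) into a
# hard error instead of a silently missing interface.
ssh_cmd() {
  printf 'ssh -f -N -M -S %s -i %s -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=5 -w %s:%s %s\n' \
    "$CTL" "$KEY" "$LOCAL_TUN" "$REMOTE_TUN" "$HOST"
}

# local_up_cmds -> ip(8) commands run locally: address the point-to-point link
# and route the remote LAN through it.
local_up_cmds() {
  cat <<EOF
ip link set dev tun$LOCAL_TUN up
ip addr add $LOCAL_IP peer $REMOTE_IP/32 dev tun$LOCAL_TUN
ip route add $REMOTE_NET via $REMOTE_IP dev tun$LOCAL_TUN
EOF
}

# remote_up_cmds -> the mirror image, executed on the server over the control socket.
remote_up_cmds() {
  cat <<EOF
sudo ip link set dev tun$REMOTE_TUN up
sudo ip addr add $REMOTE_IP peer $LOCAL_IP/32 dev tun$REMOTE_TUN
EOF
}

up() {
  check_tun_spec "$LOCAL_TUN:$REMOTE_TUN" || { echo "bad tun spec" >&2; return 1; }
  # Pre-create the local device owned by this user so ssh need not run as root.
  ip link show "tun$LOCAL_TUN" >/dev/null 2>&1 ||
    sudo ip tuntap add dev "tun$LOCAL_TUN" mode tun user "$(id -un)"
  # The tunnel channel open is sent before ssh backgrounds itself, so the mux
  # session used below is processed by sshd after the remote tun exists.
  eval "$(ssh_cmd)"
  local_up_cmds  | sudo sh -e
  remote_up_cmds | ssh -S "$CTL" "$HOST" sh -e
}

down() {
  ssh -S "$CTL" -O exit "$HOST" || true   # closing the master removes the remote tun
  sudo ip link del "tun$LOCAL_TUN" 2>/dev/null || true
}

case "${1:-}" in
  up)   up ;;
  down) down ;;
  *)    [ $# -eq 0 ] || { echo "usage: $0 up|down" >&2; exit 2; } ;;
esac
```

Run it as ./ssh-tun.sh up and ./ssh-tun.sh down. The remote commands are sent through the already-authenticated master connection (-S), so no second authentication happens and nothing has to be typed on the server side; if PermitTunnel is off, ExitOnForwardFailure makes the ssh step fail loudly instead of leaving a dead tun5 behind.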

Troubleshooting

  • The server's sshd_config must have PermitTunnel yes (default: no); otherwise sshd refuses the tunnel and no remote tun device appears.
  • The ssh client must be able to open the tun interface or create it: either run ssh as root, or pre-create a persistent tunN owned by the user (netcfg USER=/GROUP=, or ip tuntap ... user ...). Check the owner of the tun interface and the permissions of /dev/net/tun.
  • To reach a network rather than the single remote machine, enable IP forwarding on the remote side (sysctl net.ipv4.ip_forward=1), make sure hosts on the remote LAN have a return route to the tunnel subnet (or NAT the tunnel traffic there), and adjust netfilter rules on both sides.

Using PPP over SSH

pppd can be used to create a tunnel through an SSH server. The local pppd allocates a pseudo-terminal, runs ssh on it, and the remote pppd talks PPP over that ssh session; the local end gets 10.0.8.1 and the remote end 10.0.8.2. pppd needs root on both ends, so the remote login here is root (sshd must allow it, or use an account permitted to run pppd via sudo), and key-based authentication is the usual choice because the ssh session is started by pppd rather than from an interactive terminal:

/usr/sbin/pppd updetach noauth silent nodeflate pty "/usr/bin/ssh root@remote-gw /usr/sbin/pppd nodetach notty noauth" ipparam vpn 10.0.8.1:10.0.8.2

When the VPN is established, you can route traffic through it. To get access to an internal network:

ip route add 192.168.0.0/16 via 10.0.8.2

To route all Internet traffic through the tunnel, for example to protect your communication on an unencrypted network, first add a host route to the SSH server through your current gateway. Without it, the replaced default route below would send the tunnel's own SSH packets into the tunnel and the connection would die:

ip route add <remote-gw> via <current default gateway>

Next, replace the default route with the tunnel:

ip route replace default via 10.0.8.2
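The two routing steps above, scripted so that the gateway is read from the running system rather than typed by hand, and undone in the reverse order. This is an added example, not from the ArchWiki page or the pvpn project; the server address 203.0.113.10 is an assumption standing in for <remote-gw>, and 10.0.8.2 is the remote PPP end from the pppd command above. It also handles the case the page's one-liners do not: a system with no default gateway (for example a point-to-point uplink listed as "default dev ppp0"), where the host route cannot be pinned and the script refuses to continue.

```shell
#!/bin/sh
# full-tunnel.sh: route everything through the PPP/SSH tunnel without cutting
# off the SSH session that carries it. Added example, not from the page.
# Assumed: SSH server 203.0.113.10 (use its IP, not a hostname, so the pinned
# route does not depend on DNS that may itself move into the tunnel), remote
# PPP end 10.0.8.2 as in the pppd command above.
set -eu

REMOTE_GW=${REMOTE_GW:-203.0.113.10}
TUN_PEER=${TUN_PEER:-10.0.8.2}
STATE=/run/full-tunnel.gw   # where the original gateway is remembered for "down"

# default_gw_from: read `ip route show default` output on stdin and print the
# first gateway. Returns 1 when no "default via X" line exists (e.g. the default
# is a point-to-point device with no gateway): there is nothing to pin to.
default_gw_from() {
  awk '$1 == "default" && $2 == "via" { print $3; found = 1; exit }
       END { exit !found }'
}

# full_tunnel_cmds GW: the ip(8) commands in the only safe order:
#   1. host route to the SSH server via the old gateway, so the tunnel's own
#      packets are never routed into the tunnel,
#   2. only then swap the default route to the tunnel peer.
full_tunnel_cmds() {
  gw=$1
  printf 'ip route add %s/32 via %s\n' "$REMOTE_GW" "$gw"
  printf 'ip route replace default via %s\n' "$TUN_PEER"
}

# restore_cmds GW: undo in reverse (default first, then drop the host route).
restore_cmds() {
  gw=$1
  printf 'ip route replace default via %s\n' "$gw"
  printf 'ip route del %s/32 via %s\n' "$REMOTE_GW" "$gw"
}

up() {
  gw=$(ip route show default | default_gw_from) ||
    { echo "no default gateway found; refusing to replace the default route" >&2; return 1; }
  echo "$gw" > "$STATE"
  full_tunnel_cmds "$gw" | sh -e
}

down() {
  [ -r "$STATE" ] || { echo "no saved gateway in $STATE" >&2; return 1; }
  restore_cmds "$(cat "$STATE")" | sh -e
  rm -f "$STATE"
}

case "${1:-}" in
  up)   up ;;
  down) down ;;
  *)    [ $# -eq 0 ] || { echo "usage: $0 up|down" >&2; exit 2; } ;;
esac
```

Run ./full-tunnel.sh up once the pppd link is established and ./full-tunnel.sh down before tearing it down; both need root for the ip(8) calls. Because the original gateway is saved to a file, "down" works from a fresh shell, and a second "up" is refused by ip(8) (the /32 route already exists) rather than silently re-pinning to the tunnel peer.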

Helper script

pvpn (available in AUR package pvpnAUR) is a wrapper script around pppd over SSH.

See also

  • Configuring Network
  • Ssh
  • Router