VPN over SSH

From ArchWiki
Revision as of 10:19, 31 May 2012 by Sergej (talk | contribs) (Creating interfaces in SSH command)

OpenSSH has built-in VPN support: the -w<local-tun-number>:<remote-tun-number> option connects a tun interface on the client with one on the server.
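The server has to allow tunnel requests before -w does anything, and the client options can live in ~/.ssh/config instead of being repeated on every command line. The following fragments are an added example, not part of the wiki page or of OpenSSH's own documentation; the user name vpn, the host alias vpn-gw and the key path are assumptions. The login user on the server must additionally be able to open /dev/net/tun (see the notes under the set-up steps below).

```text
# /etc/ssh/sshd_config on the VPN server (added example). Without PermitTunnel
# sshd refuses the -w request; "point-to-point" permits layer-3 tun devices only,
# not layer-2 tap devices. Restricting it to the vpn user keeps the rest of the
# server's policy unchanged.
Match User vpn
    PermitTunnel point-to-point
    AllowTcpForwarding no
    X11Forwarding no

# ~/.ssh/config on the client (added example): the equivalent of -w 5:5 plus the
# keep-alive options, so the tunnel is started with just: ssh -f -N vpn-gw
Host vpn-gw
    HostName example.com
    User vpn
    IdentityFile ~/.ssh/key
    Tunnel point-to-point
    TunnelDevice 5:5
    ServerAliveInterval 30
    ServerAliveCountMax 5
    TCPKeepAlive yes
```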

Set up

Create tun interfaces

Create the tun interfaces with a netcfg profile:

$ cat /etc/network.d/vpn

Then run 'netcfg -u vpn', or add the profile to /etc/conf.d/netcfg.

You may also manage tun interfaces with the 'ip tunnel' command.

Creating the interfaces from the SSH command

SSH can create both tun interfaces automatically, but the IP addresses and routing still have to be configured once the connection is established: LocalCommand does this on the client and the remote command does it on the server. Replace the <...> placeholders with the addresses of the two tunnel endpoints.

ssh \
  -o PermitLocalCommand=yes \
  -o LocalCommand="sudo ifconfig tun5 <local-ip> pointopoint <remote-ip> netmask <netmask>" \
  -o ServerAliveInterval=60 \
  -w 5:5 vpn@example.com \
  'sudo ifconfig tun5 <remote-ip> pointopoint <local-ip> netmask <netmask>; echo tun5 ready'

Start SSH

ssh -f -w5:5 vpn@example.com -i ~/.ssh/key "sleep 1000000000"

or, if you are behind a NAT, add keep-alive options so the idle connection is not dropped:

ssh -f -w5:5 vpn@example.com \
        -o ServerAliveInterval=30 \
        -o ServerAliveCountMax=5 \
        -o TCPKeepAlive=yes \
        -i ~/.ssh/key "sleep 1000000000"


  • ssh should have access rights to tun interface or permissions to create it. Check owner of tun interface and/or /dev/net/tun.
  • Obviously if you want to access network (not single machine) you should set up properly IP packet forwarding, routing and maybe netfilter on both sides.
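The client-side sequence described above (create and address the tun device, start ssh with -w and the keep-alive options, route a remote network through the peer) as one script. This is an added example, not code from the wiki page or from OpenSSH. It assumes iproute2: 'ip tuntap' is the subcommand that creates tun/tap devices, and 'ip addr'/'ip link' stand in for the netcfg profile and ifconfig used above. It further assumes that tun5 on the server has already been created and addressed, that the server's sshd permits tunnel forwarding for the login user, and that vpn@example.com, ~/.ssh/key and the addresses 10.1.1.1/10.1.1.2 are placeholders to replace. DRY_RUN=1 prints the privileged commands instead of executing them, which is also how the script can be exercised without root.

```bash
#!/bin/bash
# ssh-vpn-up: client-side bring-up of a point-to-point VPN over SSH.
# Added example for this page; not from the original page or from OpenSSH.
# Assumptions (not stated on the page): iproute2 `ip tuntap`/`ip addr` replace the
# netcfg profile and ifconfig, tun5 on the server is already created and addressed,
# and the server's sshd permits tunnel forwarding for the login user.
set -u

DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1: print the privileged commands instead of running them

# run CMD ARGS...: execute a command, or print it verbatim when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# check_tun_access [DEVICE]: succeed only if the tun clone device exists and the
# current user can read and write it (the page's "check the owner of /dev/net/tun").
check_tun_access() {
    local dev="${1:-/dev/net/tun}"
    [ -c "$dev" ] && [ -r "$dev" ] && [ -w "$dev" ]
}

# parse_tun_spec LOCAL:REMOTE: validate a -w argument and set LOCAL_TUN/REMOTE_TUN.
# Each side must be a device number or the word "any"; anything else is rejected.
parse_tun_spec() {
    case "$1" in
        *:*) ;;
        *) return 1 ;;
    esac
    LOCAL_TUN="${1%%:*}"
    REMOTE_TUN="${1#*:}"
    local n
    for n in "$LOCAL_TUN" "$REMOTE_TUN"; do
        case "$n" in
            any) ;;
            ''|*[!0-9]*) return 1 ;;
        esac
    done
}

# setup_local_tun NUM LOCAL_IP PEER_IP: create a persistent tunNUM (skipped if it
# already exists, e.g. from a netcfg profile), address it point-to-point, bring it up.
# Adding "user NAME" to the tuntap command would let an unprivileged ssh attach to it.
setup_local_tun() {
    [ -d "/sys/class/net/tun$1" ] || run ip tuntap add dev "tun$1" mode tun
    run ip addr add "$2" peer "$3/32" dev "tun$1"
    run ip link set dev "tun$1" up
}

# start_ssh HOST KEY TUNSPEC: the page's ssh invocation with the NAT keep-alive
# options; -N replaces the long sleep, ExitOnForwardFailure aborts if -w is refused.
start_ssh() {
    run ssh -f -N -w "$3" \
        -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=30 \
        -o ServerAliveCountMax=5 \
        -o TCPKeepAlive=yes \
        -i "$2" "$1"
}

# add_remote_route CIDR PEER_IP: reach a whole network behind the peer (the peer
# still needs IP forwarding and a return route, as the notes above say).
add_remote_route() {
    run ip route add "$1" via "$2"
}

# main HOST LOCAL_IP PEER_IP [REMOTE_CIDR]: the complete client-side sequence.
# Environment: TUNSPEC (default 5:5), SSH_KEY (default ~/.ssh/key).
main() {
    local host="$1" local_ip="$2" peer_ip="$3" remote_net="${4:-}"
    parse_tun_spec "${TUNSPEC:-5:5}" || { echo "invalid TUNSPEC" >&2; return 1; }
    if [ "$DRY_RUN" != 1 ] && ! check_tun_access; then
        echo "cannot open /dev/net/tun: run as root or fix its ownership" >&2
        return 1
    fi
    setup_local_tun "$LOCAL_TUN" "$local_ip" "$peer_ip"
    start_ssh "$host" "${SSH_KEY:-$HOME/.ssh/key}" "$LOCAL_TUN:$REMOTE_TUN"
    [ -z "$remote_net" ] || add_remote_route "$remote_net" "$peer_ip"
}

# Only act when run directly with arguments; without them the file just
# defines the functions above, so it can be sourced or tested.
if [ $# -ge 1 ]; then
    main "$@"
fi
```

Run it as root, e.g. `./ssh-vpn-up vpn@example.com 10.1.1.1 10.1.1.2 10.0.99.0/24`; the same call with DRY_RUN=1 shows the five commands that would be issued. ExitOnForwardFailure=yes makes ssh exit when the server refuses the tun request instead of silently leaving a plain SSH session running in the background.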

See also