This is a simple VPN for those times when you want the ease of use of a VPN but only have an ssh server available.
Both servers need to have ssh configured to allow tunnels. You need to change the ssh configs under /etc/ssh.
Remote server sshd_config:
Local server ssh_config:
Setting up the tunnels requires you to use root when sshing. Since I don’t open my servers up to remote root logins, I work around it by first creating a reverse tunnel from the remote server back to my home machine. You will need to forward your external ssh port on your broadband router to the ssh port on your local machine. Then create the reverse tunnel like this.
ssh -f -N -R 2222:localhost:22 [email protected]
Now on your local server you should be able to ssh to the remote machine as root via the reverse tunnel connected to your local port 2222.
The -w 0:0 tells ssh to set up a tunX device at both ends and which number they should have. In this case we end up with a tun0 at both ends.
ssh -f -N -w 0:0 127.0.0.1 -p 2222
Next we need to configure the local tun0 device and add a route to the remote networks.
ifconfig tun0 10.0.2.1 netmask 255.255.255.252
ip ro add 10.0.0.0/8 dev tun0
So that we can reference hosts within the remote networks I copy over the resolv.conf from the remote host to the local machine.
cp /etc/resolv.conf /etc/resolv.conf.before_ssh_tunnel
scp -P 2222 127.0.0.1:/etc/resolv.conf /etc/resolv.conf
On the remote server, tell the kernel to allow forwarding of traffic, then configure the remote tun0 device.
echo 1 > /proc/sys/net/ipv4/ip_forward
/sbin/ifconfig tun0 10.0.2.2 netmask 255.255.255.252
Still on the remote server we need to configure the firewall to forward the traffic correctly and do some NAT so that the remote server can send packets back to the local machine. Make sure that eth0 is the internal network interface rather than the external-facing one, as you don’t want to VPN into the internet.
BIG CAUTION: I need to work out what is blocking in the standard iptables on Fedora. The following will turn off your firewall and only add back in the bits required for this VPN. You may be disabling your external firewall if there isn’t another firewall in the way. My particular machine has a hardware firewall in place so I am not too stressed by flushing iptables.
/sbin/iptables -F
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
/sbin/iptables -A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
If you plan to do this often, I would recommend something that can automate ssh for you, such as wrapping all the commands in Capistrano or Fabric scripts.
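As an added example (not the author's commands), the remote-side steps above wrapped into a Python script that prints the command list as a dry run, inserts the iptables rules instead of flushing the whole table, and refuses to masquerade onto whichever interface carries the default route, which is the eth0-must-be-internal check above. The interface names and the sample `ip route` output are constructed assumptions.

```python
"""Remote-server steps of the ssh -w tunnel VPN as a reviewable command list
(dry-run by default): rules are added, not flushed, and NAT is refused on the
default-route interface."""
import ipaddress
import re
import shlex
import subprocess
import sys

# Constructed sample of `ip route show default`: external interface eth1,
# internal LAN interface eth0.
SAMPLE_DEFAULT_ROUTE = "default via 203.0.113.1 dev eth1 proto static metric 100\n"

def default_route_iface(route_output):
    """Return the interface named in the default route, or None."""
    m = re.search(r"^default .*?\bdev (\S+)", route_output, re.M)
    return m.group(1) if m else None

def tunnel_peers(link):
    """Split a /30 link into (local, remote) hosts: 10.0.2.0/30 -> 10.0.2.1, 10.0.2.2."""
    net = ipaddress.ip_network(link, strict=True)
    if net.prefixlen != 30:
        raise ValueError("tunnel link must be a /30")
    local, remote = (str(h) for h in net.hosts())
    return local, remote

def remote_commands(link, inside_if, tun="tun0", route_output=SAMPLE_DEFAULT_ROUTE):
    """Enable forwarding, address the tun device, masquerade onto the internal
    interface and allow forwarding both ways, leaving existing rules in place."""
    if inside_if == default_route_iface(route_output):
        raise ValueError(f"{inside_if} carries the default route: refusing to NAT onto it")
    _local, remote = tunnel_peers(link)
    prefix = ipaddress.ip_network(link).prefixlen
    return [
        ["sysctl", "-w", "net.ipv4.ip_forward=1"],
        ["ip", "addr", "add", f"{remote}/{prefix}", "dev", tun],
        ["ip", "link", "set", tun, "up"],
        ["iptables", "-t", "nat", "-A", "POSTROUTING", "-o", inside_if, "-j", "MASQUERADE"],
        ["iptables", "-I", "FORWARD", "-i", inside_if, "-o", tun,
         "-m", "conntrack", "--ctstate", "RELATED,ESTABLISHED", "-j", "ACCEPT"],
        ["iptables", "-I", "FORWARD", "-i", tun, "-o", inside_if, "-j", "ACCEPT"],
    ]

def run(cmds, apply=False):
    """Print each command; execute only when apply=True (needs root)."""
    for cmd in cmds:
        print(shlex.join(cmd))
        if apply:
            subprocess.run(cmd, check=True)
if __name__ == "__main__":
    run(remote_commands("10.0.2.0/30", "eth0"), apply="--apply" in sys.argv)
```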
I found NetworkManager-ssh-gnome when looking through the list of rpms available in Fedora 19, which automates a lot of the above process.
[[email protected]: ~]$ yum info NetworkManager-ssh-gnome.x86_64
Loaded plugins: langpacks, refresh-packagekit
Available Packages
Name        : NetworkManager-ssh-gnome
Arch        : x86_64
Version     : 0.0.3
Release     : 0.8.20130419git3d5321b.fc19
Size        : 32 k
Repo        : fedora/19/x86_64
Summary     : NetworkManager VPN plugin for SSH - GNOME files
URL         : https://github.com/danfruehauf/NetworkManager-ssh
Licence     : GPLv2+
Description : This package contains software for integrating VPN capabilities with
            : the OpenSSH server with NetworkManager (GNOME files).
The upstream project is available at https://github.com/danfruehauf/NetworkManager-ssh