Easy OpenSSH VPN using tunneling

by Tim Hughes · Read in about 3 min · (568 words)

This is a simple VPN for those times when you want the ease of use of a VPN but only have an ssh server available.

Both servers need to have ssh configured to allow tunnels. You need to change the ssh configs under /etc/ssh.

Remote server sshd_config:

PermitTunnel  yes

Local server ssh_config:

Tunnel  yes

Remote server

Setting up the tunnels requires you to use root when sshing. Since I don’t open my servers up to remote root logins I work around it by first creating a reverse tunnel from the remote server back to my home machine. You will need to forward your external ssh port on your broadband router to the ssh port on your local machine. Then create the reverse tunnel like this:

ssh -f -N -R 2222:localhost:22 [email protected]

Local server

Now on your local server you should be able to ssh to the remote machine as root via the reverse tunnel connected to your local port 2222. The -w 0:0 tells ssh to set up a tunX device at both ends and what their number should be. In this case we end up with a tun0 at both ends.

ssh -f -N -w 0:0 -p 2222 root@127.0.0.1

Next we need to configure the local tun0 device and add in a route to the remote networks.

ifconfig tun0 10.0.2.1 netmask 255.255.255.252
ip ro add 10.0.0.0/8 dev tun0

So that we can reference hosts within the remote networks I copy over the resolv.conf from the remote host to the local machine.

cp /etc/resolv.conf /etc/resolv.conf.before_ssh_tunnel
scp -P 2222 127.0.0.1:/etc/resolv.conf /etc/resolv.conf

Remote server

On the remote server, tell the kernel to allow forwarding of traffic, then configure the remote tun0 device.

echo 1 > /proc/sys/net/ipv4/ip_forward
/sbin/ifconfig tun0 10.0.2.2 netmask 255.255.255.252

Still on the remote server we need to configure the firewall to forward the traffic correctly and do some NAT so that the remote server can send packets back to the local machine. Make sure that eth0 is the internal network interface rather than the external-facing one, as you don’t want to VPN into the internet.

BIG CAUTION: I need to work out what is blocking in the standard iptables on Fedora. The following will turn off your firewall and only add back in the bits required for this VPN. You may be disabling your external firewall if there isn’t another firewall in the way. My particular machine has a hardware firewall in place so I am not too stressed by flushing iptables.

/sbin/iptables -F
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
/sbin/iptables -A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
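As an added example (not from the original post), here is a way to install the same forwarding and NAT rules on the remote server without the `iptables -F` step: rules are scoped to the tunnel subnet, inserted idempotently, and placed at the top of the chain, since Fedora-style rulesets typically end FORWARD with a REJECT that appended rules never reach. It assumes the post's eth0 (internal), tun0 and 10.0.2.0/30 values, all overridable via environment variables.

```shell
#!/bin/sh
# Added example, not from the original post: install the remote server's
# forwarding/NAT rules without flushing the existing firewall. Rules are
# scoped to the tunnel subnet, inserted only if missing, and inserted at
# the top (-I) of the chain: Fedora-style rulesets typically end FORWARD
# with a REJECT, so rules appended with -A (as in the post) are never
# reached, which is a likely reason the stock firewall blocked the VPN.
# Assumptions: eth0 = internal interface, tun0 = ssh tunnel device,
# 10.0.2.0/30 = the point-to-point subnet used in the post.
set -eu

INT_IF="${INT_IF:-eth0}"
TUN_IF="${TUN_IF:-tun0}"
TUN_NET="${TUN_NET:-10.0.2.0/30}"
IPT="${IPT:-/sbin/iptables}"   # IPT=echo prints iptables commands instead

# Rule specs as "<table> <chain> <match ... -j target>", one per line.
# Kept separate from execution so they can be reviewed without root.
vpn_rules() {
    cat <<EOF
nat POSTROUTING -s $TUN_NET -o $INT_IF -j MASQUERADE
filter FORWARD -i $TUN_IF -o $INT_IF -s $TUN_NET -j ACCEPT
filter FORWARD -i $INT_IF -o $TUN_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
EOF
}

# Insert each rule only if it is not already present (-C fails when the
# rule is missing), so re-running the script never duplicates rules.
apply_rules() {
    vpn_rules | while read -r table chain spec; do
        # $spec is deliberately unquoted so it word-splits into arguments
        $IPT -t "$table" -C "$chain" $spec 2>/dev/null ||
            $IPT -t "$table" -I "$chain" $spec
    done
}

enable_forwarding() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Usage (as root on the remote server):  sh ssh-vpn-fw.sh apply
# Review the rules without touching anything:  sh ssh-vpn-fw.sh show
case "${1:-}" in
    apply) enable_forwarding; apply_rules ;;
    show)  vpn_rules ;;
esac
```

Run `IPT=echo sh ssh-vpn-fw.sh apply` first to see exactly which iptables commands would be executed against your existing ruleset.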

If you are planning on doing this often then I would recommend something that can automate ssh for you such as wrapping all the commands in Capistrano or Fabric scripts.

***[EDIT]***

I found NetworkManager-ssh-gnome when looking through the list of rpms available in Fedora 19 which automates a lot of the above process.

[[email protected]: ~]$ yum info NetworkManager-ssh-gnome.x86_64
Loaded plugins: langpacks, refresh-packagekit
Available Packages
Name        : NetworkManager-ssh-gnome
Arch        : x86_64
Version     : 0.0.3
Release     : 0.8.20130419git3d5321b.fc19
Size        : 32 k
Repo        : fedora/19/x86_64
Summary     : NetworkManager VPN plugin for SSH - GNOME files
URL         : https://github.com/danfruehauf/NetworkManager-ssh
Licence     : GPLv2+
Description : This package contains software for integrating VPN capabilities with
            : the OpenSSH server with NetworkManager (GNOME files).

The upstream project is available at https://github.com/danfruehauf/NetworkManager-ssh