ssh VPN
Scenario
In this recipe two machines will be configured:
- A server which is a firewall and has access to a private network ¹
- A client which initiates the connections to the server and gains direct access to the private network
-------- /\_/-\/\/-\ ----------------- | Client |~~~~~~~/ Internet /~~~~~~| Server/Firewall |~~~[ private net ] -------- \_/-\/\_/\/ / ----------------- \ ||\ \ ||\ \ || {tun0} {eth0} || {tun0} {eth1} || || \-================= tunnel ==============-/
For this recipe lets number things like this:
- the private net is 10.99.99.0/24
- eth0 on the server has public IP 5.6.7.8
- eth1 on the server has private IP 10.99.99.1
- the VPN network is 10.254.254.0/30
- tun0 on the server has private IP 10.254.254.1
- tun0 on the client has private IP 10.254.254.2
On the Client
If you do not already have them, generate an SSH keypair for root:
$ sudo ssh-keygen -t rsa
/etc/network/interfaces: Add this stanza to the file:
iface tun0 inet static pre-up ssh -S /var/run/ssh-myvpn-tunnel-control -M -f -w 0:0 5.6.7.8 true pre-up sleep 5 address 10.254.254.2 pointopoint 10.254.254.1 netmask 255.255.255.252 up route add -net 10.99.99.0 netmask 255.255.255.0 gw 10.254.254.1 tun0 post-down ssh -S /var/run/ssh-myvpn-tunnel-control -O exit 5.6.7.8
The first time we connect to the server as root we may need to acknowledge saving the servers SSH key fingerprint:
$ sudo ssh 5.6.7.8 The authenticity of host '5.6.7.8 (5.6.7.8)' can't be established. RSA key fingerprint is aa:fe:a0:38:7d:11:78:60:01:b0:80:78:90:ab:6a:d2. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '5.6.7.8' (RSA) to the list of known hosts.
Don’t bother logging in, just hit CTRL-C.
On the server
/etc/ssh/sshd_config: Add/modify the two keywords to have the same values as below.
PermitTunnel point-to-point PermitRootLogin forced-commands-only
The PermitRootLogin line is changed from the default of no
. You do restrict root SSH login, right?
/root/.ssh/authorized_keys: Add the following line.
tunnel="0",command="/sbin/ifdown tun0;/sbin/ifup tun0" ssh-rsa AAAA ..snipped.. == root@server
Replace everything starting with “ssh-rsa” with the contents of root’s public SSH key from the client(/root/.ssh/id_rsa.pub on the client).
/etc/network/interfaces: Add the following stanza.
iface tun0 inet static address 10.254.254.1 netmask 255.255.255.252 pointopoint 10.254.254.2
/etc/sysctl.conf: Make sure net.ipv4.conf.default.forwarding
is set to 1
net.ipv4.conf.default.forwarding=1
This will take effect upon the next reboot so make it active now:
$ sudo sysctl net.ipv4.conf.default.forwarding=1
Using the VPN
user@client:~$ sudo ifup tun0 RTNETLINK answers: File exists run-parts: /etc/network/if-up.d/avahi-autoipd exited with return code 2 user@client:~$ ping -c 2 10.99.99.1 PING 10.99.99.1 (10.99.99.1) 56(84) bytes of data. 64 bytes from 10.99.99.1 icmp_seq=1 ttl=64 time=96.3 ms 64 bytes from 10.99.99.1 icmp_seq=2 ttl=64 time=94.9 ms --- 10.99.99.1 ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 999ms rtt min/avg/max/mdev = 94.954/95.670/96.387/0.780 ms user@client:~$ sudo ifdown tun0 Exit request sent.
You may get the two errors after running ifup. No problem, they are harmless.
Leave a reply