
VPN with SSH

As of version 4.3, OpenSSH can use the tun/tap device to build an encrypted tunnel. This is very similar to other TLS based VPN solutions like OpenVPN. One advantage with SSH is that there is no need to install and configure additional software. Additionally the tunnel uses the SSH authentication, like pre-shared keys. The drawback is that the encapsulation is done over TCP, which might result in poor performance on a slow link. Also the tunnel relies on a single (fragile) TCP connection. This technique is very useful for a quick IP based VPN setup. There is no limitation as with the single TCP port forward: all layer 3/4 protocols like ICMP, TCP/UDP, etc. are forwarded over the VPN. In any case, the following options are needed in the sshd_config file:
PermitRootLogin yes
PermitTunnel yes
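As an added check (not code from the original page), the following Python audits the two sshd_config keywords the setup depends on. It assumes the file follows sshd's own parsing rules (comments start with '#', the first occurrence of a keyword wins, anything after a Match line is conditional) and looks only at the global section; the sample configuration is constructed.

```python
import re

# Values sshd assumes when a keyword is absent from the file.
DEFAULTS = {"permittunnel": "no", "permitrootlogin": "prohibit-password"}
TUNNEL_OK = {"yes", "point-to-point"}  # values that allow the layer-3 tun device ssh -w asks for


def parse_global_section(text):
    """Keyword (lower-cased) -> effective value, following sshd's rules: '#' starts a comment,
    keyword and argument are separated by whitespace or '=', the FIRST occurrence wins, and a
    Match line ends the global section (everything after it is conditional, so we stop there)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"^(\w+)\s*=?\s*(.*)$", line)
        if not m:
            continue  # blank or comment-only line
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        settings.setdefault(key, value)  # first occurrence wins
    return settings


def audit_tunnel_config(text):
    """Say whether the two keywords permit the SSH VPN and flag settings that are
    broader than a tun-based, key-authenticated tunnel needs."""
    s = parse_global_section(text)
    tunnel = s.get("permittunnel", DEFAULTS["permittunnel"]).lower()
    root = s.get("permitrootlogin", DEFAULTS["permitrootlogin"]).lower()
    findings = []
    if tunnel not in TUNNEL_OK:
        findings.append("PermitTunnel %s: ssh -w cannot open a tun device" % tunnel)
    elif tunnel == "yes":
        findings.append("PermitTunnel yes also allows layer-2 (tap) tunnels; point-to-point is enough")
    if root == "no":
        findings.append("PermitRootLogin no: root cannot log in to configure the tunnel")
    elif root == "forced-commands-only":
        findings.append("PermitRootLogin forced-commands-only: root keys need a command= option")
    elif root == "yes":
        findings.append("PermitRootLogin yes also allows root password login; prohibit-password keeps it key-only")
    return {"permittunnel": tunnel, "permitrootlogin": root,
            "vpn_possible": tunnel in TUNNEL_OK and root != "no", "findings": findings}


# Constructed sample modelled on the options the page asks for.
SAMPLE_CONFIG = """\
PermitRootLogin yes
PermitTunnel yes
PermitRootLogin no        # ignored by sshd: first occurrence wins
Match User backup
    PermitTunnel no       # conditional, not part of the global section
"""
```

Running audit_tunnel_config(SAMPLE_CONFIG) reports that the VPN is possible but lists both keywords as broader than needed; a file with PermitRootLogin prohibit-password and PermitTunnel point-to-point produces no findings.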

Connect two hosts

Here two hosts, hclient and hserver, are connected with a tunnel. The connection is started from hclient to hserver and is done as root. The tunnel end points are 10.0.1.1 (server) and 10.0.1.2 (client) and we create a device tun5 (this could also be another number). The procedure is very simple:

- Connect with SSH using the tunnel option -w.
- Configure the IP addresses of the tunnel. Once on the server and once on the client.

Connect two networks

Suppose for the example, netA is 192.168.51.0/24 and netB 192.168.16.0/24. NAT must be activated on the private interface only if the gates are not the same as the default gateway of their network.

192.168.51.0/24 (netA) gateA <-> gateB 192.168.16.0/24 (netB)

- Connect with SSH using the tunnel option -w.
- Configure the IP addresses of the tunnel. Once on the server and once on the client.
- Add the routing for the two networks.
- If necessary, activate NAT on the private interface of the gate.

The setup is started from gateA in netA.

Connect from gateA to gateB

Connection is started from gateA and commands are executed on gateB (gateB is on Linux):
gateA># ssh -w5:5 root@gateB
gateB># ifconfig tun5 10.0.1.1 netmask 255.255.255.252              # Executed on the gateB shell
gateB># route add -net 192.168.51.0 netmask 255.255.255.0 dev tun5
gateB># echo 1 > /proc/sys/net/ipv4/ip_forward                      # Only needed if not default gw
gateB># iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Configure gateA

Commands executed on gateA (gateA is on Linux):
gateA># ifconfig tun5 10.0.1.2 netmask 255.255.255.252
gateA># route add -net 192.168.16.0 netmask 255.255.255.0 dev tun5
gateA># echo 1 > /proc/sys/net/ipv4/ip_forward
gateA># iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

The two private networks are now transparently connected via the SSH VPN. The IP forward and NAT settings are only necessary if the gates are not the default gateways. In this case the clients would not know where to forward the response, and NAT must be activated.