How to use OpenSSH-based virtual private networks
-------------------------------------------------

OpenSSH contains support for VPN tunneling using the tun(4) network
tunnel pseudo-device which is available on most platforms, either for
layer 2 or layer 3 traffic.

The following brief instructions on how to use this feature use
a network configuration specific to the OpenBSD operating system.

(1) Server: Enable support for SSH tunneling

To enable the ssh server to accept tunnel requests from the client, you
have to add the following option to the ssh server configuration file
(/etc/ssh/sshd_config):

        PermitTunnel yes

"yes" permits both tunnel types; "PermitTunnel point-to-point" (layer 3
only) or "PermitTunnel ethernet" (layer 2 only) limits the server to the
mode you actually use. Restart the server or send the hangup signal
(SIGHUP) to let the server reread its configuration.

(2) Server: Restrict client access and assign the tunnel

Opening a tun(4) device requires root privileges, so the tunnel endpoint
on the server is the root account and the client's key lives in
/root/.ssh/authorized_keys. The key options on that line restrict the
client to a specified tunnel and automatically start the related
interface configuration command: tunnel="1" forces this key onto tun1
regardless of which device the client requests, and command="..."
replaces the login shell, so the key cannot be used for an interactive
root shell. These settings are optional but recommended:

        tunnel="1",command="sh /etc/netstart tun1" ssh-rsa ... reyk@openbsd.org

A forced command does not by itself disable port, agent or X11
forwarding. Add no-pty,no-port-forwarding,no-agent-forwarding,
no-X11-forwarding to the same line (or the single option restrict on
OpenSSH 7.2 and later, which implies all of them) so the key can do
nothing but bring up the tunnel. PermitRootLogin in sshd_config must
also allow key-based root logins; forced-commands-only fits this setup.

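Before the first client connects, both server-side settings from steps
(1) and (2) can be checked mechanically. The following POSIX shell
script is an added example for this page, not code from OpenSSH or from
the original README: it reads the effective sshd configuration as
printed by "sshd -T" (a real sshd flag, present since OpenSSH 5.1) and
walks root's authorized_keys, flagging tunnel keys that lack a forced
command or that still permit port forwarding. The function names, the
/tmp path in the usage comment and the key lines used in testing are
constructed for this example and are not taken from the page.

```sh
#!/bin/sh
# Server-side preflight for the OpenSSH tunnel setup in steps (1) and (2).
# Added example for this page; not part of OpenSSH or the original README.
#
#   check_sshd_config FILE MODE   FILE holds the output of "sshd -T",
#                                 MODE is point-to-point or ethernet
#   classify_tunnel_key LINE      classify one authorized_keys line
#   audit_authorized_keys FILE    report tunnel keys that lack restrictions

# Print "ok" if the effective sshd configuration can hand a tunnel of the
# given type to root; otherwise print the reason and return 1.
check_sshd_config() {
    cfg=$1; mode=$2
    permittunnel=$(awk '$1 == "permittunnel" { print $2 }' "$cfg")
    permitrootlogin=$(awk '$1 == "permitrootlogin" { print $2 }' "$cfg")
    case "$permittunnel" in
        yes|"$mode") ;;                 # "yes" covers both tunnel types
        *) echo no-tunnel; return 1 ;;
    esac
    # The tun(4) endpoint is root, so root must be able to log in by key;
    # a password-enabled root login is wider than this setup needs.
    case "$permitrootlogin" in
        no|'') echo root-login-disabled; return 1 ;;
        yes)   echo root-password-login; return 1 ;;
    esac
    echo ok
}

# Classify one authorized_keys line:
#   skip               blank, comment, or a key without a tunnel= option
#   missing-command    tunnel key without command=, i.e. a root shell
#   forwarding-allowed command= present but port forwarding still allowed
#   ok                 tunnel key with command= and no-port-forwarding
#                      (or restrict, OpenSSH 7.2+, which implies it)
classify_tunnel_key() {
    line=$1
    case "$line" in
        ''|'#'*|ssh-*|ecdsa-*|sk-*) echo skip; return 0 ;;
    esac
    # Options precede the key type; cut the line at the first key type.
    opts=$(printf '%s\n' "$line" | sed -E 's/ (ssh|ecdsa|sk)-.*$//')
    case "$opts" in
        *tunnel=*) ;;
        *) echo skip; return 0 ;;
    esac
    case "$opts" in
        *command=*) ;;
        *) echo missing-command; return 1 ;;
    esac
    case "$opts" in
        *no-port-forwarding*|*restrict*) echo ok; return 0 ;;
        *) echo forwarding-allowed; return 1 ;;
    esac
}

# Walk an authorized_keys file: problem lines go to stderr, the problem
# count to stdout; the return status is non-zero if anything was found.
audit_authorized_keys() {
    problems=0
    while IFS= read -r line || [ -n "$line" ]; do
        verdict=$(classify_tunnel_key "$line") || true
        case "$verdict" in
            skip|ok) ;;
            *) problems=$((problems + 1))
               printf '%s: %s\n' "$verdict" "$line" >&2 ;;
        esac
    done < "$1"
    echo "$problems"
    [ "$problems" -eq 0 ]
}

# Usage on the server, as root (the paths are examples):
#   sshd -T > /tmp/sshd-effective.conf
#   sh audit_tunnel.sh /tmp/sshd-effective.conf /root/.ssh/authorized_keys ethernet
if [ $# -ge 2 ]; then
    check_sshd_config "$1" "${3:-point-to-point}"
    audit_authorized_keys "$2"
fi
```

Run against the recommended line from step (2) the classifier reports
forwarding-allowed, which is exactly the gap the no-port-forwarding (or
restrict) option closes; a tunnel= key with no command= at all is
reported as missing-command, since such a key is a root login.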
(3) Client: Configure the local network tunnel interface

Use the hostname.if(5) interface-specific configuration file to set up
the network tunnel configuration with OpenBSD. For example, use the
following configuration in /etc/hostname.tun0 to set up the layer 3
tunnel on the client:

        inet 192.168.5.1 255.255.255.252 192.168.5.2

OpenBSD also supports layer 2 tunneling over the tun device by adding
the link0 flag:

        inet 192.168.1.78 255.255.255.0 192.168.1.255 link0

Layer 2 tunnels can be used in combination with an Ethernet bridge(4)
interface, like the following example for /etc/bridgename.bridge0:

        add tun0
        add sis0
        up

(4) Client: Configure the OpenSSH client

To establish tunnel forwarding for connections to a specified
remote host by default, use the following ssh client configuration for
the privileged user (in /root/.ssh/config):

        Host sshgateway
                Tunnel yes
                TunnelDevice 0:any
                PermitLocalCommand yes
                LocalCommand sh /etc/netstart tun0

"Tunnel yes" requests the default point-to-point (layer 3) mode and
matches the first hostname.tun0 example above; the link0 (layer 2)
configuration needs "Tunnel ethernet", as in the next example.
"TunnelDevice 0:any" opens tun0 locally and lets the server choose its
device (or use the one forced by the tunnel= key option). The client
runs as root as well, since it has to open the local tun(4) device.

A more complicated configuration is possible to establish a tunnel to
a remote host which is not directly accessible by the client.
The following example describes a client configuration to connect to
the remote host over two ssh hops in between. It uses the OpenSSH
ProxyCommand in combination with the nc(1) program to forward the final
ssh tunnel destination over multiple ssh sessions (OpenSSH 7.3 and later
can express the same chain with ProxyJump).

        Host access.somewhere.net
                User puffy
        Host dmzgw
                User puffy
                ProxyCommand ssh access.somewhere.net nc dmzgw 22
        Host sshgateway
                Tunnel Ethernet
                TunnelDevice 0:any
                PermitLocalCommand yes
                LocalCommand sh /etc/netstart tun0
                ProxyCommand ssh dmzgw nc sshgateway 22

The following network plan illustrates the previous configuration in
combination with layer 2 tunneling and Ethernet bridging.

        +--------+       (          )       +----------------------+
        | Client |------(  Internet  )------| access.somewhere.net |
        +--------+       (          )       +----------------------+
            : 192.168.1.78                             |
            :.............................         +-------+
              Forwarded ssh connection   :         | dmzgw |
              Layer 2 tunnel             :         +-------+
                                         :             |
                                         :             |
                                         :      +------------+
                                         :......| sshgateway |
                                                +------------+
        --- real connection                Bridge ->   |          +----------+
        ... "virtual connection"                     [ X ]--------| somehost |
        [X] switch                                                +----------+
                                                                   192.168.1.25

(5) Client: Connect to the server and establish the tunnel

Finally connect to the OpenSSH server to establish the tunnel by using
the following command:

        ssh sshgateway

It is also possible to tell the client to fork into the background after
the connection has been successfully established:

        ssh -f sshgateway true

Without the ssh configuration done in step (4), it is also possible
to use the following command lines ("-w 0:1" asks for local tun0 and
remote tun1, the device the authorized_keys entry in step (2) forces
anyway):

        ssh -fw 0:1 sshgateway true
        ifconfig tun0 192.168.5.1 192.168.5.2 netmask 255.255.255.252

Using OpenSSH tunnel forwarding is a simple way to establish secure
and ad hoc virtual private networks. Possible fields of application
could be wireless networks or administrative VPN tunnels.

Nevertheless, ssh tunneling adds packet header overhead and runs on
top of TCP, so TCP connections inside the tunnel have their own
retransmissions stacked on those of the carrying ssh connection, which
performs poorly on lossy links. It is still suggested to use the IP
Security Protocol (IPsec) for robust and permanent VPN connections and
to interconnect corporate networks.

Reyk Floeter

$OpenBSD: README.tun,v 1.4 2006/03/28 00:12:31 deraadt Exp $