At the meeting, there was some interest expressed in setting up a VPN using only SSH (note: this is not single port tunneling)
My notes on SSH are here: http://mcarlson.ca/fossnotes/?page=ssh

Newer versions of OpenSSH can do a VPN! Here is a summary of the actions you need to do. Consult the man page for more info (especially the here and some came from the ssh(1) man page on OpenBSD. If you follow these directions exactly, you could run into problems; they are just notes, and don't cover generating keys, the location of keys, or permissions of certain files.

For this example, I have my home network, 192.168.2.1/24, and a remote network, 192.168.1.1/24. By creating a tun(4) device on my laptop at home (OpenBSD, IP: 192.168.2.106) with the IP 10.0.0.2, I can set up a VPN to a remote machine (FreeBSD, IP: 192.168.1.2) with the IP 10.0.0.1. With the correct "route add" commands, I can talk to 192.168.2.1/24 machines from the FreeBSD box, and can talk to 192.168.1.1/24 machines from the OpenBSD box!

On the machine inside the network, you will have to do the following:

    # emacs /etc/ssh/sshd_config
    PermitRootLogin yes
    PermitTunnel yes

    # emacs /root/.ssh/authorized_keys
    #
    # ssh-dss ... is the contents of /root/.ssh/id_dsa_vpn.pub
    #
    # from the gateway: peer address is the client's tun0 address (10.0.0.2), /30 mask
    tunnel="0",command="/sbin/ifconfig tun0 10.0.0.1 10.0.0.2 netmask 255.255.255.252; route add 192.168.2.1/24 10.0.0.2; echo VPN Established!" ssh-dss ...

On the machine outside the network, you will have to do the following:

    # emacs /root/.ssh/config
    #
    # fill in: remote.host.to.vpn.to.com
    Host vpn
        HostName remote.host.to.vpn.to.com
        User root
        IdentityFile ~/.ssh/id_dsa_vpn
        Tunnel yes
        TunnelDevice 0:any
        PermitLocalCommand yes
        LocalCommand /bin/echo > /dev/tun0; /sbin/ifconfig tun0 10.0.0.2 10.0.0.1 netmask 255.255.255.252; route add 192.168.1.1/24 10.0.0.1

Test it out!

    # ssh vpn            # on the machine outside the network
    # ping 192.168.1.1   # on the machine outside the network
    # ping 192.168.2.1   # on the machine inside the network

-Mark
_______________________________________________
clug-talk mailing list
http://clug.ca/mailman/listinfo/clug-talk_clug.ca

