OpenSSH: Tunneling VPN
Introduction
OpenSSH has supported creating IP tunnels since version 4.3.
First, you need to check the OpenSSH version on both the server and client.
You need root privileges on both machines. There are operations to perform, both at the configuration and network levels.
Configuration
Server
OpenBSD
The first thing to do is to tell OpenSSH to authorize tunnels by adding this directive:
We need to ensure that forwarding is activated:
And will be activated at reboot:
Let’s create a tun interface:
And again, make the configuration permanent:
Now we can restart SSH:
You also need to disable privilege separation, or adjust permissions on /dev/tun. For simplicity, I’ve added:
UsePrivilegeSeparation no
Another solution is to grant read-write permissions to a specific group on /dev/tun, which is much simpler and safer.
And of course, be in that group.
You then need to load the tun module:
And add it to /etc/modprobe.preload so it is loaded at the next boot:
Client
On the client side, we also need to add this directive, but in the /etc/ssh/ssh_config file:
Edit the /etc/network/interfaces file and add this interface:
You only need permissions on /dev/tun, so either run as root or have write permission on /dev/tun, as mentioned above, then do (where client is the server):
You can look at the -f and -N options to avoid launching a shell on the remote machine. And of course, the usual options still work (key, tunnel, master/slave).
Then, as root, you can change the IP of the new tun0 interface on the server:
On FreeBSD:
And do the same on the client, with either of two equivalent commands:
Finally, you can now test the ping from the client:
The rest is normal interface configuration. You can add routes, a firewall, anything.
However, you should know that carrying TCP over TCP (which is what an SSH tunnel does) is not recommended: both layers run their own retransmission and congestion control, and the two interact badly under packet loss.
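As an added example, not part of the original article, here is a POSIX shell helper for the checks above: it tells whether an ssh -V banner is new enough, reads a setting from sshd_config the way sshd resolves it, and flags the two server-side choices discussed, PermitTunnel and UsePrivilegeSeparation. The function names and the sample config files are my own.

```shell
#!/bin/sh
# Added helper (not from the original article); function names and sample files are my own.

# openssh_has_tunnel_support BANNER: return 0 when an "ssh -V 2>&1" banner reports
# OpenSSH 4.3 or newer, the release that introduced -w and PermitTunnel.
openssh_has_tunnel_support() {
    v=$(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2/p')
    [ -n "$v" ] || return 1
    set -- $v
    [ "$1" -gt 4 ] || { [ "$1" -eq 4 ] && [ "$2" -ge 3 ]; }
}

# sshd_option FILE KEYWORD: print the value sshd would use: first match wins,
# comments ignored, "Key value" or "Key=value", keyword case-insensitive, and
# nothing past a Match block (those settings are conditional).
sshd_option() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/^[ \t]+/, "") }
        /^#/ || /^$/ { next }
        { split($0, f, /[ \t=]+/); k = tolower(f[1]) }
        k == "match" { exit }
        k == key { print f[2]; exit }
    ' "$1"
}

# tunnel_config_check FILE: report the tunnel-related settings; return 0 only when
# tun (layer-3) tunnels are permitted and privilege separation was not switched
# off to make them work; the group-on-/dev/tun approach above is the safer one.
tunnel_config_check() {
    permit=$(sshd_option "$1" PermitTunnel | tr 'A-Z' 'a-z')
    privsep=$(sshd_option "$1" UsePrivilegeSeparation | tr 'A-Z' 'a-z')
    rc=0
    case "$permit" in
        yes|point-to-point) echo "PermitTunnel $permit: tun tunnels allowed" ;;
        ethernet) echo "PermitTunnel ethernet: only tap tunnels; -w tun is refused"; rc=1 ;;
        *) echo "PermitTunnel ${permit:-unset (default no)}: tunnels refused"; rc=1 ;;
    esac
    if [ "$privsep" = no ]; then
        echo "UsePrivilegeSeparation no: undo this and grant a group rw on /dev/tun instead"
        rc=1
    fi
    return $rc
}

# Constructed sample sshd_config files (not real systems) so the checks run offline.
SAMPLES=$(mktemp -d)
printf 'PermitTunnel yes\nUsePrivilegeSeparation no\n' > "$SAMPLES/weak.conf"
printf '# tun access via group\nPermitTunnel=point-to-point\n' > "$SAMPLES/good.conf"
printf 'PermitTunnel no\nPermitTunnel yes\n' > "$SAMPLES/refused.conf"
```

On a real server, run tunnel_config_check /etc/ssh/sshd_config and feed openssh_has_tunnel_support the output of ssh -V 2>&1; the return code is 0 only when the settings are sane.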
FAQ
Connection closed by …
This is generally due to the server struggling. Check that it has the correct DNS settings and that the LoginGraceTime value in its configuration (/etc/ssh/sshd_config) is high enough.
Cannot fork into background without a command to execute
You may encounter this error message:
Cannot fork into background without a command to execute
Failed to bring up tun1.
To resolve this issue, add the -N option to the SSH command.
Resources
Last updated 14 May 2010, 22:46 CEST.