SSH vpn and other tricks

As a Unix sysadmin, I am using ssh every day. Its an innocuous little tool thats absolutely essential. Sure it does terminal sessions, but its all the other little features that make it quite indespensable; port forwarding, agent forwarding ….

And they always seem to add in cool features that I never find out about until much later. For example, the built in SOCKS proxy using the -D option. That is so useful. Often you have ssh access to a machine on a remote network but firewalls prevent you from getting http or other forms of access into that network. So typically I do:

ssh -D 1080 user@machine_i_can_get_to

Then point my PC’s browser at a SOCKS proxy on port 1080 and I can do what I need to do. Very handy.

A new feature I discovered today is that Openssh (since v4.3) can create a VPN on top of the ssh connection. That is incredibly useful. How come I miss these things? Why didn’t anyone tell me about this?

There’s a decent short description of the Openssh VPN functionality on the Fermi Paradox blog. There’s more information here. The basic thing is that you need to enable some settings on your sshd server, and you also need to use tun devices (ie. if your server is linux make sure you have the tun module either compiled in or loaded). In /etc/ssh/sshd_config you need;

PermitTunnel yes
PermitRootlogin yes

Then you need to restart sshd. The client then uses the -w option to ssh to connect. For example;

sudo ssh -w any:any root@server

You really need the ssh client and server users to be root since sshd and ssh need to configure some of the tun stuff. Of course, thats not all, you still need to ifconfig the interfaces at either end of your link. Check that Fermi Paradox blog for more info.

I actually got this working with my macbook as the client and a linux box as server. To do this you need to install the tun/tap stuff for OS X.  I installed the latest leopard version on the macbook. My server was a regular Debian Etch setup.

So on the server make the changes to /etc/ssh/sshd_config and restart sshd.

On my Macbook I generated a root rsa key to use for the login, so on the mac;

sudo su -
ssh-keygen -t rsa
# I just put a blank password
cat ~/.ssh/

Copy the crypto text with your mouse, log onto your server;

sudo su -
cat >>~/.ssh/authorized_keys
<and now paste in what you copied with your mouse and press ctrl-d>

Back on your Mac, make sure that the passwordless ssh works:

sudo su -
ssh root@server
<It shouldn't prompt for a password>

OK, still on your Mac, try this;

sudo su -
ssh -f -w 15:15 root@server "ifconfig tun15 pointopoint;sleep 10"
ifconfig tun15

Now you should be able to do a ifconfig on the Mac and see a tun15 interface with IP address (obviously change the address range if this causes a clash with your internal network).

Try pinging from your Mac and hopefully you’ll get a response from the linux server. Try ssh’ing in to the linux server using the address.

Thats the bulk of getting it working. This obviously just creates a point to point link between the two machines, so to have full access to the remote server network you need to do a little more work, but I’m sure you can work that out.