How to use OpenSSH-based virtual private networks
-------------------------------------------------

OpenSSH contains support for VPN tunneling using the tun(4) network
tunnel pseudo-device which is available on most platforms, either for
layer 2 or 3 traffic.

The following brief instructions on how to use this feature use
a network configuration specific to the OpenBSD operating system.

(1) Server: Enable support for SSH tunneling

To enable the ssh server to accept tunnel requests from the client, you
have to add the following option to the ssh server configuration file
(/etc/ssh/sshd_config):

        PermitTunnel yes

Restart the server or send the hangup signal (SIGHUP) to let the server
reread its configuration.

(2) Server: Restrict client access and assign the tunnel

The OpenSSH server uses the file /root/.ssh/authorized_keys to
restrict the client to a specified tunnel and to automatically start
the related interface configuration command. These settings are
optional but recommended:

        tunnel="1",command="sh /etc/netstart tun1" ssh-rsa ... reyk@openbsd.org

(3) Client: Configure the local network tunnel interface

Use the hostname.if(5) interface-specific configuration file to set up
the network tunnel configuration with OpenBSD. For example, use the
following configuration in /etc/hostname.tun0 to set up the layer 3
tunnel on the client:

        inet 192.168.5.1 255.255.255.252 192.168.5.2

OpenBSD also supports layer 2 tunneling over the tun device by adding
the link0 flag:

        inet 192.168.1.78 255.255.255.0 192.168.1.255 link0

Layer 2 tunnels can be used in combination with an Ethernet bridge(4)
interface, like the following example for /etc/bridgename.bridge0:

        add tun0
        add sis0
        up

(4) Client: Configure the OpenSSH client

To establish tunnel forwarding for connections to a specified
remote host by default, use the following ssh client configuration for
the privileged user (in /root/.ssh/config):

        Host sshgateway
                Tunnel yes
                TunnelDevice 0:any
                PermitLocalCommand yes
                LocalCommand sh /etc/netstart tun0

A more complicated configuration is possible to establish a tunnel to
a remote host which is not directly accessible by the client.
The following example describes a client configuration to connect to
the remote host over two ssh hops in between. It uses the OpenSSH
ProxyCommand in combination with the nc(1) program to forward the final
ssh tunnel destination over multiple ssh sessions.

        Host access.somewhere.net
                User puffy
        Host dmzgw
                User puffy
                ProxyCommand ssh access.somewhere.net nc dmzgw 22
        Host sshgateway
                Tunnel Ethernet
                TunnelDevice 0:any
                PermitLocalCommand yes
                LocalCommand sh /etc/netstart tun0
                ProxyCommand ssh dmzgw nc sshgateway 22

The following network plan illustrates the previous configuration in
combination with layer 2 tunneling and Ethernet bridging.

    +--------+      (              )      +----------------------+
    | Client |------(   Internet   )------| access.somewhere.net |
    +--------+      (              )      +----------------------+
        : 192.168.1.78                               |
        :.............................           +-------+
         Forwarded ssh connection :              | dmzgw |
         Layer 2 tunnel           :              +-------+
                                  :                  |
                                  :                  |
                                  :           +------------+
                                  :...........| sshgateway |
                                              +------------+
    --- real connection             Bridge -> |    +----------+
    ... "virtual connection"          [ X ]--------| somehost |
    [X] switch                                     +----------+
                                                   192.168.1.25

(5) Client: Connect to the server and establish the tunnel

Finally, connect to the OpenSSH server to establish the tunnel by using
the following command:

        ssh sshgateway

It is also possible to tell the client to fork into the background after
the connection has been successfully established:

        ssh -f sshgateway true

Without the ssh configuration done in step (4), it is also possible
to use the following command lines:

        ssh -fw 0:1 sshgateway true
        ifconfig tun0 192.168.5.1 192.168.5.2 netmask 255.255.255.252
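A server-side check that follows from steps (2) and (5), added here as an example and not part of this README: with PermitTunnel enabled, any key in authorized_keys that lacks a tunnel="N" option may request whichever tun device the client names with -w, so the script audits a constructed sample authorized_keys (placeholder key blobs) for unpinned keys and builds the restricted entry from step (2). The function names and the sample data are my own.

```shell
#!/bin/sh
# Added example: audit authorized_keys for tunnel restrictions and build the
# restricted entry from step (2). A key pinned with tunnel="1" can only open
# tun1 on the server; a key without the option may open any tun device.

# Constructed sample of /root/.ssh/authorized_keys; the key blobs are placeholders.
SAMPLE_KEYS='tunnel="1",command="sh /etc/netstart tun1" ssh-rsa AAAAB3PLACEHOLDER1 reyk@openbsd.org
ssh-ed25519 AAAAC3PLACEHOLDER2 admin@laptop
no-pty,tunnel="2" ssh-ed25519 AAAAC3PLACEHOLDER3 backup@host
# a comment line is skipped'

# Read authorized_keys lines on stdin and print "<comment> <device>" per key,
# where device is tunN for a pinned key and "any" for an unrestricted one.
audit_tunnel_keys() {
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        # The tunnel option value is always a quoted number, so a pattern
        # match on the whole line is enough to recover it.
        dev=$(printf '%s\n' "$line" | sed -n 's/.*tunnel="\([0-9][0-9]*\)".*/tun\1/p')
        comment=${line##* }          # last whitespace-separated word
        printf '%s %s\n' "$comment" "${dev:-any}"
    done
}

# Count keys on stdin that are not pinned to a device (0 = every key restricted).
count_unpinned_keys() {
    audit_tunnel_keys | awk '$2 == "any" { n++ } END { print n + 0 }'
}

# Build the step (2) entry that pins a public key to tunN and runs the
# matching interface configuration command on the server.
restricted_key_line() {   # usage: restricted_key_line N "<type> <blob> <comment>"
    case "$1" in
        ''|*[!0-9]*) echo "restricted_key_line: tunnel number must be an integer" >&2; return 1 ;;
    esac
    printf 'tunnel="%s",command="sh /etc/netstart tun%s" %s\n' "$1" "$1" "$2"
}

# Report on the constructed sample.
printf '%s\n' "$SAMPLE_KEYS" | audit_tunnel_keys
```

Run it against the real file with `audit_tunnel_keys < /root/.ssh/authorized_keys` on the server; every entry reported as "any" can open a tunnel on a device of the client's choosing.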

Using OpenSSH tunnel forwarding is a simple way to establish secure
and ad hoc virtual private networks. Possible fields of application
could be wireless networks or administrative VPN tunnels.

Nevertheless, ssh tunneling requires some packet header overhead and
runs on top of TCP. It is still suggested to use the IP Security
Protocol (IPSec) for robust and permanent VPN connections and to
interconnect corporate networks.

Reyk Floeter

$OpenBSD: README.tun,v 1.4 2006/03/28 00:12:31 deraadt Exp $