This post has been updated with a number of improvements.
From the series "ssh resources are endless", I present a little-known feature of ssh: creating a VPN.
The setup described here uses an OpenBSD server and an Ubuntu Linux client, but it can be adapted to any configuration.
OpenSSH has for some time included support for VPN tunnelling over the pseudo-network device tun (available on many platforms).
The first step is to enable, on the OpenSSH server, activation of the tunnel at the client's request, and to ensure that the only command the client can run is the one that brings up the server's tun device.
To do this, just add the following options to the configuration file (/etc/ssh/sshd_config):
...
PermitTunnel point-to-point
PermitRootLogin forced-commands-only
...
and restart the server by sending it a hangup signal (SIGHUP).
See the manual page for the meaning of these parameters and for the other possible configurations.
Then, to authenticate the client without passwords and to force it to run only the command that activates the tunnel, you can use OpenSSH's public key authentication.
Edit the file /root/.ssh/authorized_keys so that it contains a line like:
tunnel="0",command="sh /etc/netstart tun0" ssh-rsa ... utente@macchina.dominio
where the part after the options is the public key of the user who is allowed to trigger the tunnel.
Once this is done, all that remains is to configure the local tun0 interface by assigning it an address.
On OpenBSD this is done by providing the file hostname.if, where `if` is the name of the device.
In our case we need to create the file hostname.tun0 with the content:
inet 192.168.0.9 dest 192.168.0.10 255.255.255.252 NONE
which assigns the address 192.168.0.9 to the interface and expects 192.168.0.10 at the other end.
(On my LAN I used these addresses and this subnet, which were among the free ones.)
All that remains now is to configure the client.
By assumption, activation of the VPN tunnel on the client will be done by root; using sudo, however, you can let a non-privileged user launch the VPN activation.
First, decide the number of the tun device to use (in the example, the client uses tun0).
The client is configured by creating the configuration file /root/.ssh/config so that it contains:
Host vpn
    Tunnel yes
    Hostname server.domain
    TunnelDevice 0:any
    User root
Furthermore, we must prepare a script, enable_tunnel, whose task is to give an address to the tun0 interface and to set the routing table so that the private LAN can be reached.
Remember that the address to assign in this case is 192.168.0.10, and the remote one is 192.168.0.9.
Create the script /root/bin/enable_tunnel with the content:
#!/bin/sh
ifconfig tun0 192.168.0.10 netmask 255.255.255.252 pointopoint 192.168.0.9
route add -net XXXX netmask YYYY gw 192.168.0.9
where XXXX and YYYY are the network address and the netmask of the network that is `behind` the OpenSSH server.
Now, to allow normal users to activate the VPN, you need to configure sudo so that they can run the command:
$ ssh -f vpn true && sh /root/bin/enable_tunnel
I solved this by creating an alias called vpn in my bash.
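Two checks that go with the setup above, as an added example that is not part of the original post: an audit of the two sshd_config options the server side depends on, and a generator for the authorized_keys line that additionally strips the tunnel key of pty, port, agent and X11 forwarding, so a key that leaks can do nothing but bring the tunnel up. Only the option names, the forced command and the tun numbering come from the post; the function names and the extra key options are assumptions made here.

```shell
#!/bin/sh
# Added example, not code from the original post. Needs only POSIX sh and awk.

# Return 0 when the sshd_config at $1 sets
#   PermitTunnel point-to-point          (tun only; no layer-2 tap tunnels)
#   PermitRootLogin forced-commands-only (root may only run a forced command)
# sshd uses the FIRST value it reads for each keyword, so the audit does the
# same; commented lines are skipped. Match blocks are not evaluated.
sshd_config_ok() {
    conf=$1
    tun=$(awk 'tolower($1)=="permittunnel" {print tolower($2); exit}' "$conf")
    root=$(awk 'tolower($1)=="permitrootlogin" {print tolower($2); exit}' "$conf")
    [ "$tun" = "point-to-point" ] && [ "$root" = "forced-commands-only" ]
}

# Print the authorized_keys line for tun device $1 from the public key in $2
# ("type base64 [comment]"). Besides the tunnel= and command= options from
# the post, it adds no-pty, no-port-forwarding, no-agent-forwarding and
# no-X11-forwarding, so this key can do nothing but bring the tunnel up.
# Returns 1 on an unknown key type or missing key material.
tunnel_key_entry() {
    dev=$1
    pub=$2
    set -f                      # no globbing while we split the key on spaces
    set -- $pub
    set +f
    case "$1" in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "unsupported key type: $1" >&2; return 1 ;;
    esac
    [ -n "$2" ] || { echo "missing key material" >&2; return 1; }
    printf 'tunnel="%s",command="sh /etc/netstart tun%s",%s %s\n' \
        "$dev" "$dev" \
        "no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding" \
        "$pub"
}
```

Source the file and run `sshd_config_ok /etc/ssh/sshd_config && tunnel_key_entry 0 "$(cat client.pub)" >> /root/.ssh/authorized_keys` on the server to apply both checks in one go.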
From this moment you can access the private network as if you were connected to it and, symmetrically, you can be reached from it!
To end the VPN, just kill the ssh process.
PS: the VPN works even if you are behind an HTTP/HTTPS proxy server. For this to work, the SSH server must also listen on port 443.
Also, install a program such as connect-proxy on the client, and modify the configuration as follows:
Host vpn-proxy
    ProtocolKeepAlives 30
    ProxyCommand connect-proxy -H A.B.C.D:3128 server.domain 443
    Tunnel yes
    TunnelDevice 0:any
    User root
where A.B.C.D is the proxy server address and 3128 is the proxy port (usually squid).
The VPN works the same as above! In practice, we ask the proxy server to put us in contact with port 443 of the SSH server. The proxy allows it because it thinks we are using SSL, whereas we are actually going to use SSH.