How to use OpenSSH-based virtual private networks
-------------------------------------------------

OpenSSH contains support for VPN tunneling using the tun(4) network
tunnel pseudo-device which is available on most platforms, either for
layer 2 or 3 traffic.

The following brief instructions on how to use this feature use
a network configuration specific to the OpenBSD operating system.

(1) Server: Enable support for SSH tunneling

To enable the ssh server to accept tunnel requests from the client, you
have to add the following option to the ssh server configuration file
(/etc/ssh/sshd_config):

        PermitTunnel yes

Restart the server or send the hangup signal (SIGHUP) to let the server
reread its configuration.

(2) Server: Restrict client access and assign the tunnel

The OpenSSH server simply uses the file /root/.ssh/authorized_keys to
restrict the client to connect to a specified tunnel and to
automatically start the related interface configuration command. These
settings are optional but recommended:

        tunnel="1",command="sh /etc/netstart tun1" ssh-rsa ... reyk@openbsd.org

(3) Client: Configure the local network tunnel interface

Use the hostname.if(5) interface-specific configuration file to set up
the network tunnel configuration with OpenBSD. For example, use the
following configuration in /etc/hostname.tun0 to set up the layer 3
tunnel on the client:

        inet 192.168.5.1 255.255.255.252 192.168.5.2

OpenBSD also supports layer 2 tunneling over the tun device by adding
the link0 flag:

        inet 192.168.1.78 255.255.255.0 192.168.1.255 link0

Layer 2 tunnels can be used in combination with an Ethernet bridge(4)
interface, like the following example for /etc/bridgename.bridge0:

        add tun0
        add sis0
        up

(4) Client: Configure the OpenSSH client

To establish tunnel forwarding for connections to a specified
remote host by default, use the following ssh client configuration for
the privileged user (in /root/.ssh/config):

        Host sshgateway
                Tunnel yes
                TunnelDevice 0:any
                PermitLocalCommand yes
                LocalCommand sh /etc/netstart tun0

A more complicated configuration is possible to establish a tunnel to
a remote host which is not directly accessible by the client.
The following example describes a client configuration to connect to
the remote host over two ssh hops in between. It uses the OpenSSH
ProxyCommand in combination with the nc(1) program to forward the final
ssh tunnel destination over multiple ssh sessions.

        Host access.somewhere.net
                User puffy
        Host dmzgw
                User puffy
                ProxyCommand ssh access.somewhere.net nc dmzgw 22
        Host sshgateway
                Tunnel Ethernet
                TunnelDevice 0:any
                PermitLocalCommand yes
                LocalCommand sh /etc/netstart tun0
                ProxyCommand ssh dmzgw nc sshgateway 22

The following network plan illustrates the previous configuration in
combination with layer 2 tunneling and Ethernet bridging.

    +--------+      (          )      +----------------------+
    | Client |------( Internet )------| access.somewhere.net |
    +--------+      (          )      +----------------------+
        : 192.168.1.78                            |
        :.............................        +-------+
          Forwarded ssh connection   :        | dmzgw |
          Layer 2 tunnel             :        +-------+
                                     :            |
                                     :            |
                                     :      +------------+
                                     :......| sshgateway |
                                            +------------+
        --- real connection        Bridge ->  |          +----------+
        ... "virtual connection"            [ X ]--------| somehost |
        [X] switch                                       +----------+
                                                         192.168.1.25

(5) Client: Connect to the server and establish the tunnel

Finally, connect to the OpenSSH server to establish the tunnel by using
the following command:

        ssh sshgateway

It is also possible to tell the client to fork into the background after
the connection has been successfully established:

        ssh -f sshgateway true

Without the ssh configuration done in step (4), it is also possible
to use the following command lines:

        ssh -fw 0:1 sshgateway true
        ifconfig tun0 192.168.5.1 192.168.5.2 netmask 255.255.255.252

Using OpenSSH tunnel forwarding is a simple way to establish secure
and ad hoc virtual private networks. Possible fields of application
could be wireless networks or administrative VPN tunnels.

Nevertheless, ssh tunneling requires some packet header overhead and
runs on top of TCP. It is still suggested to use the IP Security
Protocol (IPSec) for robust and permanent VPN connections and to
interconnect corporate networks.

Reyk Floeter

$OpenBSD: README.tun,v 1.4 2006/03/28 00:12:31 deraadt Exp $
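The following POSIX sh helpers are an added example and are not part of README.tun or of OpenSSH. They check the two server-side settings from steps (1) and (2) before a tunnel client is admitted: the effective PermitTunnel value in sshd_config (the first obtained value wins, as sshd_config(5) documents, and a value inside a Match block is conditional rather than global), and whether a given authorized_keys entry is pinned to one tunnel number with a forced command, so the key cannot be turned into an interactive shell or a different tunnel device. The file paths, key material and comment strings in the demo are constructed placeholders, not real system files or keys.

```shell
#!/bin/sh
# Added example, not part of README.tun: helpers that verify the server-side
# settings from steps (1) and (2). The demo at the bottom writes a constructed
# sshd_config to a temporary file; it never touches /etc/ssh.

# Print the effective global PermitTunnel value from an sshd_config file.
# sshd_config(5) uses the first obtained value for a keyword, so the first
# uncommented PermitTunnel line wins. Lines after the first Match block are
# conditional, so the scan stops there. The default when absent is "no".
permit_tunnel_value() {
    v=$(awk 'tolower($1) == "match"        { exit }
             tolower($1) == "permittunnel" { print $2; exit }' "$1")
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf 'no\n'; fi
}

# Build the restricted authorized_keys entry from step (2): pin the key to a
# single tunnel number and force the interface configuration command.
# Arguments: tunnel number, interface name, key type, base64 key, comment.
tunnel_key_line() {
    printf 'tunnel="%s",command="sh /etc/netstart %s" %s %s %s\n' \
        "$1" "$2" "$3" "$4" "$5"
}

# Audit one authorized_keys line: print the tunnel number it is pinned to,
# or "unrestricted" when it carries no tunnel="N" option (such a key may
# request any tunnel device the server permits).
key_tunnel_number() {
    n=$(printf '%s\n' "$1" | sed -n 's/.*tunnel="\([0-9][0-9]*\)".*/\1/p')
    if [ -n "$n" ]; then printf '%s\n' "$n"; else printf 'unrestricted\n'; fi
}

# Demo with a constructed sshd_config (placeholder content, not a real host).
demo_cfg=$(mktemp)
printf '#PermitTunnel no\nPort 22\nPermitTunnel yes\nMatch User guest\n\tPermitTunnel no\n' \
    > "$demo_cfg"
echo "PermitTunnel: $(permit_tunnel_value "$demo_cfg")"   # yes
rm -f "$demo_cfg"

# Constructed key and comment; the base64 blob is a placeholder, not a key.
demo_line=$(tunnel_key_line 1 tun1 ssh-ed25519 AAAAC3constructedkey reyk@example.invalid)
echo "$demo_line"
echo "pinned to tunnel: $(key_tunnel_number "$demo_line")"   # 1
echo "plain key: $(key_tunnel_number 'ssh-ed25519 AAAAC3constructedkey nobody')"   # unrestricted
```

Run the script as-is to see the demo, or source it and call the functions against a copy of the real sshd_config and authorized_keys. A key reported as "unrestricted" is worth a second look on a tunnel gateway: without the tunnel= and command= options it gets a full login shell and any tunnel device the server allows.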