How to use OpenSSH-based virtual private networks
-------------------------------------------------

OpenSSH contains support for VPN tunneling using the tun(4) network
tunnel pseudo-device, which is available on most platforms, for either
layer 2 (Ethernet) or layer 3 (IP) traffic.

The following brief instructions on how to use this feature use
a network configuration specific to the OpenBSD operating system.

(1) Server: Enable support for SSH tunneling

To enable the ssh server to accept tunnel requests from the client, you
have to add the following option to the ssh server configuration file
(/etc/ssh/sshd_config):

	PermitTunnel yes

The default is "no"; "point-to-point" permits only layer 3 tunnels and
"ethernet" only layer 2 tunnels, while "yes" permits both. Restart the
server or send it the hangup signal (SIGHUP) to make it reread its
configuration.

(2) Server: Restrict client access and assign the tunnel

The OpenSSH server uses the options in /root/.ssh/authorized_keys to
pin the client to one tunnel device and to run the related interface
configuration command automatically: tunnel="1" forces the server-side
tun(4) unit (a request for a different unit is refused, a request for
"any" is mapped to it), and command="..." runs the given command instead
of whatever the client asked for, so a key used only for the VPN never
obtains a login shell. These settings are optional but recommended:

	tunnel="1",command="sh /etc/netstart tun1" ssh-rsa ... reyk@openbsd.org

(3) Client: Configure the local network tunnel interface

Use the hostname.if(5) interface-specific configuration file to set up
the network tunnel configuration with OpenBSD. For example, use the
following configuration in /etc/hostname.tun0 to set up the layer 3
tunnel on the client:

	inet 192.168.5.1 255.255.255.252 192.168.5.2

OpenBSD also supports layer 2 tunneling over the tun device by adding
the link0 flag:

	inet 192.168.1.78 255.255.255.0 192.168.1.255 link0

Layer 2 tunnels can be used in combination with an Ethernet bridge(4)
interface, like the following example for /etc/bridgename.bridge0:

	add tun0
	add sis0
	up

(4) Client: Configure the OpenSSH client

To establish tunnel forwarding for connections to a specified
remote host by default, use the following ssh client configuration for
the privileged user (in /root/.ssh/config):

	Host sshgateway
		Tunnel yes
		TunnelDevice 0:any
		PermitLocalCommand yes
		LocalCommand sh /etc/netstart tun0

"Tunnel yes" requests the default mode, which is point-to-point (layer
3); use "Tunnel ethernet" for a layer 2 tunnel. "TunnelDevice 0:any"
opens local tun0 and lets the server choose (or, with a tunnel="n"
restriction, force) the remote unit.

A more complicated configuration is possible to establish a tunnel to
a remote host which is not directly accessible by the client.
The following example describes a client configuration to connect to
the remote host through two intermediate ssh hops. It uses the OpenSSH
ProxyCommand in combination with the nc(1) program to forward the final
ssh tunnel destination over multiple ssh sessions.

	Host access.somewhere.net
		User puffy
	Host dmzgw
		User puffy
		ProxyCommand ssh access.somewhere.net nc dmzgw 22
	Host sshgateway
		Tunnel Ethernet
		TunnelDevice 0:any
		PermitLocalCommand yes
		LocalCommand sh /etc/netstart tun0
		ProxyCommand ssh dmzgw nc sshgateway 22

The intermediate hosts only relay the TCP stream with nc(1); the session
to sshgateway, and therefore the tunnel traffic, is authenticated and
encrypted end to end between the client and sshgateway.

The following network plan illustrates the previous configuration in
combination with layer 2 tunneling and Ethernet bridging.

+--------+       (          )      +----------------------+
| Client |------(  Internet  )-----| access.somewhere.net |
+--------+       (          )      +----------------------+
    : 192.168.1.78                             |
    :.............................         +-------+
     Forwarded ssh connection    :         | dmzgw |
     Layer 2 tunnel              :         +-------+
                                 :             |
                                 :             |
                                 :      +------------+
                                 :......| sshgateway |
                                      | +------------+
--- real connection                 Bridge ->  |          +----------+
... "virtual connection"                     [ X ]--------| somehost |
[X] switch                                                +----------+
                                                          192.168.1.25

(5) Client: Connect to the server and establish the tunnel

Finally connect to the OpenSSH server to establish the tunnel by using
the following command:

	ssh sshgateway

It is also possible to tell the client to fork into the background after
the connection has been successfully established:

	ssh -f sshgateway true

Without the ssh configuration done in step (4), it is also possible
to use the following command lines. The -w argument is
local_tun:remote_tun; the remote unit must be the one pinned by
tunnel="1" in step (2), or "any":

	ssh -fw 0:1 sshgateway true
	ifconfig tun0 192.168.5.1 192.168.5.2 netmask 255.255.255.252
    120 
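The following POSIX sh script is an added example; it is not part of
README.tun or of OpenSSH. It collects the checks worth running before
trying steps (1) to (5) as a whole: the effective PermitTunnel value of
an sshd_config (sshd(8) keeps the first occurrence of a keyword, matches
it case-insensitively and defaults to "no"), whether the requested tunnel
mode is permitted by that value, whether a -w/TunnelDevice spec is
compatible with a tunnel="N" key restriction, and the authorized_keys
line for a tunnel-only key. The sshd_config text and the public key are
constructed samples; the added no-pty, no-port-forwarding,
no-agent-forwarding and no-X11-forwarding options assume the key is used
for nothing but the tunnel.

```sh
#!/bin/sh
# Added example (not from README.tun or OpenSSH): pre-flight checks for
# an OpenSSH tun(4) VPN.  Everything below runs offline.

# Constructed sshd_config sample (not a real host's file).  The second
# PermitTunnel line is deliberately present: sshd ignores it.
SSHD_CONFIG='# constructed /etc/ssh/sshd_config sample
Port 22
PermitTunnel point-to-point
PermitTunnel yes
Subsystem sftp /usr/libexec/sftp-server'

# Effective PermitTunnel value.  sshd(8) keeps the first occurrence of a
# keyword and ignores later ones, matches keywords case-insensitively,
# and defaults to "no" when the keyword is absent.  Only the
# whitespace-separated "Keyword value" form is handled here.
effective_permit_tunnel() {              # $1 = sshd_config text
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }
        NF >= 2 && tolower($1) == "permittunnel" {
            print tolower($2); found = 1; exit
        }
        END { if (!found) print "no" }'
}

# Whether a tunnel request of the given mode ("point-to-point" for a
# layer 3 tunnel, "ethernet" for layer 2) passes the PermitTunnel
# setting.  "yes" allows both modes, anything unknown allows none.
tunnel_mode_permitted() {                # $1 = PermitTunnel value, $2 = mode
    case "$1" in
        yes)                     return 0 ;;
        point-to-point|ethernet) [ "$1" = "$2" ] ;;
        *)                       return 1 ;;
    esac
}

# Remote unit named by a "-w local_tun[:remote_tun]" / TunnelDevice spec.
# ssh(1) uses "any" when remote_tun is omitted.
remote_tun_of_spec() {                   # $1 = local[:remote]
    case "$1" in
        *:*) printf '%s\n' "${1#*:}" ;;
        *)   printf 'any\n' ;;
    esac
}

# A key restricted with tunnel="N" makes sshd refuse a request that
# names a different unit; "any" is mapped to N.  So with tunnel="1" the
# client must ask for ":1" or ":any".
tunnel_unit_allowed() {                  # $1 = forced unit ("" = none), $2 = requested remote unit
    [ -z "$1" ] && return 0
    [ "$2" = any ] || [ "$2" = "$1" ]
}

# authorized_keys line for a tunnel-only key: pin the unit, force the
# interface configuration command, and (an assumption about the key's
# use, added here) disable PTY allocation, TCP port forwarding, agent
# forwarding and X11 forwarding, none of which the VPN needs.
authorized_keys_entry() {                # $1 = tun unit, $2 = "ssh-xxx AAAA... comment"
    printf 'tunnel="%s",command="sh /etc/netstart tun%s",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' \
        "$1" "$1" "$2"
}

# Stand-alone demonstration on the constructed sample.
permit=$(effective_permit_tunnel "$SSHD_CONFIG")
printf 'effective PermitTunnel: %s\n' "$permit"    # point-to-point: first line wins
tunnel_mode_permitted "$permit" ethernet || printf '%s\n' 'an ethernet tunnel would be rejected'
tunnel_unit_allowed 1 "$(remote_tun_of_spec 0:1)" && printf '%s\n' '-w 0:1 is accepted by tunnel="1"'
tunnel_unit_allowed 1 "$(remote_tun_of_spec 0:2)" || printf '%s\n' '-w 0:2 is refused by tunnel="1"'
# Constructed key material, not a real key.
authorized_keys_entry 1 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleKeyMaterial0000000000 reyk@openbsd.org'
```

Run it as "sh check-tun.sh" (any file name); feed the real server file
with effective_permit_tunnel "$(cat /etc/ssh/sshd_config)" to check a
live configuration.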
Using OpenSSH tunnel forwarding is a simple way to establish secure
and ad hoc virtual private networks. Possible fields of application
could be wireless networks or administrative VPN tunnels.

Nevertheless, ssh tunneling adds packet header overhead and runs on
top of TCP, so TCP connections carried inside the tunnel suffer from
two stacked layers of retransmission and congestion control on a lossy
link. It is still suggested to use the IP Security protocol (IPsec)
for robust and permanent VPN connections and to interconnect corporate
networks.

	Reyk Floeter

$OpenBSD: README.tun,v 1.4 2006/03/28 00:12:31 deraadt Exp $
    133