How to use OpenSSH-based virtual private networks
-------------------------------------------------

OpenSSH contains support for VPN tunneling using the tun(4) network
tunnel pseudo-device, which is available on most platforms, either for
layer 2 or layer 3 traffic.

The following brief instructions on how to use this feature use
a network configuration specific to the OpenBSD operating system.

(1) Server: Enable support for SSH tunneling

To enable the ssh server to accept tunnel requests from the client, you
have to add the following option to the ssh server configuration file
(/etc/ssh/sshd_config):

        PermitTunnel yes

PermitTunnel also accepts the values point-to-point and ethernet if only
one of the two tunnel modes should be allowed.

Restart the server or send the hangup signal (SIGHUP) to let the server
reread its configuration.

(2) Server: Restrict client access and assign the tunnel

The OpenSSH server simply uses the file /root/.ssh/authorized_keys to
restrict the client to a specified tunnel device and to automatically
start the related interface configuration command. The tunnel="n"
option pins the tun(4) unit the client gets, and command="..." forces
the command that runs instead of whatever the client requests. These
settings are optional but recommended:

        tunnel="1",command="sh /etc/netstart tun1" ssh-rsa ... reyk@openbsd.org

(3) Client: Configure the local network tunnel interface

Use the hostname.if(5) interface-specific configuration file to set up
the network tunnel configuration with OpenBSD. For example, use the
following configuration in /etc/hostname.tun0 to set up the layer 3
tunnel on the client:

        inet 192.168.5.1 255.255.255.252 192.168.5.2

OpenBSD also supports layer 2 tunneling over the tun device by adding
the link0 flag:

        inet 192.168.1.78 255.255.255.0 192.168.1.255 link0

Layer 2 tunnels can be used in combination with an Ethernet bridge(4)
interface, like the following example for /etc/bridgename.bridge0:

        add tun0
        add sis0
        up

(4) Client: Configure the OpenSSH client

To establish tunnel forwarding for connections to a specified
remote host by default, use the following ssh client configuration for
the privileged user (in /root/.ssh/config):

        Host sshgateway
                Tunnel yes
                TunnelDevice 0:any
                PermitLocalCommand yes
                LocalCommand sh /etc/netstart tun0

A more complicated configuration is possible to establish a tunnel to
a remote host which is not directly accessible by the client.
The following example describes a client configuration to connect to
the remote host over two ssh hops in between. It uses the OpenSSH
ProxyCommand in combination with the nc(1) program to forward the final
ssh tunnel destination over multiple ssh sessions.

        Host access.somewhere.net
                User puffy
        Host dmzgw
                User puffy
                ProxyCommand ssh access.somewhere.net nc dmzgw 22
        Host sshgateway
                Tunnel Ethernet
                TunnelDevice 0:any
                PermitLocalCommand yes
                LocalCommand sh /etc/netstart tun0
                ProxyCommand ssh dmzgw nc sshgateway 22

The following network plan illustrates the previous configuration in
combination with layer 2 tunneling and Ethernet bridging.

+--------+        (        )       +----------------------+
| Client |------(  Internet  )-----| access.somewhere.net |
+--------+        (        )       +----------------------+
    : 192.168.1.78                            |
    :.............................        +-------+
        Forwarded ssh connection :        | dmzgw |
        Layer 2 tunnel           :        +-------+
                                 :            |
                                 :            |
                                 :      +------------+
                                 :......| sshgateway |
                                        +------------+
--- real connection              Bridge -> |     +----------+
... "virtual connection"            [ X ]---| somehost |
[X] switch                                  +----------+
                                            192.168.1.25

(5) Client: Connect to the server and establish the tunnel

Finally, connect to the OpenSSH server to establish the tunnel by using
the following command:

        ssh sshgateway

It is also possible to tell the client to fork into the background after
the connection has been successfully established:

        ssh -f sshgateway true

Without the ssh configuration done in step (4), it is also possible
to use the following command lines:

        ssh -fw 0:1 sshgateway true
        ifconfig tun0 192.168.5.1 192.168.5.2 netmask 255.255.255.252

Using OpenSSH tunnel forwarding is a simple way to establish secure
and ad hoc virtual private networks. Possible fields of application
could be wireless networks or administrative VPN tunnels.

Nevertheless, ssh tunneling requires some packet header overhead and
runs on top of TCP. It is still suggested to use the IP Security
Protocol (IPsec) for robust and permanent VPN connections and to
interconnect corporate networks.

        Reyk Floeter

$OpenBSD: README.tun,v 1.4 2006/03/28 00:12:31 deraadt Exp $