xref: /dragonfly/crypto/openssh/README.tun (revision 86d7f5d3)
How to use OpenSSH-based virtual private networks
-------------------------------------------------

OpenSSH contains support for VPN tunneling using the tun(4) network
tunnel pseudo-device which is available on most platforms, either for
layer 2 or 3 traffic.

The following brief instructions on how to use this feature use
a network configuration specific to the OpenBSD operating system.

(1) Server: Enable support for SSH tunneling

To enable the ssh server to accept tunnel requests from the client, you
have to add the following option to the ssh server configuration file
(/etc/ssh/sshd_config):

	PermitTunnel yes

Restart the server or send the hangup signal (SIGHUP) to let the server
reread its configuration.

(2) Server: Restrict client access and assign the tunnel

The OpenSSH server simply uses the file /root/.ssh/authorized_keys to
restrict the client to connect to a specified tunnel and to
automatically start the related interface configuration command. These
settings are optional but recommended:

	tunnel="1",command="sh /etc/netstart tun1" ssh-rsa ... reyk@openbsd.org

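An added example, not part of this README, that audits such authorized_keys entries on the server: it parses the options field (whose quoted values may contain commas and spaces, as command="sh /etc/netstart tun1" does) and flags tunnel grants that lack the recommended forced command or claim a tun device another key already owns. The key lines in SAMPLE are constructed placeholders.

```python
"""Audit authorized_keys(5) entries that grant tunnel access.  Added example,
not part of the OpenSSH README; the key lines in SAMPLE are constructed."""
SAMPLE = """\
tunnel="1",command="sh /etc/netstart tun1" ssh-rsa AAAAB3Nz...key1 reyk@openbsd.org
tunnel="2" ssh-ed25519 AAAAC3Nz...key2 nocmd@example
tunnel="1",command="sh /etc/netstart tun1" ssh-ed25519 AAAAC3Nz...key3 dup@example
ssh-ed25519 AAAAC3Nz...key4 plain@example
"""

def parse_line(line):
    """Return (options dict, comment) for one authorized_keys line."""
    # Commas and blanks inside double quotes (command="sh /etc/netstart tun1")
    # are literal, so the options field is scanned rather than split.
    line = line.strip()
    if line.startswith(("ssh-", "ecdsa-", "sk-")):          # no options field
        return {}, " ".join(line.split()[2:])
    opts, cur, quoted, i = [], "", False, 0
    while i < len(line) and (quoted or not line[i].isspace()):
        ch = line[i]
        i += 1
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            opts.append(cur)
            cur = ""
            continue
        cur += ch
    opts.append(cur)
    parsed = {}
    for opt in opts:
        name, _, value = opt.partition("=")
        parsed[name] = value.strip('"')
    return parsed, " ".join(line[i:].split()[2:])

def audit(text):
    """Flag tunnel grants without a forced command and reused tun devices."""
    findings, owner = [], {}
    for n, line in enumerate(text.splitlines(), 1):
        opts, comment = parse_line(line)
        if "tunnel" not in opts:
            continue
        dev = opts["tunnel"]
        if "command" not in opts:
            findings.append(f"line {n} ({comment}): tun{dev} has no forced command")
        if owner.setdefault(dev, n) != n:
            findings.append(f"line {n} ({comment}): tun{dev} already granted on line {owner[dev]}")
    return findings
```

Two keys assigned the same tunnel device cannot both be up at once, and a tunnel key without a forced command also hands the client a shell, so both cases are worth a finding.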
(3) Client: Configure the local network tunnel interface

Use the hostname.if(5) interface-specific configuration file to set up
the network tunnel configuration with OpenBSD. For example, use the
following configuration in /etc/hostname.tun0 to set up the layer 3
tunnel on the client:

	inet 192.168.5.1 255.255.255.252 192.168.5.2

OpenBSD also supports layer 2 tunneling over the tun device by adding
the link0 flag:

	inet 192.168.1.78 255.255.255.0 192.168.1.255 link0

Layer 2 tunnels can be used in combination with an Ethernet bridge(4)
interface, like the following example for /etc/bridgename.bridge0:

	add tun0
	add sis0
	up

(4) Client: Configure the OpenSSH client

To establish tunnel forwarding for connections to a specified
remote host by default, use the following ssh client configuration for
the privileged user (in /root/.ssh/config):

	Host sshgateway
		Tunnel yes
		TunnelDevice 0:any
		PermitLocalCommand yes
		LocalCommand sh /etc/netstart tun0

A more complicated configuration is possible to establish a tunnel to
a remote host which is not directly accessible by the client.
The following example describes a client configuration to connect to
the remote host over two ssh hops in between. It uses the OpenSSH
ProxyCommand in combination with the nc(1) program to forward the final
ssh tunnel destination over multiple ssh sessions.

	Host access.somewhere.net
	        User puffy
	Host dmzgw
	        User puffy
	        ProxyCommand ssh access.somewhere.net nc dmzgw 22
	Host sshgateway
	        Tunnel Ethernet
	        TunnelDevice 0:any
	        PermitLocalCommand yes
	        LocalCommand sh /etc/netstart tun0
	        ProxyCommand ssh dmzgw nc sshgateway 22

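An added example, not the README's own code, that reads a client configuration like the one above, resolves the ProxyCommand hop chain for a Host, and checks that a tunnel-enabled Host has PermitLocalCommand yes and a LocalCommand naming the local tun device given in TunnelDevice. It only understands the "ssh <hop> nc <target> <port>" ProxyCommand form shown here; the config text is constructed from this README's example.

```python
"""Resolve the ProxyCommand hop chain and check the tunnel settings in an
ssh_config.  Added example, not the README's; the config text is constructed."""
import re
SAMPLE_CONFIG = """\
Host dmzgw
        ProxyCommand ssh access.somewhere.net nc dmzgw 22
Host sshgateway
        Tunnel Ethernet
        TunnelDevice 0:any
        PermitLocalCommand yes
        LocalCommand sh /etc/netstart tun0
        ProxyCommand ssh dmzgw nc sshgateway 22
"""
# Matches the README's "ssh <hop> nc <target> <port>" ProxyCommand form.
PROXY_SSH = re.compile(r"^ssh\s+(?:-\S+\s+)*(\S+)\s+nc\s+(\S+)\s+(\d+)$")
def parse_ssh_config(text):
    """Map each Host alias to its keywords (lower-cased)."""
    hosts, cur = {}, None
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        key, value = parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            cur = hosts.setdefault(value, {})
        elif cur is not None:
            cur.setdefault(key, value)      # ssh_config(5): first obtained value wins
    return hosts

def hop_chain(hosts, name):
    """Hosts traversed to reach `name`, first hop first."""
    chain = []
    while name not in chain:                # stop on a ProxyCommand loop
        chain.append(name)
        m = PROXY_SSH.match(hosts.get(name, {}).get("proxycommand", ""))
        if not m:                           # direct connection (or a form not parsed here)
            break
        name = m.group(1)
    return chain[::-1]

def check_tunnel(hosts, name):
    """Findings for a Host block that enables Tunnel; empty when consistent."""
    h, findings = hosts.get(name, {}), []
    if h.get("tunnel", "no").lower() != "no":
        if h.get("permitlocalcommand", "no").lower() != "yes":
            findings.append("LocalCommand is ignored unless PermitLocalCommand yes")
        local = h.get("tunneldevice", "any").split(":")[0]
        if local != "any" and f"tun{local}" not in h.get("localcommand", "").split():
            findings.append(f"LocalCommand does not configure tun{local}")
    return findings
```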
The following network plan illustrates the previous configuration in
combination with layer 2 tunneling and Ethernet bridging.

+--------+       (          )      +----------------------+
| Client |------(  Internet  )-----| access.somewhere.net |
+--------+       (          )      +----------------------+
    : 192.168.1.78                             |
    :.............................         +-------+
     Forwarded ssh connection    :         | dmzgw |
     Layer 2 tunnel              :         +-------+
                                 :             |
                                 :             |
                                 :      +------------+
                                 :......| sshgateway |
                                      | +------------+
--- real connection                 Bridge ->  |          +----------+
... "virtual connection"                     [ X ]--------| somehost |
[X] switch                                                +----------+
                                                          192.168.1.25

(5) Client: Connect to the server and establish the tunnel

Finally connect to the OpenSSH server to establish the tunnel by using
the following command:

	ssh sshgateway

It is also possible to tell the client to fork into the background after
the connection has been successfully established:

	ssh -f sshgateway true

Without the ssh configuration done in step (4), it is also possible
to use the following command lines:

	ssh -fw 0:1 sshgateway true
	ifconfig tun0 192.168.5.1 192.168.5.2 netmask 255.255.255.252

Using OpenSSH tunnel forwarding is a simple way to establish secure
and ad hoc virtual private networks. Possible fields of application
could be wireless networks or administrative VPN tunnels.

Nevertheless, ssh tunneling requires some packet header overhead and
runs on top of TCP. It is still suggested to use the IP Security
Protocol (IPSec) for robust and permanent VPN connections and to
interconnect corporate networks.

	Reyk Floeter

$OpenBSD: README.tun,v 1.4 2006/03/28 00:12:31 deraadt Exp $