
VPN over SSH

Table of Contents

  1. Overview
  2. Background Information
  3. Security
    • Server Security
    • Client Security
  4. IP Addresses
  5. How to VPN over SSH
    • Server Configuration
    • Client Configuration
  6. Using the VPN connection
  7. Testing the VPN connection
  8. Troubleshooting
  9. References

Dhammapada

He who has no entrapping, clinging desire to lead him in any direction, that Buddha, whose home is in the infinite, pathless as he is, by what path will you lead him?


Overview

This page is an extension of my blog post; I will cover the commands in a bit more detail here, as they are too long for a blog ;) .

This how-to is intended to cover the details of how to establish a VPN (Virtual Private Network) over an SSH connection. Starting with OpenSSH 4.3, you can use an ssh connection to set up a VPN.

This is technically termed "layer-3 IP-in-SSH tunnelling" and is not the same as using ssh to port forward (ssh -L) or to create a dynamic, application-level SOCKS proxy (ssh -D). Rather, a VPN is established by using an SSH connection to create a virtual network interface, tun0, on each end and routing IP packets through it.

Advantages :

  1. IMO, this technique is easier to set up than openvpn, especially if you are using a single client.
  2. Works with most Linux distributions without the need to install any additional software on the clients. The server only needs openssh-server.
  3. The tunnel carries whole IP packets, so UDP and ICMP traffic (DNS lookups, ping) pass through it as well as TCP, and applications need no proxy settings. Port forwarding (ssh -L or -D) only carries the TCP connections you forward explicitly.

Disadvantages :

  1. As yet I do not know of a Windows client which will use this protocol.
  2. If you need to set up a VPN with numerous clients I would use openvpn.
  3. The tunnel itself runs inside the SSH session's TCP connection, so on a lossy link the inner and outer TCP retransmission timers stack and throughput can stall ("TCP over TCP"); openvpn over UDP does not have this problem.

Although there are several "how-to's" on the web, most of them assume you know something about networking and routing. This page attempts to explain some of the "missing details".

Background Information

Understanding VPN over SSH requires an understanding of ssh, "basic" networking concepts, and the "route" command.

Commands you may wish to review :

  1. ssh - in particular the options -w, -M and -S .
  2. ssh-keygen.
  3. route (on current distributions the equivalent is "ip route"; the route commands in this how-to map onto it directly)
  4. ifconfig (likewise "ip addr")
  5. tracepath
  6. visudo / configuration of the sudoers file

In particular, taking the 5-10 minutes required to review the route man page can help enormously.

At the risk of oversimplification, the "route" command instructs the kernel where to send (route) network packets (traffic). The default gateway (gw) is where packets are sent if no route has been specified (for the destination host or network). Basic syntax for the route command is "send packets to host w.x.y.z through eth0".

Other potential stumbling blocks are the concept of an IP address, the difference between private / public networks, and port forwarding. Here are some links discussing networks and net masks :

  • What is an IP address?
  • Wikipedia Classful Network
  • Wikipedia Private Network
  • Assigning Private Network IP Addresses to the Internal LAN

A brief overview of public / private ip addresses and port forwarding :

Public - This is the IP address assigned to you by your internet provider; it is the address the rest of the internet sees for your connection.

Private - This is the IP address assigned by your router. The ranges 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 are reserved for private networks (RFC 1918) and are not routed on the internet. Wikipedia Private Networks

Port forwarding - From outside your LAN you can not connect to a private IP address (private network) directly; the router has to be told to pass the connection on, via a process known as port forwarding. You connect to your server using the public IP address and the router forwards the connection to the server. The Port Forwarding Progression

Security

Establishing a tunnel as outlined in this how-to requires root access on both server and client. Most of the tutorials I reviewed spent minimal time reviewing security and, in my opinion, have some concerning security liabilities.

Before explaining the details of configuring the connection I would like to digress to discuss security.

Server Security

1. Restrict root access by using "PermitRootLogin prohibit-password" (rather than "PermitRootLogin yes") in /etc/ssh/sshd_config. On OpenSSH releases before 7.0 the same setting is spelled "without-password", and newer releases still accept that as an alias. Either way the syntax is a bit misleading: this does not allow root to log in without a password, rather it forces root to use an ssh key (logging in as root with a password is disabled). With this option you can leave the root account locked on Ubuntu.

2. Use ssh keys. You can configure a ssh key to force a command to be run at log in. In this example we will use -

tunnel="0",command="/sbin/ifdown tun0; /sbin/ifup tun0"

Basically you "force" a command by editing the authorized_keys file (~/.ssh/authorized_keys) on the server and adding command="command to be executed" in front of the key. Whatever command the client asks for is then ignored and this one runs instead.

See also : University of Cambridge: ssh - authorized_keys HOWTO

For this tutorial I will add the following to the key :

tunnel="0",command="/sbin/ifdown tun0; /sbin/ifup tun0",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty

3. For a review of how to secure your ssh server see Advanced OpenSSH

Client Security

1. Configure sudo (see the Sudoers Manual for additional information) to allow users to establish the VPN tunnel, without a password, without giving them full root access.

Edit /etc/sudoers with

export EDITOR=gedit && sudo -E visudo

Add this line (near the bottom, in the group section, under the line which begins %admin ... ) to allow users in the group "vpn" to run ifup and ifdown on tun0, as root, using sudo, and without entering a password:

%vpn ALL=NOPASSWD: /sbin/ifup tun0, /sbin/ifdown tun0

Pin the argument ("tun0") as shown rather than allowing /sbin/ifup with any arguments: ifup accepts -i FILE to read an alternative interfaces file, and the pre-up/up lines of that file are executed as root, so an unrestricted rule would let any member of the vpn group run arbitrary commands as root.

2. If you wish, you can configure sudo to ask for the user's password instead: drop the NOPASSWD: tag, i.e. %vpn ALL=/sbin/ifup tun0, /sbin/ifdown tun0

3. I will also be generating an ssh key without a passphrase. This is probably sufficient, as the key uses a forced command on the server and therefore does not give shell access; what it does give anyone who obtains it is the ability to bring up the tunnel into the server's network, which is why it is kept in /root/.ssh with mode 400. If you prefer, you can increase security by protecting the key with a passphrase (the pre-up ssh command then needs an ssh-agent or a prompt to supply it).

IP Addresses used for this how-to

Server

Server - This is the computer you will be logging in to for VPN access.

Public IP address 1.2.3.4 - The ssh port (22 by default) is forwarded by the router from the public IP address (1.2.3.4) to the server's private address (172.0.0.10).

Private Network 172.0.0.0/24
Private IP address 172.0.0.10
default gw 172.0.0.1

Note that 172.0.0.0/24 is used here only as a placeholder for "the server's LAN"; it is not actually inside the private 172.16.0.0/12 range, so substitute the real addresses of your LAN (typically 192.168.x.0/24 or 172.16-31.x.0/24) when you configure your own server.

Client

This is the computer you wish to connect to the server via VPN over SSH.

Public IP address - does not matter
Private network 192.168.0.0/24
Private IP address 192.168.0.10
Default gw 192.168.0.1

VPN Tunnel ( tun0 )

A virtual interface, called "tun0", is created and configured on both the client and server and is then used to establish a VPN connection. This virtual interface, tun0, is created by ssh using the -w flag (see below) and must be on a separate network from the server and client LANs.

In this example, I will use 10.0.0.0/24 as a network for the virtual interfaces.

Server tun0 IP address = 10.0.0.1
Client tun0 IP address = 10.0.0.2

STOP - If you do not understand private / public networks and that 172.0.0.0/24, 192.168.0.0/24 and 10.0.0.0/24 are 3 DIFFERENT NETWORKS, you may wish to review the previous links or you may have difficulty following the rest of this how-to.

How to VPN over SSH

Ok, enough background, let's set it up already.

Server Configuration

1. Using any editor, open /etc/ssh/sshd_config, change the "PermitRootLogin" line and add the "PermitTunnel" line :

PermitRootLogin prohibit-password
PermitTunnel point-to-point

(On OpenSSH older than 7.0 write "PermitRootLogin without-password"; newer releases still accept that spelling as an alias.) Restart sshd afterwards so the change takes effect, e.g. sudo systemctl restart ssh on current Ubuntu/Debian, and confirm the effective settings with sudo sshd -T | grep -i -e permittunnel -e permitrootlogin .

2. Enable IP forwarding and NAT, so that the server passes the client's packets on to its LAN and the internet. The first command takes effect immediately; the steps that follow make the settings survive a reboot.

# enable now:

sudo sysctl -w net.ipv4.ip_forward=1

To set as default, using any editor, open /etc/sysctl.conf and add :

# Needed to add for forwarding
net.ipv4.ip_forward = 1

Next, configure iptables to allow masquerade (NAT)

sudo iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE

Your iptables settings will be lost when you reboot unless you configure a way of saving them. This can be done several ways; here I will use "iptables-save" and "iptables-restore" to make the masquerade rule the default.

sudo bash -c "iptables-save > /etc/iptables.rules"

Using any editor, open /etc/rc.local and add this line (above the exit 0 line)

iptables-restore < /etc/iptables.rules

(On current Debian/Ubuntu the iptables-persistent package does the same job: it saves the rules to /etc/iptables/rules.v4 and the netfilter-persistent service reloads them at boot, which avoids depending on rc.local.)

3. Configure the tunnel (tun0). Using any editor, edit /etc/network/interfaces and add these lines (works on Debian/Ubuntu). ifupdown does not allow a comment at the end of an option line, so keep the comment on a line of its own:

iface tun0 inet static
address 10.0.0.1
netmask 255.255.255.0
# 10.0.0.2 is the client's tunnel address
pointopoint 10.0.0.2

The interface, tun0, will be brought up and down automatically when the client establishes an ssh connection, using the forced command on the ssh key (see below).
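Once the three server steps are done it is worth verifying them on the server rather than discovering a missing one from the client side. The following shell script is an added example, not part of the original how-to: it checks the effective sshd settings, IP forwarding and the MASQUERADE rule, taking each input as text (the output of sshd -T, the contents of /proc/sys/net/ipv4/ip_forward and the output of iptables-save -t nat) so it runs offline against a saved copy as well as live. The function names and the PASS/FAIL report are this example's own.

```shell
#!/bin/sh
# Added example (not part of the original how-to): check that the server side
# of the VPN-over-SSH setup is in place. Every check takes its input as text,
# so it can be fed live output or a saved copy. Function and argument names
# are this example's own.
#
#   check_server "$(sshd -T)" "$(cat /proc/sys/net/ipv4/ip_forward)" \
#                "$(iptables-save -t nat)" 10.0.0.0/24 eth0

# `sshd -T` prints the effective configuration as one lowercase "key value"
# per line, after defaults and Match blocks have been applied.
sshd_allows_tunnel() {
    # $1 = sshd -T output. PermitTunnel must be point-to-point (or yes, which
    # additionally allows layer-2 tap tunnels) for `ssh -w` to be accepted.
    printf '%s\n' "$1" | awk '
        tolower($1) == "permittunnel" { v = tolower($2) }
        END { if (v == "point-to-point" || v == "yes") exit 0; exit 1 }'
}

sshd_root_login_is_key_only() {
    # $1 = sshd -T output. Root may log in with a key only: prohibit-password
    # (OpenSSH 7.0+) or its older spelling without-password. "yes" would allow
    # password logins for root and fails the check.
    printf '%s\n' "$1" | awk '
        tolower($1) == "permitrootlogin" { v = tolower($2) }
        END { if (v == "prohibit-password" || v == "without-password") exit 0; exit 1 }'
}

forwarding_enabled() {
    # $1 = contents of /proc/sys/net/ipv4/ip_forward (or `sysctl -n net.ipv4.ip_forward`)
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ]
}

nat_rule_present() {
    # $1 = `iptables-save -t nat` output, $2 = tunnel network, $3 = LAN interface.
    # Looks for exactly the MASQUERADE rule the how-to adds; -F keeps "." and "/" literal.
    printf '%s\n' "$1" | grep -qF -- "-A POSTROUTING -s $2 -o $3 -j MASQUERADE"
}

check_server() {
    # $1 = sshd -T output, $2 = ip_forward value, $3 = iptables-save output,
    # $4 = tunnel network, $5 = LAN interface. Prints one PASS/FAIL line per
    # check and returns the number of failed checks.
    fails=0
    if sshd_allows_tunnel "$1"; then echo "PASS PermitTunnel"
    else echo "FAIL PermitTunnel is not point-to-point"; fails=$((fails + 1)); fi
    if sshd_root_login_is_key_only "$1"; then echo "PASS PermitRootLogin"
    else echo "FAIL PermitRootLogin is not prohibit-password"; fails=$((fails + 1)); fi
    if forwarding_enabled "$2"; then echo "PASS ip_forward"
    else echo "FAIL net.ipv4.ip_forward is not 1"; fails=$((fails + 1)); fi
    if nat_rule_present "$3" "$4" "$5"; then echo "PASS MASQUERADE"
    else echo "FAIL no MASQUERADE rule for $4 out of $5"; fails=$((fails + 1)); fi
    return "$fails"
}
```

Run it on the server as root; a non-zero exit status is the number of failed checks. Reading sshd -T instead of grepping sshd_config gives the values sshd will actually use (defaults and Match blocks included); it does not, however, tell you whether the running daemon has been restarted since the file was edited, so do that first.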

Client Configuration

1. Make an ssh key, call it "VPN".

ssh-keygen -t rsa -b 4096 -f VPN

When generating the key, simply hit enter when asked for a passphrase. This creates a "passphrase-less key". Alternately, if you wish to increase security you can enter a passphrase.

Note: 1024-bit RSA keys are weak by current standards; 4096-bit RSA as above or an Ed25519 key (ssh-keygen -t ed25519 -f VPN) are the usual choices today. With Ed25519 the key line on the server begins with ssh-ed25519 rather than ssh-rsa.

2. On the client, put the private key (VPN) in /root/.ssh and set permissions so that only root can read it.

#If needed, make the directory /root/.ssh first (root-only).
sudo mkdir -p -m 700 /root/.ssh
sudo cp VPN /root/.ssh/VPN
sudo chown root:root /root/.ssh/VPN
sudo chmod 400 /root/.ssh/VPN

3. Configure the key on the server.

After transferring the public key (VPN.pub) to the server, first append it to /root/.ssh/authorized_keys.

#If needed, make the directory /root/.ssh first (root-only).
sudo mkdir -p -m 700 /root/.ssh
sudo bash -c "cat VPN.pub >> /root/.ssh/authorized_keys"
sudo chmod 600 /root/.ssh/authorized_keys

Next, edit /root/.ssh/authorized_keys adding the "forced command" and restrictions (just before the ssh-rsa AAAA ... of the key you just added):

tunnel="0",command="/sbin/ifdown tun0; /sbin/ifup tun0",no-port-forwarding,no-pty,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAA .... (long sequence of base64 characters)

Note: The options "no-port-forwarding,no-pty,no-X11-forwarding,no-agent-forwarding" further enhance security: with them the key can only bring tun0 down and up again; it cannot open a shell, forward ports or use the agent. tunnel="0" pins the key to tun0 on the server, matching the second number in the client's "ssh -w 0:0". On OpenSSH 7.2 and later the single option "restrict" disables port, agent and X11 forwarding and pty allocation at once and can stand in for the four "no-..." options. Keep the forced command and the rest of the key all on a single line, with a single space between the option list and the key type.
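The key is only as safe as the options actually on its line, and a misspelled option or a second, unrestricted copy of the key is easy to miss in a long authorized_keys file. The following shell script is an added example, not taken from the original how-to, that audits an authorized_keys file and flags any key lacking tunnel=, command= and the four no-... options (or "restrict", which implies them). The function names and the OK/WARN output format are this example's own; the sample key lines used to exercise it are constructed for that purpose.

```shell
#!/bin/sh
# Added example (not part of the original how-to): audit an authorized_keys
# file and flag any key that lacks the restrictions this how-to puts on the
# VPN key. Function names and the report format are this example's own.
#
#   check_authorized_keys /root/.ssh/authorized_keys

# Options every VPN key should carry. tunnel= and command= are checked
# separately because their values vary.
REQUIRED_OPTS="no-port-forwarding no-X11-forwarding no-agent-forwarding no-pty"

key_options() {
    # $1 = one authorized_keys line, which looks like
    #   [options] keytype base64-blob [comment]
    # Prints the options field (everything before the key type). It may be
    # empty, and it may itself contain spaces inside the quoted command="...".
    printf '%s\n' "$1" | sed -E 's/(^|[[:space:]])(ssh-(rsa|dss|ed25519)|ecdsa-sha2-[^ ]+|sk-[^ ]+)[[:space:]].*$//'
}

check_key_line() {
    # $1 = one authorized_keys line. Prints "OK" or "WARN missing <options>"
    # with the key's trailing comment, and returns 1 if anything is missing.
    line=$1
    opts=$(key_options "$line")
    comment=${line##* }
    missing=""
    case "$opts" in *'tunnel="'*) ;; *) missing="$missing tunnel=" ;; esac
    case "$opts" in *'command="'*) ;; *) missing="$missing command=" ;; esac
    # "restrict" (OpenSSH 7.2+) implies every option in REQUIRED_OPTS.
    case ",$opts," in
        *,restrict,*) ;;
        *) for o in $REQUIRED_OPTS; do
               case ",$opts," in *"$o"*) ;; *) missing="$missing $o" ;; esac
           done ;;
    esac
    if [ -z "$missing" ]; then
        echo "OK   $comment"
    else
        echo "WARN missing${missing} ($comment)"
    fi
    [ -z "$missing" ]
}

check_authorized_keys() {
    # $1 = path to an authorized_keys file. Reports every key and returns 0
    # only if all keys are restricted; blank lines and comments are skipped.
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        check_key_line "$line" || bad=$((bad + 1))
    done < "$1"
    [ "$bad" -eq 0 ]
}
```

The substring match on option names is deliberate: the "no-ptty" typo that crept into an earlier version of this page does not contain "no-pty", so it is reported as missing, which is what you want since sshd will not treat it as the real option.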

4. Add the server's nameserver to the client's /etc/resolv.conf.

Once the tunnel is the default route, DNS queries travel through it too, so the client should use a resolver the server can reach; the server's own nameserver is the simplest choice. On the server, show your nameserver with :

grep nameserver /etc/resolv.conf

On the client, use any editor and add the server's nameserver to /etc/resolv.conf. On clients where /etc/resolv.conf is generated by NetworkManager or systemd-resolved, a hand edit is overwritten; set the DNS server through that tool instead.

5. Configure tun0 on the client.

Using any editor, add the following lines to /etc/network/interfaces :

You will need to change "1.2.3.4" to the public IP address of your server, "192.168.0.1" to the default gateway of your client and "eth0" to the client's LAN interface.

iface tun0 inet static
pre-up ssh -i /root/.ssh/VPN -S /var/run/ssh-vpn-tunnel-control -M -f -w 0:0 1.2.3.4 true
pre-up sleep 5

address 10.0.0.2
pointopoint 10.0.0.1
netmask 255.255.255.0

up route add -host 1.2.3.4 gw 192.168.0.1 dev eth0
up route add default gw 10.0.0.1 dev tun0
up route del default gw 192.168.0.1 dev eth0

down route add default gw 192.168.0.1 dev eth0
down route del default gw 10.0.0.1 dev tun0
down route del -host 1.2.3.4 gw 192.168.0.1 dev eth0

post-down ssh -i /root/.ssh/VPN -S /var/run/ssh-vpn-tunnel-control -O exit 1.2.3.4

Note : "pre-up ... 1.2.3.4 true" and "post-down ... exit 1.2.3.4" are each on one line.

Let us examine this configuration in some detail.

"pre-up" commands are run before the interface (tun0) is enabled.

ssh ...
Because ifup runs as root, ssh logs in to 1.2.3.4 as root (the account whose authorized_keys carries the forced command) using the key given with -i.
The -w 0:0 flag requests the tunnel: the first number is the tun device on the client, the second the one on the server, which has to match the tunnel="0" option on the key.
The -M flag makes this ssh process a connection master and -S gives the path of its control socket, so that the post-down command below can tell the same session to exit (see man ssh).
The -f flag sends ssh to the background once the connection is up; "true" is the remote command, which the server ignores in favour of the forced command on the key.
pre-up sleep 5 -> allows time for ssh to establish the tunnel before proceeding with configuration.

Optional: add the -C flag to the ssh command to use compression, which may enhance the performance of the tunnel, and -o ServerAliveInterval=30 -o ServerAliveCountMax=3 so that ssh notices a dead link and exits instead of leaving behind a tun0 that goes nowhere.

address 10.0.0.2 # sets the tunnel IP address
pointopoint 10.0.0.1 # the peer's tunnel address; establishes the point-to-point connection (VPN)
netmask 255.255.255.0 # netmask for the tunnel

"up" commands are run once tun0 is configured and are used to change the default route on the client to use the tunnel as default, thus establishing the VPN.

up route add -host 1.2.3.4 gw 192.168.0.1 dev eth0 # Specifies the route for the ssh traffic to the public IP address of the server. This is necessary as we are next going to change the default gateway to the VPN connection; without it the packets carrying the tunnel would themselves be routed into the tunnel. The route must go via the LAN gateway (192.168.0.1): a plain "dev eth0" route would tell the kernel the server is on the local link, and the packets would never reach the router.

up route add default gw 10.0.0.1 dev tun0
up route del default gw 192.168.0.1 dev eth0

Those lines change the default gateway from eth0 to the tunnel. Once the gateway is changed, the VPN connection is complete and the client now behaves as if it is directly connected to the server's private network, 172.0.0.0/24 in this example (the server masquerades the client's traffic, so hosts on that LAN see it coming from 172.0.0.10). The client can now ping or connect to other computers on the private network.

The down commands reverse the routing when the tunnel is brought down.

post-down ssh ... -O exit 1.2.3.4 asks the master ssh process, through the control socket, to close the connection and thus bring the tunnel, tun0, down.
6. Make a new group, "vpn", and add users you wish to use the tunnel to the vpn group.

Change the user "bodhi" to your actual user name.

sudo addgroup vpn
sudo adduser bodhi vpn

7. Allow members of the vpn group to bring the tunnel up and down without a password.

export EDITOR=gedit && sudo -E visudo

Add this line (near the bottom, in the group section, under the line which begins %admin ... ). The argument "tun0" is part of the rule on purpose: an unrestricted "/sbin/ifup" would also permit "ifup -i FILE", which executes the pre-up commands of whatever file the user supplies, as root.

%vpn ALL=NOPASSWD: /sbin/ifup tun0, /sbin/ifdown tun0

Save the file and exit gedit.

Using the VPN connection

Users in the vpn group can establish and disconnect the VPN.

Bring the connection up:

sudo ifup tun0

Bring the connection down:

sudo ifdown tun0

Testing the VPN connection

One way to test the connection is with tracepath.

tracepath google.com

Use tracepath both before and after establishing the VPN tunnel. Before you establish the tunnel you will see the network traffic going through eth0 to your LAN gateway; after, the first hop is 10.0.0.1, the server's end of tun0, and the path continues from the remote LAN. The routing table on the client ("ip route show" or "route -n") should by then list a single default route, via 10.0.0.1 on tun0, plus the host route to 1.2.3.4 via your LAN gateway.
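To check the routing table the same way without reading it by eye, the following shell script is an added example, not part of the original how-to. It parses "ip route show" output (passed in as text, so it also works on a saved copy) and confirms the two things the tun0 stanza has to produce: the only default route is via tun0, and the host route to the server goes through the LAN gateway rather than being a link-scope route. Function and argument names, and the sample routing tables in the usage, are this example's own; the server address 1.2.3.4 and the devices eth0/tun0 are the how-to's.

```shell
#!/bin/sh
# Added example (not part of the original how-to): verify the client's routing
# table after `sudo ifup tun0`. The checks read `ip route show` output as text,
# so they can be run live or against a saved copy; function and argument
# names are this example's own. Run on the client as
#
#   vpn_routes_ok "$(ip route show)" 1.2.3.4 eth0 tun0 && echo "tunnel is the default route"

default_routes_via() {
    # $1 = ip route output, $2 = device. Prints how many default routes use $2.
    printf '%s\n' "$1" | awk -v dev="$2" '
        $1 == "default" { for (i = 2; i < NF; i++) if ($i == "dev" && $(i + 1) == dev) n++ }
        END { print n + 0 }'
}

host_route_gateway() {
    # $1 = ip route output, $2 = server public IP, $3 = LAN device. Prints the
    # gateway of the host route to the server via $3, or nothing if the route
    # is missing or has no gateway (a link-scope "1.2.3.4 dev eth0" entry).
    printf '%s\n' "$1" | awk -v host="$2" -v dev="$3" '
        $1 == host || $1 == (host "/32") {
            gw = ""; d = ""
            for (i = 2; i < NF; i++) {
                if ($i == "via") gw = $(i + 1)
                if ($i == "dev") d = $(i + 1)
            }
            if (d == dev) print gw
        }'
}

vpn_routes_ok() {
    # $1 = ip route output, $2 = server public IP, $3 = LAN device, $4 = tunnel device.
    # Returns 0 when all traffic defaults to the tunnel while the SSH session
    # carrying it still reaches the server over the LAN gateway; otherwise
    # prints each problem found and returns 1.
    rc=0
    if [ "$(default_routes_via "$1" "$4")" -lt 1 ]; then
        echo "no default route via $4: traffic is not using the tunnel"; rc=1
    fi
    if [ "$(default_routes_via "$1" "$3")" -gt 0 ]; then
        echo "a default route via $3 is still present: traffic may bypass the tunnel"; rc=1
    fi
    if [ -z "$(host_route_gateway "$1" "$2" "$3")" ]; then
        echo "no host route to $2 via $3 with a gateway: packets to the server would be sent into the tunnel itself"; rc=1
    fi
    return "$rc"
}
```

The second check matters when ifdown has been run after a tunnel died: the "down route add default gw 192.168.0.1" line can succeed while "down route del default gw 10.0.0.1" fails, leaving two default routes and traffic going wherever the kernel prefers.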

Troubleshooting

If you are having trouble establishing the tunnel:

  1. First be sure you have configured ssh on the server side (PermitTunnel and the key's forced command) and that port 22 is forwarded properly.
  2. Then work through /etc/network/interfaces on both client and server and make sure the IP addresses and routes (gateway) are set properly.
  3. Don't forget to set up NAT on the server.
  4. Did you add the server's nameserver to the client?

I had a problem when the ssh tunnel failed or was terminated unexpectedly. In that case the ifup and ifdown commands may not work and you may see error messages. In this event I have had to manually set the routes on the client, including the default gateway. Delete the host route to the server if the tunnel is down.

References

  • Ubuntu Wiki SSH_VPN
  • Debian Administration - Setting up a Layer 3 tunneling VPN with using OpenSSH
  • OpenSSH 4.3 VPN Example