If you are managing a remote Linux network and you are tired of NATting or two ssh hops to enter a remote server, but OpenVPN poses too much overhead, you can use ssh tunneling to easily create a workstation-to-site VPN.
I’ve tested this with Ubuntu 9.10 Karmic Koala as the workstation and Debian 5.0 Lenny as the server, but it should work identically with older Ubuntu and Debian (both server or workstation).
- Standard Debian or Ubuntu
- openssh-server on the remote side of the VPN
- openssh-client on the local side of the VPN (your PC)
Network configuration (as an example)
- Workstation LAN: 192.168.0.0/24
- Server LAN: 192.168.10.0/24 on eth1
- VPN: 10.0.0.0/24
- Remote server public address: 18.104.22.168 on eth0
First of all, on the workstation generate a dedicated key (it should be a dedicated one cause the server will identify you’re going to bring up a tunnel based on the key you’re using to connect) with
# ssh-keygen -f /root/.ssh/VPNkey -b 2048
/etc/network/interfaces and create a new stanza like this one (remember to change IP addresses – in bold – according to your personal network configuration)
iface tun0 inet static
# from pre-up to true on the same line
pre-up ssh -i /root/.ssh/VPN -S /var/run/ssh-vpn-tunnel-control -M -f -w 0:0 22.214.171.124 true
pre-up sleep 5
up route add -net 192.168.10.0 netmask 255.255.255.0 gw 10.1.0.1 tun0
post-down ssh -i /root/.ssh/VPN -S /var/run/ssh-vpn-tunnel-control -O exit 126.96.36.199
Just a copuple of notes:
address is your VPN local endpoint address (say, your workstation) while
pointopoint is the remote VPNaddress (your server), which are the two tunnel’s endpoints.
Now let’s go to the server.
/etc/ssh/sshd_server, add the line
and restart your sshd instance.
Now edit (or create)
/root/.ssh/authorized_keys (remember, we are on the server now, not your workstation) and add a line like
tunnel="0",command="/sbin/ifdown tun0; /sbin/ifup tun0" ssh-rsa HERE IT GOES YOUR VPNkey.pub FROM YOUR WORKSTATION
/etc/network/interfaces and add this stanza:
iface tun0 inet static
post-up /sbin/sysctl -w net.ipv4.ip_forward=1
post-up /sbin/iptables -t nat -A POSTROUTING -s 10.1.0.0/24 -o eth1 -j MASQUERADE
post-down /sbin/iptables -t nat -D POSTROUTING -s 10.1.0.0/24 -o eth1 -j MASQUERADE
post-down /sbin/sysctl -w net.ipv4.ip_forward=0
the post-up and post-down commands enable the network sharing between the VPN server endpoint and the remote LAN (it’s called masquerading), so you can access the remote LAN from your workstation and not only the remote server. Obviously you need to instruct your workstation with a dedicated static route to reach the remote LAN network, and this is the
route add -net in your workstation config.
Now, bring up the tunnel on the workstation with
# ifup tun0
and you should be able to reach a remote server on your remote LAN, with traffic secured by OpenSSH encryption.