Annotation of src/usr.bin/ssh/README.tun, Revision 1.1
How to use OpenSSH-based virtual private networks
--------------------------------------------------

OpenSSH contains support for VPN tunneling using the tun(4) network
tunnel pseudo-device which is available on most platforms, either for
layer 2 or 3 traffic.

The following brief instructions on how to use this feature use
a network configuration specific to the OpenBSD operating system.

(1) Server: Enable support for SSH tunneling

To enable the ssh server to accept tunnel requests from the client, you
have to add the following option to the ssh server configuration file
(/etc/ssh/sshd_config):

    PermitTunnel yes

Restart the server or send the hangup signal (SIGHUP) to let the server
reread its configuration.

(2) Server: Restrict client access and assign the tunnel

The OpenSSH server simply uses the file /root/.ssh/authorized_keys to
restrict the client to connect to a specified tunnel and to
automatically start the related interface configuration command. These
settings are optional but recommended:

    tunnel="1",command="sh /etc/netstart tun1" ssh-rsa ... reyk@openbsd.org

(3) Client: Configure the local network tunnel interface

Use the hostname.if(5) interface-specific configuration file to set up
the network tunnel configuration with OpenBSD. For example, use the
following configuration in /etc/hostname.tun0 to set up the layer 3
tunnel on the client:

    inet 192.168.5.1 255.255.255.252 192.168.5.2

OpenBSD also supports layer 2 tunneling over the tun device by adding
the link0 flag:

    inet 192.168.1.78 255.255.255.0 192.168.1.255 link0

Layer 2 tunnels can be used in combination with an Ethernet bridge(4)
interface, like the following example for /etc/bridgename.bridge0:

    add tun0
    add sis0
    up

(4) Client: Configure the OpenSSH client

To establish tunnel forwarding for connections to a specified
remote host by default, use the following ssh client configuration for
the privileged user (in /root/.ssh/config):

    Host sshgateway
        Tunnel yes
        TunnelDevice 0:any
        PermitLocalCommand yes
        LocalCommand sh /etc/netstart tun0

A more complicated configuration is possible to establish a tunnel to
a remote host which is not directly accessible by the client.
The following example describes a client configuration to connect to
the remote host over two ssh hops in between. It uses the OpenSSH
ProxyCommand in combination with the nc(1) program to forward the final
ssh tunnel destination over multiple ssh sessions.

    Host access.somewhere.net
        User puffy
    Host dmzgw
        User puffy
        ProxyCommand ssh access.somewhere.net nc dmzgw 22
    Host sshgateway
        Tunnel yes
        TunnelDevice 0:any
        PermitLocalCommand yes
        LocalCommand sh /etc/netstart tun0
        ProxyCommand ssh dmzgw nc sshgateway 22

The following network plan illustrates the previous configuration in
combination with layer 2 tunneling and Ethernet bridging.

+--------+   (            )   +----------------------+
| Client |---(  Internet  )---| access.somewhere.net |
+--------+   (            )   +----------------------+
    : 192.168.1.78                       |
    :.............................       +-------+
 Forwarded ssh connection    :           | dmzgw |
 Layer 2 tunnel              :           +-------+
                             :           |
                             :           |
                             :    +------------+
                             :....| sshgateway |
                                  +------------+
                                         |
 --- real connection         Bridge -> |     +----------+
 ... "virtual connection"              [ X ]---| somehost |
 [X] switch                                    +----------+
                                                192.168.1.25

! 102:
! 103: (5) Client: Connect to the server and establish the tunnel
! 104:
! 105: Finally connect to the OpenSSH server to establish the tunnel by using
! 106: the following command:
! 107:
! 108: ssh sshgateway
! 109:
! 110: It is also possible to tell the client to fork into the background after
! 111: the connection has been successfully established:
! 112:
! 113: ssh -f sshgateway true
! 114:
! 115: Without the ssh configuration done in step (4), it is also possible
! 116: to use the following command lines:
! 117:
! 118: ssh -fw 0:1 sshgateway true
! 119: ifconfig tun0 192.168.5.1 192.168.5.2 netmask 255.255.255.252
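The set-up in steps (1) to (5), as a worked example added here rather than taken from OpenSSH or this README: it checks which PermitTunnel value sshd will actually apply, builds a locked-down authorized_keys line for the tunnel key, and walks the ProxyCommand chain of the multi-hop client configuration. The config fragments are constructed samples standing in for /etc/ssh/sshd_config and /root/.ssh/config; the key text is a placeholder.

```shell
# Added example, not OpenSSH code.  Constructed sample config fragments stand in
# for /etc/ssh/sshd_config and /root/.ssh/config from the steps above.
SAMPLE_SSHD_CONFIG='# comment line
Port 22
PermitTunnel point-to-point
PermitTunnel yes'
SAMPLE_SSH_CONFIG='Host access.somewhere.net
    User puffy
Host dmzgw
    User puffy
    ProxyCommand ssh access.somewhere.net nc dmzgw 22
Host sshgateway
    Tunnel yes
    TunnelDevice 0:any
    ProxyCommand ssh dmzgw nc sshgateway 22'

# Effective PermitTunnel value of an sshd_config read from stdin.  sshd honours
# the first occurrence of a keyword and ignores later ones; if the keyword is
# absent the default is "no", so a stray early line can silently win.
permit_tunnel_value() {
    awk '$1 !~ /^#/ && tolower($1) == "permittunnel" && !found { v = $2; found = 1 }
         END { print (found ? v : "no") }'
}

# Least-privilege authorized_keys line for a tunnel-only key: pin the tunnel
# number, force the interface set-up command and switch off the channel types
# a tunnel client has no use for.  $1 = tunnel number, $2 = public key text.
tunnel_key_line() {
    printf 'tunnel="%s",command="sh /etc/netstart tun%s",%s %s\n' \
        "$1" "$1" "no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding" "$2"
}

# Resolve the ProxyCommand chain for a host: print the target followed by each
# "ssh <hop> nc ..." proxy in the order ssh nests them.  $1 = config, $2 = host.
hop_chain() {
    conf=$1 host=$2 chain="" n=0
    while [ -n "$host" ] && [ "$n" -lt 8 ]; do   # 8 hops max: guards against loops
        chain="${chain:+$chain }$host"
        n=$((n + 1))
        host=$(printf '%s\n' "$conf" | awk -v h="$host" '
            $1 == "Host" { cur = $2 }
            cur == h && $1 == "ProxyCommand" && $2 == "ssh" { print $3; exit }')
    done
    printf '%s\n' "$chain"
}

printf '%s\n' "$SAMPLE_SSHD_CONFIG" | permit_tunnel_value   # point-to-point
tunnel_key_line 1 'ssh-rsa AAAAB3EXAMPLEKEY puffy@client'   # constructed key
hop_chain "$SAMPLE_SSH_CONFIG" sshgateway                   # sshgateway dmzgw access.somewhere.net
```

The first function is worth running after editing sshd_config, since a PermitTunnel line already present higher in the file wins over the one added in step (1).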
! 120:
! 121: Using OpenSSH tunnel forwarding is a simple way to establish secure
! 122: and ad hoc virtual private networks. Possible fields of application
! 123: could be wireless networks or administrative VPN tunnels.
! 124:
! 125: Nevertheless, ssh tunneling requires some packet header overhead and
! 126: runs on top of TCP. It is still suggested to use the IP Security
! 127: Protocol (IPSec) for robust and permanent VPN connections and to
! 128: interconnect corporate networks.
! 129:
! 130: Reyk Floeter
! 131:
! 132: $OpenBSD$