Annotation of src/usr.bin/ssh/README.tun, Revision 1.3.2.1
How to use OpenSSH-based virtual private networks
-------------------------------------------------

OpenSSH contains support for VPN tunneling using the tun(4) network
tunnel pseudo-device which is available on most platforms, either for
layer 2 or 3 traffic.

The following brief instructions on how to use this feature use
a network configuration specific to the OpenBSD operating system.

(1) Server: Enable support for SSH tunneling

To enable the ssh server to accept tunnel requests from the client, you
have to add the following option to the ssh server configuration file
(/etc/ssh/sshd_config):

    PermitTunnel yes

Restart the server or send the hangup signal (SIGHUP) to let the server
reread its configuration.

(2) Server: Restrict client access and assign the tunnel

The OpenSSH server simply uses the file /root/.ssh/authorized_keys to
restrict the client to connect to a specified tunnel and to
automatically start the related interface configuration command. These
settings are optional but recommended:

    tunnel="1",command="sh /etc/netstart tun1" ssh-rsa ... reyk@openbsd.org
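
The two server-side settings from steps (1) and (2) are the ones worth
checking on a gateway. The following audit helper is an added example, not
part of OpenSSH or of this README; it reads copies of sshd_config and
authorized_keys on standard input and reports the effective PermitTunnel
value and every key that is not pinned to one tun device with a forced
command. The sample files and key material are constructed.

```sh
#!/bin/sh
# Added audit helper for steps (1) and (2); it is not part of OpenSSH or
# of this README. Feed it copies of /etc/ssh/sshd_config and
# /root/.ssh/authorized_keys on standard input.

# Effective PermitTunnel value: sshd takes the first occurrence of a
# keyword, and a missing keyword means the default, "no". Keywords are
# case-insensitive; directives inside Match blocks are not considered here.
permit_tunnel_mode() {
    awk 'tolower($1) == "permittunnel" { print $2; found = 1; exit }
         END { if (!found) print "no" }'
}

# Comment field of every authorized_keys entry that is NOT restricted to
# one tun device (tunnel="N") together with a forced command (command="...")
# as step (2) recommends. The comment is the last field even when the
# forced command contains spaces, because the command is quoted.
unrestricted_keys() {
    awk 'NF == 0 || $1 ~ /^#/ { next }
         !/tunnel=["][0-9]+["]/ || !/command=["]/ { print $NF }'
}

# Constructed sample files for the demonstration (not real keys).
SAMPLE_SSHD_CONFIG='# constructed sample sshd_config
Port 22
#PermitTunnel no
PermitTunnel yes'

SAMPLE_AUTHORIZED_KEYS='# constructed sample authorized_keys
tunnel="1",command="sh /etc/netstart tun1" ssh-rsa AAAAB3...CONSTRUCTED reyk@openbsd.org
ssh-rsa AAAAB3...CONSTRUCTED admin@laptop
tunnel="2" ssh-rsa AAAAB3...CONSTRUCTED nocommand@host'

echo "PermitTunnel: $(printf '%s\n' "$SAMPLE_SSHD_CONFIG" | permit_tunnel_mode)"
echo "Keys lacking a tunnel pin or forced command:"
printf '%s\n' "$SAMPLE_AUTHORIZED_KEYS" | unrestricted_keys
```

On the sample input this reports PermitTunnel as yes and lists admin@laptop
and nocommand@host as keys that should get the tunnel= and command= options.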

(3) Client: Configure the local network tunnel interface

Use the hostname.if(5) interface-specific configuration file to set up
the network tunnel configuration with OpenBSD. For example, use the
following configuration in /etc/hostname.tun0 to set up the layer 3
tunnel on the client:

    inet 192.168.5.1 255.255.255.252 192.168.5.2

OpenBSD also supports layer 2 tunneling over the tun device by adding
the link0 flag:

    inet 192.168.1.78 255.255.255.0 192.168.1.255 link0

Layer 2 tunnels can be used in combination with an Ethernet bridge(4)
interface, like the following example for /etc/bridgename.bridge0:

    add tun0
    add sis0
    up

(4) Client: Configure the OpenSSH client

To establish tunnel forwarding for connections to a specified
remote host by default, use the following ssh client configuration for
the privileged user (in /root/.ssh/config):

    Host sshgateway
        Tunnel yes
        TunnelDevice 0:any
        PermitLocalCommand yes
        LocalCommand sh /etc/netstart tun0

A more complicated configuration is possible to establish a tunnel to
a remote host which is not directly accessible by the client.
The following example describes a client configuration to connect to
the remote host over two ssh hops in between. It uses the OpenSSH
ProxyCommand in combination with the nc(1) program to forward the final
ssh tunnel destination over multiple ssh sessions.

    Host access.somewhere.net
        User puffy
    Host dmzgw
        User puffy
        ProxyCommand ssh access.somewhere.net nc dmzgw 22
    Host sshgateway
        Tunnel Ethernet
        TunnelDevice 0:any
        PermitLocalCommand yes
        LocalCommand sh /etc/netstart tun0
        ProxyCommand ssh dmzgw nc sshgateway 22

The following network plan illustrates the previous configuration in
combination with layer 2 tunneling and Ethernet bridging.

    +--------+      (            )     +----------------------+
    | Client |------(  Internet  )-----| access.somewhere.net |
    +--------+      (            )     +----------------------+
         : 192.168.1.78                            |
         :.............................        +-------+
         Forwarded ssh connection     :        | dmzgw |
         Layer 2 tunnel               :        +-------+
                                      :            |
                                      :            |
                                      :     +------------+
                                      :.....| sshgateway |
                                      |     +------------+
       --- real connection  Bridge -> |        +----------+
       ... "virtual connection"     [ X ]------| somehost |
       [X] switch                              +----------+
                                               192.168.1.25

(5) Client: Connect to the server and establish the tunnel

Finally connect to the OpenSSH server to establish the tunnel by using
the following command:

    ssh sshgateway

It is also possible to tell the client to fork into the background after
the connection has been successfully established:

    ssh -f sshgateway true

Without the ssh configuration done in step (4), it is also possible
to use the following command lines:

    ssh -fw 0:1 sshgateway true
    ifconfig tun0 192.168.5.1 192.168.5.2 netmask 255.255.255.252

Using OpenSSH tunnel forwarding is a simple way to establish secure
and ad hoc virtual private networks. Possible fields of application
could be wireless networks or administrative VPN tunnels.

Nevertheless, ssh tunneling requires some packet header overhead and
runs on top of TCP. It is still suggested to use the IP Security
Protocol (IPSec) for robust and permanent VPN connections and to
interconnect corporate networks.

Reyk Floeter

$OpenBSD: README.tun,v 1.3 2005/12/08 18:34:10 reyk Exp $