Poor man's VPN with SSH
SSH has port forwarding, dynamic forwarding, and now also IP forwarding. This allows you to create connections out through a firewall, and to allow other connections in and out through your SSH connection, originating at your SSH server. Read on for a few examples of use, and make sure you have the blessing of your security team.
Local forwarding
With local forwarding, you open a local port, and forward it to another host and port from the remote server.
It is often used to forward to single web servers, proxies, Citrix ICA servers, VNC servers, and Windows Remote Desktop (RDP).
Example with local forwarding
Connect to a server at work, forwarding a connection from port 10080 on my laptop to important.server.example.org.
ssh -L 10080:important.server.example.org:80 me@loginserver.example.org
I can then open my browser to http://localhost:10080, and do my stuff. Some web applications, though, can be tricky enough to expect a hostname, and for that you need to edit /etc/hosts or equivalent, or you can read on for dynamic forwarding.
Remote forwarding
With remote forwarding, you open a listening port on the remote side, and forward it to another host and port from the local machine (the SSH client).
Example with remote forwarding
One useful scenario is to help family members who have PC trouble. For instance: Mom has a problem, calls me, and wonders if I can help, and then clicks an icon on her desktop that does the following:
Starts Remote Desktop or VNC
Connects to my SSH server, with remote forwarding from on the SSH server, to localhost: on her PC.
ssh -R 5801:localhost:5801 mom@myserver.example.com
What I do is:
Connect to my SSH server, with local forwarding from on my laptop, to on the SSH server, which again connects through the remote forwarding to localhost: on mom's PC.
ssh -L 5801:localhost:5801 me@myserver.example.com
Start a VNC client, and connect to localhost:5801 on my laptop. This port is now connected through my SSH session, to mom's SSH session, to her PC.
Dynamic forwarding with SOCKS
OpenSSH's client has the ability to do dynamic forwarding to act as a local SOCKS server, both for SOCKS4 and SOCKS5.
Many programs have built-in SOCKS support, so you can enable this and configure the program to use localhost: as its SOCKS proxy.
For programs with no built-in SOCKS support, you can use "tsocks" to intercept networking calls and route them through the SOCKS server.
Example with dynamic forwarding
ssh -D 1080 me@myserver.example.com
Then I configure Firefox, for instance, to use the SOCKS server at localhost port 1080, and all my web connections will go through the SSH connection, and appear to be initiated from myserver.example.com. Much easier than with local forwarding, and works great for remote administration of things from home where you use different hostnames and ports, and perhaps also unroutable IP addresses.
IP forwarding with TUN
Now we're talking. This is the real thing, we get IP forwarding through a point-to-point interface. This exists only in newer versions of OpenSSH, and is not very well documented yet. Unfortunately, this also includes this document until I have more time to research further.
Example with IP forwarding
ssh -w 0:1 me@myserver.example.com
Where '0' is the local device tun0, and '1' refers to the remote device tun1. On each side, one needs to set an IP address for host-to-host contact, and add routing and perhaps also NAT for network access.
Beware, as careless use of IP forwarding between sites may have a serious impact on network security, and may make others very angry if used without permission.
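Since the server side decides which of the forwarding kinds above a user may open at all, here is an added example, not from the original page: a small Python audit of an sshd_config that reports which kinds the global section permits. The DEFAULTS table follows the documented sshd_config(5) defaults (tun forwarding for 'ssh -w' needs PermitTunnel, which is off by default), and the two sample configs are constructed for this example.

```python
import re

# OpenSSH defaults for the forwarding-related directives (sshd_config(5)).
DEFAULTS = {
    "allowtcpforwarding": "yes",    # needed for -L, -R and -D
    "permittunnel": "no",           # needed for -w (tun devices)
    "gatewayports": "no",           # may -R listeners bind beyond loopback?
    "allowagentforwarding": "yes",
    "x11forwarding": "no",
    "disableforwarding": "no",      # "yes" switches every kind off at once
}

def parse_global_sshd_config(text):
    """Return {directive: value} for the global section of an sshd_config."""
    # sshd keeps the FIRST value seen for a directive (later duplicates are
    # ignored); 'Match' blocks apply only to matching connections, so skipped.
    settings = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()                # directives are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
        elif not in_match:
            settings.setdefault(key, value)
    return settings

def forwarding_report(text):
    """Map each forwarding kind to True if the global config allows it."""
    merged = {**DEFAULTS, **parse_global_sshd_config(text)}
    cfg = {k: v.lower() for k, v in merged.items()}
    kinds = ("tcp", "tun", "agent", "x11", "gatewayports")
    if cfg["disableforwarding"] == "yes":
        return dict.fromkeys(kinds, False)
    return {
        "tcp": cfg["allowtcpforwarding"] in ("yes", "all", "local", "remote"),
        "tun": cfg["permittunnel"] in ("yes", "point-to-point", "ethernet"),
        "agent": cfg["allowagentforwarding"] == "yes",
        "x11": cfg["x11forwarding"] == "yes",
        "gatewayports": cfg["gatewayports"] in ("yes", "clientspecified"),
    }
# Constructed sample: a server that permits every example on this page.
PERMISSIVE = "AllowTcpForwarding yes\nPermitTunnel yes  # for ssh -w 0:1\nGatewayPorts clientspecified\n"
# Constructed sample: a login host where forwarding has been switched off.
HARDENED = "DisableForwarding yes\nAllowTcpForwarding yes  # ignored\nMatch User backup\n  PermitTunnel yes\n"
```

Run forwarding_report() over your real /etc/ssh/sshd_config to see which of the examples above a given server would accept; per-user Match blocks still need checking separately.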