How to set up an SSH VPN

Intro

I needed to access a network that only exposes an SSH server, so I used the SSH tools to set up a VPN tunnel.

Network diagram

ssh vpn architecture

Destination : Debian

  • eth0 : 192.168.1.10/24
  • tun0 : 10.110.0.100/32

Commands

  • This package is needed in order to have the tun0 interface
root@host:~# apt-get install uml-utilities
  • Check that the service is up
root@host:~# systemctl status uml-utilities.service
  • Turn IP forwarding on
root@host:~# echo 1 | tee /proc/sys/net/ipv4/ip_forward
  • Set tun0 address
root@host:~# ip addr add 10.110.0.100/32 peer 10.110.0.200 dev tun0
  • Turn tun0 interface up
root@host:~# ip link set tun0 up
  • Add 192.168.2.0/24 route (in this case the 192.168.1.0/24 network needs to have 192.168.1.10 as default gateway)
root@host:~# ip route add 192.168.2.0/24 via 10.110.0.200
  • Or you can set up netfilter masquerading to access 192.168.1.0/24
root@host:~# iptables -t nat -A POSTROUTING -d 192.168.1.0/24 -o eth0 -j MASQUERADE

/etc/ssh/sshd_config

PermitRootLogin yes
PermitTunnel yes

root@host:~# systemctl restart sshd
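
A check on the two sshd_config settings above, as an added example that is not part of the original page: it reads a config on stdin and flags values broader than a layer-3 `ssh -w` tunnel needs. The function names and sample inputs are constructed for illustration, and only the global section (before any Match block) is parsed.

```shell
#!/bin/sh
# Added example (not from the original page): flag sshd_config values that are
# broader than an `ssh -w` layer-3 (tun) tunnel needs. Config is read on stdin.

# effective_value KEYWORD_LOWERCASE DEFAULT CONFIG_TEXT
# Global section only: keywords are case-insensitive, the first occurrence
# wins, and parsing stops at the first Match block.
effective_value() {
    v=$(printf '%s\n' "$3" | awk -v key="$1" '
        /^[ \t]*#/             { next }   # comment line
        tolower($1) == "match" { exit }   # per-Match overrides are not handled
        tolower($1) == key     { print tolower($2); exit }')
    printf '%s\n' "${v:-$2}"              # fall back to the OpenSSH default
}

# audit_sshd_tunnel: prints one OK/INFO/WARN line per setting.
audit_sshd_tunnel() {
    conf=$(cat)
    root=$(effective_value permitrootlogin prohibit-password "$conf")
    tun=$(effective_value permittunnel no "$conf")
    case $root in
        yes) echo "WARN PermitRootLogin=yes: root password login is allowed; prohibit-password keeps key-based root login" ;;
        no)  echo "INFO PermitRootLogin=no: the root login used for the tunnel will be refused" ;;
        *)   echo "OK   PermitRootLogin=$root" ;;
    esac
    case $tun in
        yes) echo "WARN PermitTunnel=yes: layer-2 and layer-3 devices are both allowed; point-to-point covers tun0" ;;
        no|ethernet) echo "INFO PermitTunnel=$tun: the layer-3 tun0 request will be refused" ;;
        *)   echo "OK   PermitTunnel=$tun" ;;
    esac
}

# Constructed sample 1: the two settings exactly as given on this page.
printf 'PermitRootLogin yes\nPermitTunnel yes\n' | audit_sshd_tunnel
# Constructed sample 2: a tighter variant; the later duplicate line is ignored.
printf '# constructed\npermitrootlogin prohibit-password\nPermitTunnel point-to-point\nPermitTunnel yes\n' | audit_sshd_tunnel
```

On the server itself, `sshd -T | audit_sshd_tunnel` feeds the function the effective configuration instead of the raw file.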

Source : Archlinux

  • eth0 : 192.168.2.10/24
  • tun0 : 10.110.0.200/32

Commands

  • -w local_tun[:remote_tun] : Requests tunnel device forwarding with the specified tun(4) devices between the client (local_tun) and the server (remote_tun).
  • -N : Do not execute a remote command
  • -f : Requests ssh to go to background just before command execution
root@host:~# ssh -Nf -w 0:0 -p 22 root@1.1.1.1
  • Set tun0 address
root@host:~# ip addr add 10.110.0.200/32 peer 10.110.0.100 dev tun0
  • Turn tun0 interface up
root@host:~# ip link set tun0 up
  • Add 192.168.1.0/24 route
root@host:~# ip route add 192.168.1.0/24 via 10.110.0.100

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.