diff options
author | Damien Miller <djm@mindrot.org> | 2006-01-02 20:23:18 +1100 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2006-01-02 20:23:18 +1100 |
commit | 90cd1c549b4e6be1c5a664ca4d4646a3d3768c2f (patch) | |
tree | 47b8a3629e69f587b46d208cdce6cfd1cae488ad /README.tun | |
parent | 5df52e89b4d83f4f56eba73f5d37ed5a6fc64c08 (diff) |
- (djm) [README.tun] Add README.tun, missed during sync of tun(4) support
Diffstat (limited to 'README.tun')
-rw-r--r-- | README.tun | 132 |
1 files changed, 132 insertions, 0 deletions
diff --git a/README.tun b/README.tun new file mode 100644 index 000000000..d814f396d --- /dev/null +++ b/README.tun | |||
@@ -0,0 +1,132 @@ | |||
1 | How to use OpenSSH-based virtual private networks | ||
2 | ------------------------------------------------- | ||
3 | |||
4 | OpenSSH contains support for VPN tunneling using the tun(4) network | ||
5 | tunnel pseudo-device which is available on most platforms, either for | ||
6 | layer 2 or 3 traffic. | ||
7 | |||
8 | The following brief instructions on how to use this feature use | ||
9 | a network configuration specific to the OpenBSD operating system. | ||
10 | |||
11 | (1) Server: Enable support for SSH tunneling | ||
12 | |||
13 | To enable the ssh server to accept tunnel requests from the client, you | ||
14 | have to add the following option to the ssh server configuration file | ||
15 | (/etc/ssh/sshd_config): | ||
16 | |||
17 | PermitTunnel yes | ||
18 | |||
19 | Restart the server or send the hangup signal (SIGHUP) to let the server | ||
20 | reread it's configuration. | ||
21 | |||
22 | (2) Server: Restrict client access and assign the tunnel | ||
23 | |||
24 | The OpenSSH server simply uses the file /root/.ssh/authorized_keys to | ||
25 | restrict the client to connect to a specified tunnel and to | ||
26 | automatically start the related interface configuration command. These | ||
27 | settings are optional but recommended: | ||
28 | |||
29 | tunnel="1",command="sh /etc/netstart tun1" ssh-rsa ... reyk@openbsd.org | ||
30 | |||
31 | (3) Client: Configure the local network tunnel interface | ||
32 | |||
33 | Use the hostname.if(5) interface-specific configuration file to set up | ||
34 | the network tunnel configuration with OpenBSD. For example, use the | ||
35 | following configuration in /etc/hostname.tun0 to set up the layer 3 | ||
36 | tunnel on the client: | ||
37 | |||
38 | inet 192.168.5.1 255.255.255.252 192.168.5.2 | ||
39 | |||
40 | OpenBSD also supports layer 2 tunneling over the tun device by adding | ||
41 | the link0 flag: | ||
42 | |||
43 | inet 192.168.1.78 255.255.255.0 192.168.1.255 link0 | ||
44 | |||
45 | Layer 2 tunnels can be used in combination with an Ethernet bridge(4) | ||
46 | interface, like the following example for /etc/bridgename.bridge0: | ||
47 | |||
48 | add tun0 | ||
49 | add sis0 | ||
50 | up | ||
51 | |||
52 | (4) Client: Configure the OpenSSH client | ||
53 | |||
54 | To establish tunnel forwarding for connections to a specified | ||
55 | remote host by default, use the following ssh client configuration for | ||
56 | the privileged user (in /root/.ssh/config): | ||
57 | |||
58 | Host sshgateway | ||
59 | Tunnel yes | ||
60 | TunnelDevice 0:any | ||
61 | PermitLocalCommand yes | ||
62 | LocalCommand sh /etc/netstart tun0 | ||
63 | |||
64 | A more complicated configuration is possible to establish a tunnel to | ||
65 | a remote host which is not directly accessible by the client. | ||
66 | The following example describes a client configuration to connect to | ||
67 | the remote host over two ssh hops in between. It uses the OpenSSH | ||
68 | ProxyCommand in combination with the nc(1) program to forward the final | ||
69 | ssh tunnel destination over multiple ssh sessions. | ||
70 | |||
71 | Host access.somewhere.net | ||
72 | User puffy | ||
73 | Host dmzgw | ||
74 | User puffy | ||
75 | ProxyCommand ssh access.somewhere.net nc dmzgw 22 | ||
76 | Host sshgateway | ||
77 | Tunnel Ethernet | ||
78 | TunnelDevice 0:any | ||
79 | PermitLocalCommand yes | ||
80 | LocalCommand sh /etc/netstart tun0 | ||
81 | ProxyCommand ssh dmzgw nc sshgateway 22 | ||
82 | |||
83 | The following network plan illustrates the previous configuration in | ||
84 | combination with layer 2 tunneling and Ethernet bridging. | ||
85 | |||
86 | +--------+ ( ) +----------------------+ | ||
87 | | Client |------( Internet )-----| access.somewhere.net | | ||
88 | +--------+ ( ) +----------------------+ | ||
89 | : 192.168.1.78 | | ||
90 | :............................. +-------+ | ||
91 | Forwarded ssh connection : | dmzgw | | ||
92 | Layer 2 tunnel : +-------+ | ||
93 | : | | ||
94 | : | | ||
95 | : +------------+ | ||
96 | :......| sshgateway | | ||
97 | | +------------+ | ||
98 | --- real connection Bridge -> | +----------+ | ||
99 | ... "virtual connection" [ X ]--------| somehost | | ||
100 | [X] switch +----------+ | ||
101 | 192.168.1.25 | ||
102 | |||
103 | (5) Client: Connect to the server and establish the tunnel | ||
104 | |||
105 | Finally connect to the OpenSSH server to establish the tunnel by using | ||
106 | the following command: | ||
107 | |||
108 | ssh sshgateway | ||
109 | |||
110 | It is also possible to tell the client to fork into the background after | ||
111 | the connection has been successfully established: | ||
112 | |||
113 | ssh -f sshgateway true | ||
114 | |||
115 | Without the ssh configuration done in step (4), it is also possible | ||
116 | to use the following command lines: | ||
117 | |||
118 | ssh -fw 0:1 sshgateway true | ||
119 | ifconfig tun0 192.168.5.1 192.168.5.2 netmask 255.255.255.252 | ||
120 | |||
121 | Using OpenSSH tunnel forwarding is a simple way to establish secure | ||
122 | and ad hoc virtual private networks. Possible fields of application | ||
123 | could be wireless networks or administrative VPN tunnels. | ||
124 | |||
125 | Nevertheless, ssh tunneling requires some packet header overhead and | ||
126 | runs on top of TCP. It is still suggested to use the IP Security | ||
127 | Protocol (IPSec) for robust and permanent VPN connections and to | ||
128 | interconnect corporate networks. | ||
129 | |||
130 | Reyk Floeter | ||
131 | |||
132 | $OpenBSD: README.tun,v 1.3 2005/12/08 18:34:10 reyk Exp $ | ||