
Using badvpn and tunnel interface

badvpn is a collection of utilities for various VPN-related use cases.

Note: The badvpn project has been discontinued in August 2022, and the latest stable release is from April 2015.

Setting up badvpn and tunnel interface

First, we will set up a normal SSH dynamic SOCKS proxy like usual (the user and host are placeholders to fill in):

$ ssh -TND 4711 <user>@<ssh_server>

Afterwards, we can go ahead with setting up the TUN.

Now you have a working local tun0 interface which routes all traffic going into it through the SOCKS proxy you set up earlier.

All that's left to do now is to set up a local route to get some traffic into it. Let us set up a route that routes all traffic into it. We need:

- A route to the SSH server that we use for the tunnel, with a low metric.
- A route to the DNS server (because tun2socks does not do UDP, which is necessary for DNS), with a low metric.
- A default route for all other traffic, with a higher metric than the other two routes.

The idea behind setting the metrics explicitly is that the route picked to the SSH server must always be the direct one: otherwise the SSH session itself would be routed back into the SSH tunnel, causing a loop, and we would lose the SSH connection as a result. Apart from that, we need an explicit DNS route because tun2socks does not tunnel UDP (required for DNS). We also need a new default route with a lower metric than your old default route, so that traffic goes into the tunnel at all.

With all of that said, let us get to work:

# ip route add default via 10.0.0.2 metric 6

Now all traffic (except for DNS and the SSH server itself) should go through tun0.

OpenSSH has built-in TUN/TAP support using -w. Here, a layer 3/point-to-point/TUN tunnel is described. It is also possible to create a layer 2/ethernet/TAP tunnel.

To enable forwarding for the TUN device, edit /etc/ssh/sshd_config and set PermitTunnel to yes, point-to-point or ethernet. Setting yes enables forwarding for both point-to-point and ethernet tunnels. See sshd_config(5) for details.

Create tun interfaces using systemd-networkd: /etc/systemd/network/vpn.netdev

Tunnel forwarding failed

If you do not enable tunneling, you may get the following error when you want to create an SSH tunnel using -w:

channel 0: open failed: connect failed: open failed

Check the owner of the tun interface and/or /dev/net/tun.

Using PPP over SSH

pppd can easily be used to create a tunnel through an SSH server (the user and host are placeholders to fill in):

# pppd updetach noauth silent nodeflate pty "/usr/bin/ssh <user>@<ssh_server> /usr/sbin/pppd nodetach notty noauth" ipparam vpn 10.0.8.1:10.0.8.2

When the VPN is established, you can route traffic through it. To route all Internet traffic through the tunnel, for example to protect your communication on an unencrypted network, first add a route to the SSH server through your regular gateway: Next, replace the default route with the tunnel.

Obviously, if you want to access a network rather than a single machine, you should properly set up IP packet forwarding, routing and maybe a netfilter on both sides.
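Added example, not code from the wiki page: a small Python model of the kernel's route selection (longest prefix first, then lowest metric) to check the route plan from the badvpn section, and the equivalent "pin the SSH server to the regular gateway, then replace the default route" step from the PPP section, before applying it on a real box. The addresses, the eth0 device and the DHCP-style metric 100 on the existing default route are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    prefix: str   # destination in CIDR form, "0.0.0.0/0" for a default route
    via: str      # next hop ("" for an on-link route)
    dev: str
    metric: int

def lookup(routes, dst):
    """Select the route the kernel would use for dst: longest prefix wins,
    and among equal prefixes the lowest metric wins."""
    ip = ipaddress.ip_address(dst)
    matches = [r for r in routes if ip in ipaddress.ip_network(r.prefix)]
    if not matches:
        return None
    return max(matches, key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen, -r.metric))

def tunnel_routes(ssh_server, dns_server, old_gateway, old_dev,
                  tun_peer="10.0.0.2", tun_dev="tun0", low_metric=5):
    """The three routes the page describes: host routes for the SSH and DNS
    servers pinned to the physical gateway with a low metric, and a new default
    route into the tunnel with a metric one higher (so the host routes beat it,
    while it still beats a typical DHCP-installed default route)."""
    return [
        Route(f"{ssh_server}/32", old_gateway, old_dev, low_metric),
        Route(f"{dns_server}/32", old_gateway, old_dev, low_metric),
        Route("0.0.0.0/0", tun_peer, tun_dev, low_metric + 1),
    ]

def route_usage(routes, ssh_server, dns_server, probe="198.51.100.1"):
    """Report which device carries SSH-server, DNS and ordinary traffic.
    'ssh' resolving to the tunnel device is the loop the page warns about;
    'other' staying on the physical device means the tunnel is never used."""
    return {name: lookup(routes, dst).dev
            for name, dst in (("ssh", ssh_server), ("dns", dns_server), ("other", probe))}

# Constructed example values: placeholders, not addresses from the page.
SSH_SERVER, DNS_SERVER, OLD_GW = "203.0.113.10", "203.0.113.53", "192.168.1.1"
BASE_TABLE = [Route("0.0.0.0/0", OLD_GW, "eth0", 100),    # DHCP-style default route
              Route("192.168.1.0/24", "", "eth0", 100)]   # connected LAN route

if __name__ == "__main__":
    good = BASE_TABLE + tunnel_routes(SSH_SERVER, DNS_SERVER, OLD_GW, "eth0")
    print(route_usage(good, SSH_SERVER, DNS_SERVER))
    # Only the tunnel default route, without the pinned host routes: the SSH
    # session itself would be routed into the tunnel it rides on.
    looped = BASE_TABLE + [Route("0.0.0.0/0", "10.0.0.2", "tun0", 6)]
    print(route_usage(looped, SSH_SERVER, DNS_SERVER))
```

If your existing default route has a metric of 0 (common for manually added routes), the model shows ordinary traffic staying on eth0, which is the "lower metric than your old default route" condition the page states.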
