README.tun revision 157016
How to use OpenSSH-based virtual private networks
-------------------------------------------------

OpenSSH contains support for VPN tunneling using the tun(4) network
tunnel pseudo-device which is available on most platforms, either for
layer 2 or 3 traffic.

The following brief instructions on how to use this feature use
a network configuration specific to the OpenBSD operating system.

(1) Server: Enable support for SSH tunneling

To enable the ssh server to accept tunnel requests from the client, you
have to add the following option to the ssh server configuration file
(/etc/ssh/sshd_config):

        PermitTunnel yes

Restart the server or send the hangup signal (SIGHUP) to let the server
reread its configuration.

(2) Server: Restrict client access and assign the tunnel

The OpenSSH server simply uses the file /root/.ssh/authorized_keys to
restrict the client to connect to a specified tunnel and to
automatically start the related interface configuration command. These
settings are optional but recommended:

        tunnel="1",command="sh /etc/netstart tun1" ssh-rsa ... reyk@openbsd.org

(3) Client: Configure the local network tunnel interface

Use the hostname.if(5) interface-specific configuration file to set up
the network tunnel configuration with OpenBSD. For example, use the
following configuration in /etc/hostname.tun0 to set up the layer 3
tunnel on the client:

        inet 192.168.5.1 255.255.255.252 192.168.5.2

OpenBSD also supports layer 2 tunneling over the tun device by adding
the link0 flag:

        inet 192.168.1.78 255.255.255.0 192.168.1.255 link0

Layer 2 tunnels can be used in combination with an Ethernet bridge(4)
interface, like the following example for /etc/bridgename.bridge0:

        add tun0
        add sis0
        up

(4) Client: Configure the OpenSSH client

To establish tunnel forwarding for connections to a specified
remote host by default, use the following ssh client configuration for
the privileged user (in /root/.ssh/config):

        Host sshgateway
                Tunnel yes
                TunnelDevice 0:any
                PermitLocalCommand yes
                LocalCommand sh /etc/netstart tun0

A more complicated configuration is possible to establish a tunnel to
a remote host which is not directly accessible by the client.
The following example describes a client configuration to connect to
the remote host over two ssh hops in between. It uses the OpenSSH
ProxyCommand in combination with the nc(1) program to forward the final
ssh tunnel destination over multiple ssh sessions.

        Host access.somewhere.net
                User puffy
        Host dmzgw
                User puffy
                ProxyCommand ssh access.somewhere.net nc dmzgw 22
        Host sshgateway
                Tunnel Ethernet
                TunnelDevice 0:any
                PermitLocalCommand yes
                LocalCommand sh /etc/netstart tun0
                ProxyCommand ssh dmzgw nc sshgateway 22

The following network plan illustrates the previous configuration in
combination with layer 2 tunneling and Ethernet bridging.

+--------+        (                )       +----------------------+
| Client |--------(    Internet    )-------| access.somewhere.net |
+--------+        (                )       +----------------------+
    : 192.168.1.78                                    |
    :.............................                +-------+
       Forwarded ssh connection  :                | dmzgw |
       Layer 2 tunnel            :                +-------+
                                 :                    |
                                 :                    |
                                 :              +------------+
                                 :..............| sshgateway |
                                                +------------+
--- real connection          Bridge ->                |
... "virtual connection"                            [ X ]-------+----------+
[X] switch                                                      | somehost |
                                                                +----------+
                                                                192.168.1.25

(5) Client: Connect to the server and establish the tunnel

Finally connect to the OpenSSH server to establish the tunnel by using
the following command:

        ssh sshgateway

It is also possible to tell the client to fork into the background after
the connection has been successfully established:

        ssh -f sshgateway true

Without the ssh configuration done in step (4), it is also possible
to use the following command lines:

        ssh -fw 0:1 sshgateway true
        ifconfig tun0 192.168.5.1 192.168.5.2 netmask 255.255.255.252

Using OpenSSH tunnel forwarding is a simple way to establish secure
and ad hoc virtual private networks. Possible fields of application
could be wireless networks or administrative VPN tunnels.

Nevertheless, ssh tunneling requires some packet header overhead and
runs on top of TCP. It is still suggested to use the IP Security
Protocol (IPSec) for robust and permanent VPN connections and to
interconnect corporate networks.

        Reyk Floeter

$OpenBSD: README.tun,v 1.3 2005/12/08 18:34:10 reyk Exp $