@CMCDragonkai
Last active January 8, 2024 16:47
SSH VPN #cli

SSH VPN

Here's an example of setting up a basic point-to-point VPN using SSH tunnels.

First you need a server in the cloud that isn't behind a NAT.

Ensure that both the host and the server have port 22 open and are running sshd.

If you're using AWS, make sure to check your security groups.

Edit /etc/ssh/sshd_config on the server so that it contains:

AllowAgentForwarding yes
AllowTcpForwarding yes
GatewayPorts clientspecified
X11Forwarding yes

Then run:

sudo systemctl reload sshd

Now your server in the middle will allow agent forwarding, TCP forwarding, binding to public IP, and X11 forwarding.

This example doesn't actually need all of those settings, but they are useful when doing more advanced things.

From the host run:

ssh -v -N -T -R 55555:localhost:22 user-server@server

From the client run:

ssh -v -N -T -L 55555:localhost:55555 user-server@server

You have now mapped port 22 on the host to port 55555 on the server (bound to the server's loopback, since no bind address was given), and then to port 55555 on the client.

You can now ssh into your host from the client:

ssh user-host@localhost -p 55555

To make the host's reverse tunnel more reliable (it reconnects automatically if the connection drops), you can instead use autossh:

autossh -M 0 -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -v -N -T -R 55555:localhost:22 user-server@server
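As an added example (not part of the gist), here is a small POSIX shell script that audits an sshd_config for the two directives the reverse tunnel depends on and shows which address a given -R spec will bind on the server; the function names `sshd_directive`, `check_sshd_config`, `remote_forward_bind` and `demo`, and the sample config in `demo`, are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the gist: audit the sshd_config directives the
# reverse tunnel depends on, and show where a given -R spec binds on the server.

# Effective global value of a directive. sshd honours the FIRST occurrence of
# a keyword, and lines after the first "Match" only apply conditionally, so
# only the lines before it count. Keywords are case-insensitive and may use
# "Keyword value" or "Keyword=value".
sshd_directive() {  # $1=config file, $2=keyword
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { gsub(/=/, " ") }
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# Report on the two settings that decide whether "ssh -R" works and how far
# the forwarded port is exposed. Returns 0 only if -R tunnels are permitted.
check_sshd_config() {  # $1=config file
    rc=0
    tcp=$(sshd_directive "$1" AllowTcpForwarding)
    gw=$(sshd_directive "$1" GatewayPorts)
    case "${tcp:-yes}" in    # sshd default: yes
        yes|all|remote) echo "ok: AllowTcpForwarding=${tcp:-yes (default)}" ;;
        *) echo "FAIL: AllowTcpForwarding=$tcp refuses -R tunnels"; rc=1 ;;
    esac
    case "${gw:-no}" in      # sshd default: no
        clientspecified) echo "ok: GatewayPorts=clientspecified; client chooses bind address" ;;
        yes) echo "WARN: GatewayPorts=yes puts every -R port on all interfaces" ;;
        *)   echo "ok: GatewayPorts=no; -R ports stay on the server loopback" ;;
    esac
    return $rc
}

# Bind address a "-R [bind:]port:host:hostport" spec asks for. No bind address
# means loopback on the server; an empty one or "*" means all interfaces, which
# sshd only grants when GatewayPorts is yes or clientspecified.
# (Bracketed IPv6 bind addresses are not handled here.)
remote_forward_bind() {  # $1=spec as given to ssh -R
    case "$1" in
        *:*:*:*) addr=${1%%:*}; [ -n "$addr" ] && echo "$addr" || echo '*' ;;
        *)       echo "127.0.0.1" ;;
    esac
}

# Constructed sample config (not a real server's file) exercising the checks.
demo() {
    f=$(mktemp)
    printf 'Port 22\n# GatewayPorts yes\nAllowTcpForwarding yes\nGatewayPorts clientspecified\nMatch User guest\n  AllowTcpForwarding no\n' > "$f"
    check_sshd_config "$f"; rm -f "$f"
    echo "-R 55555:localhost:22 binds on: $(remote_forward_bind 55555:localhost:22)"
}
```

Run `demo` to see the report for the constructed config, or pass the server's real /etc/ssh/sshd_config to `check_sshd_config` before reloading sshd.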
CMCDragonkai (Author) commented Dec 28, 2018

To deal with Mosh: the problem is that Mosh uses UDP ports (60000-61000) (exclusive-exclusive), and SSH doesn't normally port forward UDP ports. You can:

  1. Use socat on both ends to convert UDP to TCP, then forward TCP ports again (but you have to do it for the entire range), but Mosh does start using 60001 first, so you can just do that, but multiple connections will require other ports.
  2. Use SSH tun device feature which allows you to set up a point to point link that can forward any packet. A tun device will operate on layer 3 and can deal with IP packets (ipv4 on an ipv4 connection). Using the proxy would require first creating tun devices between the proxy server and the host. Also tun devices between the proxy server and the client. Then on the server, both tunnel devices need to be bridged together?

When connecting in this way, it can be useful to add the below into your SSH config.

Host remotehost
    HostName 127.0.0.1
    Port 55555
    PreferredAuthentications publickey
    IdentityFile ~/.ssh/keys/identity

This way you can use ssh user-host@remotehost or mosh user-host@remotehost. Remember mosh has a different way of specifying the SSH port required, but by using this, it becomes a lot easier.
