jvaubourg/sshvpn.sh

## sshvpn.sh
#!/bin/bash

# Goal to reach:
# +--------------------------------+           +-----------------------------+
# |          LOCAL LAPTOP          |    In     |        REMOTE SERVER        |
# |              tun1              | <=(ter)=> |            tun1             |
# | Private IPv4 of the remote net |    net    | Remote IPv4 private network |
# +--------------------------------+           +-----------------------------+

# Good doc: https://help.ubuntu.com/community/SSH_VPN
# Notes:
#  - If you just need to access to a webpage located on a remote non-reachable web
#    server, just configure your browser to use a SOCKS5 created with ssh -D, and
#    you don't need a root access or any specific configuration on the remote server
#  - If you just need to access to various TCP connections from your laptop, just use
#    sshuttle, and you don't need a root access or any specific configuration on the
#    remote server (it uses iptable to redirect TCP flows and uses directly SSH to
#    transmit data, which is more efficient than using SOCKS5)
#  - But with this solution (ssh -w), you get a real VPN and you can do everything \o/

# On your local laptop:
#  - Be sure all host key verifications on the SSH path are already done
#  - Be sure your SSH agent is already running and will not ask any input

# On the remote server:
#  - apt install uml-utilites
#  - PermitRootLogin yes in sshd_config
#  - PermitTunnel yes in sshd_config

remote_ssh=root-sibra-vpn
local_rootssh=localhost-root

remote_netdev=enp1s0
remote_prefix=10.10.0 # /24
remote_peer_ip=5
local_peer_ip=4

# This script has to be runned with your standard user
if [ $EUID -eq 0 ]; then
   echo '[ERR] You should not be root.' 1>&2
   exit 1
fi

set -x

# SSH has to be used as root on your laptop to be able to open the tunnel
# ... but we would like to keep all SSH configs in ~user/.ssh/config
#     (with a ProxyCommand, remind to use -F /root/.ssh/config.vpn)
sudo cp "/home/$USER/.ssh/config" /root/.ssh/config.vpn
sudo chown root: /root/.ssh/config.vpn

# ... and to use the SSH agent of the standard user
ssh -A "${local_rootssh}" "\
  ssh -F /root/.ssh/config.vpn -TC -w 1:1 ${remote_ssh} '\
    ip link set tun1 up;\
    ip address add ${remote_prefix}.${remote_peer_ip}/32 peer ${remote_prefix}.${local_peer_ip} dev tun1;\
    arp -sD ${remote_prefix}.${local_peer_ip} ${remote_netdev} pub;\
    echo 1 > /proc/sys/net/ipv4/ip_forward\
  '\
" > /dev/null &

# Wait for the creation of the tunnel
false || while [ $? -ne 0 ]; do
  sleep 1
  ip link show dev tun1 &> /dev/null
done

sudo ip link set tun1 up
sudo ip address add "${remote_prefix}.${local_peer_ip}/32" peer "${remote_prefix}.${remote_peer_ip}" dev tun1
sudo ip route add "${remote_prefix}.0/24" via "${remote_prefix}.${remote_peer_ip}"

vpn_pid=$(ps aux | grep ssh | grep -v "${local_rootssh}" | awk "/[1] ${remote_ssh}/ { print \$2 }")

set +x
echo -e "\nStop VPN connection?"
read
sudo kill "${vpn_pid}"

exit 0
	#!/bin/bash

	# Goal to reach:
	# +--------------------------------+ +-----------------------------+
	# \| LOCAL LAPTOP \| In \| REMOTE SERVER \|
	# \| tun1 \| <=(ter)=> \| tun1 \|
	# \| Private IPv4 of the remote net \| net \| Remote IPv4 private network \|
	# +--------------------------------+ +-----------------------------+

	# Good doc: https://help.ubuntu.com/community/SSH_VPN
	# Notes:
	# - If you just need to access to a webpage located on a remote non-reachable web
	# server, just configure your browser to use a SOCKS5 created with ssh -D, and
	# you don't need a root access or any specific configuration on the remote server
	# - If you just need to access to various TCP connections from your laptop, just use
	# sshuttle, and you don't need a root access or any specific configuration on the
	# remote server (it uses iptable to redirect TCP flows and uses directly SSH to
	# transmit data, which is more efficient than using SOCKS5)
	# - But with this solution (ssh -w), you get a real VPN and you can do everything \o/

	# On your local laptop:
	# - Be sure all host key verifications on the SSH path are already done
	# - Be sure your SSH agent is already running and will not ask any input

	# On the remote server:
	# - apt install uml-utilites
	# - PermitRootLogin yes in sshd_config
	# - PermitTunnel yes in sshd_config

	remote_ssh=root-sibra-vpn
	local_rootssh=localhost-root

	remote_netdev=enp1s0
	remote_prefix=10.10.0 # /24
	remote_peer_ip=5
	local_peer_ip=4

	# This script has to be runned with your standard user
	if [ $EUID -eq 0 ]; then
	echo '[ERR] You should not be root.' 1>&2
	exit 1
	fi

	set -x

	# SSH has to be used as root on your laptop to be able to open the tunnel
	# ... but we would like to keep all SSH configs in ~user/.ssh/config
	# (with a ProxyCommand, remind to use -F /root/.ssh/config.vpn)
	sudo cp "/home/$USER/.ssh/config" /root/.ssh/config.vpn
	sudo chown root: /root/.ssh/config.vpn

	# ... and to use the SSH agent of the standard user
	ssh -A "${local_rootssh}" "\
	ssh -F /root/.ssh/config.vpn -TC -w 1:1 ${remote_ssh} '\
	ip link set tun1 up;\
	ip address add ${remote_prefix}.${remote_peer_ip}/32 peer ${remote_prefix}.${local_peer_ip} dev tun1;\
	arp -sD ${remote_prefix}.${local_peer_ip} ${remote_netdev} pub;\
	echo 1 > /proc/sys/net/ipv4/ip_forward\
	'\
	" > /dev/null &

	# Wait for the creation of the tunnel
	false \|\| while [ $? -ne 0 ]; do
	sleep 1
	ip link show dev tun1 &> /dev/null
	done

	sudo ip link set tun1 up
	sudo ip address add "${remote_prefix}.${local_peer_ip}/32" peer "${remote_prefix}.${remote_peer_ip}" dev tun1
	sudo ip route add "${remote_prefix}.0/24" via "${remote_prefix}.${remote_peer_ip}"

	vpn_pid=$(ps aux \| grep ssh \| grep -v "${local_rootssh}" \| awk "/[1] ${remote_ssh}/ { print \$2 }")

	set +x
	echo -e "\nStop VPN connection?"
	read
	sudo kill "${vpn_pid}"

	exit 0