
@pinkeen
Last active April 11, 2024 13:44
TunTap pseudo-VPN Over SSH

Poor Man's VPN over SSH

If you have SSH access to a host, you can set up a layer-3 tunnel (a "bridge" in everyday terms) to an external network or server in minutes, using nothing but OpenSSH's built-in -w tunnel support.

This doesn't replace standard VPN solutions, but it has the advantage of being really simple and fast to set up, and it will serve a lot of use cases.

Drawbacks

  • Each client needs its own TUN device on the server: sshd creates (or attaches to) one tunN per connection, so two clients cannot both use the remote side of -w 5:5; give each client a distinct remote index.
  • Both ends need root (or CAP_NET_ADMIN), because ssh and sshd open /dev/net/tun to create the device. That is why the SSH user below is root.
  • The tunnel rides on SSH's TCP connection, so tunnelled TCP flows suffer from TCP-over-TCP retransmission stalls on lossy links. Fine for a management link, poor for a lossy WAN.

Set up

For demonstration purposes the following parameters are used:

  • VPN Virtual Network Subnet: 10.5.5.0/24
  • VPN Server Virtual Network Address: 10.5.5.1
  • VPN Server Virtual Network TUN Device: tun5
  • VPN Server Host: vpn-server.example.com
  • VPN Server SSHD Port: 22
  • VPN Server SSH Username: root
  • VPN Client Virtual Network TUN Device: tun5
  • VPN Client Virtual Network Address: 10.5.5.2 (chosen for this example)

Server (Linux)

You should already have an SSH server running with access set up.

Configure SSH daemon

The configuration is usually in /etc/ssh/sshd_config. After changing it, reload the service via systemctl reload sshd or service sshd reload.

# Ensure that tunnelling is permitted (point-to-point is enough for TUN; yes also allows TAP)
PermitTunnel yes
# Enable client keepalive so dead tunnels are torn down after 10 x 60 s
ClientAliveInterval 60
ClientAliveCountMax 10

Disable Reverse Path Filtering

This is only needed if the server forwards traffic for the tunnel and reverse path filtering is enabled (rp_filter=1 strict or 2 loose drops packets arriving on tun5 whose source the kernel would not route back over tun5). Check the current value with sysctl net.ipv4.conf.all.rp_filter before changing anything; note that the per-device key only exists once tun5 has been created.

sysctl -w net.ipv4.conf.all.rp_filter=0
sysctl -w net.ipv4.conf.tun5.rp_filter=0
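
The steps above stop at the sshd configuration; for the tunnel to be useful the server side of tun5 also needs an address, IP forwarding and (usually) NAT. The script below is an added example and not part of the gist. It assumes things the page does not state: that the server's upstream interface is eth0 (EGRESS_IF, check with ip route show default), that tunnel clients should be masqueraded out through it, that iproute2 and iptables are installed, and that tun5 is pre-created as a persistent device so it exists before a client connects (sshd attaches to an existing tun device of the requested name). It also only relaxes rp_filter when the current value would actually interfere, instead of blindly writing 0.

```shell
#!/bin/sh
# Server-side bring-up for the SSH TUN tunnel (Linux). Added example, not
# from the gist. Assumptions not on the original page: upstream interface
# is eth0 (EGRESS_IF), clients are NATed out through it, iproute2/iptables
# are installed. Run as root:  sh tun-server.sh up
set -eu

TUN_INDEX="${TUN_INDEX:-5}"            # server-side tunN (the ":5" in -w 5:5)
SERVER_ADDR="${SERVER_ADDR:-10.5.5.1}"
PREFIX_LEN="${PREFIX_LEN:-24}"
VPN_SUBNET="${VPN_SUBNET:-10.5.5.0/24}"
EGRESS_IF="${EGRESS_IF:-eth0}"         # assumed; check with: ip route show default

tun_name() { printf 'tun%s' "$1"; }

# rp_filter=1 (strict) or 2 (loose) makes the kernel drop packets arriving
# on tun5 whose source it would not route back out of tun5; 0 disables it.
rp_filter_is_strict() {
    case "$1" in
        1|2) return 0 ;;
        *)   return 1 ;;
    esac
}

# Create tun5 as a persistent device so it exists before any client
# connects; sshd attaches to an existing tun device of that name on -w 5:5.
ensure_tun() {
    dev="$(tun_name "$TUN_INDEX")"
    ip link show "$dev" >/dev/null 2>&1 || ip tuntap add mode tun dev "$dev"
    ip addr replace "${SERVER_ADDR}/${PREFIX_LEN}" dev "$dev"
    ip link set "$dev" up
}

# Only touch rp_filter when the current value would actually interfere.
relax_rp_filter() {
    dev="$(tun_name "$TUN_INDEX")"
    for key in net.ipv4.conf.all.rp_filter "net.ipv4.conf.${dev}.rp_filter"; do
        if rp_filter_is_strict "$(sysctl -n "$key")"; then
            sysctl -w "${key}=0"
        fi
    done
}

# Idempotent rule insertion: check with -C first, append with -A only if absent.
rule() {
    table="$1"; shift
    iptables -t "$table" -C "$@" 2>/dev/null || iptables -t "$table" -A "$@"
}

# Let tunnel clients reach the external network through this server.
enable_forwarding() {
    dev="$(tun_name "$TUN_INDEX")"
    sysctl -w net.ipv4.ip_forward=1
    rule nat    POSTROUTING -s "$VPN_SUBNET" -o "$EGRESS_IF" -j MASQUERADE
    rule filter FORWARD -i "$dev" -o "$EGRESS_IF" -s "$VPN_SUBNET" -j ACCEPT
    rule filter FORWARD -i "$EGRESS_IF" -o "$dev" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

case "${1:-}" in
    up) ensure_tun; relax_rp_filter; enable_forwarding ;;
    *)  echo "usage: $0 up" >&2 ;;
esac
```

The FORWARD rules are restricted to the tunnel subnet and to return traffic, so a connected client gets egress through the server but nothing on the server's upstream side can initiate connections into the tunnel. After a client connects, confirm the device is in use with ip link show tun5 and ip -s link show tun5 (packet counters should move).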

Linux Client
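
The original gist leaves this section empty. The script below is an added example, not the gist author's code. It mirrors the macOS one-liner further down using iproute2, and it assumes things the page does not state: the client's tunnel address is 10.5.5.2, the server side of tun5 is already configured with 10.5.5.1, and the client runs as root (ssh must open /dev/net/tun). The ssh command-line is the page's pattern (PermitLocalCommand + LocalCommand + -w + -N) plus ExitOnForwardFailure, so a refused tunnel (PermitTunnel no, or the remote index already taken by another client) fails loudly instead of leaving an idle session.

```shell
#!/bin/sh
# Linux client for the SSH TUN tunnel. Added example, not from the gist.
# Assumptions not on the original page: client tunnel address 10.5.5.2,
# server side of tun5 already holds 10.5.5.1, script runs as root.
# Run:  sh tun-client.sh up      (then, from another shell)  sh tun-client.sh check
set -eu

SERVER_HOST="${SERVER_HOST:-vpn-server.example.com}"
SERVER_PORT="${SERVER_PORT:-22}"
SERVER_USER="${SERVER_USER:-root}"
TUN_INDEX="${TUN_INDEX:-5}"            # tunN on both ends: -w local:remote
SERVER_ADDR="${SERVER_ADDR:-10.5.5.1}"
CLIENT_ADDR="${CLIENT_ADDR:-10.5.5.2}" # assumed; not given on the page
PREFIX_LEN="${PREFIX_LEN:-24}"

# The LocalCommand ssh runs on this machine once the tunnel channel is open.
# Adding the /24 on tun5 also installs the route for the tunnel subnet.
local_command() {
    idx="$1"; caddr="$2"; plen="$3"
    printf 'ip addr add %s/%s dev tun%s && ip link set tun%s up' \
        "$caddr" "$plen" "$idx" "$idx"
}

# sshd rejects non-numeric tun indices, and the remote index must be one no
# other client is using (each connection needs its own server-side device).
valid_tun_index() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *)           return 0 ;;
    esac
}

run_tunnel() {
    valid_tun_index "$TUN_INDEX" || { echo "invalid tun index: $TUN_INDEX" >&2; return 2; }
    # -N: no remote shell. ExitOnForwardFailure turns a refused tunnel
    # request into a hard error instead of a silently idle session.
    exec ssh \
        -o PermitLocalCommand=yes \
        -o LocalCommand="$(local_command "$TUN_INDEX" "$CLIENT_ADDR" "$PREFIX_LEN")" \
        -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=30 \
        -w "${TUN_INDEX}:${TUN_INDEX}" \
        -N \
        -p "$SERVER_PORT" \
        "${SERVER_USER}@${SERVER_HOST}"
}

# Quick liveness check of the tunnel: the server's tunnel address must answer.
check_tunnel() {
    ping -c 1 -W 2 "$SERVER_ADDR"
}

case "${1:-}" in
    up)    run_tunnel ;;
    check) check_tunnel ;;
esac
```

Because the tunnel is point-to-point, nothing beyond 10.5.5.1 is reachable until the server forwards and NATs for the tunnel subnet; to send all traffic through it you would additionally add a route on the client (for example ip route add <destination> via 10.5.5.1), keeping a host route to the SSH server itself via the normal gateway so the tunnel does not swallow its own transport.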

MacOS Client

ssh -w needs a /dev/tunN character device, which macOS does not ship; install a third-party TUN driver such as tuntaposx first. The command below uses the demonstration parameters above: local and remote tun5 (-w local:remote), client address 10.5.5.2, server address 10.5.5.1. Run it as root; drop -v once the tunnel works.

ssh \
  -o PermitLocalCommand=yes \
  -o LocalCommand="ifconfig tun5 10.5.5.2 10.5.5.1 netmask 255.255.255.0 up" \
  -w 5:5 \
  -N \
  -v \
  root@vpn-server.example.com
