@xorr0
Last active December 28, 2016 12:18
HOWTO: Bust through firewalls using SSH-based VPN
- UBUNTU SERVER (16.xx) had /dev/net/tun, and TUN/TAP was built directly into the kernel (no need for the 'tun' module), *BUT* tun0 wouldn't ever work... after much research and trial and error, I found this post:
https://stackoverflow.com/a/35735842
sudo ip tuntap add mode tun dev tun0   # create tun0 as a persistent device (survives process exit, not a reboot)
sudo ip addr add 10.0.0.0/24 dev tun0  # give it an ip (the linked answer uses the network address; a host address such as 10.0.0.1/24 is the usual choice)
sudo ip link set dev tun0 up           # bring the if up
ip route get 10.0.0.2                  # check that packets to 10.0.0.x are going through tun0
ping 10.0.0.2                          # leave this running in another shell to be able to see the effect of the next example
Now we have tun0 created.
- sure enough, running 'sudo ip tuntap add mode tun dev tun0' on the SERVER allowed tun0 to work perfectly fine!!
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
:: SSH-VPN ::
-- SERVER-side CONFIGs --
127.0.0.1/8 = server loopback/lo interface
192.168.0.101/24 = hard-wired ethernet, eno1 interface
WIRELESS is DISABLED
- to get Ubuntu Server to allow 'tun0' operation, command (the device does not survive a reboot; re-run this after rebooting, e.g. from /etc/rc.local):
sudo ip tuntap add mode tun dev tun0
- edit /etc/ssh/sshd_config: change the "PermitRootLogin" line and add the "PermitTunnel" line, then restart sshd (sudo systemctl restart ssh) so they take effect:
# key-only root login (OpenSSH 7.0+ calls this prohibit-password; the old name is still accepted)
PermitRootLogin without-password
# layer-3 (tun) tunnels only; 'yes' would also permit layer-2 (tap) tunnels
PermitTunnel point-to-point
- Enable IP forwarding (the kernel has to forward packets between tun0 and eno1; this is separate from the NAT rule below). 'sysctl -w' takes effect immediately but is lost on reboot; the /etc/sysctl.conf entry is what makes it persistent.
# enable now:
sudo sysctl -w net.ipv4.ip_forward=1
** To set as default, using any editor, open '/etc/sysctl.conf' and add:
# Needed for forwarding
net.ipv4.ip_forward = 1
- Next, configure iptables to masquerade (NAT) the tunnel subnet on its way out of eno1. Use the interface name this box actually has (eno1 here; eth0 is wrong on it):
sudo iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eno1 -j MASQUERADE
** If the FORWARD chain's policy is DROP, you also need ACCEPT rules for tun0 -> eno1 and for the established replies coming back, or nothing will flow.
** Your iptables settings will be lost when you reboot unless you configure a way of saving them. This can be done several ways; here "iptables-save" and "iptables-restore" make the masquerade rule the default (the iptables-persistent package does the same job from /etc/iptables/rules.v4).
sudo bash -c "iptables-save > /etc/iptables.rules"
** Using any editor, open '/etc/rc.local' and add this line (above the exit 0 line):
iptables-restore < /etc/iptables.rules
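The forwarding and NAT steps above as one script, added here as an example (it is not part of the gist). It derives the egress interface from the default route instead of assuming eno1 or eth0, adds the FORWARD-chain rules that the single MASQUERADE line depends on whenever the FORWARD policy is not ACCEPT, and runs `iptables -C` before each `-A` so that applying it twice does not duplicate rules. The tunnel subnet 10.0.0.0/24 and the rules file /etc/iptables.rules come from the gist; the script name and its plan/apply interface are this example's own.

```shell
#!/bin/sh
# ssh-vpn-nat.sh -- added example, not from the gist: idempotent forwarding
# and NAT set-up for the SSH-VPN server.  Usage:
#   ./ssh-vpn-nat.sh plan  [EGRESS_IF] [TUN_SUBNET]   # print what would run
#   ./ssh-vpn-nat.sh apply [EGRESS_IF] [TUN_SUBNET]   # run it (needs root)
# Defaults: tunnel subnet 10.0.0.0/24 (as in the gist), egress interface
# taken from the default route (the eno1-vs-eth0 mistake the gist mentions).
# With no arguments the script only defines its functions (it can be sourced).
set -eu

# Outgoing interface from one line of `ip -4 route show default`, e.g.
# "default via 192.168.0.1 dev eno1 proto dhcp metric 100" -> "eno1".
egress_if_from_route() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# Ask the kernel for the default route and parse it; empty if there is none.
detect_egress_if() {
    egress_if_from_route "$(ip -4 route show default 2>/dev/null | head -n 1)"
}

# The iptables rules (one per line, without the leading "iptables") that make
# the tunnel subnet reachable to the world: masquerade on the egress interface,
# allow new flows tun0 -> egress, allow only replies egress -> tun0.
nat_rules() {
    _if=$1; _net=$2
    cat <<EOF
-t nat -A POSTROUTING -s $_net -o $_if -j MASQUERADE
-A FORWARD -s $_net -i tun0 -o $_if -j ACCEPT
-A FORWARD -d $_net -i $_if -o tun0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Turn an "-A ..." rule into the matching "-C ..." existence check so that
# apply is idempotent (only the first "-A " is the chain flag).
rule_to_check() {
    printf '%s\n' "$1" | sed 's/-A /-C /'
}

# Print the exact commands `apply` would execute, in order.
plan() {
    _if=${1:-$(detect_egress_if)}; _net=${2:-10.0.0.0/24}
    [ -n "$_if" ] || { echo "no default route found; pass the egress interface" >&2; return 1; }
    echo "sysctl -w net.ipv4.ip_forward=1"
    nat_rules "$_if" "$_net" | while IFS= read -r rule; do
        echo "iptables $(rule_to_check "$rule") 2>/dev/null || iptables $rule"
    done
    echo "iptables-save > /etc/iptables.rules"   # same file /etc/rc.local restores
}

apply() {
    plan "$@" | sh -e
}

case "${1:-}" in
    plan)  shift; plan "$@" ;;
    apply) shift; apply "$@" ;;
    "")    : ;;
    *)     echo "usage: $0 plan|apply [EGRESS_IF] [TUN_SUBNET]" >&2; exit 2 ;;
esac
```

`./ssh-vpn-nat.sh plan` shows the commands without touching the firewall; `sudo ./ssh-vpn-nat.sh apply` runs them. The reverse FORWARD rule is deliberately limited to ESTABLISHED,RELATED so that nothing on the server's LAN can open connections into the tunnel client.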
===================================
== START /etc/network/interfaces ==
===================================
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
source /etc/network/interfaces.d/*
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
auto eno1
iface eno1 inet dhcp
# The SSH-VPN tunnel interface
iface tun0 inet static
pre-up sleep 5
address 10.0.0.1
netmask 255.255.255.0
pointopoint 10.0.0.2 # Client tunnel address
up arp -sD 10.0.0.2 eno1 pub
=================================
== END /etc/network/interfaces ==
=================================
- Put the PUBLIC key generated on the CLIENT here in /root/.ssh/authorized_keys :
======================================
== START /root/.ssh/authorized_keys ==
======================================
## laptop tunnel root-key SECURED, minus no-pty (because it REQUIRES a password, even if one is NOT set?!)
tunnel="0",command="/sbin/ifdown tun0; /sbin/ifup tun0",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC9+i0wgjkmwytp0o3OKsNISFynoK5zQ8y68zdFPkIzfHLORbPK9fwRhjDbHWzC8bWHNcHjM3zDp2EVAbuS7AT9NYUX8m9BvbKyuw7aU2t4h95Fwgxug1bXeVhFOM4bLtBZldEvqcNc/g+o+BrLvl10nHKoBczfrOfMny+rYptNsrEoKySjuUb1C5EM08IZhq3DY9FgDiD0HKXvKdCoadZpB0IK5LhRQGfogMwKMsTcJ7nSXgSij6KaRsM4BbV9kKK60eA4wZ9/nl/KSNZbrZcVPDfMxdGJlXmtXouT2UurjkNenaMM1oXg8XuAusjvH1VLGFuzBc23Tpa/fUBo3wVbV079iCqDhjs4lXHf7HilqprEQpRSEorb9YYmH//PQ5kgkmXeGEhiX/l3YZPf6VBPNTJVMRGH/IoroLq0vp03ls+wZnX7CUq2znX3T5CUIkzd56zXxn6V962jrkHG8orFv7rZZPFQTfUcFrNg3LYl/vRMdGk5Ru21Sp54sU0/Kcp9d6a9mNarUdE8xuZ+Gy2+mXFkkXSPotbrb4ZM6K4moBgzt07r/r89zpr1HCc8MU2YQbs/STIGE/7McqspqB3Sbshzx7fec20plugZfnWEimi3GgRQzJ8CXSlzU8rrrGZuL2esLNRx4p7asLiMmXvdq4xJ9eFI2lNEqIws3GZwUw== root@CLIENT
====================================
== END /root/.ssh/authorized_keys ==
====================================
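An audit for the server's /root/.ssh/authorized_keys, added here as an example (not code from the gist). A key that can open a tunnel as root should carry the restrictions shown above, so this script splits each line into options, key type and comment and flags any key missing tunnel=, command= or the three no-*-forwarding options. The options field can contain spaces inside quotes (the gist's command="/sbin/ifdown tun0; /sbin/ifup tun0"), so the parser locates the key-type token rather than splitting on whitespace. The sample file it can write holds constructed placeholder blobs, not real keys; no-pty is not required, matching the gist's own key line.

```shell
#!/bin/sh
# audit-tunnel-keys.sh -- added example, not from the gist: report every key in
# an authorized_keys file that lacks the lock-down used for the tunnel key.
# Usage: ./audit-tunnel-keys.sh /root/.ssh/authorized_keys
# Exit status 1 if any key is under-restricted.  No arguments: define only.
set -eu

REQUIRED='tunnel= command= no-port-forwarding no-X11-forwarding no-agent-forwarding'
_tab=$(printf '\t')

# Split one authorized_keys line into "OPTIONS<TAB>KEYTYPE<TAB>COMMENT".
# Options may hold quoted values with spaces, so we find the key-type token
# and rejoin everything before it (assumes single spaces inside the quotes).
split_key_line() {
    printf '%s\n' "$1" | awk '
        {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)|sk-ssh-ed25519@openssh.com|sk-ecdsa-sha2-nistp256@openssh.com)$/) {
                    opts = ""
                    for (j = 1; j < i; j++) opts = opts (j > 1 ? " " : "") $j
                    comment = ""
                    for (j = i + 2; j <= NF; j++) comment = comment (j > i + 2 ? " " : "") $j
                    printf "%s\t%s\t%s\n", opts, $i, comment
                    exit
                }
            }
        }'
}

# Print the required options absent from an options string, space separated.
# Each option is looked for as ",name" inside ",options," so tunnel= and
# command= match as prefixes; a comma inside a quoted command value could
# produce a false "present", which is acceptable for an audit.
missing_restrictions() {
    _opts=$1; _missing=""
    for _r in $REQUIRED; do
        case ",$_opts," in
            *",$_r"*) ;;
            *) _missing="$_missing${_missing:+ }$_r" ;;
        esac
    done
    printf '%s\n' "$_missing"
}

# One report line per key; returns 1 if any key is missing a restriction.
audit_file() {
    _rc=0
    while IFS= read -r _line || [ -n "$_line" ]; do
        case "$_line" in ''|'#'*) continue ;; esac
        _parsed=$(split_key_line "$_line")
        if [ -z "$_parsed" ]; then
            echo "UNPARSED $_line"; _rc=1; continue
        fi
        _opts=${_parsed%%"$_tab"*}
        _rest=${_parsed#*"$_tab"}; _type=${_rest%%"$_tab"*}; _comment=${_rest#*"$_tab"}
        _miss=$(missing_restrictions "$_opts")
        if [ -z "$_miss" ]; then
            echo "OK       $_type ${_comment:-(no comment)}"
        else
            echo "MISSING  $_type ${_comment:-(no comment)}: $_miss"; _rc=1
        fi
    done < "$1"
    return $_rc
}

# Constructed sample (placeholder blobs, not real keys): one key restricted
# like the gist's tunnel key, one plain key that the audit must flag.
write_sample_keys() {
    cat > "$1" <<'EOF'
## laptop tunnel root-key (blob shortened; placeholder, not a real key)
tunnel="0",command="/sbin/ifdown tun0; /sbin/ifup tun0",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC9EXAMPLE root@CLIENT
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLE admin@laptop
EOF
}

case "${1:-}" in
    "") : ;;
    *)  audit_file "$1" ;;
esac
```

Run it against the real file after adding a key (`sudo ./audit-tunnel-keys.sh /root/.ssh/authorized_keys`); any MISSING line is a key that could give its holder a full root shell or port forwarding on the server rather than just the tunnel.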
root@SERVER:~/.ssh# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether b8:ca:3a:d0:ea:98 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.101/24 brd 192.168.0.255 scope global eno1
valid_lft forever preferred_lft forever
inet6 fe80::baca:3aff:fed0:ea98/64 scope link
valid_lft forever preferred_lft forever
3: wlp3s0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 84:3a:4b:81:df:6c brd ff:ff:ff:ff:ff:ff
--------------------------------------------------------------------------
-- CLIENT-side CONFIGs --
- Create an SSH key for root (ed25519 works too: -t ed25519). Leave the passphrase empty, because ifup will run ssh unattended:
sudo ssh-keygen -t rsa -b 4096 -f /root/.ssh/id_rsa
- Modify permissions on the newly generated PUBLIC + PRIVATE KEYs (only the private key needs protecting; 400 on the .pub is harmless):
sudo chown -R root:root /root/.ssh
sudo chmod 400 /root/.ssh/id_rsa
sudo chmod 400 /root/.ssh/id_rsa.pub
- Configure /etc/network/interfaces on the CLIENT:
===================================
== START /etc/network/interfaces ==
===================================
# interfaces(5) file used by ifup(8) and ifdown(8)
auto lo
iface lo inet loopback
iface tun0 inet static
# open the master SSH connection and request tun0<->tun0 (-w 0:0); the forced
# command in the server's authorized_keys does the server-side ifdown/ifup
pre-up ssh -S /var/run/ssh-myvpn-tunnel-control -M -f -w 0:0 SERVER.net -p 31337 true
pre-up sleep 5
address 10.0.0.2
pointopoint 10.0.0.1
netmask 255.255.255.252
#up route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.1 tun0
#up ip route add 10.0.0.0/24 via 10.0.0.1
# 10.214.32.1 is the CLIENT's normal (office) default gateway. The host route to
# the server must go through it BEFORE the default route moves into the tunnel,
# otherwise the SSH session carrying the tunnel would be routed into the tunnel.
up ip route add SERVER_PUBLIC_IP/32 via 10.214.32.1
up ip route add 192.168.0.0/24 via 10.0.0.1
up ip route replace default via 10.0.0.1
#up ip route replace default via 192.168.0.1
down ip route replace default via 10.214.32.1
down ip route del 192.168.0.0/24 via 10.0.0.1
down ip route del SERVER_PUBLIC_IP/32 via 10.214.32.1
# with -S the control socket identifies the session; the host argument is only required by the syntax
post-down ssh -S /var/run/ssh-myvpn-tunnel-control -O exit SERVER.net
=================================
== END /etc/network/interfaces ==
=================================
---------------------------------------------------------------
- USING THE VPN CONNECTION, DONE FROM THE CLIENT:
- Bring the connection up:
sudo ifup tun0
- Bring the connection down:
sudo ifdown tun0
- ping 10.0.0.1 from the CLIENT, and 10.0.0.2 from the SERVER
- all traffic should now be routed through the SSH VPN. As long as the corporate firewall allows outbound connections to the port sshd listens on (31337 in the client config above; 22 by default), everything is tunnelled through it. Two caveats: the client's DNS resolver is normally an internal office address that is no longer reachable once the default route points into the tunnel, so name resolution needs a resolver reachable via the server (or a host route for the office resolver via the office gateway, which sends those queries outside the tunnel); and because this is TCP carried inside SSH's own TCP session, throughput collapses on lossy links (the TCP-over-TCP problem).
- the keys to this working were: making sure the 'iptables' command named the proper interface (eno1 vs. eth0), and the 'ip route replace default via 10.0.0.1', as one guide said to use the default gateway of the SERVER, but in fact it should be the IP of the tun0 interface on the SERVER.
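The client-side procedure as a script, added here as an example (not part of the gist). The interfaces(5) stanza hard-codes the office gateway (10.214.32.1) and the server's address; this version reads the gateway from the live default route, resolves the server while the office resolver is still reachable, records both for teardown, and emits the commands in the order the closing note above insists on (host route to the server via the office gateway first, default route into the tunnel last). vpn.example.net, /run/ssh-vpn.state and the script name are placeholders of this example; the control-socket path, port 31337, the 10.0.0.1/10.0.0.2 addresses and 192.168.0.0/24 come from the gist. It assumes root's key has no passphrase (BatchMode=yes), as an unattended ifup does.

```shell
#!/bin/sh
# ssh-vpn-client.sh -- added example, not the gist's own code: bring the
# SSH-VPN up and down from the client without hard-coding the office gateway.
# Usage: ./ssh-vpn-client.sh plan|up|down|status [SERVER] [PORT]
#   SERVER: hostname or IPv4 address of the SSH-VPN server (placeholder default)
#   PORT:   the port sshd listens on (31337 as in the interfaces file above)
# up/down need root (tun0 and the routing table); plan and status do not.
# With no arguments the script only defines its functions (it can be sourced).
set -eu

SOCK=/var/run/ssh-myvpn-tunnel-control
STATE=${STATE:-/run/ssh-vpn.state}   # up records "SERVER_IP GATEWAY" here for down
TUN_LOCAL=10.0.0.2                   # client end of tun0, as in the gist
TUN_REMOTE=10.0.0.1                  # server end of tun0
SERVER_LAN=192.168.0.0/24            # the server's LAN, reached through the tunnel
SERVER=${2:-vpn.example.net}         # placeholder host, not the gist's server
PORT=${3:-31337}

# Gateway from one line of `ip -4 route show default`, e.g.
# "default via 10.214.32.1 dev wlp2s0 proto dhcp metric 600" -> "10.214.32.1".
gw_from_route() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "via") { print $(i+1); exit } }'
}

# True if the argument is already a dotted-quad IPv4 address.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Resolve SERVER to IPv4 *before* the default route moves, while the office
# resolver is still reachable; an address is returned unchanged.
resolve_server() {
    if is_ipv4 "$1"; then printf '%s\n' "$1"
    else getent ahostsv4 "$1" | awk 'NR == 1 { print $1 }'; fi
}

# Commands for bringing the tunnel up, in the only order that works: the host
# route to the server via the office gateway must exist before the default
# route is replaced, or the SSH packets carrying the tunnel would be routed
# into the tunnel itself.  The forced command on the server does the server
# side; ExitOnForwardFailure makes ssh fail loudly if tun0 cannot be set up.
plan_up() {
    _srv=$1; _gw=$2
    cat <<EOF
ssh -S $SOCK -M -f -w 0:0 -p $PORT -o ExitOnForwardFailure=yes -o ServerAliveInterval=15 -o BatchMode=yes $SERVER true
for _i in 1 2 3 4 5; do ip link show tun0 >/dev/null 2>&1 && break; sleep 1; done
ip addr add $TUN_LOCAL peer $TUN_REMOTE/32 dev tun0
ip link set dev tun0 up
ip route add $_srv/32 via $_gw
ip route add $SERVER_LAN via $TUN_REMOTE
ip route replace default via $TUN_REMOTE
EOF
}

# Teardown in reverse; the deletions tolerate a half-torn-down state.
plan_down() {
    _srv=$1; _gw=$2
    cat <<EOF
ip route replace default via $_gw
ip route del $SERVER_LAN via $TUN_REMOTE || true
ip route del $_srv/32 via $_gw || true
ssh -S $SOCK -O exit $SERVER
EOF
}

current_gw() { gw_from_route "$(ip -4 route show default 2>/dev/null | head -n 1)"; }

up() {
    _gw=$(current_gw); _srv=$(resolve_server "$SERVER")
    [ -n "$_gw" ] && [ -n "$_srv" ] || { echo "cannot determine office gateway or server address" >&2; return 1; }
    printf '%s %s\n' "$_srv" "$_gw" > "$STATE"   # the default route will no longer tell us
    plan_up "$_srv" "$_gw" | sh -e
}

down() {
    read -r _srv _gw < "$STATE"
    plan_down "$_srv" "$_gw" | sh -e
    rm -f "$STATE"
}

case "${1:-}" in
    plan)   plan_up "$(resolve_server "$SERVER")" "$(current_gw)" ;;
    up)     up ;;
    down)   down ;;
    status) ssh -S "$SOCK" -O check "$SERVER" && ip -4 route show default ;;
    "")     : ;;
    *)      echo "usage: $0 plan|up|down|status [SERVER] [PORT]" >&2; exit 2 ;;
esac
```

`./ssh-vpn-client.sh plan vpn.example.net 31337` prints the commands; `sudo ./ssh-vpn-client.sh up vpn.example.net 31337` runs them and `status` asks the master connection whether it is still alive (`ssh -O check`). Saving the gateway in a state file is what lets `down` restore the original default route; once the tunnel is up the routing table no longer shows it.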
:: USEFUL LINKS ::
http://bodhizazen.net/Tutorials/VPN-Over-SSH/
https://debian-administration.org/article/539/Setting_up_a_Layer_3_tunneling_VPN_with_using_OpenSSH
https://help.ubuntu.com/community/SSH_VPN
https://stackoverflow.com/questions/1003684/how-to-interface-with-the-linux-tun-driver
https://stackoverflow.com/a/35735842
http://wiki.vpslink.com/TUN/TAP_device_with_OpenVPN_or_Hamachi
http://www.dest-unreach.org/socat/doc/socat-tun.html