Last active Dec 28, 2016
HOWTO: Bust through firewalls using SSH-based VPN
- UBUNTU SERVER (16.xx) had /dev/net/tun, and TUN/TAP was built directly into the kernel (no need for the 'tun' module), *BUT* tun0 would never work... after much research and trial + error, I found this post:
sudo ip tuntap add mode tun dev tun0
ip addr add dev tun0 # give it an ip
ip link set dev tun0 up # bring the if up
ip route get # check that packets to 10.0.0.x are going through tun0
ping # leave this running in another shell to be able to see the effect of the next example
Now we have tun0 created.
- sure enough, running 'sudo ip tuntap add mode tun dev tun0' on the SERVER allowed tun0 to work perfectly fine!!
:: SSH-VPN ::
-- SERVER-side CONFIGs --
= server loopback/lo interface
= hard-wired ethernet, eno1 interface
- to get Ubuntu Server to allow 'tun0' operation, command:
sudo ip tuntap add mode tun dev tun0
- Edit /etc/ssh/sshd_config: change the "PermitRootLogin" line and add the "PermitTunnel" line:
PermitRootLogin without-password
PermitTunnel point-to-point
- Allow NAT. The sysctl command below enables IP forwarding immediately, without a reboot; the /etc/sysctl.conf entry that follows makes it persistent across reboots.
# enable now:
sudo sysctl -w net.ipv4.ip_forward=1
** To set as default, using any editor, open '/etc/sysctl.conf' and add :
# Needed to add for forwarding
net.ipv4.ip_forward = 1
- Next, configure iptables to allow masquerade (NAT)
sudo iptables -t nat -A POSTROUTING -s -o eno1 -j MASQUERADE
** Your iptables settings will be lost when you reboot unless you configure a way of saving them. This can be done several ways; here I will use "iptables-save" and "iptables-restore" to make the masquerade rule the default.
sudo bash -c "iptables-save > /etc/iptables.rules"
** Using any editor, open '/etc/rc.local' and add this line (above the exit 0 line)
iptables-restore < /etc/iptables.rules
== START /etc/network/interfaces ==
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
source /etc/network/interfaces.d/*
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
auto eno1
iface eno1 inet dhcp
# The SSH-VPN tunnel interface
iface tun0 inet static
pre-up sleep 5
pointopoint # Client tunnel address
up arp -sD eno1 pub
== END /etc/network/interfaces ==
- Put the PUBLIC key generated on the CLIENT here in /root/.ssh/authorized_keys :
== START /root/.ssh/authorized_keys ==
## laptop tunnel root-key SECURED, minus no-pty (because it REQUIRES a password, even if one is NOT set?!)
tunnel="0",command="/sbin/ifdown tun0; /sbin/ifup tun0",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa <PUBLIC_KEY_ELIDED> root@CLIENT
== END /root/.ssh/authorized_keys ==
root@SERVER:~/.ssh# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether b8:ca:3a:d0:ea:98 brd ff:ff:ff:ff:ff:ff
inet brd scope global eno1
valid_lft forever preferred_lft forever
inet6 fe80::baca:3aff:fed0:ea98/64 scope link
valid_lft forever preferred_lft forever
3: wlp3s0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 84:3a:4b:81:df:6c brd ff:ff:ff:ff:ff:ff
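The server-side steps above (PermitTunnel/PermitRootLogin in sshd_config, persistent ip_forward, the MASQUERADE rule on the real uplink, and the locked-down authorized_keys entry) are easy to get subtly wrong. The following is an added example, not part of the gist: a small POSIX sh audit that checks each of those pieces from file copies and prints an idempotent form of the NAT rule. The sample files and addresses it builds (10.0.0.0/24, the AAAAB3...CONSTRUCTED key) are constructed for the demo; the real paths are the ones the HOWTO edits.

```shell
#!/bin/sh
# Added example, not from the gist: audit the SERVER-side settings the HOWTO
# relies on before the first 'ifup tun0' on the client. Each check is a
# function that takes a file path (or one line) so it can run against copies.

# sshd_option FILE KEYWORD -> prints the effective value (sshd uses the first match)
sshd_option() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# check_sshd_config FILE -> 0 when tun devices are permitted and root is key-only
check_sshd_config() {
    tun=$(sshd_option "$1" PermitTunnel)
    root=$(sshd_option "$1" PermitRootLogin)
    case "$tun" in
        yes|point-to-point) ;;
        *) echo "PermitTunnel is '${tun:-unset}', need point-to-point (or yes)"; return 1 ;;
    esac
    case "$root" in
        without-password|prohibit-password) ;;   # both spellings mean key-only root
        *) echo "PermitRootLogin is '${root:-unset}', need without-password"; return 1 ;;
    esac
}

# check_ip_forward_conf FILE -> 0 when the sysctl.conf copy makes forwarding persistent
check_ip_forward_conf() {
    grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# check_authorized_key "LINE" -> 0 when the tunnel key is locked down:
# a tunnel= option, a forced command, and every forwarding type disabled.
# Options only appear before the key type, so the whole line is searched.
check_authorized_key() {
    missing=''
    for opt in 'tunnel="' 'command="' no-port-forwarding no-X11-forwarding no-agent-forwarding; do
        case "$1" in *"$opt"*) ;; *) missing="$missing $opt" ;; esac
    done
    [ -z "$missing" ] || { echo "authorized_keys line lacks:$missing"; return 1; }
}

# masquerade_cmd SOURCE_NET IFACE -> prints an idempotent version of the gist's
# NAT rule: -C tests for the rule first, so re-running never appends a duplicate.
# IFACE must be the real uplink name (eno1 on this box, not eth0).
masquerade_cmd() {
    rule="POSTROUTING -s $1 -o $2 -j MASQUERADE"
    printf 'iptables -t nat -C %s 2>/dev/null || iptables -t nat -A %s\n' "$rule" "$rule"
}

# audit_server SSHD_CONFIG SYSCTL_CONF AUTHORIZED_KEYS -> 0 when every check passes
audit_server() {
    rc=0
    check_sshd_config "$1" || rc=1
    check_ip_forward_conf "$2" || { echo "net.ipv4.ip_forward = 1 missing from $2"; rc=1; }
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac   # skip blanks and comments
        check_authorized_key "$line" || rc=1
    done < "$3"
    return $rc
}

# Demo on constructed copies (real paths: /etc/ssh/sshd_config,
# /etc/sysctl.conf and /root/.ssh/authorized_keys).
demo=$(mktemp -d)
printf 'PermitRootLogin without-password\nPermitTunnel point-to-point\n' > "$demo/sshd_config"
printf '# Needed to add for forwarding\nnet.ipv4.ip_forward = 1\n' > "$demo/sysctl.conf"
printf '%s\n' 'tunnel="0",command="/sbin/ifdown tun0; /sbin/ifup tun0",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAAB3...CONSTRUCTED root@CLIENT' > "$demo/authorized_keys"
audit_server "$demo/sshd_config" "$demo/sysctl.conf" "$demo/authorized_keys" && echo "server audit: OK"
masquerade_cmd 10.0.0.0/24 eno1
rm -rf "$demo"
```

Run it as root against the live files (`audit_server /etc/ssh/sshd_config /etc/sysctl.conf /root/.ssh/authorized_keys`) after editing them; the `-C || -A` form of the NAT rule is what belongs in rc.local or a script that may run more than once.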
-- CLIENT-side CONFIGs --
- Create an SSH-key for root:
sudo ssh-keygen -t rsa -b 4096
- Modify permissions on the newly generated PUBLIC + PRIVATE KEYs:
sudo chown root:root /root/.ssh
sudo chmod 400 /root/.ssh/id_rsa
sudo chmod 400 /root/.ssh/
- Configure /etc/network/interfaces on the CLIENT:
== START /etc/network/interfaces ==
# interfaces(5) file used by ifup(8) and ifdown(8)
auto lo
iface lo inet loopback
iface tun0 inet static
pre-up ssh -S /var/run/ssh-myvpn-tunnel-control -M -f -w 0:0 -p 31337 true
pre-up sleep 5
#up route add -net netmask gw tun0
#up ip route add via
up ip route add SERVER_PUBLIC_IP/32 via
up ip route add via
up ip route replace default via
#up ip route replace default via
down ip route replace default via
down ip route del via
down ip route del SERVER_PUBLIC_IP/32 via
post-down ssh -S /var/run/ssh-myvpn-tunnel-control -O exit
== END /etc/network/interfaces ==
- Bring the connection up:
sudo ifup tun0
- Bring the connection down:
sudo ifdown tun0
- ping from the CLIENT, and from the SERVER
- All traffic should now be routing through the SSH VPN! As long as port 22 is allowed through your corporate firewall, this will tunnel everything through it (the client config above connects with -p 31337, so whichever port sshd listens on is the one that has to be reachable).
- The KEYS TO THIS WORKING WERE: making sure the 'iptables' command pointed at the PROPER interface name (eno1 vs. eth0), and the 'ip route replace default via' line. One guide said to use the DEFAULT GATEWAY of the SERVER, but in fact it should be the IP of the tun0 interface on the SERVER.
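The client route hooks are where this setup breaks: the /32 host route to the server's public address has to leave via the LAN gateway before the default route is moved onto tun0 (otherwise the SSH session carrying the tunnel is itself routed into the tunnel), and the new default must point at the server's tun0 address, not the server's own gateway. The following is an added example, not part of the gist: a POSIX sh helper that emits the up/down route commands in that order and a check that parses `ip route` output for both conditions. The addresses (203.0.113.10 as the server's public IP, 192.168.1.1 as the LAN gateway, 10.0.0.1/10.0.0.2 as the tunnel ends) and the sample route table are constructed for the demo; the gist's third 'up ip route add' line is not reproduced because its target is elided on the page.

```shell
#!/bin/sh
# Added example, not part of the gist: build the CLIENT route changes in the
# order that keeps the SSH session alive, and verify the resulting table.
# Addresses are constructed for the demo (RFC 5737 / private ranges):
#   SERVER_PUBLIC_IP=203.0.113.10  LAN_GW=192.168.1.1  SERVER_TUN_IP=10.0.0.1

# route_plan up|down SERVER_PUBLIC_IP LAN_GW SERVER_TUN_IP
# Prints the ip-route commands for the interfaces(5) up/down hooks.
# Up: pin the server behind the LAN gateway first, then move the default.
# Down: restore the default first, remove the pin last.
route_plan() {
    pub=$2; gw=$3; tun=$4
    case "$1" in
        up)
            printf 'ip route add %s/32 via %s\n' "$pub" "$gw"
            printf 'ip route replace default via %s\n' "$tun"
            ;;
        down)
            printf 'ip route replace default via %s\n' "$gw"
            printf 'ip route del %s/32 via %s\n' "$pub" "$gw"
            ;;
        *) echo "usage: route_plan up|down SERVER_PUBLIC_IP LAN_GW SERVER_TUN_IP" >&2; return 2 ;;
    esac
}

# re_escape STRING -> the string with dots escaped for grep -E
re_escape() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# check_routes "ip route output" SERVER_PUBLIC_IP LAN_GW SERVER_TUN_IP
# Returns 0 only when the default route points at the server's tun0 address
# (not the server's own default gateway, the mistake the HOWTO warns about)
# and the host route to the server's public IP still leaves via the LAN gateway.
check_routes() {
    table=$1; rc=0
    pub=$(re_escape "$2"); gw=$(re_escape "$3"); tun=$(re_escape "$4")
    printf '%s\n' "$table" | grep -Eq "^$pub(/32)? via $gw( |$)" \
        || { echo "host route to $2 via $3 is missing: the tunnel would swallow its own SSH session"; rc=1; }
    printf '%s\n' "$table" | grep -Eq "^default via $tun( |$)" \
        || { echo "default route does not go via the server tun0 address $4"; rc=1; }
    return $rc
}

# Constructed sample of 'ip route' on a client after a correct 'ifup tun0'
SAMPLE_TABLE='default via 10.0.0.1 dev tun0
10.0.0.0/30 dev tun0 proto kernel scope link src 10.0.0.2
192.168.1.0/24 dev wlp3s0 proto kernel scope link src 192.168.1.20
203.0.113.10 via 192.168.1.1 dev wlp3s0'

route_plan up 203.0.113.10 192.168.1.1 10.0.0.1
check_routes "$SAMPLE_TABLE" 203.0.113.10 192.168.1.1 10.0.0.1 && echo "client routes: OK"
```

On a live client, replace `$SAMPLE_TABLE` with `"$(ip route)"` after `ifup tun0`; a failing check is the moment to run `ifdown tun0` before the session is lost, since the post-down hook still closes the control socket with `ssh -S ... -O exit`.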