Skip to content

Instantly share code, notes, and snippets.

@xorr0

xorr0/SSH-VPN.txt

Last active Dec 28, 2016
Embed
What would you like to do?
HOWTO: Bust through firewalls using SSH-based VPN
- UBUNTU SERVER (16.xx) had /dev/net/tun, and TUN/TAP was build directly into the kernel, no need for 'tun' module, *BUT* tun0 wouldn't ever work... after much research and trial + error, I found this post:
https://stackoverflow.com/a/35735842
sudo ip tuntap add mode tun dev tun0
ip addr add 10.0.0.0/24 dev tun0 # give it an ip
ip link set dev tun0 up # bring the if up
ip route get 10.0.0.2 # check that packets to 10.0.0.x are going through tun0
ping 10.0.0.2 # leave this running in another shell to be able to see the effect of the next example
Now we have tun0 created.
- sure enough, running 'sudo ip tuntap add mode tun dev tun0' on the SERVER allowed tun0 to work perfectly fine!!
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
:: SSH-VPN ::
-- SERVER-side CONFIGs --
127.0.0.1/8 = server loopback/lo interface
192.168.0.101/24 = hard-wired ethernet, eno1 interface
WIRELESS is DISABLED
- to get Ubuntu Server to allow 'tun0' operation, command:
sudo ip tuntap add mode tun dev tun0
- /etc/ssh/sshd_config and change the "PermitRootLogin" line and add the "PermitTunnel" line :
PermitRootLogin without-password
PermitTunnel point-to-point
- Allow NAT. These commands will enable NAT without the need to reboot (NAT will be persistent).
# enable now:
sudo sysctl -w net.ipv4.ip_forward=1
** To set as default, using any editor, open '/etc/sysctl.conf' and add :
# Needed to add for forwarding
net.ipv4.ip_forward = 1
- Next, configure iptables to allow masquerade (NAT)
sudo iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eno1 -j MASQUERADE
** Your iptables settings will be lost when you reboot unless you configure a way of saving your settings. This can be done several ways, here I will use "iptables-save" and "iptables-restore" to setting masquerade as default.
sudo bash -c "iptables-save > /etc/iptables.rules"
** Using any editor, open '/etc/rc.local' and add this line (above the exit 0 line)
iptables-restore < /etc/iptables.rules
===================================
== START /etc/network/interfaces ==
===================================
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
source /etc/network/interfaces.d/*
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
auto eno1
iface eno1 inet dhcp
# The SSH-VPN tunnel interface
iface tun0 inet static
pre-up sleep 5
address 10.0.0.1
netmask 255.255.255.0
pointopoint 10.0.0.2 # Client tunnel address
up arp -sD 10.0.0.2 eno1 pub
=================================
== END /etc/network/interfaces ==
=================================
- Put the PUBLIC key generated on the CLIENT here in /root/.ssh/authorized_keys :
======================================
== START /root/.ssh/authorized_keys ==
======================================
## laptop tunnel root-key SECURED, minus no-ptty (because it REQUIRES a password, even if one is NOT set?!)
tunnel="0",command="/sbin/ifdown tun0; /sbin/ifup tun0",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC9+i0wgjkmwytp0o3OKsNISFynoK5zQ8y68zdFPkIzfHLORbPK9fwRhjDbHWzC8bWHNcHjM3zDp2EVAbuS7AT9NYUX8m9BvbKyuw7aU2t4h95Fwgxug1bXeVhFOM4bLtBZldEvqcNc/g+o+BrLvl10nHKoBczfrOfMny+rYptNsrEoKySjuUb1C5EM08IZhq3DY9FgDiD0HKXvKdCoadZpB0IK5LhRQGfogMwKMsTcJ7nSXgSij6KaRsM4BbV9kKK60eA4wZ9/nl/KSNZbrZcVPDfMxdGJlXmtXouT2UurjkNenaMM1oXg8XuAusjvH1VLGFuzBc23Tpa/fUBo3wVbV079iCqDhjs4lXHf7HilqprEQpRSEorb9YYmH//PQ5kgkmXeGEhiX/l3YZPf6VBPNTJVMRGH/IoroLq0vp03ls+wZnX7CUq2znX3T5CUIkzd56zXxn6V962jrkHG8orFv7rZZPFQTfUcFrNg3LYl/vRMdGk5Ru21Sp54sU0/Kcp9d6a9mNarUdE8xuZ+Gy2+mXFkkXSPotbrb4ZM6K4moBgzt07r/r89zpr1HCc8MU2YQbs/STIGE/7McqspqB3Sbshzx7fec20plugZfnWEimi3GgRQzJ8CXSlzU8rrrGZuL2esLNRx4p7asLiMmXvdq4xJ9eFI2lNEqIws3GZwUw== root@CLIENT
====================================
== END /root/.ssh/authorized_keys ==
====================================
root@SERVER:~/.ssh# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether b8:ca:3a:d0:ea:98 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.101/24 brd 192.168.0.255 scope global eno1
valid_lft forever preferred_lft forever
inet6 fe80::baca:3aff:fed0:ea98/64 scope link
valid_lft forever preferred_lft forever
3: wlp3s0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 84:3a:4b:81:df:6c brd ff:ff:ff:ff:ff:ff
--------------------------------------------------------------------------
-- CLIENT-side CONFIGs --
- Create an SSH-key for root:
sudo ssh-keygen -t rsa -b 4096
- Modify permissions on the newly generated PUBLIC + PRIVATE KEYs:
sudo chown root:root /root/.ssh
sudo chmod 400 /root/.ssh/id_rsa
sudo chmod 400 /root/.ssh/id_rsa.pub
- Configure /etc/network/interfaces on the CLIENT:
===================================
== START /etc/network/interfaces ==
===================================
# interfaces(5) file used by ifup(8) and ifdown(8)
auto lo
iface lo inet loopback
iface tun0 inet static
pre-up ssh -S /var/run/ssh-myvpn-tunnel-control -M -f -w 0:0
SERVER.net -p 31337 true
pre-up sleep 5
address 10.0.0.2
pointopoint 10.0.0.1
netmask 255.255.255.252
#up route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.1 tun0
#up ip route add 10.0.0.0/24 via 10.0.0.1
up ip route add SERVER_PUBLIC_IP/32 via 10.214.32.1
up ip route add 192.168.0.0/24 via 10.0.0.1
up ip route replace default via 10.0.0.1
#up ip route replace default via 192.168.0.1
down ip route replace default via 10.214.32.1
down ip route del 192.168.0.0/24 via 10.0.0.1
down ip route del SERVER_PUBLIC_IP/32 via 10.214.32.1
post-down ssh -S /var/run/ssh-myvpn-tunnel-control -O exit ssh.SERVER.net
=================================
== END /etc/network/interfaces ==
=================================
---------------------------------------------------------------
- USING THE VPN CONNECTION, DONE FROM THE CLIENT:
- Bring the connection up:
sudo ifup tun0
- Bring the connection down:
sudo ifdown tun0
- ping 10.0.0.1 from the CLIENT, and 10.0.0.2 from the SERVER
- all traffic should now be routing through the SSH VPN! as long as port 22 is allowed via your corporate firewall, this will tunnel everything through it
- the KEYS TO THIS WORKING WERE, making sure the 'iptables' command was pointing to the PROPER interface name (eno1 vs. eth0), and the 'ip route replace default via 10.0.0.1', as 1x GUIDE had it saying to use the DEFAULT GATEWAY of the SERVER, but in fact it should be the IP of the tun0 interface on the SERVER.
:: USEFUL LINKS ::
http://bodhizazen.net/Tutorials/VPN-Over-SSH/
https://debian-administration.org/article/539/Setting_up_a_Layer_3_tunneling_VPN_with_using_OpenSSH
https://help.ubuntu.com/community/SSH_VPN
https://stackoverflow.com/questions/1003684/how-to-interface-with-the-linux-tun-driver
https://stackoverflow.com/a/35735842
http://wiki.vpslink.com/TUN/TAP_device_with_OpenVPN_or_Hamachi
http://www.dest-unreach.org/socat/doc/socat-tun.html
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment