Creating a VPN with ssh 4.3
Latest revision as of 10:55, 3 January 2023
Using a tun/tap for a bridge
- Decidedly faster than OpenVPN
- Make sure that both hosts have this in their sshd configuration (strictly, only the host you connect to needs it):
sudoedit /etc/ssh/sshd_config
# ...
PermitTunnel yes
PermitRootLogin yes
#
sudo systemctl restart sshd
PermitTunnel must be yes or ethernet for Tunnel=ethernet to work (point-to-point only allows tun devices). Root login is needed because sshd opens the tun/tap device with the privileges of the logged-in user. Limit the exposure with PermitRootLogin prohibit-password (key authentication only) instead of yes, and, if you want, pin the device a given key may open with the tunnel="0" option in its authorized_keys entry.
- If you want to make a bridge:
ssh -o "PermitLocalCommand=yes" \
  -o "LocalCommand=brctl addif vmbr1 tap0 && ifconfig tap0 up" \
  -o Tunnel=ethernet \
  -w 0:0 \
  -t root@myremote \
  "brctl addif vmbr1 tap0 && ifconfig tap0 up"
With Tunnel=ethernet and -w 0:0 ssh creates tap0 on both ends. The LocalCommand attaches the client's tap0 to the existing bridge vmbr1 once the connection is up, and the remote command does the same on the server. ssh keeps running in the foreground as long as the tap channel is open, even after the remote command has returned; stop it (Ctrl-C or kill) to tear the bridge down. brctl and ifconfig come from bridge-utils and net-tools; the iproute2 equivalent is ip link set tap0 master vmbr1 && ip link set tap0 up.
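A PermitTunnel mismatch only shows up as a refused tunnel channel after authentication, so it is worth checking the server's effective configuration first. The script below is an added example, not code from this page or from the cited blog post: it reads the server configuration with sshd -T, applies the PermitTunnel semantics, warns about PermitRootLogin yes, and then opens the same tap0/vmbr1 bridge using iproute2 instead of brctl and ifconfig. The remote root@myremote, the bridge name vmbr1, device number 0 and the sample sshd -T output embedded in it are assumptions (the sample is constructed, not captured).

```shell
#!/bin/sh
# Added example, not code from the original page or from the blog post it cites:
# check that the server will accept a layer-2 tunnel before trying, then bring
# up the same tap0 <-> vmbr1 bridge with iproute2 instead of brctl/ifconfig.
# Assumptions: remote root@myremote, bridge vmbr1 (already existing on both
# hosts), device number 0 on both ends, as in the command on the page.

# Return 0 if a PermitTunnel value (yes, ethernet, point-to-point, no) allows
# the requested tunnel mode; otherwise sshd refuses the tunnel channel.
tunnel_allowed() {   # usage: tunnel_allowed MODE PERMITTUNNEL_VALUE
    case "$1:$2" in
        ethernet:yes|ethernet:ethernet) return 0 ;;
        point-to-point:yes|point-to-point:point-to-point) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the value of one keyword from "sshd -T" output (effective server
# configuration, keywords in lower case) read on stdin.
sshd_opt() {   # usage: sshd -T | sshd_opt KEYWORD
    awk -v k="$1" '$1 == k { print $2; exit }'
}

# Constructed sample of "sshd -T" output, used to exercise the checks offline.
SAMPLE_SSHD_T='port 22
permitrootlogin without-password
permittunnel ethernet'

# Fetch the effective configuration from REMOTE and refuse to continue if it
# cannot work: no ethernet tunnels, or root login disabled (sshd opens the tap
# device with the privileges of the logged-in user, so that user must be root).
preflight() {   # usage: preflight REMOTE
    cfg=$(ssh "$1" sshd -T) || return 1
    pt=$(printf '%s\n' "$cfg" | sshd_opt permittunnel)
    if ! tunnel_allowed ethernet "$pt"; then
        echo "server has PermitTunnel $pt: ethernet tunnels not allowed" >&2
        return 1
    fi
    prl=$(printf '%s\n' "$cfg" | sshd_opt permitrootlogin)
    case "$prl" in
        no|forced-commands-only)
            echo "server has PermitRootLogin $prl: cannot open the tap device as root" >&2
            return 1 ;;
        yes)
            echo "warning: PermitRootLogin yes also allows password logins; prefer prohibit-password" >&2 ;;
    esac
}

# Open the tunnel: tap$N on both ends, each enslaved to bridge BRIDGE.
# ssh stays in the foreground as long as the tap channel is open; stopping it
# (Ctrl-C or kill) removes both tap devices and so undoes the bridge change.
bridge_up() {   # usage: bridge_up REMOTE BRIDGE [N]
    remote=$1; br=$2; n=${3:-0}
    ssh -o PermitLocalCommand=yes \
        -o "LocalCommand=ip link set tap$n master $br && ip link set tap$n up" \
        -o Tunnel=ethernet \
        -w "$n:$n" \
        -t "$remote" \
        "ip link set tap$n master $br && ip link set tap$n up"
}

# Only act when called with arguments, e.g.: ./ssh-bridge.sh root@myremote vmbr1
if [ "$#" -ge 2 ]; then
    preflight "$1" && bridge_up "$@"
fi
```

Run it as root on the client (the local tap device is created with the client's privileges). sshd -T must be run as root on the server, which the root login already gives you.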
References
- SSH Features: Bridging two networks ⋅ /dev/pboehm: https://blog.pboehm.org/blog/2016/12/07/ssh-features-bridging-two-networks/
Using sshuttle
You can use:
apt-get install sshuttle
sshuttle -r root@server.example.com 0/0
sshuttle needs neither a tun device nor root on the server, only an account there with Python, so an unprivileged user instead of root is enough and preferable; locally it asks for sudo to install the redirect rules. 0/0 sends all IPv4 traffic through the server; add --dns to forward DNS queries as well, -x with a subnet (for example your LAN) to leave it outside the tunnel, and -D to run in the background. By default only TCP is redirected, so this is not a full VPN in the sense of the tun/tap approaches.
Utilizzando uno script
The following script starts a full-featured VPN over SSH and tun (run it as root on the client):
#!/bin/sh
# Client side of a point-to-point tun VPN over ssh. Needs root locally (the tun
# device is created with the client's privileges) and PermitTunnel plus root
# login enabled on HOST.
HOST=your.web.server
TUN_LOCAL=0
TUN_REMOTE=1
IP_LOCAL=192.168.2.2
IP_REMOTE=192.168.2.1
IP_MASK=24
PRIVATE_NETWORK=10.0.0.0/8
PRIVATE_DOMAIN="your.private.domain private.domain"
PRIVATE_NAMESERVER=192.168.2.1
PRIVATE_LOCAL=10.0.1.2

echo "Starting VPN tunnel ..."
modprobe tun
# -f backgrounds ssh after authentication. The session ends when the remote
# command returns, but ssh keeps running as long as the tun channel is open.
# On the server: address tun${TUN_REMOTE}, map the client's tunnel address to
# PRIVATE_LOCAL in both directions, accept traffic from the tunnel and enable
# forwarding (without it the FORWARD rule never sees a packet).
ssh -w ${TUN_LOCAL}:${TUN_REMOTE} -f ${HOST} "\
   ip addr add ${IP_REMOTE}/${IP_MASK} dev tun${TUN_REMOTE} \
&& ip link set tun${TUN_REMOTE} up \
&& sysctl -w net.ipv4.ip_forward=1 >/dev/null \
&& iptables -t nat -I POSTROUTING -s ${IP_LOCAL} -j SNAT --to ${PRIVATE_LOCAL} \
&& iptables -t nat -I PREROUTING -d ${PRIVATE_LOCAL} -j DNAT --to ${IP_LOCAL} \
&& iptables -I INPUT -i tun${TUN_REMOTE} -j ACCEPT \
&& iptables -I FORWARD -i tun${TUN_REMOTE} -j ACCEPT \
&& iptables -t nat -I PREROUTING -i tun${TUN_REMOTE} -j ACCEPT \
&& true"
# Wait for the local tun device instead of sleeping a fixed time.
for i in 1 2 3 4 5 6 7 8 9 10; do
    ip link show tun${TUN_LOCAL} >/dev/null 2>&1 && break
    sleep 1
done
ip addr add ${IP_LOCAL}/${IP_MASK} dev tun${TUN_LOCAL}
ip link set tun${TUN_LOCAL} up
ip route add ${PRIVATE_NETWORK} dev tun${TUN_LOCAL}
# Keep a copy of the original resolver configuration so it can be restored later.
[ -e /etc/resolv.conf.pre-vpn ] || cp /etc/resolv.conf /etc/resolv.conf.pre-vpn
echo "search ${PRIVATE_DOMAIN}
nameserver ${PRIVATE_NAMESERVER}
" >/etc/resolv.conf
echo "... done."
- The following variables at the beginning of the script configure it:
| Item | Description |
|---|---|
| HOST | Hostname of the remote SSH server (IP address or DNS name). |
| TUN_LOCAL | Number of the local tun interface. Must be a number: the any keyword accepted by ssh -w cannot be used, because the script needs to know the device name. |
| TUN_REMOTE | Number of the remote tun interface. Same restriction as TUN_LOCAL. |
| IP_LOCAL | IP address of the local tun interface. |
| IP_REMOTE | IP address of the server's tun interface. |
| IP_MASK | Prefix length (in bits) of the tunnel subnet. |
| PRIVATE_NETWORK | The private network behind the server, as address/prefix, to be routed through the tunnel. |
| PRIVATE_DOMAIN | Space-delimited list of DNS search domains of the private network (if any). |
| PRIVATE_NAMESERVER | Nameserver in the private network. |
| PRIVATE_LOCAL | Address in the private network that the server maps to this computer (SNAT on the way out, DNAT on the way in), so that hosts on the private network can reach it. |
- TODO: Convert to an init.d script (i.e. create a stop script), detect failures, and on close clear the server's iptables rules and restore the local /etc/resolv.conf.
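The stop side that the TODO asks for, as an added example that is not part of the original page: it deletes the server-side rules with the same match specifications the start script inserted (so iptables -D removes exactly those rules), stops the ssh process that owns the tunnel, which makes the kernel remove the tun device and the route through it, and restores the resolver configuration. It assumes the same parameters as the start script, that ssh was started with exactly "ssh -w L:R -f HOST" (the string matched by pkill -f), and that a copy of the original /etc/resolv.conf was saved at RESOLV_BACKUP before the start script overwrote it (a path chosen here, not by the page; the step is skipped if no copy exists).

```shell
#!/bin/sh
# Added example, not part of the original page: the "stop" counterpart to the
# tun VPN start script. Assumptions: same parameters as the start script; ssh
# was started as "ssh -w L:R -f HOST" (matched by pkill -f); the original
# /etc/resolv.conf was saved at RESOLV_BACKUP (a path chosen here).
HOST=your.web.server
TUN_LOCAL=0
TUN_REMOTE=1
IP_LOCAL=192.168.2.2
PRIVATE_LOCAL=10.0.1.2
RESOLV_BACKUP=/etc/resolv.conf.pre-vpn

# The rules the start script inserts, one per line, without the -I/-D verb, so
# that add and delete are generated from a single list and "-D" matches exactly
# what "-I" added. A leading "-t TABLE" marks rules that live in another table.
vpn_rules() {
cat <<EOF
-t nat POSTROUTING -s ${IP_LOCAL} -j SNAT --to ${PRIVATE_LOCAL}
-t nat PREROUTING -d ${PRIVATE_LOCAL} -j DNAT --to ${IP_LOCAL}
INPUT -i tun${TUN_REMOTE} -j ACCEPT
FORWARD -i tun${TUN_REMOTE} -j ACCEPT
-t nat PREROUTING -i tun${TUN_REMOTE} -j ACCEPT
EOF
}

# Turn the rule list into full iptables commands for one verb (-I or -D).
# iptables wants "-t TABLE" before the chain name, so that part is split off.
iptables_cmds() {   # usage: iptables_cmds -I|-D
    verb=$1
    vpn_rules | while IFS= read -r rule; do
        case "$rule" in
            "-t "*)
                rest=${rule#-t }
                table=${rest%% *}
                rest=${rest#* }
                printf 'iptables -t %s %s %s\n' "$table" "$verb" "$rest" ;;
            *)
                printf 'iptables %s %s\n' "$verb" "$rule" ;;
        esac
    done
}

# One shell line for the remote side. Each delete is followed by "|| true" so a
# rule that is already gone (e.g. after a partially failed start) does not stop
# the rest of the cleanup.
remote_down_cmd() {
    iptables_cmds -D | sed 's/$/ || true/' | tr '\n' ';'
}

vpn_down() {
    echo "Stopping VPN tunnel ..."
    # 1. Clean the server while the tunnel (or any other ssh path) is still usable.
    ssh "${HOST}" "$(remote_down_cmd)" || echo "warning: remote cleanup failed" >&2
    # 2. Stop the ssh process holding the tun device; tun${TUN_LOCAL} and the
    #    route through it disappear with it.
    pkill -f "ssh -w ${TUN_LOCAL}:${TUN_REMOTE} -f ${HOST}" \
        || echo "warning: no tunnel process found" >&2
    # 3. Put the original resolver configuration back, if the start script saved it.
    if [ -f "${RESOLV_BACKUP}" ]; then
        mv "${RESOLV_BACKUP}" /etc/resolv.conf
    fi
    echo "... done."
}

# Only act when invoked as "./ssh-vpn-down.sh down"; otherwise just define the functions.
if [ "${1:-}" = down ]; then
    vpn_down
fi
```

Keeping the rule list in one place is the point: the start script could call iptables_cmds -I and the stop script iptables_cmds -D on the same list, so the two can never drift apart, which is the usual way leftover NAT rules accumulate on the server.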