1e31 SSH - Telecomix Crypto Munitions Bureau


From Telecomix Crypto Munitions Bureau

Jump to: navigation, search

[edit] Guides

[edit] Howto use OpenSSH as a VPN

OpenSSH 4.3 comes with TUN/TAP support. This means that you can establish an encrypted virtual tunnel between two computers. This tunnel can be used to establish a VPN between these two networks. In the sample network you can establish an SSH connection to but not the other two machines because they're firewalled off. Using an SSH VPN tunnel you can gain access to that entire network (anything that would have access to). To clarify this is not SSH port forwarding. This is full IP forwarding using a tunnel interface.

This is done by creating a tunnel between your home PC ( and the network gateway PC ( This is done with the -w command in SSH.

ssh -w0:0

This creates a tun0 interface on both ends of the SSH session. Once the tunnel is established you will need to put an IP on both sides of the tunnel using the following commands. Note: the PermitTunnel option must be turned on in your sshd_config file for this to work.

# IP Address for your Home PC
ifconfig tun0 netmask 
# IP Address for the network gateway PC
ifconfig tun0 netmask

At this point you should be able to ping both sides of the tunnel from both machines. Now a little Linux routing knowledge comes in handy. You'll need two route statements to do this. One to force access to the network gateway PC to go out eth0 (or whatever your output device is), and the other to tell it to use tun0 for access to the rest of that subnet.

route add -host dev eth0
route add -net dev tun0 

Everything will route properly now, but the firewalled machines will not know how to get back to your home PC. A little NAT will fix that right up. You'll need to setup IP Forwarding and NAT on the network gateway PC to masquerade all requests from your home PC.

echo 1 > /proc/sys/net/ipv4/ip_forward
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Source: Howto use OpenSSH as a VPN

[edit] To use open ssh as a proxy

ssh -fND 8888 user@server

Then point your soft on localhost 8888

Personal tools