
Common Linux command tips: using ssh port forwarding to build a simple site-to-site VPN tunnel

Date: 2017/2/28 15:34:06   Editor: Linux教程

Using SSH's port forwarding feature, specifically the tun device forwarding enabled by the -w option, it is easy to build a virtual private network (VPN) that runs inside the SSH encrypted channel.

─────────────────────────
man ssh;
─────────────────────────
-w local_tun[:remote_tun]

Requests tunnel device forwarding with the specified tun devices between the
client (local_tun) and the server (remote_tun).

The devices may be specified by numerical ID or the keyword “any”,
which uses the next available tunnel device.

If remote_tun is not specified, it defaults to “any”.
See also the Tunnel and TunnelDevice directives in ssh_config.

If the Tunnel directive is unset, it is set to the default tunnel mode, which is “point-to-point”.

SSH-BASED VIRTUAL PRIVATE NETWORKS

ssh contains support for Virtual Private Network (VPN) tunnelling using the tun
network pseudo-device, allowing two networks to be joined securely.

The sshd_config configuration option PermitTunnel controls whether the server
supports this, and at what level (layer 2 or 3 traffic).

─────────────────────────
man sshd_config;
─────────────────────────
PermitTunnel

Specifies whether tun(4) device forwarding is allowed. The argument must be:

* yes - permits both “point-to-point” and “ethernet”
* point-to-point - layer 3 (point-to-point) tunnels only
* ethernet - layer 2 (ethernet) tunnels only
* no - the default is “no”
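The two sshd_config directives this tutorial changes decide who may open a tunnel and at which layer, so they are worth checking before and after editing the file. The script below is an added example, not code from the article or from OpenSSH: it audits a config text for PermitTunnel and PermitRootLogin, using sshd's first-occurrence rule, and runs over a constructed sample fragment rather than the real /etc/ssh/sshd_config so it needs no privileges. Directives inside Match blocks are not treated specially (an assumption stated in the code); audit such files by hand.

```shell
#!/bin/sh
# Added example (not from the original article or the OpenSSH project): audit
# an sshd_config text for the two directives this tutorial touches,
# PermitTunnel and PermitRootLogin. sshd honours the FIRST occurrence of a
# directive, so the audit does too. Limitation (assumption of this script):
# directives inside Match blocks are not treated specially.

# Constructed sample (stands in for /etc/ssh/sshd_config so this runs unprivileged).
# The second PermitTunnel line is ignored by sshd and therefore by this script.
SAMPLE_CONFIG='# constructed sshd_config fragment
Port 22
PermitRootLogin yes
PermitTunnel yes
PermitTunnel no'

# effective_directive NAME CONFIGTEXT -> first value set for NAME, lower-cased,
# or "(default)" when the directive is absent. Comment lines are skipped and
# both "Name value" and "Name=value" spellings are accepted, as sshd does.
effective_directive() {
    printf '%s\n' "$2" | awk -v name="$1" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            line = $0
            sub(/^[[:space:]]+/, "", line)
            n = split(line, f, "[[:space:]=]+")
            if (n >= 2 && tolower(f[1]) == tolower(name)) {
                print tolower(f[2]); found = 1; exit
            }
        }
        END { if (!found) print "(default)" }'
}

# tunnel_mode CONFIGTEXT -> what PermitTunnel allows, per sshd_config(5):
# yes = layer 2 and 3, point-to-point = layer 3, ethernet = layer 2, no = none.
tunnel_mode() {
    case "$(effective_directive PermitTunnel "$1")" in
        yes)            echo "layer2+layer3" ;;
        point-to-point) echo "layer3" ;;
        ethernet)       echo "layer2" ;;
        no|"(default)") echo "none" ;;      # the documented default is "no"
        *)              echo "unknown" ;;
    esac
}

# root_login_risk CONFIGTEXT -> "high" for an unrestricted root login (what
# step (1) of the article configures), "restricted" for the forced-command or
# key-only modes the advanced section relies on, "none" when root login is
# off, "unset" when absent (the built-in default differs between versions).
root_login_risk() {
    case "$(effective_directive PermitRootLogin "$1")" in
        yes)                                                      echo "high" ;;
        forced-commands-only|prohibit-password|without-password)  echo "restricted" ;;
        no)                                                       echo "none" ;;
        "(default)")                                              echo "unset" ;;
        *)                                                        echo "unknown" ;;
    esac
}

# audit CONFIGTEXT -> prints both findings
audit() {
    printf 'PermitTunnel allows : %s\n' "$(tunnel_mode "$1")"
    printf 'PermitRootLogin risk: %s\n' "$(root_login_risk "$1")"
}

audit "$SAMPLE_CONFIG"
# To audit the real file (as root): audit "$(cat /etc/ssh/sshd_config)"
```

A "high" result means the tunnel host accepts a full root login from anyone holding root's password or key; the advanced configuration section of this article shows how forced-commands-only plus a per-key tunnel="N" entry narrows that down.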

─────────────────────────
A sample setup (Example)
─────────────────────────
Client Network:  10.0.2.0/24          Server or gateway of client network;
Server Gateway:  192.168.56.1         Must be gateway of remote network;
Remote Network:  192.168.57.0/24      Can't connect with client network directly;
Point-to-Point:  10.1.1.1 - 10.1.1.2  The VPN tunnel we should build;


(1) On the ssh server, change the sshd configuration:

# vi /etc/ssh/sshd_config;
------------------------------------------------------------------------------
PermitRootLogin yes
PermitTunnel yes
------------------------------------------------------------------------------

Reload the ssh service:
# service ssh reload;# for Debian/Ubuntu;
# service sshd reload;# for RedHat/CentOS;


(2) On the client site:

# ssh -f -w 0:0 192.168.56.1 true;

Check whether tun0 was built successfully:
# ip addr show tun0;# check that tun0 came up;
# ip addr show tun0;# the ssh server side should show the same tun0;
# ifconfig tun0;# check the tun0 interface;


Parameter notes:

-f       ssh goes to the background once the connection is established;
-w 0:0   once the tunnel is up, an interface named tun0 appears on both the client and the server;
-w 1:1   once the tunnel is up, an interface named tun1 appears on both the client and the server;
true     the command run on the server; it exits immediately, while the tunnel channel keeps the session open.

Note: do not confuse this with the default Linux tunnel interface named tunl0; check with the ip addr show command.

################################################################################
Common errors and how to handle them:
################################################################################
If the command above fails with the following error, check whether an interface named tun0 already exists on either end of the ssh connection:
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
channel 0: open failed: administratively prohibited: open failed
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
# ip addr show | grep tun;# check on both sides whether this tun0 is already up;
# ip addr show | grep 10.;# check on both sides whether this IP is already in use;

If needed, remove the IP settings from the default tunl0 with the following commands:
# ip addr flush tunl0;# flush all addresses on tunl0;
# ip addr del 10.1.1.1/32 dev tunl0;# assuming the same IP is on tunl0;
# ip addr del 10.1.1.2/32 dev tunl0;# assuming the same IP is on tunl0;
________________________________________________________________________________
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

(3) Still on the client side:

# ifconfig tun0 10.1.1.1 10.1.1.2 netmask 255.255.255.252

# route add -net 192.168.57.0/24 gw 10.1.1.2 dev tun0

# ifconfig tun0 | grep -A 1 tun0;
------------------------------------------------------------------------------
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.1.1.2 P-t-P:10.1.1.2 Mask:255.255.255.252
------------------------------------------------------------------------------

# route -n | grep tun0
------------------------------------------------------------------------------
10.1.1.0 0.0.0.0 255.255.255.252 U 0 0 0 tun0
192.168.57.0 10.1.1.2 255.255.255.0 UG 0 0 0 tun0
------------------------------------------------------------------------------

(4) On the ssh server:

# ifconfig tun0 10.1.1.2 10.1.1.1 netmask 255.255.255.252

# route add -net 10.0.2.0/24 gw 10.1.1.1 dev tun0

# ifconfig tun0 | grep -A 1 tun0
------------------------------------------------------------------------------
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.1.1.1 P-t-P:10.1.1.1 Mask:255.255.255.252
------------------------------------------------------------------------------

# route -n | grep tun0
------------------------------------------------------------------------------
10.0.2.0 10.1.1.1 255.255.255.0 UG 0 0 0 tun0
10.1.1.0 0.0.0.0 255.255.255.252 U 0 0 0 tun0
------------------------------------------------------------------------------
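Steps (2) to (4) configure the two ends by hand, and the "common errors" section shows what happens when an address is already bound elsewhere. The script below is an added example, not code from the article: it is a dry-run planner that prints the per-side commands for the addressing table above instead of running them, checks that the two endpoints are the two hosts of one /30, and detects an endpoint address already held by another interface (parsing a constructed `ip addr show` sample that reproduces the tunl0 clash). It emits ip(8) commands rather than the article's ifconfig/route lines; note that on Linux the net-tools form `ifconfig tun0 LOCAL REMOTE` does not set a point-to-point pair (that is BSD ifconfig syntax), the second address simply replaces the first, which is why the article's own output shows inet addr equal to P-t-P. The `net.ipv4.ip_forward` line is an addition of this example, not part of the article: without it the gateways will not forward for the hosts behind them.

```shell
#!/bin/sh
# Added example (not from the original article): dry-run planner for steps
# (2)-(4). Prints the commands for one side of the tunnel instead of running
# them, and checks what the article's error section cares about: that the two
# endpoints form one /30 and that the chosen endpoint address is not already
# bound to another interface (the tunl0 clash). Addresses follow the article.

CLIENT_NET="10.0.2.0/24"        # network behind the client gateway
SERVER_NET="192.168.57.0/24"    # network behind the ssh server
TUN_LOCAL="10.1.1.1"            # client end of the point-to-point link
TUN_REMOTE="10.1.1.2"           # server end of the point-to-point link
TUN_DEV="tun0"                  # -w 0:0 creates tun0 on both ends

# Constructed `ip addr show` output for the client, with tunl0 wrongly holding
# the address meant for tun0 (the situation described in the error section).
SAMPLE_IP_ADDR='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet 10.0.2.1/24 brd 10.0.2.255 scope global eth0
3: tunl0@NONE: <NOARP> mtu 1480 state DOWN
    inet 10.1.1.1/32 scope global tunl0'

# ip_to_int A.B.C.D -> unsigned 32-bit value, for prefix arithmetic in sh
ip_to_int() {
    printf '%s' "$1" | awk -F. '{ print $1*16777216 + $2*65536 + $3*256 + $4 }'
}

# same_p2p_subnet A B -> true when A and B are the two usable hosts of one /30
# (network and broadcast addresses of the /30 are rejected)
same_p2p_subnet() {
    a=$(ip_to_int "$1"); b=$(ip_to_int "$2")
    [ $((a / 4)) -eq $((b / 4)) ] && [ "$a" -ne "$b" ] &&
        [ $((a % 4)) -ne 0 ] && [ $((a % 4)) -ne 3 ] &&
        [ $((b % 4)) -ne 0 ] && [ $((b % 4)) -ne 3 ]
}

# address_owner ADDR IP_ADDR_OUTPUT -> prints the device already holding ADDR,
# or nothing when it is free
address_owner() {
    printf '%s\n' "$2" | awk -v addr="$1" '$1 == "inet" && index($2, addr "/") == 1 { print $NF }'
}

# plan_side client|server [IP_ADDR_OUTPUT] -> prints the ip(8) commands for
# that side; returns non-zero (printing the fix) when the endpoint is in use
plan_side() {
    case "$1" in
        client) me=$TUN_LOCAL;  peer=$TUN_REMOTE; far=$SERVER_NET ;;
        server) me=$TUN_REMOTE; peer=$TUN_LOCAL;  far=$CLIENT_NET ;;
        *) echo "usage: plan_side client|server [ip-addr-output]" >&2; return 2 ;;
    esac
    same_p2p_subnet "$me" "$peer" || { echo "$me and $peer are not one /30" >&2; return 1; }
    owner=$(address_owner "$me" "${2:-}")
    if [ -n "$owner" ] && [ "$owner" != "$TUN_DEV" ]; then
        echo "$me is already on $owner; first run: ip addr del $me/32 dev $owner" >&2
        return 1
    fi
    # ip(8) equivalent of the article's ifconfig/route lines. On Linux,
    # net-tools "ifconfig tun0 LOCAL REMOTE" is BSD syntax: the second address
    # replaces the first, so the explicit local/peer form is used here.
    printf 'ip addr add %s peer %s/30 dev %s\n' "$me" "$peer" "$TUN_DEV"
    printf 'ip link set %s up\n' "$TUN_DEV"
    printf 'ip route add %s via %s dev %s\n' "$far" "$peer" "$TUN_DEV"
    # Not in the article: each gateway must forward for the hosts behind it.
    printf 'sysctl -w net.ipv4.ip_forward=1\n'
}

echo "# server side:"; plan_side server
echo "# client side (against the constructed tunl0 clash):"
plan_side client "$SAMPLE_IP_ADDR" || echo "# remove the clash, then re-run"
```

Pipe the printed commands into `sh` on the respective gateway only after reviewing them; the point of the dry run is that a typo in the endpoint pair is caught before any interface is touched.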

(5) Advanced usage and notes (Advanced configuration)

Client access may be more finely tuned via the ~/.ssh/authorized_keys file and
the PermitRootLogin server option.

The following entry would permit connections on tun device 1 from user “jane” and
on tun device 2 from user “john”, if PermitRootLogin is set to “forced-commands-only”:

tunnel="1",command="sh /etc/netstart tun1" ssh-rsa ... jane
tunnel="2",command="sh /etc/netstart tun2" ssh-rsa ... john

Since an SSH-based setup entails a fair amount of overhead,
it may be more suited to temporary setups, such as for wireless VPNs.
More permanent VPNs are better provided by tools such as ipsecctl and isakmpd.
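The two authorized_keys lines above pin each key to one tun device and one forced command, which is the least-privilege way to run this tunnel instead of a full root login. The script below is an added example, not code from the article or from OpenSSH: it generates such entries and checks them. Beyond the article's tunnel="N",command="..." pair it adds the standard no-pty, no-port-forwarding, no-X11-forwarding and no-agent-forwarding authorized_keys options (real sshd options; no-port-forwarding covers TCP forwarding only, the tun channel is governed by tunnel= and PermitTunnel) and an optional from="..." source pattern. /etc/netstart is the article's helper script; the key strings and the 203.0.113.0/24 source range are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original article or OpenSSH): generate and check
# the restricted authorized_keys entries of the advanced configuration section.
# Key material below is a constructed placeholder, not a real public key.

NETSTART="/etc/netstart"   # the helper script the article's entries call

# tunnel_key_entry TUNNEL_ID PUBKEY_LINE [FROM_PATTERN] -> one authorized_keys line.
# The tun id is used twice on purpose: once to pin the device sshd hands out
# (tunnel="N"), once as the argument of the forced command that configures it.
tunnel_key_entry() {
    case "$1" in
        ''|*[!0-9]*) echo "tunnel id must be a non-negative integer" >&2; return 2 ;;
    esac
    opts="tunnel=\"$1\",command=\"sh $NETSTART tun$1\""
    # PTYs and TCP/agent/X11 forwarding are not needed to raise a tun link;
    # the tun channel itself is governed by tunnel= and sshd's PermitTunnel.
    opts="$opts,no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding"
    if [ -n "${3:-}" ]; then
        opts="$opts,from=\"$3\""      # restrict the source address pattern
    fi
    printf '%s %s\n' "$opts" "$2"
}

# entry_tunnel_id LINE -> the tun id an entry pins, or empty if none
entry_tunnel_id() {
    printf '%s\n' "$1" | sed -n 's/.*tunnel="\([0-9][0-9]*\)".*/\1/p'
}

# entry_is_restricted LINE -> true when the entry carries all four no-* options
entry_is_restricted() {
    for opt in no-pty no-port-forwarding no-X11-forwarding no-agent-forwarding; do
        case "$1" in *"$opt"*) ;; *) return 1 ;; esac
    done
    return 0
}

# Constructed placeholder keys (not real key material)
JANE_KEY="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEXAMPLEJANE jane"
JOHN_KEY="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEXAMPLEJOHN john"

# Equivalents of the article's two entries, with the extra restrictions.
tunnel_key_entry 1 "$JANE_KEY"
tunnel_key_entry 2 "$JOHN_KEY" "203.0.113.0/24"   # constructed source range
```

Append the printed lines to ~root/.ssh/authorized_keys on the ssh server and set PermitRootLogin to forced-commands-only, as the article describes; the client then brings the tunnel up with -w N:N where N is the id pinned in the entry, and a key that matches a different device is refused.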

(6) Debugging tools and commands

# tcpdump -i any -nnn not port ssh
# ip addr show
# ip addr flush tun0
# ip route show table all
# traceroute -n 10.0.2.15
# traceroute -n 192.168.57.102
