Sunday, January 16, 2011

SSH remote access vpn tunnel

Hi All, I have two machines both running CentOS Linux. One is a public-facing machine with a real IP address (foo). The other is at a client's site behind a very restrictive firewall, with no real IP and no possibility of NATting or opening a port to it (bar).

I can ssh from bar to foo, however obviously not the other way round.

Ideally I would like to be able to ssh from foo to bar so I am able to send files, work remotely, etc. Would really appreciate any help or advice on how best to get this working; I have seen various tutorials on the internet which suggest it should be possible to set up a VPN connection over ssh but can't quite seem to figure it out.

Jona

  • There are several options and lots of answers can be found on this site if you search. You can forward ports. You can use ssh as a socks proxy. Or you can actually tunnel ip over ssh using something like ppp.

    From Zoredache
  • Sounds like you are looking for something that works like Wippien or Remobo, which are inspired by the costly Hamachi client.

    From djangofan
  • This ought to do it for you (from bar):

    ssh -R2222:localhost:22 foo

    Then, on foo:

    ssh localhost -p 2222

    The first connection opens a remote port forward, which makes port 2222 on foo forwarded to port 22 on bar. So, if you ssh to port 2222 on foo, you are really connecting to bar. You can then add whatever forwards you need to through that ssh connection, to forward any other ports.

    Jona : Hi there, this is exactly what I want to do, however this specific syntax doesn't seem to work. One difference I notice is that I need to use ssh -p 2222 localhost. But obviously something else isn't working, as this command outputs connection refused.
    pkaeding : Oops, yeah, I made a mistake with the syntax. I fixed it now. Do you see anything interesting in the ssh session on bar? You can get information about open connections by hitting ~# (in sequence, not at the same time). Does that give back anything interesting?
    From pkaeding
  • Under CentOS the answer appears to be as follows:

    on bar (the restricted machine) run the following command:

    ssh -N -R 1234:localhost:22 foo.theinternet.com

    then on foo (the open machine) run:

    ssh -p 1234 localhost

    I suspect there are refinements to be made to this, but hopefully it will be enough to get any googlers started.

    Thanks to pkaeding for putting me on the right track.

    From Jona
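    An added example covering both pkaeding's and Jona's reverse-forward answers above; this is not code from the thread. It builds the command bar runs (with keepalives so a dead session times out, and an explicit loopback bind address), and then reads `ss -ltn` output on foo to confirm the forwarded port is only reachable from foo itself, which is the state a "connection refused" or an unexpectedly exposed port would contradict. "foo.theinternet.com" and the port numbers are placeholders and SAMPLE_SS is constructed output.

```shell
#!/bin/sh
# Added example (not from the thread) for the reverse-forward answers.
# Hostnames and ports are placeholders; SAMPLE_SS is constructed output.

# Command to run on bar. -N opens no shell; the ServerAlive options let a
# dead TCP session time out instead of hanging; ExitOnForwardFailure makes
# ssh quit (rather than stay connected with no forward) when the port on
# foo is already taken; the explicit 127.0.0.1 bind address keeps the
# listener off foo's public interface.
reverse_tunnel_cmd() {
    gateway=$1   # foo, the host with the public address
    rport=$2     # port that appears on foo and leads back to bar:22
    printf 'ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -R 127.0.0.1:%s:localhost:22 %s\n' \
        "$rport" "$gateway"
}

# Run on foo: pipe `ss -ltn` in, pass the forwarded port. Prints "loopback",
# "public" or "none" and returns 0, 1 or 2. "none" means the forward never
# came up (what "connection refused" looks like from foo); "public" means
# anyone who can reach foo can reach bar's sshd.
listener_scope() {
    awk -v port="$1" '
        NR == 1 { next }                          # header line
        {
            n = split($4, a, ":"); p = a[n]       # Local Address:Port, IPv6 safe
            if (p != port) next
            addr = substr($4, 1, length($4) - length(p) - 1)
            if (addr == "127.0.0.1" || addr == "[::1]") seen_lo = 1
            else seen_pub = 1
        }
        END {
            if (seen_pub) { print "public"; exit 1 }
            if (seen_lo)  { print "loopback"; exit 0 }
            print "none"; exit 2
        }'
}

# Constructed `ss -ltn` output: 2222 bound to loopback as intended, 1234
# exposed on every interface, nothing listening on 3333.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    127.0.0.1:2222     0.0.0.0:*
LISTEN 0      128    [::1]:2222         [::]:*
LISTEN 0      128    0.0.0.0:1234       0.0.0.0:*'

# Demo on the sample; on a real foo use:  ss -ltn | listener_scope 2222
reverse_tunnel_cmd foo.theinternet.com 2222
for p in 2222 1234 3333; do
    printf '%s: ' "$p"
    printf '%s\n' "$SAMPLE_SS" | listener_scope "$p" || true
done
```

    The loopback bind address is honoured when foo's sshd has GatewayPorts set to no or clientspecified; with GatewayPorts yes, sshd binds the forward on all interfaces regardless, which is exactly what the listener check is there to catch.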
  • You can create a tun device, that is a full tunnel. Requirements are: probably root access on both client and server, and recent versions of SSH.

    server /etc/ssh/sshd_config

    PermitRootLogin yes
    PermitTunnel yes

    client /etc/ssh/ssh_config

    Tunnel yes

    Connect with: ssh -w any:any ...

    That will create a tun0 device on both client and server. You must set up the IP addresses:

    server

    ifconfig tun0 192.168.55.1 pointopoint 192.168.55.2

    client

    ifconfig tun0 192.168.55.2 pointopoint 192.168.55.1

    Now routes, NAT, whatever...

    Anyway, I wouldn't recommend this method for connecting from bar to foo automatically, i.e. in a non-interactive fashion. If the TCP session dies it won't respawn automatically. Well, maybe you can make it respawn: http://www.deer-run.com/~hal/sysadmin/SSH-SyslogNG.html

    There should be a way to create a VPN between the two hosts, not necessarily based on SSH.

    Jona : Will this work when one of the machines is private so I can only ssh in one direction?
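    An added example for the tun-device answer above; it is not code from the thread. OpenSSH's sshd_config and ssh_config both apply the first value found for a keyword, so a "PermitTunnel yes" appended below an existing "PermitTunnel no" changes nothing. These helpers print the value that actually applies and summarise the two server-side options the answer sets; the sample sshd_config is constructed.

```shell
#!/bin/sh
# Added example (not from the thread) for the tun-device answer.
# The sample config below is constructed.

# Effective global value of keyword $1 for the config read on stdin: first
# match wins, keyword case-insensitive, "Key=value" accepted, and parsing
# stops at the first Match (sshd_config) or Host (ssh_config) block because
# everything after that is conditional. Returns 1 when the keyword is unset.
effective_option() {
    awk -v want="$1" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }         # comments and blank lines
        tolower($1) == "match" || tolower($1) == "host" { exit }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            sub(/[ \t]*=[ \t]*/, " ", line)       # normalise Key=value
            split(line, f, /[ \t]+/)
            if (tolower(f[1]) == tolower(want)) { print f[2]; found = 1; exit }
        }
        END { if (!found) exit 1 }'
}

# Server-side summary of the two options the answer touches. PermitTunnel
# defaults to no when absent; PermitRootLogin is reported as "unset" rather
# than guessing a version-dependent default. Returns 1 when tun forwarding
# is off, so "ssh -w any:any" cannot succeed whatever the client says.
tunnel_settings() {
    cfg=$(cat)
    pt=$(printf '%s\n' "$cfg" | effective_option PermitTunnel) || pt=no
    prl=$(printf '%s\n' "$cfg" | effective_option PermitRootLogin) || prl=unset
    printf 'PermitTunnel=%s PermitRootLogin=%s\n' "$pt" "$prl"
    [ "$pt" != no ]
}

# Constructed sshd_config: the later "PermitTunnel yes" is dead, the
# point-to-point line above it is what sshd applies. point-to-point is the
# layer-3 mode "ssh -w any:any" uses, so it is all this tunnel needs.
SAMPLE_SSHD_CONFIG='# /etc/ssh/sshd_config (constructed sample)
Port 22
PermitRootLogin no
permittunnel point-to-point
PermitTunnel yes
Match User backup
    PermitTunnel no'

printf '%s\n' "$SAMPLE_SSHD_CONFIG" | tunnel_settings
# On the real hosts:  tunnel_settings < /etc/ssh/sshd_config
#                     effective_option Tunnel < /etc/ssh/ssh_config
```

    PermitTunnel is the only server-side setting the tunnel itself requires; PermitRootLogin yes, which the answer also enables, is a separate and much broader decision and is worth checking with the same helper before leaving it on.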
