[olug] PPP via SSH
Brian Roberson
brian at bstc.net
Tue Aug 22 23:31:30 UTC 2000
< CUT OFF OF SLASHDOT >........
IPSec (service 50) are not the only way to establish a VPN. For instance,
you can use IP inside IP (Using either the kernel-based 'ipip.o' module, or
a user-space ipip driver), or do as I do, create a PPP tunnel inside an SSH
connection.
Here is how:
· From your machine inside a firewalled LAN (e.g. work), use the
following `pppd' options file (under Debian, create it in /etc/ppp/peers,
e.g. /etc/ppp/peers/my-home):
# This link is over a SSH network connection
pty "ssh -t -enone -C yourhost.home.net /usr/sbin/pppd noauth ipparam 172.16.0.0/16"
# IP Addresses to use for this link
192.168.0.1:192.168.0.2
# Let the remote host start the conversation
silent
# We trust each other
noauth
# Keep modem up even if connection fails
persist
Here, replace 172.16.0.0/16 with your company network. This will be used as
argument for the PPP 'if-up' script on your home computer.
· Make sure the root user on your work machine can SSH to your home
machine (as root) without being prompted for password. If necessary, run
'ssh-keygen', and copy the '/root/.ssh/identity.pub' file from work to
'/root/.ssh/authorized_keys' at home.
· At home, create an if-up script, as follows:
· Under Debian, create /etc/ppp/ip-up.d/vpn
· Under RedHat, create or add to /etc/ppp/ip-up.local
The script should contain:
#!/bin/bash
########################################################################
### FILE: /etc/ppp/ip-up.d/vpn
### PURPOSE: Add routes after bringing up PPP link
########################################################################
### The following two lines are only needed with RedHat;
### Debian supplies these from the master ip-up script.
### $6 contains remote network/netmask (e.g. 172.16.0.0/16)
[ "$PPP_IFACE" ] || PPP_IFACE=$1
[ "$PPP_IPPARAM" ] || PPP_IPPARAM=$6
### Configure the route and the firewall once the link is up.
### 192.168.1.0/24 below is assumed to be the home LAN; adjust it to yours.
if [ "$PPP_IPPARAM" ]
then
/sbin/route add -net "$PPP_IPPARAM" dev "$PPP_IFACE" metric 1
/sbin/ipchains -I input -j ACCEPT -i "$PPP_IFACE"
/sbin/ipchains -I forward -j MASQ -s 192.168.1.0/24 -i "$PPP_IFACE"
/sbin/ipchains -I output -j ACCEPT -i "$PPP_IFACE"
fi
· Edit root's crontab on your work machine (crontab -e), to start
this PPP link. Under Debian, it will look as follows:
*/20 * * * * netstat -rn | grep -qs '^192\.168\.0\.2 ' || pon my-home
(replace 'my-home' with the name of the PPP options file in /etc/ppp/peers).
Using this, you now have a PPP over SSH tunnel to/from your home. If it
breaks, it is immediately brought back up (hence "persist" above); and if
too many retries have passed and PPP gives up, a new connection is retried
every 20 minutes (or whatever you set the crontab line to).
Undetectable. :-)
At 04:49 AM 8/23/2000 -0500, Aaron Grothe wrote:
>Matt Payne wrote:
>
> > Brian (or anyone!) - Would you please send out and and all pointers to the
> > PPP via SSH stuff that was mentioned on Sunday?
> >
>
>There is a mini-howto on the subject available at http://www.linuxdoc.org
>
>http://www.linuxdoc.org/HOWTO/mini/Secure-POP+SSH.html
>
>I hope it is of some assistance.
>
>Regards,
>
>Aaron
>====
>"The Journey is the Reward" - Old Zen Buddhist Saying
---------------------------------------------------------------------
To unsubscribe, e-mail: olug-unsubscribe at bstc.net
For additional commands, e-mail: olug-help at bstc.net
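As an added example, not part of Brian's post or the Slashdot excerpt he pasted: a few POSIX shell helpers for the setup above. The one check a practitioner would want before copying identity.pub into root's authorized_keys at home is a forced command, so the work machine's key can only start pppd with a fixed ipparam rather than open a root shell (no-pty is deliberately left off, because the peers file uses `ssh -t`). The ipparam is also validated before it is interpolated into `route add` by a root-run ip-up script, and the crontab test is repeated with the dots in 192.168.0.2 escaped. The function names, the sample key and the sample `netstat -rn` table are assumptions/constructed data; the addresses and paths are the ones from the post.

```shell
#!/bin/sh
# Added example, not from the original post: helpers for the PPP-over-SSH setup.
# Function names, the sample key and SAMPLE_ROUTES are assumptions/constructed.

# Accept only a dotted quad with a 0-32 prefix length (e.g. 172.16.0.0/16).
# ip-up runs as root and hands $PPP_IPPARAM to `route add`, so refuse anything else.
valid_ipparam() {
    case "$1" in
        ''|*[!0-9./]*|/*|*/|*/*/*|.*|*..*|*./*) return 1 ;;
        */*) ;;
        *) return 1 ;;
    esac
    _net=${1%/*}
    _len=${1#*/}
    [ "$_len" -le 32 ] || return 1
    _oldifs=$IFS
    IFS=.
    set -- $_net
    IFS=$_oldifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        [ -n "$_o" ] && [ "$_o" -le 255 ] || return 1
    done
    return 0
}

# Build the line for /root/.ssh/authorized_keys at home: the work key may only
# run pppd with this ipparam (sshd ignores the command the client sends).
# $1 = company network for ipparam, $2 = the public key line from identity.pub.
authorized_key_line() {
    valid_ipparam "$1" || return 1
    printf 'command="/usr/sbin/pppd noauth ipparam %s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding %s\n' "$1" "$2"
}

# Same test as the crontab line, reading `netstat -rn` on stdin, with the dots
# escaped so 192.168.0.2 does not also match 192.168.0.20 or 192x168x0x2.
link_is_up() {
    _re=$(printf '%s' "$1" | sed 's/\./\\./g')
    grep -qs "^$_re[[:space:]]"
}

# Constructed `netstat -rn` output for a machine whose link is currently up.
SAMPLE_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.0.2     0.0.0.0         255.255.255.255 UH        0 0          0 ppp0
172.16.0.0      0.0.0.0         255.255.0.0     U         0 0          0 ppp0
0.0.0.0         10.0.0.1        0.0.0.0         UG        0 0          0 eth0'

# Stand-alone demo: print the authorized_keys line, then mimic the cron check.
authorized_key_line 172.16.0.0/16 'ssh-rsa AAAAB3NzaC1yc2E work-key'
if printf '%s\n' "$SAMPLE_ROUTES" | link_is_up 192.168.0.2; then
    echo "link up: nothing to do"
else
    echo "link down: would run 'pon my-home'"
fi
```

The forced command only narrows what that one key can start; the home-side pppd still runs as root with noauth, so the key file itself (not just authorized_keys) has to be protected on the work machine.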