2011/08/22

SSH tunneling for a small VPN

Here is a simple script that sets up a simple VPN between two networks using SSH tunneling. You must have root access to a computer on both networks. You must have 2 IP addresses for the remote network. The remote network is assumed to be /24. The script assumes that tun0 is available on both computers. If you don't understand this or you don't have this, you can't use this script.
#!/bin/bash


HOST=$1
LOCAL_IP=$2
REMOTE_IP=$3

eval $(ipcalc --network $LOCAL_IP/24)
if [[ "NETWORK=$NETWORK" != $(ipcalc --network $REMOTE_IP/24) ]] ; then
echo "Local IP ($LOCAL_IP) and remote IP ($REMOTE_IP) must be on the same network" >&2
exit 3
fi

ip route del $NETWORK/24 dev eth0 2>/dev/null
set -e

set -x
ssh -w 0:0 $HOST "
ip link set tun0 up
ip addr add $LOCAL_IP peer $REMOTE_IP/32 dev tun0
arp -sD $REMOTE_IP eth0 pub
echo 1 >/proc/sys/NETWORK/ipv4/ip_forward
echo OK
while true ; do sleep 3600 ; done
" | (
set +x
read OK;
echo "Connected to $HOST: $OK"
ip link set tun0 up
ip addr add $REMOTE_IP peer $LOCAL_IP/32 dev tun0
ip route add $NETWORK/24 via $REMOTE_IP dev tun0

iptables --append FORWARD --in-interface eth0 -j ACCEPT
iptables --table nat --append POSTROUTING --out-interface tun0 -j MASQUERADE
set +e
read -e -p 'Connected' K iptables --delete FORWARD --in-interface eth0 -j ACCEPT
iptables --table nat --delete POSTROUTING --out-interface tun0 -j MASQUERADE
echo "Use ^C to stop background ssh"
)

Note that the script has very little error checking beyond verifying that REMOTE_IP and LOCAL_IP are on the same /24.

The script is executed as vpn-ssh remote-host local-ip remote-ip. For example:
ssh my-client 192.168.100.130 192.168.100.205
192.168.100.130 is now an IP for the local computer. It may be connected to from the remote computer and anything on the remote network. If you set up your routing properly, other computers on the local network may also connect to the remote network also.

To create a tunnel ssh must run as root and must connect as root on the remote side. You should use have public/private keys set up, as allowing password login for root over ssh is a bad idea. Tunneling and root login are often deactivated by default, so you'll have to turn them on.

No comments: