xref: /freebsd/crypto/openssh/README.tun (revision 761efaa70c2ed8d35722b7bc234a46bf2457f876)
How to use OpenSSH-based virtual private networks
-------------------------------------------------

OpenSSH contains support for VPN tunneling using the tun(4) network
tunnel pseudo-device which is available on most platforms, either for
layer 2 or 3 traffic.

The following brief instructions on how to use this feature use
a network configuration specific to the OpenBSD operating system.

(1) Server: Enable support for SSH tunneling

To enable the ssh server to accept tunnel requests from the client, you
have to add the following option to the ssh server configuration file
(/etc/ssh/sshd_config):

	PermitTunnel yes

Restart the server or send the hangup signal (SIGHUP) to let the server
reread its configuration.

(2) Server: Restrict client access and assign the tunnel

The OpenSSH server uses the options field in /root/.ssh/authorized_keys
to restrict the client to a specified tunnel device and to start the
related interface configuration command automatically. These settings
are optional but recommended:

	tunnel="1",command="sh /etc/netstart tun1" ssh-rsa ... reyk@openbsd.org

(3) Client: Configure the local network tunnel interface

Use the hostname.if(5) interface-specific configuration file to set up
the network tunnel configuration with OpenBSD. For example, use the
following configuration in /etc/hostname.tun0 to set up the layer 3
tunnel on the client:

	inet 192.168.5.1 255.255.255.252 192.168.5.2

OpenBSD also supports layer 2 tunneling over the tun device by adding
the link0 flag:

	inet 192.168.1.78 255.255.255.0 192.168.1.255 link0

Layer 2 tunnels can be used in combination with an Ethernet bridge(4)
interface, like the following example for /etc/bridgename.bridge0:

	add tun0
	add sis0
	up

(4) Client: Configure the OpenSSH client

To establish tunnel forwarding for connections to a specified
remote host by default, use the following ssh client configuration for
the privileged user (in /root/.ssh/config):

	Host sshgateway
		Tunnel yes
		TunnelDevice 0:any
		PermitLocalCommand yes
		LocalCommand sh /etc/netstart tun0

A more complicated configuration is possible to establish a tunnel to
a remote host which is not directly accessible by the client.
The following example describes a client configuration to connect to
the remote host over two ssh hops in between. It uses the OpenSSH
ProxyCommand in combination with the nc(1) program to forward the final
ssh tunnel destination over multiple ssh sessions.

	Host access.somewhere.net
		User puffy
	Host dmzgw
		User puffy
		ProxyCommand ssh access.somewhere.net nc dmzgw 22
	Host sshgateway
		Tunnel Ethernet
		TunnelDevice 0:any
		PermitLocalCommand yes
		LocalCommand sh /etc/netstart tun0
		ProxyCommand ssh dmzgw nc sshgateway 22

The following network plan illustrates the previous configuration in
combination with layer 2 tunneling and Ethernet bridging.

+--------+       (          )      +----------------------+
| Client |------(  Internet  )-----| access.somewhere.net |
+--------+       (          )      +----------------------+
    : 192.168.1.78                             |
    :.............................         +-------+
     Forwarded ssh connection    :         | dmzgw |
     Layer 2 tunnel              :         +-------+
                                 :             |
                                 :             |
                                 :      +------------+
                                 :......| sshgateway |
                                      | +------------+
--- real connection                 Bridge ->  |          +----------+
... "virtual connection"                     [ X ]--------| somehost |
[X] switch                                                +----------+
                                                          192.168.1.25

(5) Client: Connect to the server and establish the tunnel

Finally, connect to the OpenSSH server to establish the tunnel by using
the following command:

	ssh sshgateway

It is also possible to tell the client to fork into the background after
the connection has been successfully established:

	ssh -f sshgateway true

Without the ssh configuration done in step (4), it is also possible
to use the following command lines:

	ssh -fw 0:1 sshgateway true
	ifconfig tun0 192.168.5.1 192.168.5.2 netmask 255.255.255.252

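The authorized_keys options from step (2) are what keep a tunnel-capable key from claiming any tun device or from getting an unrestricted command channel once PermitTunnel is on. The audit below is an added example, not part of OpenSSH or this README: it parses the options field in front of each key using the syntax sshd(8) documents (comma-separated, with quoted values that may contain commas, blanks and backslash-escaped quotes) and reports keys that lack a pinned tunnel="N" or a forced command=. KEY_TYPES and SAMPLE are constructed for the example, and the key material is a placeholder.

```python
# Added example, not OpenSSH code: audit authorized_keys lines for step (2)'s restrictions.
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-", "sk-")

def parse_options(line):
    """Options in front of the key as {name: value} (None for bare flags)."""
    items, cur, in_quote, i = [], "", False, 0
    while i < len(line):
        c = line[i]
        if in_quote and c == "\\" and line[i + 1:i + 2] == '"':
            cur += '"'                                # escaped quote in a value
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        elif c.isspace() and not in_quote:            # field ends at first unquoted blank
            break
        elif c == "," and not in_quote:               # unquoted comma ends an option
            items.append(cur)
            cur = ""
        else:
            cur += c
        i += 1
    if cur.startswith(KEY_TYPES):                     # line has no options field
        return {}
    items.append(cur)
    parts = (it.partition("=") for it in items if it)
    return {name.lower(): (value if sep else None) for name, sep, value in parts}

def audit(text):
    """Return [(lineno, finding), ...]; an empty list means every key is pinned."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        opts = parse_options(line)
        if "tunnel" not in opts:
            findings.append((n, "no tunnel= option: any tun device may be requested"))
        elif not (opts["tunnel"] or "").isdigit():
            findings.append((n, "tunnel=%r does not pin one device" % opts["tunnel"]))
        if "command" not in opts:
            findings.append((n, "no command=: sshd will not run the interface setup"))
    return findings
# Constructed sample lines; the key material is a placeholder, not a real key.
SAMPLE = """\
tunnel="1",command="sh /etc/netstart tun1" ssh-rsa AAAA...PLACEHOLDER reyk@openbsd.org
ssh-ed25519 AAAA...PLACEHOLDER admin@example
restrict,tunnel="any",command="sh /etc/netstart tun2, echo \\"up\\"" ssh-ed25519 AAAA... ops
no-pty,tunnel="3" ssh-rsa AAAA...PLACEHOLDER nocmd
"""
```

Run audit() over the concatenated authorized_keys files of every account on the server, since sshd opens the tun device for any authenticated user once PermitTunnel is enabled.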
Using OpenSSH tunnel forwarding is a simple way to establish secure
and ad hoc virtual private networks. Possible fields of application
could be wireless networks or administrative VPN tunnels.

Nevertheless, ssh tunneling requires some packet header overhead and
runs on top of TCP. It is still suggested to use the IP Security
Protocol (IPSec) for robust and permanent VPN connections and to
interconnect corporate networks.

	Reyk Floeter

$OpenBSD: README.tun,v 1.4 2006/03/28 00:12:31 deraadt Exp $