Situation
In general, a VPN allows secure (encrypted and password-protected) access from the internet into a local network. It can also join two local networks across the public internet, encrypting the traffic that crosses the public network.
Starting with version 4.3, ssh includes the option to create "Virtual Private Networks" via a tun interface. A good tutorial is here:
https://help.ubuntu.com/community/SSH_VPN
  +---------------+            OpenSSH 4.3             +---------------+
  |   Machine A   |  tun0 -- Tunnel Interface -- tun0  |   Machine B   |
  |  Has a tunnel |<---------------------------------->|  Has a tunnel |
  |  and ethernet |   10.0.0.100            10.0.0.200 |  and ethernet |
  +-------+-------+      point to point connection     +-------+-------+
     eth0 |                  creates a bridge                  | eth0
10.0.0.100|                that plugs machine B                | 192.168.0.100
  port 22 |                   into network A                   |
forwarded |                                                    |
     here |                                                    |
  +-------+-------+          +-~-~-~-~-~-~-~-+         +-------+-------+
  |   Network A   |          |               |         |   Network B   |
  |  10.0.0.1/24  | 1.2.3.4  |  The Internet |         | 192.168.0.1/24|
  |  Has internet |<-------->|               |<------->|  Has internet |
  |  NAT gateway  | Routable |               |         |  NAT gateway  |
  +---------------+ Address  +-~-~-~-~-~-~-~-+         +---------------+
Backup
To use a VPN over SSH, some configuration has to be done first:
First install the uml-utilities package ("apt-get install uml-utilities") so that tun interfaces can be created with the command "tunctl -t tun0".
ip_forward must also be enabled on the server:
echo 1 > /proc/sys/net/ipv4/ip_forward
The ssh server must be configured in /etc/ssh/sshd_config to accept tunnels:
PermitRootLogin yes
PermitTunnel yes
Ideally, public-key authentication should be configured; to generate the authentication key:
client:~# ssh-keygen
which is then copied to the server:
client:~# ssh-copy-id [server]
Another useful setting is moving the default ssh port, say to 2223: in /etc/ssh/sshd_config put "Port 2223" instead of "Port 22".
So that commands can be run as root from a normal user, add the following line via visudo:
<nume_logon> ALL=(ALL) NOPASSWD: ALL
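Before the first connection attempt it is worth checking that those settings are actually in effect. The following check script is an added example and not part of the original post; it reads sshd_config the way sshd does (the first occurrence of a keyword wins, so a "PermitTunnel yes" appended below an earlier "PermitTunnel no" has no effect) and reads the ip_forward sysctl. The file paths are parameters, an assumption made so the checks can be run against copies of the files; the defaults are the real system paths.

```shell
#!/bin/sh
# Added example, not part of the original post: verify the prerequisites
# listed above before trying to bring up the ssh tun VPN.
# The file paths are parameters (assumption) so the checks can also be run
# against copies of the files; the defaults are the real system paths.

# Print the effective value of an sshd_config keyword.
# sshd takes the FIRST occurrence of a keyword, so a "PermitTunnel yes"
# appended below an earlier "PermitTunnel no" changes nothing; the awk
# program mirrors that rule and ignores comments and blank lines.
sshd_option() {
    awk -v key="$1" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == tolower(key)          { print $2; exit }
    ' "${2:-/etc/ssh/sshd_config}"
}

# Return 0 when the kernel forwards IPv4 packets according to the given file.
ip_forward_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

# Return 0 when a tool that can create tun interfaces is installed
# (tunctl from uml-utilities as in the post, or iproute2's "ip tuntap").
have_tun_tool() {
    command -v tunctl >/dev/null 2>&1 || command -v ip >/dev/null 2>&1
}

# Run the configuration checks; print each problem, return 0 only if none.
check_vpn_prereqs() {
    cfg=${1:-/etc/ssh/sshd_config}
    fwd=${2:-/proc/sys/net/ipv4/ip_forward}
    status=0
    if [ "$(sshd_option PermitTunnel "$cfg")" != "yes" ]; then
        echo "PermitTunnel is not 'yes' in $cfg (first occurrence wins)"
        status=1
    fi
    if ! ip_forward_enabled "$fwd"; then
        echo "IPv4 forwarding is off: $fwd is not 1"
        status=1
    fi
    return $status
}

# Usage on the server: sh check_vpn_prereqs.sh --check
if [ "${1:-}" = "--check" ]; then
    have_tun_tool || echo "no tunctl (uml-utilities) or ip found to create tun0"
    check_vpn_prereqs && have_tun_tool && echo "prerequisites OK"
fi
```

Run it with --check on the server after editing sshd_config and before restarting sshd; a non-zero exit means one of the prerequisites is still missing.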
Solution
#!/bin/bash
###########################################################
#
# Enter the ip of the target you wish to make a tunnel with.
# By ip address or hostname
#
target=11.22.33.44
port=2223
#
###########################################################
# suggestions contact rich at lehcar.no-ip.org
# with thanks to Billy T (for idea and assistance)
###########################################################

# load the tun module locally and create the local tun0 interface
/usr/bin/sudo /sbin/modprobe tun
/usr/bin/sudo tunctl -t tun0

# load the tun module and create tun0 on the remote side
/usr/bin/ssh -p "$port" "$target" "/usr/bin/sudo /sbin/modprobe tun; /usr/bin/sudo tunctl -t tun0"
/bin/sleep 1

# open the tunnel itself: -w 0:0 joins local tun0 to remote tun0,
# -f backgrounds ssh once connected (autossh variant kept commented out)
#/usr/bin/sudo /usr/bin/autossh -p "$port" -M 0 -o "ServerAliveInterval 60" -o "ServerAliveCountMax 3" -fw 0:0 "$target" /bin/true
/usr/bin/sudo /usr/bin/ssh -p "$port" -o "ServerAliveInterval 60" -o "ServerAliveCountMax 3" -fw 0:0 "$target" /bin/true
/bin/sleep 4

# point-to-point addresses on the /30 link: 192.168.5.2 remote, 192.168.5.1 local
/usr/bin/ssh -p "$port" "$target" "/usr/bin/sudo /sbin/ifconfig tun0 192.168.5.2 pointopoint 192.168.5.1 netmask 255.255.255.252 broadcast 192.168.5.3"
/usr/bin/sudo /sbin/ifconfig tun0 192.168.5.1 pointopoint 192.168.5.2 netmask 255.255.255.252 broadcast 192.168.5.3

# NAT and forwarding between tun0 and eth0 on the local side
/usr/bin/sudo /usr/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
/usr/bin/sudo /usr/sbin/iptables -A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
/usr/bin/sudo /usr/sbin/iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT

# the same NAT and forwarding rules on the remote side
/usr/bin/ssh -p "$port" "$target" "/usr/bin/sudo /usr/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE"
/usr/bin/ssh -p "$port" "$target" "/usr/bin/sudo /usr/sbin/iptables -A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT"
/usr/bin/ssh -p "$port" "$target" "/usr/bin/sudo /usr/sbin/iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT"
######################################################
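The script above accepts and masquerades everything that arrives on tun0, in both directions. As an added example (not the original script, and not taken from the Slackware or Ubuntu pages), here is the same point-to-point tunnel expressed with iproute2's ip instead of tunctl/ifconfig, with NAT and forwarding limited to one named LAN prefix. The functions only print the commands, so they can be reviewed and then piped into sudo sh locally or into ssh for the remote side; the /30 addresses, interface names and LAN prefix are parameters, which is an assumption of this example, and the peer still needs "PermitTunnel yes" and a matching ssh -w run exactly as in the original.

```shell
#!/bin/sh
# Added example, not the original script: generate the commands for one
# side of the ssh tun VPN with iproute2, restricting NAT and forwarding to
# one LAN prefix instead of all traffic on tun0.
# Assumptions: the local /30 address, LAN prefix and interface names are
# parameters; output is meant to be run as root ("... | sudo sh").

# Given one end of a /30 point-to-point link, print the other end.
# In 192.168.5.0/30 the usable hosts are .1 and .2 (.3 is the broadcast).
p2p_peer() {
    last=${1##*.}
    prefix=${1%.*}
    base=$(( last / 4 * 4 ))
    case $(( last - base )) in
        1) echo "$prefix.$(( base + 2 ))" ;;
        2) echo "$prefix.$(( base + 1 ))" ;;
        *) return 1 ;;   # network or broadcast address, not a host
    esac
}

# Print the commands that bring up this side of the tunnel. Nothing runs
# here; pipe the output to sh on this machine, or to ssh for the peer.
tunnel_up_cmds() {
    local_ip=$1 lan=$2 tun=${3:-tun0} eth=${4:-eth0}
    peer=$(p2p_peer "$local_ip") || return 1
    cat <<EOF
modprobe tun
sysctl -w net.ipv4.ip_forward=1
ip tuntap add dev $tun mode tun
ip addr add $local_ip peer $peer dev $tun
ip link set $tun up
iptables -t nat -A POSTROUTING -s $peer/32 -d $lan -o $eth -j MASQUERADE
iptables -A FORWARD -i $tun -o $eth -s $peer/32 -d $lan -j ACCEPT
iptables -A FORWARD -i $eth -o $tun -d $peer/32 -m state --state RELATED,ESTABLISHED -j ACCEPT
EOF
}

# Mirror of tunnel_up_cmds: delete the iptables rules (-D) in reverse
# order and remove the interface, which also drops its address.
tunnel_down_cmds() {
    tunnel_up_cmds "$@" | awk '
        /^iptables/      { sub(" -A ", " -D "); lines[++n] = $0; next }
        /^ip tuntap add/ { sub("add", "del");   lines[++n] = $0; next }
        END { for (i = n; i > 0; i--) print lines[i] }
    '
}

# Usage: sh tunnel_cmds.sh up 192.168.5.1 10.0.0.0/24 | sudo sh
#        sh tunnel_cmds.sh down 192.168.5.1 10.0.0.0/24 | sudo sh
case ${1:-} in
    up)   shift; tunnel_up_cmds "$@" ;;
    down) shift; tunnel_down_cmds "$@" ;;
esac
```

The FORWARD rules name both the tunnel peer and the destination LAN, so a host that reaches the far end of the tunnel only gets the prefix you chose rather than everything eth0 can route to; the down command set exists so the rules do not outlive the tunnel.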
Solution type
Permanent
Collateral impact
(source https://docs.slackware.com/howtos:network_services:tunnel_interfaces)
Another good tutorial can be found at
https://tuxtor.blogspot.ro/2010/11/how-to-use-ssh-for-internet-connection.html