SSH VPN Tunnel


It is possible to use an SSH server as a VPN concentrator: traffic between two or more subnets is routed through an SSH connection, much like with a standard VPN solution. OpenSSH does this with its tun(4) tunnel feature (ssh -w on the client, PermitTunnel on the server), which creates a point-to-point tun interface on each end of the connection.

Because a network device has to be created on each end, this feature needs the ROOT account (or at least CAP_NET_ADMIN) on the client as well as on the server.

Because of this, make sure:

- that you are using SSH key authentication ONLY !
- that your IPTABLES rules are configured correctly (rules written for eth0 say nothing about the new tun interface) !
- that your SELinux policy is configured correctly !
- that the root login you open is as narrow as possible: PermitRootLogin without-password (prohibit-password in OpenSSH 7.0 and later) or forced-commands-only instead of yes, and authorized_keys options such as from=, tunnel="N", command= and no-pty on the key the tunnel uses !

Creating SSH VPN Tunnel

SSH Server configuration

On the SSH server this type of tunneling has to be enabled in "/etc/ssh/sshd_config":

PermitRootLogin yes                                 # Allow root to log in; without-password (prohibit-password in 7.0+) or forced-commands-only is tighter and still enough for the tunnel
PermitTunnel yes                                    # Enable tun(4) tunneling; point-to-point allows only layer-3 tun devices, no tap (layer-2) devices
PasswordAuthentication no                           # Disable password authentication
AuthorizedKeysFile     .ssh/authorized_keys         # Location of the user's public keys, relative to the home directory
RSAAuthentication yes                               # SSH protocol 1 only; ignored by, and removed from, OpenSSH 7.4 and later
PubkeyAuthentication yes                            # Enable public key authentication (protocol 2)
ChallengeResponseAuthentication no                  # Disable challenge-response (e.g. s/key one-time password) authentication
UsePAM no                                           # Disable PAM; on RHEL/CentOS this also disables PAM account and session handling (pam_access, pam_limits, ...)
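
A tighter variant of the root login above, as an added example that is not part of the original page: a script for the server that installs a root key which can do nothing except open tun1. The public key, the client address 203.0.113.10, the tunnel addresses 10.99.0.1 and 10.99.0.2 and the path /usr/local/sbin/ssh-tun-up are assumptions for illustration. It is meant to be paired with PermitRootLogin forced-commands-only instead of yes in sshd_config, so that a root key without a command= option is refused.

```shell
#!/bin/sh
# Added example, not from the original page: install a root key on the SSH
# server that can do nothing except open tun1.  The public key, the client
# address and the tunnel addresses below are assumptions for illustration.
set -eu

TUN="${TUN:-1}"                                 # tun device the key may open
CLIENT_IP="${CLIENT_IP:-203.0.113.10}"          # the key is only accepted from here
SERVER_TUN_IP="${SERVER_TUN_IP:-10.99.0.2}"     # server end of the point-to-point link
CLIENT_TUN_IP="${CLIENT_TUN_IP:-10.99.0.1}"     # client end of the point-to-point link
FORCED_CMD="${FORCED_CMD:-/usr/local/sbin/ssh-tun-up}"
AUTH_KEYS="${AUTH_KEYS:-/root/.ssh/authorized_keys}"

# Accept only a key line that starts with a public key type ssh-keygen emits
# ("ssh-ed25519 AAAA... comment"); anything else is probably not a .pub file.
key_type_ok() {
    case "$1" in
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-nistp256\ *|ecdsa-sha2-nistp384\ *|ecdsa-sha2-nistp521\ *) return 0 ;;
        *) return 1 ;;
    esac
}

# Compose the authorized_keys entry.  sshd applies these options to the key
# regardless of what the client asks for:
#   tunnel="N"          only tunN may be opened, whatever -w the client sends
#   command="..."       runs instead of the client's command or shell
#   from="..."          the key is only accepted from this address
#   no-pty etc.         no terminal, no port/agent/X11 forwarding
restricted_key_line() {
    printf 'tunnel="%s",command="%s",from="%s",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' \
        "$TUN" "$FORCED_CMD" "$CLIENT_IP" "$1"
}

# The forced command: address the server end of tunN, turn on forwarding and
# idle so that the session, and with it tunN, stays open.  sshd exports what
# the client asked for in SSH_ORIGINAL_COMMAND; it is deliberately ignored.
forced_command_script() {
    cat <<EOF
#!/bin/sh
set -e
ip link set tun$TUN up
ip addr add $SERVER_TUN_IP peer $CLIENT_TUN_IP dev tun$TUN
sysctl -w net.ipv4.ip_forward=1 >/dev/null
while sleep 3600; do :; done
EOF
}

# Install the forced command and append the restricted key (run as root).
install_tunnel_key() {
    key_type_ok "$1" || { echo "not a public key line: $1" >&2; return 1; }
    forced_command_script > "$FORCED_CMD"
    chmod 0755 "$FORCED_CMD"
    mkdir -p "$(dirname "$AUTH_KEYS")"
    chmod 0700 "$(dirname "$AUTH_KEYS")"
    restricted_key_line "$1" >> "$AUTH_KEYS"
    chmod 0600 "$AUTH_KEYS"
}

# Usage: ./install-tunnel-key.sh "$(cat id_tunnel.pub)"
if [ "$#" -eq 1 ]; then
    install_tunnel_key "$1"
fi
```

With this entry in place the client still connects as root, but sshd opens nothing but tun1, runs only the forced command, and refuses the key from any other source address. Restart or reload sshd after changing PermitRootLogin.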

Reload the SSH service

# ps -elf | grep sshd                                                                    # Find the PID of the listening sshd
5 S root     25161     1  0  80   0 - 16651 poll_s 22:16 ?   00:00:00 /usr/sbin/sshd
# kill -HUP 25161                                                                        # Re-read the config; sshd re-executes itself, existing sessions stay up

Restart on CentOS / RHEL (SysV init; on systemd-based releases, CentOS / RHEL 7 and later, use "systemctl restart sshd")

# /etc/init.d/sshd restart
Stopping sshd:                                             [  OK  ]
Starting sshd:                                             [  OK  ]

Establish SSH VPN Tunnel

On the SSH client side run this command:

# ssh -C -w 1:1 root@server

This creates a "tun1" device on the SSH client as well as on the SSH server. The argument to "-w" is "local_tun[:remote_tun]"; the numbers do not have to match (e.g. "-w 0:5"), and "any" picks the next free device. With "-w" the tunnel mode defaults to point-to-point (a layer-3 tun device); "-o Tunnel=ethernet" would request a layer-2 tap device instead, which PermitTunnel on the server must allow.

The "-C" switch compresses the traffic in the tunnel; it helps on slow links and only costs CPU on fast ones.

Check the new “tun” Interface

On both the SSH client and the SSH server a new network interface appears; in our case it is called "tun1". It comes up without an address and carries no traffic until it is configured.

It can be used like any other network interface, you can:
- assign an IP address to it
- route network traffic into it
- …

# ifconfig tun1                                                                       # The same output appears on both ends
tun1      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
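
Putting the steps above together, as an added example that is not part of the original page: a client-side script that opens the tunnel, addresses both ends, routes a LAN behind the server into tun1, checks the link and tears the tunnel down again. The server name "server" is the page's; the addresses 10.99.0.1 and 10.99.0.2, the LAN 192.168.50.0/24 and the remote command string are assumptions. The server ignores that command string if the root key there carries a command= restriction, in which case the forced command has to address the server end instead.

```shell
#!/bin/sh
# Added example, not from the original page: bring the tunnel up from the
# client, address both ends, route a LAN behind the server through it and
# tear it down again.  Hostname and addresses are assumptions for illustration.
set -eu

TUN="${TUN:-1}"                               # tun number on both ends (-w TUN:TUN)
SERVER="${SERVER:-server}"                    # the SSH server
LOCAL_IP="${LOCAL_IP:-10.99.0.1}"             # client end of the point-to-point link
REMOTE_IP="${REMOTE_IP:-10.99.0.2}"           # server end of the point-to-point link
REMOTE_NET="${REMOTE_NET:-192.168.50.0/24}"   # LAN behind the server, reached via the tunnel

# Run a command, or with DRY_RUN set just print it, so the sequence can be
# inspected on a machine without root or without a server.
run() {
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Commands executed as root on the server inside the session that owns the
# tunnel: address the server end, enable forwarding, then idle so the session
# (and with it tunN) stays open.  If the key on the server carries a
# command="..." restriction, sshd runs that instead and this string is ignored.
remote_setup() {
    printf 'ip link set tun%s up && ip addr add %s peer %s dev tun%s && sysctl -w net.ipv4.ip_forward=1 >/dev/null && while sleep 3600; do :; done' \
        "$TUN" "$REMOTE_IP" "$LOCAL_IP" "$TUN"
}

tunnel_up() {
    # -w TUN:TUN creates tunTUN on both sides; Tunnel=point-to-point (already
    # the default with -w, stated explicitly) asks for a layer-3 device, not a
    # tap; ExitOnForwardFailure makes ssh exit instead of carrying on without
    # the tunnel if the server refuses it; -f backgrounds ssh once it is set up.
    run ssh -f -C -o Tunnel=point-to-point -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=15 -w "$TUN:$TUN" "root@$SERVER" "$(remote_setup)"
    # The local tunTUN exists once ssh has returned: address it and route the
    # remote LAN into it.  Hosts on that LAN need a return route to LOCAL_IP
    # via the server, or the server has to NAT for them.
    run ip link set "tun$TUN" up
    run ip addr add "$LOCAL_IP" peer "$REMOTE_IP" dev "tun$TUN"
    run ip route add "$REMOTE_NET" dev "tun$TUN"
    run sysctl -w net.ipv4.ip_forward=1
}

# Reachability of the far end of the link is the first thing to check.
tunnel_check() {
    run ping -c 3 -W 2 "$REMOTE_IP"
}

# Ending the ssh process removes tunTUN on both sides; the addresses and the
# route disappear with the device.
tunnel_down() {
    run pkill -f "ssh -f -C .* -w $TUN:$TUN root@$SERVER"
}

# Usage: ./ssh-tun.sh up | check | down   (DRY_RUN=1 ./ssh-tun.sh up prints the commands)
case "${1:-}" in
    up)    tunnel_up ;;
    check) tunnel_check ;;
    down)  tunnel_down ;;
esac
```

Run "DRY_RUN=1 ./ssh-tun.sh up" first to see the exact ssh and ip commands, then "./ssh-tun.sh up" as root followed by "./ssh-tun.sh check"; if the ping fails, look at the tun interface and the forwarding sysctl on the server before suspecting iptables or SELinux.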