人生在世，看得透，又看得远者prevail everywhere.

ppt.cc/fRZTnx ppt.cc/fSZ3cx ppt.cc/fLOuCx ppt.cc/fE9Nux ppt.cc/fL5Kyx ppt.cc/fVjECx ppt.cc/fIr1ax ppt.cc/fEnHsx ppt.cc/f71Yqx tecmint.com linuxcool.com linux.die.net linux.it.net.cn ostechnix.com unix.com man.linuxde.net bit.ly/2EzoUDo bit.ly/2v6jGJi bit.ly/2tW6eYT bit.ly/2X6vadl bit.ly/2viLpHU linuxprobe.com linuxtechi.com linuxstory.org systutorials.com ghacks.net linuxopsys.com reurl.cc/NpzMWe reurl.cc/WrgYdx reurl.cc/Yv4Yvo reurl.cc/Lmy90K reurl.cc/Rr5aeG

Tuesday 31 May 2016

用ssh tunnel创建一个vpn网络

OpenSSH 4.3 comes with TUN/TAP support. This means that you can establish an encrypted virtual tunnel between two computers. This tunnel can be used to establish a VPN between these two networks. In the sample network you can establish an SSH connection to 55.56.57.58 but not the other two machines because they're firewalled off. Using an SSH VPN tunnel you can gain access to that entire network (anything that 55.56.57.58 would have access to). To clarify this is not SSH port forwarding. This is full IP forwarding using a tunnel interface.

This is done by creating a tunnel between your home PC (1.2.3.4) and the network gateway PC (55.56.57.58). This is done with the -w command in SSH.

ssh -w0:0 55.56.57.58This creates a tun0 interface on both ends of the SSH session. Once the tunnel is established you will need to put an IP on both sides of the tunnel using the following commands. Note: the PermitTunnel option must be turned on in your sshd_config file for this to work.

# IP Address for your Home PC
ifconfig tun0 10.0.2.1 netmask 255.255.255.252

# IP Address for the network gateway PC
ifconfig tun0 10.0.2.2 netmask 255.255.255.252

At this point you should be able to ping both sides of the tunnel from both machines. Now a little Linux routing knowledge comes in handy. You'll need two route statements to do this. One to force access to the network gateway PC to go out eth0 (or whatever your output device is), and the other to tell it to use tun0 for access to the rest of that subnet.

route add -host 55.56.57.58 dev eth0
route add -net 55.56.57.58/24 dev tun0

Everything will route properly now, but the firewalled machines will not know how to get back to your home PC. A little NAT will fix that right up. You'll need to setup IP Forwarding and NAT on the network gateway PC to masquerade all requests from your home PC.

echo 1 > /proc/sys/net/ipv4/ip_forward
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

from http://www.perturb.org/display/770_OpenSSH_4_3_VPN_Example.html

-----------------------------------------------

VPN WITH SSH

As of version 4.3, OpenSSH can use the tun/tap device to encrypt a tunnel. This is very similar to other TLS based VPN solutions like OpenVPN. One advantage with SSH is that there is no need to install and configure additional software. Additionally the tunnel uses the SSH authentication like pre shared keys. The drawback is that the encapsulation is done over TCP which might result in poor performance on a slow link. Also the tunnel is relying on a single (fragile) TCP connection. This technique is very useful for a quick IP based VPN setup. There is no limitation as with the single TCP port forward, all layer 3/4 protocols like ICMP, TCP/UDP, etc. are forwarded over the VPN. In any case, the following options are needed in the sshd_conf file:

PermitRootLogin yes
PermitTunnel yes

Single P2P connection

Here we are connecting two hosts, hclient and hserver with a peer to peer tunnel. The connection is started from hclient to hserver and is done as root. The tunnel end points are 10.0.1.1 (server) and 10.0.1.2 (client) and we create a device tun5 (this could also be an other number). The procedure is very simple:

Connect with SSH using the tunnel option -w
Configure the IP addresses of the tunnel. Once on the server and once on the client.

Connect to the server

Connection started on the client and commands are executed on the server.

Server is on Linux

cli># ssh -w5:5 root@hserver
srv># ifconfig tun5 10.0.1.1 netmask 255.255.255.252   # Executed on the server shell

Server is on FreeBSD

cli># ssh -w5:5 root@hserver
srv># ifconfig tun5 10.0.1.1 10.0.1.2                  # Executed on the server shell

Configure the client

Commands executed on the client:

cli># ifconfig tun5 10.0.1.2 netmask 255.255.255.252   # Client is on Linux
cli># ifconfig tun5 10.0.1.2 10.0.1.1                  # Client is on FreeBSD

The two hosts are now connected and can transparently communicate with any layer 3/4 protocol using the tunnel IP addresses.

Connect two networks

In addition to the p2p setup above, it is more useful to connect two private networks with an SSH VPN using two gates. Suppose for the example, netA is 192.168.51.0/24 and netB 192.168.16.0/24. The procedure is similar as above, we only need to add the routing. NAT must be activated on the private interface only if the gates are not the same as the default gateway of their network.
192.168.51.0/24 (netA)|gateA <-> gateB|192.168.16.0/24 (netB)

Connect with SSH using the tunnel option -w.
Configure the IP addresses of the tunnel. Once on the server and once on the client.
Add the routing for the two networks.
If necessary, activate NAT on the private interface of the gate.

The setup is started from gateA in netA.

Connect from gateA to gateB

Connection is started from gateA and commands are executed on gateB.

gateB is on Linux

gateA># ssh -w5:5 root@gateB
gateB># ifconfig tun5 10.0.1.1 netmask 255.255.255.252 # Executed on the gateB shell
gateB># route add -net 192.168.51.0 netmask 255.255.255.0 dev tun5
gateB># echo 1 > /proc/sys/net/ipv4/ip_forward        # Only needed if not default gw
gateB># iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

gateB is on FreeBSD

gateA># ssh -w5:5 root@gateB                          # Creates the tun5 devices
gateB># ifconfig tun5 10.0.1.1 10.0.1.2               # Executed on the gateB shell
gateB># route add 192.168.51.0/24 10.0.1.2
gateB># sysctl net.inet.ip.forwarding=1               # Only needed if not default gw
gateB># natd -s -m -u -dynamic -n fxp0                # see NAT
gateA># sysctl net.inet.ip.fw.enable=1

Configure gateA

Commands executed on gateA:

gateA is on Linux

gateA># ifconfig tun5 10.0.1.2 netmask 255.255.255.252
gateA># route add -net 192.168.16.0 netmask 255.255.255.0 dev tun5
gateA># echo 1 > /proc/sys/net/ipv4/ip_forward
gateA># iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

gateA is on FreeBSD

gateA># ifconfig tun5 10.0.1.2 10.0.1.1
gateA># route add 192.168.16.0/24 10.0.1.2
gateA># sysctl net.inet.ip.forwarding=1
gateA># natd -s -m -u -dynamic -n fxp0                # see NAT
gateA># sysctl net.inet.ip.fw.enable=1

The two private networks are now transparently connected via the SSH VPN. The IP forward and NAT settings are only necessary if the gates are not the default gateways. In this case the clients would not know where to forward the response, and nat must be activated.

from http://sleepyhead.de/howto/?href=vpn
--------

用openssh的tunnel建立vpn

A机能用ssh登录B机

A机的IP：172.16.8.106
B机的IP：172.16.8.108
A机拨通vpn tunnel后tun的ip：192.168.244.2
B机拨通vpn tunnel后tun的ip：192.168.244.1

首先编辑A和B的/etc/ssh/sshd_config，允许tunnel，缺省是不允许的，然后service sshd restart ，重启sshd

...
PermitTunnel yes  
...

A和B安装linux下的tun软件，并启动一个tunnel设备：

yum install tunctl  
tunctl -t tun5 -u root

在A(172.16.8.106)机器上生成key，并设置能无密码证书直接登录B(172.16.8.108)

ssh-keygen  
ssh-copy-id root@172.16.8.108

在A上执行命令，建立ssh tunnel：

ssh -w 5:5 root@172.168.8.108

在A上执行

ifconfig tun5 192.168.244.2 pointopoint 192.168.244.1 netmask 255.255.255.0

在B上执行

ifconfig tun5 192.168.244.1 pointopoint 192.168.244.2 netmask 255.255.255.0

这样分别在A和B上ping 192.168.244.1和192.168.244.2，都能通就表示已经ok了。

优化一下，A和B两边都先把tun5起来以后，直接在A上一句话搞定，这个不会自动退出，所以得ctrl+z，然后bg放后台去：

ssh \  
  -o PermitLocalCommand=yes \
  -o LocalCommand="ifconfig tun5 192.168.244.2 pointopoint 192.168.244.1 netmask 255.255.255.0" \
  -o ServerAliveInterval=60 \
  -w 5:5 root@172.16.8.108 \
  'ifconfig tun5 192.168.244.1 pointopoint 192.168.244.2 netmask 255.255.255.0; echo tun5 ready'

如果要用在翻墙的环境，那就得保持长链接了。假设A机器是在一个防火墙后，且被NAT了，那么就得先这样打通隧道：

ssh -f -w5:5 vpn@example.com \  
        -o ServerAliveInterval=30 \
        -o ServerAliveCountMax=5 \
        -o TCPKeepAlive=yes \
        -i ~/.ssh/id_rsa "sleep 1000000000"

然后在A和B上分别单独配置ip即可。
再进阶：假设A要建立独立的netns空间，加ip及网关如下：

ip net add ns-vpn  
ip net exec ip addr add  100.64.42.2/24 dev tun42  
ip net exec ip link set up dev tun42  
ip net exec ip route add default via 100.64.42.1

再在B的/etc/sysctl.conf打开转发

net.ipv4.ip_forward = 1

sysctl -p

iptables -t nat -A POSTROUTING -s 192.168.244.0/24 -j SNAT --to 172.16.8.108

A就可以通过B代理出去了。
--------------------------------------

使用 SSH 建立 VPN

自 4.3 版开始，OpenSSH 可以使用 tun/tap 设备来加密一个隧道。其非常类似于基于 TLS 的 VPN 解决方案(像 OpenVPN)。对于 SSH 的一个优势是，她不需要安装和配置额外的软件。另外隧道使用 SSH 认证(像共享密钥)。其缺点是，对于一个缓慢的连接，其传输效率较低。并且这个隧道依赖于单个(易断的) TCP 链接。这个技术对于快速设置一个基于 IP 的 VPN 来说非常有用。她对于用单个 TCP 端口转发没有限制，并且在所有 3/4 层协议像 ICMP、TCP/UDP 等上都可用。不管怎么样，下面这些选择在 sshd_conf 文件中是必须的：

PermitRootLogin yes
PermitTunnel yes

单个 P2P 连接

这里，我们用点对点隧道连接 hclient 和 hserver 两个主机。这个连接是_从 hclient 开始_到 hserver 的，并且是用 root 来做。这个通道的连接点是 10.0.1.1(服务端)和 10.0.1.2(客户端)，然后我们创建设备 tun5(当然也可以是其它数字)。这个过程非常简单：

使用 SSH 的通道选项 -w 来连接

设置隧道的 IP 地址。服务端和客户端各一次。

连接到服务端

连接始于客户端,然后再服务端执行命令。

Linux上的服务端

cli># ssh -w5:5 
root@hserversrv># ifconfig tun5 10.0.1.1 netmask 255.255.255.252   # 在服务端 shell 上执行

FreeBSD上的服务端

cli># ssh -w5:5 root@hserversrv># ifconfig tun5 10.0.1.1 10.0.1.2                  # 在服务端 shell 上执行

连接到客户端

在客户端上执行命令：

cli># ifconfig tun5 10.0.1.2 netmask 255.255.255.252   # Linux上的客户端
cli># ifconfig tun5 10.0.1.2 10.0.1.1                  # FreeBSD上的客户端

现在两个主机都连上了，并且可以在任何 3/4 层协议上使用此通道 IP 地址透明的通讯。

连接两个网络

除上面的 p2p 设置外，一个更有用的是SSH VPN 用两个 gate 连接两个私有网络。假设有这样一个例子，netA 为 192.168.51.0/24 还有 netB 为 192.168.16.0/24。设置过程同上面相似，我们只需要添加 routing。如果 gate 不同于默认网关，那在私有网络接口上必须开启 NAT。
192.168.51.0/24 (netA)|gateA <-> gateB|192.168.16.0/24 (netB)

使用隧道选项 -w 连接 SSH。

配置隧道的 IP 地址。服务端和客户端各一次。

为两个网络添加 routing。

如果需要，在 gate 的私有网络接口上开启 NAT。
设置是_从 netA 中的 gasteA 开始的_.

连接 gateA 到 gateB

连接从 gateA 开始，命令执行于 gateB。

Linux 上的 gateB

gateA># ssh -w5:5 
root@gateBgateB># ifconfig tun5 10.0.1.1 netmask 255.255.255.252 # 在 gateB 的 shell 中执行
gateB># route add -net 192.168.51.0 netmask 255.255.255.0 dev tun5
gateB># echo 1 > /proc/sys/net/ipv4/ip_forward         # 如果不是默认网关
gateB># iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

FreeBSD 上的 gateB

gateA># ssh -w5:5 root@gateB                          # 创建 tun5 设备
gateB># ifconfig tun5 10.0.1.1 10.0.1.2               # 在 gateB 的 shell 中执行
gateB># route add 192.168.51.0/24 10.0.1.2
gateB># sysctl net.inet.ip.forwarding=1               # 如果不是默认网关
gateB># natd -s -m -u -dynamic -n fxp0                # 看 NATgateA># sysctl net.inet.ip.fw.enable=1

配置 gateA

在 gateA 上执行命令：

Linux 上的 gateA

gateA># ifconfig tun5 10.0.1.2 netmask 255.255.255.252
gateA># route add -net 192.168.16.0 netmask 255.255.255.0 dev tun5
gateA># echo 1 > /proc/sys/net/ipv4/ip_forward
gateA># iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

FreeBSD 上的 gateA

gateA># ifconfig tun5 10.0.1.2 10.0.1.1
gateA># route add 192.168.16.0/24 10.0.1.2
gateA># sysctl net.inet.ip.forwarding=1
gateA># natd -s -m -u -dynamic -n fxp0                # 看 NAT
gateA># sysctl net.inet.ip.fw.enable=1

现在两个私有网络都可以通过 SSH VPN 来透明的连接。如果 gate 不是默认网关，那么 IP 转发和 NAT 设置都是必须的。在这种情况下，客户端将不知道在哪里转发响应(response)，并且 NAT 必须是开启的。

from https://www.kancloud.cn/kancloud/unix-toolbox/50744

-------------------

相关帖子：http://briteming.blogspot.sg/2015/11/sshvpnsshvpn.html

Total Pageviews