Today I had some connection problems in one of our offices, so I needed to connect in some alternative way. A good moment for experimenting… The alternative connection was my laptop acting as a router connected with my mobile phone via Bluetooth.

The problems come with the VPN connections. IPsec is nice, but you can hate it for lots of things… i.e. all tunnels are set up using static IP addresses, so in order to use the alternate connection (dynamic IP) I need to change the IPsec config of the other offices.

So today I wanted to try something new: tunneling IP traffic from one network to another over an SSH connection. And it works. Gentoo’s wiki has some information on the subject.

In brief, on the server you need to:

Add “PermitTunnel yes” to /etc/ssh/sshd_config

Now, on the client it’s as easy as running ssh with some parameters. My script for launching it is:

#!/bin/sh
HOST=REMOTE_PARTY_ADDRESS
HOST_PORT=22
TUN_LOCAL=0   # tun device number here.
TUN_REMOTE=0  # tun device number there
IP_LOCAL=192.168.111.2 # IP Address for tun here
IP_REMOTE=192.168.111.1 # IP Address for tun there.
IP_MASK=30 # Mask of the ips above.
NET_REMOTE=192.168.0.0/16 # Network on the other side of the tunnel
NET_LOCAL=192.168.8.0/24  # Network on this side of the tunnel
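
echo "Starting VPN tunnel ..."
modprobe tun  # make sure the tun driver is loaded
# -w requests tun device forwarding (local:remote); -f sends ssh to the
# background just before the remote command, which configures the far end, runs.
ssh -w ${TUN_LOCAL}:${TUN_REMOTE} -f ${HOST} -p ${HOST_PORT} "\
	ip addr add ${IP_REMOTE}/${IP_MASK} dev tun${TUN_REMOTE} \
	&& ip link set tun${TUN_REMOTE} up \
	&& ip route add ${NET_LOCAL} via ${IP_LOCAL} \
	&& true"
sleep 3  # give the tunnel a moment to come up
# Configure the local end of the tunnel and route the remote network through it.
ip addr add ${IP_LOCAL}/${IP_MASK} dev tun${TUN_LOCAL}
ip link set tun${TUN_LOCAL} up
ip route add ${NET_REMOTE} via ${IP_REMOTE}
echo "... done."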

You’ll probably want to run this as root, because of the “ip” commands and so on ;)

It’s still far from perfect (i.e. the tunnel dies too often for some reason… although keepalive is set). But at least people around can print again! Luckily, VoIP is handled outside the VPN.
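
A server-side check for the PermitTunnel step above, as an added example that is not part of the original post: it reads the effective settings in the form printed by `sshd -T` and flags values broader than this tun setup needs. It assumes the tunnel user is root (the remote “ip” commands in the script imply that); the function name and sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the sshd settings that matter for `ssh -w` tunnels.
# Input: "keyword value" lines as printed by `sshd -T` (lowercase keywords).

audit_tunnel_config() {
    tunnel=no          # OpenSSH default when PermitTunnel is not set
    rootlogin=unknown
    while read -r key value _rest; do
        case "$key" in
            permittunnel)    tunnel=$value ;;
            permitrootlogin) rootlogin=$value ;;
        esac
    done

    case "$tunnel" in
        no)             echo "INFO: permittunnel=no, ssh -w will be refused" ;;
        point-to-point) echo "OK: permittunnel=point-to-point (layer 3 tun only)" ;;
        yes|ethernet)   echo "WARN: permittunnel=$tunnel permits layer 2 (tap) forwarding; tun needs only point-to-point" ;;
        *)              echo "WARN: permittunnel=$tunnel is not a known value" ;;
    esac

    # Root login only matters here if tunnels are enabled at all.
    if [ "$tunnel" = no ]; then return 0; fi
    case "$rootlogin" in
        yes)
            echo "WARN: permitrootlogin=yes does not restrict root to key authentication" ;;
        prohibit-password|without-password|forced-commands-only)
            echo "OK: permitrootlogin=$rootlogin (keys only)" ;;
        no)
            echo "INFO: permitrootlogin=no, the tunnel user needs another way to run ip" ;;
        *)
            echo "WARN: permitrootlogin=$rootlogin could not be classified" ;;
    esac
}

# Constructed sample inputs (not taken from any real server).
WEAK='permitrootlogin yes
permittunnel yes'
HARDENED='permitrootlogin prohibit-password
permittunnel point-to-point'

echo "--- weak ---";     printf '%s\n' "$WEAK"     | audit_tunnel_config
echo "--- hardened ---"; printf '%s\n' "$HARDENED" | audit_tunnel_config
```

On a real server, pipe the output of `sshd -T` (run as root) into `audit_tunnel_config` instead of the constructed samples.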