* Author: Christian Birchinger
* Last modified: 23. June 2008

* Example values:
  - Server VPN IP     192.168.5.1
  - Client VPN IP     192.168.5.2
  - Server tun device tun0
  - Client tun device tun0
  - Server public IP  1.2.3.4

* Requirements
  - The server's sshd config needs "without-password" or "forced-commands-only"
    on "PermitRootLogin". I don't recommend "yes".
  - Tun/Tap support.

* Key Setup:
  - Client: Create a pair of ssh keys.

    # ssh-keygen -t dsa -f /etc/sshvpn/id_dsa-tun0

  - Server: Install the public key (id_dsa-tun0.pub) with command restrictions
    on the server.

    ~/.ssh # cat authorized_keys2
    tunnel="0",command="/etc/init.d/net.tun0 stop zap &>/dev/null; /etc/init.d/net.tun0 start" ssh-dss root@client

* /etc/conf.d/net configuration setup:

  WARNING: Server based "/etc/conf.d/net" methods are all flawed. Consider
  using the server side helper script (see optional stuff).

  - Server (/etc/conf.d/net):
------------------------------------------------------------------------------
# Tunnels
#
config_tun0=( "192.168.5.1 pointopoint 192.168.5.2" )
------------------------------------------------------------------------------
    The problem with this solution is that the server's net.tun0 stays
    "started" when the client exits.

    As an alternative solution on the server you can configure the interface
    directly in the ssh remote command or use a helper (see optional stuff):

    ~/.ssh # cat authorized_keys2
    tunnel="0",command="/sbin/ifconfig tun0 192.168.5.1 pointopoint 192.168.5.2 up" ssh-dss root@client

  - Client (/etc/conf.d/net):
------------------------------------------------------------------------------
# SSH/tuntap client
RC_NEED_tun0="net.eth0"
config_tun0=( "192.168.5.2 pointopoint 192.168.5.1" )

preup() {
    if [ "${IFACE}" = "tun0" ]; then
        # Open the master connection in the background and request tun 0:0;
        # the control socket lets postdown() tear it down again.
        ssh -i /etc/sshvpn/id_dsa-"${IFACE}" -S /var/run/ssh-"${IFACE}"-control \
            -M -f -w 0:0 1.2.3.4 true || return 1
        # The tun device appears only once the tunnel is up.
        until ifconfig "${IFACE}" up 2>/dev/null; do sleep 1; done
        return 0
    fi
}

postdown() {
    if [ "${IFACE}" = "tun0" ]; then
        ssh -S /var/run/ssh-"${IFACE}"-control -O exit 1.2.3.4 || return 1
        return 0
    fi
}
------------------------------------------------------------------------------

* Optional Stuff:
  - Additional routes on the client (/etc/conf.d/net):
------------------------------------------------------------------------------
routes_tun0=( "10.0.0.0/8 dev tun0" )
------------------------------------------------------------------------------

  - Server side helper script:
------------------------------------------------------------------------------
#!/bin/bash
#
# Usage: copy to /etc/sshvpn/server-tun0 and configure "authorized_keys" with:
#
# tunnel="0",command="/etc/sshvpn/server-tun0" ssh-dss root@client
#
#

INTERFACE="tun0"
SERVER_IP="192.168.5.1"
CLIENT_IP="192.168.5.2"
IFCONFIG="/sbin/ifconfig"
LOGGER="/usr/bin/logger"

# SSH_CLIENT is "client-ip client-port server-port"; keep "client-ip:client-port"
# for the log message.
remote="${SSH_CLIENT/ /:}"
remote="${remote// *}"

${IFCONFIG} ${INTERFACE} ${SERVER_IP} pointopoint ${CLIENT_IP} up
retval=$?

# Without logger, just pass the ifconfig result back to sshd.
[ -x "${LOGGER}" ] || exit ${retval}

if [ "$retval" = 0 ]; then
    ${LOGGER} -t sshvpn -p daemon.info "SSH VPN Connection with ${remote} established."
else
    ${LOGGER} -t sshvpn -p daemon.error "SSH VPN Connection from ${remote} failed."
fi

exit ${retval}
------------------------------------------------------------------------------
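The whole setup rests on two server-side settings: the tunnel key being locked to a tunnel number plus a forced command, and PermitRootLogin not being "yes". The following audit helper is an added example, not part of this HOWTO; it reads an authorized_keys file and an sshd_config whose paths are passed as arguments (an assumption) and reports lines that lack those restrictions.

```sh
#!/bin/sh
# Added audit helper, not part of the original HOWTO. File paths passed to
# audit() are assumptions; everything it checks for is named in the HOWTO.
# 0 if an authorized_keys line carries both tunnel="N" and command="..." options.
has_tunnel_restrictions() {
    case "$1" in
        *tunnel=\"[0-9]*\"*command=\"*\"*|*command=\"*\"*tunnel=\"[0-9]*\"*) return 0 ;;
        *) return 1 ;;
    esac
}
# Prints the hardening options still missing from the line (space separated);
# a forced command blocks an interactive shell, not PTY allocation or forwarding.
missing_hardening() {
    missing=""
    for opt in no-pty no-port-forwarding no-X11-forwarding no-agent-forwarding; do
        case "$1" in
            *"$opt"*) ;;
            *) missing="$missing $opt" ;;
        esac
    done
    printf '%s' "${missing# }"
}
# Prints the effective PermitRootLogin from an sshd_config: sshd keeps the first
# occurrence, comment lines are ignored, Match blocks are not evaluated here.
permit_root_login() {
    awk 'tolower($1) == "permitrootlogin" && v == "" { v = $2 }
         END { print (v == "" ? "unset" : v) }' "$1"
}
# 0 if the value is one the HOWTO accepts (prohibit-password is the newer OpenSSH
# spelling of without-password); "unset" is flagged so it gets set explicitly.
permit_root_login_ok() {
    case "$1" in
        without-password|forced-commands-only|prohibit-password) return 0 ;;
        *) return 1 ;;
    esac
}
# Audit one authorized_keys file and one sshd_config; returns 1 on any finding.
audit() {
    rc=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        has_tunnel_restrictions "$line" || { echo "unrestricted key: ${line##* }"; rc=1; }
        m=$(missing_hardening "$line"); [ -z "$m" ] || echo "consider adding: $m"
    done < "$1"
    prl=$(permit_root_login "$2")
    permit_root_login_ok "$prl" || { echo "PermitRootLogin is '$prl'"; rc=1; }
    return $rc
}
```

Run it as `sh audit.sh` after appending `audit /root/.ssh/authorized_keys2 /etc/ssh/sshd_config` to the end; a non-zero exit means at least one finding was printed.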