-
Notifications
You must be signed in to change notification settings - Fork 0
/
README
106 lines (80 loc) · 3.14 KB
/
README
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
NetworkManager-openssh -- OpenSSH pseudo VPN plugin for NetworkManager
OpenSSH supports IP/Ethernet tunneling using the TUN/TAP interface.
This plugin makes it easy to use the feature from NetworkManager.
* Build
$ sudo apt-get install libssh2-1-dev libnm-glib-vpn-dev
$ ./autogen.sh --prefix=/usr --sysconfdir=/etc \
--libexecdir=/usr/lib/NetworkManager
$ make
$ sudo make install
* Setup
# Install tunctl with OpenSUSE fixes. Note that tunctl in
# uml-utilities is too old to be used with NM-openssh.
remote$ wget http://downloads.sourceforge.net/project/tunctl/tunctl/1.5/tunctl-1.5.tar.gz
remote$ tar xf tunctl-1.5.tar.gz
remote$ cd tunctl-1.5
remote$ make
remote$ sudo make install
# Create a tun device and initialize it.
remote$ sudo modprobe tun
remote$ sudo tunctl -u $USER -n
remote$ sudo ip addr add 10.0.1.3 peer 10.0.1.1 dev tun0
remote$ sudo ip link set tun0 up
# Enable "PermitTunnel" in /etc/ssh/sshd_config and restart sshd.
remote$ sudo sh -c 'echo PermitTunnel yes >> /etc/sshd/sshd_config'
remote$ sudo /etc/init.d/ssh restart
# Create a client IP setup script
remote$ cat > nm_openssh_setup
#!/bin/sh
cat <<EOF
ADDR 10.0.1.1
PEER_ADDR 10.0.1.3
NETMASK 255.255.255.0
GW_ADDR <remote-ip>
EOF
^D
remote$ chmod +x nm_openssh_setup
# Create a keypair and add the public key to the remote keyring.
local$ ssh-keygen -t rsa -f ~/.ssh/tun
local$ { echo -n 'tunnel=0 '; cat ~/.ssh/tun.pub } | \
ssh remote 'cat >> ~/.ssh/authorized_keys'
Now you can create a VPN connection from NetworkManager applet.
* How does it work
NetworkManager-openssh internally spawns a setuid'ed process doing the
actual job of relaying IP/Ethernet packets over SSH.
The child process first opens "tun@openssh.com" channel (see the
PROTOCOL documentation in the OpenSSH source tree), and then opens
another channel to get a client IP configuration, which is a poor
man's approach not to require DHCP/PPP server setup.
The core implementation of NetworkManager-openssh is a small library
sshtun.c. The library can be used as follows. All function calls
shall not block.
/* Allocate memory for a handle */
sshtun_new (&handle);
/* Set parameters of the handle */
sshtun_set_params (handle,
SSHTUN_PARAM_TUN_MODE, tun_mode, ...
SSHTUN_PARAM_TUN_OWNER, tun_owner, ...
0);
/* Start a tunneling task (this forks internally) */
sshtun_start (handle);
/* Dispatch events from the child process */
pfds[0].fd = sshtun_event_fd (handle);
while (1) {
pfds[0].events = POLLIN;
ret = poll (pfds, 1, -1);
if (ret > 0 && pfds[0].revents & POLLIN)
sshtun_dispatch_event (handle);
}
/* Stop the tunneling task */
sshtun_stop (handle);
/* Deallocate memory for the handle */
sshtun_del (handle);
* References
- Davide Brini's precise tutorial on the TUN/TAP interface:
http://waldner.netsons.org/d2-tuntap.php
* Disclaimer
This plugin is alpha quality; please use at your own risk.
OpenSSH TUN/TAP tunneling involves the problems regarding TCP over
TCP: http://sites.inka.de/bigred/devel/tcp-tcp.html. For a serious
use, consider using OpenVPN (or other VPN software).