OpenSSH pseudo VPN plugin for NetworkManager
C Shell
Switch branches/tags
Nothing to show
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Failed to load latest commit information.
auth-dialog
common-gnome
doc
m4
po
properties
src
.gitignore
AUTHORS
COPYING
ChangeLog
MAINTAINERS
Makefile.am
NEWS
README
TODO
autogen.sh
configure.ac
gnome-mime-application-x-openssh-settings.png
nm-openssh-service.conf
nm-openssh-service.name.in
nm-openssh.desktop.in

README

NetworkManager-openssh -- OpenSSH pseudo VPN plugin for NetworkManager

OpenSSH supports IP/Ethernet tunneling using the TUN/TAP interface.
This plugin makes it easy to use the feature from NetworkManager.

* Build

 $ sudo apt-get install libssh2-1-dev libnm-glib-vpn-dev
 $ ./autogen.sh --prefix=/usr --sysconfdir=/etc \
                --libexecdir=/usr/lib/NetworkManager
 $ make
 $ sudo make install

* Setup

 # Install tunctl with OpenSUSE fixes.  Note that tunctl in
 # uml-utilities is too old to be used with NM-openssh.
 remote$ wget http://downloads.sourceforge.net/project/tunctl/tunctl/1.5/tunctl-1.5.tar.gz
 remote$ tar xf tunctl-1.5.tar.gz
 remote$ cd tunctl-1.5
 remote$ make
 remote$ sudo make install

 # Create a tun device and initialize it.
 remote$ sudo modprobe tun
 remote$ sudo tunctl -u $USER -n
 remote$ sudo ip addr add 10.0.1.3 peer 10.0.1.1 dev tun0
 remote$ sudo ip link set tun0 up

 # Enable "PermitTunnel" in /etc/ssh/sshd_config and restart sshd.
 remote$ sudo sh -c 'echo PermitTunnel yes >> /etc/sshd/sshd_config'
 remote$ sudo /etc/init.d/ssh restart

 # Create a client IP setup script
 remote$ cat > nm_openssh_setup
 #!/bin/sh

 cat <<EOF
 ADDR 10.0.1.1
 PEER_ADDR 10.0.1.3
 NETMASK 255.255.255.0
 GW_ADDR <remote-ip>
 EOF
 ^D
 remote$ chmod +x nm_openssh_setup

 # Create a keypair and add the public key to the remote keyring.
 local$ ssh-keygen -t rsa -f ~/.ssh/tun
 local$ { echo -n 'tunnel=0 '; cat ~/.ssh/tun.pub } | \
        ssh remote 'cat >> ~/.ssh/authorized_keys'

Now you can create a VPN connection from NetworkManager applet.

* How does it work

NetworkManager-openssh internally spawns a setuid'ed process doing the
actual job of relaying IP/Ethernet packets over SSH.

The child process first opens "tun@openssh.com" channel (see the
PROTOCOL documentation in the OpenSSH source tree), and then opens
another channel to get a client IP configuration, which is a poor
man's approach not to require DHCP/PPP server setup.

The core implementation of NetworkManager-openssh is a small library
sshtun.c.  The library can be used as follows.  All function calls
shall not block.

 /* Allocate memory for a handle */
 sshtun_new (&handle);

 /* Set parameters of the handle */
 sshtun_set_params (handle,
                    SSHTUN_PARAM_TUN_MODE, tun_mode, ...
                    SSHTUN_PARAM_TUN_OWNER, tun_owner, ...
                    0);

 /* Start a tunneling task (this forks internally) */
 sshtun_start (handle);

 /* Dispatch events from the child process */
 pfds[0].fd = sshtun_event_fd (handle);
 while (1) {
   pfds[0].events = POLLIN;
   ret = poll (pfds, 1, -1);
   if (ret > 0 && pfds[0].revents & POLLIN)
     sshtun_dispatch_event (handle);
 }

 /* Stop the tunneling task */
 sshtun_stop (handle);

 /* Deallocate memory for the handle */
 sshtun_del (handle);

* References

- Davide Brini's precise tutorial on the TUN/TAP interface:
  http://waldner.netsons.org/d2-tuntap.php

* Disclaimer

This plugin is alpha quality; please use at your own risk.

OpenSSH TUN/TAP tunneling involves the problems regarding TCP over
TCP: http://sites.inka.de/bigred/devel/tcp-tcp.html.  For a serious
use, consider using OpenVPN (or other VPN software).