Poor mans VPN over SSH, script which can help to setup VPN based on OpenSSH version 4.3+, creates a ssh tunnel to connect two networks, require root, works with Linux.
CentOS:
yum install tunctl
Debian/Ubuntu:
sudo apt-get install uml-utilities
which ip iptables
The script also need the 'ip' command (from the 'iproute' package) and 'iptables' command (from the 'iptables' package), install them in both the local and remote computers.
vim /etc/ssh/sshd_config
PermitRootLogin yes PermitTunnel yes ClientAliveInterval 30 ClientAliveCountMax 6
CentOS:
/etc/init.d/sshd restart
Debian/Ubuntu:
sudo /etc/init.d/ssh restart
vim /etc/ssh/ssh_config
ServerAliveInterval 30 ServerAliveCountMax 6
Edit svpn.sh, just run it on client.
SERVER_SSH_PORT="22" SERVER_SSH_IP="1.2.3.4" CLIENT_ETHERNET="eth0" SERVER_ETHERNET="eth0" CLIENT_TUNNEL="tun2" SERVER_TUNNEL="tun1" CLIENT_TUN_IP="10.0.0.2" SERVER_TUN_IP="10.0.0.1" CLIENT_NET="192.168.2.0/24" CLIENT_GATEWAY="192.168.2.1" SERVER_NET="192.168.1.0/24" SERVER_GATEWAY="192.168.1.1"
svpn.sh -start
svpn.sh -stop
- Server: Machine A/Host A
- Client: Machine B/Host B
Has internet Has internet 192.168.1.0/24 (netA)|gateA <-> gateB|192.168.2.0/24 (netB) +------------------+ OpenSSH 4.3 +-----------------+ | Machine A | tun1 -- Tunnel Interface -- tun2 | Machine B | | Has a tunnel | <-------------------------------->| Has a tunnel | | and ethernet | 10.0.0.1 10.0.0.2 | and ethernet | +----------+-------+ point to point connection +---------+-------+ | eth0 eth0 | | 192.168.1.100 192.168.2.100 | | port 22 | | forwarded | | here | +----------+----------+ +-~-~-~-~-~-~-~-+ +-------+-------+ | Network A | | | | Network B | | 192.168.1.0/24 | 1.2.3.4 | The Internet | | 192.168.2.0/24| | Has internet |<-------->| |<----->| Has internet | | NAT gateway | Routable | | | NAT gateway | +---------------------+ Address +-~-~-~-~-~-~-~-+ +---------------+
hostA hasn't internet Has internet 192.168.1.0/24 (netA)|gateA <-- hostB|1.2.3.4 +------------------+ OpenSSH 4.3 +-----------------+ | Machine A | tun1 -- Tunnel Interface -- tun2 | Machine B | | Has a tunnel | <-------------------------------->| Has a tunnel | | and ethernet | 10.0.0.1 10.0.0.2 | and ethernet | +----------+-------+ point to point connection +---------+-------+ | eth0 eth0 | | 192.168.1.100 1.2.3.4 | | port 22 Has internet | | forwarded | | here | +----------+----------+ +-~-~-~-~-~-~-~-+ | | Network A | | | | | 192.168.1.0/24 | 4.3.2.1 | The Internet | | | Hasn't internet |<-------->| |<--------------+ | NAT gateway | Routable | | +---------------------+ Address +-~-~-~-~-~-~-~-+
Edit svpn.sh
36: ip route replace default via ${SERVER_GATEWAY} 37: # ip route del ${CLIENT_NET} via ${SERVER_TUN_IP} 47: # ip route add ${CLIENT_NET} via ${SERVER_TUN_IP} 48: ip route replace default via ${SERVER_TUN_IP} 77: ip route replace default via ${SERVER_GATEWAY} 78: # ip route del ${CLIENT_NET} via ${SERVER_TUN_IP}
Has internet Has internet 192.168.2.0/24 (netB)|gateB --> hostA|1.2.3.4 --> GFW or 4.3.2.1|hostB --> hostA|1.2.3.4 --> GFW +------------------+ OpenSSH 4.3 +-----------------+ | Machine B | tun2 -- Tunnel Interface -- tun1 | Machine A | | Has a tunnel | <-------------------------------->| Has a tunnel | | and ethernet | 10.0.0.2 10.0.0.1 | and ethernet | +----------+-------+ point to point connection +---------+-------+ | ^ | eth0 | | 1.2.3.4 | | Has internet | | | +----------+----------+ +-~-~-~-~-~-~-~-+ | | Network B | | | | | 192.168.2.0/24 | 4.3.2.1 | The Internet | | | Has internet |<-------->| |---------------+ | NAT gateway | Routable | | +---------------------+ Address +-~-~-~-~-~-~-~-+
Edit svpn.sh
62: # ip route add ${SERVER_NET} via ${CLIENT_TUN_IP} 63: ip route replace default via ${CLIENT_TUN_IP} 64: # iptables -t nat -A POSTROUTING -s ${SERVER_TUN_IP}/32 -o ${CLIENT_ETHERNET} -j MASQUERADE 65: # iptables -A FORWARD -p tcp --syn -s ${SERVER_TUN_IP}/32 -j TCPMSS --set-mss 1356 90: ip route replace default via ${CLIENT_GATEWAY} 91: # ip route del ${SERVER_NET} via ${CLIENT_TUN_IP} 93: # iptables -t nat -D POSTROUTING -s ${SERVER_TUN_IP}/32 -o ${CLIENT_ETHERNET} -j MASQUERADE 94: # iptables -D FORWARD -p tcp --syn -s ${SERVER_TUN_IP}/32 -j TCPMSS --set-mss 1356
Installing VMware Workstation 11 on Machine A (Windows 7).
+-~-~-~-+-~-~-~-+ | Gateway G | | 192.168.1.1 | +-~-~-~-+-~-~-~-+ | +------------------------+------------------------+ | | | +-------+-------+ +-------+-------+ +-------+-------+ | Machine A | | Machine B | | Machine C | | 192.168.1.4 | | 192.168.1.2 | | 192.168.1.3 | +-------+-------+ +---------------+ +---------------+ | +------------------------+------------------------+ | | | | +-~-~-~-+-~-~-~-+ +-~-~-~-+-~-~-~-+ | | NAT | | Host-only | | | Gateway E | | Gateway F | | | 192.168.72.1 | | 192.168.19.1 | | +-~-~-~-+-~-~-~-+ +-~-~-~-+-~-~-~-+ | Bridge | | +-------+-------+ +-------+-------+ +-------+-------+ | VM Machine D1 | | VM Machine D2 | | VM Machine D3 | | 192.168.1.5 | | 192.168.72.2 | | 192.168.19.2 | +---------------+ +---------------+ +---------------+
Machine B --> ssh --> Machine A --> port forwarded --> VM Machine D3 ^ ^ | SSH Tunnel Interface | tun2 | 10.0.0.2 point to point connection 10.0.0.1 | tun1 +-------------------------------------------------------+ rtt avg D3 -> D3 ping -c 50 192.168.19.2 0.074 ms D3 -> F ping -c 50 192.168.19.1 0.414 ms D3 -> A ping -c 50 192.168.1.4 3.636 ms D3 -> G ping -c 50 192.168.1.1 2.514 ms D3 -> B ping -c 50 192.168.1.2 2.488 ms D3 -> C ping -c 50 192.168.1.3 2.522 ms B -> D3 ping -c 50 192.168.19.2 1.938 ms B -> F ping -c 50 192.168.19.1 2.179 ms B -> D3 ping -c 50 10.0.0.1 1.930 ms
D1 -> D1 ping -c 50 192.168.1.5 0.074 ms D1 -> A ping -c 50 192.168.1.4 0.452 ms D1 -> G ping -c 50 192.168.1.1 1.421 ms D1 -> B ping -c 50 192.168.1.2 1.361 ms D1 -> C ping -c 50 192.168.1.3 1.429 ms
D2 -> D2 ping -c 50 192.168.72.2 0.074 ms D2 -> E ping -c 50 192.168.72.1 0.411 ms D2 -> F ping -c 50 192.168.19.1 1.127 ms D2 -> A ping -c 50 192.168.1.4 1.155 ms D2 -> G ping -c 50 192.168.1.1 1.996 ms D2 -> B ping -c 50 192.168.1.2 1.997 ms D2 -> C ping -c 50 192.168.1.3 1.931 ms