SSH VPN

I’ve been experimenting with using SSH as a VPN. That is to say not just tunnelling a single port but forwarding all traffic through the remote host like a router.

I’ve pulled together instructions from here and here and have this:

1. Allow tunnelling, and key-only root login, on the remote machine in /etc/ssh/sshd_config (restart sshd afterwards). Root is needed because creating the tun device on the server side requires root privileges; "without-password" is the old spelling of what newer OpenSSH calls "prohibit-password", and both mean the same thing, root may log in with keys but never with a password:

PermitTunnel yes
PermitRootLogin without-password

2. Generate root SSH keys on the local machine and copy the public one to the remote machine. Copy it before you switch root to keys-only in step 1 (or copy it via a normal account and sudo), and append to authorized_keys rather than overwriting it, otherwise any existing keys are lost. Since this key grants root, consider restricting it in authorized_keys with options such as from="your-ip" and tunnel="0":

ssh-keygen -t rsa
ssh-copy-id -i ~/.ssh/id_rsa.pub root@remote-ip

3. SSH as root (or via sudo) from local to remote to set up the VPN. This deliberately gives you an interactive login: I found that if you don't make it a login session (i.e. ssh -NT -w 0:0 remote-ip) then you can't take down the tun0 device when you're finished, which makes for all sorts of problems when you try to bring it up again later:

sudo ssh -w0:0 remote-ip

4. While in the root SSH session on the remote machine, configure the tun0 device (a /30 from a private range, since the link is point-to-point), enable IP forwarding and NAT. Obviously the tunnel subnet must not overlap anything in your normal routing, so assume here eth0 is 192.168.0.5:

ifconfig tun0 10.0.2.1 netmask 255.255.255.252 up
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

The echo to /proc does not survive a reboot (set net.ipv4.ip_forward = 1 in /etc/sysctl.conf if you want it permanent), and if the remote's FORWARD chain defaults to DROP you also need ACCEPT rules between tun0 and eth0 or nothing will get past the NAT.

5. Back on the local machine (as root) set up the static routes you want to go down the VPN; in this case I'm connecting to the whole 10.93.0.0/16 private network on the other side of the tunnel. I found that the usual "route add ..." syntax didn't work, so I moved to the newer "ip" command as described here:

ifconfig tun0 10.0.2.2 netmask 255.255.255.252 up
ip route add 10.93.0.0/16 dev tun0

That's it: any traffic on the local machine addressed to 10.93.x.x now goes down the SSH tunnel and is forwarded on to the machines on the other side. This is much better than a regular SSH port forward, which only connects local port A to remote port B; here any traffic from local host A goes via remote host B to any target C.

If you wanted to forward all traffic via the remote machine, you'd change step #5 to replace the default gateway. Order matters here: first pin a host route to the SSH server itself via the original gateway, because the moment the default route points at tun0 the SSH session carrying the tunnel would otherwise be routed into its own tunnel and the link drops. Using "replace" rather than deleting and re-adding the default avoids a window with no default route at all:

ifconfig tun0 10.0.2.2 netmask 255.255.255.252 up
ip route add remote-ip/32 via 192.168.0.1
ip route replace default dev tun0
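
The following planner is an added example and not code from the original post: it takes the layout used in steps 1 to 5 (SSH server address, local LAN, tunnel /30 and the networks to route) and emits the remote-side and local-side command lists, refusing the two configurations that break the procedure: a tunnel /30 that overlaps the LAN or a routed network, and a full tunnel (or a routed network that happens to contain the SSH server) without a host route pinning the server to the physical path. The addresses, interface names and the root@ login are assumptions for illustration; 203.0.113.10 is a TEST-NET placeholder for remote-ip.

```python
"""Planner for the SSH tun VPN set up in steps 1-5 above.

Added example, not code from the original post. Addresses and interface
names are illustrative assumptions. The emitted commands are the modern
iproute2 equivalents of the ifconfig/route lines in the post.
"""
import ipaddress


def plan_ssh_vpn(remote_ip, lan_cidr, lan_gw, lan_iface="eth0",
                 tunnel_cidr="10.0.2.0/30", routes=(), full_tunnel=False,
                 remote_wan_iface="eth0"):
    """Return {'ssh': ..., 'remote': [...], 'local': [...]}.

    remote_ip  address the SSH server is reached on
    lan_cidr   the local machine's address with prefix, e.g. 192.168.0.5/24
    lan_gw     the LAN's existing default gateway
    routes     networks behind the server to send down the tunnel
    """
    tun = ipaddress.ip_network(tunnel_cidr, strict=True)
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    remote = ipaddress.ip_address(remote_ip)
    gw = ipaddress.ip_address(lan_gw)

    # A point-to-point link gets a private /30: one usable address per end.
    if tun.prefixlen != 30 or not tun.is_private:
        raise ValueError(f"tunnel {tun} must be a private /30")
    if tun.overlaps(lan):
        raise ValueError(f"tunnel {tun} overlaps the LAN {lan}")
    nets = [ipaddress.ip_network(r, strict=False) for r in routes]
    for n in nets:
        if n.overlaps(lan) or n.overlaps(tun):
            raise ValueError(f"routed network {n} overlaps LAN or tunnel")
    remote_tun, local_tun = list(tun.hosts())

    # Server side, typed into the shell that `ssh -w 0:0` opens once tun0
    # exists on both ends: address tun0, enable forwarding, let tunnel
    # traffic through FORWARD (in case its policy is DROP) and NAT it out.
    remote_cmds = [
        f"ip addr add {remote_tun}/30 dev tun0",
        "ip link set tun0 up",
        "sysctl -w net.ipv4.ip_forward=1",
        f"iptables -A FORWARD -i tun0 -o {remote_wan_iface} -j ACCEPT",
        f"iptables -A FORWARD -i {remote_wan_iface} -o tun0 "
        "-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        f"iptables -t nat -A POSTROUTING -s {tun} -o {remote_wan_iface} -j MASQUERADE",
    ]

    local_cmds = [
        f"ip addr add {local_tun}/30 dev tun0",
        "ip link set tun0 up",
    ]
    # If the SSH server itself would be routed into the tunnel (full tunnel,
    # or a routed network that contains it), pin it to the physical path
    # first, otherwise the session carrying the tunnel dies.
    needs_pin = full_tunnel or any(remote in n for n in nets)
    if needs_pin:
        if remote in lan:
            local_cmds.append(f"ip route add {remote}/32 dev {lan_iface}")
        else:
            local_cmds.append(f"ip route add {remote}/32 via {gw} dev {lan_iface}")
    if full_tunnel:
        # replace rather than del+add: no window without a default route
        local_cmds.append("ip route replace default dev tun0")
    else:
        local_cmds += [f"ip route add {n} dev tun0" for n in nets]

    return {"ssh": f"ssh -w 0:0 root@{remote}",
            "remote": remote_cmds, "local": local_cmds}


if __name__ == "__main__":
    plan = plan_ssh_vpn("203.0.113.10", "192.168.0.5/24", "192.168.0.1",
                        routes=["10.93.0.0/16"])
    print("# 1. open the tunnel:", plan["ssh"])
    print("# 2. on the remote:"); print("\n".join(plan["remote"]))
    print("# 3. on the local machine:"); print("\n".join(plan["local"]))
```

Run it with full_tunnel=True and the pinned host route appears before the default-route replacement; run it with a tunnel range inside the LAN and it refuses rather than producing a configuration that silently blackholes traffic.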

A bit easier and with less setup overhead than OpenVPN. Bear in mind though that this is TCP carried inside TCP: on a lossy link the inner and outer retransmission timers fight each other and throughput collapses, so it suits ad-hoc use better than a permanent link.

RPM patching

I found that gSTM has a hardcoded "-o ConnectTimeout=5" inside it, and changing ~/.ssh/config or /etc/ssh/ssh_config doesn't override it (ssh uses the first value it obtains for each option, and command-line -o options are read before either config file), so I decided to remove it, as sometimes my tunnel takes longer than 5 seconds to start:

diff -uNr gstm-1.2.orig/src/fnssht.c gstm-1.2/src/fnssht.c
--- gstm-1.2.orig/src/fnssht.c	2006-08-03 10:36:35.000000000 +0200
+++ gstm-1.2/src/fnssht.c	2010-07-22 17:56:15.016430000 +0200
@@ -213,8 +213,6 @@
 			free(tmp);
 		}
 		hargs->sshargs = gstm_ssht_addssharg(hargs->sshargs, "-o");
-		hargs->sshargs = gstm_ssht_addssharg(hargs->sshargs, "ConnectTimeout=5");
-		hargs->sshargs = gstm_ssht_addssharg(hargs->sshargs, "-o");
 		hargs->sshargs = gstm_ssht_addssharg(hargs->sshargs, "NumberOfPasswordPrompts=1");
 		hargs->sshargs = gstm_ssht_addssharg(hargs->sshargs, NULL); //end list
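Review bot: dropping the ConnectTimeout=5 argument and its leading "-o" leaves no connect timeout at all, so a tunnel to an unreachable host now blocks until the kernel gives up on the TCP handshake (minutes rather than 5 seconds) and gSTM's status will lag accordingly; if 5 s is too short, keep the two lines and raise the value (e.g. "ConnectTimeout=30"), or read it from the tunnel's settings, rather than removing the option. The argument pairing that remains is correct: the surviving "-o" at the top of the hunk now precedes "NumberOfPasswordPrompts=1", so the list stays well-formed.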

Also it won't build cleanly on 64-bit Fedora 13 as the XML2 and X11 libraries cannot be found by the linker. A quick fix is to set the LIBS environment variable to "-lX11 -lxml2" before running configure, or just edit the LIBS line in the configure file itself (snipped below):

-          glib_save_LIBS="$LIBS"
+          glib_save_LIBS="$LIBS -lX11 -lxml2"
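Review bot: appending -lX11 -lxml2 to glib_save_LIBS in the generated configure script is fragile: that variable is configure's saved copy of $LIBS around the glib check, so the extra libraries only reach the final link because LIBS is restored from it afterwards, and the edit is lost whenever configure is regenerated from configure.ac. Prefer the first fix the text mentions, exporting LIBS="-lX11 -lxml2" in the spec's %build before %configure, or add the libraries to the checks in configure.ac so the dependency is declared where it belongs.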

So I edited the two files and created a patch, but that conflicted with the autoconf patch shipped in the Fedora 11 SRPM I was working from. So I had to apply the autoconf patch first, re-edit the two files and create one big patch containing all three modifications.

So first we have to extract the source from the SRPM:

rpm -ivh gstm-1.2-10.fc11.src.rpm
mkdir ~/rpmbuild/BUILD/

Then I extracted the tarball twice into the BUILD directory (one copy to modify, one kept pristine as the original to diff against), so we end up with a directory structure like this (only the files we're interested in are listed):

~/rpmbuild/
  SPECS/gstm.spec
  SOURCES/gstm-1.2.tar.gz
  BUILD/
    gstm-1.2/
      configure
      src/
        fnssht.c
    gstm-1.2.orig/
      configure
      src/
        fnssht.c

First we apply the autoconf patch:

cd ~/rpmbuild/BUILD/gstm-1.2/
patch -s -p1 --fuzz=0 < ~/rpmbuild/SOURCES/gstm-1.2-autoconf.patch

Then apply my changes to fnssht.c and to the (now autoconf-patched) configure file, and create the big patch by diffing against the pristine copy:

cd ~/rpmbuild/BUILD/
diff -uNr gstm-1.2.orig gstm-1.2/ > ../SOURCES/gstm-1.2-autoconf-connecttimeout5-x11xml2libs.patch
rm -rf gstm-1.2*

Next we have to change the SPEC file to use the big patch instead of the old autoconf patch (the existing %patch0 line in %prep applies it unchanged). I also bumped the release number and added a line to the changelog:

Patch0:         gstm-1.2-autoconf-connecttimeout5-x11xml2libs.patch
Release:        11%{?dist}

Then rebuild the RPM and SRPM with the patches applied:

cd ~/rpmbuild/SPECS/
rpmbuild -ba gstm.spec
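
The spec edit in the previous steps is easy to get subtly wrong by hand (a Release that doesn't increase, a Patch0 that is declared but never applied in %prep, a changelog entry whose version-release doesn't match). The following is an added example, not code from the original post or from Fedora's tooling: it performs that edit on the text of a .spec, bumping the numeric part of Release, repointing Patch0 and prepending a %changelog entry, and refuses to proceed when the spec does not have the expected shape. The sample spec, packager name and date are constructed for illustration.

```python
"""Spec-file updater for the RPM rebuild described above.

Added example, not from the original post or from Fedora's tooling.
SAMPLE_SPEC is a constructed, minimal spec for illustration only.
"""
import re

SAMPLE_SPEC = """\
Name:           gstm
Version:        1.2
Release:        10%{?dist}
Summary:        Gnome SSH Tunnel Manager (constructed sample spec)
Source0:        gstm-1.2.tar.gz
Patch0:         gstm-1.2-autoconf.patch

%prep
%setup -q
%patch0 -p1

%build
%configure
make %{?_smp_mflags}

%changelog
* Mon Jan 04 2010 Packager <packager@example.com> - 1.2-10
- previous entry
"""

REQUIRED_TAGS = ("Version:", "Release:", "Patch0:")


def update_spec(spec_text, new_patch, author, date_str, note):
    """Return (new_spec_text, new_release) with Patch0 replaced,
    Release bumped by one and a %changelog entry prepended."""
    lines = spec_text.splitlines()
    where = {}
    for i, line in enumerate(lines):
        for tag in REQUIRED_TAGS:
            if line.startswith(tag):
                where.setdefault(tag, i)  # first occurrence wins
    missing = [t for t in REQUIRED_TAGS if t not in where]
    if missing:
        raise ValueError(f"spec lacks {', '.join(missing)}")

    # A declared Patch0 that %prep never applies would be silently ignored.
    applied = re.compile(r"\s*%patch0\b|\s*%patch\s+-P\s*0\b")
    if not any(applied.match(l) for l in lines):
        raise ValueError("Patch0 is declared but never applied in %prep")

    version = lines[where["Version:"]].split(":", 1)[1].strip()
    m = re.fullmatch(r"Release:\s*(\d+)(\S*)\s*", lines[where["Release:"]])
    if not m:
        raise ValueError("Release is not of the form N%{?dist}")
    new_release = int(m.group(1)) + 1
    lines[where["Release:"]] = f"Release:        {new_release}{m.group(2)}"
    lines[where["Patch0:"]] = f"Patch0:         {new_patch}"

    # Newest entry goes first, directly under %changelog, in the
    # "* <date> <packager> - <version>-<release>" form rpmbuild expects.
    try:
        cl = lines.index("%changelog")
    except ValueError:
        raise ValueError("spec has no %changelog section") from None
    entry = [f"* {date_str} {author} - {version}-{new_release}", f"- {note}", ""]
    lines[cl + 1:cl + 1] = entry
    return "\n".join(lines) + "\n", new_release


if __name__ == "__main__":
    text, rel = update_spec(
        SAMPLE_SPEC,
        "gstm-1.2-autoconf-connecttimeout5-x11xml2libs.patch",
        "Packager <packager@example.com>", "Thu Jul 22 2010",
        "Combine autoconf patch with ConnectTimeout removal and X11/xml2 link fix")
    print(f"bumped to release {rel}")
    print(text)
```

Run against a real spec, write the returned text back over SPECS/gstm.spec and then rebuild with rpmbuild -ba as above; the ValueError paths are the cases where a hand edit would have produced a build that quietly omitted the patch or a changelog out of step with the Release.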

Finally we end up with a set of new RPMs, downloadable from here:

gaskpass-1.2-11.fc13.x86_64.rpm
gstm-1.2-11.fc13.src.rpm
gstm-1.2-11.fc13.x86_64.rpm
gstm-debuginfo-1.2-11.fc13.x86_64.rpm

Some of the commands were based on this tutorial.

Update 1: I did the same with GIP: applied a libsigcpp patch, edited the SPEC and rebuilt RPMs for F13 x86_64. Download from here.

Update 2: I've also patched/rebuilt cx_Freeze and knockd RPMs for Fedora 13 x86_64.

Wednesday

My nephew came over today for a few hours, we played various Xbox games; he's mad on driving games like Burnout3 and MX vs ATV Unleashed, although not so keen on Outrun2. He's much better at Sonic The Hedgehog than me. Surprisingly for a 4-year-old, he could read things like "2 player", "Sega" etc., and even navigate through the setup menus to start a different game. Then finished off with pizza (which he plastered in Tabasco sauce!) cooked in the new oven and doing some washing and a quick walk down the road. We discovered he quite likes gherkins and mixing mayonnaise with tomato ketchup, but doesn't like green bell peppers (only red ones!?)

I've been playing around with WordPress and thought I'd try the WYSIWYG editor again; it's been a while so I wondered if the annoyances had been fixed and some real functionality added, but it turns out there's no difference from when I tried it back in v1.7 days. The way you add links still is not as easy as just putting the HTML in, and the linebreaks are annoying, plus it's not exactly Dreamweaver. I think the visual editor in Plone was better.

I've also been playing with SSH tunnelling: the magical ProxyCommand in ssh_config allows you to do things like use another machine as a gateway, so host A can go through host B to get to host C and so on. I even managed to tunnel an HTTP session from a machine three hops away to my desktop web browser! It's all described as part of the book Hacking Linux Exposed.

I thought I'd try to see how VirtualBox handles running more guest OSes than the host has CPU cores, so I ran CentOS 4, CentOS 5, Win2003, XP Pro and Windows 7 all at the same time. From the screenshot you can see that it still only uses a few percent of the CPU, and I've still got plenty of the 8GB RAM left over; plus look at the fancy Compiz window opacity, ooh pretty.....

I just watched Bill Bailey’s Tinselworm standup show, it was OK, pretty average stuff for BB. Frankie Boyle Live was much better, although it did seem to degenerate into slagging off the audience and swearing at them after a while, I guess the guy can’t take heckling!