
Setting Up a VPN Tunnel with OpenSSH on Debian


Intro

In one of my many projects, I needed to access a network that only had an SSH server. I knew that SSH tools were capable of providing a VPN tunnel, but I'd never tried it. It's quite easy to implement and can come in handy in many cases.

So I'm going to show you step-by-step in this article how to set up a temporary VPN with OpenSSH.

Network diagram

[Network diagram: the SSH tunnel between the Debian server (Destination, 192.168.1.10 on eth0, 10.110.0.100 on tun0) and the Arch Linux client (Source, 192.168.2.10 on eth0, 10.110.0.200 on tun0). Traffic for 192.168.1.0/24 leaves the client through tun0, travels inside the SSH connection, and exits the server's eth0.]

Debian (Destination)

  • IP configuration:
    • eth0: 192.168.1.10/24
    • tun0: 10.110.0.100/32

Prerequisites

Edit sshd configuration

  • Edit /etc/ssh/sshd_config to allow root login and tunnel requests, then restart sshd. Root is needed because sshd opens the tun device with the privileges of the logged-in account (the VPN example in ssh(1) logs in as root for the same reason). A tighter variant of the two lines below is PermitRootLogin prohibit-password (key only) with PermitTunnel point-to-point, since -w as used in this article only needs a layer-3 tunnel:
PermitRootLogin yes
PermitTunnel yes
root@host:~# systemctl restart sshd
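As an added example (not from the original article), the same permissions written as a drop-in file with the least privilege the tunnel needs. The file name is my choice; current Debian's sshd_config includes /etc/ssh/sshd_config.d/*.conf:

```conf
# /etc/ssh/sshd_config.d/ssh-vpn.conf  (hypothetical file name)

# Root may log in, but only with a key, never with a password.
PermitRootLogin prohibit-password
PasswordAuthentication no

# "-w" as used in this article needs a layer-3 (tun) tunnel only;
# "yes" would also allow layer-2 (tap) tunnels.
PermitTunnel point-to-point

# Root exists here only to hold the tunnel: no TCP, agent or X11
# forwarding and no terminal for that account.
Match User root
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTTY no
```

Run sshd -t to check the syntax and sshd -T -C user=root to see the effective settings for root before restarting. The key itself can be pinned to one device on the server side with the authorized_keys option tunnel="0"; the ssh(1) VPN example pairs that with a command= entry that configures the server end of the tunnel when the client connects.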

Set NAT

We need a masquerade rule so that hosts on 192.168.1.0/24 see the client's traffic as coming from the Debian server's own address (192.168.1.10) and need no route back to the tunnel address. We'll look at how to do this using iptables or nftables.

  • Whether using iptables or nftables, you first need to enable IP forwarding (routing). The write to /proc below lasts until reboot; to make it persistent, put net.ipv4.ip_forward = 1 in a file under /etc/sysctl.d/ and run sysctl --system:
root@host:~# echo 1 | tee /proc/sys/net/ipv4/ip_forward
  • With iptables:
root@host:~# iptables -t nat -A POSTROUTING -d 192.168.1.0/24 -o eth0 -j MASQUERADE
  • With nftables:
root@host:~# nft add table ip NAT
root@host:~# nft add chain ip NAT my_masquerade '{ type nat hook postrouting priority 100; }'
root@host:~# nft add rule NAT my_masquerade ip daddr { 192.168.1.0/24 } oifname eth0 counter masquerade
  • Both rules masquerade anything leaving eth0 for the LAN, not just the tunnel, and nothing filters the forward path; matching the tunnel peer instead (-s 10.110.0.200, or ip saddr 10.110.0.200) keeps the NAT to what the tunnel needs.
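As an added example (not the article's rule), a complete nftables ruleset that limits both forwarding and NAT to the tunnel peer, using the diagram's addresses and interface names; the table and chain names are my choice. Load it with nft -f, and on Debian keep it in /etc/nftables.conf so the nftables service restores it at boot:

```nft
#!/usr/sbin/nft -f
# Hypothetical /etc/nftables.conf for the Debian server in this article.
# Forwards only the tunnel peer toward the LAN, and masquerades only it.
define VPN_IF   = "tun0"
define LAN_IF   = "eth0"
define VPN_PEER = 10.110.0.200
define LAN_NET  = 192.168.1.0/24

table inet ssh_vpn {
    chain forward {
        type filter hook forward priority 0; policy accept;
        # Replies to flows that were already allowed.
        ct state established,related accept
        # New flows from the tunnel: only from the peer, only toward the LAN.
        iifname $VPN_IF ip saddr $VPN_PEER ip daddr $LAN_NET oifname $LAN_IF accept
        # Anything else arriving on the tunnel is not forwarded.
        iifname $VPN_IF counter drop
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # Hide the tunnel address behind the server's LAN address.
        ip saddr $VPN_PEER oifname $LAN_IF counter masquerade
    }
}
```

The forward chain keeps policy accept so other forwarding on the host is untouched; only traffic entering through the tunnel is restricted. If the NAT table from the commands above is still loaded, remove it (nft delete table ip NAT) so the two masquerade rules do not overlap.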

Now that we've finished pre-configuring our Debian server, we need to start the SSH tunnel from the client.

Source : Archlinux

  • IP configuration:
    • eth0: 192.168.2.10/24
    • tun0: 10.110.0.200/32

Commands

  • -w local_tun[:remote_tun]: Requests tunnel device forwarding with the specified tun(4) devices between the client (local_tun) and the server (remote_tun). Creating the tun device needs root on the client as well, hence the root prompt.
  • -N: Do not execute a remote command
  • -f: Requests ssh to go to background just before command execution
  • Start the tunnel. Here 1.1.1.1 stands for the address at which the Debian server is reachable, and -p 22 is the default, shown only for completeness. If the server refuses the tun request (PermitTunnel off, or a non-root login), ssh -f still goes to the background and tun0 never appears; -o ExitOnForwardFailure=yes makes it exit with an error instead:
root@host:~# ssh -Nf -w 0:0 -p 22 root@1.1.1.1
  • Set the IP address of the tun0 interface:
root@host:~# ip addr add 10.110.0.200/32 peer 10.110.0.100 dev tun0
  • Activate the interface:
root@host:~# ip link set tun0 up
  • Add the route to the remote network:
root@host:~# ip route add 192.168.1.0/24 via 10.110.0.100

Configuring the tunnel (Debian)

With the previous command (ssh -Nf -w 0:0) run from the client, the tun0 virtual device should appear on the Debian server. The last step is to configure and activate it on the Debian side, mirroring the client's addresses.

  • Set the IP address of the tun0 interface:
root@host:~# ip addr add 10.110.0.100/32 peer 10.110.0.200 dev tun0
  • Activate the interface:
root@host:~# ip link set tun0 up

That's it! The 192.168.1.0/24 network should now be reachable from the client. Check the tunnel first (ping 10.110.0.100 from the client); if that answers but hosts on 192.168.1.0/24 do not, the problem is on the Debian side: ip_forward or the masquerade rule.
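The whole client-side procedure above, as an added example script that is not part of the original article. It runs the same ssh, ip addr and ip route commands, adds the checks the bare commands skip (root, address sanity, waiting for tun0, a failing ssh instead of a silent one), configures the Debian end through a multiplexed session on the same connection, and can tear the tunnel down again. The script name, the control socket path and the environment variables are my choice; the addresses default to those of the diagram.

```shell
#!/bin/sh
# ssh-vpn.sh (hypothetical name): bring the tun tunnel from this article up or
# down from the client. Added example, not code from the article. Run as root.
set -eu

# Addresses from the article's diagram; override through the environment.
SERVER="${SERVER:-1.1.1.1}"            # address at which the Debian sshd is reachable (placeholder)
LOCAL_TUN="${LOCAL_TUN:-0}"            # client side:  tun0
REMOTE_TUN="${REMOTE_TUN:-0}"          # server side:  tun0
LOCAL_IP="${LOCAL_IP:-10.110.0.200}"
REMOTE_IP="${REMOTE_IP:-10.110.0.100}"
REMOTE_NET="${REMOTE_NET:-192.168.1.0/24}"
CTL="${CTL:-/run/ssh-vpn-tun${LOCAL_TUN}.sock}"   # control socket, used for a clean teardown

# Return 0 if $1 is a well-formed dotted-quad IPv4 address (no prefix length).
valid_ipv4() {
    _ifs=$IFS; IFS=.
    set -- $1
    IFS=$_ifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        case $_o in ''|*[!0-9]*) return 1 ;; esac
        [ "$_o" -le 255 ] || return 1
    done
    return 0
}

# Wait up to $2 seconds for interface $1 to exist (sysfs check, no ip(8) needed).
wait_for_iface() {
    _i=0
    while [ "$_i" -lt "$2" ]; do
        [ -e "/sys/class/net/$1" ] && return 0
        sleep 1
        _i=$((_i + 1))
    done
    return 1
}

# Ending the master ssh process removes tun${LOCAL_TUN}, and the route through it goes with it.
tear_down() {
    if [ -S "$CTL" ]; then
        ssh -o ControlPath="$CTL" -O exit "root@${SERVER}" >/dev/null 2>&1 || true
    fi
}

bring_up() {
    [ "$(id -u)" -eq 0 ] || { echo "creating tun${LOCAL_TUN} needs root" >&2; return 1; }
    valid_ipv4 "$LOCAL_IP" && valid_ipv4 "$REMOTE_IP" ||
        { echo "tunnel addresses must be plain IPv4 addresses" >&2; return 1; }
    [ -e "$CTL" ] && { echo "control socket $CTL exists; tunnel already up?" >&2; return 1; }

    # The article's "ssh -Nf -w 0:0", plus:
    #  ExitOnForwardFailure  ssh exits non-zero if the server refuses the tun
    #                        request instead of backgrounding with no tunnel;
    #  ServerAlive*          notice a dead peer, keep NAT state warm;
    #  ControlMaster/Path    lets tear_down stop exactly this ssh process.
    ssh -Nf -w "${LOCAL_TUN}:${REMOTE_TUN}" \
        -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=15 -o ServerAliveCountMax=3 \
        -o ControlMaster=yes -o ControlPath="$CTL" \
        "root@${SERVER}"

    wait_for_iface "tun${LOCAL_TUN}" 10 ||
        { echo "tun${LOCAL_TUN} never appeared" >&2; tear_down; return 1; }

    ip addr add "${LOCAL_IP}/32" peer "$REMOTE_IP" dev "tun${LOCAL_TUN}"
    ip link set "tun${LOCAL_TUN}" up
    ip route add "$REMOTE_NET" via "$REMOTE_IP" dev "tun${LOCAL_TUN}"

    # Configure the Debian end over the same connection (multiplexed session).
    # If the server key carries a forced command in authorized_keys, that
    # command runs instead and is expected to do the same job.
    ssh -o ControlPath="$CTL" "root@${SERVER}" \
        "ip addr add ${REMOTE_IP}/32 peer ${LOCAL_IP} dev tun${REMOTE_TUN} && ip link set tun${REMOTE_TUN} up"

    # Two-stage check: the tunnel itself first, then forwarding and NAT behind it.
    ping -c 1 -W 2 "$REMOTE_IP" >/dev/null ||
        { echo "tunnel peer ${REMOTE_IP} unreachable: check both tun configs" >&2; return 1; }
    if [ -n "${CHECK_HOST:-}" ]; then
        ping -c 1 -W 2 "$CHECK_HOST" >/dev/null ||
            echo "tunnel is up but ${CHECK_HOST} does not answer: check ip_forward and the masquerade rule on the server" >&2
    fi
}

main() {
    case ${1:-} in
        up)   bring_up ;;
        down) tear_down ;;
        *)    echo "usage: $0 up|down   (env: SERVER LOCAL_IP REMOTE_IP REMOTE_NET CHECK_HOST)" >&2; return 2 ;;
    esac
}

# Act only when given a subcommand, so the file can also be sourced for its helpers.
if [ $# -gt 0 ]; then main "$@"; fi
```

Typical use on the client: CHECK_HOST=192.168.1.20 ./ssh-vpn.sh up, then ./ssh-vpn.sh down when finished. Because the control socket belongs to the master ssh process, down stops that process and nothing else, which is what you want when several tunnels or other ssh sessions to the same host are running.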

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
