
In the past I've used PPP over SSH for simple network tunnels. That isn't recommended for serious networking, but last week I was doing some VoIP testing and wanted to rule out the NAT at either end as the problem. You usually don't want a TCP-based tunnel for a VPN, but I just needed something simple for an hour of testing.

I found that SSH has a “-w” option which sets up “tun” devices on both ends and carries the traffic between them (by default a layer-3, point-to-point tunnel). If you say “ssh -w 0:0 hostname”, it creates “tun0” on both ends, provided that device number is free on both. Then you just need to put addresses on the two tunnel endpoints. The “LocalCommand” setting runs on the client after the connection is up and the local tunnel device exists (ssh also expands “%T” in LocalCommand to the name of the device it actually got), so you can use it for the local ifconfig and use the remote command for the other end, for example:

# $HOSTNAME here stands for the remote end; set it yourself, since bash's own
# HOSTNAME variable is the local machine's name. Run as root on both ends.
ssh -o PermitLocalCommand=yes \
    -o LocalCommand="ifconfig tun0 192.168.0.1 netmask 255.255.255.252" \
    -w 0:0 $HOSTNAME \
    'ifconfig tun0 192.168.0.2 netmask 255.255.255.252; sleep 900000'

Note that on the server you need “PermitTunnel yes” (or “PermitTunnel point-to-point”, which is all “-w” needs) in /etc/ssh/sshd_config and then restart or reload sshd. sshd takes the first value it finds for a keyword, so a “PermitTunnel no” earlier in the file silently wins over one you append at the end; “sshd -T” on the server prints the effective value. This needs to run as root on both ends: creating a tun device requires CAP_NET_ADMIN, and on the server sshd opens the device from the authenticated user's session rather than from its privileged part, so in practice the login has to be root. PermitTunnel is global unless you scope it with a Match block, and an authorized_keys entry can be pinned to one device with the tunnel="n" option, both worth doing if the setting is going to outlive the test.
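To make the steps above concrete, here is a small wrapper script. It is an example added here, not code from the original post: it checks that the two endpoint addresses actually share a /30, checks which PermitTunnel value sshd would take from a given sshd_config (first global occurrence wins, default “no”; Match blocks are not evaluated), and then builds the tunnel the way the command above does but with iproute2 instead of ifconfig, letting ssh pick a free local device (“-w any:N”) and using “%T” to configure whichever one it got. The sshd_config fragments embedded in it are constructed for offline checking. It assumes iproute2 on both ends and a remote login that may create tun devices (root, as in the post).

```shell
#!/bin/sh
# Added example, not code from the original post. Run with no arguments it
# only defines functions; "sh ssh-tun.sh up HOST N LOCAL_IP REMOTE_IP" builds
# the tunnel. Assumptions: iproute2 on both ends, remote login may create tun
# devices (root, as in the post).

# Dotted quad -> 32-bit integer, e.g. 192.168.0.1 -> 3232235521.
# Subshell body so the IFS change does not leak into the caller.
ip4_to_int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# same_subnet A B PREFIX: true when A and B are in the same /PREFIX network.
# The two tunnel endpoints must pass this with the prefix you configure, or
# each side installs a route the other end never answers from.
same_subnet() {
    mask=$(( 4294967296 - (1 << (32 - $3)) ))
    [ $(( $(ip4_to_int "$1") & mask )) -eq $(( $(ip4_to_int "$2") & mask )) ]
}

# sshd_permit_tunnel [FILE]: print the PermitTunnel value sshd would take
# from FILE (or stdin) and return 0 when a point-to-point "-w" tunnel is
# allowed. sshd keeps the FIRST global occurrence of a keyword and defaults
# to "no". Match blocks are not evaluated (assumption: none applies to you);
# on the server itself, "sshd -T" is the authoritative answer.
sshd_permit_tunnel() {
    value=$(awk '
        { sub(/#.*/, ""); gsub(/=/, " ") }
        tolower($1) == "match"        { exit }
        tolower($1) == "permittunnel" { print tolower($2); exit }
    ' ${1:+"$1"})
    value=${value:-no}
    echo "$value"
    case $value in
        yes|point-to-point) return 0 ;;
        *)                  return 1 ;;
    esac
}

# Constructed sshd_config fragments for offline checking (not real servers).
sample_sshd_config_first_wins() {
    cat <<'EOF'
# PermitTunnel yes
PermitTunnel point-to-point
PermitTunnel no
Match User alice
    PermitTunnel yes
EOF
}

sample_sshd_config_default() {
    cat <<'EOF'
PermitRootLogin prohibit-password
#PermitTunnel yes
EOF
}

# tun_up HOST N LOCAL_IP REMOTE_IP: the post's command with iproute2.
# Local device "any" lets ssh pick a free tun; %T tells LocalCommand which
# one it got. The remote device number is fixed because the remote command
# has no such token; ssh requests the tunnel channel before it sends the
# command, so the device exists by the time "ip addr add" runs there.
tun_up() {
    host=$1 n=$2 local_ip=$3 remote_ip=$4
    same_subnet "$local_ip" "$remote_ip" 30 ||
        { echo "$local_ip and $remote_ip are not in one /30" >&2; return 1; }
    [ "$(id -u)" -eq 0 ] ||
        { echo "run as root: creating the local tun needs CAP_NET_ADMIN" >&2; return 1; }
    ssh -o PermitLocalCommand=yes \
        -o "LocalCommand=ip addr add $local_ip/30 dev %T && ip link set %T up" \
        -w "any:$n" "$host" \
        "ip addr add $remote_ip/30 dev tun$n && ip link set tun$n up && sleep 900000"
}

case ${1:-} in
    up) shift; tun_up "$@" ;;
esac
```

Usage: `sudo sh ssh-tun.sh up root@remote 0 192.168.0.1 192.168.0.2` reproduces the tunnel from the post. To check the far end's configuration before trying, `ssh root@remote cat /etc/ssh/sshd_config | sh -c '. ./ssh-tun.sh; sshd_permit_tunnel'` applies the same first-value-wins rule sshd does, with the caveat that only `sshd -T` on the server accounts for Match blocks.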

It looks like this functionality isn't new (OpenSSH has had “-w” since 4.3), but I hadn't heard about it before. I tend to avoid tunneling over SSH because TCP over TCP reacts badly to packet loss: the inner and outer retransmission timers compound each other and throughput collapses, so I hadn't looked at it in probably a decade. But in this case I just needed something simple, and GRE tunneling would have been problematic because of NAT on both ends: GRE is its own IP protocol (47) rather than a TCP or UDP port, and most NAT devices won't forward it without special handling.
