TunTap pseudo-VPN Over SSH

ssh-tuntap-vpn.md

Poor Man's VPN over SSH

If you have ssh then you can setup a "bridge" to any external network or server in minutes.

This doesn't replace standard VPN solutions, but it has the advantage of being really simple and fast and will serve a lot of use-cases.

Drawbacks

• Each client must have a separate TUN device on the target server (TODO: Check if this is really true)

Set up

For demonstration purposes the following parameters are used:

• VPN Virtual Network Subnet: 10.5.5.0/24
• VPN Server Virtual Network Address: 10.5.5.1
• VPN Server Virtual Network TUN Device: tun5
• VPN Server Host: vpn-server.example.com
• VPN Server SSHD Port: 22
• VPN Server SSH Username: root
• VPN Client Virtual Network TUN Device: tun5

Server (Linux)

You should already have an SSH server running with access set up.

Configure SSH daemon

The configuration is usually in /etc/ssh/sshd_config. After changed reload the service via systemctl reload sshd or service sshd reload.

Ensure that tunnelling is permitted

PermitTunnel yes

Enable client keepalive

ClientAliveInterval 60
ClientAliveCountMax 10

Disable Reverse Path Filtering

This is not needed usually, most distros have this disabled by default.

sysctl -w net.ipv4.conf.all.rp_filter=0
sysctl -w net.ipv4.conf.tun0.rp_filter=0

Linux Client

MacOS Client

ssh \
  -o PermitLocalCommand=yes \
  -o LocalCommand="ifconfig tun0 10.13.40.10 10.13.40.1 netmask 255.255.255.0 up" \
  -w 0:0 \
  -N \
  -v \
  user@target

References

• Arch Linux - SSH VPN Guide
• StackOverflow - MacOS Virtual Network Interface
• StackOverflow - Linux Tun/Tap Setup