Using OpenSSH in Linux, tunnels can be created over SSH using either TUN or TAP interfaces, as long as proper routing is set up, along with IP forwarding where appropriate.
For creating a TUN tunnel, I will leave here a practical script, from Ip Tunnel Over Ssh With Tun; the script assumes you are running as root.
Add “PermitTunnel yes” to /etc/ssh/sshd_config
Now, on the client it’s as easy as running ssh with some parameters; my script for launching it is:
#!/bin/sh
HOST=REMOTE_PARTY_ADDRESS
HOST_PORT=22
TUN_LOCAL=0 # tun device number here.
TUN_REMOTE=0 # tun device number there
IP_LOCAL=192.168.111.2 # IP Address for tun here
IP_REMOTE=192.168.111.1 # IP Address for tun there.
IP_MASK=30 # Mask of the ips above.
NET_REMOTE=192.168.0.0/16 # Network on the other side of the tunnel
NET_LOCAL=192.168.8.0/24 # Network on this side of the tunnel
echo "Starting VPN tunnel ..."
modprobe tun
ssh -w ${TUN_LOCAL}:${TUN_REMOTE} -f ${HOST} -p ${HOST_PORT} "\
ip addr add ${IP_REMOTE}/${IP_MASK} dev tun${TUN_REMOTE} \
&& ip link set tun${TUN_REMOTE} up \
&& ip route add ${NET_LOCAL} via ${IP_LOCAL} \
&& true"
sleep 3
ip addr add ${IP_LOCAL}/${IP_MASK} dev tun${TUN_LOCAL}
ip link set tun${TUN_LOCAL} up
ip route add ${NET_REMOTE} via ${IP_REMOTE}
echo "... done."
If you want to access/tunnel a network instead of a single machine, you also have to activate IP forwarding, as in:
sudo sysctl -w net.ipv4.ip_forward=1
You also have a script at https://github.com/trustedsec/tap/blob/master/scripts/ssh-tunnel.sh for creating an OpenSSH tunnel over a TAP interface.
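A check for the two settings this answer changes (PermitTunnel and net.ipv4.ip_forward), as an added example that is not part of the original answer or the linked scripts. The function names are hypothetical; input is an sshd_config-style file or the output of `sshd -T`, and Include files and Match blocks are not followed.

```shell
#!/bin/sh
# Added example (not from the original answer): audit the settings the
# tunnel script depends on. Usage: script SSHD_CONFIG [IP_FORWARD_FILE]

# Print the global PermitTunnel value; sshd keeps the first value it reads
# for a keyword, and the default is "no".
permit_tunnel_value() {
    awk '
        BEGIN { val = "no" }
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # comments and blank lines
        tolower($1) == "match" { exit }         # global section ends here
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = split(line, f, /[ \t=]+/)       # "Key value" or "Key=value"
            if (n >= 2 && tolower(f[1]) == "permittunnel") {
                val = tolower(f[2]); exit
            }
        }
        END { print val }
    ' "$1"
}

# Classify the value for a TUN-only (layer 3) tunnel like the one above.
tunnel_finding() {
    case "$1" in
        no)             echo "OK: tunnel forwarding disabled" ;;
        point-to-point) echo "OK: layer 3 (tun) only" ;;
        ethernet)       echo "REVIEW: layer 2 (tap) allowed" ;;
        yes)            echo "REVIEW: tun and tap both allowed" ;;
        *)              echo "UNKNOWN: $1" ;;
    esac
}

# Succeeds when the given file (default: the live sysctl) contains 1.
forwarding_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

audit() {
    tunnel_finding "$(permit_tunnel_value "$1")"
    if forwarding_enabled "$2"; then
        echo "NOTE: net.ipv4.ip_forward=1, this host routes between interfaces"
    fi
}

if [ $# -gt 0 ]; then audit "$@"; fi
```

For a TUN-only tunnel, sshd_config(5) also accepts `PermitTunnel point-to-point`, which permits layer 3 forwarding without also permitting TAP.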
Tunnel and TunnelDevice in the ssh_config(5) manpage and the -w option in the ssh(1). I won't make this an answer because it's been a long time since I've tried that, and I've only used it for testing, and I don't know how well it works. Anyway, you'll have to set the owner of the tun/tap devices with e.g. tunctl(8) if you're to use that as a regular user.