手机版
你好,游客 登录 注册 搜索
背景:
阅读新闻

常用Linux命令使用技巧:利用ssh端口转发实现Site-to-Site简易VPN通道

[日期:2012-09-08] 来源:Linux社区  作者:chengkinhung [字体: ]

利用SSH的端口转发功能,可以轻易实现一个基于SSH加密通道的虚拟私人网络(VPN)。

─────────────────────────
man ssh;
─────────────────────────
-w local_tun[:remote_tun]

Requests tunnel device forwarding with the specified tun devices between the
client (local_tun) and the server (remote_tun).

The devices may be specified by numerical ID or the keyword “any”,
which uses the next available tunnel device.

If remote_tun is not specified, it defaults to “any”.
See also the Tunnel and TunnelDevice directives in ssh_config.

If the Tunnel directive is unset, it is set to the default tunnel mode, which is “point-to-point”.

 

SSH-BASED VIRTUAL PRIVATE NETWORKS

ssh contains support for Virtual Private Network (VPN) tunnelling using the tun
network pseudo-device, allowing two networks to be joined securely.

The sshd_config configuration option PermitTunnel controls whether the server
supports this, and at what level (layer 2 or 3 traffic).

─────────────────────────
man sshd_config;
─────────────────────────
PermitTunnel

  Specifies whether tun(4) device forwarding is allowed. The argument must be:

    * yes- permits both “point-to-point” and “ethernet”
    * point-to-point(layer3)-
    * ethernet(layer 2)-
    * no- The default is “no”

─────────────────────────
一个设置范例(Example)
─────────────────────────
Client Network:  10.0.2.0/24Server or gateway of client network;
Server Gateway:  192.168.56.1Must be gateway of remote network;
Remote Network:  192.168.57.0/24Can't connet with client network directly;
Point-to-Point:  10.1.1.1 - 10.1.1.2The VPN tunnel we should build;


(1) On the ssh server, change the sshd configuration:

# vi /etc/ssh/sshd_config;
------------------------------------------------------------------------------
PermitRootLogin yes
PermitTunnel yes
------------------------------------------------------------------------------

Reload ssh servcie
# service ssh reload;# for Debian/Ubuntu;
# service sshd reload;# for RedHat/CentOS;


(2) On the client site:

# ssh -f -w 0:0 192.168.56.1 true;

Check if tun0 build successfully(检查通道是否成功建立):
# ip addr show tun0;# Check if tun0 build successfully;
# ip addr show tun0;# Check ssh server site should have same tun0;
# ifconfig tun0;# Check the tun0 interface;


参数说明:

 -f        ssh连接之后将置于后端运行;
 -w 0:0   如通道tunnel建立成功后,将在Client和Server端分别出现名为tun0的界面;
 -w 1:1   如通道tunnel建立成功后,将在Client和Server端分别出现名为tun1的界面;
 true    

注意:不要混淆了Linux下面名为tunl0的预设Tunnel界面,请用 ip addr show 命令检查。

################################################################################
常见错误处理:
################################################################################
如果上述命令出现如下错误信息,请检查是否ssh连接两端已经存在名为tun0的通道界面:
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
channel 0: open failed: administratively prohibited: open failed
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
# ip addr show | grep tun;# Check both site if have already up this tun0;
# ip addr show | grep 10.;# Check both site if have already up this ip;

如有需要,可用如下命令删除预设tunl0的IP设置:
# ip addr flush tunl0;# flushe the contents of address labels;
# ip addr del 10.1.1.1/32 dev tunl0;# assume there is same IP on tunl0;
# ip addr del 10.1.1.2/32 dev tunl0;# assume there is same IP on tunl0;
________________________________________________________________________________
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

(3) Still on the client server:

# ifconfig tun0 10.1.1.1 10.1.1.2 netmask 255.255.255.252

# route add -net 192.168.57.0/24 gw 10.1.1.2 dev tun0

# ifconfig tun0 | grep -A 1 tun0;
------------------------------------------------------------------------------
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.1.1.2  P-t-P:10.1.1.2  Mask:255.255.255.252
------------------------------------------------------------------------------

# route -n | grep tun0
------------------------------------------------------------------------------
10.1.1.0        0.0.0.0         255.255.255.252 U     0      0        0 tun0
192.168.57.0    10.1.1.2        255.255.255.0   UG    0      0        0 tun0
------------------------------------------------------------------------------

(4) On the ssh server:

# ifconfig tun0 10.1.1.2 10.1.1.1 netmask 255.255.255.252

# route add -net 10.0.2.0/24 gw 10.1.1.1 dev tun0

# ifconfig tun0 | grep -A 1 tun0
------------------------------------------------------------------------------
tun0  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
      inet addr:10.1.1.1  P-t-P:10.1.1.1  Mask:255.255.255.252
------------------------------------------------------------------------------

# route -n | grep tun0
------------------------------------------------------------------------------
10.0.2.0        10.1.1.1        255.255.255.0   UG    0      0        0 tun0
10.1.1.0        0.0.0.0         255.255.255.252 U     0      0        0 tun0
------------------------------------------------------------------------------

(5) 进阶使用和注意事项(Advance configuration)

Client access may be more finely tuned via the ~/.ssh/authorized_keys file and
the PermitRootLogin server option.

The following entry would permit connections on tun device 1 from user “jane” and
on tun device 2 from user “john”, if PermitRootLogin is set to “forced-commands-only”:

       tunnel="1",command="sh /etc/netstart tun1" ssh-rsa ... jane
       tunnel="2",command="sh /etc/netstart tun2" ssh-rsa ... john

Since an SSH-based setup entails(意味着) a fair amount of overhead(开销),
it may be more suited to temporary setups, such as for wireless VPNs.
More permanent VPNs are better provided by tools such as ipsecctl and isakmpd.

(6) Dbugging tools and commands

# tcpdump -i any -nnn not port ssh
# ip addr show
# ip addr flush tun0
# ip route show table all
# traceroute -n 10.0.2.15
# traceroute -n 192.168.57.102

linux
相关资讯       SSH 
本文评论   查看全部评论 (0)
表情: 表情 姓名: 字数

       

评论声明
  • 尊重网上道德,遵守中华人民共和国的各项有关法律法规
  • 承担一切因您的行为而直接或间接导致的民事或刑事法律责任
  • 本站管理人员有权保留或删除其管辖留言中的任意内容
  • 本站有权在网站内转载或引用您的评论
  • 参与本评论即表明您已经阅读并接受上述条款