Pptp-ssh

From SOWNWiki

PPTP over SSH

Since OpenSSH 4.3 you can connect two tunnel endpoints over SSH (the `-w` option). The overhead is likely to be quite high, but it can be cut down by choosing a lighter cipher. This was an alternative proposed by Kevin Page to be used instead of OpenVPN to provide a way to tunnel connections from SOWN[at]HOME nodes back to the SOWN network.

Advantages

The nodes are already running an SSH server so no further software is required.

OpenVPN is designed primarily to be a VPN server rather than a bare secure tunnel, so it may carry extra bloat which could be avoided by building on the minimalistic PPTP over SSH tunnel.

Disadvantages

To set up the tunnel you need to be able to SSH into the remote server as root. Because it is possible to view the contents of the flash on a Meraki, a malicious user could extract the node's key and gain root access to the VPN server. It is likely that this problem could be worked around; however, it was decided to use OpenVPN instead as it worked out of the box.

The current Debian stable (as of 2007-09-01) does not ship OpenSSH 4.3.

How To

Here is how to set up PPTP over SSH.

Tunnel Broker

in sshd_config:

  PermitRootLogin yes
  PermitTunnel yes

in ripd.conf:

  Redistribute Connected

On the sown[at]home node, open the tunnel (this lands you in a root shell on the broker):

  ssh -w X:X root@broker

On the broker, inside that SSH session, configure its end of tunX:

  ifconfig tunX 10.13.X.254 pointopoint 10.13.X.253 netmask 255.255.255.0

Back on the sown[at]home node, configure the local end and route the SOWN range over it:

  ifconfig tunX 10.13.X.253 pointopoint 10.13.X.254 netmask 255.255.255.0
  route add -net 10.13.0.0/16 dev tunX
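As an added example (not from this wiki or the SOWN project), the shell helpers below tie the how-to together: they print the per-node address plan from the node number X, audit an sshd_config for the two settings the broker needs, and build a restricted authorized_keys entry that addresses the "Disadvantages" point above (a node key that is only allowed to open its own tunX and never gets a root shell). Assumptions: X is a number in 0..255 that selects both tunX and the 10.13.X.0/24 pair; the broker's OpenSSH supports `PermitRootLogin forced-commands-only` and the authorized_keys `tunnel="N"` option; `ifconfig`/`route` syntax is the one used on the page. The sample sshd_config is constructed inline.

```shell
#!/bin/sh
# Added example helpers for the PPTP-over-SSH how-to (not the wiki's own code).
# Assumptions: node number X in 0..255 -> device tunX and subnet 10.13.X.0/24;
# the broker's OpenSSH understands PermitRootLogin forced-commands-only and
# the authorized_keys tunnel="N" option.

# Print the commands for node X, following the page's scheme:
# broker end 10.13.X.254, node end 10.13.X.253, whole SOWN range via tunX.
tun_plan() {
    x="$1"
    case "$x" in
        ''|*[!0-9]*) echo "node number must be numeric" >&2; return 1 ;;
    esac
    [ "$x" -le 255 ] || { echo "node number out of range (0..255)" >&2; return 1; }
    printf 'broker: ifconfig tun%s 10.13.%s.254 pointopoint 10.13.%s.253 netmask 255.255.255.0\n' "$x" "$x" "$x"
    printf 'node:   ifconfig tun%s 10.13.%s.253 pointopoint 10.13.%s.254 netmask 255.255.255.0\n' "$x" "$x" "$x"
    printf 'node:   route add -net 10.13.0.0/16 dev tun%s\n' "$x"
}

# Audit an sshd_config (top-level directives only, Match blocks ignored).
# Returns 0 only when layer-3 tunnels are enabled AND root login is limited
# to forced commands, so a stolen node key cannot yield an interactive shell.
audit_sshd() {
    f="$1"
    tunnel=$(awk 'tolower($1)=="permittunnel"{print tolower($2)}' "$f" | tail -n 1)
    root=$(awk 'tolower($1)=="permitrootlogin"{print tolower($2)}' "$f" | tail -n 1)
    rc=0
    case "$tunnel" in
        yes|point-to-point) ;;
        *) echo "PermitTunnel is '$tunnel': layer-3 (tun) tunnels are not enabled"; rc=1 ;;
    esac
    case "$root" in
        forced-commands-only) ;;
        yes) echo "PermitRootLogin yes: the node key gives a full root shell; use forced-commands-only"; rc=1 ;;
        *) echo "PermitRootLogin is '$root': root key login is off, the tunnel cannot be brought up"; rc=1 ;;
    esac
    return $rc
}

# Build the broker-side authorized_keys line for node X. The key may only
# open tunX, gets no pty or forwarding, and its forced command configures
# the broker end of the tunnel then just holds the session open.
restricted_key() {
    x="$1"; pubkey="$2"
    printf 'tunnel="%s",command="ifconfig tun%s 10.13.%s.254 pointopoint 10.13.%s.253 netmask 255.255.255.0 && exec sleep 2147483647",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding %s\n' \
        "$x" "$x" "$x" "$x" "$pubkey"
}

# Demo on a constructed sshd_config that mirrors the page's settings.
demo() {
    tmp=$(mktemp)
    printf 'PermitRootLogin yes\nPermitTunnel yes\n' > "$tmp"   # constructed sample
    echo "== audit of the page's settings =="
    audit_sshd "$tmp" || echo "-> change to: PermitRootLogin forced-commands-only"
    rm -f "$tmp"
    echo "== address plan for node 5 =="
    tun_plan 5
    echo "== restricted authorized_keys entry for node 5 (placeholder key) =="
    restricted_key 5 "ssh-rsa AAAA...PLACEHOLDER node5"
}

[ "${1:-}" = "demo" ] && demo
```

With the restricted entry in place on the broker, the node still runs `ssh -w X:X root@broker` as on the page, but the broker never hands out a shell: the forced command brings up the broker end of tunX and then sleeps, so the interactive `ifconfig` step on the broker disappears and the only thing a copied node key can do is re-open that one tunnel.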

Links

Another good guide is available [1]

Test Node

10.13.15.253 is my desktop box inside the ECS firewall, which is accessible from sown.

Although this all sounds like a great idea, look at the level of access that is required on the broker :( so it is not ideal for systems which users can SSH into on their own. Should be fine on the sown[at]home nodes.