  1. #1

    SSH: The VPN No One Remembers

    Introduction
    For anyone that doesn't know about VPNs, it's basically the ability to use your server's resources (drives, bandwidth sometimes, etc...) remotely. So, for example, say you want to mount your server's /dev/sda6 partition to your home PC. You can use a VPN to do this, and you'll be able to browse all of those files from the luxury of your home PC.

    I'm sure everyone is aware as to what SSH (specifically OpenSSH) is, especially since there's been a lot of discussion about it on LinuxForum.com as of late. But, I don't know if many people actually realize just how powerful SSH can be. If used right, you can turn a regular SSH server into a non-resource intensive, very much free VPN server. While it won't be as robust as say, OpenVPN, it's definitely better than buying a whole new server just for VPN functionality, and SSH can mount remote directories as well using sshfs.

    How To Start
    This guide is pretty short because the steps are rather easy. There is an assumption that you have an already-working SSH install, however. What we are going to do is take that install, and build on it.

    What I did personally for my set up, because I wanted to have two different access lists, is create a new SSH config file. For this, I just did the following:
    Code:
    cp /etc/ssh/sshd_config /etc/ssh/proxy_config
    The reason for doing this is because I wanted to leave my SSH configuration separate from a proxy (and thus have two instances of SSH running, but the footprint is very minimal). I took out all of the commented stuff from the new proxy_config. Below are the most important parts to focus on:

    Code:
    Port ####
    Of course change the "####" part, but change this from the regular SSH server.

    Code:
    PermitRootLogin no
    You should never have this enabled to begin with, and just in case you flub up on your proxy account creation you'll want to make sure something bad doesn't happen.

    Code:
    PermitTunnel yes
    I'm kind of on the fence about this one personally, it used to work without needing this but now it's needed. Basically this lets you bind to the SSH server and make it act as a proxy server of sorts.

    Code:
    AllowUsers user1 user2 etc...
    AllowGroups group1 group2 etc...
    You can use one or both of these, but I'd highly recommend against using neither (as then it'd mean anyone can log into it). This is the meat and bones of the ACL of this proxy system. For the joy of not breaking anything, I only used AllowGroups and set it to my proxy group. Basically what happens is that SSH checks this list for each user authentication request, and if the user isn't listed (or the user isn't in the specified group), SSH says "no entry!" and refuses the connection.

    Testing
    Now, assuming you made the appropriate changes to your firewall(s) and created any needed accounts or groups (highly advisable to NOT assign the user a shell, by the way), you should be ready to go. You can either copy & edit the start up script in similar fashion to the sshd_config file, or simply run this command:
    Code:
    /usr/sbin/sshd -f /etc/ssh/proxy_config
    Side Note
    Before continuing, I'd like to say something. If you decide to go the more flexible route and just copy & edit the SSH start up script, make sure you edit the PIDFILE variable, and whatever you name the pid (i.e.: sshd_proxy.pid), make sure you copy and rename the SSH file in /etc/conf.d/sshd to that as well. For example, if the pid is sshd_proxy.pid, your command will look like:
    Code:
    cp /etc/conf.d/sshd /etc/conf.d/sshd_proxy
    Then edit that file and change the name of the SSH config file. This might sound confusing, but when you look at it, it makes a lot more sense, I promise.

    Connecting Remotely
    Your SSH proxy all set up? The proxy running on the correct port? Good, now the coup de grâce. Fire up a terminal, and run the following command:
    Code:
    ssh -fND localhost:local_port_number -p port_proxy_is_running_on proxy_username@remote_server_hostname_or_ip
    Making the appropriate changes, this will run the connection in the foreground (remove the "f" to make it run in the background, this is done to make sure everything runs smoothly). If all goes well, you'll see nothing happen, as in it'll look like it's hung or frozen. For local_port_number, you should choose one that isn't used, and is higher than 1024. What you do now is use hostname localhost and port local_port_number (whatever it may be) for any programs you want to connect to via proxy (browser, IM client, e-mail program, etc...).

    Just like any other proxy, the data for any programs using this proxy will be fed to the proxy server, so programs will always see the proxy's IP address as being yours. So for example, say we want to use local port 5555, the proxy is listening on port 9999, the proxy username is bob, and the server IP is 255.244.222.111. The command will look like this:
    Code:
    ssh -fND localhost:5555 -p 9999 bob@255.244.222.111
    Information Server Management
    Linux server management, PCI consultation and affordable web hosting.

    Security For Us - Where security works for you

    Providing server security and PCI compliance for individuals and businesses.
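Added example, not part of the original post: a small POSIX sh audit of a second sshd instance's config against the settings the post recommends. It assumes nothing about the real server; the file names and config contents are constructed inline. It also checks AllowTcpForwarding, because ssh -D is a local TCP forward governed by that keyword (default yes), while PermitTunnel controls tun devices (-w).

```shell
#!/bin/sh
# Added example, not from the original post: audit a second sshd instance's
# config for the settings the post recommends. Two sshd_config facts matter:
# keywords are case-insensitive, and the FIRST value found for a keyword wins,
# so a stray later "PermitRootLogin yes" is harmless but an EARLIER one is not.
# (Match blocks are not handled.) File names and contents are constructed.
MAIN_CFG="${TMPDIR:-/tmp}/sshd_config.example"
PROXY_CFG="${TMPDIR:-/tmp}/proxy_config.example"
printf 'Port 22\n' > "$MAIN_CFG"
cat > "$PROXY_CFG" <<'EOF'
# proxy instance: copied from sshd_config and trimmed, as in the post
Port 9999
PermitRootLogin no
# the next line is ignored by sshd: the first value above wins
permitrootlogin yes
PermitTunnel yes
AllowGroups sshproxy
EOF

# sshd_value FILE KEYWORD: print the effective (first) value of KEYWORD
sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        $1 !~ /^#/ && tolower($1) == key {
            sub(/^[ \t]*[^ \t]+[ \t]+/, ""); sub(/[ \t]+$/, ""); print; exit }' "$1"
}

# audit_proxy_config PROXY_CFG MAIN_CFG: one line per finding; returns the
# number of failed checks (0 = all of the post's recommendations are met)
audit_proxy_config() {
    fails=0
    main_port=$(sshd_value "$2" Port); proxy_port=$(sshd_value "$1" Port)
    if [ "${proxy_port:-22}" = "${main_port:-22}" ]; then   # sshd default is 22
        echo "FAIL Port: proxy must not share port ${main_port:-22} with the main sshd"
        fails=$((fails + 1))
    fi
    if [ "$(sshd_value "$1" PermitRootLogin)" != no ]; then
        echo "FAIL PermitRootLogin: must be explicitly 'no'"
        fails=$((fails + 1))
    fi
    # -D dynamic forwarding is a local TCP forward: it needs AllowTcpForwarding
    # yes/all/local (default yes). PermitTunnel only affects tun devices (-w).
    case "$(sshd_value "$1" AllowTcpForwarding)" in
        no|remote) echo "FAIL AllowTcpForwarding: set to yes or local for -D to work"
                   fails=$((fails + 1)) ;;
    esac
    if [ -z "$(sshd_value "$1" AllowUsers)" ] && [ -z "$(sshd_value "$1" AllowGroups)" ]; then
        echo "FAIL ACL: set AllowUsers and/or AllowGroups, or any account can log in"
        fails=$((fails + 1))
    fi
    return "$fails"
}

audit_proxy_config "$PROXY_CFG" "$MAIN_CFG" && echo "proxy_config OK"
```

Run it against the real files (e.g. `audit_proxy_config /etc/ssh/proxy_config /etc/ssh/sshd_config`) before starting the second instance; `sshd -t -f FILE` remains the authoritative syntax check.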




  2. #2
    For applications not supporting a connection through a SOCKS proxy, one could use tsocks.
    Basically, tell tsocks which port the SOCKS proxy listens and execute any command you want with tsocks.

  3. #3
    Quote Originally Posted by lightpriest:
    For applications not supporting a connection through a SOCKS proxy, one could use tsocks.
    Basically, tell tsocks which port the SOCKS proxy listens and execute any command you want with tsocks.
    You can use tsocks or Tor for a SOCKS proxy, but if you're privacy paranoid then you could always do it this way too. You do make a good point though and thank you for mentioning that.

  4. #4
    The -D option of ssh client causes it to act as a SOCKS server.
    I meant that if someone wants to use an application that doesn't support SOCKS over the SSH tunnel, he could do this with tsocks.

    For me, tsocks is already globally configured on my laptop to the same port I usually configure for SSH to listen on. So, when I want to direct some command to go through the proxy created by SSH (like wget, curl, git, w/e) I use tsocks.

    This actually is quicker because I don't have to remember (or manually set) any of the proxy configuration options and/or global variables for various commands. I just use it on demand.
    I know it can also be done with nc, but I find tsocks more comfortable.

    Just a personal recommendation, I usually set the bind address to 127.0.0.2 instead of 127.0.0.1 (the default localhost). I do this mainly to avoid taking a listen port that some other software might decide to use (chat, voice calls, remote debugging, etc.)
    Last edited by lightpriest; 01-20-2012 at 02:56 PM.

  5. #5
    Keep in mind that if a website requires Flash or Java it may not work as you wished. In this case try the regular VPN, then all your connections will go through your server.

  6. #6
    Can this be remotely accomplished by another person who does some applications for me from another state? I am wondering if it has to be done by me, the primary owner of the computer.

  7. #7
    Quote Originally Posted by goodselfme:
    Can this be remotely accomplished by another person who does some applications for me from another state? I am wondering if it has to be done by me, the primary owner of the computer.
    Depends on what you're referring to. To make SSH act like a proxy it has to be done by someone who has access to the server (physical or remote).

    If you're NOT the only one that uses the server though, then in all good will I would say make sure everyone else is fine with you doing this before you do it, as it can leave a security hole open if not done properly.
