SSH VPN
=======
:author: Aaron Ball
:email: nullspoon@iohq.net

== {doctitle}

Nope, I didn't just yell at you using all caps in the subject. Just for the fun
of it, let's expand that one out.

"Secure Shell Virtual Private Network"

That sure sounds like a phrase you'd hear in some bad hacker movie.

All sarcasm aside, this is probably one of the coolest things you can do with
SSH in my opinion. I wrote link:SSH_Tunnel_Forwarding[a post] about this a
ways back, but it was limited to forwarding and reverse forwarding SSH
tunnels. I recently discovered, though, that SSH can open this cool thing called
a http://en.wikipedia.org/wiki/SOCKS[SOCKS proxy] (short for Socket Secure
Proxy) when using the *-D* switch. SOCKS proxies, unlike SSH tunnels, allow you
to funnel all protocols/traffic through this one port, just like a VPN. The one
downside is that, to use this for everything, you either have to be masterful
with iptables, have http://sourceforge.net/projects/tsocks/[tsocks] installed,
or have the BSD version of netcat installed to work some magic.


[[real-application]]
== Real Application

At work this comes in handy because of the way the networks are set up.
Setting aside any bias about how right or wrong our networks are configured, I
often need to connect to a particular remote system that sits in a subnet
accessible only through two jump boxes (jump0 -> jump1 -> destination). Jump
box 1 is only accessible from jump box 0, and the remote system I need is only
accessible from jump box 1. That means to get to my remote system, I need to
ssh to jump box 0, from there ssh to jump box 1, and from there ssh to my
destination system. This is really cumbersome when I need to work on multiple
systems within this far off subnet.

Using an SSH SOCKS proxy, though, I can have everything set up so I don't have
to keep opening three nested SSH sessions just to access a single box. Here's
how it's done.


[[how-its-done]]
== How it's Done

* SSH to jump box 0 using the following command
** +ssh -L 1080:localhost:1080 jiminy@jump0+
* Using the previously established session, ssh to jump box 1 using the
following command
** +ssh -D 1080 jiminy@jump1+

We now have two nested ssh sessions. The first forwards port 1080 on our local
box to port 1080 on jump box 0's loopback interface. The second, run on jump
box 0, opens a SOCKS proxy on jump box 0's port 1080 whose connections come out
of jump box 1. Remember how port 1080 is forwarded to our local box with the
first ssh session? Anything we send to localhost:1080 now lands on that SOCKS
proxy.

Now, just open an ssh session to any system that is only accessible from jump
box 1 and your traffic will be forwarded straight on through.

----
tsocks ssh jiminy@WayFarOut
----

Yay!
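The same chain, scripted from the workstation as an added example (my script, not code from the post). It goes beyond the post in two ways: *-J* (ProxyJump, OpenSSH 7.3 and later) carries the connection to jump1 through jump0, so no SOCKS listener is left sitting on jump box 0 where any other user of that shared host could connect to it, and *-D* is bound explicitly to 127.0.0.1 so the proxy is not reachable from the LAN. The final hop uses the BSD netcat *-X 5 -x* trick the post mentions in place of tsocks. The user and host names are the post's placeholders; the control-socket path, the environment variable names and the `ss`-based loopback check are my own choices.

```shell
#!/bin/sh
# Added example, not from the original post: open an SSH SOCKS proxy through
# two jump boxes in one command, keep it loopback-only, and use it for the
# final hop. Host names, user and port are the post's placeholders; the
# control-socket path and variable names are this script's own choices.
set -eu

SSH_USER="${SSH_USER:-jiminy}"
JUMP0="${JUMP0:-jump0}"
JUMP1="${JUMP1:-jump1}"
PORT="${PORT:-1080}"
CTL="${CTL:-${HOME:-/tmp}/.ssh/socks-chain.ctl}"   # ssh control socket (hypothetical path)

# Accept only a TCP port in 1..65535 (digits only).
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# ProxyCommand that sends one ssh connection through the SOCKS5 listener using
# OpenBSD netcat: -X 5 selects SOCKS5, -x names the proxy, and ssh fills %h/%p
# with the real destination host and port.
socks_proxy_command() {
  printf 'nc -X 5 -x 127.0.0.1:%s %%h %%p\n' "$1"
}

# Read `ss -ltn` (or `netstat -ltn`) output on stdin; succeed only if the given
# port is listening and every listener on it is bound to loopback. A SOCKS
# proxy reachable on 0.0.0.0 would let anyone on the LAN ride the tunnel.
socks_listener_is_loopback() {
  awk -v port="$1" '
    $1 == "LISTEN" {
      addr = $4; sub(/:[0-9]+$/, "", addr)     # strip ":port"
      p = $4;    sub(/^.*:/, "", p)            # keep only the port
      if (p == port) {
        found = 1
        if (addr != "127.0.0.1" && addr != "[::1]") exposed = 1
      }
    }
    END { if (found && !exposed) exit 0; exit 1 }'
}

# Open the proxy: -f backgrounds after authentication, -N runs no remote
# command, -M/-S create a control socket so `down` can stop it later, -J hops
# through jump0, and -D with an explicit 127.0.0.1 keeps the listener local.
up() {
  valid_port "$PORT" || { echo "bad port: $PORT" >&2; return 1; }
  ssh -f -N -M -S "$CTL" -D "127.0.0.1:$PORT" \
      -J "$SSH_USER@$JUMP0" "$SSH_USER@$JUMP1"
  ss -ltn | socks_listener_is_loopback "$PORT" \
    || echo "warning: port $PORT is not listening on loopback only" >&2
}

# Tear the proxy down through the control socket.
down() {
  ssh -S "$CTL" -O exit "$SSH_USER@$JUMP1"
}

# Reach a host that only jump1 can see, e.g. `go WayFarOut`, without tsocks.
go() {
  ssh -o "ProxyCommand=$(socks_proxy_command "$PORT")" "$SSH_USER@$1"
}

case "${1:-}" in
  up)   up ;;
  down) down ;;
  go)   go "${2:?host required}" ;;
esac
```

Run `sh socks-chain.sh up` once, then `sh socks-chain.sh go WayFarOut` for each far-off box, and `sh socks-chain.sh down` when finished. Keeping the listener on your own workstation's loopback is the point of the explicit bind address: with the post's nested layout the SOCKS port lives on jump box 0, and every local user there can open connections through it.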


[[one-last-thing...]]
== One Last Thing...

There was one thing I discovered that was problematic for me on jump box 0. It
turns out that the default configuration for SSH won't allow forwarding of SSH
traffic. If you're seeing an error like this

----
channel 0: open failed: administratively prohibited: open failed
----

...you need to set *PermitTunnel* in /etc/sshd_config to _yes_ on any boxes
forwarding the SOCKS proxies.
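Before editing the server configuration it is worth seeing which directive is actually refusing the channel. On an OpenSSH server the `administratively prohibited` reply to a *-L* or *-D* channel is decided by *AllowTcpForwarding* (and, when set, *PermitOpen*), while *PermitTunnel* governs only the tun/tap devices created by `ssh -w`. The following added shell function (mine, not the post's) reads the effective settings that `sshd -T` prints and reports whether an `ssh -D` SOCKS proxy would be allowed; the file itself is usually /etc/ssh/sshd_config on current distributions, and on a shared jump host the setting is best scoped to the users who need it with a Match block rather than enabled globally.

```shell
#!/bin/sh
# Added example, not from the original post: report the effective sshd
# directives that decide whether -L/-D channels (and so an ssh -D SOCKS proxy)
# are permitted. Feed it the output of `sshd -T`, which prints every effective
# setting as a lowercase keyword followed by its value, e.g.
#   sudo sshd -T | check_forwarding
# Exit status 0 means SOCKS-style forwarding is allowed, 1 means it is not.
set -eu

check_forwarding() {
  awk '
    $1 == "allowtcpforwarding" { tcp = $2 }
    $1 == "permitopen"         { open = (open == "") ? $2 : (open " " $2) }
    $1 == "permittunnel"       { tun = $2 }
    END {
      # OpenSSH defaults, used when a keyword is absent from the input
      if (tcp == "")  tcp  = "yes"
      if (open == "") open = "any"
      if (tun == "")  tun  = "no"
      printf "AllowTcpForwarding=%s PermitOpen=%s PermitTunnel=%s\n", tcp, open, tun
      # -L and -D open direct-tcpip channels: they need AllowTcpForwarding yes
      # or local, and a SOCKS proxy needs PermitOpen any because the client
      # chooses the destination per connection. PermitTunnel (ssh -w) is
      # reported for completeness but does not affect these channels.
      if ((tcp == "yes" || tcp == "local") && open == "any") exit 0
      exit 1
    }'
}

# Run only when asked, so the function can also be sourced from another script:
#   sudo sshd -T | sh check-forwarding.sh run
if [ "${1:-}" = "run" ]; then
  check_forwarding
fi
```

A server where `sshd -T` shows `allowtcpforwarding no` will print the three values and exit 1 even if PermitTunnel is `yes`, which is the quickest way to tell the two directives apart on a box that is still refusing the channel.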


Category:SSH
Category:Linux


// vim: set syntax=asciidoc: