Subject: VPN using ssh-ip-tunnel -- success report.
To: Ricardo <ricardorsj@uol.com.br>
From: Gan Uesli Starling <oinkfreebiker@att.net>
List: netbsd-help
Date: 03/02/2002 10:22:09
Ricardo and all,

Howdy. Got my VPN going. Thanks to everyone who put up with me in the 
meantime. I'll write up a full how-to this weekend. This msg is mainly for 
the archive -- a sum-up of the working solution.

About proxyarp in the /etc/ppp/options file:

Turns out that proxyarp was not required. It did not hurt anything. But I got 
error messages like "...can't obtain ethernet address for proxyarp" when I 
read down the /etc/ppp/ppp.log file. The VPN works fine without proxyarp for 
the PPP. 

Here's what the VPN was for:

I have two LANs, one in each of two cities. Both LANs are islands, but 
within patch-cord length of a common company WAN. I need to remote control a 
bank of WinNTs on the remote LAN from a Win32 box on the local LAN but 
remain aloof from everyone on the WAN in between.

So I set up a VPN from one LAN to the other LAN over the WAN. For this VPN I 
rescued a pair of older i386 boxes from death row on the "spares" shelf and 
installed NetBSD 1.5.2 on them, along with package "ssh-ip-tunnel". 

I did not have a modem for either of these death-row expatriates. So I ftp'd 
pkgsrc in from my NetBSD laptop.

And, as per recommendation (on this list), I wiped VNC 3.3.X off from 
everywhere and substituted TightVNC instead. Then I put a shortcut to 
TightVNC.exe in each remote WinNT's startup file. That way, I don't need to 
have someone there turn it on for me.

Now, the only thing joining either LAN to the WAN is a NetBSD box at either 
end. For security, I turn off everything in the /etc/inetd.conf file. I have 
sshd start up automatically by listing it in the /etc/rc.local file.

Here's how I get it going:

Then, when I need to fire up the VPN (from one end only -- that is, from 
either end, but without any help at the other end) I do...

bar: {44} vpn foo start # foo is peer-name-file at /usr/pkg/etc/vpn/peers/foo

...which is just as per ssh-ip-tunnel's "man vpn". The next step, though 
obvious in retrospect, was not in "man vpn". I must set routes on the REMOTE 
machine. For this I do...

bar: {45} ssh -v vpnuser@foo.something.com

...where foo.something.com is in the /etc/hosts file. Then, when ssh 
connects, I get this...

foo: {1}

...where I do...

foo: {1} su
Password:
foo: {1} route add -net 192.168.3 192.168.100.2
foo: {2} exit
foo: {1} exit
bar: {46}

...assuming vpnuser is in wheel group. I thereby tell the REMOTE machine what 
route it needs to connect the LOCAL machine over PPP.

The "-net 192.168.3" is the LOCAL network, and the "192.168.100.2" is the 
LOCAL end of the PPP tunnel. The two exits close, first the su-to-root, 
second the ssh connection, leaving me back at the LOCAL machine, again...

Now I tell the LOCAL machine its route to the REMOTE network...

bar: {47} route add -net 192.168.2 192.168.100.1
bar: {48}

...where "-net 192.168.2" is the REMOTE network, and "192.168.100.1" is the 
REMOTE end of the PPP connection.

Then my connection is up. I can ping from LOCAL to REMOTE, thus...

bar: {49} ping -c1 192.168.2.9

...to test from this end. And/or I can ssh to REMOTE and ping from that end 
to myself on the LOCAL machine.

I write this just for any who search the netbsd-help archive. A fuller 
write-up will be on my how-to web site in a few days. I'll give it diagrams 
and everything. See the signature below for the URL.

Thanks all,

Gan 

-- 

Mysterious Starling -- Rarest Extinct Bird
     _
   <(+)__        Gan Uesli Starling
     ((__/)=-    Kalamazoo, MI, USA
      `||`
       ++        http://starling.ws

Newbie-2-Newbie NetBSD Unix How-To Pages at...
http://om-ah-hum.com/share/gus_netbsd_index.html
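The start-up sequence from the message above as one script, added here as an example and not part of the original post. It assumes the names and addresses the message uses (peer "foo" at foo.something.com, user vpnuser, PPP ends 192.168.100.1 and 192.168.100.2, LANs 192.168.2 and 192.168.3, test host 192.168.2.9) and adds the check a practitioner would want: that the LOCAL route is really present in "netstat -rn" before the ping.

```shell
#!/bin/sh
# Added example: bring up the ssh-ip-tunnel VPN, set the route on both ends,
# verify the local route, then ping. Values below are assumptions taken
# from the mailing-list message, not from ssh-ip-tunnel itself.
PEER=foo; PEER_HOST=foo.something.com; VPN_USER=vpnuser
LOCAL_NET=192.168.3;  LOCAL_PPP=192.168.100.2    # LOCAL LAN, LOCAL PPP end
REMOTE_NET=192.168.2; REMOTE_PPP=192.168.100.1   # REMOTE LAN, REMOTE PPP end
TEST_HOST=192.168.2.9

# Route the REMOTE box needs back to the LOCAL LAN over the PPP link.
remote_route_cmd() { echo "route add -net $LOCAL_NET $LOCAL_PPP"; }
# Route the LOCAL box needs to reach the REMOTE LAN.
local_route_cmd()  { echo "route add -net $REMOTE_NET $REMOTE_PPP"; }

# have_route NET GATEWAY: read "netstat -rn" output on stdin; succeed only
# if a line for NET (with or without a /24 suffix) points at GATEWAY.
have_route() {
  awk -v net="$1" -v gw="$2" '
    ($1 == net || $1 == net "/24") && $2 == gw { found = 1 }
    END { exit found ? 0 : 1 }'
}

# Constructed sample of "netstat -rn" output, for trying have_route offline.
SAMPLE_NETSTAT='Destination        Gateway            Flags
192.168.2/24       192.168.100.1      UGS
192.168.100.1      192.168.100.2      UH'

# Run a command, or only print it when DRY_RUN=1 (lets the logic be checked
# on a box that has no vpn/ppp at all).
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

vpn_up() {
  run vpn "$PEER" start || return 1
  # -t gives su a tty for its password prompt. On NetBSD su, "-c" after the
  # login name is handed to root's shell (before it, -c means login class).
  run ssh -t "$VPN_USER@$PEER_HOST" "su root -c '$(remote_route_cmd)'" || return 1
  run $(local_route_cmd) || return 1
  if [ "${DRY_RUN:-0}" != 1 ]; then
    netstat -rn | have_route "$REMOTE_NET" "$REMOTE_PPP" \
      || { echo "LOCAL route to $REMOTE_NET via $REMOTE_PPP missing" >&2; return 1; }
  fi
  run ping -c1 "$TEST_HOST"
}
```

Run it as root on the LOCAL NetBSD box; with DRY_RUN=1 it only prints the commands it would issue.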