Nick Moore

My earlier article on ssh trickiness didn’t include mention of the newish “-w” option, which turns ssh into a full-on VPN solution rather than just a port-at-a-time port forwarder.

The useful piece of information which I haven’t seen elsewhere is this: you don’t need to allow root ssh logins to use it. Instead, you can use ‘tunctl’ to preconfigure tun or tap devices on each end with the -u option to set their permissions to a non-root user. The easiest place to do this, on Debian/Ubuntu systems, is in /etc/network/interfaces, for example:

in host1:/etc/network/interfaces

auto tap9
iface tap9 inet static
    pre-up tunctl -u nick -t $IFACE
    post-down tunctl -d $IFACE
    address 10.1.9.1
    netmask 255.255.255.0

in host2:/etc/network/interfaces

auto tap9
iface tap9 inet static 
    pre-up tunctl -u nick -t $IFACE
    post-down tunctl -d $IFACE
    address 10.1.9.2
    netmask 255.255.255.0

Now you can ‘ifup’ those interfaces, and then start the VPN by running:

user@host2$  ssh -o Tunnel=Ethernet -w9:9 host1

And the tunnel will be up and running, without needing to create the tunnel as root. You could easily take this one further for an automatic tunnel, setting up an guest user ‘vpn’ in a chroot or similar who exists only to manage the tunnels.