ssh


My earlier article on ssh trickiness didn’t include mention of the newish “-w” option, which turns ssh into a full-on VPN solution rather than just a port-at-a-time port forwarder.

The useful piece of information which I haven’t seen elsewhere is this: you don’t need to allow root ssh logins to use it. Instead, you can use ‘tunctl’ to preconfigure tun or tap devices on each end with the -u option to set their permissions to a non-root user. The easiest place to do this, on Debian/Ubuntu systems, is in /etc/network/interfaces, for example:

in host1:/etc/network/interfaces

auto tap9
iface tap9 inet static
    pre-up tunctl -u nick -t $IFACE
    post-down tunctl -d $IFACE
    address 10.1.9.1
    netmask 255.255.255.0

in host2:/etc/network/interfaces

auto tap9
iface tap9 inet static
    pre-up tunctl -u nick -t $IFACE
    post-down tunctl -d $IFACE
    address 10.1.9.2
    netmask 255.255.255.0

Now you can ‘ifup’ those interfaces, and then start the VPN by running:

user@host2$  ssh -o Tunnel=Ethernet -w9:9 host1

And the tunnel will be up and running, without needing to create the tunnel as root. You could easily take this one step further for an automatic tunnel, setting up a guest user ‘vpn’ in a chroot or similar who exists only to manage the tunnels.
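One thing the recipe above silently depends on: sshd on host1 must have PermitTunnel set (the default is "no", and "Tunnel=Ethernet" additionally needs "yes" or "ethernet"), or the -w request is refused even though the tap devices are ready. The following is an added example, not code from the original post, that reads the global PermitTunnel value out of an sshd_config and decides whether the requested tunnel mode would be allowed; the two config files it creates are constructed samples.

```shell
#!/bin/sh
# Added example: does this sshd_config let "ssh -w" come up?
# sshd honours the FIRST occurrence of a keyword outside Match blocks;
# the default when the keyword is absent is "no".  Match blocks can still
# override the global value for specific users, which this check ignores.

permit_tunnel_value() {
    # $1: path to an sshd_config; prints the effective global PermitTunnel value
    awk '
        tolower($1) == "match" { inmatch = 1 }
        !inmatch && tolower($1) == "permittunnel" && !found { print tolower($2); found = 1 }
        END { if (!found) print "no" }
    ' "$1"
}

tunnel_allowed() {
    # $1: sshd_config path; $2: requested mode, "ethernet" or "point-to-point"
    # returns 0 when the global setting permits that mode, 1 otherwise
    v=$(permit_tunnel_value "$1")
    case "$v" in
        yes)  return 0 ;;
        "$2") return 0 ;;
        *)    return 1 ;;
    esac
}

# Constructed sample configs (not taken from any real host).
SAMPLE_DEFAULT=$(mktemp)
cat > "$SAMPLE_DEFAULT" <<'EOF'
# stock config: the keyword only appears commented out, so the default applies
Port 22
#PermitTunnel no
EOF

SAMPLE_ETH=$(mktemp)
cat > "$SAMPLE_ETH" <<'EOF'
PermitTunnel ethernet
Match User someoneelse
    PermitTunnel no
EOF
trap 'rm -f "$SAMPLE_DEFAULT" "$SAMPLE_ETH"' EXIT

for f in "$SAMPLE_DEFAULT" "$SAMPLE_ETH"; do
    printf '%s: PermitTunnel=%s\n' "$f" "$(permit_tunnel_value "$f")"
done
```

On a live host, `sshd -T | grep -i permittunnel` prints the effective value after all defaults and includes are applied, which is the authoritative check.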

I saw an article on reddit this morning about SSH trickery. SSH is a very subversive protocol, able to work around many kinds of unwise security policies. Here are a couple more useful things to know.