VPN alternative: ssh -w
s2scott
05-05-2008, 03:38 PM
As an easier alternative to IPsec VPNs, trumpet the arrival of SSH's new "-w" option.
With OpenBSD (4.2) and OpenSSH (4.3+), there's a "-w" option, and with it an IP forwarding feature. Classically, ssh(8) is a port forwarder. Not so classically, the "-w" feature is an IP forwarder. The IP can be point to point or point to subnet(s), or subnet(s) to subnet(s) and, thusly, its applicability and efficacy as a [truer] VPN.
Client side is as follows.
(N.B.: My sshd-as-a-vpn listens on port 443, not 22, to allow the client to traverse any intermediate firewalls that may block certain ports.)
OpenBSD client-side variant:
# ssh -p443 -w 0:0 scott@mydomain.com
/* ...authenticate per your ssh policy. */
# ifconfig tun0 10.0.0.2 10.0.0.1 netmask 255.255.255.252
# route add -inet 192.168.2.0/24 10.0.0.1

Ubuntu client-side variant:
# ssh -p443 -w 0:0 scott@mydomain.com
/* ...authenticate per your ssh policy. */
# ifconfig tun0 10.0.0.2 pointopoint 10.0.0.1 netmask 255.255.255.252
/* yes, "pointopoint" is correct as shown */
# route add -net 192.168.2.0/24 gw 10.0.0.1
s2scott
05-05-2008, 03:39 PM
Here's the gateway side configuration...
/etc/hostname.tun0
inet 10.0.0.1 255.255.255.252 10.0.0.2 group tun

/etc/hostname.tun1
inet 10.0.0.5 255.255.255.252 10.0.0.6 group tun

/etc/hostname.tun2
inet 10.0.0.9 255.255.255.252 10.0.0.10 group tun

/etc/hostname.tun3
inet 10.0.0.13 255.255.255.252 10.0.0.14 group tun

/etc/ssh/sshd_config
#
Protocol 2
LoginGraceTime 20
PermitRootLogin yes
Banner /etc/ssh/sshd_banner
PrintMotd yes
UseDNS no
MACs hmac-ripemd160,hmac-sha1
Ciphers aes256-ctr,aes128-ctr,3des-cbc
ListenAddress vpn.mydomain.com:443
ClientAliveInterval 20
ClientAliveCountMax 3
StrictModes yes
MaxAuthTries 3
PermitTunnel point-to-point
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys
PasswordAuthentication no
ChallengeResponseAuthentication no
#
Subsystem sftp /usr/libexec/sftp-server
#
Public keys are the only authentication method. Client-side private keys are pass-phrase protected.
s2scott
05-05-2008, 03:41 PM
/etc/pf.conf fragment...
# -----
pass in log quick on outside inet proto tcp \
from !<BadSshVpn> to (outside:0) port 443 \
tag SSHVPN flags S/SFRA keep state \
queue(Q5VPN,Q7) \
(max-src-conn-rate 3/120, overload <BadSshVpn> flush global)
#
pass in log quick on tun inet \
from (tun:peer) to any \
tag TUNPKTS \
keep state
#
pass out log quick on inside inet \
tagged TUNPKTS keep state
# -----
phoenix
05-05-2008, 04:59 PM
Hrm, so using this, with passwordless private keys on remote servers, one could in theory replace OpenVPN with just SSH. Although I'm not sure how well this would scale for management purposes.
s2scott
05-05-2008, 05:53 PM
passwordless private keys...
I use passworded private keys, not passwordless;
I use this for road warrior client-to-gateway vpn, not site to site; and
Nothing stopping you from your uses, though.
The challenge may be scaling, as you need a tun[0,...,n] interface for each concurrent connection on the gateway machine. This isn't a problem for my use, as three concurrent sessions is the upper need limit.
The feature of ssh -w (for me) is that,
the needed wares are already on every box I operate, therefore, nothing extra to install or maintain;
I use ssh already;
configuring the vpn tunnel is a whole heck of a lot easier than ipsec; and
so far, I can easily pass through tight firewalls and nat setups that are not under my control.
/S
revzalot
05-05-2008, 11:29 PM
Awesome feature! So just to clarify once I'm in a public hotspot I can ssh -w into my OBSD firewall assuming it has the proper firewall rules. Once I'm connected I can surf the net like I was connected at home?
s2scott
05-06-2008, 03:16 AM
Awesome feature! So just to clarify once I'm in a public hotspot I can ssh -w into my OBSD firewall assuming it has the proper firewall rules. Once I'm connected I can surf the net like I was connected at home?
Yep.
But the -w just -- and I mean j-u-s-t -- brings up the ssh encrypted tunnel. How you use the tunnel depends on what you do next. On the CLIENT side...
ifconfig tun0 10.3.0.2 10.3.0.1 netmask 255.255.255.252
where .2 is the client and .1 is the gateway tunnel endpoint.
route add -host gw.mydomain.com <hotspot_default_gateway_address>
route add -net my_lan_subnet 10.3.0.1
route change default 10.3.0.1
Where (1) you MUST preserve the route to your gw machine via the hotspot dhcp-obtained gateway ip, (2) route crypto to your work/home subnet; and (3) route crypto to the gateway and then off the gateway to the world.
These route commands can be scripted easily and may be built into the hostname.tun0 with the "!" prefix.
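A scripted version of the client-side bring-up from the first post and the route ordering insisted on in this one, written as an added example (not code from the thread) for a Linux/Ubuntu road-warrior box. It assumes net-tools (ifconfig/route) and iproute2 (ip) are present, reuses the thread's 10.0.0.1/10.0.0.2 endpoints and 192.168.2.0/24 LAN, and GW_HOST, GW_USER and the state file are hypothetical placeholders; DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the thread: client-side "ssh -w" VPN bring-up that
# pins the gateway's public IP to the hotspot router BEFORE swinging the
# default route into the tunnel, so the SSH session never routes over itself.
set -eu

GW_HOST=${GW_HOST:-gw.mydomain.com}   # hypothetical sshd-as-a-VPN gateway
GW_PORT=${GW_PORT:-443}               # sshd listens on 443, as in the thread
GW_USER=${GW_USER:-scott}
LAN_NET=${LAN_NET:-192.168.2.0/24}    # subnet behind the gateway
TUN_LOCAL=10.0.0.2                    # client end of the /30
TUN_REMOTE=10.0.0.1                   # gateway end of the /30
STATE=${STATE:-/tmp/sshvpn.state}     # hypothetical: remembers the hotspot router
DRY_RUN=${DRY_RUN:-0}

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Public IP of the gateway and the hotspot's DHCP-supplied default router.
gw_ip()      { getent ahostsv4 "$GW_HOST" | awk 'NR==1 {print $1}'; }
hotspot_gw() { ip -4 route show default | awk '{print $3; exit}'; }

# Route plan in the order the post requires: (1) host route to the gateway via
# the hotspot router, (2) home/work LAN via the tunnel, (3) default via tunnel.
route_plan() {
  gw=$1; hs=$2
  echo "route add -host $gw gw $hs"
  echo "route add -net $LAN_NET gw $TUN_REMOTE"
  echo "route del default"
  echo "route add default gw $TUN_REMOTE"
}

vpn_up() {
  gw=$(gw_ip); hs=$(hotspot_gw)
  echo "$gw $hs" > "$STATE"
  # -w 0:0 pairs client tun0 with gateway tun0; -f -N backgrounds the session
  # once the key (pass-phrase protected, per the thread) has been accepted.
  run ssh -f -N -p "$GW_PORT" -w 0:0 "$GW_USER@$GW_HOST"
  run ifconfig tun0 "$TUN_LOCAL" pointopoint "$TUN_REMOTE" netmask 255.255.255.252
  route_plan "$gw" "$hs" | while read -r cmd; do run $cmd; done
}

# Undo in reverse so the box is left with its hotspot default route again.
vpn_down() {
  read -r gw hs < "$STATE"
  run route del default
  run route add default gw "$hs"
  run route del -net "$LAN_NET"
  run route del -host "$gw"
  run pkill -f "ssh -f -N -p $GW_PORT -w 0:0"
}

case "${1:-}" in up) vpn_up ;; down) vpn_down ;; esac
```

Run as root with `up` after the SSH key pass-phrase prompt is answered; `down` restores the hotspot routing and ends the session.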
revzalot
05-09-2008, 10:19 PM
Thanks good buddy. :)