Re: PPP VPN solution over ssh tunnel?

From: Wayne Throop (throopw_at_sheol.org)
Date: 03/11/04


Date: Thu, 11 Mar 2004 19:37:26 GMT


: Chris <ceo@nospan.on.net>
: I run an ssh tunnel home from work all day long. (How many network
: dawgs DON'T???) Works great. I could run a traditional VPN connection
: home, but the free VPN that comes with Windoze only sees one network
: or the other (either the one at work, or the one at home).
:
: So I thought I'd just create a virtual PPP connection home through my
: existing tunnel. Window (as stupid as it is) would just think it's a
: PPP connection (well, it would be), and treat it as such. So I'd be
: PPP/VPN'd into the house, and still connected at work.

The traditional objection to this, and why it doesn't get routinely
documented in a HOWTO, is that routing datagram protocols via stream
protocols, especially TCP, can result in horrible snafus. That said, I've
done this using pppd->slirp and expect to glue all the ends together;
similar things could be done with ppp on both ends. Performed horribly,
but it worked for some things socks proxy did not. Part of the problem
is, stock pppd and slirp want very much to talk to ttys, and that's
icky. So mostly, other tunneling methods tend to be recommended for
these sorts of reasons.

One thing you might try is use of runsocks or dante socksify
libraries along with a socks proxy. It doesn't tunnel UDP and other
datagram protocols (or at least not well), but it's good for a *lot*
of networking apps. Further, ssh nowadays has the -D option, so that
you can use the sshd as your remote socks server, and the local ssh
as the proxy for it.

     -D port
             Specifies a local ``dynamic'' application-level port forwarding.
             This works by allocating a socket to listen to port on the local
             side, and whenever a connection is made to this port, the connec-
             tion is forwarded over the secure channel, and the application
             protocol is then used to determine where to connect to from the
             remote machine. Currently the SOCKS4 protocol is supported, and
             ssh will act as a SOCKS4 server. Only root can forward privi-
             leged ports. Dynamic port forwardings can also be specified in
             the configuration file.

Socks4 is not nearly as good as socks5, so if that becomes a big deal,
you run a socks server and forward with -L 1080:localhost:1080 instead.

Of course, combinations of the above work; eg, use -D, then
http://www.imasy.or.jp/~gotoh/ssh/connect.c and expect, so you
can bring up and tear down the ppp tunnel to varying remote
points without respinning the ssh port forwards. That connect.c
is a very nice thing to have around as tcp stream glue; good for
some things netcat isn't. For example, you can arrange for ssh
via socks proxy, even though it isn't usually compiled in, by using

     -o 'ProxyCommand connect -S localhost %h %p'

and the such. Other things that can be done using socks proxy:
mount filesystems using ssh/lufs. Access pop/imap/http
and other servers using most readers/browsers. Forward multicast
over TCP despite it being subject to problems, via
http://www.cs.columbia.edu/~lennox/udptunnel/
And so on and so on.

So while there may be a better way to do it, I ended up
gluing together a ppp server and a ppp client via expect, just to try
it out. However for my day-to-day use, socks5 proxy performs better,
and is very nearly as capable, depending on exactly what you want to do.
I recommend you try the socks proxy route, unless you positively,
absolutely, need something it can't do. Which is rare.

I think there are also tunnel client-ends that use socks proxy,
but I haven't been able to locate them; that'd be very nice also.
If anybody knows of that, perhaps you could post about it.

So. To sum up the tools mentioned. Slirp. Expect. Connect.
     Runsocks/socksify. Ssh -D. Lufs. Udptunnel.
     Google is your friend in finding out more about all of these.

Wayne Throop throopw@sheol.org http://sheol.org/throopw
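The post quotes the ssh -D manual text about the SOCKS4 protocol being used "to determine where to connect to from the remote machine", and then notes that SOCKS4 is not nearly as good as SOCKS5. The following is an added example, not code from the post or from OpenSSH: it builds and parses the SOCKS4 CONNECT request and reply on the wire so you can see exactly what the local ssh hands to sshd, and why the format limits you. The sample address, port and user id are constructed values; the helper names are my own.

```python
import ipaddress
import struct

# SOCKS4 CONNECT request layout (RFC-less, but well documented):
#   VN(1)=4  CD(1)=1  DSTPORT(2, network order)  DSTIP(4)  USERID  NUL
# Reply layout:
#   VN(1)=0  CD(1)=0x5A granted / 0x5B rejected  DSTPORT(2)  DSTIP(4)
SOCKS4_VERSION = 4
CMD_CONNECT = 1
REPLY_GRANTED = 0x5A
REPLY_REJECTED = 0x5B
_HEADER = struct.Struct("!BBH4s")  # VN, CD, port, 4-byte IPv4


def needs_local_dns(target: str) -> bool:
    """SOCKS4 carries only a 4-byte IPv4 address, so a hostname must be
    resolved by the *client* before the request can be built. That is the
    core reason SOCKS5 (hostnames, IPv6, UDP) is the better protocol."""
    try:
        ipaddress.IPv4Address(target)
        return False
    except ValueError:
        return True


def build_connect_request(dst_ip: str, dst_port: int, userid: str = "") -> bytes:
    """Bytes a SOCKS4 client (the local ssh -D listener's peer) sends."""
    packed_ip = ipaddress.IPv4Address(dst_ip).packed  # raises on non-IPv4
    return _HEADER.pack(SOCKS4_VERSION, CMD_CONNECT, dst_port, packed_ip) \
        + userid.encode("ascii") + b"\x00"


def parse_connect_request(data: bytes):
    """Decode a request the way the proxy side (here sshd acting as the
    SOCKS4 server) must, returning (dst_ip, dst_port, userid)."""
    if len(data) < _HEADER.size + 1:
        raise ValueError("request too short")
    vn, cd, port, packed_ip = _HEADER.unpack(data[:_HEADER.size])
    if vn != SOCKS4_VERSION:
        raise ValueError(f"not a SOCKS4 request (VN={vn})")
    if cd != CMD_CONNECT:
        raise ValueError(f"unsupported command {cd}")
    nul = data.find(b"\x00", _HEADER.size)
    if nul == -1:
        raise ValueError("USERID not NUL-terminated")
    userid = data[_HEADER.size:nul].decode("ascii", errors="replace")
    return str(ipaddress.IPv4Address(packed_ip)), port, userid


def build_reply(granted: bool, dst_port: int = 0, dst_ip: str = "0.0.0.0") -> bytes:
    """Reply the proxy sends back; VN is 0 in replies, not 4."""
    code = REPLY_GRANTED if granted else REPLY_REJECTED
    return _HEADER.pack(0, code, dst_port, ipaddress.IPv4Address(dst_ip).packed)


def parse_reply(data: bytes) -> bool:
    """True if the proxy granted the connection, False if rejected."""
    vn, cd, _port, _ip = _HEADER.unpack(data[:_HEADER.size])
    if vn != 0:
        raise ValueError(f"bad reply version {vn}")
    if cd not in (REPLY_GRANTED, REPLY_REJECTED):
        raise ValueError(f"unknown reply code {cd:#x}")
    return cd == REPLY_GRANTED


def simulate_exchange(dst_ip: str, dst_port: int, userid: str):
    """Run one client/proxy round trip in-process with constructed values
    and return what the proxy decoded plus whether the client saw 'granted'."""
    req = build_connect_request(dst_ip, dst_port, userid)
    ip, port, user = parse_connect_request(req)   # proxy side
    reply = build_reply(True, port, ip)            # proxy says OK
    return (ip, port, user), parse_reply(reply)    # client side


if __name__ == "__main__":
    # 192.0.2.10 is documentation address space; "wayne" is a made-up user id.
    print(simulate_exchange("192.0.2.10", 110, "wayne"))
    print("hostname needs client-side DNS:", needs_local_dns("mail.example.net"))
```

Because the destination travels as a raw IPv4 address, any application socksified this way leaks its DNS lookups on the local side and cannot reach IPv6-only or UDP services; that is the practical content of "socks4 is not nearly as good as socks5" and of the -L 1080:localhost:1080 workaround.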
