Build a VPN using only OpenSSH

From Sfvlug



I have written about OpenSSH a few times in the past. It is an amazing tool that can do lots of things. Recently, some of us discovered it can completely replace dedicated VPN programs like OpenVPN. Don't get me wrong, OpenVPN is a great program, but under certain circumstances using OpenSSH can be a lot less effort.

To start with, you need root access on both ends of the VPN. If you don't have root access on one or both ends, then whoever does needs to set this up for you.

In this example, we will show a connection from a home computer to an office network. This example shows a one-to-many VPN relationship. It is possible to extend this configuration to a many-to-many VPN by repeating some of the steps from the office side on the home side.

Home Network

The home network will be Although it isn't important, for the sake of completeness, the client computer will have an address of

Office Network

The office network will be In our example, we will be making a connection to a computer which has an internal address of

VPN Network

In order to create our VPN, we need to set up tuntap networking on both sides before establishing the tunnel. We will use the network for this. On the home side, we will assign and on the office side it will be

Preparation: Office

Before we can set up a VPN tunnel, we need to create a tunnel network interface on the office computer; the interface must exist before the SSH connection that uses it is made. So either prepare this over an ordinary SSH session, then log out and log back in with the tunnel, or do this all in advance before you leave for home. Run the following commands as root.

OpenSSH will not allow a tunnel to be created on the server side unless it is configured to do so. First edit /etc/ssh/sshd_config, and allow tunneling.

PermitTunnel yes

Restart sshd and enter these commands.

echo 1 > /proc/sys/net/ipv4/ip_forward
ip tuntap add tun0 mode tun user <your username>
ip addr add dev tun0
ip link set peer dev tun0
iptables -t nat -A POSTROUTING -o eth0 -s -j MASQUERADE

Preparation: Home

Now that we have a tunnel interface waiting for us on the remote end back at the office, let's configure the local tunnel interface and connect it to the remote.

ip tuntap add tun0 mode tun user <your username>
ip addr add dev tun0
ip link set peer dev tun0
ip route add network via

Switch back to your unprivileged user account (the one tun0 was assigned to above) and log in to the office computer with the tunnel option.

ssh -w 0:0

Jeff 03:42, 21 August 2011 (UTC)
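The office and home steps above, gathered into one script with a dry-run mode and a check that sshd_config actually permits tunnels (an added example, not from the original page; the user name, uplink interface and all addresses are constructed placeholders):

```shell
#!/bin/sh
# Added example, not from the original page: the office and home setup above as
# one parameterised script with a dry-run mode. Every address, the uplink
# interface and the user name below are constructed placeholders (RFC 5737 /
# private ranges); change them to match your networks before running as root.
set -eu

TUN_USER="${TUN_USER:-alice}"    # unprivileged user who will run "ssh -w 0:0"
OFFICE_IF="${OFFICE_IF:-eth0}"   # office uplink that masquerades tunnel traffic
VPN_NET="10.99.0.0/30"           # point-to-point tunnel network
OFFICE_TUN="10.99.0.1"           # office end of tun0
HOME_TUN="10.99.0.2"             # home end of tun0
OFFICE_NET="192.0.2.0/24"        # office LAN that home reaches through the tunnel

# Print the commands for one side ("office" or "home") without running them,
# so they can be reviewed before being applied as root.
tun_commands() {
    case "$1" in
    office) local_ip="$OFFICE_TUN"; remote_ip="$HOME_TUN" ;;
    home)   local_ip="$HOME_TUN";   remote_ip="$OFFICE_TUN" ;;
    *) echo "usage: tun_commands office|home" >&2; return 1 ;;
    esac
    echo "ip tuntap add dev tun0 mode tun user $TUN_USER"
    echo "ip addr add $local_ip/32 peer $remote_ip/32 dev tun0"
    echo "ip link set dev tun0 up"   # bring the interface up
    if [ "$1" = office ]; then
        # Only the office end forwards, and only traffic from the VPN network is NATed.
        echo "sysctl -w net.ipv4.ip_forward=1"
        echo "iptables -t nat -A POSTROUTING -o $OFFICE_IF -s $VPN_NET -j MASQUERADE"
    else
        echo "ip route add $OFFICE_NET via $OFFICE_TUN dev tun0"
    fi
}

# Return 0 if the sshd_config given as $1 effectively permits layer-3 tunnels.
# sshd uses the first value it sees for a keyword, so the first match wins.
permit_tunnel_enabled() {
    val=$(grep -iE '^[[:space:]]*PermitTunnel[[:space:]]' "$1" | head -n 1 \
          | awk '{print tolower($2)}')
    case "$val" in yes|point-to-point) return 0 ;; *) return 1 ;; esac
}

# Apply the commands for real: tun_setup office|home (must be root).
tun_setup() {
    [ "$(id -u)" -eq 0 ] || { echo "tun_setup: run as root" >&2; return 1; }
    tun_commands "$1" | sh -e
}
```

Run `tun_commands office` (or `home`) first to inspect what will change, then `tun_setup` as root on each end; the `ssh -w 0:0` step from the page is unchanged.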
