Workings of a Virtual Private Network, Part 1
Once authenticated, the local user can freely operate as the specified user on the remote machine. There, on his behalf, sshd runs the requested command or shell and sends any standard output back to the local machine, but not before first encrypting it. Direct conversation between the machines is all between ssh and sshd. So, ssh is there on the receiving end, knowing what to do with the incoming data stream (decrypt it) and how (using the agreed key). The same thing happens with reverse traffic, ssh encrypting and sshd decrypting.
You might think the encryption key used on each machine for outbound data would be the public key of the other machine's user. However, for performance reasons, ssh and sshd settle instead on a different, secret-key during their initial negotiation phase, and both use that same key for encrypting the session. While ssh-keygen's public/private keys play the central role in authentication, their role in encryption is solely to impenetrably encrypt the initial exchange of this secret key, overcoming the key exchange weakness in secret key cryptography. For ongoing message encryption, however, the public/private keys are not used. Secret-key algorithms are faster than public/private-key algorithms. The securely exchanged secret key, called the “session key”, is used to encrypt the rest of the session.
The important point is that once the session gets underway, ssh and sshd operate as transparent intermediary processes such that the entire session gets encrypted. Nothing moves between the machines unscrambled, so meaningful interception is impossible.
Now we can put together our VPN. The trick is to strategically submit a certain command for ssh to launch remotely. That command is pppd, the point-to-point protocol daemon.
We know that during a session, ssh and sshd encrypt the entire dataflow of whatever command(s) they launch as it passes between them. The duration of a session is as long as the command takes to execute. So, for commands that run straightaway to termination like ls /home, the session is transient because the command is transient. Not all commands are this expeditious, for example, an editor or pppd.
This command stays up all day—you have to kill it to stop it.
Critical for achieving VPN functionality, pppd is itself a traffic carrier for other programs. This implies that everything passing between two computers via a pppd interface launched under ssh control automatically goes through the encryption mill.
Combined with routing, this bilateral umbilical link broadens into a general-purpose bridge that can carry conversations between any pair of workstations on opposite sides. Routing lets each workstation on one LAN see those on the opposite LAN by IP address—one big happy family. At the same time, ssh denies that visibility to the outside world. This is precisely the effect of having all the workstations local. With this setup, you have the equivalent of a single LAN, but because that's not truly what you have, your consolidated network is “virtual”.
What can workstations on opposite LANs do here? Whatever a pair of workstations on the same LAN can—more generally, whatever any machines mutually addressable by IP addresses can. In my experience, examples of actual operations between remote machine pairs on a Linux VPN include:
Microsoft computers conducting MS peer-to-peer resource sharing.
A Linux machine serving resources to MS machines by running Samba.
An MS machine running a terminal emulator on an IBM AIX UNIX machine.
A Linux or MS machine using TELNET to log into another Linux or UNIX machine.
Interacting machines don't know their conversation is being encrypted for much of its journey. They just launch packets at one another by IP address and let their routing tables figure it out. Upon reaching their VPN server, the routing table there points these packets across the ppp interface operated by ssh. That's where the security comes in; otherwise, it's nothing more than routing as usual.
That's it for the theory. It's virtual. It's private. It's a network. So, I trust you'd agree, it's a virtual private network. Part 2 will cover practical operation of the VPN HOWTO script in detail.
- Readers' Choice Awards 2013
- Linux Kernel News - November 2013
- December 2013 Issue of Linux Journal: Readers' Choice
- Mars Needs Women
- RSS Feeds
- Sublime Text: One Editor to Rule Them All?
- Raspberry Pi: the Perfect Home Server
- Advanced Hard Drive Caching Techniques
- Web Administration Scripts
- IBM Will Minimize Impact of Future Disasters
- thanks for share, great
6 hours 20 min ago
- There are factors which are
11 hours 20 min ago
- Gnome 3 ?
12 hours 5 min ago
- Reply to comment | Linux Journal
16 hours 12 min ago
- "Redis RethinkDB 4.5%" on Best NoSQL Databases
1 day 2 hours ago
- on the ground
1 day 8 hours ago
- I was able to read the whole
1 day 10 hours ago
- since i have read the title i
1 day 13 hours ago
- Belanja Online Cari Voucher Diskon
1 day 13 hours ago
- The kernel doesn't really
2 days 1 hour ago