VTun

Link your home and office securely with a virtual private network.

The -s option tells vtund to run as the server, listening for connections on port 5000.

To access the server, you must be able to reach port 5000 on the office machine. Recall that, for the sake of this example, the office is accessible only by SSH, so you must use OpenSSH's port-forwarding mechanism to tunnel port 5000 from the office machine. From home, run:

ssh mydesktop.work.com -L 5000:localhost:5000

The -L option tells OpenSSH to forward port 5000 on the home machine to port 5000 on the office desktop. Connections to port 5000 on the home machine then are tunneled transparently through SSH to port 5000 on the office machine. This configuration has the additional benefit of encrypting all VPN traffic.

With the running server on the office machine now accessible from the home desktop, all that remains is to start the client. As root on the home desktop, run:

vtund -f /usr/local/etc/vtund-client.conf
↪my_tunnel localhost

The my_tunnel parameter tells the client and server what tunnel is being created. Both systems query their respective configuration files and run the commands within the up block of the my_tunnel stanza. The final parameter, localhost, specifies the hostname of the VTun server. In this case, the VTun server is localhost because you forwarded port 5000 from the home machine to the office desktop.

If the tunnel was created successfully, running ifconfig on each machine should list a tun0 interface. The home machine then has an IP address of 10.3.0.1 on tun0, and the office machine has IP 10.3.0.2. Drawing on the train station analogy, the track between the office desktop and home desktop has been laid, and you can now route trains between the machines over this track. To demonstrate this, create an SSH connection from your home desktop to 10.3.0.2.

Making It Real

You now have a working tunnel from home to the office. Next, you need to configure route and iptables so packets from home are masqueraded through the work desktop to the rest of the office LAN. Fortunately, this is as simple as adding a few lines to the configuration files on the client and server and restarting the vtund processes. VTun executes the appropriate route and iptables commands when the connection is established.

Returning to the train station analogy, you need to instruct the home desktop station that any trains destined for the office network should be routed through the newly created VTun track. You can accomplish this manually by running:

route add -net 192.168.5.0 netmask
↪255.255.255.0 gw 10.3.0.2
route add -net 192.168.100.0 netmask
↪255.255.255.0 gw 10.3.0.

Alternatively, you can add the commands as shown in Listing 3 to vtund-client.conf. These commands instruct iptables to forward all packets from the tun interface and to masquerade these packets as coming from the office desktop. Alternatively, we can add the commands shown in Listing 4 to vtund-server.conf and restart the server.

Once route and iptables are configured, you should have access to your entire corporate intranet from your home desktop. Browse around your internal Web servers, connect to the source code server and try exporting a graphical widget such as an xterm. Performance should be more than adequate for all these tasks, and the SSH tunnel ensures that all traffic is encrypted from prying eyes.

Now that you have a working tunnel, you may want to configure the server to start automatically. This process is distribution-specific. The VTun tarball includes a set of init scripts for different distributions, so you should consult the Readme to determine which will work best for you.

______________________

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

little change

Anonymous's picture

the pass configuration value now is passwd

Re: VTun

Anonymous's picture

Very interesting. I currently have one network with three clients. Most importantly, there is a wireless leg, which requires better security. I tend to use all the hosts on the network from the wireless client and, fairly often, I'll use X programs remotely (thus, there is a lot of traffic.) The best solution may be to divide the LAN in two and bridge the halves with VTun over SSH.

Geek Guide
The DevOps Toolbox

Tools and Technologies for Scale and Reliability
by Linux Journal Editor Bill Childers

Get your free copy today

Sponsored by IBM

Upcoming Webinar
8 Signs You're Beyond Cron

Scheduling Crontabs With an Enterprise Scheduler
11am CDT, April 29th
Moderated by Linux Journal Contributor Mike Diehl

Sign up now

Sponsored by Skybot