Home

VTun

Issue 112

From Issue #112
August 2003

Jul 31, 2003  By Ryan Breen
 in
Link your home and office securely with a virtual private network.

The -s option tells vtund to run as the server, listening for connections on port 5000.

To access the server, you must be able to reach port 5000 on the office machine. Recall that, for the sake of this example, the office is accessible only by SSH, so you must use OpenSSH's port-forwarding mechanism to tunnel port 5000 from the office machine. From home, run: 

ssh mydesktop.work.com -L 5000:localhost:5000

The -L option tells OpenSSH to forward port 5000 on the home machine to port 5000 on the office desktop. Connections to port 5000 on the home machine then are tunneled transparently through SSH to port 5000 on the office machine. This configuration has the additional benefit of encrypting all VPN traffic.

With the running server on the office machine now accessible from the home desktop, all that remains is to start the client. As root on the home desktop, run: 

vtund -f /usr/local/etc/vtund-client.conf
↪my_tunnel localhost

The my_tunnel parameter tells the client and server what tunnel is being created. Both systems query their respective configuration files and run the commands within the up block of the my_tunnel stanza. The final parameter, localhost, specifies the hostname of the VTun server. In this case, the VTun server is localhost because you forwarded port 5000 from the home machine to the office desktop.

If the tunnel was created successfully, running ifconfig on each machine should list a tun0 interface. The home machine then has an IP address of 10.3.0.1 on tun0, and the office machine has IP 10.3.0.2. Drawing on the train station analogy, the track between the office desktop and home desktop has been laid, and you can now route trains between the machines over this track. To demonstrate this, create an SSH connection from your home desktop to 10.3.0.2.

Making It Real

You now have a working tunnel from home to the office. Next, you need to configure route and iptables so packets from home are masqueraded through the work desktop to the rest of the office LAN. Fortunately, this is as simple as adding a few lines to the configuration files on the client and server and restarting the vtund processes. VTun executes the appropriate route and iptables commands when the connection is established.

Returning to the train station analogy, you need to instruct the home desktop station that any trains destined for the office network should be routed through the newly created VTun track. You can accomplish this manually by running: 

route add -net 192.168.5.0 netmask
↪255.255.255.0 gw 10.3.0.2
route add -net 192.168.100.0 netmask
↪255.255.255.0 gw 10.3.0.

Alternatively, you can add the commands as shown in Listing 3 to vtund-client.conf. These commands instruct iptables to forward all packets from the tun interface and to masquerade these packets as coming from the office desktop. Alternatively, we can add the commands shown in Listing 4 to vtund-server.conf and restart the server.

Listing 3. Complete vtund-client.conf

options {
   port 5000;

   # Path to various programs
   ifconfig   /sbin/ifconfig;
   firewall   /sbin/iptables;
   route       /sbin/route;
}

# Default session options
default {
   compress no;   # Compression is off
   encrypt no;    # ssh does the encryption
   speed 0;       # By default maximum speed
   keepalive yes;
   stat yes;
}

my_tunnel {
   pass  XXXXXXXX;    # Password
   type  tun;         # IP tunnel
   proto tcp;         # TCP protocol

   up {
      # 10.3.0.1 = fake tunnel interface (home-end)
      # 10.3.0.2 = fake tunnel interface (work-end)
      # 192.168.5.0/24 = actual work network 1
      # 192.168.100.0/24 = actual work network 2
      ifconfig
        "%% 10.3.0.1 pointopoint 10.3.0.2 mtu 1450";
      route "add -net 192.168.5.0 netmask
      ↪255.255.255.0 gw 10.3.0.2";
      route "add -net 192.168.100.0 netmask
      ↪255.255.255.0 gw 10.3.0.2";
   };
   down{
      ifconfig "%% down";
      route "del -net 192.168.5.0 netmask
      ↪255.255.255.0 gw 10.3.0.2";
      route "del -net 192.168.100.0 netmask
      ↪255.255.255.0 gw 10.3.0.2";
   };
}

Listing 4. Complete vtund-server.conf

options {
   port 5000;

   # Path to various programs
   ifconfig   /sbin/ifconfig;
   firewall   /sbin/iptables;
   route      /sbin/route;
}

# Default session options
default {
   compress no;   # Compression is off
   encrypt no;    # ssh does the encryption
   speed 0;       # By default maximum speed
   keepalive yes;
   stat yes;
}

my_tunnel {
   pass  XXXXXXXX;    # Password
   type  tun;         # IP tunnel
   proto tcp;         # TCP protocol

   up {
      # 10.3.0.1 = fake tunnel interface (home-end)
      # 10.3.0.2 = fake tunnel interface (work-end)
      # 192.168.1.0/24 = actual home network
      ifconfig
        "%% 10.3.0.2 pointopoint 10.3.0.1 mtu 1450";
      route "add -net 192.168.1.0 netmask
      ↪255.255.255.0 gw 10.3.0.1";
      firewall "-t nat-A POSTROUTING -o %%
      ↪-j MASQUERADE";
      firewall "-AFORWARD -i %% -j ACCEPT";
   };
   down{
      ifconfig "%% down";
      route "del -net 192.168.1.0 netmask
      ↪255.255.255.0 gw 10.3.0.1";
   };
}

Once route and iptables are configured, you should have access to your entire corporate intranet from your home desktop. Browse around your internal Web servers, connect to the source code server and try exporting a graphical widget such as an xterm. Performance should be more than adequate for all these tasks, and the SSH tunnel ensures that all traffic is encrypted from prying eyes.

Now that you have a working tunnel, you may want to configure the server to start automatically. This process is distribution-specific. The VTun tarball includes a set of init scripts for different distributions, so you should consult the Readme to determine which will work best for you.

______________________

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

little change

Anonymous's picture
Submitted by Anonymous (not verified) on Tue, 04/07/2009 - 03:15.

the pass configuration value now is passwd

Re: VTun

Anonymous's picture
Submitted by Anonymous on Mon, 05/31/2004 - 02:00.

Very interesting. I currently have one network with three clients. Most importantly, there is a wireless leg, which requires better security. I tend to use all the hosts on the network from the wireless client and, fairly often, I'll use X programs remotely (thus, there is a lot of traffic.) The best solution may be to divide the LAN in two and bridge the halves with VTun over SSH.

Webcast
More Resources
How to Build an Optimal Hadoop Cluster to Store and Maintain Unlimited Amounts of Data Using Microservers

Realizing the promise of Apache® Hadoop® requires the effective deployment of compute, memory, storage and networking to achieve optimal results. With its flexibility and multitude of options, it is easy to over or under provision the server infrastructure, resulting in poor performance and high TCO. Join us for an in depth, technical discussion with industry experts from leading Hadoop and server companies who will provide insights into the key considerations for designing and deploying an optimal Hadoop cluster.

Learn More

Sponsored by AMD

White Paper
More Resources
Red Hat White Paper: Using an Open Source Framework to Catch the Bad Guy

Built-in forensics, incident response, and security with Red Hat Enterprise Linux 6

Every security policy provides guidance and requirements for ensuring adequate protection of information and data, as well as high-level technical and administrative security requirements for a system in a given environment. Traditionally, providing security for a system focuses on the confidentiality of the information on it. However, protecting the data integrity and system and data availability is just as important. For example, when processing United States intelligence information, there are three attributes that require protection: confidentiality, integrity, and availability.

Learn more about catching the bad guy in this free white paper.

Learn More

Sponsored by DLT Solutions