VTun

Link your home and office securely with a virtual private network.

The -s option tells vtund to run as the server, listening for connections on port 5000.

To access the server, you must be able to reach port 5000 on the office machine. Recall that, for the sake of this example, the office is accessible only by SSH, so you must use OpenSSH's port-forwarding mechanism to tunnel port 5000 from the office machine. From home, run:

ssh mydesktop.work.com -L 5000:localhost:5000

The -L option tells OpenSSH to listen on port 5000 on the home machine and to forward each connection, through the SSH session, to port 5000 on localhost as seen from the office desktop. Connections to port 5000 on the home machine are thus tunneled transparently through SSH to port 5000 on the office machine. This configuration has the additional benefit of encrypting all VPN traffic and of authenticating the office end by its SSH host key. Note that OpenSSH binds the forwarded port to the loopback interface unless told otherwise, so other hosts on your home network cannot reach it.

With the running server on the office machine now accessible from the home desktop, all that remains is to start the client. As root on the home desktop, run:

vtund -f /usr/local/etc/vtund-client.conf my_tunnel localhost

The my_tunnel parameter names the tunnel being created. Both systems look up the my_tunnel stanza in their respective configuration files and run the commands in its up block. The final parameter, localhost, is the hostname of the VTun server; here it is localhost because the SSH forward makes port 5000 on the home machine lead to port 5000 on the office desktop.

If the tunnel was created successfully, running ifconfig on each machine should list a tun0 interface. The home machine then has an IP address of 10.3.0.1 on tun0, and the office machine has IP 10.3.0.2. Drawing on the train station analogy, the track between the office desktop and home desktop has been laid, and you can now route trains between the machines over this track. To demonstrate this, create an SSH connection from your home desktop to 10.3.0.2.

Making It Real

You now have a working tunnel from home to the office. Next, you need to configure route and iptables so packets from home are masqueraded through the work desktop to the rest of the office LAN. Fortunately, this is as simple as adding a few lines to the configuration files on the client and server and restarting the vtund processes. VTun executes the appropriate route and iptables commands when the connection is established.

Returning to the train station analogy, you need to instruct the home desktop station that any trains destined for the office network should be routed through the newly created VTun track. You can accomplish this manually by running:

route add -net 192.168.5.0 netmask 255.255.255.0 gw 10.3.0.2
route add -net 192.168.100.0 netmask 255.255.255.0 gw 10.3.0.2

Alternatively, add the route commands to the up block of the my_tunnel stanza in vtund-client.conf, as shown in Listing 3, so that they run every time the tunnel comes up. On the office desktop, the iptables rules that forward packets arriving from the tun interface and masquerade them as coming from the office desktop go into the corresponding up block in vtund-server.conf, as shown in Listing 4; restart the server after editing it.
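As an added example, written for this edition and not the article's own Listings 3 and 4 (which are not reproduced here), the following client and server configurations put the route and masquerade setup into the up blocks and undo it in the down blocks, so that a reconnect does not leave duplicate routes or iptables rules behind. It assumes the tunnel name my_tunnel, the addresses used in the text (10.3.0.1 at home, 10.3.0.2 at the office, office LANs 192.168.5.0/24 and 192.168.100.0/24), that the office desktop's LAN interface is eth0, that net.ipv4.ip_forward is already set to 1 on the office desktop, and that the client's port 5000 on localhost is the SSH-forwarded port from the previous section; the passwd value is a placeholder.

```conf
# ---- vtund-client.conf (home desktop) -------------------------------
# Added example; assumes the SSH forward from the text is already up, so
# port 5000 on localhost leads to vtund on the office desktop.
options {
    port     5000;              # the SSH-forwarded port on localhost
    ifconfig /sbin/ifconfig;
    route    /sbin/route;
}

my_tunnel {
    passwd    ChangeMe;         # placeholder; must match the server
    type      tun;
    proto     tcp;              # TCP, because the session rides inside SSH
    encrypt   no;               # the SSH forward already encrypts the traffic
    keepalive yes;
    up {
        # %% is replaced by the tunnel interface name (tun0 in the text)
        ifconfig "%% 10.3.0.1 pointopoint 10.3.0.2 mtu 1450";
        # the same two routes as the manual route commands above
        route "add -net 192.168.5.0 netmask 255.255.255.0 gw 10.3.0.2";
        route "add -net 192.168.100.0 netmask 255.255.255.0 gw 10.3.0.2";
    };
    down {
        route "del -net 192.168.5.0 netmask 255.255.255.0 gw 10.3.0.2";
        route "del -net 192.168.100.0 netmask 255.255.255.0 gw 10.3.0.2";
        ifconfig "%% down";
    };
}

# ---- vtund-server.conf (office desktop) -----------------------------
# Added example; assumes the office LAN interface is eth0 (assumption) and
# that net.ipv4.ip_forward=1 has been set outside VTun.
options {
    port     5000;
    ifconfig /sbin/ifconfig;
    route    /sbin/route;
    firewall /sbin/iptables;    # "firewall" lines below are passed to iptables
}

my_tunnel {
    passwd    ChangeMe;         # placeholder; must match the client
    type      tun;
    proto     tcp;
    encrypt   no;
    keepalive yes;
    up {
        ifconfig "%% 10.3.0.2 pointopoint 10.3.0.1 mtu 1450";
        # forward packets that arrive from the tunnel, and only replies back into it
        firewall "-A FORWARD -i %% -j ACCEPT";
        firewall "-A FORWARD -o %% -m state --state ESTABLISHED,RELATED -j ACCEPT";
        # masquerade tunnel traffic as the office desktop's LAN address,
        # limited to the tunnel's own source range
        firewall "-t nat -A POSTROUTING -s 10.3.0.0/24 -o eth0 -j MASQUERADE";
    };
    down {
        # remove the rules in reverse order so a reconnect starts clean
        firewall "-t nat -D POSTROUTING -s 10.3.0.0/24 -o eth0 -j MASQUERADE";
        firewall "-D FORWARD -o %% -m state --state ESTABLISHED,RELATED -j ACCEPT";
        firewall "-D FORWARD -i %% -j ACCEPT";
        ifconfig "%% down";
    };
}
```

Two points worth checking before relying on this. First, because encrypt is off, the office vtund must accept only connections that arrive through the SSH forward; a host firewall rule such as iptables -A INPUT -p tcp --dport 5000 ! -i lo -j DROP on the office desktop enforces that. Second, the FORWARD rules deliberately allow new connections only from the tunnel side, so office hosts cannot open connections back into your home machine through the VPN; widen them only if you need that.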

Once route and iptables are configured, you should have access to your entire corporate intranet from your home desktop. Browse around your internal Web servers, connect to the source code server and try exporting a graphical widget such as an xterm. Performance should be more than adequate for all these tasks, and the SSH tunnel ensures that all traffic is encrypted from prying eyes.

Now that you have a working tunnel, you may want to configure the server to start automatically. This process is distribution-specific. The VTun tarball includes a set of init scripts for different distributions, so you should consult the Readme to determine which will work best for you.


Comments


little change

Anonymous

The pass configuration value is now passwd.

Re: VTun

Anonymous

Very interesting. I currently have one network with three clients. Most importantly, there is a wireless leg, which requires better security. I tend to use all the hosts on the network from the wireless client and, fairly often, I'll use X programs remotely (thus there is a lot of traffic). The best solution may be to divide the LAN in two and bridge the halves with VTun over SSH.
