Common Linux command tips: building a simple site-to-site VPN tunnel with SSH port forwarding (Linux command usage examples)

admin · 3 years ago · Cloud hosts · 32

Using SSH's port forwarding feature (tun device forwarding), you can easily build a virtual private network (VPN) that runs over an SSH-encrypted channel.

─────────────────────────
man ssh;
─────────────────────────
-w local_tun[:remote_tun]

Requests tunnel device forwarding with the specified tun devices between the
client (local_tun) and the server (remote_tun).

The devices may be specified by numerical ID or the keyword “any”,
which uses the next available tunnel device.

If remote_tun is not specified, it defaults to “any”.
See also the Tunnel and TunnelDevice directives in ssh_config.

If the Tunnel directive is unset, it is set to the default tunnel mode, which is “point-to-point”.


SSH-BASED VIRTUAL PRIVATE NETWORKS

ssh contains support for Virtual Private Network (VPN) tunnelling using the tun
network pseudo-device, allowing two networks to be joined securely.

The sshd_config configuration option PermitTunnel controls whether the server
supports this, and at what level (layer 2 or 3 traffic).

─────────────────────────
man sshd_config;
─────────────────────────
PermitTunnel

  Specifies whether tun(4) device forwarding is allowed. The argument must be:

    * yes - permits both “point-to-point” and “ethernet”
    * point-to-point - layer 3
    * ethernet - layer 2
    * no - the default is “no”

─────────────────────────
Example setup
─────────────────────────
Client network:   10.0.2.0/24          the client host is the server (gateway) of this network;
Server gateway:   192.168.56.1         must be the gateway of the remote network;
Remote network:   192.168.57.0/24      cannot reach the client network directly;
Point-to-point:   10.1.1.1 - 10.1.1.2  the VPN tunnel we are going to build;


(1) On the ssh server, change the sshd configuration:

# vi /etc/ssh/sshd_config;
------------------------------------------------------------------------------
PermitRootLogin yes
PermitTunnel yes
------------------------------------------------------------------------------

Reload the ssh service
# service ssh reload;# for Debian/Ubuntu;
# service sshd reload;# for RedHat/CentOS;


(2) On the client site:

# ssh -f -w 0:0 192.168.56.1 true;

Check whether tun0 was created successfully:
# ip addr show tun0;# on the client: check that tun0 came up;
# ip addr show tun0;# on the ssh server: the same tun0 should now exist there;
# ifconfig tun0;# check the tun0 interface;


Parameter explanation:

 -f        put ssh into the background once the connection is established;
 -w 0:0    once the tunnel is established, an interface named tun0 appears on both the client and the server;
 -w 1:1    once the tunnel is established, an interface named tun1 appears on both the client and the server;
 true      a no-op remote command: ssh -f refuses to go into the background without a command to run, and true exits immediately, leaving only the tunnel channel open;

Note: do not confuse this with the default tunnel interface named tunl0 that exists on Linux; check with the ip addr show command.

################################################################################
Common error handling:
################################################################################
If the command above produces the following error, check whether a tunnel interface named tun0 already exists at either end of the ssh connection:
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
channel 0: open failed: administratively prohibited: open failed
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
# ip addr show | grep tun;# check on both sides whether tun0 is already up;
# ip addr show | grep 10.;# check on both sides whether this IP is already in use;

If needed, remove the IP settings of the default tunl0 with the following commands:
# ip addr flush tunl0;# flush all addresses on tunl0;
# ip addr del 10.1.1.1/32 dev tunl0;# assuming the same IP is on tunl0;
# ip addr del 10.1.1.2/32 dev tunl0;# assuming the same IP is on tunl0;
________________________________________________________________________________
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
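The check behind the "administratively prohibited" error above can be scripted so it runs on both gateways before `ssh -w` is attempted. The following shell script is an added example for this article, not the article's own code: it reads `ip addr show` output, reports an existing tun0 or a tunnel address already in use, and ignores the kernel's default tunl0 as the note above advises. The two `ip addr show` samples embedded in it are constructed; the device name and the 10.1.1.1/10.1.1.2 addresses are the article's example values.

```shell
#!/bin/sh
# tun-check.sh: before running "ssh -w 0:0 ...", verify that neither end already
# has a tun interface or one of the tunnel addresses in use, the usual cause of
# "channel 0: open failed: administratively prohibited".
# Added example for this article, not the article's own script.
set -eu

TUN_DEV="${TUN_DEV:-tun0}"     # article's example device
TUN_IPS="10.1.1.1 10.1.1.2"    # article's example point-to-point addresses

# tun_conflicts: read "ip addr show" output on stdin, print one line per
# conflict found; returns 1 if any conflict was found, 0 if the host is clean.
# tunl0 (the kernel's default ipip device) does not match and is ignored.
tun_conflicts() {
    found=0
    while IFS= read -r line; do
        # interface header, e.g. "4: tun0: <POINTOPOINT,...>" or "4: tun0@NONE: ..."
        case "$line" in
            [0-9]*": $TUN_DEV:"*|[0-9]*": $TUN_DEV@"*)
                echo "interface $TUN_DEV already exists"
                found=1 ;;
        esac
        # IPv4 address line, e.g. "    inet 10.1.1.1 peer 10.1.1.2/30 scope global tun0"
        case "$line" in
            *"inet "*)
                addr=${line#*"inet "}   # drop everything up to the address
                addr=${addr%% *}        # keep the first word (local address)
                addr=${addr%%/*}        # strip a /prefix if present
                for ip in $TUN_IPS; do
                    if [ "$addr" = "$ip" ]; then
                        echo "address $ip already assigned: $line"
                        found=1
                    fi
                done ;;
        esac
    done
    return $found
}

# Constructed samples (not real captures) of "ip addr show" output.
SAMPLE_CLEAN='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
    inet 10.0.2.1/24 brd 10.0.2.255 scope global eth0
3: tunl0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN'

SAMPLE_BUSY='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
    inet 10.0.2.1/24 brd 10.0.2.255 scope global eth0
3: tunl0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN
    inet 10.1.1.1 peer 10.1.1.2/30 scope global tun0'

# Demonstration on the samples; on a real gateway use:  ip addr show | tun_conflicts
printf '%s\n' "$SAMPLE_CLEAN" | tun_conflicts && echo "clean host: safe to run ssh -w"
printf '%s\n' "$SAMPLE_BUSY"  | tun_conflicts || echo "busy host: clear the conflicts above first"
```

The busy sample produces two findings (the existing tun0 and the 10.1.1.1 address), which is exactly what the `grep tun` / `grep 10.` pair above looks for by eye; running the check on both gateways before `ssh -w` avoids the failed channel open altogether.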

(3) Still on the client host:

# ifconfig tun0 10.1.1.1 10.1.1.2 netmask 255.255.255.252

# route add -net 192.168.57.0/24 gw 10.1.1.2 dev tun0

# ifconfig tun0 | grep -A 1 tun0;
------------------------------------------------------------------------------
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.1.1.2  P-t-P:10.1.1.2  Mask:255.255.255.252
------------------------------------------------------------------------------

# route -n | grep tun0
------------------------------------------------------------------------------
10.1.1.0        0.0.0.0         255.255.255.252 U     0      0        0 tun0
192.168.57.0    10.1.1.2        255.255.255.0   UG    0      0        0 tun0
------------------------------------------------------------------------------

(4) On the ssh server:

# ifconfig tun0 10.1.1.2 10.1.1.1 netmask 255.255.255.252

# route add -net 10.0.2.0/24 gw 10.1.1.1 dev tun0

# ifconfig tun0 | grep -A 1 tun0
------------------------------------------------------------------------------
tun0  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
      inet addr:10.1.1.1  P-t-P:10.1.1.1  Mask:255.255.255.252
------------------------------------------------------------------------------

# route -n | grep tun0
------------------------------------------------------------------------------
10.0.2.0        10.1.1.1        255.255.255.0   UG    0      0        0 tun0
10.1.1.0        0.0.0.0         255.255.255.252 U     0      0        0 tun0
------------------------------------------------------------------------------
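Steps (3) and (4) are the same procedure run with the two ends swapped, so they fit in one script. The following is an added example for this article, not the article's own code: it uses the iproute2 `ip` commands that replace the `ifconfig`/`route` lines above, validates the role argument, and adds the one thing the article does not show, enabling IP forwarding on both gateways so the 10.0.2.0/24 and 192.168.57.0/24 networks can actually route through the tunnel. The script name, the `DRY_RUN` switch and the forwarding sysctl are this example's additions; the addresses and networks are the article's.

```shell
#!/bin/sh
# tun-up.sh: bring up one end of the ssh -w tunnel with iproute2 (ip) commands,
# the modern equivalents of the ifconfig/route lines in steps (3) and (4).
# Added example for this article, not the article's own script.
# Usage:  sh tun-up.sh client     (on the client gateway, after ssh -w succeeded)
#         sh tun-up.sh server     (on the ssh server)
#         DRY_RUN=1 sh tun-up.sh client   (only print the commands)
set -eu

TUN_DEV="${TUN_DEV:-tun0}"
CLIENT_TUN_IP=10.1.1.1         # client end of the point-to-point link
SERVER_TUN_IP=10.1.1.2         # server end of the point-to-point link
TUN_PREFIX=30                  # 10.1.1.0/30 = netmask 255.255.255.252
CLIENT_NET=10.0.2.0/24         # network behind the client gateway
REMOTE_NET=192.168.57.0/24     # network behind the ssh server

# run: execute a command, or only print it when DRY_RUN=1 (review the plan
# before touching interfaces; also lets the logic be tested without root)
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# tun_up: configure this end of the tunnel.  $1 is "client" or "server".
tun_up() {
    case "$1" in
        client) local_ip=$CLIENT_TUN_IP; peer_ip=$SERVER_TUN_IP; far_net=$REMOTE_NET ;;
        server) local_ip=$SERVER_TUN_IP; peer_ip=$CLIENT_TUN_IP; far_net=$CLIENT_NET ;;
        *) echo "usage: tun_up client|server" >&2; return 2 ;;
    esac
    # equivalent of: ifconfig tun0 <local> <peer> netmask 255.255.255.252
    run ip addr add "$local_ip" peer "$peer_ip/$TUN_PREFIX" dev "$TUN_DEV"
    run ip link set "$TUN_DEV" up
    # equivalent of: route add -net <far_net> gw <peer> dev tun0
    run ip route add "$far_net" via "$peer_ip" dev "$TUN_DEV"
    # both hosts are gateways for the networks behind them, so they must forward
    # packets; the article omits this step, but site-to-site traffic needs it
    run sysctl -w net.ipv4.ip_forward=1
}

# Only act when a role is given; with no argument the file just defines functions.
[ -z "${1:-}" ] || tun_up "$1"
```

Run it with `DRY_RUN=1` first and compare the printed lines with the `route -n` output above: the client end gets `10.1.1.1` with peer `10.1.1.2/30` and a route to `192.168.57.0/24` via `10.1.1.2`, the server end the mirror image. Because the forced command in section (5) is just such a per-device bring-up script, this is also what a `command="..."` entry in authorized_keys would point at.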

(5) Advanced usage and notes (Advanced configuration)

Client access may be more finely tuned via the ~/.ssh/authorized_keys file and
the PermitRootLogin server option.

The following entry would permit connections on tun device 1 from user “jane” and
on tun device 2 from user “john”, if PermitRootLogin is set to “forced-commands-only”:

       tunnel="1",command="sh /etc/netstart tun1" ssh-rsa ... jane
       tunnel="2",command="sh /etc/netstart tun2" ssh-rsa ... john
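Step (1) switched on `PermitRootLogin yes` and `PermitTunnel yes` globally, which lets any root login open layer 2 or layer 3 tunnels; the `tunnel=`/`command=` entries just shown are how that gets narrowed to one key and one device. The following shell script is an added example for this article, not the article's or OpenSSH's own configuration: it generates a `Match` block that grants tunnel forwarding and root login only to the client gateway's address, only at layer 3 and only with a forced command, plus an authorized_keys line that also refuses pty, port and agent forwarding. The client address 10.0.2.1 is constructed, `/usr/local/sbin/tun-up` is a hypothetical bring-up script (the article's `/etc/netstart` plays the same role), and the key material is a placeholder.

```shell
#!/bin/sh
# tun-policy.sh: generate a least-privilege sshd policy for the ssh -w tunnel,
# replacing a global "PermitRootLogin yes / PermitTunnel yes".
# Added example for this article, not the article's own configuration.
# Usage:  sh tun-policy.sh print      (show the sshd_config fragment and key entry)
set -eu

CLIENT_ADDR="${CLIENT_ADDR:-10.0.2.1}"                      # constructed client gateway address
TUN_UP_SCRIPT="${TUN_UP_SCRIPT:-/usr/local/sbin/tun-up}"    # hypothetical bring-up script

# sshd_policy: sshd_config fragment.  Globally nothing is allowed; the Match
# block opens exactly what the one peer needs (point-to-point = layer 3 only,
# root only via a forced command, no password logins).  Append it after the
# global settings, since Match blocks run to the end of the file.
sshd_policy() {
    cat <<EOF
PermitTunnel no
PermitRootLogin no
Match Address $CLIENT_ADDR User root
    PermitTunnel point-to-point
    PermitRootLogin forced-commands-only
    PasswordAuthentication no
EOF
}

# authorized_key_entry: one authorized_keys line.  tunnel="N" pins the key to
# tunN, command= replaces whatever the client asked to run (the "true" in
# step 2) with the bring-up script, and the no-* options close the other
# channel types a tunnel-only peer has no business using.
# $1: tun device number   $2: public key (type and base64)   $3: comment
authorized_key_entry() {
    printf 'tunnel="%s",command="%s tun%s",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s %s\n' \
        "$1" "$TUN_UP_SCRIPT" "$1" "$2" "$3"
}

if [ "${1:-}" = print ]; then
    echo "# /etc/ssh/sshd_config (append):"
    sshd_policy
    echo "# /root/.ssh/authorized_keys:"
    authorized_key_entry 0 "ssh-ed25519 AAAA...PLACEHOLDER" jane   # placeholder key
fi
```

With this in place the client still runs the step (2) command unchanged, but the server ignores the `true`, runs the bring-up script for tun0 itself, and rejects the same key if it ever asks for tun1, a shell, or a port forward; check the effective settings for the peer with `sshd -T -C addr=10.0.2.1,user=root` before reloading.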

Since an SSH-based setup entails a fair amount of overhead,
it may be more suited to temporary setups, such as for wireless VPNs.
More permanent VPNs are better provided by tools such as ipsecctl and isakmpd.

(6) Debugging tools and commands

# tcpdump -i any -nnn not port ssh
# ip addr show
# ip addr flush tun0
# ip route show table all
# traceroute -n 10.0.2.15
# traceroute -n 192.168.57.102