Tag Archives: VPN


How to use SSH as a VPN tunnel

SSH is typically used to log into a remote machine and execute commands, but it also supports tunneling, forwarding TCP ports and X11 connections.

What is SSH Tunneling?

A tunneling protocol may, for example, allow a foreign protocol to run over a network that does not support that particular protocol, such as running IPv6 over IPv4.

SSH tunneling is a method of transporting arbitrary networking data over an encrypted SSH connection. It can be used to add encryption to legacy applications. … It also provides a way to secure the data traffic of any given application using port forwarding, basically tunneling any TCP/IP port over SSH.

sshuttle

sshuttle is not exactly a VPN, and not exactly port forwarding. It’s kind of both, and kind of neither.

It’s like a VPN, since it can forward every port on an entire network, not just ports you specify. Conveniently, it lets you use the “real” IP addresses of each host rather than faking port numbers on localhost.

On the other hand, the way it works is more like ssh port forwarding than a VPN. Normally, a VPN forwards your data one packet at a time, and doesn’t care about individual connections; i.e. it’s “stateless” with respect to the traffic. sshuttle is the opposite of stateless; it tracks every single connection.

Installation

```
sudo pip install sshuttle
```

Example

```
$ sshuttle --dns -v -r <remote-host> 0/0
```


* This will forward all connections including DNS requests…

Usage

usage: sshuttle [-l [ip:]port] [-r [user@]sshserver[:port]] <subnets...>

positional arguments:
 IP/MASK[:PORT[-PORT]]...
 capture and forward traffic to these subnets
 (whitespace separated)

optional arguments:
 -h, --help show this help message and exit
 -l [IP:]PORT, --listen [IP:]PORT
 transproxy to this ip address and port number
 -H, --auto-hosts continuously scan for remote hostnames and update
 local /etc/hosts as they are found
 -N, --auto-nets automatically determine subnets to route
 --dns capture local DNS requests and forward to the remote
 DNS server
 --ns-hosts IP[,IP] capture and forward DNS requests made to the following
 servers
 --to-ns IP[:PORT] the DNS server to forward requests to; defaults to
 servers in /etc/resolv.conf on remote side if not
 given.
 --method TYPE auto, nat, nft, tproxy, pf, ipfw
 --python PATH path to python interpreter on the remote server
 -r [USERNAME@]ADDR[:PORT], --remote [USERNAME@]ADDR[:PORT]
 ssh hostname (and optional username) of remote
 sshuttle server
 -x IP/MASK[:PORT[-PORT]], --exclude IP/MASK[:PORT[-PORT]]
 exclude this subnet (can be used more than once)
 -X PATH, --exclude-from PATH
 exclude the subnets in a file (whitespace separated)
 -v, --verbose increase debug message verbosity
 -V, --version print the sshuttle version number and exit
 -e CMD, --ssh-cmd CMD
 the command to use to connect to the remote [ssh]
 --seed-hosts HOSTNAME[,HOSTNAME]
 comma-separated list of hostnames for initial scan
 (may be used with or without --auto-hosts)
 --no-latency-control sacrifice latency to improve bandwidth benchmarks
 --wrap NUM restart counting channel numbers after this number
 (for testing)
 --disable-ipv6 disable IPv6 support
 -D, --daemon run in the background as a daemon
 -s PATH, --subnets PATH
 file where the subnets are stored, instead of on the
 command line
 --syslog send log messages to syslog (default if you use
 --daemon)
 --pidfile PATH pidfile name (only if using --daemon) [./sshuttle.pid]
 --user USER apply all the rules only to this linux user
 --firewall (internal use only)
 --hostwatch (internal use only)
 --no-sudo-pythonpath do not set PYTHONPATH when invoking sudo

How to configure IPsec/L2TP VPN Clients on Linux

After setting up your own VPN server, follow these steps to configure your devices. If you are unable to connect, first check that the VPN credentials were entered correctly.

Commands must be run as root on your VPN client.

To set up the VPN client, first install the following packages:

# For Ubuntu & Debian
apt-get update
apt-get -y install strongswan xl2tpd

# For RHEL/CentOS
yum -y install epel-release
yum --enablerepo=epel -y install strongswan xl2tpd

# For Fedora
yum -y install strongswan xl2tpd

Create VPN variables (replace with actual values):

VPN_SERVER_IP=your_vpn_server_ip
VPN_IPSEC_PSK=your_ipsec_pre_shared_key
VPN_USER=your_vpn_username
VPN_PASSWORD=your_vpn_password

Configure strongSwan:

cat > /etc/ipsec.conf <<EOF
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
  # strictcrlpolicy=yes
  # uniqueids = no

# Add connections here.

# Sample VPN connections

conn %default
  ikelifetime=60m
  keylife=20m
  rekeymargin=3m
  keyingtries=1
  keyexchange=ikev1
  authby=secret
  ike=aes128-sha1-modp2048!
  esp=aes128-sha1-modp2048!

conn myvpn
  keyexchange=ikev1
  left=%defaultroute
  auto=add
  authby=secret
  type=transport
  leftprotoport=17/1701
  rightprotoport=17/1701
  right=$VPN_SERVER_IP
EOF

cat > /etc/ipsec.secrets <<EOF
: PSK "$VPN_IPSEC_PSK"
EOF

chmod 600 /etc/ipsec.secrets

# For CentOS/RHEL & Fedora ONLY
mv /etc/strongswan/ipsec.conf /etc/strongswan/ipsec.conf.old 2>/dev/null
mv /etc/strongswan/ipsec.secrets /etc/strongswan/ipsec.secrets.old 2>/dev/null
ln -s /etc/ipsec.conf /etc/strongswan/ipsec.conf
ln -s /etc/ipsec.secrets /etc/strongswan/ipsec.secrets

Configure xl2tpd:

cat > /etc/xl2tpd/xl2tpd.conf <<EOF
[lac myvpn]
lns = $VPN_SERVER_IP
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes
EOF

cat > /etc/ppp/options.l2tpd.client <<EOF
ipcp-accept-local
ipcp-accept-remote
refuse-eap
require-chap
noccp
noauth
mtu 1280
mru 1280
noipdefault
defaultroute
usepeerdns
connect-delay 5000
name $VPN_USER
password $VPN_PASSWORD
EOF

chmod 600 /etc/ppp/options.l2tpd.client
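Before the first connection attempt it is worth checking the files the commands above just wrote, because the troubleshooting note at the start of this post (wrong credentials) is only one of several silent failure modes. The script below is an added example of mine, not part of the original post or of strongSwan/xl2tpd: it flags placeholder values that were never replaced, secrets files that are not mode 600, and a server address in ipsec.conf that does not match the one in xl2tpd.conf. It assumes the four files were generated by the heredocs above (so the keys `right=`, `lns =`, `name` and `password` exist) and accepts an optional directory prefix so it can also be pointed at a staging copy.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the client files the
# post generates before trying to connect. With no argument the live /etc paths
# are checked; pass a directory prefix as $1 to check a staging copy instead.

# Return 0 if the file exists and has mode 600 (owner read/write only).
check_mode_600() {
    f="$1"
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    # GNU stat first, BSD stat as a fallback.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    [ "$mode" = "600" ] || { echo "$f has mode $mode, expected 600"; return 1; }
}

# Return 0 if none of the placeholder values from the post's variable block
# survived into the generated file.
check_no_placeholders() {
    f="$1"
    if grep -Eq 'your_(vpn_server_ip|ipsec_pre_shared_key|vpn_username|vpn_password)' "$f"; then
        echo "$f still contains a placeholder value"
        return 1
    fi
}

# Print the value of the first "key=value" / "key = value" line in a file.
conf_value() {
    # $1 = file, $2 = key
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Return 0 if ipsec.conf's right= and xl2tpd.conf's lns= name the same server;
# editing one by hand and forgetting the other is a common mistake.
check_server_consistent() {
    r=$(conf_value "$1" right)
    l=$(conf_value "$2" lns)
    [ -n "$r" ] && [ "$r" = "$l" ] || { echo "ipsec.conf right=$r but xl2tpd.conf lns=$l"; return 1; }
}

# Run every check, print one line per problem, return non-zero if any failed.
preflight() {
    prefix="${1:-}"
    rc=0
    check_mode_600 "$prefix/etc/ipsec.secrets" || rc=1
    check_mode_600 "$prefix/etc/ppp/options.l2tpd.client" || rc=1
    for f in "$prefix/etc/ipsec.conf" "$prefix/etc/ipsec.secrets" \
             "$prefix/etc/xl2tpd/xl2tpd.conf" "$prefix/etc/ppp/options.l2tpd.client"; do
        check_no_placeholders "$f" || rc=1
    done
    check_server_consistent "$prefix/etc/ipsec.conf" "$prefix/etc/xl2tpd/xl2tpd.conf" || rc=1
    return $rc
}

# Check the live files when invoked as: sh preflight.sh run
if [ "${1:-}" = "run" ]; then
    preflight
fi
```

Run it as root with `sh preflight.sh run`; a non-zero exit status with one line per finding tells you what to fix before restarting the services.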

The VPN client setup is now complete. Follow the steps below to connect.

Note: You must repeat all steps below every time you try to connect to the VPN.

Create xl2tpd control file:

mkdir -p /var/run/xl2tpd
touch /var/run/xl2tpd/l2tp-control

Restart services:

service strongswan restart
service xl2tpd restart

Start the IPsec connection:

# Ubuntu & Debian
ipsec up myvpn

# CentOS/RHEL & Fedora
strongswan up myvpn

Start the L2TP connection:

echo "c myvpn" > /var/run/xl2tpd/l2tp-control

Run ifconfig and check the output. You should now see a new interface ppp0.

Check your existing default route:

ip route

Find this line in the output: default via X.X.X.X .... Write down this gateway IP for use in the two commands below.

Exclude your VPN server’s IP from the new default route (replace with actual value):

route add YOUR_VPN_SERVER_IP gw X.X.X.X

If your VPN client is a remote server, you must also exclude your local PC’s public IP from the new default route so that your SSH session is not disconnected (replace with actual value):

route add YOUR_LOCAL_PC_PUBLIC_IP gw X.X.X.X

Add a new default route to start routing traffic via the VPN server:

route add default dev ppp0

The VPN connection is now complete. Verify that your traffic is being routed properly:

wget -qO- http://ipv4.icanhazip.com; echo

The above command should return your VPN server’s IP.

To stop routing traffic via the VPN server:

route del default dev ppp0

To disconnect:

# Ubuntu & Debian
echo "d myvpn" > /var/run/xl2tpd/l2tp-control
ipsec down myvpn

# CentOS/RHEL & Fedora
echo "d myvpn" > /var/run/xl2tpd/l2tp-control
strongswan down myvpn
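The connect and disconnect steps above, collected into a script as an added example (mine, not the original post’s) with the two changes a practitioner usually ends up making: the gateway is parsed from `ip route` instead of being copied by hand, and when the client is itself a remote server reached over SSH, the SSH client’s address is read from `$SSH_CONNECTION` and pinned to the old gateway automatically, which is the case the post warns about. It uses iproute2 (`ip route`) rather than the net-tools `route` command, assumes the configuration above is already in place and that `VPN_SERVER_IP` is exported, and the state-file path is my own choice.

```shell
#!/bin/sh
# Added example (not from the original post): the post's connect/disconnect
# steps as functions. Assumptions: config files from the post are in place,
# VPN_SERVER_IP is exported by the caller, and the state file below (my own
# choice of path) remembers the pre-VPN gateway so disconnect can restore it.
set -e

STATE_FILE=/var/run/xl2tpd/vpn-gateway

# Print the gateway of the current default route, given "ip route" output as
# $1 (passed in as text so the parsing can be exercised without root).
default_gateway() {
    printf '%s\n' "$1" | awk '$1 == "default" && $2 == "via" { print $3; exit }'
}

# Print the SSH client's address when running inside an SSH session; sshd sets
# SSH_CONNECTION to "client_ip client_port server_ip server_port".
ssh_client_ip() {
    if [ -n "${SSH_CONNECTION:-}" ]; then
        printf '%s\n' "${SSH_CONNECTION%% *}"
    fi
}

# Ubuntu/Debian call the strongSwan CLI "ipsec", CentOS/RHEL/Fedora "strongswan".
ipsec_cmd() {
    if command -v strongswan >/dev/null 2>&1; then echo strongswan; else echo ipsec; fi
}

vpn_connect() {
    : "${VPN_SERVER_IP:?export VPN_SERVER_IP first}"
    gw=$(default_gateway "$(ip route)")
    [ -n "$gw" ] || { echo "no default route found" >&2; return 1; }

    mkdir -p /var/run/xl2tpd
    touch /var/run/xl2tpd/l2tp-control
    service strongswan restart
    service xl2tpd restart
    "$(ipsec_cmd)" up myvpn
    echo "c myvpn" > /var/run/xl2tpd/l2tp-control

    # pppd takes a moment to bring up ppp0; do not touch routes before it exists.
    i=0
    until ip link show ppp0 >/dev/null 2>&1; do
        i=$((i + 1))
        [ "$i" -lt 30 ] || { echo "ppp0 did not come up" >&2; return 1; }
        sleep 1
    done

    # Pin the VPN server (and the SSH client, if any) to the old gateway before
    # moving the default route. "replace" is idempotent, so a retry after a
    # half-finished attempt does not fail with "File exists".
    ip route replace "$VPN_SERVER_IP/32" via "$gw"
    client=$(ssh_client_ip)
    [ -z "$client" ] || ip route replace "$client/32" via "$gw"
    echo "$gw" > "$STATE_FILE"
    ip route replace default dev ppp0
}

vpn_disconnect() {
    if [ -f "$STATE_FILE" ]; then
        gw=$(cat "$STATE_FILE")
        ip route del default dev ppp0 2>/dev/null || true
        # If the old default was replaced rather than shadowed, put it back.
        [ -n "$(default_gateway "$(ip route)")" ] || ip route add default via "$gw"
        ip route del "$VPN_SERVER_IP/32" 2>/dev/null || true
        client=$(ssh_client_ip)
        [ -z "$client" ] || ip route del "$client/32" 2>/dev/null || true
        rm -f "$STATE_FILE"
    fi
    echo "d myvpn" > /var/run/xl2tpd/l2tp-control
    "$(ipsec_cmd)" down myvpn
}

case "${1:-}" in
    up)   vpn_connect ;;
    down) vpn_disconnect ;;
esac
```

Usage is `sh vpn.sh up` and `sh vpn.sh down` as root, with `VPN_SERVER_IP` exported. Host routes are added with `ip route replace` and removed with `|| true` so that the script can be re-run after a failed attempt without manual cleanup; the wait loop for `ppp0` replaces the post’s “run ifconfig and check” step.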

Installing SoftEther VPN server on Ubuntu

This tutorial shows how to install SoftEther VPN server on Ubuntu 12.04 and Ubuntu 14.04.
After installing a fresh copy of Ubuntu on your machine, run the following commands to update the packages.

apt-get update -y
apt-get upgrade -y

After updating, add the SoftEther PPA:

add-apt-repository ppa:dajhorn/softether

Update the package list again and install the softether package:

apt-get update
apt-get install softether

After installing, run the following command to check for any errors:

vpncmd

Select option 1 and press Enter for the remaining prompts. Then run the check command:

check

[Screenshot: output of the vpncmd check command]

If your output matches the screenshot above, you have successfully installed SoftEther VPN server on your machine.