https://baszerr.eu/ Tue, 28 Apr 2026 12:14:33 +0000 FeedCreator 1.8 https://baszerr.eu/lib/exe/fetch.php?media=wiki:dokuwiki.svg https://baszerr.eu/ https://baszerr.eu/doku.php?id=blog:2014:09:02:connection_tunneling_with_ssh <h1 class="sectionedit1" id="connection_tunneling_with_ssh">2014-09-02 - connection tunneling with SSH</h1> <div class="level1"> <p> <a href="https://baszerr.eu/lib/exe/detail.php?id=blog%3A2014%3A09%3A02%3Aconnection_tunneling_with_ssh&amp;media=blog:2014:09:02:openssh_logo.png" class="media" title="blog:2014:09:02:openssh_logo.png"><img src="https://baszerr.eu/lib/exe/fetch.php?media=blog:2014:09:02:openssh_logo.png" class="mediaright" align="right" loading="lazy" title="OpenSSH logo" alt="OpenSSH logo" /></a> everyone knows that <a href="https://en.wikipedia.org/wiki/OpenSSH" class="interwiki iw_wp" title="https://en.wikipedia.org/wiki/OpenSSH">OpenSSH</a> can do port forwarding. not everyone knows, that it can (nearly) as easily do connection tunneling, using <a href="https://en.wikipedia.org/wiki/TUN/TAP" class="interwiki iw_wp" title="https://en.wikipedia.org/wiki/TUN/TAP">tun</a>. the spell is <em>ssh -w 0:0 hostname</em>. now you have tun0 interfaces on both ends of communication channel (note: “0:0” means tun0 on both ends). the simple script to setup whole communication and do masquerade to enable tunneled network connection for a remote end can be easily created, using following steps. </p> <p> first TUN interfaces need to be created on both sides – this is done by ssh. assume some-remote-host is a host tunnel needs to be established with. before you start add a following line to the /etc/ssh/sshd_config: </p> <pre class="code">PermitTunnel yes</pre> <p> this enables tunnels creation. this option is disabled by default, and most likely it is not present even in a commented-out for in the config. add it manually, if needed and restart ssh daemon. having this done establish tunel interfaces on both sides: </p> <pre class="code">ssh -f -w 0:0 some-remote-host true</pre> <p> next configure tunnel on the remote end. network will consist of two hosts: 192.168.66.6 (local machine) and 192.168.66.7 (on some-remote-host). </p> <pre class="code">ssh root@some-remote-host ifconfig tun0 192.168.66.7 netmask 255.255.255.0 up ssh root@some-remote-host route add -net 192.168.66.0/24 dev tun0</pre> <p> now configure tunnel locally. </p> <pre class="code">ifconfig tun0 192.168.66.6 netmask 255.255.255.0 up sleep 0.3 # needed for tun0 to become ready... dunno why - race? route add -net 192.168.66.0/24 dev tun0</pre> <p> at this stage both machines are able to ping each other (assuming firewalls are not blocking the traffic). </p> <p> to enable network, tunneled via newly setup tun0 interfaces, local machine needs to be added as a default gateway on the remote end: </p> <pre class="code">ssh root@some-remote-host route add default gw 192.168.66.6 dev tun0</pre> <p> …and masquerade needs to be enabled, along with forwarding: </p> <pre class="code">echo 1 &gt; /proc/sys/net/ipv4/ip_forward iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE iptables -P FORWARD ACCEPT</pre> <p> technically that&#039;s all folks! :) if you do this often, this can be scripted easily. if you have via-key authorization configured, this will be fully automated. </p> </div> anonymous@undisclosed.example.com (Anonymous) Tue, 15 Jun 2021 20:08:55 +0000