With a 2 megabit/second ADSL connection, the occasional day spent working from home is now a practical proposition for me. The main obstacle to this, up to now, has been my employers use of a semi-proprietary VPN solution for our office LAN. I have been side-stepping this issue by having a port open on the company firewall to allow an SSH connection to the Linux box on my desk, and then using SSH port forwarding to make specific LAN services available to my home PC via the ADSL connection. While this approach is okay for one or 2 specific applications, what I really wanted was a way to put my home PC on the office LAN, using the same range of IP's as the office LAN and with access to the same shared resources as any other PC on the office LAN.
I lifted most of this straight out of the VPN PPP-SSH Mini-HOWTO, with some tweaks to make the setup slightly more maintainable.
You'll need to have OpenSSH installed, a kernel that supports PPP and at least a vague grasp of networking and TCP/IP in a UNIX/Linux environment. Oh, and you'll need a machine on your office LAN running an OpenSSH server with kernel support for PPP and the PPP daemon package installed.
Read the disclaimer at the bottom of this page very carefully. Then read it again and ensure you understand it. Then, and only then, ensure you seek permission for what you're about to do from your immediate superior and/or network supervisor before proceeding.
As you'll be accessing potentially sensitive data on a corporate network, it makes sense to implement the best security that you can. This means:
- Turning off all un-needed services on your Linux box at work - it's apalling how many Linux users, even experienced ones, forget this simple precaution
- Ensuring you're fully up to date with the relevant security patches for your chosen distro
- Using TCP wrappers to restrict the range of IP adresses that can access your machine at work
- Disabling SSH root logins
- Disabling password-only authentication for SSH connections
- Using a private/public key pair for authentication rather than a password
- Configuring the company firewall to only open up tcp port 22 to the machine on your desk. Your company does have a firewall, doesn't it....? :-O
$ ssh-keygen -t rsa -f ~/.ssh/vpn-key Generating public/private rsa key pair. Enter passphrase (empty for no passphrase):Press enter at this point to create a key with no passphrase. This may seem to conflict with the security issues raised earlier, but having one doesn't add a great deal more security and just makes your VPN slightly more cumbersome to use. If you (or your employers) insist on having one, then see man ssh-agent for some tips.
Make an SSH connection to your machine at work. In the rest of these notes, I'll refer to this connection as session #1. It's important that you keep this session open, since there is a possibility of you locking yourself out of your machine at work if you make a typo! Once connected, type su - to become root.
Ensure that /etc/hosts.deny at the server end contains the following lines:
ALL: ALLYou should then put the following lines into /etc/hosts.allow on the server:
ALL: 127.0.0.1 sshd: a.b.c.d/255.255.255.xSusbstitute your own (home) IP address and netmask for a.b.c.d/255.255.255.x
Start a new shell session on your home machine. Verify that you can still make an SSH connection to the box at work. If you can't, go back to session #1 and look at the logs to see what's wrong. man hosts.allow may help with diagnosing problems. if all is okay, close the second SSH session and go back to session #1.
Staying as root on your machine at work, check that /etc/sshd/sshd_config has the following lines un-commented:
Protocol 2,1 PermitRootLogin no PasswordAuthentication noIf you had to change anything, then save the file and type service sshd restart. Go back to a shell session on your home PC and check that you can start a new SSH session to the box at work. Again, if you have problems, check the logs to see what's wrong.
Go back to session #1 and create a non-root user on the machine at work that you can run the PPP daemon as:
# useradd vpn # passwd vpn Changing password for user vpn. New UNIX password: Retype new UNIX password: passwd: all authentication tokens updated successfully.Next, you need to configure the sudo command so that the vpn user is allowed to run the PPP daemon (and a few other bits and bobs that we'll need later) as root. Type visudo and add the following to the bottom of the file:
Cmnd_Alias VPN=/usr/sbin/pppd Cmnd_Alias IFCONFIG=/sbin/ifconfig Cmnd_Alias IPTABLES=/sbin/iptables Cmnd_Alias PS=/bin/ps Cmnd_Alias KILLALL=/usr/bin/killall vpn ALL=NOPASSWD: VPN vpn ALL=NOPASSWD: IFCONFIG vpn ALL=NOPASSWD: IPTABLES vpn ALL=NOPASSWD: PS vpn ALL=NOPASSWD: KILLALLThen set the SSH options for the vpn user to allow login access from your home PC:
# su - vpn $ mkdir .ssh $ chmod 755 .ssh $ cd .ssh $ vi authorized_keysIn the vi session, paste in the contents of your ~/.ssh/vpn-key.pub file from your machine at home. Save the file and set its ownership and permissions appropriately:
$ chown vpn:vpn /home/vpn/.ssh/authorized_keys $ chmod 600 /home/vpn/.ssh/authorized_keysLastly, obtain from your network administrator a second, fixed, LAN ip address for your machine at work. This interface will be used to NAT the traffic that travels through the PPP tunnel - it is this which allows the PPP tunnel to connect your machine at home to the office LAN.
Okay, we're almost done now! Open a root shell on your machine at home and add the following to /etc/sysconfig/vpnopts:
# config file for VPN access to the office # IP address of the machine at work we connect to SERVER_HOSTNAME=mypc.officedomain.com # username on the server that we run the tunnel as SERVER_USERNAME=vpn # use these IP addresses for the client and server ends of # the PPP session CLIENT_IFIPADDR=192.168.3.1 SERVER_IFIPADDR=192.168.3.2 # change these to match your network at work SERVER_LAN2=10.0.0.0 SERVER_LAN2_IF=10.0.100.0 SERVER_LAN2_MASK=255.255.255.0 # various SSH options for the client side LOCAL_SSH_OPTS="-P -p 22" LOCAL_VPNKEY=/home/phile/.ssh/vpn-rsa # pppd options for the client and server LOCAL_PPP_OPTS="updetach noauth passive ipparam vpn" REMOTE_PPP_OPTS="nodetach notty noauth"
You can download the script (1048 bytes) by clicking on the link. Uncompress it and save it somewhere on your path - I keep mine in ~/bin, but it doesn't really matter. Bringing the VPN up is then just a simple matter of typing vpn-pppssh start and watching the script do its thing. You can shut it down again with the command vpn-pppssh stop.
In day to day use, this VPN has proven to be very reliable. The only problems I've had have been:
- I have a VMWare install on my machine at home, and the virtual networking in VMWare breaks the routing quite badly. The only solution I've found to this is to stop the VMWare service before bringing the VPN up. This could probably be avoided altogether by changing the IP addresses I use for my VMWare services, but I haven't done any more investigation on this to date - it's not a big enough problem for me at the moment.
- DNS services are a problem - we have internal DNS servers on the private IP's on our office LAN - my ADSL connection uses Mistrals public DNS servers, which don't have the internal LAN zone on them for security reasons. I've got round this by just putting entries in my local /etc/hosts file for the resources on the office LAN that I need to access.
