Creating a VPN with SSH2: Step-by-Step Installing and Configuring

4. Step-by-Step Installing and Configuring

Here is how to install and configure the VPN.

Install all the programs, compile and activate the kernel with ppp support.
Compile pty-redir on the master To do this, create a temporary directory, e.g. /tmp/pty-redir, place the tar.gz file into it and untar/unzip it. If you are using RedHat or Slackware as your distribution you'll have to edit pty-redir.c and change line 84 (in v0.1 of pty-redir) from
```
fprintf(stderr,"/dev/pty%c%c",a,b);
```
to
```
fprintf(stderr,"/dev/tty%c%c",a,b);
```
For other distributions you'll have to test it either way.
All you have to do now is to say make and it should compile without problems, and copy the resulting binary to a location in your path like /usr/bin/ or /usr/local/bin/.
Create a VPN account on the slave, in this example I use vpn1 This is simply done as root with the command useradd vpn1.
Generate an ssh2 key for your master account (root) To do this use the ssh-keygen command (which is in fact a link to ssh2-keygen) Be aware that if you are using RedHat with the appropriate ssh2 rpms at installation time the hostkey is automatically generated. The "normal" ssh2 key for user root has to be created via ssh-keygen and is found in /etc/ssh2/id_dsa_1024_a (secret key, NEVER EXCHANGE!!!) and /etc/ssh2/id_dsa_1024_a.pub (public key, exchangeable). Use a null passphrase (answering the passphrase prompt with only carriage return twice). This has to be done because you might want to automatically start the vpn at boot time without the need of typing in a password every time you boot, e.g. after a power failure at night ;)
Generate an ssh2 key for your slave account (here vpn1) To do this use the ssh-keygen command (which is in fact a link to ssh2-keygen). This will create the ssh2 key-pair in ~/.ssh2 called id_dsa_1024_a (secret key, NEVER EXCHANGE!!!) and id_dsa_1024_a.pub (public key, exchangeable). Here you should set a hard to crack passphrase, it won't be used because of automatic ssh setup.

Set up automatic ssh login for the slave account THERE'S NO NEED TO CREATE A ~/.rhosts FILE WITH SSH2, as sometimes read. Create the file ~/.ssh2/identification which holds the name of the secret key on the slave. In this example the file looks like this:

IdKey id_dsa_1024_a

Copy the public key of user root from the master (/etc/ssh2/id_dsa_1024_a.pub) to the slave, user vpn1 (named e.g. ~/.ssh2/master.root.pub).

Create a file called ~/.ssh2/authorization with the following entry:

Key     master.root.pub

where master.root.pub is the name of the copied public key file of the master's root account (see above).

Now change the permissions in ~/.ssh2 to look like the following list:

drwx------   3 vpn1     vpn1         1024 Mar 29 15:12 .
drwx------   3 vpn1     vpn1         1024 Apr  1 10:02 ..
-rw-------   1 vpn1     vpn1           66 Mar 29 09:51 authorization
drwx------   2 vpn1     vpn1         1024 Mar 29 11:39 hostkeys
-rw-------   1 vpn1     vpn1          887 Mar 19 09:11 id_dsa_1024_a
-rw-------   1 vpn1     vpn1          756 Mar 19 10:34 id_dsa_1024_a.pub
-rw-------   1 vpn1     vpn1           20 Mar 19 09:59 identification
-rw-------   1 vpn1     vpn1          754 Mar 19 10:07 master.root.pub
-rw-------   1 vpn1     vpn1          512 Mar 29 09:54 random_seed

Set up /etc/ssh2/sshd2_config on the slave Edit /etc/ssh2/sshd2_config and add or change the following entries:
```
        PasswordAuthentication          no
        RSAAuthentication               yes
        RhostsRSAAuthentication         no
        RhostsAuthentication            no
        StrictModes                     yes
        PermitRootLogin                 no
```
It seems that the option AllowHosts is no longer supported in version 2 of ssh (sshd2 shows a warning if setting it in /etc/ssh2/sshd2_config under RedHat).
Restart sshd2 by issuing /etc/rc.d/init.d/sshd2 restart (replace the path with your path to the init scripts) and make sure no warning/error messages come up.
Set up /etc/services (optional) You may want to add an entry to /etc/services for ssh to look like
```
ssh             22/tcp          ssh2
```
This is optional but eases e.g. debugging via tcpdump.
Check the ssh2 connection Use the command ssh -l vpn1 slave to connect from the master as user root to the slave machine without the need of typing a passphrase. If this does not work you'll have to check all the above items again, or take a look at http://www.vpn.outer.net/2e/vpnssh.html, Troubleshooting section.
Set up pppd on both the master and the slave Make sure you compiled your kernel with ppp support on both the master and the slave first! On the slave's vpn1 account create a ~/.ppprc file containing only the word passive.
Configuring sudo on the slave sudo is used to run privileged programs as root without the need to setuid it. sudo is configured via a single file called /etc/sudors which MUST only be edited via the visudo tool as root! You may use any editor you like, therefore set the environment variable EDITOR to your preferred one, the default is vi. Add the following entries via visudo:
```
# Cmnd alias specification
Cmnd_Alias VPN=/usr/sbin/pppd,/sbin/route

# User privilege specification
root    ALL=(ALL) ALL
vpn1    ALL=NOPASSWD: VPN
```
This ensures that the user vpn1 on the slave has the approprite rights to use /usr/sbin/pppd and /sbin/route (you may have to use other paths depending on your linux system).
To check if sudo works log in on the slave as vpn1 and try the command
sudo /usr/sbin/pppd
You should then see garbage on your screen for about 30 seconds, that's what's expected and shows that it works.
If you encounter problems take a look at the syslog (either in /var/log/messages or /var/adm/syslog). There you may find some useful information.
If it worked then try to issue the following command as root on the master:
ssh -t -l vpn1 slave sudo /usr/sbin/pppd
Again you should see garbage for about 30 seconds, that's ok (don't forget to replace slave with the appropriate name or ip address of your slave machine).
Check if pty-redir works To check the pty-redir program you have to issue the following command: pty-redir /usr/bin/ssh -t -l vpn1 slave sudo /usr/sbin/pppd REMEMBER: You'll have to use the complete path to ssh (simply use what the command which ssh says)! Since you do not get any output from this command you have to have a look at the syslog on the slave if pppd fires up. You should get a similiar output like this one:
```
Apr  7 10:50:42 xbgh5088 sudo:     vpn1 : TTY=ttyp3 ; PWD=/home/vpn1 ; USER=root ; COMMAND=/usr/sbin/pppd 
Apr  7 10:50:42 xbgh5088 pppd[1879]: pppd 2.3.5 started by vpn1, uid 0
Apr  7 10:50:42 xbgh5088 pppd[1879]: Using interface ppp0
Apr  7 10:50:42 xbgh5088 pppd[1879]: Connect: ppp0 <--> /dev/ttyp3
Apr  7 10:51:12 xbgh5088 pppd[1879]: LCP: timeout sending Config-Requests
Apr  7 10:51:12 xbgh5088 pppd[1879]: Connection terminated.
Apr  7 10:51:13 xbgh5088 pppd[1879]: Exit.
Apr  7 10:51:13 xbgh5088 sshd2[1876]: Remote host disconnected: Connection closed.
```
Don't be scared about any timeout messages. The only thing we are interested in at this time is if pppd fires up or not.
If there's a problem you may have to change pty-redir.c to use the other type of pseudo terminal (see pty-redir section).

Setting up the VPN script on the master Here is the script I used to test the connection which is derived from Arpad's VPN-mini-HOWTO:

#! /bin/sh
# skeleton      example file to build /etc/init.d/ scripts.
#               This file should be used to construct scripts for /etc/init.d.
#
#               Written by Miquel van Smoorenburg <miquels@cistron.nl>.
#               Modified for Debian GNU/Linux
#               by Ian Murdock <imurdock@gnu.ai.mit.edu>.
#
# Version:      @(#)skeleton  1.6  11-Nov-1996  miquels@cistron.nl
#

PATH=/usr/sbin:/sbin:/bin:/usr/sbin:/usr/bin
PPPAPP=/home/vpn1/ppp
ROUTEAPP=/home/vpn1/route
PPPD=/usr/sbin/pppd
NAME=VPN
REDIR=/usr/bin/pty-redir
SSH=/usr/bin/ssh
MYPPPIP=192.168.253.3
TARGETPPPIP=192.168.253.4
TARGETNET=192.168.102.0
MYNET=192.168.1.0
SLAVEWALL=192.168.253.2
SLAVEACC=vpn1

test -f $PPPD || exit 0

set -e

case "$1" in
  start)
        echo setting up vpn
        $REDIR $SSH -o 'Batchmode yes' -t -l $SLAVEACC $SLAVEWALL sudo $PPPAPP 2>/tmp/device

        TTYNAME=`cat /tmp/device`
        sleep 10s
        if [ ! -z $TTYNAME ]
        then
        $PPPD $TTYNAME ${MYPPPIP}:${TARGETPPPIP}
        else
                echo FAILED!
                logger "vpn setup failed"
        fi
        sleep 5s

        # here you may add additional routes to be defined for the VPN like
        # route add -net $TARGETNET gw $TARGETPPPIP
        $SSH -o 'Batchmode yes' -t -l $SLAVEACC $SLAVEWALL sudo $ROUTEAPP
    ;;
  stop)
        ps ax | grep "ssh -t -l $SLAVEACC " | grep -v grep | awk '{print $1}' | xargs kill
    ;;
  *)
    echo "Usage: /etc/rc.d/init.d/$NAME {start|stop}"
    exit 1
    ;;
esac

exit 0

Variable Definitions

PPPAPP The name of the script on the slave which is used to start the ppp connection via ssh2.
ROUTEAPP The name of the script on the slave which is used to set the appropriate routes for the ssh2 connection.
MYPPPIP The ip address of the master's side of the ppp (vpn) connection.
MYNET The network address on the master's LAN interface.
TARGETPPPIP The ip address of the slave's side of the ppp (vpn) connection, which will be set dynamically when the ppp connection is established (you could have a look at the slave's syslog when initiating the ppp connection).
TARGETNET The network address on the slave's LAN interface.
SLAVEWALL The ip address or the hostname of the slave.
SLAVEACC The name of the slave's vpn account.
PPPD, REDIR, SSH These variables hold the complete path of the required programs (same as the output of the which(1) command for the programs).

Put this script into the directory with the init scripts, these may be either /etc/rc.d/init.d or /etc/init.d depending on the distribution. Additionally you may add a link to the vpn script to the list of start scripts to automatically create the vpn connection at boot time. With RedHat this is done in /etc/rc.d/rc3.d, e.g. lrwxrwxrwx 1 root root 19 Mar 18 16:22 S99vpn -> ../init.d/VPN

Creating the scripts on the slave The master's vpn start script makes use of two scripts on the slave for initiating the ppp connection and for setting the required routes. These are very simple and have to reside in the vpn1's home directory:

-rwx------   1 vpn1     vpn1           77 Mar 30 06:57 ppp
-rwx------   1 vpn1     vpn1          239 Mar 30 09:55 route

Take care of the permissions set on these files! ~/ppp

#!/bin/sh
# call ppp for the VPN to create the ssh connection
/usr/sbin/pppd

~/route

#!/bin/sh
# create required routes for VPN
# add a route to the required network
# here it will be left clear because the needed routes are 
# set up automatically at boot time

# next line for debugging (log to syslog)
logger -i "Running /home/vpn1/route"

Next Previous Contents