Roll Your Own VPN with ssh and VNC

DISCLAIMER

This article describes the chaining together of several open source freeware tools to create a secure tunnel between two computer networks. Your employer's security department may or may not get upset with you for trying these techniques. They may get downright hostile. If you decide to apply these techniques, you are accepting responsibility for doing so. No guarantee is made as to the fitness of these techniques for any particular purpose and the author will accept no liability for the use or misuse of these techniques. Everything described here is published elsewhere in the documentation for the tools described.

Bi-directional ssh tunnel diagram

This article describes a technique to allow you to set up a connection from your machine at work to your machine at home such that you can access your home machine from work and your work machine from home in a manner that does not open up holes to let the bad guys in. We are assuming you have a broadband connection at home with a stable IP address.

This is not a description of a general purpose VPN where you can attach to a computer from an arbitrary location. It describes a technique to link a home network to a work network for a particular user. It works best if you have your own UNIX box at work.

A separate related article describes the case where you have two machines at separate households and you would like to be able to ssh between them. In this case we are assuming that one or both of the IP addresses may change on a regular basis and you want to automatically update your /etc/hosts (or windows hosts) file and your /etc/hosts.allow file.

Note that these techniques can be used to create a VPN which is quite secure; in some ways it is more secure than a traditional VPN, since you have to list exactly which ports are allowed through the tunnel. It is, however, only as secure as your machine. Because these techniques do not cut the client machine off from the rest of the local network, as most VPN clients do, if you have been hacked and the hacker is on your machine, you are providing them a pipe into your work computer.

Overview

The basic layout of the technique is as follows:

Assumptions

From Work to Home

SSH Setup

In the ssh setup page we talked about getting ssh working on your home Sun Solaris machine so you can connect from work to home. With a Linux box, the machine comes with sshd ready to go.

It is possible that some firewall between your work and home blocks port 22. This is unfortunate but not a show stopper: in your sshd_config file (/etc/ssh on Linux, /usr/local/etc on Solaris) you can change the port sshd listens on. Most workplaces that allow internet access from work allow port 80 (http) and port 443 (https); port 8080 is also often open. If port 443 is open and you are not running your own secure web server, adjust your sshd_config file to read:


Port 443
X11Forwarding yes

Adjust your home firewall to forward port 443 instead of 22 to your UNIX box. The X11Forwarding yes line allows the client side to request X11 forwarding (display back).

In your /etc/hosts.allow file, put the IP address of your machine at work. That is easier said than done: your work firewall may do network address translation (NAT), and NAT may or may not be applied to the ssh port. So the address your home machine actually sees may be either the firewall's external IP address or your machine's own IP address, and that is the one that belongs in hosts.allow.

Example in /etc/hosts.allow:

# Work machines internal
ALL: 123.132.321.111
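The quickest way to settle the NAT question is to ask sshd itself which address it saw. The following is an added example (not from the original article): OpenSSH exports SSH_CONNECTION in every session as "client_ip client_port server_ip server_port", and its first field is exactly what tcp wrappers will match, whether that turns out to be the work firewall's external address or the work machine's own. The script also checks whether an existing hosts.allow already lists that address, so the rule is not added twice. It assumes bash on the home UNIX box and the whitespace hosts.allow syntax used above.

```bash
#!/bin/bash
# Added example, not part of the original article: find out which address the
# home sshd actually sees for the work machine, and check whether hosts.allow
# already permits it. OpenSSH exports SSH_CONNECTION in every session as
# "client_ip client_port server_ip server_port"; the first field is the
# address tcp wrappers will match, whether that is the work firewall's
# external (NAT) address or the work machine's own.

# Print the client address from an SSH_CONNECTION value (argument or environment).
ssh_client_ip() {
    local conn="${1:-$SSH_CONNECTION}"
    [ -n "$conn" ] || { echo "not inside an ssh session" >&2; return 1; }
    printf '%s\n' "${conn%% *}"
}

# Read hosts.allow text on stdin; return 0 if some ALL or sshd rule already
# lists the address $1. Comments and a trailing option field are ignored.
hosts_allow_permits() {
    local ip="$1" line daemons clients c
    while IFS= read -r line; do
        line="${line%%#*}"                     # strip comments
        case "$line" in *:*) ;; *) continue ;; esac
        daemons=" $(printf '%s' "${line%%:*}" | tr ',' ' ') "
        clients="${line#*:}"
        clients="${clients%%:*}"               # drop an optional third field
        case "$daemons" in *" ALL "*|*" sshd "*) ;; *) continue ;; esac
        for c in $(printf '%s' "$clients" | tr ',' ' '); do
            if [ "$c" = "$ip" ]; then return 0; fi
        done
    done
    return 1
}

# Rule text for the address; tighter than the article's ALL, since only sshd
# needs to be reachable from work.
hosts_allow_line() {
    printf 'sshd: %s\n' "$1"
}

# Typical use, in a shell at home that was opened over ssh from work:
#   ip=$(ssh_client_ip) && { hosts_allow_permits "$ip" </etc/hosts.allow \
#       || hosts_allow_line "$ip" >>/etc/hosts.allow; }
```

Run the check from a session you opened from work; if the address printed is not your work machine's own, it is the NAT address and that is the one hosts.allow needs.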

SSH From Work to Home

The next trick is to test the connection. Log into a UNIX box at work and run the ssh command, giving the IP address of your home network. This is the address assigned by your ISP; you can see your current external IP address on the page REMOTE_ADDR.shtml. You have to look at that page from home to get your home IP address and carry it in to work.

If you had to change the default port for sshd, you will also have to put the new port in the $HOME/.ssh/config file at work. Example in $HOME/.ssh/config:

 Host home
 Hostname 213.321.25.182
 Port 443
 HostKeyAlias home

If you can complete an ssh from your work machine to your home machine, you have the guts of your VPN working. The remainder is fine tuning.

Real VNC

The Real VNC home page http://www.realvnc.com/ allows you to download a freeware remote access program which runs on both UNIX and Windows. Either platform can be the client or the server, so you can drive a PC remotely from another PC or from a UNIX machine, and a UNIX machine from a PC or from another UNIX machine.

How to use VNC is outside the scope of this article, but it matters here because it will allow you to drive your home PC or your work PC from another machine via your VPN. When a VNC server is running on a PC or Windows platform, you specify the display it uses as a number. This number is added to 5900 to determine the port the server listens on: if you tell the server to use display 2, it listens on port 5902. This is important for the next section on port forwarding.

Driving Your Home PC From a Work UNIX box

For the sake of this example, let us assume your home machine is at 213.321.25.182 with sshd on port 443 (as above), and that the PC at home running VNC server is 192.168.1.2 and uses display 2, i.e. port 5902.

In your $HOME/.ssh/config file on your work machine, update the file to look like:

ForwardX11  yes

Host home
 Hostname 213.321.25.182
 Port 443
 HostKeyAlias home
 LocalForward  5902  192.168.1.2:5902

Note the addition of the LocalForward line. It tells ssh on your work machine to listen on port 5902 while an ssh connection is up. Any connection from the work machine to LOCALHOST:5902 will be tunneled to your home network and passed to 192.168.1.2:5902.

From a UNIX prompt at work, start an ssh session to your home machine. Then, at a UNIX prompt in a different terminal window on the UNIX machine at work, type:

vncviewer localhost:2

You should get a password prompt. Type the VNC password for your home PC running VNC server. You should now get a window with your home machine's desktop.

From Home to Work

SSH Setup at Work

The basic idea here is that we are going to leave the ssh session from work to home up and then use that connection to run ssh the other way. Modify your work machine's .ssh/config file as follows:


ForwardX11  yes

Host home
 Hostname 213.321.25.182
 Port 443
 HostKeyAlias home
 LocalForward  5902  192.168.1.2:5902
 RemoteForward 2222  144.144.144.144:22

Note the added RemoteForward line: it tells the sshd at home to listen on port 2222 and pass any connection it receives back through the tunnel to port 22 on your work machine (144.144.144.144).

Start an ssh session to your home machine, lock your machine and go home leaving the ssh session up.

SSH Setup at Home

Modify your $HOME/.ssh/config as follows:

Host work
 ForwardX11  yes
 Hostname localhost
 Port 2222
 HostKeyAlias work
 #GatewayPorts yes
 LocalForward 5900  144.144.144.145:5900

The above identifies a host named work. When you ssh to work, you actually connect to localhost port 2222, which is the RemoteForward port you set up at work. In addition, once the ssh connection is established, local port 5900 is forwarded to port 5900 on the work PC. This allows the work PC to be driven from a home machine.

In the above example, the GatewayPorts yes line is commented out, so the forwarded port 5900 listens only on localhost. If you uncomment this line, port 5900 listens on all of the home UNIX box's interfaces, and other machines on your home network can use it to get to the VNC server on your work PC. This would allow you to drive your work PC from your home PC and your work UNIX box from your home UNIX box.
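Two checks for the home side, written here as an added example rather than taken from the article. The first reads an ssh_config and reports the value a Host stanza actually gets for an option, using the same first-match-wins rule as ssh and ignoring comments, so a commented-out GatewayPorts reports nothing. The second reads Linux "netstat -lnt" output and says whether a forwarded port is bound to loopback only or to every interface, which is the difference GatewayPorts yes makes. Both assume bash; the netstat column layout assumed is the Linux one.

```bash
#!/bin/bash
# Added example, not part of the original article: two checks for the home
# side of the tunnel. ssh_config_option reports the value a Host stanza gets
# for an option (first match wins, as in ssh; comments are ignored).
# forward_exposure reads Linux "netstat -lnt" output and classifies how a
# forwarded port is exposed, which is what GatewayPorts yes changes.

# ssh_config_option HOST OPTION  (config text on stdin)
ssh_config_option() {
    local want_host="$1" want_opt line key val h applies=1
    want_opt=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    while IFS= read -r line; do
        line="${line%%#*}"                       # drop comments
        set -- $line
        [ $# -ge 2 ] || continue
        key=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); shift; val="$*"
        if [ "$key" = host ]; then
            applies=0                            # lines before any Host are global
            for h in $val; do
                if [ "$h" = "$want_host" ]; then applies=1; fi
            done
            continue
        fi
        if [ "$applies" = 1 ] && [ "$key" = "$want_opt" ]; then
            printf '%s\n' "$val"
            return 0
        fi
    done
    return 1
}

# forward_exposure PORT  (netstat -lnt output on stdin)
# Prints loopback, all-interfaces, "specific ADDR", or not-listening.
forward_exposure() {
    local port="$1" line addr host result=not-listening
    while IFS= read -r line; do
        set -- $line
        [ "${6:-}" = LISTEN ] || continue        # skips netstat's header lines
        addr="$4"
        case "$addr" in *:"$port") ;; *) continue ;; esac
        host="${addr%:*}"                        # "::" and ":::5902" handled too
        case "$host" in
            127.0.0.1|::1)   result=loopback ;;
            0.0.0.0|::|'*')  echo all-interfaces; return 0 ;;
            *)               result="specific $host" ;;
        esac
    done
    echo "$result"
}

# Typical use on the home UNIX box while the "work" session is up:
#   ssh_config_option work GatewayPorts <~/.ssh/config \
#       || echo "GatewayPorts not set: forwards listen on loopback only"
#   netstat -lnt | forward_exposure 5900
```

If the second check reports all-interfaces for 5900, every host on the home LAN can reach the VNC server on the work PC through your tunnel, which is what the GatewayPorts line intends; if that is not intended, leave the line commented out.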

At this point you have rolled your own personal VPN.

Automation

Leaving your UNIX workstation logged on may not be pleasing to you. In addition, with the above examples, if you start a second concurrent ssh session from work to home, you will get errors about being unable to use ports 5902 and 2222 because they are in use (from the first ssh session). This section describes some things you can do about this.

The Special ssh Session at Work

Consider the following version of the work $HOME/.ssh/config file:


ForwardX11  yes

Host homea
 Hostname 213.321.25.182
 Port 443
 HostKeyAlias home
 LocalForward  5902  192.168.1.2:5902
 RemoteForward 2222  144.144.144.144:22

Host home
 Hostname 213.321.25.182
 Port 443
 HostKeyAlias home

If we ssh to homea, we get the port forwarding; if we ssh to home, we just get X11 forwarded back.

Run the command on the work machine:

nohup ssh -N -f homea

The above command will prompt you for your password and then go to the background. The port forwarding between the two machines survives logging off. It has to be run once per reboot, and rerun if network connectivity is lost; this can be automated, but that is the subject of the next article. Note that anyone logged on to the UNIX machine at work can attempt to use these ports, though they need a login and password on your home machine to get anywhere. The sshd on your home machine can be configured to log failed login attempts.
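The following is the keep-alive job this section defers to the next article, written here as an added example (not the author's script). It uses the pieces listed in the Summary below: the echo service on port 7 of the home UNIX box reached through LocalForward 7777, the dedicated key ~/.ssh/id_rsa_a, and the Host homea stanza. It probes the echo port and restarts the forwarding-only session only when the probe fails, so a second concurrent ssh never fights with the first over ports 5902, 7777 and 2222. It assumes bash (for /dev/tcp) on the work machine.

```bash
#!/bin/bash
# Added example, not part of the original article: the keep-alive job the
# article defers to its next instalment. It probes the echo service the
# Summary forwards (LocalForward 7777 -> port 7 on the home UNIX box) and
# restarts the forwarding-only session only when the probe fails, so two
# sessions never compete for the same ports. Assumes bash (/dev/tcp), the key
# ~/.ssh/id_rsa_a and the Host homea stanza from the article.

PROBE_HOST=127.0.0.1          # the LocalForward listens on the work machine itself
PROBE_PORT=7777
TUNNEL_ALIAS=homea
TUNNEL_KEY="$HOME/.ssh/id_rsa_a"

# tunnel_alive [HOST [PORT [TIMEOUT]]]: send a nonce through the forwarded
# echo port; the tunnel is alive only if the same bytes come back in time.
# A refused connection and a silent peer (a dead session still holding the
# port) both count as down.
tunnel_alive() {
    local host="${1:-$PROBE_HOST}" port="${2:-$PROBE_PORT}" timeout="${3:-5}"
    local nonce="keepalive-$$-$(date +%s)"
    (
        exec 3<>"/dev/tcp/$host/$port" || exit 1
        printf '%s\n' "$nonce" >&3
        IFS= read -r -t "$timeout" reply <&3 || exit 1
        [ "$reply" = "$nonce" ]
    ) 2>/dev/null
}

# Start the session exactly as the article does (-N: no remote command,
# -f: go to background), with the dedicated key so cron needs no password.
start_tunnel() {
    # A dropped connection can leave an ssh process holding the ports; remove
    # it first or the new ssh fails with "Address already in use".
    pkill -f "ssh .*-N -f $TUNNEL_ALIAS" 2>/dev/null || true
    nohup ssh -i "$TUNNEL_KEY" -N -f "$TUNNEL_ALIAS" >/dev/null 2>&1
}

# ensure_tunnel [PROBE [STARTER]]: probe first, start only on failure. The
# probe and starter are parameters so the decision can be exercised offline.
ensure_tunnel() {
    local probe="${1:-tunnel_alive}" starter="${2:-start_tunnel}"
    if "$probe"; then
        echo "tunnel up"
        return 0
    fi
    echo "tunnel down, restarting"
    "$starter"
}

# Run from cron every five minutes on the work machine, for example:
#   */5 * * * * /home/you/bin/tunnel-keepalive.sh --run
if [ "${1:-}" = "--run" ]; then
    ensure_tunnel
fi
```

Probing through the tunnel, rather than just checking that an ssh process exists, is what catches the common failure: the connection has dropped but the old ssh is still sitting there holding the ports. OpenSSH clients also accept ServerAliveInterval in ssh_config, which makes the session itself notice a dead link and exit, so the next cron run restarts it sooner.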

Living Real Dangerously

Consider the following from the ssh man page:

     ssh implements the RSA authentication protocol automatically. The user
     creates his/her RSA key pair by running ssh-keygen(1). This stores the
     private key in $HOME/.ssh/identity and the public key in
     $HOME/.ssh/identity.pub in the user's home directory. The user should
     then copy the identity.pub to $HOME/.ssh/authorized_keys in his/her home
     directory on the remote machine (the authorized_keys file corresponds to
     the conventional $HOME/.rhosts file, and has one key per line, though
     the lines can be very long). After this, the user can log in without
     giving the password. RSA authentication is much more secure than rhosts
     authentication.

So, we run ssh-keygen -t rsa at work, which writes id_rsa and id_rsa.pub (the identity and identity.pub names in the man page excerpt belong to the older protocol 1 keys), and then sftp id_rsa.pub to the home machine under the name $HOME/.ssh/authorized_keys. Now, when you ssh to your home machine from your work account, you will not need a password.

Anyone logged on to the UNIX machine at work can attempt to use these ports. Anyone who can get on that machine as root can become you and then ssh to your home machine without a password. This should therefore be used with great caution.
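The risk above can be narrowed considerably, because this key is only ever used by "ssh -N -f homea" and so never needs a shell, a pty, agent forwarding or X11. The following is an added example (not from the article) that builds a restricted authorized_keys line using standard OpenSSH options: from= ties the key to the address the work side arrives from (the same address you put in hosts.allow), no-pty, no-agent-forwarding and no-X11-forwarding switch off what the tunnel does not need, command= replaces any shell someone might ask for, and permitopen= limits LocalForward targets to the destinations from the Summary. It assumes bash and the addresses used elsewhere on this page.

```bash
#!/bin/bash
# Added example, not part of the original article: build a restricted
# authorized_keys line for the password-less key. That key is only ever used by
# "ssh -N -f homea", so it needs no shell, pty, agent or X11 forwarding, and it
# can be tied to the address the work side arrives from (the same address you
# put in hosts.allow). The options are standard OpenSSH authorized_keys options:
# from=, no-pty, no-agent-forwarding, no-X11-forwarding, command= and permitopen=.

# valid_pubkey_line LINE: accept "type base64 [comment]" for the usual key
# types and reject anything else, such as a private key pasted by mistake.
valid_pubkey_line() {
    set -- $1
    [ $# -ge 2 ] || return 1
    case "$1" in ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-*) ;; *) return 1 ;; esac
    case "$2" in *[!A-Za-z0-9+/=]*) return 1 ;; esac
    return 0
}

# restrict_key FROM_ADDR PUBKEY_LINE [HOST:PORT...]
# Prints one authorized_keys line. Each HOST:PORT becomes a permitopen entry,
# which limits the client's LocalForward targets to exactly the listed
# destinations (the article's VNC PC and echo server). RemoteForward listeners
# are opened on the server side and are not governed by permitopen.
restrict_key() {
    local from="$1" key="$2" dest opts
    shift 2
    valid_pubkey_line "$key" || return 1
    opts="from=\"$from\",no-pty,no-agent-forwarding,no-X11-forwarding"
    # command= replaces whatever command or shell a client asks for; an -N
    # session never requests one, so the tunnel itself is unaffected.
    opts="$opts,command=\"/bin/echo forwarding-only key\""
    for dest in "$@"; do
        opts="$opts,permitopen=\"$dest\""
    done
    printf '%s %s\n' "$opts" "$key"
}

# Typical use on the home machine, with the work public key copied to /tmp:
#   restrict_key 123.132.321.111 "$(cat /tmp/id_rsa.pub)" \
#       192.168.1.4:5904 192.168.1.8:7 >> ~/.ssh/authorized_keys
```

With this line installed, someone who obtains the key at work can still bring up the forwards, but only from the listed address and only to the listed destinations; they get no shell on your home machine and cannot use the key to reach anything else on your home network.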

Summary

  1. On your work UNIX machine, in your $HOME/.ssh/config file:
    # Allow display back from home to work
    ForwardX11  yes
    
    # Name used by the ssh instance just forwarding ports.
    Host homea
       # 213.321.25.182 is the external IP address of your home machine assigned by your ISP
       Hostname 213.321.25.182
       # If you cannot use port 22 (the default) you could use the HTTPS port
       Port 443
       # Tell ssh to use the same encryption key for home as homea.
       HostKeyAlias home
       # For VNC forward localhost:4 to your Windows PC running VNC server at home
       # 192.168.1.4 is your windows PC at home
       LocalForward  5904  192.168.1.4:5904
       # Forward port 7777 to echo server for keep alive program
       # 192.168.1.8 is your UNIX/Linux box at home running sshd and the TCP echo server via inetd.
       # only needed if you are going to run the keep alive cron job.
       LocalForward  7777  192.168.1.8:7
       # Reverse forward port 2222 so you can ssh back into work.
       # 144.144.144.144 is replaced with the IP address of your work UNIX machine running sshd
       RemoteForward 2222  144.144.144.144:22
    
    # Name used for normal ssh from work to home
    Host home
       Hostname 213.321.25.182
       Port 443
       HostKeyAlias home
    
    
  2. This part is only needed if you are going to run the keep alive cron job.
    In your work $HOME/.ssh directory run ssh-keygen -t rsa to create your
    id_rsa and id_rsa.pub files.
    Rename id_rsa to id_rsa_a and sftp your id_rsa.pub file to your home machine, naming it $HOME/.ssh/authorized_keys to allow non-password connections in certain cases.
     
  3. Run the command:
    nohup ssh -N -f homea
    from your work UNIX machine. You will be prompted for a password. If you are going to run the keep alive cron job, run:
    nohup ssh -i ~/.ssh/id_rsa_a -N -f homea
    and you will not be prompted for a password. This sets up the tunneled ports.
     
  4. On your home UNIX machine, in your $HOME/.ssh/config file:
    
    # Allow display back from work to home
    ForwardX11  yes
    
    Host work
       # Use the reverse forwarded port from work to get to ssh at work
       Hostname localhost
       Port 2222
       #  Tell ssh to use the same encryption key for work.
       HostKeyAlias work
       #  Allow VNC on your Home Windows PC to forward to your work PC
       GatewayPorts yes
       #  Forward UNIX machine at home display 0 to your work PC running VNC server
       #  144.144.144.145 is your work PC.
       LocalForward 5900  144.144.144.145:5900
    
    
    # Same as work, but no forwarded ports
    Host work1
     ForwardX11  yes
     Hostname localhost
     Port 2222
     HostKeyAlias work
    
    
  5. This part is only needed if you are going to run the keep alive cron job.
    On your home UNIX machine, make sure the TCP echo server is running on port 7. On Linux, running xinetd, this can be done with redhat-config-services (for a RedHat or Fedora system) or by editing /etc/xinetd.d/echo. On systems running inetd, make sure the /etc/services line for echo is uncommented:
    echo 7/tcp
     


Last Maintained, 08/17/2005 by R. E. Styma