|This article describes the chaining together of several open source freeware tools to create a secure tunnel between two computer networks. Your employer's security department may or may not get upset with you for trying these techniques. They may get downright hostile. If you decide to apply these techniques, you are accepting responsibility for doing so. No guarantee is made as to the fitness of these techniques for any particular purpose and the author will accept no liability for the use or misuse of these techniques. Everything described here is published elsewhere in the documentation for the tools described.|
This article describes a technique to allow you to set up a connection from your machine at work to your machine at home such that you can access your home machine from work and your work machine from home in a manner that does not open up holes to let the bad guys in. We are assuming you have a broadband connection at home with a stable IP address.
This is not a description of a general purpose VPN where you can attach to a computer from an arbitrary location. It describes a technique to link a home network to a work network for a particular user. It works best if you have your own UNIX box at work.
A separate related article describes the case where you have two machines at separate households and you would like to be able to ssh between them. In this case we are assuming that one or both of the IP addresses may change on a regular basis and you want to automatically update your /etc/hosts (or windows hosts) file and your /etc/hosts.allow file.
Note that these techniques can be used to create a VPN which is quite secure. In some ways, it is more secure than traditional VPN since you have to list which ports are allowed through the tunnel. It is however, only as secure as your machine. As these techniques do not cut the client machine off from the rest of the local network, as do most VPN clients, if you have been hacked and the hacker is on your machine, you are providing them a pipe into your work computer.
The basic layout of the technique is as follows:
In the ssh setup page we talked about getting ssh working on your home Sun Solaris machine so you can connect from work to home. With a Linux box, the machine comes with sshd ready to go.
It is possible that some firewall between your work and home blocks port 22. This is unfortunate but not a show stopper. In your sshd_config file (/etc/ssh on Linux and /usr/local/etc on Solaris) you can change the port used by sshd. Most work shops that allow internet access from work allow port 80 (http) and port 443 (https). Port 8080 is also often open. If port 443 is open, and you are not running your own secure web server, adjust your sshd_config file to read:
Port 443 X11Forwarding yes
Adjust your home firewall to forward port 443 instead of 22 to your UNIX box. The X11Forwarding yes line allows you to specify X11 forwarding (display back) on the client side.
In your /etc/hosts.allow file put in the IP address of your machine at work. Easier said than done. Your work firewall may do network address translation (NAT). In addition NAT may be turned on for the ssh port or it may not. You may have to put the external IP address in your hosts.allow file or your actual machine IP address.
Example in /etc/hosts/allow:
# Work machines internal ALL: 123.132.321.111
The next trick is to test out the connection. Log into a UNIX box at work and run the ssh command specifying the IP address of your home network. This will be the IP address assigned by your ISP. You can get your current external IP address from the page REMOTE_ADDR.shtml. You have to look at the above link from home to get your home IP address and carry it in to work.
If you had to change the default port for sshd, you will have to modify the
$HOME/.ssh/config file at work to show the new port.
Example in $HOME/.ssh/config:
Host home Hostname 213.321.25.182 Port 443 HostKeyAlias home
If you can complete an ssh from your work machine to your home machine, you have the guts of your VPN working. The remainder is fine tuning.
The Real VNC home page http://www.realvnc.com/ allows you do download a freeware remote access program which operates on both UNIX and Windows. It can be a client or a server on either UNIX or Windows. It allows you to drive a PC remotely from another PC or a UNIX platform. It also allows you to drive a UNIX platform from a PC or a different UNIX platform.
How to use VNC is outside the scope of this article, but it is important because it will allow you drive your PC at home or your work PC from other machine via your VPN. When a VNC server is running on a PC or Window platform, you specify what display it is using as a number. This number is added to 5900 to determine what port the server listens on. Thus if you tell the server to use display 2, the server will listen on port 5902. This is important for the next section on port forwarding.
For the sake of this example, let us assume:
In your $HOME/.ssh/config file on your work machine, update the file to look like:
ForwardX11 yes Host home Hostname 213.321.25.182 Port 443 HostKeyAlias home LocalForward 5902 192.168.1.2:5902
Note the addition of the LocalFoward line. It is telling ssh on your
work machine to listen to port 5902 when an ssh connection is up. Any connections
from the work machine to LOCALHOST:5902 will be tunneled to your home network
and passed to 192.168.1.2:5902.
From a UNIX prompt at work, start an ssh session to your home machine. Then, at a unix prompt in a different terminal window on the UNIX machine at work, type:
You should get a password prompt. Type the VNC password for your home PC running VNC server. You should now get a window with your home machine's desktop.
The basic idea here is that we are going to leave the ssh from work to home up and then use this connection to run the ssh the other way. Modify your work machine's .ssh/config file as follows:
ForwardX11 yes Host home Hostname 213.321.25.182 Port 443 HostKeyAlias home LocalForward 5902 192.168.1.2:5902 RemoteForward 2222 126.96.36.199:22
Note that we added a RemoteForward line.
Start an ssh session to your home machine, lock your machine and go home leaving the ssh session up.
Modify your $HOME/.ssh/config as follows:
Host work ForwardX11 yes Hostname local host Port 2222 HostKeyAlias work #GatewayPorts yes LocalForward 5900 188.8.131.52:5900
The above identifies a host named work. When you ssh to work, you actually connect to the local host port 2222 which is the RemoteForward port you set up at work. In addition, once we establish an ssh connection, we will forward local port 5900 to port 5900 on the work PC. This will allow the work PC to be driven from a home machine.
In the above example, the GatewayPorts yes line is commented out. If you uncomment this line, other machines on your home network can use port 5900 on your home UNIX box to get to the VNC server on your work PC. This would allow you to drive your work PC from your home PC and your work UNIX box from your home UNIX box.
At this point you have rolled your own personal VPN.
Leaving your UNIX workstation logged on may not be pleasing to you. In addition, with the above examples, if you start a second concurrent ssh session from work to home, you will get errors about being unable to use ports 5902 and 2222 because they are in use (from the first ssh session). This section describes some things you can do about this.
Consider the following version of the work $HOME/.ssh/config file:
ForwardX11 yes Host homea Hostname 213.321.25.182 Port 443 HostKeyAlias home LocalForward 5902 192.168.1.2:5902 RemoteForward 2222 184.108.40.206:22 Host home Hostname 213.321.25.182 Port 443 HostKeyAlias home
If we ssh to homea, we get the port forwarding, if we ssh to home, we get just get X11 forwarded back.
Run the command on the work machine:
nohup ssh -N -f styma8a
The above command will prompt you for your password and then go to background. The port forwarding between the two machines and will survive logging off. This has to be run once per reboot. It also has to be rerun if network connectivity is lost. This can be automated but is the subject of the next article. Note that anyone logged on to the UNIX machine at work can attempt to use these ports. They have to have a login and password on your home machine to get anywhere. The sshd on your home machine can be configure to log failed login attempts.
Consider the following from the ssh man page:
ssh implements the RSA authentication protocol automatically. The user creates his/her RSA key pair by running ssh-keygen(1). This stores the private key in $HOME/.ssh/identity and the public key in $HOME/.ssh/identity.pub in the user's home directory. The user should then copy the identity.pub to $HOME/.ssh/authorized_keys in his/her home directory on the remote machine (the authorized_keys file corresponds to the conventional $HOME/.rhosts file, and has one key per line, though the lines can be very long). After this, the user can log in without giving the password. RSA authentication is much more secure than rhosts authentication.
So, we run ssh-keygen -t rsa at work and then sftp the $HOME/.ssh/identity.pub to the home machine with the name $HOME/.ssh/authorized_keys. Now, when you ssh to your home machine (from your work account) you will not need a password.
Anyone logged on to the UNIX machine at work can attempt to use these ports. If they can get on the UNIX machine as root and then become you, they can ssh to your home machine without a password. Thus this should be used with great caution.
# Allow display back from home to work ForwardX11 yes # Name used by the ssh instance just forwarding ports. Host homea # 213.321.25.182 is the external IP address of your home machine assigned by your ISP Hostname 213.321.25.182 # If you cannot use port 22 (the default) you could use the SHTTP port Port 443 # Tell ssh to use the same encryption key for home as homea. HostKeyAlias home # For VNC forward localhost:4 to your Windows PC running VNC server at home # 192.168.1.4 is your windows PC at home LocalForward 5904 192.168.1.4:5904 # Forward port 7777 to echo server for keep alive program # 192.168.1.8 is your UNIX/Linux box at home running sshd and the TCP echo server via inetd. # only needed if you are going to run the keep alive cron job. LocalForward 7777 192.168.1.8:7 # Reverse forward port 2222 so you can ssh back into work. # 220.127.116.11 is replaced with the IP address of your work UNIX machine running sshd RemoteForward 2222 18.104.22.168:22 # Name used for normal ssh from work to home Host home Hostname 213.321.25.182 Port 443 HostKeyAlias home
# Allow display back from work to home ForwardX11 yes Host work # Use the reverse forwarded port from work to get to ssh at work Hostname localhost Port 2222 # Tell ssh to use the same encryption key for work. HostKeyAlias work # Allow VNC on your Home Windows PC to forward to your work PC GatewayPorts yes # Forward UNIX machine at home display 0 to your work PC running VNC server # 22.214.171.124 is your work PC. LocalForward 5900 126.96.36.199:5900 # Same as work, but no forwarded ports Host work1 ForwardX11 yes Hostname localhost Port 2222 HostKeyAlias work