VPN or SSH Tunnel for routing traffic

I'm currently using an SSH tunnel to connect to a Squid HTTP proxy running on a remote machine. I've configured my browser to use the ssh tunnel/proxy except while connecting to addresses on the local network.

I'd like to make this more robust and tunnel all my traffic through some sort of ssh tunnel. Would it be possible to set things up so that connections to local addresses are routed to the local router as they would normally be, but all other connections (to remote addresses) are routed through the ssh tunnel to my home Linux box and then routed normally by that machine's routes? Can this be done so I don't need an HTTP proxy and don't need to tell each application to go through the tunnel... so my routing table will know what to do with the connections?

How would I go about setting this up? Can it be done with just ssh tunnels, or do I need to set up something like OpenVPN? Thanks!
RedACE asked:
joju commented:
The best option is OpenVPN.

http://www.linuxjournal.com/comment/reply/7881
Some extracts:

OpenSSH:

 OpenSSH is a good tool for tunneling traffic from specific applications running on specific hosts; it can be used in this way in both remote-access and point-to-point VPN scenarios. It is less useful, however, for tunneling all traffic between remote networks or users.

Stunnel:

The main difference between Stunnel and SSH is that Stunnel is much more limited; all it does is encrypted port forwarding. Also, because Stunnel really is a sort of front end for OpenSSL, Stunnel requires you to configure and install digital certificates, which perhaps offsets some of its simplicity. Otherwise, Stunnel shares OpenSSH's limitations as a VPN tool.

openVPN:

Because no special kernel modules or modifications are necessary, OpenVPN runs purely in user space, making it much easier to port across operating systems than IPSec implementations. And, by virtue of using the standard OpenSSL libraries, OpenVPN, like Stunnel, does a minimum of wheel re-invention. Unlike homegrown cryptosystems, such as those used in the CIPE and tinc VPN packages, all of OpenVPN's critical operations are handled by OpenSSL. OpenSSL itself certainly isn't flawless, but it's under constant scrutiny for security flaws and is maintained by some of the Open Source community's finest crypto programmers.

Thanx,
Joju
fixnix commented:
/me agrees

SSH tunnels are great... and I use them often, but for some things they're just a pain! FTP comes to mind... also, forgetting about the occasional need for ports you haven't pre-configured for forwarding (like if one day you decide to jump on IRC from work because you need to ask a bud something real quick but haven't set up bnc at your shell).
RedACE (author) commented:
I've read through most of the OpenVPN (2.0) howto. The section on "routing all traffic (including web-traffic) through the VPN" (http://openvpn.net/howto.html#redirect) seems to be what I want. It looks like the server pushes an option to the client telling it to route all its traffic through the VPN. Can I customize this at all, or simply modify the routes on my clients manually without using this option? I don't want to route *all* my traffic. I want connections to the client's local network to go out through the local gateway and everything else (to the internet) to go through the VPN. On the server side, the FAQ suggests that adding NAT rules to iptables will allow the server to route my connections through the VPN out to the internet. Does this seem correct?
ahoffmann commented:
This is a routing problem, not an SSH or VPN problem, hence the solution is to use iptables, for example
something like:

iptables -t nat -A PREROUTING ! -d IP-of-your-local-LAN -j DNAT --to-destination IP-of-your-VPN-tunnel

Then the settings in your OpenVPN (as described in the howto) should do the rest.
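The split the asker describes (LAN via the local router, everything else via the tunnel) is exactly what OpenVPN's `redirect-gateway def1` option from the howto section above produces, and it works through ordinary longest-prefix-match routing rather than NAT. The following is an added illustration, not code from the thread, OpenVPN or the howto: it models a client's routing table before and after `def1` and resolves destinations the way the kernel does. All addresses (192.168.1.0/24 as the LAN, 10.8.0.1 as the tunnel peer, 203.0.113.10 as the VPN server) are constructed placeholders.

```python
"""Longest-prefix-match lookup showing why `redirect-gateway def1`
sends Internet traffic into tun0 while leaving the client's own LAN
reachable through the local gateway.

Added example, not OpenVPN code. Every address below is a constructed
placeholder chosen for illustration.
"""
import ipaddress
from typing import List, Optional, Tuple

# A route: (destination network, egress interface, next hop or None if on-link)
Route = Tuple[ipaddress.IPv4Network, str, Optional[str]]


def lookup(table: List[Route], dst: str) -> Route:
    """Return the most specific route matching dst (longest prefix wins),
    which is the rule the kernel applies to the main routing table."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table if addr in r[0]]
    if not candidates:
        raise LookupError(f"no route to {dst}")
    return max(candidates, key=lambda r: r[0].prefixlen)


def egress(table: List[Route], dst: str) -> str:
    """Convenience wrapper: just the interface chosen for dst."""
    return lookup(table, dst)[1]


def before_vpn(lan: str, gw: str) -> List[Route]:
    """Plain client table: the LAN is on-link, everything else goes to
    the local router."""
    return [
        (ipaddress.ip_network(lan), "eth0", None),
        (ipaddress.ip_network("0.0.0.0/0"), "eth0", gw),
    ]


def after_def1(lan: str, gw: str, server_ip: str, tun_gw: str) -> List[Route]:
    """What `redirect-gateway def1` adds on the client.

    The original default route is left in place. Two /1 routes via tun0
    cover the whole address space but, being more specific than /0,
    override it; the /24 LAN route is more specific still, so LAN
    traffic keeps using eth0 without any extra configuration. A /32
    host route pins the VPN server's real address to the original
    gateway so the tunnel's own packets are not routed into the tunnel.
    """
    return before_vpn(lan, gw) + [
        (ipaddress.ip_network(f"{server_ip}/32"), "eth0", gw),
        (ipaddress.ip_network("0.0.0.0/1"), "tun0", tun_gw),
        (ipaddress.ip_network("128.0.0.0/1"), "tun0", tun_gw),
    ]


if __name__ == "__main__":
    plain = before_vpn("192.168.1.0/24", "192.168.1.1")
    vpn = after_def1("192.168.1.0/24", "192.168.1.1", "203.0.113.10", "10.8.0.1")
    for dst in ("192.168.1.50", "8.8.8.8", "198.51.100.7", "203.0.113.10"):
        print(f"{dst:>14}: before={egress(plain, dst)}  after def1={egress(vpn, dst)}")
```

Because the client's LAN stays reachable by virtue of the more specific connected route, nothing needs to be done on the client beyond accepting the pushed option (or adding the same `def1` routes by hand). What the server side still needs, as the howto RedACE cites says, is IP forwarding enabled (`net.ipv4.ip_forward=1`) and a NAT rule such as `iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE` on its Internet-facing interface, so replies to the tunnelled connections find their way back to the VPN subnet.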
RedACE (author) commented:
Okay. Thank you for your help. I will play around with openvpn and iptables.

Can I give partial points to ahoffmann? How does this work?
ahoffmann commented:
> Can I give partial points
you can split points when grading
Should this question be reopened so that you can split points?
RedACE (author) commented:
I didn't see that option, sorry. I'm new to EE. Can I fix this?
joju commented:
No issues on my side. The admin can take the points assigned to me back.

Thanx,
Joju.