  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1835

VPN or SSH Tunnel for routing traffic

I'm currently using an SSH tunnel to connect to a Squid HTTP proxy running on a remote machine. I've configured my browser to use the ssh tunnel/proxy except while connecting to addresses on the local network.

I'd like to make this more robust and tunnel all my traffic through some sort of ssh tunnel. Would it be possible to set up connections to local addresses to be routed to the local router as they would normally be handled, but have all other connections (to remote addresses) be routed through the ssh tunnel to my home linux box and then routed normally by that machine's routes? Can this be done so I don't need an HTTP proxy and don't need to tell each application to go through the tunnel... so my routing table will know what to do with the connections?

How would I go about setting this up? Can it be done with just ssh tunnels or do I need to set up something like openvpn? Thanks!
0
Asked by: RedACE
1 Solution
 
joju commented:
Best option is openVPN

http://www.linuxjournal.com/comment/reply/7881
Some extracts:

OpenSSH:

OpenSSH is a good tool for tunneling traffic from specific applications running on specific hosts; it can be used in this way in both remote-access and point-to-point VPN scenarios. It is less useful, however, for tunneling all traffic between remote networks or users.

Stunnel:

The main difference between Stunnel and SSH is that Stunnel is much more limited; all it does is encrypted port forwarding. Also, because Stunnel really is a sort of front end for OpenSSL, Stunnel requires you to configure and install digital certificates, which perhaps offsets some of its simplicity. Otherwise, Stunnel shares OpenSSH's limitations as a VPN tool.

openVPN:

Because no special kernel modules or modifications are necessary, OpenVPN runs purely in user space, making it much easier to port across operating systems than IPSec implementations. And, by virtue of using the standard OpenSSL libraries, OpenVPN, like Stunnel, does a minimum of wheel re-invention. Unlike homegrown cryptosystems, such as those used in the CIPE and tinc VPN packages, all of OpenVPN's critical operations are handled by OpenSSL. OpenSSL itself certainly isn't flawless, but it's under constant scrutiny for security flaws and is maintained by some of the Open Source community's finest crypto programmers.

Thanx,
Joju
0
 
fixnix commented:
/me agrees

SSH tunnels are great...and I use them often, but for some things they're just a pain!  FTP comes to mind...also forgetting about the occasional needs for ports you haven't pre-configured for forwarding (like if one day you decide to jump on IRC from work cause you need to ask a bud something real quick but haven't set up bnc at your shell).
0
 
RedACE (Author) commented:
I've read through most of the openvpn (2.0) howto. The section on "routing all traffic (including web-traffic) through the vpn" (http://openvpn.net/howto.html#redirect) seems to be what I want. It looks like the server pushes an option to the client telling it to route all its traffic through the vpn. Can I customize this at all or simply modify the routes on my clients manually without using this option? I don't want to route *all* my traffic. I want connections to the client's local network to go out through the local gateway and everything else (to the internet) to go through the vpn. On the server side, the FAQ suggests that adding NAT rules to iptables will allow the server to route my connections through the vpn out to the internet. Does this seem correct?
0
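What the pushed option actually does to the client's routing table is easiest to see by modelling it. The script below is an added example, not code from the thread or from the OpenVPN project: it holds a constructed routing table as it looks after OpenVPN's `redirect-gateway def1` option (the one the HOWTO section linked above describes) has been applied on the client, and does a longest-prefix-match lookup over it. All addresses are constructed: 192.168.1.0/24 is the client's LAN with gateway 192.168.1.1 on eth0, 10.8.0.0/24 is the VPN subnet with the server at 10.8.0.1 on tun0, and 203.0.113.5 stands in for the VPN server's public address.

```shell
#!/bin/sh
# Added example: a model of the client kernel routing table after
# "redirect-gateway def1". Constructed data, not a real host.
# Columns: destination/prefixlen  next-hop (or "onlink")  device
#
# The first three lines are what the client already had. The last three are
# what def1 adds: a host route to the VPN server's public address through the
# old gateway (so the tunnel's own packets don't get fed back into the tunnel),
# and two /1 routes that together cover all of IPv4. Being more specific than
# the existing 0.0.0.0/0 they win over it without deleting it, while the /24
# for the LAN is more specific still and keeps going out the local gateway.
ROUTES='
0.0.0.0/0       192.168.1.1  eth0
192.168.1.0/24  onlink       eth0
10.8.0.0/24     onlink       tun0
203.0.113.5/32  192.168.1.1  eth0
0.0.0.0/1       10.8.0.1     tun0
128.0.0.0/1     10.8.0.1     tun0
'

# Dotted-quad IPv4 address -> unsigned 32-bit integer.
ip2int() {
    saved_ifs=$IFS; IFS=.
    set -- $1
    IFS=$saved_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Netmask (as an integer) for a prefix length 0..32.
prefix_mask() {
    if [ "$1" -eq 0 ]; then
        echo 0
    else
        echo $(( (0xffffffff << (32 - $1)) & 0xffffffff ))
    fi
}

# Longest-prefix match over $ROUTES, the way the kernel picks a route.
# Prints "device next-hop" for the destination given as $1.
next_hop() {
    dest=$(ip2int "$1")
    printf '%s\n' "$ROUTES" | {
        best_len=-1 best=""
        while read -r prefix gw dev; do
            [ -n "$prefix" ] || continue          # skip blank lines
            net=${prefix%/*}; len=${prefix#*/}
            mask=$(prefix_mask "$len")
            if [ $(( dest & mask )) -eq $(( $(ip2int "$net") & mask )) ] \
               && [ "$len" -gt "$best_len" ]; then
                best_len=$len; best="$dev $gw"
            fi
        done
        echo "$best"
    }
}

# Walk a few destinations: LAN host, VPN peer, VPN server, two internet hosts.
for d in 192.168.1.50 10.8.0.7 203.0.113.5 8.8.8.8 198.51.100.9; do
    printf '%-14s -> %s\n' "$d" "$(next_hop "$d")"
done
```

The LAN and VPN-subnet destinations resolve to eth0 and tun0 directly, the server's public address goes to the local gateway, and every other address lands on the /1 routes into the tunnel, which is exactly the split the question asks for. Two points the model makes concrete: the option need not be pushed by the server, since a client can carry `redirect-gateway def1` in its own configuration instead; and the tunnel only carries traffic to the internet if the server forwards it and rewrites the source, so the server side needs IPv4 forwarding enabled plus a source-NAT rule for the VPN subnet on its outside interface, for example `iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE` (eth0 and the subnet being the constructed values from the model).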

 
ahoffmann commented:
This is a routing problem, not an SSH or VPN problem, hence the solution is to use iptables, for example
something like:

iptables -t nat -A PREROUTING ! -d IP-of-your-local-LAN -j DNAT --to-destination IP-of-your-VPN-tunnel

then the settings in your openVPN (as described in the howto) should do the rest
0
 
RedACE (Author) commented:
Okay. Thank you for your help. I will play around with openvpn and iptables.

Can I give partial points to ahoffmann? How does this work?
0
 
ahoffmann commented:
> Can I give partial points
You can split points when grading.
Should this question be reopened so that you can split points?
0
 
RedACE (Author) commented:
I didn't see that option, sorry. I'm new to EE. Can I fix this?
0
 
joju commented:
No issues on my side. Admin can take points assigned to me back.

Thanx,
Joju.
0
