DaemonForums, OpenBSD Security forum

#1
5th May 2008, s2scott
VPN alternative: ssh -w

As an easier alternative to IPsec VPNs, trumpet the arrival of SSH's new "-w" option.

With OpenBSD (4.2) and OpenSSH (4.3+), there's a "-w" option, and with it an IP forwarding feature. Classically, ssh(8) is a port forwarder. Not so classically, the "-w" feature is an IP forwarder. The IP can be point to point or point to subnet(s), or subnet(s) to subnet(s) and, thusly, its applicability and efficacy as a [truer] VPN.

Client side is as follows.

(N.B.: My sshd-as-a-vpn listens on port 443, not 22, to allow the client to traverse any intermediate firewalls that may block certain ports.)

openBSD client-side variant
Code:
# ssh -p443 -w 0:0 scott@mydomain.com
  /*...authenticate per your ssh policy. */
# ifconfig tun0 10.0.0.2 10.0.0.1 netmask 255.255.255.252
# route add -inet 192.168.2.0/24 10.0.0.1
ubuntu client-side variant
Code:
# ssh -p443 -w 0:0 scott@mydomain.com
  /*...authenticate per your ssh policy. */
# ifconfig tun0 10.0.0.2 pointopoint 10.0.0.1 netmask 255.255.255.252
  /*yes, "pointopoint" is correct as shown */
# route add -net 192.168.2.0/24 gw 10.0.0.1
__________________
Never argue with an idiot. They will bring you down to their level and beat you with experience.

Last edited by s2scott; 5th May 2008 at 02:46 PM.

#2
5th May 2008, s2scott

Here's the gateway side configuration...

Code:
/etc/hostname.tun0 
inet 10.0.0.1 255.255.255.252 10.0.0.2 group tun
Code:
/etc/hostname.tun1 
inet 10.0.0.5 255.255.255.252 10.0.0.6 group tun
Code:
/etc/hostname.tun2
inet 10.0.0.9 255.255.255.252 10.0.0.10 group tun
Code:
/etc/hostname.tun3
inet 10.0.0.13 255.255.255.252 10.0.0.14 group tun
Code:
/etc/ssh/sshd_config
#
Protocol 2
LoginGraceTime 20
PermitRootLogin yes
Banner /etc/ssh/sshd_banner
PrintMotd yes
UseDNS no
MACs hmac-ripemd160,hmac-sha1
ciphers aes256-ctr,aes128-ctr,3des-cbc
ListenAddress vpn.mydomain.com:443
ClientAliveInterval 20
ClientAliveCountMax 3
StrictModes yes
MaxAuthTries 3
PermitTunnel point-to-point
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys
PasswordAuthentication no
ChallengeResponseAuthentication no
#
Subsystem sftp /usr/libexec/sftp-server
#
Public keys are the only authentication method. Client-side private keys are pass-phrase protected.

Last edited by s2scott; 5th May 2008 at 02:47 PM.
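The gateway side above is one /30 per client plus a handful of sshd_config directives. The POSIX sh helpers below are an added example, not code from s2scott's posts: one generates the hostname.tunN line for any tunnel index under the same 10.0.0.0 /30 scheme, the other checks a given sshd_config for the four directives this setup depends on, reading the first occurrence of each keyword the way sshd does. The sshd_config fragment in the demo is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: gateway-side helpers for the scheme
# above, where tunN uses 10.0.0.(4N+1) (gateway) and 10.0.0.(4N+2) (client).

# tun_hostname_if N -> body of /etc/hostname.tunN for tunnel index N (0..62,
# so the /30s stay inside 10.0.0.0/24 as in the posts).
tun_hostname_if() {
    n=$1
    if [ "$n" -lt 0 ] || [ "$n" -gt 62 ]; then
        echo "tun_hostname_if: index $n out of range" >&2
        return 1
    fi
    printf 'inet 10.0.0.%d 255.255.255.252 10.0.0.%d group tun\n' \
        $((4 * n + 1)) $((4 * n + 2))
}

# sshd_tunnel_check FILE -> 0 if FILE carries the directives ssh -w relies on
# here (tunnel permitted, key-only auth), 1 otherwise; mismatches go to stderr.
# sshd honours the FIRST occurrence of a keyword, so that is the one read;
# commented-out lines ("#PermitTunnel ...") do not count.
sshd_tunnel_check() {
    rc=0
    for want in "PermitTunnel point-to-point" "PubkeyAuthentication yes" \
                "PasswordAuthentication no" "ChallengeResponseAuthentication no"; do
        key=${want%% *} val=${want#* }
        got=$(awk -v k="$key" 'tolower($1) == tolower(k) { print $2; exit }' "$1")
        if [ "$got" != "$val" ]; then
            echo "$key: want '$val', got '${got:-<unset>}'" >&2
            rc=1
        fi
    done
    return $rc
}

# Demo on a constructed sshd_config fragment (not the thread's file).
cfg=$(mktemp)
cat > "$cfg" <<'EOF'
#PermitTunnel no
PermitTunnel point-to-point
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
EOF
tun_hostname_if 3
sshd_tunnel_check "$cfg" && echo "sshd_config: ok for ssh -w"
rm -f "$cfg"
```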

#3
5th May 2008, s2scott

/etc/pf.conf fragment...

Code:
# -----
pass in log quick on outside inet proto tcp \
  from !<BadSshVpn> to (outside:0) port 443 \
  tag SSHVPN flags S/SFRA keep state \
  queue(Q5VPN,Q7) \
  (max-src-conn-rate 3/120, overload <BadSshVpn> flush global)
#
pass in log quick on tun inet \
  from (tun:peer) to any \
  tag TUNPKTS \
  keep state
#
pass out log quick on inside inet \
  tagged TUNPKTS keep state
# -----

Last edited by s2scott; 5th May 2008 at 02:54 PM.

#4
5th May 2008, phoenix

Hrm, so using this, with passwordless private keys on remote servers, one could in theory replace OpenVPN with just SSH. Although I'm not sure how well this would scale for management purposes.
__________________
Freddie

Help for FreeBSD: Handbook, FAQ, man pages, mailing lists.

#5
5th May 2008, s2scott

Quote:
Originally Posted by fjwcash
passwordless private keys...
  1. I use passworded private keys, not passwordless;
  2. I use this for road warrior client-to-gateway vpn, not site to site; and
  3. Nothing stopping you from your uses, though.
The challenge may be scaling, as you need a tun[0,...,n] interface for each concurrent connection on the gateway machine. This isn't a problem for my use, as three concurrent sessions is the upper need limit.

The feature of ssh -w (for me) is that,
  1. the needed wares are already on every box I operate, therefore, nothing extra to install or maintain;
  2. I use ssh already;
  3. configuring the vpn tunnel is a whole heck of a lot easier than ipsec; and
  4. so far, I can easily pass through tight firewalls and nat setups that are not under my control.

/S

Last edited by s2scott; 5th May 2008 at 04:58 PM.

#6
5th May 2008, revzalot

Awesome feature! So just to clarify once I'm in a public hotspot I can ssh -w into my OBSD firewall assuming it has the proper firewall rules. Once I'm connected I can surf the net like I was connected at home?

#7
6th May 2008, s2scott

Quote:
Originally Posted by revzalot
Awesome feature! So just to clarify once I'm in a public hotspot I can ssh -w into my OBSD firewall assuming it has the proper firewall rules. Once I'm connected I can surf the net like I was connected at home?
Yep.

But the -w just -- and I mean j-u-s-t -- brings up the ssh encrypted tunnel. How you use the tunnel depends on what you do next. On the CLIENT side...

Code:
ifconfig tun0 10.3.0.2 10.3.0.1 netmask 255.255.255.252
where .2 is the client and .1 is the gateway tunnel endpoint.
  1. route add -host gw.mydomain.com <hotspot_default_gateway_address> -ifp iwi0
  2. route add -net my_lan_subnet 10.3.0.1 -ifp tun0
  3. route change default 10.3.0.1 -ifp tun0
Where (1) you MUST preserve the route to your gw machine via the hotspot dhcp-obtained gateway ip, (2) route crypto to your work/home subnet; and (3) route crypto to the gateway and then off the gateway to the world.

These route commands can be scripted easily and may be built into the hostname.tun0 with the "!" prefix.

Last edited by s2scott; 6th May 2008 at 02:21 AM.
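The route ordering in this post is the part that bites: change the default route before pinning the host route to the gateway and the SSH session carrying the tunnel loses its path and dies. The sh script below is an added example, not s2scott's: it reads the current default gateway and interface out of an OpenBSD "route -n show -inet" table and emits the three route(8) commands in the required order, refusing to produce a plan when no default route is present. The routing table, the 203.0.113.10 gateway address and the use of route's -ifp flag to name the interface are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the thread: plan the road-warrior client routes
# from post #7 in an order that keeps the SSH session (and so the tunnel) up.
# Assumes OpenBSD "route -n show -inet" output; sample data is constructed.

# default_gw TABLE -> "GATEWAY IFACE" of the current default route, else 1.
default_gw() {
    awk '$1 == "default" { print $2, $NF; found = 1; exit }
         END { exit !found }' "$1"
}

# route_plan TABLE VPN_GW LAN_SUBNET TUN_PEER -> route(8) commands, in order:
#  1. host route to the VPN gateway via the hotspot's DHCP-supplied gateway
#     (must come first, or step 3 would send the SSH packets into the tunnel);
#  2. the home/work subnet via the tunnel peer;
#  3. everything else via the tunnel peer.
route_plan() {
    table=$1 vpn_gw=$2 lan=$3 peer=$4
    gw=$(default_gw "$table") || {
        echo "route_plan: no default route in $table, refusing" >&2
        return 1
    }
    hotspot_gw=${gw% *} hotspot_if=${gw#* }
    printf 'route add -host %s %s -ifp %s\n' "$vpn_gw" "$hotspot_gw" "$hotspot_if"
    printf 'route add -net %s %s -ifp tun0\n' "$lan" "$peer"
    printf 'route change default %s -ifp tun0\n' "$peer"
}

# Demo on a constructed routing table (203.0.113.10 stands in for the VPN
# gateway's public address).
tbl=$(mktemp)
cat > "$tbl" <<'EOF'
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            192.168.1.1        UGS        0        8     -     8 iwi0
127/8              127.0.0.1          UGRS       0        0 33200     8 lo0
192.168.1/24       link#1             UC         1        0     -     4 iwi0
EOF
route_plan "$tbl" 203.0.113.10 192.168.2.0/24 10.3.0.1
rm -f "$tbl"
```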

#8
9th May 2008, revzalot

Thanks good buddy.

#9
29th January 2009, jggimi

I'm dredging up this old thread to ask a clarifying question: what happens when your laptop is on the same RFC1918 subnet as the private LAN you're attempting to route to?

e.g.: In your example, s2scott, the destination subnet is 192.168.2/24. But ... what happens if where you're connecting from is in the same or an overlapping subnet? e.g.: connecting from 192.168.2.221? or 192.168.50.100 when the netmask is 255.255.0.0?

I ask because I happened to see the IPSec/NAT article just pubbed in the Journal, and thought about address collisions with NAT. Would NAT via the tun(4) device be a possible play?

http://undeadly.org/cgi?action=artic...20090127205841

Last edited by jggimi; 29th January 2009 at 08:29 PM.

1st February 2009, jggimi

Having experimented, I have determined it is possible to avoid RFC1918 collisions or interference with any other IPv4 address: Use IPv6 addressing on the tun device instead of IPv4. But unless you also set up a gif(4) tunnel for IPv4, NAT is the only way to ensure no routing problems.

Having played with tunneling IPv4 over IPv6 with gif, I find it easier to set up IPSec.

2nd February 2009, revzalot

Quote:
Originally Posted by jggimi
Having experimented, I have determined it is possible to avoid RFC1918 collisions or interference with any other IPv4 address: Use IPv6 addressing on the tun device instead of IPv4. But unless you also set up a gif(4) tunnel for IPv4, NAT is the only way to ensure no routing problems.

Having played with tunneling IPv4 over IPv6 with gif, I find it easier to set up IPSec.
Would like to see a cool how to on this jggimi.

2nd February 2009, jggimi

I hate "howtos" -- even if I use them as a learning tool, myself. But ok, I will find some time to sit down with four virtual machines and run this again (since I'd promptly forgotten what I did, once I did it). I'll take notes.

3rd February 2009, jggimi
Problem statement and solution architecture

As I'd stated above, IPSec is easier because one doesn't need to deal with a virtual subnet on the tunnel itself, as we do with SSH. When I tested this, I just used NAT on tun0 -- but this more robust solution, below, is a possibility. I may use BINAT and NAT in combination, if I determine it makes a simpler solution.

I'll be testing this and coming up with sample scripts and config files this week, but I thought I would publish an initial architecture beforehand... just in case I've missed something obvious. And it's easy to miss something; there are six virtual IP subnets in the solution.

Problem:



Solution:



Last edited by jggimi; 3rd February 2009 at 08:21 PM.

4th February 2009, jggimi

I set up the virtual infrastructure last evening, and got it working. 5 QEMU virtual machines with 4 unique vlans.

The first thing I learned was that dhclient will not communicate with tun(4) devices, nor will it operate properly even if the tun device is driven through a bridge(4).

I stopped at that point, and will pick it up again either tonight or on the weekend.

Last edited by jggimi; 4th February 2009 at 07:32 PM.

8th February 2009, jggimi

I've been unable to configure binat so that traffic will pass to the tun device.

16th April 2009, s2scott

Quote:
Originally Posted by jggimi
I'm dredging up this old thread to ask a clarifying question: what happens when your laptop is on the same RFC1918 subnet as the private LAN you're attempting to route to?
Sorry for a long absence ...

I usually use 169.254.n.n for the tun address spaces. It is a "reserved" range but will almost never collide.

/S