Virtual Private Networking

SSH and Port Forwarding

PPP Tunneling (w/ ssh)

Joe Clarke, from Cisco Systems, and a UM alumnus, suggests another method, which has several advantages over plain port forwarding: PPP creates interface endpoints (tun devices) at either end of the VPN channel, and an ssh session connects them. A combination of routing and NAT'ing is required to complete the connection, since only the two tunnel endpoints know about the link.

PPP setup.

Call the server S and the client C. The client is attached to the internet via some provider and might have some local address, say The server might be sherman, with address

On S, the /etc/ppp/ppp.conf reads

       set timeout 0
       set log phase lcp ipcp command
       allow mode direct
       set ifaddr
       allow users burt
       disable dns
       accept dns
       set dns
Actually, we haven't gotten DNS to work well, but that might be due to OS X.

On C, here is /etc/ppp/options:

pty "/usr/bin/ssh -l burt -e none -q -t -t /usr/sbin/ppp -direct vpnserver"
The pty option tells pppd to talk through the given command instead of a serial device, so the tun device on C is piped into an ssh session. On start of the session, ssh executes /usr/sbin/ppp -direct on S and pipes through it; that ppp's standard input and output are the PPP link, and its other end is the tun device on S. Note that ssh expects the server's hostname between its options and the remote command. The -e none option turns off ssh's escape character, so no byte of the PPP stream is interpreted by ssh; -q keeps ssh's own messages off the pty, where they would corrupt the link; -t -t forces tty allocation even though pppd's end is not a terminal. Public-key authentication is required for this to work, as you will have no opportunity to respond to any prompt from ssh: the key must have no passphrase (or be loaded in an agent that pppd can reach), and it is worth verifying beforehand with ssh -o BatchMode=yes that the login completes without prompting. We had to make pppd suid root for this to work (in order to create a device?). A setuid-root pppd can be started by any local user who can execute it, so restrict its execute permission to the VPN user or a group.

In this configuration, C:tun is address , and S:tun is address (check this). Now traffic for the 172/8 net should be directed towards the tun device:

route add -net
Now ping should work.
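The client-side procedure above (verify that ssh logs in without prompting, start pppd with the pty command, wait for the interface, add the route) as one script. This is an added example and not code from the original notes or from Joe Clarke; the user burt and host sherman come from the page, while the ppp.conf label vpnserver, the client interface name ppp0, the remote net and the tunnel gateway are assumed placeholders, since the page elides its real values.

```shell
#!/bin/sh
# Added example, not from the original notes: client-side helper for the
# PPP-over-SSH tunnel. Label, net, gateway and interface name are assumptions.

# pppd "pty" command. ssh takes the server name between its options and the
# remote command; -e none turns off ssh's escape character so no byte of the
# PPP stream is interpreted by ssh, -q keeps ssh's own messages off the pty,
# and -t -t forces a remote tty even though pppd's end is not a terminal.
pty_command() {
    printf '/usr/bin/ssh -l %s -e none -q -t -t %s /usr/sbin/ppp -direct %s' \
        "$1" "$2" "$3"
}

# Prove that the ssh login completes with no prompt at all. pppd runs ssh with
# nobody attached, so a passphrase, password or unknown-host-key prompt would
# hang the link. The ssh binary is overridable (SSH=...) so the check can be
# exercised without a real server.
check_batch_ssh() {
    ${SSH:-ssh} -o BatchMode=yes -o PasswordAuthentication=no \
        -o StrictHostKeyChecking=yes -l "$1" "$2" true
}

# Bring the tunnel up (must run as root): start pppd with the pty command,
# wait for the assumed client interface ppp0, then route the remote net
# through the tunnel peer. BSD/OS X route syntax, as on the page.
vpn_up() {
    user=$1; host=$2; label=$3; net=$4; gateway=$5
    check_batch_ssh "$user" "$host" || {
        echo "ssh to $host prompts or fails; fix key authentication first" >&2
        return 1
    }
    # pppd accepts the same options on the command line as in /etc/ppp/options;
    # noauth assumes the server-side ppp does not ask the client to authenticate.
    pppd pty "$(pty_command "$user" "$host" "$label")" noauth nodetach &
    i=0
    while ! ifconfig ppp0 >/dev/null 2>&1; do
        i=$((i + 1))
        [ "$i" -lt 30 ] || { echo "ppp0 did not come up" >&2; return 1; }
        sleep 1
    done
    route add -net "$net" "$gateway"
    ping -c 3 "$gateway"
}

# Usage (as root): vpn_up burt sherman vpnserver 172.16.0.0/12 <S tunnel addr>
```

Run check_batch_ssh by hand first; if it prints anything or exits non-zero, pppd will not get a link either. The ping at the end only proves the tunnel endpoint answers; other hosts on the remote net still need a route back or NAT, as the next paragraph explains.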

The advantage of this method is that any port on is available, not just the ports explicitly forwarded as with ssh port forwarding. However, unless NAT is used somewhere, or routes to are installed on the other hosts, the rest of 172/8 is still unavailable: those hosts have no return path to C's tunnel address.

Joe has gotten much farther along on this than these notes describe. Come back for more information.


Burton Rosenberg, 30 July 2002
Update: 6 August