Features Security Lessons: OpenSSH VPNs
Building SSH VPNs with OpenSSH Very Painless Networks OpenSSH VPN technology, installed by default on most TCP or UDP, whereas PPTP and SSH are restricted to TCP, only without making Linux, BSD, and Unix systems, lets you mix and match major modifications or using additional software to transfer the TCP packets By Kurt Seifried different clients and servers easily. over UDP. The Trouble with Standards hen it comes to VPN perfor- gigabyte or more of encrypted traffic. One Why aren’t VPN options like IPsec more mance, the problems used to of the biggest performance problems popular? IPsec provides authentication revolve around having faced by VPNs now is ISPs that either and encryption of network traffic. IPsec W enough CPU power to en- shape (that is to say they slow down) is supported on virtually every operating crypt and decrypt network traffic (watch- VPN traffic or block it completely. system and most network devices. Most ing a Pentium III struggle with 100Mb IPsec servers support a variety of strong traffic was always fun). Nowadays, CPU Some VPN Options encryption options. power is cheap, and On Linux, you have a number of popu- So, why don’t we use IPsec more? Al- now with Intel lar VPN options: IPsec, OpenVPN, PPTP, though IPsec has a well-defined stan- AES-NI and and SSH. All four will get you a secure dard, it is implemented by many differ- other vendors network between a combination of ent vendors, some of which have added supporting AES hosts and networks. As far as authenti- extensions or chosen slightly different with native in- cation, virtually all of them support the ways to implement certain things. In my structions, the use of pre-shared keys or secrets, and experience (between OpenBSD, Linux, good news is they can all be configured to use PAM, Windows, Cisco, and a few other net- that most sys- LDAP, and a variety of other authentica- work equipment makers), configuration tems can eas- tion back ends. However, they have and management of different clients and ily keep up some important differences. The biggest servers can be challenging. with a difference is the transport mechanisms Generally, if you stick to a heteroge- used. IPsec does basically everything at neous environment (e.g., all OpenBSD, the network layer – except the mutable all Windows, or all Cisco servers and headers (those that might be changed in Cisco client software on endpoints), you transit, e.g., the TTL and checksum). will be mostly fine, but if you start mix- OpenVPN, PPTP, and SSH basically all ing and matching, you will likely be in operate at the application for a world of pain. layer and simply encrypt data and then send it as the Why SSH? payload within a data Here, I will focus on building SSH VPNs. packet. The main difference One of the more compelling advantages is that OpenVPN can use either of SSH is that virtually all network plat- forms with a TCP/IP stack support SSH. Kurt Seifried Even better, about 99% of all systems running an SSH server/client are using Kurt Seifried is an Information Security Consultant specializing in Linux and net- OpenSSH [1], which ensures an ex- works since 1996. He often wonders how tremely high degree of compatibility be- it is that technology works on a large tween them. About the only systems that scale but often fails on a small scale. don’t ship with OpenSSH are Windows
46 November 2012 Issue 144 linux-magazine.com | Linuxpromagazine.com Features Security Lessons: OpenSSH VPNs
and lower end network equipment. Vir- can either set up an OpenSSH server in- # Controls IP packet forwarding tually all “proper” VPN setups require side the network or allow direct access net.ipv4.ip_forward = 1 root-level access because you will be (e.g., to the mail server, web server, modifying your systems’ network inter- etc.). Generally, setting up a separate and simply reboot. If you want to enable faces and routing tables. However, if you server is much safer and easier: Allow IP forwarding, you can run are only using OpenSSH port forwarding, port 22 to an external IP then allow that you can do this as a normal user with no DMZ host to connect to your trusted sys- sysctl ‑w net.ipv4.ip_forward = 1 additional privileges. tems. Please note that for this to work, the AllowTcpForwarding option in sshd_ You might also need to enable forward- OpenSSH on Windows config needs to be set to yes; however, ing in your firewall rules, although many OpenSSH installation on Linux is gener- this is the default setting (so it should Linux distributions allow forwarding by ally not required because almost all ven- work with no problems). default. dors ship it by default and enable it for For example, you can allow users to remote administration. To install connect to ports 25 (SMTP) and 143 OpenSSH VPN Config OpenSSH on Windows, you’ll need to (IMAP) from the DMZ host. By default, The use of OpenSSH for “real” VPNs has download Cygwin [2] then, during in- local port forwarding only binds to local- one critical configuration directive: Per‑ stallation, simply choose OpenSSH (in host (127.0.0.1), which is ideal for a lap- mitTunnel. For tunneling to work, you All | Net) for installation. Once installed top. To set up SSH port forwarding for need to enable this by either specifying on Windows, you need to enable localhost port 2500 to port 25 and port ethernet for Layer 2 tunneling or yes for OpenSSH: Right-click on the Cygwin 14300 to port 143 on the mail server, you Layer 3 and Layer 2 tunneling. However, menu item or icon, choose Run as ad- can use commands like: you probably don’t want to give users ministrator (running it as a normal user administrative access to your OpenSSH will not allow you enough access to con- ssh user@openssh.example.org U server so that they can log in and run figure OpenSSH), then simply run: ‑L 2500:mail.example.org:25 commands to modify the networking ssh [email protected] U configuration, for example. The easiest ssh‑host‑config ‑L 14300:mail.example.org:143 way to deal with this is to use either the ForceCommand directive, to run a set pro- When asked to enable privilege separa- In the above scenario, every user’s lap- gram or script once the user logs in, or tion, say yes. You’ll then be asked to cre- top mail client would connect to local- to modify the ~/.ssh/.authorized_keys ate a new local account, to which you host port 25 (to send email) and port 143 file, to include the commands you want also agree, then you will be asked (to receive email). to run and any SSH options: whether you want to install OpenSSH as It’s important to note that, by default, a service (you do). For the value of the when forwarding ports, OpenSSH only command="/opt/bin/vpn‑setup.sh",U CYGWIN daemon, enter ntsec. Finally, binds to localhost; thus, by extension, no‑port‑forwarding,U you will be prompted to create a user for only local users can connect to the for- no‑X11‑forwarding,U OpenSSH to run as; follow the prompts warded port. However, what if you want no‑pty