Poor man's VPN connection

by Tony Mattke on April 20, 2010



Have you ever needed to access a site that had an IP restriction, or one inside your remote network? Recently I needed to access a customer's remote monitoring site, but it's restricted to a small subnet of IPs. They had no VPN set up for me, so I had to come up with something new…

The answer was creating an SSH connection to their network firewall, which happened to be a custom Linux box I had access to. The setup is actually quite simple and requires no changes to the remote host. The following command will create a local proxy for your machine to use on port 8080.

hackpro:~# ssh -q2nCTN -D 8080 user@hostname


The only caveat to this setup is that you will need key authentication set up; it will not work with standard password authentication. The following is a list of the options used:

  • -q = Quiet
  • -2 = Force SSHv2
  • -n = Do not read from stdin (this is why you need to have private key authentication set up!)
  • -C = Compression
  • -T = Disable pseudo-tty allocation
  • -N = Do not execute a remote command or launch a shell; use the SSH connection for port forwarding only
  • -D = Allocate a socket to listen on locally. Whenever a connection is made to this port,
    the connection is forwarded over the secure channel. (Requires root)

The only thing left to configure is your browser. Set it to use localhost:8080 as a SOCKS proxy. Quick, simple, and perfect! As usual, if you have any questions please feel free to leave a comment below.
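To show what the browser actually sends to the listener that ssh -D opens, here is a minimal SOCKS5 client handshake in Python. It is an added example, not code from the original post. It passes the target as a hostname rather than an IP, so name resolution happens at the remote end of the tunnel (the firewall), which is what you want when the site is only reachable or resolvable inside the customer's network. The proxy address 127.0.0.1:8080 and the absence of proxy authentication are assumptions.

```python
"""Constructed SOCKS5 client handshake against an `ssh -D 8080` listener.
Assumes OpenSSH's built-in SOCKS listener on 127.0.0.1:8080, no proxy auth."""
import socket
import struct

SOCKS_VERSION = 5
NO_AUTH = 0x00
CMD_CONNECT = 0x01
ATYP_DOMAIN = 0x03  # hostname address type: resolved by the remote side
REPLY_TEXT = {0: "succeeded", 1: "general failure", 2: "not allowed by ruleset",
              3: "network unreachable", 4: "host unreachable",
              5: "connection refused", 6: "TTL expired",
              7: "command not supported", 8: "address type not supported"}

def greeting() -> bytes:
    """Client hello: version 5, one offered method (no authentication)."""
    return bytes([SOCKS_VERSION, 1, NO_AUTH])

def connect_request(host: str, port: int) -> bytes:
    """CONNECT request carrying the target as a domain name, not an IP."""
    name = host.encode("idna")
    if not 0 < len(name) < 256:
        raise ValueError("hostname must be 1-255 bytes")
    header = bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)])
    return header + name + struct.pack("!H", port)

def parse_method_reply(data: bytes) -> None:
    """Server must echo version 5 and pick the no-auth method."""
    if len(data) != 2 or data[0] != SOCKS_VERSION:
        raise ValueError(f"not a SOCKS5 method reply: {data!r}")
    if data[1] != NO_AUTH:
        raise ValueError(f"proxy selected unsupported method {data[1]:#x}")

def parse_connect_reply(data: bytes) -> int:
    """Return the REP code of a CONNECT reply; 0 means the tunnel is up."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError(f"malformed SOCKS5 reply: {data!r}")
    return data[1]

def probe(host: str, port: int, proxy=("127.0.0.1", 8080), timeout=5.0) -> str:
    """Open host:port through the SOCKS proxy and report the proxy's verdict."""
    with socket.create_connection(proxy, timeout=timeout) as s:
        s.sendall(greeting())
        parse_method_reply(s.recv(2))
        s.sendall(connect_request(host, port))
        rep = parse_connect_reply(s.recv(262))  # max reply: 4 + 1 + 255 + 2 bytes
    return REPLY_TEXT.get(rep, f"unknown reply {rep}")

if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1], int(sys.argv[2])))
```

Run it as `python3 socks_probe.py monitoring.example.internal 443` once the ssh -D session is up; "succeeded" means the remote end resolved the name and opened the connection for you.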

Who writes this crap?

Tony Mattke is a network engineer for a financial institution in Indiana. In the past he has worked for ISPs, data centers, networking manufacturers, and the occasional enterprise. For feedback, please leave a comment on the article in question. For everything else including fan mail or death threats, contact him via twitter.


halil baysal December 8, 2010 at 5:13 pm

For an L3 connection through ssh,
search for a more detailed explanation of the ssh "-w" option.
This (if run as root and the needed modules are loaded) creates tunx interfaces on the client and server.
Give both client and server an IP address on the tunx interfaces (Linux starts with tun0 and OS X with tun15).
The 2 machines can now communicate securely over the internet and you can use internal IP addresses for communication,
but we can go further:
whole network forwarding over VPN.
Add your routing: route add -net remote_ip/maskbit "other_point_ip"
for example
route add -net 192.168.0.0/24 10.0.0.254
and add in your router the IP addresses of the networks to the VPN machines.
And voilà, a VPN setup with 4 commands ;)
I start it all in a screen session and detach after everything is done, and the VPN will be intact ;)

