Ssh

Setting up a tunnel via ssh and using its Internet connection for VPN clients

  • June 23, 2015

I have two VPS (CentOS 6.6 x64) with public IP addresses, e.g. 1.1.1.1 and 2.2.2.2.

The VPS with 1.1.1.1 is a VPN server.
I need to connect 1.1.1.1 to 2.2.2.2 via ssh
so that my VPN clients on 1.1.1.1 can have the 2.2.2.2 public IP address.

How do I do that?

Look at the ssh man page; it gives you a nice example:

man ssh

SSH-BASED VIRTUAL PRIVATE NETWORKS
ssh contains support for Virtual Private Network (VPN) tunnelling using the tun(4) network pseudo-device, allowing two networks to be joined securely.  The sshd_config(5) configuration option PermitTunnel controls whether the server supports this, and at what level (layer 2 or 3 traffic).

The following example would connect client network 10.0.50.0/24 with remote network 10.0.99.0/24 using a point-to-point connection from 10.1.1.1 to 10.1.1.2, provided that the SSH server running on the gateway to the remote network, at 192.168.1.15, allows it.

On the client:

      # ssh -f -w 0:1 192.168.1.15 true
      # ifconfig tun0 10.1.1.1 10.1.1.2 netmask 255.255.255.252
      # route add 10.0.99.0/24 10.1.1.2

On the server:

      # ifconfig tun1 10.1.1.2 10.1.1.1 netmask 255.255.255.252
      # route add 10.0.50.0/24 10.1.1.1

Client access may be more finely tuned via the /root/.ssh/authorized_keys file (see below) and the PermitRootLogin server option.  The following entry would permit connections on tun(4) device 1 from user ``jane'' and on tun device 2 from user ``john'', if PermitRootLogin is set to ``forced-commands-only'':

  tunnel="1",command="sh /etc/netstart tun1" ssh-rsa ... jane
  tunnel="2",command="sh /etc/netstart tun2" ssh-rsa ... john

Since an SSH-based setup entails a fair amount of overhead, it may be more suited to temporary setups, such as for wireless VPNs.  More permanent VPNs are better provided by tools such as ipsecctl(8) and isakmpd(8).

You will also have to set up routes to make sure the traffic flows to the right "interface".

If you are looking for a more permanent setup, you might consider an OpenVPN- or IPsec-based VPN, as they are better suited to the job and more adaptable.

Don't create the VPN using the public IP as the only IP in ifconfig; you need to assign a private network to each server, e.g.:

Server @ 1.1.1.1 - private tun0 IP - 10.0.100.0/28 - 10.0.100.1

Server @ 2.2.2.2 - private tun0 IP - 10.0.200.0/28 - 10.0.200.1

Then route traffic from 10.0.100.1 -> 10.0.200.1, or in the opposite direction, as appropriate.
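The setup both answers describe, worked through for the question's two hosts as an added example (not code from the Server Fault thread): 1.1.1.1 opens an ssh tun(4) tunnel to 2.2.2.2, gets private tunnel addresses, and only the VPN client pool is policy-routed out through 2.2.2.2, which forwards and SNATs it. The /30 tunnel addresses, the WAN interface name and the VPN client pool are assumptions, since the question does not give them.

```shell
#!/bin/sh
# Added example (not from the Server Fault post): ssh tun(4) tunnel for the
# scenario above. A = 1.1.1.1 (VPN server, ssh client side) opens the tunnel
# to B = 2.2.2.2 (runs sshd); VPN clients on A then exit with B's public IP.
# Assumed/placeholder values: the /30 tunnel addresses, B's WAN interface and
# the VPN client pool on A (none of these are given in the question).
A_TUN=10.1.1.1
B_TUN=10.1.1.2
B_PUB=2.2.2.2
B_WAN_IF=eth0
VPN_POOL=10.8.0.0/24
DRY_RUN=${DRY_RUN:-1}   # default: print the commands instead of running them

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Returns 0 when the given sshd_config allows layer-3 tunnels. Prefer
# "point-to-point" over "yes": "yes" also permits layer-2 (tap) tunnels.
permittunnel_ok() {
    grep -Eiq '^[[:space:]]*PermitTunnel[[:space:]]+(yes|point-to-point)' "$1"
}

# On A, as root: open the tunnel, address tun0 and policy-route only the VPN
# pool through it, so A's own traffic keeps its normal default route.
setup_vpn_server() {
    run ssh -f -w 0:0 "root@$B_PUB" true
    run ip link set tun0 up
    run ip addr add "$A_TUN/30" peer "$B_TUN" dev tun0
    run sysctl -w net.ipv4.ip_forward=1
    run sysctl -w net.ipv4.conf.tun0.rp_filter=2   # loose: paths are asymmetric
    run ip rule add from "$VPN_POOL" table 100
    run ip route add default via "$B_TUN" dev tun0 table 100
}

# On B, as root, once A's session is up (tun0 exists only then; the man page's
# authorized_keys command= is the usual trigger): address tun0, route the pool
# back over the tunnel, forward only that pool and SNAT it to B's public IP.
setup_exit_host() {
    run ip link set tun0 up
    run ip addr add "$B_TUN/30" peer "$A_TUN" dev tun0
    run ip route add "$VPN_POOL" via "$A_TUN" dev tun0
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -I FORWARD -i tun0 -s "$VPN_POOL" -o "$B_WAN_IF" -j ACCEPT
    run iptables -I FORWARD -i "$B_WAN_IF" -o tun0 -d "$VPN_POOL" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -t nat -A POSTROUTING -s "$VPN_POOL" -o "$B_WAN_IF" -j MASQUERADE
}
```

Run with DRY_RUN=0 on each host to apply; `-w 0:0` needs root (or pre-created tun devices) on both ends, and a `tunnel="0"` restriction in authorized_keys pins a dedicated key to that device as the man page shows.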

Source: https://serverfault.com/questions/700942