PPP over SSH

Posted in Linux Corner on March 12th, 2010 by Friedrich Schäuffelhut

Ever thought of tunneling PPP through SSH? It’s not that hard at all. I’ve been running it for years now.

We’ll start with the server side:

  1. Create a new user “pppvpn”.
  2. Set the password to “disabled”, since we use SSH keys to log in.
  3. Create a three line shell script:
    /home/pppvpn/bin/ppp-server:
    #!/bin/bash
    cd /home/pppvpn
    env -i /usr/bin/sudo /usr/sbin/pppd call vpn-server
    
  4. Make the script executable.
  5. Edit /etc/sudoers, e.g. by using the command “visudo”, and add
    pppvpn ALL= NOPASSWD: /usr/sbin/pppd call vpn-server
  6. Change the “pppvpn” user's login shell to “/home/pppvpn/bin/ppp-server”.
  7. Create the ppp peer definition
    /etc/ppp/peers/vpn-server:
    lcp-echo-interval 30
    lcp-echo-failure  3
    local
    #proxyarp
    auth
    debug
    name gateway
    :
    notty
    
  8. Create a password and assign an IP address to your client.
    /etc/ppp/pap-secrets:
    "client"    "PASSWORD"
    
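A hardening step worth adding on the server side (an added example, not part of the original post): rather than relying only on the wrapper being the pppvpn account's login shell, pin the client's key in that account's authorized_keys to a forced command with port, X11 and agent forwarding and pty allocation disabled. The wrapper path /home/pppvpn/bin/ppp-server is the one used in the post; the sample key below is constructed for illustration and is not a real key.

```shell
#!/bin/sh
# Added example (not from the original post): build a restricted
# authorized_keys entry for the "pppvpn" account so that the client's key can
# only run the ppp-server wrapper, with forwarding and pty allocation disabled.
# Assumption: the wrapper path is /home/pppvpn/bin/ppp-server, as in the post.

PPP_WRAPPER=/home/pppvpn/bin/ppp-server

# restricted_key_entry PUBKEY_LINE
# Prints one authorized_keys line that forces the wrapper as the command and
# turns off the SSH features a PPP-over-SSH link never needs. Returns 1 for
# anything that does not look like an OpenSSH public key line.
restricted_key_entry() {
    pubkey=$1
    case $pubkey in
        "ssh-ed25519 "*|"ssh-rsa "*|"ecdsa-sha2-nistp"[0-9]*" "*) ;;
        *) echo "restricted_key_entry: not an OpenSSH public key line" >&2; return 1 ;;
    esac
    printf 'command="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' \
        "$PPP_WRAPPER" "$pubkey"
}

# install_restricted_keys PUBKEY_FILE AUTHORIZED_KEYS
# Appends a restricted entry for every key in PUBKEY_FILE to AUTHORIZED_KEYS,
# creating it owner-only (umask 077) if it does not exist. Blank lines are
# skipped; a malformed line aborts the run so nothing half-written is trusted.
install_restricted_keys() {
    src=$1
    dest=$2
    umask 077
    while IFS= read -r line || [ -n "$line" ]; do
        [ -z "$line" ] && continue
        restricted_key_entry "$line" >> "$dest" || return 1
    done < "$src"
}

# Constructed sample key for offline demonstration; this is not a real key.
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialNotARealKey client@laptop'

# Usage on the server (uncomment; run as root or as the pppvpn user):
# install_restricted_keys /tmp/client.pub /home/pppvpn/.ssh/authorized_keys
```

The no-pty option is safe here because the server peer file uses notty and the client connects with ssh -T, so no terminal is ever needed. Note that sshd runs a forced command through the account's login shell; with the wrapper installed as that shell (step 6), the command= option is belt and braces, and it also lets you keep a normal shell for the account if you prefer to rely on the key restriction alone.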

Now let's set up the client:

  1. Exchange SSH keys with the server.
  2. Try to log in to your server with “ssh pppvpn@server”; you should see lots of braces…
  3. Make a password entry on the client side:
    /etc/ppp/pap-secrets:
    client * "PASSWORD"
  4. Create a peer definition to call the server
    /etc/ppp/peers/server:
    pty '/etc/ppp/peers/ssh-pty.sh pppvpn '
    ipcp-accept-local
    ipcp-accept-remote
    lcp-echo-interval 180
    lcp-echo-failure 3
    lcp-restart 60
    maxfail 10
    persist
    #demand
    #holdoff 60
    #idle    108000 # 30 min
    #updetach
    connect '/bin/true'
    linkname baloo
    ipparam baloo
    :
    #nolog
    debug
    user client
    
  5. Create a shell script which makes the connection; it takes the SSH user and the server host as its two arguments:
    /etc/ppp/ssh-pty.sh:
    #!/bin/bash
    user=$1
    server=$2
    # Only start the SSH session if the server answers pings; otherwise
    # fail after a short delay so pppd's persist/maxfail logic retries.
    if ping -c 2 "$server" > /dev/null
    then
      # -T: no pty, -e none: no escape character, -x: no X11 forwarding;
      # env -i keeps pppd's environment from leaking into the ssh process.
      # (Note: the blowfish cipher chosen here in 2010 was removed from
      # OpenSSH in 7.6; drop -c or pick a current cipher on newer hosts.)
      exec env -i /usr/bin/ssh -T -e none -x \
        -oForwardAgent=no \
        -oClearAllForwardings=yes \
        -c blowfish \
        "$user@$server"
    else
      sleep 5
      /bin/false
    fi
    
  6. Call the server
    pppd call server
