Linux Fu: VPN For Free With SSH

If you see a lot of banner ads on certain websites, you know that without a Virtual Private Network (VPN), hackers will quickly ravage your computer and burn down your house. Well, that seems to be what they imply. In reality, though, there are two main reasons you might want a VPN connection. You can pay for a service, of course, but if you have ssh access to a computer somewhere on the public Internet, you can set up your own VPN service for no additional cost.

The basic idea is that you connect to a remote computer on another network and it makes your network traffic look as if it originated on that network. The first case for this is security: reaching things you deliberately keep off the public Internet, and keeping your traffic private on networks you don’t control. For example, you might want to print to a network printer without exposing that printer to the public Internet. From the coffee shop you VPN to your home network and print just as if you were a meter away from the printer at your desk. Your traffic on the shop’s WiFi is also encrypted, at least as far as the VPN endpoint: the shop, and anyone else on its WiFi, sees only an SSH session to your server.

The second reason is to hide your location from snooping. For example, if you like watching BBC videos but you live in Ecuador, you might want to VPN to a network in the UK so the videos are not blocked. If your local authorities monitor and censor your Internet, you might also want your traffic to appear to come from somewhere else.

Using SSH for a VPN works for both cases, although if you are mostly interested in the first case you will probably be happier with a dedicated router or a small computer like a Raspberry Pi set up as a VPN endpoint. However, if the remote end is a server you lease somewhere, that option isn’t available to you, and an SSH server almost certainly already is.

Prerequisites

You really only need root access on both machines, an SSH server on the remote machine and an SSH client locally. There is some configuration required on both sides. I use KDE, so I used NetworkManager to set things up, although that isn’t necessary; it just makes things easier.

The server needs a few things set up, some of which may already be present. In /etc/ssh/sshd_config you want PermitTunnel yes (the default is no); that is the setting that lets the -w option create a tun device on the server. AllowTcpForwarding is about the port-forwarding kind of tunnel (-L, -R and -D); for a tun device it is PermitTunnel that matters. Beyond sshd, the server also has to forward and NAT packets that arrive over the tunnel, which means net.ipv4.ip_forward=1 and a masquerade rule on its Internet-facing interface in the firewall; without those the link comes up but reaches nothing beyond the server itself. The setup instructions for the NetworkManager plug-in will be useful even if you don’t want to use it.

Client Side

If you are using NetworkManager, you’ll need the plug-in. For Neon and other Debian-type distributions, you can find the network-manager-ssh package and that’s all you need. If you don’t want to use it, you can use this line from the plug-in author’s blog:


ssh -f -v -o Tunnel=point-to-point -o ServerAliveInterval=10 -o TCPKeepAlive=yes -w 100:100 root@YOUR_SSH_SERVER \
'/sbin/ifconfig tun100 172.16.40.1 netmask 255.255.255.252 pointopoint 172.16.40.2' && \
/sbin/ifconfig tun100 172.16.40.2 netmask 255.255.255.252 pointopoint 172.16.40.1

You will need to be root on both ends because each side creates a tun device. The remote command above also uses ifconfig, which on many current distributions means installing net-tools or rewriting it with ip. This leads to a few problems, even if you use the plug-in. Obviously, you aren’t going to want SSH stopping to ask for passwords or host key confirmation. You could live with that if you establish the VPN manually, but not when NetworkManager does it unattended.
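The one-liner above only creates the /30 point-to-point link; nothing yet forwards packets on the server or steers the client’s traffic into the tunnel. The script below is an added example, not code from the article or from the NetworkManager plug-in. It does the same tunnel setup with iproute2 instead of ifconfig and adds the server-side forwarding and NAT and the client-side routes that make “all your traffic” actually go that way. Its names are assumptions: root@YOUR_SSH_SERVER is the article’s placeholder, SERVER_IP and the server’s uplink eth0 are made up, and it assumes iptables on the server and PermitTunnel yes in its sshd_config.

```shell
#!/bin/sh
# sshvpn.sh: the article's tun-over-SSH link, extended so that it actually
# carries all of the client's IPv4 traffic. Added example, not the article's
# or the NetworkManager plug-in's code. Every name below is an assumption:
# root@YOUR_SSH_SERVER (the article's placeholder), its public address
# SERVER_IP, its uplink eth0, and iptables on the server.
set -eu

SERVER="${SERVER:-root@YOUR_SSH_SERVER}"    # ssh destination
SERVER_IP="${SERVER_IP:-203.0.113.10}"      # server's public IPv4 (TEST-NET-3 placeholder)
SERVER_WAN="${SERVER_WAN:-eth0}"            # server interface facing the Internet
TUN="${TUN:-100}"                           # tun device number, same on both ends
NET=172.16.40.0/30                          # the /30 the article uses
REMOTE_IP=172.16.40.1                       # server end of the link
LOCAL_IP=172.16.40.2                        # client end of the link

# Shell run on the server as root once the tunnel channel exists. Each
# iptables rule is checked with -C before -A so the script can be re-run.
server_setup() {
    cat <<EOF
ip addr replace $REMOTE_IP peer $LOCAL_IP dev tun$TUN
ip link set tun$TUN up
sysctl -qw net.ipv4.ip_forward=1
iptables -t nat -C POSTROUTING -s $NET -o $SERVER_WAN -j MASQUERADE 2>/dev/null || iptables -t nat -A POSTROUTING -s $NET -o $SERVER_WAN -j MASQUERADE
iptables -C FORWARD -i tun$TUN -j ACCEPT 2>/dev/null || iptables -A FORWARD -i tun$TUN -j ACCEPT
iptables -C FORWARD -o tun$TUN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 2>/dev/null || iptables -A FORWARD -o tun$TUN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
EOF
}

# Shell run on the client. Arguments: the current default gateway and the
# interface it sits on. The /32 to the server keeps the SSH session itself
# off the tunnel; the two /1 routes beat the existing default without
# deleting it, so 'down' only has to remove what 'up' added.
client_routes() {
    gw="$1"; dev="$2"
    cat <<EOF
ip addr replace $LOCAL_IP peer $REMOTE_IP dev tun$TUN
ip link set tun$TUN up
ip route replace $SERVER_IP/32 via $gw dev $dev
ip route replace 0.0.0.0/1 dev tun$TUN
ip route replace 128.0.0.0/1 dev tun$TUN
EOF
}

default_gw()  { ip -4 route show default | awk '{print $3; exit}'; }
default_dev() { ip -4 route show default | awk '{print $5; exit}'; }

up() {
    # Open the tunnel channel and background ssh. 'true' is the remote command;
    # the open tun channel keeps the session alive after it returns.
    ssh -f -o Tunnel=point-to-point -o ServerAliveInterval=10 -o ServerAliveCountMax=3 \
        -w "$TUN:$TUN" "$SERVER" true
    ip link show "tun$TUN" >/dev/null          # local device must exist by now
    server_setup | ssh "$SERVER" sh -s         # second session configures the far end
    client_routes "$(default_gw)" "$(default_dev)" | sh -s
    # Name resolution still goes wherever /etc/resolv.conf points. If that is
    # the coffee shop's router, those queries bypass the tunnel (the on-link
    # route is more specific than /1); point resolv.conf at a resolver that is
    # reached through the tunnel, e.g. one on the server's network.
}

down() {
    ip route del 0.0.0.0/1 dev "tun$TUN" 2>/dev/null || true
    ip route del 128.0.0.0/1 dev "tun$TUN" 2>/dev/null || true
    ip route del "$SERVER_IP/32" 2>/dev/null || true
    pkill -f "ssh .* -w $TUN:$TUN " || true    # closing the session removes tun$TUN
}

case "${1:-}" in
    up)   up ;;
    down) down ;;
    show) server_setup; echo "# --- client ---"; client_routes "$(default_gw)" "$(default_dev)" ;;
    *)    echo "usage: $0 up|down|show" >&2 ;;
esac
```

Run it as root: sshvpn.sh show prints what it would do on each side, sshvpn.sh up brings the link up and sshvpn.sh down removes the routes and drops the session. The ssh -f … true form comes from the ssh(1) manual’s VPN example; the session stays up because the tun channel is open, not because of the command, which is why a second, ordinary session is used to run the server-side setup.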

Problems

However, most modern systems don’t allow root login with a password, or sometimes at all, so you’ll need to change that first. In addition, when NetworkManager runs SSH it does so as root, so SSH looks for keys, known_hosts and configuration under /root, not in your user’s home directory. If it can’t find them, it just dies. So you’ll need to make sure root can log in with no intervention.

To allow root logins to the server, you need to edit /etc/ssh/sshd_config and change PermitRootLogin to yes. I suggest you do this only long enough to do the next few steps. You’ll need to restart the sshd server which means something like:

systemctl restart sshd

or

/etc/init.d/ssh restart

Then, logged in as your normal user on your local machine, use ssh-copy-id to install your public key in root’s authorized_keys on the host computer. (What ssh-copy-id installs is a public key, not a certificate, and it should be the key that root on the client will use, since that is who NetworkManager runs SSH as.) As soon as that works, go back and change /etc/ssh/sshd_config to use “PermitRootLogin prohibit-password” and restart sshd again. That way you can log in as root with a key, but not with a password. Since this key now gives unattended root on the server, it is worth restricting it in authorized_keys to opening the tunnel device and nothing else; the tunnel= and command= options described under AUTHORIZED_KEYS FILE FORMAT in sshd(8) exist for exactly this.

If you have logged in from your root account once, SSH will have asked you whether to accept the server’s host key and stored it in /root/.ssh/known_hosts. If that hasn’t happened, NetworkManager’s non-interactive ssh will fail at the prompt. If you can, log in as root once and answer yes so it quits asking. If you can’t, you can relax StrictHostKeyChecking. Prefer accept-new (OpenSSH 7.6 and later), which stores an unknown key but still refuses a changed one, over no, which also proceeds when the key has changed, which is exactly the case host key checking exists to catch.

In theory, you can pass extra ssh options to the NetworkManager plug-in, but for some reason that doesn’t work on the version from the repositories. If you are starting manually, of course, you can add what you want. However, it is also possible to set root’s SSH configuration in /root/.ssh/config or the global configuration at /etc/ssh/ssh_config.

If you do change the global configuration, consider using /etc/ssh/ssh_config.d if your system supports it (it works where /etc/ssh/ssh_config has an Include line for that directory, as Debian-derived systems do). That lets you put in snippets for a particular host that won’t get overwritten on system upgrades. For example, you might make a file in that directory named hackaday.conf:


Host *.hackaday.com hackaday.com
StrictHostKeyChecking no
Tunnel yes

Again, if you object to turning off host key checking, then just log in from your root account once and manually accept the remote key. Or, if you are brave, add the key to /root/.ssh/known_hosts yourself: ssh-keyscan will fetch it, but compare its fingerprint (ssh-keygen -lf) with what the server itself reports before you keep it, otherwise you have only automated accepting whatever was on the wire.
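What the steps above leave you with is a key that gives unattended root on the server and a client that will accept whatever host key it happens to see. The script below is an added example (not the article’s or the plug-in’s code) that pins both: on the server it installs the key with authorized_keys options that limit it to opening tun100 and running one fixed setup command, and on the client it seeds root’s known_hosts only after you have compared the fingerprint with the server’s own. The hostname vpn.example.net, the key path /root/.ssh/id_ed25519_vpn and the tun number are assumptions.

```shell
#!/bin/sh
# vpn-trust.sh: pin the unattended root login in both directions. Added
# example, not the article's or the plug-in's code. Assumed names:
# vpn.example.net, /root/.ssh/id_ed25519_vpn, tun device 100, the article's /30.
set -eu

SERVER="${SERVER:-vpn.example.net}"
KEY="${KEY:-/root/.ssh/id_ed25519_vpn}"
TUN="${TUN:-100}"

# authorized_keys line for the VPN key. tunnel= fixes the device number,
# command= replaces whatever the client asks to run with our own setup, and
# the no-* options take away the other conveniences of a root session.
# With this in place, PermitRootLogin prohibit-password admits this key for
# one purpose only.
restricted_key_line() {
    pubkey="$1"
    setup="/sbin/ip addr replace 172.16.40.1 peer 172.16.40.2 dev tun$TUN && /sbin/ip link set tun$TUN up"
    printf 'tunnel="%s",command="%s",no-pty,no-agent-forwarding,no-X11-forwarding %s\n' \
        "$TUN" "$setup" "$pubkey"
}

# Run while PermitRootLogin is temporarily 'yes', as the article describes.
# Appends the line only if that key material is not already present. The key
# comment is generated here, so the line contains no single quotes.
install_key() {
    [ -f "$KEY.pub" ] || ssh-keygen -t ed25519 -N '' -f "$KEY" -C "vpn@$(hostname)"
    keymat=$(cut -d' ' -f2 "$KEY.pub")
    line=$(restricted_key_line "$(cat "$KEY.pub")")
    ssh "root@$SERVER" sh -s <<EOF
umask 077
mkdir -p ~/.ssh
grep -qF '$keymat' ~/.ssh/authorized_keys 2>/dev/null || printf '%s\n' '$line' >> ~/.ssh/authorized_keys
EOF
}

# Fetch the host key as root (this is root's known_hosts that NetworkManager
# will consult), show its fingerprint, and keep it only after you have compared
# it with 'ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub' run on the
# server's console or over a channel you already trust.
seed_known_hosts() {
    tmp=$(mktemp)
    ssh-keyscan -t ed25519 "$SERVER" 2>/dev/null > "$tmp"
    [ -s "$tmp" ] || { echo "no ed25519 host key from $SERVER" >&2; rm -f "$tmp"; return 1; }
    echo "Fingerprint seen on the wire:"; ssh-keygen -lf "$tmp"
    printf 'Matches what the server console shows? [y/N] '; read -r ans
    case "$ans" in
        y|Y) umask 077; mkdir -p /root/.ssh; cat "$tmp" >> /root/.ssh/known_hosts; echo "pinned" ;;
        *)   echo "not pinned" ;;
    esac
    rm -f "$tmp"
}

case "${1:-}" in
    key)   install_key ;;
    hosts) seed_known_hosts ;;
    *)     echo "usage: $0 key|hosts" >&2 ;;
esac
```

vpn-trust.sh key runs from the client while PermitRootLogin is temporarily yes; vpn-trust.sh hosts runs as root on the client. Once the restricted line is installed, whatever remote command the client sends (the ifconfig line, the plug-in’s own command, or a shell) is ignored in favour of the forced one, so the server side of the tunnel is configured the same way regardless of what the client asks for.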

Prosper

That should do it. If you are using the NetworkManager plug in, just make a new connection. From there, pick the VPN connections section and select SSH.

You’ll have to put in a few parameters, including the key you want to use to log in to the remote machine.

Once you save the connection, you can activate it like you would any other network interface. If you want to see if it works, ask a website for your IP address. Then activate the VPN and do it again. Bear in mind that this only proves where your packets exit; if the machine still uses the coffee shop’s DNS resolver, name lookups never enter the tunnel, so check where those go as well. If you have trouble getting the VPN to connect, you can look in the system log (journalctl -u NetworkManager on a systemd system) to find out what errors SSH is throwing.

Of Course…

There are other VPN solutions, and for anything beyond occasional use they are worth the extra setup: a tun-over-SSH link carries IP inside a TCP stream, so TCP connections inside it stack their own retransmission and congestion control on top of SSH’s, which is the well-known TCP-over-TCP problem, and UDP-based VPNs such as WireGuard avoid it. However, since it is almost a sure bet that your remote computer already has an SSH server on it, this is very simple to set up with very little planning.

You can do a lot with SSH if you know the tricks. We especially like using it to mount remote files.

44 thoughts on “Linux Fu: VPN For Free With SSH”

  1. “sshuttle” is an alternative based on SSH that, whilst not being a full VPN in that it does not transfer UDP other than DNS, is far easier to set up.

    However, SSH is not bandwidth efficient, so I would go with WireGuard which is a full VPN and is easy to configure and very fast (faster than any other VPN out there as far as I know) and very secure!

    1. +1 for sshuttle, especially because you don’t need any root access on the remote machine, which makes it a lot more versatile and, as you said, super easy (just a one-liner) to get an ‘almost full’ VPN connection.

  2. One other issue is that TCP over TCP is a bad idea, as you then have two flow control instances, which can cause issues. Proper VPNs, running on UDP, avoid that, in that the behaviour of UDP is the same as Etherent.

    1. “the behaviour of UDP is the same as Etherent.” (sic)

      Oh man, you’re out at sea on this one. Perhaps learn the 7 layers of the OSI model? Ethernet is layer 1, UDP is layer 4. Their behaviour isn’t even comparable, let alone the same.

      1. You sir, get back in the sea!

        Clearly we are talking about the specific element of congestion control.

        UDP: you send a datagram out. Most of the time it gets to its destination. If it doesn’t, UDP doesn’t care.
        Ethernet: you send a frame out on the Ether. Most of the time it gets to its destination. If it doesn’t, Ethernet doesn’t care.
        TCP: you send data out in segments. Most of the time they get to their destination. If they don’t, TCP will retransmit the segments that failed to arrive (as well as reducing its congestion window, thus throttling the transmit rate – AKA congestion control).

        Hence UDP smells surprisingly similar to Ethernet in this context.

  3. Admittedly, this is a bit OT. The primary reason that I use a VPN is to work around routing problems in AT&T’s rural Northern California network. For example, npm is unusable due to timeouts unless I go through my VPN. I’m using PIA, but I really wouldn’t “trust” them (or any other VPN provider) if I was trying to hide or keep anything secure.

    1. Trust is a tricky thing to find in a service you pay for – why should they care beyond not making you unhappy enough to use somebody else so they won’t get more of your money, or getting caught cheating so you can throw lawyers at them and get heaps of money out of them…
      If you really need to trust it, better roll it yourself – with code you have personally audited or written all the way along… Which is nearly impossible.

  4. “If you see a lot of banner ads on certain websites…” I don’t see any ads. I use an ad blocker. The internet would be essentially useless to me without it. If a site demands that I turn it off or has self-hosted ads, I go elsewhere. I will not wear clothes with a logo. I absolutely reject the concept of the world running on advertisements. Figure out a different way to fund your site.

    1. So how much of your money do you spend supporting websites you use directly?
      Adverts done right are minor inconveniences in general and occasionally actually really damn useful – that advert for targeted products like that IC or FPGA dev board you didn’t know existed that actually fits a need you have, selected because it matches the audience of a website like this. Who are more than likely interested in knowing about the products anyway…

      Can’t say I am a fan of the ever more obnoxious placements and increasingly common advert-laden sites, but they have to be funded somehow, and many of them wouldn’t be able to attract enough sponsors. You take adverts off the web and almost all that will be left is websites that are basically adverts in their entirety – being company x’s website for its products..

        1. Adverts are a pain in the Nether regions…not only adverts but also the data collection. Luckily the EU has better data protection. It gets worse on “Black Friday” and “Cyber Monday” – one can really live without it all.

      1. Try moving to an internet 3rd world like Canada where you pay $1000 per GB of data in places, or find your data gets throttled to sub-dial up speeds. By the sounds of things dial-up is a foreign word to you but a reality for many people that don’t live in the immediate city limits. I’m not talking hours away, I’m talking city limits here. I can see fibre from my house but can’t get it, I can’t even get DSL if I paid $1M to the local phone monopoly to trench a line 1 km.

        I run a transparent proxy with DNS cache poisoning. Miraculously 25-30% of my network traffic is for useless “minor inconveniences” of data, javascript, tracking, video and image pop-up advertisements. I already pay an arm and a leg for my internet, I don’t want to pay for spam and scammer ads.

  5. This seems to be a lot of setup to essentially duplicate what WireGuard does for you. Also, WireGuard is built into the Linux kernel and SSH still requires a daemon. You are essentially taking a use case for setting up your own WireGuard VPN and shoehorning SSH tunneling to fit the bill. WireGuard is just another network interface, and as such is far less complicated than any other VPN solution. This is what earns it a spot within the Linux kernel-space.

    1. +1
      If it’s just for browsing, dynamic port forwarding is definitely the way to go.

      It’s also extremely useful if you need to manage multiple ssh hosts behind a jump-host (but depending on why the jump-host was set up (i.e. session monitoring for regulatory compliance) it might end up defeating the purpose)

    1. It doesn’t “see” that you’re using a VPN, it simply sees you coming from an IP address associated with a VPN provider. If a provider gets a new IP range, then for a while the BBC won’t know those IPs belong to a VPN so they wouldn’t put the ‘VPN detected’ message up. Then after some period of time the BBC I suppose notices unusual traffic patterns from a narrow range of IPs and flags this as a VPN provider.

      1. Perhaps you may be right, but this is what the BBC says:
        There are several reasons why BBC iPlayer thinks you’re outside the UK; the most common are either:

        Your IP address, which is the address websites use to determine where in the world you are, isn’t registered in the UK
        You’re using a VPN (Virtual Private Network), proxy, or similar service which masks your IP address

        I have used different Browsers, cleared cookies each time, use different cities to start the VPN.
        I keep wondering if somehow they are detecting VPN…Perhaps using browser data?

        1. No, as I said, they just have a list of IPs they know. I use a VPN to from foreign lands to a private broadband connection in the UK and it works fine. +1 user on an IP isn’t going to flag anything up, If they see maybe 50 users from a single IP then that starts bells ringing. CG-NAT would also give the same picture, but I would expect the Beeb are aware of domestic broadband providers using CG-NAT.

          1. OK, but I too am using a VPN (Private Internet Access, PIA) from a foreign country and still no go. It does not depend on which city I use. I have written to PIA also. What VPN provider are you using??

          2. You missed the bit where I said “private broadband connection”, not a commercial service. Your PIA is a commercial service, yes they have multiple cities, but the Beeb has already flagged their IPs. It’s a game of cat and mouse, and with a shortage of IPv4 addresses is going to be difficult to win. Does iPlayer work over IPv6? ;)

      2. Any idea how netflix and amazon detect vpn use? I sometimes get vpn/proxy warnings with these services (I use a speedify vpn to run channel bonding on dual 4g sim cards), but when I do I can kill the app on my nvidia shield, reopen it and it works fine. I’m not changing ip address

  6. Indeed, most adblockers seem to have some form of control. So I do try to set it such that it doesn’t block stuff on the websites I really ‘need’ – as I want them to get enough funding to stick around (though most of the websites I frequent are not advert heavy if they have adverts at all, the ones that do deserve to get something for the work they put in).

    While I won’t say you are wrong, it could work out to less obnoxious ads in the end, at the moment I would say the increasing prevalence of ad blockers has led to more adverts, more obnoxious adverts and more self-hosted adverts the ad blockers won’t catch. Which I really notice every time I use a computer that isn’t set up in my usual fashion.

  7. Hello all, I enjoyed reading this discussion. I have a user who uses Anydesk to control a remote computer, but needs to print to their local printer, as configured on their local PC. Anydesk/Teamviewer etc. do not offer this ability (why not?) Does anyone know of a similar solution, or more in context with this discussion, how could I use SSH tunnelling to accomplish this?

  8. ssh -D 8118 -f -C -q -N user@remote.server.org

    FireFox: Properties -> Network Settings

    select Manual proxy configuration

    leave everything above Socks Host blank

    Socks Host: 127.0.0.1 Port 8118

    Socksv5 Selected

    No Proxy for: 127.0.0.1,192.168.1.1/24 (the network would be adjusted to your local network)

    Selected: Proxy DNS when using SOCKS v5

    Enable DNS over HTTPS:Cloudflare (or your DNS provider of choice)

    you will now be able to browse through the ssh connection
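The dynamic-forward setup in the comment above, as an added example that is not the commenter’s script and not part of the article: it runs the same ssh -D through a ControlMaster socket so the proxy can be checked and stopped by name, binds the listener to loopback only, and checks for the DNS leak that “Proxy DNS when using SOCKS v5” is there to prevent. The remote host and port are the comment’s; curl on the client and the IP-echo URL are assumptions.

```shell
#!/bin/sh
# socks.sh: the commenter's 'ssh -D' proxy, managed through a control socket
# and checked for DNS leaks. Added example; not the commenter's script and not
# from the article. Assumptions: user@remote.server.org and port 8118 as in
# the comment, curl on the client, and an IP-echo URL you choose yourself.
set -eu

REMOTE="${REMOTE:-user@remote.server.org}"
PORT="${PORT:-8118}"
SOCK="${SOCK:-${HOME:-/tmp}/.ssh/socks-$PORT.ctl}"     # ControlMaster socket
IP_ECHO_URL="${IP_ECHO_URL:-https://ifconfig.co/ip}"   # assumption: any service that echoes the caller's IP

# Only accept an unprivileged, in-range TCP port for the local listener.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

up() {
    valid_port "$PORT" || { echo "bad port: $PORT" >&2; return 1; }
    # -M/-S make this the master so later invocations can query or stop it.
    # ExitOnForwardFailure stops ssh from sitting in the background with no
    # proxy because the port was already taken. Listen on loopback only.
    ssh -M -S "$SOCK" -f -N -C -q -o ExitOnForwardFailure=yes \
        -D "127.0.0.1:$PORT" "$REMOTE"
    ssh -S "$SOCK" -O check "$REMOTE"
}

# socks5h:// hands the hostname to the proxy, so the server resolves it (what
# Firefox's "Proxy DNS when using SOCKS v5" does). Plain socks5:// resolves the
# name locally first: the connection is tunnelled but the lookup is not.
leak_check() {
    direct=$(curl -s --max-time 10 "$IP_ECHO_URL")
    via_proxy=$(curl -s --max-time 10 --proxy "socks5h://127.0.0.1:$PORT" "$IP_ECHO_URL")
    echo "direct:  $direct"
    echo "proxied: $via_proxy"
    [ -n "$via_proxy" ] && [ "$direct" != "$via_proxy" ]
}

down() { ssh -S "$SOCK" -O exit "$REMOTE"; }

case "${1:-}" in
    up)    up ;;
    check) leak_check ;;
    down)  down ;;
    *)     echo "usage: $0 up|check|down" >&2 ;;
esac
```

socks.sh up, then socks.sh check, which succeeds only when the proxied request exits from a different address than the direct one; socks.sh down tears the session down through the same control socket. Any program pointed at the proxy should use the hostname-resolving form (socks5h in curl, the “Proxy DNS” box in Firefox), otherwise the local resolver still sees every name you visit.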

  9. Yeah.. +1 on just running a socks5 proxy tunnel. Not only does it tunnel browser DNS through to your remote exit node, but any application can be shared here over socks5 by tying the tunnel together with proxychains, allowing you to run different VPNs for different apps.

    I even wrote a little socks script you can put in your ~/bin/ dir and have a different cfg file for each socks tunnel:
    https://github.com/Tweeks-va/homedir-utils/blob/master/bin/socksit

    T.Weeks

  10. The fact that so many Americans seem to “need” a VPN service just shows how broken and backward the American infrastructure really is. And the insane distrust of the government they voted for themselves.

    I live in the Netherlands. I have 500Mbps speed down (not the fastest option, which is 1000MBps) and no data limits and no filtering on the specific services I use. We have a law to prevent providers from slowing down protocols they don’t like or compete on (net neutrality). Speed is usually as promised. I do a lot of large conference calls these days with large teams and it works fine. Linux ISOs are loaded in seconds.

    The only reason left for VPN is hiding my location from netflix or such. I don’t do this (I don’t feel the need) and it is also against netflix and other streaming service rules. I do understand people using them for that goal. And I think geographic barriers on the internet are stupid. But when a VPN company advertises this use, they are advising breaking service user terms, which is strange to do.

    I do like a secure connection but that is what SSL and TLS and such are for and they come free with the browser.

    So all in all, unless you live in a dictatorship, VPN services for most uses are totally useless in advanced first world countries. It’s all scaremongering.

    1. Hi Bart, for me VPNs are about cleanly jumping into remote networks, say in the instance that you want to web browse to devices inside your home from a remote location, and only want to open one port on your home firewall: just one of many examples of the usefulness of a VPN. The paid-for provider VPNs like Nord are primarily for users to appear to come from a different location origin, in which I can see your point, but that’s just one small example of VPNs’ purpose.

    2. I think most Americans with VPNs who know what they’re doing with them (i.e. not bought into the bullshit advertising) primarily use it to mask copyright-infringing torrent traffic to stay out of trouble.

  11. Consider using StrongSwan IPSec rather than clunky ssh VPNs. The project has recipes for most hosts. Wireguard, while nifty, has some serious limitations although it’s “cleaner” than IPSec or ssh VPNs. There are a number of ways of doing good Socks pipes, as described above, but beware simple solutions. At the end (pardon the pun), your exit node still has a static address, if you’re trying to spoof your location. You may need to understand how TOR works (and how to keep it safe) to really mask your location, although TOR exit nodes are now getting well known, too. Cat and mouse.

    And consider enhancing your IPtables detection with fail2ban.
