Mesh VPN based on ssh TUN support.
Unfortunately, this project did not yield the stability or portability I was looking for, so, for now, I have abandoned this work in favor of another VPN called tinc. If you are looking for a good mesh VPN, then I would suggest you check them out at:
Thanks for your interest,
- Greg
I created this because I was having issues with openvpn performance due to the centralized nature of openvpn. Also, openvpn was not always installed on every system I needed vpn access to.
This script depends on the ssh client and relatively minor configuration changes to sshd:
- PermitTunnel yes
The ssh2vpn script allows you to create a simple VPN using the SSH TUN support. The configuration file is designed so that it can be identical on each host in the mesh.
- the local hostname is used to activate the relevant parts of the config file.
- this avoids creating and managing a separate config file for each host.
- synchronization of the configuration is easier.
It operates in a mesh, so it performs fairly well (well enough to run NFS with my AWS EC2 machine).
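To illustrate the "one identical config file per mesh" idea, here is an added example (not ssh2vpn's own code or config syntax): a constructed link list where each line names a client host, a server host and a tun index, and the local hostname decides which links apply and in which role. The `ssh -w` invocation it builds is the standard OpenSSH tun forwarding form; the user name `vpn` and the config format are assumptions.

```python
#!/usr/bin/env python3
"""Pick this host's tunnels out of a mesh-wide config shared by every node."""
import socket

# Constructed sample (hypothetical format, not ssh2vpn's): one link per line,
# "client=HOST:TUNIP server=HOST:TUNIP tun=N". The same file sits on all hosts.
MESH_CONFIG = """\
client=alpha:10.9.0.1  server=beta:10.9.0.2   tun=0
client=alpha:10.9.0.5  server=gamma:10.9.0.6  tun=1
client=beta:10.9.0.9   server=gamma:10.9.0.10 tun=2
"""


def parse_links(text):
    """Return one dict per link: client, client_ip, server, server_ip, tun."""
    links = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # allow trailing comments
        if not line:
            continue
        fields = dict(item.split("=", 1) for item in line.split())
        c_host, c_ip = fields["client"].split(":")
        s_host, s_ip = fields["server"].split(":")
        links.append({"client": c_host, "client_ip": c_ip,
                      "server": s_host, "server_ip": s_ip,
                      "tun": int(fields["tun"])})
    return links


def local_actions(links, hostname):
    """Links this host takes part in, as (peer, role, local_ip, remote_ip, tun).

    Only the client side dials out; the server side just needs sshd's
    PermitTunnel and brings up its tun device when the session arrives.
    """
    acts = []
    for l in links:
        if l["client"] == hostname:
            acts.append((l["server"], "client", l["client_ip"], l["server_ip"], l["tun"]))
        elif l["server"] == hostname:
            acts.append((l["client"], "server", l["server_ip"], l["client_ip"], l["tun"]))
    return acts


def ssh_command(action, user="vpn"):
    """ssh invocation for a client-side link; None for server-side links."""
    peer, role, _local_ip, _remote_ip, tun = action
    if role != "client":
        return None
    # -N: no remote command; -w local:remote picks the tun index on both ends
    return f"ssh -N -o Tunnel=point-to-point -w {tun}:{tun} {user}@{peer}"


if __name__ == "__main__":
    for act in local_actions(parse_links(MESH_CONFIG), socket.gethostname()):
        print(act, ssh_command(act))
```

Running the same script on `alpha`, `beta` and `gamma` yields three different action lists from one unchanged file, which is what makes the config easy to synchronize.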
Without any command arguments, the status of connections will be displayed (for running or failed connections).
- Add an 'all' command which shows all possible connections and their state.
- Improve the output of status so it shows persistent connections which are awaiting re-connection.
Using the ssh2vpn start or persist commands, you can run the tunnel without systemd or another service wrapper.
- the difference between start and persist is that persist will continuously restart the tunnel if it fails, whereas start will run the tunnel only once.
For locally managed (non systemd) connections, this stops the connection (kills the ssh tun session).
If you do not want to store private keys or certificates on disk, but still want the ability to create persistent tunnels, you can create a dedicated ssh-agent that will be used only by ssh2vpn. In this way, you can load the keys into that agent (and provide the passphrases interactively), then start a persistent tunnel.
Load private keys (and certificates) into the ssh-agent. If the private keys are protected by a passphrase, then you will be prompted to provide it.
- this ssh-agent is separate from your personal ssh-agent, and is only used by ssh2vpn.
If you prefer to use a certificate authority, you can generate certificates that can only be used for ssh2vpn access (and not general login access). The generated certificates restrict clients to their configured subnet.
Try and create a template wrapper that will work for multiple tunnels.
- Documentation of config
- Certificate creation
- Documentation of agent use and authorized_keys.