[NCLUG] Speaking of SSH and Tunnels...

Gabriel L. Somlo gsomlo at gmail.com
Wed Oct 11 12:46:50 MDT 2017


Hi NCLUG,

> Bob Proulx talked about the 'sshuttle' self described as "where
> transparent proxy meets VPN meets ssh".  This is a combined arms
> tactic strategy to proxy TCP connections such as http or other through
> an ssh tunnel very efficiently.  It does not require root on the
> remote server that is used to proxy through.  Just ssh shell access.
> 
>   http://sshuttle.readthedocs.io/en/stable/manpage.html
>   https://github.com/apenwarr/sshuttle

Speaking of ssh and tunneling, I've been using vtun on Fedora to
implement a sort of "distributed Ethernet switch over IP" for a
project, a kind of "layer-2 VPN", if you will.

I'm trying to replace it with ssh, since that's likely to be better
supported in the future.

So, on the server side, let's assume the physical interface (eth0) is
now enslaved to a virtual bridge (br0):

	ip link add br0 type bridge
	ip link set br0 up
	ip link set eth0 master br0
	ip addr flush eth0
	dhclient br0

and that in /etc/ssh/sshd_config we specified:

	PermitRootLogin yes
	PermitTunnel yes

Now, on the client, we can do something like this:

	ssh -f -o Tunnel=ethernet -w any:any <server_ip> true

which will create a pair of tap devices on both client and server.

Most of the online guides on how to do this use hard-coded device
numbers, e.g. "-w 5:5" which creates 'tap5' interfaces on both client
and server, then manually proceed to enslave the hardcoded tap5 to the
bridge on the server side:

	ip link set tap5 up
	ip link set tap5 master br0

The problem with this is lack of scalability. I may have several
clients, and I don't want to manually pick a different tapX number
for each one!

So I'm trying to figure out how I could tell what tap device names
were allocated on the server (preferably also on the client) when
"-w any:any" is used on the client side, then automatically enslave
whatever that interface name was to br0 without user (well, admin)
intervention.

Using "-vvv" with ssh will get me LOTS of debug info, but nothing
about which interface names were picked. Also, there's no environment
variable on the server side that would indicate what device name was
created (so instead of 'true' I could actually run
'ip link set $TAP ...' over the very same ssh connection :)

Alternatively, if anyone knows how to get NetworkManager or udev or
any other (Fedora-specific, preferably) network management daemon to
automatically detect when a tap device is created and run an unattended
configuration script on it, that'd be great!

Thanks much for any ideas and suggestions!

--Gabriel
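The udev route asked about above, as an added example that is not part of this post: a hook that enslaves any newly created tapN interface to the bridge, so "-w any:any" needs no hand-picked device number. The bridge name br0, the script path /usr/local/sbin/tap-to-bridge and the rule file name are assumptions; udev supplies INTERFACE and ACTION in the hook's environment.

```shell
#!/bin/sh
# Added example (not from the original post): udev hook that attaches a
# freshly created tapN interface to a bridge. Assumed names: bridge br0,
# hook path /usr/local/sbin/tap-to-bridge, rule file
# /etc/udev/rules.d/90-tap-bridge.rules.
#
# Rule to install (one line) in /etc/udev/rules.d/90-tap-bridge.rules:
#   SUBSYSTEM=="net", ACTION=="add", KERNEL=="tap*", RUN+="/usr/local/sbin/tap-to-bridge"
# udev runs the hook with INTERFACE and ACTION set in the environment.

BRIDGE="${BRIDGE:-br0}"

# Accept only kernel-style tap names (tap0 .. tap999). udev is trusted, but
# the name is interpolated into a command line, so a strict check is cheap.
valid_tap_name() {
    case "$1" in
        tap[0-9]|tap[0-9][0-9]|tap[0-9][0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the commands that attach interface "$1" to bridge "$2", one per
# line. Keeping "decide" apart from "execute" makes this testable as non-root.
tap_enslave_cmds() {
    valid_tap_name "$1" || { echo "refusing interface name: $1" >&2; return 1; }
    printf 'ip link set %s up\n' "$1"
    printf 'ip link set %s master %s\n' "$1" "$2"
}

# Entry point used by udev: act only on "add" events; ignore "remove" etc.
# With DRY_RUN set, the commands are printed instead of executed.
tap_to_bridge() {
    [ "${ACTION:-}" = "add" ] || return 0
    tap_enslave_cmds "${INTERFACE:-}" "$BRIDGE" | while IFS= read -r cmd; do
        if [ -n "${DRY_RUN:-}" ]; then
            echo "$cmd"
        else
            $cmd
        fi
    done
}

# When invoked by udev, ACTION is set and the hook does its work; when the
# file is merely sourced or run by hand, this call is a no-op.
tap_to_bridge
```

The same hook on the client side attaches its end of the tap pair to a local bridge, which is where the "preferably also on the client" part of the question ends up being answered by udev rather than by ssh.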