User-Space VPN and SSH tunnels

6 05 2005

I tried setting up a VPN for the first time, just because the DSL line is sometimes unbearably slow with some sites, while the connection from work, using the DFN backbone, has no problems at all. The connection from the DSL line to the DFN is usually very fast, too, so the idea to relay the connections came naturally.

Because I’m not root on the system at work I created my own RPM tree. This is pretty easy: just cd; mkdir rpm; cp -R /var/lib/rpm ~/rpm, and after that one can install RPMs into one’s own local tree with rpm --relocate /=~/rpm --dbpath ~/rpm/rpm <whatever>

The first candidate I picked up to set up a VPN in userspace was OpenVPN. The machine at work is (luckily?) a standard SuSE Linux system, so it wasn’t too hard to get RPMs for that. But I resented the idea of installing OpenVPN after I saw all the dependencies that would still have to be satisfied to install it.
The next candidate on the list was CIPE – which is known to be insecure, but that isn’t an issue here; any VPN software is good as long as it features a Windows client. The installation of CIPE in my own local RPM tree was successful, but running the daemon requires root privileges, so I resented that one, too.
After this I had a look at httptunnel, which has Windows clients as well. Installation of the RPMs succeeded, starting the software succeeded, too, but there was a big drawback: only one single connection can be tunneled between client and server, and it has to be set up explicitly. This is just the same as tunneling over SSL, which I wanted to eliminate, or rather automate. Still no success.

Now I reconsidered using something like tinyproxy and just focusing on tunneling HTTP connections. But wait – a SOCKS proxy might be an option too! The developer of CIPE had created something called usocksd, user SOCKS daemon, which I wanted to try out first. There wasn’t an RPM available for it, but installing it didn’t require more than the usual unpacking of the tar archive followed by a configure; make, where you just have to ignore the compilation errors. I tried running the daemon, and finally – it worked! Great, on to the client side, then.

mIRC worked right away after configuring it to use the tunneled SOCKS proxy, but Firefox had some issues – where should I input the SOCKS username and password to properly configure it? Does it have to be in the format user:pass@host or what? So, another try: I downloaded SocksCap32, which can use the SOCKS server transparently in the background for any program that builds on WinSock. Installed it, configured it, used it with MSIE – works! Used it with Firefox – doesn’t work!

Then I somehow stumbled over Bitvise Tunnelier. This is an SSH/SFTP/RDesktop client with a built-in SOCKS server, which is free for individual use. The built-in local SOCKS server can automatically tunnel anything over the SSH connection, an ingenious feature. There was just one problem: I couldn’t connect to the SSH server because it required keyboard-interactive as the authentication method, and unlike PuTTY and WinSCP, Tunnelier doesn’t support that yet. But the other authentication method that is accepted by the server, publickey, seems to be supported by it. I just had to generate a key with the built-in tool from Tunnelier, export the key in OpenSSH format, and put it on the server as .ssh/authorized_keys.
Now I’m all set. Great software!
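The same setup done with plain OpenSSH, as an added example that is not part of the original post: a key-only login, an authorized_keys entry that permits nothing but port forwarding, and ssh -D as the local SOCKS server (the user, host, key path and address pattern are assumed placeholders). It also shows how to read which methods a server offers when a login is refused, which is how the keyboard-interactive vs. publickey difference above shows up.

```shell
#!/bin/sh
# Added example (not from the post). Requires OpenSSH >= 7.2 on the server for "restrict".

# Build an authorized_keys line from a public key ("type base64 comment") that
# allows only port forwarding from the given client address pattern: no shell,
# no pty, no agent or X11 forwarding. Rejects key types other than the listed ones.
restricted_authorized_key() {
    from_pattern=$2
    set -- $1                       # word-split "type base64 comment" (intended)
    case $1 in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) return 1 ;;
    esac
    printf 'from="%s",restrict,port-forwarding %s %s\n' "$from_pattern" "$1" "$2"
}

# The client command equivalent to Tunnelier's built-in SOCKS server:
# -N  no remote command, -D  local SOCKS4/5 listener on loopback only,
# publickey forced so a server that only offers keyboard-interactive fails fast.
# ssh -D speaks SOCKS without username/password, so Firefox needs none.
socks_tunnel_cmd() {
    user=$1; host=$2; keyfile=$3; port=$4
    printf 'ssh -N -o IdentitiesOnly=yes -o PreferredAuthentications=publickey -i %s -D 127.0.0.1:%s %s@%s\n' \
        "$keyfile" "$port" "$user" "$host"
}

# Extract the method list from the line ssh prints when every method fails,
# e.g. "user@host: Permission denied (publickey,keyboard-interactive)."
auth_methods_offered() {
    printf '%s\n' "$1" | sed -n 's/.*Permission denied (\([^)]*\)).*/\1/p'
}

if [ "${1:-}" = "--demo" ]; then
    # Constructed sample key; a real one comes from: ssh-keygen -t ed25519 -f ~/.ssh/work_tunnel
    sample='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyBytes000000000000000000000000 me@home'
    restricted_authorized_key "$sample" '192.0.2.*'        # line to append to ~/.ssh/authorized_keys on the server
    socks_tunnel_cmd me work.example.org ~/.ssh/work_tunnel 1080
    auth_methods_offered 'me@work.example.org: Permission denied (publickey,keyboard-interactive).'
fi
```

Run with --demo to print the three results; point Firefox at SOCKS host 127.0.0.1, port 1080 (SOCKS v5, no credentials).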
