Date:      Thu, 16 Feb 2006 13:48:32 +0100 (CET)
From:      Oliver Fromme <olli@lurza.secnetix.de>
To:        freebsd-mobile@FreeBSD.ORG, hartzell@alerce.com
Subject:   Re: ssh-based vpn and routing question.
Message-ID:  <200602161248.k1GCmWLk072714@lurza.secnetix.de>
In-Reply-To: <17393.214.512151.13869@satchel.alerce.com>

George Hartzell <hartzell@alerce.com> wrote:
 > I'm trying to set up an ssh-based vpn between a 6.0-STABLE laptop and
 > a remote server (I've tried it to both 6.0-STABLE and 5.3-STABLE).
 > 
 > I can bring up a ppp link via an ssh tunnel and each side can ping the
 > address of the other side of the tunnel.

You could try to use the new OpenSSH 4.3p1 that was
released two weeks ago.  It supports tunneling IP or
even ethernet through the ssh connection natively,
using tun(4) or tap(4) interfaces, respectively,
so you don't need ppp at all.

However, note that tunneling TCP connections over ssh
(which in turn is a TCP connection itself) doesn't
work very well, especially on connections with long
delays or packet loss, because the retransmit algorithms
of the nested TCP connections interfere badly with each
other.  Here's a fairly good explanation:

http://sites.inka.de/sites/bigred/devel/tcp-tcp.html

A much better solution is to use OpenVPN.  Basically
it does the same thing, i.e. tunneling IP or ethernet
using tun(4) or tap(4), but it uses UDP as the underlying
protocol by default, so it doesn't suffer that
badly from the above problem.  However, it requires
that those UDP packets are allowed to go through your
firewall.

If tcp/22 is your only choice, then go for OpenSSH 4.3.

(YMMV, of course.)

Best regards
   Oliver

-- 
Oliver Fromme,  secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Dienstleistungen mit Schwerpunkt FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

With Perl you can manipulate text, interact with programs, talk over
networks, drive Web pages, perform arbitrary precision arithmetic,
and write programs that look like Snoopy swearing.
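The OpenSSH 4.3 tun(4) tunnel Oliver recommends in place of ppp, as an added example that is not part of the original message or of OpenSSH's documentation. It covers the two things that usually bite on first use: sshd's PermitTunnel defaults to "no" (and sshd honours the first occurrence of a keyword, not the last), and tun(4) is a root-only device on both ends. The host name vpn.example.net, the tun unit numbers, the 10.0.0.0/30 point-to-point addresses and the 192.168.100.0/24 remote prefix are assumptions; DRY_RUN=1 prints the steps instead of executing them.

```shell
#!/bin/sh
# Added example: OpenSSH -w layer-3 tunnel on FreeBSD, no ppp.
# Server side needs, in /etc/ssh/sshd_config:
#     PermitTunnel point-to-point     # or "yes"; the compiled-in default is "no"
# plus a root login, because tun(4) can only be opened by root on either end.

# Returns 0 if the sshd_config at $1 permits layer-3 (tun) tunnels.
# sshd uses the FIRST occurrence of a keyword, so the first uncommented
# PermitTunnel line wins; with no line at all the default "no" applies.
permit_tunnel_ok() {
    val=$(awk 'tolower($1) == "permittunnel" { print tolower($2); exit }' "$1")
    case "${val:-no}" in
        yes|point-to-point) return 0 ;;
        *)                  return 1 ;;
    esac
}

# Print instead of executing when DRY_RUN is set, so the steps can be reviewed.
run() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Bring up local tun$2 <-> remote tun$3 over a single TCP/22 session, then
# address both ends as a /30 and route the remote LAN (assumed prefix) through it.
# Usage: up_tunnel remote_host local_tun remote_tun local_ip remote_ip
up_tunnel() {
    host=$1 ltun=$2 rtun=$3 lip=$4 rip=$5
    # -w opens tun$ltun here and asks sshd for tun$rtun; Tunnel=point-to-point
    # selects layer 3 (tap/ethernet would be Tunnel=ethernet). -f backgrounds
    # ssh once 'true' has run; the tunnel channel keeps the session alive.
    run ssh -f -o Tunnel=point-to-point -w "$ltun:$rtun" "root@$host" true
    run ifconfig "tun$ltun" "$lip" "$rip" netmask 255.255.255.252
    # The far end is configured through an ordinary second ssh command.
    run ssh "root@$host" ifconfig "tun$rtun" "$rip" "$lip" netmask 255.255.255.252
    run route add -net 192.168.100.0/24 "$rip"
}

# Stand-alone use: sh this-script.sh vpn.example.net   (DRY_RUN=1 to only print)
if [ $# -ge 1 ]; then
    up_tunnel "$1" 0 0 10.0.0.1 10.0.0.2
fi
```

Run permit_tunnel_ok against the server's sshd_config before dialing in; if it fails, ssh reports "Tunnel device open failed" on the client and the rest of the steps are pointless. Everything inside the tunnel is still TCP-over-TCP, so the caveat in the message about retransmit interaction applies unchanged.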


