
Don't get SSH VPN Tunneling to work

SOLVED
Ralph Grothe
Honored Contributor

Don't get SSH VPN Tunneling to work

Hi,

as of OpenSSH's 4.3 release the relatively new SSH feature of VPN tunneling should work.

So I downloaded and installed HP's latest Secure Shell (OpenSSH port) for B.11.11 and configured PermitRootLogin as well as PermitTunnel point-to-point for the SSH server on the HP-UX box which should function as the VPN gateway.

However, when I initiate (so far only manually, when things do work this should be done scripted by RSA authentication) a VPN ssh connection from a Linux SSH client (OpenSSH 4.3) I cannot discover the tun devices, neither on SSH server (HP-UX) nor SSH client (Linux).

Maybe I have missed something?
Has anyone tried the VPN feature with HP's Secure Shell who could give me a hint?

Here's the server side on the HP-UX box:

# uname -srv
HP-UX B.11.11 U

# swlist|grep -i secure\ shell
T1471AA A.05.10.045 HP-UX Secure Shell

# /usr/sbin/sshd -v 2>&1|head -3
sshd: illegal option -- v
OpenSSH_5.1p1+sftpfilecontrol-v1.2-hpn13v5, OpenSSL 0.9.8j 07 Jan 2009
HP-UX Secure Shell-A.05.10.045, HP-UX Secure Shell version

# /usr/sbin/sshd -T|grep -e permitroot -e permittunnel
permitrootlogin yes
permittunnel point-to-point


IP forwarding on the SSH server should also be enabled.

# ndd -h ip_forwarding

ip_forwarding:

Controls how IP hosts forward packets: Set to 0 to inhibit
forwarding; set to 1 to always forward; set to 2 to forward
only if the number of logical interfaces on the system is 2
or more. [0,2] Default: 2


# ndd -get /dev/ip ip_forwarding
2



From the Linux SSH client I issued the following:

# uname -sriv
Linux 2.6.18-8.el5 #1 SMP Fri Jan 26 14:15:21 EST 2007 i386

# rpm -q openssh
openssh-4.3p2-16.el5

# ssh -S /var/run/my_%h_tun.sock -fMN -w 0:0 newa
root@newa's password:

# ssh -S /var/run/my_newa_tun.sock -O check newa
Master running (pid=16268)

# ps -fp 16268
UID PID PPID C STIME TTY TIME CMD
root 16268 1 0 09:55 ? 00:00:00 ssh -S /var/run/my_%h_tun.sock -fMN -w 0:0 newa


Now, according to the documentation I read, there should be tun devices visible and configurable as endpoints for the VPN tunnel on both SSH client and server.

But these don't appear, so I cannot continue to set up the tunnel.

What went wrong?

No tun device on the Linux SSH client:

# ifconfig -a|grep -c tun
0


None either on the HP-UX SSH server:

# ifconfig tun0
ifconfig: no such interface

# netstat -in|grep -c tun
0

Madness, thy name is system administration
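
Added example (not part of the original post, and not HP or OpenSSH code): the `sshd -T` check in the post above shows PermitTunnel enabled together with `permitrootlogin yes`, while a later reply keeps tunnels off for security. This shell function reads `sshd -T` output on stdin and grades that combination; the function name, severity labels and exit codes are this example's own choices.

```shell
#!/bin/sh
# audit_tunnel: grade the tunnel-related settings in `sshd -T` output (stdin).
# Typical use on the server:  sshd -T | audit_tunnel
# Labels and exit codes are conventions of this example:
#   OK/LOW -> 0, REVIEW -> 1, HIGH -> 2
audit_tunnel() {
    awk '
        # sshd -T prints one lowercase "keyword value" pair per line.
        $1 == "permittunnel"    { tunnel = $2 }
        $1 == "permitrootlogin" { root = $2 }
        END {
            if (tunnel == "") tunnel = "no"      # PermitTunnel defaults to no
            if (root == "")   root = "unknown"
            if (tunnel == "no") {
                print "OK tunnel=no"
                exit 0
            }
            # yes, point-to-point and ethernet all allow tun(4) forwarding.
            if (root == "yes") {
                # Root may log in with a password while tunnels are allowed.
                print "HIGH tunnel=" tunnel " root=yes"
                exit 2
            }
            if (root == "forced-commands-only") {
                # The pairing ssh(1) describes for SSH-based VPNs: root keys
                # restricted by command= / tunnel= in authorized_keys.
                print "LOW tunnel=" tunnel " root=forced-commands-only"
                exit 0
            }
            print "REVIEW tunnel=" tunnel " root=" root
            exit 1
        }'
}

# Constructed sample mirroring the two settings shown in the post above.
printf 'permitrootlogin yes\npermittunnel point-to-point\n' | audit_tunnel || true
```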
7 REPLIES
paolo barila
Valued Contributor

Re: Don't get SSH VPN Tunneling to work

similar problem here


OpenSSH_5.3p1, OpenSSL 0.9.8k 25 Mar 2009

# uname -a
HP-UX epstvm01 B.11.23 U ia64

# ssh -w5:5 0

Tunnel interfaces are not supported on this platform

!!!

mvpel
Trusted Contributor

Re: Don't get SSH VPN Tunneling to work

You guys are using the OpenSSH build, rather than the HP-UX Secure Shell build.

Try uninstalling OpenSSH and installing the T1471AA package - I'm using version A.05.20.013, and A.05.30 is available now.

https://h20392.www2.hp.com/portal/swdepot/displayInstallInfo.do?productNumber=T1471AA

My ssh command doesn't complain about the -w option, though I have Tunnels turned off in the config for security so I can't say for sure if it would actually work if it were enabled.

It may be that whoever built the OpenSSH you're using didn't link it with or enable the tun() pieces.
paolo barila
Valued Contributor

Re: Don't get SSH VPN Tunneling to work

I tried also with

OpenSSH_5.3p1+sftpfilecontrol-v1.3-hpn13v5, OpenSSL 0.9.8l 5 Nov 2009
HP-UX Secure Shell-A.05.30.008, HP-UX Secure Shell version

but same answer:

# ssh -w5:5 0
Tunnel interfaces are not supported on this platform
Tunnel device open failed.



Laurent Menase
Honored Contributor
Solution

Re: Don't get SSH VPN Tunneling to work

Forget it.
The tun driver on HP-UX is restricted to PPP use only,
so ssh will not be able to use tun to open a VPN.
The only VPNs available on HP-UX are with IPsec.
mvpel
Trusted Contributor

Re: Don't get SSH VPN Tunneling to work

Never mind - I misread the post.
paolo barila
Valued Contributor

Re: Don't get SSH VPN Tunneling to work

Thank you very much, Laurent.
I can't assign you points because it is not my question, so I'll open one about VPN.

Pablo
Dennis Handly
Acclaimed Contributor

Re: Don't get SSH VPN Tunneling to work