ssh tip of the day

Dec 12, 2008 14:02

And my ssh tip of the day would be that combined with the use of libtsocks (LD_PRELOAD=/usr/lib/libtsocks.so), ssh -D works wonders as a VPN without having to worry about stupid flaky Crisco VPN clients that run in the kernel for no apparent reason whatsoever.

I use debian's libtsocks, with the patch that I've been trying to get included in bug#471112 (sigh, some DDs annoy me, when they only ever see one purpose to their code and fail to be able to generalise the application no matter how little work is involved) so that I can make specific networks use the ssh tunnel, but the rest of the network defaults to using the native libc sockets implementation. Then I run

ssh -n -T -o PasswordAuthentication=no -N -D 1081 -C user@host

(you probably want to put a wrapper around that to restart it when the ssh connection dies).

and in .tsocks.conf:

# all networks are "local" in tsocks' sense, by default, meaning it gets passed up to the native libc sockets implementation
local = 0.0.0.0/255.255.255.255
# and each ssh gateway needs to be "local" as well, so ssh -D can get to it in the first place.
local = 136.186.12.14/255.255.255.255
# and then define whichever networks go to whichever ssh -D ports:
path {
reaches = 136.186.0.0/255.255.0.0
server = 127.0.0.1
server_type = 5
server_port = 1081
}

And then, once you can natively ssh to a host in each network you have defined, you never have to put up with Crisco kernel modules ever again (yay!).

If you run 32 bit apps in your 64 bit kernel, you may come across the annoyance that there is no LD_PRELOAD32 and LD_PRELOAD64 in lunix land. You'll simply have to tweak LD_PRELOAD to point at the 32 bit version of libtsocks you have also compiled and installed in a special place, as part of the shell wrapper you write to run these 32 bit apps, if you care for them to access such networks.
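The restart wrapper mentioned above and the 32-bit LD_PRELOAD tweak, as one added example script that is not from the original post: it loops ssh -D with the same flags as above, reads the ELF class byte of a program to pick the matching libtsocks build, and launches the program with that library preloaded. The library paths, the SOCKS port and the command names are assumptions for this example.

```sh
#!/bin/sh
# Added example (not from the original post): keeps the ssh -D tunnel alive
# and launches programs under the 32- or 64-bit libtsocks that matches them.
# Library paths and port below are assumptions for this example.
TSOCKS64=/usr/lib/libtsocks.so            # Debian's 64 bit build
TSOCKS32=/usr/local/lib32/libtsocks.so    # 32 bit build installed by hand
SOCKS_PORT=1081

# Print 32 or 64 from the ELF EI_CLASS byte (offset 4) of a binary,
# or nothing if the file does not start with the ELF magic.
elf_class() {
    magic=$(od -An -tx1 -N5 "$1" | tr -d ' \n')
    case "$magic" in
        7f454c4601) echo 32 ;;
        7f454c4602) echo 64 ;;
        *)          echo "" ;;
    esac
}

# Print the libtsocks path matching the word size of the program at $1.
tsocks_for() {
    case "$(elf_class "$1")" in
        32) echo "$TSOCKS32" ;;
        64) echo "$TSOCKS64" ;;
        *)  return 1 ;;
    esac
}

# Restart the SOCKS tunnel whenever ssh exits; sleep between attempts so a
# dead gateway does not turn into a tight loop of connection attempts.
keep_tunnel() {
    while :; do
        ssh -n -T -o PasswordAuthentication=no -N -D "$SOCKS_PORT" -C "$1"
        sleep 5
    done
}

# Run a program with the right libtsocks preloaded, e.g. `run_app firefox`.
# Shell-script launchers are not ELF objects, so they are refused here.
run_app() {
    bin=$(command -v "$1") || { echo "no such program: $1" >&2; return 1; }
    lib=$(tsocks_for "$bin") || { echo "not an ELF binary: $bin" >&2; return 1; }
    shift
    LD_PRELOAD="$lib" exec "$bin" "$@"
}

case "${1:-}" in
    tunnel) keep_tunnel "$2" ;;
    run)    shift; run_app "$@" ;;
esac
```

Invoke it as `wrapper tunnel user@host` (under the same wrapper loop you already use) and `wrapper run some-32bit-app` from the shell that needs the tunnel.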

Over the top of this ssh -D socks tunnel, I also run sshfs:

# allowothers="-o allow_other"
sshfs -o workaround=rename -o transform_symlinks -o idmap=user -o cache_timeout=300 -o cache_stat_timeout=10 -o cache_dir_timeout=10 -o kernel_cache -o cache_link_timeout=10 -o ssh_command=$HOME/bin/agent-ssh -o no_readahead -o reconnect $allowothers -C ${userhost}:/ $HOME/mnt/$userhost && echo "got $userhost"

If the network or the tunnel goes down, sshfs -o reconnect will reconnect at the first available opportunity. Meanwhile, if that link is never going to come back up, just kill the sshfs and corresponding ssh process (fusermount -u might time out). This is the way I implement "nfs" over "vpn" over unprivileged accounts. Just make sure you don't have the backup solution at work back up your computers at home because you accidentally supply -o allow_other on the wrong host.
