VPN Tunnel using ssh+pppd

Premise

The idea of these scripts is to maintain a simple PPP tunnel through an SSH connection. The initiator script makes the PPP connection, and the remote script checks to see if the connection is established, and if so, sets up routes to allow access to my private subnets at home.

Notes

  • I have the initiator side log into the remote side via an SSH key, so the whole process can be automated via cron. I currently have the scripts on the initiator and remote sides cronned to run once a minute.
  • I set the scripts to force the interface name using the “unit $DEVNUM” parameters for pppd. This makes the routing and firewalling much easier since I don’t have to try to determine the interface name on either side.
  • Throughput isn’t that great in my setup, but that could be because my router box at home is pretty slow. Performance might be improved with faster hardware.


Initiator Side

#!/bin/bash
DEVNUM=10                        # pppd "unit" number: the interface is always ppp10 on both ends
SSHHOST="xxx.xxx.xxx.xxx"        # public IP the SSH session connects to
LOCALIP="192.168.3.200"          # this end of the PPP tunnel
REMOTEIP="192.168.3.1"           # far end of the PPP tunnel
REMOTESUBNET="192.168.3.0/24"    # private subnet reached through the tunnel

# The kernel creates this directory for every network interface, so its
# presence means ppp$DEVNUM exists and the tunnel is considered up.
if [ -e "/proc/sys/net/ipv4/neigh/ppp$DEVNUM" ]; then
    echo "ppp$DEVNUM interface is up."
else
    echo "ppp$DEVNUM is not up! Attempting to connect"
    # The local pppd uses the SSH session as its pty; the remote pppd is started over that session.
    /usr/sbin/pppd unit $DEVNUM updetach noauth passive pty "ssh root@$SSHHOST /usr/sbin/pppd unit $DEVNUM nodetach proxyarp notty noauth" $LOCALIP:$REMOTEIP
    sleep 5

    echo "Adding Routes..."
    # Drop the host route(s) pppd installed for the peer, then route the whole subnet over the tunnel
    /sbin/route del $REMOTEIP
    /sbin/route del $REMOTEIP
    /sbin/route add -net $REMOTESUBNET dev ppp$DEVNUM

    echo "Configuring Firewall"
    /root/firewall/firewall-colotunnel

    echo "Applying traffic shaping rules"
    /root/bin/trafficshaper
fi

Notes

  • The SSHHOST variable is an external public IP, and is the IP SSH connects to when making the tunnel. The LOCALIP and REMOTEIP variables are the endpoints of the PPP tunnel, and are in the same private subnet, which is defined by the REMOTESUBNET variable.
  • The script calls my traffic shaper script at the end, after the connection is up and firewall rules are set. The traffic shaper has special rules to ensure that the SSH traffic to SSHHOST is given higher priority to make sure latency inside the tunnel is kept as low as possible.

Remote Side

This script is run to bring up routes to my private network at home if the PPP tunnel exists. 192.168.0.0/24, 192.168.1.0/24, and 192.168.2.0/24 are all private subnets I’ve got set up at home.

#!/bin/bash
DEVNUM=10    # must match the "unit" number used on the initiator side

# Same interface-existence check as the initiator: the directory exists only while ppp$DEVNUM is up
if [ -e "/proc/sys/net/ipv4/neigh/ppp$DEVNUM" ]; then
    # Send each home subnet over the tunnel interface
    /sbin/route add -net 192.168.0.0/24 dev ppp$DEVNUM
    /sbin/route add -net 192.168.1.0/24 dev ppp$DEVNUM
    /sbin/route add -net 192.168.2.0/24 dev ppp$DEVNUM
fi

Notes

  • This script could probably be a little smarter to see if the routes already exist before blindly setting them, but I’ve got the output piped to /dev/null in my cron entry, so I don’t care so much.

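As an added example (not one of the original scripts), here is the "smarter" remote side the note above describes: it keeps the same /proc interface check, reads the routing table from `ip route show` (iproute2 is assumed to be installed) and adds only the home subnets that are not already routed over ppp10. The `route_present` and `missing_routes` helpers take the table as text so they can be exercised without root.

```bash
#!/bin/bash
# Added example (not from the original post): a remote-side helper that only
# adds the private-subnet routes that are missing, instead of re-adding them
# blindly on every cron run. Assumes `ip` from iproute2 is on the PATH.
DEVNUM=10
SUBNETS="192.168.0.0/24 192.168.1.0/24 192.168.2.0/24"

# tunnel_up [NEIGHDIR]: true when the ppp$DEVNUM interface exists, using the
# same /proc check as the original scripts. NEIGHDIR is overridable for testing.
tunnel_up() {
  [ -e "${1:-/proc/sys/net/ipv4/neigh}/ppp$DEVNUM" ]
}

# route_present TABLE SUBNET DEV: true if TABLE (text from `ip route show`)
# already has a route for SUBNET over device DEV (a route via another device
# does not count).
route_present() {
  printf '%s\n' "$1" | awk -v net="$2" -v dev="$3" \
    '$1 == net && $2 == "dev" && $3 == dev { found = 1 } END { exit !found }'
}

# missing_routes TABLE: print, one per line, the subnets in SUBNETS that have
# no route over ppp$DEVNUM in TABLE.
missing_routes() {
  table="$1"
  for net in $SUBNETS; do
    route_present "$table" "$net" "ppp$DEVNUM" || printf '%s\n' "$net"
  done
}

# ensure_routes: the cron entry point (run as root). Adds only what is missing
# and does nothing when the tunnel is down or everything is already in place.
ensure_routes() {
  tunnel_up || { echo "ppp$DEVNUM is not up; nothing to do"; return 1; }
  for net in $(missing_routes "$(ip route show)"); do
    echo "Adding route for $net via ppp$DEVNUM"
    ip route add "$net" dev "ppp$DEVNUM"
  done
}
# usage from cron (as root): ensure_routes
```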