Below are the differences between two revisions of the page.
public:tutorial:vpnpppoverssh [2011/07/07 21:20] – created by ceric35 | public:tutorial:vpnpppoverssh [2023/02/13 13:39] (current version) – external edit 127.0.0.1 | ||
Line 1: | Line 1: | ||
====== VPN PPP over SSH ====== | ====== VPN PPP over SSH ====== | ||
- | Goal: the client initiates an ssh connection and brings up a ' | + | Goal: the client initiates an ssh connection and brings up a ' |
- | the server. | + | |
The server NATs everything that arrives on this interface onto the local network ' | The server NATs everything that arrives on this interface onto the local network ' | ||
and everything that arrives on the ' | and everything that arrives on the ' | ||
In this configuration: | In this configuration: | ||
- | | + | * the lan network is 192.168.0.0/ |
- | - the ppp network is 192.168.35.0/ | + | |
- | - the ' | + | |
+ | |||
+ | ===== Installation ===== | ||
+ | |||
+ | The kernels must be compiled with PPP support: |
+ | * | ||
+ | * | ||
+ | * | ||
+ | * | ||
+ | * | ||
+ | * | ||
+ | * | ||
+ | |||
+ | '' | ||
===== Server ===== | ===== Server ===== | ||
Line 20: | Line 32: | ||
# NAT (LAN > VPN) | # NAT (LAN > VPN) | ||
- | $IPTABLES -A FORWARD -i eth0 -o ppp0 -m state --state | + | $IPTABLES -A FORWARD -i eth0 -o ppp0 -m state ! --state INVALID -j ACCEPT |
$IPTABLES -A FORWARD -i ppp0 -o eth0 -m state --state ESTABLISHED, | $IPTABLES -A FORWARD -i ppp0 -o eth0 -m state --state ESTABLISHED, | ||
# NAT (VPN > VPN) | # NAT (VPN > VPN) | ||
- | $IPTABLES -A FORWARD -i ppp0 -o eth0 -m state --state | + | $IPTABLES -A FORWARD -i ppp0 -o eth0 -m state ! --state INVALID -j ACCEPT |
$IPTABLES -A FORWARD -i eth0 -o ppp0 -m state --state ESTABLISHED, | $IPTABLES -A FORWARD -i eth0 -o ppp0 -m state --state ESTABLISHED, | ||
+ | |||
+ | It is also necessary to authorize the ' |
+ | pppd with root privileges and without a password via sudo. |
+ | |||
+ | Edit the sudo rights via ' |
+ | < | ||
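Review bot: the two `-m state ! --state INVALID -j ACCEPT` rules accept NEW connections in both directions (`-i eth0 -o ppp0` under `# NAT (LAN > VPN)` and `-i ppp0 -o eth0` under `# NAT (VPN > VPN)`), so together they forward all non-INVALID traffic between ppp0 and eth0 and leave the two `--state ESTABLISHED,` return rules with nothing to do; if only one side is meant to open connections, keep `! --state INVALID` on that side and only `ESTABLISHED,RELATED` on the other. The label `# NAT (VPN > VPN)` on the second pair reads as a typo for `VPN > LAN`, and these are FORWARD ACCEPT rules rather than NAT: the `MASQUERADE`/`SNAT` rule in the `nat` table that the comments promise is not in this hunk. The sudo part is the bigger issue: passwordless sudo on pppd with free arguments is root for the VPN account, because pppd options such as `pty` (the one the client script below uses to wrap the tunnel in ssh) and `plugin` make pppd execute arbitrary commands; the sudoers entry should pin the full command line to the fixed server-side pppd invocation, or point at a wrapper script the user cannot edit, and the key in the VPN user's `authorized_keys` should carry a `command=` restriction so an ssh login can run nothing else.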
===== Clients ===== | ===== Clients ===== | ||
+ | The client must run this script (/ |
+ | |||
+ | < | ||
+ | # Copyright 1999-2011 Gentoo Foundation | ||
+ | # Distributed under the terms of the GNU General Public License v2 | ||
+ | # $Header: $ | ||
+ | |||
+ | # | ||
+ | PPPD=${PPPD: | ||
+ | SSH=${SSH: | ||
+ | |||
+ | depend() { | ||
+ | need net | ||
+ | after sshd | ||
+ | use logger dns | ||
+ | } | ||
+ | |||
+ | start() { | ||
+ | echo -n " | ||
+ | #echo ${PPPD} updetach noauth passive pty \" | ||
+ | ${PPPD} updetach noauth passive pty " | ||
+ | route add -net ${LAN_NETWORK} netmask ${LAN_NETMASK} gw ${SERVER_IFIPADDR} dev ppp0 | ||
+ | echo " vpn connected." | ||
+ | } | ||
+ | |||
+ | stop() { | ||
+ | echo -n " | ||
+ | PID=`ps ax | grep " | ||
+ | if [ " | ||
+ | kill $PID | ||
+ | echo " | ||
+ | else | ||
+ | echo " | ||
+ | fi | ||
+ | } | ||
+ | |||
+ | restart() { | ||
+ | stop | ||
+ | start | ||
+ | }</ | ||
+ | |||
+ | and ''/ |
+ | |||
+ | < | ||
+ | # sending the connection request to: | ||
+ | SERVER_HOSTNAME=ceric35.net | ||
+ | |||
+ | # The TCP port used by sshd (usually 22) | ||
+ | SERVER_PORT=22 | ||
+ | |||
+ | # The username on the VPN server that will run the tunnel. | ||
+ | # For security reasons, this should NOT be root. (Any user | ||
+ | # that can use PPP can intitiate the connection on the client) | ||
+ | SERVER_USERNAME=vpn | ||
+ | |||
+ | # The VPN network interface on the server should use this address: | ||
+ | SERVER_IFIPADDR=192.168.35.254 | ||
+ | |||
+ | # ...and on the client, this address: | ||
+ | CLIENT_IFIPADDR=192.168.35.1 | ||
+ | |||
+ | # Lan behind vpn server uses this addresses: | ||
+ | LAN_NETWORK=192.168.0.0 | ||
+ | LAN_NETMASK=255.255.255.0 | ||
+ | |||
+ | # This tells ssh to use unprivileged high ports, even though it's | ||
+ | # running as root. This way, you don't have to punch custom holes | ||
+ | # through your firewall. | ||
+ | LOCAL_SSH_OPTS=" | ||
+ | |||
+ | ===== Sources ===== | ||
+ | |||
+ | http:// | ||