From: Oliver Fromme
To: freebsd-mobile@FreeBSD.ORG, hartzell@alerce.com
Date: Thu, 16 Feb 2006 13:48:32 +0100 (CET)
Subject: Re: ssh-based vpn and routing question.
Message-Id: <200602161248.k1GCmWLk072714@lurza.secnetix.de>
In-Reply-To: <17393.214.512151.13869@satchel.alerce.com>

George Hartzell wrote:
> I'm trying to set up an ssh-based vpn between a 6.0-STABLE laptop and
> a remote server (I've tried it to both 6.0-STABLE and 5.3-STABLE).
>
> I can bring up a ppp link via an ssh tunnel and each side can ping the
> address of the other side of the tunnel.

You could try to use the new OpenSSH 4.3p1 that was released two weeks
ago. It supports tunneling IP or even ethernet through the ssh
connection natively, using tun(4) or tap(4) interfaces, respectively,
so you don't need ppp at all.

However, note that tunneling TCP connections over ssh (which in turn is
a TCP connection itself) doesn't work very well, especially on
connections with long delays or packet loss, because the retransmit
algorithms of the nested TCP connections interfere badly with each
other. Here's a fairly good explanation:

http://sites.inka.de/sites/bigred/devel/tcp-tcp.html

A much better solution is to use OpenVPN. Basically it does the same
thing, i.e. tunneling IP or ethernet using tun(4) or tap(4), but it
uses UDP as the underlying protocol by default, so it doesn't suffer
that badly from the above problem. However, it requires that those UDP
packets are allowed to go through your firewall. If tcp/22 is your only
choice, then go for OpenSSH 4.3. (YMMV, of course.)

Best regards
Oliver

--
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Dienstleistungen mit Schwerpunkt FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

With Perl you can manipulate text, interact with programs, talk over
networks, drive Web pages, perform arbitrary precision arithmetic,
and write programs that look like Snoopy swearing.
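The OpenSSH 4.3 tun(4) setup the reply recommends, worked through as an added example (not from the mail, nor OpenSSH's or OpenVPN's own code): it checks the server's PermitTunnel setting, whose default of "no" is the usual reason an "ssh -w" tunnel comes up empty, and emits the client and ifconfig commands for both ends. The host name vpnserver.example, the 10.8.0.1/10.8.0.2 tunnel addresses and the sample config files are assumed values.

```sh
#!/bin/sh
# Added example (not from the mail): prepare an OpenSSH 4.3 tun(4) tunnel as
# the reply suggests. Host "vpnserver.example", the 10.8.0.x tunnel addresses
# and the temporary sshd_config files below are constructed/assumed values.

# Effective PermitTunnel value of an sshd_config file. sshd defaults to "no"
# when the keyword is absent or commented out ("#PermitTunnel no" does not
# match because $1 is then "#PermitTunnel"), which makes "ssh -w" fail.
permit_tunnel_value() {
    v=$(awk 'tolower($1) == "permittunnel" { print $2; exit }' "$1")
    echo "${v:-no}"
}

# Succeeds only if the server allows a layer-3 (point-to-point) tunnel.
tunnel_allowed() {
    case "$(permit_tunnel_value "$1")" in
        yes|point-to-point) return 0 ;;
        *)                  return 1 ;;
    esac
}

# Client command: -w pairs local tunN with remote tunM, -N runs no remote
# command, -f backgrounds ssh after authentication. Opening the tun device
# is privileged, so the session typically has to be root on both ends.
client_cmd() {
    echo "ssh -f -N -w $2:$3 root@$1"
}

# FreeBSD ifconfig line for one end of the point-to-point link:
# "ifconfig tunN local remote" assigns both addresses in one go.
ifconfig_cmd() {
    echo "ifconfig $1 $2 $3 up"
}

# Constructed sample configs: a stock one and one corrected for tunneling.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf 'Port 22\n#PermitTunnel no\n' > "$tmp/sshd_config.default"
printf 'Port 22\nPermitTunnel point-to-point\n' > "$tmp/sshd_config.tunnel"

tunnel_allowed "$tmp/sshd_config.default" && echo "unexpected: stock config allows tunnels"
tunnel_allowed "$tmp/sshd_config.tunnel" && echo "server allows: $(permit_tunnel_value "$tmp/sshd_config.tunnel")"
echo "client:  $(client_cmd vpnserver.example 0 0)"
echo "laptop:  $(ifconfig_cmd tun0 10.8.0.1 10.8.0.2)"
echo "server:  $(ifconfig_cmd tun0 10.8.0.2 10.8.0.1)"
```

After both tun0 interfaces are up, a route for the remote network via the far tunnel address (for example "route add -net 192.168.1.0/24 10.8.0.2" on the laptop, with the network being an assumed value) carries traffic through the ssh connection without ppp.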