Date:      Mon, 13 Feb 2006 18:03:55 -0800
From:      George Hartzell <hartzell@alerce.com>
To:        hartzell@alerce.com
Cc:        freebsd-mobile@freebsd.org
Subject:   Re: ssh-based vpn and routing question.
Message-ID:  <17393.14987.286847.977332@satchel.alerce.com>
In-Reply-To: <17393.214.512151.13869@satchel.alerce.com>
References:  <17393.214.512151.13869@satchel.alerce.com>

George Hartzell writes:
 > 
 > I'm trying to set up an ssh-based vpn between a 6.0-STABLE laptop and
 > a remote server (I've tried it to both 6.0-STABLE and 5.3-STABLE).
 > 
 > I can bring up a ppp link via an ssh tunnel and each side can ping the
 > address of the other side of the tunnel.
 > 
 > I would like to route all traffic from my laptop to the server's real
 > address (a routable static ip address from my ISP) so that it goes
 > across the tunnel instead (e.g. to tunnel through a firewall that
 > allows ssh but doesn't pass pop3s connections and the powers that be
 > don't want to touch the firewall rules but are ok w/ the tunnel...).
 > 
 > I've tried just adding a static host route pointing to the server end
 > of the ppp link, but that doesn't work (via "route add" and ppp's "add"
 > command).
 > 
 > ** Not only can I not ping the server's static ip address, but I can no
 > longer ping its end of the ppp link. **
 > 
 > When I remove the route I eventually regain the ability to ping the
 > remote end of the ppp link, the waiting time seems to be proportional
 > to how long I let the ping run while I had the link in place.
 > 
 > In order to test my sanity I tried to do it in reverse.  Once the link
 > was up I ssh'ed in to server, added a route to the outside address of
 > the laptop (which happened to be a 10.xxx.yyy.zzz address) via the
 > laptop end of the ppp link.  I was able to ping both the laptop's
 > outside 10.x addr and its end of the ppp link.
 > 
 > I tried setting net.inet.ip.forwarding=1 and it didn't make things
 > work in the server case, nor did it break the sanity-checking laptop
 > case.
 > 
 > I've tried this on both an older (sigh...) 5.3-STABLE server and a
 > recent 6.0-STABLE server.  They both behave identically.
 > 
 > There are no firewalls running on any of the freebsd boxes.
 > 
 > At this point I'm assuming that ppp is doing something asymmetric, but
 > I am stymied.  The fact that I can do the reverse of what I want is
 > driving me nuts....
 > 
 > Does anyone have any constructive commentary?

Ok, I think that the *most* constructive comment might be something
about pulling oneself up by one's own bootstraps.....  Pithier
possibilities leap to mind too.

What I'm trying to do won't work.  And, now that I see it, I'm pretty
much mortified that I even tried it, let alone asked anyone else.

First, I establish an ssh connection to a machine (aka TheServer) and
run a ppp session across it.

Then, I try to add a route that sends all of the packets to that same
machine (TheServer) down the tunnel.  The problem is, of course, that
they can no longer make it to the other end of the ssh session.

Presumably it works coming the other way because TheServer thinks
that the ssh session is coming from the firewall's address and so it
doesn't get confused....

Sigh.  Bad geek, no beer.

g.
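The routing loop the message describes can be reproduced without touching a real routing table. The following simulation is an added example and is not part of the original post or of FreeBSD's ppp/route code: it implements longest-prefix-match lookup over a small table and models a tunnel interface as "re-route the packet toward the tunnel's transport peer". All addresses (the server's public address, the laptop's 10.x address, the firewall's public address, the ppp endpoints) and interface names are constructed for the example.

```python
"""Simulate longest-prefix routing to show why a host route for the
tunnel endpoint *through the tunnel itself* cannot work, while the
same trick works from the server side behind a NAT firewall.

Added example; addresses and interface names are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed addresses (RFC 5737 documentation ranges / private space).
SERVER = "203.0.113.10"         # TheServer's routable static address
LAPTOP_OUTSIDE = "10.1.1.50"    # laptop's address on the firewalled LAN
FIREWALL_PUBLIC = "198.51.100.1"  # what TheServer sees as the ssh peer
PPP_SERVER_END = "192.168.200.1"
PPP_LAPTOP_END = "192.168.200.2"


@dataclass
class Route:
    prefix: str                      # destination network in CIDR form
    iface: str                       # outgoing interface
    tunnel_peer: Optional[str] = None  # tunnel iface: transport peer of the
                                       # carrier (ssh) session, else None


@dataclass
class RoutingTable:
    routes: list = field(default_factory=list)

    def add(self, prefix, iface, tunnel_peer=None):
        self.routes.append(Route(prefix, iface, tunnel_peer))

    def delete(self, prefix):
        self.routes = [r for r in self.routes if r.prefix != prefix]

    def lookup(self, dst):
        """Longest-prefix match, as the kernel forwarding table does."""
        addr = ip_address(dst)
        best = None
        for r in self.routes:
            net = ip_network(r.prefix)
            if addr in net and (
                best is None or net.prefixlen > ip_network(best.prefix).prefixlen
            ):
                best = r
        return best


def trace(table, dst, max_depth=8):
    """Follow a packet to dst, re-routing each encapsulation layer.
    Returns the interfaces used, ending in 'DELIVERED', 'NO ROUTE' or
    'LOOP' (the carrier packet keeps resolving back to the tunnel)."""
    path = []
    cur = dst
    for _ in range(max_depth):
        r = table.lookup(cur)
        if r is None:
            path.append("NO ROUTE")
            return path
        path.append(r.iface)
        if r.tunnel_peer is None:
            path.append("DELIVERED")
            return path
        # A tunnel interface wraps the packet inside the ssh session to its
        # transport peer; that outer packet is itself routed by the same table.
        cur = r.tunnel_peer
    path.append("LOOP")
    return path


def laptop_table(with_host_route):
    """Laptop: default route out em0; ppp0 rides an ssh session to SERVER."""
    t = RoutingTable()
    t.add("0.0.0.0/0", "em0")
    t.add("10.1.1.0/24", "em0")
    t.add(PPP_SERVER_END + "/32", "ppp0", tunnel_peer=SERVER)
    if with_host_route:
        # The route the message tried: TheServer's real address via the tunnel.
        t.add(SERVER + "/32", "ppp0", tunnel_peer=SERVER)
    return t


def server_table():
    """Server: its ssh session peer is the firewall's NAT address, so a route
    to the laptop's inside 10.x address via ppp0 never captures the carrier."""
    t = RoutingTable()
    t.add("0.0.0.0/0", "fxp0")
    t.add(PPP_LAPTOP_END + "/32", "ppp0", tunnel_peer=FIREWALL_PUBLIC)
    t.add(LAPTOP_OUTSIDE + "/32", "ppp0", tunnel_peer=FIREWALL_PUBLIC)
    return t


if __name__ == "__main__":
    print("laptop, no host route, ping ppp peer:", trace(laptop_table(False), PPP_SERVER_END))
    print("laptop, host route, ping server:     ", trace(laptop_table(True), SERVER))
    print("laptop, host route, ping ppp peer:   ", trace(laptop_table(True), PPP_SERVER_END))
    print("server, route to laptop 10.x via ppp:", trace(server_table(), LAPTOP_OUTSIDE))
```

With the host route installed, even a ping to the far end of the ppp link fails, because the carrier packets for the ssh session now match the more specific /32 and are fed back into ppp0; that matches the "can no longer ping its end of the ppp link" symptom. On the server the carrier session's peer is the firewall's public address, which the new 10.x route does not cover, so the lookup for the outer packet still resolves to the physical interface.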
