VPN over SSH: State of the art?

Jan Bergner jan.bergner at indurad.com
Sat Jan 5 00:55:45 AEDT 2019



On 04.01.19 at 14:10, Jochen Bern wrote:
> On 01/04/2019 10:57 AM, Thomas Güttler wrote:
>> What is the current state of the art if you want to create VPN over ssh?
> 
> It might depend on your Platform (I've been essentially Linux-only these
> past years), but I have a section "SSH-BASED VIRTUAL PRIVATE NETWORKS"
> in the "ssh" manpage of even rather old OpenSSH versions ...
> 
> (It requires *root* access on both ends to configure tun* interfaces,
> but since you were discussing installing additional proxying(?)
> software, I guess that you have that.)
> 
> (It also assumes that the subnets involved don't have address
> collisions. I suppose that one *could* resolve that with NATing in both
> peers' iptables, but it'ld promise to be quite a lot of careful work IMHO.)
> 
> On 01/04/2019 12:50 PM, Jan Bergner wrote:
>> I see your point. Remote work on a production system always makes my
>> heart beat faster, too. ^^
> 
> You don't have production systems installed at colo/hosting/housing
> provider sites, then. ;-) :-S
That is not remote. I can use their web-VNC or even call them if
something goes wrong.

For my company, I sometimes have to remote-configure devices in
customers' networks at locations on another continent that might be
several hundred kilometers away from the next airport while the internet
uplink is 2G to 3G. Screwing up might mean a one-week-travel for
someone, if the customer does not understand his own network and is able
to fix an issue by himself. ;-)


> 
> (Preparing for semisolids-in-the-gas-moving-device situations by having
> remote OOB access to "consoles" - from modem-at-the-RS232-port to
> servers' management NICs offering ILO/iDRAC/EXPRESSSCOPE/whatsitsname -
> and hardware health monitoring quickly becomes second nature, including
> on "local" platforms - in case you're actually *not* "local" when the
> cell phone rings and have to VPN into the company "L"AN beforehand.)
> 
> Regards,
> 

