====== Tunnel Interfaces ======

If you want to establish an SSH tunnel between two networks and treat the tunnel as a network interface (''tun0'' on both ends), this may help.

  * First, enable IP forwarding on both the local and the target machine. Making ''/etc/rc.d/rc.ip_forward'' executable turns forwarding on at every boot (run ''/etc/rc.d/rc.ip_forward start'' to switch it on now without rebooting):
  root@darkstar:~# chmod +x /etc/rc.d/rc.ip_forward
For a temporary setting (lost at reboot) use:
  root@darkstar:~# echo "1" > /proc/sys/net/ipv4/ip_forward
  * You also need to enable tunnelling in ''/etc/ssh/sshd_config'' on the target machine. Find the line //#PermitTunnel no//, uncomment it and change it to ''PermitTunnel yes''. You can use vi to edit the file, or use sed, which keeps a backup copy of the stock file named after your Slackware version:
  root@darkstar:~# /usr/bin/sudo /bin/sed -e "s/^#PermitTunnel no/PermitTunnel yes/" -i.stock_slackware-`/bin/awk '{print $2}' /etc/slackware-version` /etc/ssh/sshd_config
Keep the directive on a line of its own: older ''sshd'' releases reject a trailing note such as ''PermitTunnel yes # changed by ...'' with "garbage at end of line", so put any change record on a separate ''#'' line. Check the result with ''sshd -t'' and restart sshd (''/etc/rc.d/rc.sshd restart'') so the change takes effect.
  * The script below uses autossh, available from [[http://slackbuilds.org/result/?search=autossh|slackbuilds.org]]. An alternative using plain ssh is given at the bottom (replace the autossh line in the script).
  * You also need non-interactive SSH logins, meaning [[howtos:security:sshkeys|authorized_keys setup with public/private keys]]. Note that the tunnel connection itself is started under ''sudo'', so it runs as root, uses root's keys and ''~root/.ssh/config'', and logs in as ''root@target'' unless told otherwise. The account on the far end of a ''-w'' tunnel must be able to open ''/dev/net/tun'', which normally means root as well, so ''PermitRootLogin'' on the target has to allow key-based root logins.
  * The script also assumes your user has an account on the remote machine with sudo privileges and no password prompt (the ''NOPASSWD: ALL'' option in ''/etc/sudoers''). As root, type "''visudo''" and add your user like this:
  rich ALL=(ALL) NOPASSWD: ALL
''NOPASSWD: ALL'' makes that account equivalent to root for anyone holding its SSH key; a tighter rule lists only the commands the script runs there (''modprobe'', ''ifconfig'' and ''iptables'').
  * Next comes a simple bash script, explained after you have had a look at it.
  #!/bin/bash
  ###########################################################
  #
  # Enter the ip of the target you wish to make a tunnel with.
  # By ip address or hostname
  #
  target=74.79.121.210
  port=22
  #
  ###########################################################
  # suggestions contact rich at lehcar.duckdns.org
  # with thanks to Billy T (for idea and assistance)
  ###########################################################
  # load the tun module locally
  /usr/bin/sudo /sbin/modprobe tun
  # load the tun module on the remote machine
  /usr/bin/ssh -p $port $target "/usr/bin/sudo /sbin/modprobe tun"
  /bin/sleep 1
  # open the tunnel: -f backgrounds ssh, -w 0:0 creates tun0 on both ends,
  # -M 0 disables autossh's own monitor port in favour of the ServerAlive options
  /usr/bin/sudo /usr/bin/autossh -p $port -M 0 -o "ServerAliveInterval 60" -o "ServerAliveCountMax 3" -fw 0:0 $target /bin/true
  /bin/sleep 4
  # address the point-to-point link (a /30: .1 is the local end, .2 the remote end)
  /usr/bin/ssh -p $port $target "/usr/bin/sudo /sbin/ifconfig tun0 192.168.5.2 pointopoint 192.168.5.1 netmask 255.255.255.252 broadcast 192.168.5.3"
  /usr/bin/sudo /sbin/ifconfig tun0 192.168.5.1 pointopoint 192.168.5.2 netmask 255.255.255.252 broadcast 192.168.5.3
  # local side: masquerade traffic leaving eth0, forward tun0 -> eth0,
  # and only replies in the other direction
  /usr/bin/sudo /usr/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
  /usr/bin/sudo /usr/sbin/iptables -A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
  /usr/bin/sudo /usr/sbin/iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
  # remote side: the same three rules
  /usr/bin/ssh -p $port $target "/usr/bin/sudo /usr/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE"
  /usr/bin/ssh -p $port $target "/usr/bin/sudo /usr/sbin/iptables -A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT"
  /usr/bin/ssh -p $port $target "/usr/bin/sudo /usr/sbin/iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT"

  * To direct traffic over the tunnel, add a route for the destination network via ''tun0'':
  user@darkstar:~$ sudo /sbin/route add -net 74.125.131.0 netmask 255.255.255.0 dev tun0
  * To use plain ssh rather than autossh, substitute the line below for the autossh line in the script:
  /usr/bin/sudo /usr/bin/ssh -p $port -o "ServerAliveInterval 60" -o "ServerAliveCountMax 3" -fw 0:0 $target /bin/true

To recap some of the options: "''-fw 0:0''" forks the ssh process into the background (''-f'') and opens a tunnel (''-w''); "''0:0''" picks the local and remote tunnel device numbers (i.e. ''tun0'' on both ends).
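Before running the script it pays to verify the two host-side prerequisites from the checklist above (IP forwarding, and ''PermitTunnel'' in the target's sshd_config) rather than trusting a one-shot sed. The shell functions below are an added example and are not part of the original howto or its script: ''sshd_permit_tunnel'' reports the value sshd will actually use (the first active occurrence wins, and anything after a ''Match'' header is conditional), ''enable_permit_tunnel'' rewrites or adds the directive on a line of its own while keeping a backup, and ''ip_forward_enabled'' reads the sysctl file. The sshd_config text at the bottom is constructed for the demonstration; file paths are parameters so the functions can be tried on a copy before touching ''/etc/ssh/sshd_config''.

```shell
#!/bin/sh
# Added example, not part of the original howto.
# Host-side prerequisites for "ssh -w" tunnels, as checkable functions.
# Assumes the usual "Keyword value" (whitespace-separated) sshd_config form;
# sshd keyword matching is case-insensitive and the first active line wins.

# Print the PermitTunnel value sshd will use for the given file (default "no").
# Directives after a Match header apply only conditionally, so stop there.
sshd_permit_tunnel() {
    awk '
        /^[[:space:]]*(#|$)/          { next }                             # comment or blank
        tolower($1) == "match"        { exit }                             # conditional section
        tolower($1) == "permittunnel" { print tolower($2); found = 1; exit }
        END { if (!found) print "no" }
    ' "$1"
}

# Turn PermitTunnel on in FILE, keeping FILE<suffix> (default .bak) as a backup.
# An active global directive is rewritten; otherwise the stock commented-out
# "#PermitTunnel no" line is uncommented; otherwise the directive is inserted
# before the first Match block, or appended. The value goes on a line of its
# own: older sshd rejects "PermitTunnel yes # note" as "garbage at end of line".
enable_permit_tunnel() {
    f=$1
    suffix=${2:-.bak}
    cp -p "$f" "$f$suffix" || return 1
    awk '
        { key = tolower($1); val = "" }
        !done && key == "match" { print "PermitTunnel yes"; done = 1 }   # global must precede Match
        done                    { print; next }
        key == "permittunnel"   { print "PermitTunnel yes"; done = 1; next }
        # stock commented-out forms: "#PermitTunnel no" or "# PermitTunnel no"
        key == "#permittunnel" && NF == 2                         { val = tolower($2) }
        key == "#" && NF == 3 && tolower($2) == "permittunnel"    { val = tolower($3) }
        val ~ /^(yes|no|point-to-point|ethernet)$/ { print "PermitTunnel yes"; done = 1; next }
        { print }
        END { if (!done) print "PermitTunnel yes" }
    ' "$f$suffix" > "$f"
}

# Succeed when forwarding is on; FILE defaults to the live sysctl entry.
ip_forward_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = 1 ]
}

# Demonstration on a constructed, stock-style config (sample text, not a real host's).
demo=$(mktemp -d)
cat > "$demo/sshd_config" <<'EOF'
Port 22
#PermitTunnel no
Match User backup
    PermitTunnel no
EOF
echo "before: $(sshd_permit_tunnel "$demo/sshd_config")"   # no
enable_permit_tunnel "$demo/sshd_config" .stock
echo "after:  $(sshd_permit_tunnel "$demo/sshd_config")"   # yes
ip_forward_enabled && echo "ip_forward: on" || echo "ip_forward: off"
rm -rf "$demo"
```

Run ''enable_permit_tunnel /etc/ssh/sshd_config .stock'' as root on the target, then ''sshd -t'' and an sshd restart; the demonstration itself only touches a temporary copy.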
The "''-o''" options pass configuration parameters to OpenSSH; here they make the client send a keepalive every 60 seconds and disconnect after three unanswered ones, which is what autossh (run with ''-M 0'', i.e. without its own monitor port) relies on to notice a dead link and reconnect.

==== Results ====

You can now reach the remote computer at "''192.168.5.2''" and your communications go through the SSH tunnel. In the script above you may wish to modify the network and mask to fit your needs; I chose "''192.168.5''" but your configuration will likely be different.

About the iptables rules: the ''MASQUERADE'' rule rewrites the source address of packets leaving ''eth0'' to that interface's address, so hosts behind the far end never need a route back to the ''192.168.5.0/30'' link. The two ''FORWARD'' rules accept new connections arriving on ''tun0'' and leaving via ''eth0'', but only replies (''RELATED,ESTABLISHED'') in the opposite direction; with a default-ACCEPT FORWARD chain they change nothing, with a DROP policy they are what lets tunnel traffic through. The rules are applied identically on both machines, so each side can reach networks behind the other.

**Here are a couple of usage examples.** Directing traffic to the tunnel interface: the first routes the whole 10.10.132.0/24 network (10.10.132.0-255), the second just the single host 10.10.182.15.
  /sbin/route add -net 10.10.132.0 netmask 255.255.255.0 dev tun0
  /sbin/route add -net 10.10.182.15 netmask 255.255.255.255 dev tun0

====== Sources ======

  * Originally written by [[wiki:user:ricky_cardo | ricky_cardo]]

{{tag>howtos tunnel tun0 author_ricky_cardo}}