osx:start

Differences

This shows you the differences between two versions of the page.

osx:start [2017/12/05 12:54]
robm [VPN over SSH]
osx:start [2017/12/05 13:03]
robm [VPN over SSH]
Line 671: Line 671:
 Configure IPv4 (ICMP+TCP+UDP) forwarding and Network Address Translation (NAT): Configure IPv4 (ICMP+TCP+UDP) forwarding and Network Address Translation (NAT):
  
-   - In the root shell on the **server**: <code> +   - In the root shell on the **server** (only needs to be done one per boot): <code> 
-   - echo 1 > /proc/sys/net/ipv4/ip_forward +# Prepare networking stack for use by forced commands in 
-/sbin/iptables -t nat -F +/root/.ssh/authorized_keys that creates a point-to-point network (via tun0) 
-/sbin/iptables -t nat -A POSTROUTING ! --destination 172.16.0.2  -j MASQUERADE+# between 172.16.0.1 (this host) and 172.16.0.2 (remote end). 
 + 
 +# We then want to enabling forwarding of IPv4 traffic, i.e. we want to act as a 
 +# router. We enable this in the kernel, and then ensure traffic originating 
 +# from the remote side of the point-to-point link is accepted, and any 
 +# responses are likewise accepted 
 +echo 1 > /proc/sys/net/ipv4/ip_forward
 /sbin/iptables -F /sbin/iptables -F
-/sbin/iptables -A FORWARD ! --source 172.16.0.2 --destination 172.16.0.2 -m state --state RELATED,ESTABLISHED -j ACCEPT+/sbin/iptables -A FORWARD ! --source 172.16.0.2 --destination 172.16.0.2 
 +        -m state --state RELATED,ESTABLISHED -j ACCEPT
 /sbin/iptables -A FORWARD --source 172.16.0.2 ! --destination 172.16.0.2 -j ACCEPT /sbin/iptables -A FORWARD --source 172.16.0.2 ! --destination 172.16.0.2 -j ACCEPT
 +
 +# Any traffic originating from the remote side should go through Network
 +# Address Translation (NAT), so responses from (e.g.) DNS servers are sent to
 +# this host, so *we* can forward it to the remote end. This is the MASQUERADE
 +# rule.
 +/sbin/iptables -t nat -F
 +/sbin/iptables -t nat -A POSTROUTING ! --destination 172.16.0.2  -j MASQUERADE
  
 # Monitor packets # Monitor packets
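
Review bot: The reflowed FORWARD rule for RELATED,ESTABLISHED is now split over two lines with no trailing backslash on the first, so pasted into the root shell it runs as two commands: the first appends a rule with no state match and no target, and the second fails because '-m' is not a command. End the first line with ' \' or keep the rule on one line. The new header comment has the same kind of problem: its second line, starting '/root/.ssh/authorized_keys that creates', has no leading '#', so the shell will try to execute that path; prefix it with '#'. Two wording fixes while here: 'one per boot' should be 'once per boot', and 'want to enabling forwarding' should be 'want to enable forwarding'. Since the comments now explain the intent of each rule, it would also help to state which FORWARD policy the rules assume, because no policy is set in the lines shown and the two ACCEPT rules only restrict forwarding if the default is DROP.
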
osx/start.txt · Last modified: 2022/05/13 13:19 by robm