====== VPN via SSH TAP interfaces ======

vpn-ssh-tap, revision 2020/08/06 11:48 by robm (previous revision 2020/07/25 01:36 by robm). The page starts mid-way here; the lines before the VM set-up are not part of this excerpt.
VM, where eth1 is connected to the network I want to make my RPi appear in:

Vagrantfile (based on using [[https://www.parallels.com/|Parallels]], rather than VirtualBox):

<code>
# -*- mode: ruby -*-
# vi: set ft=ruby :

# Host adaptor that the VM's second NIC (eth1) is bridged onto. Vagrant accepts
# a list and uses the first entry that matches an interface on the host.
BRIDGE_ADAPTORS = [
  "en0: Wi-Fi (AirPort)", # MacBook Pro (MacOS v10.15, Catalina), VirtualBox
  "en0",                  # MacBook Pro (MacOS v10.15, Catalina), Parallels
  "eno1",                 # Ubuntu 16.04 LTS
  # Add your OS's default here
]

Vagrant.configure("2") do |config|
  config.vm.box = "bento/ubuntu-20.04"
  config.vm.network "public_network", bridge: BRIDGE_ADAPTORS

  config.vm.provider "parallels" do |prl|
    # Cf. http://download.parallels.com/doc/pcs/html/Parallels_Cloud_Server_Command_Line_Reference_Guide/32912.htm
    # Bridging needs the VM's NICs to send frames with foreign MAC/IP addresses
    # and to run promiscuously, so switch off all three Parallels filters.
    prl.customize ["set", :id,
                   "--device-set", "net0",
                   "--ipfilter", "no",
                   "--macfilter", "no",
                   "--preventpromisc", "no"]
    prl.customize ["set", :id,
                   "--device-set", "net1",
                   "--ipfilter", "no",
                   "--macfilter", "no",
                   "--preventpromisc", "no"]
  end

  config.vm.provision "shell",
    privileged: true,
    inline: <<-SHELL
      # Secure Shell daemon configuration changes. Appending works because the
      # stock sshd_config leaves both keywords commented out. PermitRootLogin
      # prohibit-password would do here, since root only ever logs in with the
      # key installed below.
      echo "PermitTunnel yes" >> /etc/ssh/sshd_config
      echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
      systemctl reload sshd

      # Root account is disabled by default (password begins with literal '!'),
      # so we'll change the password to re-enable the account. '*' is not a
      # valid hash, so password logins stay impossible; only the key works.
      usermod -p '*' root

      # Install GadgetPi's ~/.ssh/id_rsa.pub, so it can login as root without
      # requiring an operator
      umask 0077
      mkdir -p /root/.ssh
      echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCx963D3ErL6s9uWmSye1ZU+TCS4aDAJBbQI/NZLqg05EXnYVfXEPm2ZuStij4JjsIgdFbL+E73vd/alNgUBpe1YD73+oP9ndSdsAU/kXrx/zy0qCRWsi4fma6MmGIU0sYFuNvnwKsyjoFu0g5Y4SKQeD/0J7f+AmP4XOSnR2mhcFFE96wFYdq1UJanky0YI/oJcz2CRny5tO+iCjqm98BcvnEI/3vQOH4fOtffzW1SvqDobiQtP58POHd2NfRJo9ygVemCFqdvV9v17tvuhW0AxBZcBm1TZ9wb/oQnWvR8OvqO0XSYGZYuC+DERCSC+3dLSNL/LmoDDDdIjgHXTUNv root@raspberrypi" >> /root/.ssh/authorized_keys

      # Enable acting as a router (forwarding packets)
      echo "" >> /etc/sysctl.conf  # In case the file does not end with a newline
      echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
      sysctl --load /etc/sysctl.conf
    SHELL

  # Single-quoted heredoc: keeps the trailing backslashes and ${...} below
  # verbatim instead of treating them as Ruby line continuations/escapes.
  config.vm.post_up_message = <<-'EOF'
    Run the following on this VM:

      ETH1_IP=192.168.167.100/24
      sudo ip link add br0 up type bridge     # Create a bridge
      sudo ip address add ${ETH1_IP} dev br0  # Copy the address and netmask of eth1
      sudo ip address flush dev eth1          # Remove eth1's addresses completely
      sudo ip link set eth1 master br0        # Attach eth1 to the bridge

    Run the following on the GadgetPi:

      REMOTE_HOST=192.168.167.237
      sudo ip link add br0 up type bridge
      sudo ip link set eth0 up master br0
      sudo ssh \
          -o PermitLocalCommand=yes \
          -o "LocalCommand=ip link set tap5 up master br0" \
          -o Tunnel=ethernet \
          -w 5:5 \
          -t \
          root@${REMOTE_HOST} \
          "ip link set tap5 up master br0"
  EOF
end
</code>

Two things worth checking before relying on this. sshd honours the first occurrence of a keyword, so the appended ''PermitTunnel'' and ''PermitRootLogin'' lines only take effect because the stock file leaves them commented out; ''sshd -T | grep -i permittunnel'' on the VM shows the value actually in force. And on the GadgetPi, once eth0 is a port of br0 its own addresses stop answering, so the SSH session to the VM has to leave via another interface (wlan0, say), otherwise the tunnel command cuts off the connection it rides on.
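As an added example (not code from this wiki page), a POSIX shell helper that pre-checks an sshd_config for the ethernet-tunnel setting and wraps the GadgetPi side of the procedure above. It assumes iproute2 on both ends, tunnel number 5 and bridge br0 as on the page, that the SSH session leaves the Pi on an interface other than the one being enslaved, and reuses the page's REMOTE_HOST address as a default; the function and variable names are mine.

```shell
#!/bin/sh
# Added example, not from the original wiki page. Assumptions: iproute2,
# tunnel number 5, bridge br0, root on both ends for tap_up; the sshd_config
# checks are pure and run anywhere.

TUN_ID="${TUN_ID:-5}"
BRIDGE="${BRIDGE:-br0}"
PORT_IF="${PORT_IF:-eth0}"
REMOTE_HOST="${REMOTE_HOST:-192.168.167.237}"

# Effective value of one sshd_config keyword in the file given as $1.
# sshd honours the FIRST occurrence of a keyword (case-insensitively), so a
# value appended with >> only takes effect when no earlier, uncommented line
# already sets it. Prints nothing if the keyword is never set, i.e. the
# compiled-in default applies.
sshd_effective() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }                               # comment line
        NF >= 2 && tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Pre-flight: would this sshd_config accept "Tunnel=ethernet"?
# PermitTunnel takes yes, ethernet, point-to-point or no; only the first two
# allow a layer-2 tunnel. Returns 0 (ok) or 1 (the -w request would fail).
sshd_allows_ethernet_tunnel() {
    case "$(sshd_effective "$1" PermitTunnel | tr 'A-Z' 'a-z')" in
        yes|ethernet) return 0 ;;
        *)            return 1 ;;
    esac
}

# Bring the tunnel up (needs root on both ends): create the bridge if it is
# missing, enslave the local port interface, then open the SSH ethernet tunnel
# and attach tap$TUN_ID to the bridge at both ends, as the page does.
tap_up() {
    ip link show "$BRIDGE" >/dev/null 2>&1 || ip link add "$BRIDGE" up type bridge
    ip link set "$PORT_IF" up master "$BRIDGE"
    ssh \
        -o PermitLocalCommand=yes \
        -o "LocalCommand=ip link set tap$TUN_ID up master $BRIDGE" \
        -o Tunnel=ethernet \
        -w "$TUN_ID:$TUN_ID" \
        -t \
        "root@$REMOTE_HOST" \
        "ip link set tap$TUN_ID up master $BRIDGE"
}

# Check that the local tap really is a port of the bridge (run while ssh is up):
# "ip -o link" prints "... master br0 state UP ..." for an enslaved interface.
tap_is_bridged() {
    ip -o link show "tap$TUN_ID" 2>/dev/null | grep -q " master $BRIDGE "
}
```

Run ''sshd_allows_ethernet_tunnel /etc/ssh/sshd_config'' on the VM (or ''sshd -T | grep -i permittunnel'', which reports the value sshd itself computed) before starting ''tap_up'' on the Pi; a refused tunnel shows up on the client only as a vague "Tunnel device open failed" message.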
===== Debugging =====

I found [[https://www.wireshark.org/docs/man-pages/tshark.html|tshark - Dump and analyze network traffic]] useful, as it can capture ethernet frames to a file (such as ''/vagrant/tshark'') which you can then load into the Wireshark GUI after the fact.