Network Security Hacks [Electronic resources] نسخه متنی

Hack 78 Tunnel with VTun and SSH

Connect two networks using VTun and a single
SSH connection.

VTun is a user-space tunnel server,
allowing entire networks to be tunneled to each other using the
tun universal tunnel kernel driver.
An encrypted tunnel such as
VTun allows roaming wireless clients to secure
all of their IP traffic using strong encryption. It currently runs
under Linux, BSD, and Mac OS X.
The examples in this hack assume that you are using Linux.

The procedure described next will allow a host with a private IP
address (10.42.4.6) to bring up a new tunnel interface with a real,
live, routed IP address (208.201.239.33) that works as expected, as
if the private network weren't even there. Do this
by bringing up the tunnel, dropping the default route, and then
adding a new default route via the other end of the tunnel.

To begin with, here is the (pretunneled) network
configuration:

root@client:~# ifconfig eth2
eth2 Link encap:Ethernet HWaddr 00:02:2D:2A:27:EA 
inet addr:10.42.3.2 Bcast:10.42.3.63 Mask:255.255.255.192
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:662 errors:0 dropped:0 overruns:0 frame:0
TX packets:733 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100 
RX bytes:105616 (103.1 Kb) TX bytes:74259 (72.5 Kb)
Interrupt:3 Base address:0x100 
root@client:~# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.42.3.0 * 255.255.255.192 U 0 0 0 eth2
loopback * 255.0.0.0 U 0 0 0 lo
default 10.42.3.1 0.0.0.0 UG 0 0 0 eth2

As you can see, the local network is 10.42.3.0/26, the IP is
10.42.3.2, and the default gateway is 10.42.3.1. This gateway
provides network address translation (NAT) to
the Internet. Here's what the path looks like to
yahoo.com:

root@client:~# traceroute -n yahoo.com
traceroute to yahoo.com (64.58.79.230), 30 hops max, 40 byte packets
1 10.42.3.1 2.848 ms 2.304 ms 2.915 ms
2 209.204.179.1 16.654 ms 16.052 ms 19.224 ms
3 208.201.224.194 20.112 ms 20.863 ms 18.238 ms
4 208.201.224.5 213.466 ms 338.259 ms 357.7 ms
5 206.24.221.217 20.743 ms 23.504 ms 24.192 ms
6 206.24.210.62 22.379 ms 30.948 ms 54.475 ms
7 206.24.226.104 94.263 ms 94.192 ms 91.825 ms
8 206.24.238.61 97.107 ms 91.005 ms 91.133 ms
9 206.24.238.26 95.443 ms 98.846 ms 100.055 ms
10 216.109.66.7 92.133 ms 97.419 ms 94.22 ms
11 216.33.98.19 99.491 ms 94.661 ms 100.002 ms
12 216.35.210.126 97.945 ms 93.608 ms 95.347 ms
13 64.58.77.41 98.607 ms 99.588 ms 97.816 ms

In this example, we are connecting to a tunnel server on the Internet
at 208.201.239.5. It has two spare live IP addresses (208.201.239.32
and 208.201.239.33) to be used for tunneling. We'll
refer to that machine as the server, and our
local machine as the client.

Now let's get the tunnel running. To begin with,
load the tun driver on both machines:

# modprobe tun

It is worth noting that the tun driver will
sometimes fail if the server and client kernel versions
don't match. For best results, use a recent kernel
(and the same version, e.g., 2.4.20) on both machines.

On the server machine, save
this file to
/usr/local/etc/vtund.conf:

options {
port 5000;
ifconfig /sbin/ifconfig;
route /sbin/route;
syslog auth;
}
default {
compress no;
speed 0;
}
home {
type tun;
proto tcp;
stat yes;
keepalive yes;
pass sHHH; # Password is REQUIRED.
up {
ifconfig "%% 208.201.239.32 pointopoint 208.201.239.33";
program /sbin/arp "-Ds 208.201.239.33 %% pub";
program /sbin/arp "-Ds 208.201.239.33 eth0 pub";
route "add -net 10.42.0.0/16 gw 208.201.239.33";
};
down {
program /sbin/arp "-d 208.201.239.33 -i %%";
program /sbin/arp "-d 208.201.239.33 -i eth0";
route "del -net 10.42.0.0/16 gw 208.201.239.33";
};
}

Launch the vtund server like so:

root@server:~# vtund -s

Now you'll need a
vtund.conf file for the client side. Try this
one, again in
/usr/local/etc/vtund.conf:

options {
port 5000;
ifconfig /sbin/ifconfig;
route /sbin/route;
}
default {
compress no;
speed 0;
}
home {
type tun;
proto tcp;
keepalive yes;
pass sHHH; # Password is REQUIRED.
up {
ifconfig "%% 208.201.239.33 pointopoint 208.201.239.32 arp";
route "add 208.201.239.5 gw 10.42.3.1";
route "del default";
route "add default gw 208.201.239.32";
};
down {
route "del default";
route "del 208.201.239.5 gw 10.42.3.1";
route "add default gw 10.42.3.1";
};
}

Finally, run this command on the client:

root@client:~# vtund -p home server

Presto! Not only do you have a tunnel up between client and server,
but also a new default route via the other end of the tunnel. Take a
look at what happens when we traceroute to
yahoo.com with the tunnel in place:

root@client:~# traceroute -n yahoo.com
traceroute to yahoo.com (64.58.79.230), 30 hops max, 40 byte packets
1 208.201.239.32 24.368 ms 28.019 ms 19.114 ms
2 208.201.239.1 21.677 ms 22.644 ms 23.489 ms
3 208.201.224.194 20.41 ms 22.997 ms 23.788 ms
4 208.201.224.5 26.496 ms 23.8 ms 25.752 ms
5 206.24.221.217 26.174 ms 28.077 ms 26.344 ms
6 206.24.210.62 26.484 ms 27.851 ms 25.015 ms
7 206.24.226.103 104.22 ms 114.278 ms 108.575 ms
8 206.24.238.57 99.978 ms 99.028 ms 100.976 ms
9 206.24.238.26 103.749 ms 101.416 ms 101.09 ms
10 216.109.66.132 102.426 ms 104.222 ms 98.675 ms
11 216.33.98.19 99.985 ms 99.618 ms 103.827 ms
12 216.35.210.126 104.075 ms 103.247 ms 106.398 ms
13 64.58.77.41 107.219 ms 106.285 ms 101.169 ms

This means that any server processes running on the client are now
fully available to the Internet, at IP address 208.201.239.33. This
has all happened without making a single change (e.g., port
forwarding) on the gateway 10.42.3.1.

Here's what the new tunnel interface looks like on
the client:

root@client:~# ifconfig tun0
tun0 Link encap:Point-to-Point Protocol 
inet addr:208.201.239.33 P-t-P:208.201.239.32 Mask:255.255.255.255
UP POINTOPOINT RUNNING MULTICAST MTU:1500 Metric:1
RX packets:39 errors:0 dropped:0 overruns:0 frame:0
TX packets:39 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10 
RX bytes:2220 (2.1 Kb) TX bytes:1560 (1.5 Kb)

And here's the updated routing table (note that we
still need to keep a host route to the tunnel
server's IP address via our old default gateway;
otherwise, the tunnel traffic can't get
out):

root@client:~# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
208.201.239.5 10.42.3.1 255.255.255.255 UGH 0 0 0 eth2
208.201.239.32 * 255.255.255.255 UH 0 0 0 tun0
10.42.3.0 * 255.255.255.192 U 0 0 0 eth2
10.42.4.0 * 255.255.255.192 U 0 0 0 eth0
loopback * 255.0.0.0 U 0 0 0 lo
default 208.201.239.32 0.0.0.0 UG 0 0 0 tun0

To bring down the tunnel, simply kill the vtund
process on client. This restores all network settings back to their
original states.

This method works fine if you trust VTun to use strong encryption and
to be free from remote exploits. Personally, I don't
think you can be too paranoid when it comes to machines connected to
the Internet. To use VTun over
SSH (and therefore rely on the strong
authentication and encryption that SSH provides), simply forward port
5000 on the client to the same port on the server. Give this a try:

root@client:~# ssh -f -N -c blowfish -C -L5000:localhost:5000 server
root@client:~# vtund -p home localhost
root@client:~# traceroute -n yahoo.com
traceroute to yahoo.com (64.58.79.230), 30 hops max, 40 byte packets
1 208.201.239.32 24.715 ms 31.713 ms 29.519 ms
2 208.201.239.1 28.389 ms 36.247 ms 28.879 ms
3 208.201.224.194 48.777 ms 28.602 ms 44.024 ms
4 208.201.224.5 38.788 ms 35.608 ms 35.72 ms
5 206.24.221.217 37.729 ms 38.821 ms 43.489 ms
6 206.24.210.62 39.577 ms 43.784 ms 34.711 ms
7 206.24.226.103 110.761 ms 111.246 ms 117.15 ms
8 206.24.238.57 112.569 ms 113.2 ms 111.773 ms
9 206.24.238.26 111.466 ms 123.051 ms 118.58 ms
10 216.109.66.132 113.79 ms 119.143 ms 109.934 ms
11 216.33.98.19 111.948 ms 117.959 ms 122.269 ms
12 216.35.210.126 113.472 ms 111.129 ms 118.079 ms
13 64.58.77.41 110.923 ms 110.733 ms 115.22 ms

In order to discourage connections to vtund on
port 5000 of the server, add a net filter rule to drop connections
from the outside world:

root@server:~# iptables -A INPUT -t filter -i eth0 \
-p tcp --dport 5000 -j DROP

This allows local connections to get through (since they use
loopback), and therefore requires an SSH tunnel to the server before
accepting a connection.

As you can see, this can be an extremely handy tool to have around.
In addition to giving live IP addresses to machines behind a NAT, you
can effectively connect any two networks if you can obtain a single
SSH connection between them (originating from either direction).

If your head is swimming from this vtund.conf
configuration or you're feeling lazy and
don't want to figure out what to change when setting
up your own client's vtund.conf
file, take a look at the automatic
vtund.conf generator [Hack #79] .

Rob Flickenger (Linux Server Hacks)

Network Security Hacks [Electronic resources] نسخه متنی

فارسی

کردی

العربیه

اردو

Türkçe

Русский

English

Français

کانال فیلم من

تبیان من

فایلهای من

کتابخانه من

پنل پیامکی

وبلاگ من

اینجــــا یک کتابخانه دیجیتالی است

با بیش از 100000 منبع الکترونیکی رایگان به زبان فارسی ، عربی و انگلیسی

Network Security Hacks [Electronic resources] - نسخه متنی

Andrew Lockhart

آدرس پست الکترونیک گیرنده :

آدرس پست الکترونیک فرستنده :

نام و نام خانوارگی فرستنده :

پیغام برای گیرنده ( حداکثر 250 حرف ) :

کد امنیتی را وارد نمایید

فونت

اندازه قلم

حالت نمایش

Hack 78 Tunnel with VTun and SSH