ssh-based vpn and routing question.

George Hartzell hartzell at alerce.com
Mon Feb 13 13:57:51 PST 2006


I'm trying to set up an ssh-based vpn between a 6.0-STABLE laptop and
a remote server (I've tried it to both 6.0-STABLE and 5.3-STABLE).

I can bring up a ppp link via an ssh tunnel and each side can ping the
address of the other side of the tunnel.

I would like to route all traffic from my laptop to the server's real
address (a routable static ip address from my ISP) so that it goes
across the tunnel instead (e.g. to tunnel through a firewall that
allows ssh but doesn't pass pop3s connections and the powers that be
don't want to touch the firewall rules but are ok w/ the tunnel...).

I've tried just adding a static host route pointing to the server end
of the ppp link, but that doesn't work (via "route add" and ppp's "add"
command).

** Not only can I not ping the server's static ip address, but I can no
longer ping its end of the ppp link. **

When I remove the route I eventually regain the ability to ping the
remote end of the ppp link; the waiting time seems to be proportional
to how long I let the ping run while I had the route in place.

In order to test my sanity I tried to do it in reverse.  Once the link
was up I ssh'ed in to the server, added a route to the outside address of
the laptop (which happened to be a 10.xxx.yyy.zzz address) via the
laptop end of the ppp link.  I was able to ping both the laptop's
outside 10.x addr and its end of the ppp link.

I tried setting net.inet.ip.forwarding=1 and it didn't make things
work in the server case, nor did it break the sanity-checking laptop
case.

I've tried this on both an older (sigh...) 5.3-STABLE server and a
recent 6.0-STABLE server.  They both behave identically.

There are no firewalls running on any of the freebsd boxes.

At this point I'm assuming that ppp is doing something asymmetric, but
I am stymied.  The fact that I can do the reverse of what I want is
driving me nuts....

Does anyone have any constructive commentary?

Thanks,

g.
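The following is an added example, not part of the original post or any reply to it. It models one common way a host route over an ssh-carried tunnel can kill the tunnel itself: the ssh session that carries the ppp link is a TCP connection to the server's real address, so a host route that sends that address into the ppp interface also sends the tunnel's own transport packets into the tunnel, and nothing leaves the machine. The code does longest-prefix lookup over a routing table and checks, before a route is installed, whether it would capture the tunnel's transport endpoint. All addresses, interface names (em0, tun0) and the second server alias are constructed for the example; the routing-table shape is simplified and the diagnosis is offered as a hypothesis about the symptom, not as the poster's own finding.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    gateway: Optional[str]   # next hop address, or None when directly connected
    iface: str               # interface the kernel would transmit on


def host_route(cidr: str, gateway: Optional[str], iface: str) -> Route:
    """Build a Route from strings (convenience for tables and tests)."""
    return Route(ipaddress.ip_network(cidr, strict=False), gateway, iface)


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match over the table, the way a BSD or Linux kernel
    selects a route; returns None if no prefix covers dst."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table if addr in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def route_captures_transport(table: List[Route], new_route: Route,
                             transport_dst: str, tunnel_iface: str) -> bool:
    """True if installing new_route would make packets addressed to
    transport_dst (the peer of the TCP session that carries the tunnel)
    exit through the tunnel interface itself, i.e. a self-referential
    tunnel route that stalls the tunnel."""
    chosen = lookup(table + [new_route], transport_dst)
    return chosen is not None and chosen.iface == tunnel_iface


# Constructed laptop routing table: default via a 10.x gateway on em0,
# plus the ppp peer reachable directly on tun0 once the ssh tunnel is up.
TUNNEL_PEER = "192.168.250.2"
LAPTOP_TABLE = [
    host_route("0.0.0.0/0", "10.0.0.1", "em0"),
    host_route("10.0.0.0/24", None, "em0"),
    host_route(TUNNEL_PEER + "/32", None, "tun0"),
]

# Constructed server addresses: the one ssh connects to, and a second alias
# that could carry the tunnelled services instead (an assumption, not
# something the original post describes).
SERVER_IP = "203.0.113.10"
SERVER_ALIAS = "203.0.113.11"


def check_plan(route: Route) -> str:
    """Human-readable verdict for a proposed route, using the laptop table
    and the ssh transport destination SERVER_IP."""
    if route_captures_transport(LAPTOP_TABLE, route, SERVER_IP, "tun0"):
        return (f"refuse {route.prefix} via {route.iface}: it would route the "
                f"ssh transport to {SERVER_IP} into the tunnel it carries")
    return f"ok: {route.prefix} via {route.iface} leaves the ssh transport on em0"


if __name__ == "__main__":
    # The route from the post: the server's real address via the ppp peer.
    print(check_plan(host_route(SERVER_IP + "/32", TUNNEL_PEER, "tun0")))
    # A route to a different server address does not touch the transport.
    print(check_plan(host_route(SERVER_ALIAS + "/32", TUNNEL_PEER, "tun0")))
```

Run as a script it prints a "refuse" line for the host route to the server's real address and an "ok" line for the alias. The check generalizes beyond ssh: any route whose prefix covers the outer endpoint of the tunnel that carries it (IPsec, WireGuard, GRE over UDP) has the same failure mode, and the symptom of the tunnel peer becoming unreachable only while the route is installed is what to look for.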

