8 December 2006

Making IP Tunnel over SSH

Posted at 01:14

As long as I’ve been a TelkomSpeedy customer, I’ve never been able to log on to any IM service. Yahoo! Messenger, MSN Messenger, Jabber, ICQ, AIM: none of them worked. I’m not alone; other Speedy customers like Devi and Tya have experienced the same problem. I’m still curious why they chose to filter all IM traffic on their router.

They do allow SSH though, and this is how I managed to ‘fix’ the problem by redirecting IM traffic over an SSH tunnel.

First, the prerequisite. I need a server that is directly connected to the Internet, and root access to it. This may be a tough requirement for casual users, but thankfully I do have root access on several dozen servers.

Second, I need to prepare the server for NAT. For my intents and purposes, this server will act as a (second) gateway for my computer. This needs to be done on the server:

# Start from a clean NAT table.
iptables --table nat --flush
iptables --table nat --delete-chain
# Rewrite the source address of everything leaving on eth0 (the Internet-facing interface) to the server's own address.
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
# Allow packets arriving from the tunnel (ppp+) to be forwarded; replies coming back on eth0 rely on the FORWARD chain's default policy being ACCEPT.
iptables --append FORWARD --in-interface ppp+ -j ACCEPT
# Turn on IP forwarding in the kernel.
echo 1 > /proc/sys/net/ipv4/ip_forward

Not much different from my usual NAT setup, except this time it is the other way around: --out-interface is now eth0, and --in-interface is now ppp+, because eth0 is the interface connected directly to the Internet, and ppp0 becomes the link between the server and my computer.

And now, to create the tunnel itself. This needs to be done on my computer:

/usr/sbin/pppd updetach noauth silent nodeflate pty \
        "/usr/bin/ssh root@server.example.com /usr/sbin/pppd \
        nodetach notty noauth" ipparam vpn 10.0.0.1:10.0.0.2

Replace server.example.com with the real server name. This should create a new ppp0 interface on both the server and my computer. I should now be able to ping 10.0.0.2 and get a reply.

Next, I need to modify my routes. First I need a dedicated route to the server via my current gateway, so that the SSH session carrying the tunnel isn’t itself sent into the tunnel and dropped:

route add server.example.com gw 192.168.1.1

where server.example.com is the server hostname and 192.168.1.1 is my current gateway. Second, I need to change my default gateway to the tunnel:

route del default
route add default gw 10.0.0.2

All done: now all traffic is sent through my server. Any connection originating from my computer is translated by the server, and the destination sees the server, not my computer, as the origin of the connection.
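The client-side steps above, as an added example that is not part of the original post: a small POSIX shell script that runs them in a safe order (the host route to the server is pinned before the default route is swapped, so the SSH session carrying the tunnel is never routed into the tunnel itself) and undoes them in reverse. It uses the post's placeholder hostname and addresses as assumptions, and only prints the commands unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not from the original post. Brings the pppd-over-ssh tunnel up
# (and down) from the client side. The host route to the server is pinned via
# the real gateway before the default route is swapped, so the SSH session that
# carries the tunnel is never routed into the tunnel itself.
# Names and addresses are the post's placeholders; change them for a real setup.
SERVER="${SERVER:-server.example.com}"   # NAT gateway reachable over SSH
LOCAL_GW="${LOCAL_GW:-192.168.1.1}"      # current default gateway (ISP router)
LOCAL_IP="${LOCAL_IP:-10.0.0.1}"         # tunnel address on this computer
REMOTE_IP="${REMOTE_IP:-10.0.0.2}"       # tunnel address on the server
DRY_RUN="${DRY_RUN:-1}"                  # 1 = only print commands, 0 = run them

# Echo a command, then run it unless DRY_RUN=1 (lets the plan be reviewed first).
run() {
    echo "+ $*"
    [ "$DRY_RUN" = 1 ] || "$@"
}

tunnel_up() {
    # 1. Pin the route to the server via the real gateway before anything else.
    run route add -host "$SERVER" gw "$LOCAL_GW"
    # 2. Start pppd; its pty is an ssh session running pppd on the server.
    run /usr/sbin/pppd updetach noauth silent nodeflate pty \
        "/usr/bin/ssh root@$SERVER /usr/sbin/pppd nodetach notty noauth" \
        ipparam vpn "$LOCAL_IP:$REMOTE_IP"
    # 3. Only now point the default route at the tunnel endpoint.
    run route del default
    run route add default gw "$REMOTE_IP"
}

# Undo in reverse order, so the machine is never left without a default route.
# (pppd itself goes away when its ssh session is closed or the process is killed.)
tunnel_down() {
    run route del default
    run route add default gw "$LOCAL_GW"
    run route del -host "$SERVER" gw "$LOCAL_GW"
}

case "${1:-up}" in
    down) tunnel_down ;;
    *)    tunnel_up ;;
esac
```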

Please note that tonight they already fixed the problem and for the first time I can run IM without tunneling. I don’t know if my little chat with KWW yesterday has anything to do with this :).
