Set up a tunnel over ssh and use its internet for VPN clients

I have two CentOS 6.6 x64 VPSes with public IP addresses, for example: 1.1.1.1 and 2.2.2.2
The VPS with 1.1.1.1 is the VPN server
I need to connect 1.1.1.1 to 2.2.2.2 via ssh,
so that the VPN clients on my 1.1.1.1 have the 2.2.2.2 public IP address
How can I do this?

Answer 1

Take a look at the ssh man page, which provides a good example:

man ssh

SSH-BASED VIRTUAL PRIVATE NETWORKS
 ssh contains support for Virtual Private Network (VPN) tunnelling using the tun(4) network pseudo-device, allowing two networks to be joined securely.  The sshd_config(5) configuration option PermitTunnel controls whether the server supports this, and at what level (layer 2 or 3 traffic).

 The following example would connect client network 10.0.50.0/24 with remote network 10.0.99.0/24 using a point-to-point connection from 10.1.1.1 to 10.1.1.2, provided that the SSH server running on the gateway to the remote network, at
 192.168.1.15, allows it.

 On the client:

       # ssh -f -w 0:1 192.168.1.15 true
       # ifconfig tun0 10.1.1.1 10.1.1.2 netmask 255.255.255.252
       # route add 10.0.99.0/24 10.1.1.2

 On the server:

       # ifconfig tun1 10.1.1.2 10.1.1.1 netmask 255.255.255.252
       # route add 10.0.50.0/24 10.1.1.1

 Client access may be more finely tuned via the /root/.ssh/authorized_keys file (see below) and the PermitRootLogin server option.  The following entry would permit connections on tun(4) device 1 from user ``jane'' and on tun device 2 from
 user ``john'', if PermitRootLogin is set to ``forced-commands-only'':

   tunnel="1",command="sh /etc/netstart tun1" ssh-rsa ... jane
   tunnel="2",command="sh /etc/netstart tun2" ssh-rsa ... john

 Since an SSH-based setup entails a fair amount of overhead, it may be more suited to temporary setups, such as for wireless VPNs.  More permanent VPNs are better provided by tools such as ipsecctl(8) and isakmpd(8).

You also have to set up routes to make sure the traffic goes out the correct "interface".

If you are looking for a more permanent setup, you might consider an OpenVPN- or IPsec-based VPN, since they are better suited to this job and more adaptable.

Don't build the VPN with the public IPs as the only IPs in ifconfig; you need to give each server a private network, for example

Server @ 1.1.1.1 - private tun0 IP - 10.0.100.0/28 - 10.0.100.1

Server @ 2.2.2.2 - private tun0 IP - 10.0.200.0/28 - 10.0.200.1

Then route traffic from 10.0.100.1 to 10.0.200.1 and vice versa, respectively.
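As an added example (not part of the original answer), the same procedure written for the question's two hosts with the private addresses the answer suggests, as a POSIX sh script. It assumes Linux iproute2 commands (the man page's BSD-style ifconfig lines do not work on CentOS), root on both ends, and the function names and the DRY_RUN variable are my own.

```shell
#!/bin/sh
# Added example, not from the original answer. Brings up the ssh tun(4)
# point-to-point link between the question's two hosts using the private
# addresses the answer suggests. Linux (CentOS) uses iproute2 syntax; the
# BSD-style "ifconfig tunN A B" lines in the man page excerpt do not apply.
# DRY_RUN=1 (default) only prints each command so it can be reviewed first.
# Both ends must run as root and the server's sshd_config needs PermitTunnel.

REMOTE_HOST="${REMOTE_HOST:-2.2.2.2}"     # ssh server end (from the question)
LOCAL_TUN="${LOCAL_TUN:-0}"               # tun index on the client (1.1.1.1)
REMOTE_TUN="${REMOTE_TUN:-0}"             # tun index on the server (2.2.2.2)
LOCAL_IP="${LOCAL_IP:-10.0.100.1}"        # client end of the link (answer's example)
REMOTE_IP="${REMOTE_IP:-10.0.200.1}"      # server end of the link (answer's example)
LOCAL_NET="${LOCAL_NET:-10.0.100.0/28}"   # private network behind the client
REMOTE_NET="${REMOTE_NET:-10.0.200.0/28}" # private network behind the server
DRY_RUN="${DRY_RUN:-1}"

run() {  # print the command in dry-run mode, otherwise execute it
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Client side (run on 1.1.1.1): open the tunnel, address it, and route the
# server's private network across it.
client_cmds() {
    run ssh -f -w "${LOCAL_TUN}:${REMOTE_TUN}" "root@${REMOTE_HOST}" true
    run ip addr add "$LOCAL_IP" peer "$REMOTE_IP" dev "tun${LOCAL_TUN}"
    run ip link set "tun${LOCAL_TUN}" up
    run ip route add "$REMOTE_NET" via "$REMOTE_IP" dev "tun${LOCAL_TUN}"
}

# Server side (run on 2.2.2.2 once the tunnel exists): the mirror image.
server_cmds() {
    run ip addr add "$REMOTE_IP" peer "$LOCAL_IP" dev "tun${REMOTE_TUN}"
    run ip link set "tun${REMOTE_TUN}" up
    run ip route add "$LOCAL_NET" via "$LOCAL_IP" dev "tun${REMOTE_TUN}"
}

# Check whether an sshd_config text (passed as one string) allows layer-3
# tunnels: PermitTunnel must be "yes" or "point-to-point". The first
# uncommented occurrence wins, and OpenSSH defaults to "no".
permit_tunnel_ok() {
    val=$(printf '%s\n' "$1" | awk '
        tolower($1) == "permittunnel" && !seen { v = tolower($2); seen = 1 }
        END { print (seen ? v : "no") }')
    case "$val" in yes|point-to-point) echo yes ;; *) echo no ;; esac
}

client_cmds
server_cmds
```

Run with DRY_RUN=0 on each host only after reviewing the printed commands; check the server with permit_tunnel_ok "$(cat /etc/ssh/sshd_config)" first.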
