SSH VPN

Problem: a server (referred to as the client in what follows) needed a public IPv4 address. The home connection had Dual-Stack Lite with no upgrade path. Solution: a "vServer" with an additional IP was rented, and the traffic is forwarded transparently through a VPN and a virtual network interface. Both systems ran OpenBSD.

vServer:

# nano /etc/ssh/sshd_config
...
PermitRootLogin yes
...
Match User root
    PermitTunnel yes
    ForceCommand mv ~/.ssh/authorized_keys ~/.ssh/authorized_keys~
...

# nano /etc/hostname.vio0
Comment out `inet alias 1.2.Public.IP 255.255.255.255`

# nano /etc/hostname.tun0
10.255.255.7 1.2.Public.IP netmask 255.255.255.255

# ifconfig tun0 10.255.255.7 1.2.Public.IP netmask 255.255.255.255

# nano /etc/pf.conf
...
ext_if = "vio0"
ext_ip = "1.2.Public.IP"
rdr_if = "tun0"
rdr_ip = "1.2.Public.IP"
#rdr_ip = "10.1.1.2"
rdr_ports = "{ 1234, 16882, 44666, 32872 }"
tcpudp = "{ tcp, udp }"
pass in on $ext_if proto $tcpudp from any to $ext_ip port $rdr_ports rdr-to $rdr_ip
#pass out on $rdr_if proto $tcpudp to $rdr_ip port $rdr_ports received-on $ext_if nat-to $rdr_if
# Only needed if the return path used a different gateway.

# pfctl -f /etc/pf.conf
# sysctl net.inet.ip.forwarding=1
# nano /etc/sysctl.conf
net.inet.ip.forwarding=1

Client:

# ssh-keygen -t ed25519 -C `hostname`
Your identification has been saved in /root/.ssh/id_ed25519.
Your public key has been saved in /root/.ssh/id_ed25519.pub.
The key fingerprint is:
SHA256:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX sw2
# cat /root/.ssh/id_ed25519.pub
Copy the output into /root/.ssh/authorized_keys on the server.

# nano /etc/hostname.tun0
1.2.Public.IP 10.255.255.7 netmask 255.255.255.255
!route add default 10.255.255.7

# nano /etc/hostname.re0
Comment out `!route add default 192.168.0.254`

# pkg_info -Q autossh
# pkg_add autossh-1.4e

# nano /etc/rc.d/autossh_vpn_v4
#!/bin/sh
daemon="/usr/local/bin/autossh"
daemon_flags="-M0 -f -2 -q -N \
    -o ServerAliveCountMax=2 \
    -o ServerAliveInterval=31 \
    -o ExitOnForwardFailure=yes \
    -w 0:0 \
    server.example.com -p 11226"
export AUTOSSH_PIDFILE="/var/run/autossh_vpn_v4.pid"

. /etc/rc.d/rc.subr

rcexec="su -c ${daemon_class} -s /bin/sh ${daemon_user} -c"
rc_reload=NO
rc_check() {
    ps -p `cat $AUTOSSH_PIDFILE`
}
rc_stop() {
    kill `cat $AUTOSSH_PIDFILE`
}
rc_cmd $1

# chmod 555 /etc/rc.d/autossh_vpn_v4
# nano /etc/rc.conf.local
pkg_scripts="autossh_vpn_v4 ..."
# /etc/rc.d/autossh_vpn_v4 start
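The vServer's sshd_config above relies on a Match block so that PermitTunnel and the ForceCommand apply to root only. As an added example (not part of these notes), the following POSIX shell function resolves the value sshd will effectively apply for a given keyword and user, honouring "Match User" and "Match all" blocks the way sshd does, so the config can be checked before sshd is reloaded. The sample config it writes is constructed to mirror the settings above; the function name and the "(default)" marker are this example's own.

```shell
# Resolve the value sshd applies for keyword $3 and user $2 in config file $1.
# sshd semantics: a matching Match block overrides the global section, a
# non-matching block is skipped, and per keyword the first value obtained wins.
# Only "Match User ..." and "Match all" criteria are understood (assumption).
effective_sshd_option() {
    cfg=$1; user=$2
    key=$(printf '%s' "$3" | tr '[:upper:]' '[:lower:]')   # keywords are case-insensitive
    awk -v user="$user" -v key="$key" '
        /^[ \t]*#/ || NF == 0 { next }           # skip comments and blank lines
        { kw = tolower($1) }
        kw == "match" {                          # start of a conditional block
            in_match = 1; matched = 0
            for (i = 2; i <= NF; i++) {
                t = tolower($i)
                if (t == "all") matched = 1
                if (t == "user" && i < NF) {     # "User a,b" is a comma list
                    n = split($(i + 1), names, ",")
                    for (j = 1; j <= n; j++) if (names[j] == user) matched = 1
                }
            }
            next
        }
        kw == key {
            $1 = ""; sub(/^[ \t]+/, "")          # value = rest of the line
            if (!in_match && !("g" in val)) val["g"] = $0
            else if (in_match && matched && !("m" in val)) val["m"] = $0
        }
        END {
            if ("m" in val) print val["m"]
            else if ("g" in val) print val["g"]
            else print "(default)"               # not set: sshd built-in default
        }' "$cfg"
}
# Constructed sample mirroring the vServer sshd_config from the notes.
write_sample_sshd_config() {
    cat > "$1" <<'EOF'
PermitRootLogin yes
# tunnel and forced command only for root
Match User root
    PermitTunnel yes
    ForceCommand mv ~/.ssh/authorized_keys ~/.ssh/authorized_keys~
EOF
}
cfg=$(mktemp); write_sample_sshd_config "$cfg"
for u in root alice; do echo "$u: PermitTunnel=$(effective_sshd_option "$cfg" "$u" PermitTunnel)"; done
rm -f "$cfg"
```

Running it prints `root: PermitTunnel=yes` and `alice: PermitTunnel=(default)`, confirming that the tunnel permission does not leak to other accounts.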