Thread: PPTP or PPP over SSH?

  1. PPTP or PPP over SSH?

    I have an application which has a server running at the company's HQ
    and a client at a remote site. Both the server and client are running
    on Linux machines.
    The HQ and remote site are connected over a VPN with only ssh enabled.
    Client and server programs have a strange way to communicate:
    - both server and client can start a TCP connection to the other.
    - They pick almost random TCP ports from a given range.
    - And very important: they need the actual source and destination IP
    addresses to work well.

    So (I think) I need a tool which runs at both the server and the client
    that takes communication directed to the other side, tunneling it over
    ssh to the other side, where it is released with the original source
    and destination IP addresses. It needs to do this for only the given
    range of TCP ports.

    I spent the afternoon googling for terms like VPN, tunneling and SSH
    and found that PPTP or PPP over SSH might be the solution.

    Can the above be realized by PPTP or PPP over SSH, or are there other
    options?

    Thanks

    Ray


  2. Re: PPTP or PPP over SSH?


    On 23 Feb 2006 06:58:37 -0800, r_vanbeek@hotmail.com wrote:

    >I have an application which has a server running at the company's HQ
    >and a client at a remote site. Both the server and client are running
    >on Linux machines.
    >The HQ and remote site are connected over a VPN with only ssh enabled.
    >Client and server programs have a strange way to communicate:
    >- both server and client can start a TCP connection to the other.
    >- They pick almost random TCP ports from a given range.
    >- And very important: they need the actual source and destination IP
    >addresses to work well.
    >
    >So (I think) I need a tool which runs at both the server and the client
    >that takes communication directed to the other side, tunneling it over
    >ssh to the other side, where it is released with the original source
    >and destination IP addresses. It needs to do this for only the given
    >range of TCP ports.
    >
    >I spent the afternoon googling for terms like VPN, tunneling and SSH
    >and found that PPTP or PPP over SSH might be the solution.
    >
    >Can the above be realized by PPTP or PPP over SSH, or are there other
    >options?
    >
    >Thanks
    >Ray



    Suggested reading. "Why TCP Over TCP Is A Bad Idea" by Olaf Titz.

    http://sites.inka.de/sites/bigred/devel/tcp-tcp.html

  3. Re: PPTP or PPP over SSH?


    Anonymous wrote:
    >
    > Suggested reading. "Why TCP Over TCP Is A Bad Idea" by Olaf Titz.
    >
    > http://sites.inka.de/sites/bigred/devel/tcp-tcp.html


    Thanks,

    I already read that, but it did not help me in selecting (another)
    right protocol.

    Any help appreciated though...

    Ray


  4. Re: PPTP or PPP over SSH?

    On 2006-02-23, r_vanbeek@hotmail.com wrote:
    >
    > Anonymous wrote:
    >> Suggested reading. "Why TCP Over TCP Is A Bad Idea" by Olaf Titz.
    >> http://sites.inka.de/sites/bigred/devel/tcp-tcp.html


    Actually that should be "Why TCP over IP over TCP..." (more on why later).

    You could probably mitigate some of the potential problems by configuring
    the SSH connection to be sensitive to network failures (e.g. by setting
    ClientAliveInterval to a couple of seconds and ClientAliveIntervalMax to 1
    or 2).

    In theory this would cause it to look more like a "lossy" link to the
    upper TCP during brief network problems or congestion. It's probably
    unusable on links with consistently high packet loss, though.

    > I already read that, but it did not help me in selecting (another)
    > right protocol.


    Can you SOCKSify your app (either directly, via LD_PRELOAD or via the
    system's stack itself)? If so then you could use DynamicForwards.

    [now it gets weird]

    On a slightly related note, here's a neat hack from the I'm
    amazed-that-it-works dept (absolutely not a production-quality solution,
    though :-)

    You can stack pppd, slirp (anyone remember slirp?) and SSH dynamic (SOCKS)
    forwarding. It sounds insane but I just tried it and it works for TCP
    connections: you can transparently tunnel them over SSH as direct-tcpip
    channel requests.

    For those that aren't familiar with it, slirp is a Unix app that looks
    like a SLIP or PPP interface on one side but a regular(ish) Unix network
    application on the other. It basically implements a little TCP/IP
    stack and reassembles TCP connections (and UDP packets) then makes the
    equivalent connect/bind/whatever calls on the Unix host. It was used
    quite a bit back in the dark days before dialup SLIP/PPP services were
    common.

    Anyway, I built a socksified slirp binary (using dante socks), ran it
    under pppd, configured socks.conf to send socksified connections via an
    ssh DynamicForward and added a route to ppp0.

    Amazingly, this kinda worked. Making a connection to something down
    that route results in:

    app -TCP/IP-> ppp0 -> slirp -SOCKS-> ssh -tunnel-> sshd -> TCP -> server

    The TCP connections travel over the SSH tunnel as port forward requests
    and without the extra IP layer that may cause the problems described.
    UDP services don't work, though.

    In case anyone else is nutty enough to try this, the recipe I used is:

    ssh: ssh -D1080 somehost
    dante: standard install, configured to forward via localhost:1080
    slirp: CFLAGS="-include socks.h" LIBS="-ldsocks" ./configure
    pppd: /usr/sbin/pppd debug nodetach pty "slirp -P"

    --
    Darren Tucker (dtucker at zip.com.au)
    GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.
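    The SOCKS5 CONNECT exchange (RFC 1928) that a SOCKSified app performs
    against an ssh -D DynamicForward, as an added example that is not part of
    this thread or of any poster's code; it assumes ssh -D1080 listening on
    127.0.0.1:1080 and a hypothetical destination host. The destination
    address travels inside the SOCKS request, but the server sees the
    connection originate from the sshd host, not from the client's own IP.

```python
import socket
import struct

# Added example: a minimal SOCKS5 client, the protocol ssh -D speaks locally.
# Assumption: the dynamic forward is at 127.0.0.1:1080 (ssh -D1080 somehost).
PROXY = ("127.0.0.1", 1080)


def build_connect_request(host: str, port: int) -> bytes:
    """SOCKS5 CONNECT request for an IPv4 literal (ATYP 1) or hostname (ATYP 3).

    Using ATYP 3 lets sshd resolve the name on the far side of the tunnel.
    """
    try:
        addr = socket.inet_aton(host)          # dotted quad -> 4 raw bytes
        atyp = b"\x01"
    except OSError:                            # not an IPv4 literal: send the name
        raw = host.encode("idna")
        if len(raw) > 255:
            raise ValueError("hostname too long for SOCKS5")
        atyp = b"\x03" + bytes([len(raw)])
        addr = raw
    # VER=5, CMD=1 (CONNECT), RSV=0, ATYP, DST.ADDR, DST.PORT (network order)
    return b"\x05\x01\x00" + atyp + addr + struct.pack("!H", port)


def parse_connect_reply(data: bytes) -> tuple:
    """Return (status, bound_host, bound_port); status 0 means succeeded."""
    if len(data) < 4 or data[0] != 5:
        raise ValueError("not a SOCKS5 reply")
    status, atyp = data[1], data[3]
    if atyp == 1:                              # IPv4 bound address
        host, rest = socket.inet_ntoa(data[4:8]), data[8:]
    elif atyp == 3:                            # domain name
        n = data[4]
        host, rest = data[5:5 + n].decode(), data[5 + n:]
    elif atyp == 4:                            # IPv6 bound address
        host, rest = socket.inet_ntop(socket.AF_INET6, data[4:20]), data[20:]
    else:
        raise ValueError(f"unknown ATYP {atyp}")
    (port,) = struct.unpack("!H", rest[:2])
    return status, host, port


def socks5_connect(dst_host: str, dst_port: int, proxy=PROXY) -> socket.socket:
    """Open a TCP connection to dst via the ssh -D forward and return the socket."""
    s = socket.create_connection(proxy)
    s.sendall(b"\x05\x01\x00")                 # greeting: one method, NO AUTH (what ssh -D offers)
    if s.recv(2) != b"\x05\x00":
        s.close()
        raise ConnectionError("proxy did not accept no-auth")
    s.sendall(build_connect_request(dst_host, dst_port))
    status, _, _ = parse_connect_reply(s.recv(262))   # 262 = max reply size with ATYP 3
    if status != 0:
        s.close()
        raise ConnectionError(f"SOCKS5 CONNECT failed, REP={status}")
    return s                                   # from here on it is a plain stream to dst
```

    The returned socket can be used like any connected TCP socket; a REP of
    5 (connection refused) or 4 (host unreachable) from sshd usually means
    the far end could not reach the destination you named.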

  5. Re: PPTP or PPP over SSH?

    >>>>> "RV" == r vanbeek writes:

    RV> Anonymous wrote:
    >> Suggested reading. "Why TCP Over TCP Is A Bad Idea" by Olaf Titz.
    >>
    >> http://sites.inka.de/sites/bigred/devel/tcp-tcp.html


    RV> Thanks,

    RV> I already read that, but it did not help me in selecting (another)
    RV> right protocol.

    OpenVPN might help you (openvpn.net).

    --
    Richard Silverman
    res@qoxp.net