SSH: The VPN No One Remembers



For anyone who doesn't know about VPNs, it's basically the ability to use your server's resources (drives, sometimes bandwidth, etc.) remotely. So, for example, say you want to mount your server's /dev/sda6 partition on your home PC. You can use a VPN to do this, and you'll be able to browse all of those files from the luxury of your home PC.

I'm sure everyone is aware of what SSH (specifically OpenSSH) is, especially since there's been a lot of discussion about it on as of late. But I don't know if many people realize just how powerful SSH can be. Used right, a regular SSH server becomes a non-resource-intensive, very much free VPN server. While it won't be as robust as, say, OpenVPN, it's definitely better than buying a whole new server just for VPN functionality, and SSH can mount remote directories as well using sshfs.

How To Start

This guide is pretty short because the steps are rather easy. It does assume you already have a working SSH install, however. What we are going to do is take that install and build on it.

What I did personally for my setup, because I wanted to have two different access lists, was create a new SSH config file. For this, I just did the following:
cp /etc/ssh/sshd_config /etc/ssh/proxy_config

The reason for doing this is that I wanted to keep my regular SSH configuration separate from the proxy (and thus have two instances of SSH running, but the footprint is very minimal). I took all of the commented-out lines out of the new proxy_config. Below are the most important parts to focus on:

Port ####

Of course, change the "####" part, but make sure it is a different port from the one the regular SSH server listens on.

PermitRootLogin no

You should never have this enabled to begin with, and just in case you flub up your proxy account creation, you'll want to make sure nothing bad can happen.

PermitTunnel yes

I'm kind of on the fence about this one personally; it used to work without needing this, but now it's needed. Basically this lets you bind to the SSH server and make it act as a proxy server of sorts.

AllowUsers user1 user2 etc...
AllowGroups group1 group2 etc...

You can use one or both of these, but I'd highly recommend against leaving both out (as then anyone could log in). This is the meat and bones of the ACL of this proxy system. For the joy of not breaking anything, I only used AllowGroups and set it to my proxy group. Basically what happens is that SSH checks this list for each user authentication request, and if the user isn't listed (or isn't in one of the listed groups), SSH says "no entry!" and refuses the connection.


Now, assuming you made the appropriate changes to your firewall(s) and created any needed accounts or groups (it is highly advisable NOT to assign the proxy user a shell, by the way), you should be ready to go. You can either copy and edit the startup script in a similar fashion to the sshd_config file, or simply run this command:

/usr/sbin/sshd -f /etc/ssh/proxy_config
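As an added example (not from the original post), here is a small POSIX shell helper that writes the stripped-down proxy config described above and sanity-checks the ACL before the second sshd instance is started: the port must differ from the regular sshd, PermitRootLogin must be no, and at least one of AllowUsers/AllowGroups must be present. The config path, PID file path and the group name "sshproxy" are assumptions.

```shell
#!/bin/sh
# Added example: generate and check a second-instance sshd config for
# SOCKS proxy use. Paths and the group "sshproxy" are assumed values.

# Write the minimal proxy config to $1. $2 = port for the proxy
# instance, $3 = group whose members may connect (AllowGroups ACL).
render_proxy_config() {
    cat > "$1" <<EOF
# Second sshd instance used only as a SOCKS proxy (ssh -D)
Port $2
PidFile /run/sshd_proxy.pid
PermitRootLogin no
PermitTunnel yes
# ssh -D relies on TCP forwarding (default yes); PermitTunnel
# governs tun-device (-w) tunnels, so both are stated explicitly here.
AllowTcpForwarding yes
X11Forwarding no
AllowGroups $3
EOF
}

# Return 0 if $1 satisfies the ACL rules from the post, 1 otherwise.
# $2 = port of the regular sshd (the two instances must not clash).
check_proxy_config() {
    cfg=$1
    main_port=$2
    port=$(awk 'tolower($1)=="port"{print $2}' "$cfg")
    if [ -z "$port" ] || [ "$port" = "$main_port" ]; then
        echo "check: Port missing or clashes with main sshd" >&2
        return 1
    fi
    if ! grep -Eiq '^PermitRootLogin[[:space:]]+no[[:space:]]*$' "$cfg"; then
        echo "check: PermitRootLogin must be no" >&2
        return 1
    fi
    if ! grep -Eiq '^Allow(Users|Groups)[[:space:]]+[^[:space:]]' "$cfg"; then
        echo "check: no AllowUsers/AllowGroups, anyone could log in" >&2
        return 1
    fi
    return 0
}

# Validate with sshd's own parser, then start the proxy instance.
start_proxy_sshd() {
    check_proxy_config "$1" "$2" || return 1
    /usr/sbin/sshd -t -f "$1" && /usr/sbin/sshd -f "$1"
}
```

Typical use: `render_proxy_config /etc/ssh/proxy_config 9999 sshproxy && start_proxy_sshd /etc/ssh/proxy_config 22`.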

Side Note

Before continuing, I'd like to say something. If you decide to go the more flexible route and just copy and edit the SSH startup script, make sure you edit the PIDFILE variable and whatever you name the pid (i.e., make sure you copy and rename the SSH file in /etc/conf.d/sshd to match as well). For example, if the pid is, your command will look like:

cp /etc/conf.d/sshd /etc/conf.d/sshd_proxy

Then edit that file to change the name of the SSH config file. This might sound confusing, but when you look at it, it makes a lot more sense, I promise.

Connecting Remotely

Your SSH proxy all set up? The proxy running on the correct port? Good, now the coup de grâce. Fire up a terminal and run the following command:

ssh -fND localhost:local_port_number -p port_proxy_is_running_on proxy_username@remote_server_hostname_or_ip

After making the appropriate substitutions, this will run the connection in the foreground (remove the "f" to make it run in the background; this is done to make sure everything runs smoothly). If all goes well, you'll see nothing happen, as in it'll look like it's hung or frozen. For local_port_number, choose one that isn't in use and is higher than 1024. What you do now is use hostname localhost and port local_port_number (whatever it may be) as the proxy for any programs you want to connect through it (browser, IM client, e-mail program, etc.).

Just like any other proxy, the data for any programs using this proxy will be fed to the proxy server, so programs will always see the proxy's IP address as being yours. So for example, say we want to use local port 5555, the proxy is listening on port 9999, the proxy username is bob, and the server IP is The command will look like this:
ssh -fND localhost:5555 -p 9999 bob@remote_server_ip
