# SSH VPN routing/NAT for Road Warrior?



## Blobule (Jan 7, 2014)

I am trying to configure an SSH VPN (using its -w option) to secure my FreeBSD laptop's Internet connection whilst on the road. So far I have the actual VPN connection, but I am quite confused as to how I should best go about doing the routing required to route all of the laptop's traffic through the VPN.

The current configuration is very simple, FreeBSD laptop connecting to FreeBSD server:

Laptop, re0: 192.168.1.2, gateway: 192.168.1.1, tun0: 10.0.3.2

Laptop, /root/.ssh/config:

```
Host FreeBSDServer
  HostName 22.22.22.22
  User root
  IdentityFile ~/.ssh/id_rsa
  Tunnel yes
  TunnelDevice 0:any
  PermitLocalCommand yes
  LocalCommand /bin/echo > /dev/tun0; /sbin/ifconfig tun0 10.0.3.2/30 10.0.3.1
```
Server, em0: 22.22.22.22, Gateway: 22.22.22.1, tun0: 10.0.3.1

Server, /root/.ssh/authorized_keys:

```
tunnel="0",command="/sbin/ifconfig tun0 10.0.3.1/30 10.0.3.2" ssh-rsa <PUBLIC KEY HERE> == me@Laptop
```

The tunnel is created when SSH'ing to the server and the machines can ping each other via 10.0.3.1 and 10.0.3.2, but I am unsure how best to proceed in order to get all of the laptop's traffic going via the server.

On the laptop I can add a route to the server via the laptop's existing gateway (22.22.22.22 via 192.168.1.1), then change the laptop's default route to the tunnel IP of the FreeBSD server (10.0.3.1). This results in traffic being passed to the VPN; after setting `sysctl net.inet.ip.forwarding=1` I can see ICMP requests on the server via tcpdump on both em0 and tun0, but no ICMP replies.

What is the best way to finish this? I assume I need some form of NAT, for example using pf or natd.

If anyone can provide me with some examples I would be extremely grateful!


----------



## Blobule (Jan 7, 2014)

I now seem to have a working setup doing NAT via pf.

I have added two route changes to the LocalCommand section of the laptop's /root/.ssh/config.

On the laptop:

Add the additional routes in /root/.ssh/config:

```
Host FreeBSDServer
  HostName 22.22.22.22
  User root
  IdentityFile ~/.ssh/id_rsa
  Tunnel yes
  TunnelDevice 0:any
  PermitLocalCommand yes
  LocalCommand /bin/echo > /dev/tun0; /sbin/ifconfig tun0 10.0.3.2/30 10.0.3.1; /sbin/route add -host 22.22.22.22 192.168.1.1; /sbin/route change default 10.0.3.1
```
On the Server:

Enable IP forwarding (`sysctl net.inet.ip.forwarding=1`) and in /etc/sysctl.conf:

```
net.inet.ip.forwarding=1
```
Configure NAT in /etc/pf.conf:

```
nat on em0 from 10.0.3.2 to any -> (em0)
```
If anyone can point out any glaring errors, or has any suggestions please post them!

What other methods could be used if pf was not available?
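A laptop-side wrapper for the setup described in this post, as an added example rather than code from the original thread: it reads the LAN gateway out of `route -n get default` before the routes are swapped, builds the same LocalCommand the config above uses (host route to the server first, then the default route change), refuses to start when the default route already points at the tunnel (a previous session that died without cleanup), and restores the routes when ssh exits or is interrupted. The addresses, the `FreeBSDServer` Host alias and the tun0 name are assumptions taken from the thread; the sample `route -n get default` output is constructed for the self-check.

```shell
#!/bin/sh
# sshvpn.sh (laptop side): wrap the ssh -w tunnel so the LAN gateway is
# remembered before the default route is moved into the tunnel, and restored
# again when ssh exits. Added example, not code from the original posts.
# Assumed to match the thread: server 22.22.22.22, tunnel 10.0.3.0/30, and a
# "FreeBSDServer" entry in ~/.ssh/config with "Tunnel yes" / "TunnelDevice 0:any".

SERVER=22.22.22.22        # public address of the SSH server (assumed)
TUN_LOCAL=10.0.3.2        # laptop end of tun0
TUN_REMOTE=10.0.3.1       # server end of tun0, becomes the new default gateway
SSH_HOST=FreeBSDServer    # Host alias in ~/.ssh/config (assumed)

# Constructed sample of `route -n get default` output on FreeBSD, for the self-check.
SAMPLE_ROUTE_GET='   route to: default
destination: default
       mask: default
    gateway: 192.168.1.1
        fib: 0
  interface: re0
      flags: <UP,GATEWAY,DONE,STATIC>'

# Pull the gateway address out of `route -n get default` output (FreeBSD format).
gateway_from_route_get() {
    awk '$1 == "gateway:" { print $2; exit }'
}

# Only start with a real LAN gateway. If the default route already points at
# the tunnel, an earlier session died without cleanup; "restoring" 10.0.3.1
# later would leave the laptop with a dead default route.
lan_gateway_ok() {
    [ -n "$1" ] && [ "$1" != "$TUN_REMOTE" ]
}

# Laptop-side commands in the only order that works: the host route to the
# server must exist before the default route is moved into the tunnel,
# otherwise the SSH session's own packets would be routed into the tunnel.
up_commands() {
    printf '%s\n' \
        "/sbin/ifconfig tun0 $TUN_LOCAL/30 $TUN_REMOTE" \
        "/sbin/route add -host $SERVER $1" \
        "/sbin/route change default $TUN_REMOTE"
}

# Undo in reverse: default route back to the LAN gateway, drop the host route,
# destroy the tun interface that ssh(1) created.
down_commands() {
    printf '%s\n' \
        "/sbin/route change default $1" \
        "/sbin/route delete -host $SERVER" \
        "/sbin/ifconfig tun0 destroy"
}

# One-line form for ssh's LocalCommand option (run once the tunnel is up).
local_command() {
    up_commands "$1" | paste -s -d ';' -
}

# Execute commands read from stdin, one per line, echoing each to stderr.
run_each() {
    while IFS= read -r cmd; do
        echo "+ $cmd" >&2
        $cmd
    done
}

cleanup() {
    [ -n "${CLEANED:-}" ] && return   # run the teardown only once
    CLEANED=1
    down_commands "$gw" | run_each
}

vpn_session() {
    gw=$(route -n get default | gateway_from_route_get)
    lan_gateway_ok "$gw" || { echo "no usable LAN gateway (got '$gw')" >&2; return 1; }
    trap cleanup INT TERM EXIT
    # ssh -N holds the session open; LocalCommand configures tun0 and the routes
    # after the tunnel exists. When ssh returns, the EXIT trap restores the routes.
    ssh -N -o PermitLocalCommand=yes -o "LocalCommand=$(local_command "$gw")" "$SSH_HOST"
}

case "${1:-}" in
    up) vpn_session ;;
    "") ;;                                  # no argument: only define the functions
    *)  echo "usage: $0 up" >&2; exit 64 ;;
esac
```

Run it as root with `sshvpn.sh up` (opening /dev/tun0 needs root, which is why the thread keeps the config under /root). Two checks worth making on this layout: the server's pf rule only takes effect once pf is running and the rule set is loaded (`pf_enable="YES"` in /etc/rc.conf, then `pfctl -f /etc/pf.conf`), and the LAN prefix 192.168.1.0/24 stays a directly connected route on the laptop, so any DNS resolver on that LAN is still queried in the clear outside the tunnel; point /etc/resolv.conf at a resolver reachable through the tunnel while connected. Since the key in authorized_keys logs in as root, adding `no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding` next to the `tunnel="0",command=...` options limits that key to the tunnel alone.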


----------



## Zare (Jan 7, 2014)

ipfw(8) in conjunction with natd(8) is another option.


----------

