Setting up a Layer 3 VPN tunnel with SSH


Commercial VPN solutions can be deployed to allow outside access to a network from Windows PCs. However, these solutions frequently don't work with Linux PCs.

The firewall at my work allows outgoing ssh connections. So for several years, I have been using a "reverse ssh tunnel" based on the old local and remote port forwarding capabilities of ssh. However, this approach is high maintenance and doesn't easily allow the forwarding of more complex protocols, e.g., to provide access to an internal AFS server.

I recently installed Fedora 7 on my home and work computers and noted with interest the VPN tunneling support that openssh version 4.3 and greater provides. This note describes how I've set up layer 3 tunneling (which allows my computer to appear in the IP address space of my work).

My starting point was the description given in This provides a good description of the various aspects of a working layer 3 tunnel. However, it describes a setup where both the work and home computers are behind NAT front ends. In addition, the instructions are somewhat specific to Ubuntu instead of Fedora.


There are 4 scripts which you can download here Read on for a desciption of how to use these scripts.


I have root access to my work and home desktop computers. Both computers have public IP numbers (no private or NAT network). The firewall at work permits outgoing ssh connections. The goal is to use openssh to connect to my home from work and to set up a tunnel so that my home computer is on the work network.

This turned out to be impossible (as far as I can tell) unless I installed a second network interface on my work computer (with its own IP address in the work network) and routed the initial outgoing ssh connection through this second interface. This was the magic that allowed tunneling to work.

So here are the requirements for the method described here to work:

I use Fedora 7 on both computers. The same technique should work with minor modifications for other Linux distributions.

My work and home IP numbers are public. However, this is not essential. Everything should work the same if either or both networks are private provided you can establish an ssh connection from HOSTA to HOSTB. (This will require redirection of port 22 if HOSTB is on a private network.) In addition, you'll have to take steps to use your work DNS to get the private work IP names resolved.



Charles Karney (2007-10-12)
Back to main page.