First I will bring up a couple of simple Ubuntu Docker containers. I have already set up VLANs 10 and 20 in my network within Docker using macvlan, so here I'm just assigning them specific IP addresses. You'll also have to run these in privileged mode, or else you won't be able to bring up the tunnel interfaces: creating a tun device needs CAP_NET_ADMIN and access to /dev/net/tun, which a plain container does not get. A narrower alternative to --privileged is --cap-add NET_ADMIN --device /dev/net/tun. You will not need to worry about this unless you are using Docker containers like I am.
docker run -itd --network vlan10 --ip 172.16.10.130 --hostname HOST1 --name HOST1 --privileged basic_host
docker run -itd --network vlan20 --ip 172.16.20.130 --hostname HOST2 --name HOST2 --privileged basic_host
I already have my own user account on the basic_host image, so once the SSH service is started in each container I can SSH straight to them.
docker exec -it HOST1 bash
service ssh start

docker exec -it HOST2 bash
service ssh start
Now I can just ssh to the new hosts directly:
NOTE: You must be root on both hosts to set up this tunnel, because each end creates a new tun interface: the ssh client opens /dev/net/tun on HOST1 and sshd does the same on HOST2. So, sudo up:
jason@HOST1:~$ sudo -s
root@HOST1:~#

jason@HOST2:~$ sudo -s
root@HOST2:~#
Now generate an SSH key pair. You only need to do this on HOST1; its public key then gets pasted into HOST2's /root/.ssh/authorized_keys file.
I just accept all of the defaults and do not set a passphrase. Be aware that this leaves an unencrypted private key that grants root on HOST2 sitting on HOST1's disk. That is fine for a lab; on anything real, protect the key with a passphrase and an agent, or at least limit it with authorized_keys options such as from="172.16.10.130" (restrict the source) and tunnel="0" (pin the tun device number).
root@HOST1:~# ssh-keygen
.....
root@HOST1:~# cat /root/.ssh/id_rsa.pub
Copy the contents into HOST2's /root/.ssh/authorized_keys file. The .ssh directory and the authorized_keys file must be owned by root and not writable by anyone else (700 and 600 is the safe choice), or sshd will silently ignore the file under the default StrictModes yes. The default PermitRootLogin prohibit-password allows root to log in with a key but not with a password, which is exactly what we want here.
Now test that you can ssh (as root) to HOST2 without being asked for a password:
root@HOST1:~# ssh 172.16.20.130
...
root@HOST2:~#
To build the tunnel:
root@HOST1:~# ssh -Nf -w 0:0 172.16.20.130
root@HOST1:~# channel 0: open failed: administratively prohibited: open failed
Note:
-N Do not execute a remote command; we only want the tunnel, not a shell.
-f Tells ssh to go to the background once it has authenticated, so you get your prompt back.
-w 0:0 Requests a layer-3 tunnel using tun0 on the local side and tun0 on the remote side (the syntax is local_tun:remote_tun; "any" lets ssh pick the next free device).
Doesn't work: sshd on HOST2 refuses the tunnel channel because PermitTunnel is at its default of no.
Add the line below to /etc/ssh/sshd_config on HOST2. Note that sshd keeps the first value it reads for a keyword and ignores later duplicates, so if an uncommented "PermitTunnel no" line is already present, edit it rather than appending (on the stock Ubuntu config the line is commented out, so appending works). "yes" permits both point-to-point (tun) and ethernet (tap) tunnels; "point-to-point" is the minimal setting for what we do here.
PermitTunnel yes
Restart the SSH service (running sshd -t first is a cheap way to catch a syntax error before you lose the daemon):
root@HOST2:~# service ssh restart
And let’s try again
root@HOST1:~# ssh -Nf -w 0:0 172.16.20.130
No errors, so let's see whether the tun0 interface now shows up:
root@HOST1:~# ifconfig tun0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          POINTOPOINT NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
The tunnel is built, but the interface has no address and is not up. Let's configure it and see if it works.
Configure 10.0.0.1 on HOST1. A tun device is point-to-point, so you also give the address of the remote end ("peer" is the documented iproute2 keyword; "remote" is accepted as an alias for it):
root@HOST1:~# ip addr add 10.0.0.1 remote 10.0.0.2 dev tun0
root@HOST1:~# ifconfig tun0 up
Configure 10.0.0.2 on HOST2 pointing back to 10.0.0.1
root@HOST2:~# ip addr add 10.0.0.2 remote 10.0.0.1 dev tun0
root@HOST2:~# ifconfig tun0 up
Now for a ping check across the tunnel:
root@HOST1:~# ping 10.0.0.2
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=0.626 ms
64 bytes from 10.0.0.2: icmp_seq=2 ttl=64 time=0.693 ms
64 bytes from 10.0.0.2: icmp_seq=3 ttl=64 time=0.587 ms
Works! Remember that only traffic addressed to the 10.0.0.x end of the tunnel goes through it; anything else still leaves by the normal interfaces until you add routes for it.
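The whole procedure above, wrapped in a small POSIX shell helper as an added example (this is not code from the original post). The hostnames and addresses are the post's; the function names, the constructed SAMPLE_SSHD_CONFIG text and the choice of the documented "peer" keyword in place of "remote" are this example's own assumptions. The first two functions reproduce the check that would have caught the "administratively prohibited" failure before the tunnel was attempted, including the first-value-wins rule that makes an appended "PermitTunnel yes" useless when an uncommented "PermitTunnel no" already exists; the last one builds and addresses the tunnel exactly as the post does.

```shell
#!/bin/sh
# Added example, not code from the original post: a helper that wraps the
# SSH layer-3 tunnel procedure. Hostnames/addresses come from the post; the
# function names, SAMPLE_SSHD_CONFIG and "peer" addressing are assumptions.

# Print the effective global value of an sshd_config keyword read from stdin.
# sshd keeps the FIRST value it sees for a keyword and ignores later
# duplicates, keywords are case-insensitive, and everything after a "Match"
# line is conditional, so parsing stops there. Falls back to "$2" when the
# keyword is absent. Works on a config file and on the output of "sshd -T".
sshd_effective_value() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" -v def="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blanks
        tolower($1) == "match"               { exit }   # conditional block starts
        tolower($1) == key && !found         { val = tolower($2); found = 1; exit }
        END { print (found ? val : def) }'
}

# Succeed (0) only if the configuration on stdin lets a client open a
# layer-3 tunnel. "yes" and "point-to-point" allow tun devices; "ethernet"
# allows tap devices only; "no" (the default) produces the
# "channel 0: open failed: administratively prohibited" error seen above.
permit_tunnel_ok() {
    case "$(sshd_effective_value PermitTunnel no)" in
        yes|point-to-point) return 0 ;;
        *)                  return 1 ;;
    esac
}

# Constructed sample (assumption, not any real host's file). It shows the
# trap: the appended "PermitTunnel yes" is ignored because "PermitTunnel no"
# comes first, and the "yes" inside the Match block only applies to jason.
SAMPLE_SSHD_CONFIG='Include /etc/ssh/sshd_config.d/*.conf
PermitRootLogin prohibit-password
PermitTunnel no
PermitTunnel yes
Match User jason
    PermitTunnel yes'

# Build the tunnel from this host (run as root) to $1 and address both ends:
# $2 is the local tun address, $3 the remote one. "ip addr add A peer B dev
# tun0" is the documented form of the post's "ip addr add A remote B".
bring_up_tunnel() {
    remote_host=$1 local_ip=$2 peer_ip=$3
    # Ask the remote sshd for its effective config (sshd -T needs root there)
    # and refuse early instead of hitting "administratively prohibited".
    if ! ssh "$remote_host" sshd -T | permit_tunnel_ok; then
        echo "PermitTunnel is not enabled on $remote_host" >&2
        return 1
    fi
    ssh -Nf -w 0:0 "$remote_host" || return 1          # local tun0 <-> remote tun0
    ip addr add "$local_ip" peer "$peer_ip" dev tun0 || return 1
    ip link set dev tun0 up || return 1
    ssh "$remote_host" "ip addr add $peer_ip peer $local_ip dev tun0 && ip link set dev tun0 up" || return 1
    ping -c 3 -W 2 "$peer_ip"                           # end-to-end check
}

# Only touch the network when invoked with explicit arguments, for example:
#   ./ssh-tun.sh 172.16.20.130 10.0.0.1 10.0.0.2
if [ $# -eq 3 ]; then
    bring_up_tunnel "$@"
fi
```

Run it as root on HOST1 with HOST2's address and the two tunnel addresses; with no arguments it only defines the functions, so you can source it and feed sshd_effective_value a config file by hand to see which PermitTunnel line sshd will actually honour.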