VPN server (beachhead) without root?
Clash Royale CLAN TAG#URR8PPP
up vote
6
down vote
favorite
How can I set up a VPN server on a host where I don't have root?
I have the following constraints:
- On the server A, I have no root. I can only operate in my home directory. In particular, I also cannot create
tundevices. - On the client B, I have complete control and can install what I want.
- SSH port forwarding (-L/-R) and SOCKS proxy (-D) works, but not in my case. The software on my client uses many different ports so I'd be inclined to use SOCKS, but it also runs at kernel level, so I can't convince it with
tsocksto use the proxy. One thing that would work would by to run my client software in a VM on B, and socksify the whole VM - but I'd really rather not go that route. - I don't need priviliged ports, so non-root on A should be OK.
- It doesn't have to be a "real" VPN, but something similar in spirit would be enough. My process on B should be able to communicate with processes on A (and connected devices) as if they were on one machine, without rewriting them.
I don't believe there is an elegant way to do this - the correct way would be to just ask the admin of A, or plug B into the same net - but now I'm just curious if this can be done as a proof of concept.
vpn ssh-tunneling
asked Jan 15 '16 at 12:59
jdm
30419
add a comment |Â
up vote
6
down vote
favorite
How can I set up a VPN server on a host where I don't have root?
I have the following constraints:
- On the server A, I have no root. I can only operate in my home directory. In particular, I also cannot create
tundevices. - On the client B, I have complete control and can install what I want.
- SSH port forwarding (-L/-R) and SOCKS proxy (-D) works, but not in my case. The software on my client uses many different ports so I'd be inclined to use SOCKS, but it also runs at kernel level, so I can't convince it with
tsocksto use the proxy. One thing that would work would by to run my client software in a VM on B, and socksify the whole VM - but I'd really rather not go that route. - I don't need priviliged ports, so non-root on A should be OK.
- It doesn't have to be a "real" VPN, but something similar in spirit would be enough. My process on B should be able to communicate with processes on A (and connected devices) as if they were on one machine, without rewriting them.
I don't believe there is an elegant way to do this - the correct way would be to just ask the admin of A, or plug B into the same net - but now I'm just curious if this can be done as a proof of concept.
vpn ssh-tunneling
asked Jan 15 '16 at 12:59
jdm
30419
add a comment |Â
up vote
6
down vote
favorite
up vote
6
down vote
favorite
How can I set up a VPN server on a host where I don't have root?
I have the following constraints:
- On the server A, I have no root. I can only operate in my home directory. In particular, I also cannot create
tundevices. - On the client B, I have complete control and can install what I want.
- SSH port forwarding (-L/-R) and SOCKS proxy (-D) works, but not in my case. The software on my client uses many different ports so I'd be inclined to use SOCKS, but it also runs at kernel level, so I can't convince it with
tsocksto use the proxy. One thing that would work would by to run my client software in a VM on B, and socksify the whole VM - but I'd really rather not go that route. - I don't need priviliged ports, so non-root on A should be OK.
- It doesn't have to be a "real" VPN, but something similar in spirit would be enough. My process on B should be able to communicate with processes on A (and connected devices) as if they were on one machine, without rewriting them.
I don't believe there is an elegant way to do this - the correct way would be to just ask the admin of A, or plug B into the same net - but now I'm just curious if this can be done as a proof of concept.
vpn ssh-tunneling
asked Jan 15 '16 at 12:59
jdm
30419
How can I set up a VPN server on a host where I don't have root?
I have the following constraints:
- On the server A, I have no root. I can only operate in my home directory. In particular, I also cannot create
tundevices. - On the client B, I have complete control and can install what I want.
- SSH port forwarding (-L/-R) and SOCKS proxy (-D) works, but not in my case. The software on my client uses many different ports so I'd be inclined to use SOCKS, but it also runs at kernel level, so I can't convince it with
tsocksto use the proxy. One thing that would work would by to run my client software in a VM on B, and socksify the whole VM - but I'd really rather not go that route. - I don't need priviliged ports, so non-root on A should be OK.
- It doesn't have to be a "real" VPN, but something similar in spirit would be enough. My process on B should be able to communicate with processes on A (and connected devices) as if they were on one machine, without rewriting them.
I don't believe there is an elegant way to do this - the correct way would be to just ask the admin of A, or plug B into the same net - but now I'm just curious if this can be done as a proof of concept.
vpn ssh-tunneling
vpn ssh-tunneling
asked Jan 15 '16 at 12:59
jdm
30419
asked Jan 15 '16 at 12:59
jdm
30419
asked Jan 15 '16 at 12:59
jdm
30419
asked Jan 15 '16 at 12:59
jdm
30419
asked Jan 15 '16 at 12:59
jdm
30419
30419
add a comment |Â
add a comment |Â
1 Answer
1
active
oldest
votes
up vote
6
down vote
Well, this "I have no root" access on Server A can be a problem to create a good VPN solution since:
ip-ip tunneling requires interface manipulation;
pptp also requires root privileges to create interfaces;
OpenVPN can even run as unprivileged user, but some tricks need to be done like allowing sudo to theipcommand to allow the creation oftuninterface;
strongSwan with reduced privileges requiresCAP_NET_ADMINorCAP_NET_RAWto work, and running IKE daemon as non-root user breaks support for iptables updown script.
What remains to you my friend: Rely on SSH socks proxy. On your local machine, and as root, run:
ssh -C2qTnN -D 8080 username@serverA
Means: Compression, SSH2 only, Quiet, Force pseudo-tty allocation, Redirect stdin from /dev/null, and Place the ssh client into "master" mode for connection sharing.
Now, all you have to do is to run your application. If it has native SOCKSv5 support like Firefox, it's just a matter of configuring "localhost:8080" as the proxy server.
If your application does not support this proxy natively, run it with proxychains. Just install on your client and you are good to go.
The only solution you don't want to adopt seems to be the only one, unfortunately.
Links:
- Proxy Firefox through a SSH tunnel
answered Jan 15 '16 at 19:21
nwildner
13.4k14073
add a comment |Â
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
6
down vote
Well, this "I have no root" access on Server A can be a problem to create a good VPN solution since:
ip-ip tunneling requires interface manipulation;
pptp also requires root privileges to create interfaces;
OpenVPN can even run as unprivileged user, but some tricks need to be done like allowing sudo to theipcommand to allow the creation oftuninterface;
strongSwan with reduced privileges requiresCAP_NET_ADMINorCAP_NET_RAWto work, and running IKE daemon as non-root user breaks support for iptables updown script.
What remains to you my friend: Rely on SSH socks proxy. On your local machine, and as root, run:
ssh -C2qTnN -D 8080 username@serverA
Means: Compression, SSH2 only, Quiet, Force pseudo-tty allocation, Redirect stdin from /dev/null, and Place the ssh client into "master" mode for connection sharing.
Now, all you have to do is to run your application. If it has native SOCKSv5 support like Firefox, it's just a matter of configuring "localhost:8080" as the proxy server.
If your application does not support this proxy natively, run it with proxychains. Just install on your client and you are good to go.
The only solution you don't want to adopt seems to be the only one, unfortunately.
Links:
- Proxy Firefox through a SSH tunnel
answered Jan 15 '16 at 19:21
nwildner
13.4k14073
add a comment |Â
up vote
6
down vote
Well, this "I have no root" access on Server A can be a problem to create a good VPN solution since:
ip-ip tunneling requires interface manipulation;
pptp also requires root privileges to create interfaces;
OpenVPN can even run as unprivileged user, but some tricks need to be done like allowing sudo to theipcommand to allow the creation oftuninterface;
strongSwan with reduced privileges requiresCAP_NET_ADMINorCAP_NET_RAWto work, and running IKE daemon as non-root user breaks support for iptables updown script.
What remains to you my friend: Rely on SSH socks proxy. On your local machine, and as root, run:
ssh -C2qTnN -D 8080 username@serverA
Means: Compression, SSH2 only, Quiet, Force pseudo-tty allocation, Redirect stdin from /dev/null, and Place the ssh client into "master" mode for connection sharing.
Now, all you have to do is to run your application. If it has native SOCKSv5 support like Firefox, it's just a matter of configuring "localhost:8080" as the proxy server.
If your application does not support this proxy natively, run it with proxychains. Just install on your client and you are good to go.
The only solution you don't want to adopt seems to be the only one, unfortunately.
Links:
- Proxy Firefox through a SSH tunnel
answered Jan 15 '16 at 19:21
nwildner
13.4k14073
add a comment |Â
up vote
6
down vote
up vote
6
down vote
Well, this "I have no root" access on Server A can be a problem to create a good VPN solution since:
ip-ip tunneling requires interface manipulation;
pptp also requires root privileges to create interfaces;
OpenVPN can even run as unprivileged user, but some tricks need to be done like allowing sudo to theipcommand to allow the creation oftuninterface;
strongSwan with reduced privileges requiresCAP_NET_ADMINorCAP_NET_RAWto work, and running IKE daemon as non-root user breaks support for iptables updown script.
What remains to you my friend: Rely on SSH socks proxy. On your local machine, and as root, run:
ssh -C2qTnN -D 8080 username@serverA
Means: Compression, SSH2 only, Quiet, Force pseudo-tty allocation, Redirect stdin from /dev/null, and Place the ssh client into "master" mode for connection sharing.
Now, all you have to do is to run your application. If it has native SOCKSv5 support like Firefox, it's just a matter of configuring "localhost:8080" as the proxy server.
If your application does not support this proxy natively, run it with proxychains. Just install on your client and you are good to go.
The only solution you don't want to adopt seems to be the only one, unfortunately.
Links:
- Proxy Firefox through a SSH tunnel
answered Jan 15 '16 at 19:21
nwildner
13.4k14073
Well, this "I have no root" access on Server A can be a problem to create a good VPN solution since:
ip-ip tunneling requires interface manipulation;
pptp also requires root privileges to create interfaces;
OpenVPN can even run as unprivileged user, but some tricks need to be done like allowing sudo to theipcommand to allow the creation oftuninterface;
strongSwan with reduced privileges requiresCAP_NET_ADMINorCAP_NET_RAWto work, and running IKE daemon as non-root user breaks support for iptables updown script.
What remains to you my friend: Rely on SSH socks proxy. On your local machine, and as root, run:
ssh -C2qTnN -D 8080 username@serverA
Means: Compression, SSH2 only, Quiet, Force pseudo-tty allocation, Redirect stdin from /dev/null, and Place the ssh client into "master" mode for connection sharing.
Now, all you have to do is to run your application. If it has native SOCKSv5 support like Firefox, it's just a matter of configuring "localhost:8080" as the proxy server.
If your application does not support this proxy natively, run it with proxychains. Just install on your client and you are good to go.
The only solution you don't want to adopt seems to be the only one, unfortunately.
Links:
- Proxy Firefox through a SSH tunnel
answered Jan 15 '16 at 19:21
nwildner
13.4k14073
edited Sep 27 at 16:28
answered Jan 15 '16 at 19:21
nwildner
13.4k14073
answered Jan 15 '16 at 19:21
nwildner
13.4k14073
answered Jan 15 '16 at 19:21
nwildner
13.4k14073
13.4k14073
add a comment |Â
add a comment |Â
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f255526%2fvpn-server-beachhead-without-root%23new-answer', 'question_page');
);
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
