Re: [tlug] SSH tunneling restrictions

["Patrick Niessen" <tlug.niessen@example.com>]

On 8/14/06, Gerald Naughton <naughton123@example.com> wrote:
> Have you looked at openvpn at
> http://openvpn.net/

Yes, looked at it as well as openswan.  It seems that openvpn requires
a lot more configuration both on client and server.  Most articles
describe the bridged mode, which I don't want to use as it requires
"safe" client computers.

The complication is in the routing setup for the clients if a new set
of IPs must be assigned.

Additional safety features must be installed like virus checkers and
personal firewalls, that block access to foreign networks but allow
enough traffic to acquire an IP and gateway from  where they connect.
They must also realise when the PC is back in the company's lan so
that normal network traffic is permitted.

But with the Openssh solution you only require one line to create the tunnel:

ssh -i private.key -C -L 13389:ip_of_pc_to_be_controled:3389
remoteusername@example.com

On the server side you need to paste public keys for each client into
.ssh/authorized_keys2 and let the often already running sshd do the
rest.

Because only picture data is transmitted by RDP from the internal lan,
no danger of data escaping from our company exists.  And even if the
client PC is infected by virus and worm, it can not propagate over
rdp.  Of course the firewall prevents access from gateway to internal
network on other than rdp port, otherwise even remote windows
explouits could be tunneled by ssh.

Patrick