VPN over SSH

Published on Author admin

VPN over SSH

VPN over SSH
SSH Tunnel
SSH based tunneling


Since OpenSSH 4.3 tun/tap device can be used to encrypt a tunnel and create VPN over SSH. This is much like other TLS based VPN solutions e.g. OpenVPN. The main advantage to use SSH based tunneling is no need to install and configure additional software. Other one is to use ssh-keys. But the poor performance that comes from encapsulation which is done over TCP can result in slow speed connection. SSH based tunneling is relying on a single (fragile) TCP connection. This type of VPN is very useful when you need to connect to points for a short period of time in several minutes.


  • quick setup
  • secure
  • no additional software
  • no additional configuration
  • no limitation as with the
    single TCP port forward

  • poor performance (slow speed link)
    To setup VPN over SSH you you need to sshd_conf add:

    After config has been changed, restart of the sshd is needed.

    My experiences show that it is a good idea to be logged in on the host where you are going to restart ssh with one more session. the reason is simple – something might go wrong and you may lose the connection within ssh. This case, opened session, as the connection is in memory, will help you to fix config without asking kvm.

    To setup Single P2P connection:

    To connect 2 hosts – client and server with a peer to peer tunnel the connection is started from client to server and is done as root.


    To create VPN over SSH we will create a device tun5(any device number is ok).

    Here the next steps:

  • Connect with SSH using the tunnel option -w
  • Configure the IP addresses of the tunnel. Once on the server and once on the client.
  • Connect to the server
  • Connection started on the client and commands are executed on the server. All commands must be executed under root!

    Configuring the server:

    case Linux:

    after you perform from client ssh command, you will be automatically(yeah, ssh works this way, yours Captain Obvious)

    ‘-w5:5’ is for tun5. If your interface is tun6, ‘-w6:6’

    case FreeBSD:

    Configuring the client:

    case Linux:

    case FreeBSD:

    Finally, two hosts are now connected using VPN over SSH and can transparently communicate with any layer 3/4 protocol.