Tuesday, July 8, 2014

Poor man's SSL-VPN with socat

Another handy feature of socat is its ability to create TUN/TAP network interfaces, which lets you join two remote networks in a few minutes. Any address type socat supports can carry the tunnel, but here we're going to set up an OpenSSL VPN in which each side authenticates the other with a certificate.

Imagine the following setup: you want to reach your home network from your work computer, over an SSL channel that stays trustworthy as long as both private keys stay private.

First we'll generate a private key and a self-signed certificate for each side. Each side's certificate will serve as the other side's only trust anchor (the cafile= option below), so no CA is involved:

#!/bin/bash
set -e
umask 077   # key files are created readable by their owner only

# Create a self-signed key and certificate pair named after $1.
# 2048-bit RSA: the 1024-bit keys the post originally used are too short today.
function generate_cert()
{
 openssl genrsa -out "$1.key" 2048
 openssl req -new -key "$1.key" -x509 -days 365 -out "$1.crt"
 cat "$1.key" "$1.crt" > "$1.pem"
 chmod 600 "$1.key" "$1.pem"
}

# Generate server certificate
generate_cert socat_server

# Generate client certificate
generate_cert socat_client

  • Answer a few questions to create the certificates.
  • Copy the socat_server.pem and socat_client.crt files to the server-side machine at home.
  • Copy the socat_client.pem and socat_server.crt files to the client workstation.
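The script above is interactive and gives no way to confirm the result before the files are copied around. The following is an added example, not code from the original post: it generates the same pairs non-interactively (via -subj) and then checks exactly what socat will rely on: that each .pem holds a matching private key and certificate, that each side's .crt is accepted as a trust anchor only for its own certificate (what cafile= enforces), and a SHA-256 fingerprint to compare out of band after copying. The CN values and the basenames socat_server/socat_client are assumptions; only openssl is required.

```shell
#!/bin/bash
# Added example, not code from the original post: non-interactive
# certificate generation plus the checks worth running before the files
# are copied between the two machines. Assumes openssl in PATH; the
# basenames and CN values are illustrative.
umask 077   # key files are never created world-readable

# Create a 2048-bit RSA key and a one-year self-signed cert for basename $1
# with subject CN $2 (the post's script used 1024-bit keys, too short today).
generate_cert() {
  openssl genrsa -out "$1.key" 2048 2>/dev/null || return 1
  openssl req -new -key "$1.key" -x509 -days 365 -subj "/CN=$2" \
      -out "$1.crt" 2>/dev/null || return 1
  cat "$1.key" "$1.crt" > "$1.pem"
}

# True if the private key and the certificate inside $1.pem belong together.
# socat loads both from cert=<name>.pem, so a mismatch only shows up at
# connect time. Compares the public key derived from each part.
pem_is_consistent() {
  local from_key from_cert
  from_key=$(openssl pkey -in "$1.pem" -pubout 2>/dev/null) || return 1
  from_cert=$(openssl x509 -in "$1.pem" -pubkey -noout 2>/dev/null) || return 1
  [ "$from_key" = "$from_cert" ]
}

# Mimic socat's cafile= check: does certificate $2.crt verify against the
# trust file $1.crt? With self-signed certs each side's own .crt is the
# only trust anchor, so any other certificate must be rejected.
peer_accepted() {
  openssl verify -CAfile "$1.crt" "$2.crt" >/dev/null 2>&1
}

# SHA-256 fingerprint of the certificate in file $1 (.crt or .pem); compare
# it out of band after copying so a swapped file is noticed.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Usage (run in an empty directory):
#   generate_cert socat_server 5.6.7.8 && generate_cert socat_client work-laptop
#   pem_is_consistent socat_server && peer_accepted socat_client socat_client
```

Run the generation on one machine, copy the files as listed above, and then compare cert_fingerprint of the copied .crt with the original before starting socat; peer_accepted with the two different basenames must fail, which is exactly the rejection a third party's certificate would get.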

1. Server-side configuration


On the server side (home), run socat as an OpenSSL server and let it create the TUN interface.

Note: if the TUN address you choose is not part of your home subnet, the other machines at home are only reachable once the server forwards packets (net.ipv4.ip_forward=1) and replies can find their way back, either through a route for the tunnel subnet pointing at the server on the home hosts or router, or by NATing the tunnel traffic on the server's LAN interface. For a quick and dirty VPN, you can instead use an arbitrary IP address within your home subnet and reach resources on that subnet.

socat -d -d OPENSSL-LISTEN:9111,bind=192.168.0.254,cert=socat_server.pem,cafile=socat_client.crt,reuseaddr,fork TUN:10.1.1.1/24,up

You will probably need a port-forwarding rule on your home router mapping an external port to the socat listener (192.168.0.254:9111 above).

2. Client-side configuration


On the client side (work), bring up the socat TUN interface by connecting to the server (5.6.7.8 is the public IP address of your home connection). Note that newer socat releases (1.7.3 and later) also check the server certificate's CN or subjectAltName against the address you connect to, so either issue the server certificate for 5.6.7.8 or add openssl-commonname=<CN of the server cert> to the client address.

If you can connect directly:
socat -d -d OPENSSL:5.6.7.8:9111,cert=socat_client.pem,cafile=socat_server.crt TUN:10.1.1.10/24,iff-up=1

If you need to go through an HTTP proxy, a second socat instance is required:

a. Create a local TCP forwarder that CONNECTs through the proxy to the home server (replace proxy.mycompany.com and 3128 with your proxy's host and port):
socat TCP4-LISTEN:65432,bind=127.0.0.1,reuseaddr,fork PROXY:proxy.mycompany.com:5.6.7.8:9111,proxyport=3128 &

b. Create the OpenSSL tunnel through that local forwarder:
socat -d -d OPENSSL:127.0.0.1:65432,cert=socat_client.pem,cafile=socat_server.crt TUN:10.1.1.10/24,iff-up=1


You should now be able to reach your home computers from your client workstation. If required, add routes on your workstation for any further remote network via the socat VPN gateway (10.1.1.1).


1 comment:

  1. Where can generate_cert be found? Is this a shell script or a placeholder for openssl commands?

    Thanks for sharing this, I love the versatility of Socat :)
