My earlier article on ssh trickiness didn’t mention the newish “-w” option, which turns ssh into a full-on VPN solution rather than just a port-at-a-time port forwarder.
The useful piece of information which I haven’t seen elsewhere is this: you don’t need to allow root ssh logins to use it. Instead, you can use ‘tunctl’ to preconfigure tun or tap devices on each end, using its -u option to make a non-root user the owner of each device. The easiest place to do this, on Debian/Ubuntu systems, is in /etc/network/interfaces, for example:
On one end:

    auto tap9
    iface tap9 inet static
        pre-up tunctl -u nick -t $IFACE
        post-down tunctl -d $IFACE
        address 10.1.9.1
        netmask 255.255.255.0

On the other end:

    auto tap9
    iface tap9 inet static
        pre-up tunctl -u nick -t $IFACE
        post-down tunctl -d $IFACE
        address 10.1.9.2
        netmask 255.255.255.0
Now you can ‘ifup’ those interfaces, and then start the VPN by running:
user@host2$ ssh -o Tunnel=Ethernet -w9:9 host1
And the tunnel will be up and running, without needing to create the tunnel as root. You could easily take this one step further for an automatic tunnel, setting up a guest user ‘vpn’ in a chroot or similar that exists only to manage the tunnels.
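Two things commonly go wrong with this setup: the tap device on one end is not actually owned by the user who logs in (so ssh cannot attach to it without root), and the server’s sshd_config does not permit tunnelling at all (OpenSSH’s PermitTunnel defaults to “no”, and must be “yes” or match the requested type, “ethernet” for -o Tunnel=Ethernet or “point-to-point” for tun devices). The following pre-flight script is an added example, not code from the original article; it checks both prerequisites and derives the matching -w argument from the interface name. It reads the kernel’s owner attribute under /sys/class/net/<iface>/owner (which exists for persistent tun/tap devices) and takes the sysfs root and config path as parameters so it can be exercised against a constructed directory tree. Match blocks in sshd_config are not evaluated; the first top-level PermitTunnel directive is taken, as sshd itself does.

```shell
#!/bin/sh
# Pre-flight checks for a non-root "ssh -w" tunnel (added example, not from the
# original article). Run tap_owned_by on both ends as the tunnel user, and
# permit_tunnel_ok on the server end.

# tap_owned_by SYSFS_ROOT IFACE UID
# Returns 0 when SYSFS_ROOT/IFACE exists, is a tun/tap device, and its kernel
# "owner" attribute equals UID (tunctl -u sets this). SYSFS_ROOT is normally
# /sys/class/net; the parameter exists so the check can be tested offline.
tap_owned_by() {
    sysfs_root=$1; iface=$2; want_uid=$3
    owner_file="$sysfs_root/$iface/owner"
    [ -d "$sysfs_root/$iface" ] || { echo "$iface: no such interface" >&2; return 1; }
    [ -r "$owner_file" ] || { echo "$iface: not a tun/tap device" >&2; return 1; }
    have_uid=$(cat "$owner_file")          # -1 means no owner was set
    if [ "$have_uid" != "$want_uid" ]; then
        echo "$iface: owned by uid $have_uid, not $want_uid; rerun tunctl -u" >&2
        return 1
    fi
    return 0
}

# permit_tunnel_ok SSHD_CONFIG MODE
# MODE is the value passed as -o Tunnel=..., i.e. ethernet or point-to-point.
# Returns 0 when the first top-level PermitTunnel directive allows that mode.
# An absent directive means the OpenSSH default, "no". Match blocks are not
# evaluated; the scan stops at the first one.
permit_tunnel_ok() {
    cfg=$1; mode=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    setting=$(awk '
        /^[ \t]*#/ { next }                                        # comment
        tolower($1) == "match" { exit }                            # conditional section, not handled
        tolower($1) == "permittunnel" { print tolower($2); exit }  # first value wins
    ' "$cfg")
    [ -n "$setting" ] || setting=no
    case "$setting" in
        yes)     return 0 ;;
        "$mode") return 0 ;;
        *) echo "PermitTunnel is '$setting'; Tunnel=$mode not allowed" >&2; return 1 ;;
    esac
}

# ssh_w_args IFACE
# Prints the ssh options matching a locally preconfigured tapN or tunN device:
# tap devices need Tunnel=ethernet, tun devices Tunnel=point-to-point, and the
# -w number must equal the device number on both ends (as in -w9:9 for tap9).
ssh_w_args() {
    iface=$1
    case "$iface" in
        tap[0-9]*) mode=ethernet;       num=${iface#tap} ;;
        tun[0-9]*) mode=point-to-point; num=${iface#tun} ;;
        *) echo "$iface: expected tapN or tunN" >&2; return 1 ;;
    esac
    printf '%s\n' "-o Tunnel=$mode -w$num:$num"
}

# Typical use on the client end, as the tunnel user:
#   tap_owned_by /sys/class/net tap9 "$(id -u)" && ssh $(ssh_w_args tap9) host1
# and on the server end, additionally:
#   permit_tunnel_ok /etc/ssh/sshd_config ethernet
```

The owner check matters on both ends because the server-side ssh process also runs as the login user and opens the remote tap in the same way; if either device reports owner -1 or another uid, ssh falls back to requiring root, which is exactly the situation the interfaces stanzas above avoid.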