Secure communication between linux machines

-1

I have four machines in a network which can talk with password-less SSH to each other and to themselves.
Now I want to make the communication between them secure.
How can I create a VPN between them?
In such a case, which machine will be the server and which will be the client?

Vikram

Posted 2016-06-07T09:20:47.953

Reputation: 119

SSH (also known as Secure Socket Shell) is secure. What are you trying to achieve? – Mikael Kjær – 2016-06-07T09:25:49.960

Agreed. But there are other processes running on one machine which can access data from another machine. I want all communication between them to be secure. – Vikram – 2016-06-07T09:40:38.473

If those processes are not already secure you can tunnel them through SSH. You could also set up a VPN, but that seems like overkill. – Mikael Kjær – 2016-06-07T09:41:56.607

Okay. Still, if I decide to go with a VPN, how should my design be? Which node will be the client and which will be the server? – Vikram – 2016-06-07T09:47:16.570

That is impossible to say without knowing more about your setup. – Mikael Kjær – 2016-06-07T09:51:20.873

These are four virtual machines, RHEL 7 server edition, in one network. – Vikram – 2016-06-07T09:57:58.017

You should make it clear from whom you want to secure the communication. SSH encrypts the data in transfer between the machines, so others in the network don't know what is being transmitted (that's ok, don't trust the network). But it seems you also don't trust the machines themselves? Alternatives to SSH will not help with this; you will need to set up the machines differently (e.g. encryption, AppArmor or SELinux, ...). – Wilbert – 2016-06-07T10:03:40.023

this may be useful – hkdtam – 2016-06-07T10:15:34.407

Answers

2

You have several options. One is to use ssh's built-in port forwarding mechanism. For example, adding -L 1235:remotehost:1234 creates a local TCP listening socket on port 1235. When your local application connects to that port, the connection will be forwarded (securely via ssh) to port 1234 on remotehost.

To create a VPN, I suggest using openswan or libreswan to simplify the configuration. Here's what a configuration looks like:

https://libreswan.org/wiki/Host_to_host_VPN

With a VPN, there need not be a central "server," as you suggest. Instead, it's just a set of encrypted tunnels between peer systems.

You can also set up a VPN manually with the "ip tunnel" and "ip xfrm" commands to set up point-to-point links between your systems that are protected by IPsec.

James Carlson

Posted 2016-06-07T09:20:47.953

Reputation: 21
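The "set of encrypted tunnels between peer systems" idea from this answer, worked through for the four machines in the question, as an added example that is not part of the answer or of libreswan's own documentation. The script below generates a libreswan ipsec.conf fragment with one host-to-host connection for every pair of peers (4 peers give 6 tunnels). libreswan treats "left" and "right" purely as labels and each host works out which side it is by matching its own IP address, so the same generated file is installed unchanged on all four machines and none of them is a "server". The peer names, addresses and the 0sAQ... key values below are constructed placeholders; on a real host the public key comes from ipsec showhostkey, as the linked wiki page describes.

```sh
#!/bin/sh
# Added example (not from the answer or from libreswan): build a libreswan
# full mesh of host-to-host connections, so every peer has a tunnel to every
# other peer and no host plays "server".
#
# Input on stdin, one peer per line:  <name> <ip-address> <raw-rsa-pubkey>
# The key column is what `ipsec showhostkey` prints on that host; the values
# used in sample_peers below are constructed placeholders, not real keys.

# gen_mesh: emit one "conn" stanza for each unordered pair of peers.
gen_mesh() {
    awk '
    NF == 3 { n++; name[n] = $1; addr[n] = $2; key[n] = $3 }
    END {
        for (i = 1; i <= n; i++)
            for (j = i + 1; j <= n; j++) {
                printf "conn %s-%s\n", name[i], name[j]
                printf "    left=%s\n", addr[i]
                printf "    leftid=@%s\n", name[i]
                printf "    leftrsasigkey=%s\n", key[i]
                printf "    right=%s\n", addr[j]
                printf "    rightid=@%s\n", name[j]
                printf "    rightrsasigkey=%s\n", key[j]
                printf "    authby=rsasig\n"
                printf "    auto=start\n\n"
            }
    }'
}

# count_conns: number of "conn" stanzas in a generated config, for checking
# that the mesh is complete (N peers must give N*(N-1)/2 stanzas).
count_conns() {
    grep -c '^conn '
}

# sample_peers: the four VMs from the question, with constructed addresses
# and placeholder public keys.
sample_peers() {
    cat <<'EOF'
vm1 10.0.0.11 0sAQPLACEHOLDER1
vm2 10.0.0.12 0sAQPLACEHOLDER2
vm3 10.0.0.13 0sAQPLACEHOLDER3
vm4 10.0.0.14 0sAQPLACEHOLDER4
EOF
}

# Generate the mesh for the sample peers; redirect the output into a file
# under /etc/ipsec.d/ on every host.
sample_peers | gen_mesh
```

Each host additionally needs its own private key in its local NSS database (the key that ipsec showhostkey reports the public half of); a host that lacks the private key for the identity it is matched to cannot bring its tunnels up. Because the output is identical on all hosts, keeping it in one place and copying it to all four (over the existing SSH) avoids the left/right mismatch that hand-editing per host tends to produce.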