SSH TAP VPN: Using SSH to Create a Layer 2 VPN between Two Machines

SSH truly is the best protocol ever invented by humans in my opinion, and you can quote me on that. It is a Swiss army knife, and in the right hands it can be used for almost any situation. One of the things it can be used for is a Layer 2 VPN through a TAP adapter. It's quite useful, as many networks that block VPNs won't always block SSH.


First, we need to set some local options. With the -o flag, you can set any SSH client configuration option on the command line. In this instance, we need to set PermitLocalCommand to yes to allow a local command to execute after a successful connection. The option -o "PermitLocalCommand=yes" sets this for this command only, without touching your ssh_config.


Now we need the local command that runs after a successful connection. You will need to modify this for your desired setup, but for mine, I run -o "LocalCommand=ifconfig tap5 up && ifconfig tap5 netmask", with tap5 being the TAP adapter created on the local machine going to the remote machine. The LocalCommand is executed by your local shell once the connection is up, so it is the right place to bring up and address the local end of the tunnel.


Next, we need to set the tunnel to be a Layer 2 (Ethernet) tunnel with the option -o Tunnel=ethernet. Note that the remote sshd must also allow this: PermitTunnel in the remote sshd_config has to be set to yes or ethernet, since its default is no.


Now we need to set the TAP adapter number. I would not leave it at the default. With the option -w 5:5 I set the TAP adapter to be tap5 on both the local and the remote machine (the number before the colon is local, the one after it is remote).


Next, give the remote user and host, root@yourip; the -t in front of it forces a pseudo-terminal for the remote command that follows.


I'd recommend that you change the connection timeout to something like 10 seconds. Use -o ConnectTimeout=10 to set it for this command.


Lastly, run a command on the remote machine to set the TAP adapter IP address. With "ifconfig tap5 up && ifconfig tap5 netmask" at the end of the command line, it will execute on the remote computer upon a successful connection.


Now stitch the giant command together and you have your one-liner to create an SSH tunnel. Here is mine:

# Placeholders (added here; the original omitted the addresses): set each end's
# tap5 address and the shared netmask before running the command.
LocalTapIP=      # address of the local tap5
RemoteTapIP=     # address of the remote tap5
TapNetmask=      # netmask for both ends

ssh -o "PermitLocalCommand=yes" \
-o "LocalCommand=ifconfig tap5 up && ifconfig tap5 $LocalTapIP netmask $TapNetmask" \
-o Tunnel=ethernet \
-w 5:5 \
-t $RemoteUsername@$RemoteServerIP \
-o ConnectTimeout=10 \
"ifconfig tap5 up && ifconfig tap5 $RemoteTapIP netmask $TapNetmask"

You can add a "-v" to verify that the connection is successful. You will need to set up firewall rules if you want to use this for something. I use this basically as a 2-host network with the remote host acting as a gateway/router for getting into services on the local machine. If you plan on doing this in production, make sure to use key-based authentication instead of password, as that is much more secure.
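As an added example (not code from the original post), here is the same one-liner wrapped in a POSIX shell script that checks the TAP number and the addresses before handing them to ssh, so a typo cannot leave one end of the tunnel half-configured while the other end is already up. Every variable name and the sample addresses (10.99.0.1/10.99.0.2 and root@192.0.2.10) are placeholders I chose for illustration; the function names are mine, not ssh's.

```shell
#!/bin/sh
# Added example, not code from the original post: the SSH TAP one-liner with
# its inputs validated before ssh is invoked. All variable names and the
# default addresses below are placeholders; set them for your hosts.
TAP_NUM="${TAP_NUM:-5}"                         # tap device number on both ends (-w N:N)
LOCAL_TAP_IP="${LOCAL_TAP_IP:-10.99.0.1}"       # constructed sample address, local tap
REMOTE_TAP_IP="${REMOTE_TAP_IP:-10.99.0.2}"     # constructed sample address, remote tap
TAP_NETMASK="${TAP_NETMASK:-255.255.255.0}"
REMOTE="${REMOTE:-root@192.0.2.10}"             # user@host placeholder (TEST-NET-1 address)
CONNECT_TIMEOUT="${CONNECT_TIMEOUT:-10}"

# The tap number must be a small non-negative integer; anything else is a typo.
valid_tap_num() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -le 255 ]
}

# Dotted-quad IPv4 check without external tools, so it works in a minimal sh.
valid_ipv4() {
    case "$1" in *.) return 1 ;; esac      # trailing dot would be silently dropped below
    _ifs=$IFS; IFS=.
    set -- $1
    IFS=$_ifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        case "$_o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$_o" -le 255 ] || return 1
    done
    return 0
}

# Interface setup used on both ends: the post's ifconfig line with the
# address and netmask filled in.
tap_cmd() {
    printf 'ifconfig tap%s up && ifconfig tap%s %s netmask %s' "$1" "$1" "$2" "$3"
}

# Assemble the full ssh invocation as one string. The LocalCommand runs on this
# machine after the connection is up; the trailing command runs on the remote.
build_ssh_cmd() {
    _tap=$1; _lip=$2; _rip=$3; _mask=$4; _remote=$5; _timeout=$6
    printf 'ssh -o PermitLocalCommand=yes -o "LocalCommand=%s" -o Tunnel=ethernet -w %s:%s -o ConnectTimeout=%s -t %s "%s"' \
        "$(tap_cmd "$_tap" "$_lip" "$_mask")" "$_tap" "$_tap" "$_timeout" "$_remote" \
        "$(tap_cmd "$_tap" "$_rip" "$_mask")"
}

main() {
    valid_tap_num "$TAP_NUM" || { echo "TAP_NUM must be 0-255, got '$TAP_NUM'" >&2; exit 1; }
    for _a in "$LOCAL_TAP_IP" "$REMOTE_TAP_IP" "$TAP_NETMASK"; do
        valid_ipv4 "$_a" || { echo "not an IPv4 address: '$_a'" >&2; exit 1; }
    done
    [ "$LOCAL_TAP_IP" != "$REMOTE_TAP_IP" ] || { echo "local and remote tap addresses must differ" >&2; exit 1; }
    cmd=$(build_ssh_cmd "$TAP_NUM" "$LOCAL_TAP_IP" "$REMOTE_TAP_IP" "$TAP_NETMASK" "$REMOTE" "$CONNECT_TIMEOUT")
    echo "$cmd"
    if [ "$1" = "run" ]; then
        # Creating a tap device needs root on both ends, so refuse early rather
        # than let ssh connect and fail halfway through interface setup.
        [ "$(id -u)" -eq 0 ] || { echo "run as root: creating tap$TAP_NUM needs it" >&2; exit 1; }
        eval "$cmd"
    fi
}

# "show" prints the command it would run; "run" executes it. With no argument
# (or when sourced) the script only defines the functions.
case "${1:-}" in run|show) main "$1" ;; esac
```

Invoke it as root with the variables exported and "run" as the argument; "show" prints the assembled command so you can review it before anything touches an interface. On Linux systems that no longer ship ifconfig, the equivalent of the post's interface line is "ip link set tap5 up" followed by "ip addr add <address>/<prefix> dev tap5".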

About: Ryan Parker

I'm a former captain of the Cyber Defense team, current Infrastructure Security Specialist. I also have a side job helping small to medium businesses with anything technology, doing everything imaginable. One of my hobbies is building out infrastructures for myself, friends, and clients. I currently maintain a homelab with about 400GB of RAM, 100+ TB of storage, and tons of CPU cores.
