Poor Man’s VPN

SSLtunnel is one of the ways to set up a PPP session over SSL. Its README says…

1. What is it?
==============

ssltunnel allows you to mount a PPP session encapsulated in SSL. That allows
you to make a poor man’s VPN between two Unix machines or two networks, without
requiring you to set up IPsec technology.

2. Why?
=======

For a simple reason: I am often on the move, and very often, in a hotel or on
a corporate network, I have only limited access to the Internet, i.e.:
. through address translation (NAT)
. or worse, through only an HTTP or HTTPS relay.

In all these situations, it is impossible to use a protocol like IPsec,
which will be pitilessly filtered at the exit of the network.

For a long time I used PPP over SSH, even when passing through an HTTPS relay
(using a program like corkscrew or https-relay
(http://www.rominet.net/https-relay)), but SSH has several problems:

. it isn’t SSL, and some HTTPS relays are starting to check that what passes
through them is definitely SSL.
. it inevitably requires having a Unix account at the other end, which is
not necessarily ideal for managing authentication.

I thus decided to write a “PPP over SSL” tunnel, obviously using OpenSSL.
I could have done a “do-it-yourself” job with stunnel, but I preferred to do
something clean.

3. How?
=======

The principle is to use the SSL client certificates, as in HTTPS:

– the server listens on port 443 of the destination machine;
– the client connects (if need be, through a relay like Squid or ISA-Server;
the proxy does not have *ANY* means to check whether it is a
browser <-> HTTPS web server session, because the beginning of the
unencrypted session and the SSL negotiation are exactly identical);
– at the establishment of the connection, the server forks;
– the server sends its certificate, and the client checks that it is properly
signed by an authority it trusts;
– the client sends its certificate;
– the server checks this certificate and looks for a matching certificate
declared in its base;
– the encrypted session starts;
– the server sends its banner with its version number and its protocol
version;
– the client receives the banner, checks it and sends its own;
– the client forks, opens a pty, and launches pppd in client mode on this pty,
without specifying which IP address it wants;
– the server gets the PPP parameters from the user file, changes its identity,
opens a pty, forks and launches pppd on this pty with the options given
by the file;
– the PPP session is established between the two ends; the program at each
end encrypts/decrypts and reads/sends the data on the pty connected to
pppd.
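As an added illustration of the sequence above (this is not code from ssltunnel, which is written in C on top of OpenSSL): a self-contained Go program that stands up a mutual-TLS server and client on the loopback interface, generating a throwaway CA and certificates in memory so it runs offline. The banner format, the user base layout and the pppd option string are made up for the demo, and the fork of pppd on a pty is replaced by the server sending back the options it would have used. Beyond the happy path, it shows the check the README puts between the TLS handshake and the banner: a certificate the CA did sign but which is not declared in the server's base gets the connection closed without a banner, and the client reports that as a refused session.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Banner each side sends once the TLS session is up (made-up format, not ssltunnel's own).
const banner = "PPP-OVER-TLS-DEMO 1.0\n"

// userBase maps a client certificate's CN to its pppd options (constructed sample data).
var userBase = map[string]string{"alice": "10.8.0.1:10.8.0.2 noauth"}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert issues a short-lived P-256 certificate signed by parent, or self-signed when parent is nil.
func newCert(cn string, isCA bool, parent *tls.Certificate) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		DNSNames:     []string{"localhost"}, // lets the client verify the server as "localhost"
		BasicConstraintsValid: true, IsCA: isCA,
	}
	signer, signerKey := tmpl, any(key)
	if parent != nil {
		signer, signerKey = parent.Leaf, parent.PrivateKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// Server side: TLS verifies the client certificate; then the base lookup, the banners, the pppd options.
func serve(tc *tls.Conn) {
	defer tc.Close()
	if err := tc.Handshake(); err != nil {
		return // certificate not signed by our CA: TLS already refused it
	}
	opts, declared := userBase[tc.ConnectionState().PeerCertificates[0].Subject.CommonName]
	if !declared {
		return // CA-signed but not declared in the base: close without a banner
	}
	fmt.Fprint(tc, banner)
	if line, err := bufio.NewReader(tc).ReadString('\n'); err == nil && line == banner {
		fmt.Fprintf(tc, "pppd %s\n", opts) // stand-in for forking pppd on a pty
	}
}

// Client side: verify the server against the CA, present our certificate, exchange banners, get the result.
func connect(addr string, ca *x509.CertPool, cert tls.Certificate) (string, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{RootCAs: ca, ServerName: "localhost", Certificates: []tls.Certificate{cert}})
	if err != nil {
		return "", err
	}
	defer conn.Close()
	r := bufio.NewReader(conn)
	if got, err := r.ReadString('\n'); err != nil || got != banner { // TLS 1.3 reports a rejected client cert here
		return "", fmt.Errorf("no valid server banner %q: %v", got, err)
	}
	fmt.Fprint(conn, banner)
	reply, err := r.ReadString('\n')
	return strings.TrimSpace(reply), err
}

// Demo runs an in-process server and two clients: a declared user and a CA-signed but undeclared one.
func Demo() (declared string, undeclaredErr error) {
	ca := newCert("demo-ca", true, nil)
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	ln := must(tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{newCert("server", false, &ca)},
		ClientAuth:   tls.RequireAndVerifyClientCert, ClientCAs: pool,
	}))
	defer ln.Close()
	go func() {
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			go serve(c.(*tls.Conn))
		}
	}()
	declared, _ = connect(ln.Addr().String(), pool, newCert("alice", false, &ca))
	_, undeclaredErr = connect(ln.Addr().String(), pool, newCert("bob", false, &ca))
	return declared, undeclaredErr
}
```

Calling Demo() returns "pppd 10.8.0.1:10.8.0.2 noauth" for alice and a non-nil error for bob. Two details worth noting: the server reads the client's identity from the verified certificate chain rather than from anything the client says after the handshake, and under TLS 1.3 a client whose certificate the server rejects only learns this on its first read, which is why connect treats a failed banner read as a refused session rather than assuming tls.Dial alone proves acceptance.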