Debugging a PPP connection

Jun 6 04:33:26 slave-lan sudo:   vpn1 : user NOT in sudoers ; TTY=ttyp0 ; PWD=/home/vpn1 ; USER=root ; COMMAND=/sbin/route
Jun 6 05:32:12 slave-lan sudo:   vpn1 : command not allowed ; TTY=ttyp0 ; PWD=/home/vpn1 ; USER=root ; COMMAND=/sbin/route

In the first entry, the user isn't found in the sudoers file and should be added. In the second, the user is found but isn't allowed to execute that particular command as root. Again, sudoers should be edited and that command added to the Cmnd_Alias line shown earlier.

You can also check whether the PPP daemon executed correctly. If, in the messages file, it looks like it was never executed on the slave, try starting it by hand and see if it works. You should at least see that it says it was started in the messages file. You can also check the syslog file for errors such as "This system lacks kernel support for PPP." This, of course, means that you should recompile PPP into your kernel.

On the master, you should check for similar PPP daemon errors in syslog, especially for messages such as this:

Jun 4 20:51:41 master-lan pppd[19786]: Failed to open /dev/ptyp1: I/O error

This means that the PPP daemon is trying to start on a pseudo terminal that doesn't actually exist. It might be that your system uses a different naming convention for pseudo ttys from the one pty-redir is using; in this case, you'll want to check our tip in Section 8.4.2.6. Another possibility is that the SSH connection between the master and slave hadn't finished opening and the PPP daemon hadn't started completely on the slave, in which case you'll want to increase the sleep time in the VPN script from 10 seconds to something higher. Finally, it could be that the SSH connection closed before the PPP daemon started on the master. It should take longer than 10 seconds for the PPP daemon to time out, so you should probably look to SSH itself for the problem.
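As an added example (not part of the book, and not a tool shipped with SSH or pppd), the following POSIX shell script turns the checklist above into something you can run over a syslog file: it classifies each entry as one of the failure modes just described (user missing from sudoers, command not in the Cmnd_Alias, pty open failure on the master, missing kernel PPP support) and prints the fix the text prescribes. The log lines embedded in it are constructed to mirror the entries quoted above; the pppd "started by" success line, the diagnosis tokens and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: classify syslog entries from a PPP-over-SSH VPN into the
# remediation the text describes for each one.
# SAMPLE_LOG is constructed to mirror the entries discussed above; the
# "pppd ... started by" line is an assumed success message.

SAMPLE_LOG='Jun  6 04:33:26 slave-lan sudo:   vpn1 : user NOT in sudoers ; TTY=ttyp0 ; PWD=/home/vpn1 ; USER=root ; COMMAND=/sbin/route
Jun  6 05:32:12 slave-lan sudo:   vpn1 : command not allowed ; TTY=ttyp0 ; PWD=/home/vpn1 ; USER=root ; COMMAND=/sbin/route
Jun  4 20:51:41 master-lan pppd[19786]: Failed to open /dev/ptyp1: I/O error
Jun  4 20:52:02 slave-lan pppd[412]: This system lacks kernel support for PPP.
Jun  4 20:52:30 slave-lan pppd[413]: pppd 2.3.5 started by vpn1, uid 1001'

# diagnose_line LINE: print one diagnosis token for a single syslog line.
diagnose_line() {
    case "$1" in
        *"user NOT in sudoers"*)           echo "sudoers:add-user" ;;
        *"command not allowed"*)           echo "sudoers:add-command" ;;
        *"Failed to open /dev/"*)          echo "pppd:pty-naming-or-ssh-timing" ;;
        *"lacks kernel support for PPP"*)  echo "pppd:kernel-support" ;;
        *"pppd "*" started by "*)          echo "pppd:started" ;;
        *)                                 echo "unknown" ;;
    esac
}

# remedy TOKEN: the fix the text prescribes for each diagnosis token.
remedy() {
    case "$1" in
        sudoers:add-user)     echo "add the user to sudoers" ;;
        sudoers:add-command)  echo "add COMMAND to the user's Cmnd_Alias in sudoers" ;;
        pppd:pty-naming-or-ssh-timing)
            echo "check the pty naming pty-redir uses, or raise the sleep in the VPN script" ;;
        pppd:kernel-support)  echo "rebuild the kernel with PPP support" ;;
        pppd:started)         echo "nothing: pppd came up" ;;
        *)                    echo "no rule; inspect manually" ;;
    esac
}

# sudo_user LINE / sudo_command LINE: fields needed for the sudoers fix.
sudo_user()    { printf '%s\n' "$1" | sed -n 's/.*sudo: *\([^ ]*\) :.*/\1/p'; }
sudo_command() { printf '%s\n' "$1" | sed -n 's/.*COMMAND=\([^ ]*\).*/\1/p'; }

# diagnose_log: read syslog lines on stdin; emit "host<TAB>token<TAB>detail".
diagnose_log() {
    while IFS= read -r line; do
        host=$(printf '%s\n' "$line" | awk '{print $4}')
        token=$(diagnose_line "$line")
        case "$token" in
            sudoers:*) detail="$(sudo_user "$line") $(sudo_command "$line")" ;;
            *)         detail="-" ;;
        esac
        printf '%s\t%s\t%s\n' "$host" "$token" "$detail"
    done
}

# Stand-alone run: report each sample line with the remedy it calls for.
tab=$(printf '\t')
printf '%s\n' "$SAMPLE_LOG" | diagnose_log | while IFS="$tab" read -r host token detail; do
    printf '%-11s %-31s %s\n' "$host" "$token" "$(remedy "$token")"
done
```

To use it on a real system, replace the `printf '%s\n' "$SAMPLE_LOG"` feed with `grep -h -e sudo: -e pppd /var/log/messages /var/log/syslog` (paths vary by system) and read the third column of the sudoers lines to see exactly which user and command need to go into sudoers.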

8.5.3 Getting Help with SSH

Because of its popularity, there is an enormous number of SSH users out there, so finding someone who has an answer to your particular question shouldn't be a problem. The best place may be the SSH mailing list, ssh@clinet.fi. To join the list, send email to majordomo@clinet.fi with "subscribe ssh" in the body of the message. You may want to first check the list archive at http://www.cs.hut.fi/ssh-archive. There's also a USENET newsgroup, comp.security.ssh, that is gatewayed with the mailing list. Other resources can be found at the SSH Home Page. If you think you've found a bug in SSH, you can report it to ssh-bugs@cs.hut.fi.

8.6 A Performance Evaluation

We tested the performance of this method of creating a VPN to give everyone a better idea of the performance degradation caused by the various encryption methods of SSH, as well as by the PPP connection. We used two 133 MHz Pentium systems (slow by today's standards, but we're looking only for relative values), each with 10Base-T (10 Mbps) Ethernet cards. The two systems were on the same switched-Ethernet backplane.

In our test, we transferred a 7 MB compressed binary file using the FTP protocol. We first did it ten times with just straight FTP to get a baseline. Next, we set up the VPN and did it with no encryption for ten trials. Finally, we performed ten trials each on three different ciphers: IDEA, Blowfish, and 3DES. The highest and lowest numbers were thrown out for each type of transfer, and an average was taken. We didn't test DES or arcfour, since they're disabled by default and aren't recommended by SSH's authors.

Table 8-1 shows the results of the test as the average number of kilobytes per second transferred and the average percent efficiency versus plain FTP. The fourth column is the percent efficiency versus a VPN with no encryption. The term "VPN" just describes the PPP connection through SSH, with the type of encryption used in parentheses.

Table 8-1. VPN Performance Showing Average Kbytes/Second Transferred and Percent Efficiency

Connection type (encryption)   Kbytes/second   Efficiency vs. plain FTP (%)   Efficiency vs. VPN with no encryption (%)
Plain FTP (none)               480             —                              233
VPN (none)                     206             43                             —
VPN (Blowfish)                 174             36                             85
VPN (IDEA)                     124             26                             60
VPN (3DES)                      96             20                             47

As you can see, the VPN connection of just PPP through SSH causes a considerable amount of performance degradation; this degradation is due solely to the overhead of the PPP and SSH protocols. It's interesting to note that, overall, adding encryption to the connection doesn't cause that much of an additional bottleneck. Obviously, though, some ciphers are more efficient than others, with Blowfish edging out IDEA and leaving 3DES in the dust.[1]

[1] Note that the percentage efficiencies versus no encryption that we calculated in our test are roughly equal to the percentages given by the SSH authors in the README.CIPHERS file that comes with the SSH distribution.