Debugging an SSH connection

    Jun 6 04:33:26 slave-lan sudo: vpn1 : user NOT in sudoers ; TTY=ttyp0 ; PWD=/home/vpn1 ; USER=root ; COMMAND=/sbin/route
    Jun 6 05:32:12 slave-lan sudo: vpn1 : command not allowed ; TTY=ttyp0 ; PWD=/home/vpn1 ; USER=root ; COMMAND=/sbin/route

In the first entry, the user isn't found in the sudoers file and should be added. In the second, the user is found but isn't allowed to execute that particular command as root. Again, sudoers should be edited and that command added to the Cmnd_Alias line shown earlier.

You can also check to see if the PPP daemon executed correctly. If, in the messages file, it looks like it was never executed on the slave, try starting it up by hand and see if it works. You should at least see that it says it was started in the messages file. You can also check the syslog file for errors such as "This system lacks kernel support for PPP". This, of course, means that you should recompile PPP into your kernel.

On the master, you should check for similar PPP daemon errors in syslog, especially for messages such as this:

    Jun 4 20:51:41 master-lan pppd[19786]: Failed to open /dev/ptyp1: I/O error

This means that the PPP daemon is trying to start on a pseudo terminal that doesn't actually exist. It might be that your system uses a different naming convention for pseudo ttys from the one pty-redir is using. In this case, you'll want to check our tip in Section 8.4.2.6. Another possibility is that the SSH connection between the master and slave had not finished opening and the PPP daemon hadn't started completely on the slave, in which case you'll want to increase the sleep time in the VPN script from 10 seconds to something higher. Finally, it could be that the SSH connection closed before the PPP daemon started on the master. It should take longer than 10 seconds for the PPP daemon to time out, so you should probably look to SSH itself for the problem.
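The checks above can be run mechanically over the slave's and master's syslog. The following triage script is an added example, not code from the book or its VPN script; it classifies the sudo and pppd messages this section describes and maps each to the fix the text recommends. The log lines embedded in it are constructed samples in the same format as the entries shown above.

```python
import re

# Constructed sample syslog lines (same formats as the entries discussed above).
SAMPLE_LOG = """\
Jun  6 04:33:26 slave-lan sudo:  vpn1 : user NOT in sudoers ; TTY=ttyp0 ; PWD=/home/vpn1 ; USER=root ; COMMAND=/sbin/route
Jun  6 05:32:12 slave-lan sudo:  vpn1 : command not allowed ; TTY=ttyp0 ; PWD=/home/vpn1 ; USER=root ; COMMAND=/sbin/route
Jun  4 20:51:41 master-lan pppd[19786]: Failed to open /dev/ptyp1: I/O error
Jun  4 20:51:42 master-lan pppd[19790]: This system lacks kernel support for PPP
Jun  4 20:51:43 master-lan sshd[2020]: Accepted publickey for vpn1 from 10.0.0.2
"""

# Classic BSD syslog layout: timestamp, host, program[pid]: message
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$")
# sudo's denial line: "<user> : <reason> ; TTY=... ; ... ; COMMAND=<cmd>"
SUDO_RE = re.compile(
    r"^\s*(?P<user>\S+) : (?P<why>user NOT in sudoers|command not allowed) ;"
    r".*COMMAND=(?P<cmd>\S+)")
# pppd failing to open the pseudo tty handed to it by pty-redir
PTY_RE = re.compile(r"Failed to open (?P<dev>/dev/\S+):")


def classify(line):
    """Return (host, problem, suggested fix) for a known failure, else None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    host, prog, msg = m["host"], m["prog"], m["msg"]
    if prog == "sudo":
        s = SUDO_RE.match(msg)
        if not s:
            return None
        if s["why"] == "user NOT in sudoers":
            return (host, "sudoers-missing-user", f"add {s['user']} to sudoers")
        return (host, "sudoers-command-denied",
                f"add {s['cmd']} to the Cmnd_Alias used by {s['user']}")
    if prog == "pppd":
        p = PTY_RE.search(msg)
        if p:
            return (host, "pppd-pty-open-failed",
                    f"{p['dev']} does not exist: check the pty naming pty-redir "
                    "uses, or raise the sleep time in the VPN script")
        if "lacks kernel support for PPP" in msg:
            return (host, "pppd-no-kernel-support", "recompile PPP into the kernel")
    return None


def triage(log_text):
    """Run classify() over every line and keep only the recognised failures."""
    return [c for c in (classify(l) for l in log_text.splitlines()) if c]
```

Lines from other daemons (the sshd line in the sample) are ignored, so the script can be pointed at a whole messages or syslog file.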

8.5.3 Getting Help with SSH

Because of its popularity, there is an enormous number of SSH users out there, so finding someone who has an answer to your particular question shouldn't be a problem. The best place may be the SSH mailing list, ssh@clinet.fi. To join the list, send email to majordomo@clinet.fi with "subscribe ssh" in the body of the message. You may want to first check the list archive at http://www.cs.hut.fi/ssh-archive/. There's also a USENET newsgroup, comp.security.ssh, that is gatewayed with the mailing list. Other resources can be found at the SSH Home Page. If you think you've found a bug in SSH, you can report it to ssh-bugs@cs.hut.fi.

8.6 A Performance Evaluation

We tested the performance of this method of creating a VPN to give everyone a better idea of the performance degradation caused by the various encryption methods of SSH, as well as by the PPP connection. We used two 133 MHz Pentium systems (slow by today's standards, but we're looking only for relative values), each with 10Base-T (10 Mbps) Ethernet cards. The two systems were on the same switched-Ethernet backplane.