кроме проброса портов
man ssh
SSH-BASED VIRTUAL PRIVATE NETWORKS
ssh contains support for Virtual Private Network (VPN) tunnelling using
the tun(4) network pseudo-device, allowing two networks to be joined
securely. The sshd_config(5) configuration option PermitTunnel controls
whether the server supports this, and at what level (layer 2 or 3 traf‐
fic).
The following example would connect client network 10.0.50.0/24 with
remote network 10.0.99.0/24, provided that the SSH server running on the
gateway to the remote network, at 192.168.1.15, allows it:
# ssh -f -w 0:1 192.168.1.15 true
# ifconfig tun0 10.0.50.1 10.0.99.1 netmask 255.255.255.252
Client access may be more finely tuned via the /root/.ssh/authorized_keys
file (see below) and the PermitRootLogin server option. The following
entry would permit connections on the first tun(4) device from user
“jane” and on the second device from user “john”, if PermitRootLogin is
set to “forced-commands-only”:
tunnel="1",command="sh /etc/netstart tun1" ssh-rsa ... jane
tunnel="2",command="sh /etc/netstart tun1" ssh-rsa ... john
Since a SSH-based setup entails a fair amount of overhead, it may be more
suited to temporary setups, such as for wireless VPNs. More permanent
VPNs are better provided by tools such as ipsecctl(8) and isakmpd(8).