Warning:
Show this hint to network management and your legal advisor before implementing this. You can surf the intranet and launch any network application that uses TCP/UDP as well. Query databases, mount network shares, hop over the corporate networks. Basically, because you have SSH and a Unix machine on the inside (also possible with VirtualPC!), you are now in full control of the network, so use it wisely and bail out now if you do not foresee the consequences.
[robg adds: I have not tested this one, and I'll be honest and admit that some of it is clearly over my head...]
Here's the hint, with the following names used in this example:
workmac.firm: The Mac inside the work network, on IP range 192.168
fw.work.com: The firewall machine at your work
homemac: Your home Mac
VPN network: home 10.9.8.7, work 10.9.8.6 (unlikely subnet?)
At work: Install Remote Desktop
On workmac.firm, where you have root, add these two lines to the sudoers file (edit it with sudo visudo):
Cmnd_Alias VPN=/usr/sbin/pppd,/sbin/route
%vpn ALL=(ALL) NOPASSWD: VPN
You should install your SSH keys on fw.work.com. Then, from homemac, start an SSH tunnel that forwards workmac's SSH port:
ssh -X -L 2222:workmac.firm:22 fwuser@fw.work.com
Next, install root@homemac's SSH keys on workmac.firm over the tunnel. For PPP tunneling, it is important that nothing is written to stdout at login, so touch your ~/.hushlogin to get rid of banners and disable any other output you get at login. Test all SSH logins before proceeding: as yourself, and as root on homemac to the firewall and to the workmac. All hosts should be accepted by then, and there must be no password prompts; the logins have to use the SSH keys. Open a new shell and type:
$ sudo su -
$ ssh-keygen -t dsa
# just press Enter until you're done (no passphrase)
$ ssh -p 2222 -l workuser localhost 'mkdir .ssh && chmod 700 .ssh'
$ scp -P 2222 ~/.ssh/id_dsa.pub workuser@localhost:.ssh/pub
$ ssh -p 2222 -l workuser localhost 'cat .ssh/pub >> .ssh/authorized_keys2'
# logout all remote shells, to add fw.work.com as known host for root@homemac
$ sudo ssh fwuser@fw.work.com
logout
# open the tunnel again (tunnelhost will resolve internal DNS)
ssh -X -L 2222:workmac.firm:22 fwuser@fw.work.com
Now install and run this script, and then ping 10.9.8.6. Get the routing working at home (Apple needs to work on this; it does not seem to work on the first try, but the second try will work):
$ sudo route delete -net 192.168 10.9.8.6
$ sudo route add -net 192.168 10.9.8.6
$ ping some 192.168_host_you_know
You could add the IP of an internal nameserver in Network Prefs to resolve the internal DNS. SSH to workmac and add routes if needed. You now have the same network access as your office Mac -- all from the comfort of your home. You can control the Mac if you launch Remote Desktop and add the Mac, entering the IP and your login on workmac.firm.
To kill when done:
sudo kill -9 `ps wax|grep pppd|grep -v grep|awk '{print $1;}'`
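
For whoever administers workmac.firm, the sudoers rule above is the easiest trace of this setup to audit. The following is an added example, not part of the original hint: a shell function that resolves Cmnd_Alias definitions and lists NOPASSWD rules reaching pppd or route (it also flags NOPASSWD: ALL, which goes beyond the hint's two lines). The function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original hint. Reads sudoers text on stdin and
# prints "principal<TAB>command" for every NOPASSWD rule that reaches pppd,
# route, or ALL. Simplified parser: no line continuations or #include files.
audit_sudoers() {
    awk '
    /^[ \t]*#/ { next }                       # comments
    /^[ \t]*Cmnd_Alias[ \t]/ {                # Cmnd_Alias NAME=cmd1,cmd2
        line = $0
        sub(/^[ \t]*Cmnd_Alias[ \t]+/, "", line)
        eq = index(line, "=")
        name = substr(line, 1, eq - 1)
        gsub(/[ \t]/, "", name)
        alias[name] = substr(line, eq + 1)
        next
    }
    /NOPASSWD[ \t]*:/ {                       # remember rule, resolve later
        n++
        who[n] = $1
        what[n] = $0
        sub(/.*NOPASSWD[ \t]*:[ \t]*/, "", what[n])
        sub(/[ \t]+$/, "", what[n])
    }
    END {                                     # aliases may follow their use
        for (i = 1; i <= n; i++) {
            m = split(what[i], c, /[ \t]*,[ \t]*/)
            for (j = 1; j <= m; j++) {
                body = (c[j] in alias) ? alias[c[j]] : c[j]
                k = split(body, e, /[ \t]*,[ \t]*/)
                for (x = 1; x <= k; x++) {
                    path = e[x]
                    sub(/^[ \t]+/, "", path)
                    sub(/[ \t].*/, "", path)  # drop command arguments
                    if (path == "/usr/sbin/pppd" || path == "/sbin/route" || path == "ALL")
                        print who[i] "\t" path
                }
            }
        }
    }'
}

# Constructed sample input; the %vpn rule and alias mirror the hint.
sample_sudoers() {
    cat <<'EOF'
root ALL=(ALL) ALL
%vpn ALL=(ALL) NOPASSWD: VPN
Cmnd_Alias VPN=/usr/sbin/pppd,/sbin/route
backup ALL=(root) NOPASSWD: /usr/bin/rsync
EOF
}

sample_sudoers | audit_sudoers
```

On a real host, feed it the file as root, for example `sudo cat /etc/sudoers | audit_sudoers`.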

