From Hentschel
Jump to: navigation, search
(Setting up add'l hosts via Apache ProxyPass)
Line 104: Line 104:
 
server.hentschel.net is running CentOS. Files are in non-standard locations. To setup isy.hentschel.net on port 443:
 
server.hentschel.net is running CentOS. Files are in non-standard locations. To setup isy.hentschel.net on port 443:
 
* create a 'subdomain' on the hoster.  
 
* create a 'subdomain' on the hoster.  
[[File:hm-panel01.png|400px]][[File:hm-panel02.png|400px]]
+
[[File:hm-panel01.png|400px|left]]
 +
[[File:hm-panel02.png|400px|left]]

Revision as of 23:33, 26 March 2017

Setting up VPN via SSHD

from this link

  • enable
    • PermitTunnel yes
  • disable
    • AllowTcpForwarding yes

Important: Both sides need to run as root to create the tunnel device. Thus, 'ssh -w 0:0 root@www.hentschel.net' must run as root on the client side too.

        +---------------+            OpenSSH 4.3           +---------------+
        |   hentschel   | tun0 -- Tunnel Interface -- tun0 |   zm.home     |
        |  Has a tunnel | <------------------------------->|  Has a tunnel |  
        |  and ethernet | 10.0.0.100            10.0.0.200 |  and ethernet |
        +-------+-------+     point to point connection    +-------+-------+
           eth0 |                 creates a bridge                 | eth0  
 198.57.xxx.xxx |               that plugs machine B               | 192.168.1.100
       Routable |                  into network A                  |          
       address  |                                                  |
        here    |                                                  |
        +-------+-------+                                  +-------+-------+ 
        |   Network A   |                                  |   Network B   |
        |  The Internet |                                  | 192.168.1.1/24|
        |  Has internet |                                  |  Has internet |
        |               |                                  |  NAT gateway  |
        +---------------+                                  +---------------+

First, on zm.home, ensure IP forwarding is enabled via
sysctl net.ipv4.ip_forward
, and set it to enabled in /etc/sysctl.config if not.

Second, the gateway (default router) on network B needs to be modified to redirect traffic destined for host hentschel via eth0 on host zm.home. We don't redirect all internet traffic via the tunnel, just what is destined for the hentschel host. On the Asus router, that looks like this:

Under LAN->Route

To actually create the tunnel, here is what needs to happen:

on zm.home
  1. start ssh with -w0:0 (creates tun0 interfaces on both ends), both sides need to be logged in as root
  2. set tun0 to up
  3. assign ip address to tun 0
ssh -NTCf -w0:0 root@198.57.xxx.xxx 
ip link set tun0 up
ip addr add 10.0.0.200/24 peer 10.0.0.100 dev tun0
# not needed --> arp -Ds 10.0.0.200 eth0 pub     
once logged in on hentschel, the following needs to happen on that end
  1. set tun0 to up
  2. assign ip address to tun 0
  3. add route to network B
ip link set tun0 up
ip addr add 10.0.0.100/24 peer 10.0.0.200 dev tun0
ip route add 192.168.1.0/24 via 10.0.0.100

At this point, a request for any host on network B that originates on host hentschel will be answered. At the same time, traffic for hentschel from network B will be directed there via zm.home. Note that the web server on hentschel does not answer since it's interface is only set to the public interface.

Automating the login

remote script on hentschel

#!/bin/bash

/sbin/ip link set tun0 up
/sbin/ip addr add 10.0.0.100/24 peer 10.0.0.200 dev tun0
sleep 4
/sbin/ip route add 192.168.1.0/24 via 10.0.0.100

local script on zm.home:

#!/bin/bash

ssh -n -w 0:0 root@server.hentschel.net /bin/bash /root/bin/ssh-vpn-remote.sh &
sleep 1
/sbin/ip link set tun0 up
/sbin/ip addr add 10.0.0.200/24 peer 10.0.0.100 dev tun0

Here a few tricks at this link

Add the following to ~/.ssh/config (client side):

host targetserver
    ControlMaster auto
    ControlPath ~/.ssh/cm_sockets/%r@%h:%p

Then this will work:

$ ssh -fNT -Llocalport:remoteserver:remoteport targetserver
$ ssh -O check targetserver
Master running (pid=23450)
$ <do your stuff>
$ ssh -O exit targetserver
Exit request sent.
$ ssh -O check targetserver
Control socket connect(/home/sorin/.ssh/cm_socket/sorin@192.0.2.3:22): No such file or directory

Also, there seem to be timing dependencies between the commands and when they execute

Setting up add'l hosts via Apache ProxyPass

server.hentschel.net is running CentOS. Files are in non-standard locations. To setup isy.hentschel.net on port 443:

  • create a 'subdomain' on the hoster.
Hm-panel01.png
Hm-panel02.png