|Required Linux/Unix skills to execute this task: Advanced|
SSH Tunneling Howto
Imagine you know a remote location with internet access, someway far off and not reachable from your home network, where you like to place a Radarcape. Unfortunately this network is not directly accessible from your home network, as no domain name (like modesbeast.com) is given to it. In that case you can let the Radarcape establish a tunnel connection to a known address, reachable by both, the user and the Radarcape. Such a SSH tunnel is secured by SSH, and this is the common way in networking.
Firewall Port Opening
One way to achieve access is to open the firewall into the remote network. This is known as port mapping. Therefore, consult your router/firewall manual and enter the ports required into the mapping table. In most cases it also is necessary to give it a DNS name, as mostly the IP adress is not stable. Unfortunately that weakens its security, and sometimes the administrator/owner of the far end local network does not permit doing so.
Tunneling of the receiver access through firewalls (SSH tunneling)
Installation of a SSH tunnel
The SSH tunnel is a way to prepare a connection without opening a firewall. With this methode, the Radarcape establishes a connection to a given server and provides its ports right there.
- Generate a SSH key pair on the local Radarcape
cd ~/.ssh dropbearkey -t rsa -f id_rsa
- note the given public key string. If forgotten, you may later retrieve it with
dropbearkey -t rsa -f ~/.ssh/id_rsa -y
- set attributes of ~, .ssh and authorized_keys to 600
- check that on the Radarcape the /home/root is also owned by user root. Recently it occured sometimes that xroot:xroot was the owner
chown root:root /home/root
The file id_rsa is the so called , a file which never should leave your room. You should not transfer it over public lines. Another information, the so public key, which most probable starts with ssh-rsa AAAAB3NzaC1y and ends with root@radarcape, needs to be inserted into the file ~/.ssh/authorized_keys on the computer you want to connect (aka server). This phrase is safe to be published.
The server is the common connection point for the user and the Radarcape. It is not necessarily a computer for its own, it can even be the computer that hosts the PC application, or even a Radarcape by its own.
Copy the public key given from above command to the server folder ~/.ssh/authorized_keys. Maybe you need to use an editor in order to edit the given single line public key to an existing file. Mind that the attributes of ~, .ssh and authorized_keys are set to 600.
If correctly done, you must be able to login via ssh from the Radarcape to the server without entering a password. As long as this does not work, there is still some fault. dropbear ssh, which is used on the Radarcape, does not automatically use the ssh keys. Therefore, you need to specify
ssh -i ~/.ssh/id_rsa <your_servername_or_ip>
Radarcape 2nd step
On the local Radarcape, add the command below to cape.sh. Remember that cape.sh runs without user settings, so you need to specify the path to the SSH key absolute.
./autossh -M 6667 -f -p <server_ssh_port> -i /home/root/.ssh/id_rsa -N -R *:8002:localhost:80 -R *:1302:localhost:10003 -R *:2202:localhost:22 root@<server_domain> &
Now the local Radarcape's ports 80, 10003 and 22 are accessible on <server_domain> under port 8002, 1302 and 2202.
Note: autossh is a tool we have locally compiled and will provide on the server later
If the server is also a Radarcape, and in case that you want to get access from external devices to the ports through the tunnel, you need to add switch "-a" to the dropbear startup file /lib/systemd/system/dropbear@.service.