Radarcape:SSH Tunneling: Difference between revisions

From Beast Wiki
Latest revision as of 19:25, 25 March 2015

For Experts: Required Linux/Unix skills to execute this task: Advanced

SSH Tunneling Howto

Imagine you know a remote location with internet access, somewhere far off and not reachable from your home network, where you would like to place a Radarcape. Unfortunately this network is not directly accessible from your home network, as it has no domain name (like modesbeast.com). In that case you can let the Radarcape establish a tunnel connection to a known address that is reachable by both the user and the Radarcape. Such a tunnel is secured by SSH, and this is a common technique in networking.

Firewall Port Opening

One way to achieve access is to open the firewall into the remote network. This is known as port mapping. To do so, consult your router/firewall manual and enter the required ports into the mapping table. In most cases it is also necessary to give the remote site a DNS name, as its IP address is mostly not stable. Unfortunately this weakens the security of the remote network, and sometimes the administrator/owner of the far-end local network does not permit it.

Tunneling of the receiver access through firewalls (SSH tunneling)

EXPERTS ONLY

Installation of a SSH tunnel

The SSH tunnel is a way to prepare a connection without opening a firewall. With this method, the Radarcape establishes a connection to a given server and provides its ports right there.

Radarcape essentials
  • Generate a SSH key pair on the local Radarcape:
cd ~/.ssh
dropbearkey -t rsa -f id_rsa
  • Note the public key string that is printed. If forgotten, you may later retrieve it with:
dropbearkey -t rsa -f ~/.ssh/id_rsa -y
  • Set the attributes of ~, .ssh and authorized_keys to 600.
  • Check that on the Radarcape /home/root is also owned by user root. Recently it occurred sometimes that xroot:xroot was the owner:
chown root:root /home/root


The file id_rsa is the so-called private key, a file which should never leave your room. You should not transfer it over public lines. The other piece of information, the so-called public key, which most probably starts with ssh-rsa AAAAB3NzaC1y and ends with root@radarcape, needs to be inserted into the file ~/.ssh/authorized_keys on the computer you want to connect to (aka the server). This string is safe to publish.

Server essentials

The server is the common connection point for the user and the Radarcape. It is not necessarily a computer of its own; it can even be the computer that hosts the PC application, or even a Radarcape by itself.

Copy the public key printed by the command above to the server file ~/.ssh/authorized_keys. You may need to use an editor in order to append the single-line public key to an existing file. Mind that the attributes of ~, .ssh and authorized_keys are set to 600.
If correctly done, you must be able to log in via ssh from the Radarcape to the server without entering a password. As long as this does not work, there is still some fault. dropbear ssh, which is used on the Radarcape, does not automatically use the ssh keys. Therefore, you need to specify the key explicitly:

ssh -i ~/.ssh/id_rsa <your_servername_or_ip>
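When the passwordless login does not work, the usual culprits are the ones the Howto lists: wrong ownership of /home/root, a private key or authorized_keys that is not mode 600, or a ~/.ssh directory writable by others. The following POSIX shell check is an added example, not part of the Beast Wiki page; the function name check_ssh_layout and its two arguments are assumptions made for this illustration. Run it on the Radarcape against /home/root and on the server against the login user's home; it prints a reason for every failed check and returns non-zero, so it doubles as a quick diagnostic.

```shell
#!/bin/sh
# Added example: verifies the permission/ownership preconditions the
# Howto lists. Not part of the Beast Wiki page.
#
# Usage: check_ssh_layout <home_dir> <expected_owner>
# Returns 0 when
#   - <home_dir> is owned by <expected_owner>,
#   - <home_dir> and <home_dir>/.ssh are not group- or world-writable,
#   - .ssh/id_rsa (the private key) exists with mode exactly 600,
#   - .ssh/authorized_keys, if present, has mode 600 and holds at least
#     one line that looks like an SSH public key.
check_ssh_layout() {
  home=$1
  owner=$2
  ok=0

  if [ "$(stat -c '%U' "$home")" != "$owner" ]; then
    echo "FAIL: $home is owned by $(stat -c '%U' "$home"), expected $owner"
    ok=1
  fi

  for dir in "$home" "$home/.ssh"; do
    if [ ! -d "$dir" ]; then
      echo "FAIL: $dir is missing"
      ok=1
      continue
    fi
    # %A prints e.g. drwx------ ; position 6 is group write, 9 is other write
    case "$(stat -c '%A' "$dir")" in
      ?????w*|????????w*)
        echo "FAIL: $dir is group- or world-writable"
        ok=1 ;;
    esac
  done

  key="$home/.ssh/id_rsa"
  if [ ! -f "$key" ]; then
    echo "FAIL: private key $key is missing"
    ok=1
  elif [ "$(stat -c '%a' "$key")" != "600" ]; then
    echo "FAIL: $key has mode $(stat -c '%a' "$key"), expected 600"
    ok=1
  fi

  auth="$home/.ssh/authorized_keys"
  if [ -f "$auth" ]; then
    if [ "$(stat -c '%a' "$auth")" != "600" ]; then
      echo "FAIL: $auth has mode $(stat -c '%a' "$auth"), expected 600"
      ok=1
    fi
    if ! grep -q '^ssh-' "$auth"; then
      echo "FAIL: $auth contains no ssh public key line"
      ok=1
    fi
  fi

  [ "$ok" -eq 0 ] && echo "OK: $home SSH layout looks sane"
  return "$ok"
}

# Constructed demo layout in a temporary directory (stands in for /home/root).
demo_home=$(mktemp -d)
chmod 700 "$demo_home"
mkdir -m 700 "$demo_home/.ssh"
printf 'constructed-private-key\n' > "$demo_home/.ssh/id_rsa"
chmod 600 "$demo_home/.ssh/id_rsa"
check_ssh_layout "$demo_home" "$(id -un)"
rm -rf "$demo_home"
```

The check relies on GNU/busybox stat -c, which the Radarcape's Linux provides; it deliberately tests the private key for exactly 600 rather than "not readable by others", because that is the value the Howto asks for and dropbear refuses a key it considers too open.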

Radarcape 2nd step

On the local Radarcape, add the command below to cape.sh. Remember that cape.sh runs without user settings, so you need to specify the absolute path to the SSH key.

./autossh -M 6667 -f -p <server_ssh_port> -i /home/root/.ssh/id_rsa -N -R *:8002:localhost:80 -R *:1302:localhost:10003 -R *:2202:localhost:22 root@<server_domain> & 

Now the local Radarcape's ports 80, 10003 and 22 are accessible on <server_domain> under ports 8002, 1302 and 2202.

Note: autossh is a tool we have locally compiled and will provide on the server later
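The autossh line above packs three reverse forwards into one command, and each -R has the shape bind_address:remote_port:localhost:local_port. The script below is an added example, not part of the Beast Wiki page: it assembles those -R options from short "remote:local" specs and validates them before anything is started. The function names build_reverse_forwards, valid_port and autossh_command, and the loopback default, are assumptions made for this illustration; the -M 6667, -N, -i and placeholder values are the ones from the Howto. Binding to 127.0.0.1 keeps the Radarcape's web, data and SSH ports reachable only from the server itself (and from whoever logs in there); the "*" bind from the Howto exposes them to every host that can reach the server and, as the Server Settings section explains, additionally needs dropbear's -a switch on the server side.

```shell
#!/bin/sh
# Added example (not from the Beast Wiki page): builds and checks the -R
# options for the autossh command in the Howto.
#
#   build_reverse_forwards <bind_addr> <remote:local>...
#
# prints e.g. "-R *:8002:localhost:80 -R *:1302:localhost:10003" and
# fails (exit 1) when a port is not in 1..65535, when a remote port is
# below 1024 (a privileged port on the server), or when the same remote
# port is requested twice (the second -R cannot bind and the forward
# is lost with only a warning in the ssh log).

valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

build_reverse_forwards() {
  bind=$1
  shift
  args=""
  seen=" "
  for spec in "$@"; do
    rport=${spec%%:*}
    lport=${spec#*:}
    if [ "$rport" = "$spec" ] || ! valid_port "$rport" || ! valid_port "$lport"; then
      echo "bad forward spec: $spec (expected remote_port:local_port)" >&2
      return 1
    fi
    if [ "$rport" -lt 1024 ]; then
      echo "remote port $rport is privileged; use 1024 or above" >&2
      return 1
    fi
    case "$seen" in
      *" $rport "*)
        echo "remote port $rport requested twice" >&2
        return 1 ;;
    esac
    seen="$seen$rport "
    # Quoted expansion, so a "*" bind address is never glob-expanded here.
    args="$args -R ${bind}:${rport}:localhost:${lport}"
  done
  printf '%s' "${args# }"
}

# Compose the full command line as in the Howto. The <server_ssh_port> and
# <server_domain> placeholders are kept as placeholders, and the line is
# printed rather than executed so it can be reviewed before it goes into cape.sh.
autossh_command() {
  fwd=$(build_reverse_forwards "$@") || return 1
  printf 'autossh -M 6667 -f -p <server_ssh_port> -i /home/root/.ssh/id_rsa -N %s root@<server_domain> &\n' "$fwd"
}

# Loopback-bound variant of the Howto's three forwards (web 80, data 10003, ssh 22).
autossh_command 127.0.0.1 8002:80 1302:10003 2202:22
```

If external devices really must reach the forwarded ports, pass '*' as the first argument (quoted, so the shell does not expand it) and set -a on the server's dropbear as described below; otherwise the loopback default is the safer choice and users reach the Radarcape through an ordinary ssh -L forward to the server.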

Server Settings

If the server is also a Radarcape, and you want to give external devices access to the ports through the tunnel, you need to add the switch "-a" to the dropbear startup file /lib/systemd/system/dropbear@.service.




Radarcape:Contents