-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathREADME
143 lines (98 loc) · 4.75 KB
/
README
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
Overview:
This script establishes and maintains an ssh reverse tunnel connection
from one location to another.
Problem:
Your work box sits behind a NAT router in the office, and you
want/need to access it from home whenever you need to via ssh, scp or
nx.
Solution:
This script will generate a reverse ssh tunnel from work to home
and make sure it stays up, re-establishing it whenever it drops.
Setup @ work
---------------------------------------------------------------------
Make sure this script (revpipe) is executable.
There are two configuration settings you MUST set in the revpipe
script itself.
youasroot@work emacs ~/bin/revpipe
Set HOME_ADDR and PORT variables as appropriate.
Here's a handy one-liner to run from a pc (e.g. your home desktop)
to get your current external IP address:
$ wget -q -O http://myexternalip.com/raw
Save the line above to ~/bin/getip, and chmod it to 755.
Then you can use 'getip' whenever you need to grab your ip.
In order for your tunnel to work, you'll need to be able to ssh
into your home pc as root, from work as root, as in:
youasroot@work~# ssh root@your_house
without a password, using ssh keys from work into your home pc.
To get your keys setup:
youasroot@work~# ssh-copy-id -i <pubkeyfile> root@your_house
where <pubkeyfile> is typically either of:
~/.ssh/id_dsa.pub or ~/.ssh/id_rsa.pub
Note:
revpipe must be run as root on your work box, and should be run
from root's crontab like so:
# crontab example to restart tunnel
MAILTO=''
#m h dom mon dow command
@reboot /path/to/revpipe 2>&1 >/dev/null
*/5 * * * * /path/to/revpipe 2>&1 >/dev/null
youasroot@work~# crontab -e
Use above command to edit root's crontab.
The crontab above will check the connection on reboot, and every 5
minutes thereafter while your work box is running. If the connection
test fails 5 times during a cron cycle, it will recreate the tunnel.
Advanced Work-side Configuration Options
---------------------------------------------------------------------
If you want to use a faster but less secure tunnel cipher, such as
arcfour or blowfish, you'll need to setup a Host section in your
~/.ssh/config file. Create the file if it does not already exist.
Example ~/.ssh/config Host section
Host <my.homepc.com OR my_home_ip_address>
Ciphers arcfour,arcfour128,arcfour256,blowfish-cbc
BatchMode yes
Compression yes
Setup @ home
---------------------------------------------------------------------
To get to your desktop at home, you'll need to configure your home
router to forward incoming ssh (port 22) to your box inside, and
make sure sshd is running on your box, and that you can ssh in as
root. (/etc/ssh/sshd_config)
PermitRootLogin yes
It's a VERY good idea, AFTER you have keys working from work to
disable password authentication in /etc/ssh/sshd_config on your
home desktop, as in:
PasswordAuthentication no
That way, login can only occur via keys, and that helps reduce
your exposure from the internet. You can also adjust your
firewall to limit access to only your Work's external ip address.
Using the Tunnel
---------------------------------------------------------------------
With this script connected from work to your home pc, accessing your
work pc from home is done by ssh-ing to localhost, on the configured
port, as in:
you@home$ ssh -p2222 workyou@localhost
This will go back through the local reverse tunnel endpoint, which
is at localhost:2222, dropping you right onto your work pc. Or, to
copy files to your work desktop:
you@home$ scp -P2222 /my/local/file workyou@localhost:~/Desktop/
NX server, from nomachine (www.nomachine.com), works great to deliver
a full graphical desktop experience over this reverse tunnel. To use
it, setup nxserver on your work box and use nxclient on your home
machine. In the client configuration, set your target to be
localhost, on the port you specified above. I'm writing this on my
work desktop from home. It spans two monitors fullscreen, and it
feels almost as fast as being there. Try it - it blows vnc away.
Other stuff
---------------------------------------------------------------------
Some other ssh settings to read up on:
ServerAliveCountMax
ServerAliveInterval
Use 'apropos ssh' for a list of related ssh manpages. ssh_config is a
good manpage to read. If the tunnel is isolated by your firewall by
IP addresses, you might consider a less robust tunnel cipher to
improve performance, like arcfour. Use root's ~/.ssh/config to modify
the cipher for this connection only.
See Advanced Work-side Configuration Options above for more
information. This cipher will only affect the tunnel, your sessions
back through the tunnel are still encrypted using your default
cipher.