diff --git a/README.md b/README.md index 92afead..2d60f61 100644 --- a/README.md +++ b/README.md @@ -3,6 +3,8 @@ Start at +* #### [Forward ports with a reverse SSH tunnel](ssh_tunnel.md) + * #### [JoinMarket on the RaspiBlitz](joinmarket/README.md) * #### [BTCPayServer on the RaspiBlitz](BTCPayServer/README.md) diff --git a/ssh_tunnel.md b/ssh_tunnel.md new file mode 100644 index 0000000..93a56f6 --- /dev/null +++ b/ssh_tunnel.md 
@@ -0,0 +1,92 @@ +# Forward ports with a reverse SSH tunnel + +## Advantages: +* no port forwarding needed on the LAN of the host +* encrypted connection +* hides the IP of the host + +## Requirements: +* a Virtual Private Server (VPS) - eg. a minimal package on Lunanode for ~3.5$/month +* root access on the VPS - only root can forward ports under no. 1000 +* ssh access to the host computer (from where the ports will be forwarded from) + +## On the host computer + +* Check for an ssh public key: +`$ cat ./.ssh/*.pub` + +* if there is none generate one (keep pressing ENTER): +`$ ssh-keygen -t rsa -b 4096` + +* copy the ssh publick key over to the VPS (fill in the VPS_IP_ADDRESS). +Will be prompted for the root password of the VPS. +`$ cat ~/.ssh/id_rsa.pub | ssh root@VPS_IP_ADDRESS 'cat >> ~/.ssh/authorized_keys && chmod -R 700 ~/.ssh/'` + +## Working on the VPS + +* login as root or run: +`sudo su -` + +* edit the sshd config: +`sudo nano /etc/ssh/sshd_config` + +* make sure these entries are active (uncommented, meaning there is no `#` at the beggining of the line). +Can just paste these on the end of the file: + ``` + RSAAuthentication yes + PubkeyAuthentication yes + GatewayPorts yes + AllowTcpForwarding yes + ClientAliveInterval 60 + ``` + CTRL+O, ENTER to save, CTRL+X to exit. + +* restart the sshd service (WARNING: you can lose acccess at this point if the config is wrong): +`sudo systemctl restart sshd` + +## Back to the host computer + +### Set up a systemd service + +* create the service file: +`sudo nano /etc/systemd/system/autossh-tunnel.service` + +* Paste the following and fill in the VPS_IP_ADDRESS. +Add more ports as required. 
+ + ``` + [Unit] + Description=AutoSSH tunnel service + After=network.target + + [Service] + User=root + Group=root + Environment="AUTOSSH_GATETIME=0" + ExecStart=/usr/bin/autossh -C -M 0 -v -N -o "ServerAliveInterval=60" -R 9735:localhost:9735 -R 443:localhost:443 -R 80:localhost:80 -R root@VPS_IP_ADDRESS + StandardOutput=journal + + [Install] + WantedBy=multi-user.target + ``` +* Enable and start the service: +`$ sudo systemctl enable autossh-tunnel` +`$ sudo systemctl start autossh-tunnel` + +* The port forwarding with a reverse ssh-tunnel is now complete. +You should be able access the of the host computer ports/services through the IP of the VPS. + +## Monitoring + +* Check if there are any errors on the host computer: +`$ sudo journalctl -f -n 20 -u autossh-tunnel` + +* To check if a tunnel is running on the VPS: +`$ netstat -tulpn` + + +## Resources + +https://github.com/rootzoll/raspiblitz/blob/master/FAQ.md#how-to-setup-port-forwarding-with-a-ssh-tunnel + +https://stadicus.github.io/RaspiBolt/raspibolt_20_pi.html#login-with-ssh-keys \ No newline at end of file
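Review bot: the README hunk adds a stray blank `+` line right after the new entry `* #### [Forward ports with a reverse SSH tunnel](ssh_tunnel.md)`, which splits the bullet list and renders the items with extra spacing; drop the empty line so the new entry sits in the same tight list as the JoinMarket and BTCPayServer links below it.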
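Review bot: the `ExecStart` line in the systemd unit of ssh_tunnel.md is broken: `-R 80:localhost:80 -R root@VPS_IP_ADDRESS` passes `root@VPS_IP_ADDRESS` as the argument of a dangling `-R`, so ssh rejects it as a bad remote forwarding specification and there is no destination host left; remove that last `-R` so the line ends `-R 80:localhost:80 root@VPS_IP_ADDRESS`. While in that unit, add `-o "ExitOnForwardFailure=yes"` so that autossh (which with `-M 0` relies on ssh's own `ServerAliveInterval`) actually exits and reconnects when a remote bind fails instead of holding a session with dead forwards, and give `[Service]` a `Restart=always` with a `RestartSec` so the tunnel comes back after ssh exits. In the sshd snippet, `RSAAuthentication yes` is a protocol-1 option that current OpenSSH no longer honours and only logs as deprecated; keep `PubkeyAuthentication yes` and drop it. `GatewayPorts yes` binds every `-R` forward of every SSH user on all VPS interfaces; since the text wants exactly that exposure for 9735/443/80, prefer `GatewayPorts clientspecified` and explicit `-R 0.0.0.0:443:localhost:443` forwards, and because the tunnel logs in as root, state that `PermitRootLogin prohibit-password` must be in effect so the key-only root account cannot be reached with a password. On the key-copy step, `chmod -R 700 ~/.ssh/` marks `authorized_keys` executable; `ssh-copy-id root@VPS_IP_ADDRESS` does the same append with the conventional 700/600 modes, and `cat ./.ssh/*.pub` only works from the home directory, so use `~/.ssh/*.pub` as the next command does. Minor: privileged ports are those below 1024, not 1000, and the text has typos in `publick`, `beggining`, `acccess` and the sentence `You should be able access the of the host computer ports/services`.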