
Accessing a NATed Server with a Linksys WRT54g and SSH Reverse Tunnels

June 21st, 2009 · No Comments

The web server we are using at work is NATed, which is not very convenient when working from home. Thankfully SSH tunnelling comes to the rescue. I will explain a little about my setup.

(Figure: SSH reverse tunnel setup diagram)

The work computer is NATed behind a firewall that I do not have control over, and it runs web and SSH servers which I would like to be accessible from home. The home computer also runs SSH and web servers which I want to be accessible from the Internet. My Linksys WRT54g router has the following configuration:

Firmware OpenWrt White Russian - With X-Wrt Extensions 0.9
Kernel Linux 2.4.30 #1 Sat Feb 3 13:16:08 CET 2007
MAC 00:00:00:00:00:00
Device Linksys WRT54G/GS/GL
Board Broadcom BCM947XX
Username root
Web mgt. console Webif²
Version r4580

I will show the following steps in my configuration:

  • How to make the home SSH and web servers Internet accessible.
  • How to make the SSH server on the Linksys router Internet accessible.
  • How to set up SSH key-based authentication on the Linksys.
  • How to set up remote tunnels.

Making Home SSH, HTTP and HTTPS servers Internet accessible

First you have to assign a static IP to the home computer via a DHCP reservation, for which you need the MAC address of the home computer's network card. To find it on Windows, open a command window and type ipconfig /all; on Linux and Mac OS X, open a terminal and type ifconfig. The value you are looking for is a 12-hex-digit value separated by colons or dashes (e.g. xx:xx:xx:xx:xx:xx).
Now go to the router web configuration page (usually http://192.168.1.1), click on the Network tab and then on the Hosts sub-tab. In the Static IP addresses (for DHCP) section, type the MAC address in the MAC Address text box (on the left) and, in the IP Address text box (on the right), type 192.168.1.x, where x is the address you want the home computer to have on your local LAN. Then click Add, Save Changes and Apply Changes. Disconnect and reconnect your LAN and make sure that your home computer has the assigned IP address.

Now navigate again to the router web configuration page and click on Network>Firewall. You now need to create 3 rules for forwarding external traffic to the home computer. The forwarding rules look like this:

Match                                   Target        Port
Protocol: tcp, Destination Ports: 22    192.168.1.x   22
Protocol: tcp, Destination Ports: 80    192.168.1.x   80
Protocol: tcp, Destination Ports: 443   192.168.1.x   443

Ports 22 (SSH), 80 (HTTP), 443 (HTTPS).

Now click Apply Changes and the home servers will be accessible from the Internet.

Making the SSH server on the Linksys router Internet Accessible

The SSH server on the Linksys router should be accessible from your LAN out of the box. If not, that probably means that you have not installed the dropbear SSH server; you can install it by navigating to System>Packages. First of all you need to move the SSH server from the default port 22 to another port (2222) to avoid conflicting with the home computer's SSH server when accessing it from the Internet. To change the port, ssh to the Linksys router and edit the file /etc/init.d/S*dropbear, changing the last line from:

/usr/sbin/dropbear

to

/usr/sbin/dropbear -p 2222

Now reboot the router and test that the SSH server on the Linksys has indeed moved to port 2222:

reboot
ssh -p 2222 linksys

To make the server internet accessible go to the router’s web interface Network>Firewall and add an accept rule for protocol tcp and port 2222.

Match                                   Target        Port
Protocol: tcp, Destination Ports: 2222  accept

Now click Apply Changes and the Linksys SSH server will be accessible from the Internet on port 2222.

Setting up SSH key-based authentication on Linksys

The first step is to create a public/private SSH key pair. On Linux and Mac OS X this can be done with the command

ssh-keygen -t rsa

This will create a directory ~/.ssh/ with the files id_rsa.pub and id_rsa. The former is the public key and the latter the private key.

If you are using PuTTY on Windows you need to download the PuTTYgen program to generate the keys.

Note: The public key format written by PuTTYgen is not recognised by *nix SSH servers; you need to convert it by removing the newline characters and the header and footer lines. More about this later.
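The conversion that note refers to, as an added example that is not part of the original post: a small POSIX shell function that turns the RFC 4716 block PuTTYgen saves (between ---- BEGIN SSH2 PUBLIC KEY ---- and ---- END SSH2 PUBLIC KEY ----) into the one-line form dropbear reads from /etc/dropbear/authorized_keys. The key body in the sample is constructed, not a real key.

```shell
#!/bin/sh
# Added example: convert a PuTTYgen-saved public key (RFC 4716 block) into the
# single-line authorized_keys format that dropbear and OpenSSH expect.
set -eu

# Reads the RFC 4716 block on stdin and writes one authorized_keys line.
putty_to_openssh() {
    awk '
        /^---- BEGIN SSH2 PUBLIC KEY ----/ { inkey = 1; next }
        /^---- END SSH2 PUBLIC KEY ----/   { inkey = 0; next }
        !inkey { next }
        /^Comment:/ {
            # Comment: "rsa-key-20090621" becomes the trailing key comment
            sub(/^Comment:[ \t]*/, ""); gsub(/"/, ""); comment = $0; next
        }
        /^[A-Za-z0-9-]+:/ { next }        # any other header line is dropped
        { body = body $0 }                # base64 lines are joined, newlines removed
        END {
            # The key type is encoded in the base64 prefix, so derive it instead
            # of assuming ssh-rsa (PuTTYgen can also generate ssh-dss keys).
            if (body ~ /^AAAAB3NzaC1yc2E/)      type = "ssh-rsa"
            else if (body ~ /^AAAAB3NzaC1kc3M/) type = "ssh-dss"
            else exit 1
            printf "%s %s%s\n", type, body, (comment == "" ? "" : " " comment)
        }'
}

# Constructed sample in the layout PuTTYgen writes; the body is NOT a real key.
SAMPLE_PUTTY_KEY='---- BEGIN SSH2 PUBLIC KEY ----
Comment: "rsa-key-20090621"
AAAAB3NzaC1yc2EAAAABJQAAAIEAQ09OU1RSVUNURUQt
U0FNUExFLU5PVC1BLVJFQUwtS0VZ==
---- END SSH2 PUBLIC KEY ----'

convert_sample() {
    printf '%s\n' "$SAMPLE_PUTTY_KEY" | putty_to_openssh
}

# Typical use on the home machine, appending the result to the router's key file:
#   putty_to_openssh < putty-key.pub | ssh -p 2222 root@linksys \
#       'cat >> /etc/dropbear/authorized_keys'
```

On a machine with OpenSSH installed, ssh-keygen -i -f putty-key.pub performs the same import.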

Now copy id_rsa.pub from your home computer to the router using the commands

scp -P 2222 ~/.ssh/id_rsa.pub root@linksys:
ssh -p 2222 root@linksys
cat ~/id_rsa.pub >> /etc/dropbear/authorized_keys
exit

Now try to ssh to the Linksys router; it should no longer ask you for a password.

Now repeat the same procedure but this time from a terminal in the work computer.

Once you can SSH without a password from both the work and home computers you can disable password authentication on the Linksys router. This tightens your security and removes the threat of the brute-force password-guessing attacks that constantly run across the Internet. You are strongly advised to disable password authentication, but this step is still optional.

To disable password authentication, ssh to the Linksys router and edit the file /etc/init.d/S*dropbear again, this time adding the additional switch -s to the init script. The dropbear start line now looks like this:
/usr/sbin/dropbear -p 2222 -s

Now reboot the router.

Setting up remote tunnels

From the work computer you can now set up remote tunnels to the Linksys router with the following commands.

ssh -p 2222 myhomenetwork.no-ip.org -R linksys:9000:workComputerIP:80 \
-R linksys:9001:workComputerIP:443 \
-R linksys:9002:workComputerIP:22

The above command creates an SSH connection from the work computer to the Linksys router on port 2222 and sets up 3 tunnels. The first tunnel is from port 9000 of the router to the Apache web server on the work computer, the second from port 9001 to the SSL Apache web server on the work computer, and the last from port 9002 of the Linksys router to the SSH server on the work computer. This means that the Linksys router is now able to connect to the 3 services (HTTP, HTTPS and SSH) provided by the work computer via ports 9000-9002. If the web server is not running on workComputerIP but on another server inside the work network you can still set up the tunnels by replacing workComputerIP with the web server's address, e.g.

ssh -p 2222 myhomenetwork.no-ip.org -R linksys:9000:workWebServer:80 \
-R linksys:9001:workWebServer:443 \
-R linksys:9002:workSSHServer:22

The tunnels are now up and running, but you would still like to access these services from the home computer rather than from the Linksys router. To achieve this you need to reconfigure the dropbear SSH server on the Linksys router to allow remote hosts to connect to the forwarded ports. To do this, SSH to the router and append the -a option in the /etc/init.d/S*dropbear file, i.e. change the line from:

/usr/sbin/dropbear -p 2222 -s

to

/usr/sbin/dropbear -p 2222 -s -a
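The three hand edits of the dropbear start line in this post (-p 2222 first, then -s, then -a) can be made in one idempotent step with the script below, which is added here and is not part of the original post or of OpenWrt. It assumes the init script path (S50dropbear is a guess; use whatever /etc/init.d/S*dropbear expands to on the router) and the key file /etc/dropbear/authorized_keys from the post, which it checks before enabling -s so a reboot cannot lock you out.

```shell
#!/bin/sh
# Added example: set the dropbear options in the OpenWrt init script in one
# idempotent step instead of hand-editing /etc/init.d/S*dropbear three times.
# Usage: set_dropbear_opts /etc/init.d/S50dropbear -p 2222 -s -a
# (S50dropbear is an assumed name; use the real S*dropbear file on the router)
set -eu

# Prints the options currently on the dropbear start line.
dropbear_opts() {
    sed -n 's|^/usr/sbin/dropbear *||p' "$1"
}

set_dropbear_opts() {
    script="$1"; shift
    opts="$*"
    keys="${DROPBEAR_KEYS:-/etc/dropbear/authorized_keys}"
    # -s switches off password logins; refuse it while no key is installed,
    # otherwise the next reboot locks you out of the router.
    case " $opts " in
        *" -s "*) [ -s "$keys" ] || { echo "refusing -s: $keys is empty or missing" >&2; return 1; } ;;
    esac
    # Exactly one start line must exist, so a wrong path or a duplicated line
    # cannot silently leave two dropbear instances fighting over the port.
    n=$(grep -c '^/usr/sbin/dropbear' "$script" || true)
    [ "$n" -eq 1 ] || { echo "expected one dropbear line in $script, found $n" >&2; return 1; }
    cp "$script" "$script.bak"
    # Rebuild the whole line from $opts; running again with the same options is a no-op.
    sed "s|^/usr/sbin/dropbear.*|/usr/sbin/dropbear $opts|" "$script.bak" > "$script"
    echo "dropbear will start as: /usr/sbin/dropbear $(dropbear_opts "$script")"
}
```

Because -a lets any host that can reach the router connect to the forwarded ports, keep 9000-9002 out of the WAN firewall rules (the post only forwards 22, 80, 443 and 2222) unless you intend to expose the work services to the Internet.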

Now reboot and, from your home computer's web browser, navigate to http://linksys:9000/ or https://linksys:9001/; for the work SSH server do: ssh -p 9002 linksys
Done.

Tags: opensource · SSH · Linksys
