RobMeerman.co.uk

User Tools

Site Tools

You are here: RobMeerman.co.uk » OSX (MacOS)
Trace:
osx:start

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision Both sides next revision
osx:start [2018/06/15 14:13]
robm [Middle-click via the trackpad] 		osx:start [2019/02/25 14:40]
robm [VPN over SSH] Add instructions for automating via SSH config files
Line 754: Line 754:
  
 More thorough networking (Ethernet layer, instead of link layer): http://sgros.blogspot.co.uk/2011/11/ssh-vpns-bridged-connection-to-lan.html More thorough networking (Ethernet layer, instead of link layer): http://sgros.blogspot.co.uk/2011/11/ssh-vpns-bridged-connection-to-lan.html
 +
 +===== Automating via SSH configuration files =====
 +
 +  - **As root** on your client system, generate a new SSH keypair to use for VPN. <code>ssh-keygen -f ~/.ssh/id_rsa_vpn -N ''</code>
 +  - Install new public key into remote system, and prefix with a ForeCommand which is run whenever this key is used to authenticate:<code>( \
 +  printf 'tunnel="0",command="ifconfig tun0 inet 172.16.0.1 dstaddr 172.16.0.2" ' ; \
 +  cat ~/.ssh/id_rsa_test.pub \
 +) | ssh root@www.robmeerman.co.uk tee -a .ssh/authorized_keys</code>
 +  - Configure client via ''~/.ssh/config''. Add the following to the end of ''.ssh/config'' (create it if it does not exist) and replace ''$SERVER'' with your server's hostname: <code>Host vpn
 +  Hostname $SERVER
 +  User root
 +  # Remote's .ssh/authorised_keys entry for this identity is prefixed with:
 +  # tunnel="0",command="ifconfig tun0 inet 172.16.0.1 dstaddr 172.16.0.2" ssh-rsa
 +  IdentityFile ~root/.ssh/id_rsa_vpn
 +  Tunnel yes
 +  TunnelDevice 0:0
 +  PermitLocalCommand yes
 +  LocalCommand ~root/.ssh/vpn.sh %h %T
 +  # Disable connection sharing, otherwise closing VPN may not actually reset
 +  # network settings because vpn.sh (cf. LocalCommand) continues to wait
 +  # for the `ssh` process to exit (which it may not if another session is
 +  # active)
 +  ControlPath none
 +  # Disable use of ssh-agent, as it seems to prevent our preferred identity
 +  # (cf. IdentityFile) being applied, which in turn means we don't trigger the
 +  # ForceCommand of the remote's authorized_keys file
 +  IdentityAgent none</code>
 +  - Create a new script on your client machine at ''~root/.ssh/vpn.sh'' which configures your Mac to route traffic headed to your server via the current gateway, and then change the default gateway (that applies to all __other__ traffic) to go via the new SSH ''tun'' device at 172.16.0.1, then wait for the ''ssh'' process to exit before returning settings to normal: <code>#!/bin/bash
 +# .ssh/config: LocalCommand vpn.sh %h %T
 +REMOTE_HOST=$1
 +TUNNEL_DEVICE=$2
 +
 +ifconfig $TUNNEL_DEVICE inet 172.16.0.2 172.16.0.1
 +ROUTE=$(route get $REMOTE_HOST)
 +GATEWAY=$(sed -ne 's/^ *gateway: //p' <<<"$ROUTE")
 +INTERFACE=$(sed -ne 's/^ *interface: //p' <<<"$ROUTE")
 +route add $REMOTE_HOST $GATEWAY
 +route add 10/8 $GATEWAY
 +route change default 172.16.0.1
 +WAIT_PID=$PPID
 +(
 +while kill -0 $WAIT_PID >/dev/null 2>&1; do sleep 0.5; done
 +# The route gets deleted when the SSH tunnel closes gracefully and tun0 disappears
 +route change default $GATEWAY
 +route add default $GATEWAY
 +route delete 10/8 $GATEWAY
 +route delete $REMOTE_HOST $GATEWAY
 +) &</code>
 +  - Make the new script executable: <code>chmod a+x ~root/.ssh/vpn.sh</code>
 +  - Test it by running <code>ssh vpn</code>
 +
 +Sample session showing the output from the commands above:
 +
 +<code>
 +# ssh-keygen -f ~/.ssh/id_rsa_vpn -N ''
 +Generating public/private rsa key pair.
 +Your identification has been saved in /var/root/.ssh/id_rsa_vpn.
 +Your public key has been saved in /var/root/.ssh/id_rsa_vpn.pub.
 +The key fingerprint is:
 +SHA256:4c8jh23lnMr7ZEmiDCCenKEEo6ROBDIku3XCmKLqqcw root@roberts-mbp
 +The key's randomart image is:
 ++---[RSA 2048]----+
 +|X+               |
 +|OB               |
 +|Bo* o          |
 +|** B . . .       |
 +|+.=   . S . o    |
 +|.      o * * o   |
 +|.       = B B    |
 +|+ .      = =     |
 +|oE        +o.    |
 ++----[SHA256]-----+
 +
 +# ( \
 +#   printf 'tunnel="0",command="ifconfig tun0 inet 172.16.0.1 dstaddr 172.16.0.2" ' ; \
 +#   cat ~/.ssh/id_rsa_test.pub \
 +# ) | ssh root@www.robmeerman.co.uk tee -a .ssh/authorized_keys
 +tunnel="0",command="ifconfig tun0 inet 172.16.0.1 dstaddr 172.16.0.2" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+pPee+HqiExk28lwKGcjoAMnkWRVKoQsn8b+90ST3HteZq1oCKtig49YOtlXDZGma0vR/y9Xbelk26xJfZO32BR3GCPou6XYSU67qwC8wK256H0LfTUlquUufklmKd3BaKamAtXU0JwhVxQCFH0hToG6dgc0FLelqs1r8u6cPni1wTxaId6epHrYCBrKvP+fwYz0S0K3e2opcqZUTwMyPYwu280UxQr2HYvzykdoJeiJtsKgneFRxhX7gnlKCYoia0fToKHel24GfUFfqipFrJbsm8LDYuVh5KVgx1J1Hx19Fu0LM3IIqoXQESob91TjTx1bq41iIMZ0n0td5gDVj root@roberts-mbp
 +
 +# ssh vpn
 +add host www.robmeerman.co.uk: gateway 10.1.36.1
 +add net 10: gateway 10.1.36.1
 +change net default: gateway 172.16.0.1
 +
 +# Nothing further appears to happen. VPN is up and running! Try `traceroute
 +# google.com` in another terminal to verify that the traffic is going via your
 +# server and not its default route.
 +
 +# When all done, press ^C to kill the VPN and restore default settings. Your
 +# prompt will return first, and *then* the clean-up code will execute and
 +# print:
 +^C
 +route: writing to routing socket: not in table
 +change net default: gateway 10.1.36.1: not in table
 +add net default: gateway 10.1.36.1
 +delete net 10: gateway 10.1.36.1
 +delete host www.robmeerman.co.uk: gateway 10.1.36.1
 +</code>
  
 ====== Global Keyboard Shortcut to toggle Skype microphone ====== ====== Global Keyboard Shortcut to toggle Skype microphone ======
osx/start.txt · Last modified: 2022/05/13 13:19 by robm

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Noncommercial-Share Alike 4.0 International
CC Attribution-Noncommercial-Share Alike 4.0 International Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki