osx:start

Differences

This shows you the differences between two versions of the page.

osx:start [2018/06/15 14:13]
robm [Middle-click via the trackpad]
osx:start [2019/02/25 14:42] (current)
robm [Automating via SSH configuration files]
Line 754: Line 754:
  
 More thorough networking (Ethernet layer, instead of link layer): http://​sgros.blogspot.co.uk/​2011/​11/​ssh-vpns-bridged-connection-to-lan.html More thorough networking (Ethernet layer, instead of link layer): http://​sgros.blogspot.co.uk/​2011/​11/​ssh-vpns-bridged-connection-to-lan.html
 +
 +===== Automating via SSH configuration files =====
 +
 +<note important>​All commands here are run as **root** on the client system</​note>​
 +
 +  - **As root** on your client system, generate a new SSH keypair to use for VPN. <​code>​ssh-keygen -f ~/​.ssh/​id_rsa_vpn -N ''</​code>​
 +  - Install new public key into remote system, and prefix with a ForeCommand which is run whenever this key is used to authenticate:<​code>​( \
 +  printf '​tunnel="​0",​command="​ifconfig tun0 inet 172.16.0.1 dstaddr 172.16.0.2"​ ' ; \
 +  cat ~/​.ssh/​id_rsa_test.pub \
 +) | ssh root@www.robmeerman.co.uk tee -a .ssh/​authorized_keys</​code>​
 +  - Configure client via ''​~/​.ssh/​config''​. Add the following to the end of ''​.ssh/​config''​ (create it if it does not exist) and replace ''​$SERVER''​ with your server'​s hostname: <​code>​Host vpn
 +  Hostname $SERVER
 +  User root
 +  # Remote'​s .ssh/​authorised_keys entry for this identity is prefixed with:
 +  # tunnel="​0",​command="​ifconfig tun0 inet 172.16.0.1 dstaddr 172.16.0.2"​ ssh-rsa
 +  IdentityFile ~root/​.ssh/​id_rsa_vpn
 +  Tunnel yes
 +  TunnelDevice 0:0
 +  PermitLocalCommand yes
 +  LocalCommand ~root/​.ssh/​vpn.sh %h %T
 +  # Disable connection sharing, otherwise closing VPN may not actually reset
 +  # network settings because vpn.sh (cf. LocalCommand) continues to wait
 +  # for the `ssh` process to exit (which it may not if another session is
 +  # active)
 +  ControlPath none
 +  # Disable use of ssh-agent, as it seems to prevent our preferred identity
 +  # (cf. IdentityFile) being applied, which in turn means we don't trigger the
 +  # ForceCommand of the remote'​s authorized_keys file
 +  IdentityAgent none</​code>​
 +  - Create a new script on your client machine at ''​~root/​.ssh/​vpn.sh''​ which configures your Mac to route traffic headed to your server via the current gateway, and then change the default gateway (that applies to all __other__ traffic) to go via the new SSH ''​tun''​ device at 172.16.0.1, then wait for the ''​ssh''​ process to exit before returning settings to normal: <​code>#​!/​bin/​bash
 +# .ssh/​config:​ LocalCommand vpn.sh %h %T
 +REMOTE_HOST=$1
 +TUNNEL_DEVICE=$2
 +
 +ifconfig $TUNNEL_DEVICE inet 172.16.0.2 172.16.0.1
 +ROUTE=$(route get $REMOTE_HOST)
 +GATEWAY=$(sed -ne 's/^ *gateway: //p' <<<"​$ROUTE"​)
 +INTERFACE=$(sed -ne 's/^ *interface: //p' <<<"​$ROUTE"​)
 +route add $REMOTE_HOST $GATEWAY
 +route add 10/8 $GATEWAY
 +route change default 172.16.0.1
 +WAIT_PID=$PPID
 +(
 +while kill -0 $WAIT_PID >/​dev/​null 2>&​1;​ do sleep 0.5; done
 +# The route gets deleted when the SSH tunnel closes gracefully and tun0 disappears
 +route change default $GATEWAY
 +route add default $GATEWAY
 +route delete 10/8 $GATEWAY
 +route delete $REMOTE_HOST $GATEWAY
 +) &</​code>​ This script is unlikely to work on other OS
 +  - Make the new script executable: <​code>​chmod a+x ~root/​.ssh/​vpn.sh</​code>​
 +  - Test it by running <​code>​ssh vpn</​code>​
 +
 +Sample session showing the output from the commands above:
 +
 +<​code>​
 +# ssh-keygen -f ~/​.ssh/​id_rsa_vpn -N ''​
 +Generating public/​private rsa key pair.
 +Your identification has been saved in /​var/​root/​.ssh/​id_rsa_vpn.
 +Your public key has been saved in /​var/​root/​.ssh/​id_rsa_vpn.pub.
 +The key fingerprint is:
 +SHA256:​4c8jh23lnMr7ZEmiDCCenKEEo6ROBDIku3XCmKLqqcw root@roberts-mbp
 +The key's randomart image is:
 ++---[RSA 2048]----+
 +|X+               |
 +|OB               |
 +|Bo* o   ​. ​       |
 +|** B . . .       |
 +|+.=   . S . o    |
 +|.      o * * o   |
 +|.       = B B    |
 +|+ .      = =     |
 +|oE        +o.    |
 ++----[SHA256]-----+
 +
 +# ( \
 +#   ​printf '​tunnel="​0",​command="​ifconfig tun0 inet 172.16.0.1 dstaddr 172.16.0.2"​ ' ; \
 +#   cat ~/​.ssh/​id_rsa_test.pub \
 +# ) | ssh root@www.robmeerman.co.uk tee -a .ssh/​authorized_keys
 +tunnel="​0",​command="​ifconfig tun0 inet 172.16.0.1 dstaddr 172.16.0.2"​ ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+pPee+HqiExk28lwKGcjoAMnkWRVKoQsn8b+90ST3HteZq1oCKtig49YOtlXDZGma0vR/​y9Xbelk26xJfZO32BR3GCPou6XYSU67qwC8wK256H0LfTUlquUufklmKd3BaKamAtXU0JwhVxQCFH0hToG6dgc0FLelqs1r8u6cPni1wTxaId6epHrYCBrKvP+fwYz0S0K3e2opcqZUTwMyPYwu280UxQr2HYvzykdoJeiJtsKgneFRxhX7gnlKCYoia0fToKHel24GfUFfqipFrJbsm8LDYuVh5KVgx1J1Hx19Fu0LM3IIqoXQESob91TjTx1bq41iIMZ0n0td5gDVj root@roberts-mbp
 +
 +# ssh vpn
 +add host www.robmeerman.co.uk:​ gateway 10.1.36.1
 +add net 10: gateway 10.1.36.1
 +change net default: gateway 172.16.0.1
 +
 +# Nothing further appears to happen. VPN is up and running! Try `traceroute
 +# google.com` in another terminal to verify that the traffic is going via your
 +# server and not its default route.
 +
 +# When all done, press ^C to kill the VPN and restore default settings. Your
 +# prompt will return first, and *then* the clean-up code will execute and
 +# print:
 +^C
 +route: writing to routing socket: not in table
 +change net default: gateway 10.1.36.1: not in table
 +add net default: gateway 10.1.36.1
 +delete net 10: gateway 10.1.36.1
 +delete host www.robmeerman.co.uk:​ gateway 10.1.36.1
 +</​code>​
  
 ====== Global Keyboard Shortcut to toggle Skype microphone ====== ====== Global Keyboard Shortcut to toggle Skype microphone ======
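Review bot: Step 2 of the new procedure installs the wrong public key: the command pipes `cat ~/.ssh/id_rsa_test.pub` into the server's authorized_keys (and the sample session repeats it), but step 1 generates `~/.ssh/id_rsa_vpn` and the client config points `IdentityFile` at `~root/.ssh/id_rsa_vpn`, so the `tunnel="0",command="ifconfig tun0 ..."` entry would never match the identity that `ssh vpn` presents and the forced command that configures tun0 would not run. Change that line to `cat ~/.ssh/id_rsa_vpn.pub` in both the step and the sample session. Two smaller naming slips in the same hunk: "ForeCommand" in step 2 should read "ForceCommand" (as the later config comment spells it), and the config comment refers to `.ssh/authorised_keys` while the file actually appended to is `.ssh/authorized_keys`. In vpn.sh, `route add 10/8 $GATEWAY` hard-codes the assumption that the client's local network is 10.0.0.0/8 (true for the sample's 10.1.36.1 gateway); a comment saying this line must be adapted to the local subnet would save readers on other networks from either pushing LAN traffic through the tunnel or excluding the wrong range, and `INTERFACE` is computed but never used. Since the VPN key is created with an empty passphrase and logs in as root, it is also worth adding `no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding` next to `tunnel="0"` and `command=...` in the authorized_keys entry: a forced command alone does not block port forwarding, so without those options a leaked key could still be used to tunnel arbitrary TCP connections through the server rather than only bring up tun0.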
osx/start.1529072035.txt.gz · Last modified: 2018/06/15 14:13 by robm