osx:start [2020/01/30 20:45] robm [GPG with remote forwarding] |
osx:start [2022/05/13 13:19] (current) robm [GPG with remote forwarding] |
Line 670: | Line 670: | ||
sudo route delete default | sudo route delete default | ||
sudo route add default $NAKED_GATEWAY_IP | sudo route add default $NAKED_GATEWAY_IP | ||
- | </ | ||
- | |||
- | ====== VPN over SSH ====== | ||
- | |||
- | * **Server**: GNU/Linux (Ubuntu 12.04) -- '' | ||
- | * **Client**: MacOS/BSD (El Capitan, v10.11.5) -- '' | ||
- | |||
- | Create and configure a tunnelled connection between client and server, via '' | ||
- | |||
- | - Go install http:// | ||
- | - SSH into the server and edit ''/ | ||
- | PermitRootLogin yes | ||
- | PermitTunnel yes | ||
- | </ | ||
- | - Restart SSHd on the server ('' | ||
- | - Log out of server (need to reconnect to make use of config changes) | ||
- | - **As root** on the client machine, SSH into the root account on the server with tun devices enabled via '' | ||
- | - Within the resulting root shell on the **server**, configure the new '' | ||
- | ifconfig tun0 inet 172.16.0.1 dstaddr 172.16.0.2 | ||
- | ifconfig tun0 | ||
- | ping 172.16.0.1 | ||
- | ping 172.16.0.2 | ||
- | </ | ||
- | - In a root shell on the **client**, configure the new '' | ||
- | ifconfig tun0 inet 172.16.0.2 172.16.0.1 | ||
- | ifconfig tun0 | ||
- | ping 172.16.0.2 | ||
- | ping 172.16.0.1 | ||
- | </ | ||
- | - Back in the root shell on the **server**, repeat '' | ||
- | - The tunnel is now configured. It will remain so until the SSH session is closed. | ||
- | |||
- | Configure IPv4 (ICMP+TCP+UDP) forwarding and Network Address Translation (NAT): | ||
- | |||
- | - In the root shell on the **server** (only needs to be done one per boot): < | ||
- | # Prepare networking stack for use by forced commands in | ||
- | # / | ||
- | # between 172.16.0.1 (this host) and 172.16.0.2 (remote end). | ||
- | |||
- | # We then want to enabling forwarding of IPv4 traffic, i.e. we want to act as a | ||
- | # router. We enable this in the kernel, and then ensure traffic originating | ||
- | # from the remote side of the point-to-point link is accepted, and any | ||
- | # responses are likewise accepted | ||
- | echo 1 > / | ||
- | / | ||
- | / | ||
- | -m state --state RELATED, | ||
- | / | ||
- | |||
- | # Any traffic originating from the remote side should go through Network | ||
- | # Address Translation (NAT), so responses from (e.g.) DNS servers are sent to | ||
- | # this host, so *we* can forward it to the remote end. This is the MASQUERADE | ||
- | # rule. | ||
- | / | ||
- | / | ||
- | |||
- | # Monitor packets | ||
- | watch -n0.5 -d ifconfig tun0 | ||
- | </ | ||
- | - As root on the **client**: < | ||
- | route add 10.0.0.0/8 -interface tun0 | ||
- | </ | ||
- | - IPv4 forwarding via '' | ||
- | |||
- | Note: The changes made to the server persist after the SSH session has ended. | ||
- | |||
- | To get name resolution working, you need to configure the client to use a DNS server at the remote end, e.g. | ||
- | |||
- | - Discover the DNS nameservers used by the **server**: < | ||
- | - Add these to the **client** system: < | ||
- | |||
- | You may also want to add your remote system' | ||
- | |||
- | Most useful guides: | ||
- | |||
- | * http:// | ||
- | * http:// | ||
- | * https:// | ||
- | * https:// | ||
- | * http:// | ||
- | * NAT: http:// | ||
- | * SSH, including forced-commands via '' | ||
- | |||
- | More thorough networking (Ethernet layer, instead of link layer): http:// | ||
- | |||
- | ===== Automating via SSH configuration files ===== | ||
- | |||
- | <note important> | ||
- | |||
- | - **As root** on your client system, generate a new SSH keypair to use for VPN. < | ||
- | - Install new public key into remote system, and prefix with a ForeCommand which is run whenever this key is used to authenticate:< | ||
- | printf ' | ||
- | cat ~/ | ||
- | ) | ssh root@www.robmeerman.co.uk tee -a .ssh/ | ||
- | - Configure client via '' | ||
- | Hostname $SERVER | ||
- | User root | ||
- | # Remote' | ||
- | # tunnel=" | ||
- | IdentityFile ~root/ | ||
- | Tunnel yes | ||
- | TunnelDevice 0:0 | ||
- | PermitLocalCommand yes | ||
- | LocalCommand ~root/ | ||
- | # Disable connection sharing, otherwise closing VPN may not actually reset | ||
- | # network settings because vpn.sh (cf. LocalCommand) continues to wait | ||
- | # for the `ssh` process to exit (which it may not if another session is | ||
- | # active) | ||
- | ControlPath none | ||
- | # Disable use of ssh-agent, as it seems to prevent our preferred identity | ||
- | # (cf. IdentityFile) being applied, which in turn means we don't trigger the | ||
- | # ForceCommand of the remote' | ||
- | IdentityAgent none</ | ||
- | - Create a new script on your client machine at '' | ||
- | # .ssh/ | ||
- | REMOTE_HOST=$1 | ||
- | TUNNEL_DEVICE=$2 | ||
- | |||
- | ifconfig $TUNNEL_DEVICE inet 172.16.0.2 172.16.0.1 | ||
- | ROUTE=$(route get $REMOTE_HOST) | ||
- | GATEWAY=$(sed -ne 's/^ *gateway: //p' <<<" | ||
- | INTERFACE=$(sed -ne 's/^ *interface: //p' <<<" | ||
- | route add $REMOTE_HOST $GATEWAY | ||
- | route add 10/8 $GATEWAY | ||
- | route change default 172.16.0.1 | ||
- | WAIT_PID=$PPID | ||
- | ( | ||
- | while kill -0 $WAIT_PID >/ | ||
- | # The route gets deleted when the SSH tunnel closes gracefully and tun0 disappears | ||
- | route change default $GATEWAY | ||
- | route add default $GATEWAY | ||
- | route delete 10/8 $GATEWAY | ||
- | route delete $REMOTE_HOST $GATEWAY | ||
- | ) &</ | ||
- | - Make the new script executable: < | ||
- | - Test it by running < | ||
- | |||
- | Sample session showing the output from the commands above: | ||
- | |||
- | < | ||
- | # ssh-keygen -f ~/ | ||
- | Generating public/ | ||
- | Your identification has been saved in / | ||
- | Your public key has been saved in / | ||
- | The key fingerprint is: | ||
- | SHA256: | ||
- | The key's randomart image is: | ||
- | +---[RSA 2048]----+ | ||
- | |X+ | | ||
- | |OB | | ||
- | |Bo* o | ||
- | |** B . . . | | ||
- | |+.= . S . o | | ||
- | |. o * * o | | ||
- | |. = B B | | ||
- | |+ . = = | | ||
- | |oE +o. | | ||
- | +----[SHA256]-----+ | ||
- | |||
- | # ( \ | ||
- | # | ||
- | # cat ~/ | ||
- | # ) | ssh root@www.robmeerman.co.uk tee -a .ssh/ | ||
- | tunnel=" | ||
- | |||
- | # ssh vpn | ||
- | add host www.robmeerman.co.uk: | ||
- | add net 10: gateway 10.1.36.1 | ||
- | change net default: gateway 172.16.0.1 | ||
- | |||
- | # Nothing further appears to happen. VPN is up and running! Try `traceroute | ||
- | # google.com` in another terminal to verify that the traffic is going via your | ||
- | # server and not its default route. | ||
- | |||
- | # When all done, press ^C to kill the VPN and restore default settings. Your | ||
- | # prompt will return first, and *then* the clean-up code will execute and | ||
- | # print: | ||
- | ^C | ||
- | route: writing to routing socket: not in table | ||
- | change net default: gateway 10.1.36.1: not in table | ||
- | add net default: gateway 10.1.36.1 | ||
- | delete net 10: gateway 10.1.36.1 | ||
- | delete host www.robmeerman.co.uk: | ||
</ | </ | ||
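Review bot: the removed block is the only place on this page that documents the sshd settings it told the reader to enable (`PermitRootLogin yes`, `PermitTunnel yes`) and the forced-command `tunnel="..."` prefix on the root key's authorized_keys entry, together with the `vpn.sh` clean-up that restores the default route (`route change default $GATEWAY`, `route delete 10/8 $GATEWAY`, `route delete $REMOTE_HOST $GATEWAY`). If the section moved to another page, add a link at the cut point (after `sudo route add default $NAKED_GATEWAY_IP`) so anyone who followed the old steps can still find both the revert of the sshd changes and the route clean-up; if it was dropped as obsolete, say so in the edit summary.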
Line 895: | Line 712: | ||
session | session | ||
</ | </ | ||
- | |||
These appear to be tried in the order listed, and if one aborts (e.g. press ESC for TouchID) the next is tried (i.e. the usual terminal password prompt) | These appear to be tried in the order listed, and if one aborts (e.g. press ESC for TouchID) the next is tried (i.e. the usual terminal password prompt) | ||
+ | |||
+ | To make this work from within '' | ||
+ | |||
+ | Install by first running: | ||
+ | |||
+ | < | ||
+ | brew install pam-reattach | ||
+ | </ | ||
+ | |||
+ | and then modifying ''/ | ||
+ | |||
+ | < | ||
+ | # sudo: auth account password session | ||
+ | auth | ||
+ | auth | ||
+ | auth | ||
+ | auth | ||
+ | account | ||
+ | password | ||
+ | session | ||
+ | </ | ||
====== Automatic fan control when on AC power to avoid sweaty palms ====== | ====== Automatic fan control when on AC power to avoid sweaty palms ====== | ||
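Review bot: the four `auth` lines added to `/etc/pam.d/sudo` have lost their module names and control keywords in this rendering, so the ordering the preceding sentence relies on ("tried in the order listed") cannot be checked; restore the complete lines and state that the `pam-reattach` entry must precede the TouchID entry, as that module requires. Also worth adding: keep a second root shell (`sudo -s`) open while editing, because a malformed line in this file leaves you unable to run `sudo` to repair it.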
Line 971: | Line 808: | ||
Server testcase: < | Server testcase: < | ||
+ | **Future direction**: | ||
====== Number Pad ====== | ====== Number Pad ====== | ||
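Review bot: `**Future direction**:` is added as a bare label with nothing visible after the colon, so it reads as an unfinished note; either fill in the planned change or leave the line out until there is something to say.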
Line 976: | Line 814: | ||
Satisfies [[https:// | Satisfies [[https:// | ||
+ | |||
+ | ====== Working with Certificates ====== | ||
+ | |||
+ | Tool to help with generating / converting certificates: | ||
+ | |||
+ | [[https:// | ||
+ | |||
+ | ====== Monitor Brightness Control (external monitor) ====== | ||
+ | |||
+ | [[https:// | ||
+ | |||
+ | < | ||
+ | brew cask install monitorcontrol | ||
+ | </ | ||
+ | |||
+ | ====== Fan Control ====== | ||
+ | |||
+ | (iStat Menus doesn' | ||
+ | |||
+ | https:// | ||
+ | |||
+ | ====== Change URL and file-type/ | ||
+ | |||
+ | https:// | ||
+ | |||
+ | or '' | ||
+ | |||
+ | ====== Download files from interactive SSH sessions ====== | ||
+ | |||
+ | iTerm2.app snippet: | ||
+ | |||
+ | < | ||
+ | alias download=" | ||
+ | Li4uIgogIGV4aXQgMQpmaQpmb3IgZmlsZW5hbWUgaW4gIiRAIgpkbwogIGlmIFsgISAtciAiJGZp | ||
+ | bGVuYW1lIiBdIDsgdGhlbgogICAgZWNobyBGaWxlICRmaWxlbmFtZSBkb2VzIG5vdCBleGlzdCBv | ||
+ | ciBpcyBub3QgcmVhZGFibGUuCiAgICBjb250aW51ZQogIGZpCgogIGZpbGVuYW1lNjQ9JChlY2hv | ||
+ | IC1uICIkZmlsZW5hbWUiIHwgYmFzZTY0KQogIGZpbGVzaXplPSggJCh3YyAtYyAiJHtmaWxlbmFt | ||
+ | ZX0iKSApCiAgcHJpbnRmICJcMDMzXTEzMzc7RmlsZT1uYW1lPSR7ZmlsZW5hbWU2NH07c2l6ZT0k | ||
+ | e2ZpbGVzaXplWzBdfToiCiAgYmFzZTY0IDwgIiRmaWxlbmFtZSIKICBwcmludGYgJ1xhJwpkb25l | ||
+ | Cg==' | ||
+ | |||
+ | </ | ||
+ | |||
+ | Also offered as an answer [[https:// | ||
+ |
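Review bot: the `download` alias in the new "Download files from interactive SSH sessions" section is stored only as a base64 blob, so a reader pasting it into a remote shell cannot see what it runs; decoding it shows a loop that, for each readable file, prints an iTerm2 `\033]1337;File=name=<base64 name>;size=<bytes>:` header followed by the base64-encoded file and a `\a` terminator. Put that decoded script beside the encoded form so it can be reviewed and edited. Separately, `brew cask install monitorcontrol` uses the old cask syntax; current Homebrew expects `brew install --cask monitorcontrol`.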