Yorizuka/server_behind_cgnat.txt

## server_behind_cgnat.txt
_______________________________________________________________________________

 8888        w                         8    888 888b.    Yb    dP 888b. .d88b.
 8www Yb dP w8ww .d88b 8d8b 8d8b. .d88 8     8  8  .8     Yb  dP  8  .8 YPwww.
 8     `8.   8   8.dP' 8P   8P Y8 8  8 8     8  8wwP'      YbdP   8wwP'     d8
 8888 dP Yb  Y8P `Y88P 8    8   8 `Y88 8    888 8     via   YP    8     `Y88P'

 #   Use an outside VPS to port-forward to a cgnated server
_______________________________________________________________________________

Note: this 'guide' is a cleaned up and edited version of my notes, so it's less of a generic tutorial & more of a personal cheat sheet.
Note: the socat "udp to tcp" tunnel is not a great solution, it creates a new tcp connection for each udp message. (I will fix this eventually)
Note: please dont blindly copy and pase this guide nor use this as a tutorial, this is more for me then it is for others.

###   On local server setup ssh key to login with to VPS
 > apt-get install autossh
 > ssh-keygen -b 4096


###   On external VPS configure port forwarding on ssh connections, allow root to login (so we can forward ports below 1024)
 edit `/etc/ssh/sshd_config` to enable `AllowTcpForwarding` & set `GatewayPorts` to `clientspecified`
 turn on `PasswordAuthentication` & root login for a bit
 if you need to setup root with ssh keys, temporarly set `PermitRootLogin` to `yes` instead of `prohibit-password`


 (TO GEN PASSWORD): > openssl rand -base64 18

 on the VPS
 > sudo passwd root
 reload ssh server with new config
 > sudo /etc/init.d/ssh restart


###   On local server
 upload ssh keys to root account
 > ssh-copy-id root@example.com
 login with the temp root password.

 forward port 80 on the VPS to local port 8080
 normal ssh > ssh -nNTv -R 0.0.0.0:80:localhost:8080 root@example.com
 or auto ssh (best) > autossh -M 0 -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -nNTv -R 0.0.0.0:80:localhost:8080 -R 0.0.0.0:443:localhost:8443 root@example.com


###   If UDP is needed
 it will need to be tunneled over TCP, socat can be used on VPS to tunnel UDP via TCP.
 Then that can travel through ssh, and then socat on the server can convert it back.

 in this case port `-R 0.0.0.0:64738:localhost:64738` is just a standard TCP tunnel via ssh it can be ignored
 (this was made for mumble that used both tcp and udp on port 64738)

 `-R 0.0.0.0:64739:localhost:64739` im using port 64739 to tunnel the socat TCP converted UDP to the local server
 `socat -T15 udp4-recvfrom:64738,reuseaddr,fork TCP:localhost:64739` is listing for UDP at 64738 and sending to 64739
 > ssh -nTv -R 0.0.0.0:64738:localhost:64738 -R 0.0.0.0:64739:localhost:64739 root@mumble.example.com "apt-get --assume-yes install socat && socat -T15 udp4-recvfrom:64738,reuseaddr,fork TCP:localhost:64739"
 or
 > autossh -M 0 -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -nT -R 0.0.0.0:64738:localhost:64738 -R 0.0.0.0:64739:localhost:64739 root@mumble.example.com "apt-get --assume-yes install socat && socat -T15 udp4-recvfrom:64738,reuseaddr,fork TCP:localhost:64739"

 on the local server run this to convert back the 64739 TCP to UDP at 64738
 > socat TCP4-LISTEN:64739,reuseaddr,fork UDP:localhost:64738


###   Clean up.
 turn off `PasswordAuthentication` in `/etc/ssh/sshd_config` and set `PermitRootLogin` to `prohibit-password`
 > sudo /etc/init.d/ssh restart
 remove the temp password from root, we have ssh keys uploaded now.
 > sudo passwd -d root

###   extras / most of u should skip this
 install a mumble server to the newly cgnat freed server
 > apt-get install mumble-server
 > dpkg-reconfigure mumble-server
	_______________________________________________________________________________

	8888 w 8 888 888b. Yb dP 888b. .d88b.
	8www Yb dP w8ww .d88b 8d8b 8d8b. .d88 8 8 8 .8 Yb dP 8 .8 YPwww.
	8 `8. 8 8.dP' 8P 8P Y8 8 8 8 8 8wwP' YbdP 8wwP' d8
	8888 dP Yb Y8P `Y88P 8 8 8 `Y88 8 888 8 via YP 8 `Y88P'

	# Use an outside VPS to port-forward to a cgnated server
	_______________________________________________________________________________

	Note: this 'guide' is a cleaned up and edited version of my notes, so it's less of a generic tutorial & more of a personal cheat sheet.
	Note: the socat "udp to tcp" tunnel is not a great solution, it creates a new tcp connection for each udp message. (I will fix this eventually)
	Note: please dont blindly copy and pase this guide nor use this as a tutorial, this is more for me then it is for others.

	### On local server setup ssh key to login with to VPS
	> apt-get install autossh
	> ssh-keygen -b 4096


	### On external VPS configure port forwarding on ssh connections, allow root to login (so we can forward ports below 1024)
	edit `/etc/ssh/sshd_config` to enable `AllowTcpForwarding` & set `GatewayPorts` to `clientspecified`
	turn on `PasswordAuthentication` & root login for a bit
	if you need to setup root with ssh keys, temporarly set `PermitRootLogin` to `yes` instead of `prohibit-password`


	(TO GEN PASSWORD): > openssl rand -base64 18

	on the VPS
	> sudo passwd root
	reload ssh server with new config
	> sudo /etc/init.d/ssh restart


	### On local server
	upload ssh keys to root account
	> ssh-copy-id root@example.com
	login with the temp root password.

	forward port 80 on the VPS to local port 8080
	normal ssh > ssh -nNTv -R 0.0.0.0:80:localhost:8080 root@example.com
	or auto ssh (best) > autossh -M 0 -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -nNTv -R 0.0.0.0:80:localhost:8080 -R 0.0.0.0:443:localhost:8443 root@example.com


	### If UDP is needed
	it will need to be tunneled over TCP, socat can be used on VPS to tunnel UDP via TCP.
	Then that can travel through ssh, and then socat on the server can convert it back.

	in this case port `-R 0.0.0.0:64738:localhost:64738` is just a standard TCP tunnel via ssh it can be ignored
	(this was made for mumble that used both tcp and udp on port 64738)

	`-R 0.0.0.0:64739:localhost:64739` im using port 64739 to tunnel the socat TCP converted UDP to the local server
	`socat -T15 udp4-recvfrom:64738,reuseaddr,fork TCP:localhost:64739` is listing for UDP at 64738 and sending to 64739
	> ssh -nTv -R 0.0.0.0:64738:localhost:64738 -R 0.0.0.0:64739:localhost:64739 root@mumble.example.com "apt-get --assume-yes install socat && socat -T15 udp4-recvfrom:64738,reuseaddr,fork TCP:localhost:64739"
	or
	> autossh -M 0 -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -nT -R 0.0.0.0:64738:localhost:64738 -R 0.0.0.0:64739:localhost:64739 root@mumble.example.com "apt-get --assume-yes install socat && socat -T15 udp4-recvfrom:64738,reuseaddr,fork TCP:localhost:64739"

	on the local server run this to convert back the 64739 TCP to UDP at 64738
	> socat TCP4-LISTEN:64739,reuseaddr,fork UDP:localhost:64738


	### Clean up.
	turn off `PasswordAuthentication` in `/etc/ssh/sshd_config` and set `PermitRootLogin` to `prohibit-password`
	> sudo /etc/init.d/ssh restart
	remove the temp password from root, we have ssh keys uploaded now.
	> sudo passwd -d root

	### extras / most of u should skip this
	install a mumble server to the newly cgnat freed server
	> apt-get install mumble-server
	> dpkg-reconfigure mumble-server