Created
January 24, 2024 12:48
-
-
Save froger-me/7935faa0f7cf1f275204b9a52d263b22 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Inspired from: | |
| # https://dev.to/bulletmark/create-a-reverse-ssh-tunnel-for-remote-access-to-a-restricted-machine-1ma0 | |
| # https://unix.stackexchange.com/questions/474848/ssh-remote-port-forwarding-with-multiple-ports | |
| # ----------------------------------------------- # | |
| # On local restricted machine to access | |
| sudo mkdir -p /etc/sshtunnel && \ | |
| sudo ssh-keygen -qN "" -f /etc/sshtunnel/id_rsa && \ | |
| sudo vim /etc/systemd/system/sshtunnel.service | |
| # BEGIN File content | |
| [Unit] | |
| Description=Service to maintain an ssh reverse tunnel | |
| Wants=network-online.target | |
| After=network-online.target | |
| StartLimitIntervalSec=0 | |
| [Service] | |
| Type=simple | |
| ExecStart=/usr/bin/ssh -qgNn \ | |
| -o ServerAliveInterval=30 \ | |
| -o ServerAliveCountMax=3 \ | |
| -o ExitOnForwardFailure=yes \ | |
| -o StrictHostKeyChecking=no \ | |
| -o UserKnownHostsFile=/dev/null \ | |
| -o PreferredAuthentications=publickey \ | |
| -i /etc/sshtunnel/id_rsa \ | |
| -R 0.0.0.0:3389:localhost:3389 \ | |
| -R 0.0.0.0:60022:localhost:22 \ | |
| -R 0.0.0.0:8080:localhost:80 \ | |
| -R 0.0.0.0:60443:localhost:443 \ | |
| -R 0.0.0.0:10000:localhost:10000 \ | |
| sshtunnel@domain.tld -p 22 | |
| Restart=always | |
| RestartSec=60 | |
| [Install] | |
| WantedBy=multi-user.target | |
| # END File content | |
| # Make sure to only use key authentication and | |
| # disallow root login in /etc/ssh/sshd_config | |
| PermitRootLogin no | |
| PasswordAuthentication no | |
| PermitEmptyPasswords no | |
| ChallengeResponseAuthentication no | |
| # ----------------------------------------------- # | |
| # On the server used to tunnel connexions | |
| sudo useradd -m -s /bin/true sshtunnel && | |
| sudo mkdir -p ~sshtunnel/.ssh && | |
| sudo vim ~sshtunnel/.ssh/authorized_keys | |
| # paste the content of local id_rsa.pub in ~sshtunnel/.ssh/authorized_keys and save-quit | |
| sudo chown -R sshtunnel:sshtunnel ~sshtunnel/.ssh && \ | |
| sudo chmod 700 ~sshtunnel/.ssh && \ | |
| sudo chmod 600 ~sshtunnel/.ssh/authorized_keys | |
| # WARNING: Exposes the restricted machine's ssh access to the public Internet | |
| # Make sure to use key authentication on the restricted machine! | |
| # Set the following in /etc/ssh/sshd_config | |
| GatewayPorts yes | |
| AllowTcpForwarding yes | |
| # Check with: | |
| sshd -T | grep -E 'GatewayPorts|AllowTcpForwarding' | |
| # Use after editing /etc/ssh/sshd_config | |
| sudo systemctl restart ssh | |
| # Edit /etc/apache2/sites-available/vhost-sub.domain.tld.conf | |
| <VirtualHost *:80> | |
| ServerName vhost-sub.domain.tld | |
| Redirect permanent / "https://vhost-sub.domain.tld" | |
| </VirtualHost> | |
| <VirtualHost *:443> | |
| ServerName vhost-sub.domain.tld | |
| ProxyPreserveHost On | |
| ProxyRequests Off | |
| ProxyVia On | |
| RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME} | |
| # Proxy all traffic to vhost-sub.domain.tld | |
| ProxyPass / http://localhost:60080/ | |
| ProxyPassReverse / http://vhost-sub.domain.tld/ | |
| </VirtualHost> | |
| # ----------------------------------------------- # | |
| # On local restricted machine to access | |
| sudo systemctl enable --now sshtunnel | |
| sudo systemctl status sshtunnel | |
| sudo journalctl -u sshtunnel | |
| # ----------------------------------------------- # | |
| # Removal | |
| # On the restricted machine: | |
| sudo systemctl disable --now sshtunnel | |
| sudo rm /etc/systemd/system/sshtunnel.service | |
| sudo rm -rf /etc/sshtunnel | |
| # On the server: | |
| sudo userdel -r sshtunnel | |
| # Set the following in /etc/ssh/sshd_config | |
| GateWayPorts no | |
| # Use after editing /etc/ssh/sshd_config | |
| sudo systemctl restart ssh |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment