From dfe765ac88f8a9a0d91f05cb4ae224fc8f5182c7 Mon Sep 17 00:00:00 2001 From: Christian Rotzoll Date: Tue, 2 Apr 2019 02:54:30 +0100 Subject: [PATCH] FAQ and switch off --- FAQ.md | 59 +++++++++++++++++ build_sdcard.sh | 3 + .../config.scripts/internet.sshtunnel.py | 66 ++++++++++++++----- 3 files changed, 110 insertions(+), 18 deletions(-) diff --git a/FAQ.md b/FAQ.md index 3902cb8..429936d 100644 --- a/FAQ.md +++ b/FAQ.md 
@@ -624,3 +624,62 @@ If that not works ry to ping the IP of the RaspiBlitz with `ping [IP-of-RaspiBli - Some Routers have `IP Isolation` switched on - not allowing to devices to connect If that all is not working: Join the conversation on [GitHub Issue #420](https://github.com/rootzoll/raspiblitz/issues/420). + +## How to setup port-forwarding with a SSH tunnel? + +To use a public server for port-forwarding thru a SSH tunnel you can use the following experimental script on the RaspiBlitz (since v1.2): + +`/home/admin/config.scripts/internet.sshtunnel.py` + +But first you need to make sure that the public server you are using is supporting SSH reverse tunneling and authentification by public authorized key. Check the `/etc/ssh/sshd_config` on the public server to contain the following settings: + +``` +RSAAuthentication yes +PubkeyAuthentication yes +GatewayPorts yes +AllowTcpForwarding yes +``` + +You can add those at the end of the file, save and reboot. + +On the RaspiBlitz you can then setup for example to forward the gRPC port 10009 (internal port) to the port 20009 on the public server (external port) with the user = `test` and server address = `raspiblitz.com` with the following command: + +`/home/admin/config.scripts/internet.sshtunnel.py on test@raspiblitz.com 10009:20009` + +You can even set multiple port forwardings like with: + +`/home/admin/config.scripts/internet.sshtunnel.py on test@raspiblitz.com 10009:20009 8080:9090` + +Please beware that after you set such a port forwarding you need to set the domain of the public server as a `DynamicDNS` name (leave update url empty) and then connect mobile wallets fresh or export again the macaroons/certs. When connecting the mobile wallets you may need to adjust ports manually after QR code scan. And if you SSH tunnel the LND node port `9735` you may also need to sun the custom LND port script and maybe also a manual set of the domain in the LND service is needed. This all is very experimental at the moment ... 
better integration will come in the future. + +To switch this SSH tunneling off again use: + +`/home/admin/config.scripts/internet.sshtunnel.py off` and also deactivate the DynamicDNS again. + +## How to setup just a port-forwarding user on my public server? + +Make sure the `/etc/ssh/sshd_config` has the following lines at the end: + +``` +RSAAuthentication yes +PubkeyAuthentication yes +GatewayPorts yes +AllowTcpForwarding yes +AuthorizedKeysFile /etc/ssh/authorized_keys/%u +``` + +The last one stores all authorized_keys in one directory with a file per user. See https://serverfault.com/questions/313465/is-a-central-location-for-authorized-keys-a-good-idea#424659 To prepare this run: +``` +mkdir /etc/ssh/authorized_keys +groupadd forwardings +``` + +To add a forwarding user run: +``` +useradd -g forwardings -d /home [USERNAME] +echo "command="date" [CONTENT-OF-RASPIBLITZ-ROOT-SSH-PUBKEY]" > /etc/ssh/authorized_keys/[USERNAME] +passwd [USERNAME] +``` + +The `[CONTENT-OF-RASPIBLITZ-ROOT-SSH-PUBKEY]` you get when running the `internet.sshtunnel.py` script on the RaspiBlitz (see above). + diff --git a/build_sdcard.sh b/build_sdcard.sh index f1a00af..4d44cd1 100644 --- a/build_sdcard.sh +++ b/build_sdcard.sh @@ -237,6 +237,9 @@ sudo apt-get install -y vnstat # prepare for BTRFS data drive raid sudo apt-get install -y btrfs-tools +# prepare for ssh reverse tunneling +sudo apt-get install -y autossh + # prepare for display graphics mode # see https://github.com/rootzoll/raspiblitz/pull/334 sudo apt-get install -y fbi diff --git a/home.admin/config.scripts/internet.sshtunnel.py b/home.admin/config.scripts/internet.sshtunnel.py index 8809eeb..dc87da3 100755 --- a/home.admin/config.scripts/internet.sshtunnel.py +++ b/home.admin/config.scripts/internet.sshtunnel.py 
@@ -39,10 +39,10 @@ WantedBy=multi-user.target if sys.argv[1] == "on": # check if already running - #already_running = subprocess.check_output("systemctl is-enabled %s" % (SERVICENAME) ,shell=True, universal_newlines=True) - #if str(already_running).count("enabled") > 0: - # print("already ON - run 'internet.sshtunnel.py off' first") - # sys.exit(1) + already_running = subprocess.check_output("systemctl is-enabled %s" % (SERVICENAME) ,shell=True, universal_newlines=True) + if str(already_running).count("enabled") > 0: + print("already ON - run 'internet.sshtunnel.py off' first") + sys.exit(1) # check server address if len(sys.argv) < 3: 
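Review bot: `subprocess.check_output` raises `CalledProcessError` whenever `systemctl is-enabled` exits non-zero, which it does both for a disabled unit and for a unit file that does not exist yet, so the re-enabled check aborts the `on` path with a traceback in exactly the normal first-run case; the same applies to the `off` path in the `@@ -115,12 +139,18 @@` hunk, where "Was already OFF" is never reached. The substring test is wrong as well, since `"disabled".count("enabled")` is 1, so a service that exists but is disabled would be reported as already on. Capture the output without raising and compare the trimmed status: `status = subprocess.run(["systemctl", "is-enabled", SERVICENAME], stdout=subprocess.PIPE, universal_newlines=True).stdout` followed by `if status.strip() == "enabled":` (and `!= "enabled"` in the off branch). The enclosing `if sys.argv[1] == "on":` block continues past the end of the hunk.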
@@ -87,26 +87,50 @@ if sys.argv[1] == "on": service_data = SERVICETEMPLATE.replace("[PLACEHOLDER]", additional_parameters) # DEBUG exit - print("****** SERVICE ******") + print() + print("*** New systemd service: %s" % (SERVICENAME)) print(service_data) - sys.exit(0) # write service file service_file = open(SERVICEFILE, "w") service_file.write(service_data) service_file.close() + # check if SSH keys for root user need to be created + print() + print("*** Checking root SSH keys") + if Path("/home/root/.ssh/id_rsa.pub").exists() == False: + print("Generating root SSH keys ...") + subprocess.call("sudo -u root ssh-keygen -b 2048 -t rsa -f ~/.ssh/id_rsa -q -N """, shell=True) + print("DONE") + else: + print("OK - root id_rsa.pub file exists") + ssh_pubkey="" + with open('/home/root/.ssh/id_rsa.pub', 'r') as file: + ssh_pubkey = file.read().replace('\n', '') + + # make sure autossh is installed + # https://www.everythingcli.org/ssh-tunnelling-for-fun-and-profit-autossh/ + print() + print("*** Install autossh") + subprocess.call("sudo apt-get install -y autossh", shell=True) + # enable service - print("*** Enabling systemd service: SERVICENAME") - subprocess.call("systemctl daemon-reload", shell=True) - #subprocess.call(f"systemctl enable {SERVICENAME}", shell=True) print() + print("*** Enabling systemd service: %s" % (SERVICENAME)) + subprocess.call("sudo systemctl daemon-reload", shell=True) + subprocess.call("sudo systemctl enable %s" % (SERVICENAME), shell=True) # final info (can be ignored if run by other script) - print("*** OK - SSH TUNNEL SERVICE STARTED ***") - #print("- Make sure the SSH pub key of this RaspiBlitz is in 'authorized_keys' of {} ") + print() + print("*** OK - SSH TUNNEL SERVICE DONE SETUP ***") + print("For details see chapter '' in:") + print("https://github.com/rootzoll/raspiblitz/blob/master/FAQ.md") print("- Tunnel service needs final reboot to start.") - #print("- After reboot check logs: sudo journalctl -f -u {SERVICENAME}") + print("- 
After reboot check logs: sudo journalctl -f -u %s" % (SERVICENAME)) + print("- Make sure the SSH pub key of this RaspiBlitz is in 'authorized_keys' of %s :" % (ssh_server)) + print(ssh_pubkey) + print() # # SWITCHING OFF @@ -115,12 +139,18 @@ if sys.argv[1] == "on": elif sys.argv[1] == "off": # check if already disabled - #alreadyRunning = subprocess.check_output(f"systemctl is-enabled {SERVICENAME}" ,shell=True, universal_newlines=True) - #if str(alreadyRunning).count("enabled") == 0: - # print("Was already OFF") - # sys.exit(0) - - print ("TODO: Switch OFF") + alreadyRunning = subprocess.check_output("systemctl is-enabled %s" % (SERVICENAME) ,shell=True, universal_newlines=True) + if str(alreadyRunning).count("enabled") == 0: + print("Was already OFF") + sys.exit(0) + + print("*** Disabling systemd service: %s" % (SERVICENAME)) + subprocess.call("sudo systemctl stop %s" % (SERVICENAME), shell=True) + subprocess.call("sudo systemctl disable %s" % (SERVICENAME), shell=True) + subprocess.call("sudo rm %s" % (SERVICEFILE), shell=True) + subprocess.call("sudo systemctl daemon-reload", shell=True) + print("OK Done") + print() # # UNKOWN PARAMETER
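Review bot: The key-existence check, the key generation and the later `open()` disagree about where root's key lives: the check and the read use `/home/root/.ssh/id_rsa.pub`, while in `ssh-keygen -f ~/.ssh/id_rsa` run with `shell=True` the `~` is expanded by the invoking user's shell before `sudo -u root` executes, so the key is written under that user's home (and root's home is normally `/root`, not `/home/root`), leaving the subsequent `open()` to raise `FileNotFoundError`. The passphrase argument is also broken: `"... -N """` is the string `"... -N "` followed by an empty literal, so ssh-keygen receives `-N` with no value and exits with a usage error. Pin one explicit path and pass the command as a list: `if not Path("/root/.ssh/id_rsa.pub").exists():`, `subprocess.call(["sudo", "-u", "root", "ssh-keygen", "-b", "2048", "-t", "rsa", "-f", "/root/.ssh/id_rsa", "-q", "-N", ""])` and `with open("/root/.ssh/id_rsa.pub") as file:`. If the script itself runs unprivileged, as its `sudo` prefixes suggest, a direct read under `/root` will still fail with a permission error and the read probably needs `sudo cat` via `subprocess.check_output` — confirm against how the script is launched. Separately, `"For details see chapter '' in:"` prints an empty chapter name; the FAQ heading added in this patch is "How to setup port-forwarding with a SSH tunnel?".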