
FAQ and switch off

sshtunnel
Christian Rotzoll 6 years ago
parent
commit
dfe765ac88
  1. 59
      FAQ.md
  2. 3
      build_sdcard.sh
  3. 64
      home.admin/config.scripts/internet.sshtunnel.py

59
FAQ.md

@ -624,3 +624,62 @@ If that not works ry to ping the IP of the RaspiBlitz with `ping [IP-of-RaspiBli
- Some Routers have `IP Isolation` switched on - not allowing to devices to connect - Some Routers have `IP Isolation` switched on - not allowing to devices to connect
If that all is not working: Join the conversation on [GitHub Issue #420](https://github.com/rootzoll/raspiblitz/issues/420). If that all is not working: Join the conversation on [GitHub Issue #420](https://github.com/rootzoll/raspiblitz/issues/420).
## How to setup port-forwarding with a SSH tunnel?
To use a public server for port-forwarding thru a SSH tunnel you can use the following experimental script on the RaspiBlitz (since v1.2):
`/home/admin/config.scripts/internet.sshtunnel.py`
But first you need to make sure that the public server you are using is supporting SSH reverse tunneling and authentification by public authorized key. Check the `/etc/ssh/sshd_config` on the public server to contain the following settings:
```
RSAAuthentication yes
PubkeyAuthentication yes
GatewayPorts yes
AllowTcpForwarding yes
```
You can add those at the end of the file, save and reboot.
On the RaspiBlitz you can then setup for example to forward the gRPC port 10009 (internal port) to the port 20009 on the public server (external port) with the user = `test` and server address = `raspiblitz.com` with the following command:
`/home/admin/config.scripts/internet.sshtunnel.py on test@raspiblitz.com 10009:20009`
You can even set multiple port forwardings like with:
`/home/admin/config.scripts/internet.sshtunnel.py on test@raspiblitz.com 10009:20009 8080:9090`
Please beware that after you set such a port forwarding you need to set the domain of the public server as a `DynamicDNS` name (leave update url empty) and then connect mobile wallets fresh or export again the macaroons/certs. When connecting the mobile wallets you may need to adjust ports manually after QR code scan. And if you SSH tunnel the LND node port `9735` you may also need to sun the custom LND port script and maybe also a manual set of the domain in the LND service is needed. This all is very experimental at the moment ... better integration will come in the future.
To switch this SSH tunneling off again use:
`/home/admin/config.scripts/internet.sshtunnel.py off` and also deactivate the DynamicDNS again.
## How to setup just a port-forwarding user on my public server?
Make sure the `/etc/ssh/sshd_config` has the following lines at the end:
```
RSAAuthentication yes
PubkeyAuthentication yes
GatewayPorts yes
AllowTcpForwarding yes
AuthorizedKeysFile /etc/ssh/authorized_keys/%u
```
The last one stores all authorized_keys in one directory with a file per user. See https://serverfault.com/questions/313465/is-a-central-location-for-authorized-keys-a-good-idea#424659 To prepare this run:
```
mkdir /etc/ssh/authorized_keys
groupadd forwardings
```
To add a forwarding user run:
```
useradd -g forwardings -d /home [USERNAME]
echo "command="date" [CONTENT-OF-RASPIBLITZ-ROOT-SSH-PUBKEY]" > /etc/ssh/authorized_keys/[USERNAME]
passwd [USERNAME]
```
The `[CONTENT-OF-RASPIBLITZ-ROOT-SSH-PUBKEY]` you get when running the `internet.sshtunnel.py` script on the RaspiBlitz (see above).
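Review bot: the line `echo "command="date" [CONTENT-OF-RASPIBLITZ-ROOT-SSH-PUBKEY]" > /etc/ssh/authorized_keys/[USERNAME]` under "To add a forwarding user run" is mis-quoted: the inner double quotes terminate the shell string, so the file receives `command=date ...` without quotes, and sshd expects the value of `command=` to be double-quoted, so the entry is not a valid authorized_keys line. Write it as `echo 'command="date" [CONTENT-OF-RASPIBLITZ-ROOT-SSH-PUBKEY]' > /etc/ssh/authorized_keys/[USERNAME]`, and consider prefixing `no-pty,no-X11-forwarding,no-agent-forwarding,` so the key can only be used for the tunnel. Two smaller points in the same section: `RSAAuthentication yes` is the old SSH-1 option and current OpenSSH versions only warn that it is deprecated, so `PubkeyAuthentication yes` is sufficient; and `passwd [USERNAME]` gives a password to a user the text says authenticates by key only (`passwd -l [USERNAME]` or dropping the step keeps it key-only). Typos to fix in the FAQ text: `authentification`, `thru`, and `sun the custom LND port script` (run).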

3
build_sdcard.sh

@ -237,6 +237,9 @@ sudo apt-get install -y vnstat
# prepare for BTRFS data drive raid # prepare for BTRFS data drive raid
sudo apt-get install -y btrfs-tools sudo apt-get install -y btrfs-tools
# prepare for ssh reverse tunneling
sudo apt-get install -y autossh
# prepare for display graphics mode # prepare for display graphics mode
# see https://github.com/rootzoll/raspiblitz/pull/334 # see https://github.com/rootzoll/raspiblitz/pull/334
sudo apt-get install -y fbi sudo apt-get install -y fbi
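Review bot: with autossh now installed at image build time, the `sudo apt-get install -y autossh` that `internet.sshtunnel.py on` runs in the same commit becomes redundant and adds a network-dependent apt call to every `on` invocation; either drop the runtime install or guard it with a `which autossh` check. The placement next to the other package installs is fine.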

64
home.admin/config.scripts/internet.sshtunnel.py

@ -39,10 +39,10 @@ WantedBy=multi-user.target
if sys.argv[1] == "on": if sys.argv[1] == "on":
# check if already running # check if already running
#already_running = subprocess.check_output("systemctl is-enabled %s" % (SERVICENAME) ,shell=True, universal_newlines=True) already_running = subprocess.check_output("systemctl is-enabled %s" % (SERVICENAME) ,shell=True, universal_newlines=True)
#if str(already_running).count("enabled") > 0: if str(already_running).count("enabled") > 0:
# print("already ON - run 'internet.sshtunnel.py off' first") print("already ON - run 'internet.sshtunnel.py off' first")
# sys.exit(1) sys.exit(1)
# check server address # check server address
if len(sys.argv) < 3: if len(sys.argv) < 3:
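Review bot: re-enabling the already-running check with `subprocess.check_output("systemctl is-enabled %s" % (SERVICENAME), shell=True, ...)` will crash the script on the normal first-run path: `systemctl is-enabled` exits non-zero when the unit is disabled or does not exist yet, and `check_output` raises `CalledProcessError` before `.count("enabled")` is ever reached. Wrap the call in `try/except subprocess.CalledProcessError` and treat the error as "not enabled", or use `subprocess.run(..., stdout=subprocess.PIPE)` and inspect `returncode`. The identical check in the `off` branch has the same problem.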
@ -87,26 +87,50 @@ if sys.argv[1] == "on":
service_data = SERVICETEMPLATE.replace("[PLACEHOLDER]", additional_parameters) service_data = SERVICETEMPLATE.replace("[PLACEHOLDER]", additional_parameters)
# DEBUG exit # DEBUG exit
print("****** SERVICE ******") print()
print("*** New systemd service: %s" % (SERVICENAME))
print(service_data) print(service_data)
sys.exit(0)
# write service file # write service file
service_file = open(SERVICEFILE, "w") service_file = open(SERVICEFILE, "w")
service_file.write(service_data) service_file.write(service_data)
service_file.close() service_file.close()
# check if SSH keys for root user need to be created
print()
print("*** Checking root SSH keys")
if Path("/home/root/.ssh/id_rsa.pub").exists() == False:
print("Generating root SSH keys ...")
subprocess.call("sudo -u root ssh-keygen -b 2048 -t rsa -f ~/.ssh/id_rsa -q -N """, shell=True)
print("DONE")
else:
print("OK - root id_rsa.pub file exists")
ssh_pubkey=""
with open('/home/root/.ssh/id_rsa.pub', 'r') as file:
ssh_pubkey = file.read().replace('\n', '')
# make sure autossh is installed
# https://www.everythingcli.org/ssh-tunnelling-for-fun-and-profit-autossh/
print()
print("*** Install autossh")
subprocess.call("sudo apt-get install -y autossh", shell=True)
# enable service # enable service
print("*** Enabling systemd service: SERVICENAME")
subprocess.call("systemctl daemon-reload", shell=True)
#subprocess.call(f"systemctl enable {SERVICENAME}", shell=True)
print() print()
print("*** Enabling systemd service: %s" % (SERVICENAME))
subprocess.call("sudo systemctl daemon-reload", shell=True)
subprocess.call("sudo systemctl enable %s" % (SERVICENAME), shell=True)
# final info (can be ignored if run by other script) # final info (can be ignored if run by other script)
print("*** OK - SSH TUNNEL SERVICE STARTED ***") print()
#print("- Make sure the SSH pub key of this RaspiBlitz is in 'authorized_keys' of {} ") print("*** OK - SSH TUNNEL SERVICE DONE SETUP ***")
print("For details see chapter '' in:")
print("https://github.com/rootzoll/raspiblitz/blob/master/FAQ.md")
print("- Tunnel service needs final reboot to start.") print("- Tunnel service needs final reboot to start.")
#print("- After reboot check logs: sudo journalctl -f -u {SERVICENAME}") print("- After reboot check logs: sudo journalctl -f -u %s" % (SERVICENAME))
print("- Make sure the SSH pub key of this RaspiBlitz is in 'authorized_keys' of %s :" % (ssh_server))
print(ssh_pubkey)
print()
# #
# SWITCHING OFF # SWITCHING OFF
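Review bot: the root key handling in the new block will not work as written. `Path("/home/root/.ssh/id_rsa.pub")` checks a path that does not exist on a standard Debian/Raspbian system (root's home is `/root`), and in `sudo -u root ssh-keygen -b 2048 -t rsa -f ~/.ssh/id_rsa -q -N """` the `~` is expanded by the invoking user's shell before `sudo` runs, so the key lands in the caller's home and the later `open('/home/root/.ssh/id_rsa.pub', 'r')` raises `FileNotFoundError`. Use one explicit path such as `/root/.ssh/id_rsa` for the exists check, the `-f` argument and the read. The passphrase argument is also lost: Python parses `"... -q -N """` as `"... -q -N "` + `""`, so ssh-keygen receives `-N` with no value; write `-N ''` inside the string, or pass an argument list instead of `shell=True`. Smaller points: `Path` needs `from pathlib import Path` if it is not imported already; `-t ed25519` would be the current default choice over RSA-2048; the `# DEBUG exit` comment should go now that the `sys.exit(0)` is removed; and the final hint `For details see chapter '' in:` has an empty chapter name.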
@ -115,12 +139,18 @@ if sys.argv[1] == "on":
elif sys.argv[1] == "off": elif sys.argv[1] == "off":
# check if already disabled # check if already disabled
#alreadyRunning = subprocess.check_output(f"systemctl is-enabled {SERVICENAME}" ,shell=True, universal_newlines=True) alreadyRunning = subprocess.check_output("systemctl is-enabled %s" % (SERVICENAME) ,shell=True, universal_newlines=True)
#if str(alreadyRunning).count("enabled") == 0: if str(alreadyRunning).count("enabled") == 0:
# print("Was already OFF") print("Was already OFF")
# sys.exit(0) sys.exit(0)
print ("TODO: Switch OFF") print("*** Disabling systemd service: %s" % (SERVICENAME))
subprocess.call("sudo systemctl stop %s" % (SERVICENAME), shell=True)
subprocess.call("sudo systemctl disable %s" % (SERVICENAME), shell=True)
subprocess.call("sudo rm %s" % (SERVICEFILE), shell=True)
subprocess.call("sudo systemctl daemon-reload", shell=True)
print("OK Done")
print()
# #
# UNKOWN PARAMETER # UNKOWN PARAMETER
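Review bot: the `off` branch inherits the `check_output` problem from the `on` branch: when the unit was never created, `systemctl is-enabled` exits non-zero and raises `CalledProcessError`, so `Was already OFF` is never printed; catch the exception or check `returncode`. Also, after `systemctl stop`/`disable` and `sudo rm %s` of the service file, the root SSH key and its entry in the public server's `authorized_keys/[USERNAME]` stay valid; since the FAQ already tells the user to deactivate DynamicDNS here, printing a reminder to remove that key from the server as well would close the loop.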
