
VPNs, SSH Tunnels and my MacBook

March 23rd, 2008 | Filed under Technology.

This weekend away has been an excellent chance to test out my home network and remote access to it. Some of the things I’ve done were just a test; other things have been really useful.

For a start I allow incoming SSH connections so that I can access my server from anywhere outside. I’ve used this for everything from transferring files to setting off backups of my system at home. To maintain consistency between logins, and to cope with faulty Internet connections, I use screen to keep control of my session.

Tip: Use the following .screenrc option to make your many screen sessions less confusing by printing a list of open sessions along the bottom of your display:

hardstatus alwayslastline "%{.bW}%-w%{.rW}%n %t%{-}%+w %=%{..G} %H %{..Y} %Y/%m/%d %0c:%s "

In anticipation of other remote connections I might want to make to my machine at home, I thought about setting up a VPN. There are several options, all described in detail across the Internet, so I’m not going into detail about how to configure things; I’ll just explain what I am using and where I found the information that made it work.

On The Server

My server runs Ubuntu Server and sits behind a firewall running on a Be Internet BeBox, which is a rebadged Thomson SpeedTouch ADSL2+ router. This is not to be confused with Be Inc., who made BeOS. Be Internet are a UK ISP offering “Up To 24Mb” speeds (I get between 5 and 8Mb).

To allow incoming connections I have to allow ports through my firewall, which is a great way to get your machine rootkit infested or flooded with denial-of-service attacks. So I didn’t really want to open up a load of ports.

After a bit of Googling, I decided OpenVPN was what I wanted, requiring just one UDP hole in my firewall and a few certificates to be created for the clients. Installing it was fairly straightforward, there being an Ubuntu package that contained all the example config files. I had it working within half an hour.

The hardest part was altering the NAT settings in my firewall. It has two ways to configure it - an easy web-based config, or a technical and somewhat confusing telnet interface. The telnet interface isn’t really documented and to set up NAT requires the user to modify several different areas of the system, with a high chance of messing the box up completely. So I needed a way to use the web-based config system, without giving the whole world access to it (which I can’t do anyway, it would require using the web-based system to modify the box and put it in ‘remote admin’ mode). Chicken, meet egg, egg meet chicken.

This is where another simpler VPN solution was very useful. Using nothing more than SSH it is possible to construct a very simple VPN. All you need is a few confusing parameters to SSH and it does the rest, creating a local port on your client machine that is then forwarded to a remote port on your server.

It took all of 30 seconds to install SSH Tunnel Manager on my MacBook and create an SSH tunnel between it and port 80 on my BeBox. I could then use my web browser to assign a new port mapping between the UDP port and my server.
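
The "few confusing parameters" for such a tunnel, as an added example that is not from the original post: a local forward, bound to loopback only, from the laptop through the home SSH server to the router's web interface. The router address 192.168.1.254, the login me@home.example.org and local port 8080 are placeholders (assumptions), as are the function names.

```shell
#!/bin/sh
# Added example: SSH local port forward to a router's web admin page.
# Hosts, logins and ports used here are placeholders, not values from the post.

# valid_port N: succeeds if N is a decimal integer in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*|??????*) return 1 ;;   # empty, non-digit, or over 5 digits
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# forward_spec LOCAL_PORT TARGET_HOST TARGET_PORT
# Prints the argument for "ssh -L". The listener is pinned to 127.0.0.1 so
# other machines on the client's network cannot reach the forwarded port.
forward_spec() {
    lport=$1 thost=$2 tport=$3
    valid_port "$lport" || { echo "bad local port: $lport" >&2; return 1; }
    valid_port "$tport" || { echo "bad target port: $tport" >&2; return 1; }
    case "$thost" in
        ''|-*|*[!A-Za-z0-9.-]*) echo "bad target host: $thost" >&2; return 1 ;;
    esac
    printf '127.0.0.1:%s:%s:%s\n' "$lport" "$thost" "$tport"
}

# open_tunnel LOCAL_PORT TARGET_HOST TARGET_PORT SSH_LOGIN
# TARGET_HOST is resolved by the SSH server, so it is the router's LAN address.
#   -N                        forward only, run no remote command
#   ExitOnForwardFailure=yes  exit if the local port cannot be bound
#   ServerAliveInterval=30    notice a dead link instead of hanging
open_tunnel() {
    spec=$(forward_spec "$1" "$2" "$3") || return 1
    [ -n "$4" ] || { echo "missing ssh login" >&2; return 1; }
    ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 \
        -L "$spec" "$4"
}

# Usage (placeholders):
#   open_tunnel 8080 192.168.1.254 80 me@home.example.org
# then browse to http://127.0.0.1:8080/ while the tunnel is up.
```

The router's admin page stays unreachable from the Internet; only the SSH port is exposed, and the tunnel closes when the ssh process is interrupted.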

The Client

On my MacBook I found a program called Tunnelblick which, despite saying it has problems with OS X 10.5, works fine. All I had to do was scp the certificates off my server, create a config file and then run the client and say ‘Connect’. After a few seconds I had a new local network adaptor and any requests sent to ‘10.0.8.1’ went through the VPN and into my server at home.

Now I have a secure, simple way to access the data on my server at home. I can even use Finder to connect to the Samba shares on my server. At one point I had VLC on my Mac playing an audio file off my server using Samba through the VPN. It wasn’t totally smooth, but it worked and showed the VPN connection was stable.
