Friday, December 30, 2016

Reverse proxy to a NAT'ed machines

Problem:
I am running some webapps that I need to demonstrate to other people without giving them my home IP address.
My setup:
I have a virtual machine running the webapps, behind NAT at home.
Requirements:
  • I do not want to send my IP address to people I’m demonstrating the application to.
  • I do not want to open a port then do port forwarding.
Solutions:
The three solutions I thought of are Reverse SSH tunneling, VPN, and tor hidden services.


I love tor hidden services and I do use it but I will not be covering that in this blog post. I do not want the people I’m demoing the project to go download Tor. I also don’t want to set up Tor socks proxy for them.


Reverse SSH solution:
CLIENT is behind a NAT with a webapp running on port 8000. SERVER (SSH server & reverse proxy server) has a public IP address that client can SSH into.


You can read more information about reverse SSH tunneling here: http://www.thegeekstuff.com/2013/11/reverse-ssh-tunnel and https://www.howtoforge.com/reverse-ssh-tunneling
Tools: Just an SSH server and a client.
Setup:
CLIENT:
ssh -R 8001:localhost:8000 user@SERVER
8001 is the port that’s opened on the SERVER
8000 is the port open on CLIENT, running a webapp
SERVER:
Server can now access localhost:8001 in order to access webapp on CLIENT, running on port 8000.


Note: You can also do the following:
ssh -R 8001:10.0.0.1:80 user@SERVER
In this case, when SERVER visits localhost:8001, the SERVER is able to access webapp running on 10.0.0.1:80 on the CLIENT network.
Diagram:


VPN solution:
In this solution, SERVER is an OpenVPN server and is running reverse proxy. CLIENT has a webapp running on port 8000.


In this case, the CLIENT will VPN into the SERVER. Reverse proxy running on the server will be able to access any ports open on the CLIENT.


Tools:
OpenVPN 2.4 and OpenVPN-install script
Setup:
On CLIENT and SERVER, add OpenVPN repositories as described here: https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos#UsingOpenVPNaptrepositories
I was using Ubuntu 14.04, so I ran the following commands on my SERVER and CLIENT:
sudo -s
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg|apt-key add -
echo "deb http://build.openvpn.net/debian/openvpn/release/2.4 trusty main" > /etc/apt/sources.list.d/openvpn-aptrepo.list
To install OpenVPN run the following commands:
apt-get update && apt-get install openvpn
We will now have openvpn on CLIENT and SERVER.
On the server, we will be using OpenVPN-install script from here: https://github.com/Angristan/OpenVPN-install
Simply following the steps here: https://github.com/Angristan/OpenVPN-install#usage
I ran the following on the server:
wget https://raw.githubusercontent.com/Angristan/OpenVPN-install/master/openvpn-install.sh
chmod +x openvpn-install.sh
./openvpn-install.sh
Please select whatever options meet your requirements.
At the end, you’ll have a client.ovpn file in ~/.
Transfer the file to your CLIENT machine.


I do not want CLIENT traffic to leave through SERVER. I did that by changing the OpenVPN server configuration file.
You will need to edit /etc/openvpn/server.conf
Comment out the following lines by adding # at the start of the line:
push "dhcp-option DNS X.X.X.X”
push "dhcp-option DNS X.X.X.X”
push "redirect-gateway def1 bypass-dhcp"
It should look like these afterwards:
#push "dhcp-option DNS X.X.X.X"
#push "dhcp-option DNS X.X.X.X"
#push "redirect-gateway def1 bypass-dhcp"
Run the following commands on the SERVER to make sure openVPN server is up and running:
service openvpn restart
service openvpn status
We need to change an iptables rule to allow traffic from SERVER to CLIENT.
If you run ‘iptables -t nat -L’, you’ll see the following:
SNAT       all  --  10.8.0.0/24          anywhere             to:YOUR_SERVER_IP
We will drop that rule. Dropping this rule will also disable CLIENT traffic to go through SERVER.


We can drop the rule with the following command:
iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source YOUR_SERVER_IP
You will also need to remove iptables command from /etc/rc.local afterwards.
Now, when CLIENT is VPN’ed into SERVER, it will use its own gateway for internet traffic instead of VPN server. SERVER will also be able to access any open ports on CLIENT.


On the client:
As root, run ‘openvpn --config client.ovpn’ to connect to SERVER. You can now set up the reverse proxy to allow SERVER to access CLIENT webapp.


Diagram:
Reverse Proxy:
You can learn more about setting up reverse proxy here: https://www.nginx.com/resources/admin-guide/reverse-proxy/


(Just like the post here: http://boredhackerblog.blogspot.com/2016/12/setting-up-etherpad-with-basic-auth.html This post is for documenting solutions to my problems. Hope it helps out. Shout out to MSPaint. )
Posted by at

22 comments:

  1. Tim KramerJanuary 1, 2017 at 5:56 AM

    Depending on the web app, you may run into trouble with the reverse proxy and session handling. I've been using the SSH tunnel with slightly different syntax:

    ssh -N -L 8001:10.0.0.1:80 user@SERVER -p 65535

    Above allows for the use of a non-standard port (65535) for the SSH service. I've used this with both ssh on Linux and PuTTY on Windows (though the last switch might be a capital "P", IIRC).

    One other tool to consider sshuttle, which is SSH based and handles more than a single port.

    ReplyDelete
  2. innoxent boySeptember 27, 2017 at 2:00 AM

    This comment has been removed by the author.

    ReplyDelete
  3. FrankMay 28, 2018 at 10:11 AM

    This comment has been removed by the author.

    ReplyDelete
  4. ArianaJune 5, 2018 at 9:03 AM

    Virtual Private Network enables you to use internet to connect to machines while https://novavpn.com/blog/popcorn-time/ making sure that the connections are private.

    ReplyDelete
  5. Ella lilySeptember 24, 2018 at 5:58 AM

    I think this is one of the most significant information for me. And i’m glad reading your article. But should remark on some general things, visit website

    ReplyDelete
  6. MatiasSeptember 27, 2018 at 12:27 PM

    Extremely intriguing online journal. A lot of web journals I see nowadays don't generally give anything that I'm keen on, however I'm most definitely inspired by this one. Recently felt that I would post and let you know. privacyonline

    ReplyDelete
  7. mona martinOctober 8, 2018 at 2:49 PM

    I'm impressed, I must say. Very rarely do I come across a blog thats both informative and entertaining, and let me tell you, you ve hit the nail on the head. Your blog is important.. getmoreprivacy

    ReplyDelete
  8. James harperOctober 13, 2018 at 5:37 AM

    You have a genuine capacity for composing one of a kind substance. I like how you think and the way you speak to your perspectives in this article. I concur with your mindset. Much obliged to you for sharing. lemigliorivpn

    ReplyDelete
  9. James harperOctober 26, 2018 at 2:22 PM

    This comment has been removed by the author.

    ReplyDelete
  10. victoria seoNovember 12, 2018 at 1:19 AM

    I am so waiting for another blog like this, Totally in awe of the article.
    pneumatic suppliers

    ReplyDelete
  11. royNovember 13, 2018 at 1:29 AM

    After your PC reboots watch that your system connector is dynamic and bundles are streaming. Play out the ipconfig/all check once more.
    https://www.router-reset.com/how-clear-cache-ie11/

    ReplyDelete
  12. Ethan RyanNovember 25, 2018 at 4:24 PM

    A simple bookmarking tool that makes it easy to save, organize and share your favorite web pages. Access your bookmarks from any computer, phone or tablet. Listango works on all modern web browsers… vpnveteran

    ReplyDelete
  13. BrendaPalmeriDecember 16, 2018 at 10:06 PM

    Keep posting the good work. Some really helpful information in there. Bookmarked. Nice to see your site. youtube proxy

    ReplyDelete
  14. Emmalin 2February 13, 2019 at 8:12 AM

    This is something that you just read and read. You just can’t get tired of it.
    https://jmichek.tumblr.com/Using-a-Circular-Saw

    ReplyDelete
  15. MatiasMarch 1, 2019 at 12:54 PM

    I definitely loved every little bit of it. I have you bookmarked your site to check out the new stuff you post. lesmeilleursvpn

    ReplyDelete
  16. Aaron JuanMarch 8, 2019 at 1:21 AM

    We have read your all the information some points are good. Great post. MelonCube is top notch company which provide affordable minecraft server hosts at reasonable price.

    ReplyDelete
  17. James harperApril 22, 2019 at 6:33 AM

    I have read your blog it is very helpful for me. I want to say thanks to you. I have bookmark your site for future updates. Klik hier

    ReplyDelete
  18. ChristianApril 26, 2019 at 3:32 AM

    Through internet business, firms can move a lot of their client support on line with the goal that clients can get to databases or manuals straightforwardly. prywatnoscwsieci.pl

    ReplyDelete
  19. Michael SmithApril 26, 2019 at 4:02 PM

    Assume paid for with the help of center, have discovered modern society; believed that protect on your playlists, you could potentially know most of the hassle; assumed ones step quit, much more is unable to drive; Imagine I would like adore, merely the caress. meer informatie

    ReplyDelete
  20. Ashton kutcherJune 28, 2019 at 4:22 AM

    Amazing post! I appreciate your hard work. Thank you for sharing. I have also share some use full information.
    Drone pro review
    mosquitron reviews
    eco beat earphones review
    Coolair review
    Coolair air cooler review

    ReplyDelete
  21. JamesSeptember 30, 2019 at 2:06 AM

    Quicker your website more clients it will have the option to cook flawlessly. VPS hosting is suggested for online business firms or blog proprietors who think that its hard to lease a devoted server. buy

    ReplyDelete

Subscribe to: Post Comments (Atom)