Problem:
I am running some webapps that I need to demonstrate to other people without giving them my home IP address.
My setup:
I have a virtual machine running the webapps, behind NAT at home.
Requirements:
- I do not want to send my IP address to people I’m demonstrating the application to.
- I do not want to open a port then do port forwarding.
Solutions:
The three solutions I thought of are reverse SSH tunneling, VPN, and Tor hidden services.
I love Tor hidden services and I do use them, but I will not be covering them in this blog post. I do not want to make the people I’m demoing the project to go download Tor. I also don’t want to set up a Tor SOCKS proxy for them.
Reverse SSH solution:
CLIENT is behind a NAT with a webapp running on port 8000. SERVER (SSH server & reverse proxy server) has a public IP address that CLIENT can SSH into.
You can read more information about reverse SSH tunneling here: http://www.thegeekstuff.com/2013/11/reverse-ssh-tunnel and https://www.howtoforge.com/reverse-ssh-tunneling
Tools: Just an SSH server and a client.
Setup:
CLIENT:
ssh -R 8001:localhost:8000 user@SERVER
8001 is the port that’s opened on the SERVER
8000 is the port open on CLIENT, running a webapp
SERVER:
SERVER can now reach the webapp running on CLIENT port 8000 by connecting to localhost:8001.
Note: You can also do the following:
ssh -R 8001:10.0.0.1:80 user@SERVER
In this case, when SERVER visits localhost:8001, it reaches the webapp running on 10.0.0.1:80 on the CLIENT network.
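Because the reverse proxy on SERVER is meant to be the only public entry point, it is worth confirming that sshd bound the forwarded port to loopback, which is its default unless GatewayPorts is enabled in sshd_config. The check below is an added example, not part of the original post; the function name tunnel_exposure and both ss output samples are constructed for illustration.

```shell
#!/usr/bin/env bash
# Classify how a port is bound, given `ss -ltn` output on stdin.
# Prints: loopback (only 127.0.0.0/8 or ::1), exposed, or absent.
# On SERVER:  ss -ltn | tunnel_exposure 8001
tunnel_exposure() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            addr = $4                        # Local Address:Port column
            n = match(addr, /:[0-9]+$/)      # last colon, so IPv6 literals work
            if (!n || substr(addr, n + 1) != port) next
            host = substr(addr, 1, n - 1)
            found = 1
            # Any bind address other than loopback is reachable from outside.
            if (host !~ /^127\./ && host != "[::1]") exposed = 1
        }
        END { print (!found ? "absent" : (exposed ? "exposed" : "loopback")) }
    '
}

# Constructed sample: sshd default, -R 8001 is bound to loopback only.
SAMPLE_DEFAULT='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    127.0.0.1:8001     0.0.0.0:*
LISTEN 0      128    [::1]:8001         [::]:*'

# Constructed sample: same tunnel with GatewayPorts enabled on SERVER.
SAMPLE_GATEWAY='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    0.0.0.0:8001       0.0.0.0:*'

echo "default sshd:  $(printf '%s\n' "$SAMPLE_DEFAULT" | tunnel_exposure 8001)"
echo "GatewayPorts:  $(printf '%s\n' "$SAMPLE_GATEWAY" | tunnel_exposure 8001)"
```

An "exposed" result means anyone who can reach SERVER can hit the webapp directly on port 8001, bypassing whatever the reverse proxy enforces.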
Diagram:
VPN solution:
In this solution, SERVER is an OpenVPN server and is running a reverse proxy. CLIENT has a webapp running on port 8000.
In this case, the CLIENT will VPN into the SERVER. The reverse proxy running on the SERVER will be able to access any ports open on the CLIENT.
Read more about VPN here: https://openvpn.net/index.php/open-source/documentation/howto.html and https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-16-04
Tools:
OpenVPN 2.4 and OpenVPN-install script
Setup:
On CLIENT and SERVER, add OpenVPN repositories as described here: https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos#UsingOpenVPNaptrepositories
I was using Ubuntu 14.04, so I ran the following commands on my SERVER and CLIENT:
sudo -s
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg|apt-key add -
echo "deb http://build.openvpn.net/debian/openvpn/release/2.4 trusty main" > /etc/apt/sources.list.d/openvpn-aptrepo.list
To install OpenVPN run the following commands:
apt-get update && apt-get install openvpn
We will now have OpenVPN on CLIENT and SERVER.
On the server, we will be using the OpenVPN-install script from here: https://github.com/Angristan/OpenVPN-install
Simply follow the steps here: https://github.com/Angristan/OpenVPN-install#usage
I ran the following on the server:
wget https://raw.githubusercontent.com/Angristan/OpenVPN-install/master/openvpn-install.sh
chmod +x openvpn-install.sh
./openvpn-install.sh
Please select whatever options meet your requirements.
At the end, you’ll have a client.ovpn file in ~/.
Transfer the file to your CLIENT machine.
I do not want CLIENT traffic to leave through SERVER. I did that by changing the OpenVPN server configuration file.
You will need to edit /etc/openvpn/server.conf
Comment out the following lines by adding # at the start of the line:
push "dhcp-option DNS X.X.X.X"
push "dhcp-option DNS X.X.X.X"
push "redirect-gateway def1 bypass-dhcp"
It should look like this afterwards:
#push "dhcp-option DNS X.X.X.X"
#push "dhcp-option DNS X.X.X.X"
#push "redirect-gateway def1 bypass-dhcp"
Run the following commands on the SERVER to make sure the OpenVPN server is up and running:
service openvpn restart
service openvpn status
We need to change an iptables rule to allow traffic from SERVER to CLIENT.
If you run ‘iptables -t nat -L’, you’ll see the following:
SNAT all -- 10.8.0.0/24 anywhere to:YOUR_SERVER_IP
We will delete that rule. Deleting it also stops CLIENT traffic from going out through SERVER.
We can drop the rule with the following command:
iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source YOUR_SERVER_IP
You will also need to remove the iptables command from /etc/rc.local afterwards.
Now, when CLIENT is VPN’ed into SERVER, it will use its own gateway for internet traffic instead of the VPN server. SERVER will also be able to access any open ports on CLIENT.
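The server-side edits above as a repeatable script with a verification step, added here as an example and not taken from the original post or the OpenVPN-install project. The function names are hypothetical, and the sample server.conf excerpt and rc.local are constructed, with the rc.local line modelled on the delete command shown above.

```shell
#!/usr/bin/env bash
PUSH_RE='push[[:space:]]+"(redirect-gateway|dhcp-option[[:space:]]+DNS)'

# Comment out the pushes that send all CLIENT traffic and DNS via SERVER.
# Already-commented lines do not match, so re-running is safe.
disable_full_tunnel() {
    [ -e "$1.orig" ] || cp -p "$1" "$1.orig"   # rollback copy from the first run
    sed -E "s/^([[:space:]]*)($PUSH_RE)/\1#\2/" "$1" > "$1.new"
    cat "$1.new" > "$1" && rm -f "$1.new"      # rewrite in place, keep owner/mode
}

# Print how many of those pushes are still active in a config file.
active_full_tunnel_pushes() {
    grep -Ec "^[[:space:]]*$PUSH_RE" "$1" || true
}

# Print how many uncommented lines of a file (rc.local, saved rules)
# still install the SNAT rule for the given VPN subnet.
snat_rules_for() {
    grep -v '^[[:space:]]*#' "$2" | grep -F -- "-s $1 " | grep -c -- '-j SNAT' || true
}

# Constructed samples: server.conf excerpt and an rc.local restoring SNAT.
write_samples() {
    cat > "$1/server.conf" <<'EOF'
server 10.8.0.0 255.255.255.0
push "dhcp-option DNS X.X.X.X"
push "dhcp-option DNS X.X.X.X"
push "redirect-gateway def1 bypass-dhcp"
keepalive 10 120
EOF
    cat > "$1/rc.local" <<'EOF'
#!/bin/sh -e
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source YOUR_SERVER_IP
exit 0
EOF
}

demo() {
    tmp=$(mktemp -d) && write_samples "$tmp"
    disable_full_tunnel "$tmp/server.conf"
    echo "active pushes: $(active_full_tunnel_pushes "$tmp/server.conf")"
    echo "boot-time SNAT rules: $(snat_rules_for 10.8.0.0/24 "$tmp/rc.local")"
    rm -rf "$tmp"
}
demo
```

A non-zero SNAT count for rc.local means the rule deleted with iptables -D will come back on the next reboot.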
On the client:
As root, run ‘openvpn --config client.ovpn’ to connect to SERVER. You can now set up the reverse proxy to allow SERVER to access CLIENT webapp.
Diagram:
Reverse Proxy:
You can learn more about setting up reverse proxy here: https://www.nginx.com/resources/admin-guide/reverse-proxy/
(Just like the post here: http://boredhackerblog.blogspot.com/2016/12/setting-up-etherpad-with-basic-auth.html This post is for documenting solutions to my problems. Hope it helps out. Shout out to MSPaint. )
Depending on the web app, you may run into trouble with the reverse proxy and session handling. I've been using the SSH tunnel with slightly different syntax:
ssh -N -L 8001:10.0.0.1:80 user@SERVER -p 65535
Above allows for the use of a non-standard port (65535) for the SSH service. I've used this with both ssh on Linux and PuTTY on Windows (though the last switch might be a capital "P", IIRC).
One other tool to consider is sshuttle, which is SSH based and handles more than a single port.