
Tunneling - rathole server

Rathole is used to set up tunneling and expose the SUDA computer to the internet using NAT traversal.


Prerequisites:


- a server that is exposed to the internet which will stand between the internet and tunnel all data from the local SUDA server

- a domain name with an A record pointing to the remote server's IP

- an SSL certificate (obtainable using Let's Encrypt's certbot)

- on the remote server with a public IP, rathole needs to be set up in server mode

- ports 8080, 80, and 443 should be available

- secret string ($secret) from the local SUDA install



- install software


sudo apt update

sudo apt install certbot unzip git


- clone the git repo which holds config files and scripts - this command will put all files in the repo in a subdirectory called suda-git in the user's home directory ($HOME)


git clone https://gitlab.com/hacklab01/suda.git $HOME/suda-git


Install and setup rathole


- download the archive


wget -O $HOME/rathole-x86_64-unknown-linux-gnu.zip https://github.com/rapiz1/rathole/releases/download/v0.4.7/rathole-x86_64-unknown-linux-gnu.zip


- make appropriate directory


mkdir $HOME/rathole


- extract the downloaded archive to the newly created directory


unzip -q $HOME/rathole-x86_64-unknown-linux-gnu.zip -d $HOME/rathole


- allow execution of the rathole binary


sudo chmod +x $HOME/rathole/rathole


- move rathole binary to /usr/bin/ directory so that it's accessible globally


sudo mv $HOME/rathole/rathole /usr/bin/


- make a directory that will hold the rathole configuration


sudo mkdir -p /etc/rathole


- copy the configuration files to /etc/rathole, renaming them accordingly


sudo cp $HOME/suda-git/config/app1s.toml /etc/rathole/app1.toml

sudo cp $HOME/suda-git/config/app2s.toml /etc/rathole/app2.toml

sudo cp $HOME/suda-git/config/app3s.toml /etc/rathole/app3.toml


- copy systemd service files to /etc/systemd/system


sudo cp $HOME/suda-git/config/ratholes@.service /etc/systemd/system/


- define secret (the saved string from local install)


secret=saved_string


- if it wasn't saved, check your icecast configuration (/etc/icecast2/icecast.xml) and copy it from there


- use sed to replace the placeholder string hackme in each config file with the generated secret


sudo sed -i "s/hackme/$secret/g" /etc/rathole/app1.toml

sudo sed -i "s/hackme/$secret/g" /etc/rathole/app2.toml

sudo sed -i "s/hackme/$secret/g" /etc/rathole/app3.toml
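The three sed commands above interpolate $secret straight into the replacement part of the expression, so a secret containing "/", "&" or "\" would either break the command or end up altered in the config file. The following helper, an added example that is not part of the SUDA repository or rathole, escapes those characters before substitution and then checks that no placeholder is left behind. The file path and the sample config line are constructed for the demonstration; the placeholder name hackme is the one used on this page.

```shell
#!/bin/sh
# Added example (not from the SUDA repo): safely substitute the placeholder
# token in a rathole config and verify the substitution took effect.

# Escape a string for use as the replacement part of a sed s/// expression:
# "/" (the delimiter), "&" (the matched text) and "\" (escape) get a backslash.
escape_sed_replacement() {
    printf '%s' "$1" | sed -e 's,[/&\\],\\&,g'
}

# Replace every occurrence of placeholder $2 with secret $3 in file $1.
set_token() {
    file=$1; placeholder=$2; secret=$3
    escaped=$(escape_sed_replacement "$secret")
    sed -i "s/$placeholder/$escaped/g" "$file"
}

# Succeed (exit 0) only if placeholder $2 no longer appears in file $1,
# which is the check to run before starting the rathole services.
token_replaced() {
    ! grep -q -- "$2" "$1"
}

# Stand-alone demonstration on a constructed sample config (not the repo's).
demo_file=$(mktemp)
printf 'default_token = "hackme"\n' > "$demo_file"
set_token "$demo_file" hackme 'ex/amp&le'
cat "$demo_file"
if token_replaced "$demo_file" hackme; then
    echo "placeholder replaced"
fi
rm -f "$demo_file"
```

Run the same check against /etc/rathole/app1.toml, app2.toml and app3.toml after the sed step; a file in which hackme still appears would let the server accept a connection with the default token.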


- app1 - noVNC service running on the client machine on port 443

- app2 - icecast streaming service running on the client machine on port 8443

- app3 - icecast admin backing service running on the client on port 8080


- allow rathole to bind privileged ports (below 1024) without running as root


sudo setcap 'cap_net_bind_service=+ep' /usr/bin/rathole


- enable the rathole instances with the appropriate config file


sudo systemctl enable ratholes@app1 --now

sudo systemctl enable ratholes@app2 --now

sudo systemctl enable ratholes@app3 --now


Setting up SSL


- define your domain (we will use suda.hacklab01.org)

- this domain needs to have an A record pointing to the public IP of the server

- set the domain variable to the SUDA domain


domain=suda.hacklab01.org


- set up SSL - enter a valid email address when prompted; the certificate will need to be renewed manually (the EFF will send a reminder email to that address)


sudo certbot certonly -d $domain


- the same command renews the certificate for the domain