Skip to main content

Tunneling - rathole server

- on the remote server with a public IP rathole needs to be setup in server mode

- ports 8080, 80, and 443 should be avaliable

- the secret string generated in the local install should be avaliable


- install software


sudo apt install certbot unzip


- clone the git repo which holds config files and scripts - this command will put all files in the repo in a subdirectory called suda-git in the users home directory ($HOME)


git clone https://gitlab.com/hacklab01/suda.git $HOME/suda-git


Install and setup rathole


- download the archive


wget -O $HOME/rathole-x86_64-unknown-linux-gnu.zip https://github.com/rapiz1/rathole/releases/download/v0.4.7/rathole-x86_64-unknown-linux-gnu.zip


- make appropriate directory


mkdir $HOME/rathole


- extract the downloaded archive to the newly created directory


unzip -q $HOME/rathole-x86_64-unknown-linux-gnu.zip -d $HOME/rathole


- allow execution of the rathole binary


sudo chmod +x $HOME/rathole/rathole


- move rathole binary to /usr/bin/ directory so that it's accesible globally


sudo mv $HOME/rathole/rathole /usr/bin/


- make a directory that will hold the rathole configuration


sudo mkdir -p /etc/rathole


- copy configuration files to /etc/rathole


sudo cp $HOME/suda-git/config/app1s.toml /etc/rathole

sudo cp $HOME/suda-git/config/app2s.toml /etc/rathole

sudo cp $HOME/suda-git/config/app3s.toml /etc/rathole


- copy systemd service files to /etc/systemd/system


sudo cp $HOME/suda-git/config/ratholes@.service /etc/systemd/system/


- this needs to use the same generated string as before (stored in the $secret variable) as the secret string for rathole

- define $secret


secret="the secret string from the local SUDA installation (without qoutes)"


sudo sed -i "s/hackme/$secret/g" /etc/rathole/app1s.toml

sudo sed -i "s/hackme/$secret/g" /etc/rathole/app2s.toml

sudo sed -i "s/hackme/$secret/g" /etc/rathole/app3s.toml


- app1s - noVNC service running on the client machine on port 443

- app2s - icecast streaming service running on the client machine on port 8443

- app3s - icecast admin backing service running on the client on port 8080


- enable these services


sudo systemctl enable ratholes@app1 --now

sudo systemctl enable ratholes@app2 --now

sudo systemctl enable ratholes@app3 --now


Setting up SSL


- define your domain (we will use suda.hacklab01.org)

- this domain needs to have an A record pointing to the public IP of the server

- set the domain variable to the suda domain


domain=suda.hacklab01.org


- setup SSL - enter a valid email address the certificate will need to be refreshed manually


sudo certbot certonly -d $domain


- Let's Encrypt certificates generated by certbot need to be copied to the local SUDA installation machine for use with icecast

- create a bundle from all Let's Encrypt certificates


sudo bash -c "cat /etc/letsencrypt/live/$domain/fullchain.pem /etc/letsencrypt/live/$domain/privkey.pem > /etc/letsencrypt/live/$domain/bundle.pem

 

Back to top