Tunneling - rathole server
Rathole is used to set up tunneling and expose the SUDA computer to the internet using NAT traversal.
Prerequisites:
- a domain name
- a server that is exposed to the internet, which will sit between the internet and our home connection and tunnel all data
- a domain name with an A record pointing to the server's IP
- an SSL certificate (recommended; can be obtained using Let's Encrypt's certbot)
- on the remote server with a public IP, rathole needs to be set up in server mode
- ports 8080, 80, and 443 should be available
- the secret string generated in the local install should be available
- install software
sudo apt install certbot unzip
- clone the git repo which holds config files and scripts - this command will put all files in the repo in a subdirectory called suda-git in the user's home directory ($HOME)
git clone https://gitlab.com/hacklab01/suda.git $HOME/suda-git
Install and setup rathole
- download the archive
wget -O $HOME/rathole-x86_64-unknown-linux-gnu.zip https://github.com/rapiz1/rathole/releases/download/v0.4.7/rathole-x86_64-unknown-linux-gnu.zip
- make appropriate directory
mkdir $HOME/rathole
- extract the downloaded archive to the newly created directory
unzip -q $HOME/rathole-x86_64-unknown-linux-gnu.zip -d $HOME/rathole
- allow execution of the rathole binary
sudo chmod +x $HOME/rathole/rathole
- move the rathole binary to the /usr/bin/ directory so that it's accessible globally
sudo mv $HOME/rathole/rathole /usr/bin/
- make a directory that will hold the rathole configuration
sudo mkdir -p /etc/rathole
- copy configuration files to /etc/rathole
sudo cp $HOME/suda-git/config/app1s.toml /etc/rathole
sudo cp $HOME/suda-git/config/app2s.toml /etc/rathole
sudo cp $HOME/suda-git/config/app3s.toml /etc/rathole
- copy systemd service files to /etc/systemd/system
sudo cp $HOME/suda-git/config/ratholes@.service /etc/systemd/system/
- this needs to use the same generated string as before (stored in the $secret variable) as the secret string for rathole; the configs ship with the placeholder hackme, which sed replaces below
- define $secret
secret="the secret string from the local SUDA installation (without quotes)"
sudo sed -i "s/hackme/$secret/g" /etc/rathole/app1s.toml
sudo sed -i "s/hackme/$secret/g" /etc/rathole/app2s.toml
sudo sed -i "s/hackme/$secret/g" /etc/rathole/app3s.toml
- app1s - noVNC service running on the client machine on port 443
- app2s - icecast streaming service running on the client machine on port 8443
- app3s - icecast admin backing service running on the client on port 8080
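The bare sed calls above break (or silently corrupt the token) when the secret contains /, & or \. The following is an added example, not a script from the SUDA repo: it escapes the secret for sed, refuses an empty or placeholder secret, and checks that no hackme placeholder is left in app1s/app2s/app3s.toml. The TOML content in make_sample_configs is a constructed sample in rathole's server-config layout, since the repo's real files are not shown here.

```shell
#!/bin/sh
# Added example (not part of the SUDA repo). Safely inject the rathole
# secret into the three server configs and verify the placeholder is gone.

# Escape characters that are special on the right-hand side of sed s///:
# the delimiter /, the "whole match" &, and backslash.
escape_for_sed() {
    printf '%s' "$1" | sed -e 's/[\/&\\]/\\&/g'
}

# Replace the hackme placeholder in every config under $1 with secret $2.
# Returns 1 for an empty/placeholder secret, 2 if a file still has hackme.
set_rathole_secret() {
    confdir="$1"; secret="$2"
    if [ -z "$secret" ] || [ "$secret" = "hackme" ]; then
        echo "refusing to use an empty or placeholder secret" >&2
        return 1
    fi
    esc=$(escape_for_sed "$secret")
    for f in "$confdir"/app1s.toml "$confdir"/app2s.toml "$confdir"/app3s.toml; do
        sed -i "s/hackme/$esc/g" "$f"
        if grep -q hackme "$f"; then
            echo "placeholder still present in $f" >&2
            return 2
        fi
    done
    return 0
}

# Constructed sample configs (not the repo's real ones) in rathole's
# [server.services.<name>] layout, written to a fresh temp dir whose path
# is printed so callers can pass it to set_rathole_secret.
make_sample_configs() {
    d=$(mktemp -d)
    for n in 1 2 3; do
        printf '[server]\nbind_addr = "0.0.0.0:2333"\n\n[server.services.app%s]\ntoken = "hackme"\nbind_addr = "0.0.0.0:443"\n' "$n" > "$d/app${n}s.toml"
    done
    echo "$d"
}
```

Run it as root against the real directory after copying the configs, e.g. set_rathole_secret /etc/rathole "$secret".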
- enable these services
sudo systemctl enable ratholes@app1 --now
sudo systemctl enable ratholes@app2 --now
sudo systemctl enable ratholes@app3 --now
Setting up SSL
- define your domain (we will use suda.hacklab01.org)
- this domain needs to have an A record pointing to the public IP of the server
- set the domain variable to the suda domain
domain=suda.hacklab01.org
- set up SSL - enter a valid email address when prompted; the certificate will need to be renewed manually
sudo certbot certonly -d $domain
- Let's Encrypt certificates generated by certbot need to be copied to the local SUDA installation machine for use with icecast
- create a bundle from all Let's Encrypt certificates
sudo bash -c "cat /etc/letsencrypt/live/$domain/fullchain.pem /etc/letsencrypt/live/$domain/privkey.pem > /etc/letsencrypt/live/$domain/bundle.pem"