
Tunneling - rathole server

Rathole is used to set up tunneling and expose the SUDA computer to the internet using NAT traversal.


Prerequisites:


- a server that is exposed to the internet, which will stand between the internet and our home connection and tunnel all data

- a domain name with an A record pointing to the server's IP

- an SSL certificate (can be obtained using Let's Encrypt's certbot)

- on the remote server with a public IP, rathole needs to be set up in server mode

- ports 8080, 80, and 443 should be available


- install software


sudo apt update

sudo apt install certbot unzip


- clone the git repo which holds the config files and scripts - this command will put all files from the repo in a subdirectory called suda-git in the user's home directory ($HOME)


git clone https://gitlab.com/hacklab01/suda.git $HOME/suda-git


Install and setup rathole


- download the archive


wget -O $HOME/rathole-x86_64-unknown-linux-gnu.zip https://github.com/rapiz1/rathole/releases/download/v0.4.7/rathole-x86_64-unknown-linux-gnu.zip


- make appropriate directory


mkdir $HOME/rathole


- extract the downloaded archive to the newly created directory


unzip -q $HOME/rathole-x86_64-unknown-linux-gnu.zip -d $HOME/rathole


- allow execution of the rathole binary


sudo chmod +x $HOME/rathole/rathole


- move the rathole binary to the /usr/bin/ directory so that it's accessible globally


sudo mv $HOME/rathole/rathole /usr/bin/


- make a directory that will hold the rathole configuration


sudo mkdir -p /etc/rathole


- copy configuration files to /etc/rathole


sudo cp $HOME/suda-git/config/app1s.toml /etc/rathole

sudo cp $HOME/suda-git/config/app2s.toml /etc/rathole

sudo cp $HOME/suda-git/config/app3s.toml /etc/rathole


- copy systemd service files to /etc/systemd/system


sudo cp $HOME/suda-git/config/ratholes@.service /etc/systemd/system/


- define $secret (a random 13-character alphanumeric token)


secret=$(tr -dc A-Za-z0-9 </dev/urandom | head -c 13 ; echo '')


- print the secret and save it for later; it will be needed for the client setup (the client is the SUDA computer)


echo $secret


- use sed to replace the placeholder string hackme in each config with the generated secret


sudo sed -i "s/hackme/$secret/g" /etc/rathole/app1s.toml

sudo sed -i "s/hackme/$secret/g" /etc/rathole/app2s.toml

sudo sed -i "s/hackme/$secret/g" /etc/rathole/app3s.toml


- app1s - noVNC service running on the client machine on port 443

- app2s - icecast streaming service running on the client machine on port 8443

- app3s - icecast admin backing service running on the client on port 8080
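The secret generation and hackme substitution above, as an added example that is not part of the SUDA repo or its scripts: it refuses to run sed with an empty or non-alphanumeric secret (an unset $secret would otherwise silently write a blank token into all three services) and verifies that every config ends up with the same token and no placeholder. The sample configs are constructed here to mirror rathole's documented server config layout; the file names and port numbers are the page's.

```shell
#!/bin/sh
# Added example (not from the SUDA repo): generate a rathole token, write it
# into each server config in place of the "hackme" placeholder, and verify.

gen_secret() {
    # alphanumeric token; 13 characters matches the page's command
    LC_ALL=C tr -dc A-Za-z0-9 </dev/urandom | head -c "${1:-13}"
}

# Usage: apply_secret SECRET FILE...  Returns 1 on any problem.
apply_secret() {
    secret="$1"; shift
    # an empty secret would turn "hackme" into "" and leave a blank token
    [ -n "$secret" ] || { echo "refusing empty secret" >&2; return 1; }
    # the page's token charset; also keeps the sed expression safe
    case "$secret" in
        *[!A-Za-z0-9]*) echo "secret must be alphanumeric" >&2; return 1 ;;
    esac
    for f in "$@"; do
        grep -q 'hackme' "$f" || { echo "$f: no placeholder" >&2; return 1; }
        sed -i "s/hackme/$secret/g" "$f"
        # every config must now carry the token and no placeholder
        grep -q 'hackme' "$f" && { echo "$f: placeholder remains" >&2; return 1; }
        grep -q "token = \"$secret\"" "$f" || { echo "$f: token missing" >&2; return 1; }
    done
    return 0
}

# Constructed sample configs (rathole's [server.services.<name>] layout) in a
# temp dir, then the substitution; succeeds only if all three share one token.
demo() {
    dir=$(mktemp -d)
    for spec in app1s:443 app2s:8443 app3s:8080; do
        app=${spec%%:*}; port=${spec##*:}
        printf '[server]\nbind_addr = "0.0.0.0:2333"\n\n[server.services.%s]\ntoken = "hackme"\nbind_addr = "0.0.0.0:%s"\n' \
            "${app%s}" "$port" > "$dir/$app.toml"
    done
    secret=$(gen_secret 13)
    apply_secret "$secret" "$dir"/app1s.toml "$dir"/app2s.toml "$dir"/app3s.toml || return 1
    n=$(cat "$dir"/app*.toml | grep -c "token = \"$secret\"")
    [ "$n" -eq 3 ]
}
```

Run `demo` to exercise it on the constructed configs, or call `apply_secret "$secret" /etc/rathole/app*.toml` in place of the three sed lines.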


- allow rathole to bind privileged ports (below 1024, such as 80 and 443) without running as root


sudo setcap 'cap_net_bind_service=+ep' /usr/bin/rathole


- enable these services


sudo systemctl enable ratholes@app1 --now

sudo systemctl enable ratholes@app2 --now

sudo systemctl enable ratholes@app3 --now


Setting up SSL


- define your domain (we will use suda.hacklab01.org)

- this domain needs to have an A record pointing to the public IP of the server

- set the domain variable to the suda domain


domain=suda.hacklab01.org


- set up SSL: enter a valid email address when prompted; the certificate will need to be renewed manually


sudo certbot certonly -d $domain


- the Let's Encrypt certificates generated by certbot need to be copied to the local SUDA installation machine for use with icecast

- create a bundle from all Let's Encrypt certificate files (the bundle also contains the private key, so keep it readable by root only)


sudo bash -c "cat /etc/letsencrypt/live/$domain/fullchain.pem /etc/letsencrypt/live/$domain/privkey.pem > /etc/letsencrypt/live/$domain/bundle.pem"