
Tunnelling - rathole client

Setting up a SUDA rathole client (a machine set to run SUDA locally)

Prerequisites:

- a rathole server already set up

- the secret string used to set up the server

- a local server already set up for local (ethernet) use
- this process takes place on that local server and exposes it to the internet through the rathole server


- get the rathole release archive (v0.4.7, x86_64 Linux build)


wget -O $HOME/suda-git/rathole-x86_64-unknown-linux-gnu.zip https://github.com/rapiz1/rathole/releases/download/v0.4.7/rathole-x86_64-unknown-linux-gnu.zip


- make a directory for rathole


mkdir $HOME/rathole


- unzip the archive into that directory


unzip -q $HOME/suda-git/rathole-x86_64-unknown-linux-gnu.zip -d $HOME/rathole


- make the binary executable


sudo chmod +x $HOME/rathole/rathole


- move the binary to /usr/bin/ so it's accessible from anywhere in the system


sudo mv $HOME/rathole/rathole /usr/bin/


- make a directory that will hold the rathole configuration


sudo mkdir -p /etc/rathole


- copy configuration files to /etc/rathole


sudo cp $HOME/suda-git/config/app1c.toml /etc/rathole/app1.toml

sudo cp $HOME/suda-git/config/app2c.toml /etc/rathole/app2.toml

sudo cp $HOME/suda-git/config/app3c.toml /etc/rathole/app3.toml


- copy rathole systemd service files to /etc/systemd/system


sudo cp $HOME/suda-git/config/ratholec@.service /etc/systemd/system/


- define $secret (must be the secret string saved when the rathole server was set up)


secret=the_saved_string


- use sed to replace "hackme" with the secret string in the config files


sudo sed -i "s/hackme/$secret/g" /etc/rathole/app1.toml

sudo sed -i "s/hackme/$secret/g" /etc/rathole/app2.toml

sudo sed -i "s/hackme/$secret/g" /etc/rathole/app3.toml


- define $domain (the domain of the rathole server the client connects to; in this case suda.hacklab01.org)

domain=suda.hacklab01.org


- use sed to replace "changeme" with the domain in the config files

sudo sed -i "s/changeme/$domain/g" /etc/rathole/app1.toml

sudo sed -i "s/changeme/$domain/g" /etc/rathole/app2.toml

sudo sed -i "s/changeme/$domain/g" /etc/rathole/app3.toml
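The sed lines above break if the secret contains a "/" or an "&", because both are special in a sed s/// expression. The following is an added example, not a script from the SUDA docs: it performs the same "hackme"/"changeme" substitution with the replacement text escaped, and then checks that no placeholder survived. The sample config is constructed to resemble a rathole client file; the real app1c.toml lives in the suda-git repo and is not reproduced here.

```shell
#!/bin/sh
# Added example (not part of the SUDA docs): fill the rathole client
# placeholders the way the page's sed lines do, but escape the
# replacement so '/', '&', '|' or '\' in the secret cannot break sed.

# escape_for_sed STRING -> STRING safe as the replacement part of s|||
escape_for_sed() {
    printf '%s' "$1" | sed 's/[\\|&]/\\&/g'
}

# fill_placeholders FILE SECRET DOMAIN (same effect as the page's two sed lines)
fill_placeholders() {
    esc_secret=$(escape_for_sed "$2")
    esc_domain=$(escape_for_sed "$3")
    sed -i -e "s|hackme|$esc_secret|g" -e "s|changeme|$esc_domain|g" "$1"
}

# check_filled FILE -> exit 0 only if neither placeholder remains
check_filled() {
    ! grep -q -e hackme -e changeme "$1"
}

# demo: constructed sample in the shape of a rathole client config
# (not the project's app1c.toml); prints the filled token line
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/app1.toml" <<'EOF'
[client]
remote_addr = "changeme:2333"
default_token = "hackme"

[client.services.app1]
local_addr = "127.0.0.1:443"
EOF
    fill_placeholders "$tmp/app1.toml" 'top/secret&more' 'suda.hacklab01.org'
    check_filled "$tmp/app1.toml" || return 1
    grep -o 'default_token = ".*"' "$tmp/app1.toml"
}
```

Run check_filled on each of /etc/rathole/app1.toml, app2.toml and app3.toml after the substitution; a non-zero exit means a placeholder is still in place and the instance will try to connect with the wrong token or to the wrong host.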


- app1 - noVNC service running on the client machine on port 443

- app2 - icecast streaming service running on the client machine on port 8443

- app3 - icecast admin backing service running on the client machine on port 8080


- enable rathole instances with the appropriate config file for each service


sudo systemctl enable ratholec@app1 --now

sudo systemctl enable ratholec@app2 --now

sudo systemctl enable ratholec@app3 --now


- transfer the SSL certificate files from the server machine to the client


- make new directory to hold the certificates


sudo mkdir -p /etc/letsencrypt/live/$domain/


- define the user for the remote server (only root can read the certificates)


user=root


- use secure copy (scp) to connect to the remote server and fetch the Let's Encrypt certificate files generated by certbot

sudo scp $user@$domain:/etc/letsencrypt/live/$domain/* /etc/letsencrypt/live/$domain


- set up MAPS for tunnelling:

- store the local IP address (the source address this machine uses to reach the internet), which will be replaced with the domain

ip=$(ip -o route get to 209.51.188.174 | sed -n 's/.*src \([0-9.]\+\).*/\1/p')


- change the references to the local IP into the domain

sed -i "s/$ip/$domain/g" $HOME/maps/MAPS.pd


- set up the noVNC service for tunnelling: the novnc-remote service configuration instructs noVNC to use the certificate and run the service on port 443 (instead of port 80 as in the local configuration)


- change the streaming audio URL in noVNC index.html


sed -i "s/http:\/\/$ip:8080/https:\/\/$domain:8443/g" $HOME/suda-git/noVNC-1.4.0/index.html


- disable the novnc-local service


sudo systemctl disable novnc-local


- copy novnc-remote service to /etc/systemd/system/


sudo cp $HOME/suda-git/config/novnc-remote.service /etc/systemd/system/


- use sed to set the domain in the novnc-remote service file by replacing the string "changeme" with the domain


sudo sed -i "s/changeme/$domain/g" /etc/systemd/system/novnc-remote.service


- enable the novnc-remote service

sudo systemctl enable novnc-remote


- set up icecast for tunnelling: copy the remote configuration file, which instructs icecast to use the certificate and run with SSL support


sudo cp $HOME/suda-git/config/icecast-remote.xml /etc/icecast2/icecast.xml

- use sed to replace the string "hackme" in the icecast config file with the generated random string ($secret)

sudo sed -i "s/hackme/$secret/g" /etc/icecast2/icecast.xml

- use sed to replace the string "changeme" in the icecast config file with the domain name of the rathole server ($domain)


sudo sed -i "s/changeme/$domain/g" /etc/icecast2/icecast.xml


- icecast needs a single bundle file made from the Let's Encrypt fullchain.pem and privkey.pem files


sudo bash -c "cat /etc/letsencrypt/live/$domain/fullchain.pem /etc/letsencrypt/live/$domain/privkey.pem > /etc/letsencrypt/live/$domain/bundle.pem"

- move the newly created bundle.pem file to /etc/icecast2

sudo mv /etc/letsencrypt/live/$domain/bundle.pem /etc/icecast2/bundle.pem
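The bundle contains the private key, and the `cat ... > bundle.pem` step above creates it with root's default umask, which normally leaves the file world-readable. The following is an added example, not a script from the SUDA docs: it builds the bundle in the same order (fullchain first, then privkey) under a restrictive umask and checks the result before it is handed to icecast. The PEM files in the demo are constructed placeholders, not real certificates or keys.

```shell
#!/bin/sh
# Added example (not part of the SUDA docs): build the icecast bundle.pem
# like the page does (fullchain followed by privkey) but owner-readable
# only, then verify mode and contents. Assumes GNU stat (Linux).

# make_bundle FULLCHAIN PRIVKEY OUT -> OUT created with mode 600
make_bundle() {
    rm -f "$3"                      # a pre-existing file would keep its old mode
    ( umask 077 && cat "$1" "$2" > "$3" )
}

# check_bundle FILE -> 0 when mode is 600 or 640, the first PEM block is a
# certificate and a private key block is present; 1 otherwise
check_bundle() {
    f=$1
    mode=$(stat -c '%a' "$f")
    case "$mode" in
        600|640) ;;
        *) echo "bundle $f has mode $mode (private key readable by others)" >&2; return 1 ;;
    esac
    first=$(grep -m1 -- '-----BEGIN ' "$f")
    [ "$first" = '-----BEGIN CERTIFICATE-----' ] || { echo "certificate must come first" >&2; return 1; }
    grep -Eq -- '-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$f" || { echo "no private key" >&2; return 1; }
}

# demo: constructed placeholder PEM blocks (no real key material)
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed-placeholder' \
        '-----END CERTIFICATE-----' > "$tmp/fullchain.pem"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'constructed-placeholder' \
        '-----END PRIVATE KEY-----' > "$tmp/privkey.pem"
    make_bundle "$tmp/fullchain.pem" "$tmp/privkey.pem" "$tmp/bundle.pem"
    check_bundle "$tmp/bundle.pem" && echo ok
}
```

After moving the bundle to /etc/icecast2, give it to the user icecast runs as (for example `chown icecast2:icecast /etc/icecast2/bundle.pem`, assuming the Debian package's account names) so check_bundle passes with mode 600 and the service can still read it.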

- reboot and test by opening your domain in a browser

sudo reboot