Tunnelling - rathole client
- get rathole
wget -O $HOME/suda-git/rathole-x86_64-unknown-linux-gnu.zip https://github.com/rapiz1/rathole/releases/download/v0.4.7/rathole-x86_64-unknown-linux-gnu.zip
- make a directory for rathole
mkdir $HOME/rathole
- unzip the archive into that directory
unzip -q $HOME/suda-git/rathole-x86_64-unknown-linux-gnu.zip -d $HOME/rathole
- make the binary executable
sudo chmod +x $HOME/rathole/rathole
- move the binary to /usr/bin/ so it's accessible from anywhere in the system
sudo mv $HOME/rathole/rathole /usr/bin/
- make a directory that will hold the rathole configuration
sudo mkdir -p /etc/rathole
- copy configuration files to /etc/rathole
sudo cp $HOME/suda-git/config/app1c.toml /etc/rathole/app1.toml
sudo cp $HOME/suda-git/config/app2c.toml /etc/rathole/app2.toml
sudo cp $HOME/suda-git/config/app3c.toml /etc/rathole/app3.toml
- copy systemd service files to /etc/systemd/system
sudo cp $HOME/suda-git/config/ratholec@.service /etc/systemd/system/
- define $secret (needs to be the same string as on the server install)
secret="the_string_from_the_server(witout_quotes)"
- use sed to replace "hackme" with the secret string in the config files
sudo sed -i "s/hackme/$secret/g" /etc/rathole/app1c.toml
sudo sed -i "s/hackme/$secret/g" /etc/rathole/app2c.toml
sudo sed -i "s/hackme/$secret/g" /etc/rathole/app3c.toml
- app1 - noVNC service running on the client machine on port 443
- app2 - icecast streaming service running on the client machine on port 8443
- app3 - icecast admin backing service running on the client on port 8080
- enable rathole instances with the appropriate config file for each service
sudo systemctl enable ratholec@app1 --now
sudo systemctl enable ratholec@app2 --now
sudo systemctl enable ratholec@app3 --now
- transfer the SSL certificate files from the server machine to the client
- define the domain (without protocol)
domain=suda.hacklab01.org
- make new directory to hold the certificates
sudo mkdir -p /etc/letsencrypt/suda.hacklab01.org/livelive/$domain/
scp- $user@$domain:/etc/letsencrypt/live/$domain/*define
user for remote server
scp $user@$domain:/etc/letsencrypt/live/$domain/bundle.pem bundle.pem
user=root (only root can access the certificates)
sudo scp $user@$domain:/etc/letsencrypt/live/$domain/* /etc/letsencrypt/live/$domain
- setup MAPS for tunneling - change the references to the local IP into the domain
sed -i "s/http:\/\/$ip:8080/https:\/\/$domain:8443/g" $HOME/suda-git/noVNC-1.3.0/index.html
sed -i "s/$ip/$domain/g" $HOME/maps/MAPS.pd
- setup noVNC service for tunneling - the service configuration instructs noVNC to use the certificate and run the service on port 443 (as opposed to port 80 for the local configuration)
- disable the novnc-local service
sudo systecmtl disable novnc-local
- copy novnc-remote service to /etc/systemd/system/
sudo cp $HOME/suda-git/config/novnc-remote.service /etc/systemd/system/
- enable the novnc-remote service
sudo systecmtl enable novnc-remote