Tunnelling - rathole client
Setting up a SUDA rathole client (a machine set to run SUDA locally)
Prerequisites:
- a rathole server already setup
- the secret string used to setup the server
- a local server already setup for local (ethernet) use
- this process takes place on that server and exposes it to the internet using the rathole server
- get rathole
wget -O $HOME/suda-git/rathole-x86_64-unknown-linux-gnu.zip https://github.com/rapiz1/rathole/releases/download/v0.4.7/rathole-x86_64-unknown-linux-gnu.zip
- make a directory for rathole
mkdir $HOME/rathole
- unzip the archive into that directory
unzip -q $HOME/suda-git/rathole-x86_64-unknown-linux-gnu.zip -d $HOME/rathole
- make the binary executable
sudo chmod +x $HOME/rathole/rathole
- move the binary to /usr/bin/ so it's accessible from anywhere in the system
sudo mv $HOME/rathole/rathole /usr/bin/
- make a directory that will hold the rathole configuration
sudo mkdir -p /etc/rathole
- copy configuration files to /etc/rathole
sudo cp $HOME/suda-git/config/app1c.toml /etc/rathole/app1.toml
sudo cp $HOME/suda-git/config/app2c.toml /etc/rathole/app2.toml
sudo cp $HOME/suda-git/config/app3c.toml /etc/rathole/app3.toml
- copy rathole systemd service files to /etc/systemd/system
sudo cp $HOME/suda-git/config/ratholec@.service /etc/systemd/system/
- define $secret (needs to be the same string as on the server install)
secret="the_string_from_the_server(witout_quotes)"
- use sed to replace "hackme" with the secret string in the config files
sudo sed -i "s/hackme/$secret/g" /etc/rathole/app1.toml
sudo sed -i "s/hackme/$secret/g" /etc/rathole/app2.toml
sudo sed -i "s/hackme/$secret/g" /etc/rathole/app3.toml
- define $domain (the client needs to know where to connect to - in this case suda.hacklab01.org, set to rathole server domain)
domain=suda.hacklab01.org
- use sed to replace "changeme" with the domain in the config files
sudo sed -i "s/changeme/$domain/g" /etc/rathole/app1.toml
sudo sed -i "s/changeme/$domain/g" /etc/rathole/app2.toml
sudo sed -i "s/changeme/$domain/g" /etc/rathole/app3.toml
- app1 - noVNC service running on the client machine on port 443
- app2 - icecast streaming service running on the client machine on port 8443
- app3 - icecast admin backing service running on the client on port 8080
- enable rathole instances with the appropriate config file for each service
sudo systemctl enable ratholec@app1 --now
sudo systemctl enable ratholec@app2 --now
sudo systemctl enable ratholec@app3 --now
- transfer the SSL certificate files from the server machine to the client
- make new directory to hold the certificates
sudo mkdir -p /etc/letsencrypt/live/$domain/
- define user for remote server
user=root (only root can access the certificates)
- use secure copy (scp) to connect to the remote server and grab the Let's encrypt certificate files generated by certbot
sudo scp $user@$domain:/etc/letsencrypt/live/$domain/* /etc/letsencrypt/live/$domain
- setup MAPS for tunnelingtunneling:
- set local ip to replace with the domain
ip=$(ip -o route get to 209.51.188.174 | sed -n 's/.*src \([0-9.]\+\).*/\1/p')
- change the references to the local IP into the domain
sed -i "s/$ip/$domain/g" $HOME/maps/MAPS.pd
- setup noVNC service for tunneling - the service configuration instructs noVNC to use the certificate and run the service on port 443 (as opposed to port 80 for the local configuration)
- change the streaming audio URL in noVNC index.html
sed -i "s/http:\/\/$ip:8080/https:\/\/$domain:8443/g" $HOME/suda-git/noVNC-1.3.0/index.html
- disable the novnc-local service
sudo systemctl disable novnc-local
- copy novnc-remote service to /etc/systemd/system/
sudo cp $HOME/suda-git/config/novnc-remote.service /etc/systemd/system/
- enable the novnc-remote service
sudo systemctl enable novnc-remote
- setup icecast for tunneling - the configuration file instructs icecast to use the certificate and run with SSL support
sudo cp $HOME/suda-git/config/icecast-remote.xml /etc/icecast2/icecast.xml
- use sed to replace the string "hackme" in the icecast config file with the generated random string ($secret)
sudo sed -i "s/hackme/$secret/g" /etc/icecast2/icecast.xml
- use sed to replace the string "changeme" in the icecast config file with the domain name of the rathole server ($doman)
sudo sed -i "s/changeme/$domain/g" /etc/icecast2/icecast.xml
- icecast needs a bundle made from fullchain and privkey Let's encrypt files
sudo bash -c "cat /etc/letsencrypt/live/$domain/fullchain.pem /etc/letsencrypt/live/$domain/privkey.pem > /etc/letsencrypt/live/$domain/bundle.pem"
- move the newly created bundle.pem file to /etc/icecast2
sudo mv /etc/letsencrypt/live/$domain/bundle.pem /etc/icecast2/bundle.pem
- reboot and test by opening your domain in a browser
sudo reboot