I had to solve that the split horizon DNS problem in order to find my way out to the Internet. The complementary problem is how to access the internal network form the Internet. The scenario being, for example, your home network being protected by a very angry firewall that you don’t necessarily control. However, it’d be quite handy to be able to SSH into your machines at home, use the printer, or connect to the internal messaging system.
However, everything is pretty much firewalled such that no incoming connections are possible. Fortunately, outgoing connections to an SSH server are possible. With the RemoteForward
option of OpenSSH we can create a reverse tunnel to connect to the separate network. All it requires is a SSH server that you can connect to from both sides, i.e. the internet and the separate network, and some configuration, maybe like this on the machine within the network: ssh -o 'RemoteForward=localhost:23 localhost:22' root@remotehost
and this for the internet machine:
Host dialin User toor HostName my.server Port 23
It then looks almost like this:
+---------------------------------------+ |Internet | +---------------------------------------+ | +-----------+ | | |My machine | +------------+ | | +-----------+ | | | | | | +----------v--+ | | | | | | | SSH Server | | | | | | | +----------+--+ | | ^ | | +------------------------ | | --------+ | | +------------------------ | | --------+ |XXXXXXXX Firewall XX | | XXXXXXXX| +------------------------ | | --------+ | | +------------------------ | | --------+ | ACME.corp 10/8 | | | +------------------------ | | --------+ | | | | | +---------+---|------+ | | XMPP <-+ | | | | | | | | | | | | | v | | | Print <----------+ ssh -R | | | | | via corkscrew | | | | | | | | VCS <-+ +--------------------+ | | | My machine | | | +--------------------+ | | | +---------------------------------------+
“But…” I hear you say. What about the firewall? How would we connect in first place? Sure, we can use corkscrew, as we’ve learned. That will then look a bit more convoluted, maybe like this:
ssh -o ProxyCommand="corkscrew proxy.acme.corp 80 ssh.my.server 443" -o 'RemoteForward=localhost:23 localhost:22' root@lolcathost
What? You don’t have corkscrew installed? Gnah, it’s dangerous to go alone, take this:
cd wget --continue http://www.agroman.net/corkscrew/corkscrew-2.0.tar.gz tar xvf corkscrew*.tar* cd corkscrew* ./configure --prefix=~/corkscrew; make; make install echo -e 'y\n'|ssh-keygen -q -t rsa -N "" -f ~/.ssh/id_rsa (echo -n 'command="read",no-X11-forwarding,no-agent-forwarding '; cat ~/.ssh/id_rsa.pub ;echo;echo EOF)
As a bonus, you get a SSH public key which you can add on the server side, i.e. cat >> ~root/.ssh/authorized_keys <<EOF
. Have you noticed? When logging on with that key, only the read
command will be executed.
That’s already quite helpful. But how do you then connect? Via the SSH server, of course. But it’s a bit of a hassle to first connect there and then somehow port forward via SSH and all. Also, in order to resolve internal names, you’d have to first SSH into the separate machine to issue DNS queries. That’s all painful and not fun. How about an automatic pseudo VPN that allows you to use the internal nameserver and transparently connects you to your internal network?
Again, sshuttle to the rescue. With the same patches applied to /etc/NetworkManager/dnsmasq.d/corp-tld
, namely
# resolves names both, .corp and .acme server=/acme.corp/10.2.3.4 server=/corp.acme/10.3.4.5
you can make use of that lovely patch for dns hosts. In the following example, we have a few nameservers defined, just in case: 10.2.3.4
, 10.3.4.5
, 10.4.5.6
, and 10.5.6.7
. It also excludes some networks that you may not want to have transparently routed. A few of them are actually standard local networks and should probably never be routed. Finally, the internal network is defined. In the example, the networks are 10.1.2.3/8
, 123.1.2.3/8
, and 321.456.0.0/16
.
sshuttle --dns-hosts 10.2.3.4,10.3.4.5,10.4.5.6,10.5.6.7 -vvr dialin 10.1.2.3/8 123.1.2.3/8 321.456.0.0/16 \
--exclude 10.0.2.1/24 \
--exclude 10.183.252.224/24 \
--exclude 127.0.1.1/8 \
--exclude 224.0.0.1/8 \
--exclude 232.0.0.1/8 \
--exclude 233.252.0.0/14 \
--exclude 234.0.0.0/8
This setup allows you to simply execute that command and enjoy all of your networks. Including name resolution.