YunoHost / issues

General issue tracker for the YunoHost project

Easily expose a local ynh server with a small public VPS #2191

Open zamentur opened 1 year ago

zamentur commented 1 year ago

The goal

Find a way to expose easily a local server thanks to a public vps.

The concept

  1. Inside local ynh server run an ssh command to the vps: ssh -R 5022:localhost:22 myvps
  2. Inside the vps run ssh localhost -p 5022 -L 0.0.0.0:443:localhost:443 -L 0.0.0.0:80:localhost:80 -L 0.0.0.0:25:localhost:25 -L 0.0.0.0:993:localhost:993 -L 0.0.0.0:465:localhost:465 -L 0.0.0.0:587:localhost:587
  3. Enjoy

TODO: check it doesn't bypass firewall

tituspijean commented 1 year ago

Do you consider this to be a feature to be included in the core, or up to apps (namely openvpn, wireguard, zerotier, or others) to implement?

zamentur commented 1 year ago

I don't know exactly. We can imagine several ways to improve this idea, for example updating command 2 with the firewall's open ports...

zamentur commented 1 year ago

I think a better solution (untested) is to just run this from the local ynh server: ssh -R 0.0.0.0:2222:localhost:22 -R 0.0.0.0:443:localhost:443 -R 0.0.0.0:80:localhost:80 -R 0.0.0.0:25:localhost:25 -R 0.0.0.0:993:localhost:993 -R 0.0.0.0:465:localhost:465 -R 0.0.0.0:587:localhost:587 myvps

In that case we can just imagine adding a small config panel to configure the "tunneling" VPS settings (host, port, user and password), and a command that reruns this command when it's down.

tituspijean commented 1 year ago

With that in mind, would it be possible to configure a YunoHost server as a reverse proxy of the local one? As in, said config panel taking a list of domains to set up an NGINX conf to proxy them through the ssh tunnel?

zamentur commented 1 year ago

Yes, it might be possible if you want to mix services inside the VPS and inside your local ynh server.

But here the main idea is to buy a simple distro VPS (Debian or other) with nothing on it and just run this command...

tituspijean commented 1 year ago

Tonight's investigations with @zamentur:

  1. the -R args are enough to expose the ports iff the ssh config has GatewayPorts yes and PermitTunnel yes
  2. they are not enough to have the YunoHost server's outbound traffic routed through the VPS (needed for emails and dyndns)

Here we try to create a VPN with an SSH tunnel and interface bridging (needs IP assignment, etc.):

# Both VPS and YunoHost server need bridge-utils (the package providing brctl) installed
# VPS server needs
# On YunoHost server (tap5 is created on both ends by -w 5:5; ens2 is the VPS's public interface):
ssh -R 0.0.0.0:2222:localhost:22 -R 0.0.0.0:443:localhost:443 -R 0.0.0.0:80:localhost:80 -R 0.0.0.0:25:localhost:25 -R 0.0.0.0:993:localhost:993 -R 0.0.0.0:465:localhost:465 -R 0.0.0.0:587:localhost:587 \
    -o "PermitLocalCommand=yes" \
    -o "LocalCommand=brctl addbr br-local && brctl addif br-local tap5 && ifconfig tap5 up" \
    -o Tunnel=ethernet -w 5:5 -t root@<IP> \
    "brctl addbr br-remote && brctl addif br-remote tap5 ens2 && ifconfig br-remote up && ifconfig tap5 up"

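
Putting the thread's pieces together (a port list driving the -R args, rerunning the tunnel when it is down, and the GatewayPorts requirement found above), here is an added example script that is not part of YunoHost or of this issue. The ynhtunnel account, the myvps alias and the port list are assumptions. Instead of a global GatewayPorts yes on the VPS, it emits a Match block so only the tunnel account may bind the listed ports on the public address, which keeps the tunnel from becoming a way to open arbitrary ports.

```shell
#!/bin/sh
# Added helper (hypothetical, not part of YunoHost): derives the ssh -R
# arguments and a matching sshd_config restriction from one port list,
# and keeps the tunnel running.

# Constructed port list; a real config panel would take it from the
# opened firewall ports. 2222 exposes the local sshd as in the thread.
TUNNEL_PORTS="80 443 25 465 587 993"
ADMIN_SSH_PORT=2222
TUNNEL_HOST="${TUNNEL_HOST:-myvps}"      # ssh alias of the VPS (assumed)
TUNNEL_USER="${TUNNEL_USER:-ynhtunnel}"  # dedicated VPS account (assumed)

# One "-R 0.0.0.0:P:localhost:P" per port, space separated.
build_forward_args() {
    out=""
    for p in $1; do
        out="${out:+$out }-R 0.0.0.0:$p:localhost:$p"
    done
    printf '%s' "$out"
}

# sshd_config fragment for the VPS: instead of a global "GatewayPorts yes",
# let only the tunnel account bind public addresses, and only these ports
# (PermitListen needs OpenSSH 7.8+). Ethernet tunnels and local forwards
# stay off for this account. Args: service ports, admin port, user.
build_sshd_fragment() {
    listen=""
    for p in $1 $2; do
        listen="${listen:+$listen }0.0.0.0:$p"
    done
    printf 'Match User %s\n' "$3"
    printf '    GatewayPorts clientspecified\n'
    printf '    PermitListen %s\n' "$listen"
    printf '    PermitTunnel no\n'
    printf '    AllowTcpForwarding remote\n'
}

# Rerun the tunnel whenever it drops (the "rerun when down" idea above).
# -N: no shell; ExitOnForwardFailure: fail loudly if a port is already taken.
run_tunnel_forever() {
    while :; do
        ssh -N -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
            -o ExitOnForwardFailure=yes \
            -R "0.0.0.0:$ADMIN_SSH_PORT:localhost:22" \
            $(build_forward_args "$TUNNEL_PORTS") \
            "$TUNNEL_USER@$TUNNEL_HOST"
        sleep 10
    done
}
```

Append the output of `build_sshd_fragment "$TUNNEL_PORTS" "$ADMIN_SSH_PORT" "$TUNNEL_USER"` to the VPS's sshd_config (Match blocks must come last), then start `run_tunnel_forever` from a service unit on the YunoHost server.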
mstyp commented 1 year ago

Both VPS and YunoHost server need brutils installed

This package has been deprecated. Is it really wise to install it? If so, how do you do it? Running apt install brtctl and similar does not work.

Also, is this the only way to expose a local ynh server via a small public VPS? I feel like it should be possible with the wireguard server application and the wireguard client application, but I can't figure out how to do it.

alexAubin commented 8 months ago

Imho this is really hackish ... SSH ain't designed to be a reverse proxy ... Imho we should either have a proper routing using openvpn/wireguard/tailscale/headscale/iptables, or TLS-level SNI-based routing (cf https://github.com/YunoHost/issues/issues/2181)