Open zamentur opened 1 year ago
Do you consider this to be a feature to be included in the core, or up to apps (namely openvpn, wireguard, zerotier, or others) to implement?
I don't know exactly. We can imagine several ways to improve this idea, for example update the command 2 with the firewall open ports...
I think a better solution (untested) is to just run this from the local ynh server: ssh -R 0.0.0.0:2222:localhost:22 -R 0.0.0.0:443:localhost:443 -R 0.0.0.0:80:localhost:80 -R 0.0.0.0:25:localhost:25 -R 0.0.0.0:993:localhost:993 -R 0.0.0.0:465:localhost:465 -R 0.0.0.0:587:localhost:587 myvps
In that case we can imagine adding a small config panel to configure "tunneling" VPS settings (host, port, user and password), and a command to rerun this command when it's down.
With that in mind, would it be possible to configure a YunoHost server as reverse-proxy of the local one? As in said config panel taking a list of domains to setup an NGINX conf to proxy them through the ssh tunnel?
Yes, it might be possible if you want to mix services inside the VPS and inside your local ynh server.
But here the main idea is to buy a simple distro vps (debian or other) with nothing on it and just run this command...
Tonight's investigations with @zamentur :
-R args are enough to expose the ports iff ssh config has GatewayPorts yes and PermitTunnel yes
Here we try to create a VPN with an SSH tunnel and interface bridging (needs IP assignment, etc.)
# Both VPS and YunoHost server need bridge-utils (brctl) installed
# VPS server needs
# On YunoHost server:
ssh -R 0.0.0.0:2222:localhost:22 -R 0.0.0.0:443:localhost:443 -R 0.0.0.0:80:localhost:80 -R 0.0.0.0:25:localhost:25 -R 0.0.0.0:993:localhost:993 -R 0.0.0.0:465:localhost:465 -R 0.0.0.0:587:localhost:587 \
    -o "PermitLocalCommand=yes" \
    -o "LocalCommand=brctl addbr br-local && brctl addif br-local tap5 && ifconfig tap5 up" \
    -o Tunnel=ethernet -w 5:5 -t root@<IP> \
    "brctl addbr br-remote && brctl addif br-remote tap5 ens2 && ifconfig br-remote up && ifconfig tap5 up"
Both VPS and YunoHost server need brutils installed
This package has been deprecated. Is it really wise to install it? If so, how do you do it? Running apt install brtctl and similar does not work.
Also, is this the only way to expose a local ynh server via a small public VPS? I feel like it should be possible with the wireguard server application and the wireguard client application, but I can't figure out how to do it.
Imho this is really hackish ... SSH ain't designed to be a reverse proxy ... Imho we should either have a proper routing using openvpn/wireguard/tailscale/headscale/iptables, or TLS-level SNI-based routing (cf https://github.com/YunoHost/issues/issues/2181)
The goal
Find a way to expose easily a local server thanks to a public vps.
The concept
ssh -R 5022:localhost:22 myvps
ssh localhost -p 5022 -L 0.0.0.0:443:localhost:443 -L 0.0.0.0:80:localhost:80 -L 0.0.0.0:25:localhost:25 -L 0.0.0.0:993:localhost:993 -L 0.0.0.0:465:localhost:465 -L 0.0.0.0:587:localhost:587
TODO: check it doesn't bypass firewall
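The single-command variant proposed earlier in the thread (one -R per exposed port, plus something that reruns the command when the tunnel is down), as an added example that is not code from the issue or from YunoHost: a POSIX sh script that builds the -R list from an explicit port list and supervises the ssh session. The VPS hostname and user are placeholders; it assumes key-based authentication and GatewayPorts yes in the VPS sshd config.

```shell
#!/bin/sh
# Added example (not from the issue): build the -R forward list from an
# explicit port list and keep the reverse tunnel up, restarting it when it
# drops. Placeholders: the VPS host/user passed by the caller.
# Requires GatewayPorts yes (or clientspecified) in the VPS sshd_config.

# Map "local[:remote]" specs to "-R 0.0.0.0:remote:localhost:local" flags.
# Only ports named here are exposed through the VPS, so this list is the
# effective firewall of the setup: nothing else on the local server
# becomes reachable, whatever the local firewall allows.
build_forward_args() {
  specs=$1
  out=""
  for spec in $specs; do
    local_port=${spec%%:*}
    remote_port=${spec#*:}          # equals local_port when no ':' given
    for p in "$local_port" "$remote_port"; do
      case $p in
        ''|*[!0-9]*) echo "bad port spec: $spec" >&2; return 1 ;;
      esac
    done
    out="$out -R 0.0.0.0:${remote_port}:localhost:${local_port}"
  done
  printf '%s' "${out# }"
}

# Run ssh in a loop so the tunnel is re-established when the connection
# drops (the "rerun this command when it's down" part of the proposal).
# -N: no remote shell; ExitOnForwardFailure: exit (and retry) instead of
# silently running with a missing -R; ServerAlive*: detect dead links;
# BatchMode: never prompt for a password, so the loop cannot hang.
tunnel_loop() {
  vps=$1; specs=$2; delay=${3:-10}
  args=$(build_forward_args "$specs") || return 1
  while :; do
    # shellcheck disable=SC2086  # word-splitting of $args is intended
    ssh -N \
        -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
        -o BatchMode=yes \
        $args "$vps"
    echo "tunnel to $vps exited with status $?; retrying in ${delay}s" >&2
    sleep "$delay"
  done
}

# Usage (placeholder host; key-based auth assumed because of BatchMode):
# tunnel_loop tunnel@vps.example.invalid "22:2222 80 443 25 465 587 993"
```

Because only the ports in the list are forwarded, the TODO above is answered for the tunnel side: the VPS exposes exactly those ports and nothing else; the VPS's own firewall still has to allow them.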