Forward SSH from Reverse Proxy Server through VPN to Home Server

I’m trying to set up GitLab on my home server. HTTPS is working and I can get to GitLab’s interface, but SSH is not and thus I can’t push code to the server.

Here is the setup:

Cloudflare <--> Reverse Proxy (nginx, hosted on Digital Ocean) <--- VPN ---> Untangle Firewall <--> GitLab Server (on ESXi)

If I try to SSH directly from the Reverse Proxy to the GitLab server (over VPN connection), it works perfectly.

If I try to SSH from my laptop using the domain name, I get:

kex_exchange_identification: Connection closed by remote host
Connection closed by 104.31.73.156 port 2095

If I try to SSH from my laptop using the Reverse Proxy’s IP (thus cutting out Cloudflare), I get:

Bad packet length 1231976033.
ssh_dispatch_run_fatal: Connection to {{ IP }} port 2095: message authentication code incorrect

I’m currently trying to use the nginx stream module to do so, and this is the stream setup:

stream {
        upstream git-ssh {
                server {{INTERNAL GITLAB IP}}:22;
        }
        server {
                listen 2095;
                proxy_pass {{INTERNAL GITLAB IP}}:22;
                proxy_protocol on;
        }
}

The reason I have upstream git-ssh and then don’t use it is that I was wondering if that was the problem, but it makes no difference if I use it or not.

I’m not familiar with iptables, but I tried the following commands:

sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 2095 -j DNAT --to-destination {{GITLAB IP}}:22
sudo iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 2095 -j SNAT --to-source {{PROXY IP}}

But it didn’t seem to work. ssh just sits there returning nothing and eventually times out.

I am lost now, and was hoping someone could give me pointers?

Author: Cody Dostal
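Two diagnostics for the symptoms in the post above, as an added example (not code from the post or from nginx/GitLab). First, the "Bad packet length 1231976033" is 0x496E7661, the ASCII bytes "Inva": the ssh client is reading a plaintext reply from the server as a binary packet header, which is what happens when nginx with "proxy_protocol on" prepends a "PROXY TCP4 ..." line to the upstream connection, since sshd does not speak the PROXY protocol and rejects that line as an invalid identification string. Second, Cloudflare's HTTP proxy on port 2095 forwards HTTP, not raw TCP, so an SSH client behind it never gets a banner. The script decodes the bogus length and classifies the first line a TCP endpoint sends; host names and ports in the usage call are placeholders.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Helpers to diagnose SSH-through-a-proxy failures.
set -eu

# decode_packet_length N: print the four bytes ssh misread as a packet length.
# ssh expects a 4-byte big-endian length; text arriving instead shows up as a huge "length".
decode_packet_length() {
    local n=$1 i
    for i in 24 16 8 0; do
        printf "\\x$(printf '%02x' $(( (n >> i) & 255 )))"
    done
    echo
}

# classify_banner: read the first line from stdin and print what kind of speaker sent it:
#   ssh           an SSH server identification string ("SSH-2.0-...")
#   proxy-header  a PROXY-protocol v1 header (what nginx sends upstream with proxy_protocol on)
#   http          an HTTP response (what an HTTP-only proxy such as Cloudflare answers with)
#   silent        nothing arrived before EOF or the timeout
#   other         anything else
classify_banner() {
    local line=
    # On timeout or EOF bash keeps whatever partial input arrived in $line.
    IFS= read -r -t "${BANNER_TIMEOUT:-5}" line || true
    line=${line%$'\r'}
    case "$line" in
        '')         echo silent ;;
        SSH-*)      echo ssh ;;
        "PROXY "*)  echo proxy-header ;;
        HTTP/*)     echo http ;;
        *)          echo other ;;
    esac
}

# probe HOST PORT: connect, send nothing, and classify the server's first line.
# An SSH server speaks first, so a healthy forward prints "ssh".
probe() {
    if ! classify_banner <"/dev/tcp/$1/$2" 2>/dev/null; then
        echo unreachable
    fi
}

# Usage (hypothetical hosts): probe proxy.example.net 2095 ; probe 203.0.113.10 22
if [ "${1:-}" = "decode" ]; then
    decode_packet_length "${2:-1231976033}"
fi
```

To see exactly what sshd receives from nginx, point the stream upstream at a listener that just echoes its input (for example `nc -l` on a spare port) and pipe it through `classify_banner`; with `proxy_protocol on` it prints `proxy-header`, and after removing that directive it prints `ssh`. Two netfilter details also matter for the iptables variant in the post: POSTROUTING sees the packet after PREROUTING's DNAT, so an SNAT rule matching `--dport 2095` never fires (the port is already 22 by then), and forwarding between eth0 and the VPN interface requires `net.ipv4.ip_forward=1` plus a FORWARD rule that accepts the traffic.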

How to follow IP changes in LAN to avoid remote connectivity issues

I’ve set up remote access to a computer and had to enter the authorized IPs which can connect remotely to the computer. These IPs change from time to time and I have no control over that, so every time they change I have to go update the authorized IPs list. Usually, a user will let me know that the connection failed.

Is there a way to somehow track these IP changes (happening on a company’s LAN) so I can proactively update my list instead of having to wait until the connection fails to go and see what the new IP is?

If it’s not possible, how is this usually handled by IT security professionals?

Author: Trusky
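One defensive way to get ahead of the failures described above, as an added example (not from the post): instead of waiting for a user report, scan the firewall's denied-connection log for sources that fall inside the remote site's known address range but are missing from the allowlist, and surface them for review. The script assumes (hypothetically) that the host logs drops in iptables/ufw style with `SRC=` and `DPT=` fields, that the site's range is known as one or more CIDRs, and that the allowlist is a file with one IPv4 address per line; the log lines are constructed for the example.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: find allowlist candidates in denied-connection logs.
set -eu

# ip2int A.B.C.D -> 32-bit integer
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# ip_in_cidr ADDR NET/BITS -> exit 0 when ADDR lies inside the prefix
ip_in_cidr() {
    local addr=$1 net=${2%/*} bits=${2#*/} mask
    mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$addr") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# candidate_ips LOG ALLOWLIST PORT CIDR... -> source IPs denied on PORT that are not yet
# allowlisted but belong to one of the site's CIDRs (each printed once).
candidate_ips() {
    local log=$1 allow=$2 port=$3; shift 3
    local src cidr
    grep -w "DPT=$port" "$log" | grep -o 'SRC=[0-9.]*' | sort -u | while read -r src; do
        src=${src#SRC=}
        grep -qxF "$src" "$allow" && continue     # already allowed: not a candidate
        for cidr in "$@"; do
            if ip_in_cidr "$src" "$cidr"; then printf '%s\n' "$src"; break; fi
        done
    done
}

# Constructed sample: one denied client from the site's range (203.0.113.0/24), one stranger,
# and one hit on an unrelated port.
sample_log() {
    cat <<'EOF'
Jun 11 09:01:02 gw kernel: DROP IN=eth0 SRC=203.0.113.44 DST=192.0.2.10 PROTO=TCP DPT=3389
Jun 11 09:02:11 gw kernel: DROP IN=eth0 SRC=192.0.2.200 DST=192.0.2.10 PROTO=TCP DPT=3389
Jun 11 09:03:11 gw kernel: DROP IN=eth0 SRC=203.0.113.91 DST=192.0.2.10 PROTO=TCP DPT=22
EOF
}

# demo: run the check over the constructed log with a constructed allowlist; prints 203.0.113.44
demo() {
    local d
    d=$(mktemp -d)
    printf '198.51.100.9\n' >"$d/allow.txt"
    sample_log >"$d/kern.log"
    candidate_ips "$d/kern.log" "$d/allow.txt" 3389 203.0.113.0/24
    rm -rf "$d"
}
```

Run `demo` from cron or a timer and route its output to a ticket or alert rather than straight into the allowlist; the CIDR filter keeps random internet scanners out of the candidate list, but a human still confirms the change. The more common long-term fix for this situation is to stop keying access on changing client addresses at all: give the remote users a VPN or identity-based access path, or ask the remote site for a fixed egress address.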

How to automate the key exchange in WireGuard when you deploy a cluster of machines?

Let’s assume you want to deploy a cluster of machines on Hetzner Cloud. For simplicity let’s call them worker1, worker2, worker3. They need to communicate with a server called master, which will be running on a different account than the workers. Ideally, the whole setup should not be open to the internet. Unfortunately, Hetzner supports only private networks within the same account.

To make it work, you can set up your own VPN using WireGuard. Conceptually, it is not hard. You need to set up three connections (between the master and each worker). The tricky part is how to automate the key exchange. Ideally, it should not be more work if you deploy additional workers (e.g. 100 instead of 3 workers).

Setting up such a VPN cluster sounds like a common problem, but I cannot find any recommendations on how to set up 1-to-n or n-to-m connections, only tutorials on how to peer two machines. I’m thinking of automating the key exchange with Ansible (generate keys, gather them, install them on the master), but wanted to check first whether there is an easier solution to the problem that I missed.

In SSH, workers could share their key, which would simplify the problem. In WireGuard, keys cannot be shared, as far as I understood. How would you automate the setup of a VPN with WireGuard, so each worker can reach the master? Or is WireGuard the wrong choice for the problem?

Clarification:

  • In my scenario, it is not possible to move the workers and master to the same account; otherwise, Hetzner networks would be the straightforward solution for setting up a private network.
  • If you are not familiar with Hetzner Cloud, it is not a problem. You can assume that you get normal Linux machines, but then you are on your own (it does not support VPC peering across accounts as AWS does). Yet you can use all Linux tools available for creating the VPN setup. WireGuard would be my first choice, but I’m open to other techniques.

Author: Philipp Claßen
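The 1-to-n (hub-and-spoke) layout asked about above, as an added example that is not from the post or from the WireGuard project. WireGuard needs no key exchange at runtime: every host generates its own keypair locally, and the only thing that has to travel is each host's public key, so automating the setup means collecting n public keys and rendering one [Peer] block per worker on the master (which is what an Ansible play would do). The script renders those configs; the tunnel subnet 10.77.0.0/24, the master endpoint and the key strings used in the usage call are constructed placeholders, and gen_keypair needs the real `wg` tool.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: render hub-and-spoke WireGuard configs.
# Assumed (hypothetical) layout: master = 10.77.0.1, worker N = 10.77.0.(N+1), UDP 51820.
set -eu

WG_NET_PREFIX=10.77.0
MASTER_TUN_IP="$WG_NET_PREFIX.1"
MASTER_PORT=51820

# gen_keypair: generate a keypair with the wg tool on the host that will own it; prints "PRIV PUB".
# The private key never needs to leave that host; only PUB is collected.
gen_keypair() {
    command -v wg >/dev/null || { echo "wg tool not installed" >&2; return 1; }
    local priv pub
    priv=$(wg genkey)
    pub=$(printf '%s' "$priv" | wg pubkey)
    printf '%s %s\n' "$priv" "$pub"
}

# worker_tun_ip N -> tunnel address of worker N (1-based)
worker_tun_ip() { printf '%s.%d\n' "$WG_NET_PREFIX" "$(( $1 + 1 ))"; }

# render_master_conf MASTER_PRIV name:pubkey [name:pubkey ...] -> master's wg0.conf on stdout.
# Adding a worker means adding one more name:pubkey argument; nothing else changes.
render_master_conf() {
    local master_priv=$1; shift
    printf '[Interface]\nAddress = %s/24\nListenPort = %s\nPrivateKey = %s\n' \
        "$MASTER_TUN_IP" "$MASTER_PORT" "$master_priv"
    local i=1 entry name pub
    for entry in "$@"; do
        name=${entry%%:*}; pub=${entry#*:}
        # AllowedIPs = /32 pins each key to exactly one tunnel address (cryptokey routing):
        # a worker cannot claim another worker's address even if it tries.
        printf '\n# %s\n[Peer]\nPublicKey = %s\nAllowedIPs = %s/32\n' \
            "$name" "$pub" "$(worker_tun_ip "$i")"
        i=$((i + 1))
    done
}

# render_worker_conf N WORKER_PRIV MASTER_PUB MASTER_HOST -> worker N's wg0.conf on stdout.
render_worker_conf() {
    local idx=$1 priv=$2 master_pub=$3 master_host=$4
    printf '[Interface]\nAddress = %s/24\nPrivateKey = %s\n' "$(worker_tun_ip "$idx")" "$priv"
    # Workers only need the master, so AllowedIPs is the master's /32, not the whole subnet;
    # the keepalive keeps NAT state alive for workers behind address translation.
    printf '\n[Peer]\nPublicKey = %s\nEndpoint = %s:%s\nAllowedIPs = %s/32\nPersistentKeepalive = 25\n' \
        "$master_pub" "$master_host" "$MASTER_PORT" "$MASTER_TUN_IP"
}

# Usage with constructed placeholder keys (real ones come from gen_keypair on each host):
#   render_master_conf MASTER_PRIV_KEY worker1:PUB1 worker2:PUB2 > master-wg0.conf
#   render_worker_conf 2 WORKER2_PRIV_KEY MASTER_PUB_KEY 203.0.113.10 > worker2-wg0.conf
```

Because AllowedIPs on the master is per-key, a compromised worker key only ever authorises its own /32; nothing in this layout lets workers talk to each other unless the master routes between them, which keeps the blast radius of a lost key small. If workers must also reach each other, the same renderer can emit the other workers as additional [Peer] blocks on each worker (n-to-m), at the cost of distributing every public key to every host.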

OpenVPN Unrecognized option or missing or extra parameter

I have a .conf file which contains the information below, but openvpn says something is missing.

cat ./vpnconf.conf
client

gateway [IP]
ID GRDVPN
secret [SECRET]
username [USERNAME]
password [PASSWORD]
MTU 1380

sudo openvpn --config ./vpnconf.conf
Options error: Unrecognized option or missing or extra parameter(s) in ./VPN_access_to_VF_lab_-_keep_confidential/copy-conf.vpn:4: gateway (2.4.4)
Use --help for more information.

What am I doing wrong?

Author: AVarf

openvpn fails silently in systemd only

Brand new server.

I can start openvpn as a client at the cli using

openvpn --config /etc/openvpn/client.conf --verb 3

and pull a VPN ip address on the tun0 interface and ping the server just fine. But systemd fails silently without an error in any log.

service openvpn start

I did a standard

apt install openvpn

without any issues.

journalctl output:

Jun 11 06:19:12 fl.trader.com systemd[1]: Starting OpenVPN service...
Jun 11 06:19:12 fl.trader.com systemd[1]: Started OpenVPN service.

root@fl:/home/user# cat /etc/*-release

PRETTY_NAME="Raspbian GNU/Linux 10 (buster)"
NAME="Raspbian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=raspbian
ID_LIKE=debian

root@fl:/home/user# openvpn --version

OpenVPN 2.4.7 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019
library versions: OpenSSL 1.1.1d  10 Sep 2019, LZO 2.10
Originally developed by James Yonan
Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=yes enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_maintainer_mode=no enable_management=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_sysroot=no

root@flounder:/home/kermit# cat /etc/openvpn/client.conf

client
remote my-server-ip
dev tun
nobind
tls-client
ca /etc/openvpn/ca.crt
cert /etc/openvpn/trader.com.crt
key /etc/openvpn/trader.com.key
comp-lzo
verb 3
ping-restart 60

log /var/log/openvpn/openvpn.log

server:

root@vortex:/pki# cat /etc/openvpn/server.conf

mode server
tls-server
port 1194
proto udp
dev tun

ca      /pki/ca.crt
cert    /pki/issued/trader.com.crt
key     /pki/private/trader.com.key
dh      /pki/dh.pem

server 10.9.8.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo         # Compression - must be turned on at both end
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 4  # verbose mode
user nobody
group nogroup
client-config-dir /etc/openvpn/ccd
client-to-client
push "redirect-gateway bypass-dhcp"
push "route 192.168.0.0 255.255.255.0"
push "dhcp-option DNS 4.2.2.2"

log /var/log/openvpn/openvpn.log

How do I get openvpn to start in systemd?

Author: brad
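Three checks that cover both OpenVPN posts above, as an added example (not code from either post or from the OpenVPN project). For the "Unrecognized option" post: OpenVPN parses each config line as a directive name plus parameters, and `gateway`, `ID`, `secret`, `username`, `password` and `MTU` are not OpenVPN directive names, so that file is a config for some other VPN client and will fail on its first unknown line no matter what follows. For the "fails silently in systemd" post: on Debian-family systems `openvpn.service` is only a placeholder unit that logs "Started OpenVPN service" and does nothing, real tunnels run as template instances `openvpn@NAME.service` reading `/etc/openvpn/NAME.conf` (so `openvpn@client` here), and a `log` directive in the config sends all output to that file, which is why `journalctl` shows nothing either way. The directive allowlist is a constructed subset, and the sample files in the usage call are constructed.

```bash
#!/usr/bin/env bash
# Added example, not from the original posts: small OpenVPN config and unit checks.
set -eu

# Subset of real OpenVPN directives, constructed for this example (extend from "openvpn --help").
KNOWN_DIRECTIVES="client remote dev proto port nobind tls-client tls-server ca cert key dh
comp-lzo verb ping-restart log log-append persist-key persist-tun user group push server
keepalive status mode ifconfig-pool-persist client-config-dir client-to-client auth-user-pass
cipher auth remote-cert-tls resolv-retry tun-mtu mssfix explicit-exit-notify"

# _directives FILE -> "LINENO KEY VALUE" for each directive line; skips blanks, comments
# (# or ;) and the bodies of inline <ca>...</ca> style blocks.
_directives() {
    local n=0 inblock=0 line key val
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in
            '</'*) inblock=0; continue ;;
            '<'*)  inblock=1; continue ;;
            ''|'#'*|';'*) continue ;;
        esac
        [ "$inblock" = 1 ] && continue
        read -r key val <<<"$line"
        [ -n "$key" ] || continue
        printf '%s %s %s\n' "$n" "$key" "$val"
    done <"$1"
}

# unknown_directives FILE -> "LINENO: WORD" for every directive not in KNOWN_DIRECTIVES.
# OpenVPN itself stops at the first of these with "Unrecognized option or missing or extra parameter(s)".
unknown_directives() {
    local known n key val
    known=" $(printf '%s' "$KNOWN_DIRECTIVES" | tr '\n' ' ') "
    _directives "$1" | while read -r n key val; do
        case "$known" in
            *" $key "*) ;;
            *) printf '%s: %s\n' "$n" "$key" ;;
        esac
    done
}

# config_log_target FILE -> path from a "log"/"log-append" directive, or "journal" when
# the instance's output stays with systemd (where journalctl -u would show it).
config_log_target() {
    local target
    target=$(_directives "$1" | awk '$2 == "log" || $2 == "log-append" { print $3; exit }')
    printf '%s\n' "${target:-journal}"
}

# openvpn_instances [DIR] -> the openvpn@NAME units implied by DIR/NAME.conf (DIR defaults to
# /etc/openvpn). These, not "openvpn.service", are what to start and inspect.
openvpn_instances() {
    local dir=${1:-/etc/openvpn} f
    for f in "$dir"/*.conf; do
        [ -e "$f" ] || continue
        f=${f##*/}
        printf 'openvpn@%s\n' "${f%.conf}"
    done
}

# Usage (real paths): unknown_directives ./vpnconf.conf ; config_log_target /etc/openvpn/client.conf
#   openvpn_instances /etc/openvpn   -> then: systemctl status openvpn@client
```

For the systemd case the checklist that follows from these helpers is: start `openvpn@client` rather than `openvpn`, then read the file named by `config_log_target` (the `log` directive in the posted client.conf sends everything to /var/log/openvpn/openvpn.log), and only if that directive is absent look in `journalctl -u openvpn@client`.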