Category Archives: Networking - Page 2

SSH reverse tunnel to OpenWRT / dropbear

I have a little WRT54GL router that runs OpenWRT. It is very convenient to be able to SSH into the router, and even more convenient to make tunnels.

In opensshd, there is an option

GatewayPorts yes

that needs to be turned on. It allows the SSH server to listen to ports and forward them back to the client. Also it allows other machines to connect to that port on the SSH server, not just the SSH server.

Well, for dropbear (the SSH implementation of OpenWRT), things are a little different. First, you need to start the dropbear deamon with the flag -a. Preferably:

#/etc/config/dropbear
        option 'GatewayPorts' 'on'

Second, when you invoke ssh, you need to specifically tell dropbear to listen to the network interface (not to localhost). Example:

$ ssh -l root -R 1.2.3.4:7777:10.2.2.12:80 1.2.3.4

This assumes you are on a client, on the 10.2-network. Your OpenWRT is on the internet (IP=1.2.3.4). Connections made to 1.2.3.4, port 7777 will be tunneled through SSH back to the client. The client will in turn make a new connection to 10.2.2.12, port 80 and forward all traffic there. So, in this case, an internal webserver is exposed on the internet.

With other sshd servers, it may be enought to make the call

$ ssh -l root -R 7777:10.2.2.12:80 1.2.3.4

and sshd will listen to all interfaces.

VPN Server and Routing issues (arping)

Like many other people I have a network behind a NAT. The router providing the NAT has a real world routable IP (and a domain name using DynDNS). The router can forward ports to machines inside. So, I installed a VPN server (poptop) on a local machine. My setup:

  gateway: 192.168.0.3
  vpnserver: 192.168.0.2

I configure poptop to use the following IPs:

  #options.pptpd 
  localip 192.168.0.240
  remoteip 192.168.0.241-242

As I now connect, from the internet, to the VPN server, I get IP 192.168.0.241 (or 242), and the VPN server itself holds IP 192.168.0.240 on its ppp-device.

The VPN client can now connect to the VPN server, and the other way around. What doesnt work though is:

  1. VPN client can not connect to other local machines
  2. VPN client can especially not connect to the local gateway, and thus not access the internet via VPN

What is the problem? The other machines on the network:

  1. does not know who has IP 192.168.0.241 and can not reply to it directly
  2. does not have the VPN server (but the gateway) as default gateway

Fixing routing table
One way to fix this is to add a host entry on a local machine. On Linux that would be:

  # route add -host 192.168.0.241 gw 192.168.0.2

(route is similar but the details are different in every OS).
Well, this works, but it sucks because you have to do it on every local host. It sucks even more if you have a NAT-machine that you cannot run the route command on, because then you can anyway not access the internet via VPN anyway.

ARP-hack
I found a solution I liked better. There is a command called arpspoof. Chances are you dont have it :(. What it does is that it sends out pings to machine A, pretending it is machine B. That way, machine A will send its packages to you, instead of to machine B. Normally, that is not such a legitimate thing to do.

However, there is another program that you might have on your VPN server; arping. This program does what arpspoof does, but it doesn’t lie if you ask it to. But it doesn’t need to know it lies, does it? I wrote this little script (works on linux – requires bridge-utils – run it on the VPN server):

  #!/bin/sh
  brctl addbr tmpbr
  ifconfig tmpbr 192.168.0.241
  arping -c 1 -U -I eth0 -s 192.168.0.241 192.168.0.3
  ifconfig tmpbr down
  brctl delbr tmpbr

So we bring up a temporary virtual network interface (tmpbr). We assign it the IP we would want other computers to believe us to have. We send an arp-ping through our normal network interface (eth0), but from the IP of the VPN-client, to the default gateway. Then we bring down tmpbr.

Now, our gateway (192.168.0.3) believes the vpn server has IP 192.168.0.241 (which is actually true). And beyond my knowledge, it seems the other computers on the network learn this thing too 🙂 But they forget quickly if they dont use the information, so you need to run the above script often (like every minute).

You can run the arping command with slightly different switches and still be successful. This worked and made sense to me.

My VPN server happens to run OpenWRT. Both arping and bridge-utils are included by default. If you let the VPN-server be installed on your NAT-router everything is easier. You can also make some things work fairly well setting up a NAT-server on the VPN-server as well, making double NAT to the internet.

Windows VPN on Linux and Qemu

How to connect to a Windows VPN-server using Linux? In my case PPTP was not allowed; I was required to use L2TP and a certificate (plus domain\user and password of course). All my attempts with OpenVPN, Network Manager and Mac OS X were in vain – only Windows VPN clients seemed to work. I wanted to connect from Linux, and was successful with the following strategy:

  1. Install Windows 2000 under Qemu
  2. Configure VPN in virtual machine and share it
  3. Route VPN traffic to virtual Windows machine

My linux machine is located behind a NAT (192.168.0.2) on the 192.168.0.* network.
The network behind VPN is 10.2.*.

Windows and Qemu
I will not write a guide on how to install Windows on Qemu. But, Windows 2000 or later should work. Pick up TinyXP if you dont have a problem with it. Older version of Windows means less disk/ram usage, and you will only use it as a VPN-client anyways. On 2000/XP check out MS knowledge base article 818043.

I used real network mode in Qemu (ie a tap-device). So, I configured a bridge (br0) device, that you I connected both eth0 and tap0 to. See example below for some help. Perhaps -net user can work as well (but be aware that the Windows must have IP=192.168.0.1, see below).

Configure and Share VPN in Windows
Configuring Windows to connect to the VPN should be very easy. When you are done, right-click on your VPN connection and choose the Sharing-tab. Check “Enable Internet Connection Sharing for this connection”. Now happens something weird – the Windows machine has to have IP=192.168.0.1! You have to accept that, and hopefully your local network can be 192.168.0.* and the network you want to connect to is not 192.168.0.*.

Route VPN-traffic to Windows machine
For me, the following command on the linux machine is enough:
sudo route add -net 10.2.0.0/16 gw 192.168.0.1
Now try to ping or ssh to something on the 10.2-network. You might want to change your DNS to a DNS on the VPN.

Qemu-startup-script
I use the following script to start my Qemu machine:

  sudo route add -net 10.2.0.0/16 gw 192.168.0.1
  sudo tunctl -t tap1
  # sudo brctl addif br0 tap1
  sudo qemu -m 128 -net nic -net tap,ifname=tap1 vpn2000.qcow
  # sudo brctl delif br0 tap1
  sudo tunctl -d tap1
  sudo route del -net 10.2.0.0/16 gw 192.168.0.1

I really have no idea why I dont need to connect br0 to tap1, but it happens automatically 🙂

My working routing table looks like this:

  Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
  192.168.0.0     *               255.255.255.0   U     0      0        0 br0
  10.2.0.0        192.168.0.1     255.255.0.0     UG    0      0        0 br0
  link-local      *               255.255.0.0     U     1000   0        0 br0
  default         192.168.0.2     0.0.0.0         UG    100    0        0 br0

Huawei E1550 and Ubuntu 10.04 (Lucid)

There are countless guides on how to make your 3G USB Modem work on Linux. Here are some findings I made with E1550 on Ubuntu Lucid NBR.

Most importantly, the 1550 is a storage device, that later turns into a modem. To make this transformation happen, on Ubuntu you need to call a program called modem-modeswitch. I made a script for me:

  sudo umount /media/4GB
  sleep 1
  sudo umount /media/Comviq
  sleep 1
  sudo rmmod usb-storage
  sleep 1
  sudo /lib/udev/modem-modeswitch -v 0x12d1 -p 0x1446 -d -t option-zerocd 

Note:

  1. My modem has space for a memory card, mine is formatted with the label 4GB and thus mounted on 4GB.
  2. The modem-modeswitch command failed for me unless I ran rmmod (telling usb-storage uses the device). There are probably milder methods
  3. Other guides will tell you how to make this automatically happen when you insert your modem

Now Network Manager didnt work for me, I didnt understand why, and installed GnomePPP instead. Very few configurations were needed. First add yourself to the UNIX group dip. This is what it should look like:

  gt@gt-701:~$ grep dip /etc/group
  dip:x:30:gt

Reboot – or whatever is needed to make that configuration effective.
To GnomePPP I gave very little information:

  1. User = user
  2. Number = *99#
  3. Device = /dev/ttyUSB0
  4. Type = USB Modem

Odd thing is that GnomePPP didnt accept an empty user name. I didnt need an APN to get online.

SSH proxies and tunnels

SSH is a fantastic tool. Imagine you have a server at work (server.mywork.com) that you can SSH into, but you have no other access to your company network. Try the following SSH tricks:

ssh -D 9999 me@server.mywork.com

Opens a SOCKS proxy. If you tell your browser to use localhost:9999 as SOCKS proxy, you can now browse your companies internal web pages.

ssh -L 2222:internalserver.intranet:22 me@server.mywork.com

Now you can do ssh to localhost, port 2222, and that will log you on to internalserver, even if internalserver is only accessible from server, not from where your computer is now. Port 2222 on home computer is forwarded to port 22 on internalserver. This works with any other port/protocol (IMAP, OpenVPN, HTTP).

Now imagine you cant SSH to any computer at your work, but you can do SSH out of work, to your home computer. Then you can try (at work):

ssh -R 2222:localhost:22 me@myhome.com

Now, if you ssh to myhome.com:2222, it will take you to your computer at work. Port 2222 on myhome.com is forwarded to port 22 on work computer.

Finally, to keep that last connection up, there is a clever program named autossh, which automatically reconnects if needed.

Dont break any company policies!

Tomato Firmware on Asus WL-500g Premium V2

For a while I have been running Tomato Firmware on my LinkSys WRT54GL. I needed to get another Tomato router for a friend, but the store was out of the WRT54GL. I ended up buying an Asus WL-500g Premium V2 instead. It took a while to install Tomato on it. Two things:

  1. Use the ND-version of Tomato
  2. Flash using the ASUS restore program (from Windows)

This worked with Tomato 1.27 ND.

I would recommend this router to anyone who considers getting a WRT54GL; it is faster, has more RAM and ROM, looks better and ASUS has some kind of flash restoration system, so you should be able to fix it even if you bricked it.