Sorry, this is a work in progress. I have this working on a Turris Omnia, just need to write up the documentation. Please feel free to edit/correct as required.
The goal of this how-to is to have remote access of internal system (themselves exposed via SSH/RDP/etc.) through the internet via HTTPS, with a gateway running withing a LXC-hosted container.
Use-case: Your company firewall doesn't allow outbound RDP/SSH, so you can't connect to your system, which is in the cloud; they do allow outbound HTTPS/SSL.
sed '/path/ s/01/03/g' /etc/config/wireless
(which should switch the configuration from slot 1 to slot 3), and then wifi
(which restarts wireless networking with the new configuration).
This step assumes that a sufficiently large filesystem is mounted on /srv
. You'll need to create an LXC container via the Web GUI, as the CLI command doesn't work.
## Can't see why this command doesn't work! # lxc-create -n ubuntu -t download -- -d Ubuntu -r Xenial -a armv71 ## The container needs to auto-start, check: uci show | grep lxc-auto ## start the container, and attach to its console lxc-start -n ubuntu lxc-attach -n ubuntu
## Set an admin password (echo "P@ssw0rd"; sleep 1; echo "P@ssw0rd") | passwd root ## Configure system # dpkg-reconfigure tzdata # Optional: set timezone # Install some updates automatically apt -y install unattended-upgrades # best practice # Change hostname... apt -y install dbus # otherwise next cmd fails hostnamectl set-hostname vm-server reboot
The following requires root access (suggest using lxc-attach
to access the Ubuntu console, rather than via SSH).
apt-get -y install wget ## The minimum set of packages that a guacamole server requires apt-get -y install libcairo2-dev libjpeg-turbo8-dev libpng-dev libossp-uuid-dev ## Optional (per-protocol) packages for VNC, RDP, SSH and Telnet (and their dependencies) apt-get -y install \ libvncserver-dev libfreerdp-dev libssh2-1-dev libtelnet-dev \ libpango1.0-dev libssl-dev libpulse-dev libvorbis-dev libwebp-dev ## Optional packages for guacenc apt-get -y install libavcodec-dev libavutil-dev libswscale-dev
guac_ver=0.9.13-incubating # release used... wget -qO- https://sourceforge.net/projects/guacamole/files/current/source/guacamole-server-${guac_ver}.tar.gz | tar xz pushd guacamole-server*/ ## Check the build environment, Prepare a startup script, then Build/install the package ./configure --with-init-dir=/etc/init.d make > /dev/null # Compile, and... make install > /dev/null # Install popd ## Start Guacamole server (first tell Ubuntu to rescan the libs) ldconfig # before: service guacd start update-rc.d guacd defaults # before: service guacd start service guacd start
netstat -nltp | grep guac ps -ew | grep guac
### Download the (pre-built) client (1/2)... wget -N https://sourceforge.net/projects/guacamole/files/current/binary/guacamole-${guac_ver}.war apt-get -y install tomcat7 # not required: tomcat7-admin tomcat7-docs ### ??? GUACAMOLE_HOME=/usr/share/tomcat7/.guacamole mkdir -p ${GUACAMOLE_HOME}/extensions # for: guacamole-auth-jdbc-*sql-*.jar mkdir -p ${GUACAMOLE_HOME}/lib # for: the RDMS' JDBC driver .jar files mkdir -p /etc/guacamole # for: guacamole.properties mkdir -p /var/lib/guacamole # for: guacamole.war # mkdir -p /var/lib/guacamole/classpath # ### Make the Guacamole Client available to Tomcat (symbolic links are best practice) cp guacamole/target/guacamol*.war /var/lib/guacamole/guacamole.war ln -sf /var/lib/guacamole/guacamole.war /var/lib/tomcat7/webapps/guacamole.war
### Download the (pre-built) client (2/2)... wget -N https://sourceforge.net/projects/guacamole/files/current/extensions/guacamole-auth-jdbc-${guac_ver}.tar.gz ### Install MySQL RDMS... sql_root_passwd=P@ssw0rd # Install (2/3) MySQL (RDBMS) (and provide MySQL with a root password to allow scripted installation) debconf-set-selections <<< "mysql-server mysql-server/root_password password ${sql_root_passwd}" debconf-set-selections <<< "mysql-server mysql-server/root_password_again password ${sql_root_passwd}" apt-get -y install mysql-server ### Create the Guacamole database and an account for the authentication provider mysql -u root --password=${sql_root_passwd} <<EOF4 # MySQL script to create Guacamole DB & Auth provider credentials CREATE DATABASE guacamole_db; CREATE USER 'guacamole_user'@'localhost' IDENTIFIED BY 'guac_P@ssw0rd'; GRANT SELECT,INSERT,UPDATE,DELETE ON guacamole_db.* TO 'guacamole_user'@'localhost'; FLUSH PRIVILEGES; quit EOF4 ### Create the schema and admin account (guacadmin) for the Guacamole DB (2 scripts) # pushd extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql pushd guacamole-auth-*/mysql cat schema/*.sql | mysql -u root --password=${sql_root_passwd} guacamole_db # Copy the corresponding PostgreSQL or MySQL authentication module to its directory # cp target/guacamole-auth-*.jar ${GUACAMOLE_HOME}/extensions/ # /usr/share/tomcat7/extensions cp guacamole-auth-*.jar ${GUACAMOLE_HOME}/extensions/ # /usr/share/tomcat7/extensions popd mysql_j_ver=5.1.41 # Download either the MySQL Java connector and copy to their directories wget -N https://dev.mysql.com/get/Downloads/Connector-J/mysql-connector-java-${mysql_j_ver}.tar.gz | tar xz cp mysql-connector*/*.jar ${GUACAMOLE_HOME}/lib/ # /usr/share/tomcat7/lib
sudo tee /etc/guacamole/guacamole.properties >/dev/null <<EOF5 # Hostname and port of guacamole proxy # guacd-hostname: localhost # guacd-port: 4822 # Authentication provider class # auth-provider: net.sourceforge.guacamole.net.auth.mysql.MySQLAuthenticationProvider # Properties used by MySQLAuthenticationProvider mysql-hostname: localhost mysql-port: 3306 mysql-database: guacamole_db mysql-username: guacamole_user mysql-password: guac_P@ssw0rd # mysql-disallow-simultaneous-connections: false mysql-disallow-duplicate-connections: false EOF5 ln -s /etc/guacamole/guacamole.properties ${GUACAMOLE_HOME} # is: /usr/share/tomcat7/.guacamole ### Step 4: Finally: Restart Guacamole weblet (i.e. TomCat) # sudo service guacd restart ## Not needed # sudo service mysql restart sudo service tomcat7 restart ## Is needed
### 0: First, establish remote access via SSH... apt-get install -y nginx ufw allow 'Nginx Full' ## allows 80,443/tcp # ufw status verbose #################################################################################################################################### # Define variables ssl_country=UK ssl_state=England ssl_city=London ssl_org=IT ssl_certname=vm-server.dtdns.net ssl_altname='DNS.1=vm-server.home,DNS.2=vm-server' # Create a self-signed certificate mkdir -p /etc/nginx/ssl openssl req -x509 -subj "/C=$ssl_country/ST=$ssl_state/L=$ssl_city/O=$ssl_org/CN=$ssl_certname/subjectAltName=$ssl_altname" -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/bonnes_me.key -out /etc/nginx/ssl/bonnes_me.crt -extensions v3_ca # need to do chmod /etc/nginx/ssl/*.key
### Proxy parameters
sh -c 'cat > /etc/nginx/proxy.conf <<"EOF" ############################################################################### ### Proxy parameters proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # proxy_set_header X-Forwarded-Server $host; client_max_body_size 10m; client_body_buffer_size 128k; proxy_connect_timeout 90; proxy_send_timeout 90; proxy_read_timeout 90; proxy_buffers 32 4k; proxy_redirect off; EOF'
### Proxy parameters for WebSockets
sh -c 'cat > /etc/nginx/proxy-websocket.conf <<"EOF" ############################################################################### ### Proxy parameters for WebSockets proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Server $host; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; proxy_set_header Authorization ""; proxy_read_timeout 86400; proxy_redirect off; EOF'
### Proxy parameters for SSL
sh -c 'cat > /etc/nginx/ssl-config.conf <<"EOF" ############################################################################### ### Configuration for SSL ssl_certificate /etc/nginx/ssl/vm-server.crt; ssl_certificate_key /etc/nginx/ssl/vm-server.key; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers HIGH:!aNULL:!MD5; EOF'
### HTTPS listener parameters
sh -c 'cat > /etc/nginx/sites-available/https << EOF ############################################################################### ### SERVER block - HTTPS listener parameters server { # access_log /var/log/nginx/access_https_vm-server.log; access_log off; ## default: ?? listen 443 ssl; # 433, or (say) 8443 if using sslh/openvpn server_name vm-server.dtdns.net vm-server.home vm-server; include /etc/nginx/ssl-config.conf; port_in_redirect off; # http://www.nginxtips.com/nginx-optimization-the-definitive-guide/ client_header_buffer_size 1k; client_header_timeout 12; large_client_header_buffers 2 1k; client_body_buffer_size 10K; client_body_timeout 12; client_max_body_size 8m; ### LOCATION blocks... location /guac/ { # proxy_pass http://vm-server.home:8080/guacamole/; proxy_pass http://localhost:8080/guacamole/; proxy_cookie_path /guacamole/ /guac/; ## because we have location: /guac/, instead of: /guacamole/ proxy_buffering off; ## guacamole will not work if this is on (default: on) include /etc/nginx/proxy-websocket.conf; } } EOF'
XXX
rm /etc/nginx/sites-enabled/default >/dev/null 2>&1 ln -s /etc/nginx/sites-available/https /etc/nginx/sites-enabled/https >/dev/null 2>&1 service nginx restart
firewall.@redirect[1]=redirect firewall.@redirect[1].target='DNAT' firewall.@redirect[1].src='wan' firewall.@redirect[1].dest='lan' firewall.@redirect[1].proto='tcp' firewall.@redirect[1].src_dport='443' firewall.@redirect[1].name='HTTPS' firewall.@redirect[1].dest_ip='172.27.0.100' ## This is the Ip-address of vm-server firewall.@redirect[1].dest_port='443'