SSH Access to VM

Munshine

New Member
Nov 5, 2017
Hello,

Is there a way to have SSH access to my Virtual Machines (Debian 9), even though I have just one IP?

Thank you :)
 
yes, 2 ways

the ugly wrong one and the right one
(PUB is Public IP, PRI is Private IP)


the ugly one would be to port-forward other ports
for example forward PUB port 322 to PRI (3) port 22

however i strongly recommend
immediately get into openvpn, set up an openvpn host on the hypervisor
block all incoming traffic to your hypervisor
let only the ports you wanna forward to vms (like web or whatever those vms do) through
do not let any other ports (ssh, proxmox, whatever) except openvpn in the open

otherwise you will be vulnerable to
- weak credentials
- lost passwords
- stolen passwords, stolen tokens (trojans, someone looking over your shoulder, whatever)
- software vulnerabilities (you know, those which the security updates are for)
- things we won't think of now

and you will always
- give away more intel about your machine than you might think
- get visits from bruteforcers where there's no need for it
- play with fire and rely on luck

there's no need for that
openvpn is free and super reliable, i've run it for years, never had a failed daemon that won't let me log in anymore, ever
rightly set up it's super secure, won't even answer on the port and is invisible to scans (run on UDP, run with tls and hmac and it won't even answer if you didn't send the right question aka static key, use ssl asymmetric keys for communication)

advantage: you have your own private subnet for vpn clients, can directly communicate with every private ip on your proxmox host
 
Thank you very much, will try now to set up OpenVPN and understand what exactly it is as well :)
 
Okay, so I don't really understand how to set up OpenVPN, is there a tutorial for beginners somewhere? I couldn't find one, and I'm a bit lost on the procedure.
 
ok, for starters, what is it.

openvpn is kind of a router/encryptor and of course a tunnel daemon.
that daemon always has at least one virtual network interface (tun for routing mode, tap for bridge mode) and 1 open port for communication with its clients.

so a client connects from outside to the port, and comes in on the virtual network interface, the openvpn daemon is in the middle.


now openvpn can be set up in very different ways, even without encryption, i won't go into details here, now we cover only a basic secure setup.

you need now 3 things
-your keys - you need to generate them
-server config file - this will configure your whole new network (a VPN is a virtual network)
-client config (the client needs to know where the vpn server is, and which mode to connect with)

there are 2 ways to do those 3 things.
- use a gui
use a VM as an openvpn server and use a graphical GUI, like you download the pfSense firewall and use it as an openvpn server
this would have the advantage that you could set up a whole firewall for all vms through it, but this would be too complicated for me to support you with through a forum (without getting paid a lot :))
or use another gui for openvpn

- second option: install the openvpn server on the host itself
disadvantage is no gui tools really
advantage: it always works no matter what you restart, as long as the host runs :))


now you could also install your host as a client and have an openvpn server somewhere else
but i assume you only have a public fixed ip on your host.

i give you here now a working example server config

Code:
#management              172.16.1.1 7505   # management port if you need it, don't use it if you don't know it
#local                   you.could.bind.it.to.an.ip.here
port                     1194
proto                    udp
dev                      tun0
persist-key
persist-tun
user                     nobody             # drop privileges after startup
group                    nogroup
keepalive 10 120
cipher AES-256-CBC                          # overrides the old Blowfish default
comp-lzo


tls-auth                 keys/ta.key 0      # server side uses key direction 0, clients use 1
ca                       keys/ca.crt
cert                     keys/server.crt
key                      keys/server.key    # This file should be kept secret
dh                       keys/dh2048.pem
#crl-verify crl.pem                         #### for revokes

client-to-client
ifconfig-pool-persist    clients.ipp.txt
### openvpn network ip range
server                   172.16.1.0 255.255.255.0
### routes the client shall receive aka which network he shall access
# i assumed your vhost network is 192.168.100.x
# i make 172.16.1.x a network for openvpn clients in routed mode

push                    "route 172.16.1.0 255.255.255.0"
push                    "route 192.168.100.0 255.255.255.0"
push                    "dhcp-option DNS 10.10.100.1"
#push                   "dhcp-option WINS 10.10.200.1"


# setting up routes for irouting
# this is only if you have another network on your client side
# and you want your vhost to talk directly aka make a connection from vhost to the client-side network
# aka site-to-site network, for the first start keep it simple as a client-to-site network
#route                   192.168.1.0 255.255.255.0
##########################################################




status                   /var/log/openvpn/openvpn-status.log
log-append               /var/log/openvpn/openvpn-clients.log
verb                     6
mute                     20


#plugin                  /usr/lib/openvpn/openvpn-auth-pam.so ovpn   # auth plugin if necessary
#chroot                  /etc/openvpn
client-config-dir        /etc/openvpn/gate.saurid.com-clients

Now as you can see we have 4 entries about certificates

ta.key - static key to initiate communication
ca.crt - that's your CA you have to create
server.crt - that's the server cert your CA has to create
server.key


now the client config just needs the same settings (cipher and stuff) plus the client certs and the server address like

Code:
client
float                       # accept the server's packets even if its address changes
dev tun
proto udp
remote host.example.net 1194
resolv-retry infinite
nobind
#auth-user-pass             # only together with an auth plugin on the server
persist-key
persist-tun
;mute-replay-warnings



ns-cert-type server         # verifies the server cert; on openvpn 2.4+ prefer remote-cert-tls server
cipher AES-256-CBC          # must match the server
comp-lzo
verb 3
;mute 20

ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1           # client side uses key direction 1


now all you need is to create those keys and distribute them to the endpoints
now keep in mind
ta.key, ca.crt are always the same (on all clients, on all servers)
client.key, client.crt or server.crt, server.key are unique on each node

there's a way to use the same cert for every client but i strongly recommend not to use that
however if it's a home server and it's not that secure you could make life easier with that


now how to make keys in the next post
 
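The distribution step in the post above (ta.key and ca.crt shared, one cert per client), as an added example that is not part of the thread: a small sh script that checks the sharing rule and renders one self-contained .ovpn per client. KEYDIR layout, the host name vpn.example.net and the key files are assumptions; the key files are constructed placeholders so it runs offline.

```shell
#!/bin/sh
# Added example, not from the thread: build one inline .ovpn per client after
# checking the sharing rule (ca.crt and ta.key identical everywhere, every client
# cert unique). KEYDIR layout and host name are assumptions; the key files are
# constructed placeholders so the script runs offline.
set -eu
KEYDIR="${KEYDIR:-$(mktemp -d)}"     # assumed layout: ca.crt ta.key <name>.crt <name>.key

seed_placeholders() {                # constructed stand-ins for real easy-rsa output
  printf 'CA-PLACEHOLDER\n' > "$KEYDIR/ca.crt"
  printf 'TA-PLACEHOLDER\n' > "$KEYDIR/ta.key"
  for c in alice bob; do
    printf 'CERT-%s\n' "$c" > "$KEYDIR/$c.crt"
    printf 'KEY-%s\n'  "$c" > "$KEYDIR/$c.key"
  done
}

# Returns 1 if two client certs in KEYDIR are byte-identical (the "same cert
# for every client" shortcut the post warns against); ca.crt is not a client cert.
check_unique_certs() {
  dups=$(cksum "$KEYDIR"/*.crt | grep -v '/ca\.crt$' | awk '{print $1}' | sort | uniq -d | wc -l)
  [ "$dups" -eq 0 ]
}

emit() { printf '<%s>\n' "$1"; cat "$2"; printf '</%s>\n' "$1"; }   # one inline section
# Prints a self-contained client config: same cipher/proto/comp as the server;
# key-direction 1 replaces "tls-auth ta.key 1" once the key is inline, and
# remote-cert-tls server is the current spelling of "ns-cert-type server".
build_inline_ovpn() {                # $1 = client name, $2 = server host
  cat <<EOF
client
dev tun
proto udp
remote $2 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
comp-lzo
key-direction 1
verb 3
EOF
  emit ca "$KEYDIR/ca.crt";   emit cert "$KEYDIR/$1.crt"
  emit key "$KEYDIR/$1.key";  emit tls-auth "$KEYDIR/ta.key"
}

seed_placeholders
check_unique_certs && build_inline_ovpn alice vpn.example.net > "$KEYDIR/alice.ovpn"
```

The resulting alice.ovpn is the only file the Windows client needs in its config directory.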
here's a nice wiki from OpenWrt
https://wiki.openwrt.org/doc/howto/vpn.openvpn#tab__traditional_tun_server1

there's also the part about key generation

a more complete guide
https://openvpn.net/index.php/open-source/documentation/howto.html#quick
but harder to understand

but next time google it yourself :)

still, i wrote you my part to help you understand those wikis a bit better (hope it helped)

now all you need to do is generate those keys
adjust the config so the keys are found (both client and server)
adjust ip ranges and push routes if needed

and restart the openvpn daemon


install of openvpn
apt-get install openvpn

config is in /etc/openvpn
pretty much straightforward there

the client is to be found at openvpn.net - go to community
download the win client

put the config files in the config directory under programfiles\openvpn\config
start the gui client, press connect

with the config i gave you it should be done in less than 20 minutes
 
one more thing
a little neat trick

a problem is that iptables needs to reload every time an interface changes.
now, in order to load your iptables (firewall) rules on the host, we have the problem that the openvpn interface is not up yet (it always loads last and takes some 15 sec to establish the connection)

so before we reload rules and stuff just insert this in your network config

Code:
# persistent tun0 for the openvpn server; interfaces(5) only allows whole-line comments
auto tun0
iface tun0 inet static
    address                     172.16.1.1
    netmask                     255.255.255.255
    # 172.16.1.2 is the peer end of the server's net30 link; openvpn re-applies its own addressing when it starts
    network                     172.16.1.2
    # create the persistent tun device before ifupdown addresses it
    pre-up                      openvpn --mktun --dev tun0

This makes your openvpn server adapter persistent
even better, you can bind services to it, so you won't expose them to the net even if the iptables firewall is down


sidenote, many people use bridged mode in openvpn (mactap)
DONT EVER
yes it's easier, yes no routing, less hassle
BUT
once you have talky clients like windows you blow up your remote connection with senseless chatter
a bridge interface basically extends the lan, so all ethernet talk is going to be transferred over the net

not a solid idea and can have interesting side effects.
just route the shit outta it and you're fine with less headache

leave mactap for special purpose use, for people who know why and how to do it
 
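A check for the rule in the first reply and in the persistent-tun post above (only openvpn and the ports deliberately forwarded to vms may face the internet; ssh and the Proxmox UI stay bound to the tun0 address), as an added example that is not part of the thread. The public IP, the allow list and the ss rows are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Flags every socket that faces the
# internet (bound to 0.0.0.0, [::] or the public IP) unless it is on the
# allow list: 1194/udp for openvpn plus the ports forwarded to web vms.
# Services bound to the tun0 address (172.16.1.1) are not reachable from
# outside even with the firewall down, which is the point of the post above.
set -eu

PUB_IP="203.0.113.10"                 # assumed public IP (documentation range)
ALLOWED="udp/1194 tcp/80 tcp/443"     # assumed: vpn port + ports forwarded to vms

# Constructed `ss -tulpn` rows (header removed), column order:
# Netid State Recv-Q Send-Q Local:Port Peer:Port Process
SAMPLE_SS='udp UNCONN 0 0 0.0.0.0:1194 0.0.0.0:* users:(("openvpn",pid=700,fd=6))
tcp LISTEN 0 128 172.16.1.1:22 0.0.0.0:* users:(("sshd",pid=610,fd=3))
tcp LISTEN 0 128 0.0.0.0:8006 0.0.0.0:* users:(("pveproxy",pid=800,fd=5))
tcp LISTEN 0 128 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=900,fd=7))'

# $1 = listener table as text. Prints one EXPOSED line per offending socket
# and returns 1 if any was found, 0 if only allowed ports face the internet.
audit_exposed() {
  printf '%s\n' "$1" | awk -v pub="$PUB_IP" -v allowed="$ALLOWED" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    NF >= 5 {
      n = split($5, h, ":"); port = h[n]
      addr = substr($5, 1, length($5) - length(port) - 1)
      if (addr == "0.0.0.0" || addr == "*" || addr == "[::]" || addr == pub) {
        key = $1 "/" port
        if (!(key in ok)) { print "EXPOSED " key " " $7; bad++ }
      }
    }
    END { exit (bad > 0) }'
}

# On the real host: audit_exposed "$(ss -tulpn | tail -n +2)"
audit_exposed "$SAMPLE_SS" || echo "rebind to 172.16.1.1 or firewall these before going live"
```

With the constructed rows, pveproxy on 0.0.0.0:8006 is reported while sshd on 172.16.1.1:22 and nginx on the allowed 443 are not.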
