FAQ and switch off

2025-03-17 21:31:45 +01:00 · 2019-04-02 02:54:30 +01:00 · 2019-04-02 02:54:30 +01:00 · dfe765ac88
commit dfe765ac88
parent 65bf544883
3 changed files with 110 additions and 18 deletions
--- a/FAQ.md
+++ b/FAQ.md
@ -624,3 +624,62 @@ If that not works ry to ping the IP of the RaspiBlitz with `ping [IP-of-RaspiBli
 - Some Routers have `IP Isolation` switched on - not allowing to devices to connect

 If that all is not working: Join the conversation on [GitHub Issue #420](https://github.com/rootzoll/raspiblitz/issues/420).
+
+## How to setup port-forwarding with a SSH tunnel?
+
+To use a public server for port-forwarding thru a SSH tunnel you can use the following experimental script on the RaspiBlitz (since v1.2):
+
+`/home/admin/config.scripts/internet.sshtunnel.py`
+
+But first you need to make sure that the public server you are using is supporting SSH reverse tunneling and authentification by public authorized key. Check the `/etc/ssh/sshd_config` on the public server to contain the following settings:
+
+```
+RSAAuthentication yes
+PubkeyAuthentication yes
+GatewayPorts yes
+AllowTcpForwarding yes
+```
+
+You can add those at the end of the file, save and reboot.
+
+On the RaspiBlitz you can then setup for example to forward the gRPC port 10009 (internal port) to the port 20009 on the public server (external port) with the user = `test` and server address = `raspiblitz.com` with the following command:
+
+`/home/admin/config.scripts/internet.sshtunnel.py on test@raspiblitz.com 10009:20009`
+
+You can even set multiple port forwardings like with:
+
+`/home/admin/config.scripts/internet.sshtunnel.py on test@raspiblitz.com 10009:20009 8080:9090`
+
+Please beware that after you set such a port forwarding you need to set the domain of the public server as a `DynamicDNS` name (leave update url empty) and then connect mobile wallets fresh or export again the macaroons/certs. When connecting the mobile wallets you may need to adjust ports manually after QR code scan. And if you SSH tunnel the LND node port `9735` you may also need to sun the custom LND port script and maybe also a manual set of the domain in the LND service is needed. This all is very experimental at the moment ... better integration will come in the future.
+
+To switch this SSH tunneling off again use: 
+
+`/home/admin/config.scripts/internet.sshtunnel.py off` and also deactivate the DynamicDNS again. 
+
+## How to setup just a port-forwarding user on my public server?
+
+Make sure the `/etc/ssh/sshd_config` has the following lines at the end:
+
+```
+RSAAuthentication yes
+PubkeyAuthentication yes
+GatewayPorts yes
+AllowTcpForwarding yes
+AuthorizedKeysFile  /etc/ssh/authorized_keys/%u
+```
+
+The last one stores all authorized_keys in one directory with a file per user. See https://serverfault.com/questions/313465/is-a-central-location-for-authorized-keys-a-good-idea#424659 To prepare this run:
+```
+mkdir /etc/ssh/authorized_keys
+groupadd forwardings
+```
+
+To add a forwarding user run:
+```
+useradd -g forwardings -d /home [USERNAME]
+echo "command="date" [CONTENT-OF-RASPIBLITZ-ROOT-SSH-PUBKEY]" > /etc/ssh/authorized_keys/[USERNAME]
+passwd [USERNAME]
+```
+
+The `[CONTENT-OF-RASPIBLITZ-ROOT-SSH-PUBKEY]` you get when running the `internet.sshtunnel.py` script on the RaspiBlitz (see above).
+
--- a/build_sdcard.sh
+++ b/build_sdcard.sh
@ -237,6 +237,9 @@ sudo apt-get install -y vnstat
 # prepare for BTRFS data drive raid
 sudo apt-get install -y btrfs-tools

+# prepare for ssh reverse tunneling
+sudo apt-get install -y autossh
+
 # prepare for display graphics mode
 # see https://github.com/rootzoll/raspiblitz/pull/334
 sudo apt-get install -y fbi
--- a/home.admin/config.scripts/internet.sshtunnel.py
+++ b/home.admin/config.scripts/internet.sshtunnel.py
@ -39,10 +39,10 @@ WantedBy=multi-user.target
 if sys.argv[1] == "on":

    # check if already running
-    #already_running = subprocess.check_output("systemctl is-enabled %s" % (SERVICENAME) ,shell=True, universal_newlines=True)
-    #if str(already_running).count("enabled") > 0:
-    #    print("already ON - run 'internet.sshtunnel.py off' first")
-    #    sys.exit(1)
+    already_running = subprocess.check_output("systemctl is-enabled %s" % (SERVICENAME) ,shell=True, universal_newlines=True)
+    if str(already_running).count("enabled") > 0:
+        print("already ON - run 'internet.sshtunnel.py off' first")
+        sys.exit(1)

    # check server address
    if len(sys.argv) < 3:
@ -87,26 +87,50 @@ if sys.argv[1] == "on":
    service_data = SERVICETEMPLATE.replace("[PLACEHOLDER]", additional_parameters)

    # DEBUG exit
-    print("****** SERVICE ******")
+    print()
+    print("*** New systemd service: %s" % (SERVICENAME))
    print(service_data)
-    sys.exit(0)

    # write service file
    service_file = open(SERVICEFILE, "w")
    service_file.write(service_data)
    service_file.close()

-    # enable service
-    print("*** Enabling systemd service: SERVICENAME")
-    subprocess.call("systemctl daemon-reload", shell=True)
-    #subprocess.call(f"systemctl enable {SERVICENAME}", shell=True)
+    # check if SSH keys for root user need to be created
    print()
+    print("*** Checking root SSH keys")
+    if Path("/home/root/.ssh/id_rsa.pub").exists() == False:
+        print("Generating root SSH keys ...")
+        subprocess.call("sudo -u root ssh-keygen -b 2048 -t rsa -f ~/.ssh/id_rsa  -q -N """, shell=True)
+        print("DONE")
+    else:
+        print("OK - root id_rsa.pub file exists")
+    ssh_pubkey=""
+    with open('/home/root/.ssh/id_rsa.pub', 'r') as file:
+        ssh_pubkey = file.read().replace('\n', '')
+
+    # make sure autossh is installed
+    # https://www.everythingcli.org/ssh-tunnelling-for-fun-and-profit-autossh/
+    print()
+    print("*** Install autossh")
+    subprocess.call("sudo apt-get install -y autossh", shell=True)
+    
+    # enable service
+    print()
+    print("*** Enabling systemd service: %s" % (SERVICENAME))
+    subprocess.call("sudo systemctl daemon-reload", shell=True)
+    subprocess.call("sudo systemctl enable %s" % (SERVICENAME), shell=True)

    # final info (can be ignored if run by other script)
-    print("*** OK - SSH TUNNEL SERVICE STARTED ***")
-    #print("- Make sure the SSH pub key of this RaspiBlitz is in 'authorized_keys' of {} ")
+    print()
+    print("*** OK - SSH TUNNEL SERVICE DONE SETUP ***")
+    print("For details see chapter '' in:")
+    print("https://github.com/rootzoll/raspiblitz/blob/master/FAQ.md")
    print("- Tunnel service needs final reboot to start.")
-    #print("- After reboot check logs: sudo journalctl -f -u {SERVICENAME}")
+    print("- After reboot check logs: sudo journalctl -f -u %s" % (SERVICENAME))
+    print("- Make sure the SSH pub key of this RaspiBlitz is in 'authorized_keys' of %s :" % (ssh_server))
+    print(ssh_pubkey)
+    print()

 #
 # SWITCHING OFF
@ -115,12 +139,18 @@ if sys.argv[1] == "on":
 elif sys.argv[1] == "off":

    # check if already disabled
-    #alreadyRunning = subprocess.check_output(f"systemctl is-enabled {SERVICENAME}" ,shell=True, universal_newlines=True)
-    #if str(alreadyRunning).count("enabled") == 0:
-    #    print("Was already OFF")
-    #    sys.exit(0)
+    alreadyRunning = subprocess.check_output("systemctl is-enabled %s" % (SERVICENAME) ,shell=True, universal_newlines=True)
+    if str(alreadyRunning).count("enabled") == 0:
+        print("Was already OFF")
+        sys.exit(0)

-    print ("TODO: Switch OFF")
+    print("*** Disabling systemd service: %s" % (SERVICENAME))
+    subprocess.call("sudo systemctl stop %s" % (SERVICENAME), shell=True)
+    subprocess.call("sudo systemctl disable %s" % (SERVICENAME), shell=True)
+    subprocess.call("sudo rm %s" % (SERVICEFILE), shell=True)
+    subprocess.call("sudo systemctl daemon-reload", shell=True)
+    print("OK Done")
+    print()

 #
 # UNKOWN PARAMETER