Permission denied with reverse tunnel rsync

I want Host B to set up an ssh tunnel to Host A so it can rsync with Host C. Only Host B has keys. All three machines use the same key.

I’ve tried this:

ssh -i ~/.ssh/key -A -R localhost:50000:Host_A:22 Host_C 'sudo -E -s rsync -a -e "ssh -v -l admin -p 50000 -o StrictHostKeyChecking=no" --rsync-path="sudo rsync" /path/ localhost:/path'

However, I’m getting an ssh permission denied error when running the rsync command. I thought the -E -s options in sudo would keep the environment/shell and allow me to use the key, but apparently not.

Any ideas on how to do this?

linux – How to route traffic from ipsec to wireguard tunnel? Or route one network adapter to another, not the default?

I have 3 devices, A,B,C.

A: ipsec client

B: ipsec server, wireguard client.

C: wireguard server.

B’s wg config:

[Interface]
PrivateKey = *
Address = 10.0.0.3/24
DNS = 8.8.8.8
MTU = 1420
[Peer]
PublicKey = ***
Endpoint = ip:port
AllowedIPs = 10.0.0.0/24

C:

[Interface]
Address = 10.0.0.1/24
MTU = 1200
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j FULLCONENAT
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j FULLCONENAT
ListenPort = port
PrivateKey = ***

[Peer]
PublicKey = ***
AllowedIPs = 10.0.0.2/32

[Peer]
PublicKey = ***
AllowedIPs = 10.0.0.3/32

I want all of A’s traffic to go through B, then through C, to the internet.

I’ve tried a few things at B, but they did not work.

like:

iptables -A FORWARD -i ppp+ -o wg0 -j ACCEPT
iptables -A FORWARD -i wg0 -o ppp+ -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE

or:

iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE
iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
iptables -A INPUT -i ppp+ -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i wg0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -j ACCEPT

Do I need to do something at A or C? Or did I do something wrong at B?

Please help me, thanks.

proxy – SSH Tunnel HTTP Security

I think I have this set up right, but I’d appreciate a sanity-check and any info on best practices that I should be using for creating SSH tunnels to my home network while traveling.

Home network: Router with ssh enabled (key only) and a random port forwarded to the router port 22. Behind the router (without forwarded ports) are all of my local 192.168…. addresses.

Travel computer: Chromebook with Secure Shell extension, set up to ssh user@domain -D port, ed25519 key. Proxy SwitchyOmega extension set to auto-switch to the tunnel for specified addresses when connected via ssh.

Now, when I connect, my understanding is:

  1. The ssh connection to the router is encrypted, i.e. the ssh results in a terminal shell on the router and everything I do there is secure from anyone without access to the travel computer or home router.
  2. In the browser of my travel computer, if I go to one of the tunneled addresses, SwitchyOmega sends all of the data through the ssh tunnel in #1, encrypting everything between the travel laptop and the router.
  3. If the tunneled address itself uses encryption, e.g. https, that passes inside the tunnel between the laptop and router encrypted by ssh as well, and continues on from the router still encrypted using https.
  4. If the tunneled address doesn’t use encryption, e.g. http, that passes inside the tunnel (and is therefore encrypted by ssh between the laptop and router), but once it leaves the router it continues on as plain (unencrypted) http.
  5. If the tunneled address is inside my home network and isn’t encrypted, e.g. http 192.168…, the unencrypted part of the path occurs entirely behind my home network router, and is protected by the firewall from anyone without access to my home network already.

I think that means that an attacker without access to either ssh endpoint (laptop or home network) should not be able to read the communication between my devices – and that’s true even if the device on the home network is using unencrypted http and the travel computer on public/untrusted wifi. Is that right? Are there any gaps in that setup that would leave unencrypted data exposed?

Is there anything else I should be doing/not doing? Thanks!

ssh tunnel – Keep a bash script running when running a Docker container

I’m trying to establish an SSH tunnel connection from inside a Docker container.

I created a brief ssh-tunnel.sh script that establishes the connection, and I run it from inside the Dockerfile, like this:

FROM ubuntu:20.04

RUN apt-get update && apt-get install -y -qq python3 python3-pip openssh-client

ARG DEBIAN_FRONTEND=noninteractive
RUN apt-get install -y postgresql postgresql-contrib

COPY ssh-tunnel.sh .

(other things ...)

RUN chmod u+x ./ssh-tunnel.sh
RUN ./ssh-tunnel.sh

All looks fine when I run docker build.
My question is: how can I keep the connection established when I run docker run?

network – Beware: macOS Finder “Connect to Server” accepts FTPS URLs (FTP in a SSL/TLS tunnel) but actually connects via plain FTP!

split tunnel – Access dns through vpn without affecting other network traffic

I set up a Windows VPN and enabled Split Tunneling. I want to route any traffic to an AWS Redshift database through it (redshift-cluster-1.whatever.us-east-1.redshift.amazonaws.com port 55438), but all other internet traffic should go over the default connection. How do I do this with the Add-VpnConnectionRoute command?

tunnel – Pfsense GRE to Proxmox Openvirtualswitch gateway not going up

So, I run pfsense on Hetzner Cloud and proxmox on Hetzner Cloud. Both are VMs. The Hetzner network is very restricted. I found a solution: GRE tunnels.

The following setup works:

pve machine = 10.0.0.3, test machine = 10.0.0.4

pve machine /etc/network/interfaces:

auto vmbr0
iface vmbr0 inet manual
    ovs_type OVSBridge
    post-up ovs-vsctl add-port vmbr0 tep0 -- set interface tep0 type=internal
    post-up ifconfig tep0 192.168.1.1 netmask 255.255.255.0
    post-up ovs-vsctl add-port vmbr0 gre0 -- set interface gre0 type=gre options:remote_ip=10.0.0.4

test machine /etc/network/interfaces:

auto vmbr0
iface vmbr0 inet manual
    ovs_type OVSBridge
    post-up ovs-vsctl add-port vmbr0 tep0 -- set interface tep0 type=internal
    post-up ifconfig tep0 192.168.1.2 netmask 255.255.255.0
    post-up ovs-vsctl add-port vmbr0 gre0 -- set interface gre0 type=gre options:remote_ip=10.0.0.3

After restarting the machines, I can ping both of them, and I can create an LXC container on the Proxmox host with IP 192.168.1.5 and ping it from both machines. Now I removed the test machine and went with pfsense.

pve machine (still 10.0.0.3) pfsense = 10.0.0.2

pve machine /etc/network/interfaces:

auto vmbr0
iface vmbr0 inet manual
    ovs_type OVSBridge
    post-up ovs-vsctl add-port vmbr0 tep0 -- set interface tep0 type=internal
    post-up ifconfig tep0 192.168.1.1 netmask 255.255.255.0
    post-up ovs-vsctl add-port vmbr0 gre0 -- set interface gre0 type=gre options:remote_ip=10.0.0.2

pfsense setup:

[screenshot: GRE configuration]

[screenshot: Interface screen]

But even after restarting both machines, the gateway won’t go up:

[screenshot: Gateways]

I have no clue anymore. It works on a test machine, so am I missing something on pfsense? Has anyone any idea?

8 – How to get the general conditions of sale accepted in the purchase tunnel?

Why does Drupal Commerce not include a sub-module to have the general conditions of sale accepted in the purchase tunnel?

I do not understand this choice, because this functionality is ESSENTIAL to place an order. Why is this not included with Drupal Commerce?

The only solution is to use an old module, incompatible with Drupal 9 and completely abandoned (no update for more than 4 years):

https://www.drupal.org/project/commerce_agree_terms

How to get the general conditions of sale accepted in the purchase tunnel?

You will answer me that you have to go through a custom module, but this is not the solution; Drupal has an interface (like WordPress) and should not be reserved only for developers.

Drupal 9 integrates more and more functionality to modify a website without using custom code, yet in 2021 Drupal Commerce does not integrate this. How do you want to make a sale without general sales conditions? In this case it would be necessary to let the developer make personalized modules, for taxes, orders, products, …

networking – site-to-site VPN route traffic through VPN tunnel

Short version: in a site-to-site VPN setup with Strongswan on both sides, how to route particular traffic via the VPN tunnel?

Long version:

We have two Linux (Ubuntu 20.04) servers in AWS, both with Strongswan VPN installed, and a VPN tunnel has been established.

IP 172.31.0.151                      IP 10.0.0.14 
Server 1        <===VPN tunnel===>   Server 2

As expected, they can ping each other, tcpdump will display correct private IP addresses for the ping.

The content of /etc/ipsec.conf of Server 2 (Server 1 ipsec.conf is almost identical, just swapping left/right values):

# basic configuration
config setup
# Add connections here.
conn %default
 ikelifetime=28800s
 lifetime=3600s
#rekeymargin= You choose; must match other side
 keyingtries=%forever
 keyexchange=ikev2
 authby=secret
 mobike=no


conn vpn-test
# private ip
 left=10.0.0.14

# vpc cidr
 leftsubnet=10.0.0.0/24

# elastic ip
 leftid=18.999.999.999

# private ip
 leftsourceip=10.0.0.14

# public/elastic ip
 right=18.888.888.888

# subnet/VPC cidr
 rightsubnet=172.31.0.0/16,2.2.2.2/32

 auto=start
 type=tunnel
 ike=aes256-sha1-modp1024!
 esp=aes256-sha1!
 dpddelay=30s
 dpdtimeout=120s
 dpdaction=restart
# Add connections here.

Goal: if from Server 2 we need to access a “dummy” IP address in Server 1’s network, for example, we want to ping 2.2.2.2 and send the ping request over the VPN tunnel, instead of it going out of Server 2’s actual network interface and into the internet.

With the 2.2.2.2/32 in both configurations, left/rightsubnet respectively, it still doesn’t work.

Method 1 we tried: ip route add

Strongswan does not create a VPN network interface; the ip a command shows only the two default network interfaces in Ubuntu:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
   link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
   inet 127.0.0.1/8 scope host lo
      valid_lft forever preferred_lft forever
   inet6 ::1/128 scope host
      valid_lft forever preferred_lft forever
2: ens5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP group default qlen 1000
    link/ether 0e:ac:45:e9:76:60 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.14/28 brd 10.0.0.15 scope global dynamic ens5
       valid_lft 3576sec preferred_lft 3576sec
    inet6 fe80::cac:45ff:fee9:7660/64 scope link
       valid_lft forever preferred_lft forever

So using the ip route add command to route traffic will not work here.

Method 2: iptables

The other method we tried is to use iptables to do DNAT: when the destination is 2.2.2.2, route it to Server 1’s IP address 172.31.0.151. However, DNAT changes the destination, so on Server 1 we observe packets with destination 172.31.0.151 instead of 2.2.2.2 and are unable to NAT them back accordingly. So iptables doesn’t solve this problem either.

Being new to this field I don’t know if it should be in Strongswan configuration or Linux routing or something else. How can we approach the issue?

Thank you for your time.
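Added example, not from the original post: a small model of how policy-based IPsec (what Strongswan sets up here, with no tunnel interface) decides whether a packet enters the tunnel. It parses the leftsubnet/rightsubnet traffic selectors from a conn block written in the ipsec.conf format shown above (a constructed excerpt with the redacted public IPs left out) and checks a (src, dst) pair against them, which is the same test the kernel’s XFRM policy performs and why there is nothing for ip route add to point at.

```python
import ipaddress

# Constructed excerpt in the same ipsec.conf format as the post; only the
# settings relevant to traffic selection are kept.
IPSEC_CONF = """
conn vpn-test
# private ip
 left=10.0.0.14
 leftsubnet=10.0.0.0/24
 leftsourceip=10.0.0.14
 rightsubnet=172.31.0.0/16,2.2.2.2/32
 type=tunnel
"""

def parse_conn(text, name):
    """Return the key=value settings of one 'conn <name>' block."""
    settings, inside = {}, False
    for line in text.splitlines():
        line = line.split("#", 1)[0].rstrip()   # drop comments
        if not line:
            continue
        if not line[0].isspace():                # unindented: section header
            inside = line.strip() == f"conn {name}"
            continue
        if inside and "=" in line:
            key, value = line.strip().split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def selectors(value):
    """Expand a comma-separated subnet list into ip_network objects."""
    return [ipaddress.ip_network(v.strip()) for v in value.split(",")]

def tunnel_selects(conn, src, dst):
    """True if (src, dst) matches an outbound selector pair of this conn:
    src inside a leftsubnet prefix AND dst inside a rightsubnet prefix."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    left = selectors(conn.get("leftsubnet", conn["left"]))
    right = selectors(conn["rightsubnet"])
    return any(src in n for n in left) and any(dst in n for n in right)

CONN = parse_conn(IPSEC_CONF, "vpn-test")

if __name__ == "__main__":
    for dst in ("2.2.2.2", "172.31.0.151", "8.8.8.8"):
        where = "tunnel" if tunnel_selects(CONN, "10.0.0.14", dst) else "ens5 directly"
        print(f"10.0.0.14 -> {dst}: {where}")
```

The selector check only decides whether the packet is encapsulated; after decapsulation on Server 1 the packet is still addressed to 2.2.2.2, so something on that side has to own or translate that address for a reply to come back.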

node.js – how to connect to mongodb server via ssh tunnel with Proxy Jump (ProxyCommand)

I have an ssh config file like this.
I have a proxy jump to host1 from test2.

Host host1
  Hostname xxxxxx.us-east-1.elb.amazonaws.com
  Port 2222
  User xxxx
  IdentityFile ~/.ssh/cert
  StrictHostKeyChecking no
  UserKnownHostsFile /dev/null
  KeepAlive yes
  ServerAliveInterval 30
  ServerAliveCountMax 30

Host test2
  Hostname xx.xxx.xx.xxx
  ProxyCommand ssh.exe -q -W %h:%p host1
  User ubuntu
  IdentityFile ~/.ssh/cert
  KeepAlive yes
  StrictHostKeyChecking no
  UserKnownHostsFile /dev/null
  ServerAliveInterval 30
  ServerAliveCountMax 30

I have to use SSH tunneling to MongoDB using host test2, but it uses a proxy jump via ProxyCommand.

I want to connect to MongoDB using SSH tunneling with MongoDB Compass and also with Node.js mongoose.

How can I connect using MongoDB Compass?

Here I don’t have an option to enter ProxyCommand details.

How can I connect using Node.js?

I am using tunnel-ssh; I have this reference code:

var os = require('os');
var path = require('path');
var tunnel = require('tunnel-ssh');

var config = {
    username: 'ubuntu',
    host: 'xx.xxx.xx.xxx',
    agent: process.env.SSH_AUTH_SOCK,
    // Node does not expand "~"; build the absolute path explicitly
    privateKey: require('fs').readFileSync(path.join(os.homedir(), '.ssh', 'cert')),
    port: 22,
    dstPort: 27017,
    password: 'mypassword'
};

var server = tunnel(config, function (error, server) {
    if (error) {
        console.error('tunnel failed:', error);
        return;
    }
    // tunnel is up; connect mongoose (or Compass) to localhost on the local port
});

How can I enter ProxyCommand details here as well?
