PoC: Ugly but Working!

2025-05-28 04:50:23 -07:00 · 2017-02-05 10:35:38 +01:00 · 2017-02-05 10:35:38 +01:00 · 918867c370
commit 918867c370
parent 8cdb42033a
6 changed files with 169 additions and 1 deletions
--- a/README.md
+++ b/README.md
@ -1,2 +1,2 @@
 # xiringuito
-Simple, automated and opinionated SSH VPN
+Bash SSH VPN wrapper
--- a/scripts/client-setup.sh
+++ b/scripts/client-setup.sh
@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+#
+# Setup client before establishing connection
+#
+set -e
+
+if [[ ${#} -lt 2 ]]; then
+  echo "Usage: ${0} TUNNEL_ID IP_BASE [NETWORK1 NETWORK2 ... NETWORKx]"
+  exit 1
+fi
+
+declare -r TUNNEL_ID=${1}
+declare -r IP_BASE=${2}
+shift 2
+declare -r NETWORKS=${@}
+
+declare -r NETWORK_DEVICE=tun${TUNNEL_ID}
+let CLIENT_LAST_IP_ADDR_OCTET="4*(${TUNNEL_ID}-1)+1"
+declare -r CLIENT_IP_ADDR=${IP_BASE}.${CLIENT_LAST_IP_ADDR_OCTET}
+
+if [[ ! $(ip link | grep " ${NETWORK_DEVICE}: ") ]]; then
+  sudo modprobe tun
+  sudo ip tuntap add mode tun user ${USER} ${NETWORK_DEVICE}
+  sudo ip link set ${NETWORK_DEVICE} up
+  sudo ip addr add ${CLIENT_IP_ADDR}/30 dev ${NETWORK_DEVICE}
+fi
+
+for NETWORK in ${NETWORKS}; do
+  echo "> ${NETWORK}"
+  sudo ip route add ${NETWORK} dev ${NETWORK_DEVICE}
+done
--- a/scripts/client-teardown.sh
+++ b/scripts/client-teardown.sh
@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+#
+# Teardown client after disconnection
+#
+set -e
+
+if [[ ${#} != 1 ]]; then
+  echo "Usage: ${0} TUNNEL_ID"
+  exit 1
+fi
+
+sudo ip tuntap del mode tun tun${1}
--- a/scripts/server-execute.sh
+++ b/scripts/server-execute.sh
@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+#
+# Execute/teardown on the server side
+#
+set -e
+
+if [[ ${#} != 2 ]]; then
+  echo "Usage: ${0} TUNNEL_ID IP_BASE"
+  exit 1
+fi
+
+declare -r TUNNEL_ID=${1}
+declare -r IP_BASE=${2}
+
+declare -r NETWORK_DEVICE=tun${TUNNEL_ID}
+let CLIENT_LAST_IP_ADDR_OCTET="4*(${TUNNEL_ID}-1)+1"
+declare -r CLIENT_IP_ADDR=${IP_BASE}.${CLIENT_LAST_IP_ADDR_OCTET}
+
+trap teardown EXIT
+
+function teardown() {
+  sudo iptables -t nat -D POSTROUTING -s ${CLIENT_IP_ADDR} -j MASQUERADE
+
+  sudo ip tuntap del mode tun ${NETWORK_DEVICE}
+}
+
+while true; do
+  sleep 60000 # do nothing until interrupted ;)
+done
--- a/scripts/server-setup.sh
+++ b/scripts/server-setup.sh
@ -0,0 +1,51 @@
+#!/usr/bin/env bash
+#
+# Setup server before establishing connection
+#
+set -e
+
+if [[ ${#} != 2 ]]; then
+  echo "Usage: ${0} TUNNEL_ID IP_BASE"
+  exit 1
+fi
+
+declare -r TUNNEL_ID=${1}
+declare -r IP_BASE=${2}
+
+declare -r NETWORK_DEVICE=tun${TUNNEL_ID}
+let CLIENT_LAST_IP_ADDR_OCTET="4*(${TUNNEL_ID}-1)+1"
+let SERVER_LAST_IP_ADDR_OCTET="4*(${TUNNEL_ID}-1)+2"
+declare -r CLIENT_IP_ADDR=${IP_BASE}.${CLIENT_LAST_IP_ADDR_OCTET}
+declare -r SERVER_IP_ADDR=${IP_BASE}.${SERVER_LAST_IP_ADDR_OCTET}
+
+declare -r SSHD_CONFIG_FILE=/etc/ssh/sshd_config
+declare -r SSHD_RESTART_CMD="reload ssh"
+
+# Ensure previous tunnels with the same ID are not running
+set +e
+pkill -f xiringuito-server-execute.${TUNNEL_ID}.sh
+set -e
+
+# Set up network device
+if [[ ! $(ip link | grep " ${NETWORK_DEVICE}: ") ]]; then
+  sudo modprobe tun
+  sudo ip tuntap add mode tun user ${USER} ${NETWORK_DEVICE}
+  sudo ip link set ${NETWORK_DEVICE} up
+  sudo ip addr add ${SERVER_IP_ADDR}/30 dev ${NETWORK_DEVICE}
+fi
+
+# Set up SSH server for tunneling
+if [[ ! $(grep "^PermitTunnel yes" ${SSHD_CONFIG_FILE}) ]]; then
+  echo "PermitTunnel yes" | sudo tee -a ${SSHD_CONFIG_FILE}
+  sudo ${SSHD_RESTART_CMD}
+fi
+
+# We need IPv4 forwarding to enable packet traversal
+if [[ ! $(sudo sysctl -a 2>/dev/null | grep "net.ipv4.ip_forward.*=.*1") ]]; then
+  sudo sysctl -w net.ipv4.ip_forward=1
+fi
+
+# We need IPv4 NAT
+if [[ ! $(sudo iptables -t nat -nvL POSTROUTING | grep " ${CLIENT_IP_ADDR} ") ]]; then
+  sudo iptables -t nat -A POSTROUTING -s ${CLIENT_IP_ADDR} -j MASQUERADE
+fi
--- a/45
+++ b/45
@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+#
+# Bash SSH VPN wrapper
+#
+set -e
+
+if [[ ${#} -lt 1 ]]; then
+  echo "Usage: ${0} [SSH_USER@]SSH_SERVER [NETWORK1, NETWORK2, ... NETWORKx]"
+  exit 1
+fi
+
+declare -r SSH_SERVER=${1}; shift
+declare -r NETWORKS=${@}
+
+declare -r IP_BASE=192.168.245
+declare -r TUNNEL_ID_PATH=~/.xiringuito/tunnel_id
+declare -r TUNNEL_ID_FILE=${TUNNEL_ID_PATH}/${SSH_SERVER}
+
+if [[ ! -f ${TUNNEL_ID_FILE} ]]; then
+  mkdir -p ${TUNNEL_ID_PATH}
+  let GENERATED_ID=${RANDOM}%50+1
+  echo ${GENERATED_ID} >${TUNNEL_ID_FILE}
+fi
+
+declare -r TUNNEL_ID=$(cat ${TUNNEL_ID_FILE})
+
+cd $(dirname ${0})
+
+trap teardown EXIT
+
+function teardown() {
+  echo "Tearing down tunnel..."
+  ./scripts/client-teardown.sh ${TUNNEL_ID}
+  echo "Ensuring remote process is stopped."
+  ssh -oLogLevel=QUIET ${SSH_SERVER} pkill -f xiringuito-server-execute.${TUNNEL_ID}.sh
+}
+
+./scripts/client-setup.sh ${TUNNEL_ID} ${IP_BASE} ${NETWORKS}
+
+scp -oLogLevel=QUIET ./scripts/server-setup.sh ${SSH_SERVER}:/tmp/xiringuito-server-setup.${TUNNEL_ID}.sh >/dev/null
+scp -oLogLevel=QUIET ./scripts/server-execute.sh ${SSH_SERVER}:/tmp/xiringuito-server-execute.${TUNNEL_ID}.sh >/dev/null
+
+ssh -oLogLevel=QUIET ${SSH_SERVER} /tmp/xiringuito-server-setup.${TUNNEL_ID}.sh ${TUNNEL_ID} ${IP_BASE}
+sleep 1
+ssh -oLogLevel=QUIET -w ${TUNNEL_ID}:${TUNNEL_ID} ${SSH_SERVER} /tmp/xiringuito-server-execute.${TUNNEL_ID}.sh ${TUNNEL_ID} ${IP_BASE}