
View the full version: How to setup SSH tunnel using the WL500



max2950
30-11-2006, 21:21
I recently began a new job. Although the job is interesting, I was disappointed by the company's Internet policy. Everything is tracked and logged, and I do not want them to see everything I might do online. It was not a matter of surfing to some porn site while at work, no, the point was that I want some privacy. I do not want my employer to see my activity on the wl500 forums ;).
So I began to look for a solution. One I've found is tunneling over SSH. After some searches on the web and on this forum, I collected all the info I needed to get this done.

In this howto I assume that you know how to telnet to your WL500 and that you are somewhat familiar with the concept of tunneling and with some basics of Linux systems. I also assume that you are running Oleg's firmware.

By the way, tunneling is a way to get around some of your company's Internet policies; do all of this at your own risk. Do not blame me if something bad happens to you or to your belongings.

The information in this howto is already available on the forum, but scattered across several topics, so I collected it together and made this howto. I did my best to make this article accessible to newbies.


First, what we need is to have an SSH daemon running on our WL500. For convenience I include how to get this done here. The original was found in hezik's howto (http://wl500g.info/showthread.php?t=1984).



mkdir -p /usr/local/etc/dropbear
# generate the host keys dropbear needs (DSS and RSA)
dropbearkey -t dss -f /usr/local/etc/dropbear/dropbear_dss_host_key
dropbearkey -t rsa -f /usr/local/etc/dropbear/dropbear_rsa_host_key
mkdir -p /usr/local/sbin/
# create a post-boot script that starts dropbear after each boot
echo "#!/bin/sh" >> /usr/local/sbin/post-boot
chmod +x /usr/local/sbin/post-boot
echo "dropbear" >> /usr/local/sbin/post-boot
# start it right now as well
dropbear


The above code will generate the keys required to encrypt the connection and also create a post-boot script that will start dropbear after each boot.


At this point you should be able to connect to your wl500 using PuTTY (http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html).


We now need to enable access to SSH from the WAN side. I found useful information in kiewer's howto (http://wl500g.info/showthread.php?t=2074). Again I include this here for convenience.

Create a post-firewall script if you do not have one. The post-firewall script must reside in /usr/local/sbin/. You can use vi to create/edit your post-firewall script. Help on using vi can be found here (http://unixhelp.ed.ac.uk/vi/index.html).
We will redirect connections on port 443 to port 22. The reason for this is that most corporate proxies will think that the data going through is regular https traffic and therefore grant you full access.

Put this in your post-firewall script, but do not forget to change 192.168.1.1 to match your wl500's LAN IP:


# remove the final DROP so the new rules are appended before it
iptables -D INPUT -j DROP
# accept SSH on the LAN address (the DNAT below rewrites 443 to this)
iptables -A INPUT -p tcp -m tcp -d 192.168.1.1 --dport 22 -j ACCEPT
# redirect incoming port 443 on the PPP WAN interface to dropbear on port 22
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 443 -j DNAT --to-destination 192.168.1.1:22
# put the final DROP back
iptables -A INPUT -j DROP


If you have just created the script, do not forget to add the following line at the top of it:


#!/bin/sh


After that we save our stuff so that we do not need to start over after a reboot.



flashfs save
flashfs commit
flashfs enable



Now it is time to reboot your device, go to your workplace's computer and set up PuTTY (http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html).
Start PuTTY and go to Tunnels.
Add port 3000 (or whatever you like). To do this, type 3000 in the "source port" field, leave destination blank, check the "dynamic" box and the "Auto" box and click "Add".
http://www.planetemax.com/ext/forums/wl500/putty_tun.png

Then go to Proxy and set up the proxy settings according to your corporate proxy.
http://www.planetemax.com/ext/forums/wl500/putty_proxy.png

Now go to session, enter the WAN address of your wl500 and set 443 as connect port.
http://www.planetemax.com/ext/forums/wl500/putty_session.png

Click Open, and log in using your wl500 identifiers.

Now your tunnel is up and running. You can now tunnel almost any application that supports SOCKS proxies.
Setup your application to use SOCKS proxy 127.0.0.1 on port 3000.
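From the monitoring side, the first bytes of a port-443 connection are what distinguish a TLS session from the SSH tunnel set up above: a TLS client opens with a handshake record (0x16 0x03 ...), whereas an SSH server announces itself with a plaintext "SSH-2.0-" banner before the client has sent anything. The following classifier is an added example, not code from the post; its flow records are constructed here and the record fields are my own naming.

```python
from dataclasses import dataclass

TLS_HANDSHAKE = 0x16   # TLS record content type: handshake
TLS_MAJOR = 0x03       # record-layer major version shared by SSL 3.0 and all TLS versions

@dataclass
class FlowStart:
    """First bytes of one TCP connection (constructed fields, not a capture format)."""
    dst_port: int
    client_first: bytes        # first bytes the client sent
    server_first: bytes        # first bytes the server sent
    server_spoke_first: bool   # server sent data before the client did

def looks_like_tls_client_hello(data: bytes) -> bool:
    """A TLS session opens with a handshake record: 0x16 0x03 0x0X ..."""
    return (len(data) >= 3 and data[0] == TLS_HANDSHAKE
            and data[1] == TLS_MAJOR and data[2] <= 0x04)

def looks_like_ssh_banner(data: bytes) -> bool:
    """RFC 4253: both SSH peers start with an identification string 'SSH-...'."""
    return data.startswith(b"SSH-")

def classify(flow: FlowStart) -> str:
    """Return 'ssh', 'tls' or 'unknown' for the start of one flow."""
    if looks_like_ssh_banner(flow.server_first) or looks_like_ssh_banner(flow.client_first):
        return "ssh"
    # In TLS the client always speaks first; a server that talks first is not TLS.
    if not flow.server_spoke_first and looks_like_tls_client_hello(flow.client_first):
        return "tls"
    return "unknown"

def find_suspicious(flows):
    """Port-443 flows whose opening bytes are not a TLS handshake."""
    return [(i, classify(f)) for i, f in enumerate(flows)
            if f.dst_port == 443 and classify(f) != "tls"]

# Constructed sample flows: a normal HTTPS session, dropbear answering on 443
# as set up in the thread, plain HTTP sent to 443, and ordinary SSH on port 22.
SAMPLE_FLOWS = [
    FlowStart(443, bytes([0x16, 0x03, 0x01, 0x00, 0xC5, 0x01]), bytes([0x16, 0x03, 0x03]), False),
    FlowStart(443, b"SSH-2.0-PuTTY\r\n", b"SSH-2.0-dropbear\r\n", True),
    FlowStart(443, b"GET / HTTP/1.1\r\n", b"HTTP/1.1 400 Bad Request\r\n", False),
    FlowStart(22, b"SSH-2.0-OpenSSH\r\n", b"SSH-2.0-dropbear\r\n", True),
]

if __name__ == "__main__":
    for idx, kind in find_suspicious(SAMPLE_FLOWS):
        print(f"flow {idx}: destination port 443 but opening bytes look like {kind}")
```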

max2950
23-12-2006, 10:31
I just experimented a little and succeeded in having VNC go through the tunnel!

Here is how:
In the "Tunnels" panel, type 5900 in "source port".
In the "Destination" field type the LAN IP of the machine you wish to access with VNC followed by the port.
Assuming your machine's IP is 192.168.1.36, type 192.168.1.36:5900 into "destination".
Check the "local" box, and the "auto" box and click add.

Now open the VNC client, enter 127.0.0.1 as the host address and you should be able to connect!

max2950
28-12-2006, 07:50
Yesterday I changed my BeWan ADSL2+ for the one provided by my ISP. The ISP-provided modem (FreeBox) takes care of all the PPP work, so that I only need to set up the WL500 to connect using "automatic IP".

Unfortunately, the above configuration did not work anymore and I had to change my post-boot and post-firewall scripts. I'm a big newbie when it comes to iptables, so any suggestions are welcome.

Here is my post-boot file:


#!/bin/sh
dropbear -p 22 -p 443

We simply tell dropbear to listen on ports 22 and 443.
In the post-firewall script we will open the firewall on port 443:


#!/bin/sh
iptables -D INPUT -j DROP
iptables -I INPUT 2 -p tcp --syn --dport 443 -j ACCEPT


Now it is working again. It seems that the firewall behaves differently in PPPoE and in Automatic IP...