Senrabdet's questions

I am trying to get a remote access approach (open source) working involving openssh and tightvnc that deals with NAT, that allows someone to remote to my server and then allows me to vnc back to their machine w/o having to mess with their firewall and allows me to use a static WAN address down the road. I've been trying to rough this out in small steps to manage the unknowns (for me, a lot:). It would appear others have gotten this to work, but am stumped.

For starters, have have gotten passwordless reverse ssh working between two windows 10 virtual machines (hyperv) on my laptop (i.e., I'm not trying to deal with port forwarding on my firewall or the static WAN address yet) but can't get the vcn to work over the reverse ssh tunnel, though it works just using the lan IP address instead of "localhost" for the reverse ssh.

I am wondering if my overall approach is flawed or not. It is:

Machine A/Person A (wants help)
currently a win10 vm
ssh client (native on win10)
tightvnc server

Machine B/Person B (help desk role)
currently win10 vm (same LAN as machine A at present)
ssh server (optional win10 add on)
tightvnc client

The idea would be Person A on machine A starts the VNC server on machine A, and connects over reverse ssh to machine B (so far so good). At that point person B on Machine B could VNC back to machine A and help.

My assumption which may be the problem is to use reverse ssh from A->B (I've tried the -L option too instead of -R), and then use tightvnc to access machine A back from B. After starting the vnc server on machine A, an example of the initial ssh command I've gotten to work from A to B is:
ssh -R 5902:localhost:5901 user@lanaddressMachineB -i ~/.ssh/id_rsa -vv

This part works. The vnc server on A has port 5902 (I have turned loopback on and off, tried listening server). I'm hoping this is something like I'm confused about which is the local host or something like that.

The error I'm getting on Machine B trying to vnc back to machine A over the ssh tunnel using "localhost::5902" is "connection has been gracefully closed". The vnc connection works if I just use the lanip of the vnc server on A from B.

There is nothing in the "tviewer.log" on either the client or the server. I've tried changing some settings in sshd_config (e.g., AllowAgentForwarding yes) with no result.

Q is my design flawed or workable? Is it the way I'm configuring things and can be addressed, possibly using a different ssh command?

Q do I need ssh server on both machines (am hoping to avoid this as means have to install it on other people's machines)?

I know there are various paid for and some free options to all of this, but am hoping to get it going.

Thank you.

I am looking at using the opensource version of nginx as a reverse proxy with upstreams for secure file serving using docker and self signed certs where I can run a script on clients and pull down a file. I can get it all to work, until I apply "ssl_verify_client on;", then my curl, wget and powershell attempts fail. My guess is somehow I'm not generating or registering the certs correctly so the trust chain is maintained.

I've throttled back to see if I can get it to work without the upstreams or docker (i.e., trying only to hit the reverse-proxy in a VM, and same results, works until I do "ssl_verify_client on;").

I've added my pem's to ca-certificates on the client and done "update-ca-certificates" (should I have done this on the server?).

Example of curl (gets "400 No required SSL certificate was sent"): curl -v -s --key client.key --cert client.crt --cacert client.pem https://mysite.dyndns.org/file.txt -o /home/user/Desktop/file.txt

Trying to diagnose the problem, I try: "openssl s_client -connect mysite.dyndns.org:443" and get: verify error:num=20:unable to get local issuer certificate

Am happy to post my nginx.conf, how I am generating certs, but figured initially would ask:

• Is what I'm trying to do feasible? Can curl, wget, or powershell work with self signed certs (as opposed to purchased ones)?

• is it a problem to use dyndns (works without the verify on)?

• if it looks like I've a problem with my cert generation, can someone suggest a link as a how to (I've been trying https://jamielinux.com/docs/openssl-certificate-authority/ and nate goods site). Is "LetsEncrypt" the "right answer"?

I know I may need to post more detail on commands/configs used etc. Any help appreciated. Thx!

I'm trying to use rsync and "--link-dest=" to create incremental copies of backups on a server (Debian Wheezy, LVM, RAID 1), with the goal of using hard links to save space.

Unlike what may be the "normal" use case, I want to back up every day from a windows client to a folder on the server called "1" (this part works, though I don't use rsync here to do the backup), and then rsync off of "1" to create 30 days worth of incremental changes. So "1" changes with each day's backup from the client, but the copies made off of it would contain older file versions, 30 days worth.

From a post at http://blog.interlinked.org/tutorials/rsync_time_machine.html which outlines how to use rsync to simulate what Apple's Time Machine does, I have the following code (the "15/16" part of the target path represent the day/time of the backup):

    date=`date "+%Y-%m-%dT%H:%M:%S"`
    $UserNameVar=client8

    rsync -aP --log-file=/home/User1/Desktop/rsync.log  --link-dest=/home/$UserNameVar/share/Backups/1/current /home/$UserNameVar/share/Backups/1 /home/$UserNameVar/share/Backups/15/16/back-$date

    rm -f /home/$UserNameVar/share/Backups/1/current
    ln -s back-$date /home/$UserNameVar/share/Backups/1/current

The code runs, the backup occurs, the link between the last backup and "current" is created, and the subsequent backups are very fast, but as best I can tell, the backups consume the same space as the original.

Is the approach flawed, or something in my code wrong? Or do I need a different way to calculate the actual free space?

Thanks

I'm trying to create multiple subnets on a Wheezy server, where I can run multiple virtual machines off of each subnet. Initially, I'd like to create 2 and I've gotten one of the subnets working, but can't seem to get the second one going.

My /etc/network/interfaces includes:

iface eth0 inet manual
up ip link set $IFACE up promisc on
down ip link set $IFACE down promisc off

auto dummy0
iface dummy0 inet static
address 10.1.1.1
netmask 255.255.255.0

auto dummy1
iface dummy1 inet static
address 10.1.2.1
netmask 255.255.255.0

#VirtualMachineDummy0
auto dummy0:245
allow-hotplug dummy0:245
iface dummy0:245 inet static
address 10.1.1.245
netmask 255.255.255.0

#SubNet2
auto dummy1:111
allow-hotplug dummy1:111
iface dummy1:1 inet static
address 10.1.2.111
netmask 255.255.255.0

I can ping 10.1.1.245 and the virtual machine has connectivity, but I cannot ping 10.1.2.1 or 10.1.2.111.

FYI: along the way, I have tried disabling ipv6 and adding:
touch /etc/modprobe.d/local
echo "options dummy numdummies=2" > /etc/modprobe.d/local

Any suggestions as to how to fix this? Thanks!

I'd like to use rsync over openvpn to copy some files as root from one server to another, all on the same LAN (i.e., not over the Internet). Both servers are running Wheezy. I could do this over ssh, but I'd prefer not to because I want to keep ssh root access disabled. The VPN is working - e.g., from the client I can successfully ping the server's openvpn IP (and I can connect over the Internet using the VPN ip and VNC, though again for this use case I want to copy files on my LAN behind my firewall). However, when I try rsync, I get an error "connection over port 22 refused". Q: is this a problem with my rsync syntax and what syntax should I use, or with this approach do I need to setup the rsync daemon on the server? Rsync without the daemon seems to assume the use of ssh.

Thanks!

I am trying to learn how to use kpartx, and am having some trouble. My end goal is to use nested LVMs for virtual machines, where the VM's "/home" is in one nested LVM and the rest of the VM is on a second nested LVM, so I can use snapshots for /home and /"everythingelse".

When I issue "kpartx -av /dev/vg2/LVM1", I get no output including no output telling me the name of the new nested LVM. Likewise, no output from "kpartx -l /dev/vg2/LVM1". So without the new nested volume names, I can't mount or create a file system. My best guess is the nested LVMs are not actually being created....

Q: Is there something missing in my Kpartx install (apt-get install kpartx seemed to install as expected)? Does Kpart not work on RAID1 or have problems with Wheezy?

Some description off my environment:

-Encrypted RAID1, LVM, Two volume groups (I'm trying to use Kpartx on vg2), Wheezy; Linux Vserver (VM environment)

Thanks!

I am running virtual machines with Gnome desktops on Debian Squeeze and Wheezy. The virtual machines are on a different subnet than the host. I would like to block the virtual machines from accessing the router/firewall login page via Firefox, but still have access to the Internet.

Is there some way to do this with ufw, iptables, host.deny or possibly on the router itself using an address range (I can use Blocksite and lock down the config, but would prefer some other approach)? I've tried various things, but either my attempts fail or I block access to Internet from the VMs.

Thanks!

I'm trying to run a script at login that will execute for a regular user, but not be readable by that or other non-root users.

I've tried various things including chmod/chown combinations, as well as visudo. In all cases, I can either execute the script at login but still read it as the user, or not be able to read it but also not be able to execute it at login.

Have also tried shc which I can use, but that still leaves a file that while executable, can be copied/uploaded etc and decompiled.

Is this about me doing something wrong with chmod, chown, and visudo?