Automate SSH reverse tunnel for remote access to local network

An RPi is deployed in an unknown local network and should connect to a public jump box. Later, a user can connect to the jump box and reach the local network through the reverse tunnel.

Configure your RPi

I used Debian 11.8 on an RPi v1 (2011.12). Install autossh and configure your reverse tunnel.

Example: bind 0.0.0.0:10022 on onlinejumpbox and forward it to the RPi's SSH server on localhost:22.

ssh -R 0.0.0.0:10022:localhost:22 debian@onlinejumpbox

Create a systemd service in the file /etc/systemd/system/tunnel.service

[Unit]
Description=SSH tunnel service
After=network.target network-online.target sshd.service
#After=sshd.service

[Service]
# Run as the owner of the key so that this user's known_hosts is used (not root's)
User=debian
# Do not treat an early failure of the first connection as fatal; keep retrying
Environment=AUTOSSH_GATETIME=0
# -M 0: rely on ServerAlive probes instead of autossh's own monitor port.
# ExitOnForwardFailure=yes: if the remote port cannot be bound, ssh exits and autossh reconnects
# instead of keeping a session without the tunnel.
ExecStart=/usr/bin/autossh -M 0 -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -o ExitOnForwardFailure=yes -i /home/debian/.ssh/id_rsa -R 0.0.0.0:10022:localhost:22 -NT debian@onlinejumpbox
Restart=always
RestartSec=30

[Install]
WantedBy=multi-user.target

Optional: in /etc/ssh/sshd_config set

PasswordAuthentication no

Configure the server

Optional: the bind_address part of -R (the 0.0.0.0 above) is only honoured if the jump box's /etc/ssh/sshd_config sets

GatewayPorts yes
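
Whether the forwarded port ends up reachable from outside the jump box depends on the value sshd actually applies, and sshd takes the first occurrence of a keyword, so a setting appended at the end of the file is ignored if an earlier line already sets it. The following script is an added example (not part of the original post) that reports the effective GatewayPorts and PasswordAuthentication values of a given sshd_config; the sample config it creates is constructed for the demonstration, and the default values passed as third argument are the compiled-in sshd defaults.

```shell
#!/bin/sh
# Added example, not from the original post: show the value sshd will use for a
# keyword. sshd keeps the FIRST value it reads for each keyword, so duplicates
# later in the file have no effect.

# sshd_effective CONFIG KEYWORD DEFAULT
# Prints the first value of KEYWORD (case-insensitive) in CONFIG, skipping
# comments and blank lines; prints DEFAULT when the keyword is absent.
# Limitation: Match blocks and Include directives are not interpreted.
sshd_effective() {
    awk -v key="$2" -v def="$3" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# Constructed sample sshd_config: note the duplicated PasswordAuthentication
# line; only the first one ("yes") counts.
SAMPLE_CFG=$(mktemp)
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
# comment line
Port 22
PasswordAuthentication yes
GatewayPorts clientspecified
PasswordAuthentication no
EOF

# audit_sshd CONFIG: one-line summary of the two settings this post relies on.
# Defaults: GatewayPorts no, PasswordAuthentication yes.
audit_sshd() {
    cfg="$1"
    gw=$(sshd_effective "$cfg" GatewayPorts no)
    pa=$(sshd_effective "$cfg" PasswordAuthentication yes)
    printf 'GatewayPorts=%s PasswordAuthentication=%s\n' "$gw" "$pa"
}

audit_sshd "$SAMPLE_CFG"
```

Run it against the real file with `audit_sshd /etc/ssh/sshd_config` on the jump box (GatewayPorts) and on the RPi (PasswordAuthentication). With GatewayPorts=no the -R 0.0.0.0:10022 forward silently binds to loopback only; with yes or clientspecified it is exposed on every interface of the jump box, so the RPi's sshd must be hardened accordingly.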

Conclusion

A user can reach the RPi (and from there the local network) with this command line

ssh -p 10022 debian@onlinejumpbox

Install Tailscale on Synology DSM 7 via Quickconnect

To keep this tutorial short, I'm assuming that the reader knows how to upload a file, launch a container on the NAS and use SSH.

This is a solution to configure Tailscale remotely when you only have a quickconnect access to your NAS.

Install Container Manager on the NAS

Click on 'Package Center' -> Search for 'Container Manager' -> and install it.
It'll create a docker volume that we are going to use next.

Enable SSH on the NAS

Click on 'Control Panel' -> 'Terminal & SNMP' -> 'Enable SSH service'.
Keep the default port 22. If you change it, also change the port value in the ngrok.yml config file below.

Setup NGROK

https://ngrok.com/ is a tool to easily expose services behind NATs to public internet.

  1. Create a free account
  2. Retrieve your NGROK_AUTHTOKEN
  3. Create a file ngrok.yml with this content
version: 2
authtoken: NGROK_AUTHTOKEN
tunnels:
  dsm:
    proto: http
    addr: https://localhost:5001
  ssh:
    proto: tcp
    addr: 22

The first tunnel (dsm) exposes the DSM web interface.
The second tunnel (ssh) exposes the SSH service.

  1. Replace NGROK_AUTHTOKEN by the value you got from step 2.
  2. Upload the file in the docker volume.
  3. Open the 'Container Manager'
  4. From the Registry menu, download the ngrok/ngrok image for the release 3-alpine.
    (It's always better to pin the release version instead of taking latest, for later compatibility)
  5. From the 'Container' menu, create a container
    • image: ngrok/ngrok:3-alpine
    • keep 'Enable auto-restart' disabled. It's not needed.
    • 'Add File' in 'Volume settings' mapping '/docker/ngrok.yml' to '/ngrok.yml' in Read-Only
    • Select 'Host' in the 'Network'
    • Set start --config /ngrok.yml --all as 'Command' in the 'Execution Command'
  6. And run it

If everything is OK, the container should be green and you will have two endpoints in your ngrok endpoints dashboard.

Setup Tailscale

Use the HTTPS endpoint to connect to your NAS and, once connected, install Tailscale from the 'Package Center'.

From the NAS, click on 'Open' Tailscale, log in and add your devices to your account.

From the NAS, click again on 'Open' and activate 'Advertise as Exit Node'.

From that point on, I'm assuming you know how to configure and use Tailscale.

The last step is to advertise routes. For this step, you'll need the TCP endpoint you configured with ngrok.
Use it to ssh to your NAS: ssh -p <the port> <user>@<the tcp host, without tcp:// and without the port>
Once connected, configure the advertised routes with this command
sudo tailscale up --advertise-routes 192.168.1.0/24 --advertise-exit-node --reset

Conclusion

Congrats, you're done!
For security, you can stop the ngrok container and even deactivate the SSH service.

Update WordPress page/post via Rest API

With the WordPress REST API plugin, use the following curl command lines to get and update the title and content.

GET a page

curl --user "$WPAPPUSER:$WPAPPPASS" -X GET https://website/index.php/wp-json/wp/v2/pages/<page_id> | jq ".content.rendered"

Update a title

curl --user "$WPAPPUSER:$WPAPPPASS" -X POST https://website/index.php/wp-json/wp/v2/pages/<page_id> --data-urlencode 'title=My title'

Update the content

content="<!-- wp:paragraph --><p>Hello World</p><!-- /wp:paragraph -->"

curl --user "$WPAPPUSER:$WPAPPPASS" -X POST https://website/index.php/wp-json/wp/v2/pages/<page_id> --data-urlencode "content=$content"
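
The block markup is sent as a form field, so two things matter: the value must be percent-encoded (curl does that with --data-urlencode) and any text that comes from outside must be HTML-escaped before it is wrapped in the paragraph block, otherwise it can carry its own tags into the page. The following script is an added example (not from the original post); the site URL, page id and the $WPAPPUSER/$WPAPPPASS application-password credentials are assumed to be supplied by the caller, and the site/page values in the last line are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: update a page's content through
# the WordPress REST API with escaped text and a URL-encoded form field.

# html_escape TEXT: escape the characters that would otherwise start markup,
# so caller-supplied text becomes inert inside the <p> element.
html_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' -e 's/"/\&quot;/g'
}

# wp_paragraph_block TEXT: wrap escaped TEXT in a Gutenberg paragraph block.
wp_paragraph_block() {
    printf '<!-- wp:paragraph --><p>%s</p><!-- /wp:paragraph -->' "$(html_escape "$1")"
}

# wp_update_page_text TEXT SITE PAGE_ID: replace the page content with one
# paragraph. --data-urlencode lets curl percent-encode the value; --fail turns
# a 4xx/5xx answer into a non-zero exit status instead of an HTML error page.
wp_update_page_text() {
    text="$1"; site="$2"; page_id="$3"
    curl --silent --show-error --fail \
         --user "$WPAPPUSER:$WPAPPPASS" \
         -X POST \
         --data-urlencode "content=$(wp_paragraph_block "$text")" \
         "$site/index.php/wp-json/wp/v2/pages/$page_id"
}

# Usage (placeholder site and page id; needs WPAPPUSER/WPAPPPASS in the environment):
#   wp_update_page_text 'Hello <World>' https://website 42
```

The text 'Hello <World>' is stored as `Hello &lt;World&gt;`, which renders as typed rather than as an open tag; verify with the GET command above and `jq ".content.rendered"`.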
 
 
 

Install Ubuntu-18.04 on a NVMe disk

With the price of NVMe disks getting close to that of SSDs, most recent servers only have NVMe disks.

Unfortunately, installing Ubuntu-18.04 on such a server triggers the error

Validation error: 'nvme.XXXXXX' is not valid under any of the given schemas in [...]

This issue has been fixed in https://bugs.launchpad.net/ubuntu/+source/curtin/+bug/1840524/comments/8 but is not yet backported on 18.04.3

If you need to install 18.04 anyway, for example because of the NVIDIA driver support, the fix is to:

  1. flash a usb dongle with ubuntu-18.04
  2. after booting on the usb dongle, go to a terminal with Alt+F2 and enter
    sudo snap refresh --edge subiquity
  3. next, go back to main screen with Alt+F1 and start the installation.

 

Hopefully, 18.04.4 should have the patch.

 

 

Windows preparation for remote control with Ansible

Enabling Admin account

net user administrator /active:yes
net user administrator MyPassword

Enable Remote access and configure firewall

# To be done on both sides
Enable-PSRemoting

Cleaning

# To be done on both sides
winrm enumerate winrm/config/listener
winrm delete winrm/config/Listener?Address=*+Transport=HTTP
winrm delete winrm/config/Listener?Address=*+Transport=HTTPS

Setup

# Build the FQDN of this host; the certificate and the listener must use the same name
$myFQDN=(Get-WmiObject win32_computersystem).DNSHostName+"."+(Get-WmiObject win32_computersystem).Domain
# Create a self-signed certificate for that name in the machine store
New-SelfSignedCertificate -DnsName $myFQDN -CertStoreLocation Cert:\LocalMachine\My
$thumbprint=@(Get-ChildItem -Path Cert:\LocalMachine\My | Where {$_.DnsNameList -match "$myFQDN" }).Thumbprint
# HTTPS listener bound to that certificate
winrm create winrm/config/Listener?Address=*+Transport=HTTPS "@{Hostname=""$myFQDN""; CertificateThumbprint=""$thumbprint""}"
# Basic auth sends the password base64-encoded; it is acceptable here only because the HTTPS listener above wraps it in TLS
Set-Item -Path WSMan:\localhost\Service\Auth\Basic -Value $true

Host file

In a file named hosts.cfg

[targets]
server1 ansible_host=123.123.123.123 ansible_user=Administrateur ansible_password=secure_password
server2 ansible_host=123.123.123.123 ansible_user=Administrator ansible_password=secure_password

[targets:vars]
ansible_connection=winrm
# 'ignore' skips TLS verification of the self-signed certificate created above;
# to validate it instead, export that certificate and point ansible_winrm_ca_trust_path at the file
ansible_winrm_server_cert_validation=ignore

And in the playbook

---
# This playbook tests the script module on Windows hosts
- name: Run powershell script
  hosts:
    - server1
    - server2
  vars:
    nsimul: 8
    results_dir: C:\results{{ nsimul }}
  gather_facts: false
  tasks: ...

Unbrick and update a J-Link V8 clone

You can buy a Segger JTAG J-Link clone for a few USD on ebay, aliexpress, dx, ...

If you try to update its firmware with the official Segger tool, you'll brick the probe.

Don't worry, smart people have already put a checklist to restore a working firmware and even update it to the latest official version. I just put all the needed info into one single page.
