tianchaijz · November 7, 2018 05:39 · Nov 7, 2018 · Feb 18, 2018 · Feb 18, 2018 · Feb 18, 2018
diff --git a/tunnel.service b/tunnel.service
@@ -5,6 +5,8 @@ Documentation=https://github.com/mmatczuk/go-http-tunnel
 [Service]
 User=tunnel
 Group=tunnel
+Restart=always
+RestartSec=30
 ExecStart=/usr/local/bin/tunnel -config /etc/tunnel/tunnel.yml start-all
 
 # systemd.exec

diff --git a/000-tunneld-server.md b/000-tunneld-server.md
@@ -15,7 +15,7 @@
 - Download the `clients` file to `/etc/tunneld/clients`
 - `chown -R tunneld:tunneld /etc/tunneld`
 - Download the `tunneld.service` to `/etc/systemd/system/tunnel.service`
-    - If you want http tunneling, change the parameters to `/usr/local/bin/tunneld` accordingly and maybe put the http stuff behind a proxy server
+    - If you want http tunneling, change the parameters to `/usr/local/bin/tunneld` accordingly and maybe put the http stuff behind a proxy server ([Caddy](https://caddyserver.com) is perfect for this!)
 - `systemctl daemon-reload`
 - `systemctl enable tunneld`
 - `systemctl start tunneld`

diff --git a/000-tunneld-server.md b/000-tunneld-server.md
@@ -1,11 +1,13 @@
-# mmatczuk/go-http-tunnel server!
+# mmatczuk/go-http-tunnel server
+
 
 ## Server
 
 - Download release 2.1 for your architecture https://github.com/mmatczuk/go-http-tunnel/releases/tag/2.1
 - Move `tunneld` to `/usr/local/bin/tunneld`
 - Create user `useradd -r tunneld`
 - Create `/etc/tunneld`
+- Install [Certstrap 1.1.1](https://github.com/square/certstrap/releases/tag/v1.1.1) to `/usr/local/bin/certstrap`
 - Download `generateCertificates.sh` and `chmod +x generateCertificates.sh`
 - Generate your certificates `./generateCertificates.sh YOUR-CA-NAME hostname-of-your-tunnel-server,clientname1,clientname2`
     - You can always come back and generate additional certificates..

diff --git a/000-tunneld-server.md b/000-tunneld-server.md
@@ -24,37 +24,9 @@
 - Extract tunnel binary to `/usr/local/bin/tunnel`
 - Create user tunnel `useradd -r tunnel`
 - Create `/etc/tunnel` and copy tls certificate files there
-- Create `/etc/tunnel/tunnel.yml`
-
-      server_addr: YOUR-SERVER-HOSTNAME:5223
-      tls_crt: /etc/tunnel/client.crt
-      tls_key: /etc/tunnel/client.key
-      root_ca: /etc/tunnel/ca.crt
-      tunnels:
-        ssh:
-          proto: tcp
-          addr: localhost:22
-          remote_addr: 0.0.0.0:2222
-
+- Create `/etc/tunnel/tunnel.yml` (See example `tunnel.yml`)
 - `chown -R tunnel:tunnel /etc/tunnel`
 - `tunnel -config /etc/tunnel/tunnel.yml id` to show your client id, you have to add this one to the allowed clients (`/etc/tunneld/clients`) on the server
-- Create `/etc/systemd/system/tunnel.service`
-
-      [Unit]
-      Description=tunnel
-      Documentation=https://github.com/mmatczuk/go-http-tunnel
-
-      [Service]
-      User=tunnel
-      Group=tunnel
-      ExecStart=/usr/local/bin/tunnel -config /etc/tunnel/tunnel.yml start-all
-
-      # systemd.exec
-      ProtectHome=yes
-      ProtectSystem=full
-
-      [Install]
-      WantedBy=multi-user.target
-
+- Download `tunnel.service` to `/etc/systemd/system/tunnel.service`
 - `systemctl enable tunnel`
-- `systemctl start tunnel`
+- `systemctl start tunnel`
diff --git a/tunnel.service b/tunnel.service
@@ -0,0 +1,15 @@
+[Unit]
+Description=tunnel
+Documentation=https://github.com/mmatczuk/go-http-tunnel
+
+[Service]
+User=tunnel
+Group=tunnel
+ExecStart=/usr/local/bin/tunnel -config /etc/tunnel/tunnel.yml start-all
+
+# systemd.exec
+ProtectHome=yes
+ProtectSystem=full
+
+[Install]
+WantedBy=multi-user.target
diff --git a/tunnel.yml b/tunnel.yml
@@ -0,0 +1,10 @@
+server_addr: YOUR-SERVER-HOSTNAME:5223
+tls_crt: /etc/tunnel/client.crt
+tls_key: /etc/tunnel/client.key
+root_ca: /etc/tunnel/ca.crt
+tunnels:
+  ssh:
+    proto: tcp
+    addr: localhost:22
+    remote_addr: 0.0.0.0:1025
+
diff --git a/generateCertificates.sh b/generateCertificates.sh
@@ -33,7 +33,6 @@ generateCA () {
 requestAndSignCertificate () {
   local SERVICE=$1
   echo "Create certificate request for ${SERVICE}"
-  #certstrap_with_opts request-cert --passphrase "" --key "${DEPOT_PATH}/${CA_NAME}.key" --key-bits "${KEY_BITS}" --common-name "${SERVICE}" --domain "${SERVICE}"
   certstrap_with_opts request-cert --passphrase "" --key "${DEPOT_PATH}/${CA_NAME}.key" --key-bits "${KEY_BITS}" --common-name "${SERVICE}"
   echo "Sign certificate request for ${SERVICE}"
   certstrap_with_opts sign --passphrase "" --expires "${EXPIRES}" --CA "${CA_NAME}" "${SERVICE}"

diff --git a/tunneld-server.md → 000-tunneld-server.md b/tunneld-server.md → 000-tunneld-server.md
diff --git a/clients b/clients
@@ -0,0 +1,15 @@
+# List your client-ids here
+# Each line should contain only a single client-id followed by a comma (,) and a backslash (\)
+# The last line shouldn't have the comma and backslash!
+#
+# Make sure no stray whitespace at the end of lines!!!
+# with vim do :%s/\s\+$//e
+#
+# Please list the client ids here with name
+#
+# client-id                                                       description
+# TVFU53T-M4J2ELM-ET9YZLI-SPHSWLY-WVO3T7B-RM3SC2A-EDURNZY-LUP5SQG client1
+# 2DZE5EU-DGZIA5W-60ORFAS-S3PF74R-CWKTMTK-LHCBJES-W43SOFU-ZDCXMAI client2
+CLIENTS=\
+TVFU53T-M4J2ELM-ET9YZLI-SPHSWLY-WVO3T7B-RM3SC2A-EDURNZY-LUP5SQG,\
+2DZE5EU-DGZIA5W-60ORFAS-S3PF74R-CWKTMTK-LHCBJES-W43SOFU-ZDCXMAI
diff --git a/generateCertificates.sh b/generateCertificates.sh
@@ -0,0 +1,48 @@
+#!/bin/bash
+set -euo pipefail
+IFS=$'\n\t'
+
+CA_NAME=${1:-}
+SERVICES=${2:-}
+
+if [[ -z "$CA_NAME" || -z "${SERVICES}" ]]; then
+  echo "CA_NAME and SERVICE[,SERVICE,...] parameters required"
+  echo "Usage: $0 CA_NAME SERVICE[,SERVICE,...]"
+  exit 1
+fi
+
+# Some certstrap options
+DEPOT_PATH=certificates
+EXPIRES="10 years"
+KEY_BITS=4096
+
+certstrap_with_opts () {
+  certstrap --depot-path "${DEPOT_PATH}" "$@"
+}
+
+generateCA () {
+  if [[ -f "${DEPOT_PATH}/${CA_NAME}.crt" ]]; then
+    echo "CA \"${CA_NAME}\" already exists"
+    return
+  fi
+
+  echo "Generate root CA \"${CA_NAME}\""
+  certstrap_with_opts init --passphrase "" --expires "${EXPIRES}" --common-name "${CA_NAME}"
+}
+
+requestAndSignCertificate () {
+  local SERVICE=$1
+  echo "Create certificate request for ${SERVICE}"
+  #certstrap_with_opts request-cert --passphrase "" --key "${DEPOT_PATH}/${CA_NAME}.key" --key-bits "${KEY_BITS}" --common-name "${SERVICE}" --domain "${SERVICE}"
+  certstrap_with_opts request-cert --passphrase "" --key "${DEPOT_PATH}/${CA_NAME}.key" --key-bits "${KEY_BITS}" --common-name "${SERVICE}"
+  echo "Sign certificate request for ${SERVICE}"
+  certstrap_with_opts sign --passphrase "" --expires "${EXPIRES}" --CA "${CA_NAME}" "${SERVICE}"
+}
+
+generateCA
+
+SERVICES=${SERVICES//,/$'\n'}
+for SERVICE in $SERVICES
+do
+  requestAndSignCertificate "${SERVICE}"
+done
diff --git a/tunneld-server.md b/tunneld-server.md
@@ -0,0 +1,60 @@
+# mmatczuk/go-http-tunnel server!
+
+## Server
+
+- Download release 2.1 for your architecture https://github.com/mmatczuk/go-http-tunnel/releases/tag/2.1
+- Move `tunneld` to `/usr/local/bin/tunneld`
+- Create user `useradd -r tunneld`
+- Create `/etc/tunneld`
+- Download `generateCertificates.sh` and `chmod +x generateCertificates.sh`
+- Generate your certificates `./generateCertificates.sh YOUR-CA-NAME hostname-of-your-tunnel-server,clientname1,clientname2`
+    - You can always come back and generate additional certificates..
+- Move the server certificate, server key and ca certificate to `/etc/tunneld`. Name them `ca.crt`, `server.crt` and `server.key`
+- Download the `clients` file to `/etc/tunneld/clients`
+- `chown -R tunneld:tunneld /etc/tunneld`
+- Download the `tunneld.service` to `/etc/systemd/system/tunnel.service`
+    - If you want http tunneling, change the parameters to `/usr/local/bin/tunneld` accordingly and maybe put the http stuff behind a proxy server
+- `systemctl daemon-reload`
+- `systemctl enable tunneld`
+- `systemctl start tunneld`
+
+## Client
+
+- Download [https://github.com/mmatczuk/go-http-tunnel/releases/tag/2.1](https://github.com/mmatczuk/go-http-tunnel/releases/tag/2.1) matching your clients architecture
+- Extract tunnel binary to `/usr/local/bin/tunnel`
+- Create user tunnel `useradd -r tunnel`
+- Create `/etc/tunnel` and copy tls certificate files there
+- Create `/etc/tunnel/tunnel.yml`
+
+      server_addr: YOUR-SERVER-HOSTNAME:5223
+      tls_crt: /etc/tunnel/client.crt
+      tls_key: /etc/tunnel/client.key
+      root_ca: /etc/tunnel/ca.crt
+      tunnels:
+        ssh:
+          proto: tcp
+          addr: localhost:22
+          remote_addr: 0.0.0.0:2222
+
+- `chown -R tunnel:tunnel /etc/tunnel`
+- `tunnel -config /etc/tunnel/tunnel.yml id` to show your client id, you have to add this one to the allowed clients (`/etc/tunneld/clients`) on the server
+- Create `/etc/systemd/system/tunnel.service`
+
+      [Unit]
+      Description=tunnel
+      Documentation=https://github.com/mmatczuk/go-http-tunnel
+
+      [Service]
+      User=tunnel
+      Group=tunnel
+      ExecStart=/usr/local/bin/tunnel -config /etc/tunnel/tunnel.yml start-all
+
+      # systemd.exec
+      ProtectHome=yes
+      ProtectSystem=full
+
+      [Install]
+      WantedBy=multi-user.target
+
+- `systemctl enable tunnel`
+- `systemctl start tunnel`
diff --git a/tunneld.service b/tunneld.service
@@ -0,0 +1,22 @@
+[Unit]
+Description=tunneld
+Documentation=https://github.com/mmatczuk/go-http-tunnel
+
+[Service]
+Environment="CA=/etc/tunneld/ca.crt"
+Environment="CERT=/etc/tunneld/server.crt"
+Environment="KEY=/etc/tunneld/server.key"
+Environment="TUNNELADDR=YOUR-HOSTNAME:5223"
+EnvironmentFile=/etc/tunneld/clients
+User=tunneld
+Group=tunneld
+ExecStart=/usr/local/bin/tunneld -rootCA ${CA} -tlsCrt ${CERT} -tlsKey ${KEY} -httpsAddr "" -httpAddr "" -tunnelAddr ${TUNNELADDR} -clients ${CLIENTS}
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+
+# systemd.exec
+ProtectHome=yes
+ProtectSystem=full
+
+[Install]
+WantedBy=multi-user.target
No results found