hhf/ssh-tunneling
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
ssh-tunneling/README.md
hhf 434eaada9e Update README.md
2024-12-06 18:32:04 +05:30

190 lines
No EOL
4.6 KiB
Markdown
Raw Blame History

# SSH Tunneling Script
A robust bash script for managing SSH tunnels to enable bi-directional remote access through NAT networks. This script simplifies the process of setting up both reverse tunnels and local port forwarding with built-in logging, error handling, and automatic reconnection.
## Table of Contents
- [Features](#features)
- [Prerequisites](#prerequisites)
- [Installation](#installation)
- [Configuration](#configuration)
- [Usage](#usage)
- [Network Architecture](#network-architecture)
- [Troubleshooting](#troubleshooting)
- [Logging](#logging)
- [Security Considerations](#security-considerations)
## Features
- ✨ Bi-directional tunneling support
- 🔄 Automatic retry on connection failure
- 📝 Comprehensive logging system
- 🎨 Colorized console output
- 🔒 Connection testing and validation
- 💪 Robust error handling
- 🔌 Clean shutdown management
- ⚡ Keepalive connection maintenance
## Prerequisites
- Linux/Unix-based system
- SSH client installed
- `netcat` (nc) for port checking
- SSH access to a public-facing server
- Proper SSH key setup (recommended)
## Installation
1. Download the script:
```bash
curl -O https://your-domain.com/tunnel.sh
```
2. Make it executable:
```bash
chmod +x tunnel.sh
```
3. Move to a suitable location:
```bash
sudo mv tunnel.sh /usr/local/bin/tunnel.sh
```
## Configuration
Edit the following variables at the top of the script according to your setup:
```bash
SSHD_ADDRESS="user@example.com" # Public SSH server address
REMOTE_ADDRESS="192.168.1.100" # Remote computer's internal IP
LOCAL_RDP_PORT="3389" # Local RDP port
REMOTE_RDP_PORT="3389" # Remote RDP port
TUNNEL_PORT="2222" # Tunnel port on public server
SOCKS_PORT="8765" # Local SOCKS proxy port
LOG_FILE="/var/log/ssh-tunnel.log" # Log file location
KEEP_ALIVE="60" # SSH keepalive interval in seconds
MAX_RETRIES=3 # Maximum number of connection retries
```
## Usage
The script supports two modes of operation:
### 1. Reverse Tunnel with SOCKS Proxy
Run on the local computer to allow incoming connections and set up SOCKS proxy:
```bash
./tunnel.sh reverse
```
### 2. Local Port Forwarding
Run on the local computer to access remote services:
```bash
./tunnel.sh local
```
### Running as a Service
To run the script as a system service, create a systemd service file:
```ini
[Unit]
Description=SSH Tunnel Service
After=network.target
[Service]
ExecStart=/usr/local/bin/tunnel.sh reverse
Restart=always
User=your-username
[Install]
WantedBy=multi-user.target
```
Save as `/etc/systemd/system/ssh-tunnel.service` and enable:
```bash
sudo systemctl enable ssh-tunnel
sudo systemctl start ssh-tunnel
```
## Network Architecture
The script is designed for the following network setup:
```
[Local Computer] --> [NAT] --> [Public SSH Server] --> [NAT] --> [Remote Computer]
```
- Local Computer: Behind NAT, runs the script
- Public SSH Server: Internet-facing server with SSH access
- Remote Computer: Behind NAT, target for remote access
## Troubleshooting
### Common Issues
1. **Connection Refused**
- Check SSH server is running
- Verify firewall rules
- Ensure ports are not in use
2. **Permission Denied**
- Verify SSH key setup
- Check user permissions
- Review SSH server configuration
3. **Tunnel Fails to Establish**
- Check network connectivity
- Verify port availability
- Review SSH server logs
### Debug Mode
Run with debug output:
```bash
ssh -vv [your normal parameters]
```
## Logging
Logs are stored in `/var/log/ssh-tunnel.log` by default. The log includes:
- Connection attempts
- Tunnel establishment status
- Error messages
- Retry attempts
Example log output:
```
2024-12-06 10:15:23 [INFO] Testing SSH connection to user@example.com...
2024-12-06 10:15:24 [INFO] Setting up reverse tunnel and SOCKS proxy...
2024-12-06 10:15:25 [INFO] Reverse tunnel established (PID: 1234)
```
## Security Considerations
1. **SSH Keys**
- Use SSH keys instead of passwords
- Protect private keys with strong passphrases
- Regularly rotate SSH keys
2. **Port Selection**
- Avoid well-known ports
- Use high-numbered ports (>1024)
- Consider port knocking
3. **Access Control**
- Restrict SSH access by IP
- Use `AllowUsers` in SSH config
- Implement fail2ban
4. **Server Configuration**
```bash
# /etc/ssh/sshd_config
GatewayPorts clientspecified
AllowTcpForwarding yes
```
## Contributing
Contributions are welcome! Please feel free to submit a Pull Request.
## License
This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.
Reference in a new issue View git blame Copy permalink