tunnels to localhost and other ssh plumbing

                            __                              
.----.-----.--------.-----.|  |_.-----.--------.-----.-----.
|   _|  -__|        |  _  ||   _|  -__|        |  _  |  -__|
|__| |_____|__|__|__|_____||____|_____|__|__|__|_____|_____|

remotemoe - ssh plumbing all the things


What is it

remotemoe is a software daemon for exposing ad-hoc services to the internet without having to deal with the regular network stuff such as configuring VPNs, changing firewalls, or adding port forwards.

Common use-cases include:

  • Allow third-party services to access your web app while you're developing it.
  • Let containers expose themselves to the internet without having to change any infrastructure.
  • Quickly share a web app with a collaborator or team for review.
  • Allow your CI to run development branches that expose themselves for review.
  • Access remotely deployed Raspberry Pi's.

remotemoe doesn't require its users to install, trust, or run any third-party software. It uses plain old SSH, which is available everywhere these days.

How it works

Users connect to remotemoe with their regular ssh client, using the -R parameter to forward services; remotemoe then passes requests from the public internet back through those forwards.

In its purest form, users open a shell to remotemoe, passing on their local port 80.

$ ssh -R 80:localhost:80 remote.moe

Once opened, other people will immediately be able to access your localhost:80 by accessing xyz.remote.moe as if it were on the public internet.

What it's not

It's no SaaS; if you need a reliable service, you're probably going to have to run it yourself - any small cloud instance should do just fine...

Available for getting started and testing is remote.moe. It is provided with no guarantees and will run broken and unstable branches from time to time :)

Try remote.moe to get started

Use remote.moe if you are ready for a quick and dirty getting started experience. Assume you have a web server running on your local machine that listens for HTTP traffic on port 8080.

In a terminal, enter:

$ cd Pictures/; python -m SimpleHTTPServer 8080
Serving HTTP on 0.0.0.0 port 8080 ...

In another terminal, enter:

$ ssh -R80:localhost:8080 remote.moe
New to remotemoe? - try 'firsttime' or 'help' and start exploring!

http (80)
http://7k3j6g3h67l23j345wennkoc4a2223rhjkba22o77ihzdj3achwa.remote.moe/

$ 

That's pretty much all there is to it - all your nudes are now accessible on the URL that remotemoe spits out.

Next up is typing help to have a look at some of the other features. For instance, you could add a more human-friendly hostname, add HTTPS and SSH forwards, or look at the different ways to keep an ssh tunnel open.

Protocols

For convenience, remotemoe handles various types of protocols differently to make them easier to access:

HTTP

When typical HTTP ports are forwarded (80, 81, 3000, 8000 or 8080), remotemoe reverse proxies traffic from its HTTP server to the ssh tunnel.

Based on the incoming HTTP request's Host-header, it selects the appropriate ssh tunnel to use.

HTTPS

When typical HTTPS ports are forwarded (443, 3443, 4443, or 8443), remotemoe picks an SSH tunnel to route traffic to based on the Host-header, just as with HTTP.

HTTPS traffic, however, requires the forwarded service to talk TLS itself. remotemoe does no certificate validation on that leg, since nothing inside an SSH tunnel can present a publicly valid TLS certificate.
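The Host-header routing that the HTTP and HTTPS sections describe, as an added example written for this page against the Go standard library (it is not remotemoe's own code). It assumes a `Dialer` stand-in for the SSH channel remotemoe would open, two constructed hostnames (`alpha.remote.moe`, `beta.remote.moe`) and local `httptest` servers in place of the forwarded services; the port-to-protocol mapping is the one the README lists.

```go
package main

import (
	"context"
	"crypto/tls"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"strings"
	"sync"
)

// Protocol classifies a forwarded port using the port lists from the README.
func Protocol(port int) string {
	switch port {
	case 80, 81, 3000, 8000, 8080:
		return "http"
	case 443, 3443, 4443, 8443:
		return "https"
	case 22, 2022, 2222:
		return "ssh"
	}
	return "other"
}

// Dialer opens a connection to one client's forwarded service. In remotemoe this would
// open a channel on that client's SSH connection; the demo below uses plain TCP (assumption).
type Dialer func(ctx context.Context) (net.Conn, error)

// Router picks a tunnel from the request's Host header and reverse proxies into it.
type Router struct {
	mu      sync.RWMutex
	proxies map[string]*httputil.ReverseProxy
}

func NewRouter() *Router { return &Router{proxies: map[string]*httputil.ReverseProxy{}} }

// Add registers host (e.g. "xyz.remote.moe") as reachable through dial, speaking scheme.
// Each tunnel gets its own Transport on purpose: http.Transport pools idle connections,
// and a pool shared between tunnels could hand one client's connection to another's request.
func (r *Router) Add(host, scheme string, dial Dialer) {
	host = strings.ToLower(host)
	proxy := httputil.NewSingleHostReverseProxy(&url.URL{Scheme: scheme, Host: host})
	proxy.Transport = &http.Transport{
		// Whatever address the proxy asks for, the connection goes through this tunnel.
		DialContext: func(ctx context.Context, _, _ string) (net.Conn, error) { return dial(ctx) },
		// A service inside an SSH tunnel cannot present a publicly valid certificate,
		// which is why the README says the https leg does no certificate validation.
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
	}
	r.mu.Lock()
	r.proxies[host] = proxy
	r.mu.Unlock()
}

// hostOnly drops an optional :port from a Host header value.
func hostOnly(h string) string {
	if host, _, err := net.SplitHostPort(h); err == nil {
		return host
	}
	return h
}

// ServeHTTP is the public-facing side: unknown hosts get 502, known ones are proxied.
func (r *Router) ServeHTTP(w http.ResponseWriter, req *http.Request) {
	host := strings.ToLower(hostOnly(req.Host))
	r.mu.RLock()
	proxy, ok := r.proxies[host]
	r.mu.RUnlock()
	if !ok {
		http.Error(w, "no tunnel registered for "+host, http.StatusBadGateway)
		return
	}
	proxy.ServeHTTP(w, req)
}

// TCPDialer is the demo stand-in for an SSH channel: it dials a local address.
func TCPDialer(addr string) Dialer {
	return func(ctx context.Context) (net.Conn, error) {
		var d net.Dialer
		return d.DialContext(ctx, "tcp", addr)
	}
}

// Roundtrip sends one GET with the given Host header through the router.
func Roundtrip(r *Router, host string) (int, string, error) {
	req := httptest.NewRequest(http.MethodGet, "http://"+host+"/", nil)
	rec := httptest.NewRecorder()
	r.ServeHTTP(rec, req)
	body, err := io.ReadAll(rec.Result().Body)
	return rec.Code, string(body), err
}

// DemoRouter starts two constructed local "apps" and registers them under constructed
// hostnames; the returned func tears them down.
func DemoRouter() (*Router, func()) {
	app := func(name string) *httptest.Server {
		return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, q *http.Request) {
			fmt.Fprintf(w, "%s saw Host=%s", name, q.Host)
		}))
	}
	alpha, beta := app("alpha"), app("beta")
	r := NewRouter()
	r.Add("alpha.remote.moe", "http", TCPDialer(alpha.Listener.Addr().String()))
	r.Add("beta.remote.moe", "http", TCPDialer(beta.Listener.Addr().String()))
	return r, func() { alpha.Close(); beta.Close() }
}

func main() {
	r, done := DemoRouter()
	defer done()
	for _, h := range []string{"alpha.remote.moe", "beta.remote.moe:80", "nobody.remote.moe"} {
		code, body, _ := Roundtrip(r, h)
		fmt.Printf("%-20s -> %d %s\n", h, code, strings.TrimSpace(body))
	}
}
```

The original Host header is passed through to the forwarded app unchanged (including any `:port`), which is what lets the app behind the tunnel generate links for its public name; the per-tunnel `Transport` is the detail worth copying, since a single shared connection pool keyed on a common target would mix tenants.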

SSH

SSH does not support virtual hosts in the same manner as HTTP does, but there's a trick we can use: the -J ProxyJump parameter.

When typical SSH ports are forwarded (22, 2022 or 2222), remotemoe outputs a special ssh command which can reach the peer:

$ ssh -R22:localhost:22 remote.moe

ssh (22)
ssh -J remote.moe 7k3j6g3h67l23j345wennkoc4a2223rhjkba22o77ihzdj3achwa.remote.moe

$ 

ProxyJumping through remotemoe lets it see which host the client is trying to reach and, just like for HTTP(S) traffic, pick the appropriate tunnel to pass the connection on to.

By the way, ssh traffic is the most secure way of using remotemoe: you don't have to trust anyone but your remote endpoint. As long as you know your peer's host key fingerprint beforehand, there is no way remotemoe can intercept these ssh sessions even though they pass through it.

Other

remotemoe does not handle any other protocols for now. Forwards on other ports are still usable, but not directly reachable without going through SSH.

You could, for example, reach an SMTP service that was forwarded with ssh -R25:localhost:25 remote.moe by doing something along the lines of:

$ ssh -L25:7k3j6g3h67l23j345wennkoc4a2223rhjkba22o77ihzdj3achwa.remote.moe:25 remote.moe 

Notice -L instead of -R - this pulls the remote service to your localhost, and the remote SMTP service should now be accessible from localhost:25.

Running remotemoe

You will need

  • Some cloud instance, running ubuntu or similar
  • ... that has a public IP address
  • ... and a domain or subdomain with records appropriately configured
  • Knowledge of Golang and general systems administration :)

To run remotemoe, you need to:

  • Fetch this repo, build and move the executable to your instance or server
  • Create a service for running remotemoe, take inspiration from infrastructure/remotemoe.service
  • Ensure the hostname of the machine is set to your domain or subdomain.
  • Move OpenSSH out of the way; remotemoe wants to listen on port 22

This shall be automated in the future :)

Compared to Cloudflare's Argo Tunnels

Argo tunnels, and Cloudflare in general, do a lot of things that remotemoe does not, but one similarity is their trycloudflare.com service (https://blog.cloudflare.com/a-free-argo-tunnel-for-your-next-project/) where everyone can expose their web app through a tunnel.

Using their example, with Argo tunnels you are required to download their client and run:

$ cloudflared tunnel --url localhost:7000

a remotemoe equivalent would be:

$ ssh -R80:localhost:7000 remote.moe

remotemoe, and especially Cloudflare, do a lot more than this, but to highlight a few differences:

  • Cloudflare provides a massive Highly Available service at a cost - remotemoe does not.
  • Cloudflare requires you to create an account if you need to define hostnames or bring a custom domain - remotemoe does not.
  • remotemoe can be used as an SSH ProxyJump-host and is not limited to any specific protocol - any TCP port is reachable through remotemoe.
Comments
  • Mismatch between behavior and rfc4254

    This code tries to apply the same logic for both exec and pty-req requests. https://github.com/fasmide/remotemoe/blob/f745ed596a4ca6205b521c4fcea0cf45137ade0b/ssh/console.go#L33-L81

    It's a mess, and it violates 6.5. Starting a Shell or a Command which states:

       Once the session has been set up, a program is started at the remote
       end.  The program can be a shell, an application program, or a
       subsystem with a host-independent name.  Only one of these requests
       can succeed per channel.
    

    Also, exec requests are less useful at the moment as the command line never exits on its own, reducing scriptability.

    For example, let's say a remote script just wants to know its own FQDN:

    $ ssh remote.moe whoami
    euhf ... ehfuih.remote.moe
    <hang>
    

    There is no good way of knowing when the command is finished.

    opened by fasmide 2
  • ssh server forward

    Hi, I'm trying to connect to my ssh server through remote.moe. My server is on port 6868, so on that same server I run: ssh -R22:localhost:6868 remote.moe. It generates an address for me and I can connect from another device, but I can't access the shell of my system; I stay in the access, firsttime, etc. commands. Any idea what I'm doing wrong? Thanks in advance!

    opened by iecxiv 2
  • Abuse

    Today I received the following message from the remote.moe service hosting provider:

    Dear Mr Kristian Mide,
    
    We have received a notification regarding phishing from [[email protected]](mailto:[email protected]).
    
    Please check the notification for the details of the problem, and then resolve this issue as soon as possible.
    
    We also request that you send a statement within 24 hours to us and to the complainant. This statement should make it clear how the issue occurred, and what you have done to prevent it from happening again.
    
    How to proceed:
    - Solve the issue
    - Send us a statement by using the following link: <removed>
    - Send a response by email to the complainant
    
    The statement you send us will be checked by a staff member, who will then coordinate any further proceedings. If you fail to comply within the stated deadline, the IP may be locked.
    
    Important note:
    When replying to us, please leave the abuse ID [AbuseID:<removed>] unchanged in the subject line.
    
    Kind regards
    
    Abuse department
    
    Hetzner Online GmbH
    Industriestr. 25
    91710 Gunzenhausen / Germany
    Tel: +49 9831 505-0
    Fax: +49 9831 505-3
    [[email protected]](mailto:[email protected])
    [www.hetzner.com](http://www.hetzner.com/)
    
    Register Court: Registergericht Ansbach, HRB 6089
    CEO: Martin Hetzner, Stephan Konvickova, Günther Müller
    
    For the purposes of this communication, we may save some
    of your personal data. For information on our data privacy
    policy, please see: [www.hetzner.com/datenschutzhinweis](http://www.hetzner.com/datenschutzhinweis)
    
    
    > During an investigation of fraud, we discovered a compromised website (iu...2a.remote.moe) that is being used to attack our client and their customers.
    >
    > In addition to the website owner, we have addressed this report to the responsible authoritative providers who have the ability to disable the malicious content in question. Based on your relationship to the content in question, please see our specific request below.
    >
    > This threat has been active for at least 0.1 hours.
    >
    > hXXps://iuf..52a.remote.moe/
    >
    > First detection of malicious activity: 11-21-2022 12:12:44 UTC
    > Most recent observation of malicious activity: 11-21-2022 12:15:54 UTC
    > Associated IP Addresses:
    > 159.69.126.209
    >
    > ===   HOSTING  PROVIDER   ===
    > If you agree that this is malicious, we kindly request that you take steps to have the content removed as soon as possible.  It is highly likely that the intruder who set up this phishing content has also left additional fraudulent material on this server such as illegitimate access points.
    >
    > ===     WEBSITE OWNER     ===
    > We recommend taking the following actions to secure the web site and prevent the attackers from returning:
    >     - Update your web applications including CMS, blog, ecommerce, and other applications (and all add-on modules/components/plugins).
    >     - Search all of your web directories for suspicious files as attackers commonly leave backdoors.
    >     - Scan the computer from which you login to your web hosting control panel or ftp server with anti-virus software.
    >     - Change your web hosting provider if this is an ongoing issue.
    >
    > If your provider has disabled your account because of this incident, you must coordinate a resolution with them directly as PhishLabs has no control over this aspect.
    >
    > If we have contacted you in error, or if there is a better way for us to report this incident, please let us know so that we may continue our investigation.
    >
    > We are grateful for your assistance. 
    >
    >
    > Kind regards, 
    > SOC Team
    > PhishLabs Security Operations
    > 12023866001
    > Available 24/7
    >
    >
    > [PL-3342487]
    >
    

    I will try to explain to these guys what remotemoe is all about, but it might very well be the end of "remote.moe the service" (of course, not the software). But we will see how this plays out.

    Around that same time, it seems to be impossible to resolve the remote.moe domain - I have no idea if this is somehow related - maybe the PhishLabs guys also contacted one.com and made them deactivate the domain.

    To be continued...

    opened by fasmide 4
  • HTTPS

    Hi, I really like this tunneling method since it's free and one of the best you could get, but I noticed that I can't connect to HTTPS services even if the port is running on my PC and the remote server is also working. Is it a problem on my side, or does HTTPS only support specific servers or webpages?

    opened by thizYa5R 2
  • Restrict usage to authorized keys

    Hello,

    I wanted to restrict the use of the service so that any random public key cannot be used. I was not able to find any way of doing this so I implemented an "authorized keys" check in the pubkey callback.

    • Is there a way of doing something equivalent that I might have missed?
    • If not, would you be interested in a PR of this commit?
    opened by Oaz 3
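An "authorized keys" allow-list of the kind this issue describes, as an added example for this page (not the commit the issue refers to, and not remotemoe's code). It parses the OpenSSH authorized_keys line format with the standard library alone, so the key blobs are built by hand in SSH wire format; the raw key bytes and the `alice`/`mallory` names are constructed, and option prefixes such as `from=` are deliberately out of scope.

```go
package main

import (
	"bufio"
	"bytes"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"strings"
)

// sshString encodes b as an SSH wire-format string: uint32 length, then the bytes.
func sshString(b []byte) []byte {
	out := make([]byte, 4+len(b))
	binary.BigEndian.PutUint32(out, uint32(len(b)))
	copy(out[4:], b)
	return out
}

// ed25519Blob builds the public key blob an ssh client presents during publickey
// authentication; authorized_keys stores the same bytes base64-encoded.
func ed25519Blob(raw [32]byte) []byte {
	return append(sshString([]byte("ssh-ed25519")), sshString(raw[:])...)
}

// Fingerprint is the OpenSSH-style SHA256 fingerprint of a key blob.
func Fingerprint(blob []byte) string {
	sum := sha256.Sum256(blob)
	return "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:])
}

// AuthorizedKeys is the allow-list, keyed by fingerprint.
type AuthorizedKeys map[string]bool

// ParseAuthorizedKeys reads "<type> <base64-blob> [comment]" lines, skipping blanks and
// comments. Option prefixes (from=, command=, ...) are not handled here; a line that
// does not decode, or whose type disagrees with its blob, rejects the whole file.
func ParseAuthorizedKeys(text string) (AuthorizedKeys, error) {
	keys := AuthorizedKeys{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for n := 1; sc.Scan(); n++ {
		f := strings.Fields(sc.Text())
		if len(f) == 0 || strings.HasPrefix(f[0], "#") {
			continue
		}
		if len(f) < 2 {
			return nil, fmt.Errorf("line %d: expected '<type> <base64> [comment]'", n)
		}
		blob, err := base64.StdEncoding.DecodeString(f[1])
		if err != nil {
			return nil, fmt.Errorf("line %d: bad key encoding: %v", n, err)
		}
		// The blob starts with its own type string; it must agree with the first field.
		if !bytes.HasPrefix(blob, sshString([]byte(f[0]))) {
			return nil, fmt.Errorf("line %d: type %q does not match key blob", n, f[0])
		}
		keys[Fingerprint(blob)] = true
	}
	return keys, sc.Err()
}

// Allowed is the question a publickey callback asks before accepting a client.
func (a AuthorizedKeys) Allowed(blob []byte) bool { return a[Fingerprint(blob)] }

// SampleKeys returns a constructed authorized_keys file listing alice's key only,
// plus alice's and mallory's presented blobs. The raw key bytes are made up.
func SampleKeys() (file string, alice, mallory []byte) {
	var a, m [32]byte
	a[0], m[0] = 0xA1, 0x4D
	alice, mallory = ed25519Blob(a), ed25519Blob(m)
	file = "# constructed allow-list\n\nssh-ed25519 " +
		base64.StdEncoding.EncodeToString(alice) + " alice@laptop\n"
	return file, alice, mallory
}

func main() {
	file, alice, mallory := SampleKeys()
	keys, err := ParseAuthorizedKeys(file)
	if err != nil {
		panic(err)
	}
	fmt.Println("alice allowed:", keys.Allowed(alice))     // true
	fmt.Println("mallory allowed:", keys.Allowed(mallory)) // false
}
```

Matching on the fingerprint of the full wire-format blob (type included) rather than on the base64 text means the check is independent of whitespace, comments and the order of entries, and a key of a different type with the same raw bytes does not collide.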
  • self hosting -- cert issue

    Can you help me with a little readme on how to set up TLS certs with this binary?

    jlisfsg6odga64r3k4xivgrcrq.tunnel.xyz not found
    May 11 13:11:03 tunnel remotemoe[741]: 2022/05/11 13:11:03 http: TLS handshake error from 183.82.115.199:45382: 400 urn:ietf:params:acme:error:rejectedIdentifier: Error creating new order :: Cannot issue for "irwdcbzqprzif66tkifrsvhxsxjlisfsg6odga64r3k4xivgrcrq.tunnel": Domain name does not end with a valid public suffix (TLD)
    May 11 13:11:03 tunnel remotemoe[741]: 2022/05/11 13:11:03 http: TLS handshake error from 183.82.115.199:45384: acme/autocert: missing certificate
    May 11 13:11:03 tunnel remotemoe[741]: 2022/05/11 13:11:03 http: TLS handshake error from 183.82.115.199:45392: acme/autocert: missing certificate
    May 11 13:11:03 tunnel remotemoe[741]: 2022/05/11 13:11:03 http: TLS handshake error from 183.82.115.199:45390: acme/autocert: missing certificate
    
    opened by debianmaster 7
  • idea: stateless remotemoe

    I think it would be cool if remotemoe had no configuration state other than what its clients supply to it. Having run remote.moe (the service) for some time now, I've realized that its datastore needs some maintenance - it's filled with abandoned hostnames users added for testing - I would much rather it didn't store anything about its users.

    At the moment, to activate a custom hostname, remotemoe assumes the first user to ask for a particular hostname is the one who should own it from now on. Unless removed, other users cannot use it without acquiring the associated ssh keypair.

    This information is stored forever at the moment: it would be uncool if it were possible for others to steal each other's hostnames, especially since remotemoe may have asked Let's Encrypt for valid SSL certificates. So another solution is needed if remotemoe is to magically provide the same security over hostnames while not storing any data locally.

    I think this is achievable by dropping support for <custom-host>.remotemoe and forcing users to bring their own domains, which should have their DNS configured with CNAMEs to <their-public-key-hash>.remotemoe. remotemoe could look up this information to verify if a user should be allowed to use a particular hostname.


    opened by fasmide 1
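The CNAME-based ownership check this issue proposes, as an added example written for this page (not remotemoe's code). The `Resolver` type is a stand-in for `net.LookupCNAME` so the check can run offline against a constructed zone; the `alice`/`mallory` key blobs and `app.example.com` are constructed, and the way the per-key hostname is derived (lowercase unpadded base32 of SHA-256) is an assumption that matches the shape of the hostnames in the README, not something the page states.

```go
package main

import (
	"crypto/sha256"
	"encoding/base32"
	"fmt"
	"net"
	"strings"
)

// Resolver returns the canonical name of host, like net.LookupCNAME. It is a parameter
// so the check can be exercised offline against a constructed table.
type Resolver func(host string) (string, error)

// DNSResolver is the real thing for production use.
func DNSResolver(host string) (string, error) { return net.LookupCNAME(host) }

// TableResolver mimics net.LookupCNAME on a constructed zone: names with a CNAME map to
// it; any other name resolves to itself (LookupCNAME does the same when no CNAME exists).
func TableResolver(cnames map[string]string) Resolver {
	return func(host string) (string, error) {
		if c, ok := cnames[strings.ToLower(host)]; ok {
			return c, nil
		}
		return strings.ToLower(host) + ".", nil
	}
}

// KeyHostname derives the per-key hostname from a client's public key blob.
// ASSUMPTION: lowercase, unpadded base32 of SHA-256 (52 characters), which matches the
// shape of the hostnames shown in the README but is not something the page confirms.
func KeyHostname(pubkeyBlob []byte, zone string) string {
	sum := sha256.Sum256(pubkeyBlob)
	enc := base32.StdEncoding.WithPadding(base32.NoPadding)
	return strings.ToLower(enc.EncodeToString(sum[:])) + "." + zone
}

// VerifyCustomHost is the stateless ownership check the issue proposes: a client may
// serve customHost only if customHost is a CNAME to the hostname derived from that
// client's own key. Nothing about the user is stored; DNS, controlled by the domain
// owner, is the record, and whoever holds the private key behind pubkeyBlob gets the name.
func VerifyCustomHost(resolve Resolver, customHost string, pubkeyBlob []byte, zone string) error {
	want := KeyHostname(pubkeyBlob, zone)
	cname, err := resolve(customHost)
	if err != nil {
		return fmt.Errorf("lookup %s: %w", customHost, err)
	}
	got := strings.ToLower(strings.TrimSuffix(cname, "."))
	if got != want {
		return fmt.Errorf("%s resolves to %s, expected CNAME to %s", customHost, got, want)
	}
	return nil
}

func main() {
	alice := []byte("constructed alice public key blob")
	mallory := []byte("constructed mallory public key blob")
	zone := map[string]string{"app.example.com": KeyHostname(alice, "remote.moe") + "."}
	resolve := TableResolver(zone)
	fmt.Println("alice:", VerifyCustomHost(resolve, "app.example.com", alice, "remote.moe"))     // <nil>
	fmt.Println("mallory:", VerifyCustomHost(resolve, "app.example.com", mallory, "remote.moe")) // error
}
```

A name with no CNAME resolves to itself, which never equals a key hostname, so it is denied without a special case; the remaining trust question is DNS integrity, which is the domain owner's, not remotemoe's, to manage.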