Creating an SSH tunnel without a password. This is useful for establishing secure connections on older versions of Linux which don't support OpenVPN.
This guide is based on the Linux VPN Setup guide in the knowledge database.
Generate the SSH key
Assuming a vpn user has been created and is the currently active user:
$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/vpn/.ssh/id_dsa):
Created directory '/home/vpn/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/vpn/.ssh/id_dsa.
Your public key has been saved in /home/vpn/.ssh/id_dsa.pub.
The key fingerprint is:
04:b0:6f:ff:2e:13:73:fb:aa:f1:d0:ee:3f:02:aa:b2 vpn@localhost.localdomain
$ mv .ssh/id_dsa.pub .ssh/authorized_keys
Copy /home/vpn/.ssh/id_dsa to a Windows machine and load it in PuTTYgen (also available on Linux), then use Save private key with no passphrase to write it out in PuTTY's own format. Use a filename such as client_key.PPK. Because the key has no passphrase, whoever holds the .PPK file can open the tunnel, so keep it readable only by the users who need it.
Test the key with Plink (also available on Linux):
plink.exe -N -C -2 -i brace_key.PPK vpn@60.240.47.233 -L 23:192.168.100.1:23
The Plink line above opens an SSH connection to the Bracey gateway; telnet connections to localhost:23 on the Windows PC are then forwarded to the Control server at 192.168.100.1 behind the gateway. If the Control server itself is reachable from the Internet on the SSH port (through a port forward on the gateway) but the client only has telnet, use the following line instead:
plink.exe -N -C -2 -i brace_key.PPK vpn@60.240.47.233 -L 23:127.0.0.1:23
This setup lets Bracey staff reach Control securely from outside with their Telnet-only TUN clients. Similar SSH connections have been set up to allow secure remote VNC connections.
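The key-generation step above leaves the vpn user's public key in authorized_keys with no options, so the passphrase-less key also grants an ordinary shell on the gateway. The following helpers, an added example and not part of the original guide, wrap such a key in standard OpenSSH authorized_keys options so that it can only carry the tunnel; the sample key line is constructed, and the script name restrict_key.sh is an assumption.

```shell
#!/bin/sh
# Added example, not from the original guide. Wraps the vpn user's public key
# with standard OpenSSH authorized_keys options so the passphrase-less key can
# only carry the port forward, not open a shell on the gateway.

# restrict_key PUBKEY_LINE TARGET...  -> prints one restricted authorized_keys line
#   command="/bin/false"   a client that asks for a shell gets nothing; plink -N
#                          never asks, so the tunnel itself is unaffected
#   no-pty, no-X11-forwarding, no-agent-forwarding   only port forwards remain
#   permitopen="host:port" the only -L destinations sshd will connect to
# (remote -R listeners cannot be narrowed this way; they can only be switched
#  off altogether with no-port-forwarding, which would also block -L)
restrict_key() {
    pubkey_line=$1
    shift
    opts='command="/bin/false",no-pty,no-X11-forwarding,no-agent-forwarding'
    for target in "$@"; do
        opts="$opts,permitopen=\"$target\""
    done
    printf '%s %s\n' "$opts" "$pubkey_line"
}

# unrestricted_keys FILE -> prints the entries in an authorized_keys file that
# carry no permitopen= option, i.e. keys whose holder is not limited to a tunnel
unrestricted_keys() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | grep -v 'permitopen=' || true
}

# Constructed sample key (shortened, not real key material) standing in for the
# id_dsa.pub that the guide moves into authorized_keys.
SAMPLE_KEY='ssh-dss AAAAB3NzaC1kc3MAAACBEXAMPLE vpn@localhost.localdomain'

if [ $# -eq 0 ]; then
    echo '# Bracey entry: only the telnet forward to Control is permitted'
    restrict_key "$SAMPLE_KEY" 192.168.100.1:23
    echo '# Gateway-to-itself variant for the second plink line'
    restrict_key "$SAMPLE_KEY" 127.0.0.1:23
else
    # sh restrict_key.sh /home/vpn/.ssh/authorized_keys  -> audit an existing file
    unrestricted_keys "$1"
fi
```

Run with no arguments to print the restricted entries to paste into /home/vpn/.ssh/authorized_keys on the gateway, or pass the path of an existing authorized_keys file to list the keys that still have unrestricted access.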
Mapping a printer back from the Control server
At Eurocollection the same method was used, but instead of port 23 we map the port their VNC session uses, 59xx where xx is the VNC session number. They also need to print to their docket printer, which is done by mapping a port back from the server to the local host with the -R switch. This command goes in a batch file that is run automatically when the computer starts:
plink.exe -N -C -2 -i bendigo_key.PPK vpn@61.9.150.170 -L 5910:127.0.0.1:5910 -R 6670:127.0.0.1:6670
This lets connections to port 5910 on the Windows computer map to the same port on the Control server, and port 6670 on the Control server maps back to the same port on the Windows computer. Now that the server has a way to write printouts back to the Windows computer, those bytes need to go to the printer. I have tried using netserial.exe (and netserial-quiet.exe) and it works fine even if it is to an LPT port and not a serial port. Set up another batch file that runs:
netserial-quiet.exe 6670 LPT1:
Place both batch files in the Startup folder (in the Start menu) so they run at startup. Since plink.exe leaves a command prompt window open, users should be told not to close it. On the Control site, from prnaad, just set up the printer as tcp:127.0.0.1:6670 (or whatever port you used). I have tried a few transactions with this setup and it seems to work fine. I did try to send them their docket logo by doing (from the Control server):
cat docketlogo.img | telnet 127.0.0.1 6670
The printer did not like that and printed a long roll of garbage. To send the docket logo properly, copy the logo file to the Windows computer and run:
copy /b docketlogo.img LPT1:
