RDP Tunnels
Rationale
I love the persistence of a host machine! I’m too cheap to get a VPS. I really like the Windows 11 OS but really love Mac laptops. I left 3389 open on my router (with DDNS) and found myself getting brute forced. I saw this post around the same time, and realized tunnelling could be a great alternative.
Assumptions
General Assumptions
I wrote this for my situation. While setting it up, I found there was not a central guide, so I made one. If it doesn’t perfectly fit your situation, hopefully a part of it will help.
Assumptions About You
- You have administrator access to both machines
- You are comfortable with the command line on both systems
- You have VSCode installed on both machines
- You’re aware of the concept of SSH
- You have a Cloudflare account and a website there
- You’re using brew
Assumptions About This Guide
- I’ve got example.com on my Cloudflare account (I don’t, obvs)
- My tunnel is named wormhole
- My tunnel id is 123455677890asdf
- My macOS username is me
Host Setup
Windows Setup
- get pwsh (I used winget)
PS> winget install Microsoft.PowerShell
- At the time of writing, should be v7.2
- install chocolatey from https://chocolatey.org/ (the semicolon after -Force is part of the official one-liner)
PS> Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
- install cloudflared via chocolatey
PS> choco install cloudflared
- login
PS> cloudflared login
- you may need to manually open the link in the output and select the site you’d like to add the tunnel to
- create a tunnel
PS> cloudflared tunnel create wormhole
- setup cloudflared as a service
PS> cloudflared service install
PS> mkdir C:\Windows\System32\config\systemprofile\.cloudflared
- create a config
PS> code C:\Windows\System32\config\systemprofile\.cloudflared\config.yml
- example (the catch-all http_status:404 entry keeps anything other than wormhole.example.com from reaching the host):
tunnel: 123455677890asdf
credentials-file: C:\Windows\System32\config\systemprofile\.cloudflared\123455677890asdf.json
ingress:
  - hostname: wormhole.example.com
    service: ssh://localhost:22
  - service: http_status:404
- set the service to start automatically, point it at the config above, and publish the DNS record for the tunnel
PS> Set-Service -Name Cloudflared -StartupType "Automatic"
PS> Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\Cloudflared\ -Name ImagePath -Value "C:\ProgramData\chocolatey\lib\cloudflared\tools\cloudflared.exe --config=C:\Windows\System32\config\systemprofile\.cloudflared\config.yml tunnel run"
PS> cloudflared tunnel route dns wormhole wormhole.example.com
- add a non-admin user (for ssh only). Enter a password when prompted
PS> New-LocalUser -Name me-ssh
- set pwsh as the default shell for ssh sessions
PS> New-ItemProperty -Path "HKLM:\SOFTWARE\OpenSSH" -Name DefaultShell -Value "C:\Program Files\PowerShell\7\pwsh.exe" -PropertyType String -Force
- create the ssh user’s .ssh directory to house authorized_keys
PS> mkdir C:\Users\me-ssh\.ssh
- modify sshd_config
PS> code C:\ProgramData\ssh\sshd_config
- enable publickey authentication by uncommenting this line
PubkeyAuthentication yes
- setup sshd & ssh-agent as automatic services, and start them
PS> Set-Service -Name sshd -StartupType "Automatic"; Set-Service -Name ssh-agent -StartupType "Automatic"; Start-Service sshd; Start-Service ssh-agent
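Before moving to the client, it is worth confirming the host actually ended up in the state the steps above describe. The following script is an added example, not part of the original post or of cloudflared: it is a read-only audit that checks the cloudflared config, the three services, the sshd settings and the ssh-only account, and exits non-zero if anything is off. The tunnel id, tunnel name and user name are the guide's assumed values (123455677890asdf, wormhole, me-ssh).

```powershell
# Added verification script (not part of the original post): a read-only check that the
# Windows host is in the state the setup steps describe. Run it in an elevated pwsh.
# Tunnel id, tunnel name and user are the guide's assumed values; change them to yours.
$ErrorActionPreference = 'Stop'
$cfgDir   = 'C:\Windows\System32\config\systemprofile\.cloudflared'
$cfgFile  = Join-Path $cfgDir 'config.yml'
$tunnelId = '123455677890asdf'     # printed by `cloudflared tunnel create wormhole`
$sshUser  = 'me-ssh'

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Check, [bool]$Ok, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Ok = $Ok; Detail = $Detail })
}

# 1. cloudflared config: names the right tunnel, has its credentials, and the ingress
#    publishes ONLY ssh://localhost:22 (any other service line widens what the tunnel exposes).
if (Test-Path $cfgFile) {
    $cfg = Get-Content $cfgFile -Raw
    Add-Finding 'config.yml names the tunnel' ($cfg -match "(?m)^tunnel:\s*$tunnelId\s*$") $cfgFile
    Add-Finding 'credentials file present' (Test-Path (Join-Path $cfgDir "$tunnelId.json")) "$tunnelId.json"
    $services = [regex]::Matches($cfg, '(?m)^\s*-?\s*service:\s*(\S+)') | ForEach-Object { $_.Groups[1].Value }
    $extra = @($services | Where-Object { $_ -notin @('ssh://localhost:22', 'http_status:404') })
    Add-Finding 'ingress exposes only ssh' ($extra.Count -eq 0) ($services -join ', ')
} else {
    Add-Finding 'config.yml present' $false $cfgFile
}

# 2. cloudflared, sshd and ssh-agent must all be Automatic and Running.
foreach ($name in 'Cloudflared', 'sshd', 'ssh-agent') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    $ok  = [bool]$svc -and $svc.Status -eq 'Running' -and $svc.StartType -eq 'Automatic'
    Add-Finding "service $name automatic+running" $ok ('{0}/{1}' -f $svc.Status, $svc.StartType)
}

# 3. The cloudflared service must run with the systemprofile config (the ImagePath edit).
$imagePath = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Cloudflared' -ErrorAction SilentlyContinue).ImagePath
Add-Finding 'cloudflared ImagePath uses config.yml' ($imagePath -like "*--config=$cfgFile*") "$imagePath"

# 4. sshd: public-key auth is on and ssh sessions land in pwsh.
$sshd = @(Get-Content 'C:\ProgramData\ssh\sshd_config' -ErrorAction SilentlyContinue)
Add-Finding 'PubkeyAuthentication yes' (@($sshd -match '^\s*PubkeyAuthentication\s+yes').Count -gt 0) 'sshd_config'
$shell = (Get-ItemProperty 'HKLM:\SOFTWARE\OpenSSH' -ErrorAction SilentlyContinue).DefaultShell
Add-Finding 'DefaultShell is pwsh' ($shell -like '*\pwsh.exe') "$shell"

# 5. The ssh-only account exists, is enabled and is NOT a local administrator. Windows OpenSSH
#    reads administrators' keys from a different file, so the per-user authorized_keys the
#    guide relies on only works for a non-admin account.
$user   = Get-LocalUser | Where-Object { $_.Name -eq $sshUser }
$admins = @((Get-LocalGroupMember -Group 'Administrators').Name)
Add-Finding "$sshUser exists and is enabled" ([bool]$user -and $user.Enabled) "$user"
Add-Finding "$sshUser not in Administrators" ($admins -notcontains "$env:COMPUTERNAME\$sshUser") ($admins -join ', ')
Add-Finding "$sshUser has a .ssh directory" (Test-Path "C:\Users\$sshUser\.ssh") "C:\Users\$sshUser\.ssh"

$findings | Format-Table -AutoSize
if ($findings | Where-Object { -not $_.Ok }) { Write-Warning 'One or more checks failed'; exit 1 }
```

Run it once after the steps above and again any time cloudflared or OpenSSH is updated: package upgrades have a habit of resetting service start types and the ImagePath, which silently takes the tunnel down.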
Client Config
MacOS
- install cloudflared with brew (make sure your developer tools are up to date first)
$> brew install cloudflare/cloudflare/cloudflared
- to confirm install
$> cloudflared -v
- Login (just like on the host setup)
$> cloudflared login
- cloudflared prints:
A browser window should have opened.
If the browser failed to open, please visit the output URL directly in your browser.
- Select the site you want to log in to
- after selecting you’ll see in the terminal
You have successfully logged in. If you wish to copy your credentials to a server, they have been saved to: /Users/yourusername/.cloudflared/cert.pem
- next, update your SSH client config
$> code ~/.ssh/config
- add the following (on Apple Silicon, Homebrew installs to /opt/homebrew/bin; use whatever `which cloudflared` prints as the ProxyCommand path)
Host *.example.com
  ProxyCommand /usr/local/bin/cloudflared access ssh --hostname %h
- now you can ssh into the box directly
$> ssh me-ssh@wormhole.example.com
- But let’s take this further for RDP and setup local forwarding. While this session is open, point your RDP client at 127.0.0.1:56789 and it lands on the host’s 3389 over the tunnel
$> ssh -L 56789:127.0.0.1:3389 me-ssh@wormhole.example.com
- Setup a pub key and add it to the host. The remote side runs pwsh, so the piped key arrives in $input; the single quotes keep your local shell from expanding it
$> cat ~/.ssh/id_rsa.pub | ssh me-ssh@wormhole.example.com '$input | Out-File -FilePath ~/.ssh/authorized_keys -Append'
Further thoughts
- Connect to the tunnel from the client machine on startup https://mpharrigan.com/2016/05/17/background-ssh.html
- Remove the password from the newly created user
- Change default ports (ssh, RDP)
- Restrict RDP access to 127.0.0.1 only
- Create host and client scripts to just take care of all of this
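Three of the items above (key-only login for the new user, loopback-only RDP, scripting the host side) can be done together on the host. The script below is an added example, not code from the original post: it edits sshd_config so sshd listens only on loopback, refuses passwords and only admits me-ssh, validates the file before restarting the service, and scopes Windows' built-in Remote Desktop firewall rules to 127.0.0.1 so the listener is reachable only through the SSH forward. The "remove the password" idea is implemented here as "sshd never accepts one", rather than by blanking the Windows account password. It assumes the built-in OpenSSH Server capability (sshd.exe under System32\OpenSSH) and the guide's user name me-ssh; both are assumptions to adjust.

```powershell
# Added hardening script (not from the original post). Run in an elevated pwsh on the host
# AFTER the client's key is in authorized_keys, because it switches sshd to key-only logins.
# Assumes the built-in OpenSSH Server capability (sshd.exe under System32\OpenSSH) and the
# guide's user name me-ssh; adjust both for your setup.
$ErrorActionPreference = 'Stop'
$PSNativeCommandUseErrorActionPreference = $false   # we check sshd's exit code ourselves
$sshdConfig = 'C:\ProgramData\ssh\sshd_config'
$sshdExe    = "$env:SystemRoot\System32\OpenSSH\sshd.exe"
$sshUser    = 'me-ssh'

# Drop every live or commented copy of $Key and write the wanted value(s) BEFORE the first
# "Match" block: Windows' default sshd_config ends with "Match Group administrators", and a
# directive such as ListenAddress appended after it is a syntax error that stops sshd.
function Set-SshdDirective {
    param([string]$Path, [string]$Key, [string[]]$Values)
    $lines = @(Get-Content $Path | Where-Object { $_ -notmatch "^\s*#?\s*$Key(\s|$)" })
    $idx = 0
    while ($idx -lt $lines.Count -and $lines[$idx] -notmatch '^\s*Match\b') { $idx++ }
    $before = if ($idx -gt 0) { $lines[0..($idx - 1)] } else { @() }
    $after  = if ($idx -lt $lines.Count) { $lines[$idx..($lines.Count - 1)] } else { @() }
    $new = @($before) + @($Values | ForEach-Object { "$Key $_" }) + @($after)
    Set-Content -Path $Path -Value $new
}

Copy-Item $sshdConfig "$sshdConfig.bak" -Force     # rollback copy

# 1. Only cloudflared on this box ever talks to sshd, so stop listening on any other address.
Set-SshdDirective $sshdConfig 'ListenAddress' @('127.0.0.1', '::1')
# 2. Key-only logins: sshd refuses passwords outright, which also ends password guessing
#    through the tunnel.
Set-SshdDirective $sshdConfig 'PasswordAuthentication' 'no'
Set-SshdDirective $sshdConfig 'PubkeyAuthentication' 'yes'
# 3. Only the dedicated non-admin account may authenticate.
Set-SshdDirective $sshdConfig 'AllowUsers' $sshUser

# Validate before restarting: a broken sshd_config would take the RDP tunnel down with it.
& $sshdExe -t -f $sshdConfig
if ($LASTEXITCODE -ne 0) {
    Copy-Item "$sshdConfig.bak" $sshdConfig -Force
    throw 'sshd_config failed validation; original restored, nothing restarted'
}
Restart-Service sshd

# 4. RDP: keep Windows' own "Remote Desktop" allow rules but limit them to loopback. The
#    forwarded session (ssh -L 56789:127.0.0.1:3389 ...) reaches 3389 from 127.0.0.1, so the
#    tunnel keeps working while no LAN or Internet host can reach the listener.
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -RemoteAddress 127.0.0.1

# 5. Confirm: port 22 should now be listed only on 127.0.0.1 and ::1.
Get-NetTCPConnection -State Listen | Where-Object { $_.LocalPort -in @(22, 3389) } |
    Select-Object LocalAddress, LocalPort,
        @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess).ProcessName } } |
    Format-Table -AutoSize
```

After this, a scanner hitting the router sees neither 22 nor 3389, the only way in is a key held by the Mac, and the Windows Security event log will show failed logons only from 127.0.0.1 (i.e. through cloudflared), which makes the brute-force noise from the original setup easy to spot if it ever reappears.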
Belvedere
I recently created name-on using the DotNetCore command line tools and VS Code. It was surprisingly easy, and I love scaffolding from the command line.
I also recently got my WSL setup working, which involved setting fish as my default shell, and revisiting some of the functions I have made in the past.
My quick experience with the DNC CLI seemed like the perfect thing to functionalize. I like having a standard structure to my apps:
- class library
- command line
- web app / API
- test project
DNC has the concept of templates and extensions, but what can I say, I wanted to write this with fish. So I did.
I picked the name belvedere by looking up scaffolding in a thesaurus. Apparently it’s a “raised turret atop a house,” and comes from 1590s Italian.
Belvedere will create all the necessary projects, with the correct intra-project references, a solution, gitignore, and README. It also initializes a git repo and commits the created files.
You can find the code here: https://github.com/clintcparker/fish_functions/blob/master/belvedere.fish
Name-on
But Y tho?
I needed a unique name generator, so I built one.
I had used the Heroku unique-name generator before, when building bad ideas. I loved how it removed a mental hurdle from getting something out the door; coming up with a name. Personally, I’m horrible at naming things, so this was a necessity. I don’t want to get hung up on picking a good name, and the defaults are equally as bad (ConsoleApplication23, anybody?).
I’d also been wanting to get back to dot net core. The last time I had played around with it, they were still using the dnx command line tool and project.json files. So this project seemed small enough, and valuable enough, to actually keep me on task for the duration of v1.
The command line
I was stoked to be able to layout the project structure from the command line. I’m just so much more optimistic about a tool when there’s a CLI behind it. Even if I’ll never script it, the idea that i could is very appealing.
I scaffolded the whole project via the dotnet new and dotnet add commands. I was also able to build and test in the same manner. It was a nice break from VS 2017.
Structure
I found lists of adjectives and nouns online. And thanks to some recent practice with regex crosswords, quickly stripped everything but the words themselves.
I added some tests for uniqueness, which is about 99.985%. I also added protection for never getting the same name twice in a row.
I was able to create a CLI for OS X, which came in handy when publishing to Azure, and needing names for everything.
For the web app the dotnet help lists a template called razor with the description “mvc with razor pages.” I’ve used the Razor syntax since it debuted, and thought, “of course I want razor, not aspx.” Apparently though, Razor Pages is a new thing. I actually really liked it for building the web app component. I still created a controller for the API, but was happy I stumbled onto this new paradigm.
I really went over the top with the completeness. Azure for hosting. Custom domain through NameCheap. SSL through CloudFlare.
Next Steps
The README has a roadmap, which includes packaging the CLI and improving the site. PRs are welcomed.
Adventures in vs Extension Updates
While at //build I was inspired to update my extensions to support VS 2017. I meant to do it last year, but got distracted. The process was really simple, and is outlined on the new hotness that is MS Docs. It took me about 10 minutes to get it all configured and tested. But then…I was sidelined by my CI config.
For some reason, my AppVeyor builds were failing. They were clearly pulling the latest from my repo, but for some reason, the nuget restore stopped working. I probably should’ve googled the issue, and I think I did, but I was asking the wrong questions. I finally gave up and manually configured the build via the GUI, and then exported that config to YAML. When I went to do the next extension, I finally realized what the problem was. I used the exact same exported YAML, and got the exact same initial errors with the nuget restore.
Googling “appveyor not using yaml” led me to this help article. I still don’t understand why permissions were an issue to read the appveyor.yml, when it was clearly reading an updated csproj file. But I do now have extensions that support VS 2017.
Data Driven
This video absolutely changed my life. My friend and mentor showed it to me in the beginning of 2015. The early experiences of Etsy immediately resonated with me. And the concept of geometric growth being outside of the control of the business was something that I had never before considered, but absolutely made sense.
Don’t pick projects based on what’s cool, pick projects that make sense to the company.