Being in the remote administration business is a strange beast and offers lots of challenges, but when you are working for multiple clients sometimes connecting to the servers can be challenging enough. Here’s a little idea that I had this morning that may save someone some grief, so I thought I would jot it down for all to see.
One of the issues I have connecting to some clients revolves around my Linux desktop. Sure, I can connect to many VPN devices using vpnc or other tools, but in some cases client policy prohibits such reasonable behaviour due to a) single-vendor plugins; b) bad Java or plugin issues; c) host-checking software; or d) antivirus requirements that do not recognize Linux agents. My problem is that I do not want to administer Unix servers from a Windows system, it’s just … wrong. Like, fundamentally wrong. (On cue, someone I know is calling me a zealot.)
Conventional wisdom would dictate that I need to run a Windows VM, open the VPN client, and then connect using Putty or similar. Sure this works. It works fine. Except that some VMs do not interact with the clipboard properly, and I prefer to connect from my linux console because that’s where all my tools are. When I am documenting tickets I rely heavily on being able to seamlessly get things from my console to my documents without having the third party involved. I want to be able to work on all systems the same way, because it improves efficiency. That and the fact that I would rather use less Windows than more.
The solution I came up with is simplistic, but allows me to use the Windows VPN client, and bypass Windows for everything else. Basically a DIY VPN jump box. All you need is a Windows VM, and Cygwin. It’s just crazy enough to work, and does!
Here’s what you do.
- Start your Windows VM. (Don’t have one already? Check out VirtualBox. Installing it is out of scope.)
- Log in with an administrator account if you are running Windows XP. Win7 and Vista users can log in as a normal user, provided you have rights to run things as administrator.
- Verify the IP of your VM. This means you will need to use bridged networking, none of this will work with NAT type of networking so caveat emptor.
- Grab the cygwin installer from the Cygwin site. You should also check out the license if you are into that sort of thing.
- Run the installer; Win7 and Vista users should right-click on the program and “Run as administrator”. Documentation on the installer can be found in the network setup help section. You should be able to take the defaults for most of it. It does an annoying thing where it asks you for a location to download the packages, and it defaults to c:\Program Files\Mozilla; I changed it to my Download folder.
- When you get to the “Choose a download site” (aka mirror) list, choose one that is close to you. If you have no preference then any of the mirrors should work, but speed may vary depending on geographic proximity or network link speed at the mirror.
- The next screen is the package selection screen. It looks daunting, but here is what you need to get this working.
- In the search box type openssh. This will narrow down the package selection to one group, called Net.
- Click the + next to the word Net to expand the group.
- In the New column there should be a Skip with a little circley-arrowy icon next to it. Click on the circley-arrowy icon, which will replace one of the n/a columns with a selected box (in the bin column). Now sshd will be selected for install.
- If you need any other special packages, like telnet, you can search for them here. Incidentally, to get telnet you need to search for inetutils.
- Now follow the defaults and wait for Cygwin to complete the install. This could take a while.
Post Cygwin install
There are a few steps you’ll need to do manually now to get the ssh daemon running.
- If you do not have a password for your Windows user then set one up now (and have someone swat you on the nose with a rolled up newspaper. Bad SA. Bad.). ssh needs a password to work.
- Start a cygwin bash session either by using the desktop icon if you chose to create one, or using the link under Start menu->Programs->Cygwin. Win7 and Vista users, right click on the console icon and select ‘Run As Administrator’ the first time.
- In the console, run the following command to set up the ssh host keys and whatnot. This could take a while as well, so don’t get discouraged and ^C in the middle of it like I did. This process also sets the service to start on boot; if you do not want it to start automatically, you will need to disable it manually.
- When you get back to a prompt, follow it up with this, which turns on the service immediately. Net savings: 10+ clicks!
cygrunsrv -S sshd
- If you are running Win7, Vista or any sort of firewall program you will need to allow port 22, or program C:\Cygwin\usr\sbin\sshd.exe.
Reap the benefits
- Connect to your Windows VM desktop.
- Start the VPN client and connect to the VPN.
- ssh into your Windows VM using the IP you found in the pre-flight check.
- Now ssh or telnet into the system on the client end of the VPN tunnel.
- You could even ssh tunnel through the VM for GUI jumps or web access.
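The “ssh into the VM, then ssh or telnet onward” sequence above, and the tunnelling idea in the last item, can be collapsed into a client-side ssh_config so the Linux console reaches the far end in one hop. The script below is an added example, not code from the original post; it generates that config fragment with OpenSSH’s ProxyJump and LocalForward directives and binds every forwarded port to 127.0.0.1 so other machines on the bridged LAN cannot ride the tunnel. The IP address, user name, key path and target hosts are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): turn the Cygwin sshd VM into an
# OpenSSH jump host for the Linux desktop. Everything below is a placeholder.

JUMP_IP="${JUMP_IP:-192.0.2.10}"                # bridged IP of the Windows VM (constructed)
JUMP_USER="${JUMP_USER:-winuser}"               # Windows account that Cygwin sshd logs in (constructed)
JUMP_KEY="${JUMP_KEY:-$HOME/.ssh/id_jumpvm}"    # key used instead of the Windows password (constructed)

# Validate one forward spec of the form localport:remotehost:remoteport.
# Returns 1 if the local port is missing, non-numeric or out of range.
check_forward() {
  lp="${1%%:*}"
  rest="${1#*:}"
  case "$lp" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$lp" -ge 1 ] && [ "$lp" -le 65535 ] || return 1
  # the remainder must still look like host:port
  case "$rest" in
    *:*) return 0 ;;
    *)   return 1 ;;
  esac
}

# Print an ssh_config fragment.
#   $1 = alias for the target, $2 = target host as seen from inside the VPN,
#   remaining args = forwards as localport:remotehost:remoteport
jump_config() {
  alias_name="$1"; target="$2"; shift 2
  printf 'Host jumpvm\n'
  printf '    HostName %s\n' "$JUMP_IP"
  printf '    User %s\n' "$JUMP_USER"
  printf '    IdentityFile %s\n' "$JUMP_KEY"
  printf '    IdentitiesOnly yes\n'
  printf '\n'
  printf 'Host %s\n' "$alias_name"
  printf '    HostName %s\n' "$target"
  printf '    ProxyJump jumpvm\n'       # ssh hops through the VM transparently
  for fwd in "$@"; do
    check_forward "$fwd" || { echo "bad forward spec: $fwd" >&2; return 1; }
    lp="${fwd%%:*}"
    rest="${fwd#*:}"
    # Explicit loopback bind: the tunnel is usable only from this desktop.
    printf '    LocalForward 127.0.0.1:%s %s\n' "$lp" "$rest"
  done
}

# Usage: print a config that reaches a client host behind the VPN and
# forwards local 13389 to its remote desktop port and local 1521 to its
# database listener (both hosts constructed).
jump_config clientdb 10.10.0.5 13389:10.10.0.5:3389 1521:10.10.0.5:1521
```

Append the output to ~/.ssh/config, then `ssh clientdb` opens the forwards and a shell on the far side through the VM. The fragment uses a key pair for the hop into the VM so the Windows account password from the Cygwin setup is never typed over the wire; the matching change on the Cygwin side is to disable password logins in sshd once the key works.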
Hopefully someone will find this useful other than me. It’s so simple I really don’t know why I did not think of it before, but I think it’s probably because I only have one or two VPNs with soft clients. Some people have many more. I plan to play with it a bit to see how low I can set the resource allocation to the VM. I think I can probably cut a Win7 VM down to 256MB with the right combination of settings and still have good results because in this case I only care about network. I’ll let you know how it turns out.
In my last job, I used this technique to tunnel remote desktop and 1521 from our main client’s (Windows) servers through a Windows VM to my Linux laptop. The client had a Checkpoint VPN that I could not connect to directly. Btw, the tunneled remote desktop was snappy compared to using it in the VM. I could not stand the latter anymore and was really happy when I finally found that tunneling trick. As things happen, I left the company soon afterwards, though.