I need to work remotely and need to connect to a company network from my work Mac over the internet. How do I set this up? I have looked at different software for example OpenVPN and Tunnelblick. But not sure how to go about it. Any suggestions? Advice?
If your work Mac has a restricted firewall and speed is your concern, you can try shadowsocks-libev to bypass the firewall. It is primarily designed to bypass the GFW and is used by millions of sneaky users. It is so fast that no VPN can compete with it.
For your work device (server side)
brew install shadowsocks-libev
# ss-server and ss-local installed
# create a server with listening port 3333
# sudo may be required
ss-server -p 3333 -m chacha20 -k your_password -u
For your client (home device)
brew install shadowsocks-libev
# apt install shadowsocks-libev
# sudo may be required
ss-local -s WORK_IP -p 3333 -b 127.0.0.1 -l 1080 -k your_password -m chacha20 -u
This creates a SOCKS5 proxy at 127.0.0.1:1080. Make sure "your_password", port "3333" and the encryption method "chacha20" match on both sides.
Set your home device's (client side) SOCKS5 proxy to 127.0.0.1:1080. Done.
Test IP
# With proxy, this would show your work Mac's IP
curl -x socks5h://localhost:1080 ifconfig.co/json
# without proxy
curl ifconfig.co/json
On the client side, a GUI version is also recommended for beginners. An open source mobile version is also available.
This is a demo only. For security reasons, do not put any password on the command line. Use -c config.json instead.
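Added example (not code from the answer above): the -c config.json form the answer recommends, as a shell script that writes a matching server and client config with a freshly generated password, keeps the files owner-readable only, and checks the invariant the answer states (password, port and method identical on both sides). The keys are the shadowsocks-libev config.json fields. Assumed, not from the page: the work IP and output directory are passed as arguments, and the method defaults to chacha20-ietf-poly1305, an AEAD method, rather than the unauthenticated stream cipher chacha20 used in the commands above.

```shell
#!/bin/sh
# Added example, not part of the original answer: generate matching
# shadowsocks-libev configs so no password appears on a command line.
# Assumed: OUTDIR and WORK_IP as arguments; port 3333; AEAD method.
set -eu

# ss_make_configs OUTDIR WORK_IP [PORT] [METHOD]
ss_make_configs() {
    outdir="$1" work_ip="$2" port="${3:-3333}" method="${4:-chacha20-ietf-poly1305}"
    # 24 random bytes, base64: generated once here, shared by both files only.
    password="$(head -c 24 /dev/urandom | base64 | tr -d '\n')"
    (
        umask 077   # the files hold the secret: owner-readable only
        # Server side (work Mac): listen on all interfaces, TCP and UDP
        # (the -u of the ss-server line above is "mode": "tcp_and_udp").
        cat > "$outdir/server.json" <<EOF
{
    "server": "0.0.0.0",
    "server_port": $port,
    "password": "$password",
    "method": "$method",
    "timeout": 300,
    "mode": "tcp_and_udp"
}
EOF
        # Client side (home device): local SOCKS5 on 127.0.0.1:1080.
        cat > "$outdir/client.json" <<EOF
{
    "server": "$work_ip",
    "server_port": $port,
    "local_address": "127.0.0.1",
    "local_port": 1080,
    "password": "$password",
    "method": "$method",
    "timeout": 300,
    "mode": "tcp_and_udp"
}
EOF
    )
}

# ss_field FILE KEY: pull one string or number value out of the JSON
# (flat file written above, so sed is enough; no jq dependency).
ss_field() {
    sed -n "s/^ *\"$2\": *\"\{0,1\}\([^\",]*\)\"\{0,1\},\{0,1\}$/\1/p" "$1"
}

# ss_configs_match OUTDIR: exit 0 only if port, password and method agree
# on both sides and the password is non-empty; this is the check the
# answer asks you to do by eye.
ss_configs_match() {
    for key in server_port password method; do
        [ "$(ss_field "$1/server.json" "$key")" = "$(ss_field "$1/client.json" "$key")" ] || return 1
    done
    [ -n "$(ss_field "$1/client.json" password)" ]
}
```

Usage: ss_make_configs ~/ss 203.0.113.10, copy server.json to the work Mac and run ss-server -c server.json there, and ss-local -c client.json at home; the same curl -x socks5h://localhost:1080 test as above applies.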
You can try this: vpn client
You should ask your admins to set up a VPN account for you. After that you can connect with a VPN client (of your choosing; you could use Barracuda) and the provided credentials. Hope to have helped.
Since you brought up OpenVPN and Tunnelblick I should probably point out that
Tunnelblick is a free, open source graphic user interface for OpenVPN on macOS
Therefore Tunnelblick is probably going to be your app of choice.
Again, since you clearly are looking at OpenVPN I should point out there are two editions in circulation at the moment: commercial and community. I don't see any reason why you should pick commercial edition as your setup seems to be pretty simple. You probably will end up with a checklist of following things to do:
set up an OpenVPN server in your company network (windows, linux, pc, mac, raspberry pi - range of supported platforms is very extensive)
on the server generate keys for your client(s) (or use pre-shared secret as described in quick start below)
write and securely transport .ovpn config files (you can embed keys in there for simplicity) over to your mac
import the .ovpn file into your Tunnelblick and start
The official quick start guide is probably the best place to start quick.
There's a whole bunch of other things that you (or more likely, your workplace network admin) will have to sort out. Just to name a few: routing and NAT, an IP address/domain name for the OpenVPN server, firewall rules on the machines you connect to.
But covering it all here without knowing your specifics will be problematic.
You should use AnyDesk or a VNC server to connect to your machine remotely. It's easy to use.
Your problem is not what you need to do on your Mac. What you do on the Mac-side is only half of any viable solution.
What you need to find out is what ways of connecting to the "company network" are provided by the company? Is anyone able to connect to the company network from a non-Mac computer? Does the company have any IT staff? Or do you have auth/means of changing their network configuration?
First of all, what type of control do you need? If we're talking about files and stuff like that then you should run a SSH server on your mac. More about that here (stackoverflow.com\superuser.com) and here (apple.com).
Another way to do that is to run remote control software (for example, TeamViewer), but it's laggy and unstable.
I was in the same situation as you a few months ago and used Tunnelblick on macOS, which worked perfectly fine.
Since you are going to connect to your company network, I suggest you configure a VPN server and client to do that. I have configured the OpenVPN community edition to do that. The steps are:
Server side configuration
- Log in as root: sudo su
- Install OpenVPN and Easy-RSA: apt-get install openvpn easy-rsa
- Copy the server.conf from the samples to /etc/openvpn:
  gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf
- Edit server.conf:
  - Check that Diffie-Hellman is set to 2048: dh dh2048.pem
  - Uncomment push "redirect-gateway def1 bypass-dhcp"
  - Uncomment push "dhcp-option DNS 10.0.2.100" or put in any other DNS server you want; the default setting is OpenDNS.
- Set up IP forwarding: echo 1 > /proc/sys/net/ipv4/ip_forward
  - Also edit /etc/sysctl.conf, uncomment the line and set net.ipv4.ip_forward=1. This persists IP forwarding across reboots.
- Set up ufw (Uncomplicated Firewall, a frontend to iptables):
  - ufw allow ssh
  - ufw allow 1194/udp
  - Edit /etc/default/ufw and set DEFAULT_FORWARD_POLICY to ACCEPT.
  - Edit /etc/ufw/before.rules and add the following lines near the top (10.8.0.0/24 is the VPN subnet from the sample server.conf; ens4 is the server's outbound interface):
    *nat
    :POSTROUTING ACCEPT [0:0]
    -A POSTROUTING -s 10.8.0.0/24 -o ens4 -j MASQUERADE
    COMMIT
  - ufw enable
  - Run ufw status and check that the rules are set up properly.
- Set up the RSA keys:
  - cp -r /usr/share/easy-rsa/ /etc/openvpn/
  - mkdir /etc/openvpn/easy-rsa/keys
  - Edit /etc/openvpn/easy-rsa/vars and change KEY_COUNTRY etc., and set KEY_NAME="server"
  - Generate the Diffie-Hellman PEM file: openssl dhparam -out /etc/openvpn/dh2048.pem 2048
  - cd /etc/openvpn/easy-rsa/
  - . ./vars
  - ./clean-all
  - ./build-ca
  - ./build-key-server server
  - cd keys && cp server.crt server.key ca.crt /etc/openvpn
  - At this point your /etc/openvpn should contain server.key, server.crt, ca.crt and dh2048.pem
- Start OpenVPN: service openvpn start
- Generate the client config:
  - Copy the client config from the samples: cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client/client.ovpn
  - Generate the client keys: cd /etc/openvpn/easy-rsa && ./build-key client. This generates the client.crt and client.key files.
  - Copy client.crt, client.key and ca.crt to ~/client.
  - Edit client.ovpn:
    - Edit the entry "remote my-server-1 1194" and put the IP/hostname of the VPN server in place of my-server-1.
    - At the end, append "auth-user-pass"
    - On a new line, add an opening <ca> tag, append the contents of /etc/openvpn/ca.crt, then a closing </ca> tag.
    - Append an opening <cert> tag, the contents of client.crt, and a closing </cert> tag.
    - Append an opening <key> tag, the contents of client.key, and a closing </key> tag.
    - Comment out the lines "remote-cert-tls server" and "tls-auth ta.key 1"
    - Uncomment "user nobody" and "group nogroup".
  - Save the file and download it to your Mac client securely.
Client side configuration
Download the OpenVPN macOS client
(https://openvpn.net/vpn-server-resources/connecting-to-access-server-with-macos/).
Import the .ovpn file mentioned earlier.
Connect using this client.
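Added example covering the client-side checklist in the Tunnelblick/OpenVPN answer and the hand-edited client.ovpn steps in the answer above; it is not code from either answer. It assembles the single-file .ovpn (inline ca/cert/key) from the files the server steps leave in ~/client and sanity-checks it before import. It assumes the server host and the certificate directory are passed as arguments. Two deliberate differences from the steps above, for a practitioner: it keeps remote-cert-tls server (the cert from ./build-key-server carries the serverAuth extended key usage, and this directive is what stops another client-cert holder from impersonating the server), and it omits auth-user-pass because the server steps configure no username/password check. If the server also has a tls-crypt key, it is inlined too.

```shell
#!/bin/sh
# Added example, not code from the answers above: build a single-file
# client .ovpn with inline <ca>/<cert>/<key> and check it before import.
# Assumed: SERVER_HOST in $1; ca.crt, client.crt, client.key and an
# optional ta.key in the directory given as $2. Names are illustrative.
set -eu

# build_ovpn SERVER_HOST CERT_DIR  > client.ovpn
build_ovpn() {
    remote="$1"; dir="$2"
    for f in ca.crt client.crt client.key; do
        [ -r "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 1; }
    done
    cat <<EOF
client
dev tun
proto udp
remote ${remote} 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# Kept on purpose: ./build-key-server issues the server cert with the
# serverAuth EKU, and this line makes the client refuse any other cert,
# so another holder of a client cert cannot pose as the VPN server.
remote-cert-tls server
verb 3
EOF
    # Inline the PEM files so only one file has to travel to the Mac.
    printf '<ca>\n%s\n</ca>\n' "$(cat "$dir/ca.crt")"
    printf '<cert>\n%s\n</cert>\n' "$(cat "$dir/client.crt")"
    printf '<key>\n%s\n</key>\n' "$(cat "$dir/client.key")"
    # Optional: if the server has a tls-crypt key (openvpn --genkey --secret
    # ta.key on 2.4, "tls-crypt ta.key" in server.conf), inline it as well;
    # it encrypts and authenticates the control channel, so unauthenticated
    # packets are dropped before the TLS handshake is reached.
    if [ -r "$dir/ta.key" ]; then
        printf '<tls-crypt>\n%s\n</tls-crypt>\n' "$(cat "$dir/ta.key")"
    fi
}

# ovpn_inline_ok FILE: 0 when each inline block is opened and closed
# exactly once and the server-cert check is still present.
ovpn_inline_ok() {
    f="$1"
    for tag in ca cert key; do
        [ "$(grep -c "^<$tag>\$" "$f")" = 1 ] || return 1
        [ "$(grep -c "^</$tag>\$" "$f")" = 1 ] || return 1
    done
    grep -q '^remote-cert-tls server$' "$f"
}
```

Usage on the server: build_ovpn vpn.example.com ~/client > ~/client/client.ovpn && ovpn_inline_ok ~/client/client.ovpn, then copy client.ovpn to the Mac over scp or another authenticated channel and import it into Tunnelblick. The private key is inside the file, so treat it like the key itself.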
I am running apps on Compute Engine. I run on a Windows box and use PuTTY to connect to the CE. This pretty much seems to work fine (leaving aside the problems in the Google doc on this).
I have set up another user who I want to enable for SSH (on a Mac) and have her use FileZilla to push files to the CE.
I am trying it out on my own Mac. I set up 2 firewall rules with 2 different priorities for tcp:22 =
myssh Apply to all IP ranges: 0.0.0.0/0 tcp:22 Allow 1000 default
default-allow-ssh Apply to all IP ranges: 0.0.0.0/0 tcp:22 Allow 65534 default
The user has the following permission on the Project: "Compute Instance Admin (v1)"
On the Mac terminal I do the following:
ssh-keygen -t rsa -f ~/.ssh/userfirstname-ssh-key -C [googleusername.gmail.com]
I go to the GCP CE Meta data (logged in as myself) and then copy the contents of the userfirstname-ssh-key.pub to the Metadata/SSH Keys and save.
After GCP gives the ok on the key being added I enter the following in the Mac terminal:
ssh -i [userfirstname]-ssh-key [googleusername.gmail.com]@gcp-external-ip
Depending on i-don't-know-what, sometimes it says "Permission denied (public key)", "Operation timed out"
I've repeated this a few times and just tried to telnet in to the gcp-external-ip and get "Operation timed out" telnet: Unable to connect to remote host.
At a complete loss. Please help.
You could (and should) use the gcloud command line tools. Then it is easiest to simply copy the correct gcloud command from the Web Console. There is a little drop-down menu next to 'SSH' for each of your instances.
I have 2 Linux Servers (with LAMP):
Web Server with SSL (https://www.example.com)
Admin Server (needs to connect to Web Server, via https)
When I connect from the Admin Server to the Web Server via the curl command, it is refused. When I use curl with the --cacert option, it goes through, like this:
# curl --cacert CAchain.crt -I https://www.example.com
HTTP/1.1 200 OK
..
I'm getting 200 OK only because of --cacert CAchain.crt.
Obviously I need the pure/basic curl command, without specifying --cacert, to work, like:
# curl -I https://www.example.com
HTTP/1.1 200 OK
..
So that my Admin Application will for sure be able to connect to it (via https).
But now, when I connect to https://www.example.com from the Admin Server (via its application), it bounces back: not able to reach it with SSL.
How do I make my Linux (RHEL) install the CA cert inside, so that I can automatically avoid specifying the cert file and any communication to "https://www.example.com" via curl or a web browser (from Admin) just goes through? (Is it something like the "SSH without keys" logic? But how, please?)
You need to add the CA cert to somewhere that curl can use it - it looks like you're just keeping it in your local directory (which isn't where curl looks for it - typically in some /etc/pki/ssl/ca-bundle.crt-type location). There's a handful of ways to do this. I don't have much experience doing it in RHEL (or CentOS), but have done it for Debian.
This ServerFault Post might help.
Likewise, This Post might help you install/import the CA cert properly.
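Added example for the RHEL case the answer above says it has not done itself; it is not the answer's own code. The first function is the RHEL/CentOS/Fedora mechanism: drop the chain into the ca-trust anchors directory and regenerate the bundle curl reads, after which plain curl -I https://www.example.com verifies. The other functions show offline what "trusted" means here, with a constructed throwaway CA and a leaf for www.example.com: the same leaf passes openssl verify against its CA file and fails against the default store, which is exactly the difference between the asker's two curl invocations. Assumed: CAchain.crt is the file passed to --cacert in the question; the demo certs are generated locally and are not the asker's.

```shell
#!/bin/sh
# Added example, not code from the original answer.
# Assumed: CAchain.crt is the chain from the question; the anchors path
# and update-ca-trust are the RHEL-family trust-store mechanism.
set -eu

# install_ca_rhel CAchain.crt   (run as root on the Admin Server)
install_ca_rhel() {
    cp "$1" /etc/pki/ca-trust/source/anchors/
    update-ca-trust extract
    # Afterwards /etc/pki/tls/certs/ca-bundle.crt (what curl and most
    # system clients read) includes the chain; no --cacert is needed.
}

# chain_trusted LEAF.crt [CAFILE]: 0 when LEAF verifies against CAFILE,
# or against the default store when CAFILE is omitted; 1 otherwise.
# This is the check curl performs before it sends the request.
chain_trusted() {
    if [ "$#" -ge 2 ]; then
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    else
        openssl verify "$1" >/dev/null 2>&1
    fi
}

# make_demo_pki DIR: constructed throwaway CA plus a leaf for
# www.example.com, so the check above can be exercised without a server.
make_demo_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=Example Internal CA" \
        -keyout "$1/ca.key" -out "$1/CAchain.crt" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=www.example.com" \
        -keyout "$1/www.key" -out "$1/www.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -sha256 -in "$1/www.csr" \
        -CA "$1/CAchain.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -out "$1/www.crt" >/dev/null 2>&1
}
```

On Debian/Ubuntu the equivalent is a .crt in /usr/local/share/ca-certificates/ followed by update-ca-certificates. Either way, only add a CA you actually control or have verified: everything in that store can issue certificates the whole system will accept.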
I am having a problem with my server and so far couldn't find any solution for this. When I try to add a server from Server Manager (Windows Server 2012) I only see the Kerberos security error. Both servers are in the same domain (I have tried from several servers in the domain and got the same error).
The strange thing is that when I unjoin the problematic server from the domain and rejoin it with another name, it works normally. But the problem is to make it work with the existing name. Any help will be highly appreciated.
Thanks in advance.
Late reply, but I've just encountered the same error and hope this solution proves useful to others.
Situation: I had to wipe and reinstall a virtual server on which I'd previously had to set some Service Principal Names, and some SPNs for a service account. Turns out the SPNs were still there for the old server/account and I had to remove them.
I recommend checking for and removing rogue SPNs to resolve this. Use the following commands in an elevated command prompt:
setspn -l <servername/username>
In my case I had problems with MBAM, the BitLocker admin tool, so for example I used:
setspn -l mbam01
Which gave me the output (changed names to protect the innocent):
Registered ServicePrincipalNames for CN=MBAM01,OU=Member Servers,DC=corp,DC=domainname,DC=com:
termserv/mbam01.corp.domainname.com
termserv/mbam01
http/mbam01.corp.domainname.com
http/mbam01
HOST/MBAM01
HOST/mbam01.corp.domainname.com
This will list the SPNs associated with the server or user account. Then you remove the errant SPNs with this command:
setspn -d <listed service> <servername/username>
In my case it turned out the mbamapppool user had http/mbam01 and http/mbam01.corp.domainname.com associated with it, causing Server Manager to fail to poll the server. I removed the http/ refs from the user and then added them to the server with the following commands:
setspn -d http/mbam01 corp\mbamapppooluser
setspn -d http/mbam01.corp.domainname.com corp\mbamapppooluser
setspn -s http/mbam01 mbam01
setspn -s http/mbam01.corp.domainname.com mbam01
I then refreshed Server Manager and it polled the server successfully, and the Kerberos Security Error had gone.
I've just successfully built SparkleShare for Windows according to the guide:
https://github.com/wimh/SparkleShare/wiki
and exported my ssh public key to a server.
The problem is that I can't connect from a client behind an http_proxy to a public server with ssh running on a custom port. I also had problems cloning from any git server. I need to switch from the git:// protocol to http://. Any suggestions? Does anyone have similar experience?
This is a log file:
15:25:13 [SSH] ssh-agent started, PID=4380
Identity added: C:\Users\MYUSER\AppData\Roaming\sparkleshare\sparkleshare.MYEMAIL.key (C:\Users\sg0922706\AppData\Roaming\sparkleshare\sparkleshare.MYEMAIL.key)
15:25:34 [Fetcher][C:\Users\MYUSER\Documents\SparkleShare.tmp\share] Fetching folder: ssh://MYGITUSER@MYHOST/MYPATH
15:25:34 [Fetcher] Disabled host key checking MYHOST
15:25:34 [Cmd] git clone --progress "ssh://MYGITUSER@MYHOST/MYPATH" "C:\Users\MYUSER\Documents\SparkleShare.tmp\share"
15:25:37 [Git] Exit code 128
15:25:37 [Fetcher] Failed
15:25:37 [Fetcher] Enabled host key checking for MYHOST
To get SparkleShare to use your proxy you will need to modify the config of the msysgit that is installed as part of SparkleShare. Navigate to C:\Program Files (x86)\SparkleShare\msysgit\etc, edit the gitconfig file in Notepad and add the following line under the [http] tag:
proxy = http://user:pass@proxyurl:port
modifying the url as required to match your settings. You can then use the "On my own server" option to add the http url of your repository.
I have a workaround for this particular problem. I guess that you have already successfully connected to your server via a simple SSH client (e.g. PuTTY)? With PuTTY you can easily configure an SSH connection via any kind of proxy (such as HTTP, SOCKS, Telnet, ...).
What you can do now is specify a local "tunnel" (an SSH port forwarding rule) like this: L22 127.0.0.1:22 (see attachment). If you are using the ssh command line, add the following option: -L 22:127.0.0.1:22.
So now, as soon as your terminal is open and running, you'll be able to reach your git server via the server URL: ssh://git@127.0.0.1.
If your local port 22 is busy you can define the tunnel on another port, e.g. if port 44 is not occupied: L44 127.0.0.1:22. The URL to use in SparkleShare becomes ssh://git@127.0.0.1:44.
But it's a work around. I'm looking for a better solution.
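Added example, not code from either answer above, for the OpenSSH side of the same problem (SSH to a custom port through an HTTP proxy, then git over it). The first function emits a ~/.ssh/config stanza that does what the PuTTY proxy page does: the connection is sent through an HTTP CONNECT via ProxyCommand, with the custom port and host-key checking kept on, so the git URL can simply name the alias and no tunnel is needed. The other two functions produce the exact -L invocation and the rewritten ssh://git@127.0.0.1:PORT/... URL for the tunnel workaround in the last answer, including the custom-port case. Assumed: an OpenBSD-style netcat (macOS, Debian's netcat-openbsd) for the CONNECT; host, port and proxy values are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original answers.
# Assumed: OpenBSD netcat for "nc -X connect"; placeholder hosts/ports.

# ssh_proxy_stanza ALIAS HOST PORT PROXYHOST:PROXYPORT
# Prints a Host block to append to ~/.ssh/config. With it in place,
# "git clone ssh://git@ALIAS/PATH" goes through the proxy directly.
ssh_proxy_stanza() {
    cat <<EOF
Host $1
    HostName $2
    Port $3
    User git
    ProxyCommand nc -X connect -x $4 %h %p
    # Keep host-key checking on: the proxy sits in the path and must not
    # be able to hand you a different host unnoticed.
    StrictHostKeyChecking yes
EOF
}

# tunnel_url SSH_URL LOCALPORT: rewrite ssh://user@host[:port]/path into
# the form SparkleShare needs once the local tunnel is up. Port 22 is
# left implicit, as in the workaround above; other ports are spelled out.
tunnel_url() {
    rest="${1#ssh://}"
    userpart="${rest%%@*}"
    hostpath="${rest#*@}"
    case "$hostpath" in
        */*) path="/${hostpath#*/}" ;;
        *)   path="" ;;
    esac
    if [ "$2" = 22 ]; then
        printf 'ssh://%s@127.0.0.1%s\n' "$userpart" "$path"
    else
        printf 'ssh://%s@127.0.0.1:%s%s\n' "$userpart" "$2" "$path"
    fi
}

# tunnel_cmd SSH_URL LOCALPORT: the ssh -L command for that URL. The
# remote end of the forward is the server's own sshd port, which is the
# custom port when the URL carries one; -N keeps the session tunnel-only.
tunnel_cmd() {
    rest="${1#ssh://}"; rest="${rest#*@}"
    hostport="${rest%%/*}"
    host="${hostport%%:*}"
    case "$hostport" in
        *:*) port="${hostport##*:}" ;;
        *)   port=22 ;;
    esac
    printf 'ssh -N -L %s:127.0.0.1:%s -p %s %s\n' "$2" "$port" "$port" "$host"
}
```

Usage: ssh_proxy_stanza gitbox git.example.org 2222 proxy.corp:3128 >> ~/.ssh/config, then clone ssh://git@gitbox/srv/repo. If you stay with the tunnel, the ssh that opens it is itself subject to the same config, so the proxied Host alias and the -L forward combine.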