How To: Tunnel/Proxy CCcam on UR with dropbear

ToneDeff

Had been wondering about the possibility for tunneling connections on my TM for a while, already had an ssh server setup for other things and stumbled across an ssh client used on some Enigma images that had the ability for remote port forwarding on certain versions.

using "dropbear" to connect to an ssh server you're able to hide your home i.p from cccam servers and also hide the data being sent from your isp.

here's a guide to how i got it working, it's definitely not for someone without a fair bit of linux experience, and you'll need a "Remote Server" that has SSH running.

-ftp DropBear.0.52-UR.tar.gz to /tmp/
-manual install from addons
-open telnet session to "UR"
-then enter ln -s /var/dropbear/bin/dropbearmulti /var/dropbear/ssh
-then connect to the remote server with /var/dropbear/ssh [email protected]/920

it will show

-press y
-then enter the ssh server password
-if it logs in ok then you can continue ;P
-type exit to get back to UR telnet

-get your clines
-now you need to create ssh login lines to forward those address through tunnel
-once you have lines ready enter them into telnet to "UR"
-/var/dropbear/ssh -f [email protected]/920 -L 12000:server.no-ip.biz:12000
do the same login procedure as first time, after password you will get put back to "UR" telnet
-enter any other lines you need after changing tunnel port and server
-/var/dropbear/ssh -f [email protected]/920 -L 22001:server2.no-ip.biz:12001
-you can now close telnet session.

-now open cccam.cfg and edit the clines to

if it all worked it should clear now :Fish:


hope that makes some kind of sense, at least it will remind me how to do it when i forget :proud:

i only use cccam as a client not sure if dropbear would be able to accept incoming request from the remote i.p to share a local out, although it might be possible with right settings i didn't look into that side.

i think it will work with any CAM's as all the tunneling etc is done by dropbear and is forced by what address you set CAM to use.

p.s
you need to reconnect ssh tunnels after rebooting box.

-open telnet session to "UR"
-/var/dropbear/ssh -f [email protected]/920 -L 12000:server.no-ip.biz:12000
-/var/dropbear/ssh -f [email protected]/920 -L 22001:server2.no-ip.biz:12001
-enter passwords then close telnet.

p.p.s
"dropbearmulti" contains all the ssh server etc, all i have tested and being used in this is the ssh client.
 
just realised you don't need to start multiple tunnels to tunnel multiple ports you can add them to a single connection

e.g

/var/dropbear/ssh -f [email protected]/920 -L 12000:server.no-ip.biz:12000
/var/dropbear/ssh -f [email protected]/920 -L 22001:server2.no-ip.biz:12001

could actually be done with just

/var/dropbear/ssh -f [email protected]/920 -L 12000:server.no-ip.biz:12000 -L 22001:server2.no-ip.biz:12001

p.s
think i've figured out how to tunnel back the other way for "cccam servers", so client could connect to port on the "remote" ssh server and get forwarded back to your home network, i'll do some tests and hopefully post guide in a bit.
 
well think i'm going to give up on the reverse port, using this

/var/dropbear/ssh -f [email protected]/920 -R 16002:localhost:16001

will forward port 16002 on the "remote" ssh server back to port 16001 on your local network "without needing any ports opened on home network", but that only works when connecting through ssh on "localhost:16002"

i can't get it to work with the "remote" ssh servers external i.p. i use my ssh server for a lot of other stuff and don't want to go breaking it when i don't need this functioning myself :)

this method would work if both cccam client/server are connected to the same ssh server, and client uses "localhost" as cccam serv.
 
this method should work for client/server both using the same ssh server, i'm unable to test it though. would mean that the only place traffic isn't hidden in an ssh tunnel is within "remote" ssh server.

server and client don't need any ports forwarded on their home networks and only port that needs to be open on remote server is the one for ssh...

e.g
server box uses : links "localhost:31000" on the remote ssh server back through tunnel to port *12000 on cccam box. *change if not using default cccam port

clients box use : links "localhost:12000" on client TM through tunnel to "localhost:31000" on remote ssh server.

client then uses cline

i think on the fline restriction you could also limit it just to "localhost" or "127.0.0.1" not sure about how that works though.

Edit:
just realised not much to worry about fline restrictions if the port is closed :)
 
with this command

/var/dropbear/ssh root@my_ssh_server/22

it's ok. i can login as root on my_ssh_server
but when i type

/var/dropbear/ssh -f root@my_ssh_server/22 -L 22000:my_db_server:18000

i received this message

/var/dropbear/ssh: exited: command required for -f

what's the problem?
 
only way i'm able to get that error is by doing it with no extra commands e.g

"/var/dropbear/ssh -f [email protected]/920" gives error

but

"/var/dropbear/ssh -f [email protected]/920 -N"
"/var/dropbear/ssh -f [email protected]/920 -L 12000:server.no-ip.biz:12000"

etc, i can't get that error so not sure what's going on, possibly try

"/var/dropbear/ssh -f root@my_ssh_server/22 -L 22000:my_db_server:18000 -N"

the error is coming from "-f" which is the option to keep tunnel alive on box after you close telnet, and the error is saying it has no commands to keep alive.

also "/var/dropbear/ssh root@my_ssh_server/22 -L 22000:my_db_server:18000" then test it without closing telnet session.

p.s
i wouldn't leave remote ssh on default port no matter how secure you think pass is ;P
 
Interesting but I can't see too many people having access to a remote ssh server to connect to. Why not try and set up a standard PPTP or L2TP tunnel to one of the fairly cheap (few £ per month) VPN providers.

There's loads of linux source for such clients so it shouldn't be too difficult to compile one for a linux stb.
 
the UR image is fairly limited i couldn't find a way to get any VPN client running without editing image.

i already had ssh running and being used for tunneling on remote dedicated server, and didn't want to break it trying to install VPN server on there, didn't really expect many people to use this but thought i might as well post as i had managed it, if only for my own usage when i forget how i did it.

also you can get a VPS server with ssh access pretty easily, probably about the same or cheaper than most VPN providers.
 
Hi ToneDeff
with this command it works for me

/var/dropbear/ssh -L 22000:my_db_server:18000 root@my_ssh_server/22

but i must type my_ssh_server's password before then a tunnel was created and remote to my_db_server
how can i solve this problem?
 
without the "-f" that tunnel will close as soon as you close telnet on PC.

and i'm not sure of a way to make it auto log in.
 
Here is one way to auto log-on (no password)
If you have a linux/Unix/Cygwin machine
1. Create a pair of keys
ssh-keygen -t dsa -b 1024
2. Copy the two key files(id_dsa and id_dsa.pub) from ~/.ssh
scp -p ~/.ssh/id_dsa* root@dropbear_ssh_server:~/.ssh/.
3. Log on to "dropbear_ssh_server"
4. Convert files
dropbearconvert openssh dropbear ~/.ssh/id_dsa ~/.ssh/id_dropbear
5. To start a tunnel to "my_ssh_server" from "dropbear_ssh_server"
ssh -f -L 22000:my_db_server:18000 root@my_ssh_server -i ~/.ssh/id_dropbear

-Ramesh
 
you tested this on a TM600/UR ? when i tried to get auth keys working it needed /.ssh/ dir in root and the UR image didn't have it.
 
Hey,

very interesting. Can you help me, to only stealth the Server? Clients should connect to the SSH Address in C-Line and Server make tunnel to SSH Server.

- Server tunnel to SSH in example 195.122.134.1
- Clients use C-Line: C: 195.122.134.1 port username pass
- Server F-Lines: F: username pass

Is this possible?

Greets
 
I answer myself, yes it is possible. Up and it is running great.
 
/var/dropbear/ssh -f root@my_ssh_server/22 -L 22000:my_db_server:18000

i received this message

/var/dropbear/ssh: exited: command required for -f

what's the problem?

Just realised i missed a command/option from the original post....

it should have "-N" at the end of ssh command e.g
/var/dropbear/ssh -f root@my_ssh_server/22 -L 22000:my_db_server:18000 -N
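
Two points from this thread, several -L forwards on one connection and -N being needed alongside -f, combined in an added example that is not part of any post above. The helper names build_tunnel_cmd and valid_port are hypothetical; the binary path and host names are the ones used in the thread.

```shell
#!/bin/sh
# Added example: compose ONE dropbear client command from several forwards.
# SSH_BIN is the symlink created in the first post; helper names are hypothetical.
SSH_BIN=/var/dropbear/ssh

# valid_port N: succeeds only if N is an integer in 1..65535
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# build_tunnel_cmd user@host/port lport:host:rport [lport:host:rport ...]
# Prints the command line. Returns 2 on missing arguments, 1 on a malformed
# forward or a local port listed twice (the second listener could not bind).
build_tunnel_cmd() {
    [ "$#" -ge 2 ] || return 2
    target=$1; shift
    seen=" "
    args=""
    for fwd in "$@"; do
        lport=${fwd%%:*}      # text before the first colon
        rest=${fwd#*:}        # host:rport
        rhost=${rest%:*}
        rport=${rest##*:}
        # require exactly three colon-separated fields
        [ "$rest" != "$fwd" ] && [ "$rhost" != "$rest" ] || return 1
        case "$rhost" in ''|*:*) return 1 ;; esac
        valid_port "$lport" && valid_port "$rport" || return 1
        case "$seen" in *" $lport "*) return 1 ;; esac
        seen="$seen$lport "
        args="$args -L $lport:$rhost:$rport"
    done
    # -N is appended because -f alone stops with "command required for -f"
    printf '%s -f %s%s -N\n' "$SSH_BIN" "$target" "$args"
}

# Sample call with the constructed host names used in the thread
build_tunnel_cmd root@my_ssh_server/22 \
    12000:server.no-ip.biz:12000 22001:server2.no-ip.biz:12001
```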
 
how would i do this if the actual cccam server is running on the ssh box ?
 
I am unable to test this currently but i believe it should be



where the server is running cccam on port 31000, once it is working you can remove the port forwarding in firewall for cccam and add "-N" to command, then the only port that will need to be open and public is the ssh server
 