
Now we are ready to run some tests and see if everything is working properly. First of all, add ~/bin/Compassh to your $PATH environment variable. Don't forget to source your ~/.bashrc, or to log out and log in again. You should then be able to call compassh without giving any path.

So let's see how it works.

$ compassh
   VPN name               SSH connection                        Port  PID
----------------------------------------------------------------------------
   strumentiresistenti    root @ proxy.strumentiresistenti.org  1080  -
   office                 root @ proxy.bigcompany.biz           1081  -

compassh is listing our two VPNs, each with its SSH connection profile (user and host), the local SOCKS port and the PID of the ssh process holding the VPN up. Since no VPN has been started yet, the PID column shows "-" for both. So, let's start a VPN:

$ compassh start strumentiresistenti
$ compassh
   VPN name               SSH connection                        Port  PID
----------------------------------------------------------------------------
 + strumentiresistenti    root @ proxy.strumentiresistenti.org  1080  14932
   office                 root @ proxy.bigcompany.biz           1081  -

The strumentiresistenti VPN now has a plus sign and a PID associated: it's running. If you use netstat (or ss) you'll see an ssh process listening on port 1080: that's the SOCKS proxy waiting for incoming connections. You can, for example, configure your browser to use localhost:1080 as a SOCKS proxy and reach a private IP that is only visible from proxy.strumentiresistenti.org, let's say 192.168.1.20, even if you are on a totally separate network.

You can of course also connect to localhost on ports 10001, 1234 and 4001 to reach the remote services forwarded by OpenSSH, as defined in the VPN profile. And finally you can ssh to any host under strumentiresistenti.org and get routed through proxy.strumentiresistenti.org:

$ ssh -l root mail.strumentiresistenti.org
# ip addr show dev eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:16:3e:45:ec:66 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.20/24 brd 192.168.1.255 scope global eth0
#

VERY IMPORTANT: to be able to use names instead of IP addresses, the names must be resolvable by one of these:

  • The ~/.compassh.conf %hosts table
  • Your /etc/hosts file
  • Your DNS name server
  • The remote proxy /etc/hosts file
  • The remote proxy DNS name server

Usually the best place is the remote proxy's DNS name server, since something.internal.domain makes more sense inside a network than outside it. But if the remote proxy can't resolve the name, just add it to your /etc/hosts file, or to the remote /etc/hosts file if you have the required permissions. If you can't modify any /etc/hosts file, add an entry to the %hosts table inside your ~/.compassh.conf file, like this:

our %hosts = (
    'remote1' => '192.168.21.3',
    'git.intranet' => '172.20.106.32',
    # ... and more ...
);

Since VPNs and patterns are separate concepts, you can define more than one pattern pointing to the same VPN. So if you have a corporate VPN concentrator that connects to your customers' networks, you can define one single pseudo-VPN to the concentrator, as we did with the office VPN, and then add as many patterns as you need, like in:

our %patterns = (
    'bigcompany.biz$' => 'office',
    'customer1.com$' => 'office',
    'customer2.com$' => 'office',
    'anothercustomer.net$' => 'office',
);

compassh_proxy will route any connection to all those customers through the office VPN.
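To make the routing decision concrete, here is an added example (written for this page, not compassh's or compassh_proxy's own code) that reproduces the two lookups described above in plain POSIX shell: the %patterns table picks the VPN (first matching regex wins), the VPN name maps to its local SOCKS port, and the %hosts table is consulted before the name is handed over unresolved, so that the remote proxy end can resolve it. The VPN-to-port mapping, the two extra patterns for `remoteN` and `*.intranet`, and the dots escaped in the regexes are assumptions added for the example; the page's own config does not define them.

```shell
#!/bin/sh
# Hypothetical re-implementation of the routing decision compassh_proxy makes.
# Tables below are constructed from the ~/.compassh.conf fragments on this page.

# VPN name -> local SOCKS port (constructed; matches the compassh listing above)
vpn_port() {
  case "$1" in
    strumentiresistenti) echo 1080 ;;
    office)              echo 1081 ;;
    *) return 1 ;;
  esac
}

# %patterns: "<regex> <vpn>", one per line, first match wins.
# The ^remote[0-9]+$ and \.intranet$ lines are assumptions added for the example.
PATTERNS='
strumentiresistenti\.org$ strumentiresistenti
bigcompany\.biz$ office
customer1\.com$ office
customer2\.com$ office
anothercustomer\.net$ office
^remote[0-9]+$ office
\.intranet$ office
'

# %hosts: "<name> <address>", the page's two entries (constructed table)
HOSTS='
remote1 192.168.21.3
git.intranet 172.20.106.32
'

# resolve_name NAME: %hosts table first; otherwise pass the name through
# untouched so /etc/hosts or DNS on the remote proxy can resolve it.
resolve_name() {
  addr=$(printf '%s\n' "$HOSTS" | awk -v n="$1" '$1 == n { print $2; exit }')
  if [ -n "$addr" ]; then
    echo "$addr"
  else
    echo "$1"
  fi
}

# select_vpn HOST: name of the VPN whose pattern matches first, or nothing.
select_vpn() {
  printf '%s\n' "$PATTERNS" | while read -r re vpn; do
    [ -z "$re" ] && continue
    if printf '%s\n' "$1" | grep -Eq -- "$re"; then
      echo "$vpn"
      break
    fi
  done
}

# route HOST [PORT]: prints "direct HOST PORT" when no pattern matches,
# otherwise "socks5 localhost:SOCKSPORT ADDR PORT" for the chosen VPN.
route() {
  host=$1
  port=${2:-22}
  vpn=$(select_vpn "$host")
  if [ -z "$vpn" ]; then
    echo "direct $host $port"
    return 0
  fi
  socks=$(vpn_port "$vpn") || { echo "no SOCKS port for VPN $vpn" >&2; return 1; }
  echo "socks5 localhost:$socks $(resolve_name "$host") $port"
}

# Example run
route mail.strumentiresistenti.org
route remote1 443
route www.customer2.com 80
route example.org
```

Note that a name in %hosts does nothing on its own: `git.intranet` is only sent through the office VPN because a pattern matches it, which is exactly the separation between VPNs and patterns described above.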

Now use the ps command to see how Compassh is managing all of this:

$ ps aux | grep ssh
tx0  8838  0.0  0.0  6148  2340 pts/4  S  10:51  0:00 /usr/bin/ssh -F /home/tx0/.ssh/config.strumentiresistenti -N -D 1080 root@proxy.strumentiresistenti.org

compassh has started a backgrounded ssh session to root @ proxy.strumentiresistenti.org, using the configuration file ~/.ssh/config.strumentiresistenti; -N tells ssh not to run any remote command, and -D creates a SOCKS proxy on port 1080. Since no bind address is given to -D, ssh binds the SOCKS listener to the loopback interface only, so other machines on your LAN cannot use your VPN. That's how the VPN is kept up and running.
