[LINUX] SSH connection from Windows via SSL VPN

I think the number of people working remotely has increased because of the coronavirus, and some of them probably have a server on the intranet, set up a VPN to reach it from outside, and then connect with SSH. In this article, I introduce one way to reduce, as much as possible, the hassle of starting software such as FortiClient, connecting over SSL VPN, and then connecting with SSH. I think it will appeal to people who don't want to use a mouse.

Environment

- Client: Windows 10
- Server: Ubuntu 16.04 LTS
- VPN server: Fortinet's SSL-VPN (I can't change anything on this side)

SSL-VPN connection

I think this is the most troublesome part. You have to start FortiClient VPN, enter the password in the GUI that opens, and connect. In some cases, accessing the VPN server over HTTPS from a web browser gives you a page that allows the VPN connection, but the effort is about the same. Once you connect over SSH you will be working in a terminal anyway, so it is only human to want to bring up the VPN from a command as well.

Fortinet publishes the FortiClient app in the Microsoft Store, the Windows app store. The reviews are terrible, but unlike the FortiClient VPN app, it acts as a VPN provider for the Windows system, so you do not connect from a GUI that the app itself opens. Instead, you connect to the VPN using the standard Windows VPN connection feature.

Connection method

Install the app. Go to "Settings > Network and Internet > VPN" (or search for "VPN" from Start) to open the VPN settings screen, choose "Add VPN Connection", and select "FortiClient" under "VPN Provider" at the top (if it doesn't appear, the app isn't installed). Then enter a suitable connection name (myvpn in this example) and the connection destination (sslvpn.myvpn.com in this example) and save. The user name and password are asked for when you connect for the first time, so you can leave them blank (or you may not be able to enter them).

Now, if you select the connection name you added and connect, user authentication is performed and the connection is completed. You can check the VPN connection status from the network icon on the right side of the taskbar (the one you use when connecting to WiFi); clicking it opens the same settings screen, where you can connect and disconnect.

Call from command

Of course, when this VPN connection is made, Windows is running some program behind the scenes, so let's call it from a command. Clicking the mouse is a hassle.

Specifically, it is as follows.

rasdial [Connection name] [User name] [password]

If you have connected with "Save sign-in information" checked in the settings, you can omit the user name and password and start the connection with:

rasdial [Connection name]

I'm afraid to type the password in as-is, so I think this is better. To disconnect, use:

rasdial /disconnect

The above applies when running from Command Prompt or PowerShell. The bare name works because rasdial.exe is in %SYSTEMROOT%\System32\, which is normally on the PATH environment variable. If you are using WSL2, the rasdial command by itself will not run, but since WSL2 can, freakishly, run exe files, you can connect with:

rasdial.exe [Connection name]

The Windows PATH is already included from the start, which I think is quite freakish.

This solved the troublesome VPN connection problem to some extent.

SSH connection

Windows 10 includes an OpenSSH client by default, and in most cases I think you can connect with:

%SYSTEMROOT%\System32\OpenSSH\ssh [User name]@[access point]

ssh-keygen and the like also work fine.

However, as I mentioned a little earlier, Windows 10 has WSL2 (Windows Subsystem for Linux 2) (recent versions should have it), and if the server is Linux, using WSL2 causes less confusion, so I think that is better. Many people have explained how to set up Linux with WSL2, so please refer to those.

So the story is simple. For example, if you are using an Ubuntu distribution with WSL2:

- Press the Windows key (Start opens)
- Type "ubuntu" and press Enter to start it
- Connect with ssh [user name]@[destination]

I think this is the shortest procedure described so far. You can also start it by typing "ubuntu" into "Run" (Windows key + R) instead of searching from Start. I think either is fine, but "Run" is sometimes more convenient because it keeps a history.

Create a function

The story doesn't end here. If you always make a VPN connection to the same destination and an SSH connection to the same destination, about 99.9% of the people in the world will want to create a function (according to my research).

First, for ssh, if you only ever connect to the same destination, use an alias:

alias myssh="ssh [User name]@[access point]"
# example
alias myssh="ssh [email protected]"

After that, you can connect with the myssh command. If you don't want to enter your password, why not switch to public key authentication and empty your passphrase? I do.

If there are several connection destinations, take the varying part as an argument and run ssh from a function:

function myssh () {
  # $1 is the last part of the destination address
  command ssh "[User name]@123.45.67.$1"
}

Or, with public key authentication:

function myssh () {
  # -i selects the private key to authenticate with
  command ssh -i ~/.ssh/id_rsa "[User name]@123.45.67.$1"
}

And so on. The command prefix may not be necessary, but add it if there is an alias with the same name. With the above function, myssh 921 will try to connect to 123.45.67.921.

An alias is sufficient for the VPN connection, but I want to handle both connecting and disconnecting with the same command by passing an option, so I make it a function.

function myvpn () {
  if [ $# -eq 0 ]; then
    # No arguments: connect using the saved sign-in information
    command rasdial.exe "[Connection name]"
  else
    # Any argument: disconnect
    command rasdial.exe /disconnect
  fi
}

With the above function, running myvpn by itself connects the VPN, and running it with one or more arguments, such as myvpn d, disconnects. There are probably not many VPN destinations, but if there are, I think it is better to receive the destination as an argument using options or the like. If that is too much trouble, it is simpler to use separate aliases for connecting and disconnecting.

The above functions should be added to ~/.bashrc. After making changes, log out and back in, or run . ~/.bashrc or source ~/.bashrc.

With the above, the flow is "Start WSL2 (Ubuntu this time) → connect the VPN by running myvpn → connect over SSH with myssh". In some cases, it may be easier to have the SSH connection start once the VPN connection succeeds.
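The two ideas mentioned above, taking the VPN connection name as an argument and starting SSH only when the VPN came up, can be combined as follows. This is an added example, not the author's code: myconnect, SSH_USER, SSH_NET and VPN_DEFAULT are hypothetical names, and it assumes rasdial.exe exits non-zero when the connection fails. It relies on saved sign-in information, so no password appears on the command line or in shell history.

```shell
# Added example for ~/.bashrc (not from the original article).
# Commands are held in variables so they can be replaced when testing.
RASDIAL="${RASDIAL:-rasdial.exe}"
SSH="${SSH:-ssh}"
VPN_DEFAULT="${VPN_DEFAULT:-myvpn}"   # connection name used in the article
SSH_USER="${SSH_USER:-user}"          # placeholder user name
SSH_NET="${SSH_NET:-123.45.67}"       # address prefix used in the article

# myvpn [up|down] [connection name]
myvpn() {
  case "${1:-up}" in
    up)   "$RASDIAL" "${2:-$VPN_DEFAULT}" ;;
    down) "$RASDIAL" "${2:-$VPN_DEFAULT}" /disconnect ;;
    *)    echo "usage: myvpn [up|down] [connection name]" >&2
          return 2 ;;
  esac
}

# myconnect <last part of address>
# Brings the VPN up first and starts ssh only if that succeeded.
myconnect() {
  case "$1" in
    ''|*[!0-9]*)
      # Reject empty or non-numeric input before it reaches ssh
      echo "usage: myconnect <number>" >&2
      return 2 ;;
  esac
  if ! myvpn up; then
    echo "VPN connection failed; not starting ssh" >&2
    return 1
  fi
  "$SSH" "${SSH_USER}@${SSH_NET}.$1"
}
```
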

Finally

I wanted to simplify the troublesome VPN connection, so I summarized what I investigated. I'm new to Linux, so there may be objections such as "the functions are messy" or "what about security?". I don't think that passwords are saved in plain text, but I hope that each person will be aware of security.

Please put the time you save on connecting toward your work.
