From 99980260c9fcedab8837158d4798b9f22f4f2277 Mon Sep 17 00:00:00 2001 From: murdrum <701724-enkht04@users.noreply.gitlab.com> Date: Sat, 1 Aug 2020 00:51:40 +0200 Subject: [PATCH] Readme and configs edits --- README.md | 23 ++++++++++++----------- config | 4 ++-- secure-tunnel@.service | 2 +- setup-host-to-expose.sh | 26 ++++++++++++-------------- targets/secure-tunnel@example | 1 + 5 files changed, 28 insertions(+), 28 deletions(-) diff --git a/README.md b/README.md index bd6c53a..1d0bfab 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,5 @@ + # secure-reverse-ssh-tunnel This project provides ready-to-use tools to configure a remote host via an ssh tunnel and a jump host. @@ -8,14 +9,14 @@ This project provides ready-to-use tools to configure a remote host via an ssh t ### Premise: - HTE) Host you wish to expose. Currently network restricted (behind a FW or a NAT) - EUD) End user device such as a laptop or mobile device provided with an ssh client. -- JH) A host publicly accessible over the internet (or a network accessible to voth HTE and EUD) running Openssh server. +- JH) A host publicly accessible over the internet (or a network accessible to both HTE and EUD) running Openssh server. ### Scenario: - EUD wants to access a service running on HTE, but HTE can be accessed only from within its own network. - EUD can generate outgoing traffic to the internet or external networks. - HTE can't accept incoming connections from the internet or other networks. -- HTE can generate outoing traffic to the internet or external networks. +- HTE can generate outgoing traffic to the internet or external networks. - JH is accessible to both HTE and EUD and runs an Openssh server. Normally, to allow communication between EUD and HTE, you would need to setup a portforward for HTE on its network's edge router. Then have EUD connect to the edge router's Public IP at the forwarded port. 
@@ -23,8 +24,8 @@ Normally, to allow communication between EUD and HTE, you would need to setup a This might not be feasible or out of HTE's control, thus an ssh reverse tunnel can be used. By using a jump server we can establish a tunnel from HTE to JH and respectively a communication from EUD to JH securely, using SSH and our private keys. At this point EUD can access HTE's service just like any other service running on JH. -The Reverse tunnel binds HTE's port to JH's network-interface:port (JumHost's localhost by default, see **GatewayPorts yes**) -Every request sent to JH binded port is going to be forarded to HTE's port. +The Reverse tunnel binds HTE's port to JH's network-interface:port (JumpHost's localhost by default, see **[GatewayPorts](https://gitlab.com/enkht04/secure-reverse-ssh-tunnel#note)**) +Meaning every request sent to JH's binded port is going to be forwarded HTE's port. **In ssh cli terms:** ```bash @@ -34,7 +35,7 @@ Every request sent to JH binded port is going to be forarded to HTE's port. --- ## Support us -Whether you use this project, have learned something from it, or just like it, please consider supporting it by donate, so we can dedicate more time on open-source projects like this :) +Whether you use this project, have learned something from it, or simply like it, please consider supporting it by donation, so we can spend more time on open-source projects like this :) Donate using Liberapay @@ -43,7 +44,7 @@ Whether you use this project, have learned something from it, or just like it, p ## Components - setup-remote-host.sh: This script must be run as root after setup step -- authorized_keys: should contains the ssh pubkey for HTE +- authorized_keys: should contains the ssh pubkey for JH - config: example host configuration for "EUD" computer - secure-tunnel@.service: SystemD ready to use example service - targets/* : contains multiple targets that need to be used as jump servers 
@@ -87,7 +88,7 @@ To check if the tunnel is active and the dedicated port is up, ssh into your jum netstat -tupln | grep 20001 ``` -You should see your port associated to autossh process :) +You should see autossh's process to your chosen port :) ### Remote port forwarding @@ -101,7 +102,7 @@ would result in a bind like this: ```bash 127.0.0.1:${JH_PORT} LISTEN pid/sshd ``` -To expose forwarded ports over every jumphost's IP add the following to `/etc/ssh/sshd_config` +To expose forwarded ports over every jumphost's IP (0.0.0.0) add the following to `/etc/ssh/sshd_config` ```bash GatewayPorts yes @@ -109,9 +110,9 @@ GatewayPorts yes ###### Note: Every forwarded port will now be publicly exposed (unless FW rules are in place.) -A better aproach would be: +A better approach would be: ```bash -GatewayPorts userspecified +GatewayPorts clientspecified ``` The reverse tunnel above becomes; ```bash @@ -120,7 +121,7 @@ The reverse tunnel above becomes; ### Local port forward -You could use your Jump Host even to bind to a local port a web interface of a remote host or something else with: +You could use your Jump Host even to bind a local port to a web interface on a remote host or something else with: ```bash ssh -N -L ${LOCALPORT}:127.0.0.1:${JH_PORT} ${USER}${TARGET} ``` diff --git a/config b/config index 4ea47d3..5dad1d5 100644 --- a/config +++ b/config @@ -3,9 +3,9 @@ Host jumpserver User root IdentityFile /home//.ssh/ -Host remotehost +Host HostToExpose Hostname localhost User Port 20001 IdentityFile /home//.ssh/ - Proxycommand ssh -W %h:%p jumpserver \ No newline at end of file + Proxycommand ssh -W %h:%p jumpserver diff --git a/secure-tunnel@.service b/secure-tunnel@.service index 7c0d54a..589a9cb 100644 --- a/secure-tunnel@.service +++ b/secure-tunnel@.service 
@@ -5,7 +5,7 @@ After=network.target [Service] Environment="AUTOSSH_GATETIME=0" EnvironmentFile=/etc/default/secure-tunnel@%i -ExecStart=/usr/bin/autossh -M 0 -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -o "ExitOnForwardFailure" -NR ${JH_PORT}:localhost:22 ${USER}@${TARGET} +ExecStart=/usr/bin/autossh -M 0 -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -o "ExitOnForwardFailure" -NR ${JH_PORT}:localhost:"${HTE_PORT}" "${USER}"@"${TARGET}" User=autossh Restart=on-failure RestartSec=5s diff --git a/setup-host-to-expose.sh b/setup-host-to-expose.sh index a4de07c..b1c2509 100755 --- a/setup-host-to-expose.sh +++ b/setup-host-to-expose.sh @@ -13,15 +13,15 @@ function check_if_running_as_root { check_if_running_as_root -read -p "Did you run this script on the remote host? " -n 1 -r +read -p "Are you running this script on the host to expose? " -n 1 -r echo if [[ ! $REPLY =~ ^[Yy]$ ]] then - echo "Please rerun this script on HTE as root user." + echo "Please re-run this script on HTE as root user." [[ "$0" = "$BASH_SOURCE" ]] && exit 1 || return 1 fi -read -p "Did you setup various targets and adjusted configurations as described in README?" -n 1 -r +read -p "Have you setup targets and adjusted configurations as described in README?" -n 1 -r echo if [[ ! $REPLY =~ ^[Yy]$ ]] then @@ -41,10 +41,10 @@ function check_necessary_packages { apt-get --yes install autossh elif [[ ! -z $YUM_CMD ]]; then echo "OK: yum found." - yum install autossh + yum install -y autossh elif [[ -z $DNF_CMD ]]; then - echo "OK: yum found." - dnf install autossh + echo "OK: dnf found." + dnf install -y autossh else echo "No valid package manager found. Exiting." exit 1; @@ -72,7 +72,7 @@ function adjust_ssh_folder_for { echo "NEXT: Setup ${1} home: ${homedir}." - mkdir -p "${homedir}/.ssh" + mkdir -p "${homedir}/.ssh" && touch -a "${homedir}/.ssh/authorized_keys" if [ ! -s authorized_keys ]; then 
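Review bot: The new ExecStart line makes the forward depend on `HTE_PORT` from the EnvironmentFile, but target files already installed under /etc/default are never rewritten (the setup script copies them with `cp -n`), and systemd expands an unset `${HTE_PORT}` to an empty string, so existing installs end up with `-NR ${JH_PORT}:localhost:` and no port at all. Adding `Environment="HTE_PORT=22"` to the [Service] section ahead of `EnvironmentFile=` restores the previous default, because values from the environment file override `Environment=` settings. The added quotes in `"${USER}"@"${TARGET}"` are also interpreted by systemd's own command-line parser rather than a shell, and it documents quotes as wrapping a whole argument; it is worth confirming with `systemd-analyze verify` that the mid-word quotes still yield the single `user@host` argument.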
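Review bot: The dnf branch still tests `[[ -z $DNF_CMD ]]`, the opposite of the `! -z` tests used for apt and yum, so the corrected "OK: dnf found." message and the new `dnf install -y autossh` run exactly when dnf is absent, while a real dnf host falls through to "No valid package manager found." and exits. The condition should be `elif [[ -n $DNF_CMD ]]; then`. check_necessary_packages begins before this hunk, so the earlier detection of the three commands is not visible here.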
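Review bot: Chaining `mkdir -p "${homedir}/.ssh" && touch -a "${homedir}/.ssh/authorized_keys"` means a failing mkdir silently skips the touch and the function carries on to the `cat … >>` append in the next hunk; if the script relies on `set -e` (not visible here), an `&&` list also keeps that from firing. Keeping the two commands on separate lines, or `mkdir -p "${homedir}/.ssh" || { echo "ERROR: cannot create ${homedir}/.ssh" >&2; return 1; }`, keeps the failure visible. Note that `touch -a` creates the file with the umask default mode; the `chmod 600` applied later in adjust_ssh_folder_for closes that, so only the interval between the two is affected.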
@@ -80,9 +80,8 @@ function adjust_ssh_folder_for { fi cat authorized_keys >> "${homedir}/.ssh/authorized_keys" - echo "OK: Files and content ready." - echo "NEXT: Setup file and folder permissions." - + echo -e "OK: Files and content ready.\nNEXT: Setup file and folder permissions." + chown -R "$1":"$1" "${homedir}/.ssh" chmod 700 "${homedir}/.ssh" chmod 600 "${homedir}/.ssh/authorized_keys" @@ -97,12 +96,11 @@ function setup_systemd_service_if_available { if [[ ! -z $SYSTEMCTL_CMD ]]; then echo "NEXT: Copy targets into /etc/default." - cp -n targets/* /etc/default/ + cp -n targets/* /etc/default/ && - echo "OK: Targets copied." - echo "NEXT: Setup systemd service." + echo "OK: Targets copied. \nNEXT: Setup systemd service." - cp secure-tunnel@.service /etc/systemd/system/ + cp secure-tunnel@.service /etc/systemd/system/ && systemctl daemon-reload echo "OK: Systemd service created." diff --git a/targets/secure-tunnel@example b/targets/secure-tunnel@example index b5ed9be..00edb31 100644 --- a/targets/secure-tunnel@example +++ b/targets/secure-tunnel@example @@ -1,3 +1,4 @@ USER=autossh TARGET=jumphost JH_PORT=20001 +HTE_PORT=22
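Review bot: `echo -e` with an embedded `\n` is a bash-specific way to print two lines, and the same construct in the `@@ -97` hunk below drops the `-e`, where it prints a literal backslash-n instead of a newline. `printf '%s\n' "OK: Files and content ready." "NEXT: Setup file and folder permissions."` prints both lines with no escape handling to get wrong and works the same under any shell. The other added line is blank, which is fine but could be left out.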
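Review bot: Ending the line with `cp -n targets/* /etc/default/ &&` turns the following echo into a condition on cp, so a failed copy only suppresses the message and the function continues to install the unit and run `systemctl daemon-reload` with no diagnostic; the same applies to the `cp secure-tunnel@.service … &&` line, after which "OK: Systemd service created." is printed regardless. `cp -n` also keeps any existing /etc/default/secure-tunnel@* file without saying so, which means variables introduced later, such as HTE_PORT, never reach already-installed targets; a short warning about skipped files would make that visible. The echo on the new side also lacks `-e`, so `\n` is printed literally here; `printf '%s\n' "OK: Targets copied." "NEXT: Setup systemd service."` avoids both problems.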