DV-Zeuthen

| Computer Center

Warp Login Usage

Warp Usage for Safe Remote Login

Computer Center

Warp Usage for Safe Remote Login

1. Login
2. Access to internal Web Pages
3. Usage of VNC via an SSH tunnel
4. sshuttle

1. Login

Log in to your group's least-loaded WGS:
ssh warp.zeuthen.desy.de
ssh <username>@warp.zeuthen.desy.de

Log in to a special WGS of your choice:
ssh warp.zeuthen.desy.de -t target=<wgs>

2. Access to internal Web Pages

Internal web pages are e.g.

Establish an ssh tunnel to warp.
ssh has built-in support to act as a SOCKS proxy. All you have to do is use the -D option.
ssh -D localhost:2233 <username>@warp.zeuthen.desy.de

For Windows-10 an up-to-date release (at least 1909) is required!
Open the cmd promt and type the command described above.

Start your browser or other application which supports SOCKS proxies with proxy localhost and your choosen port, here 2233

Firefox

Linux: Edit->Preferences->Network
Windows: Tools->Options->General->Network Settings->Settings
or application menu-> Settings->General->Network Settings-> Settings
choose "Manual proxy configuration"
SOCKS Host: localhost
Port: 2233
SOCKS v5 should work

Safari (macOS)

Preferences ->Advanced, Proxies: Change Settings
Select SOCKS Proxy
Enter as SOCKS Proxy Server:
localhost:2233

Hint: There are browser plugins to make it easier to switch between proxies.
E.g. FoxyProxy is a set of proxy management tools for Firefox and SwitchyOmega for Chrome.

All outgoing and incoming data for the browsing session will be encrypted since it passes through the SSH connection.

3. Usage of VNC via an SSH tunnel

You can run your vnc session by the command
vncserver:<displaynumber>
on your group's WGS.
To connect to it from outside, you'll have to create a ssh tunnel.
First configure Kerberos on your system for password-less login as explained on https://dvinfo.zeuthen.desy.de/BYOD/User-Info
Then configure your ~/.ssh/config like this:

Host warp.zeuthen.desy.de
   User <accountname>
   GSSAPIAuthentication yes
   GSSAPIDelegateCredentials yes

Host <yourwgs>.zeuthen.desy.de
   User <accountname>
   GSSAPIAuthentication yes
   GSSAPIDelegateCredentials yes
   ProxyCommand ssh warp.zeuthen.desy.de nc %h %p
   LocalForward 5901 localhost:590<displaynumber>
   DynamicForward 2345

Replace your account name, the name of the wgs running the vnc server and the port number, e.g. for port 4, the forward command should direct to localhost:5904. You can then run
ssh <yourwgs>.zeuthen.desy.de and then connect to the vnc session on localhost:1. You can also use port 2345 as SOCKS5 proxy in your browser to access internal pages.

4. sshuttle

sshuttle is an application which leads all network traffic through one specific gateway. So this application can be used as good alternative to a VPN conncetion.

Linux

Install sshuttle using your local Linux package manager. If it is not available there please download it from github:
https://github.com/apenwarr/sshuttle
Afterwards execute the following command to establish the connection (use option --no-latency-control on high-bandwidth internet connections for improved performance).

sshuttle --dns --no-latency-control -r <username>@warp.zeuthen.desy.de 141.34.0.0/16 131.169.0.0/16 -x warp.zeuthen.desy.de

 
Now you will be able to connect to all internal web sites and services and thus will be able to use Remote Desktop programs without using any specific parameters like local ports. To connect to znapis please use the webaddress https://znrdsweb.zeuthen.desy.de/RDWeb/webclient/ or use xfreerdp as Remote Desktop program.

xfreerdp /u: /d:win /v:znapis.zeuthen.desy.de

macOS

Install sshuttle via homebrew (https://brew.sh)

brew install sshuttle


Afterwards execute the following command to establish the connection.

sshuttle --dns --no-latency-control -r <username>@warp.zeuthen.desy.de 141.34.0.0/16 131.169.0.0/16 -x warp.zeuthen.desy.de

Now you will be able to connect to all internal web sites and services.
To connect to znapis please use the webaddress https://znrdsweb.zeuthen.desy.de/RDWeb/webclient/ or use the Microsoft Remote Desktop Client, which you can install from the Apple App Store.