docs

Overview

This tool allowes access to devices that are not explicitly routable from the internet.

Direct connection from device to internet

It does so by connecting a Customer Device by using a Client Connector to the Remote Access Server.

Therefore Consumers are able to gain indirect access to the device by tunneling over the Remote Access Server.

    
graph TD
    server["Remote Access Server"]
    subgraph "Customer Device"
        connector["Client Connector"]
    end

    subgraph "Consumer"
        client["Web Brwoser"]
        ssh["SSH Client"]
    end

    server -. "https (TLS)" .- connector

    server -. "https (TLS)" .- client
    server -. "SOCKS" .- ssh

Indirect connection from device over service PC to internet

In scenarios where the Customer Device has no direct access to the internet, a Service PC with an up-to-date browser (Firefox/Chrome) can be used to connect the Customer Device to the Remote Access Server. No additional software (other than the browser) is required on the Service PC.

    
graph TD;
    server["Remote Access Server"]
    subgraph "Customer Device";
        connector["Client Connector"]
    end

    subgraph "Consumer";
        client["Web Brwoser"]
        ssh["SSH Client"]
    end

    subgraph "Service PC";
        browser["Web Brwoser"]
    end

    server -. " https (TLS)" .- browser
    browser -. "https  (TLS) / http" .- connector

    server -. "https (TLS)" .- client
    server -. "SOCKS" .- ssh

Configuration tool

The configuration of the remote access endpoint can be done at sites.websof.de. Once registered and activated by an administrator you can start to create sites on the domains that are unlocked for you.

Click sites in the side-menu to manage your sites. Click on Add new site to add a new site.

After adding the site you will see your configured site and the unique token.

This token is used to connect a device endpoint to a site. It can not be changed or recreated and will be lost when the corresponding site is deleted. Devices that are using an outdated token are not accessible!

Configuring a site

You have the opportunity to change various options of a site you own.

For example you can change

  • the name
  • or domain (and therefore the resulting FQDN for your site)
  • enable/disable access to it completely
  • enable/disable access to its public http/https endpoints
  • change authentification for its public http/https endpoints
  • enable/disable access to its socks endpoints

Integration

As a docker container

To integrate the remote access connector to your device you can use the following docker command:

docker run \
  -it --rm --net=host \
  -e CONNECT_TYPE=rule \
  -e RULE=":80-*:*,:22-*:*" \
  -e TOKEN=$MY_SITE_TOKEN \
  -e NAME=`hostname` \
  -e TYPE=$MY_DEVICE_TYPE \
  -e NO_CONNECT=1 \
  -e BRIDGE_PORT=8765 \
  --name tnnl \
  weberlars/tnnl:arm32v7-20220505

With the CONNECT_TYPE=rule you can specify that a custom rule is used to restrict access to certain ports. The RULE=":80-*:*,:22-*:*" specifies that only access to the local ports 80 and 22 are allowed. All other access are blocked by the connector.

Other supported CONNECT_TYPES are

  • localhost allowes access to all local ports on the device
  • any allowes access to other devices in the same network

The TOKEN must be the token that is assigned to your site.

NAME should be set to the hostname to identify single devices.

TYPE should be set to the product name of the device.

By using NO_CONNECT=1 you can configure the connector not to connect to the remote access server by itself.

With the BRIDGE_PORT a TCP port can be specified to listen on for bridge connections. It is recommend to place this port behind a reverse proxy and only allow authorized access to that port.

Rules

You can provide your own rules using the environment variable RULE in the format: RULE="$IN_HOST:$IN_PORT-$OUT_HOST:$OUT_PORT". Multiple rules can be seperated by ,. The rules are evaluated in the order they are provided and the first matching rule will be used. If no rule is matching the connection is rejected.

For the $IN_HOST there are two special values.

  1. An empty string is the default host which will only match requests to the default host. Requests to the default host will be redirected to localhost if not specified.
  2. * which is a wildcard that allows access to all devices (unsupported for now, tnnl requests will only be sent to the default host for now).

Here are a few example rules:

Rule Description
:*-*:* Unrestricted access to all ports on localhost
:80-*:* Allow access to port 80
:80-*:4000 Allow access to port 80 but forward it to port 4000
:*-192.168.1.1:* Allow access to all ports on 192.168.1.1
:80-192.168.1.1:* Allow access to port 80 on 192.168.1.1
:80-192.168.1.1:4000 Allow access to port 80 on 192.168.1.1 but forward it to port 4000
:80-*:*,:22-*:* Allow access to port 80 and port 22

Accessing a site

Public HTTP/HTTPS endpoints

To access the http endpoint on your device, you can simply use your browser and access https://$SITE_NAME.$SITE_DOMAIN.

Custom tcp protocols

To connect to a custom tcp port you have to use the sites server as a socks proxy. For example to connect to ssh on your device use:

ssh \
  -o ProxyCommand='nc -x access.websof.de:1080 %h %p' \
  $(SSH_USER)@$(SITE_NAME).$(SITE_DOMAIN)