Gentoo Forums
How do I access remote vm over TLS?
audiodef
Watchman
Joined: 06 Jul 2005
Posts: 6639
Location: The soundosphere

Posted: Thu Feb 02, 2017 4:08 am    Post subject: How do I access remote vm over TLS?

Spent the day setting up a vm with qemu. Uploaded vm file to server and can access it with a vnc viewer after running this script:
Code:
#!/bin/bash

# Boot the GentooStudio disk image under KVM with user-mode networking and the
# QEMU monitor on the terminal. The console is exposed on VNC display :1
# (TCP port 5901); with no bind address given, QEMU accepts connections from
# any host.
/usr/bin/qemu-system-x86_64 \
    -monitor stdio \
    -machine accel=kvm \
    -m 1024 \
    -hda /home/audiodef/GentooStudio_HDA.img \
    -boot once=c,menu=off \
    -net nic,vlan=0 \
    -net user,vlan=0 \
    -rtc base=localtime \
    -name "GentooStudio" \
    -vnc :1

But I'd like to secure that connection. What do I need to do?
_________________
decibel Linux: https://decibellinux.org
Github: https://github.com/Gentoo-Music-and-Audio-Technology
Facebook: https://www.facebook.com/decibellinux
Discord: https://discord.gg/73XV24dNPN
khayyam
Watchman
Joined: 07 Jun 2012
Posts: 6227
Location: Room 101

Posted: Thu Feb 02, 2017 6:35 am

audiodef ... vnc over ssh:

Code:
# on the local machine: forward local port 5902 (display :2) to port 5901
# (display :1) on the host running qemu
$ ssh -L 5902:localhost:5901 <ip_of_machine_running_qemu>
# in a second local terminal, connect the viewer to the local end of the tunnel
$ vncviewer localhost:2

HTH & best ... khay
audiodef
Watchman
Joined: 06 Jul 2005
Posts: 6639
Location: The soundosphere

Posted: Thu Feb 02, 2017 3:36 pm

Thanks, khay. I wasn't sure this would work, since I have a headless server, and indeed, I got:
Code:
Can't open display:

Because I'm no longer on my local machine at this point.

Playing around with aqemu on my local machine, I can see that you can:
Code:
-vnc :1,tls,x509=/path/to/cert

I'm not sure what kind of cert this requires, though, because when I use my existing certs from setting up my mail server, it complains that gnutls is required:
Code:
(qemu) qemu-system-x86_64: -vnc :1,tls,x509=/home/audiodef/keys/vnc: Failed to start VNC server: TLS credentials support requires GNUTLS

Doesn't seem to matter if I generate new keys or use /etc/ssl/certs.
khayyam
Watchman
Joined: 07 Jun 2012
Posts: 6227
Location: Room 101

Posted: Thu Feb 02, 2017 5:46 pm

audiodef wrote:
Thanks, khay. I wasn't sure this would work, since I have a headless server, and indeed, I got:
Code:
Can't open display:

audiodef ... you're welcome. It's been a long time since I used vnc but as I remember the above should work headless. As for the error, what port does qemu use for vnc (netstat -tlnp)?

audiodef wrote:
Because I'm no longer on my local machine at this point.

Well, how are you connecting? You would need to access the (qemu) host (and obviously a router/firewall would prevent that).

Code:
(qemu) qemu-system-x86_64: -vnc :1,tls,x509=/home/audiodef/keys/vnc: Failed to start VNC server: TLS credentials support requires GNUTLS

USE="gnutls" is not enabled by default on qemu, I expect you have it disabled.

best ... khay
szatox
Advocate
Joined: 27 Aug 2013
Posts: 3134

Posted: Thu Feb 02, 2017 7:20 pm

Quote:
Can't open display:

Looks like you needed X forwarding
ssh -X or ssh -Y (-Y is more permissive than -X, considered insecure)

Weird. What does a server being headless have to do with it? It's a bit puzzling.
audiodef
Watchman
Joined: 06 Jul 2005
Posts: 6639
Location: The soundosphere

Posted: Thu Feb 02, 2017 7:45 pm

Thanks, guys, I appreciate it.

After losing hair for a few hours, it naturally came down to something very simple.
Code:
-vnc :1,password,tls,x509=/home/audiodef,x509verify=/home/audiodef

should be:
Code:
-vnc (ip_address_here!):1,password,tls,x509=/home/audiodef,x509verify=/home/audiodef


Now I just need to figure out how to set a password to use the "password" argument in the command above, then I should have the bare essentials for a reasonably protected setup.
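As an added example (not code from the thread or from QEMU), the shell helpers below put the two approaches discussed in this thread side by side: the port mapping behind khayyam's SSH tunnel, and the certificate directory and `-vnc` string behind the TLS setup in the last post. The x509 directory file names are the ones QEMU's documentation requires; the `-vnc` option names are the legacy ones used in the thread (newer QEMU replaces `tls`/`x509` with `-object tls-creds-x509` and `tls-creds=`).

```shell
#!/bin/bash
# Added example, not from the thread: shell helpers for the two ways discussed
# above to protect the QEMU VNC console, an SSH tunnel to a server bound to
# loopback, and QEMU's own TLS with an x509 certificate directory.
set -u

# VNC display :N listens on TCP port 5900+N (:1 -> 5901, :2 -> 5902).
vnc_port() { echo $(( 5900 + $1 )); }

# ssh -L spec forwarding local display $2 to the QEMU host's display $1, i.e.
# "ssh -L 5902:localhost:5901 <host>" followed by "vncviewer localhost:2".
ssh_forward_spec() {
    echo "$(vnc_port "$2"):localhost:$(vnc_port "$1")"
}

# QEMU's x509= directory must hold ca-cert.pem, server-cert.pem and
# server-key.pem (file names per the QEMU documentation); x509verify= uses the
# same directory and additionally checks client certificates against the CA.
check_x509_dir() {
    local dir=$1 f rc=0
    for f in ca-cert.pem server-cert.pem server-key.pem; do
        [ -r "$dir/$f" ] || { echo "missing: $dir/$f" >&2; rc=1; }
    done
    # The private key must not be readable by other users on the host
    # (columns 5-10 of ls -l are the group and other permission bits).
    if [ -e "$dir/server-key.pem" ]; then
        case "$(ls -ld "$dir/server-key.pem" | cut -c5-10)" in
            *r*) echo "server-key.pem is group/world readable" >&2; rc=1 ;;
        esac
    fi
    return $rc
}

# -vnc argument in the legacy syntax used in this thread: bind to one address
# only (127.0.0.1 when the viewer arrives through the SSH tunnel, otherwise the
# host's own IP as in the last post), require a password, and require TLS with
# the certificate directory. The password itself is set afterwards from the
# QEMU monitor with "change vnc password".
vnc_option() {
    local bind=$1 display=$2 certdir=$3
    echo "-vnc ${bind}:${display},password,tls,x509=${certdir},x509verify=${certdir}"
}
```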