[How To] AFP via SSH Tunnel

Questions about using NAS on Mac OS.
rory
Know my way around
Posts: 212
Joined: Tue Feb 12, 2008 11:52 am

[How To] AFP via SSH Tunnel

Post by rory »

I've been tooling around with tunneling protocols through an SSH pipe. Using an SSH tunnel means that only one port needs to be open on the firewall and other protocols tunnel through that port (good for security and simplicity), and it allows you to easily and safely mount remote disks in Finder via AFP. You can do other fun things like securely access an insecure POP mail account, or pipe all of your traffic to an external server thereby avoiding local firewall rules and surveillance (good for work).

Once you dig into the man pages and examples it is pretty straightforward. But I didn't want to have to remount the tunnel with every login. Too much to remember. I looked at a few of the publicly available GUI tools. The two best (for OSX) that I've found are Meerkat (http://codesorcery.net/meerkat) and AlmostVPN (http://www.leapingbytes.com/almostvpn). Please let us know if you are using something better!

Meerkat is the more polished of the two but is limited in functionality. It automates the setup of basic tunnels but lacks advanced functionality. It also does not play nice with OSX 10.5. AlmostVPN is not as polished and the documentation is a bit lacking BUT it provides all kinds of configuration options. It supports nearly all of the switches and optimization rules available through the terminal commands. It took a bit of trial and error but eventually I got it going. It is well worth the effort if you are willing to put in a little work. Also, I've been in touch with the developer and a future version is in the works.

Hope some of you find this useful.

Rory
iMac 27" i7 / OS X 10.6.5
TS-259 Pro / RAID 1 / 2 x 1T WD Black / 3.2.1 1231T
TS-410 / RAID 6 / 2 x 750GB + 2 x 500GB WD Black / 3.5.1 Build 1002T
SMCGS8P-Smart Switch
AndyChuo
Experience counts
Posts: 2388
Joined: Thu Sep 13, 2007 11:56 am
Location: Taipei, Taiwan

Re: [How To] AFP via SSH Tunnel

Post by AndyChuo »

Thanks for sharing rory.

Andy
=============================================================>>>
TS-659-Pro [RAID6] rtorrent+SABnzbdplus+SickBeard+Couchpotato [Best PVR] Plex+PMS [Ultimate Streamer]
Apple iPad [Best Tablet] HTC One M8 [Mobile Phone] Samsung UA46ES6100 [My Screen] KRK Rokit 6 [Audio Speakers]
Chrome Cast [Screen Casting] Philips Hue [Personal Lighing]
Buffalo WZR-1750DHP [My Wifi Hub] D-Link DGS-1005D [Gbit Network]
=============================================================>>>
techdef
Getting the hang of things
Posts: 65
Joined: Fri Dec 07, 2007 11:32 am

Re: [How To] AFP via SSH Tunnel

Post by techdef »

Rory,

Well this is something I'd love to be able to do. I dl'd Almost VPN and am totally stumped. Is this something you think you'd be able to do a quick how-to / tutorial on setting up? I'm sure there are many of us who would be grateful for the hand-holding.

thanks,
-jamie
rory
Know my way around
Posts: 212
Joined: Tue Feb 12, 2008 11:52 am

Re: [How To] AFP via SSH Tunnel

Post by rory »

Yeah almostVPN is pretty awkward but once you get it to work it somehow makes sense. In summary, you need to set up an SSH Server with your specific SSH server details (IP, pass, port, etc) and you need to add a protocol to that server. Do this by ^ clicking the SSH server name and selecting drive - enter AFP and corresponding port - 548 in the resulting dialogue box. Now you also need to set up a "profile" that tells almostVPN to tunnel through the SSH server (at least I think this is what the profile is doing - I couldn't get it to work until I set up the profile). Do this by ^ clicking on "profile" to set up a new profile. Once you have given the profile a name ^ click the name and select "drive". You will get a dialogue box that is populated with the AFP information from the server above. Click done. Now double click either of the network icons that you see in almostVPN and you should be connected. Open Finder and see if you have a Network icon. If you are not connected check the SSH server details. It tests the server dynamically and will give you an error message and red dot if you are not connected properly.

I haven't toyed with it in some time. Writing the above summary I realize just how involved this is. It is convoluted to be sure but I have found it to be stable. I'm sure there is a better way but this is what worked for me after trying a few different GUI tools. I only figured it out by trial and error! If you can wait until next week when I'm on vacation I'll write something up and post it here and on the wiki.

Let me know if this helps.
rory
Know my way around
Posts: 212
Joined: Tue Feb 12, 2008 11:52 am

Re: [How To] AFP via SSH Tunnel

Post by rory »

OK, below is a tutorial. It is rough and needs some clean up. Also, it is quite a bit more convoluted than I remember but it is worth the effort. You will be able to manage your NAS remotely via AFP tunneled through your SSH connection. You can close up all those ports on your router too! Please let me know if you are able to get this working. I'm happy to troubleshoot. It works like a charm for me.

Rory

Start Tutorial

Download and install the AlmostVPN preference pane. See http://www.leapingbytes.com/almostvpn and be sure to download the 1.6pre version if you are using Leopard (find the link under Announcements at the top of the page).

Go to system preferences and open the AlmostVPN preference pane.

Take a look at the four configuration tabs – Control, Configure, Monitor, Preference. I like the menu bar item found under preferences so I toggle that. We will do most of our work in the Configure tab. So toggle the Configure tab.

Right click on SSH Servers and select SSH Servers

Complete the resulting dialogue box. Note there are three information tabs (lower part of dialogue box) - Address, Account, Options. Be sure to assign the correct port address under options.

Host Name: This can be any descriptor you like
Address is the DNS or IP of your server – note it seems to like an IP better than a DNS address
Account User Name and Password – this is whatever you use to login to your SSH server
Account Options – Port Assignment (if not 22) and proxy info if needed.
Click Done to complete configuration


Now you should see your SSH Server listed under SSH Servers by whatever Host Name that you assigned it above. Click on the Host Name that appears below the SSH Servers. You will see all of the information you entered in the setup under a single pane. You can change here if needed. Note that there will be a red or green dot next to the Host Name. This indicates that your entry is accessible. If it is red then your server is not reachable for some reason. Check all information carefully. It will test the server dynamically as you make changes.

Now right click on your SSH Server. Select Service. Select AFP or some other protocol if you like. Make sure that you toggle TCP-UDP. Click Done.

Now right click on your SSH Server entry again. Select Drive. It pre-selects to AFP but you can choose another protocol as needed. Be sure to enter a path. This should be one of your shares. Also be sure to enter the account information too.

Now... look for Profiles. Right click and select Profile. Enter a Profile Name. Now right click the Profile that you created and select Drive. In the resulting pulldown menu select the AFP entry that corresponds to your SSH Server. It should be afp://hostname/pathtodirectory and click Done.

Now... highlight the Profile name that you created under Profile. Look for the start / stop buttons under Properties. Click start. Toggle the Control tab to watch as your tunnel connects. It may take a few seconds. Once it is connected switch to finder and look for the connected drive under Devices. You will likely need to drill down by clicking on the computer icon under devices. You should see your mounted tunnel here. You should also be able to access your NAS via the Shared devices assuming that your NAS broadcasts via bonjour.
robzr
Starting out
Posts: 30
Joined: Sat Jul 17, 2010 7:50 am

Re: [How To] AFP via SSH Tunnel

Post by robzr »

This can also be done with standard OS X command line tools. The following two commands can be run in a terminal window without administrator privileges:

dns-sd -R FileServer _afpovertcp._tcp . 5548 >/dev/null &
ssh -gNL \*:5548:127.0.0.1:548 username@remote.host.com

If you use ssh keys (see ssh-keygen) it can be done entirely non-interactively.

Rob
rory
Know my way around
Posts: 212
Joined: Tue Feb 12, 2008 11:52 am

Re: [How To] AFP via SSH Tunnel

Post by rory »

Yup. Almost VPN is a GUI. It does a bit more as it allows for scripting and alerts if the connection is lost. My command line skills are intermediate at best so I found this tool pretty useful.
nxt
Starting out
Posts: 10
Joined: Thu Sep 02, 2010 3:53 am

Re: [How To] AFP via SSH Tunnel

Post by nxt »

I have followed the tutorial and it works really well when I am on my local network, but when I am on a different network, it establishes the ssh tunnel but fails to mount the AFP share. Any ideas, what have I done wrong?
rory
Know my way around
Posts: 212
Joined: Tue Feb 12, 2008 11:52 am

Re: [How To] AFP via SSH Tunnel

Post by rory »

Can you ssh in from the remote network and mount via terminal?
xoxox

Re: [How To] AFP via SSH Tunnel

Post by xoxox »

I know the thread is old, but here is the easy way.
Absolutely no need for some strange gui tools, just open the terminal:

dns-sd -R QNap _afpovertcp._tcp . 12345 > /dev/null &
This announces the new afp share via bonjour.

ssh -gNL 12345:127.0.0.1:548 admin@remote.host.com
This opens the ssh connection with the tunnel.
Of course change username/address.

Works with my 119P+ and Mac OS X Lion.
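
Added example, not part of any post in this thread: the command-line recipes from robzr and xoxox both pass -g (and robzr's also binds to *), which per ssh(1) makes the forwarded AFP port listen on every interface of the Mac rather than loopback only. The function below (forward_exposure is a hypothetical name) classifies an ssh -L forward spec by where it will listen, so a tunnel command can be checked before it is run.

```shell
#!/bin/sh
# Added example, not from the thread. Classifies where an `ssh -L` forward
# listens, using the bind rules in ssh(1). IPv4/hostname specs only
# (bracketed IPv6 is out of scope). forward_exposure is a hypothetical name.
#   $1 = yes|no  (was -g given?)    $2 = the -L forward spec
forward_exposure() {
    g_flag=$1
    spec=$2
    # Number of ':' separators tells us whether a bind_address is present.
    colons=$(( $(printf '%s' "$spec" | tr -cd ':' | wc -c) ))
    case $colons in
        2)  # port:host:hostport -> bind follows GatewayPorts, which -g enables
            if [ "$g_flag" = yes ]; then
                echo all-interfaces
            else
                echo loopback
            fi ;;
        3)  # bind_address:port:host:hostport -> the explicit address is used
            bind=${spec%%:*}
            case $bind in
                ''|'*')          echo all-interfaces ;;
                localhost|127.*) echo loopback ;;
                *)               echo "address:$bind" ;;
            esac ;;
        *)  echo malformed
            return 2 ;;
    esac
}

# Forward specs as posted in the thread, then a loopback-only variant.
echo "robzr:  $(forward_exposure yes '*:5548:127.0.0.1:548')"
echo "xoxox:  $(forward_exposure yes '12345:127.0.0.1:548')"
echo "pinned: $(forward_exposure no '127.0.0.1:5548:127.0.0.1:548')"
```

The loopback-only form of robzr's tunnel would be ssh -N -L 127.0.0.1:5548:127.0.0.1:548 username@remote.host.com; whether the Bonjour entry registered with dns-sd still connects through a loopback-only listener is not covered by the thread.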