Secure Remote Access

In this tutorial, we show how to access a Mako Server instance deployed within an Intranet from an external location without having to use a VPN or set up port forwarding. The Mako Server includes support for both Let's Encrypt and remote access within the same integrated plugin.

A free supplemental product called SharkTrustX acts as a proxy, enabling two different network locations to communicate. See the SharkTrustX product page for an introduction to how this works.

VPN Free Secure Remote Access

Figure 1: Local HTTPS connection and remote access via SharkTrustX running on VPS.

Before continuing, make sure you have downloaded the Mako Server for your platform and that you know how to start the Mako Server from the command line.

Creating the Configuration File

Start by creating a directory, and in this directory, create a new mako.conf configuration file.

Copy the following and paste the data into mako.conf:

acme={
   acceptterms=true,
   rsa=true,
   email="YOUR-EMAIL-ADDRESS",
   domains={"SUB-DOMAIN"},
   challenge={
      type="dns-01",
      revcon=true -- This enables remote access
   }
}

Before saving the file, change the email address and the sub-domain name "SUB-DOMAIN". The sub-domain name can for example be your full name, but make sure to only use letters, numbers, and hyphens. The email address is required when using the Let's Encrypt service, which lets us operate the server securely when we are on the same network as the server.

When you have saved the file, open a command window in the same directory where you saved mako.conf. Now, simply start the Mako Server without any arguments:

mako
.
.
ACME DNS server name:   local.makoserver.net
Creating new ACME account

The above shows that the Mako Server is now communicating with the online portal and Let's Encrypt. This initial operation takes roughly two minutes. After roughly two minutes, you should see the following printed:

ACME: SUB-DOMAIN.local.makoserver.net renewed

The above means that you now have a secure way to access the server locally by using the domain name printed in the console.

The Online SharkTrustX Portal

The Mako Server has integrated support for local.makoserver.net, a demo portal we have set up. In the end, you would set up your own SharkTrustX server and not use our demo portal. Our demo portal is purely designed for testing/learning purposes and should not be used for deployment.

Accessing the Server Locally

Navigate to the demo portal https://local.makoserver.net

You should see your Mako Server listed on the page. Do not worry: only visitors from your network location can see the server. You can navigate securely (using HTTPS) to your local server by clicking the link on this page. Note that the link expects the server to listen on the default HTTPS port 443. If the link does not work, append the HTTPS port number the server is actually listening on to the end of the URL, e.g. :9443.

If the domain name does not work, your network may use a type of DNS filtering that blocks the translation of DNS names to internal IP addresses. This filtering must be turned off if you plan on using the domain name designed for local use. Older browsers were susceptible to DNS rebinding attacks, and blocking the resolution of public names to internal IP addresses helped keep those older browsers secure.

Accessing the Server Remotely

Navigate to the demo portal https://local.makoserver.net

Click the login button and either sign in with a Microsoft account or click "Create an account" to create a portal account.

Initially, make sure you sign into the online portal from the same location as the connected Mako Server. The online portal automatically grants you access to any device that is connected from the same Intranet. This grant is saved in the online portal's database.

After signing into the portal from the same Intranet, try signing into the portal from another Intranet. The easiest way to do this is to use your phone with WiFi turned off. When the WiFi is off, you will be accessing the online portal from your mobile network provider's network.

The domain name provided in the link in the portal to your Mako Server will be different when accessing the portal from another network. The link provided will have the following form:

https://c67c502bd10693392480fe407de43469.local.makoserver.net/

The sub-domain name is now a random value with 128 bits of entropy. This domain name changes automatically every 12 hours; thus you must always navigate to the online portal and log in to get a fresh link.

A reverse connection bridge is initiated when the above link is clicked, enabling the user to access a server in another network. All traffic between the user and the destination server is routed via the online connection bridge.

What Have We Done?

You have been given a brief introduction to SharkTrustX. The Mako Server includes a crypto security module hardwired for the domain local.makoserver.net. The Mako Server also includes a soft crypto module that lets you use a different portal. You can use a different portal by adding the following settings in mako.conf:

  • challenge.servername - The portal domain name
  • challenge.key - Portal registration key
  • challenge.secret - Portal secret

See the Mako Server's Let's Encrypt settings for details on the above.
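The following mako.conf is an added example of what the three portal settings above look like in place; it is not a configuration file taken from this tutorial or from the Mako Server distribution. The portal name, key and secret are placeholders that you obtain from the administrator of the SharkTrustX portal you are registering with (the Mako Server configuration file uses Lua table syntax, as in the acme block earlier on this page).

```lua
-- mako.conf (added example): same ACME settings as earlier in this tutorial,
-- but pointed at a self-hosted SharkTrustX portal instead of the demo portal.
acme={
   acceptterms=true,
   rsa=true,
   email="YOUR-EMAIL-ADDRESS",          -- required by Let's Encrypt
   domains={"SUB-DOMAIN"},               -- letters, numbers and hyphens only
   challenge={
      type="dns-01",
      revcon=true,                       -- enables the remote connection bridge
      -- The three portal settings described above (placeholder values):
      servername="portal.example.com",   -- your own SharkTrustX portal
      key="PORTAL-REGISTRATION-KEY",     -- issued by the portal administrator
      secret="PORTAL-SECRET"             -- keep this file readable only by the
                                         -- account that runs the Mako Server
   }
}
```

Because the key and secret authenticate your server to the portal, treat mako.conf like a credential file: restrict its file permissions and keep it out of source control.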

The domain local.makoserver.net is one of several portals hosted by https://sharktrustx.realtimelogic.com. You can add your own portal (domain name) to this server and be the administrator for the portal. How to set up a new domain name (new portal) is explained in the more detailed Let's Encrypt tutorial.

Note that the portals hosted by our demo server should not be used for production. We may from time to time disrupt this service when testing new features. Instead, you should host your own SharkTrustX server on your own cloud server. See the SharkTrustX Github page for details.

Security

SharkTrustX makes the domain name of your server's remote connection bridge virtually impossible to guess, since the random sub-domain has 128 bits of entropy. Having said that, a server available via the remote connection bridge should, from a security perspective, be considered equivalent to a server exposed via port forwarding. You must implement authentication if you have a server-side web application that can do real work. A static web page such as the Mako Server's integrated hello page is safe to show anyone without authentication.
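As an added example of the authentication requirement stated above (this code is not part of the tutorial or of the Mako Server distribution), the following .preload script protects every resource of a Mako Server application with a login. It assumes the Barracuda App Server API functions ba.create.jsonuser, ba.create.authenticator and the application directory method dir:setauth, and the user entry is a constructed placeholder that must be replaced before deployment.

```lua
-- .preload for a Mako Server application (added example).
-- Assumed API: ba.create.jsonuser(), jsonuser:set(), ba.create.authenticator()
-- and dir:setauth() from the Barracuda App Server; 'dir' is the application's
-- directory object that the Mako Server provides to .preload.

-- Constructed user database: one administrator account. Replace the
-- placeholder password with a strong one; never ship a default password.
local userdb = ba.create.jsonuser()
userdb:set{
   admin = {
      pwd = "CHANGE-ME-STRONG-PASSWORD",
      roles = { "admin" },
      maxusers = 1,     -- at most one concurrent session for this account
      recycle = true    -- a new login replaces the old session
   }
}

-- Form-based authenticator: unauthenticated requests are redirected to a
-- login page instead of being served. Use "digest" or "basic" if the
-- clients are non-browser tools rather than people.
local authenticator = ba.create.authenticator(userdb, { type = "form" })

-- Apply the authenticator to the whole application directory. Because the
-- SharkTrustX bridge forwards requests to this same directory, remote
-- visitors are challenged exactly like local ones.
dir:setauth(authenticator)
```

The important design point is that the check is attached to the directory, not to individual pages, so a new resource added to the application cannot accidentally be published without authentication. Validate the setup by opening the application through the 128-bit bridge link while logged out of the application; the login page, not the application, must be what you see.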

Posted in Tutorials