20200726: Difference between revisions
From charlesreid1
(→Tinc) |
|||
| (20 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
==Notes== | ==Notes== | ||
network/domain/dns questions | |||
* pod private wiki requires a domain | * pod private wiki requires a domain | ||
* that requires network interfaces and ip addresses to be set up | * that requires network interfaces and ip addresses to be set up | ||
tinc | |||
* installing tinc natively, whole point is to avoid fuss | * installing tinc natively, whole point is to avoid fuss | ||
* | * doesn't feel particularly secure, but it's all public/private key infra, soooo | ||
* | * tinc is more limited, requires clients to have tinc installed and keys copied | ||
* | * to get around that, create dorky socks proxy server that handles traffic to the wiki | ||
bespin setup: | |||
* bespin runs own dns server | |||
* bespin.charles points to itself | |||
* bespin.charles/wiki is wiki endpoint | |||
* bespin connects to dorky via tinc, 10.6.0.10 | |||
* bespin has a self-signed ssl certificate for bespin.charles | |||
On bespin: | dorky setup: | ||
* dorky has a dns server bound to tinc interface - tinc dnsmasq | |||
* dorky.charles points to itself | |||
* dorky gets connection from bespin via tinc, 10.6.0.1 | |||
* dorky has a charlesreid1.party certificate | |||
* dorky runs a socks server | |||
* dorky forwards packets between socks tunnel and tinc tunnel | |||
* dns requests forwarded thru socks tunnel are handled by tinc dnsmasq | |||
===Tinc on bespin and dorky=== | |||
{{Main|Tinc}} | |||
On bespin (behind NAT): | |||
<pre> | <pre> | ||
| Line 34: | Line 55: | ||
</pre> | </pre> | ||
On dorky: | On dorky (public IP): | ||
<pre> | <pre> | ||
| Line 56: | Line 77: | ||
dorky | dorky | ||
</pre> | </pre> | ||
===Bespin=== | |||
====Bespin DNS server==== | |||
Bespin is running its own DNS server - PiHole in a docker conainer. | |||
This needs a new DNS record, so bespin.charles will point to bespin's tinc IP address, 10.6.0.10. | |||
Adding custom DNS entries to PiHole: https://github.com/pi-hole/pi-hole/issues/975#issuecomment-281027117 | |||
Open a shell in the PiHole container. Create a new dnsmasq configuration file with the following contents: | |||
<code>/etc/dnsmasq.d/charles.conf</code> | |||
<pre> | |||
address=/bespin.charles/10.6.0.10 | |||
address=/dorky.charles/10.6.0.1 | |||
</pre> | |||
To do this with commands: | |||
<pre> | |||
$ docker exec -it e0dedd5f8129 /bin/bash | |||
# echo "address=/bespin.charles/10.6.0.10" > /etc/dnsmasq.d/charles.conf | |||
# echo "address=/dorky.charles/10.6.0.1" >> /etc/dnsmasq.d/charles.conf | |||
</pre> | |||
Restart the container: | |||
<pre> | |||
sudo systemctl restart pihole | |||
</pre> | |||
Test that it works by doing a dig lookup of bespin.charles, specifying the pihole as the DNS server: | |||
<pre> | |||
dig bespin.charles @127.53.0.1 | |||
</pre> | |||
====Bespin tinc connection to dorky==== | |||
Ensure this is okay by pinging other side of tunnel. From 10.6.0.10: | |||
<pre> | |||
ping 10.6.0.1 | |||
</pre> | |||
and vice versa. | |||
====Bespin self-signed SSL cert==== | |||
To create a self-signed certificate for bespin.charles: | |||
Guide: https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-apache-in-ubuntu-20-04 | |||
<pre> | |||
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/selfsigned-cert.key -out /etc/ssl/certs/selfsigned-cert.crt | |||
</pre> | |||
Breakdown: | |||
* using openssl tool | |||
* x509 cert signing request | |||
* nodes means skip passphrase protection | |||
* days is number of days valid | |||
* 2048 bit key | |||
* keyout is output file for key | |||
* out is output file for cert | |||
Now we are ready to set up the private wiki container. | |||
==Thing 1== | |||
===stock image wpa supplicant=== | |||
stock ubuntu rpi image, populated wpa supplicant | |||
no response, no ip. checked the logs. it was trying to get an ip of 169.254.x.y??? | |||
===disable dhcpcd=== | |||
removed dhcpcd service | |||
but now we won't get an ip on wlan0 | |||
to fix that, enable the rc.local service | |||
call dhclient from the rc.local file | |||
<code>/etc/rc.local</code> | |||
<pre> | |||
sleep 3 | |||
dhclient wlan0 | |||
exit 0 | |||
</pre> | |||
enabled wpa supplicant in the network interfaces file (b/c dhcpcd disabled, we can use <code>/etc/network/interfaces</code>): | |||
<code>/etc/network/interfaces</code> | |||
<pre> | |||
source-directory /etc/network/interfaces.d | |||
allow-hotplug wlan0 | |||
iface wlan0 inet dhcp | |||
wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf | |||
</pre> | |||
this worked. amazing. | |||
==MediaWiki fix== | |||
ran into a problem with the mediawiki container - the database was not being restored so it had no structure | |||
had to add mw-config directory from mw tarball | |||
also had to set up alias for /wiki/mw-config in apache config file | |||
finally able to download the file (it was adding :8989 to end) | |||
had to use bespin.cloud - https only via nginx, no cert for ip addr | |||
==Related== | ==Related== | ||
Latest revision as of 02:35, 27 July 2020
Notes
network/domain/dns questions
- pod private wiki requires a domain
- that requires network interfaces and ip addresses to be set up
tinc
- installing tinc natively, whole point is to avoid fuss
- doesn't feel particularly secure, but it's all public/private key infra, soooo
- tinc is more limited, requires clients to have tinc installed and keys copied
- to get around that, create dorky socks proxy server that handles traffic to the wiki
bespin setup:
- bespin runs own dns server
- bespin.charles points to itself
- bespin.charles/wiki is wiki endpoint
- bespin connects to dorky via tinc, 10.6.0.10
- bespin has a self-signed ssl certificate for bespin.charles
dorky setup:
- dorky has a dns server bound to tinc interface - tinc dnsmasq
- dorky.charles points to itself
- dorky gets connection from bespin via tinc, 10.6.0.1
- dorky has a charlesreid1.party certificate
- dorky runs a socks server
- dorky forwards packets between socks tunnel and tinc tunnel
- dns requests forwarded thru socks tunnel are handled by tinc dnsmasq
Tinc on bespin and dorky
Main article: Tinc
On bespin (behind NAT):
$ cd /etc/tinc/master $ cat tinc.conf Name = bespin AddressFamily = any Mode = switch ConnectTo = dorky $ cat tinc-up #!/bin/sh ifconfig $INTERFACE 10.6.0.10 netmask 255.255.0.0 $ cat tinc-down #!/bin/sh ifconfig $INTERFACE down $ ls hosts/ bespin dorky
On dorky (public IP):
$ cd /etc/tinc/master $ cat tinc.conf Name = dorky AddressFamily = any Mode = switch $ cat tinc-up #!/bin/sh ifconfig $INTERFACE 10.6.0.1 netmask 255.255.0.0 $ cat tinc-down #!/bin/sh ifconfig $INTERFACE down $ ls hosts/ bespin dorky
Bespin
Bespin DNS server
Bespin is running its own DNS server - PiHole in a docker conainer.
This needs a new DNS record, so bespin.charles will point to bespin's tinc IP address, 10.6.0.10.
Adding custom DNS entries to PiHole: https://github.com/pi-hole/pi-hole/issues/975#issuecomment-281027117
Open a shell in the PiHole container. Create a new dnsmasq configuration file with the following contents:
/etc/dnsmasq.d/charles.conf
address=/bespin.charles/10.6.0.10 address=/dorky.charles/10.6.0.1
To do this with commands:
$ docker exec -it e0dedd5f8129 /bin/bash # echo "address=/bespin.charles/10.6.0.10" > /etc/dnsmasq.d/charles.conf # echo "address=/dorky.charles/10.6.0.1" >> /etc/dnsmasq.d/charles.conf
Restart the container:
sudo systemctl restart pihole
Test that it works by doing a dig lookup of bespin.charles, specifying the pihole as the DNS server:
dig bespin.charles @127.53.0.1
Bespin tinc connection to dorky
Ensure this is okay by pinging other side of tunnel. From 10.6.0.10:
ping 10.6.0.1
and vice versa.
Bespin self-signed SSL cert
To create a self-signed certificate for bespin.charles:
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/selfsigned-cert.key -out /etc/ssl/certs/selfsigned-cert.crt
Breakdown:
- using openssl tool
- x509 cert signing request
- nodes means skip passphrase protection
- days is number of days valid
- 2048 bit key
- keyout is output file for key
- out is output file for cert
Now we are ready to set up the private wiki container.
Thing 1
stock image wpa supplicant
stock ubuntu rpi image, populated wpa supplicant
no response, no ip. checked the logs. it was trying to get an ip of 169.254.x.y???
disable dhcpcd
removed dhcpcd service
but now we won't get an ip on wlan0
to fix that, enable the rc.local service
call dhclient from the rc.local file
/etc/rc.local
sleep 3 dhclient wlan0 exit 0
enabled wpa supplicant in the network interfaces file (b/c dhcpcd disabled, we can use /etc/network/interfaces):
/etc/network/interfaces
source-directory /etc/network/interfaces.d allow-hotplug wlan0 iface wlan0 inet dhcp wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf
this worked. amazing.
MediaWiki fix
ran into a problem with the mediawiki container - the database was not being restored so it had no structure
had to add mw-config directory from mw tarball
also had to set up alias for /wiki/mw-config in apache config file
finally able to download the file (it was adding :8989 to end)
had to use bespin.cloud - https only via nginx, no cert for ip addr