Tinc/2018-04-12: Difference between revisions
From charlesreid1
Revision as of 03:05, 13 April 2018
Tincd experiment to debug all the headaches we're having:
- Create three AWS nodes
- Set them up with debian dotfiles
- Install tinc
Now we have a brady bunch.
Following this guide: https://linode.com/docs/networking/vpn/how-to-set-up-tinc-peer-to-peer-vpn/
Step 0: Set Up Nodes
A bit painful. Still need to smooth this out.
Ubuntu flavor of cloud-init will accept bash scripts with a shebang. AWS cloud init will not.
More info: https://stackoverflow.com/a/17827406/463213
Need to mime-encode everything. (Maybe as simple as copying and pasting a URL?)
Cannot customize machine name for curl-pipe-to-bash (had to download, sed -i, replace blackbeard with other, etc.)
The tincd installation script does not pick up the hostname dynamically and does not pick the VPN IP address intelligently: pick a random host number in the 100-200 range (0-100 is reserved; 200+ is the high seas).
Most painful part is, we cannot SSH in. The script is supposed to check for the existence of /home/ubuntu/.ssh/authorized_keys and copy it into our user's authorized_keys, but this did not work. Had to manually SSH into the machine, run the cat command, log out, then try again.
Real solution: have a reserved private/public key pair and hard-code the public key.
Step 1: Prep Nodes
Update aptitude and install the necessary packages:
sudo apt update && sudo apt upgrade
sudo apt -y install build-essential automake libssl-dev liblzo2-dev libbz2-dev zlib1g-dev
Step 2: Install Tinc
Install tinc from source:
#!/bin/bash
cd /tmp
wget https://tinc-vpn.org/packages/tinc-1.0.33.tar.gz
tar -xf tinc-1.0.33.tar.gz
cd tinc-1.0.33
./configure --prefix=
make
sudo make install
Step 3: Set Up Tinc
Create VPN Directory
Create a working directory for our network, which we'll call zombie. Then make a place for the VPN files to live. The regular user should own the hosts directory, otherwise you'll be dealing with some major pain-in-the-ass yak shaving.
export LABEL="zombie"
sudo mkdir -p /etc/tinc/$LABEL/hosts
sudo chown -R charles:charles /etc/tinc/$LABEL/hosts
Create VPN Config
Create config file (modify):
/etc/tinc/$LABEL/tinc.conf:
Name = machineX
Device = /dev/net/tun
AddressFamily = ipv4
ConnectTo = machineY
Create VPN Host Files
Make one host file per machine, on the corresponding machine (modify to use the real public IP address and a VPN subnet address that matches tinc-up):
/etc/tinc/$LABEL/hosts/machineX:
Address = A.B.C.D
Subnet = 10.6.0.W
Note: 10.6.0.W is the unique IP address for machine X on the VPN.
Now you will need to generate a public/private key pair using tinc. The private key will live in /etc/tinc/$LABEL/ and the public key will be added to the machine file in /etc/tinc/$LABEL/hosts.
sudo tincd -n $LABEL -K 4096
Use the default location for both keys. For example, on machine 1:
Please enter a file to save private RSA key to [/etc/tinc/zombie/rsa_key.priv]:
Please enter a file to save public RSA key to [/etc/tinc/zombie/hosts/machine1]:
Aside: Setting Up Passwordless Scp
One of the things you'll need to do is copy the key files from each machine to each other machine.
Before you do this, make sure everything in hosts/ is owned by a regular user:
sudo chown -R charles:charles /etc/tinc/$LABEL/hosts
AWS uses private keys by default, which is a pain in the ass. But with the debian dotfiles and the cloud init script, each node already has a regular user and a private/public key pair for that user, so we're ready to go with passwordless access.
From Machine A:
cat ~/.ssh/id_rsa.pub
Copy this text.
On Machine B:
echo "ssh-rsa AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA charles@machine1" >> ~/.ssh/authorized_keys
Now you can ssh from Machine A into Machine B.
Copy the completed host file to each of the other machines:
scp /etc/tinc/$LABEL/hosts/machineX charles@IP-OF-MACHINE-Y:/etc/tinc/$LABEL/hosts/.
Create VPN Control Scripts
Create control scripts to bring the VPN up/down.
Create tinc-up script (modify the IP address):
/etc/tinc/$LABEL/tinc-up:
#!/bin/sh
ip link set $INTERFACE up
ip addr add 10.6.0.X dev $INTERFACE
ip route add 10.6.0.0/24 dev $INTERFACE
Create tinc-down script:
/etc/tinc/$LABEL/tinc-down:
#!/bin/sh
ip route del 10.6.0.0/24 dev $INTERFACE
ip addr del 10.6.0.X dev $INTERFACE
ip link set $INTERFACE down
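The Step 3 files above, generated from a handful of variables, as an added example that is not code from this page or from the dotfiles repo it links to. It assumes a TINC_ROOT directory (default /etc/tinc) writable by the caller, the 10.6.0.100-200 node range described in Step 0, and a constructed public address 203.0.113.10 for the demo; it also flags two nodes that claim the same VPN address after the hosts/ files have been copied around.

```shell
#!/bin/sh
# Added example, not code from the page or from the author's dotfiles repo:
# generate one node's tinc files from Step 3 and sanity-check the VPN addresses.
# Assumptions: TINC_ROOT (defaults to /etc/tinc) is writable by the caller, and
# nodes use 10.6.0.100-10.6.0.200 as the page describes.
TINC_ROOT="${TINC_ROOT:-/etc/tinc}"

# True only for an integer host number in the 100-200 node range.
valid_vpn_host() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 100 ] && [ "$1" -le 200 ]
}

# Write tinc.conf, hosts/<name>, tinc-up and tinc-down for one node.
# Args: label node_name public_ip vpn_host_number connect_to_name
gen_tinc_node() {
    label="$1"; name="$2"; pubip="$3"; host="$4"; peer="$5"
    valid_vpn_host "$host" || { echo "VPN host number must be 100-200" >&2; return 1; }
    dir="$TINC_ROOT/$label"
    mkdir -p "$dir/hosts"
    # tinc.conf: this node's name and the peer it connects out to.
    printf 'Name = %s\nDevice = /dev/net/tun\nAddressFamily = ipv4\nConnectTo = %s\n' \
        "$name" "$peer" > "$dir/tinc.conf"
    # hosts/<name>: public address plus this node's VPN address; tincd -K appends the key.
    printf 'Address = %s\nSubnet = 10.6.0.%s\n' "$pubip" "$host" > "$dir/hosts/$name"
    # tinc-up/tinc-down use the same VPN address the Subnet line advertises.
    printf '#!/bin/sh\nip link set $INTERFACE up\nip addr add 10.6.0.%s dev $INTERFACE\nip route add 10.6.0.0/24 dev $INTERFACE\n' \
        "$host" > "$dir/tinc-up"
    printf '#!/bin/sh\nip route del 10.6.0.0/24 dev $INTERFACE\nip addr del 10.6.0.%s dev $INTERFACE\nip link set $INTERFACE down\n' \
        "$host" > "$dir/tinc-down"
    chmod 755 "$dir/tinc-up" "$dir/tinc-down"
}

# After the hosts/ files have been scp'd around, print any VPN address claimed twice.
duplicate_subnets() {
    grep -h '^Subnet' "$TINC_ROOT/$1/hosts"/* | sort | uniq -d
}

# Demo when run with TINC_DEMO=1: machine1 at 10.6.0.101 (constructed public IP) dialing machine2.
if [ "${TINC_DEMO:-0}" = "1" ]; then
    gen_tinc_node zombie machine1 203.0.113.10 101 machine2
    duplicate_subnets zombie
fi
```

Run it with TINC_ROOT pointed at a scratch directory first; an empty result from duplicate_subnets after all host files are in place means every node has a distinct VPN address.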
Next Steps
Fix this script: https://git.charlesreid1.com/dotfiles/debian/src/branch/master/dotfiles/scripts/tincd_install.sh