20200726: Difference between revisions

Notes

network/domain/dns questions

• pod private wiki requires a domain
• that requires network interfaces and ip addresses to be set up

tinc

• installing tinc natively, whole point is to avoid fuss
• doesn't feel particularly secure, but it's all public/private key infra, soooo
• tinc is more limited, requires clients to have tinc installed and keys copied
• to get around that, create dorky socks proxy server that handles traffic to the wiki

bespin setup:

• bespin runs own dns server
• bespin.charles points to itself
• bespin.charles/wiki is wiki endpoint
• bespin connects to dorky via tinc, 10.6.0.10
• bespin has a self-signed ssl certificate for bespin.charles

dorky setup:

• dorky has a dns server bound to tinc interface - tinc dnsmasq
• dorky.charles points to itself
• dorky gets connection from bespin via tinc, 10.6.0.1
• dorky has a charlesreid1.party certificate
• dorky runs a socks server
• dorky forwards packets between socks tunnel and tinc tunnel
• dns requests forwarded thru socks tunnel are handled by tinc dnsmasq

Tinc on bespin and dorky

On bespin (behind NAT):

$ cd /etc/tinc/master

$ cat tinc.conf
Name = bespin
AddressFamily = any
Mode = switch
ConnectTo = dorky

$ cat tinc-up
#!/bin/sh
ifconfig $INTERFACE 10.6.0.10 netmask 255.255.0.0

$ cat tinc-down
#!/bin/sh
ifconfig $INTERFACE down

$ ls hosts/
bespin
dorky

On dorky (public IP):

$ cd /etc/tinc/master

$ cat tinc.conf
Name = dorky
AddressFamily = any
Mode = switch

$ cat tinc-up
#!/bin/sh
ifconfig $INTERFACE 10.6.0.1 netmask 255.255.0.0

$ cat tinc-down
#!/bin/sh
ifconfig $INTERFACE down

$ ls hosts/
bespin
dorky

Bespin

bespin is running its own dns server

dns record for bespin.charles to point to itself

bespin connects to dorky via tinc, 10.6.0.10 (everything ok here)

bespin has self-signed ssl cert for bespin.charles

Related

Tinc