From charlesreid1

Notes

network/domain/dns questions

  • pod private wiki requires a domain
  • that requires network interfaces and ip addresses to be set up

tinc

  • installing tinc natively, whole point is to avoid fuss
  • doesn't feel particularly secure, but it's all public/private key infra, soooo
  • tinc is more limited, requires clients to have tinc installed and keys copied
  • to get around that, run a SOCKS proxy server on dorky that handles traffic to the wiki

bespin setup:

  • bespin runs own dns server
  • bespin.charles points to itself
  • bespin.charles/wiki is wiki endpoint
  • bespin connects to dorky via tinc, 10.6.0.10
  • bespin has a self-signed ssl certificate for bespin.charles

dorky setup:

  • dorky has a dns server bound to tinc interface - tinc dnsmasq
  • dorky.charles points to itself
  • dorky gets connection from bespin via tinc, 10.6.0.1
  • dorky has a charlesreid1.party certificate
  • dorky runs a socks server
  • dorky forwards packets between socks tunnel and tinc tunnel
  • dns requests forwarded through the socks tunnel are handled by tinc dnsmasq

Tinc on bespin and dorky

On bespin (behind NAT):

$ cd /etc/tinc/master

$ cat tinc.conf
Name = bespin
AddressFamily = any
Mode = switch
ConnectTo = dorky

$ cat tinc-up
#!/bin/sh
ifconfig $INTERFACE 10.6.0.10 netmask 255.255.0.0

$ cat tinc-down
#!/bin/sh
ifconfig $INTERFACE down

$ ls hosts/
bespin
dorky

On dorky (public IP):

$ cd /etc/tinc/master

$ cat tinc.conf
Name = dorky
AddressFamily = any
Mode = switch

$ cat tinc-up
#!/bin/sh
ifconfig $INTERFACE 10.6.0.1 netmask 255.255.0.0

$ cat tinc-down
#!/bin/sh
ifconfig $INTERFACE down

$ ls hosts/
bespin
dorky
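Before starting tincd it is worth checking the network directory for the usual mistakes: the peer named in ConnectTo needs its host file copied over, and that host file must carry an Address line, or bespin has nothing to connect to. The preflight script below is an added example, not part of the original notes or of tinc itself; it builds a constructed copy of bespin's /etc/tinc/master in a temp directory (placeholder key material, 203.0.113.10 standing in for dorky's public IP) and checks it.

```shell
#!/bin/sh
# Added example, not from the original notes: a preflight check for a tinc
# network directory such as /etc/tinc/master. It reads Name and ConnectTo
# from tinc.conf and checks that our own host file exists, that a private
# key is present, and that every ConnectTo peer has a host file carrying
# an Address line (tinc needs one to reach a peer it connects to) and a
# public key. The sample directory built below is constructed for the
# example: the key material is a placeholder and 203.0.113.10 is a
# documentation address standing in for dorky's public IP.

# Print the value of "Key = value" from a tinc config file (first match).
tinc_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Check a tinc network directory. Prints each problem found; returns 0
# when the directory looks ready for "tincd -n <net>".
tinc_preflight() {
    dir="$1"; ok=0
    name=$(tinc_get "$dir/tinc.conf" Name)
    if [ -z "$name" ]; then
        echo "tinc.conf: Name is missing"; return 1
    fi
    [ -f "$dir/hosts/$name" ] || { echo "hosts/$name: own host file missing"; ok=1; }
    [ -f "$dir/rsa_key.priv" ] || [ -f "$dir/ed25519_key.priv" ] \
        || { echo "$dir: no private key (rsa_key.priv / ed25519_key.priv)"; ok=1; }
    for peer in $(sed -n 's/^[[:space:]]*ConnectTo[[:space:]]*=[[:space:]]*//p' "$dir/tinc.conf"); do
        hf="$dir/hosts/$peer"
        if [ ! -f "$hf" ]; then
            echo "hosts/$peer: missing (copy it over from $peer)"; ok=1; continue
        fi
        [ -n "$(tinc_get "$hf" Address)" ] \
            || { echo "hosts/$peer: no Address line, ConnectTo = $peer cannot work"; ok=1; }
        grep -Eq 'PUBLIC KEY|^Ed25519PublicKey' "$hf" \
            || { echo "hosts/$peer: no public key"; ok=1; }
    done
    return $ok
}

# Build a constructed copy of bespin's /etc/tinc/master for the demo.
make_sample_net() {
    dir="$1"
    mkdir -p "$dir/hosts"
    printf 'Name = bespin\nAddressFamily = any\nMode = switch\nConnectTo = dorky\n' > "$dir/tinc.conf"
    printf '# placeholder, not a real key\n' > "$dir/rsa_key.priv"
    printf -- '-----BEGIN RSA PUBLIC KEY-----\nPLACEHOLDER\n-----END RSA PUBLIC KEY-----\n' \
        > "$dir/hosts/bespin"
    printf -- 'Address = 203.0.113.10\n-----BEGIN RSA PUBLIC KEY-----\nPLACEHOLDER\n-----END RSA PUBLIC KEY-----\n' \
        > "$dir/hosts/dorky"
}

# Stand-alone run: build the sample directory and check it.
sample=$(mktemp -d)
make_sample_net "$sample"
tinc_preflight "$sample" && echo "$sample: preflight OK"
```

On a real host, run `tinc_preflight /etc/tinc/master` on both bespin and dorky; on dorky there is no ConnectTo, so only the own-host-file and private-key checks apply.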

Bespin

Bespin DNS server

Bespin is running its own DNS server - PiHole in a docker container.

This needs a new DNS record, so bespin.charles will point to bespin's tinc IP address, 10.6.0.10.

Adding custom DNS entries to PiHole: https://github.com/pi-hole/pi-hole/issues/975#issuecomment-281027117

Open a shell in the PiHole container. Create a new dnsmasq configuration file with the following contents:

/etc/dnsmasq.d/charles.conf

address=/bespin.charles/10.6.0.10
address=/dorky.charles/10.6.0.1

To do this with commands:

$ docker exec -it e0dedd5f8129 /bin/bash
# echo "address=/bespin.charles/10.6.0.10" > /etc/dnsmasq.d/charles.conf
# echo "address=/dorky.charles/10.6.0.1" >> /etc/dnsmasq.d/charles.conf

Restart the container:

sudo systemctl restart pihole

Test that it works by doing a dig lookup of bespin.charles, specifying the pihole as the DNS server:

dig bespin.charles @127.53.0.1
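The two address= lines above are easy to get wrong by hand, and a .charles name that points at a public address would send wiki traffic outside the tunnel. The script below is an added example (not from the original notes and not part of PiHole or dnsmasq): it generates charles.conf from a small host table, checks that every entry maps a .charles name to an address in the 10.6.0.0/16 tinc subnet from the tinc-up scripts, and provides a dig-based resolver check for after the container restart. The host table and temp file are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original page): generate the dnsmasq
# "address=/name/ip" lines for the .charles zone and sanity-check them
# before dropping them into the PiHole container.
#
# Assumptions (constructed for this example): the tinc subnet is
# 10.6.0.0/16 as in the tinc-up scripts, the private zone is ".charles",
# and the host table below is the one PiHole should serve.

ZONE="charles"
TINC_PREFIX="10.6."          # 10.6.0.0/16 from tinc-up

# Host table: "name ip" per line (constructed sample input).
HOSTS="bespin 10.6.0.10
dorky 10.6.0.1"

# Emit one dnsmasq address= line per host.
gen_dnsmasq_conf() {
    printf '%s\n' "$HOSTS" | while read -r name ip; do
        [ -n "$name" ] || continue
        printf 'address=/%s.%s/%s\n' "$name" "$ZONE" "$ip"
    done
}

# Validate a dnsmasq conf: every address= line must map a name in our
# zone to an address inside the tinc subnet. Returns 0 if all lines pass,
# 1 otherwise (and prints the offending lines).
check_dnsmasq_conf() {
    file="$1"
    status=0
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;
        esac
        name=$(printf '%s' "$line" | sed -n 's|^address=/\([^/]*\)/.*$|\1|p')
        ip=$(printf '%s' "$line" | sed -n 's|^address=/[^/]*/\([0-9.]*\)$|\1|p')
        case "$name" in
            *."$ZONE") ;;
            *) echo "bad zone: $line"; status=1; continue ;;
        esac
        case "$ip" in
            "$TINC_PREFIX"*) ;;
            *) echo "not a tinc address: $line"; status=1 ;;
        esac
    done < "$file"
    return $status
}

# Ask a specific resolver (the PiHole at 127.53.0.1 in the notes) for a
# name and compare with the expected address. Needs dig and a running
# resolver, so it is not called in the stand-alone run below.
check_resolution() {
    name="$1"; expected="$2"; resolver="${3:-127.53.0.1}"
    got=$(dig +short "$name" "@$resolver" | head -n 1)
    [ "$got" = "$expected" ]
}

# Stand-alone run: write the generated conf to a temp file and check it.
tmpconf=$(mktemp)
gen_dnsmasq_conf > "$tmpconf"
cat "$tmpconf"
check_dnsmasq_conf "$tmpconf" && echo "charles.conf OK"
```

Once the file is in /etc/dnsmasq.d inside the container and pihole has been restarted, `check_resolution bespin.charles 10.6.0.10` is the scripted form of the dig test above.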

Bespin tinc connection to dorky

Ensure this is okay by pinging the other side of the tunnel. From 10.6.0.10:

ping 10.6.0.1

and vice versa.

Bespin self-signed SSL cert

To create a self-signed certificate for bespin.charles:

Guide: https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-apache-in-ubuntu-20-04

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/selfsigned-cert.key -out /etc/ssl/certs/selfsigned-cert.crt

Breakdown:

  • req is the openssl request/certificate subcommand
  • -x509 outputs a self-signed certificate instead of a certificate signing request
  • -nodes means skip passphrase protection on the key
  • -days is the number of days the certificate is valid
  • -newkey rsa:2048 generates a new 2048-bit RSA key
  • -keyout is the output file for the key
  • -out is the output file for the cert
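Modern browsers match the hostname against the certificate's subjectAltName, not the CN, so the command above is usually run with a SAN added. The script below is an added example, not from the original notes or the linked guide: it wraps the same openssl req command with -subj and -addext for bespin.charles, locks down the key file mode, and adds three checks (SAN matches the host, the cert verifies as self-signed, the lifetime is what was asked for). Writing into a temp directory instead of /etc/ssl is an assumption so that it runs anywhere; on bespin use the paths from the command above.

```shell
#!/bin/sh
# Added example (not from the original page): create a self-signed
# certificate for bespin.charles that also carries a subjectAltName,
# then inspect and verify it. The 365-day lifetime and the file names
# come from the openssl command in the notes; the output directory is an
# assumption (a temp dir here instead of /etc/ssl so this runs anywhere).

HOST="bespin.charles"
DAYS=365

# Generate key + cert. -addext adds a SAN (OpenSSL 1.1.1+), which clients
# require to match the hostname; CN alone is not enough any more.
make_selfsigned() {
    outdir="$1"; host="$2"; days="${3:-365}"
    openssl req -x509 -nodes -days "$days" -newkey rsa:2048 \
        -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host" \
        -keyout "$outdir/selfsigned-cert.key" \
        -out "$outdir/selfsigned-cert.crt" 2>/dev/null || return 1
    # The private key should be readable by root (or the web server) only.
    chmod 600 "$outdir/selfsigned-cert.key"
}

# Does the cert's SAN match the hostname we will serve?
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Does the cert verify with itself as the only trust anchor (self-signed)?
cert_is_selfsigned() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Will the cert still be valid in N days? (exit 0 = yes)
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Stand-alone run: generate into a temp dir and show what we got.
tmpdir=$(mktemp -d)
make_selfsigned "$tmpdir" "$HOST" "$DAYS"
openssl x509 -in "$tmpdir/selfsigned-cert.crt" -noout -subject -issuer -enddate -ext subjectAltName
cert_matches_host "$tmpdir/selfsigned-cert.crt" "$HOST" && echo "SAN matches $HOST"
cert_is_selfsigned "$tmpdir/selfsigned-cert.crt" && echo "self-signed: verifies against itself"
```

The checks are the same ones to run against /etc/ssl/certs/selfsigned-cert.crt on bespin after the real command; clients will still warn about the unknown issuer until the cert is imported as trusted, but they should no longer complain about a hostname mismatch.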

Now we are ready to set up the private wiki container.

Related

Tinc