From charlesreid1

Notes

network/domain/dns questions

  • pod private wiki requires a domain
  • that requires network interfaces and ip addresses to be set up

tinc

  • installing tinc natively, whole point is to avoid fuss
  • doesn't feel particularly secure, but it's all public/private key infra, soooo
  • tinc is more limited, requires clients to have tinc installed and keys copied
  • to get around that, create dorky socks proxy server that handles traffic to the wiki

bespin setup:

  • bespin runs own dns server
  • bespin.charles points to itself
  • bespin.charles/wiki is wiki endpoint
  • bespin connects to dorky via tinc, 10.6.0.10
  • bespin has a self-signed ssl certificate for bespin.charles

dorky setup:

  • dorky has a dns server bound to tinc interface - tinc dnsmasq
  • dorky.charles points to itself
  • dorky gets connection from bespin via tinc, 10.6.0.1
  • dorky has a charlesreid1.party certificate
  • dorky runs a socks server
  • dorky forwards packets between socks tunnel and tinc tunnel
  • dns requests forwarded through the socks tunnel are handled by tinc dnsmasq

Tinc on bespin and dorky

On bespin (behind NAT):

$ cd /etc/tinc/master

$ cat tinc.conf
Name = bespin
AddressFamily = any
Mode = switch
ConnectTo = dorky

$ cat tinc-up
#!/bin/sh
ifconfig $INTERFACE 10.6.0.10 netmask 255.255.0.0

$ cat tinc-down
#!/bin/sh
ifconfig $INTERFACE down

$ ls hosts/
bespin
dorky

On dorky (public IP):

$ cd /etc/tinc/master

$ cat tinc.conf
Name = dorky
AddressFamily = any
Mode = switch

$ cat tinc-up
#!/bin/sh
ifconfig $INTERFACE 10.6.0.1 netmask 255.255.0.0

$ cat tinc-down
#!/bin/sh
ifconfig $INTERFACE down

$ ls hosts/
bespin
dorky
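Added example (not from the original page, nor from tinc itself): a sanity check for a tinc netname directory like /etc/tinc/master, following the layout above (tinc.conf with Name= and an optional ConnectTo=, executable tinc-up/tinc-down, and hosts/<node> files holding each node's public key). The point worth checking before starting tincd is that every peer you will talk to has a key file, and that the node named in ConnectTo has an Address line, since that is where the daemon actually dials. The fixture function is constructed sample input with placeholder key blocks, not real key material, and the Address value is an assumption.

```shell
#!/bin/sh
# Added example, not from the page: validate a tinc netname directory.
# Assumes the /etc/tinc/<netname> layout shown above (tinc.conf, tinc-up,
# tinc-down, hosts/<node>). The fixture below is constructed; keys are placeholders.

check_tinc_node() {
    dir=$1
    errors=0
    conf="$dir/tinc.conf"
    [ -r "$conf" ] || { echo "missing $conf"; return 1; }

    # Name = <node>; tolerate whitespace around '='
    name=$(sed -n 's/^[[:space:]]*Name[[:space:]]*=[[:space:]]*//p' "$conf" | head -n 1)
    if [ -z "$name" ]; then
        echo "tinc.conf: no Name line"; errors=$((errors + 1))
    elif [ ! -r "$dir/hosts/$name" ]; then
        echo "hosts/$name: missing (this node's own host file)"; errors=$((errors + 1))
    fi

    # tincd executes these after creating the interface, so they must be executable
    for s in tinc-up tinc-down; do
        [ -x "$dir/$s" ] || { echo "$s: not executable"; errors=$((errors + 1)); }
    done

    # Every host file must carry a public key (RSA PEM block in tinc 1.0,
    # Ed25519PublicKey line in tinc 1.1); a peer without one cannot be authenticated
    for h in "$dir"/hosts/*; do
        [ -f "$h" ] || continue
        n=$(grep -c -E 'BEGIN .*PUBLIC KEY|^Ed25519PublicKey' "$h" || true)
        [ "$n" -ge 1 ] || { echo "hosts/$(basename "$h"): no public key"; errors=$((errors + 1)); }
    done

    # Each ConnectTo target needs a host file with an Address line to dial
    for peer in $(sed -n 's/^[[:space:]]*ConnectTo[[:space:]]*=[[:space:]]*//p' "$conf"); do
        if [ ! -r "$dir/hosts/$peer" ]; then
            echo "ConnectTo = $peer but hosts/$peer is missing"; errors=$((errors + 1))
        elif ! grep -q '^[[:space:]]*Address[[:space:]]*=' "$dir/hosts/$peer"; then
            echo "hosts/$peer: no Address line, cannot ConnectTo it"; errors=$((errors + 1))
        fi
    done
    return $errors
}

# Throwaway copy of the bespin layout from the page (constructed; the Address
# value is a placeholder and the key blocks are not real keys)
make_tinc_fixture() {
    d=$(mktemp -d)
    mkdir "$d/hosts"
    printf 'Name = bespin\nAddressFamily = any\nMode = switch\nConnectTo = dorky\n' > "$d/tinc.conf"
    printf '#!/bin/sh\nifconfig $INTERFACE 10.6.0.10 netmask 255.255.0.0\n' > "$d/tinc-up"
    printf '#!/bin/sh\nifconfig $INTERFACE down\n' > "$d/tinc-down"
    chmod +x "$d/tinc-up" "$d/tinc-down"
    printf -- '-----BEGIN RSA PUBLIC KEY-----\nPLACEHOLDER\n-----END RSA PUBLIC KEY-----\n' > "$d/hosts/bespin"
    printf 'Address = dorky.example.invalid\n-----BEGIN RSA PUBLIC KEY-----\nPLACEHOLDER\n-----END RSA PUBLIC KEY-----\n' > "$d/hosts/dorky"
    echo "$d"
}

if [ "${1:-}" = "--demo" ]; then
    d=$(make_tinc_fixture)
    check_tinc_node "$d" && echo "$d: ok"
fi
```

Run it with `--demo` to see the constructed fixture pass; point `check_tinc_node` at /etc/tinc/master on each box to check the real directories. The return value is the number of problems found, so it drops straight into a pre-start script.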

Bespin

Bespin DNS server

Bespin is running its own DNS server - PiHole in a Docker container.

This needs a new DNS record, so bespin.charles will point to bespin's tinc IP address, 10.6.0.10.

Adding custom DNS entries to PiHole: https://github.com/pi-hole/pi-hole/issues/975#issuecomment-281027117

Open a shell in the PiHole container. Create a new dnsmasq configuration file with the following contents:

/etc/dnsmasq.d/charles.conf

address=/bespin.charles/10.6.0.10
address=/dorky.charles/10.6.0.1

To do this with commands:

$ docker exec -it e0dedd5f8129 /bin/bash
# echo "address=/bespin.charles/10.6.0.10" > /etc/dnsmasq.d/charles.conf
# echo "address=/dorky.charles/10.6.0.1" >> /etc/dnsmasq.d/charles.conf

Restart the container:

sudo systemctl restart pihole

Test that it works by doing a dig lookup of bespin.charles, specifying the pihole as the DNS server:

dig bespin.charles @127.53.0.1
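Added example (not from the page and not PiHole or dnsmasq code): the same charles.conf records managed by a small script instead of bare echo redirects, plus a lookup that answers a name the way dnsmasq's address= rule does. Two things the page does not spell out: address=/bespin.charles/10.6.0.10 also answers every name under bespin.charles (wiki.bespin.charles and so on), and when several entries match, the longest domain wins. The script also refuses malformed IPv4 addresses and duplicate names. Conf path and extra records in the demo are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the page: manage a dnsmasq address= file and
# resolve against it with dnsmasq's matching rule (suffix match, longest wins).
# Assumes IPv4 records only; the demo conf path is constructed.

valid_ipv4() {
    old_ifs=$IFS; IFS=.; set -f; set -- $1; set +f; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# add_local_record CONF NAME IP  -> appends "address=/NAME/IP"
# returns 1 on a bad name or address, 2 if NAME already has a record
add_local_record() {
    conf=$1 name=$2 ip=$3
    case $name in ''|.*|*.|*[!a-zA-Z0-9.-]*) echo "bad name: $name" >&2; return 1 ;; esac
    valid_ipv4 "$ip" || { echo "bad address: $ip" >&2; return 1; }
    if [ -f "$conf" ] && grep -qF "address=/$name/" "$conf"; then
        echo "already present: $name" >&2; return 2
    fi
    printf 'address=/%s/%s\n' "$name" "$ip" >> "$conf"
}

# dnsmasq_lookup CONF QNAME -> prints the address, or returns 1 when nothing matches
dnsmasq_lookup() {
    conf=$1
    qname=$(printf '%s' "$2" | tr 'A-Z' 'a-z')   # DNS names are case-insensitive
    best=""; bestlen=-1
    while IFS= read -r line; do
        case $line in address=/*/*) ;; *) continue ;; esac
        rest=${line#address=/}
        dom=${rest%%/*}
        addr=${rest#*/}
        # exact match, or QNAME ends with ".DOM" (covers subdomains)
        if [ "$qname" = "$dom" ] || [ "${qname%.$dom}" != "$qname" ]; then
            # most specific (longest) domain wins
            if [ ${#dom} -gt $bestlen ]; then best=$addr; bestlen=${#dom}; fi
        fi
    done < "$conf"
    [ -n "$best" ] && printf '%s\n' "$best"
}

if [ "${1:-}" = "--demo" ]; then
    conf=$(mktemp)
    add_local_record "$conf" bespin.charles 10.6.0.10
    add_local_record "$conf" dorky.charles 10.6.0.1
    cat "$conf"
    dnsmasq_lookup "$conf" wiki.bespin.charles
fi
```

After editing the real file, restart the container as above and confirm with dig against the pihole address; `dnsmasq_lookup` is only a way to predict what dnsmasq will answer, it does not replace that check.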

Bespin tinc connection to dorky

Ensure the tunnel is up by pinging the other side. From 10.6.0.10:

ping 10.6.0.1

and vice versa.

Bespin self-signed SSL cert

To create a self-signed certificate for bespin.charles:

Guide: https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-apache-in-ubuntu-20-04

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/selfsigned-cert.key -out /etc/ssl/certs/selfsigned-cert.crt

Breakdown:

  • using the openssl tool
  • x509: output a self-signed certificate directly, instead of a certificate signing request
  • nodes means skip passphrase protection (the key file is stored unencrypted)
  • days is number of days valid
  • 2048 bit RSA key
  • keyout is output file for key
  • out is output file for cert
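Added example (not from the page or the linked guide): the same openssl command run non-interactively, with a subjectAltName added, followed by checks worth running before the files go into the web server. Browsers match the hostname against the SAN, not the CN, so a certificate without one is rejected for https://bespin.charles even after it has been trusted. The checks confirm the hostname, that the cert is not expired, that the key really belongs to the cert, and that the self-signature verifies. File paths are constructed for the example; the page writes to /etc/ssl/private/selfsigned-cert.key and /etc/ssl/certs/selfsigned-cert.crt.

```shell
#!/bin/sh
# Added example, not from the page: self-signed cert with a SAN, plus checks.
# Assumes OpenSSL 1.1.1 or newer (for -addext). Demo paths are constructed.

# make_selfsigned HOST KEYFILE CERTFILE [DAYS]
make_selfsigned() {
    host=$1 key=$2 crt=$3 days=${4:-365}
    # -x509: write a self-signed certificate instead of a CSR
    # -nodes: private key stays unencrypted, so file permissions are its only protection
    openssl req -x509 -nodes -days "$days" -newkey rsa:2048 \
        -keyout "$key" -out "$crt" \
        -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host" 2>/dev/null || return 1
    chmod 600 "$key"
}

# check_selfsigned HOST KEYFILE CERTFILE -> 0 if the pair is usable for HOST
check_selfsigned() {
    host=$1 key=$2 crt=$3
    # hostname check uses the SAN (CN is only consulted when no SAN is present)
    openssl x509 -in "$crt" -noout -checkhost "$host" | grep -q 'does match' \
        || { echo "certificate is not valid for $host"; return 1; }
    # -checkend 0: fails if the cert has already expired
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null \
        || { echo "certificate expired"; return 1; }
    # the key must belong to the cert: compare RSA moduli
    kmod=$(openssl rsa -in "$key" -noout -modulus 2>/dev/null)
    cmod=$(openssl x509 -in "$crt" -noout -modulus)
    [ -n "$kmod" ] && [ "$kmod" = "$cmod" ] \
        || { echo "key does not match certificate"; return 1; }
    # self-signed: the cert is its own trust anchor
    openssl verify -CAfile "$crt" "$crt" >/dev/null 2>&1 \
        || { echo "self-signature does not verify"; return 1; }
}

if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_selfsigned bespin.charles "$d/bespin.key" "$d/bespin.crt" \
        && check_selfsigned bespin.charles "$d/bespin.key" "$d/bespin.crt" \
        && openssl x509 -in "$d/bespin.crt" -noout -subject -dates -ext subjectAltName
fi
```

Clients on the tinc side still have to trust this certificate explicitly (it has no CA behind it), so the `check_selfsigned` hostname check is the one that tells you whether importing it will actually silence the browser warning for bespin.charles.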

Now we are ready to set up the private wiki container.

Thing 1

stock image wpa supplicant

stock ubuntu rpi image, populated wpa supplicant

no response, no ip. checked the logs. it was trying to get an ip of 169.254.x.y???

disable dhcpcd

removed dhcpcd service

but now we won't get an ip on wlan0

to fix that, enable the rc.local service

call dhclient from the rc.local file

/etc/rc.local

#!/bin/sh
# dhcpcd is disabled, so request a lease on wlan0 here; the short sleep lets wlan0 come up first
sleep 3
dhclient wlan0
exit 0

enabled wpa supplicant in the network interfaces file (b/c dhcpcd disabled, we can use /etc/network/interfaces):

/etc/network/interfaces

source-directory /etc/network/interfaces.d

allow-hotplug wlan0
iface wlan0 inet dhcp
wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf

this worked. amazing.

MediaWiki fix

ran into a problem with the mediawiki container - the database was not being restored so it had no structure

had to add mw-config directory from mw tarball

also had to set up alias for /wiki/mw-config in apache config file

finally able to download the file (it was adding :8989 to end)

had to use bespin.cloud - https only via nginx, no cert for ip addr

Related

Tinc