XPUB HUB New Nodes
Latest revision as of 16:52, 25 September 2023
Adding a node to the XPUB HUB
New nodes (machines) can be added to the HUB Tinc network.
To add a node to the HUB, you will need to:
- 0. Determine IP address of a new server (see below)
- 1. Install Tinc and invite it to the XPUB hub (see below)
- 2. Enable HTTP to Tinc node
You can add the server to the HUB in two ways:
- without direct SSH access (SSH access possible through local network or by adding your computer to the HUB)
- with direct SSH access (user account on XVM needed)
Install Tinc
See instructions at Tinc page.
Add new tinc Node to HUB network (2022 -- no ssh keys or jump user)
Add yourself to the HUB list
Add your chosen Node name and IP to HUB#IP_allocation.
The last number of a student project IP should have 3 digits; the last one allocated is Tisa's 10.0.1.112, so you can start from there.
Invite the new node to the HUB network (staff)
In the XVM (xpub server)
As root:
Create an invitation for the node as described in HUB#Adding_a_new_thing:
tinc -n hub invite $NAMEOFNODE
This generates an invitation address.
Accept Tinc invitation link
Back on the Pi
Use the invitation to join the network ($INVITE_ADDRESS):
sudo tinc join $INVITE_ADDRESS
Add the Pi to the hub network under the chosen Node IP ($NODE.IP.ADDRS):
sudo tinc -n hub add subnet $NODE.IP.ADDRS
Edit the tinc-up file in /usr/local/etc/tinc/hub/tinc-up:
- comment out the echo line
- add the line
ifconfig $INTERFACE $NODE.IP.ADDRS netmask 255.255.255.0
Note: $INTERFACE should remain as is (tincd sets it when it runs the script); $NODE.IP.ADDRS should be replaced with the Node IP.
- Example tinc-up file:
#!/bin/sh
# echo 'Unconfigured tinc-up script, please edit '$0'!'
ifconfig $INTERFACE 10.0.0.105 netmask 255.255.255.0
ifconfig
FOR DEBIAN: you may need to install ifconfig, which is part of net-tools:
apt install net-tools
Test if Tinc works
Start the tincd daemon in the foreground with debug output:
sudo tincd -n hub -D -d3
In a new terminal window, ssh again to the pi and see if you can ping other tinc nodes:
ping 10.0.0.1
If the ping succeeds, Tinc is running :) yahh
Run Tinc as a service
To do this, we will make a tincd service file.
According to the tinc documentation...
Tinc ships with systemd service files that allow you to start and stop tinc using systemd. There are two service files:
- tinc.service is used to globally enable or disable all tinc daemons managed by systemd
- tinc@netname.service is used to enable or disable specific tinc daemons.
These are located in the source directory, in the sub-directory systemd/
However, these files seem to cause some issues, as mentioned on the tinc GitHub: issue 133, issue 168
Hence we'll use the ones below, which so far have worked fine.
/etc/systemd/system/tinc.service
# This is a mostly empty service, but allows commands like stop, start, reload
# to propagate to all tinc@ service instances.
[Unit]
Description=Tinc VPN
Documentation=info:tinc
Documentation=man:tinc(8) man:tinc.conf(5)
Documentation=http://tinc-vpn.org/docs/
After=network.target
Wants=network.target
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/local/sbin/true
ExecReload=/usr/local/sbin/true
WorkingDirectory=/usr/local/etc/tinc
[Install]
WantedBy=multi-user.target
/etc/systemd/system/tinc@.service
[Unit]
Description=Tinc net %i
Documentation=info:tinc
Documentation=man:tinc(8) man:tinc.conf(5)
Documentation=http://tinc-vpn.org/docs/
PartOf=tinc.service
ReloadPropagatedFrom=tinc.service
[Service]
Type=simple
WorkingDirectory=/usr/local/etc/tinc/%i
ExecStart=/usr/local/sbin/tincd -n %i -D
ExecReload=/usr/local/sbin/tincd -n %i -kHUP
TimeoutStopSec=5
Restart=always
RestartSec=60
[Install]
WantedBy=tinc.service
Note: on my system tinc was installed as /usr/local/bin/tinc and /usr/local/bin/tincd, and its configuration is in /usr/local/etc/tinc. But this is system specific. Ensure you know where these directories are on your system.
- Enable
sudo systemctl enable tinc
sudo systemctl enable tinc@hub
- Start
sudo systemctl start tinc@hub
- Check status
sudo systemctl status tinc@hub
Note that because tinc@testvpn.service (tinc@hub.service in our case) requests tinc.service, we don't need to start that one, as it is started by tinc@testvpn.service.
If all is good, we can test by rebooting the system and seeing that, after a while, tinc@testvpn (tinc@hub here) is up. You can check that by pinging another node (ping 10.1.0.2) and checking the status of tinc@hub: sudo systemctl status tinc@hub.
Add new tinc Node to HUB network (with ssh key)
User & SSH key
On your Pi: create a user with the same username as in the sandbox. Keeping it the same as in the sandbox will make things easier for us and gnd.
Add your public ssh key (from your own computer) to ~/.ssh/authorized_keys of that account on the Pi (the one just mentioned).
On some systems, there is a script (already installed) to do this, called ssh-copy-id:
ssh-copy-id username@local.pi.IP.addr
Otherwise, the following does the same (you are just adding the contents of your public key as a new line to the file authorized_keys on the Pi; the mkdir and chmod make sure the directory exists with permissions sshd accepts):
cat ~/.ssh/id_rsa.pub | ssh username@local.pi.IP.addr "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"
Disable SSH to your Pi with password (allow ssh key only), by:
- ensuring your laptop's ssh public key is in the Pi's ~/.ssh/authorized_keys:
cat ~/.ssh/authorized_keys
- ensuring you can log in to the Pi with the ssh key:
ssh username@pi.ip.add -i ~/.ssh/id_rsa
- editing /etc/ssh/sshd_config:
sudo nano /etc/ssh/sshd_config
- and uncommenting the line:
#PasswordAuthentication no
so that it reads:
PasswordAuthentication no
- reloading ssh:
sudo systemctl reload ssh
You end up with the following info:
username: nameoftheuser
Node IP: 10.0.0.???
Node name: nameofnode
ssh public key: ssh-ed25519 ... ... nameoftheuser@laptop
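An added check for the PasswordAuthentication step above (example code, not from the wiki): sshd keeps the first value it reads for each keyword and expands Include lines in place, so on Debian-based images whose sshd_config starts with an Include of sshd_config.d/*.conf, a drop-in there can quietly override the edit made further down. The script resolves the setting the way sshd does over a constructed in-memory file tree; the drop-in name 50-cloud-init.conf is an assumption.

```python
"""Resolve PasswordAuthentication the way sshd does (first value wins, Include
expanded in place), so a drop-in under sshd_config.d cannot silently undo the
'PasswordAuthentication no' edit. Files are an in-memory dict (constructed)."""
import fnmatch


def _directives(files, path, seen=None):
    """Yield (path, lineno, keyword, value) in the order sshd reads them."""
    seen = set() if seen is None else seen
    if path in seen or path not in files:
        return
    seen.add(path)
    for lineno, raw in enumerate(files[path].splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        parts = line.split(None, 1)
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "include":  # expand each glob, sorted like sshd does
            for pattern in value.split():
                for inc in sorted(p for p in files if fnmatch.fnmatch(p, pattern)):
                    yield from _directives(files, inc, seen)
        else:
            yield path, lineno, key, value


def effective_password_auth(files, root="/etc/ssh/sshd_config"):
    """Return (global value, 'path:line' that set it, list of Match-scoped
    settings). Simplification: everything after a Match line is conditional
    and is reported for manual review rather than resolved."""
    winner, source, overrides, in_match = None, "default", [], False
    for path, lineno, key, value in _directives(files, root):
        if key == "match":
            in_match = True
        elif key == "passwordauthentication":
            if in_match:
                overrides.append(f"{path}:{lineno} {value.lower()}")
            elif winner is None:
                winner, source = value.lower(), f"{path}:{lineno}"
    return winner or "yes", source, overrides  # sshd's built-in default is yes


# Constructed sample: the wiki edit is in the main file, but an (assumed)
# cloud-init style drop-in included at the top of the file wins.
SAMPLE = {
    "/etc/ssh/sshd_config": "Include /etc/ssh/sshd_config.d/*.conf\nPort 22\n"
    "PasswordAuthentication no\nMatch User deploy\n    PasswordAuthentication yes\n",
    "/etc/ssh/sshd_config.d/50-cloud-init.conf": "PasswordAuthentication yes\n",
}
```

On the Pi itself the authoritative check is sudo sshd -T | grep -i passwordauthentication, which prints the value sshd actually uses.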
Add yourself to the HUB list
Add your chosen Node name and IP to HUB#IP_allocation.
The last number of a student project IP should have 3 digits; the last one allocated is Tisa's 10.0.1.112, so you can start from there.
Invite the new node to the HUB network (staff)
In the XVM (xpub server)
As root:
Create an invitation for the node as described in HUB#Adding_a_new_thing:
tinc -n hub invite $NAMEOFNODE
This generates an invitation address.
Accept Tinc invitation link
Back on the Pi
Use the invitation to join the network ($INVITE_ADDRESS):
sudo tinc join $INVITE_ADDRESS
Add the Pi to the hub network under the chosen Node IP ($NODE.IP.ADDRS):
sudo tinc -n hub add subnet $NODE.IP.ADDRS
Edit the tinc-up file in /usr/local/etc/tinc/hub/tinc-up:
- comment out the echo line
- add the line
ifconfig $INTERFACE $NODE.IP.ADDRS netmask 255.255.255.0
Note: $INTERFACE should remain as is (tincd sets it when it runs the script); $NODE.IP.ADDRS should be replaced with the Node IP.
- Example tinc-up file:
#!/bin/sh
# echo 'Unconfigured tinc-up script, please edit '$0'!'
ifconfig $INTERFACE 10.0.0.105 netmask 255.255.255.0
ifconfig
FOR DEBIAN: you may need to install ifconfig, which is part of net-tools:
apt install net-tools
Test if Tinc works
Start the tincd daemon in the foreground with debug output:
sudo tincd -n hub -D -d3
In a new terminal window, ssh again to the pi and see if you can ping other tinc nodes:
ping 10.0.0.1
If the ping succeeds, Tinc is running :) yahh
Run Tinc as a service
To do this, we will make a tincd service file.
According to the tinc documentation...
Tinc ships with systemd service files that allow you to start and stop tinc using systemd. There are two service files:
- tinc.service is used to globally enable or disable all tinc daemons managed by systemd
- tinc@netname.service is used to enable or disable specific tinc daemons.
These are located in the source directory, in the sub-directory systemd/
However, these files seem to cause some issues, as mentioned on the tinc GitHub: issue 133, issue 168
Hence we'll use the ones below, which so far have worked fine.
/etc/systemd/system/tinc.service
# This is a mostly empty service, but allows commands like stop, start, reload
# to propagate to all tinc@ service instances.
[Unit]
Description=Tinc VPN
Documentation=info:tinc
Documentation=man:tinc(8) man:tinc.conf(5)
Documentation=http://tinc-vpn.org/docs/
After=network.target
Wants=network.target
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/local/sbin/true
ExecReload=/usr/local/sbin/true
WorkingDirectory=/usr/local/etc/tinc
[Install]
WantedBy=multi-user.target
/etc/systemd/system/tinc@hub.service
[Unit]
Description=Tinc net %i
Documentation=info:tinc
Documentation=man:tinc(8) man:tinc.conf(5)
Documentation=http://tinc-vpn.org/docs/
PartOf=tinc.service
ReloadPropagatedFrom=tinc.service
[Service]
Type=simple
WorkingDirectory=/usr/local/etc/tinc/%i
ExecStart=/usr/local/sbin/tincd -n %i -D
ExecReload=/usr/local/sbin/tincd -n %i -kHUP
TimeoutStopSec=5
Restart=always
RestartSec=60
[Install]
WantedBy=tinc.service
Note: on my system tinc was installed as /usr/local/bin/tinc and /usr/local/bin/tincd, and its configuration is in /usr/local/etc/tinc. But this is system specific. Ensure you know where these directories are on your system.
- Enable
sudo systemctl enable tinc
sudo systemctl enable tinc@hub
- Start
sudo systemctl start tinc@hub
- Check status
sudo systemctl status tinc@hub
Note that because tinc@testvpn.service (tinc@hub.service in our case) requests tinc.service, we don't need to start that one, as it is started by tinc@testvpn.service.
If all is good, we can test by rebooting the system and seeing that, after a while, tinc@testvpn (tinc@hub here) is up. You can check that by pinging another node (ping 10.1.0.2) and checking the status of tinc@hub: sudo systemctl status tinc@hub.
SSH to your node
Add a new entry to your laptop's ~/.ssh/config by following this template:
Host hub.PI_NAME
    User yourname
    Hostname 10.0.0.10?
    ProxyJump yourname@xpub.nl:2501
    IdentityFile ~/.ssh/id_rsa
    ServerAliveInterval 30
Note: run ls ~/.ssh to find the filename for the IdentityFile (your private ssh key).
Enable ssh jump to the RPI on XVM (staff)
XPUB staff on XVM: use the jumpuser script to enable the ssh jump to the RPI.
If the user's username and ssh public key are already in XVM's /home/:
jumpuser add_ip username 10.0.0.XYZ
If not, also add the user with:
jumpuser create <USERNAME> <PI-INTERNAL_IP> <USER-PUBKEY> [COMMENT]
Log your changes with:
rtlg
Enable HTTP to tinc node (staff)
To make the https://hub.xpub.nl/NEWNODE url work.
Note: the Pi needs to run a webserver, otherwise there is nothing to see :).
XPUB staff on XVM will need to, as root:
- edit /etc/nginx/sites-available/hub.xpub.nl
- add to it a new location in the hub.xpub.nl server block (the trailing slash on proxy_pass strips the /nodename prefix before the request reaches the Pi):
location /nodename {
    proxy_pass http://tinc.node.ip.addr/;
    client_max_body_size 200M;
}
- test the configuration:
nginx -t
- if all good, restart nginx:
systemctl restart nginx
- visit url https://hub.xpub.nl/nodename