Tinc: Difference between revisions
Andre Castro (talk | contribs) No edit summary |
Andre Castro (talk | contribs) |
||
Line 200: | Line 200: | ||
Serveraliveinterval 30 | Serveraliveinterval 30 | ||
</pre> | </pre> | ||
Note: ls ~/.ssh to know what is filename for the Identityfile(private ssh key) | Note: ls ~/.ssh to know what is filename for the Identityfile(private ssh key) | ||
===enable to ssh jump to RPI on XVM== | |||
XPUB Staff: | |||
use <code>jumpuser</code> script to enable to ssh jump to RPI | |||
If user's username and its ssh publickey is XVM's /home/ | |||
jumpuser add_ip username 10.0.0.XYZ | |||
If not, also add the user with | |||
jumpuser create <USERNAME> <PI-INTERNAL_IP> <USER-PUBKEY> [COMMENT] | |||
log you changes with: | |||
rtlg | |||
==Enable HTTP to tinc node== | ==Enable HTTP to tinc node== |
Revision as of 13:03, 10 July 2020
tinc is a Virtual Private Network (VPN) daemon that uses tunnelling and encryption to create a secure private network between hosts on the Internet.
And is used in XPUB to create the HUB VPN - aelectronic learning enviroment, server playground, web publishing platform, consisting of local machines (mainly raspberry pis) that sit behind firewalls, but through tinc are accessible from outside the firewall.
Install tinc Client
On RaspberryPi / machine that will be joining HUB
Install dependencies
sudo apt install build-essential automake libssl-dev liblzo2-dev libbz2-dev zlib1g-dev libncurses5-dev libreadline-dev
Compile Tinc 1.1pre :
cd ~
wget https://www.tinc-vpn.org/packages/tinc-1.1pre17.tar.gz
tar xvf tinc-1.1pre17.tar.gz
cd tinc-1.1pre17
./configure
make
sudo make install
Once installed create configuration dir:
sudo mkdir -p /usr/local/etc/tinc/
And tinc is installed in
/usr/local/sbin/tinc
Add new tinc Node to HUB network
In the Pi
In your Pi's create a user with same username as in the sandbox. Keeping it the same as in the sandbox - will make things easier for us and gnd
Add your public ssh key to your username in the Pi (same as mentioned) to ~/.ssh/authorized_keys There is a trick to do this with
cat ~/.ssh/id_rsa.pub | ssh local.pi.IP.addr "cat >> ~/.ssh/authorized_keys"
Install Tinc on the Pis Instructions can be found here Tinc, until the creation creation of the configuration dir:
sudo mkdir -p /usr/local/etc/tinc/
- Add your chosen Node name and IP to HUB#IP_allocation
- Student project IPs last number should have 3 digits, last one is Simon's 10.0.1.103, so you can start from there
Disable ssh to your pi with password (allow ssh key only), by:
- ensuring you laptops ssh public key is in your pi ~/.ssh/authorized_keys:
cat ~/.ssh/authorized_keys
- ensuring you can login to the Pi with ssh key:
ssh username@pi.ip.add -i ~/.ssh/id_rsa
- edit /etc/ssh/sshd_config:
sudo nano /etc/ssh/sshd_config
- and uncomment the line:
#PasswordAuthentication no
to:
PasswordAuthentication no
- reload ssh:
sudo systemctl reload ssh
You up with the following info:
username: nameoftheuser Node IP: 10.0.0.??? Node name: nameofnode ssh public key: ssh-ed25519 ... ... nameoftheuser@laptop
Staff: In the XVM (xpub server)
As root:
create an invitation node the node as described in HUB#Adding_a_new_thing
tinc -n hub invite $NAMEOFNODE
Which will generate an invitation address
Back In the Pi
User invitation to join the network ($INVITE_ADDRES)
sudo tinc join $INVITE_ADDRES
Add the pi to the hub network under the chosen Node IP ($NODE.IP.ADDRS):
sudo tinc -n hub add subnet $NODE.IP.ADDRS
edit the tinc-up file in /usr/local/etc/tinc/hub/tinc-up: commenting the echo line and adding the line:
- Note: $INTERFACE should remain as is; $NODE.IP.ADDRS should be replace with the Node IP
ifconfig $INTERFACE $NODE.IP.ADDRS netmask 255.255.255.0
- Example tinc-up file:
#!/bin/sh
# echo 'Unconfigured tinc-up script, please edit '$0'!'
ifconfig $INTERFACE 10.0.0.105 netmask 255.255.255.0
Start tincd daemon:
tincd -n hub -D -d3
In new window, ssh again to the pi and see if you can ping other tinc nodes:
ping 10.0.0.1
If so Tinc is running :) yahh
tincd service file
According to tinc documentation
Tinc ships with systemd service files that allow you to start and stop tinc using systemd. There are two service files:
- tinc.service is used to globally enable or disable all tinc daemons managed by systemd
- tinc@netname.service is used to enable or disable specific tinc daemons.
These are located in the source directory, in the sub-directory systemd/
However this files, seem to give some issues, as metioned in the tinc github: issue 133, issue 168
Hence we'll us the ones bellow that so far have worked fine.
/etc/systemd/system/tinc.service
# This is a mostly empty service, but allows commands like stop, start, reload # to propagate to all tinc@ service instances. [Unit] Description=Tinc VPN Documentation=info:tinc Documentation=man:tinc(8) man:tinc.conf(5) Documentation=http://tinc-vpn.org/docs/ After=network.target Wants=network.target [Service] Type=oneshot RemainAfterExit=yes ExecStart=/usr/local/sbin/true ExecReload= /usr/local/sbin/true WorkingDirectory=/usr/local/etc/tinc [Install] WantedBy=multi-user.target
/etc/systemd/system/tinc@hub.service
[Unit] Description=Tinc net %i Documentation=info:tinc Documentation=man:tinc(8) man:tinc.conf(5) Documentation=http://tinc-vpn.org/docs/ PartOf=tinc.service ReloadPropagatedFrom=tinc.service [Service] Type=simple WorkingDirectory=/usr/local/etc/tinc/%i ExecStart=/usr/local/sbin/tincd -n %i -D ExecReload=/usr/local/sbin/tincd -n %i -kHUP TimeoutStopSec=5 Restart=always RestartSec=60 [Install] WantedBy=tinc.service
Note: in my system tinc was installed inside /usr/local/bin/tinc, /usr/local/bin/tincd and its configuration is in /usr/local/etc/tinc. But this is system specific. Ensure you know where these directories are in your system.
- Enable
sudo systemctl enable tinc
sudo systemctl enable tinc@hub
- Start
sudo systemctl start tinc@hub
- Check status
sudo systemctl status tinc@hub
Note that because tinc@testvpn.service
requests tinc.service we don’t need to start that one, as it is started by tinc@testvpn.service
If all is good. We can test by rebooting the system and seeing that if after a while tinc@testvpn is up. You can check that by keeping starting a by pinging the ping 10.1.0.2
and checking the status of tinc@hubsudo systemctl status tinc@hub
Enable SSH to tinc node
Add a new entry to your laptop ~/.ssh/config by following this template
Host hub.PI_NAME User yourname Hostname 10.0.0.10? ProxyJump yourname@xpub.nl:2501 Identityfile ~/.ssh/id_rsa Serveraliveinterval 30
Note: ls ~/.ssh to know what is filename for the Identityfile(private ssh key)
=enable to ssh jump to RPI on XVM
XPUB Staff:
use jumpuser
script to enable to ssh jump to RPI
If user's username and its ssh publickey is XVM's /home/
jumpuser add_ip username 10.0.0.XYZ
If not, also add the user with
jumpuser create <USERNAME> <PI-INTERNAL_IP> <USER-PUBKEY> [COMMENT]
log you changes with:
rtlg
Enable HTTP to tinc node
- The pi needs to be running a webserver
XPUB Staff on XVM will need to as root:
- edit /etc/nginx/sites-available/hub.xpub.nl
- adding to it a new location to the hub.xpub.nl server block
location /nodename { proxy_pass http://tinc.node.ip.addr/; client_max_body_size 200M; }* test the configuration nginx -t * if all good restart nginx systemctl restart nginx * visit url https://hub.xpub.nl/nodename