XPUB HUB New Nodes: Difference between revisions

From XPUB & Lens-Based wiki

Revision as of 13:39, 25 May 2022

Adding a node to the XPUB HUB

New nodes (machines) can be added to the HUB Tinc network.

To add a node to the HUB, you will need to:

  • 0. Determine the IP address of the new thing (see below)
  • 1. Add the new thing (see below)
  • 2. Ask the user for a preferred username and a new ssh public key (see below)
  • 3. Add a new jump user on the XVM (see below)
  • 4. The jump user connects to their machine (see below)
Note: we will only add things that can only be ssh'ed via keys; no password logins, please.

Install Tinc

See the instructions on the Tinc page.


Add new tinc Node to HUB network (2022 -- no ssh keys or jump user)

Add yourself to the HUB list

Add your chosen Node name and IP to HUB#IP_allocation.

The last octet of student project IPs should have 3 digits; the last one allocated is Tisa's 10.0.1.112, so you can start from there.

Invite the new node to the HUB network (staff)

In the XVM (xpub server)

As root:

Create an invitation for the node, as described in HUB#Adding_a_new_thing:

tinc -n hub invite $NAMEOFNODE

This generates an invitation address, which you pass on to the person setting up the Pi.

Accept the Tinc invitation link

Back on the Pi

Use the invitation to join the network ($INVITE_ADDRES):

sudo tinc join $INVITE_ADDRES

Add the pi to the hub network under the chosen Node IP ($NODE.IP.ADDRS):

sudo tinc -n hub add subnet $NODE.IP.ADDRS

Edit the tinc-up file, /usr/local/etc/tinc/hub/tinc-up:

  • comment out the echo line
  • add the line ifconfig $INTERFACE $NODE.IP.ADDRS netmask 255.255.255.0
Note: $INTERFACE should remain as is (tincd sets it in the environment when it runs the script); $NODE.IP.ADDRS should be replaced with the Node IP
  
  • Example tinc-up file:
#!/bin/sh
# echo 'Unconfigured tinc-up script, please edit '$0'!'
ifconfig $INTERFACE 10.0.0.105 netmask 255.255.255.0

ifconfig

FOR DEBIAN: you may need to install ifconfig, which is in the net-tools package:

   apt install net-tools

Alternatively, use iproute2 (installed by default) in tinc-up instead of ifconfig: ip addr add $NODE.IP.ADDRS/24 dev $INTERFACE followed by ip link set $INTERFACE up.

Test if Tinc works

Start the tincd daemon in the foreground (-D) with debug level 3 (-d3), so you can see what it does:

sudo tincd -n hub -D -d3

In a new terminal window, ssh again to the pi and see if you can ping other tinc nodes:

ping 10.0.0.1

If so, Tinc is running :) yay

Run Tinc as a service

To do this, we will make a tincd service file.

According to tinc documentation...

Tinc ships with systemd service files that allow you to start and stop tinc using systemd. There are two service files:

  • tinc.service is used to globally enable or disable all tinc daemons managed by systemd
  • tinc@netname.service is used to enable or disable specific tinc daemons.

These are located in the source directory, in the sub-directory systemd/

However, these files seem to cause some issues, as mentioned on the tinc GitHub: issue 133, issue 168

Hence we'll use the ones below, which have worked fine so far.

/etc/systemd/system/tinc.service

# This is a mostly empty service, but allows commands like stop, start, reload
# to propagate to all tinc@ service instances.

[Unit]
Description=Tinc VPN
Documentation=info:tinc
Documentation=man:tinc(8) man:tinc.conf(5)
Documentation=http://tinc-vpn.org/docs/
After=network.target
Wants=network.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/local/sbin/true
ExecReload=/usr/local/sbin/true
WorkingDirectory=/usr/local/etc/tinc

[Install]
WantedBy=multi-user.target

/etc/systemd/system/tinc@hub.service

[Unit]
Description=Tinc net %i
Documentation=info:tinc
Documentation=man:tinc(8) man:tinc.conf(5)
Documentation=http://tinc-vpn.org/docs/
PartOf=tinc.service
ReloadPropagatedFrom=tinc.service

[Service]
Type=simple
WorkingDirectory=/usr/local/etc/tinc/%i
ExecStart=/usr/local/sbin/tincd -n %i -D
ExecReload=/usr/local/sbin/tincd -n %i -kHUP
TimeoutStopSec=5
Restart=always
RestartSec=60

[Install]
WantedBy=tinc.service

Note: on my system tinc was installed as /usr/local/bin/tinc and /usr/local/bin/tincd, and its configuration is in /usr/local/etc/tinc. But this is system specific. Ensure you know where these directories are on your system.
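Before enabling the two units, it is worth confirming that every executable they name exists, since they hardcode /usr/local/sbin/tincd and /usr/local/sbin/true; if tinc was installed elsewhere or there is no true under /usr/local/sbin, systemd fails the unit with status 203/EXEC. This check script is an added example, not part of the wiki page or of tinc; it assumes nothing beyond a POSIX shell, sed and awk.

```shell
#!/bin/sh
# Added example (not from the wiki page): list the executables referenced by
# the Exec*= lines of a systemd unit and report the ones that do not exist,
# so a wrong tincd or true path is caught before "systemctl enable".
# "command -v tincd" and "command -v true" tell you the paths to use instead.

# unit_exec_paths FILE: print the program path of every Exec*= line in FILE,
# one per line. Tolerates a stray space after "=" (as in the ExecReload line
# above) and systemd's optional "-", "@", "+", "!", ":" prefixes.
unit_exec_paths() {
    sed -n 's/^[[:space:]]*Exec[A-Za-z]*=[[:space:]]*[-@:+!]*//p' "$1" |
        awk '{ print $1 }'
}

# missing_unit_execs FILE: print each Exec*= program that is not an
# executable file on this system; return 0 if none is missing, 1 otherwise.
missing_unit_execs() {
    rc=0
    for p in $(unit_exec_paths "$1"); do
        if [ ! -x "$p" ]; then
            printf '%s\n' "$p"
            rc=1
        fi
    done
    return $rc
}

# Usage: sh check_units.sh /etc/systemd/system/tinc.service \
#                          /etc/systemd/system/tinc@hub.service
for unit in "$@"; do
    if missing_unit_execs "$unit" > /dev/null; then
        echo "$unit: all Exec paths present"
    else
        echo "$unit: missing executables:"
        missing_unit_execs "$unit"
    fi
done
```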

  • Enable
    • sudo systemctl enable tinc
    • sudo systemctl enable tinc@hub
  • Start sudo systemctl start tinc@hub
  • Check status sudo systemctl status tinc@hub

Note that because tinc@testvpn.service (tinc@hub.service here) requests tinc.service, we don't need to start that one separately, as it is started by tinc@hub.service.

If all is good, we can test by rebooting the system and checking that, after a while, tinc@hub is up. You can check that by pinging another node (ping 10.1.0.2) and checking the status of tinc@hub (sudo systemctl status tinc@hub).

Add new tinc Node to HUB network (with ssh key)

User & SSH key

In your Pi: create a user with the same username as in the sandbox. Keeping it the same as in the sandbox will make things easier for us and gnd.

Add your public ssh key (from your own computer) to your account on the Pi (the same username as mentioned), in ~/.ssh/authorized_keys. On some systems, there is a script (already installed) to do this, called ssh-copy-id:

ssh-copy-id username@local.pi.IP.addr

Otherwise, the following does the same (basically you are just appending the contents of your public key as a new line to the file authorized_keys on the Pi, creating ~/.ssh first if it does not exist yet):

cat ~/.ssh/id_rsa.pub | ssh username@local.pi.IP.addr "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"

Disable SSH to your Pi with password (allow ssh key only). Keep your current ssh session open until you have confirmed in a second terminal that key login works, so you don't lock yourself out. Steps:

  • ensure your laptop's ssh public key is in your Pi's ~/.ssh/authorized_keys:
cat ~/.ssh/authorized_keys
  • ensure you can log in to the Pi with the ssh key:
ssh username@pi.ip.add -i ~/.ssh/id_rsa
  • edit /etc/ssh/sshd_config:
sudo nano /etc/ssh/sshd_config
  • and uncomment the line:
#PasswordAuthentication no

to:

PasswordAuthentication no
  • reload ssh:
sudo systemctl reload ssh
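Uncommenting the line is not always enough: sshd keeps the first value it meets for a keyword, so a PasswordAuthentication yes earlier in the file, or one pulled in by the Include line at the top of a recent Debian sshd_config, wins over a no further down, and a value below a Match line applies only to that Match block. On the Pi itself, sudo sshd -T | grep -i passwordauthentication prints the effective setting; the script below, an added example that is not part of the wiki page, reproduces sshd's rule for a copy of the config so the pitfall can be seen on a constructed sample.

```shell
#!/bin/sh
# Added example (not from the wiki page): report the PasswordAuthentication
# value sshd will really apply, following sshd's own precedence rules
# (first value wins, Include expanded in place, Match blocks are not global).

# _first_password_auth FILE: print the first global PasswordAuthentication
# value in FILE (descending into Include globs in order) and return 0;
# return 1 when none is found.
_first_password_auth() {
    local in_match=0 line key pat f
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}              # drop comments ("#PasswordAuthentication no" too)
        set -f; set -- $line; set +f  # split into words without globbing
        [ $# -ge 1 ] || continue
        key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
        case "$key" in
            match)
                in_match=1 ;;         # everything below belongs to the Match block
            include)
                shift
                for pat in "$@"; do
                    for f in $pat; do # sshd expands Include arguments as globs
                        [ -f "$f" ] && _first_password_auth "$f" && return 0
                    done
                done ;;
            passwordauthentication)
                if [ "$in_match" -eq 0 ]; then
                    printf '%s\n' "$2" | tr 'A-Z' 'a-z'
                    return 0
                fi ;;
        esac
    done < "$1"
    return 1
}

# effective_password_auth FILE: "yes" or "no" as sshd applies it to ordinary
# logins; "yes" is sshd's built-in default when the keyword is never set.
effective_password_auth() {
    _first_password_auth "$1" || echo yes
}

# Constructed sample: a Debian-style sshd_config whose Include line pulls in a
# drop-in that re-enables passwords, silently undoing the edit further down.
demo() {
    dir=$(mktemp -d)
    mkdir -p "$dir/sshd_config.d"
    printf 'PasswordAuthentication yes\n' > "$dir/sshd_config.d/50-cloud-init.conf"
    printf 'Include %s/sshd_config.d/*.conf\n\n#PasswordAuthentication no\nPasswordAuthentication no\n' \
        "$dir" > "$dir/sshd_config"
    effective_password_auth "$dir/sshd_config"   # prints "yes": passwords still on
    rm -r "$dir"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as sh check_sshd.sh demo to see the constructed failure, or source it and call effective_password_auth on a copy of your own sshd_config.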

You end up with the following info:

username: nameoftheuser
Node IP: 10.0.0.???
Node name: nameofnode 
ssh public key:
ssh-ed25519 ... ... nameoftheuser@laptop

Then continue with the steps in the section above, from "Add yourself to the HUB list" through "Run Tinc as a service"; they are the same for this setup.

SSH to your node

Add a new entry to your laptop's ~/.ssh/config following this template:

Host hub.PI_NAME 
User yourname
Hostname  10.0.0.10?
ProxyJump yourname@xpub.nl:2501
Identityfile ~/.ssh/id_rsa
Serveraliveinterval 30

Note: run ls ~/.ssh to find the filename of your private ssh key to use for Identityfile.

Enable ssh jump to the RPi on the XVM (staff)

XPUB staff on the XVM: use the jumpuser script to enable the ssh jump to the RPi.

If the user's username and ssh public key are already in the XVM's /home/:

jumpuser add_ip username 10.0.0.XYZ

If not, also add the user with:

jumpuser create <USERNAME> <PI-INTERNAL_IP> <USER-PUBKEY> [COMMENT]

Log your changes with:

rtlg

Enable HTTP to tinc node (staff)

To make the https://hub.xpub.nl/NEWNODE URL work.

Note: The pi needs to run a webserver, otherwise there is nothing to see :).

XPUB staff on the XVM will need to, as root:

  • edit /etc/nginx/sites-available/hub.xpub.nl
  • add a new location to the hub.xpub.nl server block (location /nodename/ with a trailing slash is the more predictable form: it does not also match /nodenameX, and it maps /nodename/foo to /foo on the Pi):
        location /nodename {
                proxy_pass http://tinc.node.ip.addr/;
                client_max_body_size 200M;
        }
  • test the configuration
nginx -t
  • if all good restart nginx
systemctl restart nginx