Difference between revisions of "Info about back-tunnel here"

From Anarchaserver
 
Latest revision as of 17:28, 22 February 2020

S14 tunnel: https://e2h.totalism.org/e2h.php?_=X-s14-net

local / S14 machine:

    ssh tunnel@10.94.185.76 sudo openvpn --config /home/tunnel/client.conf

HOW TO START OPENVPN ON REBOOT?

https://www.smarthomebeginner.com/configure-openvpn-to-autostart-linux/

Edit /etc/default/openvpn and remove the '#' in front of AUTOSTART="all" so that OpenVPN is allowed to start the .conf files.

    sudo systemctl enable openvpn-client@.service
    sudo systemctl daemon-reload
    sudo systemctl restart openvpn-client@anarcha.service

Test the client config in the foreground:

    sudo openvpn --config <client-name>.ovpn

The output should end with:

    Initialization Sequence Completed

Run client openvpn as a daemon in the background (see `man openvpn` for more options):

    sudo openvpn --config <client-name>.ovpn --daemon

To stop the daemon, find the daemon process:

    pgrep -lf openvpn

then kill the process:

    sudo kill <process number>

Run client openvpn in the foreground for troubleshooting the tunnel:

    sudo openvpn --config <client-name>.ovpn

If the verbosity in the client conf file is set to 4, then stdout of the above command should end with:

    Initialization Sequence Completed

Run client openvpn via the systemd unit file: copy your client conf file to the /etc/openvpn/client/ directory.

In this way you can stop, start and check the status of the VPN with the systemctl command, e.g. if your client file is called myvpn.conf, then the command goes:

    sudo systemctl start|stop|status openvpn-client@anarcha.service

(All system unit files are in /lib/systemd/system/)

Explanation: the system unit script is /lib/systemd/system/openvpn-client@.service; whatever name you put between openvpn-client@ and .service is passed inside this unit file, which changes dir to /etc/openvpn/client and executes openvpn --config <name>.conf.

Run server openvpn via the systemd unit file:

    sudo systemctl start|stop|status openvpn@server.service

Check the tunnel is up:

    sudo ifconfig
    ip addr show dev tun0

tun0 should appear.

Ping from your pi the server's tun0 IP 10.8.0.1:

    ping 10.8.0.1
    traceroute 10.8.0.1

From your pi run ifconfig and find your tun0 IP, let's say it's 10.8.0.10.

Ping from the anarchaserver your pi_tunnel_ip.

SSH to the tunnel pi from anarchaserver (2 ways):

1. Edit /root/.ssh/config and update the Hostname IP to match the one of the pi's tun0 (once the pi gets a DNS name or a static IP we won't have to edit this config file), then do:

    ssh tunnel-pi

2. OR do:

    ssh tunnel@10.8.0.10
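The "check tunnel is up" step above can be scripted. The block below is an added example, not part of the wiki page: it parses `ip -o addr show dev tun0` output, extracts the tunnel IPv4 address and checks that it lies in the 10.8.0.0/24 subnet the page uses (server 10.8.0.1, clients 10.8.0.x). The SAMPLE_* strings are constructed stand-ins for real `ip` output so the functions can be exercised on any machine; `live_tunnel_state` feeds the real interface to the same parser on the pi.

```shell
#!/bin/sh
# Added example (not from the Anarchaserver wiki): script the tunnel check.
# SAMPLE_* are CONSTRUCTED copies of `ip -o addr show dev tun0` output.
SAMPLE_UP='6: tun0    inet 10.8.0.10/24 brd 10.8.0.255 scope global tun0\       valid_lft forever preferred_lft forever'
SAMPLE_PEER='6: tun0    inet 10.8.0.6 peer 10.8.0.5/32 scope global tun0\       valid_lft forever preferred_lft forever'
SAMPLE_DOWN=''   # `ip addr show dev tun0` prints nothing (and fails) when tun0 is absent

# Print the first IPv4 address in one-line `ip -o addr` output (stdin); fail if none.
tun_addr_from_output() {
    awk '$3 == "inet" { sub(/\/.*/, "", $4); print $4; found = 1; exit }
         END { if (!found) exit 1 }'
}

# Succeed only if the address is inside the VPN subnet 10.8.0.0/24.
in_vpn_subnet() {
    case "$1" in
        10.8.0.*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Classify a given `ip -o addr show dev tun0` text.
# Prints "up <addr>" (exit 0), "up-but-wrong-subnet <addr>" (exit 2) or "down" (exit 1).
tunnel_state() {
    addr=$(printf '%s\n' "$1" | tun_addr_from_output) || { echo down; return 1; }
    if in_vpn_subnet "$addr"; then
        echo "up $addr"
    else
        echo "up-but-wrong-subnet $addr"
        return 2
    fi
}

# Live check, only meaningful on the pi: same parser over the real interface.
live_tunnel_state() {
    tunnel_state "$(ip -o addr show dev tun0 2>/dev/null)"
}

tunnel_state "$SAMPLE_UP"      # up 10.8.0.10
tunnel_state "$SAMPLE_PEER"    # up 10.8.0.6
tunnel_state "$SAMPLE_DOWN"    # down
```

A client that comes up with an address outside 10.8.0.0/24 is reported separately, since that usually means the wrong config file (or a different server) was used rather than a tunnel failure.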

copy files

MOUNT HARD DRIVE

    tunnel@<pi_tunnel_ip>:/mnt/S14-backup
    tunnel@<pi_tunnel_ip>:/mnt/meme_bak

STORAGE: Mount disks

NAS (http://water.local:5000/):

    sudo mount.cifs -o user=tunnel,password=*****,uid=1001,rw,vers=2.0 //10.94.185.9/web/anarcha /mnt/S14-backup

DISK:

    sudo mount /dev/sda1 /mnt/meme_bak

HOW TO DO THAT ON STARTUP? Add the above mounts to /etc/fstab (double check online tips) to tell where the storage device will be automatically mounted when the Raspberry Pi starts up: https://www.raspberrypi.org/documentation/configuration/external-storage.md

REF:

   https://confluence.jaytaala.com/display/TKB/Mount+drive+in+linux+and+set+auto-mount+at+boot
   https://kwilson.io/blog/force-your-raspberry-pi-to-mount-an-external-usb-drive-every-time-it-starts-up/
   https://raspberrypi.stackexchange.com/questions/46171/how-do-i-mount-my-nas

DISK

In the fstab file, the disk partition is identified by its universally unique identifier (UUID); find it with:

    sudo blkid

ADD to /etc/fstab:

    UUID=a164f220-cc96-450f-aa4a-27849ed21d44 /mnt/meme_bak ext4 defaults,auto,users,rw,nofail 0 0

mount cloud NAS

ADD to /etc/fstab:

    //10.94.185.9/web/anarcha /mnt/S14-backup cifs user=tunnel,password=****,uid=1001,rw,iocharset=utf8,vers=2.0 0 0
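The two fstab entries above can be generated and checked before rebooting. The block below is an added example, not part of the wiki page or the Pi's real configuration. It differs from the page's NAS line on purpose: /etc/fstab is world-readable, so a `password=` there is visible to every local user; the example uses mount.cifs's documented `credentials=<file>` option, reading username and password from a root-only (0600) file instead, and adds `nofail,_netdev` so an unreachable NAS does not hang boot. The temp directory, the credentials file name and the password are constructed for the demo; the share, mount points and UUID are the ones on the page.

```shell
#!/bin/sh
# Added example (not from the Anarchaserver wiki): build and sanity-check the fstab
# entries. Paths and password are CONSTRUCTED; a temp dir stands in for /root.

# Write a mount.cifs credentials file (username=/password= lines) with mode 0600.
# Args: file user password
write_cifs_credentials() {
    ( umask 077 && printf 'username=%s\npassword=%s\n' "$2" "$3" > "$1" ) || return 1
    chmod 600 "$1"
}

# fstab line for the CIFS share, with the credentials file instead of password=.
# Args: share mountpoint credentials_file uid
cifs_fstab_line() {
    printf '%s %s cifs credentials=%s,uid=%s,rw,iocharset=utf8,vers=2.0,nofail,_netdev 0 0\n' \
        "$1" "$2" "$3" "$4"
}

# fstab line for the USB disk, identified by UUID as on the page. Args: uuid mountpoint
uuid_fstab_line() {
    printf 'UUID=%s %s ext4 defaults,auto,users,rw,nofail 0 0\n' "$1" "$2"
}

# Every UUID= entry in the fstab text must appear in `sudo blkid` output, otherwise
# that entry will never mount. Args: fstab_text blkid_text.
# Returns 1 and names the missing UUIDs on stderr if any are absent.
check_uuids_present() {
    missing=0
    for u in $(printf '%s\n' "$1" | awk '$1 ~ /^UUID=/ { sub(/^UUID=/, "", $1); print $1 }'); do
        case "$2" in
            *"UUID=\"$u\""*) ;;
            *) echo "fstab UUID not found by blkid: $u" >&2; missing=1 ;;
        esac
    done
    return $missing
}

# --- demo with constructed data ---
DEMO_DIR=$(mktemp -d)
CRED_FILE="$DEMO_DIR/smbcredentials"     # on the pi this would be something like /root/.smbcredentials
write_cifs_credentials "$CRED_FILE" tunnel 'demo-password-not-real'

NAS_LINE=$(cifs_fstab_line //10.94.185.9/web/anarcha /mnt/S14-backup "$CRED_FILE" 1001)
DISK_LINE=$(uuid_fstab_line a164f220-cc96-450f-aa4a-27849ed21d44 /mnt/meme_bak)

# CONSTRUCTED `blkid` output for the Pi's USB disk
SAMPLE_BLKID='/dev/sda1: UUID="a164f220-cc96-450f-aa4a-27849ed21d44" TYPE="ext4" PARTUUID="0a1b2c3d-01"'

printf '%s\n%s\n' "$DISK_LINE" "$NAS_LINE"
check_uuids_present "$DISK_LINE" "$SAMPLE_BLKID" && echo "all fstab UUIDs present"
```

On the pi, run `sudo blkid` and pass its real output to `check_uuids_present` with the candidate fstab lines before appending them; a typo in the UUID only shows up at the next boot otherwise, and without `nofail` it stops the boot.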


Next challenge: HOW TO REACH NAS water from the browser when the tunnel is UP

1. Need to mount NAS water on startup by adding the mount command also in /etc/fstab.
2. Register a domain name for the pi and either request from your internet provider a fixed IP or run a script on the pi to update the DNS service regularly with its dynamic public IP (mara has done the latter with her pi).
3. Install samba server on the pi, or apache2, or nginx, to serve the content of the mounted disks.
4. Edit /etc/openvpn/server.conf to push traffic to the pi IP subnet (lines 134-140).
5. The user's device which wants to reach the pi or NAS via the browser needs also to install openvpn and a client certificate.

FIND tunnel pi IP when outside the house

You need to know the CN in your certificate. Look up the line starting with Subject: located in the .cert file, or in the client conf if all keys and certs are bundled within. E.g.:

    Subject: C=SP, ST=Catalunya, L=Barcelona, O=AnarchaServer, OU=AnarchaServer, CN=FutureVintage/name=EasyRSA/emailAddress=anarchaserver@autistiche.org

SSH to anarcha, and do:

    tail /var/log/openvpn.log

Search for the CN name, in our example FutureVintage, and check the IP. In our example in openvpn.log it looks like:

   Fri Feb  7 21:14:57 2020 us=535934 MULTI: Learn: 10.8.0.10 -> FutureVintage/5.135.58.235:50855
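The lookup above can be done with awk instead of reading the log by eye. The block below is an added example, not part of the wiki page: it keys on the `MULTI: Learn: <tunnel-ip> -> <CN>/<public-ip>:<port>` lines OpenVPN writes when it first sees traffic from a client, and returns the newest tunnel IP for a given CN (a reconnecting client may get a different address, so the last line wins). SAMPLE_LOG is constructed data in that format with documentation addresses, not real peers; on anarcha the input would be /var/log/openvpn.log.

```shell
#!/bin/sh
# Added example (not from the Anarchaserver wiki): find a client's tunnel IP by CN.
# SAMPLE_LOG is CONSTRUCTED in the format of the "MULTI: Learn:" line on the page.
SAMPLE_LOG='Fri Feb  7 20:01:03 2020 us=100000 MULTI: Learn: 10.8.0.6 -> OtherClient/198.51.100.7:41000
Fri Feb  7 21:14:57 2020 us=535934 MULTI: Learn: 10.8.0.10 -> FutureVintage/198.51.100.23:50855
Fri Feb  7 21:20:10 2020 us=200000 MULTI: Learn: 10.8.0.10 -> FutureVintage/198.51.100.23:50900
Fri Feb  7 21:21:00 2020 us=300000 TLS: Initial packet from [AF_INET]198.51.100.40:1194'

# Print the tunnel IP most recently learned for a CN (log text on stdin).
# Args: CN. Exits 1 if the CN never appears in the log.
vpn_ip_for_cn() {
    awk -v cn="$1" '
        /MULTI: Learn:/ {
            # $NF is "CN/public-ip:port", $(NF-2) is the tunnel IP
            split($NF, parts, "/")
            if (parts[1] == cn) ip = $(NF-2)   # later lines overwrite: newest wins
        }
        END { if (ip == "") exit 1; print ip }'
}

# List every client seen, one "CN tunnel-ip" pair per line (newest address per CN),
# sorted by CN. Log text on stdin.
clients_seen() {
    awk '/MULTI: Learn:/ {
            split($NF, parts, "/")
            seen[parts[1]] = $(NF-2)
         }
         END { for (cn in seen) print cn, seen[cn] }' | sort
}

# On anarcha (as root, after sourcing this file):
#   vpn_ip_for_cn FutureVintage < /var/log/openvpn.log
printf '%s\n' "$SAMPLE_LOG" | vpn_ip_for_cn FutureVintage    # 10.8.0.10
printf '%s\n' "$SAMPLE_LOG" | clients_seen
```

`clients_seen` is the same parse over the whole log, which is a quick way to notice a CN connecting that should not be (a certificate that was meant to be revoked, for instance).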

LATER

Add local subnet to vpn:

    https://openvpn.net/community-resources/how-to/#pki
    https://community.openvpn.net/openvpn/wiki/FAQ
    https://forums.openvpn.net/viewtopic.php?t=14358
    https://openvpn.net/archive/openvpn-users/2007-09/msg00094.html

Enable two-way traffic client-server: Reach OpenVPN clients directly from a private network

    https://openvpn.net/vpn-server-resources/reach-openvpn-clients-directly-from-a-private-network/

diagram: https://e2h.totalism.org/e2h.php?_=X-s14-net