User Tools

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
sailing:networksetup [2023/11/30 15:45] – [The Remote Access] willysailing:networksetup [2024/02/22 08:44] (current) – removed willy
Line 1: Line 1:
-Prev to: [[sailing:storagesetup|Storage Setup]] 
  
-Next to: [[sailing:organizers|The *Arr's setup]] 
----- 
- 
-==== Networking Setup ==== 
- 
-The network configuration is divided into two different parts: the home network and the remote access. The most complex part is being capable to remotely login to your home network because that requires the capability to actually reach your home network from outside some how. Back in the good days when you connected to the internet you where granted a public IP address that you could use to access your home network from outside. After some time, Internet Service Providers (ISPs) started giving you, more and more frequently, only a //private// ip address due to the well known scarcity of IPv4 address pool. This is much more common outside the U.S.A. and mostly common outside the western world. With mobile connections nowadays becoming quite common for the home connections (it's much cheaper to place a few 5G towers than to cable fiber everywhere) things are even worse than than. Luckily, at the same time, renting a VPS or a dedicated server with a public IP address is getting cheaper and easier. So there are always hopes for you. 
- 
-==== The Home Network ==== 
-Home networks are usually flat. This means you have no VLANs or managed Layer3 switches at home. You might have a //guest// network in addition to your main network (for the more advanced or privacy concerned of you) but that doesn't change the gist of it. Your server will be sitting connected to your home network and it will be reachable by all your devices (smart TVs, phones, tablets and PCs). 
- 
-I will assume your home network is on **192.168.0.0/255**, and i will make the follow assumptions: 
-  * You **should** have a [[https://pi-hole.net/|Pi Hole]] on your network, but it's not mandatory. 
-  * You are connected to the internet using a router provided by your ISP at 192.168.0.254 
-  * Your server will have a static IP address set up as 192.168.0.1 
-  * The rest of your devices are on DHCP 
- 
-Why static IP for your server? So that you can always reach it and you can easily set it's address to your devices without resorting to weird DNS setups or modifying your ISP (or Pi Hole) provided DHCP settings.  
- 
-You should have already configured your network during the Gentoo installation, but in case you didn't, you should do it now. There are many ways to do so with Gentoo: you can go fully manual or use NetworkManager, for example. Please refer to the great [[https://wiki.gentoo.org/wiki/Handbook:AMD64/Full/Networking|Gentoo Full Networking Handbook page]] for more details. 
- 
-I strongly suggest you use some better DNS settings than your own provider, since in many countries torrent sites and such might be filtered by laws. Edit your **/etc/resolv.conf**: 
-<code> 
-nameserver 8.8.8.8 
-nameserver 8.8.8.4 
-</code> 
- 
-(Note: be aware that if you use NetworkManager you need to set DNS within it's interface. The resolv.conf file will be overwritten) 
- 
-to use Google's own DNS. No i don't like Google in particular, but their DNS servers works just fine and don't censor any interesting site (so far). 
- 
-==== The Remote Access ==== 
- 
-Remote accessing your home network can be an hassle. Let's see the most common options: 
-  * Public IP address. Easiest: go get a DynDNS account of any kind and set it up in your ISP router, enable port-forwarding for your server or DMZ it, and you are all set. There are plenty of guides for this case, i will not get into more details. 
-  * Private IP address, but with //port-forwarding// supported by your ISP: still easy, enable the relevant settings in your ISP router and go to a website like [[https://whatismyipaddress.com/|this one]] and find out your IP address. It might change over time, but you can still use the DynDNS trick by installing the DynDNS client on your server. Again, i will not get into more details for this option. 
-  * Private IP address and no //port-forwarding//. Please note that your ISP router will still have port-forwarding options, but they will be totally useless as they will only forward your ports to your ISP private network, and NOT the real internet. A clear example of this is when your supposedly **external** ip (you can usually see this in your ISP router page) is in fact on a private subnet (ex: 10.x.y.z). I will cover this case. 
- 
- 
- 
-Well, you are in the worst possible condition and, let's be honest, there is NO way out unless you go down two different paths: 
-  * Buy a VPN that provides port-forwarding. Avoid any VPN without port-forwarding. This is, again, easy but it's pricey and doesn't really gives you any more advantages, so this is not my preferred solution and i will let you explore this one yourself. 
-  * Rent (or access somehow) a server on the internet with a public static IP address. This is the best solution in my view (albeit probably more expensive than a VPN) because it opens a world of opportunities for you. 
- 
-I choose to rent a remote real (not a virtual machine) for a fairly little amount of money each month (just a few bucks/quids/greens more than the monthly cost of a port-forwarding VPN to be honest, shop around!). It has a somewhat slow CPU, only 8gb of RAM and very little storage space (100gb range), but it gives me a public and static IP address without any limitation in open ports nor filtering. Also, remember that you don't need to rent it near you, nor in your home country. You can find very good deals in cheaper countries... 
- 
-Once you have rented your server, go ahead and install Gentoo on it (of course!) again, you will need a text-only installation, because you will only use **socat** to forward public connections over an SSH tunnel to your home. I will from now on assume that you have a Gentoo installed on your //remote server// and that server can be reached at the IP **99.99.99.99** (this is a fictional IP, just for future reference). 
- 
-=== Remote Server Securization === 
- 
-You want your remote server to be as secure as possible. So, do not install ANY service on it except for SSH (installed by default on Gentoo, just remember to enable it). Some points to follow during or after installation: 
-  * Create one non-privileged user (let's call it //tunnel//, you will see why) 
-  * Move SSH from port 22 to port 622 (edit **/etc/ssh/sshd_config**) 
-  * Disable root login for SSH (by default in Gentoo) 
-  * For added security, you might want to disable password authentication via SSH and force RSA public/private keys authentication. But be careful! Or you risk to lose remote access to your server which might prove difficult to recover from. 
- 
-I might add more details in the future **TODO**. 
- 
-=== Tunnelling from home to the Remote Server === 
- 
-SSH is a great tool which lots of advanced features. You can, for example, perform port-forwarding and reverse-port-forwarding with it without the need to install any additional tools, and you will be taking advantage of this feature to allow remote access to your home network from your remote server. 
- 
-You need to setup an SSH connection from your home server to your remote server, and adding a few port-forwards to it. The syntax you need is: 
-<code bash> 
- > ssh -R0.0.0.0:6022:127.0.0.1:22 -p 622 -l tunnel -i /path_to/id_rsa.tunnel 99.99.99.99 -nNT 
-</code> 
-and i will explain it here: 
-  * //-R0.0.0.0:5022:127.0.0.1:22//: on //remote server//, listen on port 522 and fotward all traffic to //local server port// 22. This will create a reverse-port-forward to access home server by doing an SSH session to remote server, on port 6022. 
-  * //-p 622//: remember that you moved remote server SSH port from 22 to 622 for security? 
-  * //-l tunnel//: you connect with the unpriviledged user tunnel on remote server 
-  * //-i path-to-rsa-key//: if you enabled only RSA key authentication, specify the path here 
-  * //99.99.99.99//: remote server IP address (you can buy a domain name too if you like of course) 
-  * //-nNT//: do not create an interactive session on remote server, do not require a real pipe on home server, and perform SSH keepalive pings to avoid the connection from closing due to inactivity. 
- 
-Well, that's the core of it. You will need to add a few more ports and a way to automate this when home server reboots, and maybe some robustness in case yout home internet connection gets disconnected: you want this tunnels to be restarted. I wrote the following small script that you need to drop into **/etc/local.d/99-tunnel.start**, Gentoo will start it at every boot: 
-<code bash> 
-#!/bin/bash 
- 
-LOG=/var/log/tunnel  
- 
-(while [ true ] 
-do 
-        source /etc/conf.d/tunnel 
-        echo $(date) testing network connection... 2>&1 >$LOG 
-        ping -c 10 -W 5 $REMOTE_SERVER &> /dev/null 
-        if [ $? -eq 0 ]  
-        then 
-                echo $(date) $REMOTE_SERVER pinged successfully. 2>&1 >$LOG 
-                ( 
-                        echo $(date) Starting tunnel... 2>&1 >$LOG 
-                        source /etc/conf.d/tunnel 
-                        REMOTES="-R0.0.0.0:$HOME_SERVER_REMOTE_SSH_PORT:127.0.0.1:22" # SSH port we always export 
-                        for i in $REMOTE_TO_HOME 
-                        do 
-                                REMOTES="$REMOTES -R$i" 
-                        done 
-                        for i in $HOME_TO_REMOTE 
-                        do 
-                                LOCALS="$LOCALS -L$i" 
-                        done 
-                        echo $(date) Running: ssh $LOCALS $REMOTES -p $REMOTE_SERVER_SSH_PORT -l tunnel -i /root/.ssh/id_rsa.tunnel $REMOTE_SERVER -nNT 2>&1 >$LOG 
-                        ssh $LOCALS $REMOTES -p $REMOTE_SERVER_SSH_PORT -l tunnel -i /root/.ssh/id_rsa.tunnel $REMOTE_SERVER -nNT 2>&1 >$LOG 
-                        echo $(date) ssh disconnected, retrying... 2>&1 >$LOG 
-                        sleep 10 # after disconnection, wait a bit before retrying 
-                ) 
-        else 
-                echo $(date) $REMOTE_SERVER pinged failed, retrying... 2>&1 >$LOG 
-                sleep 1 # wait a bit before retry ping 
-        fi 
-done)& 
- 
-</code> 
- 
-remember to make this file executable, it will be executed at every boot: 
-<code bash> 
- > chmod +x /etc/local.d//99-tunnel.start 
-</code> 
- 
-This script is written so that you need to actually write all the ports you want to forward and reverse-forward in the **/etc/conf.d/tunnel** file, like this: 
-<code bash> 
-REMOTE_TO_HOME=\ 
-"127.0.0.1:8080:127.0.0.1:80 "\ 
-"127.0.0.1:8443:127.0.0.1:8443 " 
-HOME_TO_REMOTE= 
-REMOTE_SERVER=99.99.99.99 
-REMOTE_SERVER_SSH_PORT=622 
-HOME_SERVER_REMOTE_SSH_PORT=6022 
-</code> 
- 
-Here you are forwarding two ports: 
-  * The home server HTTP port (8080, this is the port NGINX will create for you for remote access over HTTP) 
-  * The home server HTTPS port (8443, this is the port NGINX will create for you for remote access over HTTPS) 
- 
-You can now start the tunnel manually: 
-<code bash> 
- > /etc/local.d//99-tunnel.start 
-</code> 
- 
-=== HTTP/HTTPS ports redirection on the Remote Server === 
- 
-Unfortunately SSH is not capable, by design choice, to perform forwards on reserver ports, and in paricular on port 80 and 443, which you will need for HTTP and HTTPS access to your home server from outside. 
- 
-SOCAT 
- 
- 
-You can try to connect to your remote server on port 622 via SSH to verify that your port forwards are working. After you will setup your NGINX on the home network, you will also be able to access it. 
- 
- 
- 
- 
- 
- 
- 
- 
- 
- 
- 
- 
- 
- 
- 
- 
- 
- 
----- 
-Next to: [[sailing:organizers|The *Arr's setup]] 
- 
-Prev to: [[sailing:storagesetup|Storage Setup]] 

This website uses technical cookies only. No information is shared with anybody or used in any way but provide the website in your browser.

More information