Server Installation 2020

A project to provide VPN access to the River System Raspberry Pis to allow WMT Volunteers and Staff to log in from home. Triggered by the COVID19 lockdown
TerryJC
Posts: 2616
Joined: 16/05/2017, 17:17

Server Installation 2020

Post by TerryJC »

As documented in earlier Topics, some difficulty has been encountered upgrading the software in preparation for installation of the VPN itself. Additionally, in order that people have some chance of working out what was done, I have included a new Topic in the Webserver Forum. This will guard against future Volunteers wondering where the VPN link came from all of a sudden if they are only concerned with the maintenance of the Webserver and happen to have no interest in the River System. At the moment of course some of us work on all parts, but I'm sure that won't always be the case.

This Topic will therefore be concerned only with VPN Server installation and work on the Webserver code will be covered in viewtopic.php?f=9&t=229.
Terry
TerryJC
Posts: 2616
Joined: 16/05/2017, 17:17

Re: Server Installation

Post by TerryJC »

I have now created a working Webserver SD Card see viewtopic.php?p=3493#p3493.

I will now reconnect that SD Card in my Pi3 to my home network. This is how I simulate the WMT installation with the home network connected to eth1 and the test hardware connected to eth0 on the simulated River System network. I am then able to view the web pages and log on to the Pis in the River System network simply by connecting my phone / iPad / laptop to the WiFi Router that I have simulating the two WMT Antennas.

This afternoon I intend to install OpenVPN on the Webserver Pi using PiVPN and check that I am able to create a connection from my phone connected to the Internet through its data connection (ie with WiFi off). If that works, I will then ask others to connect to my test River System network here before I attempt deployment at WMT.

I expect there to be some questions to be answered when we get to deployment, mainly because I doubt that the WMT LAN IP subnet will probably be different by default from the IP addresses that I have here. We won't know what they are until the new Router has been installed. We should be able to reconfigure the new WMT Router to have the same subnet as me, which would simplify things a bit; if not, I may have to think again.

I'll keep this Topic up to date with progress and queries as they arise.
Terry
TerryJC
Posts: 2616
Joined: 16/05/2017, 17:17

Re: Server Installation

Post by TerryJC »

Sitrep:

I hit a snag. As reported above, I had a working installation of nodogsplash on the pretend River System here in my workshop. I then installed and ran PiVPN (https://pivpn.io/) and nodogsplash immediately stopped working. I suspected that the problem was conflicting iptables rules being set up, but I know very little about iptables, so I posted a query on the Raspberry Pi Forums - https://www.raspberrypi.org/forums/view ... 6&t=276163.

A very helpful user responded and said that he had managed to install PiVPN and nodogsplash on the same Pi, but proceeded to baffle me a bit with lists of iptables rules etc. Also I have a suspicion that his setup is a bit simpler than ours and that may be the problem for me.

Unfortunately the helpful user has gone quiet, so I have been left floundering a bit. I had asked some preliminary questions, but had no response as yet. (he may just be away for the weekend.)

As part of the debugging of this, I uninstalled PiVPN and flushed the iptables, but nodogsplash still refuses to work again. This means I may have to rebuild the SD Card from scratch if I can't get nodogsplash functional.

One thing that the helpful user did suggest was the use of VLANs to alias the Ethernet ports and I can see how that would provide a fairly straightforward way to install the server. We could leave nodogsplash running on eth0 with its Internet connection being provided by eth1, while at the same time we could have the VPN server connected between eth0.0 and eth1.0 (say). (Or even eth0.0 to eth1.0 and eth0.1 to eth1.1.) The problem with that is that VLANs do not work apparently unless there are managed Routers connected to them. At this point in time, we have no real idea what the new router will be like although the User Manual for the expected one makes no mention of VLAN support. On the other side, the big Switch in the Wendy Street IP65 Box is likely to be a Managed Switch, but then we would need to access its Control panel somehow.

The very helpful user also suggested:
Another option could be to use macvlan interfaces. Very much like an extra physical interface, does not require special router support, but cannot be added to a bridge. (you can however build a macvlan interface off a bridge interface.)
He gave some example code:

root@sun:~# for i in 0 1; do ip l add mcv$i address b8:27:eb:0$i:1$i:2$i link eth0 type macvlan mode private; done
root@sun:~# ip r
default via 172.17.0.1 dev eth0 src 172.17.255.10 metric 202 
default via 172.17.0.1 dev mcv0 proto dhcp src 172.17.255.241 metric 205 
default via 172.17.0.1 dev mcv1 proto dhcp src 172.17.255.92 metric 206 
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1 
169.254.0.0/16 dev eth0.314 scope link src 169.254.94.218 metric 204 
172.17.0.0/16 dev eth0 proto dhcp scope link src 172.17.255.10 metric 202 
172.17.0.0/16 dev mcv0 proto dhcp scope link src 172.17.255.241 metric 205 
172.17.0.0/16 dev mcv1 proto dhcp scope link src 172.17.255.92 metric 206 
Before I try this out, I'm going to need to understand more about what is going on. In particular, what does his line "but cannot be added to a bridge. (you can however build a macvlan interface off a bridge interface.)" mean?
Terry
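The `ip r` listing quoted above shows three default routes (eth0 and the two macvlan interfaces, each with its own DHCP lease on the same 172.17.0.0/16 LAN) at different metrics, plus the 10.8.0.0/24 VPN client subnet on tun0 with no default route of its own. Which interface the Pi really uses is decided by the lowest metric, and that is worth checking before building a VPN on top of it. The following is an added example, not code from the thread or from the helpful user: a small parser for `ip route` output that reports the effective default route and every destination that is reachable over more than one interface. The embedded sample is the routing table quoted in the post; the function names are my own.

```python
"""Parse `ip route` output and report which interface really carries traffic.
Added example, not from the forum thread; SAMPLE_IP_ROUTE is the routing
table quoted in the post above, embedded so this runs offline."""
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE_IP_ROUTE = """\
default via 172.17.0.1 dev eth0 src 172.17.255.10 metric 202
default via 172.17.0.1 dev mcv0 proto dhcp src 172.17.255.241 metric 205
default via 172.17.0.1 dev mcv1 proto dhcp src 172.17.255.92 metric 206
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1
169.254.0.0/16 dev eth0.314 scope link src 169.254.94.218 metric 204
172.17.0.0/16 dev eth0 proto dhcp scope link src 172.17.255.10 metric 202
172.17.0.0/16 dev mcv0 proto dhcp scope link src 172.17.255.241 metric 205
172.17.0.0/16 dev mcv1 proto dhcp scope link src 172.17.255.92 metric 206
"""

# Attributes that `ip route` prints as "key value" pairs after the destination.
_KEYS = {"via", "dev", "proto", "scope", "src", "metric"}


@dataclass
class Route:
    dst: str            # "default" or a CIDR prefix
    dev: str            # outgoing interface
    via: Optional[str]  # next hop; None for directly connected prefixes
    src: Optional[str]  # preferred source address
    metric: int         # lower wins; the kernel treats a missing metric as 0


def parse_ip_route(text: str) -> List[Route]:
    """Turn `ip route` lines into Route objects (one per line)."""
    routes: List[Route] = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        attrs = {}
        for i, tok in enumerate(tokens[:-1]):
            if tok in _KEYS:
                attrs[tok] = tokens[i + 1]
        if "dev" not in attrs:
            continue  # e.g. "unreachable"/"blackhole" entries carry no device
        routes.append(Route(tokens[0], attrs["dev"], attrs.get("via"),
                            attrs.get("src"), int(attrs.get("metric", 0))))
    return routes


def default_routes(routes: List[Route]) -> List[Route]:
    """All default routes, best (lowest metric) first."""
    return sorted((r for r in routes if r.dst == "default"), key=lambda r: r.metric)


def effective_default(routes: List[Route]) -> Optional[Route]:
    """The default route the kernel will actually use, or None if there is none."""
    defaults = default_routes(routes)
    return defaults[0] if defaults else None


def routes_for(routes: List[Route], dev: str) -> List[Route]:
    """Every route that leaves via the given interface."""
    return [r for r in routes if r.dev == dev]


def shared_prefixes(routes: List[Route]) -> Dict[str, List[str]]:
    """Destinations reachable over more than one interface, devices listed
    best-metric first. The same LAN prefix showing up on eth0 and on each
    macvlan built from it is exactly this situation; only the first entry is
    used unless policy routing says otherwise."""
    by_dst: Dict[str, List[str]] = {}
    for r in sorted(routes, key=lambda r: r.metric):
        by_dst.setdefault(r.dst, []).append(r.dev)
    return {d: devs for d, devs in by_dst.items() if len(devs) > 1}


if __name__ == "__main__":
    table = parse_ip_route(SAMPLE_IP_ROUTE)
    best = effective_default(table)
    print(f"outbound traffic leaves via {best.dev} (metric {best.metric}, gw {best.via})")
    for dst, devs in shared_prefixes(table).items():
        print(f"{dst} is reachable via {', '.join(devs)}; {devs[0]} wins")
    print("VPN client subnet:", [r.dst for r in routes_for(table, "tun0")])
```

Run against the quoted table this reports eth0 as the interface that carries outbound traffic (metric 202 beats the macvlans at 205 and 206), lists the LAN prefix as reachable over all three, and shows that tun0 only knows its own 10.8.0.0/24. The last point matters for the architecture described later in the thread: packets from VPN clients arriving on tun0 only reach hosts on the River System side if the Pi forwards them there deliberately, which is a firewall and forwarding decision rather than something the routing table does on its own.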
hamishmb
Posts: 1891
Joined: 16/05/2017, 16:41

Re: Server Installation

Post by hamishmb »

Hmm, that's a bit of a pain.

The new router does in all likelihood support VLANs fortunately - I think most modern routers do. I'm not sure what he means by that either to be honest. I have a reasonable understanding of networking but that never really extended to VLANs very much - your helpful user will probably be a lot more helpful than me :)

This page (at least the first and last parts) https://hicu.be/bridge-vs-macvlan might be useful in terms of understanding the difference between a bridge and a macvlan. It eventually gets into a lot of detail, but I found the macvlan explanation helpful, having never heard of it before.
Hamish
TerryJC
Posts: 2616
Joined: 16/05/2017, 17:17

Re: Server Installation

Post by TerryJC »

Sitrep2:

The firewall conflicts may yet be a problem, but I've come to the conclusion that it wasn't that which was causing the problem with nodogsplash. Even after I used PiVPN to completely uninstall OpenVPN and iptables -F to completely delete all rules, running nodogsplash again didn't restore functionality. I don't really know what the problem is, but I decided to try a different VPN Server package to eliminate that.

Over the past few days I've discussed this problem on the Dorset Linux User Group and tried to install wireguard. This is now part of the Linux kernel and is very attractive because it uses Public Key Encryption to safeguard the data exchanges. However, although modern Linux Distros all have wireguard in their Repositories, Raspberry Pi OS doesn't yet. I tried to install it using several online Tutorials, with no success.

While I was discussing the problem with wireguard on the Raspberry Pi Forums a user suggested using PiStrong, which is a tool to install the well thought of VPN software StrongSwan on the Pi, see https://www.raspberrypi.org/forums/view ... 8#p1675114 and https://www.strongswan.org/.

The guy seems to be another Very Helpful User (as well as being the author of PiStrong :) ). He has offered to build a trial installation with a simulation of the architecture of our setup at WMT. If he is successful, that will be a major step forward. I have accepted the offer of his help and will report back shortly.
Terry
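Two things in the posts above would have been easier to settle with a record of the firewall state: whether the VPN installer really added rules that clash with nodogsplash, and what a bare `iptables -F` actually removed. (`iptables -F` with no `-t` option flushes only the filter table; rules a captive portal keeps in the nat or mangle tables, and the chain policies, are left in place.) The following is an added example, not code from the thread, from PiVPN or from nodogsplash: it parses two `iptables-save` snapshots, lists the rules that appeared or disappeared between them, and models what a flush of one table leaves behind. Both snapshots are constructed for the example; the chain name ndsOUT, port 2050, the interfaces and the 10.8.0.0/24 client subnet are assumptions, not captures from the WMT Pi.

```python
"""Diff two `iptables-save` snapshots and model `iptables -F`.
Added example, not from the forum thread. BEFORE/AFTER are constructed
illustrations (assumed chain names, ports and interfaces), not real captures."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed: a captive-portal style ruleset on eth0 (stand-in for nodogsplash).
BEFORE = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:ndsOUT - [0:0]
-A PREROUTING -i eth0 -j ndsOUT
-A ndsOUT -p tcp --dport 80 -j REDIRECT --to-ports 2050
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth0 -o eth1 -j ACCEPT
COMMIT
"""

# Constructed: the same box after a VPN installer has added NAT and FORWARD
# rules for an assumed tun0 client subnet.
AFTER = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:ndsOUT - [0:0]
-A PREROUTING -i eth0 -j ndsOUT
-A ndsOUT -p tcp --dport 80 -j REDIRECT --to-ports 2050
-A POSTROUTING -o eth1 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -o eth1 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i tun0 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
COMMIT
"""


@dataclass
class Table:
    policies: Dict[str, str] = field(default_factory=dict)  # chain -> policy ("-" for user chains)
    rules: List[str] = field(default_factory=list)          # ordered "-A ..." lines


def parse_iptables_save(text: str) -> Dict[str, Table]:
    """Split iptables-save output into per-table chain policies and rules."""
    tables: Dict[str, Table] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):                 # "*nat", "*filter", ...
            current = tables.setdefault(line[1:], Table())
        elif line.startswith(":"):               # ":CHAIN POLICY [pkts:bytes]"
            chain, policy = line[1:].split()[:2]
            current.policies[chain] = policy
        elif line.startswith("-A "):             # one rule, in chain order
            current.rules.append(line)
    return tables


def diff_rules(before: Dict[str, Table], after: Dict[str, Table]) -> Dict[str, Dict[str, List[str]]]:
    """Rules present in only one snapshot, per table. Order of the surviving
    rules is not compared here; a rule that merely moved earlier in a chain
    still needs a look in the raw output."""
    out: Dict[str, Dict[str, List[str]]] = {}
    for name in sorted(set(before) | set(after)):
        b = before.get(name, Table()).rules
        a = after.get(name, Table()).rules
        added = [r for r in a if r not in b]
        removed = [r for r in b if r not in a]
        if added or removed:
            out[name] = {"added": added, "removed": removed}
    return out


def flush(tables: Dict[str, Table], table: str = "filter") -> Dict[str, Table]:
    """Model `iptables -F` (or `iptables -t <table> -F`): every chain in one
    table is emptied, its policies and user-defined chains stay, and the
    other tables are untouched."""
    result = {n: Table(dict(t.policies), list(t.rules)) for n, t in tables.items()}
    if table in result:
        result[table].rules = []
    return result


def rules_mentioning(tables: Dict[str, Table], token: str) -> List[Tuple[str, str]]:
    """(table, rule) pairs whose rule refers to an interface, address or chain."""
    return [(n, r) for n, t in tables.items() for r in t.rules if token in r.split()]


if __name__ == "__main__":
    before, after = parse_iptables_save(BEFORE), parse_iptables_save(AFTER)
    for table, change in diff_rules(before, after).items():
        print(table, "added:", change["added"], "removed:", change["removed"])
    left = flush(after)  # what a bare `iptables -F` leaves behind
    print("nat rules still present after iptables -F:", len(left["nat"].rules))
```

In practice the two snapshots would be taken with `iptables-save` before and after running the installer and read back from files; with the constructed data the diff shows exactly one new NAT rule and one new FORWARD rule, and the flush model shows that none of the nat-table rules (the ones a captive portal depends on) are touched by `iptables -F` alone.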
hamishmb
Posts: 1891
Joined: 16/05/2017, 16:41

Re: Server Installation

Post by hamishmb »

Oh good, I wish you luck.

How far away are we from the new router being installed by the way?
Hamish
TerryJC
Posts: 2616
Joined: 16/05/2017, 17:17

Re: Server Installation

Post by TerryJC »

Sitrep3:

The Very Helpful User on the Raspberry Pi Forums has confirmed that he has managed to install both nodogsplash and strongSwan (using his PiStrong tool) and they have both run successfully simultaneously. He believes that there are no conflicting iptables entries, so that looks very promising. I have asked him to give me some pointers on the order that he installed it and any useful information and if he responds this evening, I should be able to install it on the test rig here tomorrow.

In the meantime, here is some information about how to connect to the strongSwan server with various OSs: So it would appear that we should be able to access the River System Network in a variety of ways if I can replicate his success with the installation of the Server.
Terry
hamishmb
Posts: 1891
Joined: 16/05/2017, 16:41

Re: Server Installation

Post by hamishmb »

Oh that looks very good indeed :)
Hamish
TerryJC
Posts: 2616
Joined: 16/05/2017, 17:17

Re: Server Installation

Post by TerryJC »

Sitrep5:

The Very Helpful User on the Raspberry Pi Forums came back last night with an extremely detailed description of how he installed nodogsplash and strongSwan on the same Pi. Unfortunately, as with my previous Very Helpful User he has completely misunderstood the network architecture at WMT (I did provide a copy of the network configuration diagram that I posted at viewtopic.php?p=3502#p3502). He has made the Pi into a Wireless Access point with the Internet Router on the same network as the hosts that we want to access. This is the typical way that a VPN Server operates; the VPN clients query the server which encrypts their packets and puts them back out onto the same network on a different port number. As can be seen from the diagram of our system, the hosts that we want access to are on one side of the server, with the clients on the other.

I know that our architecture is a valid one because I checked with Paul before I even embarked on the process. I have also seen diagrams on the web that show how corporate systems are put together and that is a common approach with big networks.

I have responded with another diagram, side by side with his architecture, and pointed out the differences. Hopefully he will respond. Unfortunately this is the point where my previous Very Helpful User went quiet, so it may be that this is not a scenario that is readily understood in the Pi world.

I'll keep you posted.
Terry
TerryJC
Posts: 2616
Joined: 16/05/2017, 17:17

Re: Server Installation

Post by TerryJC »

Sitrep5:

Yesterday evening, I successfully connected to the VPN Server on the WMT-Webserver Pi from this PC. This isn't a full test because I've yet to do the same thing from outside of my home network (through my laptop connected by WiFi to my tethered phone), but it's definite progress. Yes. Nodogsplash was still working.

I still have some questions, like exactly how will we (the users) access the files on the individual Pis now we have the connection, but I'm pretty hopeful to have everything working in plenty of time.
Terry