Experiment – Mesh VPN setup with Tinc

This is a super short post on my experiment with setting up a mesh VPN using tinc.

Why?

  • It joins many small, geographically distributed networks into one VPN
  • There is no concept of server or client in tinc: nodes talk to each other directly where they can, and are relayed through other nodes where they cannot

Actors in the mesh

<name> is the tinc node name used for each actor

  • Digital Ocean droplet <externalnyc> – the only publicly reachable node, to which the other droplet and the laptop connect
  • Digital Ocean droplet <externalblr>
  • Laptop <fedora> (Home LAN)
  • RaspberryPi <pi> (Home LAN)

How are the actors connected?

  • externalblr ===> externalnyc
  • fedora ===> externalnyc
  • pi ===> fedora

The assumption is that every actor except externalnyc is behind a NAT/firewall, so externalnyc is the only node with a public address that others can dial (pi reaches fedora over the home LAN).

IP for each actor in VPN

  • externalnyc – 10.0.0.1
  • externalblr – 10.0.0.3
  • fedora – 10.0.0.2
  • pi – 10.0.0.4
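The topology and addressing above as a generated tinc configuration tree, added here as an example; it is not the post's own configuration nor taken from tinc's documentation. Node names, VPN addresses and the ConnectTo links are the post's. The netname (mesh), externalnyc's public address (203.0.113.10), fedora's LAN address (192.168.1.20) and the output directory are assumptions. Keys are deliberately not generated here.

```shell
#!/bin/sh
# Added example (not from the post): write a tinc 1.0-style configuration
# tree for the four-node mesh. NET, ROOT, 203.0.113.10 and 192.168.1.20
# are assumptions. Key pairs are NOT generated: on each node run
# "tincd -n $NET -K", which appends the public key to hosts/<name>.
set -eu

NET="${NET:-mesh}"                 # netname, i.e. /etc/tinc/<NET> in production
ROOT="${ROOT:-$(mktemp -d)}"       # per-node trees land under $ROOT/<node>/$NET

# gen_node NAME VPN_IP REACHABLE_ADDR [CONNECT_TO ...]
#   REACHABLE_ADDR is "" for nodes that nobody connects to directly.
gen_node() {
  name=$1; vpnip=$2; addr=$3; shift 3
  dir="$ROOT/$name/$NET"
  mkdir -p "$dir/hosts"

  {
    echo "Name = $name"
    echo "Mode = router"
    # Only trust Subnets listed in the hosts/ files we were given, never
    # ones announced over the mesh: a compromised peer cannot claim
    # another node's 10.0.0.x address.
    echo "StrictSubnets = yes"
    for peer; do echo "ConnectTo = $peer"; done
  } > "$dir/tinc.conf"

  {
    # Address is only needed on nodes that others ConnectTo; NATed nodes
    # with no reachable address simply omit it.
    [ -n "$addr" ] && echo "Address = $addr"
    echo "Subnet = $vpnip/32"
    echo "# public key follows, appended by: tincd -n $NET -K"
  } > "$dir/hosts/$name"

  cat > "$dir/tinc-up" <<EOF
#!/bin/sh
ip link set "\$INTERFACE" up
ip addr add $vpnip/24 dev "\$INTERFACE"
EOF
  chmod 755 "$dir/tinc-up"
}

# Every node gets every other node's host file (the tutorial does the same);
# with StrictSubnets this is required, since mesh-announced subnets are ignored.
distribute_hosts() {
  for src in "$ROOT"/*/"$NET"/hosts/*; do
    for dst in "$ROOT"/*/"$NET"/hosts; do
      [ "$(dirname "$src")" = "$dst" ] || cp "$src" "$dst/"
    done
  done
}

# Topology from the post: externalblr -> externalnyc, fedora -> externalnyc, pi -> fedora
generate_mesh() {
  gen_node externalnyc 10.0.0.1 203.0.113.10            # public droplet, dials nobody
  gen_node externalblr 10.0.0.3 ""           externalnyc
  gen_node fedora      10.0.0.2 192.168.1.20 externalnyc # LAN address so pi can reach it
  gen_node pi          10.0.0.4 ""           fedora
  distribute_hosts
}

# connect_to_of NAME -> space-separated peers NAME dials out to ("" if none)
connect_to_of() {
  sed -n 's/^ConnectTo = //p' "$ROOT/$1/$NET/tinc.conf" | tr '\n' ' ' | sed 's/ $//'
}

# host_count NAME -> number of host files NAME holds after distribution
host_count() {
  ls "$ROOT/$1/$NET/hosts" | wc -l | tr -d ' '
}

generate_mesh
echo "tinc configuration written under $ROOT"
```

To use it, copy each node's tree to /etc/tinc/mesh on that node, run sudo tincd -n mesh -K there (the private key stays in rsa_key.priv, the public half is appended to hosts/<name>), and only then exchange the host files between nodes over a trusted channel. Exchanging an unsigned host file over an untrusted channel is the one step where an attacker could insert their own node, so do not skip the out-of-band check.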

Results

  • Every actor can reach every other actor on its 10.0.0.x address
  • Services on each actor are reachable as far as that host's firewall allows them

Sources

tinc: https://www.tinc-vpn.org/documentation-1.1/Concept-Index.html
Tutorial: https://www.digitalocean.com/community/tutorials/how-to-install-tinc-and-set-up-a-basic-vpn-on-ubuntu-14-04


Creating a Logical Volume in LVM

Background

I wanted to upgrade from Fedora 24 to Fedora 25 using the dnf upgrade utility. Before doing that, I wanted to take a backup in case any issue occurred. While installing Fedora 24 I chose the LVM partitioning scheme, which I felt would help in case I needed to resize my drives without having to shrink and expand other partitions, as I was doing earlier.

Prerequisites

The volume group that was created as part of the installation had already used up all the space of the underlying physical volume. Nearly half of the HDD was still unallocated, so I had the following options:

  • Create a new physical volume and add it to the existing volume group
  • Create a new physical volume and add it to a new volume group
  • Extend the existing physical volume

Creating the partition

I felt it would be better to take option 2 from the above. I looked at some tutorials online, crash-course style material on playing around with LVM. So the first step was to create a physical partition, and for that I chose cfdisk, which is an ncurses version of the fdisk utility. The process is as follows:

  • Launch the program with sudo cfdisk
  • The program showed the list of partitions and free space available
  • Choose Free space from the list of devices and select [ New ]
  • Give the partition size, e.g. Partition size: 100G, and press Enter
  • It will ask if the partition is [ primary ] or [ extended ]; I chose [ primary ]
  • The partition table will be listed with a new device, for example /dev/sda2 (nothing is saved yet)
  • Choose [ Type ] and select 8e Linux LVM
  • Finally, choose [ Write ] to persist the changes

Creating Physical Volume

Check for the new device using lsblk or any equivalent command. Now it's time to create the physical volume:

sudo pvcreate /dev/sda2

Check if the physical volume is created using the following command,

sudo pvdisplay

Creating Volume Group

Use the following command to create the volume group. It takes the name of the volume group followed by the space-separated physical volumes this volume group will manage (here the one created above).

sudo vgcreate <volume_group_name> /dev/sda2

Check if the volume group is created using the following command,

sudo vgdisplay

Creating Logical Volume

Use the following command to create the logical volume. It takes the size & name of the logical volume and the name of the volume group this logical volume will be a part of; the size must fit within the free space of that volume group.

sudo lvcreate -L 149G -n <logical_volume_name> <volume_group_name>

Check if the logical volume is created using the following command,

sudo lvdisplay

Creating a filesystem on the logical volume

Now that we have a logical volume, it's time to put a filesystem on it so it can be mounted like /, /home, /boot, etc. Use the following command to create an ext4 filesystem (the logical volume is already the block device, so no further partitioning is needed):

sudo mkfs.ext4 /dev/<volume_group_name>/<logical_volume_name>

Check that the filesystem is there with lsblk -f, which shows the FSTYPE column for the logical volume (sudo fdisk -l lists the block device but not the filesystem on it).
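The whole procedure above as one script, added here as an example; these are not the post's own commands. It replaces the interactive cfdisk step with sfdisk so it can run unattended, sizes the logical volume with -l 100%FREE rather than a fixed -L (the post's 100G partition and 149G logical volume cannot both hold for a single partition, and 100%FREE simply takes what the physical volume offers), and refuses to run pvcreate on a device that already carries a filesystem or LVM signature. The device names, partition size and VG/LV names are assumptions modelled on the post. DRY_RUN=1, the default, only prints the commands, which is the mode to run and read through first.

```shell
#!/bin/sh
# Added example (not from the post): partition -> PV -> VG -> LV -> ext4
# as one script. DISK, PART, PART_SIZE, VG and LV are assumptions; the new
# partition is assumed to come up as /dev/sda2 as in the post.
set -eu

DISK="${DISK:-/dev/sda}"
PART="${PART:-/dev/sda2}"          # the partition sfdisk --append will create
PART_SIZE="${PART_SIZE:-100G}"
VG="${VG:-vg_backup}"
LV="${LV:-lv_backup}"
DRY_RUN="${DRY_RUN:-1}"            # 1 = print commands only

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Abort rather than clobber a device that already has a filesystem, RAID
# or LVM signature on it (blkid -p exits 0 when it finds one). Only
# meaningful in a real run; in DRY_RUN nothing is probed.
refuse_if_in_use() {
  if [ "$DRY_RUN" != 1 ] && blkid -p "$1" >/dev/null 2>&1; then
    echo "refusing: $1 already carries a signature: $(blkid -p "$1")" >&2
    return 1
  fi
}

lvm_build() {
  # 1. Partition: non-interactive equivalent of the cfdisk steps.
  #    Empty start = next free sector; type 8e = Linux LVM (MBR table).
  printf ',%s,8e\n' "$PART_SIZE" | run sfdisk --append "$DISK"
  run partprobe "$DISK"                 # make the kernel see the new partition
  refuse_if_in_use "$PART"
  # 2. PV -> VG -> LV. -l 100%FREE sizes the LV to what the PV provides,
  #    so the LV can never be larger than its partition.
  run pvcreate "$PART"
  run vgcreate "$VG" "$PART"
  run lvcreate -l 100%FREE -n "$LV" "$VG"
  # 3. Filesystem on the LV (the LV is the block device, no partition table).
  run mkfs.ext4 -L backup "/dev/$VG/$LV"
}

# Verification: lsblk -f shows FSTYPE=ext4 on the LV; pvs/vgs/lvs confirm
# each LVM layer by name.
lvm_verify() {
  run lsblk -f -o NAME,TYPE,FSTYPE,SIZE,MOUNTPOINT "$DISK"
  run pvs "$PART"
  run vgs "$VG"
  run lvs "$VG/$LV"
}

lvm_build
lvm_verify
```

Run it once as-is to review the command list, then with DRY_RUN=0 as root. The signature check matters because pvcreate and mkfs.ext4 will happily overwrite a mistyped device; wipefs or the partition editor's own prompts are the only other things standing between a typo and data loss.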

Finally

The volume is now ready to be mounted and used for backups or any other purpose. There are lots of other options and configurations available; I only picked the ones I needed at this particular moment.


Freifunk Gluon – My experiments so far – Updates

In my last post I was talking about Freifunk Gluon, Freemesh and what I was doing about it. This post is a follow-up to that.

So for a quick recap,

  • I had set up a node with Freifunk Gluon firmware from the Freemesh Denmark community
  • Started setting up the gateway node to which the other routers connect to form a mesh

What is the current status ?

Well, I have completed the gateway setup, and this post, along with the rest of the network traffic from my laptop, is going through the gateway as I write it. It's not a big deal, because communities use tools like Ansible & Puppet to automate the entire setup. But hey, doing it the long way is very important to me.

How did I achieve it ?

My single source of knowledge for this setup (most of it) was the Generic Freemesh Gateway from the Freemesh Ireland community. Here's what I did for the gateway and firmware setup:

Gateway

  • Create a VPS ($5) with Debian Jessie on Digital Ocean
  • Set up the necessary users, disable remote root login, disable password logins and allow only key-based logins
  • Set up a basic firewall
  • Download the necessary software
  • Set up B.A.T.M.A.N. (for routing) & fastd VPN (for connecting nodes)
  • Set up network interfaces
  • Set up DHCP & DNS (for mesh nodes & clients)
  • Set up NAT to forward the traffic from mesh nodes & clients to the internet
  • Set up vnstat for network statistics from the various network interfaces
  • Set up Hopglass (frontend) & Hopglass Server to collect info from the nodes & display it on the map
  • Set up Grafana & Prometheus, which provide data visualisation & monitoring respectively
  • Set up Fail2Ban to ban IPs by reading logs & dynamically adding rules to iptables

Building Firmware

  • Clone the stable branch of Freifunk Gluon
  • Clone an existing site configuration (it's actually the mesh node configuration)
  • Update the site configuration with details like community name, IPs for the node, WiFi & ad-hoc AP configuration, gateway information (so the nodes can connect to it via fastd VPN), etc.
  • Build the firmware
  • Flash it onto the router

Some hurdles faced

In any task there will be some hurdles, and it's up to us to solve them and proceed. The main hurdle I faced was a lack of understanding of networks & their configuration. So I didn't solve or learn all of them at once; instead I took steps to learn and understand them better through a simple setup.

I wanted to try out some of the software I mentioned above and see how the configurations would actually work. Since I mostly use my laptop for development, I made better use of my Raspberry Pi by turning it into a test bed to hone my skills. So for the initial part I tried setting up the following on my Pi and using them from my laptop:

  • DHCP
  • DNS
  • NTP
  • Fastd
  • Iptables & NAT

For the most part, I used tcpdump and syslog to monitor the output. By playing with the configurations, I was able to get a good grasp of what was happening. There is still a lot to learn, but it's a start nonetheless.

Then I faced some issues where the map wasn't updated anymore and DNS & NTP requests were denied. After checking the logs I could see that the firewall was blocking those packets, so I had to add rules to allow the following (all these rules apply only to the private subnet):

  • DNS
  • Multicast
  • NTP
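The gateway firewall for the two points above, the NAT step from the gateway list and the DNS, multicast and NTP allow rules that had to be added, as an added example; this is not the Freemesh guide's configuration nor the author's rule set. The interface names (br-mesh, eth0) and the mesh subnet (10.80.0.0/16) are assumptions. DRY_RUN=1, the default, prints the iptables commands instead of executing them so the rule set can be reviewed before it touches a live gateway.

```shell
#!/bin/sh
# Added example (not from the post or the Freemesh guide): gateway-side
# iptables rules for the mesh. MESH_IF, MESH_NET and WAN_IF are assumptions.
set -eu

MESH_IF="${MESH_IF:-br-mesh}"          # bridge carrying bat0 (mesh nodes + clients)
MESH_NET="${MESH_NET:-10.80.0.0/16}"   # private subnet handed out to the mesh by DHCP
WAN_IF="${WAN_IF:-eth0}"               # droplet's public interface
DRY_RUN="${DRY_RUN:-1}"                # 1 = print commands only

run()  { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }
ipt()  { run iptables  "$@"; }
ip6t() { run ip6tables "$@"; }

# Services the gateway itself offers to the mesh. Every rule carries both
# -i and -s: the same DNS and NTP daemons must NOT be reachable on $WAN_IF,
# or the gateway becomes an open resolver / NTP amplifier for the internet.
mesh_services() {
  ipt -A INPUT -i "$MESH_IF" -s "$MESH_NET" -p udp --dport 53  -j ACCEPT   # DNS
  ipt -A INPUT -i "$MESH_IF" -s "$MESH_NET" -p tcp --dport 53  -j ACCEPT   # DNS over TCP (large answers)
  ipt -A INPUT -i "$MESH_IF" -s "$MESH_NET" -p udp --dport 123 -j ACCEPT   # NTP
  ipt -A INPUT -i "$MESH_IF" -p udp --dport 67 -j ACCEPT                   # DHCP: client has no address yet, so no -s
  ipt -A INPUT -i "$MESH_IF" -d 224.0.0.0/4 -j ACCEPT                      # IPv4 multicast
  ipt -A INPUT -i "$MESH_IF" -p igmp -j ACCEPT                             # multicast group membership
  ip6t -A INPUT -i "$MESH_IF" -d ff02::/16 -j ACCEPT                       # link-local multicast (node status queries for the map)
  ip6t -A INPUT -i "$MESH_IF" -p icmpv6 -j ACCEPT                          # neighbour discovery; dropping this breaks IPv6 entirely
}

# Forward mesh traffic to the internet and masquerade it behind the WAN
# address. Replies come back through the conntrack rule; nothing else may
# cross the gateway, so the mesh cannot be used as a pivot to other interfaces.
mesh_nat() {
  run sysctl -w net.ipv4.ip_forward=1
  ipt -t nat -A POSTROUTING -s "$MESH_NET" -o "$WAN_IF" -j MASQUERADE
  ipt -A FORWARD -i "$MESH_IF" -o "$WAN_IF" -s "$MESH_NET" -j ACCEPT
  ipt -A FORWARD -i "$WAN_IF" -o "$MESH_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  ipt -A FORWARD -j DROP
}

apply_all() {
  mesh_services
  mesh_nat
  # Whatever the mesh side sends to the gateway itself beyond the services
  # above is dropped. SSH on $WAN_IF is managed separately and is not shown.
  ipt -A INPUT -i "$MESH_IF" -j DROP
}

apply_all
```

The rule set is intentionally asymmetric: the allow rules are pinned to the mesh interface and subnet, while the WAN side gets nothing new, which is what "all these rules apply only to the private subnet" has to mean in practice. If the map stops updating again after this, check the ip6tables multicast and icmpv6 rules first; the node status queries the map backend sends are link-local IPv6 multicast and are the first thing a default-deny INPUT chain silently eats.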

Some Pics


You can check the map here.

What then ?

I will continue experimenting with the gateway and node, then see what else I can do to proceed. I am planning to look at the Ansible scripts to automate the gateway setup and further improve my knowledge of networks.

Note: If peers in my local community are interested in this concept, we could try it out.