Re: [Dorset] Internet Access Using Tethering

2020-06-21 Thread Terry Coles
On Sunday, 21 June 2020 10:25:47 BST Keith Edmunds wrote:
> I know there are challenges, but being able to directly ssh to your RPis
> from the outside, ideally filtered by source IP, would be considerably
> simpler. I know you said that network is owned by people who don't
> understand it and so won't allow it - which is perverse logic.

They don't understand either SSH or VPN but they've heard about VPN.

These are Trustees; none of them are technical, but many of them have worked 
in Offices.  If they used VPN in their Office then that is all the 
understanding needed.  I suspect that applies to many senior managers.

-- 
Terry Coles

-- 
  Next meeting: Online, Jitsi, Tuesday, 2020-07-07 20:00
  Check to whom you are replying
  Meetings, mailing list, IRC, ...  http://dorset.lug.org.uk
  New thread, don't hijack:  mailto:dorset@mailman.lug.org.uk


Re: [Dorset] Internet Access Using Tethering

2020-06-21 Thread Keith Edmunds
On Sun, 21 Jun 2020 10:20:24 +0100, d-...@hadrian-way.co.uk said:

> Am I missing the point?

Probably not.

I know there are challenges, but being able to directly ssh to your RPis
from the outside, ideally filtered by source IP, would be considerably
simpler. I know you said that network is owned by people who don't
understand it and so won't allow it - which is perverse logic.

-- 
Linux Tips: https://www.tiger-computing.co.uk/category/techtips/



Re: [Dorset] Internet Access Using Tethering

2020-06-21 Thread Terry Coles
On Sunday, 21 June 2020 09:55:51 BST Keith Edmunds wrote:
> I'm pleased you got it working, but...it sounds like a nightmare to
> support and maintain. Very hacky, undocumented, alpha software, multi-hoop
> jumping.

Yes and no.  It isn't entirely undocumented just somewhat inadequately 
undocumented.  I agree that it is a very early version of the software and I 
haven't gained any impression that anyone else has used it yet apart from the 
developer.

In any case, unless someone can suggest a viable alternative to this software 
(which they couldn't when I asked a week or so ago), it's this or nothing.  If 
you recall I had installed PiVPN (which installs OpenVPN on a Pi), but that 
conflicted with the Captive Portal Software nodogsplash.  Ralph suggested 
wireguard, but no-one was able to help me get it installed; this is still in the 
early stages of support on Raspberry Pi.

Then the developer popped up on the Raspberry Pi Forums and offered to help me 
install PiStrong so I gave it a go.  If I had known then what I know now I'd 
have saved myself two weeks of work and installed the VPN server on a separate 
Pi and used PiVPN, but I didn't so I tried this tool.  Putting in another Pi 
is far from ideal since we are still in lockdown (and we wouldn't have needed 
any of this if we weren't).

> Do you have a clear understanding of how it works, what components do
> what, why each is there, and a network diagram marked with subnet
> addresses? If not, I'd suggest you get all of those or - my real
> suggestion - make it orders of magnitude less complex.

If I had a clear understanding of how this or any other software worked you'd 
hear a lot less from me on this list.  ;-)

I'm not sure what you mean by 'make it orders of magnitude less complex'.  Do 
you mean PiStrong or the network at WMT?  Clearly I have no control over the 
complexity of PiStrong (still less over the strongSwan software that it 
installs), so there's nothing I can do about that (other than stop using it).

The network at WMT is fully documented in both specifications and diagrams - I 
published a link to a partial diagram showing the basic architecture in an 
earlier thread.  Again, the WMT network is what it is and I don't really see 
how we could make it simpler.  There is one subnet in the private network and 
one in the Office network.  All the Pis are connected to the private network 
and there is a simple Ethernet cable between the two networks as shown in the 
diagram.  The private network is firewalled from the Office network except for 
routes set up by nodogsplash and PiStrong.

Am I missing the point?

-- 
Terry Coles


Re: [Dorset] Internet Access Using Tethering

2020-06-21 Thread Keith Edmunds
I'm pleased you got it working, but...it sounds like a nightmare to
support and maintain. Very hacky, undocumented, alpha software, multi-hoop
jumping.

Do you have a clear understanding of how it works, what components do
what, why each is there, and a network diagram marked with subnet
addresses? If not, I'd suggest you get all of those or - my real
suggestion - make it orders of magnitude less complex.
-- 
Linux Tips: https://www.tiger-computing.co.uk/category/techtips/



Re: [Dorset] Internet Access Using Tethering

2020-06-21 Thread Terry Coles
On Saturday, 20 June 2020 18:17:20 BST Patrick Wigmore wrote:
> doesn't complete after 64 hops, but
> 
>   $ traceroute -I 
> 
> completes after 18 hops. The -I option is to 'Use ICMP ECHO as probe.'

I tried that, but it didn't complete with the -I switch either.  :-)

So I was mulling over this last night and suddenly remembered one of the 
(numerous) times I'd been told by the developer of PiStrong to hack one or 
other of the Cert Config files to make it work.  On Tuesday, I got it working 
by hacking the client Cert Config, but I had forgotten that particular fix.  
When I added it just now it worked!

Don't ask me why traceroute -I  doesn't work with my Router, 
but the Router's log shows my connection being made and I was able to log into 
a Pi on the private network.  :-)

I now need to roll it out to the users, but I may wait a day or two to see if 
the developer's promised update fixes all the issues.

-- 
Terry Coles


Re: [Dorset] Internet Access Using Tethering

2020-06-20 Thread Patrick Wigmore
On Sat, 20 Jun 2020 17:22:02 +0100, Terry Coles wrote:
> On Saturday, 20 June 2020 15:21:40 BST Terry Coles wrote:
> > What's the minimum needed to get something up on the Internet that
> > would respond to a query of some kind?  I've looked at various
> > Tutorials and they all seem to be a fair bit of work.  I have
> > another Pi which could be used in place of the one running the
> > two servers, so is there something quick and dirty just to do
> > this test?
> 
> I just tried traceroute to see if the Home Router could be reached. 
> It does look as if using my phone's hotspot could be the problem
> because although traceroute 8.8.8.8 completed in 14 hops after ~68
> ms, traceroute  never completed after 64 hops. 
> There was a lot of stuff happening between hops 11 and 17 with
> multiple IP Addresses being listed, but no sign of my Router's
> address.
> 
> Have I interpreted this correctly?  It would appear to me that the
> packets never arrive for some reason.

That's a good idea. (Running traceroute.)

I would interpret that result to mean that the network knows a route 
to the Home Router, but beyond a certain point along the route, no 
response packets are returned, for whatever reason. Probably the Home 
Router is ignoring the packets, but the same result would occur if a 
router along the way was blocking either the requests or the 
responses.

Or, it could mean that there are more than 64 hops between the laptop 
connected to the hotspot and your Home Router, but that seems pretty 
unlikely.

I just tried pinging my own home router over a mobile network.

  $ traceroute 

doesn't complete after 64 hops, but

  $ traceroute -I 

completes after 18 hops. The -I option is to 'Use ICMP ECHO as probe.'

In both cases, the same set of IP addresses is listed for the earlier 
hops (i.e. the same route is used).

When I configure the router to not respond to pings, the traceroute 
never completes, regardless of whether -I is used.

Patrick



Re: [Dorset] Internet Access Using Tethering

2020-06-20 Thread Terry Coles
On Saturday, 20 June 2020 17:21:04 BST Patrick Wigmore wrote:
> You could use Python 3's http.server module, which you probably
> already have installed.

I asked for simple and that's what you gave me.

I'll give it a go tomorrow (I have things to do this evening).

The developer of PiStrong has come back to me in the last hour with a promise 
of an update to his code by Monday.  If I can prove the hotspot is working or 
otherwise by then I would feel a bit more confident that this might work 
eventually.

-- 
Terry Coles


Re: [Dorset] Internet Access Using Tethering

2020-06-20 Thread Terry Coles
On Saturday, 20 June 2020 15:21:40 BST Terry Coles wrote:
> What's the minimum needed to get something up on the Internet that would
> respond to a query of some kind?  I've looked at various Tutorials and they
> all seem to be a fair bit of work.  I have another Pi which could be used in
> place of the one running the two servers, so is there something quick and
> dirty just to do this test?

I just tried traceroute to see if the Home Router could be reached.  It does 
look as if using my phone's hotspot could be the problem because although 
traceroute 8.8.8.8 completed in 14 hops after ~68 ms, traceroute  never 
completed after 64 hops.  There was a lot of stuff happening between hops 11 
and 17 with multiple IP Addresses being listed, but no sign of my Router's 
address.

Have I interpreted this correctly?  It would appear to me that the packets 
never arrive for some reason.

-- 
Terry Coles


Re: [Dorset] Internet Access Using Tethering

2020-06-20 Thread Patrick Wigmore
On Sat, 20 Jun 2020 15:21:40 +0100, Terry Coles wrote:
> > Personally my next step would be to temporarily stick some
> > relatively easy-to-configure server of some kind online via the
> > home router. E.g. a web server serving a unique web page, and
> > then try to connect to that via the phone hotspot. That would at
> > least prove whether you can connect to the home router from the
> > Hotspot, which seems to be your aim with pinging it.
> 
> I could try that, although I could end up doing a lot of work only
> to learn that there's nothing wrong.  I already have the Pi running
> the VPN Server and nginx, but the webserver is only accessible from
> the internal (private) network.
> 
> What's the minimum needed to get something up on the Internet that
> would respond to a query of some kind?  I've looked at various
> Tutorials and they all seem to be a fair bit of work.  I have
> another Pi which could be used in place of the one running the two
> servers, so is there something quick and dirty just to do this
> test?

You could use Python 3's http.server module, which you probably 
already have installed.

Running

$ python -m http.server 8000

will serve the contents of the current directory. It runs in the 
foreground until you exit from it.

It's documented here:
https://docs.python.org/3/library/http.server.html#http-server-cli

So, e.g.

$ mkdir httptest
$ cd httptest
$ echo "Some somewhat unique text" > file.txt
$ python -m http.server 8000

Obviously you can use a different port if it's more convenient.

If `python` points to Python 2 rather than Python 3, then you may need 
to do

$ python3 -m http.server 8000

instead. Alternatively, the python 2 equivalent is

$ python -m SimpleHTTPServer 8000

Patrick
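
The reachability test suggested above, as an added example that is not part of the original post or of any project mentioned in the thread: instead of serving a directory, it answers a single path with a known token, records which source addresses connected, and has a probe that tells "refused" apart from "timeout", which ping cannot do. The names TOKEN, TOKEN_PATH, TokenHandler, start_server and probe are assumptions made for this example.

```python
"""Reachability check: serve one known token, probe it, classify the result."""
import http.client
import http.server
import socket
import sys
import threading

TOKEN = "reachability-test-3f9c"  # constructed sample value, pick your own
TOKEN_PATH = "/token"             # hypothetical path used only by this example


class TokenHandler(http.server.BaseHTTPRequestHandler):
    """Answers GET /token with TOKEN; every other path gets 404, no files served."""

    def do_GET(self):
        if self.path != TOKEN_PATH:
            self.send_error(404)
            return
        body = TOKEN.encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        # Keep the source address of each request instead of printing to stderr
        self.server.seen.append(self.client_address[0])


def start_server(bind="127.0.0.1", port=0):
    """Start the token server in a background thread; port 0 picks a free port."""
    srv = http.server.ThreadingHTTPServer((bind, port), TokenHandler)
    srv.seen = []
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe(host, port, timeout=3.0):
    """Return 'reached', 'wrong-service', 'refused', 'timeout' or 'error'."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", TOKEN_PATH)
        resp = conn.getresponse()
        body = resp.read().decode(errors="replace")
    except ConnectionRefusedError:
        return "refused"   # a reset came back: packets arrive, nothing listens
    except socket.timeout:
        return "timeout"   # silently dropped somewhere on the path
    except (OSError, http.client.HTTPException):
        return "error"
    finally:
        conn.close()
    return "reached" if resp.status == 200 and body == TOKEN else "wrong-service"


if __name__ == "__main__":
    # serve PORT        -> run on the machine behind the router
    # probe HOST PORT   -> run on the tethered laptop
    if len(sys.argv) == 3 and sys.argv[1] == "serve":
        server = start_server(bind="0.0.0.0", port=int(sys.argv[2]))
        print("serving", TOKEN_PATH, "on port", server.server_address[1])
        try:
            threading.Event().wait()
        except KeyboardInterrupt:
            print("requests seen from:", sorted(set(server.seen)))
    elif len(sys.argv) == 4 and sys.argv[1] == "probe":
        print(probe(sys.argv[2], int(sys.argv[3])))
    else:
        sys.exit("usage: serve PORT | probe HOST PORT")
```

A "refused" result still shows that packets get through to something that answers, whereas "timeout" points at a drop somewhere along the path. Stop the server and remove the port forward once the test is done.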



Re: [Dorset] Internet Access Using Tethering

2020-06-20 Thread Terry Coles
On Saturday, 20 June 2020 15:21:40 BST Terry Coles wrote:
> What's the minimum needed to get something up on the Internet that would
> respond to a query of some kind?  I've looked at various Tutorials and they
> all seem to be a fair bit of work.  I have another Pi which could be used in
> place of the one running the two servers, so is there something quick and
> dirty just to do this test?

Also.  If I make a mistake installing this, I could end up with a double 
whammy.  ;-)

-- 
Terry Coles


Re: [Dorset] Internet Access Using Tethering

2020-06-20 Thread Terry Coles
On Saturday, 20 June 2020 14:48:50 BST Patrick Wigmore wrote:
> Could you elaborate on what you mean by the Cert settings? Is that
> something to do with the VPN software? Which VPN software did you end
> up choosing anyway?! I don't remember you saying. :)

Yes.  The VPN Tools create a Cert Package which users then install on their 
device.

I decided to go with PiStrong (https://github.com/gitbls/pistrong) because 
PiVPN (a Pi installer for OpenVPN) stopped the Captive Portal working.

I'm beginning to regret this decision because it would appear that I have 
become the Beta Tester for the tool.  The developer is very kindly helping me, 
but he doesn't appear to have tested installing it on a machine that has no 
Domain name.  So I'm the guinea pig for all potential users who want to 
connect via their Router's WAN Address.

> I've heard of mobile networks faking ping responses for whatever
> reason. Maybe in hotspot mode it disables that "feature", or enables
> one that blocks all pings. Either way, I wouldn't trust the mobile
> network not to be tricking you with regard to pings.

I can ping everything else, just not my Home Router.

> Personally my next step would be to temporarily stick some relatively
> easy-to-configure server of some kind online via the home router. E.g.
> a web server serving a unique web page, and then try to connect to
> that via the phone hotspot. That would at least prove whether you can
> connect to the home router from the Hotspot, which seems to be your
> aim with pinging it.

I could try that, although I could end up doing a lot of work only to learn 
that there's nothing wrong.  I already have the Pi running the VPN Server and 
nginx, but the webserver is only accessible from the internal (private) 
network.

What's the minimum needed to get something up on the Internet that would 
respond to a query of some kind?  I've looked at various Tutorials and they 
all seem to be a fair bit of work.  I have another Pi which could be used in 
place of the one running the two servers, so is there something quick and 
dirty just to do this test?

-- 
Terry Coles


Re: [Dorset] Internet Access Using Tethering

2020-06-20 Thread Patrick Wigmore
On Sat, 20 Jun 2020 10:53:14 +0100, Terry Coles wrote:
> I'm trying to test my Raspberry Pi VPN Server which is currently
> installed in my workroom.  It has Internet access on one side via
> my Home Router and access to my Pi network on the other.  I have
> successfully tested this setup from inside my home network using
> the IP Address of the server in the Cert settings, so I know the
> system basically works.

Could you elaborate on what you mean by the Cert settings? Is that 
something to do with the VPN software? Which VPN software did you end 
up choosing anyway?! I don't remember you saying. :)

> However, I can't ping my Home Router's WAN address.  If I disable
> the hotspot, I can ping it successfully from my Android phone.

I've heard of mobile networks faking ping responses for whatever 
reason. Maybe in hotspot mode it disables that "feature", or enables 
one that blocks all pings. Either way, I wouldn't trust the mobile 
network not to be tricking you with regard to pings.

Personally my next step would be to temporarily stick some relatively 
easy-to-configure server of some kind online via the home router. E.g. 
a web server serving a unique web page, and then try to connect to 
that via the phone hotspot. That would at least prove whether you can 
connect to the home router from the Hotspot, which seems to be your 
aim with pinging it.

Patrick



Re: [Dorset] Internet Access Using Tethering

2020-06-20 Thread Terry Coles
On Saturday, 20 June 2020 13:49:10 BST Hamish McIntyre-Bhatty wrote:
> The only thing I know related to this is that Android devices sometimes
> have a bug where you have to run a shell command on them to get
> tethering working (I did on mine), but clearly that's not the problem
> you're having seeing as general internet access is working.

I don't have a problem with normal internetty things.

> Ignoring the ping, can you connect to the VPN server through the router?

How would I do that?  At the moment, I have no certainty that the generation 
of the Cert pack is working correctly and the WAN Address of the Home Router 
is wrapped up in that.  I have set up Port Forwarding on the Router with the 
specified ports but nothing shows up in the log when I try to connect.

However.  I have seen entries being forwarded to the VPN Server's IP Address 
when I wasn't actually trying to connect.  I'm assuming that they came from 
some kind of port scanner that knows which ports to look out for.  It wouldn't 
have done them any good, because the server wasn't running at the time.

-- 
Terry Coles


Re: [Dorset] Internet Access Using Tethering

2020-06-20 Thread Hamish McIntyre-Bhatty
The only thing I know related to this is that Android devices sometimes
have a bug where you have to run a shell command on them to get
tethering working (I did on mine), but clearly that's not the problem
you're having seeing as general internet access is working.

Ignoring the ping, can you connect to the VPN server through the router?

Hamish





Re: [Dorset] Internet Access Using Tethering

2020-06-20 Thread Terry Coles
On Saturday, 20 June 2020 13:12:42 BST PeterMerchant wrote:
> I don't know who 8.8.8.8 is,

That is one of Google's DNS Servers.

> but can you 'ping google.com' or nasa.com?

Yes and yes.  Actually pinging the Fully Qualified Domain name of the site, 
simply shows that the DNS Server is accessible as well as the IP Address that 
it resolves to.

Pinging 8.8.8.8 directly cuts out the middle man.


-- 
Terry Coles


Re: [Dorset] Internet Access Using Tethering

2020-06-20 Thread PeterMerchant

On 20/06/2020 10:53, Terry Coles wrote:
> Hi,
>
> I've got something going on that I don't understand (this is normal I hear
> you saying).
>
> I'm trying to test my Raspberry Pi VPN Server which is currently installed in
> my workroom.  It has Internet access on one side via my Home Router and access
> to my Pi network on the other.  I have successfully tested this setup from
> inside my home network using the IP Address of the server in the Cert
> settings, so I know the system basically works.
>
> So now I need to test it from outside my home network and to do this I have
> set up my Android phone as a hotspot and connected my Kubuntu laptop to it.
> Unfortunately, I can't get the connection to work (I have changed the settings
> to point at my Home Router's WAN address instead of the server's IP Address on
> the home network).
>
> When I connect to the hotspot I can:
> 1.  Browse the web.
>
> 2. Read back my public IP Address by typing what is my IP Address in Google.
>
> 3. Ping 8.8.8.8.
>
> However, I can't ping my Home Router's WAN address.  If I disable the hotspot,
> I can ping it successfully from my Android phone.
>
> What am I missing here?  As far as I can see there is nothing in the Router's
> config to make it reject ping requests (or connections) from certain sources,
> although it perhaps does that by default and I'm chasing the wrong issue.


I don't know who 8.8.8.8 is,

but can you 'ping google.com' or nasa.com?

P.




Re: [Dorset] Internet Access Using Tethering

2020-06-20 Thread Terry Coles
On Saturday, 20 June 2020 11:04:30 BST Terry Coles wrote:
> I don't know why but I can no longer ping the Home Router from my Android
> Phone.  I was sure that it had worked earlier, but must have been mistaken.

Ignore this.  I had still got tethering enabled. 

If I disable tethering, but don't connect to my home WiFi, I can ping my Home 
Router's WAN Address.

So why can't I do it from the tethered laptop?

-- 
Terry Coles


Re: [Dorset] Internet Access Using Tethering

2020-06-20 Thread Terry Coles
On Saturday, 20 June 2020 10:53:14 BST Terry Coles wrote:
> However, I can't ping my Home Router's WAN address.  If I disable the
> hotspot, I can ping it successfully from my Android phone.

I don't know why but I can no longer ping the Home Router from my Android 
Phone.  I was sure that it had worked earlier, but must have been mistaken.

Also I've just stumbled across a posting in an ISP's forum from a user who had 
the same problem and was told that Routers normally reject pings.

So the question becomes, how can I check that my Router is receiving the 
packets (or the VPN Server is sending them to the right place).  I know I 
could install wireshark, but is there a quicker/simpler way?

-- 
Terry Coles


[Dorset] Internet Access Using Tethering

2020-06-20 Thread Terry Coles
Hi,

I've got something going on that I don't understand (this is normal I hear 
you saying).

I'm trying to test my Raspberry Pi VPN Server which is currently installed in 
my workroom.  It has Internet access on one side via my Home Router and access 
to my Pi network on the other.  I have successfully tested this setup from 
inside my home network using the IP Address of the server in the Cert 
settings, so I know the system basically works.

So now I need to test it from outside my home network and to do this I have 
set up my Android phone as a hotspot and connected my Kubuntu laptop to it.  
Unfortunately, I can't get the connection to work (I have changed the settings 
to point at my Home Router's WAN address instead of the server's IP Address on 
the home network).

When I connect to the hotspot I can:
1.  Browse the web.

2. Read back my public IP Address by typing what is my IP Address in Google.

3. Ping 8.8.8.8.

However, I can't ping my Home Router's WAN address.  If I disable the hotspot, 
I can ping it successfully from my Android phone.

What am I missing here?  As far as I can see there is nothing in the Router's 
config to make it reject ping requests (or connections) from certain sources, 
although it perhaps does that by default and I'm chasing the wrong issue.

-- 
Terry Coles