Re: [Dorset] Using macvlan to increase Ethernet Ports
On Saturday, 6 June 2020 17:52:50 BST Ralph Corderoy wrote:
> As I think you suggested earlier, another option is an extra Pi with two
> network interfaces. One on the office LAN and the other on the Pi
> network. It would run WireGuard. The office router would port-forward
> to it.

I asked if that was the only way forward when I first posted to the Raspberry Pi Forum and my helpful user said 'Methinks you'd need a better excuse than that to buy a new Pi.' :-)

He claims that he got it working, but from the things that he said, I suspect he was using the Pi as a WiFi AP, instead of having two Ethernet ports. He also installed PiVPN and then nodogsplash, so that may have a bearing. Unfortunately he's gone quiet since Thursday.

I can scrape together another Pi and USB / Ethernet Adaptor, but I'll have to scrabble around in my drawers for an SD Card, since I have no new ones left. Then the on-site volunteer will have to install it somehow. I'll keep at it for a day or two before I resort to that.

--
Terry Coles

--
Next meeting: Online, Jitsi, Tuesday, 2020-07-07 20:00
Check to whom you are replying
Meetings, mailing list, IRC, ... http://dorset.lug.org.uk
New thread, don't hijack: mailto:dorset@mailman.lug.org.uk
Re: [Dorset] Using macvlan to increase Ethernet Ports
Hi Terry,

> > > I'm not sure I fully understand nodogsplash, but I understood
> > > enough 2-3 years ago to get the functionality I wanted. I want to
> > > retain that functionality and also have the VPN.
> >
> > Which may not be possible.
>
> Well. If it's not possible, I need to find out ASAP so that we can
> think of another solution; (lending the on-site volunteer a configured
> laptop perhaps),

As I think you suggested earlier, another option is an extra Pi with two network interfaces. One on the office LAN and the other on the Pi network. It would run WireGuard. The office router would port-forward to it.

--
Cheers, Ralph.
Re: [Dorset] Using macvlan to increase Ethernet Ports
On Saturday, 6 June 2020 17:02:11 BST Ralph Corderoy wrote:
> > I'm not sure I fully understand nodogsplash, but I understood enough
> > 2-3 years ago to get the functionality I wanted. I want to retain
> > that functionality and also have the VPN.
>
> Which may not be possible.

Well. If it's not possible, I need to find out ASAP so that we can think of another solution; (lending the on-site volunteer a configured laptop perhaps), so he can do the things that I used to do. It's far from ideal because rolling out updated software would require many SD Cards to be delivered to WMT and substituted. Then, if the new code doesn't work, the on-site volunteer wouldn't have much chance of debugging it.

> Sorry, I've no idea. On your duplicate test rig, I'd disable
> nodogsplash and get other things working, e.g. a reverse-forwarding SSH

I have disabled nodogsplash (and flushed iptables) but I can't get it working when I restart it even with Open VPN (PiVPN) uninstalled. I'm going to have to start again and get VPN working first, as you suggest, and then add nodogsplash afterwards. I have a backup of the SD Card with nodogsplash working, but I neglected to take a backup of the basic Webserver, without nodogsplash installed. Unless I can diagnose this, I'll have to rebuild the SD Card from a clean install of the OS.

That's why I wanted to try some kind of VLAN; to avoid having to start from scratch if iptables was the problem. (I thought that creating virtual interfaces would be a quick way to prove that the firewall was or wasn't the issue. Clearly it's not going to be quick. ;-( )

Maybe the problem isn't iptables and nodogsplash is being affected by something else in OpenVPN, even after the PiVPN code has been uninstalled. Maybe I should try to find out why nodogsplash doesn't work some other way, although I'm not sure how.

> client and WireGuard. (I think I noticed PiVPN supports WireGuard.)
> Then, with two sets of working configurations, I'd try and get both
> going at once, being sure to limit the bits of the network each treats
> as theirs. If there's a conflict then that might be the time to
> complicate things further by adding virtual network devices, having
> understood the nature of the conflict.

If I had two sets of working configurations, then I wouldn't have a problem :-)

Re-reading what you said, I think you mean start with Open VPN and no nodogsplash, dump the iptables config to disc, then uninstall / disable OpenVPN and do the same with nodogsplash running. The trouble is I might have to do a complete reinstall from scratch between each iteration if I can't find out why nodogsplash breaks.

--
Terry Coles
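The stage-by-stage comparison Terry describes here (dump the iptables config to disc at each step) and Ralph's earlier suggestion to study iptables(8) at various stages can be made mechanical. This is an added example, not code from the thread: it takes labelled iptables-save snapshots and diffs them after stripping timestamps and counters. The two rulesets it ships with are constructed samples with placeholder chain names, not captures from the WMT Pi, and the wlan0 overlap in the second one is illustrative.

```shell
#!/bin/sh
# Snapshot the live ruleset under a stage label, e.g.
#   ipt_snapshot 1-clean; ipt_snapshot 2-portal-only; ipt_snapshot 3-portal+vpn
# Needs root; the constructed samples further down stand in for it here.
ipt_snapshot() {
    dir=${2:-/var/tmp/ipt-stages}
    mkdir -p "$dir" && iptables-save > "$dir/$1.rules" && echo "$dir/$1.rules"
}

# Strip what differs between two dumps of the same rules: the timestamped
# '# Generated by'/'# Completed' comments and packet/byte counters.
# Rule order is kept because order is part of iptables semantics.
ipt_normalise() {
    sed -e '/^#/d' -e 's/^\[[0-9]*:[0-9]*\] *//' -e 's/ \[[0-9]*:[0-9]*\]$//' \
        -e 's/ -c [0-9][0-9]* [0-9][0-9]*//' "$1"
}

# Unified diff of two stage snapshots: '+' lines are rules the later stage
# added, '-' lines rules it removed. Returns 0 if identical, 1 if not.
ipt_diff() {
    a=$(mktemp) && b=$(mktemp) || return 2
    ipt_normalise "$1" > "$a"
    ipt_normalise "$2" > "$b"
    if diff -u -L "$1" -L "$2" "$a" "$b"; then rc=0; else rc=1; fi
    rm -f "$a" "$b"
    return $rc
}

# Number of rules naming an interface as -i or -o: a quick check on whether
# a stage touched an interface that belongs to the other service.
ipt_rules_for_iface() {
    ipt_normalise "$1" | grep -c -E -- "^-A .*-[io] $2( |\$)" || true
}

# Constructed sample: captive portal alone, guarding wlan0 (chain name and
# rules are placeholders, not nodogsplash's real ones).
sample_stage_portal() {
    cat <<'EOF'
# Generated by iptables-save v1.8.2 on Sat Jun  6 15:00:00 2020
*filter
:INPUT ACCEPT [7:560]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:PORTAL - [0:0]
-A FORWARD -i wlan0 -j PORTAL
-A PORTAL -p tcp -m tcp --dport 80 -j REJECT --reject-with tcp-reset
COMMIT
# Completed on Sat Jun  6 15:00:00 2020
EOF
}

# Constructed sample: same box after a VPN install. Besides its own tun0 and
# NAT rules it has put a wlan0 ACCEPT ahead of the PORTAL jump, the kind of
# overlap Ralph suspects; the diff makes that one line stand out.
sample_stage_portal_vpn() {
    cat <<'EOF'
# Generated by iptables-save v1.8.2 on Sat Jun  6 15:30:00 2020
*nat
:PREROUTING ACCEPT [3:210]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth1 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [12:840]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:PORTAL - [0:0]
-A INPUT -i eth1 -p udp -m udp --dport 1194 -j ACCEPT
-A FORWARD -i tun0 -j ACCEPT
-A FORWARD -i wlan0 -o eth1 -j ACCEPT
-A FORWARD -i wlan0 -j PORTAL
-A PORTAL -p tcp -m tcp --dport 80 -j REJECT --reject-with tcp-reset
COMMIT
# Completed on Sat Jun  6 15:30:00 2020
EOF
}
```

Running `ipt_diff` on the two samples prints only the MASQUERADE, tun0, port 1194 and wlan0 lines as additions, and `ipt_rules_for_iface <snapshot> wlan0` going from 1 to 2 between stages is the signal that the VPN stage touched the portal's interface.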
Re: [Dorset] Using macvlan to increase Ethernet Ports
Hi Terry,

> I'm not sure I fully understand nodogsplash, but I understood enough
> 2-3 years ago to get the functionality I wanted. I want to retain
> that functionality and also have the VPN.

Which may not be possible. A quick read of https://nodogsplashdocs.readthedocs.io/en/stable/howitworks.html suggests it's only concerned with controlling the incoming local interface, i.e. the Pi's Wi-Fi, so I'm surprised it hampers a VPN. Perhaps it's the VPN which thinks it too has to look after the Wi-Fi interface and causes the interference. Careful study of the iptables(8) at various stages may show what changes occur.

> > The bottom line: Can macvlan interfaces be used in this instance?
...
> Would this be the way to go?

Sorry, I've no idea. On your duplicate test rig, I'd disable nodogsplash and get other things working, e.g. a reverse-forwarding SSH client and WireGuard. (I think I noticed PiVPN supports WireGuard.) Then, with two sets of working configurations, I'd try and get both going at once, being sure to limit the bits of the network each treats as theirs. If there's a conflict then that might be the time to complicate things further by adding virtual network devices, having understood the nature of the conflict.

--
Cheers, Ralph.
Re: [Dorset] Using macvlan to increase Ethernet Ports
On Saturday, 6 June 2020 15:00:14 BST Ralph Corderoy wrote:
> If you understand the method nodogsplash uses for control and want to
> get something working alongside it, whether SSH, OpenVPN, or WireGuard,

I'm not sure I fully understand nodogsplash, but I understood enough 2-3 years ago to get the functionality I wanted. I want to retain that functionality and also have the VPN.

> then
> https://developers.redhat.com/blog/2018/10/22/introduction-to-linux-interfaces-for-virtual-networking/
> might be useful in understanding all the terms and what they provide.

That's certainly a useful site. Going back to my original question:

> > Another option could be to use macvlan interfaces. Very much like an extra
> > physical interface, does not require special router support, but cannot be
> > added to a bridge. (you can however build a macvlan interface off a bridge
> > interface.)
> >
> > root@sun:~# for i in 0 1; do ip l add mcv$i address b8:27:eb:0$i:1$i:2$i link eth0 type macvlan mode private; done
> > root@sun:~# ip r
> > default via 172.17.0.1 dev eth0 src 172.17.255.10 metric 202
> > default via 172.17.0.1 dev mcv0 proto dhcp src 172.17.255.241 metric 205
> > default via 172.17.0.1 dev mcv1 proto dhcp src 172.17.255.92 metric 206
> > 10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1
> > 169.254.0.0/16 dev eth0.314 scope link src 169.254.94.218 metric 204
> > 172.17.0.0/16 dev eth0 proto dhcp scope link src 172.17.255.10 metric 202
> > 172.17.0.0/16 dev mcv0 proto dhcp scope link src 172.17.255.241 metric 205
> > 172.17.0.0/16 dev mcv1 proto dhcp scope link src 172.17.255.92 metric 206
> >
>
> Before I try this out, I'm going to need to understand more about what is
> going on. In particular, what does his line "but cannot be added to a
> bridge. (you can however build a macvlan interface off a bridge
> interface.)" mean?
>
> The bottom line: Can macvlan interfaces be used in this instance?

Looking at your link, the example code given there looks nothing like the example code given by my helpful user on the Raspberry Pi Forums as above. At https://developers.redhat.com/blog/2018/10/22/introduction-to-linux-interfaces-for-virtual-networking/ the example code is:

# ip link add macvlan1 link eth0 type macvlan mode bridge
# ip link add macvlan2 link eth0 type macvlan mode bridge
# ip netns add net1
# ip netns add net2
# ip link set macvlan1 netns net1
# ip link set macvlan2 netns net2

I'm assuming that I would need something like:

# ip link add macvlan1 link eth0 type macvlan mode private
# ip link add macvlan2 link eth1 type macvlan mode private
# ip netns add net1
# ip netns add net2
# ip link set macvlan1 netns net1
# ip link set macvlan2 netns net2

Would this be the way to go?

--
Terry Coles
Re: [Dorset] Using macvlan to increase Ethernet Ports
Hi Terry,

> If I can get this working with my simulated WMT network here in my
> home, then the on-site volunteer should only have to set up port
> forwarding on the Office Router. Surely he'd have to do that anyway,
> whether we used VPN or SSH ultimately?

Ultimately, but if the r-r Pi is allowed to the Internet by the existing router configuration then the SSH reverse tunnel works before changing the router. Even if you have VPN and router-changes working, you might still want to have it running as a backup access method.

> The 'simulated WMT network' is a physical representation of the real
> network at WMT, so I have an RPi3 with the Webserver software on it
> (and ultimately the VPN if I can get it to co-exist with nodogsplash).

If you understand the method nodogsplash uses for control and want to get something working alongside it, whether SSH, OpenVPN, or WireGuard, then https://developers.redhat.com/blog/2018/10/22/introduction-to-linux-interfaces-for-virtual-networking/ might be useful in understanding all the terms and what they provide.

--
Cheers, Ralph.
Re: [Dorset] Using macvlan to increase Ethernet Ports
On Saturday, 6 June 2020 13:40:26 BST Ralph Corderoy wrote:
> Getting this all working whilst talking someone else through the
> experimentation and typing sounds hard.

If I can get this working with my simulated WMT network here in my home, then the on-site volunteer should only have to set up port forwarding on the Office Router. Surely he'd have to do that anyway, whether we used VPN or SSH ultimately?

The 'simulated WMT network' is a physical representation of the real network at WMT, so I have an RPi3 with the Webserver software on it (and ultimately the VPN if I can get it to co-exist with nodogsplash). On the eth0 side of the RPi3 I have several actual Pi-based devices that are simply spares of the ones installed at WMT, e.g. a Gate Valve and a Sensor and Control Assembly which connects to the measurement probes. In this setup eth0 is connected to the devices and eth1 is connected to my home Router.

Before I ask the on-site volunteer to do anything, I'll get this lot working here and test it by getting the on-site volunteer and others to log in to the Pi network. I will then simply pass the (fully backed-up) SD Card to the on-site volunteer who will substitute it for the one currently in the on-site RPi3 and then configure the Office Router. Only the latter activity should need hand-holding.

> I'd start by having autossh(1) on the r-r Pi maintain a SSH connection
> from r-r Pi through the office router to an Internet SSH server, which
> may be in your home. The Pi's user account would have a private key
> with the matching public key installed on the server so no password is
> required. The password option should also be forbidden on the server.
>
> The Pi's .ssh/config would use RemoteForward to forward connections made
> to a port on the server back across the established SSH connection where
> they'd pop out to the Pi's SSH server's port. Thus you'd have SSH
> access to the Pi if you have access to the server and this allows
> further experimentation, though there's always a risk what you do will
> break everything. A second Pi acting as the SSH tunnel and future VPN
> would avoid co-existing with nodogsplash.

Is this instead of VPN or both together? Until I go in, I would have to rely on the on-site volunteer to install and integrate the second Pi. That's a bit more than the tasks that I have in mind for him at the moment.

--
Terry Coles
Re: [Dorset] Using macvlan to increase Ethernet Ports
Hi Terry,

> > Who configures the office router?
>
> Currently no-one, other than the ISP. The only volunteer who is an
> ex-engineer and has physical access to the site will do whatever is
> necessary on site. However, he is a hardware engineer and so will
> need some virtual hand-holding from those of us who are stuck at
> home.

Getting this all working whilst talking someone else through the experimentation and typing sounds hard.

I'd start by having autossh(1) on the r-r Pi maintain a SSH connection from r-r Pi through the office router to an Internet SSH server, which may be in your home. The Pi's user account would have a private key with the matching public key installed on the server so no password is required. The password option should also be forbidden on the server.

The Pi's .ssh/config would use RemoteForward to forward connections made to a port on the server back across the established SSH connection where they'd pop out to the Pi's SSH server's port. Thus you'd have SSH access to the Pi if you have access to the server and this allows further experimentation, though there's always a risk what you do will break everything. A second Pi acting as the SSH tunnel and future VPN would avoid co-existing with nodogsplash.

--
Cheers, Ralph.
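The autossh and RemoteForward arrangement Ralph describes, written out as an added example (not code from the thread or from any of the participants): the Pi's ~/.ssh/config stanza, and a check that the home server's sshd really does refuse passwords and keep key authentication on. The hostname home.example.net, the user pitunnel, the key path and port 2222 are assumed placeholders.

```shell
#!/bin/sh
# Client side (the r-r Pi). With this stanza in ~/.ssh/config, autossh keeps
# the tunnel up with:   autossh -M 0 -N -f homeserver
# (-M 0 turns off autossh's own echo port; the ServerAlive* options make ssh
# itself exit on a dead link, and autossh then reconnects.)
pi_ssh_config() {
    cat <<'EOF'
Host homeserver
    HostName home.example.net
    User pitunnel
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes
    # Connections to 127.0.0.1:2222 on the server travel back down the
    # tunnel and reach the Pi's own sshd on port 22. Binding to loopback
    # keeps the port off the server's public interfaces.
    RemoteForward 127.0.0.1:2222 localhost:22
    # Exit (so autossh reconnects) rather than run without the forward.
    ExitOnForwardFailure yes
    ServerAliveInterval 30
    ServerAliveCountMax 3
EOF
}

# Server side: effective value of one sshd_config keyword, lower-cased.
# sshd uses the FIRST occurrence of a keyword, and settings after a Match
# line are conditional, so parsing stops there rather than letting a
# per-user override pose as the global value. Only the whitespace-separated
# "Keyword value" form is handled.
#   sshd_effective <file> <keyword> <compiled-in default>
sshd_effective() {
    awk -v key="$2" -v def="$3" '
        { sub(/#.*/, "") }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) && !seen { print tolower($2); seen = 1 }
        END { if (!seen) print def }
    ' "$1"
}

# Return 0 when the server accepts keys and refuses password and
# keyboard-interactive logins, 1 otherwise, naming the first offending
# setting. Defaults are OpenSSH's compiled-in ones, so a keyword missing
# from the file is judged as sshd would judge it; the older
# ChallengeResponseAuthentication spelling is taken as the default for
# KbdInteractiveAuthentication.
sshd_key_only() {
    pw=$(sshd_effective "$1" PasswordAuthentication yes)
    pk=$(sshd_effective "$1" PubkeyAuthentication yes)
    cr=$(sshd_effective "$1" ChallengeResponseAuthentication yes)
    kb=$(sshd_effective "$1" KbdInteractiveAuthentication "$cr")
    if [ "$pw" != no ]; then echo "PasswordAuthentication is $pw, want no"; return 1; fi
    if [ "$kb" != no ]; then echo "KbdInteractiveAuthentication is $kb, want no"; return 1; fi
    if [ "$pk" != yes ]; then echo "PubkeyAuthentication is $pk, want yes"; return 1; fi
    echo "ok: $1 permits key-only authentication"
}
```

Running `sshd_key_only /etc/ssh/sshd_config` on the home server before the Pi is deployed confirms the "password option forbidden" part of the plan; a file that never mentions PasswordAuthentication fails the check, because sshd's default is yes.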
Re: [Dorset] Using macvlan to increase Ethernet Ports
On Saturday, 6 June 2020 12:52:14 BST Ralph Corderoy wrote:
> Clearly, the office computers are exposed to the Internet. :-)

Yes. But only in the same way as any computer on a network connected to an ADSL Router. Currently no incoming connections are allowed.

> Does WMT's office router have a static IP address when viewed from the
> Internet?

No. We will be using DDNS.

> Can an office computer reach a river-system Pi, i.e. does the
> railway-room's Pi route packets between eth1 and eth0?

No.

> The office router probably provides a VPN. Perhaps it can be configured
> so only the railway-room Pi and beyond is accessible, especially if they
> have a different private network address than the office.

The Office Router is a consumer grade device and doesn't provide VPN. In any case the Trustees are very sensitive to anything that might open up the Office computers to being hacked. We had to assure them that the VPN Server would only route between the Office Router and the Pis, hence it needs to have two ethernet ports so that data isn't routed back onto the Office network (as simple OpenVPN installations seem to do).

> Who configures the office router?

Currently no-one, other than the ISP. The only volunteer who is an ex-engineer and has physical access to the site will do whatever is necessary on site. However, he is a hardware engineer and so will need some virtual hand-holding from those of us who are stuck at home.

> How are you expecting a VPN to work? A home user will contact WMT's
> static IP address on a particular port, expecting the office-router to
> forward those packets to r-r Pi? The same would be required for SSH
> access. Does r-r's Pi SSH server currently listen on both eth0 and eth1
> interfaces?

It only listens to eth0.

The problem we have is that none of the Trustees are technical. They have no idea what SSH is, but they are aware of VPN (probably as much as anything else because lots of companies charge big bucks for setting up VPN servers for businesses :-) ). It's a bit like the companies who only bought from IBM 50 years ago, because they knew about them. We might be able to make a case for using SSH; we certainly don't need more, but we have approval to install VPN, so I'd like to get it working if possible.

--
Terry Coles
Re: [Dorset] Using macvlan to increase Ethernet Ports
Hi Terry,

More questions, including based on your reply to me in the other branch of the thread.

> The Trustees are very concerned that machines in the Office are not
> exposed to the Internet.
>
> This link shows the setup:
>
> https://wmtprojectsforum.altervista.org/forum/viewtopic.php?p=3502#p3502

Clearly, the office computers are exposed to the Internet. :-)

Does WMT's office router have a static IP address when viewed from the Internet?

Can an office computer reach a river-system Pi, i.e. does the railway-room's Pi route packets between eth1 and eth0?

The office router probably provides a VPN. Perhaps it can be configured so only the railway-room Pi and beyond is accessible, especially if they have a different private network address than the office.

Who configures the office router?

How are you expecting a VPN to work? A home user will contact WMT's static IP address on a particular port, expecting the office-router to forward those packets to r-r Pi? The same would be required for SSH access. Does r-r's Pi SSH server currently listen on both eth0 and eth1 interfaces?

--
Cheers, Ralph.
Re: [Dorset] Using macvlan to increase Ethernet Ports
On Saturday, 6 June 2020 12:24:14 BST Ralph Corderoy wrote:
> You've a main Pi at WMT which is the one running nodogsplash.
> It's connected to the Internet, but nodogsplash blocks
> Internet access for local Wi-Fi users once Android has seen just enough
> of the world.

Correct.

> Do you currently allow SSH access to that Pi? Would this be sufficient,
> e.g. to ‘download the measurement results’. If not, what requirements
> do you have as a home user which you think SSH doesn't meet?

Only from inside on the Private network. I can't SSH into the WMT.

> Is that Pi the only machine available at WMT to aid access from
> authorised users at home?

It's the only one connected directly to the Internet, apart from the machines in the Office (see my previous post to Keith).

> For a VPN, if that's really what's required, I'd start by considering
> https://www.wireguard.com rather than OpenVPN.

See the link I provided earlier to the WMT Forum :-)

I think maybe I did my usual trick of providing too much information :-) I need to install a VPN Server on site, I already have a Pi connected to the Internet, but Open VPN appears to prevent nodogsplash working. My suspicion is that this is something to do with iptables rules applied by both pieces of software. If I could set up a vlan on each physical interface I could perhaps test that. I just want to understand if a macvlan will allow me to do this.

--
Terry Coles
Re: [Dorset] Using macvlan to increase Ethernet Ports
On Saturday, 6 June 2020 12:16:57 BST Keith Edmunds wrote:
> So you need remote access to Raspberry Pi.

To about 20 Pis actually :-)

> If you have fixed IP addresses at home, ssh that is firewalled to those
> addresses is easiest.
>
> If you don't have fixed IP addresses, ssh access authenticated only by
> keys is easy once set up. If you'd like help with that, what operating
> systems will the remote accessors be using?

We can't use anything like that; the requirement is to install VPN because the route to the Pis is via the Office network. The Trustees are very concerned that machines in the Office are not exposed to the Internet.

This link shows the setup:

https://wmtprojectsforum.altervista.org/forum/viewtopic.php?p=3502#p3502

> The link you provided goes to the index of a forum, so it's not clear to
> me which VPN software you have been trying. If you do go down the VPN
> route, in my experience OpenVPN is relatively easy to set up, is secure,
> and it's supported on Windows, Linux, OSX, Android (don't know about
> iPhone, never used one).

Yes I provided that link rather than detail all the things that I had done so far :-) I have been using PiVPN which is a script to automate the installation of OpenVPN on a Pi. I have been able to install it OK, but it stops nodogsplash working, hence the query about setting up macvlans.

> Happy to help more, but I would urge "keep it simple".

There are constraints that prevent too much KISS at the moment. If I could go in, I could temporarily install another Pi to run the VPN Server on. If I could go in...

--
Terry Coles
Re: [Dorset] Using macvlan to increase Ethernet Ports
Hi Terry,

> We are stuck at home and the Raspberry Pi network is at WMT.
> We haven't yet finished the development of the software running in the
> Pis in the network (they are monitoring water levels in butts
> supplying the model river), plus we can't download the measurement
> results from the SD Cards.
>
> So we need to be able to do those activities from here instead of
> going into WMT once or twice a week.

You've a main Pi at WMT which is the one running nodogsplash. It's connected to the Internet, but nodogsplash blocks Internet access for local Wi-Fi users once Android has seen just enough of the world.

Do you currently allow SSH access to that Pi? Would this be sufficient, e.g. to ‘download the measurement results’. If not, what requirements do you have as a home user which you think SSH doesn't meet?

Is that Pi the only machine available at WMT to aid access from authorised users at home?

For a VPN, if that's really what's required, I'd start by considering https://www.wireguard.com rather than OpenVPN.

--
Cheers, Ralph.
Re: [Dorset] Using macvlan to increase Ethernet Ports
So you need remote access to Raspberry Pi.

If you have fixed IP addresses at home, ssh that is firewalled to those addresses is easiest.

If you don't have fixed IP addresses, ssh access authenticated only by keys is easy once set up. If you'd like help with that, what operating systems will the remote accessors be using?

The link you provided goes to the index of a forum, so it's not clear to me which VPN software you have been trying. If you do go down the VPN route, in my experience OpenVPN is relatively easy to set up, is secure, and it's supported on Windows, Linux, OSX, Android (don't know about iPhone, never used one).

Happy to help more, but I would urge "keep it simple".

--
Linux Tips: https://www.tiger-computing.co.uk/category/techtips/
Re: [Dorset] Using macvlan to increase Ethernet Ports
On Saturday, 6 June 2020 11:56:32 BST Keith Edmunds wrote:
> Terry, rewind. You've decided you need a VPN, but the VPN is to achieve
> something. Define clearly what that something is.
>
> What are you trying to achieve?

We are stuck at home and the Raspberry Pi network is at WMT. We haven't yet finished the development of the software running in the Pis in the network (they are monitoring water levels in butts supplying the model river), plus we can't download the measurement results from the SD Cards.

So we need to be able to do those activities from here instead of going into WMT once or twice a week.

--
Terry Coles
Re: [Dorset] Using macvlan to increase Ethernet Ports
Terry, rewind. You've decided you need a VPN, but the VPN is to achieve something. Define clearly what that something is.

What are you trying to achieve?

--
Linux Tips: https://www.tiger-computing.co.uk/category/techtips/