Info about back-tunnel here
S14 tunnel https://e2h.totalism.org/e2h.php?_=X-s14-net
local/ S14 machine
ssh tunnel@10.94.185.76 sudo openvpn --config /home/tunnel/client.conf
HOW TO START OPENVPN ON REBOOT?
https://www.smarthomebeginner.com/configure-openvpn-to-autostart-linux/
edit /etc/default/openvpn
Remove the ‘#' infront of ‘AUTOSTART=”all”‘ so that OpenVpn allows to start the .conf files
sudo systemctl enable openvpn-client@.service
sudo systemctl daemon-reload sudo systemctl restart openvpn-client@anarcha.service
sudo openvpn --config <client-name>.ovpn Initialization Sequence Completed
Run client openvpn as daemon in the background - see `man openvpn` for more options sudo openvpn --config <client-name>.ovpn --daemon
To stop the daemon: Find the daemon process pgrep -lf openvpn
Kill the process sudo kill <process number>
Run client openvpn in the foreground for troubleshooting the tunnel: sudo openvpn --config <client-name>.ovpn if your verbosity in the client conf file is set to 4, then stdout of the above command should end with Initialization Sequence Completed
Run client openvpn systemd unit file: Copy your client conf file to /etc/openvpn/client/ directory
in this way you can stop, start and check status of the vpn with the systemctl command: e.x if your client file is called myvpn.conf, then the command goes:
sudo systemctl start|stop|status openvpn-client@anarcha.service
(All system unit files are in /lib/systemd/system/)
Explanation: the system unit script is in /lib/systemctl/system/openvpn-client@.service whatever name you put between openvpn-client@ and .service is passed inside this unit file. This unit file which changes dir to /etc/openvpn/client and executes openvpn --config <name>.conf
Run server openvpn systemd unit file: sudo systemctl start|stop|status openvpn@server.service
Check tunnel is up sudo ifconfig ip addr show dev tun0 tun0 should appear
Ping from your pi the server's tun0 IP 10.8.0.1 ping 10.8.0.1 traceroute 10.8.0.1
From your pi run ifconfig and find your tun0 IP, let's say it's 10.8.0.10
Ping from the anarchaserver your pi_tunnel_ip
SSH to tunnel pi from anarchaserver (2 ways) 1. edit /root/.ssh/config and update the Hostname IP to match the one of the pi's tun0 (once pi gets a dns or a static IP we won't have to edit this config file) then do: ssh tunnel-pi 2. OR do: ssh tunnel@1.8.0.10 OK*
copy files
MOUNT HARD DRIVE tunnel@<pi_tunnel_ip>:/mnt/S14-backup tunnel@<pi_tunnel_ip>:/mntmeme_bak
STORAGE Mount disks
NAS http://water.local:5000/ sudo mount.cifs -o user=tunnel,password=*****,uid=1001,rw,vers=2.0 //10.94.185.9/web/anarcha /mnt/S14-backup /mnt/S14-backup
DISK sudo mount /dev/sda1 /mnt/meme_bak
HOW TO DO THAT IN STARTUP? add the above mount command in /etc/fstab (double check online tips) to tell where the storage device will be automatically mounted when the Raspberry Pi starts up. https://www.raspberrypi.org/documentation/configuration/external-storage.md
REF:
https://confluence.jaytaala.com/display/TKB/Mount+drive+in+linux+and+set+auto-mount+at+boot https://kwilson.io/blog/force-your-raspberry-pi-to-mount-an-external-usb-drive-every-time-it-starts-up/ https://raspberrypi.stackexchange.com/questions/46171/how-do-i-mount-my-nas
DISK
In the fstab file, the disk partition is identified by the universally unique identifier
sudo blkid
ADD UUID=a164f220-cc96-450f-aa4a-27849ed21d44 /mnt/meme_bak ext4 defaults,auto,users,rw,nofail 0 0
mount cloud NAS
ADD //10.94.185.9/web/anarcha /mnt/S14-backup cifs user=tunnel,password=****,uid=1001,rw,iocharset=utf8,vers=2.0 0 0
Next challenge
HOW TO REACH NAS water from the browser when tunnel is UP
Need to mount NAS water on startup with adding the mount command also in /etc/fstab
Register a domain name for the pi and either request from your internet provider a fixed IP
or run a script in pi to update the dns service reqularly with its dynamic public IP. (mara has done the latter with her pi)
install samba server on pi, or apache2, or nginx to serve content of the mounted disks
Edit the /etc/openvpn/server.conf to push traffic to pi IP subnet. (lines 134- 140)
The user's device which wants to reach pi or NAS via the browser, needs also to install openvpn and a client certificate
FIND tunnel pi IP when outside the house You need to know the CN in your certificate, Lookup the line starting with Subject: located in the file .cert or in the client conf if all keys and certs are bundled within. E.x Subject: C=SP, ST=Catalunya, L=Barcelona, O=AnarchaServer, OU=AnarchaServer, CN=FutureVintage/name=EasyRSA/emailAddress=anarchaserver@autistiche.org SSH to anarcha, and do: tail /var/log/openvpn.log search for the CN name, in our example FutureVintage, and check the IP In our example in openvpn.log it looks like:
Fri Feb 7 21:14:57 2020 us=535934 MULTI: Learn: 10.8.0.10 -> FutureVintage/5.135.58.235:50855
LATER Add local subnet to vpn https://openvpn.net/community-resources/how-to/#pki https://community.openvpn.net/openvpn/wiki/FAQ https://forums.openvpn.net/viewtopic.php?t=14358 https://openvpn.net/archive/openvpn-users/2007-09/msg00094.html
Enable two-way traffic client-server Reach OpenVPN clients directly from a private network https://openvpn.net/vpn-server-resources/reach-openvpn-clients-directly-from-a-private-network/