[tech] 4G backup administration now operational

James Arcus jimbo@ucc.asn.au
Wed Apr 22 21:26:47 AWST 2020


Good news!

After some amount of wrangling with Wireguard and the various firewalls 
involved, I can finally announce that the backup VPN to Murasoi is 
functional.

I have configured a site-to-site tunnel called `wg-backup` from Murasoi 
(assigned 192.168.5.2) to Cloud-Mooneye (assigned 192.168.5.1). The 
configuration is fairly straightforward, although I did most of it via 
interfaces(8) instead of wg-quick(8). Wireguard has a built-in method to 
tag its own packets for special treatment, so writing a policy to route 
it exclusively via 4G was a two-line configuration change.

Murasoi is also set to heartbeat every 30 seconds, to keep Cloud-Mooneye 
up to date on its latest public IP. Without that Wireguard only 
exchanges data on demand, and so the NAT mappings allowing the 
connection will likely disappear.

Wheel members can now gain administrative access to Murasoi via having a 
root key loaded into their SSH agent, and running something like 
`ssh -A -J root@cloud-mooneye.ucc.asn.au root@192.168.5.2`.

Warning: flaky 4G is slooooow... maybe there's somewhere in the clubroom 
with better signal?

Cheers,

James [MPT]

On 19/4/20 11:07 pm, dylanh333@ucc.asn.au wrote:
> Hi James,
>
> I think that seems pretty reasonable.
> Please keep track of what packages you install, commands you run, and 
> config changes you make, however, that way we know what needs to be 
> done if we need to rebuild cloud-mooneye.
> It'll also give us a starting point for getting such a VPN setup 
> automated via Ansible.
>
> Cheers,
> Dylan Hicks [333]
>
> On 19 Apr 2020 10:34 pm, James Arcus <jimbo@ucc.asn.au> wrote:
>
>     Hi all,
>
>     Good news: source-based routing is working. Any packet leaving
>     Murasoi sent from a 192.168.4.0/24 address gets directed out the
>     4G link via 192.168.4.1. So far that's only available to Murasoi
>     itself.
>
>     Unfortunately, the 4G link is on CGNAT (i.e. doesn't even have 1
>     public IPv4 address) and I can't manage to get inbound working via
>     IPv6 either. (Maybe it's filtered either by Telstra or the Netgear
>     modem?) Either way, looks like we'll need an intermediary of some
>     kind.
>
>     What are people's thoughts on using cloud-mooneye for that
>     purpose? It's globally accessible and its reliability is untied to
>     uni. We could set up a Wireguard or other VPN site-to-site tunnel.
>
>     Cheers,
>
>     James [MPT]
>
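The `wg-backup` tunnel, the fwmark-based 4G-only policy route and the 30-second heartbeat James describes above, together with the source-based routing from 192.168.4.0/24 in the earlier quoted message, could look like the following on the Murasoi end. This is an added illustration, not the actual files from the thread: the modem interface name `wwan0`, the routing table name `4g`, the fwmark `0x4e`, the UDP port `51820` and the key placeholders are all assumptions.

```conf
# --- /etc/network/interfaces (Murasoi end), ifupdown stanza ---
# Assumed: the 4G modem is reachable on wwan0, a table named "4g" exists in
# /etc/iproute2/rt_tables, and fwmark 0x4e is not used by anything else.
auto wg-backup
iface wg-backup inet static
    address 192.168.5.2/24
    pre-up ip link add $IFACE type wireguard
    pre-up wg setconf $IFACE /etc/wireguard/$IFACE.conf
    # Default route for the 4G path lives in its own table...
    post-up ip route replace default via 192.168.4.1 dev wwan0 table 4g
    # ...used for Murasoi's own traffic sourced from 192.168.4.0/24...
    post-up ip rule add from 192.168.4.0/24 lookup 4g priority 100
    # ...and for WireGuard's encrypted UDP, selected by the FwMark below.
    post-up ip rule add fwmark 0x4e lookup 4g priority 101
    post-down ip rule del fwmark 0x4e lookup 4g priority 101
    post-down ip rule del from 192.168.4.0/24 lookup 4g priority 100
    post-down ip link del $IFACE

# --- /etc/wireguard/wg-backup.conf (Murasoi end, wg(8) setconf format) ---
[Interface]
PrivateKey = <MURASOI_PRIVATE_KEY_PLACEHOLDER>
# Tag outgoing encrypted packets so the fwmark rule above sends them via 4G.
FwMark = 0x4e

[Peer]
PublicKey = <CLOUD_MOONEYE_PUBLIC_KEY_PLACEHOLDER>
Endpoint = cloud-mooneye.ucc.asn.au:51820
# Only the far tunnel address is routed into the tunnel, nothing wider.
AllowedIPs = 192.168.5.1/32
# Heartbeat every 30 s: keeps the CGNAT mapping open and lets Cloud-Mooneye
# learn Murasoi's current public address (roaming endpoint).
PersistentKeepalive = 30

# --- ~/.ssh/config on a wheel member's machine ---
Host murasoi-backup
    HostName 192.168.5.2
    User root
    ProxyJump root@cloud-mooneye.ucc.asn.au
```

With ProxyJump the local client authenticates to both hops itself, so `-A` (forwarding the agent to Murasoi) is only needed if keys from the agent must be used from Murasoi onward; leaving it off keeps the root key out of reach of either remote host.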