access to relay boards via VPN - url-rewriting

I have a few 'smart' relay boards on different sites. These boards have an ethernet connection and are running a built-in web server on TCP 8080. I can access them from the local network and control them via a browser.
To control these boards remotely, I could assign them a fixed local IP address, open TCP port 8080 on my router and forward it to that address. But this is a risky thing to do, of course.
And I would have to do this on the different routers (from different ISPs) on each site and keep track of all these public IP addresses. (Via a dyndns service. Most routers are not VPN-enabled, afaik.)
Is there a better way using VPN-tunnels? I already have a Linux VPS running for other purposes and could install a Raspberry Pi on each location. All these Raspi's could connect to my VPS. And I would no longer need the dyndns.
Maybe, I could also find a way to map the URLs for the different relay boards to a more human-friendly form. Like this: http://myvps.domain.com/site2/relayboard3
How can I achieve this? I could install OpenVPN on the VPS server and the Raspberry Pi's (one for each site). But how do I have to configure this? VPS in the role as VPN server and Raspi's as VPN clients?
(I assume the gateway address from the relay boards has to change to the local address from the Raspberry.)
And do I need a VPN client on my Android phone to be able to browse to the relay boards or not?
What do I need to forward the http connections to the correct relay board? A proxy server?
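The forwarding part of this setup, as an added example that is not from the question or from any answer: a small path-rewriting reverse proxy in Python that maps friendly URLs such as /site2/relayboard3 onto the board's own web server on port 8080, reached through the VPN tunnels. The site names, the board LAN addresses and the VPS tunnel address 10.8.0.1 are constructed assumptions. The proxy listens only on the tunnel address, so the boards are never exposed to the public internet and the phone reaches them through its own VPN client; in production nginx does the same job with one `location` block per board.

```python
"""Added example (not from the question or answers): a minimal reverse proxy that
rewrites /<site>/<board>/... to the relay board's own HTTP server over the VPN."""
import re
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed mapping: friendly names -> board address as seen through the VPN tunnels.
# (Assumed LAN addresses; the Pi on each site routes its LAN into the tunnel.)
BOARDS = {
    ("site1", "relayboard1"): "192.168.1.50:8080",
    ("site2", "relayboard3"): "192.168.2.53:8080",
}

# Accepts /site2/relayboard3, /site2/relayboard3/relay?1=on, /site2/relayboard3?x=1
PATH_RE = re.compile(r"^/(?P<site>[a-z0-9-]+)/(?P<board>[a-z0-9-]+)(?P<rest>[/?].*)?$")


def rewrite(path):
    """Map a friendly request path to a backend URL, or None if it matches no board."""
    m = PATH_RE.match(path)
    if not m:
        return None
    backend = BOARDS.get((m["site"], m["board"]))
    if backend is None:
        return None
    rest = m["rest"] or "/"
    if rest.startswith("?"):          # query string directly after the board name
        rest = "/" + rest
    if ".." in rest:                  # do not forward path traversal attempts to the boards
        return None
    return f"http://{backend}{rest}"


class RelayProxy(BaseHTTPRequestHandler):
    """Forward GET/POST to the board selected by the path; everything else is 404."""

    def _forward(self):
        target = rewrite(self.path)
        if target is None:
            self.send_error(404, "unknown site/board")
            return
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else None
        req = urllib.request.Request(target, data=body, method=self.command)
        if self.headers.get("Content-Type"):
            req.add_header("Content-Type", self.headers["Content-Type"])
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                self._reply(resp.status, resp.headers.get("Content-Type"), resp.read())
        except urllib.error.HTTPError as e:       # board answered 4xx/5xx: pass it on
            self._reply(e.code, e.headers.get("Content-Type"), e.read())
        except (urllib.error.URLError, OSError):  # tunnel down or board offline
            self.send_error(502, "relay board unreachable")

    def _reply(self, status, ctype, data):
        self.send_response(status)
        self.send_header("Content-Type", ctype or "application/octet-stream")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    do_GET = _forward
    do_POST = _forward


if __name__ == "__main__":
    # Assumed: 10.8.0.1 is the VPS's address inside the OpenVPN tunnel, so only VPN
    # clients (the phone with its VPN app, the Pis) can reach the boards through it.
    ThreadingHTTPServer(("10.8.0.1", 80), RelayProxy).serve_forever()
```

On the OpenVPN side this assumes the VPS is the server and each Pi a client whose site LAN is announced to the server with an `iroute` entry in that client's client-config-dir file (for example `iroute 192.168.2.0 255.255.255.0` for the site2 Pi). The boards then either use the Pi as their gateway, as the question guesses, or the Pi masquerades traffic it forwards onto its LAN so the boards need no configuration change at all.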

Related

Add HTTPS to intranet server

I am using a Raspberry Pi 3 to host an internal server on my car's wi-fi network. What I would like is for those connected to my network in the car to be able to access an intranet page with a map and stats about the trip's length, speed, etc. I am using Mapbox's GL JS library but the geolocation services require a secure connection to function. Is there a way to ensure the connection between the intranet server (pi) and the user is secure so the location functionality can be enabled?
The short answer for your question will be that yes, you can install SSL on Raspberry Pi; use this link for that.
The long answer will be that you can't do that because you will have a problem with port 443 while enabling it on the firewall, and you will suffer with it more, but you may somehow find a solution here or here, I hope so.

Access a local machine from outside the LAN

Is there a way to access a machine from outside the LAN without port forwarding?
I have two scenarios in my current setup that port forwarding is complicating:
I have two FTP servers on the same router I want to access from outside
I want to Remote Control/Access files on Windows computers on the network
Right now, the first option is possible, but it needs reconfiguring the router, while the other one seems impossible outside the LAN.
Is there something like [global IP address]/[machine name] or [global IP address]/[Local IP address]?
We need more information. Are these addresses IPv4 RFC 1918 addresses, publicly routed addresses, or IPv6?
If they are in the RFC 1918 (10.x.x.x, 172.16.x.x, 192.168.x.x) address space then, simply, no. Those addresses are not publicly routed and therefore must be translated to a non-RFC 1918 address.
Otherwise, yes, you can.
If your servers should be available to the public - the answer will be "no".
If you plan to give a limited number of users (for example, only you) access to these servers, then you have some options:
Use SSH tunnels with, for example, PuTTY and set up a forwarding for each service you want to expose to your computer, and access it over localhost:port.
localhost:21001 --> 192.168.1.3:21 (FTP1)
localhost:21002 --> 192.168.1.4:21 (FTP2)
Advantage: you can set up your "port-forwardings" at the client side
Disadvantage: you need a router or another computer running the SSH server
Use a VPN (for example, OpenVPN, PPTP, etc.) to get access to your LAN from outside. Then you can act like you are in your LAN.
Advantages:
easy to use if setup properly
you can use almost every protocol
Disadvantage: need to set up a VPN service/gateway

Boost-ASIO simple echo client-server cannot establish connection?

I'm using BOOST-ASIO for a simple echo client-server (there is a separate link for the client and server). When I try to run the server I use this async_tcp_echo_server 4000. For the client I use blocking_tcp_echo_client #.#.#.# 4000 (with #.#.#.# as the ip address). I'm on XP-SP3 with my computer connected to my wireless dsl modem using a usb card. After a few seconds on the client side I get this error:
Exception: connect: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond
Any ideas what it could be? I turned off my firewall including the Windows firewall and still I get no response. Could my port be in the incorrect range? Do I need to include a computer name to specify the machine on the network (there are other machines on the network sometimes active)? I did try running this on another computer directly connected to the DSL modem and same issue. I did ping my address and that did work for 4/4 packets.
It could be a variety of issues. Thus, it can be worthwhile to use lower level networking tools, such as netcat to serve a port on the server, and try connecting with netcat from the client side. This can help simplify the problem by removing any potential problems introduced by an application's network programming code. If the problem is identified as being a network issue, then there are a few things to check:
Verify firewall exceptions on the server.
Verify firewall exceptions in the server's network gateway.
If the server and client are on different networks, with the client trying to connect to the server's external IP, then verify that the server's gateway knows what traffic to route to the server. This may require setting up rules, such as port forwarding, in the routing device.
If the server and client are on the same network, but the client is trying to connect to the server through the network's external IP, then verify that the gateway supports looping back internal traffic destined to the external IP.
Use a network analyzer tool, such as Wireshark, to verify that the time to live field in the packets is high enough that it will not be discarded.
You could try
$ telnet server-ip 4000
from your client and see if it is possible to establish the tcp connection.
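The lower-level check both answers suggest (netcat or telnet instead of the application), as an added example that is not the asker's Boost.Asio code: a connect probe in Python that tells a refused connection apart from a timed-out one, because the two point at different items in the checklist above. A refused connection means the host was reached and replied with a reset, so routing is fine and the problem is the listener or a REJECT rule; a timeout means nothing came back at all, which is what a DROP rule or a missing port-forward on the gateway looks like. Host and port are whatever you pass in; the self-check opens its own throwaway listener on 127.0.0.1.

```python
"""Added example (not the asker's Boost.Asio code): classify why a TCP connect fails."""
import socket

MEANING = {
    "open":        "host reachable and something is listening on the port",
    "refused":     "host reachable, RST came back: nothing listening, or a firewall REJECT rule",
    "timeout":     "no reply at all: packets dropped by a firewall, or routing/NAT never delivers them",
    "unreachable": "local network stack has no route to the host",
}


def probe_tcp(host, port, timeout=3.0):
    """Return one of the MEANING keys for a TCP connect to host:port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError:            # e.g. ENETUNREACH, EHOSTUNREACH
        return "unreachable"
    finally:
        s.close()


def self_check():
    """Probe a throwaway listener on loopback, then the same port after it is closed."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))          # kernel picks a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = probe_tcp("127.0.0.1", port)
    listener.close()
    after_close = probe_tcp("127.0.0.1", port)
    return while_open, after_close          # ("open", "refused") on a working stack


if __name__ == "__main__":
    import sys
    host, port = sys.argv[1], int(sys.argv[2])   # e.g. probe_tcp.py 192.168.1.10 4000
    result = probe_tcp(host, port)
    print(f"{host}:{port} -> {result}: {MEANING[result]}")
```

Run it first from the server itself against 127.0.0.1 (rules out the application), then from the client against the server's LAN address (rules out the host firewall), then against the external address (rules out the gateway); the first step that changes "open" into "timeout" is where the packets are being dropped.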

Ports with C++ Server/Client applications

If I create a C++ server/client application, does the port I use to communicate need to be open on the router of the server and client machine?
Or what other approach could I take? The client computer needs to receive information from the server, but I am not able to have any ports opened because it is on a school network....
[edit]
Hmm, my setup is a PHP page running on a server; say when I press hello, the server makes an SSH connection through PHP and sends shell commands to the machine. The server is running off of a school server which I do have SSH access to and run all my things from there. The client computer will be my PC running off of the school wifi which is not connected to the server. The server will try to make an SSH connection to the public IP of my computer running off of the school wifi (no ports open/can SSH out but no SSH in). Will these methods you mention make this possible, in particular connect.c, since I can't run PuTTY off of the server, and connect.c I could call from the PHP?
The choice of language is highly irrelevant here.
There don't need to be ports 'open' on any router, unless your traffic must pass through it. On normal peer hosts in the same network (or subnet) there would hardly be any firewall policy, not even in schools.
Technically it is possible for the switch to block peer-2-peer traffic (meaning traffic not destined to the outgoing gateway), but that is not very usual.
Of course, if the school doesn't allow outbound (WAN) traffic on most ports, tough luck, and they're absolutely right :)
You can look at
ssh (with tunnels -L, -D and -R options, perhaps -o GatewayPorts on)
stunnel
connect.c
http-tunnel
All very readily googled
To establish a TCP/IP connection, only the server port needs to be accessible by the client. The connection is full-duplex, therefore data can flow from the client to the server and vice-versa.
If you are using UDP for your application, which is a connection-less protocol, what happens depends heavily on the firewall or router and whether it performs connection tracking for your service or not.
Unless you provide some additional information on your service and the network setup on both the client and the server side, we cannot provide more concrete information.

Headless Linux -> broadcast IP to Windows workstation?

I'd like to sell headless Linux servers to SOHO users. Typically, they'll have a DHCP-capable ADSL modem cum switch to which they'll connect their workstation and the server.
In order to just show up with the server, I need to find a way to just plug the server into the switch to get an IP address from the modem, and then have the server broadcast its address so I can then connect to it with PuTTY from the workstation.
I thought about using Samba to broadcast a message using the Messenger Service, but unless I'm mistaken, this only works if the two hosts are configured to use the same workgroup/domain.
Do you know of a way to get the server's IP address from the workstation?
Thank you for any tip.
Take a look at UPnP and zeroconf services like Apple's Bonjour.
I'd probably suggest using the normal approach for switches and modems as you are treating your device as an appliance, i.e. set a default IP 192.168.0.1, and connect to that to then configure the device into the local infrastructure.
I don't know of any good solutions.
Some DHCP servers will register the name you send in the request - then give that name in your setup instructions. But I suspect home user DSL routers aren't in that category.
Maybe you could ship a tool on CD that does arp requests to get the IP address? (Given the MAC address printed on the box)
Broadcast packets periodically on some arbitrarily chosen UDP port, and build some client software to listen for those packets.
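The last suggestion (periodic UDP broadcasts plus a small listener), as an added example that is none of the answerers' code: the beacon the headless box sends and a receiver for the workstation. The receiver takes the server's address from the UDP packet header rather than from anything inside the payload, so a beacon can only ever advertise the host it actually came from, and it ignores packets that are oversized, malformed or lack the expected tag. Port 55555, the tag string and the JSON layout are constructed choices; mDNS/zeroconf, as the other answer suggests, is the standardized form of the same idea.

```python
"""Added example (not from any answer): UDP broadcast beacon for a headless box and a
matching listener for the workstation."""
import json
import socket
import time

BEACON_PORT = 55555            # constructed choice, any free UDP port works
MAGIC = "headless-announce/1"  # constructed tag so unrelated broadcasts are ignored
MAX_LEN = 512


def build_beacon(hostname, ssh_port=22):
    """Payload the server broadcasts: which name to expect and which port to use."""
    return json.dumps({"v": MAGIC, "host": hostname, "ssh": ssh_port}).encode("utf-8")


def parse_beacon(data, sender_ip):
    """Return {'host', 'ip', 'ssh'} for a valid beacon, None for anything else.
    The IP is taken from the UDP header (sender_ip), never from the payload."""
    if len(data) > MAX_LEN:
        return None
    try:
        msg = json.loads(data.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return None
    if not isinstance(msg, dict) or msg.get("v") != MAGIC:
        return None
    ssh = msg.get("ssh", 22)
    if type(ssh) is not int or not 0 < ssh < 65536:
        return None
    return {"host": str(msg.get("host", "?"))[:64], "ip": sender_ip, "ssh": ssh}


def announce(hostname, interval=5.0):
    """Server side: broadcast the beacon every `interval` seconds until interrupted."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    payload = build_beacon(hostname)
    while True:
        s.sendto(payload, ("<broadcast>", BEACON_PORT))
        time.sleep(interval)


def listen(timeout=30.0):
    """Workstation side: wait up to `timeout` seconds for the first valid beacon."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(("", BEACON_PORT))
    s.settimeout(timeout)
    try:
        while True:
            data, (ip, _) = s.recvfrom(MAX_LEN + 1)
            found = parse_beacon(data, ip)
            if found:
                return found
    except socket.timeout:
        return None
    finally:
        s.close()


def loopback_roundtrip(hostname="nas-001"):
    """Self-check without broadcasting: send one beacon to a receiver on 127.0.0.1."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(("127.0.0.1", 0))
    rx.settimeout(2.0)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        tx.sendto(build_beacon(hostname), rx.getsockname())
        data, (ip, _) = rx.recvfrom(MAX_LEN + 1)
        return parse_beacon(data, ip)
    finally:
        tx.close()
        rx.close()


if __name__ == "__main__":
    print(listen())   # on the workstation; run announce(socket.gethostname()) on the server
```

The beacon carries only a name and a port, nothing a listener would act on blindly; the user still authenticates to the box over SSH, so the worst a rogue beacon on the same LAN can do is advertise its own address, which the host-key check in PuTTY then exposes.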
