<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Good news!</p>
<p>After some amount of wrangling with Wireguard and the various
firewalls involved, I can finally announce that the backup VPN to
Murasoi is functional.</p>
<p>I have configured a site-to-site tunnel called `wg-backup` from
Murasoi (assigned 192.168.5.2) to Cloud-Mooneye (assigned
192.168.5.1). The configuration is fairly straightforward,
although I did most of it via interfaces(8) instead of
wg-quick(8). Wireguard has a built-in method to tag its own packets
for special treatment, so writing a policy to route it exclusively
via 4G was a two-line configuration change.</p>
<p>Murasoi is also set to heartbeat every 30 seconds, to keep
Cloud-Mooneye up to date on its latest public IP. Without that,
Wireguard only exchanges data on demand, and so the NAT mappings
allowing the connection will likely disappear.</p>
<p>Wheel members can now gain administrative access to Murasoi via
having a root key loaded into their SSH agent, and running
something like `ssh -A -J root@cloud-mooneye.ucc.asn.au
root@192.168.5.2`.</p>
<p>Warning: flaky 4G is slooooow... maybe there's somewhere in the
clubroom with better signal?</p>
<p>Cheers,</p>
<p>James [MPT]</p>
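<p>Added example (not the thread's actual configuration, and not from any of its authors): the shape of the setup James describes, done by hand the way an interfaces(5) pre-up/post-up stanza would rather than with wg-quick. The <code>wg-backup</code> name, the 192.168.5.x tunnel addresses and the 192.168.4.1 gateway come from the thread; the fwmark value, routing table number, uplink device name and the placeholder keys are assumptions. It shows the two WireGuard settings that matter here, <code>FwMark</code> (so the kernel can policy-route the tunnel's own UDP packets) and <code>PersistentKeepalive = 30</code> (the heartbeat that keeps the CGNAT mapping alive), plus the two routing lines that send marked packets out the 4G link.</p>

```shell
#!/bin/sh
# Added example, not the thread's actual configuration: bring up a WireGuard
# site-to-site interface by hand (interfaces(5) pre-up/post-up style, not
# wg-quick) and policy-route WireGuard's own packets out the 4G uplink by
# matching the fwmark it stamps on them. Mark, table, device and key values
# below are assumptions.
set -eu

WG_IF=wg-backup                    # interface name from the thread
LOCAL_ADDR=192.168.5.2/24          # Murasoi's tunnel address from the thread
UPLINK_GW=192.168.4.1              # 4G gateway from the thread
UPLINK_DEV=${UPLINK_DEV:-eth1}     # assumption: device carrying the 4G link
WG_MARK=${WG_MARK:-51820}          # assumption: fwmark; must equal FwMark below
RT_TABLE=${RT_TABLE:-100}          # assumption: routing table for the 4G uplink
WG_CONF=${WG_CONF:-/etc/wireguard/$WG_IF.conf}

# DRY_RUN=1 prints each command instead of executing it (the real thing needs root).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Emit a wg(8) setconf file. FwMark in [Interface] makes the kernel tag every
# encrypted UDP packet the tunnel sends; PersistentKeepalive in [Peer] is the
# 30-second heartbeat that keeps the CGNAT mapping alive and lets the far end
# learn Murasoi's current public address. Keys are placeholders.
wg_conf() {
    cat <<EOF
[Interface]
PrivateKey = <murasoi-private-key>
ListenPort = 51820
FwMark = $WG_MARK

[Peer]
PublicKey = <cloud-mooneye-public-key>
Endpoint = cloud-mooneye.ucc.asn.au:51820
AllowedIPs = 192.168.5.1/32
PersistentKeepalive = 30
EOF
}

# The two routing lines: a default route in a dedicated table that points at
# the 4G gateway, and a rule sending fwmark-tagged packets to that table.
# Everything else on Murasoi keeps using the main table.
policy_route_4g() {
    run ip route replace default via "$UPLINK_GW" dev "$UPLINK_DEV" table "$RT_TABLE"
    run ip rule add fwmark "$WG_MARK" lookup "$RT_TABLE" priority 1000
}

# What the pre-up/post-up hooks of an interfaces(5) stanza would run.
wg_up() {
    run ip link add "$WG_IF" type wireguard
    run wg setconf "$WG_IF" "$WG_CONF"
    run ip address add "$LOCAL_ADDR" dev "$WG_IF"
    run ip link set "$WG_IF" up
    policy_route_4g
}

# The matching post-down: drop the rule so stale marks cannot leak out 4G.
wg_down() {
    run ip rule del fwmark "$WG_MARK" lookup "$RT_TABLE" priority 1000
    run ip link del "$WG_IF"
}

case "${1:-}" in
    conf) wg_conf ;;
    up)   wg_up ;;
    down) wg_down ;;
esac
```

<p>Run <code>sh wg-backup.sh conf</code> to see the config, and <code>DRY_RUN=1 sh wg-backup.sh up</code> to print the commands without touching the box. Only the tunnel's own encrypted packets carry the mark, so traffic inside the tunnel (the <code>ssh -J</code> hop to 192.168.5.2) is routed normally and simply rides the 4G-bound tunnel.</p>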
<div class="moz-cite-prefix">On 19/4/20 11:07 pm,
<a class="moz-txt-link-abbreviated" href="mailto:dylanh333@ucc.asn.au">dylanh333@ucc.asn.au</a> wrote:<br>
</div>
<blockquote type="cite"
cite="mid:417025e2-20ea-48ea-9b73-1d385baefcfa@email.android.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="auto">
<div>Hi James,</div>
<div dir="auto"><br>
</div>
<div dir="auto">I think that seems pretty reasonable.</div>
<div dir="auto">Please keep track of what packages you install,
commands you run, and config changes you make, however, that
way we know what needs to be done if we need to rebuild
cloud-mooneye.</div>
<div dir="auto">It'll also give us a starting point for getting
such a VPN setup automated via Ansible.</div>
<div dir="auto"><br>
</div>
<div dir="auto">Cheers,</div>
<div dir="auto">Dylan Hicks [333]<br>
<div class="gmail_extra" dir="auto"><br>
<div class="gmail_quote">On 19 Apr 2020 10:34 pm, James
Arcus <a class="moz-txt-link-rfc2396E" href="mailto:jimbo@ucc.asn.au"><jimbo@ucc.asn.au></a> wrote:<br
type="attribution">
<blockquote class="quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>
<p>Hi all,</p>
<p>Good news: source-based routing is working. Any
packet leaving Murasoi sent from a 192.168.4.0/24
address gets directed out the 4G link via
192.168.4.1. So far that's only available to Murasoi
itself.</p>
<p>Unfortunately, the 4G link is on CGNAT (i.e.
doesn't even have 1 public IPv4 address) and I can't
manage to get inbound working via IPv6 either.
(Maybe it's filtered either by Telstra or the
Netgear modem?) Either way, looks like we'll need an
intermediary of some kind.</p>
<p>What are people's thoughts on using cloud-mooneye
for that purpose? It's globally accessible and its
reliability is untied to uni. We could set up a
Wireguard or other VPN site-to-site tunnel.</p>
<p>Cheers,</p>
<p>James [MPT] </p>
</div>
</blockquote>
</div>
</div>
</div>
</div>
</blockquote>
</body>
</html>