Reminder to self to play around with [Wayback/Archive] Tailscale SSH · Tailscale
Tailscale SSH allows Tailscale to manage the authentication and authorization of SSH connections on your tailnet.
Archive for the ‘VPN’ Category
Tailscale SSH · Tailscale
Posted by jpluimers on 2024/07/12
Posted in *nix, *nix-tools, Hardware, Network-and-equipment, Power User, ssh/sshd, Tailscale, VPN, Wireguard | Leave a Comment »
OpenVPN somehow failed when tethering on the Android mobile hotspot from a new phone
Posted by jpluimers on 2023/04/07
A while after I got a new smartphone, I noticed that when my MacBook was connected over Wi-Fi to the mobile hotspot of my Android phone, the Tunnelblick connections over OpenVPN to my family members would not work. A telnet from the Android phone to the OpenVPN TCP port 1194 woud succeed, but not from the MacBook. Connecting from the phone using JuiceSSH to the OpenSSH endpoints at those family members would work too, so I was a bit flabbergasted.
In the end this seems to be a set of coincidences that fails in this particular setup, but I am not totally aware why.
The solution was to both re-configure the APN (Access Point Name) the smartphone uses to connect to the internet from ipv4/ipv6 to ipv4, and to reboot the phone.
For Dutch provider KPN Mobile, the APN is named internet and apparently changed default to ipv4/ipv6 without properly supporting ipv4. Note the configuration parameters are all lowercase, although they should be written IPv4 and IPv6.
Here are a few posts that got me on the right track (all via [Wayback/Archive] openvpn fails over android hotspot – Google Search):
- [Wayback/Archive] wireless networking – VPN Issues While Using Phone’s Hotspot – Super User (thanks [Wayback/Archive] Nicolas Roux)
Solved me, I had to change APN setting from IPv6 to IPv4.
- [Wayback/Archive] OpenVPN problemen | KPN Community
Probleem gevonden…. APN van KPN staat op ipv4/ipv6Ik krijg dus alleen een ipv6 ip nummer, dat verbindt geen ipv4 vpn server.APN van KPN veranderd in ipv4 en hij doet het weer - [Wayback/Archive] OpenVPN via mobiel internet van KPN ( 4G / 5G ) – Dit is wat Stijn ziet
Dit is eenvoud op te lossen door je Android in te stellen op IPv4 only. Standaard staat dit op IPv4/IPv6 en kiest je telefoon automatisch IPv6.
Note that sometimes the MTU can cause similar failures:
- [Wayback/Archive] [Solved] OpenVPN works over mobile tethering, but not on home router – MTU Problem – OpenVPN Support Forum
For posterity, would like to post that the error was on account of incorrect MTU size setting on the TCP packet in the router. The size was set to 1452 bytes instead of 1492 bytes. Because of that the SSL/TLS packet was fragmented and the server ACK was not received. On changing the MTU size, everything works perfectly!
Note too: some links to check for OpenVPN responding are below.
- [Wayback/Archive] GitHub – liquidat/nagios-icinga-openvpn: Nagios/Icinga check for OpenVPN availability monitoring
- [Wayback/Archive] security – How to check that an OpenVPN server is listening on a remote port without using OpenVPN client? – Server Fault (thanks [Wayback/Archive] Loic Dachary)
- [Wayback/Archive] OpenVPN connection test | It’s full of stars!
Various sites with (often different) APNs that KPN mobile supports:
- [Wayback/Archive] Can’t connect to VPN throught 4G mobile internet | KPN Community
- [Wayback/Archive] Uitleg over het gebruik van APN’s
- [Wayback/Archive] KPN Mobile Netherlands APN Configuration Settings – APN Settings Search Engine
- [Wayback/Archive] VPN via 4G/ipv4 | KPN Community (mentioning the
advancedinternetAPN without mentioning the firewall you need) - [Wayback/Archive] Werkt je mobiele data niet? Check je APN instellingen. Dit moet je doen.
There are quite a few APNs, some with firewall and/or proxy and/or compression, some with external IP address (which means your smartphone really needs a firewall).
–jeroen
Share this:
Posted in Android Devices, Hardware, Network-and-equipment, OpenVPN, Power User, VPN | Leave a Comment »
Dave Anderson on Twitter: “Cool minor @Tailscale moment: I’m recommissioning a server that got moved from a different network, so all its network config was wrong, and generally I couldn’t get at it over the network, only IPKVM console. But then my `ping` over Tailscale started working?!” / Twitter
Posted by jpluimers on 2023/04/04
Wow, I wrote about Tailscale a few times before, and it is still on my research list, but this is a very compelling reason to use it. [Archive] Dave Anderson on Twitter: “Cool minor @Tailscale moment: I’m recommissioning a server that got moved from a different network, so all its network config was wrong, and generally I couldn’t get at it over the network, only IPKVM console. But then my ping over Tailscale started working?!” / Twitter
I archived the thread so it becomes easier to read: [Wayback/Archive] A readable Thread by @dave_universetf Says Cool minor @Tailscale moment: I’ – UnrollThread.com.
The core are these three tweets:
Turns out, IPv6 autoconfiguration is what happened. Sure, v4 configuration was entirely wrong (it was trying to connect to wifi, via a wifi dongle that was no longer installed, and wanted to talk to a DNS server that doesn’t exist any more), but eno1 had a cable plugged in!The server noticed IPv6 router advertisements, went “I’ll have some of that”, and got global IPv6 connectivity automagically. IPv4 and DNS were still down though, so all it had at this point is the ability to send/receive IPv6 packets.So, how did Tailscale get from there to a working setup? It still needs to contact https://t.co/hEs4S8qvTw to get a network map, and still needs to talk to DERP servers to get p2p tunnels working outside the LAN. Enter bootstrap DNS!
It means I have to re-read Source: Some links on Tailscale / Wiregard, especially the [Wayback] How Tailscale works · Tailscale bit, then decide how I want to organise my infrastructure to run parts under Tailscale (I have the impression it is a peer based set-up, not router based).
Then I have to read [Wayback/Archive] IPv4, IPv6, and a sudden change in attitude – apenwarr of which the conclusion is this:
IP mobility is what we do, in a small way, with Tailscale’s WireGuard connections. We try all your Internet links, IPv4 and IPv6, UDP and TCP, relayed and peer-to-peer. We made mobile IP a real thing, if only on your private network for now. And what do you know, the math works. Tailscale’s use of WireGuard with two networks is more reliable than with one network.
Finally I need to not just read it, but understand all it (:
Or maybe I should ask Kris, as I got here through:
- [Archive] Kris on Twitter: “Ich bin übrigens komplett vergreist und sollte nicht mehr in die Nähe von Computern gelassen werden. Ich habe also die Wireguard Dokumentation gelesen und auf dem lokalen Windows-Laptop “scoop install wireguard” gemacht.” / Twitter
- [Archive] Brad Fitzpatrick on Twitter: “@eliasp @isotopp @Tailscale Und oft gibt es mehr als eine lokale Netzwerkoption (IPv6 link local + IPv4). Etwas verwandt: eine Geschichte über einen Überraschungs-Netzwerk-Link… …” / Twitter (linking to the Twitter thread at the top of this post)
I saved Kris’ message thread here at [Wayback/Archive] Thread by @isotopp on Thread Reader App – Thread Reader App.
An OK translation is at [Wayback/Archive] Thread by @isotopp on Thread Reader App – Thread Reader App.
–jeroen
Share this:
Posted in Hardware, Network-and-equipment, Power User, Scoop, Tailscale, VPN, Windows, Wireguard | 1 Comment »
I had some Windows ATOM issues before, but this beats them easily
Posted by jpluimers on 2022/10/19
I’ve had some issues with Windows ATOM tables filling up, but nothing like this security bypass:
A new Windows code injection technique, atombombing, which bypasses current security solutions.
Source: AtomBombing: Brand New Code Injection for Windows – Breaking Malware [WayBack] with source code at BreakingMalwareResearch/atom-bombing: Brand New Code Injection for Windows
Note that since writing the first draft, the above AtomBombing article moved via Wayback: blog.ensilo.com to [Wayback/Archive.is] AtomBombing – A Brand New Code Injection Technique for Windows | FortiGuard Labs.
Share this:
Posted in Development, FortiGate/FortiClient, Hardware, Network-and-equipment, Power User, Security, Software Development, VPN, Windows, Windows 10, Windows 7, Windows 8, Windows 8.1, Windows 9, Windows Development, Windows Server 2000, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Vista, Windows XP | Leave a Comment »
Since about 5 months now, there has been a new Chocolatey package maintainer for OpenVPN
Posted by jpluimers on 2022/08/26
Last winter, I discovered that the OpenVPN version on Chocolatey was really old: it had not been updated since 2019.
Most Chocolatey maintainers are volunteers and sometimes the burden can become too large. Back then the maintainer was [Wayback/Archive] Chocolatey Software | wget, but luckily [Wayback/Archive] Chocolatey Software | dgalbraith has stepped in and in March 2022 bumped the version from [Wayback/Archive] Chocolatey Software | OpenVPN 2.4.7 to [Wayback/Archive] Chocolatey Software | OpenVPN – Open Source SSL VPN Solution 2.5.4 and kept maintaining (currently there is [Wayback/Archive] Chocolatey Software | OpenVPN – Open Source SSL VPN Solution 2.5.7).
Share this:
Posted in *nix, *nix-tools, Chocolatey, Hardware, Network-and-equipment, OpenVPN, Power User, ssh/sshd, VPN, Windows | Leave a Comment »
Perkeep lets you permanently keep your stuff, for life.
Posted by jpluimers on 2022/03/30
For my link archive: [Wayback] Perkeep
Via [Wayback] bradfitz – Joining Tailscale: Simplifying Networking, Authentication, and Authorization (which has many interesting linkis, including [Archive.is] bradfitz/homelab: Brad’s homelab setup)
- [Wayback/Archive.is] ycombinator: Perkeep: personal storage system for life | Hacker News.
- Perkeep – Wikipedia
Perkeep (previously Camlistore, Content-Addressable Multi-Layer Indexed Storage) is a set of open-source formats, protocols, and software for modeling, storing, searching, sharing, and synchronizing data.
- [Wayback] Documentation – Perkeep
- [Archive.is] Perkeep (née Camlistore)
–jeroen
Share this:
Posted in Cloud, Hardware, Infrastructure, Network-and-equipment, Perkeep, Power User, Storage, Tailscale, VPN, Wireguard | Leave a Comment »
Some links on Tailscale / Wiregard
Posted by jpluimers on 2022/03/29
For my link archive:
- WireGuard – Wikipedia
- Brad Fitzpatrick – Wikipedia
- [Wayback] Installing Tailscale on Windows · Tailscale
- [Wayback] How Tailscale works · Tailscale
- [Wayback] Tailscale · Best VPN Service for Secure Networks
Tailscale is a zero config VPN for building secure networks. Install on any device in minutes. Remote access from any network or physical location.
Related: [Wayback] Using Tailscale on Windows to network more easily with WSL2 and Visual Studio Code – Scott Hanselman’s Blog
–jeroen
Share this:
Posted in Hardware, Network-and-equipment, Power User, Tailscale, VPN, Wireguard | Leave a Comment »
“Using Tailscale on Windows to network more easily with WSL2 and Visual Studio Code”
Posted by jpluimers on 2022/03/23
“Using Tailscale on Windows to network more easily with WSL2 and Visual Studio Code”
Points to [Wayback] Using Tailscale on Windows to network more easily with WSL2 and Visual Studio Code – Scott Hanselman’s Blog
Related:
–jeroen
Share this:
Posted in Hardware, Network-and-equipment, Power User, Tailscale, VPN, Wireguard | Leave a Comment »
Wake-on LAN over tailscale VPN
Posted by jpluimers on 2022/03/22
Hey macOS desktop in the basement, thanks for going to sleep while I was in the middle of typing at you via SSH.
Maybe that should be a signal not to sleep, eh?
$ sudo wakeonlan ac:87:a3:19:7e:81
Sending magic packet to 255.255.255.255:9 withWell, at least that works.
Related:
–jeroen
Share this:
Posted in Hardware, Network-and-equipment, Power User, Tailscale, VPN, Wireguard | Leave a Comment »
Some links on Wireguard as DHCP clients were not supported back then yet
Posted by jpluimers on 2021/11/12
Wireguard seems more light-weignt and secure than OpenVPN and IPsec. So I’m anxious to know how it is supposed to work for road warriors that often depend on receiving DHCP addresses into the network of the VPN server.
Some links that hopefully get me started to install a Wireguard VPN server and provide services to road warrior clients.
First the Twitter thread that got me investigating:
- [WayBack] Daniël Verlaan on Twitter: “Opgepast ⚠️ – nerd-tweet incoming. Ben echt ontzettend te spreken over WireGuard, een nieuw vpn-protocol dat sneller, veiliger en energiezuiniger is dan OpenVPN, IPSec of IKEv2. Goed te gebruiken met o.a. Algo, Mullvad of iVPN op desktop en mobile 🙌 … “
- [WayBack] Jeroen Pluimers on Twitter: “Hoe zit het met de handout van DHCP client adressen aan de VPN clients?… “
- [WayBack] Daniël Verlaan on Twitter: “durf ik niet te zeggen uit mijn hoofd, maar daar zal genoeg over te vinden zijn online… “
- [WayBack] Jeroen Pluimers on Twitter: “Mijn initiele poging was niet echt hoopvol, vandaar de vraag; ik denk dat ik iets over het hoofd zie. Mocht je iets tegenkomen met goede info, dan graag!… “
- [WayBack] Arian van Putten on Twitter: “Hai! Op dit moment nog niet gesupport. Maar wordt aan gewerkt https://t.co/qpdClRdRyw Waarschijnlijk niet via DHCP maar via ipv6… “
- [WayBack] Arian van Putten on Twitter: “Probleem is dat dynamic addresses en cryptokey-routing beetje tegen elkaar inwerken. Maar ipv6 geeft tools om dit wel mogelijk te maken zo ver ik begrijp… “
- [WayBack] Jeroen Pluimers on Twitter: “Eigenlijk ben ik al een tijd op zoek naar varvanging van Fritz!Box VPN naar meer moderne en liefst onderhoudsarme VPN zowel voor LAN-to-LAN als roaming mobiele apparaten die achter wisselende NATs hangen. Voorlopig (zie profiel) extreem laag in energie, dus alle hulp is welkom.… “
- [WayBack] Arian van Putten on Twitter: “maar maakt dan toch niet uit dat binnenin je VPN het netwerk static is? Wireguard lijkt me een goede fit. Vooral omdat het goed omgaat met roaming… “
- [WayBack] Jeroen Pluimers on Twitter: “Dank! Dit is waarom ik van Twitter hou: als je zelf even in een mentale dip zit en niet meer alles kunt overzien, gooit iemand het kwartje naar je toe zodat je het kunt laten vallen. Alle clients hun eigen vaste IPv4, dan maakt het niet meer uit vanachter welke NAT ze connecten.… “
- [WayBack] 𝓹𝓮𝓽𝓾𝓻 on Twitter: “Ik heb mijn clients allemaal een vast adres gegeven, dat lukt nog als het er niet te veel zijn. De server kant is een UBNT ER-X… “
- [WayBack] Arian van Putten on Twitter: “maar maakt dan toch niet uit dat binnenin je VPN het netwerk static is? Wireguard lijkt me een goede fit. Vooral omdat het goed omgaat met roaming… “
- [WayBack] Jeroen Pluimers on Twitter: “Eigenlijk ben ik al een tijd op zoek naar varvanging van Fritz!Box VPN naar meer moderne en liefst onderhoudsarme VPN zowel voor LAN-to-LAN als roaming mobiele apparaten die achter wisselende NATs hangen. Voorlopig (zie profiel) extreem laag in energie, dus alle hulp is welkom.… “
Then some links I found:
- [WayBack] WireGuard – Wikipedia
- [Archive.is] Brad Fitzpatrick on Twitter: “We just made the first bits of the @Tailscale code public, starting w/ the Linux client + its dependent/common code: … Still lots of rough edges & TODOs everywhere so temper expectations accordingly. We want to hack in open and not wait until it’s perfect.… “
- [WayBack] GitHub – tailscale/tailscale: The easiest, most secure, cross platform way to use WireGuard + oauth2 + 2FA/SSO
- [WayBack] Tailscale
- [WayBack] Brad Fitzpatrick – Wikipedia
- [Archive.is] Brad Fitzpatrick on Twitter: “”An update on bradfitz” After ~12.5 years at Google and ~10 years working on Go, it’s time for me to do something new. Tomorrow is my last day at Google. 👋 I’ll still be involved with #golang but less, and differently. More: …”
- [Archive.is] Brad Fitzpatrick on Twitter: “Turns out Google’s internal business card order form only allows a few email address domain names in its drop-down. But that’s easy enough to fix by editing the DOM with Chrome DevTools. My parting gift arrived. (I couldn’t change the Google to a gopher, though.)… “
- [Archive.is] Brad Fitzpatrick on Twitter: “Unemployment got boring. I’m joining @Tailscale. More: …”
- [WayBack] bradfitz – Joining Tailscale
- [WayBack] Absolute scale corrupts absolutely – apenwarr
- [Archive.is] Dave Anderson on Twitter: “So, as of yesterday, I have a new job! I’m with @Tailscale. The ideas in the linked post were a huge part of what got me on board. I want to bring the LAN of old back into the modern world, and return to a simpler model for writing software.… “
- [Archive.is] David Crawshaw on Twitter: “What I am working on, and why. …”
- [WayBack] bradfitz – Joining Tailscale
- [WayBack] Installation – WireGuard
- [WayBack] Quick Start – WireGuard
- [WayBack] WireGuard: fast, modern, secure VPN tunnel
- [WayBack] TUMBLEWEED wireguard support?
- [WayBack] [Solved] Wireguard as a VPN “server” – Installing and Using OpenWrt – OpenWrt Forum
–jeroen
Share this:
Posted in Hardware, Network-and-equipment, Power User, Tailscale, VPN, Wireguard | Leave a Comment »
The Wiert Corner - irregular stream of stuff 