I need to build some software infrastructure to manage computers which are connected to the internet using a 3G modem (about 30-40 clients).
The scenario that I came up with for project needs:
Client established internet connection (this is made on OS startup - no user action needed)
Client make connection to some server in internet (I named it "PROXY" - maybe there is a better name)
From now client is connected to PROXY server and it is listening for connections on some port (static or dynamic port?)
The same is true for all other machines.
What I need:
When I connect to PROXY server I want to see list of all connected clients to it (optionaly time of connection, client IP etc)
I can make connection to any clients but not P2P I want to connect using PROXY server (some kind of tunneling?)
Access to client should be impossible without PROXY server.
Example:
Client connect to internet using 3G modem - received IP: 149.10.20.30
Client connect to PROXY (79.10.11.12)
I connect to PROXY (terminal / VNC / putty / whatever). I can list connected clients (ex. using some command: $ show_connected_clients). And I see list: IP / MAC or other informations.
From my computer (or PROXY server if this is simpler) I can make connection to client (terminal / VNC / RDP whatever) using for this PROXY server.
$ connect_to 149.10.20.30 using 79.10.11.12
Is such a thing is to realize with the help of the built-in OS services? Or maybe I need to use some commercial software or write my own application?
Writing this from scratch is possible but I do not want to reinvent the wheel.
Some advice? Thanks in advance for any help.
PS. Clients OS (probably all) is Linux. PROXY server OS - I can make decision by my own.
I've decide to use VPN. Perfect in its simplicity. If someone is interested.
Client connects to VPN. Gets IP from VPN network
VPN server on PROXY server
My machine connects to VPN
On PROXY server I can list connected clientes to VPN
Using (ex RDP) I can connect to any client by VPN network
I think I can configure client to deny connection from other network then VPN. If so, I have everything I need.
Simple :)
Related
What I'm trying to achieve is:
Connect to a VPN as client and route all my internal network's traffic over the VPN.
Run a VPN server, so that people from outside can connect to my internal network and get routed over the a.m. VPN client.
I'm trying to achieve that with a router running dd-wrt (netgear D6200), and / or a raspberry pi.
Can someone tell me if this can be achieved, and if, direct me to what would be a possible solution?
(I'm not looking for a tutorial, just a direction)
Thanks!
This thread probably does not belong here.
Consider using OpenWRT instead of dd-wrt. OpenWRT gives you a usable build system and easier to customize and build. I am not advocating OpenWRT. This can be a stop gap measure.
You can setup a OpenVPN server and OpenVPN client using the standard
documentation available on OpenWRT Wiki and also OpenVPN site.
Add to OpenVPN server.conf the following directive redirect-gateway def1. This will push the default gateway to clients connecting to OpenVPN server. Further, make sure you are using a unique network IP pool for VPN clients and does not clash with the remove VPN server.
Make sure you are masquerading the VPN traffic (Clients of local VPN server) before forwarding to remove VPN server. This can be tricky as this interface does not exist at boot time. It needs to be configured using up and down scripts
Make sure you are allowing traffic (clients of local VPN Server) on VPN interface to be forwarded in your firewall rules
Before setting up the OpenVPN server, make sure
The remove VPN server is pushing the default gateway to your VPN
client
You have setup the firewall correctly
You are able to reach the cloud through the Remote VPN Server. Checking with some site like www.whatismyip.com will help
Yes this is possible with dd-wrt on Netgear.
There is no need of Raspberry (unless you meant to run the remote VPN server on it).
Configure and run VPN server on dd-wrt - and try connectivity by connecting clients. Both tun/tap should work in general (with VPN client running). I tested with tun.
Configure and run VPN client on dd-wrt and try connecting to your VPN server. By default, the router should start directing all traffic (for its own LAN clients) via the VPN server.
So far so good.
The problem comes when you want dd-wrt's VPN clients (and not just LAN clients) to take the same route. With a VPN client running on dd-wrt, dd-wrt's own VPN clients will not be able to connect to the VPN server running on dd-wrt as such. To make it work, see below.
This is only possible via PBR - i.e. you run VPN client on dd-wrt, but take the router itself off this client, and route only specific clients through this VPN client running on dd-wrt.
With some tweaks using subnet masks, it is possible to include all your LAN and VPN IPs in the PBR policy so that everything (except the router itself) routes through the remote VPN server.
The key is to include dd-wrt's VPN clients' virtual IPs in the PBR. While configuring VPN server on dd-wrt, there is a field for specifying the clients' network and netmask.
If you use this network IP and netmask in client process's PBR policy, your (dd-wrt's) VPN clients will be able to connect to the VPN server running on dd-wrt, and will in turn be routed through the remote VPN server to which dd-wrt is connected as a client.
I have a zentyal in a vps in the internet that I use to connect some companies with their external offices, so far with windows this is not a problem I connect the windows server to zentyal via openvpn client and configure as many openvpn clients as external offices that they have and they work perfectly but when I try to connect same way using zentyal in a company it fails, I mean I can check the option that states allow zentyal to zentyal tunnel. ok the server of the company can connect to the zentyal vps but I cannot download a bundle for normal clients to connect to the same network, is there a work arrout to connect both zentyals and normal hosts on a same netork via openvpn? If I try to use a normal client bundle in zentyal it doesnt let me connect.
Zentyal to Zentyal connections don't work for normal clients.
Zentyal allows you to define more than one VPN server. You should use a separate VPN server for other clients.
Note that the two modes have different semantics, in regard to how routing works for each of the VPN models. In brief:
Zentyal-to-Zentyal VPN tunnels use RIP and exchange the static routes accessible to each server.
For normal "road-warrior" clients, networks that needs to be accessed by clients have to be published using the "Advertised networks" section.
In addition, it's better practice to use a separate VPN network for road warriors, another VPN for server-to-server communications.
If I guess correctly, you'd like to use Zentyal as a normal VPN client (using a normal client bundle). It's a requested feature but I believe it's not available. You could configure the OpenVPN client manually in the Zentyal box (unmanaged by Zentyal, unless you use hooks). Alternatively, you could use a Zentyal-to-Zentyal tunnel for all clients, but configure Windows clients manually based on the certificates present on the bundle and the Windows OpenVPN configuration files you already have (this way, you'd be missing RIP (route exchange) funcionality between Windows and Zentyal but it shall work).
For your use case, i think there is not way inside zentyal to manage S2S connection.
To achieved that i use one server as client (S2), download a Linux bundle from the other zentyal(S1) server, then configure the S2 to act as the others clients to connect to the S1.
here is a link for client side configuration openpvn linux client
Hope that help
I'm currently working on my group voice chatting program. This is my plan:
Build up a server on 192.168.1.125. Listen to port 3490 and forward it to the router.
Clients connect to the server and get the user IP list(Whenever a client connects to the server, its IP address is recorded by the
server)
Clients communicate with each other using UDP multicast(is this ever possible across the router?).
But now I'm running into troubles. If a client inside the LAN, e.g. 192.168.1.120, connects to the server, it's taken down as 192.168.1.120, which won't work for clients from WAN.
I'm wondering if there is any way to convert the LAN IP to public IP? (this might have something to do with the router, I think)
Thanks.
You will have to be prepared for the case where direct client-to-client communication fails. Relaying through the server or NAT traversal/penetration may be necessary. Significant expertise is required to do this correctly.
I am working on a program related to network, and there's a situation that the client has to connect to a server which is inside a LAN.
As I know, when establishing a TCP connection, the port the server is listening on has to be accessable to the client. If the server is inside a LAN, port accesses are blocked by the router. One solution I know is to use UPnP to perform a port mapping on the router. However, in some cases, the router does not support UPnP, are there other solutions?
IM applications came up into my mind. Many IM applications have the functionality that users can send files to each other, whatever the network environment is, as long as you can access to the internet. I don't think a public server is used as a file data exchanger between the two, the connection has to be a direct one. How do they actually do to enable the client to connect to a "hidden" server?
Typically such programs try a series of steps:
A connect directly to B
B connect directly to A
A tries to connect to a firewall (uPnP) forwarded port to B
B tries to connect to a firewall (uPnP) forwarded port to A
A and B both connect to a central server and exchange data through that
The last step is obviously the least preferred because the provider has to have sufficient resources to manage all simultaneous transfers. Rate-limiting is common.
Since IM has central management anyway, it's not too difficult to coordinate all this.
If uPnP or an open port can't be done at one end or the other then the only option left would seem to be passing it via a server in the middle
I use to develop my project on my localhost, on apache in ubuntu machine.
Sometimes i need to show progress to my costumer.
Is it possible to access to localhost from remote machine?
You can use a service that provides a tunnel to your local service, such as localtunnel, pagekite or ngrok. These services simplify setting up remote demos, mobile testing and some provide request inspection as well.
I find ngrok useful because it provides a https address, which is needed to test things like webcam access.
Terms used in this answer:
Host = machine with site on it
Client = machine you are trying to access the host from
If the host and client are on the same network, you can access the host from the client by entering
http://(hostname or ip address)
in your client's browser. If the site is not running on port 80 (for http) or port 443 (for https), add the post as so (this example is for if your server is on 8080, a common alternate port):
http://(hostname or ip address):8080
If the host and client are not on the same network, and you need to reach across the internet from the client to see the host, you will need to make your host available on the internet for the client to access.
This can be extremely dangerous for your information security if you're not sure what you're doing and I'd recommend getting a cheap-o hosting account (can get them for like $10/month at places like 1:1 hosting).
There are many methods to do this - the difference is security, easiness of the configuration and cost of the solution.
Following I am typing some methods with some analyses
Port Forwarding (with Dynamic DNS and SSL encryption)
This requires router configuration (to forward your routers public port to loclhoat port), however this requires you to have fixed ip address. In case your ip address is not fixed (in most cases) you need to use Dynamic DNS services to be able to use domain name instead ip address (there are lot of available free services). Here we still have security question open. To solve security question i.e. setup ssl certificate we can use Let’s Encrypt service ( https://letsencrypt.org/ ) to get free certificate, however we should configure local server to use the certificate or we should setup reverse proxy (in most cases nginx or apache) and configure proxy to use certificate.
Conclusion – Hard to setup if we want to have secure connection (can be done for free)
VPN
For this scenario we should use VPN services. We should connect our local machine to VPN then in other side we should connect our client's machine to VPN that will allow us to access to localhost by local IP address. We can set up our own VPN server however this requires knowledge to do it right.
Conclusion – Easy, Paid, Secure, Bad User Experience (connecting to VPN every time you need to connect to localhost)
Tunneling
For this scenario we can use free tunneling services (i.e. https://tunnelin.com/). The process is very straight forward i.e. Register a User, Connect your device to service (by running one line command on device), use Web interface to open/close secure tunnels to the device.
Conclusion – Free, Secure, Easy
Yes, if you have a public and static IP. Usually, ISPs offer static ips during a session (i.e. until you disconnect and connect again)