Connecting private IPs - tcp

A friend of mine told me there was a way to connect two private IPs without using a proxy server. The idea was that both computers connected to a public server and some how the server joined the private connections and won't use any more bandwidth.
Is this true? How's this technique named?

There is a technique called "Hole Punching" that works well with "Cone" NAT (Cone is a technical family of router). That's not a 100% sure technique; today, it works well with UDP on about 80% of routers.
There are some library implementations of Hole Punching: STUN (wikipedia)

This is true. It's the way FogCreek Copilot works.
Take a look at item 2 on Joel's Copilot 2.0 post.

Your friend might be referring to VIPs (Virtual IPs). From my understanding a VIP is usually controlled by a piece of hardware like a router and then redirects to one of your 2 private IPs. We use this with a cluster of machines behind a VIP. I'm not a network guy so that's pretty much the extent of my knowledge.

If you're looking at joining two private networks (two networks of machines behind a NAT), the best way to do this is with a VPN. There are many pieces of equipment available to accomplish this.

I'm not sure it's what you're thinking of, but you could do something similar with ssh tunneling. Let's say you wanted userA on 10.1.2.3/24 to connect to a mysql server on userB's machine on 192.168.0.3/24. There's no direct network connectivity between the two networks, but both machines can connect to serverA on the public internet.
userB runs this command:
ssh -R localhost:13306:localhost:3306 username@serverA
userA runs this command:
ssh -L 3306:localhost:13306 username@serverA
Now userA can use whatever tool they please to connect to mysql on localhost and the cxn will be tunneled through serverA and to the mysql daemon running on localhost on userB's machine.
(hopefully no typos, typed with one hand as I hold my two day old daughter =))

Related

How do I assign my server IP to a local device?

I have a raspberry pi connected to my router with a local IP. I want to access the raspberry pi from outside (from another country) the local network via web browser. So, I have purchased a VPS which has its public IP.
Now how can I assign this VPS IP to the raspberry pi or any other local devices?
how can I assign this VPS IP to the raspberry pi or any other local devices?
That's not how the internet works.
In short, the VPS provider has a pool of IPs and it or its ISP is responsible for publishing routes to the rest of the internet, informing the rest of the internet how to route to those IPs.
You can't just "move" the public IP to your local network; the rest of the internet won't route traffic to it. It would be kind of like writing "1600 Pennsylvania Avenue" on the front of your house - that wouldn't cause you to get White House mail, right? Because regardless of what you write there, the post office doesn't use it as a source of truth for mail routing.
Here are a few of the options you have:
• use ngrok to expose an endpoint to your local service. Ngrok's servers can proxy connections back to your local environment without it having to be online. This will be accessible by anyone on the internet, but is more obscure than an ipv4 address which can and will be easily found (see below). This is a quick and easy solution, and what I'd recommend in your case.
• you already have the VPS. Run the code there instead of on the raspberry pi. It will almost certainly be more reliable and higher speed than your home internet.
• you also already have a public IP, assuming your pi's local router has a route to the internet. The router is performing NAT so that devices "behind" it with only internal addresses can still communicate with the world. You can almost certainly configure your router to forward a certain port to your pi's internal IP address.
• set up a VPN between the private networks, or between the individual hosts on the private networks. This is a lot of work and will require more knowledge of IP networking. If this interests you, I'd recommend looking at Wireguard (recommended) or OpenVPN.
Finally, keep in mind that unless you do something to make it not the case, your service, once on a public IP, will be accessible from the wide world. Since IPv4 space is pretty small by 2022 standards, and there are only 65000 some IP ports per address, it won't take nefarious parts of the internet long to find your service. You can't hide in the obscurity of an IPv4 network.
If your public address is ipv6 instead, those are essentially unguessable and much more likely to go unnoticed. Same thing is true of ngrok - since it has a very large set of potential URLs, it's hard to guess. Still, I'd set up some sort of authentication in front of the service. It's just good practice, like locking your house.
Run this on vps:
echo "GatewayPorts yes" >> /etc/ssh/sshd_config
And this on your raspberry pi:
ssh -R remote-port:localhost:your-local-port your-vps.com
You will access the server using: your-vps.com:remote-port
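Added example, written for this page and not taken from any of the posts above or from ssh itself: a small Python model of what the VPS does in the reverse-tunnel answer just above, and of the idea in the first thread of two private hosts both connecting out to a public server that joins the connections. The Pi side only ever makes outbound connections (so it works from behind NAT), the relay pairs each visitor with an idle link from the Pi, and the `gateway_ports` flag reproduces what `GatewayPorts yes` changes on sshd: the public port is bound to the wildcard address instead of loopback. The ports, the one-byte GO signal and the echo service standing in for the Pi's web server are all constructed for the demo, and there is no encryption here, which is what the real ssh transport adds on top of this.

```python
import socket
import threading

GO = b"\x01"  # constructed for this demo: relay -> Pi, "a visitor arrived"


def _pump(src, dst):
    """Copy bytes src -> dst until EOF, then tear down both sockets."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        for s in (src, dst):
            try:
                s.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass
            s.close()


def splice(a, b):
    """Relay traffic in both directions between two connected sockets."""
    for src, dst in ((a, b), (b, a)):
        threading.Thread(target=_pump, args=(src, dst), daemon=True).start()


def _listener(host):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((host, 0))  # port 0: the OS picks a free port
    s.listen(8)
    return s


def start_relay(gateway_ports=False):
    """VPS side (the role sshd plays for an `ssh -R` forward).
    control: where the Pi's outbound links arrive.  public: where visitors arrive.
    gateway_ports=False binds public to loopback only (sshd's default);
    True binds the wildcard address, which is what GatewayPorts yes does.
    Returns (control_port, public_port)."""
    control = _listener("127.0.0.1")
    public = _listener("0.0.0.0" if gateway_ports else "127.0.0.1")

    def serve():
        while True:
            visitor, _ = public.accept()
            pi_link, _ = control.accept()  # the idle link the Pi keeps open
            pi_link.sendall(GO)            # ask the Pi to bridge it to the service
            splice(visitor, pi_link)

    threading.Thread(target=serve, daemon=True).start()
    return control.getsockname()[1], public.getsockname()[1]


def start_pi_agent(relay_host, control_port, service_port):
    """Pi side (the role of the ssh client behind NAT): outbound connections only.
    Keeps one idle link to the relay; on GO it bridges that link to the local
    service and immediately opens a fresh idle link for the next visitor."""
    def run():
        while True:
            link = socket.create_connection((relay_host, control_port))
            if link.recv(1) != GO:
                link.close()
                return
            service = socket.create_connection(("127.0.0.1", service_port))
            splice(link, service)

    threading.Thread(target=run, daemon=True).start()


def start_echo_service():
    """Stand-in for the web server on the Pi; listens on loopback only."""
    srv = _listener("127.0.0.1")

    def run():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=_pump, args=(conn, conn), daemon=True).start()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def demo(message=b"GET / via the reverse tunnel", gateway_ports=True):
    """Wire it all up on loopback; return what a visitor of the public port gets back."""
    service_port = start_echo_service()
    control_port, public_port = start_relay(gateway_ports)
    start_pi_agent("127.0.0.1", control_port, service_port)
    visitor = socket.create_connection(("127.0.0.1", public_port))
    visitor.sendall(message)
    got = b""
    while len(got) < len(message):
        chunk = visitor.recv(4096)
        if not chunk:
            break
        got += chunk
    visitor.close()
    return got


if __name__ == "__main__":
    print(demo())
```

Everything runs in one process on loopback, so `demo()` returns the message echoed back through relay, Pi link and service. The point to take from it is the direction of the connections: nothing ever connects in to the Pi, which is why this works through NAT without port forwarding, and why the only thing reachable from the internet is whatever the relay chooses to bind on the public port.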

Server works and I can connect locally, but friends cannot connect externally

I have followed the guide https://www.azerothcore.org/wiki/installation to the letter and everything is working great, but friends cannot connect through my external IP and I'm out of ideas.
I have:
• No firewall or AV in the way
• Forwarded ports 8085 and 3724
• Added my computer to the router's DMZ (Nuclear option when forwarding didn't seem to work)
• Changed the address field in the DB realmlist table to my external IP
• authserver and worldserver running and allowing local connections
An extra note is https://www.yougetsignal.com/tools/open-ports/ says the ports are not open while I have the servers running as if they aren't listening on them.
I just learned that my modem from CenturyLink is also acting as ANOTHER router so fun stuff. Making it a transparent bridge is just a bag of cats I'm not gonna open so I guess I get to play WoW with myself for now.
I probably don't have the solution for you but thought I'd share some thoughts.
People can connect to my server but that website you linked at the end does also say that the ports are closed for me as well so I'm not sure how trustworthy it is.
When I first made my server the DB realmlist change was the fix that worked for me but since you already seem to have done that I'm afraid I've no idea.
With that said, in HeidiSQL at least there were 2 places in realmlist you had to change the IP, in the Table:Realmlist and Data tabs.

Risks of creating a Minetest server on one's own network - Raspberry Pi 3 - Raspbian

I want to create a Minetest server on my Raspberry Pi 3 in my own network.
I know some discussions have been made (like Any risks in installing my own http server?), but I want to create a Minetest server.
I would like to know
• If it's dangerous to create a server in my own network
• If I can make a protection if it's dangerous.
Thanks
PS : Sorry for the mistakes, I'm French!
I'm going to assume here that you're intending to serve this internally. You certainly wouldn't want to put an external game server on a network that was also shared by your household. The Raspberry Pi is assumed to be internal itself without a public IP or any way to be addressed beyond the local network.
Realistically speaking, you can probably assume an internal network is safe enough for inconsequential internal services, if physical and wireless access is adequately controlled. Looks like minetest is a game server, so unless you combine its server with other far more sensitive tasks, it's not like there's any dire consequence to unauthorized access.
But that perspective does seem a little naive, doesn't it? If access were to occur, the raspberry pi could probably be compromised, and from there, the IoT devices in the home, other private services, etc are at risk too. So, perhaps you're just a little too paranoid / experienced / virtuous to leave it at that.
If so, we can probably assume that the connection itself doesn't support much in the way of encryption, but it's likely we can successfully tunnel the connection in any number of ways to add an encryption layer "between" client and server.
The simplest of these is probably ssh. You're already using it to manage your raspberry pi, probably, and if you're not, you might want to (I for one need copy/paste between web and terminal, and I don't want to run gui on pi!). SSH offers a much higher standard of security than most protocols.
Conceptually, you execute an ssh client locally on the game client, configured to open a local port on the game client and forward packets received on that port to a remote port on the ssh server. The remote port need not be accessible on the network directly, only ssh (the game server would listen on localhost). The ssh tunnel uses strong encryption methods to pass the traffic over the untrusted network (yours, or perhaps any network for some traffic).
The process when implemented, would look something like this:
• activate ssh server on pi if not yet done,
• obtain ssh client for game client machine. (PuTTY for old windows, built in for linux or osx etc, new windows might have better support).
• generate ssh keypair on client (each client should do these steps. private keys are ideally never transferred.)
• add public key to ssh user on pi and verify that you can login without password
• Use SSH tunnel in your client to create a local port that tunnels to the remote game server port. https://www.skyverge.com/blog/how-to-set-up-an-ssh-tunnel-with-putty/ looks like a good PuTTY tutorial, https://www.revsys.com/writings/quicktips/ssh-tunnel.html looks decent for unixy environs.
I prefer to take the safe and lazy route, assuming no network is necessarily secure, and weighing the convenience of accessibility against the security concerns. Using an ssh tunnel is, once you get used to it, a simple and straightforward way to access services across any untrusted network, be it your own, a public wifi, or the internet at large.
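Added example, written for this page and not part of the answer above nor of ssh or PuTTY: the port-mapping half of the last step, `ssh -L local-port:localhost:game-port pi` (the same `-L` shape as the mysql answer in the first thread), as a single `select()` loop in Python. It accepts game clients on a local port, opens one outbound connection to the game server per client and copies bytes both ways, handling every connection in one thread. In real use the listening half runs on the game client and the outbound half inside sshd on the Pi, with the encrypted ssh transport between them; here both halves sit in one process and the encryption is absent. The echo service standing in for the game server, the ports and the messages are constructed for the demo.

```python
import queue
import select
import socket
import threading


def local_forward(listen_host, listen_port, target_host, target_port, ready=None):
    """Accept clients on listen_host:listen_port; for each one open an outbound
    connection to target_host:target_port and copy bytes both ways.  A single
    select() loop multiplexes every client; there is no thread per connection.
    If `ready` is a Queue, the port actually bound is put on it (useful with port 0)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((listen_host, listen_port))
    listener.listen(8)
    if ready is not None:
        ready.put(listener.getsockname()[1])
    peers = {}  # socket -> the socket its bytes are copied to (both directions present)
    while True:
        readable, _, _ = select.select([listener, *peers], [], [])
        for s in readable:
            if s is listener:
                client, _ = listener.accept()
                upstream = socket.create_connection((target_host, target_port))
                peers[client], peers[upstream] = upstream, client
            elif s in peers:  # skip sockets already closed earlier in this pass
                try:
                    data = s.recv(4096)
                except OSError:
                    data = b""  # reset by peer: treat like EOF
                other = peers[s]
                if data:
                    other.sendall(data)
                else:  # EOF on one side: close the pair and forget it
                    for x in (s, other):
                        peers.pop(x, None)
                        x.close()


def start_echo_service(host="127.0.0.1"):
    """Stand-in for the game server on the Pi, bound to loopback only
    (constructed for the demo).  Returns the port the OS chose."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(8)

    def handle(conn):
        with conn:
            while True:
                data = conn.recv(4096)
                if not data:
                    return
                conn.sendall(data)

    def run():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def demo(message=b"minetest client hello"):
    """Start service and forwarder on loopback, send `message` through the
    forwarded port and return what comes back."""
    service_port = start_echo_service()
    ready = queue.Queue()
    threading.Thread(target=local_forward,
                     args=("127.0.0.1", 0, "127.0.0.1", service_port, ready),
                     daemon=True).start()
    local_port = ready.get(timeout=5)
    with socket.create_connection(("127.0.0.1", local_port)) as c:
        c.sendall(message)
        got = b""
        while len(got) < len(message):
            chunk = c.recv(4096)
            if not chunk:
                break
            got += chunk
    return got


if __name__ == "__main__":
    print(demo())
```

The game client never learns the game server's address; it only talks to the local port, which is why the game server can stay bound to 127.0.0.1 on the Pi and be reachable to nobody who has not first authenticated to ssh.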

Tunneling a network connection into a VMWare guest without network

I'm trying to establish a TCP connection between a client machine and a guest VM running inside an ESXi server. The trick is that the guest VM has no network configured (intentionally). However the ESX server is on the network, so in theory it might be possible to bridge the gap with software.
Concretely, I'd like to eventually create a direct TCP connection from python code running on the client machine (I want to create an RPyC connection). However anything that results in ssh-like port tunneling would be breakthrough enough.
I'm theorizing that some combination of VMWare Tools, pysphere and obscure network adapters could be possible. But so far, my searches don't yield any result and my only ideas are either ugly (something like tunneling over file operations) and/or very error prone (basically, if I have to build a TCP stack, I know I'll be writing lots of bugs).
It's for a testing environment setup, not production; but I prefer stability over speed. I currently don't see much need for high throughput.
To summarize the setup:
• Client machine (Windows/Linux, whatever works) with vmware tools installed
• ESXi server (network accessible from client machine)
• VMWare guest which has no NICs at all, but is accessible using vmware tools (must be Windows in my case, but a Linux solution is welcome for the sake of completeness)
Any ideas and further reading suggestions would be awesome.
Thank you Internet, you are the best!
The meaning of 'no NICs at all on guest' is not clear. If I can assume that what is meant here is that there are no physical NICs assigned for the guest, the solution is easy, as a vmWare soft NIC can be provisioned for the guest VM and that will serve as the entry point to the guest netstack.
But if the soft NIC is also not available, I really wonder how and what can serve as the entry point to the netstack of the guest, be it Linux/Windows. To my understanding, if that's what you meant, then you might need to make guest OS modifications to use a different door to access the guest netstack and to post/drain pkts from it. But again, when you do a proper implementation of this backdoor, it will become just another implementation of softNIC which vmware by default supports. So, why not use that?
It's a bit late but a virtual serial port may be your friend. You can pick the serial port on the outer end via network or locally depending on your options. Then you can have some ppp stuff or your custom script on both ends to communicate. You could also run some tool to create a single socket from the serial link on the guest end if you want to avoid having a ppp interface but still need to tunnel a TCP connection for some application.
This should keep you safe when analyzing malicious code as long as it's not skynet :-) You still should do it with the permission of the sysadmin as you may be violating your company's rules by working around some security measures.
If the VM 'intentionally' has no network configured, you can't connect to it over a network.
Your question embodies a contradiction in terms.

How to add remote servers to my network?

I have several virtual machines running on a server in network A. However, I need them to act as if they are part of network B (IPs, hostnames, etc.). What is the best approach to this?
EDIT: QEMU + KVM for virtualization.
I think you need to take a look at a VPN network then. Then you can contact your servers as if they are in the same network.
