Tinc vpn 2 interfaces bridging

Hello everyone, this is my first post in the community, so I hope I won't screw up.
First of all, I want to apologize for any future spelling mistakes; I'm not a native English speaker.
I'm a noob when it comes to networking. My problem is as follows:

I have 3 Linodes running Ubuntu 18.04 LTS; I will name them Linode1, Linode2 and Linode3.
All 3 Linodes are in the same data center (Singapore).
Every Linode has a 192.168.xx.xx private IP (Linode private networking).
I plan to create a VPN mesh between the 3 Linodes.
The servers must connect over the private network (192.168.xx.xx), not over the public one.
BUT one server, let's say Linode3, must be connected to the mesh (192.168.xx.xx) but also listen for connections on the public IP so I can connect with my home PC.
Once my home PC is connected to the tinc daemon on Linode3, I must be in the same tinc network (10.0.0.xx) as Linode1 and Linode2 and be able to connect to their services (www, ssh, ftp, etc.).
BUT only Linode3 must listen on the public IP.

I hope I explained this well enough.

For further understanding, I'll explain my goal:

On Linode 1 I will host websites for my clients.
On Linode 2 I will host a control panel for my clients, webmail and a cloud server (maybe ownCloud).
Linode3 is only for me, to administer the other servers more securely.

So I don't have any vital ports open to the public (ssh, Webmin), and also any person visiting a client's website won't be able to find any control panel to exploit or email to hack. Webmin, ssh and any other administrative service would be accessible only on the VPN network.

I will try to make some kind of visual representation of what I want if this is not clear enough.

AND a second question: how do I find the interface name that is used for the private 192.168.xx.xx network? By typing ifconfig I only get eth0 (public IP) and lo.

What I am asking might be nonsense, but as I said, I'm a noob at this kind of thing. I'm trying to learn.
Thank you in advance !
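
The layout described in the question, as an added example that is not part of the original post: a shell function that writes tinc 1.0 configuration in which Linode1 and Linode2 listen only on their private addresses, Linode3 also listens on its public one, and the home PC dials only Linode3. Node names, the tun0 interface name and every address (192.168.0.x, 203.0.113.10, 10.0.0.x) are constructed placeholders.

```shell
#!/bin/sh
# Added example. Node names and all addresses are constructed placeholders;
# the tinc 1.0 option names (Name, BindToAddress, ConnectTo, Address, Subnet)
# are real.

# write_tinc_node OUTDIR NAME VPN_IP PRIVATE_IP|- PUBLIC_IP|- [PEER...]
# Writes OUTDIR/tinc.conf, OUTDIR/hosts/NAME and OUTDIR/tinc-up.
write_tinc_node() {
    outdir=$1; name=$2; vpn_ip=$3; private_ip=$4; public_ip=$5
    shift 5
    mkdir -p "$outdir/hosts"
    {
        echo "Name = $name"
        echo "AddressFamily = ipv4"
        echo "Interface = tun0"
        # Without BindToAddress, tincd listens on every local address.
        if [ "$private_ip" != "-" ]; then echo "BindToAddress = $private_ip"; fi
        if [ "$public_ip" != "-" ]; then echo "BindToAddress = $public_ip"; fi
        for peer in "$@"; do echo "ConnectTo = $peer"; done
    } > "$outdir/tinc.conf"
    {
        # Addresses other nodes dial to reach this node, tried in order.
        if [ "$private_ip" != "-" ]; then echo "Address = $private_ip"; fi
        if [ "$public_ip" != "-" ]; then echo "Address = $public_ip"; fi
        echo "Subnet = $vpn_ip/32"
    } > "$outdir/hosts/$name"
    # tinc-up runs when the VPN interface is created and assigns the VPN IP.
    printf '#!/bin/sh\nip link set "$INTERFACE" up\nip addr add %s/24 dev "$INTERFACE"\n' \
        "$vpn_ip" > "$outdir/tinc-up"
    chmod +x "$outdir/tinc-up"
}

# build_mesh ROOT: the three Linodes plus the home PC from the question.
build_mesh() {
    root=$1
    write_tinc_node "$root/linode1" linode1 10.0.0.1 192.168.0.11 - linode2 linode3
    write_tinc_node "$root/linode2" linode2 10.0.0.2 192.168.0.12 - linode1 linode3
    write_tinc_node "$root/linode3" linode3 10.0.0.3 192.168.0.13 203.0.113.10 linode1 linode2
    # The home PC has no private address, publishes no Address and dials only linode3.
    write_tinc_node "$root/homepc" homepc 10.0.0.100 - - linode3
}
```

Run `build_mesh ./out`, copy each node's directory to `/etc/tinc/<netname>/`, and generate keys there with `tincd -n <netname> -K`. Nodes that connect to each other then need each other's `hosts/` files.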

2 Replies

Welcome to Linodia @cbits. Your English is great!

Down to business. I've broken down my recommended architecture below for you:

                                            --Private Network --> Linode 2
    Internet --> Cloudflare(?) --> Linode 1
                                            --Private Network --> Linode 3

Linode 1: Apache Web Server ; Ubuntu 18.04. This will be the Linode serving client websites and have an exposed Public IP address. You can set this up like any old web server. If it's a small site our cheapest $5 Nanode would probably work. Follow the guide below to install the LAMP Stack.

https://www.linode.com/docs/web-servers/lamp/install-lamp-stack-on-ubuntu-18-04/

If you wanted to hide the public IP address, you could use a service like Cloudflare, which acts as a reverse proxy. It can also mitigate risk from bots and DDoS attacks. They have a free plan.

https://www.cloudflare.com/plans/

To make your infrastructure more redundant you could also utilize Apache's keepalive configuration parameter.

https://www.linode.com/docs/websites/host-a-website-with-high-availability/#keepalived

You would first clone the Linode and then edit the configuration file to fail over to the clone if it ever goes down. The guide below goes over how to complete the configuration in the Linode Manager:

https://www.linode.com/docs/platform/manager/remote-access/#configuring-ip-failover

Linode 2: Apache Web Server ; Ubuntu 18.04. You can follow the guide below for setting up cPanel.

https://www.pickaweb.co.uk/kb/install-and-setup-cpanel-on-a-linux-server/

You will also need to edit the iptables to make sure the firewall is only listening on intended private IP addresses - and drop public internet traffic.

https://www.linode.com/community/questions/17004/setup-private-networking-between-2-linodes

https://www.linode.com/docs/security/firewalls/control-network-traffic-with-iptables/#whitelist-blacklist-traffic-by-address

https://www.linode.com/docs/websites/cms/set-up-dns-services-on-cpanel/

Linode 3: Management Server ; Nagios ; Ubuntu 18.04. This will act as your management server. I generally recommend Nagios for this sort of thing. It's free, reliable and easy to deploy.

https://www.nagios.org/projects/nagios-core/

Also, same thing as Linode 2 for the iptables and private networking rules.

This setup would work unless you do not want your client websites on the public internet at all. Are they corporate intranet sites? Would you be authenticating any traffic via your management server first? Then my recommendation may not be what you are looking for. If so, it may be worth looking into setting up a peer-to-peer network.

https://www.linode.com/docs/networking/vpn/how-to-set-up-tinc-peer-to-peer-vpn/

Best,
Preston
Linode Support Team

Thank you very much for your reply @pambrosky. Following the tutorial helped me to understand how tinc works, and I managed to configure it the way I wanted.
I want to use tinc because I want to be able to easily deploy another Linode, from the same data center or not, and connect it to the tinc network.
It was so easy; after configuring tinc it was just a matter of iptables to shape my traffic the way I wanted. tinc is way easier than OpenVPN. Now my home PC is in the same network as my Linodes and I can manage all my Linodes without being worried about open ports.

I prefer Webmin Virtualmin over cPanel because it is open source and free.

As for Cloudflare, this would be my last resort. The free plan is for one website only, and I intend to host multiple sites. Most of the hosted websites would be websites for local businesses; in case of a DDoS attack I could block offending IPs or countries to minimize it (I think), or buy a Cloudflare plan for the affected domain or IP.

Thank you for the Nagios link this is golden !
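
A firewall ruleset matching the setup discussed in this thread, as an added example that is not from any of the posters: tinc's default port 655 is open only to mesh peers (and on the public address only for Linode3), while SSH and Webmin's default port 10000 are accepted only on the VPN interface. All addresses, the tun0 interface name and the peer lists are constructed assumptions.

```shell
#!/bin/sh
# Added example. Addresses are constructed placeholders. Rules are IPv4 only.

# emit_rules PRIVATE_IP PUBLIC_IP|- PUBLIC_TCP_PORTS|- VPN_IF PEER_PRIVATE_IP...
# Prints a ruleset in iptables-restore format.
#   PUBLIC_IP        "-" on nodes that must not accept tinc from the internet
#   PUBLIC_TCP_PORTS e.g. "80,443" on the web server, "-" for none
emit_rules() {
    private_ip=$1; public_ip=$2; public_ports=$3; vpn_if=$4
    shift 4
    echo "*filter"
    echo ":INPUT DROP [0:0]"
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # tinc between mesh members. Matched on addresses, not on -i, on the
    # assumption (from the question's ifconfig output) that eth0 is the only
    # physical interface and carries both the public and the private IP.
    for peer in "$@"; do
        for proto in tcp udp; do
            echo "-A INPUT -s $peer -d $private_ip -p $proto --dport 655 -j ACCEPT"
        done
    done
    # Only the entry node accepts tinc on its public address.
    if [ "$public_ip" != "-" ]; then
        for proto in tcp udp; do
            echo "-A INPUT -d $public_ip -p $proto --dport 655 -j ACCEPT"
        done
    fi
    # Services meant for the public (client websites).
    if [ "$public_ports" != "-" ]; then
        echo "-A INPUT -p tcp -m multiport --dports $public_ports -j ACCEPT"
    fi
    # SSH and Webmin are reachable only from the VPN subnet on the VPN interface.
    echo "-A INPUT -i $vpn_if -s 10.0.0.0/24 -p tcp -m multiport --dports 22,10000 -j ACCEPT"
    echo "COMMIT"
}

# Example invocations for the web server and for the entry node:
#   emit_rules 192.168.0.11 - 80,443 tun0 192.168.0.12 192.168.0.13
#   emit_rules 192.168.0.13 203.0.113.10 - tun0 192.168.0.11 192.168.0.12
```

Pipe the output to `iptables-restore --test` before loading it, since a mistake in a default-DROP INPUT chain cuts off the SSH session used to apply it. IPv6 traffic needs its own ip6tables ruleset.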
