
Stefan Schneider edited this page Dec 19, 2019 · 24 revisions

Use Case 3

Related artifacts:

New approach: Tunneling of all traffic

  • Create tunnel interfaces at the computer/access point of the Hololens and in the container
  • Tunnel all traffic, including Skype traffic
  • Creating tunnel interfaces needs root permissions in the container (hence the privileged mode used below)

Option 1: SSH Tunneling

TODO

Option 2: Tunneling with Socat

Preparation

Build Docker image

cd vnfs
./build_usecase3.sh

Run container and connect

Run container with Socat TUN server:

docker run -d --rm -p 11443:11443 --privileged --name vnf-socat sonatanfv/vnf-socat:latest

Connect to the running container with a Socat TUN client (on the same machine). This command blocks; it can be terminated with Ctrl+C, which will also stop the Docker container.

sudo socat TCP:127.0.0.1:11443 TUN:192.168.255.2/24,up
# alternatively from another machine, replace 127.0.0.1 with the IP/DNS of the first machine, eg:
sudo socat TCP:schneider-dev.cs.upb.de:11443 TUN:192.168.255.2/24,up

Test the connection (on the same machine, in a new terminal):

# on the machine, ping the Docker container
ping 192.168.255.1

Configure routes to send all relevant traffic through the tunnel

https://how-to.fandom.com/wiki/How_to_set_up_a_NAT_router_on_a_Linux-based_computer

https://www.revsys.com/writings/quicktips/nat.html

At the client (the computer/access point of the Hololens)

Use the server's tunnel interface (IP 192.168.255.1) as the default gateway for all Internet traffic:

# check existing routes
route -n

# add new default gw
sudo route add default gw 192.168.255.1

# check again that the new route is there
route -n

At the server (inside the Docker container)

Ensure that IP forwarding is enabled:

sysctl net.ipv4.ip_forward    # should be 1, not 0

# else
echo 1 > /proc/sys/net/ipv4/ip_forward

Share the Internet access from eth0 through the tunnel interface tun0 (NAT):

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
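The route and NAT steps above, collected into one script as an added example (this is not code from the wiki page or the sonata-nfv project). Two things it does that a bare route add default gw does not: before switching the default route into the tunnel, it pins the tunnel server's address to the original uplink with a /32 host route, so the TCP connection that carries the tunnel is not itself routed into tun0; and it refuses to run when it cannot find the original default route. Assumptions not stated on the page: client and server are different machines (when the container runs on the client host itself, the container's own Internet access is forwarded by the host's routing table, so a host default route into the tunnel sends that traffic back into the tunnel); the server's TUN address is 192.168.255.1 on tun0; iproute2 (ip) is used instead of net-tools route; 203.0.113.10 is a constructed example server address.

```shell
#!/usr/bin/env bash
# Added example (not from the original wiki page): routing and NAT set-up for
# the socat TUN tunnel, written as shell functions so each step can be checked.
#
# Assumptions not stated on the page:
#   - client and server are DIFFERENT machines (see lead-in);
#   - the server's TUN address is 192.168.255.1 and its interface is tun0;
#   - iproute2 (`ip`) is available on the client instead of net-tools `route`;
#   - with DRY_RUN=1 the commands are printed instead of executed.
set -u

DRY_RUN="${DRY_RUN:-0}"

# Execute a command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Gateway of the first default route in `ip route` output read from stdin.
parse_default_gw() {
    awk '$1 == "default" && $2 == "via" { print $3; exit }'
}

# Outgoing interface of the first default route in `ip route` output on stdin.
parse_default_dev() {
    awk '$1 == "default" { for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Client side. Arguments: <tunnel-server-ip> <tunnel-gateway> <ip-route-output>
# 1. Pin the tunnel server to the ORIGINAL gateway with a /32 host route, so the
#    TCP connection that carries the tunnel is never itself routed into tun0.
# 2. Only then make the tunnel peer the default gateway.
# A server on loopback (same host) needs no host route: lo is always preferred.
client_route_setup() {
    local server_ip="$1" tun_gw="$2" routes="$3"
    local orig_gw orig_dev
    orig_gw="$(printf '%s\n' "$routes" | parse_default_gw)"
    orig_dev="$(printf '%s\n' "$routes" | parse_default_dev)"
    if [ -z "$orig_gw" ] || [ -z "$orig_dev" ]; then
        echo "client_route_setup: no default route found, refusing to continue" >&2
        return 1
    fi
    case "$server_ip" in
        127.*) ;;   # loopback: nothing to pin
        *) run ip route add "${server_ip}/32" via "$orig_gw" dev "$orig_dev" ;;
    esac
    run ip route replace default via "$tun_gw" dev tun0
}

# Server side (inside the privileged container): forwarding plus NAT from the
# tunnel interface to the container's uplink. Arguments: [uplink] [tun]
server_nat_setup() {
    local uplink="${1:-eth0}" tun="${2:-tun0}"
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A POSTROUTING -o "$uplink" -j MASQUERADE
    run iptables -A FORWARD -i "$uplink" -o "$tun" -m state --state RELATED,ESTABLISHED -j ACCEPT
    run iptables -A FORWARD -i "$tun" -o "$uplink" -j ACCEPT
}

# Usage on the client (203.0.113.10 is a constructed example server address):
#   ORIG_ROUTES="$(ip route)"          # save before anything changes
#   sudo socat TCP:203.0.113.10:11443 TUN:192.168.255.2/24,up &
#   sleep 1; sudo bash -c ". $0; client_route_setup 203.0.113.10 192.168.255.1 '$ORIG_ROUTES'"
# Usage in the container: server_nat_setup eth0 tun0
```

Run it first with DRY_RUN=1 to see the exact ip and iptables commands that would be issued; the saved ORIG_ROUTES output is also what you need to restore the original default route afterwards.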

FIXME!

In theory, this should now allow pinging any public IP address (e.g., 216.58.207.46, a Google address) from the client via the tunnel and the server's Internet access. Unfortunately, it doesn't work (for me).

  • I don't have Internet access anymore on the client. Pinging doesn't work.
  • During ping, the TX packet counter at the client increases, so the client configuration seems to work and sends all traffic to the tunnel interface.
  • But the RX packet count at the server does not increase, so the packets apparently don't even arrive at the server. Neither for public IPs nor for the IP of the server's tunnel interface.
  • Is it possible that sudo route add default gw 192.168.255.1 destroys the Internet connection over which the tunnel works, such that the tunnel doesn't work anymore?

Debugging

  • Try pinging each other and outside IP addresses.
  • Use watch ifconfig to see whether the packet counters increase, and on which interface.
  • The tun0 interface only shows up in ifconfig after socat is started on both client and server.

Old VPN approach

Scenario

industry-pilot-ns3

  • Hololens/Skype is used for remote maintenance at Weidmüller
  • It connects via an access point to the Weidmüller Kubernetes server
  • On the server, a proxy and a VPN client run as a CNF (Docker container) on k8s
  • The VPN client connects to the VPN server, which runs on a VM at UPB
  • The Hololens/Skype reaches the Internet via the proxy and the VPN connection, so that its traffic leaves the site only through the encrypted VPN tunnel

Problem: Skype traffic uses many TCP and UDP ports and does not send all of its traffic through the proxy...

VPN Server

  • Using fgcn-tango-vpn.cs.upb.de as VPN server and CA machine
  • The OpenVPN default port 1194 is used; it is open from the outside (not just within the University network)

Server setup

TODO

Use Case Steps

1. Build or pull the Docker image

Option 1 (recommended): Pull the image from Docker hub

docker pull sonatanfv/vnf-proxyvpn:latest

Option 2: Build the image manually using the Dockerfile

cd vnfs
./build_usecase3.sh

2. Start the Docker container

Start the proxy and VPN client in a container. Needs privileged mode to enable tunneling (does not work on Windows!).

docker run -d --rm -p 3128:3128 -p 1194:1194/udp --privileged --name vnf-proxyvpn sonatanfv/vnf-proxyvpn:latest

3. Check the connection with curl

First check your public IP address without the proxy and VPN connection:

curl ifconfig.me

This should return the public IP address of your own Internet access. Then do a curl using the container as proxy (port 3128):

curl --proxy 127.0.0.1:3128 ifconfig.me

This should show the IP address of the VPN server, which is 131.234.28.141, not your own IP address.

4. Test with Skype

https://support.skype.com/en/faq/FA1017/can-i-connect-to-skype-through-a-proxy-server

Before starting Skype, set the env var HTTPS_PROXY as follows:

export HTTPS_PROXY=172.17.0.1:3128