-
Notifications
You must be signed in to change notification settings - Fork 17
use case 3
Related artifacts:
- Hololens used for remote maintenance at Weidmüller
- Connects via an access point to Weidmüller Kubernetes server
- On the server, a proxy and VPN client is running as a CNF/Docker container on k8s
- The VPN client connects to the VPN server, which is running on a VM at UPB
- The Hololense connects via the proxy and the VPN connection to the internet such that the traffic is isolated and secure
Problem: Skype traffic uses many TCP and UPD ports and not just HTTP and sends traffic not through the proxy... But sufficient for Skype control traffic and any other video streams, eg, YT, or websites.
- Using
fgcn-tango-vpn.cs.upb.de
as VPN server and CA machine - OpenVPN default port is 1194, which is open from the outside (not just within University network)
TODO Kai
Option 1 (recommended): Pull the image from Docker hub
docker pull sonatanfv/vnf-proxyvpn:latest
Option 2: Build the image manually using the Dockerfile
cd vnfs
./build_usecase3.sh
Start the proxy and VPN client in a container. Needs privileged mode to enable tunneling (does not work on Windows!).
docker run -d --rm -p 3128:3128 -p 1194:1194/udp --privileged --name vnf-proxyvpn sonatanfv/vnf-proxyvpn:latest
First check the local IP address without the proxy and VPN connection:
curl ifconfig.me
This should return your local IP address. Then do a curl
using the container as proxy (port 3128):
curl --proxy 127.0.0.1:3128 ifconfig.me
This should show the IP address of the VPN server, which is 131.234.28.141
, not your local IP address.
With Firefox, configure the proxy settings via the browser's preferences (network settings). Chrome uses the system-wide configured proxy (Ubuntu GUI: Settings, Netework Proxy).
Proxy settings: Manual. Proxy 127.0.0.1
for HTTP, HTTPS, etc. with port 3128
.
If no GUI is available via the command line:
export HTTPS_PROXY=172.17.0.1:3128 # or HTTP_PROXY
Then Internet access should only be possible if the container is running. Try to access any website or streaming a video.
- Create tunnel interfaces at computer/access point of Hololens and at container
- Tunnel all traffic, including Skype traffic
- Need root permissions in container for creating tunnel interfaces
TODO
- http://www.dest-unreach.org/socat/doc/socat-tun.html
- Simple, but probably slow
Build Docker image
cd vnfs
./build_usecase3.sh
Run container with Socat TUN server:
docker run -d --rm -p 11443:11443 --privileged --name vnf-socat sonatanfv/vnf-socat:latest
Connect to running container with Socat TUN client (on same machine). This will block. can be terminated with ctrl+c, which will also stop the docker container.
sudo socat TCP:127.0.0.1:11443 TUN:192.168.255.2/24,up
# alternatively from another machine, replace 127.0.0.1 with the IP/DNS of the first machine, eg:
sudo socat TCP:schneider-dev.cs.upb.de:11443 TUN:192.168.255.2/24,up
Test the connection (on same machine, new terminal):
# on the machine, ping the Docker container
ping 192.168.255.1
https://how-to.fandom.com/wiki/How_to_set_up_a_NAT_router_on_a_Linux-based_computer
https://www.revsys.com/writings/quicktips/nat.html
Use the server's tunnel interface (IP 192.168.255.1
) as default gateway for all Internet traffic:
# check existing routes
route -n
# add new default gw
sudo route add default gw 192.168.255.1
# check again that the new route is there
route -n
Ensure that IP forwarding is enabled:
sysctl net.ipv4.ip_forward # should be 1, not 0
# else
echo 1 > /proc/sys/net/ipv4/ip_forward
Share the Internet access from eth0
through the tunnel interface tun0
(NAT):
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
In theory this should now allow pinging any public IP address (eg 216.58.207.46
of Google) from the client via the tunnel through the server's internet access. Unfortunately, it doesn't work (for me).
- I don't have Internet access anymore on the client. Pinging doesn't work.
- During
ping
, the TX packet counter at the client increases, so the client configuration seems to work and send all traffic to the tunnel interface - But the RX packet count at the server does not increase. So the packets apparently don't even arrive at the server. Neither for public IPs nor for the IP of the server's tunnel interface.
- Is it possible that the
sudo route add default gw 192.168.255.1
destroys the Internet connection over which the tunnel works such that the tunnel doesn't work anymore?
- Try pinging each other and outside IP addresses.
- Use
watch ifconfig
to see if the packet counter is increasing and for which interface. - The
tun0
interface only shows up inifconfig
aftersocat
is started on both client and server.