FreedomBox for Communities/Remote Connection

From Wikibooks, open books for an open world
Jump to navigation Jump to search

Sometimes a group of technologist take on the responsibility of managing many community networks setup with FreedomBox. They can't always be present physically to manage or debug problems with the network. In such cases, the ability to remotely connect to FreedomBox server on the community networks can prove very helpful. After connecting to the FreedomBox via a secure shell, the administrator of the network can further get the status of various services and hardware equipment such as Wi-Fi access points. Many times, problems can be fixed remotely.

When a FreedomBox network has a public IP address given by its ISP, then it might be possible to directly connect to the FreedomBox machine as the network will be configured to forward all requests from the Internet to FreedomBox machine. In these cases, an administrator can remotely login using a secure shell connection or access FreedomBox web administration interface.

However, a public IP address may not be provided by an ISP. In such cases, the following methods could be used to connect to a FreedomBox instance in the community from outside.

Reverse SSH[edit]

In this approach, a Secure Shell (SSH) connection is made from the FreedomBox machine to a intermediate server. This connection is always kept alive by reconnecting whenever the connection breaks. This SSH connection is somewhat special in that it allows someone to connect back the machine from which the connection is made.

This method, to no surprise, requires an always-on intermediate server which is publicly reachable. This server could be provisioned on a hosting provider or on a different network managed by the administrator of the FreedomBox network.

Intermediate Server[edit]

Execute the following steps on the server that will be used as intermediary between the FreedomBox server on the community network and the administrator's machine.

  1. Create a new user one for each community being administered.
    sudo adduser [community]
    

    Provide a strong password.

FreedomBox Server Setup[edit]

Execute the following steps on the FreedomBox machine that serves the community. One must have already created an administrator user account, say admin, using web interface during initial setup of FreedomBox. Login as that user on the terminal, using Cockpit or using SSH.

  1. Create an SSH key for the user.
    ssh-keygen
    
  2. Add the public key just generated to the authorized keys list in intermediate server.
    ssh-copy-id [community]@[intermediate server]
    

    Provide the password for [community] user from the previous section.

  3. Create a service that always keeps an remote SSH tunnel open to the intermediate server.
    cat << EOF > /etc/systemd/system/ssh-remote.service
    [Unit]
    Description=Remote maintenance SSH tunnel
    Documentation=man:ssh(1)
    After=network.target
    
    [Service]
    ExecStart=/usr/bin/ssh -o ExitOnForwardFailure=yes -v [community]@[intermediate server] -C -N -R 4422:localhost:22
    Restart=always
    RestartSec=60s
    User=admin
    Group=admin
    
    [Install]
    WantedBy=multi-user.target
    EOF
    

    The Restart=always ensures that when the command fails, systemd will automatically restart it. RestartSec=60s makes the interval between each restart attempt to be at least 60 seconds. It also makes sure that too many failures don't lead to systemd permanently halting the process. The port 4422 above must be unique for each community that maintains a tunnel to the intermediate machine. Allocate a different port number for each community you manage.

  4. Reload systemd to read the new service file created in the previous step.
    systemctl daemon-reload
    
  5. Ensure that the service starts automatically after each boot.
    systemctl enable ssh-remote
    
  6. Start the service or reboot the machine.
    systemctl start ssh-remote
    

Administrator's Machine Setup[edit]

Execute the following steps on the administrator's machine. This is merely to ease the login process into FreedomBox machine.

  1. Setup SSH configuration by editing `~/.ssh/config`.
    Host [community]
        HostName localhost
        Port 4422
        ProxyJump [community]@[intermediate server]
        User [admin]
    

    The port number 4422 will be different for each community as allocated in the previous section.

  2. Create and copy administrator's SSH key to authorized keys lists of intermediate server and community's FreedomBox server.
    ssh-copy-id [community]@[intermediate-server]
    ssh-copy-id [admin]@[community]
    
  3. Login from administrator's machine
    ssh [admin]@[community]
    
  4. To use the FreedomBox administration web interface, open an SSH tunnel to the FreedomBox machine:
    ssh -N -L 4443:localhost:443 [admin]@[community]
    

    Open browser and go to the following URL: https://localhost:4443/plinth.

Tor Onion Service[edit]

In this approach, the Tor network will be used connect to the FreedomBox machine from the Internet. A server hosting a Tor Onion Service (previously known as Tor Hidden Service) does not need to have a public IP address. The server hosting the service will initiate a connection to the Tor network and register itself for providing a service. When a client wants to connect to the service, nodes in the Tor network will forward the traffic to the server machine via the connection it has initiated. This is similar to intermediate server approach above but is much more easier to setup as the administrator can use the Tor network instead of provisioning a separate server to act as intermediate server.

FreedomBox Server Setup[edit]

  1. Login in to FreedomBox web interface as administrator. Click on Tor in Apps. Install Tor when prompted. Make sure Enable Tor is checked and Enable Hidden Service is checked. You may uncheck Enable Tor Relay, Enable Tor Bridge Relay and Download software packages over Tor options. They are not relevant. Submit the configuration changes.
  2. Note down the onion service address. It ends with .onion.

Administrator's Machine Setup[edit]

Execute the following steps on the administrator's machine. The following steps are for a machine running Debian GNU/Linux.

  1. Install Tor.
    sudo apt install tor
    
  2. Edit SSH configuration so that Tor is used to connect to the server. Edit ~/.ssh/config and the following lines.
    Host [community]-tor
        HostName [onion service address].onion
        ProxyCommand ncat --proxy 127.0.0.1:9050 --proxy-type socks5 %h %p
        User [admin]
    
  3. Copy your SSH key to the remote server.
    ssh-copy-id [admin]@[community]-tor
    
  4. Login to the server.
    ssh [admin]@[community]-tor
    
  5. To access the FreedomBox's web administration interface, download and unzip Tor Browser Bundle. Open FreedomBox administration page in Tor Browser Bundle using the following URL https://[hidden service address].onion/plinth/.