From 020662dc70d230e9bb81c4cb2742286661d2972d Mon Sep 17 00:00:00 2001 From: grok13 <76906369+grok13@users.noreply.github.com> Date: Sun, 6 Feb 2022 23:54:59 +0100 Subject: [PATCH 1/2] Add Tailscale section to securing-your-node.md I put together a section to add to "Securing your Node" describing how to install Tailscale. Sources: 1) https://www.reddit.com/r/rocketpool/comments/rkgyn8/guide_how_to_seamlessly_access_your_rocket_pool/ (I didn't add the point 8 about global nameservers, I don't know if it's needed) 2) https://tailscale.com/kb/1039/install-ubuntu-2004/ 3) https://tailscale.com/kb/1077/secure-server-ubuntu-18-04/ I'm not an expert, so give a good look at it! --- src/guides/node/securing-your-node.md | 91 +++++++++++++++++++++++++++ 1 file changed, 91 insertions(+) diff --git a/src/guides/node/securing-your-node.md b/src/guides/node/securing-your-node.md index c271c27e..336ea938 100644 --- a/src/guides/node/securing-your-node.md +++ b/src/guides/node/securing-your-node.md 
@@ -650,5 +650,96 @@ Finally, restart the service: sudo systemctl restart fail2ban ``` + +## (Optional) Install Tailscale + +::: Warning NOTE + Consider this section only if you intend to connect to you **node machine** remotely. +::: + +Tailscale is an open source p2p VPN tunnel and hosted endpoint discovery service ([how it works](https://tailscale.com/blog/how-tailscale-works/)). This facilitates all the NAT traversal required to establish an end-to-end encrypted path between your machine and your node without sending any sensitive traffic to a centralized server. + +In short, you will be able to SSH securely into your node **and** monitor your Graphana dashboard from anywhere in the world and without exposing your SSH port to the internet. + +First, create a free account on [Tailscale](https://tailscale.com/). For extra protection you may consider using a Google Account with [Advanced Protection](https://landing.google.com/advancedprotection/) enabled. + +Follow their onboarding to install Tailscale on your **client**. You should see your computer as 'connected' on the [Tailscale dashboard](https://login.tailscale.com/admin/machines). + +Now it's the time to install Taiscale on your node ([source](https://tailscale.com/kb/1039/install-ubuntu-2004/), [source](https://tailscale.com/kb/1077/secure-server-ubuntu-18-04/)). **Run these on the node machine.** + +Add Tailscale’s package signing key and repository: + +```shell +curl -fsSL https://pkgs.tailscale.com/stable/ubuntu/focal.gpg | sudo apt-key add - +curl -fsSL https://pkgs.tailscale.com/stable/ubuntu/focal.list | sudo tee /etc/apt/sources.list.d/tailscale.list +``` +Install Tailscale: + +```shell +sudo apt-get update +sudo apt-get install tailscale +``` +Authenticate and connect your machine to your Tailscale network: + +```shell +sudo tailscale up +``` + +You’re connected! 
You can find your Tailscale IPv4 address by running: + +```shell +tailscale ip -4 +``` +You should now see your node machine added to the on the [Tailscale dashboard](https://login.tailscale.com/admin/machines). +You may also change the name of the **node machine** through the dashboard, e.g. to `rocketnode`. + +It is suggested to [disable key expiry](https://tailscale.com/kb/1028/key-expiry) to prevent the need to periodically re-authenticate. + +You should now be able to `exit` the session and ssh again into the **node machine** through Tailscale using `ssh your.user@rocketnode`. + +::: Warning NOTE +In case you modified the ssh port of the **node machine** by editing `/etc/ssh/sshd_config` you should either make it `22` again or use `ssh your.user@rocketnode -p your.port` +::: + +You can now also visit `rocketnode:3001`in your web browser to access your Grafana dashboard from your **client**. + +In case the connection is working, you can now set a rule to accept any incoming ssh connections over Tailscale. **Run these on the node machine.** + +```shell +sudo ufw allow in on tailscale0 comment +sudo ufw allow 41641/udp +``` +Remove the ssh port added before from the firewall: + +```shell +sudo ufw delete "22/tcp" comment 'Allow SSH' +``` +Once you’ve set up firewall rules to restrict all non-Tailscale connections, restart ufw and ssh: + +```shell +sudo ufw reload +sudo service ssh restart +``` +Let's make sure that everything is working as expected. +First, let’s `exit` the existing ssh session (remember to keep one backup ssh session). + +Then, let’s try to connect to the **node machine** with its public address. You should see that we’re not able to connect, and the operation times out: + +```shell +ssh your.user@server.public.ip + +ssh: connect to host port 22: Operation timed out +``` +Now, let’s try to ssh in using the Tailscale IP address: + +```shell +ssh your.user@rocketnode +``` + +If it works, you did everything right! 
+ +Feel free to remove the port forwarding in the router for the ssh connection as well. + + And with that, you've just greatly improved the security posture of your node. Congratulations! From 1f1b29c66018bf13c24781c79a01928eae322a52 Mon Sep 17 00:00:00 2001 From: grok13 <76906369+grok13@users.noreply.github.com> Date: Mon, 7 Feb 2022 10:44:48 +0100 Subject: [PATCH 2/2] UFW comments fix --- src/guides/node/securing-your-node.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/guides/node/securing-your-node.md b/src/guides/node/securing-your-node.md index 336ea938..f899de3c 100644 --- a/src/guides/node/securing-your-node.md +++ b/src/guides/node/securing-your-node.md @@ -706,8 +706,8 @@ You can now also visit `rocketnode:3001`in your web browser to access your Grafa In case the connection is working, you can now set a rule to accept any incoming ssh connections over Tailscale. **Run these on the node machine.** ```shell -sudo ufw allow in on tailscale0 comment -sudo ufw allow 41641/udp +sudo ufw allow in on tailscale0 comment 'Allow Tailscale' +sudo ufw allow 41641/udp comment '(Optional) Extra Tailscale port in case of difficult networks' ``` Remove the ssh port added before from the firewall:
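Review bot: `sudo ufw delete "22/tcp" comment 'Allow SSH'` in the "Remove the ssh port added before" step is not valid ufw syntax and will fail, leaving the public SSH port open while the text tells the reader it is now closed. `ufw delete` takes either a rule number or the original rule including its action, so this should be `sudo ufw delete allow 22/tcp`, or `sudo ufw status numbered` followed by `sudo ufw delete <number>`. The NOTE a few lines earlier also concedes the reader may have moved SSH off port 22 in `/etc/ssh/sshd_config`, so the rule to delete has to be whichever port was allowed earlier, not a hard-coded 22; say so. Related inconsistencies in the same hunk: the verification step says "ssh in using the Tailscale IP address" but then runs `ssh your.user@rocketnode`, which resolves only if MagicDNS is enabled for the tailnet; either use the address from `tailscale ip -4` there or state that MagicDNS must be turned on. `sudo service ssh restart` is not needed for a firewall change and is the one command in the sequence that can drop the remaining session, so keep `sudo ufw reload` alone. The "disable key expiry" suggestion deserves a one-line caveat that a node key which never expires stays valid until someone revokes it in the admin console. `apt-key add` is deprecated on current Debian and Ubuntu releases; prefer writing the key into `/usr/share/keyrings/` and referencing it with `signed-by` in the sources list. Style: "Graphana" and "Taiscale" are typos, "added to the on the" has a stray phrase, a space is missing in "`rocketnode:3001`in", "connect to you **node machine**" should be "your", and the container tag `::: Warning NOTE` should match the lowercase `::: warning NOTE` used by VuePress elsewhere in these docs.

Review bot: the comment added to `sudo ufw allow 41641/udp` calls the rule "(Optional) Extra Tailscale port in case of difficult networks", yet the prose still presents it as a required step with no explanation; state in the text what it is for (41641/udp is tailscaled's default WireGuard listen port, and opening it lets peers reach the node directly instead of through a relay) and when it can be skipped, or move it out of the mandatory block. Also worth a sentence beside `sudo ufw allow in on tailscale0 comment 'Allow Tailscale'`: with no port given, this admits every service the node listens on to every device in the tailnet, not only SSH and Grafana on 3001; that is what the guide wants here, but it should be said explicitly, or the rule narrowed to the two ports the section actually uses.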