# Varia hub documentation
by Roel Roscam Abbing

## Introduction

The '''varia hub''' is a collection of techniques that lets our server in varia act as a transit point, making other servers, whether located in varia or elsewhere, reachable over the internet.

This for example allows the Rosa machine, located in someone's house but otherwise not exposed to the public internet, to be reachable on hub.vvvvvvaria.org/rosa

This works based on three techniques:

* There is a Virtual Private Network (VPN) which connects the varia server and the other boxes
* The varia server is configured as a "jump host", which allows SSH from the public internet into machines on the VPN
* The varia server reverse proxies all web traffic on a subdomain to a host on the VPN, relying on wildcard certificates to make this easy

## VPN

For a general overview, look at VPN. For information on how to add a new machine to the VPN, have a look at How to add a new device to the VPN.

## Jump Hosts

A jump host is a host which is reachable on the public internet which provides access to an internal network (the VPN).

Configuring a jump host allows you to do <code>ssh rosa</code>, without even knowing where rosa is!

Schematically it works like this:

  Your Computer ----> Varia Server (with public IP) ----> Rosa (with unknown IP but on the VPN)

More in depth:

  Your Computer ----> jump@vvvvvvaria.org ----> friends@10.5.1.2

### Config notes for jump host

'''N.B. this has already been done, and does not need to be repeated.''' This is only for the sake of documenting.

The jump user is assumed to be shared among many people, some of whom are not part of Varia. It is what is required to get access to machines behind the VPN.
Therefore we need to configure it with restricted permissions, so that the account can be shared without worries and without risk of exploitation.

To make this work a common user called <code>jump</code> is made with:
  useradd -m -s /usr/sbin/nologin jump

N.B. a regular shell is disabled for this user (<code>/usr/sbin/nologin</code>).

Edit <code>/etc/ssh/sshd_config</code> to tweak the permissions:

 # Jump user is added to the allowlist of who can SSH to the varia machine
 AllowUsers jump

 # Further restrict what is possible over SSH with the jump user
 Match User jump
  PermitTTY no
  X11Forwarding no
  PermitTunnel no
  GatewayPorts no
  ForceCommand /usr/sbin/nologin
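To check that a server's <code>sshd_config</code> really yields these restrictions for the jump account, here is an added example (not part of this page or of the varia setup) that parses the file with sshd's precedence rules and reports what deviates. The keyword names are OpenSSH's; the Match handling only understands <code>Match User &lt;name&gt;</code>, and the sample text is constructed from the fragment above.

```python
# Constructed sample: the sshd_config fragment from this page (an
# AllowTcpForwarding line is left out; sshd defaults it to yes).
SAMPLE_SSHD_CONFIG = """\
AllowUsers jump
Match User jump
  PermitTTY no
  X11Forwarding no
  PermitTunnel no
  GatewayPorts no
  ForceCommand /usr/sbin/nologin
"""

# What a shared, jump-only account should end up with (keywords lowercased).
REQUIRED = {"permittty": "no", "x11forwarding": "no", "permittunnel": "no",
            "gatewayports": "no", "forcecommand": "/usr/sbin/nologin"}


def effective_opts(text, user):
    """Options sshd applies to `user`: within a section the first value of a
    keyword wins, and a matching Match block overrides the global section.
    Simplification: only the criteria `User <name>` is understood."""
    eff, global_opts, applies = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.replace("\t", " ").partition(" ")
        key, value = key.lower(), value.strip()
        if key == "match":
            applies = value.lower() == f"user {user}"
        elif applies is None:   # still in the global section
            global_opts.setdefault(key, value)
        elif applies:           # inside a Match block that covers `user`
            eff.setdefault(key, value)
    for key, value in global_opts.items():
        eff.setdefault(key, value)
    return eff


def audit_jump_user(text, user="jump"):
    """List what deviates from the lockdown above; empty means it matches."""
    eff = effective_opts(text, user)
    findings = [f"{key} is {eff.get(key)!r}, expected {wanted!r}"
                for key, wanted in REQUIRED.items() if eff.get(key) != wanted]
    if user not in eff.get("allowusers", "").split():
        findings.append(f"{user} is not in AllowUsers")
    # ProxyJump opens a direct-tcpip channel, so TCP forwarding must stay on.
    if eff.get("allowtcpforwarding", "yes") == "no":
        findings.append("AllowTcpForwarding no would break ProxyJump")
    return findings
```

Run it against the real file with <code>audit_jump_user(open("/etc/ssh/sshd_config").read())</code>; an empty list means the jump account is locked down as documented.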

### Making use of the jump user to access machines on the VPN

If you want to make use of the jump user you need to follow two steps:

* add your public key to the jump user's <code>~/.ssh/authorized_keys</code> (create your public key with ssh-keygen (explain this in more detail))
* configure your <code>~/.ssh/config</code> to make use of the jump host.

#### Generate a private/public key for the jump user's list of keys

To generate your keys, run <code>ssh-keygen</code>.


You will be prompted to enter a passphrase. This is NOT the passphrase to connect to your remote host; it is the passphrase that unlocks the private key, so that no one can access your remote server even if they get hold of your private key. The passphrase is optional. To leave it blank, just press "Enter".

Your public and private SSH keys should now be generated. Open the file manager and navigate to the .ssh directory. You should see two files: id_rsa and id_rsa.pub.



#### Adding your public key to the jump user's list of keys

First find your public key in <code>.ssh/key.pub</code> (note that the <code>.pub</code> part indicates it is the public part of the key).

Copy it to your clipboard. It should look something like this:

<code>ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAC169WFbhRc5tqgyJ0rkgwJHYFT6jawlB2gmnZUgK31XYhiLs4328sTLeAdMqpUUfEXsqE8nc0F6L8ZjWEVIHh9dwGqw6uHhdYbxXlbYy0RDECqjuYLzhWomL1dJfoCByBHuULmij6GILT96lMq5Hzrk1XyMaZyqBuTpWDIglRT2BPyqQ== r@badjak</code>

On the server, as root, become the jump user and go to its home directory:
  sudo -s -u jump
  cd ~jump

Append the key to the authorized keys list:

 echo "ecdsa-sha2-nistp521...copy_your_key_here..asdklhashl" >> .ssh/authorized_keys 

Return to the normal user with
  exit

#### Configuring your ssh to make use of the jump host

N.B. the key path/name should be adapted to your own situation.

 host varia_hub
     Hostname vvvvvvaria.org
     User jump
     Port 12345
     ForwardAgent yes
     IdentityFile ~/.ssh/id_varia

#### Make an entry for the specific machine on the VPN to be accessed via the hub

N.B. the particular details are specific to the machine being reached. The example below is for the rosa server.
The <code>ProxyJump</code> statement is the part that does the magic.

  host rosa
      Hostname 10.5.1.2
      User friend
      Port 22
      ForwardAgent yes
      ProxyJump varia_hub

With the above config you can now do <code>ssh rosa</code> and it will connect via <code>varia_hub</code>.

## Web proxy for devices on the HUB

To make sure that all the web services on a host on the VPN are reachable from the public internet under a subdomain of <code>vvvvvvaria.org</code>, NGINX is set up to proxy the traffic.

### Config notes for the web proxy for arbitrary subdomains

To make this work a new Nginx config was made in <code>/etc/nginx/sites-enabled/hub.vvvvvvaria.org</code>:
'''N.B. this has already been done, and does not need to be repeated.'''

  map $subdomain $target {
      default http://127.0.0.1;
      rosa http://10.5.1.2;
  }

  server {

      # SSL configuration
      listen 443 ssl;
      listen [::]:443 ssl;

      server_name ~^(?P<subdomain>.+?)\.vvvvvvaria\.org$;

      root /var/www/html;
      index index.html index.htm index.nginx-debian.html;

      location / {
          try_files $uri $uri/ =404;

          if ($subdomain){
              proxy_pass $target$uri;
          }
      }

      ssl_certificate /etc/acme-certs/vvvvvvaria.org.crt;
      ssl_certificate_key /etc/acme-certs/vvvvvvaria.org.key;
  }

### Making your device visible on a *.vvvvvvaria.org subdomain

Edit <code>/etc/nginx/sites-enabled/hub.vvvvvvaria.org</code>.

Add a subdomain and IP address to the <code>map</code> section of the file:

  map $subdomain $target {
      default http://127.0.0.1;
      rosa http://10.5.1.2;
  }

This means <code>hub.vvvvvvaria.org/default</code> will be proxied to <code>localhost</code> and <code>hub.vvvvvvaria.org/rosa</code> will be proxied to <code>10.5.1.2</code>.

Note that the varia hub does all SSL termination, meaning that you don't need to request SSL certificates for these services on your device AND that you should make all traffic available on plain HTTP!
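An added example (not the page's own code) that follows the <code>server_name</code> regex and the <code>map</code> from the config above literally, to show which upstream a request ends up at and to generate the map block with the two checks that matter here: plain-HTTP targets and single-label subdomains. <code>resolve_upstream</code>, <code>render_map</code> and the sample dict are this example's own assumptions.

```python
import re
from urllib.parse import urlsplit

# From the page's hub.vvvvvvaria.org config: the regex server_name and the
# subdomain -> $target map (constructed here as a dict).
SERVER_NAME = re.compile(r"^(?P<subdomain>.+?)\.vvvvvvaria\.org$")
TARGET_MAP = {"default": "http://127.0.0.1", "rosa": "http://10.5.1.2"}
LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def resolve_upstream(host, request_uri, target_map=TARGET_MAP):
    """Upstream URL nginx builds for a request, following the regex
    server_name and `proxy_pass $target$uri` of the config above."""
    m = SERVER_NAME.match(host.lower())
    if not m:
        return None  # bare vvvvvvaria.org: this server block is not selected
    # A subdomain missing from the map falls through to `default`, i.e. the
    # hub's own localhost, so a typo in a hostname never reaches a device.
    target = target_map.get(m.group("subdomain"), target_map["default"])
    # $uri is the normalised path only; the query string is not forwarded.
    return target + (urlsplit(request_uri).path or "/")


def render_map(devices, default="http://127.0.0.1"):
    """Render the `map $subdomain $target` block from {subdomain: url}.
    Targets must be plain http:// (the hub terminates TLS) and subdomains a
    single DNS label, the only shape a *.vvvvvvaria.org wildcard cert covers."""
    lines = ["map $subdomain $target {", f"    default {default};"]
    for name, url in sorted(devices.items()):
        if name == "default" or not LABEL.match(name):
            raise ValueError(f"bad subdomain {name!r}")
        if not url.startswith("http://"):
            raise ValueError(f"{name}: target must be plain http://, got {url!r}")
        lines.append(f"    {name} {url};")
    lines.append("}")
    return "\n".join(lines)
```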

Note: Aymeric Mansoux developed the idea of the hub in the context of XPUB in 2019, enabling networked experiments and server related work to be done within the institution.¹
