On Saturday, 6 June 2020 12:52:14 BST Ralph Corderoy wrote:
> Clearly, the office computers are exposed to the Internet.  :-)

Yes.  But only in the same way as any computer on a network connected to an 
ADSL Router.  Currently no incoming connections are allowed.

> Does WMT's office router have a static IP address when viewed from the
> Internet?

No.  We will be using DDNS.

> Can an office computer reach a river-system Pi, i.e. does the
> railway-room's Pi route packets between eth1 and eth0?

No.

> The office router probably provides a VPN.  Perhaps it can be configured
> so only the railway-room Pi and beyond is accessible, especially if they
> have a different private network address than the office.

The Office Router is a consumer grade device and doesn't provide VPN.  In any 
case the Trustees are very sensitive to anything that might open up the Office 
computers to being hacked.

We had to assure them that the VPN Server would only route between the Office 
Router and the Pis, hence it needs to have two ethernet ports so that data 
isn't routed back onto the Office network (as simple OpenVPN installations seem 
to do).

> Who configures the office router?

Currently no-one, other than the ISP.  The only volunteer who is an ex-
engineer and has physical access to the site will do whatever is necessary on 
site.  However, he is a hardware engineer and so will need some virtual hand-
holding from those of us who are stuck at home.
 
> How are you expecting a VPN to work?  A home user will contact WMT's
> static IP address on a particular port, expecting the office-router to
> forward those packets to r-r Pi?  The same would be required for SSH
> access.  Does r-r's Pi SSH server currently listen on both eth0 and eth1
> interfaces?

It only listens to eth0.

The problem we have is that none of the Trustees are technical.  They have no 
idea what SSH is, but they are aware of VPN (probably as much as anything else 
because lots of companies charge big bucks for setting up VPN servers for 
businesses  :-) ).  It's a bit like the companies who only bought from IBM 50 
years ago, because they knew about them.

We might be able to make a case for using SSH; we certainly don't need more, 
but we have approval to install VPN, so I'd like to get it working if 
possible.

-- 
Terry Coles

-- 
  Next meeting: Online, Jitsi, Tuesday, 2020-07-07 20:00
  Check to whom you are replying
  Meetings, mailing list, IRC, ...  http://dorset.lug.org.uk
  New thread, don't hijack:  mailto:dorset@mailman.lug.org.uk
