Anton TETERIN 1 year ago
parent
commit
2d3799112c

+ 0 - 64
install/VPN_Server/PiVPN@rpi.md

@@ -1,64 +0,0 @@
-#
-# Configuring VPN server on Raspberry Pi
-#
-
-# 2022-09-07  + merged with installation logic in general
-
-
-# source https://docs.pivpn.io/install/
-
-# download recent Raspberry Pi OS Lite image and burn it to flash card [link]
-
-# install recent Raspberry Pi Lite (without GUI interface) [link]
-
-# configure firstboot [RPi/install_firstboot]
-
-# configure manual IP address [link] (for port forwarding from router to VPN server)
-
-# configure Dynamic DNS to ensure that VPN server is reachable, in case IP address changes [link]
-
-# download PiVPN installer and execute
-```
-sudo su
-curl -L https://install.pivpn.io > installer.sh
-chmod +x installer.sh
-./installer.sh
-```
-
-
-# unattended updates
-Good idea, if system will stay long time alone.
-Not so good idea, because of lack of control (inspection), which packages will be updated
-
-reboot
-
-login into local user, which is holding pivpn configuration files
-
-# VPN Clients
-list and add
-```
-pivpn list
-pivpn add
-    Name: (client)
-    How many days should the certificate last? [1080]
-    Password: (pass)
-```
-now new user should be in the list and opvn config generated and can be found
-```
-ls -la /home/(config user)/ovpns/
-(client).ovpn
-```
-
-# Config files
-You can copy config file in any desired way (scp probably is the best).
-
-Or generate QR-code for WireGuard Android's application
-```
-pivpn -qr
-```
-
-
-
-
-Books:
-- [Anton's bookshelf](https://og2k.com/books/)
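Review bot: this deletion is paired with a re-creation of the same document under install/networking/VPN_Server/PiVPN@rpi.md later in this commit, but because the content was edited at the same time git records it as delete plus add instead of a rename, so `git log --follow` and blame lose the file's history. Doing the `git mv` in one commit and the content edits in the next keeps the history attached; the plain rename of internet-pi@rpi4.md at the end of this commit is the clean form.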

+ 16 - 1
install/firstboot/README.md

@@ -3,21 +3,31 @@
 #
 # 2020 06 12  + init of firstboot@rpi.md /A
 # 2022 03 19  + published on https://github.com/InstallAndUse/RPi /A
+# 2023-03-12  * adjustments /A
 #
 
+# initial config (if not done with Raspberry Pi Imager)
+
+
 # set pi pass
+```
 passwd
+```
 
 # set root pass
+```
 sudo su
 passwd
+```
 
 # add yourself (for ssh keys, security. etc...)
+```
 useradd (you)
 passwd (you)
 usermod -aG sudo (you)
 mkdir /home/(you)
 chown -R (you):(you) /home/(you)
+```
 
 # update, reboot and run update one more time
 ```
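Review bot: the `useradd (you)` block in the "add yourself" section creates the account with no home directory and no interactive shell and then builds the home by hand; on Debian-based images `useradd -m -s /bin/bash (you)` creates and populates /home/(you) from /etc/skel in one step, so the `mkdir` and `chown -R` lines can go. Since the same section sets a root password, add a line that sshd should keep `PermitRootLogin` at Debian's default `prohibit-password`, so the new root password is usable only at the console and not over ssh.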
@@ -26,13 +36,18 @@ shutdown -r now
 apt update && apt upgrade -y
 ```
 
-# initial config
+# other settings
+```
 raspi-config
 2. N1, set hostname
 4. localisation, I2, set timezone
 5. interfacing, P2, enable ssh
+```
 
 # reboot
+```
+shutdown -r now
+```
 
 
 
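Review bot: the three lines after `raspi-config` inside the new fence (`2. N1, set hostname`, `4. localisation, I2, set timezone`, `5. interfacing, P2, enable ssh`) are menu paths, not commands, so anyone copying the block pastes them into a shell; keep only `raspi-config` in the fence and put the menu steps as prose or a list under it, noting that the menu numbering changes between raspi-config releases. For a script-friendly version, raspi-config's non-interactive mode (`raspi-config nonint do_ssh 0` to enable ssh, `do_hostname`, `do_change_timezone`) avoids the menu entirely.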

+ 25 - 0
install/firstboot/networking_static_ip.md

@@ -0,0 +1,25 @@
+# Configuring static IP on Raspberry Pi (ethernet/eth0/LAN)
+
+
+```
+nano /etc/dhcpcd.conf
+
+interface eth0
+static ip_address=192.168.72.8/24
+static_routers=192.168.72.1
+static domain_name_servers=192.168.72.1
+
+
+```
+
+Restart with caution, remember, your IP will be changed:
+```
+shutdown -r now
+```
+
+
+
+Clean old key with:
+```
+ssh-keygen -R 192.168.72.195
+```
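Review bot: `static_routers=192.168.72.1` is not a valid dhcpcd.conf directive; the key is `static routers=192.168.72.1` (space, matching the `static ip_address=` and `static domain_name_servers=` lines around it), and as written dhcpcd does not apply it, so no default route is set and the Pi loses connectivity beyond the LAN after the reboot. The fence also mixes the `nano /etc/dhcpcd.conf` command with the file contents; split them so the config lines are pasteable on their own. Finally, `ssh-keygen -R 192.168.72.195` runs on the client machine, not on the Pi, and removes the known_hosts entry for the old address, while the new static address is 192.168.72.8; say both things explicitly, since the two addresses differ and a reader will otherwise wonder where .195 comes from.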

+ 234 - 0
install/networking/Teleport/Teleport@Debian(Raspberian).md

@@ -0,0 +1,234 @@
+#
+# Objective: to connect to internal resources
+#
+#
+# 2023-03-13  * second deployment, reviewed and updated /A
+
+
+Official documentation is located here:
+https://goteleport.com/docs/deploy-a-cluster/open-source/
+
+# utils needed, but not mandatory
+```
+apt install tmux
+```
+
+# Host-based firewall, port forwardings in routers
+open (80,443)/tcp to access Teleport and let CertBot to verify domain (it will start webserver for validation)
+
+
+# get certbot running with Let's Encrypt first
+```
+apt install certbot
+certbot certonly --standalone -d (domain) --staple-ocsp -m (host)-certbot@(domain) --agree-tos
+```
+to test cert renewal:
+```
+certbot renew --dry-run
+```
+
+
+# run webserver test
+```
+nano demo-app/index.html
+python3 -m http.server 9000 --directory demo-app
+```
+
+# Downloading and installing
+determine which architecture in use (I got on my RPi3)
+```
+getconf LONG_BIT
+32
+uname -a
+Linux (host) 5.15.84-v7+ #1613 SMP Thu Jan 5 11:59:48 GMT 2023 armv7l GNU/Linux
+```
+download from original source, upload to destination and install package from (choose Linux in Top-Right corner)
+https://goteleport.com/download/#install-links
+or download directly from host
+```
+wget https://cdn.teleport.dev/teleport_12.1.0_arm.deb
+dpkg -i ./teleport_12.1.0_arm.deb
+```
+? possible dependecies fix, if needed
+```
+apt-get -f install
+```
+
+
+# Configuration
+set variable by executing commands and launch configuration tool
+```
+DOMAIN=(domain)
+EMAIL=(host)-teleport@(domain)
+teleport configure --acme --acme-email=${EMAIL?} --cluster-name=${DOMAIN?} | tee /etc/teleport.yaml > /dev/null
+```
+Add web-based frontend for Teleport by editing config file
+```
+nano /etc/teleport.yaml
+app_service:
+  enabled: yes
+  apps:
+  - name: "demo"
+    uri: "http://localhost:9000"
+    public_addr: "(domain)"
+```
+
+
+# enable and start the service
+```
+systemctl enable teleport
+systemctl restart teleport
+systemctl status teleport
+```
+
+
+# Configuring via WebUi (at this point, it should be accessible)
+URL should look like something like this:
+https://(domain)/web/login?redirect_uri=https://(domain)/web
+
+
+# create admin user and set pass (list usernames, which user can represent (='login as'))
+```
+tctl users add teleport-admin --roles=editor,access --logins=root,ubuntu,ec2-user
+User "teleport-admin" has been created but requires a password. Share this URL with the user to complete user setup, link is valid for 1h:
+https://(domain):443/web/invite/953f9ea8c84c???????8f630874638c
+
+NOTE: Make sure (domain):443 points at a Teleport proxy which users can access (networking works properly).
+```
+open link in browser and set pass for created user (it is supposed to send this link to end-user)
+QR code of OTP token will be generated, use any token management (authentication application) to store it and provide OTP to finalize registration
+
+
+# connecting via WebUI
+choose "server", [connect] and choose which user to use as login (Teleport instance should be visible)
+
+
+# creating normal users (father-mother-sister-brother) with access role only
+tctl users add (user) --roles=access --logins=(user)
+
+
+
+
+
+# adding new resource - server
+it is not possible to deploy Teleport as a resource to itself
+from WebUi, Servers > Add Server > Server [Next], copy-paste shell command and execute it on destination (new) server.
+looks like, access to internet is needed to: https://get.gravitational.com/
+```
+
+root@(host):/home/(user)# bash -c "$(curl -fsSL https://(domain)/scripts/c1f0d3d9c6617773a230f89795b40a08/install-node.sh)"
+2022-12-05 08:01:00 GMT [teleport-installer] TELEPORT_VERSION: 11.1.1
+2022-12-05 08:01:00 GMT [teleport-installer] TARGET_HOSTNAME: (domain)
+2022-12-05 08:01:00 GMT [teleport-installer] TARGET_PORT: 443
+2022-12-05 08:01:00 GMT [teleport-installer] JOIN_TOKEN: c1f0d3d9c6617773a230f89795b40a08
+2022-12-05 08:01:00 GMT [teleport-installer] CA_PIN_HASHES: sha256:94aa8871de87837e5a936f1963d4c6baf21a22031af87637122fcc636211e210
+2022-12-05 08:01:00 GMT [teleport-installer] Checking TCP connectivity to Teleport server ((domain):443)
+2022-12-05 08:01:00 GMT [teleport-installer] Connectivity to Teleport server (via nc) looks good
+2022-12-05 08:01:00 GMT [teleport-installer] Detected host: linux-gnueabihf, using Teleport binary type linux
+2022-12-05 08:01:01 GMT [teleport-installer] Detected arch: armv7l, using Teleport arch arm
+2022-12-05 08:01:01 GMT [teleport-installer] Detected distro type: debian
+2022-12-05 08:01:01 GMT [teleport-installer] Using Teleport distribution: deb
+2022-12-05 08:01:01 GMT [teleport-installer] Created temp dir /tmp/teleport-Fol7L1QOSH
+2022-12-05 08:01:01 GMT [teleport-installer] Downloading Teleport deb release 11.1.1
+2022-12-05 08:01:01 GMT [teleport-installer] Running curl -fsSL --retry 5 --retry-delay 5 https://get.gravitational.com/teleport_11.1.1_arm.deb
+2022-12-05 08:01:01 GMT [teleport-installer] Downloading to /tmp/teleport-Fol7L1QOSH/teleport_11.1.1_arm.deb
+2022-12-05 08:01:57 GMT [teleport-installer] Downloaded file size: 103483964 bytes
+2022-12-05 08:01:57 GMT [teleport-installer] Will use shasum -a 256 to validate the checksum of the downloaded file
+[...]
+2022-12-05 08:02:01 GMT [teleport-installer] The downloaded file's checksum validated correctly
+2022-12-05 08:02:01 GMT [teleport-installer] Using dpkg to install /tmp/teleport-Fol7L1QOSH/teleport_11.1.1_arm.deb
+Selecting previously unselected package teleport.
+(Reading database ... 43613 files and directories currently installed.)
+Preparing to unpack .../teleport_11.1.1_arm.deb ...
+Unpacking teleport (11.1.1) ...
+Setting up teleport (11.1.1) ...
+2022-12-05 08:03:05 GMT [teleport-installer] Found: Teleport v11.1.1 git:v11.1.1-0-gbf4e8ea41 go1.19.2
+2022-12-05 08:03:05 GMT [teleport-installer] Writing Teleport node service config to /etc/teleport.yaml
+
+A Teleport configuration file has been created at "/etc/teleport.yaml".
+To start Teleport with this configuration file, run:
+
+sudo teleport start --config="/etc/teleport.yaml"
+
+Note that starting a Teleport server with this configuration will require root access as:
+- The Teleport configuration is located at "/etc/teleport.yaml".
+- Teleport will be storing data at "/var/lib/teleport". To change that, run "teleport configure" with the "--data-dir" flag.
+
+Happy Teleporting!
+2022-12-05 08:03:06 GMT [teleport-installer] Host is using systemd
+2022-12-05 08:03:06 GMT [teleport-installer] Starting Teleport via systemd. It will automatically be started whenever the system reboots.
+Created symlink /etc/systemd/system/multi-user.target.wants/teleport.service → /lib/systemd/system/teleport.service.
+
+Teleport has been started.
+
+View its status with 'sudo systemctl status teleport.service'
+View Teleport logs using 'sudo journalctl -u teleport.service'
+To stop Teleport, run 'sudo systemctl stop teleport.service'
+To start Teleport again if you stop it, run 'sudo systemctl start teleport.service'
+
+You can see this node connected in the Teleport web UI or 'tsh ls' with the name '(host)'
+Find more details on how to use Teleport here: https://goteleport.com/docs/user-manual/
+```
+service may be checked with
+```
+root@(host):/home/(user)# systemctl status teleport
+```
+and in WebUI below message will appear:
+```
+The server successfully joined this Teleport cluster
+```
+click [Next], choose OS users, who can connect to new server.
+choose which OS user to test connection
+```
+Step 2
+Verify that the server is accessible
+Testing complete
+You have access to the Node.
+Node is alive and reachable.
+The requested principal is allowed.
+"(user)" user exists in target node
+```
+you may test a session by connecting directly from WebUI by pressing [Test session]
+
+Finally, press [Finish]. New server will appear in the list.
+
+
+
+
+
+# connecting using tsh (Teleport SSH)
+download and install tsh client from:
+https://goteleport.com/download/?os=mac
+reopen terminal to be able to find 'tsh' command
+```
+(user)@(local) ~ % tsh login --proxy=(domain) --user=(local)
+Enter password for Teleport user anton:
+Enter your OTP token:
+> Profile URL:        https://(local):443
+  Logged in as:       (user)
+  Cluster:            (domain)
+  Roles:              access
+  Logins:             (user), -teleport-internal-join
+  Kubernetes:         enabled
+  Valid until:        2023-03-14 05:58:00 +0300 +03 [valid for 12h0m0s]
+  Extensions:         login-ip, permit-agent-forwarding, permit-port-forwarding, permit-pty, private-key-policy
+  ```
+
+
+
+
+
+# list and connect to the new server
+```
+tsh ls
+Node Name Address        Labels
+--------- -------------- ----------------
+(host)   127.0.0.1:3022 hostname=(host)
+tsh ssh (user)@(host)
+```
+
+
+
+
+# Download Desktop Clients (Teleport Connect), if needed (graphical interfaces):
+https://goteleport.com/download/#install-links
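Review bot: the pasted install-node.sh output in the "adding new resource" fence commits the node join token (`JOIN_TOKEN: c1f0d3d9c6617773a230f89795b40a08`, also embedded in the curl URL) and the CA pin hash into a public repository; the invite link in the `tctl users add` fence was masked with `???????`, so mask these the same way, and if the token still shows up in `tctl tokens ls`, remove it with `tctl tokens rm`. Two smaller points in the configuration section: `public_addr: "(domain)"` for the demo app is the same name as the proxy, whereas Teleport serves each app on its own name (typically a subdomain such as `demo.(domain)`), and the `certbot certonly --standalone` step is redundant with `teleport configure --acme`, which obtains its own Let's Encrypt certificate and will also contend with certbot for port 80 at renewal time.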

+ 99 - 0
install/networking/VPN_Server/PiVPN@rpi.md

@@ -0,0 +1,99 @@
+#
+# Configuring VPN server on Raspberry Pi
+#
+
+# 2022-09-07  + merged with installation logic in general /A
+# 2023-01-20  * reviewed due to reinstallation /A
+# 2023-03-12  * reinstalling, reviewing /A
+
+# download recent Raspberry Pi OS Lite image and burn it to flash card [link]
+
+# install recent Raspberry Pi Lite (without GUI interface) [link]
+
+# configure firstboot [RPi/install_firstboot]
+
+# configure manual IP address [link] (for port forwarding from router to VPN server)
+
+# configure Dynamic DNS to ensure that VPN server is reachable, in case IP address changes [link]
+
+
+# download PiVPN installer and execute
+```
+cd
+sudo su
+apt install curl
+curl -L https://install.pivpn.io > installer.sh
+chmod +x ./installer.sh
+./installer.sh
+```
+
+
+# PiVPN can configured in two ways:
+WireGuard and OpenVPN (differnce in protocol and listening port), clients' configuration is almost the same for both. Check which will work for you. Depends on your geographical location and locations you intended to connect from.
+
+
+# unattended updates
+Good idea, if system will stay long time alone.
+Not so good idea, because of lack of control (inspection), which packages will be updated
+
+reboot
+
+login into local user, which is holding pivpn configuration files
+
+
+# VPN Clients (*.ovpn files)
+list and add VPN clients (users) "father-mother-sister-brother"
+```
+pivpn list
+pivpn add
+    Name: (client)
+    How many days should the certificate last? [1080]
+    Password: (pass)
+```
+now new user should be in the list and opvn config generated and can be found
+```
+pivpn list
+ls -la /home/(user)/ovpns/
+cat /home/(user)/ovpns/(client).ovpn
+```
+
+
+# Config files
+You can copy config file in any desired way (scp probably is the best).
+Or cat it and copy-paste.
+Or generate QR-code for WireGuard Android's application (is not available for OpenConnect)
+```
+pivpn -qr
+```
+
+
+# troubleshooting
+```
+netstat -ntap
+netstat -p | grep openvpn
+systemctl status openvpn
+iptables -L -n -v --line-numbers
+```
+
+
+# to fix broken IP forwarding, run command below and follow instructions
+```
+pivpn debug
+```
+
+
+mkdir -p /etc/openvpn/easy-rsa/pki/
+/usr/sbin/openvpn --genkey secret /etc/openvpn/easy-rsa/pki/ta.key
+? /usr/sbin/openvpn --genkey secret /etc/openvpn/ta.key
+? /usr/sbin/openvpn --genkey secret /etc/openvpn/easy-rsa/keys/ta.key
+
+
+
+# source https://docs.pivpn.io/install/
+
+
+
+
+
+Books:
+- [Anton's bookshelf](https://og2k.com/books/)
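Review bot: the unfenced lines after the `pivpn debug` block (`mkdir -p /etc/openvpn/easy-rsa/pki/` and the three `openvpn --genkey secret ... ta.key` variants marked `?`) read as an unfinished scratch note; either fence the one path that applied to this install or drop them, and add the caveat that regenerating ta.key invalidates every existing .ovpn, because PiVPN inlines the tls-crypt key into each client file, so all clients have to be re-issued afterwards. Smaller points: `pivpn -qr` is described as "not available for OpenConnect", but the alternative named at the top of the file is OpenVPN; `netstat` is no longer installed by default on recent Raspberry Pi OS, and `ss -ntap` is the drop-in replacement; and there are typos `differnce` and `opvn`.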

+ 0 - 0
install/internet_connection_quality_monitoring/internet-pi@rpi4.md → install/networking/internet_connection_quality_monitoring/internet-pi@rpi4.md