I never used VPNs, I know what they are and how they work in general, but I never had to use one in practice; now I need to use it to connect to a machine in my university lab, my teacher provided the configuration file and the other needed files to set it up.
I installed the OpenVPN GUI with admin privileges, I imported the config file (".ovpn" file in my case) and launched (always as admin) the connection, which immediately works and I am assigned a new IP address. However, if I quickly check on "whatIsMyIP.com" or on Google, the IP is unchanged, it's still my original IP.
Now I also tried with other random VPNs downloaded from VPNBook, and they work, meaning that I can see that the IP changes as soon as I turn them on. I really cannot understand what I am doing wrong (my professor told me that he tried connecting through a VPN as well and it worked for him, so the problem must be on my client side)...
PLUS: when this problem of the unchanged IP is fixed, I am supposed to use ssh to connect to the remote machine. I was asked to generate a pair of public+private keys, passed the public to my teacher who added it on the machine and then connect through the command:
"ssh username#hostname"
Besides the fact that it does not work due to the VPN not changing the IP, I get the error "No address associated with hostname", so I understand it cannot resolve the given hostname, nonetheless my professor gave me only that: is it correct that I can ssh to the remote machine by only having the hostname or (as I believe) I also need the IP, which I can associate with the hostname and then connect?
Related
I've set up tailscale and connected to an exit node on my VPS on vultr.com. Predictably, I was kicked out and couldn't reconnect, as the VPS's public IP address has changed.
I can reboot the VPS and try again. What steps will I need to take? Does my VPS running behind an exit node even have a unique public address (which?), or does it need to be set up for something like port forwarding?
From looking at tailscale documentation, it looks like they came up with their own ssh, why? Why is the standard ssh inadequate for the purpose? I am not the admin of my tailscale network, and the admin is swamped right now. What can I do?
SSH uses TCP as transport and therefore requires the (srcaddr, srcport, dstaddr, dstport) tuple to be constant over the connection's lifetime.
I believe that since tailscale rotates connections dynamically, it is more suitable for use by clients than servers in a traditional client-server model, unless it provides an 'internal' virtual network over the distributed transport (which would kind of defeat the purpose of covering your tracks).
If you want to connect to your VPS over tailscale, you need to use their tools probably because of that. You can still connect directly to your VPS, though, through plain Internet, if it has any address of its own, and is not firewalled away (or similarly, NATed away). Your provider should either show you the address, or even better, provide access to out-of-band (like serial-port) command line access, where you can query the current addresses using commands like ip addr show.
In your Tailscale Admin console you should be able to see the machine's IP. Just use normal ssh and login that way.
So instead of ssh user#8.8.8.8 you'd do ssh user#100.64.0.1. Tailscale's own ssh client is useful if you want to hook deeper into their MagicDNS stuff, but it's not meant to be the only way to ssh into your machine.
If you run into errors, ping the machine you want to connect to (tailscale ping vps-machine-name). That should help you debug any tailscale client connection problems.
I have an Apache2 server running in Debian 9.
I am using it to host a custom MediaWiki Wiki.
To navigate to the Wiki I use something of this form "10.200.200.20/mediawiki" where the Apache2 server is running on 10.200.200.20.
This works fine however sometimes the IP Address (10.200.200.20) will change and then everyone on the local network navigating to the Wiki will have to be notified and use the new IP Address which is a hassle.
I wish to change it to something consistent, for example "OurWikiServer/mediawiki" it doesn't really matter that much as long as it can always be found at the same place.
I know this is possible as the MediaWiki installation was previously maintained by someone else who used XAMPP in Windows 7 and it was configured to be found at "stringHere/mediawiki" on the local network.
I have tried changing it in /etc/hosts and can get it changing on individual machines as expected, however have no idea how to get it working network wide.
The best way to do this is to define the IP of this station static. This can be done via reservation in DHCP server or assign IP outside of the DHCP IPs. Also consider adding small DNS server to provide hostname instead of IP
The entire scenario of my situation seems 10/10 sketchy, I'll admit. So I won't bother convincing you this isn't a malicious attempt to access a server that isn't mine - I'll simply say once, that this is a legitimate need for assistance.
That said, basically my problem goes back to me being a little too restrictive when it came to SSH access to my CentOS 6 server. Basically I restricted access to my custom SSH port from only two IP addresses - one being my home address, and one being my work address - via iptables. The problem is, I no longer work where I do, and my home IP address changed ever since I upgraded my internet.
Obviously this means I no longer am able to connect to my server via SSH since I don't own that IP address anymore.
My question is, is there anything I can do to access this server? I have no console access, but I do at least know the IP address I used to use to log into the server (maybe possible to spoof an IP address, but I have no clue). The only other thing I can think of is I have DirectAdmin installed on the server and can still login with the admin account. Other than that, I've got nothing.
If anyone has any idea on what I can do, it would be greatly appreciated.
You can change the SSH port number from Directadmin file editor (if you have root password),
Then restart the sshd service from service manager
And you can connect to SSH via new port number!
We have a Win Server 2008 box being hosted (dedicated) for us.
I need to connect to one of it's DB's from a server in our LAN.
What started out as a "sure, I'll just throw that together for you real quick" project has turned into a week-long hair-pulling pile of WTF :)
I am able to RDP into that server without fail or issue.
When I tried to connect to the DB, I got a generic "could not connect" error, so I went hunting.
Telnet attemtps and pings time out.
Since then, we have tried endless variations of firewall settings (including wide open), and still ... no go.
In addition to our firewall, the hosting provider also has a firewall layer.
We turned on all logging, and we don't even see any connection attempts at our FW.
We then had the hosting provider turn on all logging, and they don't see any connection attempts either!
Hrmmmph
I'm at a complete loss.
Any suggestions?
BTW, while I'm comfortable enough with all this to explore and make changes, my experience with firewalls and stuff is fairly limited, so don't hesitate to dumb it down ;)
It is hard to give just one answer to this question, because the interim results of the problem analysis lead to different steps that you need to do next. It will more likely be a step by step help with tracing down the problem.
Do not trust any firewall setting (esp. not any that someone else did, and again esp. not if you don't know him), unless you tested it. Firewall settings are tricky and even experienced professionals get them wrong now and then.
In the guide below, I will write <win2008server> in commands where you have to put the name or IP of the windows 2008 server to which you want to connect. On the other side, I will use the expression "office PC" when I mean your workstation PC in the office from where you are trying to connect to the win2008server.
STEP 1: Checking the Endpoints
1.) Can you telnet to the RDP port?
On your office PC, try this on a command prompt:
telnet <win2008server> 3389
This is to make sure that DNS name resulution works for telnet, as well as network hardware and routing. It should, because you can use RDP to establish this connection. However, anything can get in between, like the telnet command being in any way configured nonstandard or being replaced for whatever reason on a company pc (sysadmins have strange ideas at times...).
2.) Can you telnet locally on the win2008server to the database?
When logged in using RDP on the win2008server, open a command prompt on the server and issue the command
telnet <win2008server> <database port>
That means you are trying to connect from the server to itself. This is to make sure the database port is open on the server.
STEP 2: Checking the Firewalls of the Endpoints
If for 1.) and 2.), your answer is yes it works, you have to test if either the remote side can not be reached or your location can not connect to the internet on the port you are testing (database port). You do this by replacing the respective other side with any other host on the internet for which you know it's reachable or can reach other servers. Typically, you google for a port checker ;)
3.) Check if the win2008server can be reached from another location than yours:
3.1.) Check if the RDP port of the win2008server can be reached from a third party location:
Google for port checker and take the first result (e.g. http://www.yougetsignal.com/tools/open-ports/ ). Type in the name or IP address of the win2008server and the RDP port, usually 3389 . Click on "check" and wait for the success or the timeout.
3.2.) Check if the database port of the win2008server can be reached from a third party location:
Do the same as in 3.1.), just with the database port instead of the RDP port.
4.) Check if you can connect to an outside server on the database port:
For this to work, you need to know a server or create one, which is somewhere outside on the internet, and which listens on the database port. You typically do this by keeping your private PC at home run and accessible through RDP or SSH, and there you open a server and configure your private internet router to forward the connection correctly.
Another way to do this test is webspace with SSH access. Many webspace providers nowadays allow for an SSH login (usually any webspace at $4/month and above).
Let's assume you have SSH access to any such third party place. You can use nc (netcat) there to open a server socket on the database port with this command:
nc -l <database port>
If it's your private PC at home, you usually have to also configure your private router and set up a dynamic DNS name for your internet access for the whole story to work out. You do not have this extra work with a webspace based SSH login. However, there you can not test ports below 1024 because you do not have the privileges. Good luck with this ;)
After you got this, try connecting to the port that you opened:
4.1.) From your office PC with
telnet <third party location> <database port>
4.2.) If 4.1.) does not work, also try with the port checker, because you might have gotten something wrong with setting up the server. Look at 3.) for this, and use the <third party location> and <database port> with the port checker (fourth party check).
STEP 3: Blaming ;)
At least one of the things should have failed by now and you can start calling people and letting them know about your tests and the results. You should be able to combine the results logically, but never start with that. Think about how to convey the information. Start out with your findings and then let them have a moment for their own conclusion. It can be difficult to tell someone in another company or department that their firewall isn't configured correctly. They might deny this even in the presence of proof. Be patient. Explain your findings again. Hint at the conclusion. This can be the trickiest part of the whole problem solution.
I have to say that today I had the same problem.
My solution was just to edit secpol.msc and disable all the FW profiles; then, run services.msc and also disable Windows Firewall service.
After this server was pingable for me.
I have written some VBScripts to automate tasks that I perform on computers over the network. These work great for most tasks however within our network we have problems with the IP address in DNS being correct all the time. This mainly occurs with laptops where we have different IP ranges for machines on the wireless and wired network.
For example a machine may boot up wired in the morning and get an IP address: 10.10.10.1
When it switches to wireless it will obtain an address in a different subnet: 10.11.10.1
When you try to connect to that machine it still returns the old IP address (10.10.10.1) even though the computer now has a new one.
I have found that I can still connect to that computer's C$ share via \computer name\c$ even though the machine does not ping. Obviously there is some other kind of address resolution going on, my question is how do I harness this to allow my VBScripts connect to WMI?
Thanks!
If DNS doesn't have the correct address, then perhaps it is likely being resolved with NetBios. What you would have to do is resolve the computer name with either a WINS Server or through Broadcasts to the network. Depending on your network environment you would use one or both of those options.
Microsoft has a tool called NBLookup which should be able to lookup the name from WINS at the very least.
You can call NBLookup and parse the results. I don't recall another method for NetBios resolution natively within VBScript, but I haven't looked awfully hard recently.
Your problem is name resolution. Windows uses 2 types of name resolution: DNS and NetBIOS.
DNS will resolve a name like .comcast.net or www.google.com
NetBIOS resolves names that are 15 characters or less, like your computer name likely is.
When your computer looks for a name it doesn't know how to turn into an IP address, it goes to a DNS server and/or uses NetBIOS name resolution. Once it's looked up a name, it saves it in a cache for some period of time (usually about an hour) before looking it up again.
You can look at the list of names your computer has cached for each type of name resolution using the command-line this way:
DNS
ipconfig -displaydns
NetBIOS
nbtstat -c
Each of those commands also alllows you clear that cache as well, which will force your system to rediscover what IP address the name points to. Here are those commands:
DNS
ipconfig -flushdns
NetBIOS
nbtstat -R
Between those commands, you should be able to determine which type of name resolution is the culprit and resolve it by flushing that cache.
From my own experience I have found the Microsoft TechNet ScriptCenter has just about anything you could ever want relating to VBScript. That's generally where I start when I want to delve into a new area of VBScript that I haven't previously explored.
The WMI FAQ on the Microsoft TechNet website has links to the ScripCenter along with links to many other usefule sites for learning how to script WMI. I would recommend finding a script that already does what you want since someone is bound to have already written what you need.
The article Automating TCP/IP Networking on Clients may have what you need to get started with resolving this problem.