Mandos WAN setup

Teddy Hogeborn teddy at recompile.se
Thu May 24 10:49:53 CEST 2018


Ricardo Gabriel <rmbgabriel at gmail.com> writes:

> I have the following scenario:
>
> A box with (OS ubuntu 14.04.5) encrypted LVM needs to be auto
> unencrypted from outside its local network when it reboots.
>
> From what I have read mandos should be the perfect solution. I tried
> to fiddle with it but only managed to use mandos on local network.
>
> Is it possible to setup a configuration where the box contacts an
> outside IPv4 mandos server? Or is mandos limited to local network
> usage?
>
> You probably have documentation on this, but I could not find it, I
> apologise in advance if that is the case.

The mandos-client binary has the --connect option, which accomplishes
part of what you want.  You would add something like

--options-for=mandos-client:--connect=192.0.2.2:85

to the /etc/mandos/plugin-runner.conf file.  (Don't forget to update the
initramfs images, probably using "update-initramfs -k all -u").  Note
that you will also have to:

1. Configure the Mandos server to have a static port number (85 in this
   example).  Do this by setting the "port" option in
   /etc/mandos/mandos.conf on the server.  Restart the server to make it
   use the new port number.

2a. Add an IP address and a route to the Mandos client system so that it
    is able to connect to the Mandos server system.  You can do this by
    using the ip= kernel command line option (as documented by the file
    /usr/share/doc/linux-doc-*/Documentation/filesystems/nfs/nfsroot.txt.gz).
    To add a kernel command line parameter, add it to the
    GRUB_CMDLINE_LINUX setting in /etc/default/grub.  Don't forget to
    run "update-grub" after modifying this file.  If you are using some
    other bootloader than Grub, see its documentation on how to add
    kernel command line parameters.

2b. Alternatively, you could add an IP address and a route yourself
    using a "network hook" program, run by mandos-client.  See the
    section "NETWORK HOOKS" in the mandos-client(8) manual page for
    details.  In particular, note that it is important to not only add
    IP addresses and routes, but also to *remove* them and take down the
    network when called with the "stop" argument, as documented.

/Teddy Hogeborn

-- 
The Mandos Project
https://www.recompile.se/mandos
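A worked example of the "network hook" route (2b) above, added here as an illustration; it is not from the mail nor from the Mandos project. It assumes the hook is invoked with a single argument, "start" or "stop" (the mail documents "stop"; "start" is assumed as its counterpart), that the iproute2 "ip" tool is available in the initramfs, and that the interface name, client address and gateway are placeholders to be replaced for a real deployment. The server address matches the --connect=192.0.2.2:85 example in the mail. The install location and the exact hook contract are in the NETWORK HOOKS section of mandos-client(8).

```shell
#!/bin/sh
# Constructed example of a mandos-client network hook (not from the original
# mail or the Mandos project). Assumptions: single argument "start" or "stop",
# iproute2 "ip" available, and placeholder interface/address values below.

IFACE="eth0"             # interface toward the Mandos server (placeholder)
ADDR="192.0.2.10/24"     # client address, documentation range (placeholder)
GATEWAY="192.0.2.1"      # next hop toward the server (placeholder)
SERVER="192.0.2.2"       # Mandos server, as in --connect=192.0.2.2:85
IP="ip"                  # every change goes through $IP, so a stub can replace it

# Bring the interface up, add the address, and add only a host route to the
# Mandos server rather than a default route: the initramfs needs nothing else.
# Stop at the first failure so a half-configured interface is not reported as up.
net_start() {
    "$IP" link set dev "$IFACE" up || return 1
    "$IP" addr add "$ADDR" dev "$IFACE" || return 1
    "$IP" route add "$SERVER/32" via "$GATEWAY" dev "$IFACE" || return 1
}

# Undo everything net_start did, in reverse order, and keep going even if one
# step fails, so nothing configured here survives into the real system's
# network setup.
net_stop() {
    "$IP" route del "$SERVER/32" via "$GATEWAY" dev "$IFACE"
    "$IP" addr del "$ADDR" dev "$IFACE"
    "$IP" link set dev "$IFACE" down
}

# Dispatch on the argument mandos-client passes; anything else is ignored
# with success so an unknown argument does not abort the boot.
net_hook() {
    case "$1" in
        start) net_start ;;
        stop)  net_stop ;;
        *)     return 0 ;;
    esac
}

net_hook "$1"
```

The hook must be executable and included in the initramfs (remember the update-initramfs step above). net_stop deliberately does not use "|| return 1": if the address removal fails, the interface should still be taken down, since the point of the "stop" call is that the real system starts from a clean interface.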