Re: Remote Debian installation assistance for newbies using WireGuard VPN
On Wed, 2018-04-25 at 14:50 +0200, Philip Hands wrote:
> ST <smntov@gmail.com> writes:
>
> > Hello Debian Install System Team,
> >
> > there used to be Linux install parties - a very cool event in itself and
> > a way to bring new users into community. However it is not so easy to
> > organize and it is somewhat limiting in time and space.
> >
> > Several weeks ago I learned about the kernel-space VPN - WireGuard [1]
> > and was so positively shocked by the ease of it's configuration/use [2]
> > so that I don't stop to think how it can be effectively utilized.
> >
> > Today I was thinking whether it would be possible to use this technology
> > to enable an experienced Linux user to help a fellow newbie to install
> > Debian on his Windows box?...
> >
> > The idea is to add an "Remote assistance mode" into win32-loader. Once
> > toggled - it will preseed and run Debian Installer (after reboot)
> > without any interaction until it:
> > 1. creates a WG interface,
> > 2. obtains an IP from a (not yet extent) Debian WireGuard VPN server [3]
> > (the assisting Linux profi also should be part of this VPN so he can SSH
> > to the newbie through NAT).
> > 3. runs SSH server listening on that IP.
> > 4. generates a short random password for the root user and displays it
> > together with its IP from step #2 on the monitor of the newbie. This
> > information (IP and root's password) are communicated by newbie to his
> > Linux profi friend by phone/sms/etc..
> >
> >>From this point on the Linux profi can SSH to the box and continue the
> > installation process in text mode.
> >
> > Is something like this possible?
>
> I've not yet used WireGuard, but from what I can see one needs a unique
> key per client to be known to the server (perhaps there's a way of
> telling it not to care). Also, the examples around the place also seem
> to suggest that one needs a UDP port per connection.
>
> Also, the wireguard.com front page does currently say:
>
> WireGuard is not yet complete. _You should not rely on this code._
>
> Anyway, I don't see that one actually needs WireGuard to implement it.
>
> A similar result could be achieved by configuring the new system to ssh
> to a server somewhere, and either have that connection used for the
> remote control, or have ssh also do port-forwarding back to the new
> installation.
Indeed?!... I'm positively shocked once again... Never knew it could be
possible. Let's say we have a newbie (with a private IP - N which is
behind NAT) and the same for a profie with IP P. And a publicly visible
server with the IP S. Let's say both can SSH to S:22 and know each
others' passwords/keys.
Could you, please, describe in details how one can implement both
approaches, namely:
1. "to ssh to a server somewhere, and either have that connection used",
i.e. `ssh newbie@S:22`... so what now? How profi can get through to N?
2. "or have ssh also do port-forwarding back to the new installation"
could you, please show the sequence of commands to achieve this?
>
> Of course we then have to work out under what circumstances the user
> should trust that person to be connected to their network,
I think a usual case is when they are just friends and trust each other
and have another shared communication channel, like phone/etc.. It's
kind of what TeamViewer is doing. The innovative part here though is to
enable terminal sharing for _bootstrapping_ an _not yet existent_ OS!
Thank you!
Reply to: