Remote management guide

Table of Contents

My rough and DRAFT - remote management guide…

Who is this for?

  • Do you have a hotspot / miner / rig at a remote location?
  • Do you want to access your remote infrastructure as if it is on your own network in a secure manner? ie. https://myrig.mydomain.com ?
  • Do you need special routing because of CG-NAT or port forwarding reasons?

NOTE: This is ONLY a guide which uses cheap gear, it is not the best or only way to do this task, however I suspect this is a good middle-ground in getting peeps running this kind of setup with minimal network & Linux experience - if ANYTHING is unclear and you need more verbage to explain a particular step/task give a shout!

Use cases

Some real world examples of what you can do when you manage infrastructure remotely,

  • Turning remote kit on/off when it becomes problematic
  • Ensuring your kit is online/offline (ping)
  • Accessing miner/etc dashboards and management interfaces
  • Helium/other mining being CG-NAT’d and needing to fix relaying
  • Routing all internet-bound traffic via a VPN rather than over the remote hosts network

Prerequisites

  • Mango gl.inet - is used in the examples below but there are plenty of alternatives
  • Linux based VPS with root access and its own external IP - or any ‘server’ which will run your VPN server software, this does not need to be Linux however will be used in the examples below. In our example we will use a Ubuntu/Debian based Linux VPS.
  • A domain name and ability to add/remove/modify DNS records, we will use this for secure access
  • A laptop/machine/phone to either connect to the LAN port or WiFi of the Gl.Inet
  • Ability to create/edit files on Linux-like operating systems, happy to link to guides if required
  • Time & a bit of willingness for adventure :slight_smile:

NOTE: If your intention is to expand this to several hosts over time, consider getting a VPS service which lets you buy extra IP’s, this means you do not have to have several VPS’s setup (one for each host), especially worth considering in CG-NAT cases

What are we going to do?

  • We will install VPN software on our VPS server, this is for the gl.inet (and ourselves) to connect to it in a secure manner
  • We do a initial setup on the gl-inet
  • We setup VPN access on the gl-inet towards the VPN server
  • We therefore assume a typical network setup:

– Your host has a normal consumer router
– You plug your Gl.Inet into one of the free pors of the customer’s router and plug it into the GL.Inet’s WAN port (we will cover using WiFi instead at some later date)
– You plug your hosted equipment into the LAN port of the GL.Inet (you can use a switch for more physical ports if you want)
– Therefore your host cannot access your equipment directly, as they will ‘hit’ your router
– You can however access YOUR equipment or the host’s via the VPN as required

VPS install

Get your VPS up and running, with root access to it.

A good/cheap deal is usually available from https://www.racknerd.com

Initial Packages

In our example, we will be installing Wireguard on our VPS server. This can also be OpenVPN, we choose Wireguard since it’s easy to setup and performs better than OpenVPN.

First we update the software repository and then install some software to get us going, including docker, I am assuming you are logged in as root:

# apt-get update && apt-get -y install docker.io telnet curl

DNS Configuration

Next - lets confirm the IP address of your server, you might already know this (to access the VPS), if not, you can confirm by running:

# curl --insecure https://whatismyip.akamai.com/ ; echo
111.222.111.1

If you have access to a domain name, add a DNS ‘A record’ or ‘host record’ - we will call it wireguard.mydomain.com = 111.222.111.1 (using the example above)

It is encouraged to go to your DNS host’s page and add a wildcard (’*’) record to point to wireguard.mydomain.com

This will ensure that abc123.mydomain.com points to wireguard.mydomain.com (which in turn points to your VPS’s IP address) as we did with the initial VPS setup steps

Wireguard & Nginx-proxy-manager installation

Now let’s add a user for running wireguard and get the UID it runs as:

# useradd wireguard
# id wireguard
uid=1001(wireguard) gid=1001(wireguard) groups=1001(wireguard)

In the above example, the wireguard UID is 1001.

Next - let’s make a directory for Wireguard’s docker container to store its configuration in:

# mkdir -p /docker/wireguard/config /docker/nginx-proxy-manager/init

Now make a file called /docker/nginx-proxy-manager/init/03-routing and put this in there:

#!/usr/bin/with-contenv bash
#

if [ ! -e /root/.installed ] ; then
  apt-get update && apt-get -y install iputils-ping net-tools
  touch /root/.installed
fi

/sbin/route add -net 10.100.10.0 netmask 255.255.255.0 gw wireguard
/sbin/route add -net 192.168.8.0 netmask 255.255.255.0 gw wireguard

Then run:

# chmod +x /docker/nginx-proxy-manager/init/03-routing 

This does the following:

  • When nginx-proxy-manager starts up it will route all wireguard vpn traffic on the 10.100.10.0/24 network to the wireguard docker container
  • When ngint-pxoy-manager tries to contact your wireguard VPN connection with clients on the 192.168.8.0/24 network it will route it via the wireguard container
  • Marks the file as executable

Now let’s install a known version of docker-compose:

# curl -L https://github.com/docker/compose/releases/download/v2.2.3/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose

Make it executable with:

# chmod +x /usr/local/bin/docker-compose

Now let’s create a docker-compose file, create a file called /docker/docker-compose.yaml and put this in it:

version: '3.4'
services:
  wireguard:      
    image: linuxserver/wireguard
    container_name: wireguard
    hostname: wireguard
    networks:
      - proxynet
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:     
      - PUID=1001
      - PGID=1001
      - PEERS=vpnminer01
      - PEERSDNS=auto
      - TZ=Europe/London
      - SERVERURL=wireguard.mydomain.com
      - SERVERPORT=51820 #optional
      - INTERNAL_SUBNET=10.100.10.0 #optional
    volumes:
      - /docker/wireguard/config:/config
      - /lib/modules:/lib/modules      
    ports:
      - 51820:51820/udp
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    restart: unless-stopped

  nginx-proxy-manager:
    container_name: nginx-proxy-manager
    image: jc21/nginx-proxy-manager:latest
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    networks:
     - proxynet
    depends_on:
      - wireguard
    ports:
      - 80:80
      - 443:443
      - 9099:81 # Admin Web Port
    volumes:
      - /docker/nginx-proxy-manager/data:/data
      - /docker/nginx-proxy-manager/letsencrypt:/etc/letsencrypt
      - type: bind
        source: /docker/nginx-proxy-manager/init/03-routing
        target: /etc/cont-init.d/03-routing

networks:
  proxynet:
    name: custom_network

To note in the above:

  • Replace wireguard.mydomain.com with your DNS name you created OR the external IP address of the VPS.
  • Replace PUID and PGID with the UID values as discussed earlier. This is so that the container runs as the ‘wireguard’ user for security purposes
  • INTERNAL_SUBNET would be the network your Wireguard VPN will create, in our example it is 10.10.10.0/24 which should be a ‘free’ network for anybody reading this.
  • PEERS=vpnminer01 means we will pre-configure this Wireguard installation with one VPN client called ‘vpnminer01’ - this automatically generates the server and client’s secure keys for us so we don’t have to do this manually later - for now just keep in mind that our first VPN client will be called vpnminer01

Now let’s create and start the wireguard and nginx-proxy-manager containers:

# docker-compose -f /docker/docker-compose.yaml up -d

It should pull down the necessary image and create your docker container running Wireguard

Once done, let’s confirm it is up and running

# docker ps
CONTAINER ID   IMAGE                                            COMMAND                  CREATED         STATUS                  PORTS                                                                              NAMES
8ab71814158c   linuxserver/wireguard                            "/init"                  10 seconds ago   Up 8 seconds            0.0.0.0:51820->51820/udp                                                           wireguard
c22d6be8b16b   jc21/nginx-proxy-manager:latest                  "/init"                  10 hours ago   Up 10 hours                             0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp, 0.0.0.0:9099->81/tcp   nginx-proxy-manager

If something like the above is displayed all is well, we now have Wireguard & Nginx-proxy-manager running!

Lastly lets edit the Wireguard configuration file which was just automatically created, edit /docker/wireguard/config/wg0.conf

The last line of the file should read:

AllowedIPs = 10.100.10.2/32

Change this to:

AllowedIPs = 10.100.10.2/32, 192.168.8.0/24

NOTE: This ensures that 'vpnminer01’s network ALSO routes the 192.168.8.0/24 network - this means that any device on the LAN port (or Wifi) of the Gl.Inet will be ‘visible’ from your VPS

Restart your docker container so it picks up this change with:
# docker restart wireguard

Now on to the Gl.Inet…

Router installation

Assuming you have a brand new gl.inet, you would plug the ‘WAN’ port into the host’s ‘LAN’ port. (We can cover Wifi at some later stage).

You can then proceed to plug your hosted equipment into the ‘LAN’ port of the GL.Inet - note - you can add a switch if you need more physical ports.

You can then plug in a laptop/yourself into the ‘LAN’ port as well, or simply join the Gl.Inet SSID to start configuring the router (the SSID & password is printed on the bottom of the device).

Browse to http://192.168.8.1 - the default IP address of the Gl.inet you are greeted with:

Choose your language and next.

Then you get tho choose your password:

Your gl.inet is now on the network and ccessable - you will see something like this:

Firmware update

Now click on the ‘Upgrade’ window (top right list menu → upgrade if on mobile) - at first it might look like this:

But after a while (30mins) it might offer up a new firmware image:

Hit the button and it should start installing the update:

Wifi Setup

You may or may not want to enable Wifi for the Gl.Inet

Browse to http://192.168.8.1 and login - on the left hand panel choose ‘Wireless’ and ensure you are on the ‘2.4G WiFi’ tab.
Here you can disable/enable wifi, change the SSID and password as you wish

Wireguard client setup

Now it is time to configure your VPN access to the VPS we have already setup!
Login to http://192.168.8.1 and on the left panel choose VPN → Wireguard Client:

Click on ‘Set up WireGuard Manually’, and click on the ‘Configuration’ tab:

On your VPS, run the following command as root:
# cat /docker/wireguard/config/peer_vpnminer01/peer_vpnminer01.conf

Paste the output of that into your browser for the Wireguard configuration

You will then get:

Give your VPN a friendly name.

You will be greeted with:

Do the following:

  • Slide the tab to ‘Allow Access Local Network’ - this is so we can see our equipment on the LAN interface of the GL.Inet. Confirm the warning box
  • Click on ‘Connect’

After ~30 seconds or so you should see that it has connected by showing the IP address and ‘Upload/Download’
inet15

You can confirm this on your VPS by running:

# docker exec -it wireguard ping 10.100.10.2

Output should look like this:

inet16

Hit Ctrl-C or Cmd-C to quit

NOTE: If you run into issues at this point you have a connectivity issue - or wireguard client/server issue - figure it out :slight_smile:

NOTE: At this point, any Wifi or LAN client plugged into the GL.Inet WILL go through the VPN connection and exit via the VPS - and NOT through the host’s Internet. We can change this by using the VPN policy later, see where we setup a new miner further down if you want to do that.

Configuring nginx-proxy-manager

Now for the cool stuff - let’s discuss what nginx-proxy-manager is first,

Nginx-proxy-manager is known as a ‘reverse proxy’ and will sit and listen for connections on your VPS and based on the content asked for, then forward it to the destination you want to send it to via the VPN connection.

This part will assume you managed your ‘domain name’ settings mentioned in the VPS section

First let’s configure nginx-proxy-manager, it will be avaiable on http://wireguard.mydomain.com:9099/

You will be greeted by this screen:

The default username is: admin@example.com and password is ‘changeme’

You then see:
nginx2

You need to change at least the email address but of course can also change your Name and Nickname here then click ‘Save’ to continue

Next you see:
nginx3

Type in the current password (‘changeme’) and enter a new password and click ‘Save’ to continue

You should then be greeted with:

Where you can see yourself (the administrator), email address and role.

nginx-proxy-manager ACL's

Next - let’s create a user to authenticate when they visit pages on this VPS.

Click on ‘Access Lists’ at the top, it should look like this:

Click the ‘Add Access List’ button

Give your access list a name, such as ‘VPS VPN users’

  • Enable the ‘Satisfy Any’ flag
  • Do not enable ‘Pass Auth to Host’
  • Now click on the ‘Authorization’ tab

Specify a user and a password and click ‘Save’
nginx7

Click ‘Save’ again and we should get back to the ‘Access Lists’ tab looking like this:

That’s it - lets move on!

Proxying GL.Inet GUI

Now we can finally do the first cool thing - make the gl.inet’s management interface available on the Internet through the VPS!

Click on Hosts->Proxy Hosts as pictured here:
nginx9

At this point it should be empty like this:

Now click ‘Add Proxy Host’

Fill it in to look like this:

To explain each field:

  • ‘Domain Names’ is the DNS name of the URL - in our example glinet.mydomain.com
  • ‘Scheme’ can be http or https, we know that the gl.inet presents pages over http so choose ‘http’
  • ‘Forward Hostname / IP’ - as we know from when we setup the GL.Inet’s VPN connectivity, it has the IP address of 10.100.10.2, so we type that
  • ‘Forward Port’ - since this is ‘http’ traffic it is on port ‘80’, so we type that
  • We leave ‘Access List’ to ‘Publicly Accessible’ as the Gl.Inet does its own authentication (when we setup the GL.Inet)
  • Click ‘Save’ for now

It should look like this:

As you can see, we now have http://glinet.mydomain.com setup to forward to http://10.100.10.2:80 which is Public and shows as Online - which means that our nginx-proxy-manager can see the destination

Of course the next step is to browse to http://glinet.mydomain.com and make sure it works!
NOTE: Do not login!

If you made an error, the page will time out - go over the above and check that you did everything ok.

Now - let’s make this secure!

Go back to same screen and click the ‘menu’ button and choose ‘Edit’
nginx13

Now click on the ‘SSL’ tab and it should look like this:
image

To explain each field:

  • ‘SSL Certificate’ should be set to ‘Request a new SSL Certificate’ this is so nginx-proxy-manager can reach out to the certificate authority, verify your ownership of the name, and then issue a certificate for this name
  • ‘Force SSL’ will ensure that traffic to the unsecure version of your site (http://glinet.mydomain.com) automatically get re-directed to the secure version (https://glinet.mydomain.com) to keep it secure
  • ‘I Agree…’ is of course to agree to the TOS of Let’s Encrypt - who will be issueing your secure certificate
  • Click ‘Save’

At this point, nginx-proxy-manager will reach out to the certificate authority (Let’s Encrypt), check, validate and issue the certificate, once done you can verify it by browsing to https://glinet.mydomain.com

Now you should notice the ‘padlock’ icon when browsing the site, and can therefore now authenticate with the GL.Inet, knowing that traffic is end-to-end encrypted

Well done, you have setup your first reverse proxy site!

Proxying a miner's web interface

Moving on to a real-world implementation.

Let’s say you have a new miner/rig/hotspot and you want to have its web interface exposed like you did with the GL.Inet above.

Firstly - of course plug in the miner onto the LAN port (or Wifi) of the GL.Inet.

Then, access your GL.Inet’s webUI and click on the ‘Clients’ tab, you should see something like this:

Make a note of the IP address and the ‘MAC’ address of the device

Setting a static lease

Next, we need to ensure that this device, with this particular MAC get the same IP address every time.
NOT doing this will cause the device to get a random IP and therefore break any of the traffic we send from the VPS to your device.

Now, let’s click on ‘More Settings’ and then ‘LAN IP’ you should see something like this:

Type in the previously noted MAC and IP address of the miner you have plugged into the LAN port and click ‘Add’
In my example this is 192.168.8.181

Now that we know the IP address, we can setup nginx-proxy-manager to send traffic to it!

nginx-proxy-manager webgui proxy

Back on your nginx-proxy-manager Administration web interface, click on Hosts → Proxy Hosts → Add Proxy Host
miner4

Now, as before, we simply fill in the relevant information:

To explain each one:

  • ‘Domain Names’ would be the DNS name / URL you would like to make this accessable on, I called mine sensecap.mydomain.com
  • ‘Scheme’ again is ‘http’ as the Sensecap has a dashboard on http which is port 80
  • ‘Forward Hostname / IP’ as we just saw on the GL.Inet, the miner had a IP address of 192.168.8.181 so we type this here
  • ‘Forward Port’ again is port ‘80’ as that is the port exposed on the miner
  • ‘Access List’ we change to our Access list we created on initial setup, so we choose that, since the miner does not authenticate users and we do not wish to have this particular interface exposed on the internet for everybody to see
  • Click ‘Save’ to create this rule

You should now see this:

As you can see, we added the sensecap entry and it is going to 192.168.8.181 as we specified and it will authenticate using the access list we created, and we can see that nginx-proxy-manager does see this host as online!

Next - we need make this interface secure, so again we click ‘Edit’ on out sensecap entry we created:

Click on the ‘SSL’ tab and choose the exact same information as last time

NOTE: Ensure you click ‘Request a new SSL certificate’ we will not re-use your glinet certificate as that would cause failures

Click ‘Save’ to proceed

Now let’s browse to http://sensecap.mydomain.com

It should automatically redirect to https://sensecap.mydomain.com and…like magic we see the login page
miner9
r

NOTE: We used ‘Access List’ for the above generation so this example is applicable to all cases, however in this particular example (of Sensecap) authentication is required anyway (CPU ID and Password) and therefore the ‘double authentication’ is probably not strictly necessary :slight_smile:

Streaming a port (CG-NAT/LTE/etc)

Let’s use the same case above but assume we have a device which needs a particular port forwarded to the hosted device.
In this case, we want TCP port 44158 forwarded from our VPS to the Sensecap we have on 192.168.8.181 as per our example above, because our host is on a CG-NAT/LTE/Offgrid network

Stream configuration on nginx-proxy-manager)

First, login to your nginx-proxy-manager administration interface, and go to Hosts → Streams

It should look like this:

Now let’s click on ‘Add Stream’

Fill in the required details:
streams3

To explain each setting,

  • ‘Incoming Port’ is the port we are waiting for traffic on, in our case 44158
  • ‘Forward Host’ is where we are going to send this traffic to, of course this is our miner on 192.168.8.181
  • ‘Forward Port’ is the port we are sending the traffic to on the forward host, so this is sstill 44158
  • ‘TCP Forwarding’ needs to be enabled as this Helium’s port forwarding is TCP only

Click save and it should look like this:

Now, for security’s sake, when we intalled nging-proxy-manager with Docker we only gave access to the ports needed, so we need to quickly modify this configuration, edit the file /docker/docker-compose.yaml

Scroll down to the section that says:

    ports:
      - 80:80
      - 443:443
      - 9099:81 # Admin Web Port

And add the new last line:

    ports:
      - 80:80
      - 443:443
      - 9099:81 # Admin Web Port
      - 44158:44158 # 192.168.8.181:44158 port forward for Sensecap

Save and exit the file
Now let’s re-start nginx-proxy-manager with this configuration

# docker-compose -f /docker/docker-compose.yaml up -d nginx-proxy-manager
wireguard is up-to-date
Recreating nginx-proxy-manager ... done
#

And we’re done!

Let’s browse over to Open Port Check Tool - Test Port Forwarding on Your Router and test this:

image

  • Under ‘Remote Address’ fill in the domain name we used - in our example, wireguard.mydomain.com
  • Under ‘Port Number’ we enter ‘44158’ as configured above

Click on ‘Check’ and it should come back saying that Port 44158 is open, confirming that all is well!

FAQ

Frequently asked Questions & Answers

How do I exclude a client from the VPN?

Let’s say you want to exclude a particular device plugged into the ‘LAN’ (of WiFi) side of the GL.Inet.

You can do this by setting up the relevant policy on the Gl.Inet device, simply browse to VPN → VPN Policies

NOTE: At least on Gl.Inet firmware 3.211 there is a bug present where 'Do not use VPN for the following ’ breaks on any VPN re-connection - therefore we need to invert our logic and use ‘Only allow the following use VPN’

image

Then set the buttons as shown below:

  • And ensure you click on the relevant MAC address you want to include being routed through the VPN (and instead use your host’s Internet) instead
  • Click Apply

A note about Helium

Many might get to this guide wondering about Helium and if they should use this or not. Here’s my thoughts.

If you have miners at several hosts

  • You probably want to use your host’s Internet connection, which will lower latency
  • You will have the capabilities to configure/reach the host’s router for configuration if needed remotely and be able to reach your miner’s dashboard if they have one
  • Therefore - you should probably follow the ‘How do I exclude a client from the VPN?’ item above

If you have offgrid miners / miners on a LTE/CG-NAT connection

  • You should consider if you WANT to appear to be relayed or not - not being relayed has a SIGNIFICANT impact on bandwidth use, and therefore might incur extra cost or throttling of the connection
  • If you want to be relayed - you should exclude the MAC of the miner as mentioned above
  • If you DO NOT want to be relayed, you should not take any action as the default is to route everything through the VPS - which in turn will ‘sort out’ the relay’d issue

If you have multiple miners in one location

  • Then you are a bad boy, go away!

I want pingboot?

Or reboot-on-no-ping, etc.

Relatively simple, SSH to the router, make a file in /root called pingboot.sh and make it look something like this:

#!/bin/sh
#

dest=8.8.8.8

ping -c1 -W120 $dest >/dev/null 2>/dev/null
RC=$?

if [ $RC != 0 ] ; then
        echo Ping failed, rebooting
        /sbin/reboot
else
        echo Ping to $dest OK
fi

Mark the file as excutable:

chmod +x /root/pingboot.sh

Now run:

crontab -e

And insert:

*/15 * * * * /root/pingboot.sh

Which means it will run the script every 15 minutes.

This is too complex!

Appreciate the instructions and need help in doing it? Give me a shout on Discord and we can sort something out.

Happy customers incl:
– 619OTA
– Phayu94
– WeMountHotspots

3 Likes

Additional content reservation

Additional content reservation

Additional content reservation