Freya

IntraNet

Posted: 2023-09-28 Thu 14:09

IntraNet

So what is even a IntraNet? Well, it's an inernal network of computers contained from the outside network. They can be used to host services, software, applications, and more, but not give access to the outside world. If you can connect to a service from any public ip, we say thats on the public internet. Even if the application is secured, and it's open to the public going....

Hey i exist!!!!

...anyone can access it. We all have herd of the times when companies internal services were accidentally made publically available to the outside web, and then how they end up getting pwned (im looking at you hospitals).

But why would I want it?

Well the main reason is it seemed fun. I like to do new things at times, and It seemed like a cool project. Also I want very keen on keeping many of my internal services public. Yes they were secured by single sign, and ip whitelisted, but I really didnt feel like anyone should be able to send any http request to my nextcloud instance, or any other service im running. Also whitelisting IPs was very annoying. Ive already seen what can happen to mail servers (foreshadowing), so Id like to keep as much stuff internal that I possibly can.

Network Architecture and Design

Well how does it work?!

Well its fairly simple. I run a dual DNS setup, my own CA, and wireguard to add the ability to vpn into the network. First, I run Bind on my network which runs as my internal DNS server. This reroutes any domain name under "in.freya.cat" to the device on the network that is hosting that service. For example "cloud.in.freya.cat" is routed to my server that is running my internal Nextcloud instance. Now If I was right, you might of just tried to access my nextcloud, but instead you should of gotten something that says ACCESS DENIED!

You have been blocked! Haha. This is where the 2nd DNS comes in. Since my domain is registered through cloudflare, any DNS request gets routed to my Hetzner VPS which acts as a public sinkhole for my entire internal network. If you try accessing any of my services, you cant. Instead of getting the right ip, you get hetzner. And even if you knew the ip, it wouldn't matter since they are LAN ips and arent even port forwarded outside my network. This is also why I use wireguard, as It allows me to vpn into my network and access my services even while im away from home.

Network Routing

Ok so thats cool and all but how do you even route your traffic?

At first, I just created IPs using the wireguard configs, and then had /etc/local.d start scripts that would wg-quick up on computer startup. This worked, but it made routing traffic really hard. It was fine when I only had two servers, my VPS and my house, but as soon as I started to try to add more servers, everything fell apart. This is because in the Allowed IPs section of a config, you have to set what IPs are routed though that wireguard interface. So if one sever adds another server I can talk too, every other server has to manually update what they route to that server. For eaxample if Server A was talking to only Server B, but Server B could talk to Server C, Server A would have to put that Server B gets all traffic for Server B and C. So I needed a solution to automatically generate route, beacuse doing it manually wasnt going to cut it anymore.

OSPF

Ah, yes, the solution is OSPF. OSPF, or Open Shortest Path First, is a protocol designed for this very purpose. Its mostly seen in companies (like ISPs) that run their own ASN (autonomous system), because they have thousands of servers that all need to be able to route traffic to eachother. So the goal was to still use wireguard to pass the traffic though, but instead to run a OSPF daemon over those wireguard tunnels to route my traffic! The solution was a piece of software called bird. Bird can do more than OSPF, it can also route protocols such as BGP, but that is outside of the scope for this blog post. If bird is setup of every server that was a main routing hub for my internal network, all I would have to do is say what wireguard interfaces to route ontop of. This is beacuse bird can automatically detect the IPs that you controll on your network, meaning that once it has all the serveres it can talk to, it will automatically start asking the other servers what IPs they control, and those servers will do the same. This them cascaces over the entire connection tree, peering IP routes to anywhere on the network to every server. Once that is all done, bird just creates a iptables route and all is done! Woohoo!!!

Root CA?

You might of notices I briefly mentioned that I run my own Certificate Authority, but you may be asking why? Who does that? For what reason would you need to? And I totally agree with you. I'd rather not host it if I didn't need it, but I do have a reason. Since all my internal domains are routed to my hetzner, my internal network cant complete ACME challenges. Since it cannot complete ACME challenges, Lets Encrypt wont give me a certificate for my domain. So I decided to run my own cerficiate authority. Now I don't do anything crazy, I just run step-ca inside of docker. This is great because since I use Caddy for my reverse proxy, Caddy can auto request new certificates from StepCA, and everything is automated. The only thing I have to do is install my root certificate on my devices, for which I have three. And now I have https on my internal network!

Overview

Overall, this setup allows me to run many services I want to internally. I can run my plex server, nextcloud, photo hosting with immich, sso with authentik, irc, document hosting, file syncing with syncthing, and still more to list. And with my setup, no one besides me and who I let on my network can even deam about accessing my services. This increases my security, and really was just a ton of fun to figure out and setup.

Though make sure to setup wireguard to not nat every network device or theoretically it will break dockers ip routing, and theoretically it will cause containers to see all ips as internal, and theoretically services like mailcow, an email server, will not require authentication since its totally comming from mailcow, and theoretically your email server can become an open realy. Theoretically though.

Comments