{"componentChunkName":"component---src-pages-blog-index-js","path":"/blog/","result":{"data":{"allMarkdownRemark":{"edges":[{"node":{"frontmatter":{"title":"The best possible IIIT Internet setup","description":"Setting up smart VPN and hotspot, aimed towards IIIT students","slug":"/blog/IIIT-network-setup","date":"2020-05-19","tags":["IIIT","Network","Guides"],"draft":false},"html":"

Hello!

\n

In this post, I am going to explain how to set up a seamless internet experience if you are using IIIT network.

\n

We are going to cover the following things:

\n\n

PS: This post has more theory then needed and has some very simple tutorial steps,\nyou can skip to the steps to follow at the bottom.

\n

Advantages of using a VPN

\n

Using a VPN service allows you to hide your information from anyone trying to snoop on you.\nIt also allows you to access websites and services blocked on your network. You can also use VPNs to escape Geofencing.

\n\n

But a bonus for IIIT network is that it also protects you from frequent internet outages when the proxy server is overloaded.

\n
\n\"proxy-img\"\n
\n
Working of a Proxy Server
\n

When the proxy server is overloaded each time Alice wants to talk to Bob it has to wait for proxy to process its\nrequest. So each new request has to fight for resources and cause more congestion at the proxy.\nThis is often the case with the proxy server at IIIT, even after the Student SysAdmins have tried their best to make sure it works seamlessly.

\n

But what if we could make a connection with ONE request and use the same connection as a tunnel for all other requests?\nThis is where a VPN comes in.

\n
\n\"vpn-img\"\n
\n
Working of a VPN
\n

(PS: I use NordVPN, but virtually any VPN service works in the same way)

\n

When a VPN connection is started, a tunnel is set up between your machine and the VPN server.\nAll data flowing through this tunnel is encrypted.

\n

Since the VPN server has internet access with no restrictions on websites or services.\nIt can forward your requests to the internet and return the response.

\n

Any website you visit while connected to the VPN will see your IP as the VPN server IP and location as the server's location.

\n

This is all good and simple to set up. You just need the OpenVPN config file for the VPN server you want to connect to.\nMake sure to use a config which uses TCP port 443 ( or any other unblocked port )

\n

Using port 443 is your best bet as it is used to set up HTTPS for connection and thus will never be blocked.

\n

So now the VPN is set up and working.\nAll the websites you visit are routed through the VPN server giving you limitless freedom.

\n

But if you try to access any website on the IIIT intranet (like: Proxy Status, IIIT GitLab or Intranet Index ) it won't work.

\n

This is because these are hosted inside the IIIT network and are not available on the internet.

\n

Network interfaces and kernel magic

\n

Each laptop has one (or more) hardware network cards. These cards allow the machine to connect to networks. Usually, a laptop will contain an ethernet card and a wireless network card. So you can connect to both at once.\nThese cards only allow you to join one hardware network at a time, which is why you can connect to a wifi or use your device as a wifi hotspot but not do both at the same time.

\n

These cards are your physical network interfaces, but the kernel represents these as software network interfaces.

\n

To see all the network interfaces active right now on your machine you can run the following command

\n
$ ip link show
\n

This command will list all the network interfaces or links according to your kernel.

\n

For a ubuntu laptop, there will usually be 3 interfaces.

\n
    \n
  1. Loopback (lo)
    2. \n
  2. Ethernet (enp2s0 or similar)
    3. \n
  3. Wireless (wlp3s0 or similar)
    4. \n
\n

There may be more based on other services running on the machine and the hardware attached, for example, docker will setup the docker0 network interface. If you are interested in learning more about how docker networking works let me know in the comments!

\n

This is possible because it is not necessary for each software network interface to be attached to a network card. This allows us to set up virtual network interfaces. This is in fact how OpenVPN works. It makes a TUN/TAP and connects this to a Virtual Private Network.

\n

In this almost magical setup, the kernel treats this virtual TUN/TAP device as it would any other network device. It can send data through this interface even though the underlying piping goes through your hardware network via ethernet.

\n
\n\"openvpn-scheme\"\n
\n
OpenVPN TUN/TAP Piping
\n

Each interface may have one or more IP addresses associated with it that are valid in their corresponding network.

\n

If your machine (Machine A) is connected to IIIT network via ethernet and connected to a VPN, your eth/enp2s0 interface will have an IP address that is valid inside the IIIT network and your TUN/TAP interface will have an IP address valid inside your VPN.

\n

If another machine (Machine B) is connected to the same VPN, A & B can talk to each other using the respective VPN IP address.

\n

Fun Fact: The DHCP server of IIIT assigns IP addresses to you based on where you are on campus. If you are connected via the IIIT VPN you will get an IP that looks like 10.11.0.X.

\n

Routing Table

\nSo we now know what network interfaces are, but how does the kernel determine what packets to send on which interface?\n

Each device in a network has its own routing table which allows it to determine where to send the packet.

\n

To see the routing table for your machine run the following command.

\n
ip route show
\n
Example Output
\n
default via 192.168.1.1 dev wlp3s0 proto dhcp metric 600\n169.254.0.0/16 dev wlp3s0 proto kernel scope link metric 1000\n192.168.1.0/24 dev wlp3s0 proto kernel scope link src 192.168.1.22 metric 600
\n

Going over all the details of this routing table would be tedious, so we will focus on what matters here.\nThe format of each line is roughly

\n
<target IP range> dev <device or interface name> ..{other params}
\n

Whenever a packet is leaving from your machine, the routing table checks the destination of the packet and selects the route which matches the target IP range. Playing with the routing table allows us to select where to send packets depending on the destination!

\n

If no rule matches the destination the packet is sent through the default route which is the first line in the above example output.

\n

This means that we can set it up in such a way that if the packet is headed to the internet we send it through the TUN/TAP interface i.e. through the VPN, but if the packet destination is within the IIIT network we can send it directly to the ethernet interface.

\n

The ip command is very powerful and allows us to do a lot of things with the routing table. Look at the ip command man page for more intriguing usecases.

\n

We can add new routes using the ip route add {params} using a terminal or using the network settings. To keep things simple and to make sure that settings are persisted, I will make these changes in the network settings. This is detailed later in the post.

\n

If you are connected to a VPN your default route is set to TUN/TAP interface created by OpenVPN. To route all IIIT traffic to enp2s0 you can run the following command.

\n
sudo ip route add 10.0.0.0/8 via 10.1.34.1 dev enp2s0
\n

10.0.0.0/8 which is equivalent to 10.x.x.x which is the IP format for all devices on the IIIT network.\n10.1.34.1 is the default gateway address for my wing in OBH.\nand enp2s0 specifies the network interface to send the packet on.

\n

Creating a WiFi Hotspot with create_ap

\nWhen I am in the IIIT network connected via ethernet I like to use a hotspot created from my laptop to connect my phone to the internet. I do this mainly because the Airtel/Jio reception in my hostel room is absolutely horrendous.\n

For doing this my recommended tool is create_ap

\n

create_ap allows you to create an Access Point or Hotspot which other devices can connect to.\nInstalling the service is pretty straight forward and once you set up a persistent systemd service, you can set it up to start on boot. This means that whenever you start your laptop it will automatically set up an AP for your phone to connect to.

\n

If you face any issues with setting this up, let me know in the comments and I can write a more detailed post for the same. But here is the create_ap.conf which I use.

\n
create_ap.conf
\n
CHANNEL=default\nGATEWAY=110.0.0.1\nWPA_VERSION=2\nETC_HOSTS=0\nDHCP_DNS=110.0.0.1,10.4.20.222,10.4.20.204,8.8.8.8\nNO_DNS=0\nNO_DNSMASQ=0\nHIDDEN=0\nMAC_FILTER=0\nMAC_FILTER_ACCEPT=/etc/hostapd/hostapd.accept\nISOLATE_CLIENTS=0\nSHARE_METHOD=nat\nIEEE80211N=0\nIEEE80211AC=0\nHT_CAPAB=[HT40+]\nVHT_CAPAB=\nDRIVER=nl80211\nNO_VIRT=1\nCOUNTRY=\nFREQ_BAND=2.4\nNEW_MACADDR=\nDAEMONIZE=0\nNO_HAVEGED=0\nWIFI_IFACE=wlp3s0\nINTERNET_IFACE=enp2s0\nSSID=ViolentDelights\nPASSPHRASE=Vi0lent3nds\nUSE_PSK=0
\n

Here are the interesting parts:

\n
    \n
  1. DHCP_DNS specifies the DNS servers that all connected devices use for resolution. Here I have added 110.0.0.1 which is the dns server started by create_ap, 10.4.20.222 & 10.4.20.204 are the IIIT ns3 & ns4 servers respectively and 8.8.8.8 is a dns service by google for addresses on the internet.
    2. \n
  2. NO_VIRT tells create_ap to not create a virtual network interface and to use the WIFI_IFACE for networking.
    3. \n
  3. WIFI_IFACE specifies the interface to create the AP on & INTERNET_IFACE specifies the interface to forward the packets to. Here they are set to my WiFi IFACE and Ethernet IFACE respectively.
    4. \n
  4. If we set the INTERNET_IFACE to tun0 (created by OpenVPN) all packets received from the devices connected to the AP will be forwarded to the VPN! This is extremely useful as it allows the devices connected to the AP to bypass the entire IIIT network this means that any device which does not support proxy (PUBG on your phone, or the Xbox in your room) can connect to the internet with no issues whatsoever!
    5. \n
\n

Steps for Automating

\n

If you came to this blog post in hopes of quickly improving your network, the steps are below, but I really recommend that you go through the explanation above, this setup is not 100% stable and the above details will allow you to debug it if you ever need to. Also, it will broaden your understanding of networking in general.

\n

1. Connect to IIIT network via LAN

\n\n

2. Find the IP of your Default Gateway

\n\n

3. Setup your VPN

\n\n

4. Modify Hostel Auth network settings

\n
\n\"hostel-auth-network-settings\"\n
\n
Hostel Auth Settings will look similar to this
\n\n

5. Setup hotspot using create_ap service

\n\n
/usr/lib/systemd/system/create_ap.service
\n
[Unit]\nDescription=Create AP Service\nAfter=network.target\n\n[Service]\nType=simple\nExecStart=/usr/bin/create_ap --config /etc/create_ap.conf\nKillSignal=SIGINT\nRestart=on-failure\nRestartSec=5\n\n[Install]\nWantedBy=multi-user.target
\n

6. PROFIT!

\n

Now whenever your machine starts it will

\n\n

BONUS: When to set proxy

\n

I use the above setup extensively, it allows me to access the internet via a VPN so I can access any service which might be blocked on IIIT network.

\n

It allows makes sure that all kinds of video calling applications work on my phone when it is connected to the hotspot and also that I don't have to change any settings when I try to open moodle or access the ada server.

\n

But some services don't like it when you connect to a VPN, for example, I had trouble getting Hotstar to work as it considered me to be in the Netherlands where its service is not available.

\n

To bypass this, I started using Hotstar in Firefox and set the proxy to proxy.iiit.ac.in inside the firefox settings. This ensures that all the traffic from firefox goes through the IIIT network and thus appears to Hotstar as a connection from within the country.

\n

Conclusion

\n

It is effective to play around with the various network settings available to you if you use Linux.\nIt shows how powerful, flexible, and most importantly fun a Linux machine can be.

\n

This is the first blog post I have written and it took a loooooong time for me to complete it, I am still learning and you - the reader - can be immensely helpful by sharing this with the rest of the IIIT janta.

\n

Drop any and all feedback in the comments below and let me know what I should write about next.\nIf you try the above setup and it does not work for you, or if you have any ideas how I can improve it, leave a comment or send me an email at blog-feedback@nemani.dev.

"}},{"node":{"frontmatter":{"title":"/sbin/init: Why this blog?","description":"Hello World.","slug":"/blog/sbin-init","date":"2020-04-26","tags":["Talk","Misc"],"draft":false},"html":"

I am Arjun Nemani, a computer science student at IIIT-H and this is my personal blog.

\n

I have been thinking about writing about my technical exploits for a long time.

\n

The thought started out as a desire to emulate my role models, but it has grown a lot.

\n
\n \n
\n

I now think that having a technical blog is essential for a person like me — someone who eats, breaths and sleeps tech.

\n

I feel that writing about your work allows you to think deeply and formalize the teachings of each day. Also, it is a great way of showcasing projects in depth.

\n

This will be a place for me to share my ideas, projects, and learnings from my various pursuits.\nWhile being mostly technical I will also share what I learned from organizing various events.

\n

Thank you for joining me on this journey of self-discovery and technology.

"}}]}},"pageContext":{}},"staticQueryHashes":["3115057458"]}