Network architecture used in Bitscout
Written by Vitaly Kamluk
A running Bitscout instance uses multiple network interfaces, and if you are an expert using it, you should understand how its network communication is designed.
By default Bitscout exposes no ports to the local network. It will attempt to connect to the VPN server specified in the OpenVPN configuration (see config/openvpn/scout.conf.client in the build directory). Once the VPN connection is established, TCP port 22 becomes available over the VPN link.
If you are using Bitscout inside your LAN or trying it on a VM, you (in the role of system owner) may enable connections from the LAN using the Bitscout management tool menu (Network -> Enable Access from LAN), as shown below:
If you are the owner or have absolute trust in the remote user, you may want to connect outside of the container via SSH. In this case you should enable connections to the host via the Bitscout management tool (Network -> Enable Host Control).
Unmodified Bitscout uses the following subnets by default:
For the expert’s convenience, Bitscout by default forwards a number of TCP ports via the VPN link to the container. To better understand this scheme, look at the diagram below:
Physical interfaces on the host system may include, but are not limited to, Ethernet and Wi-Fi network cards, which are named by default as follows:
If the VPN connection is established, you may see a virtual network interface tap0 on the host. By default this interface should have IP 10.1.0.2, which is assigned by the VPN server.
In addition, there is a virtual interface that is used to communicate with the expert’s container:
Inside the container you should see just one interface (excluding loopback lo): eth0 with IP 10.0.3.2. This interface is used to communicate with the host system. The host system uses it to forward SSH connections (TCP port 22) from the VPN link to the container, as well as a few other reserved ports.
Default port forwarding is set up via iptables in the following shell script: /sbin/host-iptables. If you want to change it before it is integrated into the root filesystem, change it in your build directory at ./resources/sbin/host-iptables.
Currently the following ports are forwarded from the VPN IP address (10.1.0.2) to the container (10.0.3.2):
tcp port 22 (VPN) => tcp port 22 (container)
tcp port 2000 (VPN) => tcp port 2000 (container)
tcp port 2001 (VPN) => tcp port 2001 (container)
…
tcp port 2009 (VPN) => tcp port 2009 (container)
Port 22 is used for the SSH service, while ports 2000-2009 are reserved for other services that the expert may use, such as a network block device service or anything else.
Bitscout relies mainly on iptables, which is set up during system startup via the /sbin/host-iptables script (./resources/sbin/host-iptables in the Bitscout build directory). Feel free to modify the file to your needs.
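After modifying host-iptables, it is worth confirming that the loaded rules still forward only the documented ports over the VPN link. The check below is an added example, not part of Bitscout: it reads `iptables-save -t nat` output and assumes the forwards appear as DNAT rules matched by destination address or by the tap0 interface; the sample ruleset and the interface name enp0s3 are constructed.

```python
import shlex

VPN_IP, CONTAINER_IP, VPN_IF = "10.1.0.2", "10.0.3.2", "tap0"  # values from this page
EXPECTED = {22} | set(range(2000, 2010))                       # 22 and 2000-2009

# Constructed sample of `iptables-save -t nat` output (enp0s3 is a made-up LAN NIC).
SAMPLE = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -d 10.1.0.2/32 -p tcp -m tcp --dport 22 -j DNAT --to-destination 10.0.3.2:22
-A PREROUTING -d 10.1.0.2/32 -p tcp -m tcp --dport 2000:2008 -j DNAT --to-destination 10.0.3.2
-A PREROUTING -i enp0s3 -p tcp -m tcp --dport 22 -j DNAT --to-destination 10.0.3.2:22
-A PREROUTING -d 10.1.0.2/32 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 10.0.3.2:8080
COMMIT
"""

def ports(spec):
    """Expand '22', '2000:2009' or '22,2000:2009' into a set of ints."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        out |= set(range(int(lo), int(hi or lo) + 1))
    return out

def audit(ruleset):
    """Return (findings, missing documented ports) for DNAT rules in iptables-save text."""
    findings, seen = [], set()
    for line in ruleset.splitlines():
        tok = shlex.split(line)
        if "DNAT" not in tok or "--to-destination" not in tok:
            continue  # table headers, chain policies, COMMIT, non-DNAT rules
        opt = lambda *names: next((tok[tok.index(n) + 1] for n in names if n in tok), None)
        dst, dport = opt("-d", "--destination"), opt("--dport", "--dports")
        target = opt("--to-destination").split(":")[0]
        fwd = ports(dport) if dport else None  # None: rule matches every port
        if dst not in (VPN_IP, VPN_IP + "/32") and opt("-i", "--in-interface") != VPN_IF:
            findings.append(f"not limited to the VPN link: {line}")
        elif target != CONTAINER_IP:
            findings.append(f"forwards to {target}, not the container: {line}")
        elif fwd is None or fwd - EXPECTED:
            findings.append(f"ports outside 22/2000-2009: {line}")
        else:
            seen |= fwd
    return findings, sorted(EXPECTED - seen)

if __name__ == "__main__":
    findings, missing = audit(SAMPLE)
    print("\n".join(findings) or "no unexpected forwards")
    print("documented ports not forwarded:", missing)
```

On a live host, pass the output of `iptables-save -t nat` to `audit()` instead of the sample.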
If you find any bugs or problems with the project, please open an issue over on GitHub.
Feel free to tweet at me if you have suggestions for Bitscout. Or if you just want to say hi.