Follow up from https://lemmy.world/post/37310527
We did it gang, and we went even further to be able to enter the LUKS password from anywhere via Tailscale.
The general Dropbear info from the Debian wiki seems accurate though it included dropbearconvert usage that wasn’t mentioned elsewhere. Unsure if that was needed or not but I did it anyway.
I also referenced this guide. I especially enjoyed the -c cryptroot-unlock param to Dropbear so it automatically prompts me for the password on login.
I’ve been getting familiar with Tailscale over the past few weeks and also just replaced my home router (immediately flashed with OpenWRT). Turns out you can run Tailscale on OpenWRT and cajigger it in a way that you can use the router as an exit node while allowing LAN access. So, I did that. Now, with Dropbear, the static IP in my initramfs, and Tailscale, if the server reboots while I’m away from home I can SSH via my phone and enter the LUKS password to allow it to boot.
… mostly it’s just going to be when I don’t want to dig behind my desk to plug in a keyboard, but the truly remote option is nice too.
Thanks for all the input.


Did you run into any issues setting up dropbear or did you get it working on the first try?
I’m attempting to follow the same guide that you linked to, the only difference being that I haven’t configured a static IP (I don’t think this step is required). Every other instruction, I believe I’ve followed to the letter (for the new version).
Where I’m stuck is after copying the client’s public key to the server, updating initrd, rebooting, waiting for the disk encryption prompt, and issuing ping <server-ip> on the client (replacing <server-ip> and <port-number> with the actual IP and port number):
myuser@client:~$ ping <server-ip>
PING <server-ip> (<server-ip>) 56(84) bytes of data.
From <server-ip> icmp_seq=10 Destination Host Unreachable
From <server-ip> icmp_seq=11 Destination Host Unreachable
Unsurprisingly, I’m unable to ssh in from the client:
myuser@client:~$ ssh -i ~/.ssh/dropbear -p <port-number> -o "HostKeyAlgorithms ssh-rsa" root@<server-ip>
ssh: connect to host <server-ip> port <port-number>: No route to host
Since the server is a laptop, I can physically enter the decryption key on the server itself, and then go back to the client and ping the server successfully.
I have not attempted the steps described on the Debian wiki (networking setup or converting the public keys to PEM). Should I add IP=:::::eth0:dhcp to initramfs.conf? Any pointers on what I should check?
EDIT: I’m attempting all of this over wifi, in case that matters (I have a feeling it matters, but I’m not sure what I’m supposed to do differently).
EDIT 2: I found a guide from 2017 by Marc Fargas (Enable Wireless networks in Debian Initramfs). Also found this thread from 2021 on StackExchange (How can I enable wireless for a dropbear-initramfs), wherein somebody links to this GH gist (Sample files to enable wireless on Debian initramfs). I’ll attempt to follow these guides and report back.
Hey bud - for the most part it worked great following the guide. The static IP was very important because dropbear is active before DNS (at least in my config) so you have to configure it in a way that you can definitively find it - and a static IP was the way. I just gave it an easy to remember one at 10.0.0.3 since I already have important things at *.1 and *.2.
Another thing that tripped me up originally is that you need to SSH as the root user. That doesn’t seem to be your problem since you’re not getting there over the network, but FYI for when you fix it.
That’s definitely a network problem. Maybe fire it up and then check your router for active IP leases and see which one it took?
It probably shouldn’t matter in any super meaningful way, but I do have mine hardwired with cat6 so that could definitely be a difference.
Definitely let us know how it goes - you’re adding to the knowledge pool and that’s awesome.
EDIT: Make sure you can find it on the network first, then work backwards from there. At the moment, it seems like you aren’t getting network connectivity.
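Added example, not part of the thread: a small shell check for the two settings discussed above, the IP= value in initramfs.conf and the -c cryptroot-unlock option passed to Dropbear. Field order follows the kernel's ip= syntax; the function names, gateway, netmask and port are constructed for illustration, and the static/dhcp classification is a simplified reading of that syntax.

```sh
#!/bin/sh
# Added example (not from the thread). Field order follows the kernel's
# ip= syntax: client-ip:server-ip:gateway:netmask:hostname:device:autoconf

# Print field number $2 of the colon-separated value $1.
field() { printf '%s\n' "$1" | cut -d: -f"$2"; }

# Classify an IP= value as "static <addr> on <dev>", "dhcp on <dev>",
# "none" (networking disabled) or "invalid". Simplified assumption: an
# explicit address with autoconf empty or off is treated as static.
ip_mode() {
    case "$1" in
        *:*) ;;                               # full form, parsed below
        ""|on|any|dhcp) echo "dhcp on any"; return ;;
        off|none) echo "none"; return ;;
        *) echo "invalid"; return ;;
    esac
    addr=$(field "$1" 1); dev=$(field "$1" 6); auto=$(field "$1" 7)
    case "$auto" in
        dhcp|on|any) echo "dhcp on ${dev:-any}" ;;
        "") if [ -n "$addr" ]; then echo "static $addr on ${dev:-any}"
            else echo "dhcp on ${dev:-any}"; fi ;;
        off|none)
            # Autoconfiguration disabled: only usable with an address.
            if [ -n "$addr" ]; then echo "static $addr on ${dev:-any}"
            else echo "invalid"; fi ;;
        *) echo "invalid" ;;
    esac
}

# Succeed if a Dropbear option string forces cryptroot-unlock via -c,
# so a login can only run the unlock prompt and nothing else.
has_forced_unlock() {
    case " $1 " in
        *" -c cryptroot-unlock "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample values mirroring the two setups in the thread.
# Gateway, netmask and port 2222 are assumptions, not from the posts.
ip_mode "10.0.0.3::10.0.0.1:255.255.255.0::eth0:off"
ip_mode ":::::eth0:dhcp"
has_forced_unlock "-p 2222 -s -c cryptroot-unlock" && echo "forced unlock set"
```

A "dhcp" result means the address has to be looked up in the router's lease table after each boot, which is the situation the static address avoids.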