This device will give me access to any network I walk in, plug in ethernet or wifi, walk away and I'm in. It's my network now. And no, it's not VPN. We'll talk more about that. But first, why are we doing this? Two reasons. Number one, I am kind of the unofficial IT guy for my church. Now being in tech, that happens a lot in almost every situation. My parents, my friends, parents' friends, you can try and escape the help desk.
It'll always find you and lemme tell you, troubleshooting their issues, especially networking. Massive pain. So here's what I'm thinking. If I'm going to be their IT guy, I'm going to do it well. I'm going to take control. I'll need full access to their networks. I'm not playing around anymore. You want support, you're going to get it. Now, reason number two would be for pen testing. Think about this.
You drop this device in any network and you suddenly have access to everything, not just that. It'll tell you what network it's on. You don't have to already know that. It'll share this device's IP address with you and you can remote into this device and do stuff on that network. If that doesn't get you excited about this,
drink more coffee, come back and see me and let's do this. Okay, so here's the mission and we're going to do this together. I need remote access to my church, which as I say, that just sounds kind of fun. We'll configure this, a Raspberry Pi. This is a 4. It can be really anything: 5, 3, Zero. It could be a NAS, a computer, a laptop, whatever you have.
It'll probably work. It just needs to be something that we can place inside this network and something like this is all you'll need. And I wasn't kidding, we'll drive up, plug it in, power it up and then leave.
And hopefully when I get back to the studio, I'll be able to see what network it's on, what IP address that device has, and I'll have full access to that network, being able to do whatever I want. Run Nmap scans, do some lateral movement, get access to other stuff, not for hacking, unless you want to do that ethically of course, don't you dare hack anyone without permission. And so I can have support for the church, and an added bonus is I'll be able to, from my studio and my data center, not only will me as a client be able to access my church's network, but I can give access to machines, to apps, to programs to connect to this church network and monitor it. And again, this is not VPN, it's so much better. But then what is it? It's Twingate, a zero trust network access solution. What does that mean? It means magic. It's free for up to five users. It's wicked fast to set up and it just works.
You don't have to worry about firewall or CGNAT or any kind of weird networking issues. You plug it in and you leave. Oh by the way, you may not be new to Twingate, but I am going to be showing you something new with this, a Python script using their API that will tell me whatever network my device ends up in. I'll show you that here in a moment. Now I've been using Twingate for a long time in my business, tried and tested, I love it. They're also the sponsor of this video and they've been sponsoring my channel for a minute.
I'm proud to partner with the product and company that I trust and use every day. Enough talking. Let's get it set up. Check the link below or go out to twingate.com yourself with your own typing fingers and you're about to be amazed at how fast this is.
We'll click on sign in at the top right, we're setting up a new account, so we'll click on create a new Twingate network. Put in your email address. How do you plan to use it? At home. And let's get started. I'll call it a home lab. How did I hear about it?
Let's say other, type in NetworkChuck. All of you do this now. I'm just kidding. I don't care what you pick, but if I had to care and you want me to choose for you, this one. Continue. So now we're at the point where it's going to create our Twingate network. You can change the name if you want. I like this one, Reach.
It's the name of my church and now I'll click go to my network and we'll choose a sign-in method and they have an identity provider for pretty much anything. Pick your poison. I'm going to go with Google. Building my network and we're almost done. Little coffee break. By the way, have you hacked the YouTube algorithm today? Let's make sure you do. Hit that like button, notification bell, comment, subscribe. You got to hack YouTube today, ethically, of course. I haven't said that in a while. It felt good. Anyways,
let's start the setup. You know what? I want to skip all this. We can do all this later. I'll click on skip to admin console. And just so you know right here is your network, it lives in the cloud.
Twingate handles it for you. And the whole point of this is so I can access a remote network. Let's configure one right now. Click on that remote networks and then we'll add a remote network by clicking on the plus remote network button. Location, it's going to be on premise and we'll call it whatever we want.
I'm going to call it the church and add remote network. So we've created the remote network for my church, but how do I get to it? It's with these right here, connectors. That makes sense, right? A connector is going to connect us to this remote network.
Let's jump into this config right now and make one happen. I'll click on the church and our next step is going to be deploying a connector. Now what exactly is that? It's going to be this device here, the Raspberry Pi, or whatever device you have. Twingate software operating as a connector will live on this device inside the network you want to access. So real quick,
before you click on deploy connector, make sure your device is ready to go. So for me, I'm going to take out the SD card and re-flash it and I'll walk you through that real quick. So if you have a Raspberry Pi, perfect, 4, 5, 3, Zero, whatever, walk with me real quick. We're going to take our SD card, put it into an SD card reader, so closeup and pop it into my computer.
I'll be right back. Now we're going to flash it or write a new operating system to the SD card using a tool called the Raspberry Pi Imager. You can download it from the internet. I'll have it linked below somewhere. Choose your device. Again,
I have the Raspberry Pi 4. Choose your OS. I want a GUI that I can remote into with VNC, so I'm going to do the Raspberry Pi OS 64-bit right here. Choose our storage. Make sure you choose wisely. Don't overwrite something important. Like that guy right there that has some pictures for the church.
Actually I can't delete that. And then we'll click on next. Now here we have a chance to kind of pre-bake our Raspberry Pi. We'll click on edit settings. We can add things like the name, remote reach, set a username and password, and then you can configure wifi. Keeping in mind, this will be the wifi for us right now to pre-configure the Pi before we put it into the remote network. That's all I care about. Click on save.
I do want to apply these settings. Click on yes, yes and perfect time for a coffee break and mine is done. Continue. I'll grab my SD card. Got it. Plug that sucker back into my Raspberry Pi and try to find a power cable that I lost. I'll be right back.
That one you had one somewhere. Now by the way, we're doing this on a Raspberry Pi. Again, you could do this on pretty much any device. It's fully supported by Twingate. When we click on Deploy connector, we'll go ahead and do that right now. Deploy connector, look at the options.
I think everything is supported except for Windows and even then you can deploy that on Docker on Windows with WSL. Anyways, I'm going to give this a moment to connect and at this point you could just connect a monitor and keyboard and watch it come up. I'm going to wait for an IP address to register on my router and then I'll connect to that. So I'll jump into UniFi real quick and see if we can find them. And there it is, remote reach. I'll grab the IP address,
launch my terminal and get logged in. First thing we always do in Linux is a sudo apt update, updating all our repos, and then we'll go to Twingate once more. For Raspberry Pi, I'm going to do a Linux-based deployment, so I'll select that and watch this. It's going to be so easy. We'll scroll down until we see generate tokens. Twingate is an enterprise-class zero trust network access solution, meaning that it's for big companies. And why I love companies like this is they say, you know what? Home lab users, it's free for you guys because they know you're going to love it so much. You'll take it to your company but tokens and makes it super secure.
If you want to learn more about how the tokens work, they have documentation or I've got a video where I talk about it right here. Click on generate tokens. It's going to make you authenticate once more, authenticate in the same way you did before. I'm going to hide mine, but your tokens should be generated. You don't have to worry about them. They're just going to be sitting there and they should already be added to this command down here that you're going to copy. And this is our final step.
Click on copy command just like that. Go back to your terminal and paste that command in. That's going to look crazy. It's going to have my keys in it, so I'm going to hide a lot of this command and hit enter. That's going to take care of everything for you. Seriously. Take a sip of coffee, you're about to celebrate and that's it. It's done. How do we know it works? Let's go check Twingate.
Actually it already said you're good, buddy. Refresh our page real quick. Just make sure everything's good. Yes, controller is connected, relay is connected. This is our connector right here. The beige nuthatch. I love their randomly generated names. If we go back to the church, you should always go back to the church.
We'll see that we have our on-premise remote network. We've got one connector connected. Yes, you can connect more than one connector to make it redundant. That's awesome.
And now the hard part is done, but you do have to make a choice real quick. When you plug in your device into your remote network, whatever it is, are you going to hardwire it, connect via ethernet? This is definitely the easier option because you just have to walk in, literally plug it in and go away. Or are you going to use wifi? Now, if you're going to use wifi, that obviously means you'll need to know the wifi connection of the remote network you're connecting to. For most of us,
if we're using it for support for our families, parents' house or a church that we already manage their IT for, you'll probably know the wifi. Best case scenario though is that you connect via ethernet because the connection will just be more stable. You don't have to worry about it so much and 10 times out of 10 you want to do it that way. But there may be a scenario where you're shipping it to somebody, maybe your parents and friends or family don't live near you but they still need support. You can pre-configure the wifi,
ship it to them and all they have to do is open it up, plug it in, boom, you're in. Which is such a cool idea, right? Merry Christmas. I control your network to help you. Now to quickly add wifi to our Raspberry Pi, we can use this command, nmtui. I'm adding sudo before that just in case. The network manager. And we'll select edit a connection and we'll scroll over to the right with our directional arrows and click on add, or not click, highlight add, hit enter. DSL, InfiniBand. Anyways, we're going to do wifi and you'll put in the wifi information.
You can leave profile name and device just default. You don't have to worry about that. For SSID, obviously you'll need to put something here. You'll need to know the SSID and the password for the wifi. Do I have this for my church? Oh yeah, I found it. Okay, SSID. We'll keep the mode at client. Security, it uses, I should know this. I set it up.
It's going to be WPA2 Personal and then I'll put in the password and that should be all we need. IPv4 config. We'll leave it automatic. We're not going to need that. Although you could put in the static IP address. If you already know the IP address scheme or network of the remote network, you may not know it. Hit OK and then we'll hit escape and tab over to OK, and that's it. And now that wifi will be searched for every time it boots up and it looks for a wifi network to connect to. Now time to drop it off at the church. Let's go. I'm going to unplug it. Grab the power cable and I'll meet you there.
Okay, I'm back. Fingers crossed. We'll have access. Let's test it out. Twingate kicked me out. It's a timeout. That's good. That's good for security.
Let's get logged back in and look at that. Okay, so here we go. It's connected, our connector. We moved it to a different network, a remote network. It's up. Cool. Now what? Well at this point, if you didn't already know the network of the remote network, so like the IP address range, you didn't know any hosts there. Whatcha going to do? Python script. One thing that's really cool about Twingate amongst a million things is they have a pretty killer API. Hey, NetworkChuck from the future here. Just so you know, you don't have to do all this fancy API stuff if you already know the network you're trying to connect to. So for example,
if you know that your parents' network is 192.168.1.0/24 and the private IP address of your Raspberry Pi that you manually set is 192.168.1.23, you can go into Twingate and manually add that resource. That's the best way to do it. But if you're like me and you don't know anything, this script using the API will auto discover that for you, creating a resource based on the IP address, the private IP address of the Raspberry Pi that you had dropped in there. That's it. Now back to me. We're going to go there right now. So let's go to, I think it's settings and what do you know, it's right there.
Let me head on over to API. I dunno what an API is. Essentially Twingate says here we have some stuff that you can talk to to find out about us, or not really us, about your networks. You can find out things and you can also change things. What am I talking about?
You're about to see. Okay, so first thing we'll do is generate API token right now. So go ahead and click on that button right there. We'll call this, I don't know, my token, just something. Permission, I'm going to go everything right now.
It will be provisioning a resource, the script. So go ahead and give it everything. Allowed ranges, everything. That's what this means. If you want to restrict that, you can click on generate. Here's my key. You can't see it, I'm not going to show you. Just make sure you copy that. Put it somewhere safe. And then on your computer,
this could be Windows, Linux, whatever, as long as you have Python installed. I'm going to do this on my Ubuntu machine here in WSL. I'll create a new Python script. I'll use nano. nano, I'll call it twingate.py, just like this. And then I'll copy and paste this config or this script. I'll have all of this below in the description. I'll paste that right in here. Now a few things you'll want to change. We'll go to the very top here.
We got to custom fit this to your network. First thing is your API URL. This will be the URL of your network. So mine was reach.twingate.com. I'm going to change that right here. You have no idea how powerful this is, what we're about to do. Reach. And then remember that API key we just created like three seconds ago. You're going to put that sucker right here between double quotes.
I'm going to grab mine, paste it right here. And then finally this field right here is the last thing we have to do. Your target network. That's going to be the network we just created.
I forgot what I named mine, so I'm going to have to look in a second. Like right now. What did I call it? Remote networks. Oh, I called it the church. You probably remembered I didn't. So we'll call it the church.
And what's going to happen here with the script is it's going to reach out with the Twingate API to our controller, the brain. It's going to authenticate itself with the API key. This is our key. And then it's going to go, Hey, can you tell me the IP address of the connector, both the public IP address and the private IP address, giving us a ton of information about that network. Let's do this. So we'll hit control X, Y, enter to save. And then with Python, we're going to run the script. python3 twingate.py. Ready? Set, please work. Oh, I forgot. There are some prerequisites we have to install.
I'm such a dummy. So here's what we'll do real quick. We're going to create a Python virtual environment. Command will be python3 -m, specifying module. And we're going to use the virtual environment module, or venv, and we'll call it twingate something. And that's it.
Python virtual environment is like creating a little safe space for us to play around and not mess with anything else. And then we'll activate that environment by typing in source, then twingate something, our virtual environment, /bin/activate. Boom.
Our Python virtual environment is active. Now we'll install some prereqs real quick. We'll use pip to install. I believe it's going to be gql. Yes, that might be enough. Let's try and run our script right now. Nope, we need requests. pip install requests. That's another Python module. Got it. Let's try it again. requests_toolbelt. Okay, we're almost there.
requests_toolbelt. Install that. Now let's try. Look at it go. Okay, I'm not going to show it here. At least I won't show the public IP. It found the public IP and then it found the private IP address right here of our Raspberry Pi, our connector we deployed inside that network.
Now it didn't just find it, it created a resource. If I go to Twingate right now, I jump into, I'll jump the church. Let's go. Do you see that? I actually created a few resources. Why did it do that? I'll have to look at my script again.
But one of these private IP addresses is our connector. Let's try and connect to it. Now, the way Twingate works is you'll need a client, a Twingate client to connect to anything. So you'll sign in with your Twingate client. You can install the client on any device. So Windows, Mac, Linux, iPhone,
Android, and then you'll use that to sign in and access the resources you have access to. So let's get logged in. I'm going to download Twingate. I think I already have it installed, actually. Lemme see. Oh I do. I do. Twingate. There you are. But as you can see here, I could just download it.
Twingate for Windows. Do the MSI installer if I wanted to. Oh, it downloaded it for me. It's got all the platforms. And now you'll have to switch over to my other monitor because it's looking at my bottom right tray to do this. Wants an update,
I'm going to update it real quick. Make sure it all works. Actually, it'll look something like this when you first install it. It'll be reach.twingate.com. I'll join that network right now. It's going to take me to my second screen over here. I'll get logged in. Notice, lots of logging in, lots of authentication. It's very, very secure whenever you do something serious, like accessing stuff.
Creating stuff. So now I'm authenticated. So I'm actually connected. Let me just right click my menu here. I'm connected, but it says zero resources. I have not given myself access to the church. Let's do that right now. So looking at our resources, we have these two private IP addresses. Again,
I'm not sure why it created two. Maybe just found two. Oh no, you know what? I bet it is. I bet it connected to wifi and the ethernet. So that's why there's two. I'm going to click on one and then I can click on add access.
I'll put it in the everyone group. Now notice by default it was like, okay, you created the resource. No one's getting access. That's the idea of least privilege, meaning we only give access to people who actually need it.
And the default policy is no one needs it unless you explicitly say so. So I'm going to grant access to everyone and my user account should be part of the everyone group. If I look at my Twingate client now, oh, there's the one resource. There it is. I'm just going to copy the address. I know I'm going to access it via SSH. Let's try it out. SSH, networkchuck. I'm going to log into the Raspberry Pi now. It just worked and I'm inside the Raspberry Pi.
How insane is that? It just dropped me into the network. Now I can do things like install Nmap, the network mapper. And while it's installing that, I want to show you something. This resource, we can actually make it very tight. So for example, maybe I only want users to access this resource on port 22, the SSH port. I could click on edit and I can add port restrictions here.
So let's say only port 22 and that's it. I can also add an alias. Call it connector reach rockwall local. What did I just do? I created a DNS, a DNS entry that I can use right now. Let's try it out. So I'm going to exit, get out of this connection.
Port 22 should be open for me and I'm going to SSH to connector reach rockwall local. Did you just see that DNS entry created out of thin air? And the way Twingate treats DNS is so interesting. I have a full video on it here.
Let's do an Nmap scan. What's my IP address again? So the network is slash 24. This is the network right here. Let's scan. Now while that's scanning, can we talk a little bit about this? Look at this. If I refresh the screen, I've got activity logs of who's been trying to access this. I can generate a report of who's been accessing this stuff over here on the access I granted to people. I can say, you know what, let's set a policy.
What does that mean? Well, if we go to policies, I can say any device can access. I can do only trusted devices based on trusted profiles. I can do custom and say, you know what? Only Mac users can access this resource. Is that not crazy? You can have minimum OS requirements saying they have to have hard drive encryption, firewalls enabled. You can really put in some security here and this is all free for you right now.
You can restrict it based on the serial number of the device. This is so neat. Getting back to the network and looking at my resource. I can also restrict it and set expiration. Like, okay, you can access this for two hours. That's all you get, buddy.
Then you don't have any access anymore. I can auto lock after 30 days. Remove access, of course, so much you can do. And on my team over here, I can simply just add a user invite email to anyone. I can add them to groups, restrict their access based on so many different things. It's powerful. Now lemme see if my Nmap scan worked. Oh sure did. Look at all this. I think I found a Windows computer. Oh, found the iMac. Oh that was a printer.
iMac, found the router. And for anything I find, all I have to do is just add this as a resource. So for example, the printer here, what ports are open? HTTP. So let's grab this IP address. We'll get into our network, we'll create a resource, call it reach printer.
Add the IP address, we'll add an alias, make it really easy. Printer dot reach rockwall local and we'll restrict it to only port 80 and nothing else. And we'll give access to the everyone group. Cool. So now in theory, I should be able to go out to printer reach rockwall local. That's refusing connection. Maybe it just doesn't work. Lemme try the IP address instead. Port 80 was open. Maybe it was lying to me. What other ports were open? Oh, HTTPS was open too.
Let's add that port. We'll update that resource and try that. Oh, there we go. And look at that. Access to the printer. Do you see how crazy powerful this is? So now think about this for your family, just get a bunch of little devices, Raspberry Pis, any kind of Linux device, whatever, and just drop them off at their houses. Remote support. You got 'em. You can log into the connector, the Raspberry Pi. Be like, you know what?
The network is up. Be quiet, Nana, you put your phone in airplane mode again. That's all that happened. And if you want to get really crazy, Twingate has a way. If I go to team here, notice I have three options. We haven't talked about one. So we have users, groups,
and then we have services. What is that? Services gives us a way. We add one real quick. The service account to monitor. It gives us a way to give an application, just one server, like a headless client. It gives it the ability to log into the network and access the resources we give it access to. So I might generate a key, only make it last for a year. I would copy that, give it access to one resource, the printer, make sure it stays up. And then I could install this on Uptime Kuma. Uptime Kuma could be running inside my network, could be running inside a cloud instance and it could access this network without opening up any firewall rules or anything.
And make sure the printer's up, man, how cool is that? Lemme know if you're going to do this in the comments. I would love to know. That's Twingate. That's the video. I'll catch you guys next time.
2024-12-22
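
Added example, not the script from the video (the transcript never shows it): an offline Python sketch of the step the speaker describes, where the connectors of one remote network are listed and a resource is planned for each private address a connector reports. The GraphQL field names, the `X-API-KEY` header, the endpoint URL and all sample values are assumptions or constructed data; two usable private addresses on one connector yield two planned resources, which matches the speaker's wifi-plus-ethernet guess.

```python
import ipaddress
import json
import urllib.request

# Field and argument names are assumptions about Twingate's GraphQL schema;
# check them against the Admin API documentation before using them.
CONNECTORS_QUERY = """
query {
  connectors(first: 50) {
    edges { node { id name publicIP privateIPs remoteNetwork { id name } } }
  }
}"""

RESOURCE_CREATE = """
mutation($name: String!, $address: String!, $remoteNetworkId: ID!) {
  resourceCreate(name: $name, address: $address, remoteNetworkId: $remoteNetworkId) {
    ok error entity { id name }
  }
}"""

# Constructed sample response: one connector attached by ethernet and wifi,
# plus a connector in a different remote network that must be ignored.
SAMPLE_RESPONSE = {"data": {"connectors": {"edges": [
    {"node": {"id": "conn-1", "name": "beige-nuthatch",
              "publicIP": "203.0.113.10",
              "privateIPs": ["192.168.1.23", "192.168.1.57", "127.0.0.1",
                             "fe80::1", "192.168.1.23"],
              "remoteNetwork": {"id": "net-1", "name": "the church"}}},
    {"node": {"id": "conn-2", "name": "other-connector",
              "publicIP": "198.51.100.7", "privateIPs": ["10.0.0.5"],
              "remoteNetwork": {"id": "net-2", "name": "home lab"}}},
]}}}


def build_request(api_url, api_key, query, variables=None):
    """Prepare (but do not send) an authenticated GraphQL POST."""
    body = json.dumps({"query": query, "variables": variables or {}}).encode()
    return urllib.request.Request(
        api_url, data=body, method="POST",
        headers={"Content-Type": "application/json", "X-API-KEY": api_key})


def usable_private_ips(raw_ips):
    """Keep unique RFC 1918 IPv4 addresses; drop loopback, link-local, junk."""
    kept = []
    for raw in raw_ips or []:
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            continue  # not an IP address at all
        if ip.version != 4 or ip.is_loopback or ip.is_link_local:
            continue
        if ip.is_private and ip not in kept:
            kept.append(ip)
    return kept


def plan_resources(response, target_network):
    """Return one resourceCreate plan per private IP in the target network."""
    plans = []
    for edge in response["data"]["connectors"]["edges"]:
        node = edge["node"]
        net = node.get("remoteNetwork") or {}
        if net.get("name") != target_network:
            continue
        for ip in usable_private_ips(node.get("privateIPs")):
            # The /24 is a guess (as scanned in the video), not an API value.
            hint = ipaddress.ip_network(f"{ip}/24", strict=False)
            plans.append({
                "variables": {"name": f"{node['name']} {ip}",
                              "address": str(ip),
                              "remoteNetworkId": net["id"]},
                "scan_hint": str(hint)})
    return plans


if __name__ == "__main__":
    for plan in plan_resources(SAMPLE_RESPONSE, "the church"):
        print(plan)
```

Each plan's `variables` can be passed to `build_request` together with `RESOURCE_CREATE`; a new resource still has no access granted until a group is added to it, as shown in the video.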