{"id":2200,"date":"2021-04-03T10:13:23","date_gmt":"2021-04-03T15:13:23","guid":{"rendered":"http:\/\/www.wildow.com\/blog\/?p=2200"},"modified":"2021-04-15T13:30:11","modified_gmt":"2021-04-15T18:30:11","slug":"reverse-vpn-turn-any-private-device-into-public-cloud-server-2","status":"publish","type":"post","link":"http:\/\/www.wildow.com\/blog\/?p=2200","title":{"rendered":"Reverse VPN: turn any private device into public cloud server"},"content":{"rendered":"
\n

Reverse VPN: turn any private device into public cloud server<\/a><\/h1>\n

Published<\/strong>\u00a02015-6-4<\/span>\u00a0Updated<\/strong>\u00a001:44pm 2015-6-15<\/span><\/p>\n<\/div>\n

\n
\n

NOTICE<\/strong>\u00a0there might still be some bugs and sparsely commented snippets in this document, but if you follow it, it\u00a0should<\/em>\u00a0work.<\/p>\n

Video Demo\u00a0https:\/\/youtu.be\/O7D7UkA3IKQ<\/a>\u00a0by ravallblog<\/p>\n

Typically when you think of a VPN, you think of a private office network behind a firewall that you want to securely access from home or another office.<\/p>\n

But what about when your home server hosting your blog and your business site is stuck behind an apartment firewall?<\/p>\n

Or what if you want to be able to take a device with you, attach it to any network, and begin using it’s web services immediately?<\/p>\n

Effectively, we’re turning the VPN inside out. A reverse VPN, if you will.<\/p>\n

Use a public VPS as the VPN server<\/h2>\n

Digital Ocean, ChunkHost, AWS, or a server (or Raspberry Pi) in your office, home, or a friend’s home – anything that you can get root access to and give a public network access (even if it’s with a dynamic dns service).<\/p>\n

Install some tools<\/strong><\/p>\n

NOTE<\/em>: You\u00a0must<\/em>\u00a0be using bash (the default shell \/ terminal) — not zsh or fish or anything fancy — legit\u00a0bash<\/em>.<\/p>\n

Log into your VPS (ssh user@example.com<\/code>) and then continue:<\/p>\n

Install the Tools<\/h3>\n
bash\r\nsudo apt-get install --yes openvpn\r\n<\/code><\/pre>\n
Switch to the root user<\/h3>\n
Be the root you know in your heart<\/strong>. You’re going to have to do pretty much everything as root from this point on, so it makes sense just to switch (if you aren’t root already).<\/p>\n
sudo su -\r\n<\/code><\/pre>\n
Get the easy-rsa 2.x tools from github<\/h3>\n
The new line of tools is 3.x, but I’m not familiar with those yet and these work, so these are what we will use. \ud83d\ude00<\/p>\n
# Install git<\/span>\r\nsudo apt-get install --yes git\r\n<\/code><\/pre>\n
# Copy all the files from the internet to your computer<\/span>\r\ngit clone<\/span> https:\/\/github.com\/OpenVPN\/easy-rsa.git ~\/easy-rsa\r\npushd<\/span> ~\/easy-rsa\/\r\ngit checkout 'release\/2.x'<\/span>\r\npopd<\/span>\r\n\r\n# Copy all the files into the right place<\/span>\r\nrsync -av ~\/easy-rsa\/easy-rsa\/2.0\/ \/etc\/openvpn\/easy-rsa\/\r\n<\/code><\/pre>\n
Next we update the config<\/h3>\n
# Push into the easy-rsa directory<\/span>\r\npushd<\/span> \/etc\/openvpn\/easy-rsa\/\r\n<\/code><\/pre>\n
# Then open the .\/vars file, which is a config file<\/span>\r\n# You'll need to take a look around and season to taste<\/span>\r\n# It's nothing fancy, just names and preferences<\/span>\r\nvim .\/vars\r\n<\/code><\/pre>\n
Note a few things that you probably should change:<\/p>\n
\/etc\/openvpn\/easy-rsa\/vars<\/code>:<\/p>\n
# change all of the things down at the bottom that look like these<\/span>\r\n# (these are given as an example for me, yours should be different)<\/span>\r\nexport<\/span> KEY_COUNTRY=\"US\"<\/span>\r\nexport<\/span> KEY_PROVINCE=\"Utah\"<\/span>\r\nexport<\/span> KEY_CITY=\"Provo\"<\/span>\r\nexport<\/span> KEY_ORG=\"AJ ONeal Tech LLC\"<\/span>\r\nexport<\/span> KEY_EMAIL=\"awesome@coolaj86.com\"<\/span>\r\nexport<\/span> KEY_CN=\"*.coolaj86.com\"<\/span>\r\nexport<\/span> KEY_NAME=\"AJ ONeal\"<\/span>\r\nexport<\/span> KEY_OU=\"Department of Docs & Blogging\"<\/span>\r\n<\/code><\/pre>\n
Now we’ll get to work<\/h3>\n
Then load all of the vars into your environment<\/p>\n
# load the variables<\/span>\r\nsource<\/span> .\/vars\r\n\r\n# delete any and all previous keys.<\/span>\r\n.\/clean-all\r\n\r\nmkdir -p .\/keys\r\nls -lah .\/keys\r\n\r\n# TODO (note to self) show the plain openssl commands (it's not that hard, y'know?)<\/span>\r\n\r\n# Build a certificate authority for your organization<\/span>\r\n.\/build-ca\r\n# NOTE:<\/span> answer the questions<\/span>\r\n\r\nsudo apt-get install --yes tree\r\ntree .\/keys\/\r\n# The out put will look like this:<\/span>\r\n# .\/keys\/<\/span>\r\n# \u251c\u2500\u2500 ca.crt<\/span>\r\n# \u251c\u2500\u2500 ca.key<\/span>\r\n# \u251c\u2500\u2500 index.txt<\/span>\r\n# \u2514\u2500\u2500 serial<\/span>\r\n\r\n# Inpsect the keys, just for fun<\/span>\r\nopenssl x509 -text -noout -in<\/span> .\/keys\/ca.crt\r\nopenssl x509 -text -noout -in<\/span> .\/keys\/ca.key\r\n\r\n# When prompted, enter the same CN as above - coolaj86.com in my case<\/span>\r\n# No Password<\/span>\r\n.\/build-key-server rvpn.coolaj86.com\r\n\r\ntree .\/keys\/\r\n# .\/keys\/<\/span>\r\n# \u251c\u2500\u2500 01.pem<\/span>\r\n# \u251c\u2500\u2500 ca.crt<\/span>\r\n# \u251c\u2500\u2500 ca.key<\/span>\r\n# \u251c\u2500\u2500 index.txt<\/span>\r\n# \u251c\u2500\u2500 index.txt.attr<\/span>\r\n# \u251c\u2500\u2500 index.txt.old<\/span>\r\n# \u251c\u2500\u2500 rvpn.coolaj86.com.crt<\/span>\r\n# \u251c\u2500\u2500 rvpn.coolaj86.com.csr<\/span>\r\n# \u251c\u2500\u2500 rvpn.coolaj86.com.key<\/span>\r\n# \u251c\u2500\u2500 serial<\/span>\r\n# \u2514\u2500\u2500 serial.old<\/span>\r\n<\/code><\/pre>\n
# The less you're doing with your computer, the longer this will take.<\/span>\r\n# If you're downloading a big file or something or https, it should only take a minute.<\/span>\r\n# Otherwise it could take several minutes<\/span>\r\n.\/build-dh\r\n<\/code><\/pre>\n
ProTipTM:<\/p>\n
If you use https, you can download a file over and over again (such as a large image) with curl and you’ll get a different set of bits each time because the random seed for the https connetion will be different. This will give you tons of entropy if you run it while generating keys.<\/p>\n
while<\/span> true<\/span>; do<\/span> sleep 1; curl 'https:\/\/pbs.twimg.com\/media\/A7hdDEnCYAA8oky.jpg:large'<\/span> > \/dev\/null; done<\/span>\r\n<\/code><\/pre>\n
openvpn --genkey --secret keys\/ta.key\r\n<\/code><\/pre>\n
curl -fssL https:\/\/gist.githubusercontent.com\/coolaj86\/18b92ee350b38f18fca6\/raw\/server.conf \\\r\n  -o \/etc\/openvpn\/server.conf\r\nvim \/etc\/openvpn\/server.conf \r\n<\/code><\/pre>\n
Configure the Server’s Network and Firewall settings<\/h3>\n
vim \/etc\/sysctl.conf\r\n<\/code><\/pre>\n
\/etc\/sysctl.conf<\/code>:<\/p>\n
# uncomment the following<\/span>\r\nnet.ipv4.ip_forward=1\r\nnet.ipv6.conf.all.forwarding=1\r\n<\/code><\/pre>\n
TODO: the router may need to be setup to forward 1194 to the pi<\/p>\n
sysctl -p\r\n\r\nufw status\r\nufw allow 1194\/udp\r\n\r\n# IMPORTANT change the 192.168.1.4 to your server's IP<\/span>\r\niptables -t nat -A POSTROUTING -s 10.8.0.0\/24 -o eth0 -j SNAT --to-source 192.168.1.4\r\n\r\ntouch \/etc\/firewall-openvpn-rules.sh\r\nchmod 700 \/etc\/firewall-openvpn-rules.sh\r\n\r\n# this will be open, you'll add the stuff below<\/span>\r\nvim \/etc\/firewall-openvpn-rules.sh\r\n<\/code><\/pre>\n
\/etc\/firewall-openvpn-rules.sh<\/code>:<\/p>\n
#!\/bin\/bash<\/span>\r\n# IMPORTANT change the 192.168.1.4 to your server's IP<\/span>\r\niptables -t nat -A POSTROUTING -s 10.8.0.0\/24 -o eth0 -j SNAT --to-source 192.168.1.4\r\n<\/code><\/pre>\n
Now we’ll make sure that this firewall rule is added on each boot<\/p>\n
vim \/etc\/network\/interfaces\r\n\r\n# You'll see a line that looks like this<\/span>\r\niface eth0 inet dhcp\r\n\r\n# underneath it you'll need to add this line<\/span>\r\n# (it shouldn't matter whether you use a tab or spaces)<\/span>\r\n        pre-up \/etc\/firewall-openvpn-rules.sh\r\n<\/code><\/pre>\n
And finally we’re ready to restart the openvpn service<\/p>\n
\/etc\/init.d\/openvpn stop<\/span>\r\n\/etc\/init.d\/openvpn start<\/span>\r\n<\/code><\/pre>\n
Use a private device as a Web Server<\/h2>\n
I must note that this\u00a0should<\/em>\u00a0be the process:<\/p>\n
    \n
  • create your client key on the client,<\/li>\n
  • create a client.CSR.PEM (certificate signing request)<\/li>\n
  • send the client.CSR.PEM to the server<\/li>\n
  • the server creates a client.CRT.PEM from the client.CSR.PEM<\/li>\n<\/ul>\n
    However, if the server is compromised then the server private key and certificate are compromised which means that every certificate the server has signed are now invalid.<\/p>\n
    On the SERVER<\/h3>\n
    We’re going to create the client’s keys and OVPN file.<\/p>\n
    # For example<\/span>\r\n.\/build-key client-xyz.example.com\r\n<\/code><\/pre>\n
    Generating Client Keys<\/h4>\n
    Each device will need its own keys.<\/p>\n
    Use\u00a0.\/build-key<\/code>\u00a0if the device is meant to be always-on and not require user interaction, like a raspberry pi home server.<\/p>\n
    # Example<\/span>\r\n# this will NOT require a passphrase<\/span>\r\n.\/build-key<\/span> homeserver.coolaj86.com<\/span>\r\n\r\n# just showing the new files (omitting *.old backups)<\/span>\r\ntree<\/span> .\/keys\/<\/span>\r\n# .\/keys\/<\/span>\r\n# \u251c\u2500\u2500 02.pem<\/span>\r\n# \u251c\u2500\u2500 homeserver.coolaj86.com.crt<\/span>\r\n# \u251c\u2500\u2500 homeserver.coolaj86.com.csr<\/span>\r\n# \u2514\u2500\u2500 homeserver.coolaj86.com.key<\/span>\r\n<\/code><\/pre>\n
    Use\u00a0.\/build-key-pass<\/code>\u00a0if the device is something you log into, such as your laptop.<\/p>\n
    # Example<\/span>\r\n# this WILL require a passphrase<\/span>\r\n.\/build-key-pass<\/span> macbook.coolaj86.com<\/span>\r\n\r\n# just showing the new files (omitting *.old backups)<\/span>\r\ntree<\/span> .\/keys\/<\/span>\r\n# .\/keys\/<\/span>\r\n# \u251c\u2500\u2500 03.pem<\/span>\r\n# \u251c\u2500\u2500 macbook.coolaj86.com.crt<\/span>\r\n# \u251c\u2500\u2500 macbook.coolaj86.com.csr<\/span>\r\n# \u2514\u2500\u2500 macbook.coolaj86.com.key<\/span>\r\n<\/code><\/pre>\n
    Some devices (iOS, Android, Macbook(?)) need a des3 version of the key, might as well do that now:<\/p>\n
    # this will require your previous<\/span> passphrase, and<\/span> to<\/span> create a<\/span> passphrase (it can be<\/span> the same)\r\nopenssl rsa -in .\/keys<\/span>\/macbook.coolaj86.com<\/span>.key -des3 -out .\/keys<\/span>\/macbook.coolaj86.com<\/span>.3<\/span>des.key\r\n<\/code><\/pre>\n
    curl http:\/\/checkip.dyndns.org\r\ncurl https:\/\/coolaj86.com\/services\/whatsmyip\r\n\r\nvim \/etc\/openvpn\/easy-rsa\/keys\/Default.txt\r\n<\/code><\/pre>\n
    \/etc\/openvpn\/easy-rsa\/keys\/Default.txt<\/code>:<\/p>\n
    client<\/span> \r\ndev<\/span> tun <\/span>\r\nproto<\/span> udp <\/span>\r\nremote<\/span> coolaj86.com 1194 <\/span>\r\nresolv-retry<\/span> infinite <\/span>\r\nnobind<\/span> \r\npersist-key<\/span> \r\npersist-tun<\/span> \r\nmute-replay-warnings<\/span> \r\nns-cert-type<\/span> server <\/span>\r\nkey-direction<\/span> 1 <\/span>\r\ncipher<\/span> AES-128-CBC <\/span>\r\ncomp-lzo<\/span> \r\nverb<\/span> 1 <\/span>\r\nmute<\/span> 20 <\/span>\r\n<\/code><\/pre>\n
    MakeOVPN.sh:<\/code><\/p>\n
    #!\/bin\/bash \r\n <\/span>\r\n# Default Variable Declarations <\/span>\r\nDEFAULT=\"Default.txt\"<\/span> \r\nFILEEXT=\".ovpn\"<\/span> \r\nCRT=\".crt\"<\/span> \r\nKEY=\".3des.key\"<\/span> \r\nCA=\"ca.crt\"<\/span> \r\nTA=\"ta.key\"<\/span> \r\nNAME=\"${1}<\/span>\"<\/span>\r\n \r\nif<\/span> [ -z \"${NAME}<\/span>\"<\/span> ]; then<\/span>\r\n  #Ask for a Client name <\/span>\r\n  echo<\/span> \"Please enter an existing Client Name:\"<\/span>\r\n  read<\/span> NAME \r\nfi<\/span>\r\n \r\n \r\n#1st Verify that client\u2019s Public Key Exists <\/span>\r\nif<\/span> [ ! -f $NAME<\/span>$CRT<\/span> ]; then<\/span> \r\n echo<\/span> \"[ERROR]: Client Public Key Certificate not found: $NAME<\/span>$CRT<\/span>\"<\/span> \r\n exit<\/span> \r\nfi<\/span> \r\necho<\/span> \"Client\u2019s cert found: $NAME<\/span>$CR<\/span>\"<\/span> \r\n \r\n \r\n#Then, verify that there is a private key for that client <\/span>\r\nif<\/span> [ ! -f $NAME<\/span>$KEY<\/span> ]; then<\/span> \r\n echo<\/span> \"[ERROR]: Client 3des Private Key not found: $NAME<\/span>$KEY<\/span>\"<\/span> \r\n exit<\/span> \r\nfi<\/span> \r\necho<\/span> \"Client\u2019s Private Key found: $NAME<\/span>$KEY<\/span>\"<\/span>\r\n \r\n#Confirm the CA public key exists <\/span>\r\nif<\/span> [ ! -f $CA<\/span> ]; then<\/span> \r\n echo<\/span> \"[ERROR]: CA Public Key not found: $CA<\/span>\"<\/span> \r\n exit<\/span> \r\nfi<\/span> \r\necho<\/span> \"CA public Key found: $CA<\/span>\"<\/span> \r\n \r\n#Confirm the tls-auth ta key file exists <\/span>\r\nif<\/span> [ ! -f $TA<\/span> ]; then<\/span> \r\n echo<\/span> \"[ERROR]: tls-auth Key not found: $TA<\/span>\"<\/span> \r\n exit<\/span> \r\nfi<\/span> \r\necho<\/span> \"tls-auth Private Key found: $TA<\/span>\"<\/span> \r\n \r\n#Ready to make a new .opvn file - Start by populating with the default file <\/span>\r\ncat $DEFAULT<\/span> > $NAME<\/span>$FILEEXT<\/span> \r\n \r\n#Now, append the CA Public Cert <\/span>\r\necho<\/span> \"<ca>\"<\/span> >> $NAME<\/span>$FILEEXT<\/span> \r\ncat $CA<\/span> >> $NAME<\/span>$FILEEXT<\/span> \r\necho<\/span> \"<\/ca>\"<\/span> >> $NAME<\/span>$FILEEXT<\/span>\r\n \r\n#Next append the client Public Cert <\/span>\r\necho<\/span> \"<cert>\"<\/span> >> $NAME<\/span>$FILEEXT<\/span> \r\ncat $NAME<\/span>$CRT<\/span> | sed -ne '\/-BEGIN CERTIFICATE-\/,\/-END CERTIFICATE-\/p'<\/span> >> $NAME<\/span>$FILEEXT<\/span> \r\necho<\/span> \"<\/cert>\"<\/span> >> $NAME<\/span>$FILEEXT<\/span> \r\n \r\n#Then, append the client Private Key <\/span>\r\necho<\/span> \"<key>\"<\/span> >> $NAME<\/span>$FILEEXT<\/span> \r\ncat $NAME<\/span>$KEY<\/span> >> $NAME<\/span>$FILEEXT<\/span> \r\necho<\/span> \"<\/key>\"<\/span> >> $NAME<\/span>$FILEEXT<\/span> \r\n \r\n#Finally, append the TA Private Key <\/span>\r\necho<\/span> \"<tls-auth>\"<\/span> >> $NAME<\/span>$FILEEXT<\/span> \r\ncat $TA<\/span> >> $NAME<\/span>$FILEEXT<\/span> \r\necho<\/span> \"<\/tls-auth>\"<\/span> >> $NAME<\/span>$FILEEXT<\/span> \r\n \r\necho<\/span> \"Done! $NAME<\/span>$FILEEXT<\/span> Successfully Created.\"<\/span>\r\n \r\n#Script written by Eric Jodoin<\/span>\r\n<\/code><\/pre>\n
    pushd<\/span> \/etc\/openvpn\/easy-rsa\/keys\r\n.\/MakeOVPN.sh client-xyz.example.com\r\n\r\n\r\n# copy this and paste it on the client<\/span>\r\ncat client-xyz.example.com.ovpn\r\n<\/code><\/pre>\n
    On the Client<\/h3>\n
    You’ve just got to paste that config onto the client and start the connection.<\/p>\n
    sudo apt-get install --yes openvpn\r\n# note it's important to use '&' rather than ';' or '&&', even though it's a daemon<\/span>\r\nOVPN_CLIENT=\"client-xyz\"<\/span>\r\nsudo kill --signal TERM $(cat \/var\/run<\/span>\/ovpn.\"${OVPN_CLIENT}<\/span>\"<\/span>.pid)<\/span>\r\nsleep 0.5<\/span>\r\nsudo kill --signal KILL $(cat \/var\/run<\/span>\/ovpn.\"${OVPN_CLIENT}<\/span>\"<\/span>.pid)<\/span>\r\nsudo openvpn --config \"${OVPN_CLIENT}\"<\/span>.ovpn --daemon --writepid \/var\/run<\/span>\/ovpn.\"${OVPN_CLIENT}<\/span>\"<\/span>.pid<\/span>\r\n# you can later kill the process with<\/span>\r\n# sudo bash -c 'kill $(cat \/var\/run\/client-xyz.pid)'<\/span>\r\n<\/code><\/pre>\n
    Check if you were successful.<\/p>\n
    ifconfig<\/span>\r\nping<\/span> -c<\/span> 1 10.8<\/span>.0<\/span>.1<\/span>\r\n<\/code><\/pre>\n
    If you were successful you’ll see a\u00a0tun0<\/code>\u00a0device with an IP address and you should be able to ping the VPN server.<\/p>\n
    Connect on Startup<\/h4>\n
    If you’re lucky the openvpn service was already configured to start on boot and all you have to do is move your config file to the correct directory and change the config file to say that it will be loaded<\/p>\n
    sudo<\/span> mv client-xyz.example.com.ovpn \/etc\/openvpn\/client-xyz.conf<\/span>\r\nsudo<\/span> vim \/etc\/default\/openvpn<\/span>\r\n# uncomment the following<\/span>\r\n# AUTOSTART=\"client-xyz\"<\/span>\r\n<\/code><\/pre>\n
    upstart<\/strong><\/p>\n
    vim<\/span> \/etc\/init\/myopenvpn<\/span>\r\n<\/code><\/pre>\n
    # OpenVPN autostart on<\/span> boot upstart job\r\n\r\nstart on<\/span> runlevel [2345<\/span>]\r\nstop<\/span> on<\/span> runlevel [!2345<\/span>]\r\n\r\nrespawn\r\n\r\nexec \/usr\/sbin\/openvpn --status \/var\/run\/openvpn.client.status 10<\/span> --cd<\/span> \/etc\/openvpn --config \/etc\/openvpn\/client.conf<\/span> --syslog openvpn\r\n<\/code><\/pre>\n
    By AJ ONeal<\/p>\n
    \n
    If you loved this and want more like it, sign up!<\/p>\n<\/form>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"
    Reverse VPN: turn any private device into public cloud server Published\u00a02015-6-4\u00a0Updated\u00a001:44pm 2015-6-15 NOTICE\u00a0there might still be some bugs and sparsely commented snippets in this document, but if you follow it, it\u00a0should\u00a0work. Video Demo\u00a0https:\/\/youtu.be\/O7D7UkA3IKQ\u00a0by ravallblog Typically when you think of a … Read More »<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[60],"tags":[],"class_list":["post-2200","post","type-post","status-publish","format-standard","hentry","category-vpn"],"_links":{"self":[{"href":"http:\/\/www.wildow.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/2200","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.wildow.com\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.wildow.com\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.wildow.com\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.wildow.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2200"}],"version-history":[{"count":2,"href":"http:\/\/www.wildow.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/2200\/revisions"}],"predecessor-version":[{"id":2202,"href":"http:\/\/www.wildow.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/2200\/revisions\/2202"}],"wp:attachment":[{"href":"http:\/\/www.wildow.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2200"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.wildow.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2200"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.wildow.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2200"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}