# APU as a router
## Installation
Notes:
- Make sure you always restart/reload a service after you have changed its
config files. Alternatively, follow this howto and do a clean boot at the very
end.
- All commands in this howto need to be executed by root (or via sudo).
### System
Install a regular Debian amd64.
### Boot Loader
The APU doesn't come with a VGA or HDMI output, so for emergency debugging we
want to enable the serial console.
Edit `/etc/default/grub` and add/change the following values:
```
GRUB_CMDLINE_LINUX_DEFAULT="verbose console=ttyS0,115200n8 reboot=bios"
GRUB_SERIAL_COMMAND="serial --unit=0 --speed=115200"
GRUB_TERMINAL=serial
```
Now regenerate the grub configuration so the new settings are picked up:
```
update-grub
```
We'll also add a system service that provides a tty over the serial port.
Create `/etc/init/ttyS0.conf` and write the following to it:
```
# ttyS0 - getty
start on stopped rc RUNLEVEL=[2345]
stop on runlevel [!2345]
respawn
exec /sbin/getty -8 115200 -L ttyS0
```
Once you reboot, you should be able to watch the system boot via the serial
console and log in once it is done. (The file above is an upstart job; on a
systemd-based Debian the same getty is provided by `serial-getty@ttyS0.service`,
which systemd starts automatically when `console=ttyS0` is on the kernel command
line, or explicitly via `systemctl enable serial-getty@ttyS0.service`.)
### Basic packages
Let's install a bunch of common and useful packages:
```
apt install apt-transport-https build-essential curl git htop net-tools nmap tmux unzip
```
## Configuration
### /etc/fstab
Edit `/etc/fstab` and add `noatime` to the root filesystem's options. This prevents
unnecessary disk writes.
### Unattended Upgrades
We want to enable unattended-upgrades (at least) for security updates:
```
apt install unattended-upgrades apt-listchanges
```
Edit `/etc/apt/apt.conf.d/50unattended-upgrades` and set an email address to be
notified with `Unattended-Upgrade::Mail`.
Also check `/etc/apt/apt.conf.d/20auto-upgrades` to make sure unattended upgrades
are really enabled. More information is in the [Debian Wiki](https://wiki.debian.org/UnattendedUpgrades).
### sudo
Add the user `openlab` to the `sudo` group. Edit `/etc/sudoers` (use `visudo`,
which checks the syntax before saving) and let users in this group run sudo
without password verification:
```
%sudo ALL=(ALL:ALL) NOPASSWD: ALL
```
Everyone with access to this system will have to add their public key to `/home/openlab/.ssh/authorized_keys`.
Since the `NOPASSWD` rule above removes the password prompt, every key in that file is effectively a root credential.
### Network
The APU has three ethernet interfaces (from left to right: `enp1s0`, `enp2s0` and `enp3s0`).
- `enp1s0` is physically connected to the LAN
- `enp2s0` is physically connected to the Ubiquiti radio-link to [gamambel](Mensch_mo)
- `enp3s0` is currently unused
Edit `/etc/network/interfaces` and add these interfaces:
```
# Local lab network
auto enp1s0
iface enp1s0 inet static
    address 172.16.0.1
    netmask 255.255.0.0

# Link to gamambel
auto enp2s0
iface enp2s0 inet static
    address 192.168.0.251
    netmask 255.255.0.0
    # static route to the VPN server (replace 1.2.3.4 with its real address)
    up route add -host 1.2.3.4 gw 192.168.0.1
```
The static host route is the only route available on startup. It allows us to
connect to a VPN server with openvpn, which in turn sets up our default route
to the Internet. Make sure the IP matches the VPN server's address. See the
next section for more information.
### VPN connection
We don't want to connect to the Internet via our ISP directly, so we will set up
a VPN connection through which all traffic will be routed.
Install `openvpn`:
```
apt install openvpn ca-certificates
```
Copy the VPN configuration to `/etc/openvpn/labvpn.conf`. Now edit `/etc/default/openvpn`:
```
AUTOSTART="labvpn"
```
### VPN connection via frivpn (alternative multi-threaded VPN client)
Install `frivpn`:
```
apt install cmake lua5.2 lua5.2-dev lua-posix lua-luaossl lua-cqueues libssl-dev liblzo2-dev
mkdir -p "$HOME/src" && cd "$HOME/src"
git clone https://github.com/znuh/frivpn.git
mkdir -p frivpn/build && cd frivpn/build
cmake ..
make
```
Now you can start frivpn like this:
```
./frivpn_client.lua config/ipredator
```
### Firewall
We want to forward packets between ethernet interfaces, but only allow incoming
connections on specific ports. All outgoing traffic is allowed to pass through.
Install `ufw` and set the policies (`ssh` is allowed before the firewall is
enabled so the SSH session used for this setup is not cut off; the ufw keyword
for forwarded traffic is `routed`):
```
apt install ufw
ufw default deny incoming
ufw default allow outgoing
ufw default allow routed
ufw allow ssh
ufw enable
```
Add NAT/masquerading to the top of `/etc/ufw/before.rules`:
```
# NAT over tun0
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 172.16.0.0/16 -o tun0 -j MASQUERADE
COMMIT
```
Enable IPv4 forwarding by editing `/etc/ufw/sysctl.conf`:
```
net/ipv4/ip_forward=1
```
### DHCP server
LAN-guests will receive a dynamically allocated IP address, within the range of
172.16.0.100 through 172.16.0.249, via DHCP.
Install `isc-dhcp-server` and tools:
```
apt install isc-dhcp-server dhcpd-pools
systemctl enable isc-dhcp-server
```
Edit `/etc/default/isc-dhcp-server` and configure the interfaces:
```
INTERFACESv4="enp1s0"
```
Edit `/etc/dhcp/dhcpd.conf` for all other settings:
```
#option domain-name;
#option domain-name-servers;
default-lease-time 3600;
max-lease-time 14400;
authoritative;

# clients whose MAC address starts with the OUI 00:01:02 are treated as guests
class "guests" {
  match if substring (hardware, 1, 3) = 00:01:02;
}

subnet 172.16.0.0 netmask 255.255.0.0 {
  # regular lab users
  pool {
    deny members of "guests";
    range 172.16.0.100 172.16.0.249;
  }
  # guests get addresses in 172.16.1.0/24, which the traffic shaper de-prioritizes
  pool {
    allow members of "guests";
    range 172.16.1.200 172.16.1.249;
  }
  option routers 172.16.0.1;
  option domain-name "lab";
  option domain-name-servers 172.16.0.1, 8.8.8.8, 8.8.4.4;
}
```
Download `http://standards.ieee.org/regauth/oui/oui.txt` to
`/usr/local/etc/oui.txt` to enable MAC-to-manufacturer resolution.
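As an added example (not part of the original page), here is a small shell helper that uses the downloaded `oui.txt` to resolve the MAC addresses seen in `dhcpd.leases` to manufacturers; the `write_sample_oui`, `mac_to_oui`, `oui_vendor` and `lease_vendors` functions, the sample vendor names and the lease entries are all constructed for illustration. The same first-three-byte prefix is what the `guests` class above matches on.

```sh
#!/bin/sh
# Added example (not from the page): resolve DHCP clients' MACs to manufacturers
# with an oui.txt in the IEEE format the page has you download. Relevant lines
# look like "00-01-02   (hex)   VENDOR"; "(base 16)" and address lines are skipped.
# The sample vendor names and lease entries used with this are constructed.

# Write a small constructed sample in oui.txt format to the given path.
write_sample_oui() {
  cat > "$1" <<'EOF'
00-01-02   (hex)        EXAMPLE VENDOR A
000102     (base 16)    EXAMPLE VENDOR A
                        1 Example Street
00-50-56   (hex)        EXAMPLE VENDOR B
005056     (base 16)    EXAMPLE VENDOR B
EOF
}

# mac_to_oui MAC: turn "aa:bb:cc:dd:ee:ff", "AA-BB-CC-DD-EE-FF" or
# "aabb.ccdd.eeff" into the "AA-BB-CC" prefix form used by oui.txt.
mac_to_oui() {
  printf '%s\n' "$1" | tr -d ':.-' | tr 'a-f' 'A-F' | cut -c1-6 \
    | sed 's/^\(..\)\(..\)\(..\)$/\1-\2-\3/'
}

# oui_vendor MAC [OUI_FILE]: print the registered vendor or "unknown".
# Returns 1 for a malformed MAC or an unreadable file.
oui_vendor() {
  file="${2:-/usr/local/etc/oui.txt}"
  oui=$(mac_to_oui "$1")
  case "$oui" in
    [0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]) ;;
    *) echo "invalid MAC: $1" >&2; return 1 ;;
  esac
  [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
  awk -v oui="$oui" '
    $1 == oui && $2 == "(hex)" {           # registration line for this prefix
      sub(/^.*\(hex\)[ \t]*/, ""); print; found = 1; exit
    }
    END { if (!found) print "unknown" }' "$file"
}

# lease_vendors LEASES OUI_FILE: one "MAC VENDOR" line per distinct client
# with a "hardware ethernet" entry in an ISC dhcpd.leases file.
lease_vendors() {
  grep -o 'hardware ethernet [0-9a-fA-F:]*' "$1" | awk '{ print $3 }' | sort -u \
    | while read -r mac; do
        printf '%s %s\n' "$mac" "$(oui_vendor "$mac" "$2")"
      done
}
```

On the router itself, `lease_vendors /var/lib/dhcp/dhcpd.leases /usr/local/etc/oui.txt` lists the vendor of every client that has held a lease.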
### DNS server
We run a DNS server so local OpenLab services can be resolved by name.
Install `dnsmasq`:
```
apt install dnsmasq
ufw allow dns
```
Edit `/etc/dnsmasq.conf` and change the following values (`interface=enp1s0`
restricts dnsmasq to answering on the lab network, so it is not exposed on the
radio link even though the firewall rule above opens port 53 on all interfaces):
```
domain-needed
bogus-priv
interface=enp1s0
```
Add all machines with a static IP to `/etc/hosts`, as `dnsmasq` will parse this
file for DNS requests.
### Prometheus
Install `prometheus`:
```
apt install prometheus prometheus-node-exporter
systemctl enable prometheus-node-exporter
systemctl enable prometheus
```
Edit `/etc/prometheus/prometheus.yml` and change the following values:
```
external_labels:
  monitor: 'lab'
...
- job_name: 'lab'
  scrape_interval: 10s
  scrape_timeout: 10s
  static_configs:
    - targets: ['localhost:9100']
```
Next we'll install `grafana` as a frontend for prometheus. Since it's not in the
official repos yet, we'll add a new APT source. Edit `/etc/apt/sources.list` and
add:
```
deb https://packagecloud.io/grafana/stable/debian/ stretch main
```
Now we can install the package (note that a key added with `apt-key` is trusted
for every APT source, not just this one):
```
curl https://packagecloud.io/gpg.key | sudo apt-key add -
apt update
apt install grafana
systemctl enable grafana-server
ufw allow 3000
```
#### Additional stats & scrapers
Install `https://github.com/atonkyra/dhcp-stats-prometheus` and its dependencies:
```
apt install dhcpd-pools python3-bottle
```
### Traffic shaping
Install `tc` (part of `iproute2`):
```
apt install iproute2
```
Create a new shell script called `/usr/local/bin/tcsetup.sh` with the following
content. Note that a root qdisc on `enp1s0` only shapes traffic the router sends
out of that interface, i.e. towards the LAN clients; their uploads towards the
VPN are not shaped by this script.
```
#!/bin/sh
# setup qdisc (the del fails harmlessly when no qdisc is attached yet)
tc qdisc del dev enp1s0 root handle 1: htb 2>/dev/null || true
tc qdisc add dev enp1s0 root handle 1: htb default 5
# define classes
# never use more than 50mbit/s total
tc class add dev enp1s0 parent 1: classid 1:1 htb rate 50mbit ceil 50mbit
# preferred class
tc class add dev enp1s0 parent 1:1 classid 1:4 htb rate 8mbit ceil 40mbit
# standard lab user (the default class, see "default 5" above)
tc class add dev enp1s0 parent 1:1 classid 1:5 htb rate 4mbit ceil 40mbit
# external guests
tc class add dev enp1s0 parent 1:1 classid 1:6 htb rate 512kbit ceil 4mbit
# prefer DNS, SSH
tc filter add dev enp1s0 protocol ip parent 1:0 prio 0 u32 match ip sport 53 0xffff flowid 1:4
tc filter add dev enp1s0 protocol ip parent 1:0 prio 0 u32 match ip dport 53 0xffff flowid 1:4
tc filter add dev enp1s0 protocol ip parent 1:0 prio 0 u32 match ip sport 22 0xffff flowid 1:4
tc filter add dev enp1s0 protocol ip parent 1:0 prio 0 u32 match ip dport 22 0xffff flowid 1:4
# de-prioritize external guests (the DHCP guest pool lives in 172.16.1.0/24)
tc filter add dev enp1s0 protocol ip parent 1:0 prio 5 u32 match ip src 172.16.1.0/24 flowid 1:6
tc filter add dev enp1s0 protocol ip parent 1:0 prio 5 u32 match ip dst 172.16.1.0/24 flowid 1:6
```
Now make the script executable:
```
chmod +x /usr/local/bin/tcsetup.sh
```
Edit `/etc/network/interfaces` and amend the following section:
```
# Local lab network
auto enp1s0
iface enp1s0 inet static
    address 172.16.0.1
    netmask 255.255.0.0
    up /usr/local/bin/tcsetup.sh
```
### Beehive
We'll need to install Go in order to compile `beehive`:
```
apt install golang
```
### SNMP
To be done.
### Backup
To be done.
## HowTo
### Assign a static IP to a DHCP client
Edit `/etc/dhcp/dhcpd.conf` and add a new host. Restart `isc-dhcp-server`.
### Add a host to the DNS
Edit `/etc/hosts` and add the host. Restart `dnsmasq`.
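As an added example covering both HowTo items (not code from the original page), here is a shell helper that appends a `host` declaration to `dhcpd.conf` and a line to `/etc/hosts`, first checking that the address lies in 172.16.0.0/16 but outside the two dynamic pools configured above; the `octets`, `static_ip_ok` and `add_static_host` functions and the sample hosts are constructed, and the file paths default to the page's but can be overridden.

```sh
#!/bin/sh
# Added example (not from the page): register a lab machine with a fixed DHCP
# lease and a DNS name, with the checks a static assignment on this network
# needs. Pool boundaries are the page's dhcpd.conf values; hostnames, MACs
# and addresses passed in are constructed.

# octets A.B.C.D -> "A B C D"; prints nothing for a malformed address.
octets() {
  echo "$1" | awk -F. '/^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ &&
    $1 < 256 && $2 < 256 && $3 < 256 && $4 < 256 { print $1, $2, $3, $4 }'
}

# static_ip_ok IP: succeeds only if IP lies in 172.16.0.0/16, is not the
# network, broadcast or router address, and is outside both dynamic pools
# (172.16.0.100-249 for lab users, 172.16.1.200-249 for guests).
static_ip_ok() {
  set -- $(octets "$1"); [ $# -eq 4 ] || return 1
  [ "$1" -eq 172 ] && [ "$2" -eq 16 ] || return 1
  [ "$3" -ne 0 ] || [ "$4" -gt 1 ] || return 1
  [ "$3" -ne 255 ] || [ "$4" -ne 255 ] || return 1
  [ "$3" -ne 0 ] || [ "$4" -lt 100 ] || [ "$4" -gt 249 ] || return 1
  [ "$3" -ne 1 ] || [ "$4" -lt 200 ] || [ "$4" -gt 249 ] || return 1
}

# add_static_host NAME MAC IP [DHCPD_CONF] [HOSTS]: append a dhcpd "host"
# block and an /etc/hosts line; refuses bad input and anything already declared.
add_static_host() {
  name="$1"; mac=$(echo "$2" | tr 'A-F' 'a-f'); ip="$3"
  conf="${4:-/etc/dhcp/dhcpd.conf}"; hosts="${5:-/etc/hosts}"
  echo "$mac" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' \
    || { echo "bad MAC: $2" >&2; return 1; }
  static_ip_ok "$ip" || { echo "$ip is not usable as a static lab address" >&2; return 1; }
  ip_re=$(echo "$ip" | sed 's/\./\\./g')   # escape dots for the greps below
  if grep -Eq "hardware ethernet $mac;|fixed-address $ip_re;|^host $name " "$conf"; then
    echo "$name, $mac or $ip is already declared in $conf" >&2; return 1
  fi
  if grep -Eq "^$ip_re[[:space:]]|[[:space:]]$name([[:space:]]|$)" "$hosts"; then
    echo "$name or $ip is already in $hosts" >&2; return 1
  fi
  printf 'host %s {\n  hardware ethernet %s;\n  fixed-address %s;\n}\n' \
    "$name" "$mac" "$ip" >> "$conf"
  printf '%s\t%s\n' "$ip" "$name" >> "$hosts"
}
```

After a successful `add_static_host` run, restart `isc-dhcp-server` and `dnsmasq` as described above.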