==Step by Step Articles==

All the setup involved for bespin, a Ubuntu 18.04 desktop server.

* [[Ubuntu/Bespin/Initial Setup]] - initial setup of the Ubuntu machine
* [[Ubuntu/Bespin/Gnome Setup]] - setting up gnome on the Ubuntu machine
* [[Ubuntu/Bespin/Ansible]] - setting up and running an Ansible role for the machine
* [[Ubuntu/Bespin/PIA]] - set up a [[PIA]] VPN tunnel using [[OpenVPN]]
* [[Ubuntu/Bespin/DNS]] - removing the built-in DNS server on Ubuntu and replacing it with dnsmasq
* [[Ubuntu/Bespin/PiHole]] - run an instance of PiHole, the DNS sinkhole, in a Docker container; install it between dnsmasq and the VPN tunnel, so all DNS queries will pass through the PiHole
* [[Ubuntu/Bespin/Iptables]] - update the iptables rules to allow better protection of the server and be less permissive
* [[Ubuntu/Bespin/TIL]] - the summary of "today I learned" things that I learned while setting up Bespin

==Related Articles==

* [[Ubuntu/OpenVPN Server]] - set up an OpenVPN server on a Ubuntu machine (not running on bespin)

==Old Irrelevant Articles==

Articles that are no longer relevant to bespin but that may have useful information for some future project.

* <s>[[Ubuntu/Bespin/Second AP Tunnel]]</s> - this ended in failure, twice. Short version: you can't have multiple simultaneous PIA tunnels in OpenVPN without significant extra configuration, so no need to go this above and beyond.
* <s>[[Ubuntu/Bespin/Wifi Repeater]]</s> - using bespin to run hostapd and make a wifi repeater
* <s>[[Ubuntu/Bespin/Old/Wifi AP Setup]]</s> - set up a wireless AP to create/host a wifi hotspot on the machine
* <s>[[Ubuntu/Bespin/Old/AP PIA Tunnel]]</s> - route traffic from a wireless AP to a PIA VPN tunnel
* <s>[[Ubuntu/Bespin/Old/Iptables]]</s> - old iptables rules for things that aren't actually running on Bespin

=Initial Setup=

[[Ubuntu/Bespin/Initial Setup]]

=Gnome Setup=

[[Ubuntu/Bespin/Gnome Setup]]

=Ansible Setup=

Note that it is easiest and safest to perform these steps on a local network (e.g., a wifi router network) that has internet connectivity but that won't expose the Ubuntu server to the public internet.

Now use https://github.com/charlesreid1-com/charlesreid1-ansible to run the provision and base plays against the server. Note that this requires root access via ssh, so you have to edit your sshd config file to include this line:

<code>/etc/ssh/sshd_config</code>

<pre>
PermitRootLogin yes
</pre>

Now restart the ssh service:

<pre>
sudo service ssh restart
</pre>

and test that you can log in as root without a password:

<pre>
ssh root@<ip-for-bespin>
</pre>

ONLY ENABLE THIS WHILE YOU RUN ANSIBLE! DISABLE IT WHEN YOU ARE DONE!
Now run ansible from a different machine:

<pre>
# run this from a different machine!
git clone git@github.com:charlesreid1-com/charlesreid1-ansible.git ansible
cd ansible

# provision (python3 install)
ANSIBLE_CONFIG="local.cfg" ansible-playbook --extra-vars "machine_name=bespin" provision.yml

# set up with all the things
ANSIBLE_CONFIG="local.cfg" ansible-playbook --extra-vars "machine_name=bespin" --vault-password-file=.vault_secret base.yml
</pre>

Last, edit your ssh config to disable root login:

<code>/etc/ssh/sshd_config</code>

Remove this line!

<pre>
PermitRootLogin yes # REMOVE ME
</pre>

and replace with this one:

<pre>
PermitRootLogin no
</pre>

Now restart the ssh service:

<pre>
sudo service ssh restart
</pre>
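The enable / run / disable sequence above is easy to get wrong by hand: Ubuntu 18.04 ships the directive commented out as <code>#PermitRootLogin prohibit-password</code>, and a <code>yes</code> that is forgotten stays in force. The script below is an added example, not code from this page or from the charlesreid1-ansible repository. It rewrites the directive idempotently on any sshd config file, reads back the effective value, and wraps the Ansible window in a trap so the original file is restored and sshd restarted however the window ends. The function names and the <code>SSHD_CONFIG</code> variable are this example's own; it assumes the directive is global (not inside a <code>Match</code> block).

```shell
#!/bin/bash
# Added example (not from the wiki page or the ansible repo): manage the
# PermitRootLogin window for the Ansible run from a script instead of by hand.
# Function names and the SSHD_CONFIG variable are this example's own.
set -eu

# set_permit_root_login <sshd_config> <yes|no|prohibit-password>
# Rewrites the first PermitRootLogin line (active or commented out, which is
# how Ubuntu 18.04 ships the default) and drops any duplicates, so the file
# ends up with exactly one active directive.
set_permit_root_login() {
    local cfg="$1" value="$2" tmp
    case "$value" in
        yes|no|prohibit-password) ;;
        *) echo "set_permit_root_login: bad value '$value'" >&2; return 1 ;;
    esac
    tmp="$(mktemp)"
    awk -v v="$value" '
        /^[ \t]*#?[ \t]*PermitRootLogin[ \t]/ {
            if (!done) { print "PermitRootLogin " v; done = 1 }
            next
        }
        { print }
        END { if (!done) print "PermitRootLogin " v }
    ' "$cfg" > "$tmp"
    cat "$tmp" > "$cfg"        # write in place: keeps the file's owner and mode
    rm -f "$tmp"
}

# get_permit_root_login <sshd_config>
# Prints the value sshd will use: the first active directive, or the
# compiled-in default "prohibit-password" when none is set.
get_permit_root_login() {
    local v
    v="$(awk '/^[ \t]*PermitRootLogin[ \t]/ { print $2; exit }' "$1")"
    echo "${v:-prohibit-password}"
}

# root_login_window: run as root ON bespin. Enables root login, waits while
# the playbooks run from the other machine, and reverts on any exit
# (Ctrl-C included) by restoring the saved copy and restarting sshd.
root_login_window() {
    local cfg="${SSHD_CONFIG:-/etc/ssh/sshd_config}"
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    cp -p "$cfg" "$cfg.pre-ansible"
    trap "cp -p '$cfg.pre-ansible' '$cfg'; service ssh restart; echo 'root login disabled again'" EXIT
    set_permit_root_login "$cfg" yes
    sshd -t                     # refuse to restart sshd on a config error
    service ssh restart
    echo "PermitRootLogin is '$(get_permit_root_login "$cfg")'. Run the playbooks now, then press Enter."
    read -r _
}

case "${1:-}" in
    window) root_login_window ;;
esac
```

Usage on bespin is <code>sudo ./root_login_window.sh window</code> in one terminal, the two <code>ansible-playbook</code> runs from the other machine, then Enter; the trap is what guarantees the "DISABLE IT WHEN YOU ARE DONE" step.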
=Wifi Access Point Setup=

[[Ubuntu/Bespin/Old/Wifi AP Setup]]

=VPN Tunnel=

In this section we set up a VPN tunnel using OpenVPN and a pre-existing OpenVPN server. For this specific example we cover the use of Private Internet Access, a third-party VPN provider.

==Install software==

<pre>
sudo apt-get -y install openvpn
</pre>

==Obtain OpenVPN profile==

For PIA:

<pre>
cd /tmp
wget https://www.privateinternetaccess.com/openvpn/openvpn.zip
unzip -d openvpn openvpn.zip
cd openvpn
</pre>

This directory contains one OpenVPN profile for each of PIA's server regions.

RUN THE FOLLOWING COMMANDS AS ROOT.

To use the openvpn profile, server cert, and client key:

<pre>
PROFILE="Belgium"
cp ca.rsa.2048.crt /etc/openvpn/.
cp crl.rsa.2048.pem /etc/openvpn/.
cp ${PROFILE}.ovpn /etc/openvpn/.
</pre>

Now add login credentials to a login file:

<pre>
touch /etc/openvpn/login
echo "USERNAME" >> /etc/openvpn/login
echo "PASSWORD" >> /etc/openvpn/login
</pre>

Modify the OpenVPN profile to use the credentials file we just made, and to point to the correct locations of the certificate and key.

Also modify the OpenVPN profile to name the tunnel device it will create. We will set the tunnel device name as <code>tun1</code>:

<pre>
# auth-user-pass takes an optional file argument, so the path is appended
sed -i 's+^auth-user-pass+& /etc/openvpn/login+' /etc/openvpn/${PROFILE}.ovpn
# ca and crl-verify take exactly one argument, so the file name is replaced, not appended to
sed -i 's+^ca ca.rsa.2048.crt+ca /etc/openvpn/ca.rsa.2048.crt+' /etc/openvpn/${PROFILE}.ovpn
sed -i 's+^crl-verify crl.rsa.2048.pem+crl-verify /etc/openvpn/crl.rsa.2048.pem+' /etc/openvpn/${PROFILE}.ovpn
sed -i 's+dev tun$+dev tun1+' /etc/openvpn/${PROFILE}.ovpn
</pre>

==Testing OpenVPN Tunnel==

Test the VPN connection by running <code>curl -4 icanhazip.com</code> before and after you bring the VPN up to verify your IP has changed:

<pre>
openvpn --config /etc/openvpn/${PROFILE}.ovpn
</pre>

Note that you may have a config file (.conf) instead, in which case, use the config file instead of the .ovpn file.

Use <code>curl -6 icanhazip.com</code> to test whether your IPv6 address has changed.

You can also run <code>ifconfig</code> and you should see a <code>tun1</code> device with an IP address like 10.X.Y.Z. This is the VPN connection. To run curl using specifically that network interface, use the <code>--interface</code> flag with curl:

<pre>
curl --interface 10.96.10.6 -4 icanhazip.com
</pre>

The VPN should be capturing and routing ALL traffic through the VPN tunnel. Double check by running this command, which should fail to do anything:

<pre>
curl --interface 192.168.0.199 -4 icanhazip.com
</pre>

where 192.168.0.199 is the IP address of bespin on the wifi network.

==Modifying OpenVPN Service==

Before we can automatically start OpenVPN, we need to modify the startup service to look for .ovpn files instead of .conf files. Use this sed one-liner to do that:

<pre>
sed -i 's|\.conf|.ovpn|' /lib/systemd/system/openvpn@.service
</pre>
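The profile preparation above (copying the files, writing the login file, the four sed edits) and the service modification can be done as one repeatable step, and without editing the packaged unit file under <code>/lib/systemd</code>, which a package upgrade would overwrite. The script below is an added example, not code from this page or from PIA. It creates the credentials file with mode 600 rather than the world-readable default that <code>touch</code> gives, replaces (rather than appends to) the <code>ca</code> and <code>crl-verify</code> arguments, and symlinks <code>Belgium.conf</code> to <code>Belgium.ovpn</code> so the stock <code>openvpn@Belgium</code> service finds the profile. The function names are this example's own; the profile name Belgium, the paths and the <code>tun1</code> device name follow the page.

```shell
#!/bin/bash
# Added example (not from the wiki page or from PIA): prepare a PIA .ovpn
# profile for use from /etc/openvpn in one idempotent step. Function names
# are this example's own; paths, "Belgium" and tun1 follow the page.
set -eu

# prepare_pia_profile <unzipped profile dir> <openvpn dir> <profile> <user> <pass> <tun dev>
prepare_pia_profile() {
    local src="$1" dst="$2" profile="$3" user="$4" pass="$5" tundev="$6"
    local ovpn="$dst/$profile.ovpn"
    mkdir -p "$dst"
    cp "$src/ca.rsa.2048.crt" "$src/crl.rsa.2048.pem" "$src/$profile.ovpn" "$dst/"

    # Credentials file: created mode 600 from the start (never world-readable)
    # and overwritten rather than appended to, so re-running does not stack
    # username/password pairs.
    ( umask 077; printf '%s\n%s\n' "$user" "$pass" > "$dst/login" )
    chmod 600 "$dst/login"

    # Point the profile at the copied files. "ca" and "crl-verify" take
    # exactly one argument, so their file names are replaced, not appended to;
    # "auth-user-pass" is bare in the PIA profiles and gains the file path.
    sed -i -E \
        -e "s|^auth-user-pass[[:space:]]*$|auth-user-pass $dst/login|" \
        -e "s|^ca[[:space:]]+.*$|ca $dst/ca.rsa.2048.crt|" \
        -e "s|^crl-verify[[:space:]]+.*$|crl-verify $dst/crl.rsa.2048.pem|" \
        -e "s|^dev[[:space:]]+tun[[:space:]]*$|dev $tundev|" \
        "$ovpn"

    # openvpn@<name>.service looks for <name>.conf in /etc/openvpn; a symlink
    # satisfies it without touching the packaged unit file.
    ln -sfn "$profile.ovpn" "$dst/$profile.conf"
}

# profile_directive <ovpn file> <directive>: print the directive's arguments
profile_directive() {
    awk -v d="$2" '$1 == d { $1 = ""; sub(/^ /, ""); print; exit }' "$1"
}

# Usage (as root): ./prepare_pia.sh run   (prompts; the password is not put
# on the command line, where it would show up in ps and shell history)
case "${1:-}" in
    run)
        printf 'PIA username: '; read -r pia_user
        printf 'PIA password: '; read -rs pia_pass; echo
        prepare_pia_profile /tmp/openvpn /etc/openvpn "${PROFILE:-Belgium}" "$pia_user" "$pia_pass" tun1
        echo "profile ready: start it with 'service openvpn@${PROFILE:-Belgium} start'"
        ;;
esac
```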
==Enabling OpenVPN Service==

To start the process automatically in the background, and on boot, enable the OpenVPN service. It will be called <code>openvpn@${PROFILE}</code>. So, to use the example of Belgium.ovpn,

<pre>
sudo service openvpn@Belgium start
</pre>
This will look for a file named Belgium.ovpn and start an OpenVPN client process connecting to that server.

Once again you can check your public IP with

<pre>
curl -4 icanhazip.com
</pre>

and look up the IP address location to determine whether your traffic is being routed properly through Belgium, or wherever you chose.

=Connect AP to VPN Tunnel=

The last step here is to provide an internet gateway for the AP, and to do it via the VPN tunnel.

The current network setup is as follows:

* <code>wlan0</code> on 192.168.0.0/24 - provides internet connection
* <code>wlan1</code> on 192.168.10.0/24 - access point network
* <code>tun1</code> on 10.96.10.0/24 - private IP for VPN tunnel

===Bridged network vs routed network===

There are (at least) two ways we can do this:

* Bridged network - this uses a virtual network device called a bridge to allow two network interfaces to see traffic from each other. This can be thought of as connecting two network interfaces to a switch, done virtually on the local machine.
* Routed network - this keeps the two network interfaces separate, and uses iptables to forward traffic from one device to another. This uses masquerading, which means that the server takes packets destined for external networks and proxies them, sending them out over the VPN tunnel, and returning the result to the client when it arrives.

Bridged networks are useful if you want clients on the AP to obtain IP addresses from the wifi router providing bespin with internet. In this scenario, clients would see the 192.168.0.0/24 network, just like bespin does, and would receive IP addresses on that network instead of 192.168.10.0/24.

Routed networks keep the networks associated with each network interface isolated. Packets only pass from one network interface to another if iptables has a rule to do that.

We will use a routed network for this setup.

===Creating the routed network===

Start by installing the netfilter-persistent tool, which will make it easy to save the iptables configuration:

<pre>
sudo apt-get -y install netfilter-persistent
</pre>
Creating the routed network requires packet forwarding to be enabled (see AP setup for instructions). Set up the routed network by adding iptables rules with the following script:

<pre>
#!/bin/bash
set -e

ipt="sudo /sbin/iptables"

# start by flushing all rules and setting defaults
$ipt -F
# should we do this?
#$ipt -P INPUT DROP
#$ipt -P FORWARD DROP
$ipt -P INPUT ACCEPT
$ipt -P FORWARD ACCEPT
$ipt -P OUTPUT ACCEPT
$ipt -t nat -F
$ipt -t mangle -F
$ipt -F
$ipt -X

##################################
# PIA VPN Tunnels

# These are PIA tunnels that handle traffic from APs
PIA_AP_TUNNELS="tun1"
for TUN in ${PIA_AP_TUNNELS}; do
    # Accept all traffic coming in from tunnel
    $ipt -A INPUT -i ${TUN} -j ACCEPT
    # Masquerade outgoing traffic leaving via the tunnel
    $ipt -t nat -A POSTROUTING -o ${TUN} -j MASQUERADE
done

##################################
# AP-PIA Tunneling

# Forward outgoing traffic for APs through tunnel
AP="wlan1"
TUN="tun1"
# Allow traffic on the TUN interface.
$ipt -A INPUT -i ${TUN} -j ACCEPT
$ipt -A FORWARD -i ${TUN} -j ACCEPT
$ipt -A OUTPUT -o ${TUN} -j ACCEPT
# Allow forwarding between the AP and the VPN, in both directions
$ipt -A FORWARD -i ${TUN} -o ${AP} -j ACCEPT
$ipt -A FORWARD -i ${AP} -o ${TUN} -j ACCEPT

# Make rules persistent
sudo netfilter-persistent save
</pre>

hat tip:

* [https://serverfault.com/questions/431593/iptables-forwarding-between-two-interface]
* [https://www.raspberrypi.org/documentation/configuration/wireless/access-point-routed.md]
* [https://serverfault.com/questions/453254/routing-between-two-networks-on-linux]
* [https://www.digitalocean.com/community/tutorials/how-to-list-and-delete-iptables-firewall-rules]

This stores the iptables configuration in <code>/etc/iptables/</code>
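The script above leaves INPUT and FORWARD at ACCEPT and asks "should we do this?" about DROP. The script below is an added example, not the page's script: the same routed setup with both chains defaulting to DROP, replies admitted by connection tracking, and deliberately no forwarding path from wlan1 to wlan0, so AP clients are cut off rather than leaking onto the uplink with bespin's real address when tun1 is down. Interface names follow the page; the INPUT allowances (ssh on the uplink, DHCP and DNS from the AP, which the dnsmasq config further down serves on wlan1) are this example's assumptions about what bespin runs. Setting <code>IPT=echo</code> prints the rules instead of applying them, which is how the self-check function works.

```shell
#!/bin/bash
# Added example (not the page's script): the routed AP -> tunnel rules with
# INPUT and FORWARD defaulting to DROP. Interface names follow the page
# (wlan0 uplink, wlan1 AP, tun1 PIA tunnel); the INPUT allowances are
# assumptions about the services bespin runs. Set IPT=echo for a dry run.
set -eu

IPT="${IPT:-/sbin/iptables}"

# routed_rules <ap iface> <tun iface> <wan iface>
# Applies the complete rule set (or prints it when IPT=echo).
routed_rules() {
    local ap="$1" tun="$2" wan="$3"

    # Start from a clean slate, then close INPUT and FORWARD by default.
    $IPT -F
    $IPT -X
    $IPT -t nat -F
    $IPT -t mangle -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Host-bound traffic: loopback, replies to bespin's own connections,
    # ssh from the uplink LAN, and the DHCP/DNS that dnsmasq serves on the AP.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$wan" -p tcp --dport 22 -j ACCEPT
    $IPT -A INPUT -i "$ap" -p udp --dport 67 -j ACCEPT
    $IPT -A INPUT -i "$ap" -p udp --dport 53 -j ACCEPT
    $IPT -A INPUT -i "$ap" -p tcp --dport 53 -j ACCEPT

    # Forwarding: AP clients may only leave through the tunnel; the replies
    # come back via connection tracking. There is deliberately no wlan1 ->
    # wlan0 rule, so with tun1 down the clients lose connectivity instead of
    # leaking onto the uplink.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$ap" -o "$tun" -j ACCEPT

    # Hide AP clients behind the tunnel endpoint's address.
    $IPT -t nat -A POSTROUTING -o "$tun" -j MASQUERADE
}

# forward_leak_check <ap iface> <wan iface>
# Dry-runs the rule set and fails if any rule would forward AP traffic
# out of the uplink interface.
forward_leak_check() {
    ! ( IPT=echo; routed_rules "$1" tun1 "$2" ) | grep -q -- "-A FORWARD -i $1 -o $2 "
}

case "${1:-}" in
    apply)
        routed_rules wlan1 tun1 wlan0
        netfilter-persistent save      # as on the page: persists to /etc/iptables/
        ;;
    check)
        forward_leak_check wlan1 wlan0 && echo "no forwarding path from wlan1 to wlan0"
        ;;
esac
```

Run <code>sudo ./routed.sh check</code> (or <code>IPT=echo ./routed.sh apply</code> to read the full rule list) before <code>sudo ./routed.sh apply</code>; with INPUT at DROP, getting the ssh rule wrong locks you out of the box, so keep the existing console session open until a second login works.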
==Testing Joining AP==

Join the wifi network from another laptop or phone.

Verify that you receive an IP address and that your device can be pinged from bespin.

Check your IP address from the device (whatsmyip.org) to ensure it is coming from the PIA region specified.

===Troubleshooting EAPOL Timeout===

If your test computer/laptop/phone connects to the network and authenticates okay but the EAPOL handshake step keeps timing out, it's a problem with the DNS server (dnsmasq) not being set up properly. You can see the EAPOL handshake timeout messages when you run hostapd in debug mode (<code>sudo hostapd -d /etc/hostapd/hostapd.conf</code>) and try to join the wifi network with another computer.

===Troubleshooting Joining Wifi===

View the kernel IP routing table and review it to make sure things are wired up correctly:

<pre>
netstat -rn
</pre>

Check iptables rules with this command:

<pre>
sudo iptables -S
# or
sudo iptables -L
</pre>

To limit to input/output rules only, do this:

<pre>
sudo iptables -L INPUT
sudo iptables -L OUTPUT
</pre>

To check that traffic is flowing okay:

On bespin, run <code>tcpdump -i tun1</code> (monitoring the openvpn tunnel) and <code>tcpdump -i wlan1</code> (monitoring traffic on the AP) in side by side windows. Then join the AP from the phone or device and try to access the internet.

You should see packets related to the request that show up in both the tun1 and wlan1 traffic streams, which verifies that traffic is correctly being forwarded from the AP client through bespin and on to the final destination.

The packets should also be going in '''both''' directions - to and from the AP client. If they are only going one direction (from the client to the destination) and none are returning, double-check the iptables rules.

Help from here: [https://serverfault.com/questions/453254/routing-between-two-networks-on-linux]

===More Troubleshooting===

If you restart the networking service on bespin, like this

<pre>
sudo service networking restart
</pre>

then you'll lose your wifi connection. This is because the networking interface reverts back to looking for the old network interface name (the one with the entire mac address in the name), instead of the renamed version.

We specified the device name as part of udev, specifically the file <code>/etc/udev/rules.d/70-persistent-net.rules</code>

So we need to reload udev:

<pre>
sudo udevadm control --reload-rules && sudo udevadm trigger
</pre>

Well crap, that doesn't work. If you reload the networking service, wifi breaks because wpa_supplicant reverts to a stupid network interface scheme, and apparently you're hosed until you restart.
=PiHole=

Run PiHole in a Docker container, and install it between dnsmasq and the VPN tunnel (so that DNS queries will be filtered by the PiHole).

* [[Ubuntu/Bespin/PiHole]]

=OpenVPN Server=

Real simple: just set up an OpenVPN server.

* [[Ubuntu/Bespin/OpenVPN Server]]

47 pages later: man that was intense
=Brushup of dnsmasq Config=

Updated the dnsmasq config file to the one shown here.

Key changes:

* Specifying the interfaces and listen addresses together (only need one or the other, but just to be sure)
* Using the expanded notation for the server keyword, and using it to specify which DNS nameserver to use for traffic from different sources. Now different LANs can use different DNS.

<code>/etc/dnsmasq.conf</code>

<pre>
# don't send external traffic that is missing a domain
domain-needed
# don't send external traffic that has bogus private ip
bogus-priv
## set the local domain
#domain=anon
#local=/anon/
# listen on these interfaces and only these interfaces
interface=lo
listen-address=127.0.0.1
interface=wlan1
listen-address=192.168.10.1
bind-interfaces
# define range of IP addresses to hand out
dhcp-range=192.168.10.100,192.168.10.150,255.255.255.0,24h
# don't read /etc/resolv.conf
no-resolv
# define what to do if no name resolution
# the notation for server used here is
# <dest-ip>/<src-ip>
# local dns queries use pihole dns server
server=127.53.0.1/127.0.0.1
# lan10 dns queries use pihole dns server
server=127.53.0.1/192.168.10.1
## lan20 dns queries use google
#server=8.8.8.8/192.168.20.1
# send dnsmasq logs to a single place
log-facility=/var/log/dnsmasq.log
</pre>
=Iptables Reconfiguration=

Update the iptables rules to allow better protection of the server and be less permissive:

[[Ubuntu/Bespin/Iptables]]

=Wifi Repeater=

Eventually we abandoned the idea of running hostapd on bespin to create a wifi network that would tunnel traffic through a PIA VPN tunnel. That job was moved to Thing 1.

We did have a new problem that hostapd could solve: Bespin and a few other computers are far from the wifi router. We want Bespin to provide a wifi repeater so that other computers can talk to Bespin faster than they can talk to the rest of the network. This doesn't make much of a difference, except if you're using services on Bespin, which we are.

[[Ubuntu/Bespin/Wifi Repeater]]

=Related Pages=

* [[Ubuntu/Bespin/TIL]] - the summary of "today I learned" things that I learned while setting up Bespin
* <s>[[Ubuntu/Bespin/Second AP Tunnel]]</s> - this ended in failure, twice. Short version: you can't have multiple simultaneous PIA tunnels in OpenVPN without significant extra configuration, so no need to go this above and beyond.