Difference between pages "Tool Fund" and "Netbsd vpn gateway basic setup"

From ENTS

Tool Fund

ENTS members have decided to band together to buy tools for the space. Hov's brainchild is the Tool Fund, where members contribute money, ideally monthly, but one-off contributions are accepted as well. The idea is that for every $25 donated, the donor receives 1 vote. Voting happens monthly and donors can vote either to buy tool/s or supplies, or to keep the fund for another month, either to save more or to wait for a better purchase need to appear.

Q: What will the money be used for?

A: Primarily tools and the maintenance of tools. It's impossible to say with certainty, since donors decide what will be purchased. The idea at inception was that bigger ticket items be the primary goal, along with some smaller ticket items.

Q: Who decides what to buy?

A: Donors will; those who have invested in the fund get a say in how the money is spent.

Q: Is a group buy right? Will members own a portion of what is bought?

A: No. ENTS will own anything purchased from the tool fund. Money donated to the tool fund is exactly that, a donation.

Q: How will the tools and equipment be maintained once purchased?

A: This will also be a portion of the Tool Fund's responsibility.

Q: How do we decide on what gets purchased?

A: After the end of the month a post will be placed in the forums saying what we have and what we could buy. Those that donated will be able to vote on what to do. That could be to spend some on small stuff, or wait and spend on big stuff, or a combination of both. The post will be a rundown of all those that participated and how many votes they have. There will be a clear cut-off date and target for purchase, as well as information on who's making the purchase etc. Some purchases will be very specific (such as models/sources etc.) and some could be "let's spend 100-150 on a grappel gromet machine and save the rest to buy a chumyodler!"

Q: How do we know how it's going?

A: The Tool Fund's balance and recent decisions will be reported on at monthly meetings. Tool Fund discussions will happen separately; this is to ensure that the monthly meetings stay on topic. Donors will meet otherwise to decide how to administer the Tool Fund.

Q: What about training and all that other stuff?

A: Depending on the tool/item we'll figure that out. Some won't need any and some will need a lot.

Q: You're going to buy nothing but Garage Stuff or Electronics Stuff or or or right?

A: No. The idea would be to spend the money on things for the garage and things for electronics or prototyping or computers or software or or or. We'll be trying to spread the money around and get the biggest bang for the buck.

Q: Who is in charge of the Tool Fund?

A: Grelli will be taking care of the accounting and bookkeeping. Hov will be organizing/moderating the forums and such. Depending on the purchases there will be others involved for specific items.

Netbsd vpn gateway basic setup

Revision as of 13:29, 1 August 2013

Basic setup after a vanilla install of NetBSD 5.2

---

Set up pkgsrc repository

Edit the file /root/.profile

Change the pkgsrc binary package path (PKG_PATH) to:
ftp://ftp.netbsd.org/pub/pkgsrc/packages/NetBSD/i386/5.0/All/

The file will be read-only, use :wq!


Set up network interfaces

Edit the file /etc/ifconfig.fxp0

This will be the external (WAN) interface.

Insert the contents:

192.168.0.201 netmask 255.255.255.0 

---

Edit the file /etc/ifconfig.fxp1

This will be the internal network (lan) interface.

Insert the contents:

10.100.44.1 netmask 255.255.255.0 


Ensure IP forwarding is set up

Edit the file /etc/sysctl.conf

Insert the contents:

net.inet.ip.forwarding=1


Specify your DNS server

Edit the file /etc/resolv.conf

Insert the contents:

nameserver 64.59.184.13


Specify basic settings in rc.d to set up networking

Edit the file /etc/rc.conf

Append the following to the end of the file:

hostname=chaosvpn.440bx.net
defaultroute=192.168.0.1
sshd=yes


Create a new user to do tasks that don't require root

# useradd -m -G wheel chaosvpn_user
# passwd chaosvpn_user


Continue with the installation of ChaosVPN

Continue with the steps at:

https://wiki.hamburg.ccc.de/ChaosVPN:NetBSDHowto


---

Recompile the kernel

make directories

# mkdir /usr/src
# chown chaosvpn_user /usr/src

get the actual source

$ ftp -i ftp://ftp.NetBSD.org/pub/NetBSD/NetBSD-5.2/source/sets/
  mget *.tgz

extract

$ for i in *.tgz
  do
  tar -xzf $i 
  done

After you realize you've extracted to the wrong directory:

$ mv /usr/src/usr/src/* /usr/src

copy config stuff

$ cd /usr/src/sys/arch/i386
$ cp GENERIC i686_CVPN_x300


vi ./i686_CVPN_x300

CFLAGS:

   #use whatever is applicable
   #see:  http://gcc.gnu.org/onlinedocs/gcc/i386-and-x86_002d64-Options.html
   #
   CPUFLAGS="-march=pentium3m -mtune=pentium3m"

Uncommented:

   PERFCTRS #since this is going to be non-smp kernel (may or may not ever use this)
   GATEWAY
   IPSEC
   IPSEC_ESP
   IPSEC_NAT_T
   pseudo-device carp
   pseudo-device pf
   pseudo-device pflog

Might dig more into "tuning" later.

Time to start building the new kernel

$ config ./i686_CVPN_x300
$ cd ../compile/i686_CVPN_x300
$ make clean && make depend && make

And install

$ su 
# cp /netbsd /netbsd.orig
# cp netbsd /

Reboot using the new kernel.


ipfilter setup (router stuff)

ipfilter is installed by default on NetBSD 5.2. No special packages are required.

---

remove this next bit later if testing shows that statically linking in kernel actually works
Set ipfilter to run by default

vi /etc/rc.conf

# NetBSD rc.conf variable names (the FreeBSD-style *_enable names are not read by NetBSD's rc.d scripts).
# rc.d/ipfilter loads its rules from /etc/ipf.conf and rc.d/ipnat from /etc/ipnat.conf.
# IP forwarding is already turned on via net.inet.ip.forwarding=1 in /etc/sysctl.conf above.
ipfilter=YES
ipmon=YES
ipmon_flags="-Ds"
ipnat=YES

Create the log file.

---

For now, we want ipfilter to log:

# touch /var/log/ipfilter.log

vi /etc/syslog.conf

local0.* /var/log/ipfilter.log

---

vi /etc/ipnat.conf

# NAT is applied on the external (WAN) interface fxp0, not on the LAN interface fxp1.
# The first rule rewrites TCP/UDP source ports into the given range; the second catches
# everything else (ICMP and other protocols). 0.0.0.0/32 means "the address of fxp0".
map fxp0 10.100.0.0/16 -> 0.0.0.0/32 portmap tcp/udp 10000:65000
map fxp0 10.100.0.0/16 -> 0.0.0.0/32
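The rc.conf settings above turn on forwarding and NAT but leave the packet filter without a ruleset, so the box would route whatever reaches it. The following is an added example, not part of the original page or of the ChaosVPN project: a minimal stateful /etc/ipf.conf for the interface layout used on this page, which assumes fxp0 is the WAN side and fxp1 the 10.100.44.0/24 LAN with the gateway at 10.100.44.1. NetBSD's rc.d/ipfilter loads /etc/ipf.conf when ipfilter=YES is set. The VPN daemon's own listening port is not covered and needs a pass rule once that part of the setup is done.

```conf
# /etc/ipf.conf -- added example for the gateway described on this page, not the page's own config.
# Assumed layout (from the setup above): fxp0 = external/WAN, fxp1 = internal LAN 10.100.44.0/24,
# gateway LAN address 10.100.44.1.
#
# IPFilter reads rules top to bottom and the LAST matching rule wins unless a rule says "quick",
# so the two catch-all blocks come first and every deliberate exception is a "quick" rule.

# Default: drop and log everything not explicitly allowed, in both directions.
block in log all
block out log all

# Loopback traffic is always allowed.
pass in quick on lo0 all
pass out quick on lo0 all

# Anti-spoofing on the WAN side: nothing arriving on fxp0 may claim an internal or loopback source.
block in log quick on fxp0 from 10.0.0.0/8 to any
block in log quick on fxp0 from 127.0.0.0/8 to any

# Management: ssh (and ping) to the gateway itself only from the LAN. Anything else addressed
# to the gateway's LAN address is dropped before the general forwarding rule below.
pass in quick on fxp1 proto tcp from 10.100.44.0/24 to 10.100.44.1 port = 22 flags S keep state
pass in quick on fxp1 proto icmp from 10.100.44.0/24 to 10.100.44.1 icmp-type echo keep state
block in log quick on fxp1 from any to 10.100.44.1

# LAN side: internal hosts may start connections through the gateway; "keep state" lets the
# replies return without an explicit inbound rule on fxp0.
pass in quick on fxp1 from 10.100.44.0/24 to any keep state
pass out quick on fxp1 all keep state

# WAN side: connections initiated by the gateway or forwarded (NATed) from the LAN.
# "flags S" means only the initial SYN creates state, so stray ACK/RST packets cannot open a hole.
# No inbound service is exposed on fxp0; add a "pass in quick on fxp0 proto ... port = <vpn port>"
# rule here for the VPN daemon once it is installed (port is a placeholder, not given on this page).
pass out quick on fxp0 proto tcp from any to any flags S keep state
pass out quick on fxp0 proto udp from any to any keep state
pass out quick on fxp0 proto icmp from any to any keep state
```

Load it with `ipf -Fa -f /etc/ipf.conf` (flush, then reload) and watch /var/log/ipfilter.log, which the ipmon setup above feeds: the logged block entries show exactly what the default-deny rules are catching before any further exception is added.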


Misc Non-essential Setup

Optional: Install some convenience packages

# pkg_add lynx
# pkg_add pico
# pkg_add screen