Difference between revisions of "Netbsd vpn gateway basic setup"

From ENTS
Revision as of 13:22, 1 August 2013

basic setup after vanilla install

---

Set up pkgsrc repository

Edit the file /root/.profile

Change the PKG_PATH line (the location pkg_add fetches binary packages from) to:
ftp://ftp.netbsd.org/pub/pkgsrc/packages/NetBSD/i386/5.0/All/

vi reports the file as read-only; write it with :wq!

This points at packages built for 5.0 while the rest of this page runs 5.2 (older 5.x binary packages run on 5.2; uname -r shows what the box actually is). pkg_add over plain FTP gives no integrity check on what it installs, so keep it to the convenience packages at the end of the page, not anything the gateway's security depends on.

Set up network interfaces

Edit the file /etc/ifconfig.fxp0 (its contents are passed to ifconfig at boot). Insert, with .201 on the first gateway and .202 on the second:

192.168.0.20{1,2} netmask 255.255.255.0

---

vi /etc/sysctl.conf

net.inet.ip.forwarding=1

---

vi /etc/resolv.conf

nameserver 64.59.184.13

---

vi /etc/rc.conf

hostname=chaosvpn{1,2}.440bx.net
defaultroute=192.168.0.1
sshd=YES

---

useradd -m -G wheel chaosvpn_user
passwd chaosvpn_user

This is the account to log in over ssh and su from. Give it a real password and keep direct root logins off (PermitRootLogin no in /etc/ssh/sshd_config): sshd is reachable from the 192.168.0.0/24 side as soon as the box boots.

---

continue with the steps at:

https://wiki.hamburg.ccc.de/ChaosVPN:NetBSDHowto


---

Recompile the kernel

make directories

# mkdir /usr/src
# chown chaosvpn_user /usr/src

get the actual source (as chaosvpn_user; nothing below needs root until the kernel is installed)

$ cd /usr/src
$ ftp -i ftp://ftp.NetBSD.org/pub/NetBSD/NetBSD-5.2/source/sets/
  mget *.tgz

Fetch the SHA512 (or MD5) digest file from the same directory as well and compare the digests before unpacking anything: plain FTP gives no assurance that what arrived is what NetBSD published, and this is the source the gateway's kernel is built from.
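
That check, as an added example that is not part of the ENTS page: a POSIX sh verification of the downloaded sets against the digest file published beside them, which uses the BSD "SHA512 (name) = hex" format that NetBSD's cksum -a sha512 writes. The digest-tool fallbacks and the function names are this example's own.

```shell
# Added example (not from the ENTS page): verify *.tgz in the current directory
# against NetBSD's SHA512 digest file before extracting anything from them.
# Assumes the BSD "SHA512 (name) = hex" digest format.

# Print the SHA512 hex digest of a file with whatever tool the host has
# (cksum -a sha512 on NetBSD, sha512sum on most Linux systems, else openssl).
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | awk '{print $1}'
    elif cksum -a sha512 "$1" >/dev/null 2>&1; then
        cksum -a sha512 "$1" | awk '{print $NF}'
    else
        openssl dgst -sha512 "$1" | awk '{print $NF}'
    fi
}

# Look up the published digest for file $2 in digest file $1.
# Fields of a BSD digest line: SHA512 (name) = hex
expected_digest() {
    awk -v name="$2" '$1 == "SHA512" && $2 == "(" name ")" {print $4}' "$1"
}

# Verify every *.tgz here against digest file $1. Returns 0 only if every
# set has an entry and matches; names each failure on stderr, so a
# truncated or tampered set is never unpacked by the loop that follows.
verify_sets() {
    digests="$1"; status=0
    for f in *.tgz; do
        [ -f "$f" ] || continue            # no *.tgz at all: glob stayed literal
        want=$(expected_digest "$digests" "$f")
        if [ -z "$want" ]; then
            echo "no digest listed for $f" >&2; status=1; continue
        fi
        have=$(sha512_of "$f")
        if [ "$have" != "$want" ]; then
            echo "DIGEST MISMATCH: $f" >&2; status=1
        fi
    done
    return $status
}
```

Usage in /usr/src after the mget: `verify_sets SHA512 && for i in *.tgz; do tar -xzf "$i"; done`, so a failed check stops before extraction rather than after.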

extract

The set tarballs carry a usr/src/ prefix, so unpacking them inside /usr/src produces /usr/src/usr/src:

$ for i in *.tgz
  do
  tar -xzf $i
  done

Move the tree up one level afterwards (or extract from / in the first place):

$ mv /usr/src/usr/src/* /usr/src

copy config stuff

$ cd /usr/src/sys/arch/i386/conf
$ cp GENERIC i686_CVPN_x300


vi ./i686_CVPN_x300

CFLAGS:

   #use whatever is applicable
   #see:  http://gcc.gnu.org/onlinedocs/gcc/i386-and-x86_002d64-Options.html
   #
   CPUFLAGS="-march=pentium3m -mtune=pentium3m"

Uncommented:

   PERFCTRS #since this is going to be non-smp kernel (may or may not ever use this)
   GATEWAY
   IPSEC
   IPSEC_ESP
   IPSEC_NAT_T
   pseudo-device carp
   pseudo-device pf
   pseudo-device pflog

Might dig more into "tuning" later.
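
The same edits done by script, as an added example that is not from the ENTS page: it copies GENERIC, uncomments exactly the options and pseudo-devices listed above and fails if one of them is not found, so a misspelled name cannot silently produce a kernel without IPSEC. It assumes GENERIC's `#options<tab>NAME` and `#pseudo-device<tab>NAME` layout; the CPUFLAGS line still goes in by hand, and the function names are this example's own.

```shell
# Added example (not from the ENTS page): derive the custom kernel config from
# GENERIC by uncommenting the listed lines, refusing to continue if a name
# does not exist. Assumes GENERIC's "#options<tab>NAME" layout.

# Enable one "options NAME" ($2=options) or "pseudo-device NAME"
# ($2=pseudo-device) line in config file $1. Matches the whole name only,
# so enabling IPSEC leaves IPSEC_ESP and IPSEC_DEBUG alone. Succeeds if the
# line is already enabled; fails if it is absent or ambiguous.
enable_line() {
    conf="$1"; kw="$2"; name="$3"
    counts=$(awk -v kw="$kw" -v name="$name" -v out="$conf.tmp" '
        BEGIN { re = "^#?" kw "[ \t]+" name "([ \t]|$)" }
        $0 ~ re { if (sub(/^#/, "")) on++; else already++ }
        { print > out }
        END { print on + 0, already + 0 }' "$conf")
    set -- $counts            # $1 = lines uncommented, $2 = already enabled
    if [ "$1" -eq 1 ]; then
        mv "$conf.tmp" "$conf"
    elif [ "$1" -eq 0 ] && [ "$2" -ge 1 ]; then
        rm -f "$conf.tmp"     # GENERIC already has it on; nothing to change
    else
        rm -f "$conf.tmp"
        echo "$conf: expected one commented '$kw $name' line, found ${1:-none}" >&2
        return 1
    fi
}

# Build config $2 in arch conf directory $1 from GENERIC, which is left untouched.
make_cvpn_config() {
    confdir="$1"; cfg="$2"
    cp "$confdir/GENERIC" "$confdir/$cfg" || return 1
    for opt in PERFCTRS GATEWAY IPSEC IPSEC_ESP IPSEC_NAT_T; do
        enable_line "$confdir/$cfg" options "$opt" || return 1
    done
    for dev in carp pf pflog; do
        enable_line "$confdir/$cfg" pseudo-device "$dev" || return 1
    done
}

# On the gateway: make_cvpn_config /usr/src/sys/arch/i386/conf i686_CVPN_x300
```

Run it instead of editing by hand, then diff the result against GENERIC to see exactly what the new kernel enables.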

Time to start building the new kernel

$ config i686_CVPN_x300
$ cd ../compile/i686_CVPN_x300
$ make clean && make depend && make

(config is run from the conf directory and creates ../compile/i686_CVPN_x300.)

And install

$ su
# cp /netbsd /netbsd.orig
# cp netbsd /

Reboot using the new kernel. If it does not come up, the saved copy can be chosen at the boot prompt with boot netbsd.orig.


ipfilter setup. routery stuff.

ipfilter (ipf, ipnat, ipmon and the kernel side in GENERIC) is part of the NetBSD 5.2 base system; no packages are required.

---

remove this next bit later if testing shows that statically linking in kernel actually works
Set ipfilter to run by default

vi /etc/rc.conf

ipfilter=YES
ipnat=YES
ipmon=YES
ipmon_flags="-Ds"

Those are the NetBSD rc.conf(5) names. The FreeBSD-style ipfilter_enable, ipnat_enable, gateway_enable and ipnat_rules variables mean nothing to NetBSD's rc.d scripts: /etc/rc.d/ipfilter loads /etc/ipf.conf (and refuses to start without it) and /etc/rc.d/ipnat loads /etc/ipnat.conf, so the rule files must use those names. Forwarding is already switched on by net.inet.ip.forwarding=1 in /etc/sysctl.conf (and by the GATEWAY kernel option). Until /etc/ipf.conf holds rules nothing is filtered: ipfilter enabled with no rules passes every packet.


---


for now, we want ipfilter to log

ipmon -s (from ipmon_flags above) hands logged packets to syslogd on facility local0; only packets matched by a rule carrying the log keyword are reported. syslogd does not create files, so create the log file first:

# touch /var/log/ipfilter.log

vi /etc/syslog.conf

local0.*	/var/log/ipfilter.log

(selector and file name separated by a tab). Then make syslogd reread its configuration:

# kill -HUP $(cat /var/run/syslogd.pid)
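
What to do with that log, as an added example that is not from the ENTS page: a POSIX sh/awk summary of blocked inbound packets per source and destination port, run over constructed sample lines in the format ipmon -s produces through syslogd. The hostnames, addresses (RFC 5737 test ranges) and the function name are this example's own; on the gateway, feed /var/log/ipfilter.log in instead.

```shell
# Added example (not from the ENTS page): summarise what the firewall drops.
# SAMPLE_LOG is constructed for this example in the shape syslogd writes for
# ipmon -s: syslog prefix, then ipmon's own record
#   dd/mm/yyyy hh:mm:ss.uuuuuu ifname @group:rule action src,sport -> dst,dport PR proto ... IN|OUT
# where action is b (blocked) or p (passed).
SAMPLE_LOG=$(cat <<'EOF'
Aug  1 13:20:01 chaosvpn1 ipmon[311]: 01/08/2013 13:20:01.104233 fxp0 @0:1 b 203.0.113.7,51234 -> 192.168.0.201,22 PR tcp len 20 60 -S IN
Aug  1 13:20:03 chaosvpn1 ipmon[311]: 01/08/2013 13:20:03.221019 fxp0 @0:1 b 203.0.113.7,51240 -> 192.168.0.201,22 PR tcp len 20 60 -S IN
Aug  1 13:20:05 chaosvpn1 ipmon[311]: 01/08/2013 13:20:05.006701 fxp0 @0:1 b 203.0.113.7,51251 -> 192.168.0.201,22 PR tcp len 20 60 -S IN
Aug  1 13:21:10 chaosvpn1 ipmon[311]: 01/08/2013 13:21:10.330008 fxp0 @0:1 b 198.51.100.4,40000 -> 192.168.0.201,655 PR udp len 20 48 IN
Aug  1 13:21:12 chaosvpn1 ipmon[311]: 01/08/2013 13:21:12.000543 fxp0 @0:3 p 198.51.100.9,40001 -> 192.168.0.201,655 PR udp len 20 48 IN
Aug  1 13:22:00 chaosvpn1 ipmon[311]: 01/08/2013 13:22:00.412345 fxp1 @0:2 b 192.168.0.201,33000 -> 203.0.113.50,443 PR tcp len 20 60 -S OUT
Aug  1 13:23:30 chaosvpn1 ipmon[311]: 01/08/2013 13:23:30.500001 fxp0 @0:1 b 203.0.113.7 -> 192.168.0.201 PR icmp len 20 84 icmp 8/0 IN
EOF
)

# Count blocked (action b) inbound packets per source address and destination
# port/protocol. Passed packets and outbound drops are skipped. The record is
# located by its "->" token rather than by fixed field numbers, so the syslog
# prefix width (one- or two-digit day, pid length) does not matter.
# Reads a log on stdin; prints "count source -> port N/proto", busiest first.
blocked_inbound_summary() {
    awk '
        {
            for (i = 1; i <= NF; i++) if ($i == "->") break
            if (i > NF || i < 3) next                 # not an ipmon packet record
            if ($(i-2) != "b" || $NF != "IN") next    # keep blocked, inbound only
            split($(i-1), src, ","); split($(i+1), dst, ",")
            port = (dst[2] == "") ? "-" : dst[2]      # ICMP records carry no port
            hits[src[1] " -> port " port "/" $(i+3)]++
        }
        END { for (k in hits) print hits[k], k }
    ' | sort -k1,1nr -k2
}

# On the gateway: blocked_inbound_summary < /var/log/ipfilter.log
```

A source that keeps appearing against port 22 from the upstream side is the kind of thing this turns up; on the sample it reports 203.0.113.7 three times on 22/tcp before anything else.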

---


vi /etc/ipnat.conf

map fxp1 10.100.0.0/16 -> 0.0.0.0/32 portmap tcp/udp 1024:65000
map fxp1 10.100.0.0/16 -> 0.0.0.0/32

/etc/ipnat.conf is the file /etc/rc.d/ipnat loads. 0.0.0.0/32 means "whatever address fxp1 currently has". The first rule rewrites TCP and UDP from the VPN range to fxp1's address with a source port taken from the range, which must not start at 0 (port 0 is reserved), hence 1024:65000. The second rule catches the remaining protocols (ICMP) with no port rewriting. Load and inspect with ipnat -CF -f /etc/ipnat.conf and ipnat -l.
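
The filter rules this NAT setup still lacks, as an added example that is not from the ENTS page: a default-deny /etc/ipf.conf alongside the ipnat rules, written under a directory argument so it can be reviewed before it goes live. Nothing here is stated on the page and all of it is this example's assumption: fxp0 is the 192.168.0.0/24 side with the router at 192.168.0.1, fxp1 is where the NAT'd 10.100.0.0/16 traffic leaves, the VPN daemon is tinc on 655 tcp and udp (ChaosVPN is tinc based; check the port against the ChaosVPN howto), and the tunnel interface name is passed as the second argument.

```shell
# Added example (not from the ENTS page): default-deny ipf.conf plus the NAT
# rules, written to $1/etc ("/" on the gateway, a scratch dir to review).
# $2 is the tunnel interface decrypted VPN traffic arrives on (assumed tun0).
# Interface roles, the 655 port and the tunnel name are assumptions.
write_filter_rules() {
    root="$1"; tunif="${2:-tun0}"; etc="$root/etc"
    mkdir -p "$etc" || return 1
    cat > "$etc/ipf.conf" <<EOF
# Default deny both ways; "log" sends each dropped packet through ipmon -s
# to syslog local0 (/var/log/ipfilter.log on this box)
block in  log all
block out log all
pass in  quick on lo0 all
pass out quick on lo0 all
# VPN addresses only ever arrive on the tunnel; elsewhere they are spoofed
block in log quick on fxp0 from 10.100.0.0/16 to any
block in log quick on fxp1 from 10.100.0.0/16 to any
# Management: ssh to the gateway only from the 192.168.0.0/24 side
pass in quick on fxp0 proto tcp from 192.168.0.0/24 to any port = 22 flags S keep state
# VPN peers reach the daemon through the upstream router (assumed port 655)
pass in quick on fxp0 proto tcp from any to any port = 655 flags S keep state
pass in quick on fxp0 proto udp from any to any port = 655 keep state
# Decrypted VPN traffic may be forwarded (out via fxp1, where ipnat rewrites
# the source); the state entry lets the replies back without another rule
pass in quick on $tunif from 10.100.0.0/16 to any keep state
# The gateway's own outbound traffic (DNS, pkg_add, tinc to its peers, tunnel)
pass out quick on fxp0 proto tcp from any to any flags S keep state
pass out quick on fxp0 proto udp from any to any keep state
pass out quick on fxp0 proto icmp from any to any keep state
pass out quick on fxp1 proto tcp from any to any flags S keep state
pass out quick on fxp1 proto udp from any to any keep state
pass out quick on fxp1 proto icmp from any to any keep state
pass out quick on $tunif from any to 10.100.0.0/16 keep state
EOF
    cat > "$etc/ipnat.conf" <<'EOF'
# VPN sources leaving through fxp1 take fxp1's address (0.0.0.0/32); TCP/UDP
# get a fresh source port from the range, everything else uses the second rule
map fxp1 10.100.0.0/16 -> 0.0.0.0/32 portmap tcp/udp 1024:65000
map fxp1 10.100.0.0/16 -> 0.0.0.0/32
EOF
}

# On the gateway: write_filter_rules / tun0
```

Load with ipf -Fa -f /etc/ipf.conf and ipnat -CF -f /etc/ipnat.conf, then read back what the kernel holds with ipfstat -io and ipnat -l; "block ... log" first with "quick" pass rules after it is what makes the order below it safe.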


Misc Non-essential Setup

Optional: Install some convenience packages

# pkg_add lynx
# pkg_add pico
# pkg_add screen