Difference between pages "Joining" and "Netbsd vpn gateway basic setup"

From ENTS

= Becoming a member =

==How to apply==

New members should submit a completed [http://docum.ents.ca/PIF.pdf application form] to [mailto:directors@ents.ca Directors@ENTS.ca].<br /> You should receive a reply shortly inviting you by the space.

==Can I tour ENTS before joining?==

It can be difficult to visualize what ENTS is without seeing the space first hand. New members are encouraged to tour the space before joining. Bring a friend when you visit; ENTS is a social place for friends to hang out. It's almost certain you'll make new friends at ENTS, but it's nice to share projects with those who know you best.<br />
<br />
When should I come by?<br />
:'''HackTuesdays''' are our weekly project nights. This is not the only time members are at the space, but it's an excellent opportunity to experience the ENTS culture.<br />
:'''General meetings''' are monthly meetings where the membership discusses the current happenings of the space and decides on the future direction of the society.<br />
:'''Schedule a time''' with the directors if you're unable to make it on Tuesdays or Sundays. Just send us an email and let us know when you're free; we'll try our best to accommodate you.<br />
:'''If you know a member''', you can visit with them as a guest at any time.<br />
Scheduled events are listed in our [[Events|calendar]].

==ENTS membership==

ENTS members enjoy 24 hour access to the ENTS space, which is well stocked with tools, materials and consumables. Various types of member storage are available, with everything from lockers to project storage.

==Friends of ENTS==

Many prospective members love the ENTS concept and space, but simply don't have time to make full use of a membership. They still, however, want to keep up to date and be able to stop in from time to time and see what's going on. ENTS is happy to announce the Friends of ENTS membership.
Friends of ENTS pay a reduced membership fee in exchange for reduced access and features. Friends are not eligible for keys but may use the space during scheduled events. Voting rights and certain equipment are restricted to members.

==What are membership costs?==

'''Monthly''' memberships are $50<br />
'''Starving Hacker''' memberships are available by request<br />
'''Yearly''' memberships are available for $500<br />
'''Friends of ENTS''' memberships are $10/month<br />
There is no requirement for ongoing membership; should you need to suspend your membership, let the directors know when to suspend and resume it.

==How to pay==

ENTS prefers that members pay their dues via recurring PayPal subscriptions, as it helps greatly with budgeting.<br />
Members can however pay by single PayPal payments, cash or cheque.<br />
ENTS does not offer any type of trading of labour, materials or tools for membership, sorry.<br />
<br />
[[File:Paypal_Logo.jpg|150px]]<br />
[https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=5GXCX49RSKUG4 ENTS Friend - Single - $10]<br />
[https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=ZTNYU3LEYFVWE ENTS Friend - Recurring - $10]<br />
[https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=7AMSHP7NMB7SY ENTS SuperFriend - Recurring - $25]<br />
[https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=7WFDYE6RS8YCG ENTS Membership - Single - $50]<br />
[https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=63GJZSVPHWE3Y ENTS Membership - Recurring - $50]<br />
[https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=KTTAM3PHH9VMS ENTS Membership - Single - $500]<br />
[https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=7MRWBBHKEEXMC ENTS Membership - Recurring - $500]<br />
[https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=KV8ZW9Q78KCP8 ENTS Membership - Single - $75]<br />
[https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=5ZGCDXQBSBR2E ENTS Membership - Recurring - $75]<br />
[https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=VKS3RZB3APM28 ENTS Membership - Single - $750]<br />
[https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=8UBFKM5VZH96Q ENTS Membership - Recurring - $750]<br />
<br />
[[File:BitPayLarge.png|150px]]<br />
[https://bitpay.com/cart/add?itemId=K2jy6qwvA15Zu6K6Vb1LB ENTS Membership - Single - $75]<br />
[https://bitpay.com/cart/add?itemId=US1pLrebMLpBfLd5wsewGD ENTS Membership - Single - $750]<br />
<br />
Please note: As ENTS is a non-profit with significant operating costs, all fees are non-refundable.

'''Do Not Leave Payment At ENTS For A Director To Pickup!'''<br />
Revision as of 20:12, 11 December 2013

Basic setup after a vanilla install of NetBSD 5.2

If you want to set up a small network of computers on chaosvpn behind a NetBSD 5.2 router, this is the document for you. The purpose of this document is a step-by-step process to install and configure a VPN router that will serve as a router or firewall for a number of computers behind NAT. This document assumes that all addresses are statically assigned.

Still a work in progress.

To do:

Stuff on Carp redundancy? pf?


Setup pkgsrc and networking

Set up pkgsrc repository

Edit the file /root/.profile

Change the path for the pkgsrc repo to:
ftp://ftp.netbsd.org/pub/pkgsrc/packages/NetBSD/i386/5.0/All/

The file will be read-only, use :wq!


Set up network interfaces

Edit the file /etc/ifconfig.fxp0

This will be the external (WAN) interface.

Insert the contents:

192.168.0.201 netmask 255.255.255.0


Edit the file /etc/ifconfig.fxp1

This will be the internal network (LAN) interface.

Insert the contents:

10.100.44.1 netmask 255.255.255.0

Ensure IP forwarding is set up

Edit the file /etc/sysctl.conf

Insert the contents:

net.inet.ip.forwarding=1


Specify your DNS server

Edit the file /etc/resolv.conf

Insert the contents:

nameserver 64.59.184.13


Specify basic settings in rc.d to set up networking

Edit the file /etc/rc.conf

Append the following to the end of the file:

hostname=chaosvpn.440bx.net
defaultroute=192.168.0.1
sshd=yes


Create a new user to do tasks that don't require root

# useradd -m -G wheel chaosvpn_user
# passwd chaosvpn_user

Continue with the installation of ChaosVPN

Continue with the steps at:

https://wiki.hamburg.ccc.de/ChaosVPN:NetBSDHowto

Recompile the kernel to add IPfilter and CARP support

Now that ChaosVPN is up and running, there are a few more things that have to be done to get this machine set up to do NAT routing.


Preparing to recompile the kernel

Make Directories

# mkdir /usr/src
# chown chaosvpn_user /usr/src


Get the actual source

This does not have to be done as a root user. You can do this as the chaosvpn_user user that was created earlier.

$ ftp -i ftp://ftp.NetBSD.org/pub/NetBSD/NetBSD-5.2/source/sets/
  mget *.tgz

Extract the files

$ for i in *.tgz
  do
  tar -xzf $i
  done


After you realize you've extracted to the wrong directory

$ mv /usr/src/usr/src/* /usr/src


Copy config stuff

It's best to not work in the vanilla configuration files. We will make a copy of the GENERIC configuration file.

$ cd /usr/src/sys/arch/i386
$ cp GENERIC i686_CVPN_x300


Edit the configuration files

Edit the file /usr/src/sys/arch/i386/conf/i686_CVPN_x300

Uncomment the following settings:

  PERFCTRS #since this is going to be non-smp kernel (may or may not ever use this)
  GATEWAY
  IPSEC
  IPSEC_ESP
  IPSEC_NAT_T
  pseudo-device carp

Optional Settings

I made the following changes to my CPUFLAGS variable in the configuration. Use whatever is applicable for your processor and architecture.

Refer to: http://gcc.gnu.org/onlinedocs/gcc/i386-and-x86_002d64-Options.html

  CPUFLAGS="-march=pentium3m -mtune=pentium3m"
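As an added example (not from the original page), the following shell script uncomments the options listed above in a copy of the kernel config and verifies that each one is active before config(1) is run. The sample config fragment it writes is constructed for the demonstration, and the function names are this example's own; on the router, point it at /usr/src/sys/arch/i386/conf/i686_CVPN_x300 instead.

```shell
#!/bin/sh
# Added example, not the wiki page's own: enable the kernel options the page
# lists in a copied GENERIC config and check each is now active. Functions
# and the sample config below are constructed for this demonstration.
set -eu

WANTED="PERFCTRS GATEWAY IPSEC IPSEC_ESP IPSEC_NAT_T"

# Uncomment "#options NAME" for each wanted option and "#pseudo-device carp".
# The trailing ([[:space:]]|$) keeps "IPSEC" from also matching "IPSEC_ESP".
enable_kernel_options() {
    cfg=$1
    for opt in $WANTED; do
        sed -E "s/^#[[:space:]]*(options[[:space:]]+${opt}([[:space:]]|\$))/\1/" "$cfg" > "$cfg.tmp"
        mv "$cfg.tmp" "$cfg"
    done
    sed -E 's/^#[[:space:]]*(pseudo-device[[:space:]]+carp([[:space:]]|$))/\1/' "$cfg" > "$cfg.tmp"
    mv "$cfg.tmp" "$cfg"
}

# Return 0 only if every wanted option is uncommented exactly once and carp is on.
verify_kernel_options() {
    cfg=$1
    for opt in $WANTED; do
        [ "$(grep -cE "^options[[:space:]]+${opt}([[:space:]]|\$)" "$cfg")" -eq 1 ] || return 1
    done
    grep -qE '^pseudo-device[[:space:]]+carp([[:space:]]|$)' "$cfg"
}

# Constructed fragment in the style of NetBSD's GENERIC config file.
write_sample_config() {
    cat > "$1" <<'EOF'
options         INET            # IP + ICMP + TCP + UDP
#options        GATEWAY         # packet forwarding
#options        IPSEC           # IP security
#options        IPSEC_ESP       # IP security (encryption part; define w/ IPSEC)
#options        IPSEC_NAT_T     # IPsec NAT traversal (NAT-T)
#options        PERFCTRS        # performance counters
#pseudo-device  carp            # Common Address Redundancy Protocol
#pseudo-device  gif             # IPv[46] over IPv[46] tunnel
EOF
}

if [ $# -gt 0 ]; then
    enable_kernel_options "$1" && verify_kernel_options "$1" && echo "options enabled in $1"
fi
```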


Building and Installing the kernel

Building the new kernel

$ config ./i686_CVPN_x300
$ cd ../compile/i686_CVPN_x300
$ make clean && make depend && make


Installing the new kernel

Before overwriting the existing kernel, make a copy - just in case.

$ su 
# cp /netbsd /netbsd.orig
# cp netbsd /


Reboot using the new kernel.


IPfilter setup

IPfilter is installed by default on NetBSD 5.2.
No special packages are required.


Configure ipfilter startup settings

remove this next bit later if testing shows that statically linking in kernel actually works

Set ipfilter to run by default

Edit the file /etc/rc.conf

Append the following to the end of the file:

ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.rules"
ipmon_enable="YES"
ipmon_flags="-Ds"
gateway_enable="YES"
ipnat_enable="YES"
ipnat_rules="/etc/ipnat.rules"

Check these variable names against /etc/defaults/rc.conf on the router before relying on them; a service whose rc.conf variable is misspelled simply does not start, and an unfiltered gateway is the result.


Set up ipfilter to log

For now, we want ipfilter to log, so create the log file:

# touch /var/log/ipfilter.log

Edit the file /etc/syslog.conf

Append the following to the file:

local0.* /var/log/ipfilter.log


Set up IPNat rules

Edit the file /etc/ipnat.rules

Insert the following:


map fxp1 10.100.0.0/16 -> 0.0.0.0/32 portmap tcp/udp 00000:65000
map fxp1 10.100.0.0/16 -> 0.0.0.0/32
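As an added example that is not part of the original page, this shell script stages all of the files from the interface, sysctl, resolv.conf, rc.conf and NAT steps above into a scratch directory so they can be reviewed and diffed before being copied to /etc on the router. It uses the page's addresses and hostname; the /etc/ipf.rules baseline (the page enables ipfilter with that rules file but never shows its contents), the portmap range 10000:65000, and applying the map rules on the WAN interface fxp0 (ipnat map rules name the interface packets leave through, while the page's rules name fxp1) are this example's assumptions, so check which interface your ChaosVPN traffic actually leaves through.

```shell
#!/bin/sh
# Added example, not the wiki page's own: stage the gateway's network, NAT
# and filter files for review. ipf.rules baseline, portmap range and NAT
# interface are assumptions; addresses and hostname are the page's.
set -eu

WAN_IF=fxp0; WAN_ADDR=192.168.0.201; DEFAULT_ROUTE=192.168.0.1
LAN_IF=fxp1; LAN_ADDR=10.100.44.1;   LAN_NET=10.100.0.0/16
NETMASK=255.255.255.0; NAMESERVER=64.59.184.13; HOSTNAME=chaosvpn.440bx.net

stage_gateway_config() {
    dir=$1
    mkdir -p "$dir"
    echo "$WAN_ADDR netmask $NETMASK" > "$dir/ifconfig.$WAN_IF"
    echo "$LAN_ADDR netmask $NETMASK" > "$dir/ifconfig.$LAN_IF"
    echo "net.inet.ip.forwarding=1"   > "$dir/sysctl.conf"
    echo "nameserver $NAMESERVER"     > "$dir/resolv.conf"
    printf 'hostname=%s\ndefaultroute=%s\nsshd=yes\n' \
        "$HOSTNAME" "$DEFAULT_ROUTE" > "$dir/rc.conf.append"
    # ipnat map rules name the interface packets leave through; 0.0.0.0/32
    # means "use that interface's address". Assumption: NAT on the WAN side.
    printf 'map %s %s -> 0.0.0.0/32 portmap tcp/udp 10000:65000\nmap %s %s -> 0.0.0.0/32\n' \
        "$WAN_IF" "$LAN_NET" "$WAN_IF" "$LAN_NET" > "$dir/ipnat.rules"
    # Baseline ipf.rules (assumption): trust loopback and the LAN, allow replies
    # to our own traffic on the WAN side, log and drop everything else arriving there.
    cat > "$dir/ipf.rules" <<EOF
pass in quick on lo0 all
pass out quick on lo0 all
pass in quick on $LAN_IF from $LAN_NET to any keep state
pass out quick on $LAN_IF all
pass out quick on $WAN_IF proto tcp/udp from any to any keep state
pass out quick on $WAN_IF proto icmp from any to any keep state
block in log on $WAN_IF all
EOF
}

# Sanity check a staged directory: forwarding must be on, every NAT rule must
# refer to the LAN prefix on the NAT interface, and the filter must not be empty.
check_staged_config() {
    dir=$1
    grep -qx 'net.inet.ip.forwarding=1' "$dir/sysctl.conf" || return 1
    ! grep -v "^map $WAN_IF $LAN_NET " "$dir/ipnat.rules" | grep -q . || return 1
    [ -s "$dir/ipf.rules" ]
}

if [ $# -gt 0 ]; then
    stage_gateway_config "$1" && check_staged_config "$1" && echo "staged in $1"
fi
```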

Other Setup

At this point in the game, you should have a functional router for your NAT chaosvpn network. The "fxp0" interface should be connected to the Internet, and the "fxp1" interface should be connected to your hub or switch for the internal network. You should be able to browse chaosvpn from behind a NAT now!


Optional: Install some convenience packages

# pkg_add lynx
# pkg_add nano
# pkg_add screen


stuff

misc


carp

Edit the file /etc/sysctl.conf and add:

net.inet.carp.allow=1