Dieses Wiki ist ein Archiv bis 2023. Das aktuelle Wiki findet sich unter https://wiki.hamburg.ccc.de/
Difference between revisions of "ChaosVPN:Netbsd NAT VPN router using chaosvpn and ipnat"
m (→Get the actual source) |
|||
| (15 intermediate revisions by 2 users not shown) | |||
| Line 1: | Line 1: | ||
| + | [[ChaosVPN|Back]] | ||
| + | |||
| + | {{Template:ChaosVPNBanner}} | ||
= Basic setup after a vanilla install of NetBSD 5.2 = | = Basic setup after a vanilla install of NetBSD 5.2 = | ||
| Line 48: | Line 51: | ||
Insert the contents: | Insert the contents: | ||
| − | 10.100.44. | + | 10.100.44.2 netmask 255.255.255.0 |
=== Ensure IP forwarding is set up === | === Ensure IP forwarding is set up === | ||
| Line 75: | Line 78: | ||
Append the following to the end of the file: | Append the following to the end of the file: | ||
| − | hostname= | + | hostname=yourhost.yourdomain.net |
| − | defaultroute= | + | defaultroute=some.ip.address.here |
sshd=yes | sshd=yes | ||
| − | |||
=== Create a new user to do tasks that don't require root === | === Create a new user to do tasks that don't require root === | ||
| Line 100: | Line 102: | ||
| + | <!-- | ||
= Recompile the kernel to add IPfilter and CARP support = | = Recompile the kernel to add IPfilter and CARP support = | ||
| Line 126: | Line 129: | ||
$ for i in *.tgz | $ for i in *.tgz | ||
| − | + | > do | |
| − | + | > tar -xzf $i | |
| − | + | > done | |
| − | |||
=== After you realize youve extracted to the wrong directory === | === After you realize youve extracted to the wrong directory === | ||
| Line 140: | Line 142: | ||
It's best to not work in the vanilla configuration files. We will make a copy of the GENERIC configuration file. | It's best to not work in the vanilla configuration files. We will make a copy of the GENERIC configuration file. | ||
| − | $ cd /usr/src/sys/arch/i386 | + | $ cd /usr/src/sys/arch/i386/conf |
$ cp GENERIC i686_CVPN_x300 | $ cp GENERIC i686_CVPN_x300 | ||
| − | |||
=== Edit the configuration files === | === Edit the configuration files === | ||
| Line 156: | Line 157: | ||
IPSEC_NAT_T | IPSEC_NAT_T | ||
pseudo-device carp | pseudo-device carp | ||
| − | + | pseudo-device pf | |
| + | pseudo-device pflog | ||
=== Optional Settings === | === Optional Settings === | ||
| Line 188: | Line 190: | ||
Reboot using the new kernel. | Reboot using the new kernel. | ||
| − | + | --> | |
| − | |||
= IPfilter setup = | = IPfilter setup = | ||
| Line 210: | Line 211: | ||
ipfilter_enable="YES" | ipfilter_enable="YES" | ||
ipfilter_rules="/etc/ipf.rules" | ipfilter_rules="/etc/ipf.rules" | ||
| + | |||
ipmon_enable="YES" | ipmon_enable="YES" | ||
ipmon_flags="-Ds" | ipmon_flags="-Ds" | ||
| + | |||
gateway_enable="YES" | gateway_enable="YES" | ||
| + | |||
ipnat_enable="YES" | ipnat_enable="YES" | ||
| − | + | ipnat_flags="CF" | |
| − | |||
=== Set up ipfilter to log === | === Set up ipfilter to log === | ||
| Line 236: | Line 239: | ||
Edit the file '''''/etc/ipnat.rules''''' | Edit the file '''''/etc/ipnat.rules''''' | ||
| − | + | If you wish to use NAT, insert the following: | |
| − | |||
| − | map fxp1 10.100.0.0/16 -> 0.0.0.0/32 portmap tcp/udp | + | map fxp1 10.100.0.0/16 -> 0.0.0.0/32 portmap tcp/udp 10000:20000 |
map fxp1 10.100.0.0/16 -> 0.0.0.0/32 | map fxp1 10.100.0.0/16 -> 0.0.0.0/32 | ||
| + | === IPF firewall rules === | ||
| − | + | At the very least you will need to allow output connections on port 80, and inbound and outbound connections on port 655 on your internet facing interface. | |
| − | |||
| + | Some simple sample firewall rules for IPF: | ||
| + | https://wiki.hamburg.ccc.de/Tims_ipf_conf | ||
= Other Setup = | = Other Setup = | ||
| Line 259: | Line 263: | ||
You should be able to browse chaosvpn from your local network ! | You should be able to browse chaosvpn from your local network ! | ||
| − | + | If you have questions about setting up chaosvpn for netbsd, you can often find me on the chaosvpn irc channel. Thanks. | |
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
Latest revision as of 21:34, 24 May 2016
Note:
ChaosVPN is a VPN to connect Hackers and Hackerspaces - it does NOT provide anonymous internet access!
For this look at tor or other similar services.
It will also not help you to reach domains like .rdos, .lll, .clos or any other strange things supposed to be available on the "dark web".
Alternative: If you prefer BGP, you can also connect via https://dn42.net/, we are interconnected.
Contents
Basic setup after a vanilla install of NetBSD 5.2
If you want to set up a small network of computers on chaosvpn behind a NetBSD 5.2 router, this is the document for you. The purpose of this document is a step-by-step process to install and configure a VPN router that will serve as a router or firewall for a number of computers behind NAT with a single, external (to the chaosvpn) IP address. This document will assume that addresses on the LAN computers are all staticly assigned (ie no DHCP).
Note:
Your internal and external IP addresses will (hopefully) not be the same as the author's. Please substitute the correct ip addresses for your internal and external interfaces. Also your internet DNS server will also likely be different.
Still a work in progress.
To do:
Stuff on Carp redundancy? pf?
Setup pkgsrc and networking
Set up pkgsrc repository
Edit the file /root/.profile
Change the path for the pkgsrc repo to:
ftp://ftp.netbsd.org/pub/pkgsrc/packages/NetBSD/i386/5.0/All/
The file will be read-only, use :wq!
Set up network interfaces
Edit the file /etc/ifconfig.fxp0
This will the the external (wan) interface.
Insert the contents:
192.168.0.201 netmask 255.255.255.0
Edit the file /etc/ifconfig.fxp1
This will be the internal network (lan) interface.
Insert the contents:
10.100.44.2 netmask 255.255.255.0
Ensure IP forwarding is set up
Edit the file /etc/sysctl.conf
Insert the contents:
net.inet.ip.forwarding=1
Specify your DNS server
Edit the file /etc/resolv.conf
Insert the contents:
nameserver 64.59.184.13
Specify basic settings in rc.d to set up networking
Edit the file /etc/rc.conf
Append the following to the end of the file:
hostname=yourhost.yourdomain.net defaultroute=some.ip.address.here sshd=yes
Create a new user to do tasks that don't require root
# useradd -m -G wheel chaosvpn_user # passwd chaosvpn_user
Continue with the installation of ChaosVPN
Continue with the steps at:
https://wiki.hamburg.ccc.de/ChaosVPN:NetBSDHowto
IPfilter setup
IPfilter is installed by default on Netbsd 5.2.
No special packages are required.
Configure ipfilter startup settings
remove this next bit later if testing shows that statically linking in kernel actually works
Set ipfilter to run by default
Edit the file /etc/rc.conf
Append the following to the end of the file:
ipfilter_enable="YES" ipfilter_rules="/etc/ipf.rules"
ipmon_enable="YES" ipmon_flags="-Ds"
gateway_enable="YES"
ipnat_enable="YES" ipnat_flags="CF"
Set up ipfilter to log
For now, we want ipfilter to log
# touch /var/log/ipfilter.log
Edit the file /etc/syslog.conf
Append the following to the file:
local0.* /var/log/ipfilter.log
Set up IPNat rules
Edit the file /etc/ipnat.rules
If you wish to use NAT, insert the following:
map fxp1 10.100.0.0/16 -> 0.0.0.0/32 portmap tcp/udp 10000:20000 map fxp1 10.100.0.0/16 -> 0.0.0.0/32
IPF firewall rules
At the very least you will need to allow output connections on port 80, and inbound and outbound connections on port 655 on your internet facing interface.
Some simple sample firewall rules for IPF:
https://wiki.hamburg.ccc.de/Tims_ipf_conf
Other Setup
At this point in the game, you should have a functional router for your NAT chaosvpn network. The "fxp0" interface should be connected to the Internet, and the "fxp1" interface should be connected to your hub or switch for the internal network (ie, the stuff behind the NAT).
Set up the network machines with the gateway address 10.100.44.1.
You should be able to browse chaosvpn from your local network !
If you have questions about setting up chaosvpn for netbsd, you can often find me on the chaosvpn irc channel. Thanks.
