Dieses Wiki ist ein Archiv bis 2023. Das aktuelle Wiki findet sich unter https://wiki.hamburg.ccc.de/

ChaosVPN:Netbsd NAT VPN router using chaosvpn and ipnat

From CCCHHWiki
Revision as of 23:06, 1 August 2013 by Othtim (talk | contribs)
Jump to: navigation, search

Basic setup after a vanilla install of NetBSD 5.2

If you want to set up a small network of computers on chaosvpn behind a NetBSD 5.2 router, this is the document for you. The purpose of this document is a step-by-step process to install and configure a VPN router that will serve as a router or firewall for a number of computers behind NAT with a single, external (to the chaosvpn) IP address. This document will assume that addresses on the LAN computers are all staticly assigned (ie no DHCP).

Still a work in progress.

To do:

Stuff on Carp redundancy? pf?


Setup pkgsrc and networking

Set up pkgsrc repository

Edit the file /root/.profile

Change the path for the pkgsrc repo to:
ftp://ftp.netbsd.org/pub/pkgsrc/packages/NetBSD/i386/5.0/All/

The file will be read-only, use :wq!


Set up network interfaces

Edit the file /etc/ifconfig.fxp0

This will the the external (wan) interface.

Insert the contents:

192.168.0.201 netmask 255.255.255.0 


Edit the file /etc/ifconfig.fxp1

This will be the internal network (lan) interface.

Insert the contents:

10.100.44.1 netmask 255.255.255.0

Ensure IP forwarding is set up

Edit the file /etc/sysctl.conf

Insert the contents:

net.inet.ip.forwarding=1


Specify your DNS server

Edit the file /etc/resolv.conf

Insert the contents:

nameserver 64.59.184.13


Specify basic settings in rc.d to set up networking

Edit the file /etc/rc.conf

Append the following to the end of the file:

hostname=chaosvpn.440bx.net
defaultroute=192.168.0.1
sshd=yes


Create a new user to do tasks that don't require root

# useradd -m -G wheel chaosvpn_user
# passwd chaosvpn_user



Continue with the installation of ChaosVPN

Continue with the steps at:

https://wiki.hamburg.ccc.de/ChaosVPN:NetBSDHowto




Recompile the kernel to add IPfilter and CARP support

Now that ChaosVPN is up and running, there are a few more things that have to be done to get this machine set up to do NAT routing.


Preparing to recompile the kernel

Make Directories

# mkdir /usr/src
# chown chaosvpn_user /usr/src


Get the actual source

This does not have to be done as a root user. You can do this as the chaosvpn_user user that was created earlier.

$ ftp -i ftp://ftp.NetBSD.org/pub/NetBSD/NetBSD-5.2/source/sets/
  mget *.tgz

Extract the files

$ for i in *.tgz
  do
  tar -xzf $i 
  done


After you realize youve extracted to the wrong directory

$ mv /usr/src/usr/src/* /usr/src


Copy config stuff

It's best to not work in the vanilla configuration files. We will make a copy of the GENERIC configuration file.

$ cd /usr/src/sys/arch/i386
$ cp GENERIC i686_CVPN_x300


Edit the configuration files

Edit the file /usr/src/sys/arch/i386/i686_CVPN_x300

Uncomment the following settings:

  PERFCTRS #since this is going to be non-smp kernel (may or may not ever use this)
  GATEWAY
  IPSEC
  IPSEC_ESP
  IPSEC_NAT_T
  pseudo-device carp


Optional Settings

I made the following changes to my CPUFLAGS variable in the configuration. Use whatever is applicable for your processor and architecture.

Refer to: http://gcc.gnu.org/onlinedocs/gcc/i386-and-x86_002d64-Options.html

  CPUFLAGS="-march=pentium3m -mtune=pentium3m"


Building and Installing the kernel

Building the new kernel

$ config ./i686_CVPN_x300
$ cd ../compile/i686_CVPN_x300
$ make clean && make depend && make


Installing the new kernel

Before overwriting the existing kernel, make a copy - just in case.

$ su 
# cp /netbsd /netbsd.orig
# cp netbsd /


Reboot using the new kernel.


IPfilter setup

IPfilter is installed by default on Netbsd 5.2.
No special packages are required.


Configure ipfilter startup settings

remove this next bit later if testing shows that statically linking in kernel actually works

Set ipfilter to run by default

Edit the file /etc/rc.conf

Append the following to the end of the file:

ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.rules" 
ipmon_enable="YES" 
ipmon_flags="-Ds"
gateway_enable="YES" 
ipnat_enable="YES" 
ipnat_rules="/etc/ipnat.rules" . create the log file.


Set up ipfilter to log

For now, we want ipfilter to log

# touch /var/log/ipfilter.log

Edit the file /etc/syslog.conf

Append the following to the file:

local0.* /var/log/ipfilter.log


Set up IPNat rules

Edit the file /etc/ipnat.rules

Insert the following:


map fxp1 10.100.0.0/16 -> 0.0.0.0/32 portmap tcp/udp 00000:65000
map fxp1 10.100.0.0/16 -> 0.0.0.0/32






Other Setup

At this point in the game, you should have a functional router for your NAT chaosvpn network. The "fxp0" interface should be connected to the Internet, and the "fxp1" internface should be connected to your hub or switch for the internal network. You should be able to browse chaosvpn from behind a NAT now!


Optional: Install some convenience packages

# pkg_add lynx
# pkg_add nano
# pkg_add screen