This wiki is an archive up to 2023. The current wiki can be found at https://wiki.hamburg.ccc.de/
ChaosVPN:Netbsd NAT VPN router using chaosvpn and ipnat
Basic setup after a vanilla install of NetBSD 5.2
If you want to set up a small network of computers on chaosvpn behind a NetBSD 5.2 router, this is the document for you. The purpose of this document is a step-by-step process to install and configure a VPN router that will serve as a router or firewall for a number of computers behind NAT with a single, external (to the chaosvpn) IP address. This document will assume that addresses on the LAN computers are all statically assigned (i.e. no DHCP).
Still a work in progress.
To do:
Stuff on Carp redundancy? pf?
Setup pkgsrc and networking
Set up pkgsrc repository
Edit the file /root/.profile
Change the path for the pkgsrc repo to:
ftp://ftp.netbsd.org/pub/pkgsrc/packages/NetBSD/i386/5.0/All/
The file will be read-only, use :wq!
Set up network interfaces
Edit the file /etc/ifconfig.fxp0
This will be the external (WAN) interface.
Insert the contents:
192.168.0.201 netmask 255.255.255.0
Edit the file /etc/ifconfig.fxp1
This will be the internal network (LAN) interface.
Insert the contents:
10.100.44.1 netmask 255.255.255.0
Ensure IP forwarding is set up
Edit the file /etc/sysctl.conf
Insert the contents:
net.inet.ip.forwarding=1
Specify your DNS server
Edit the file /etc/resolv.conf
Insert the contents:
nameserver 64.59.184.13
Specify basic settings in rc.d to set up networking
Edit the file /etc/rc.conf
Append the following to the end of the file:
hostname=chaosvpn.440bx.net
defaultroute=192.168.0.1
sshd=yes
Create a new user to do tasks that don't require root
# useradd -m -G wheel chaosvpn_user
# passwd chaosvpn_user
Continue with the installation of ChaosVPN
Continue with the steps at:
https://wiki.hamburg.ccc.de/ChaosVPN:NetBSDHowto
Recompile the kernel to add IPfilter and CARP support
Now that ChaosVPN is up and running, there are a few more things that have to be done to get this machine set up to do NAT routing.
Preparing to recompile the kernel
Make Directories
# mkdir /usr/src
# chown chaosvpn_user /usr/src
Get the actual source
This does not have to be done as a root user. You can do this as the chaosvpn_user user that was created earlier.
$ ftp -i ftp://ftp.NetBSD.org/pub/NetBSD/NetBSD-5.2/source/sets/
ftp> mget *.tgz
Extract the files
$ for i in *.tgz; do tar -xzf "$i"; done
After you realize you've extracted to the wrong directory
$ mv /usr/src/usr/src/* /usr/src
Copy config stuff
It's best to not work in the vanilla configuration files. We will make a copy of the GENERIC configuration file.
$ cd /usr/src/sys/arch/i386/conf
$ cp GENERIC i686_CVPN_x300
Edit the configuration files
Edit the file /usr/src/sys/arch/i386/conf/i686_CVPN_x300
Uncomment the following settings:
PERFCTRS        # since this is going to be a non-SMP kernel (may or may not ever use this)
GATEWAY
IPSEC
IPSEC_ESP
IPSEC_NAT_T
pseudo-device carp
Optional Settings
I made the following changes to my CPUFLAGS variable in the configuration. Use whatever is applicable for your processor and architecture.
Refer to: http://gcc.gnu.org/onlinedocs/gcc/i386-and-x86_002d64-Options.html
CPUFLAGS="-march=pentium3m -mtune=pentium3m"
Building and Installing the kernel
Building the new kernel
$ config ./i686_CVPN_x300
$ cd ../compile/i686_CVPN_x300
$ make clean && make depend && make
Installing the new kernel
Before overwriting the existing kernel, make a copy, just in case.
$ su
# cp /netbsd /netbsd.orig
# cp netbsd /
Reboot using the new kernel.
IPfilter setup
IPfilter is installed by default on NetBSD 5.2.
No special packages are required.
Configure ipfilter startup settings
remove this next bit later if testing shows that statically linking in kernel actually works
Set ipfilter to run by default
Edit the file /etc/rc.conf
Append the following to the end of the file. NetBSD's rc.d scripts use these variable names (the FreeBSD-style "*_enable" and "*_rules" variables have no effect on NetBSD); they load their rules from /etc/ipf.conf and /etc/ipnat.conf, and IP forwarding was already enabled through /etc/sysctl.conf above. The ipfilter script will not start unless /etc/ipf.conf exists, so create it before rebooting (an empty file is enough if you only need NAT).
ipfilter=YES
ipmon=YES
ipmon_flags="-Ds"
ipnat=YES
Set up ipfilter to log
For now, we want ipfilter to log, so create the log file:
# touch /var/log/ipfilter.log
Edit the file /etc/syslog.conf
Append the following to the file:
local0.* /var/log/ipfilter.log
Set up IPNat rules
Edit the file /etc/ipnat.conf (the file NetBSD's rc.d/ipnat script loads at boot)
Insert the following:
# ipnat map rules name the interface the packets leave through, so they go on
# the external (WAN) interface fxp0, not on the LAN interface fxp1.
# First rule: TCP/UDP, rewriting source ports into the given range.
map fxp0 10.100.0.0/16 -> 0.0.0.0/32 portmap tcp/udp 00000:65000
# Second rule: everything else (e.g. ICMP) from the same network.
map fxp0 10.100.0.0/16 -> 0.0.0.0/32
Other Setup
At this point in the game, you should have a functional router for your NAT chaosvpn network. The "fxp0" interface should be connected to the Internet, and the "fxp1" interface should be connected to your hub or switch for the internal network. You should be able to browse chaosvpn from behind a NAT now!
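As an added example (not code from the original wiki page), here is a small sanity-check script for the finished router: it confirms that forwarding is on, that ipfilter is running in the kernel and that a NAT map rule for the LAN network is loaded on the WAN interface. It assumes the interface names and network used on this page, and that `ipnat -l` prints loaded rules as lines starting with "map <interface> <source>".

```shell
#!/bin/sh
# Post-install sanity check for the NAT router set up above (added example,
# not part of the original page). Each check takes the command's output as
# an argument, so the logic can be tried on sample text; the real
# sysctl/ipf/ipnat commands are only run when executed on NetBSD itself.
WAN_IF="fxp0"            # external interface from the setup above
LAN_NET="10.100.0.0/16"  # source network named in the ipnat map rules

# forwarding is on: argument is the output of `sysctl -n net.inet.ip.forwarding`
check_forwarding() {
    [ "$1" = "1" ]
}
# ipfilter is active in the kernel: argument is the output of `ipf -V`
check_ipf_running() {
    printf '%s\n' "$1" | grep -q '^Running: yes'
}
# a map rule for LAN_NET on the WAN interface is loaded: argument is the
# output of `ipnat -l` (assumed to print rules as "map <if> <src> -> ...")
check_nat_rules() {
    printf '%s\n' "$1" | grep -q "^map $WAN_IF $LAN_NET "
}
# the common mistake: a map rule naming the LAN interface, which translates
# nothing because map rules apply to packets leaving through that interface
nat_on_lan_iface() {
    printf '%s\n' "$1" | grep -q '^map fxp1 '
}

run_checks() {
    rc=0
    check_forwarding "$(sysctl -n net.inet.ip.forwarding)" \
        || { echo "FAIL: net.inet.ip.forwarding is not 1"; rc=1; }
    ipf_out=$(ipf -V 2>/dev/null)
    check_ipf_running "$ipf_out" \
        || { echo "FAIL: ipfilter is not running (ipf -V)"; rc=1; }
    nat_out=$(ipnat -l 2>/dev/null)
    check_nat_rules "$nat_out" \
        || { echo "FAIL: no map rule for $LAN_NET on $WAN_IF"; rc=1; }
    if nat_on_lan_iface "$nat_out"; then
        echo "WARN: map rule on the LAN interface fxp1; NAT belongs on $WAN_IF"
    fi
    [ "$rc" -eq 0 ] && echo "OK: forwarding, ipfilter and NAT rules look right"
    return "$rc"
}

# run the live checks only on NetBSD; elsewhere the functions are just defined
if [ "$(uname -s)" = "NetBSD" ]; then
    run_checks
fi
```

Run it as root after the reboot into the new kernel; any FAIL line points at the section above that still needs attention.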
Optional: Install some convenience packages
# pkg_add lynx
# pkg_add nano
# pkg_add screen