Difference between pages "Projects/RFIDpop" and "Netbsd vpn gateway basic setup"

From ENTS

== RFID Enabled Pop Machine AKA Project "Pop-pi" ==

== History ==

After the kind donation of a '70s-ish Coca-Cola vending machine, we started tearing into it to get it working. While there were a few issues at the start, it's in good mechanical order and tests showed its power consumption was >50% less than the existing smaller pop machine in the space.

One major problem was that the coin mechanism would not accept newer loonies and toonies. A replacement mechanism would be $200 or more. A bit pricey for a starving hackerspace, so we are doing what all good hackers do: overengineer a solution with parts at hand. In this case, utilize the door RFID tags the members have anyway and use them to debit from a pre-paid pop account.

== Help Wanted ==

Want to help out? Interested in learning something new and expanding your skill set? Have a cool idea you want to include in the project?

Join the Pop-Pi project!

Do you know PHP, or would you like to learn PHP?

We are looking for people with an interest in helping out with the following phases of the project. We will offer assistance and training for any piece involved.

*Display Design - ART - Replace the Coke sign with a plexiglass version; it needs to be able to show a screen.
*Screen Saver - Screen saver that would display fake ads
*Screen Mount - Mount a monitor to the outer door
*Outer Shell Design - self explanatory
*PHP Web Interface - only needs to interface with PayPal and save transaction records in the database

== Mechanics ==

The machine is a Vendo V384. [http://soda-machines.com/index.php?option=com_content&task=view&id=554&Itemid=14 Soda-Machines.com]

Orcinus did much of the work to figure out the mechanics of the machine and how to bypass the coin mech to allow us to dispense product. It's actually very easy. On the connector to the coin mech, short pins 1-7 together (all the time), then momentarily contact pins 1-3 and then make your selection.

The original Coke sign is a plexiglass insert, easily replaced. Behind it <strike>is</strike> was a fluorescent ballast with a 120V supply line running to it; now that line is powering the Pi and all the rest.

As of 9/26/13:

* The mechanical components have been de-greased and lubricated.
* Column #2 was fully rebuilt after it was found jammed.
* All column dispensing mechanisms are working in an empty state.
* 3 columns were stocked with 12+ cans each and dispensed properly.
* Proper loading configuration was figured out and will be documented.
* Plastic exit chute was found to be stuck shut from a long-ago exploded can. Removed and thoroughly washed.
* Monitor has been mounted, though the mounting scheme may change in the future.
* Pi and other components installed and a first run of RFID-enabled dispensing is available.

To-Do:
* Clean all surfaces, particularly the compressor compartment.
* Clean and measure outside surfaces for painting/decals.
* Paint trim areas and fix chipping.

'''Photos:'''

Photo of the internal electromechanical schematic:
[[Media:RFIDpop_mech_schematic.jpg]]

Photo of the prototype system in its first live test on the machine (it worked!):
[[Media:Pop-Pi_first_test.jpg]]

Photo of the replacement plexiglass sign in its test fit (note the blue protective plastic is still in place):
[[Media:Pop-Pi_Plex_Test_fit.jpg]]

Photo of Orcinus playing around:
[[Media:Pop-Pi_Orc_face.jpg]]

== Goal ==

With the participation and collaboration of the ENTS membership, bring the donated pop machine back into service.

To provide a project for multiple members to collaborate on together to create a near-zero-administration pop machine/pop account tracking system.

To create a low-hassle method of buying caffeine.

To promote more collaborative team-building projects within the membership that cross disciplines and foster education and participation.

== Feature Roadmap ==

Planned and implemented features. If you would like to participate in or learn about any of the features, contact the people who are associated with the feature or talk to one of us.

<table border="1" width="100%">
<tr><th>Feature</th><th>Description</th><th>Version</th><th>Complete</th><th>Contact</th></tr>
<tr><td>Read RFID</td><td>Ability to read members' RFID tags</td><td>1</td><td>Yes</td><td>Render, Colin</td></tr>
<tr><td>Credit Vending Machine</td><td>Ability to credit the vending machine to allow the dispensing of caffeine</td><td>1</td><td>Yes</td><td></td></tr>
<tr><td>Track Member Account</td><td>Ability to track a member's pop account balance</td><td>1</td><td>Yes</td><td>Colin</td></tr>
<tr><td>Deduct From Member Account</td><td>Ability to deduct a credit from a member's account balance</td><td>1</td><td>Yes</td><td>Colin</td></tr>
<tr><td>Email Balance to Member</td><td>Ability to email a balance to a member's account from pop.pi@ents.ca</td><td>2</td><td>No</td><td>Render, Colin</td></tr>
<tr><td>Member Account Top Up</td><td>Ability to top up a member's account.</td><td>2</td><td>No</td><td>Colin</td></tr>
<tr><td>PayPal Top Up</td><td>Ability to top up a member's account from a PayPal payment</td><td>TBD</td><td>No</td><td></td></tr>
<tr><td>Video Display Balance</td><td>Video display of member balance information</td><td>3</td><td>No</td><td></td></tr>
<tr><td>Video Advertising</td><td>Make use of the video monitor for displaying ads</td><td>4</td><td>No</td><td></td></tr>
<tr><td>Mounting Brackets</td><td>3D printed mounting brackets modeled to hold the Pi and relay</td><td>2</td><td>No</td><td></td></tr>
<tr><td>RFID Mounting</td><td>3D printed mounting bracket modeled to hold the RFID reader where the change was inserted.</td><td>3</td><td>No</td><td></td></tr>
<tr><td>Bitcoin Payments</td><td>Have the ability to take Bitcoin payments.</td><td>TBD</td><td>No</td><td></td></tr>
<tr><td>Speaker Feedback</td><td>Make use of the audio jack on the Pi to output auditory feedback on payment.<br />Sounds to be determined (lottery machine noises, Portal sounds).</td><td>TBD</td><td>No</td><td></td></tr>
<tr><td>Motion Detector</td><td>Make use of a motion detector as a type of occupancy sensor for the display screen, as well as feedback on when to enable/disable the RFID reader.</td><td>TBD</td><td>No</td><td></td></tr>
</table>

API to interface to PayPal.

3D printed mount for the RFID reader.

Pop level management.

Include a web cam to be hosted on live hackerspaces. "Live from the pop machine!"

== PI Pinout Assignments ==

In progress.

<table>
<tr><th>Assignment</th><th>Pin</th><th>Pin</th><th>Assignment</th></tr>
<tr><td>3v3 to LV on logic converter</td><td>1</td><td>2</td><td>5V to HV on logic converter</td></tr>
<tr><td></td><td>3</td><td>4</td><td>5V to + on relay</td></tr>
<tr><td></td><td>5</td><td>6</td><td></td></tr>
<tr><td></td><td>7</td><td>8</td><td>GND to logic converter</td></tr>
<tr><td></td><td>9</td><td>10</td><td>To A1 on level shifter, pass through to TX on RFID reader</td></tr>
<tr><td></td><td>11</td><td>12</td><td>To A2 on level shifter, pass through to Enable on RFID reader</td></tr>
<tr><td></td><td>13</td><td>14</td><td>To S on relay</td></tr>
<tr><td></td><td>15</td><td>16</td><td></td></tr>
<tr><td></td><td>17</td><td>18</td><td></td></tr>
<tr><td></td><td>19</td><td>20</td><td></td></tr>
<tr><td></td><td>21</td><td>22</td><td></td></tr>
<tr><td></td><td>23</td><td>24</td><td></td></tr>
<tr><td></td><td>25</td><td>26</td><td></td></tr>
</table>

== Database ==

Table: MemberAccount

<table>
<tr><th>Column</th><th>DataType</th><th>Description</th></tr>
<tr><td>Id</td><td>int</td><td>auto-increment id for the account table</td></tr>
<tr><td>RFID</td><td>varchar</td><td>decimal value of the member's RFID</td></tr>
<tr><td>Account</td><td>int</td><td>account balance</td></tr>
<tr><td>Email</td><td>varchar</td><td>used to email users when their account is low</td></tr>
</table>

== Fritzing Schematic ==

Fritzing can be found at http://fritzing.org/download/

* [[File:popPi.zip]] popPi Fritzing schematic

https://github.com/adafruit/Fritzing-Library

== V1 ==

Version 1 is to basically set up the necessary hardware to replace the coin mech and to use the RFID tags to debit from an account, with little or no modification to the existing electromechanical dispensing system. Various options were considered, but parts on hand and flexibility came together in the following:

*Raspberry Pi running Raspbian 2013-09-25 (Render)
*Parallax Serial RFID Reader (Render)
*TTL level shifter for the 5V RFID reader to talk to the 3.3V Pi serial GPIO pins (Colin)
*Solid state relay board (on order)
*HDMI to DVI adapter (Render)
*Random LCD monitor from around the space
*Powered USB hub (Render)

Current goals: Users provide cash or PayPal to a director, who adds to the account for their tag via the web interface or 'credit' tags on the Pi.

On scan, the Pi checks the database for the balance. If the balance is sufficient, deduct $1 and dispense product. If the balance is insufficient, display an unhappy message. Once product is dispensed, display the username and remaining balance for 15 seconds. When idle, the screen will go to a slide show of comical and fictitious beverages (Duff, Slurm, Nuka-Cola, etc.).

Current status: In prototype. Replacement plexiglass for the front obtained, monitor stripped to the bare minimum and test fit. 3D printed mount made for all computer hardware; the first test on the actual pop machine with the prototype Pi setup was a success! Now running with test code for dispensing.

<strike>RFID via GPIO working. GPIO relay control working. Rough software proof of concept working.</strike>

To-Do:
*<strike>Clean machine mechanics. Lube everything inside. Test all mechanics</strike> Done, see Mechanics section
*PayPal integration (Noel?)
*Web front end for manual account balance adjustment (Noel?)
*Custom graphics for sides, front (Karley, others)
*Custom made circuit boards for sturdy integration
*<strike>3D print mounting brackets once layout confirmed</strike> Printed and installed

== V2 ==

Feature requests/ideas:

*Product remaining display
*Tie in with mastercontrol
*Ability to PayPal monies directly to the Pi to increase balance (or user-added code via web interface)
*Random dispense mode (slot machine)
*Ability to dispense products at different prices (water $.25, beer $5)
*Consumption graphs

== Useful Links ==

[http://www.susa.net/wordpress/2012/06/raspberry-pi-relay-using-gpio/ http://www.susa.net/wordpress/2012/06/raspberry-pi-relay-using-gpio/]

[http://soda-machines.com/index.php?option=com_content&task=view&id=554&Itemid=14 http://soda-machines.com/index.php?option=com_content&task=view&id=554&Itemid=14]

[http://stackoverflow.com/questions/372885/how-do-i-connect-to-a-mysql-database-in-python http://stackoverflow.com/questions/372885/how-do-i-connect-to-a-mysql-database-in-python]

[http://www.sundh.com/blog/2013/09/connect-parallax-rfid-to-raspberry-pi/ http://www.sundh.com/blog/2013/09/connect-parallax-rfid-to-raspberry-pi/]

[http://zetcode.com/db/mysqlpython/ http://zetcode.com/db/mysqlpython/]

[http://openmicros.org/index.php/articles/94-ciseco-product-documentation/raspberry-pi/217-getting-started-with-raspberry-pi-gpio-and-python http://openmicros.org/index.php/articles/94-ciseco-product-documentation/raspberry-pi/217-getting-started-with-raspberry-pi-gpio-and-python]

[https://developer.paypal.com/ https://developer.paypal.com/]

[http://www.learn2crack.com/2013/10/setup-apache-web-server-php-mysql-raspberry-pi.html http://www.learn2crack.com/2013/10/setup-apache-web-server-php-mysql-raspberry-pi.html]

[http://www.adafruit.com/blog/2013/09/05/pool-table-accepts-bitcoin-with-help-from-raspberry-pi/ http://www.adafruit.com/blog/2013/09/05/pool-table-accepts-bitcoin-with-help-from-raspberry-pi/]

[http://www.vendoco.com/Documents/Super%20Stack%20Service_WHOLE.pdf http://www.vendoco.com/Documents/Super%20Stack%20Service_WHOLE.pdf]

[http://www.vendoco.com/Documents.aspx?ID=14 http://www.vendoco.com/Documents.aspx?ID=14]

[http://www.vendoco.com/Documents/Superstack%20Parts%20Manual.pdf http://www.vendoco.com/Documents/Superstack%20Parts%20Manual.pdf]

[http://soda-machines.com/discussions/index.php?PHPSESSID=iqh2425abe8gmpkv38e6j6i717&topic=13985.10 http://soda-machines.com/discussions/index.php?PHPSESSID=iqh2425abe8gmpkv38e6j6i717&topic=13985.10]

== Notes ==

Power is no problem. The existing light ballast for the original backlight is a 120V line that is perfectly placed to power everything.

There is lots of room to mount everything behind plexiglass on the outer door or against the inner door. Approximately 4" of depth is available.

<strike>Need to also write up how to properly load product or else bad things happen</strike> The mechanics need to be advanced via a couple of dispense attempts while empty until the 'bar' is in its high spot. Cans are loaded starting on top of this bar, not in the dispensing 'hopper' area below. After loading 8-10 cans, advancing two more dispense cycles will load the 'hopper' and it will be ready to go. The machine will trigger 'empty' while there are still 6-8 cans in it. This prevents having to go through this process again and leaves things 'primed' so one just has to stack more on top. Do not empty the column completely unless absolutely necessary.

A video of the loading procedure will be made and uploaded to ensure it is done properly.

A large number of vending machines use the same interface for the 'credit' function. This project can be easily adapted to other models of vending machines. Could be useful for other hackerspaces.

== Code Repository ==

Code is GPLv2 and available on GitHub at [https://github.com/renderlab/ENTS-Pop-Pi https://github.com/renderlab/ENTS-Pop-Pi]

Revision as of 20:26, 9 December 2013


Basic setup after a vanilla install of NetBSD 5.2

If you want to set up a small network of computers on chaosvpn behind a NetBSD 5.2 router, this is the document for you. The purpose of this document is a step-by-step process to install and configure a VPN router that will serve as a router or firewall for a number of computers behind NAT. This document will assume that addresses are all statically assigned.

Still a work in progress.

To do:

Stuff on Carp redundancy? pf?


Setup pkgsrc and networking

Set up pkgsrc repository

Edit the file /root/.profile

Change the path for the pkgsrc repo to:
ftp://ftp.netbsd.org/pub/pkgsrc/packages/NetBSD/i386/5.0/All/

The file will be read-only, use :wq!


Set up network interfaces

Edit the file /etc/ifconfig.fxp0

This will be the external (WAN) interface.

Insert the contents:

192.168.0.201 netmask 255.255.255.0 


Edit the file /etc/ifconfig.fxp1

This will be the internal network (LAN) interface.

Insert the contents:

10.100.44.1 netmask 255.255.255.0

Ensure IP forwarding is set up

Edit the file /etc/sysctl.conf

Insert the contents:

net.inet.ip.forwarding=1


Specify your DNS server

Edit the file /etc/resolv.conf

Insert the contents:

nameserver 64.59.184.13


Specify basic settings in rc.d to set up networking

Edit the file /etc/rc.conf

Append the following to the end of the file:

hostname=chaosvpn.440bx.net
defaultroute=192.168.0.1
sshd=yes


Create a new user to do tasks that don't require root

# useradd -m -G wheel chaosvpn_user
# passwd chaosvpn_user

Continue with the installation of ChaosVPN

Continue with the steps at:

https://wiki.hamburg.ccc.de/ChaosVPN:NetBSDHowto

Recompile the kernel to add IPfilter and CARP support

Now that ChaosVPN is up and running, there are a few more things that have to be done to get this machine set up to do NAT routing.


Preparing to recompile the kernel

Make Directories

# mkdir /usr/src
# chown chaosvpn_user /usr/src


Get the actual source

This does not have to be done as a root user. You can do this as the chaosvpn_user user that was created earlier.

$ ftp -i ftp://ftp.NetBSD.org/pub/NetBSD/NetBSD-5.2/source/sets/
  mget *.tgz

Extract the files

$ for i in *.tgz
  do
  tar -xzf $i 
  done


After you realize you've extracted to the wrong directory

$ mv /usr/src/usr/src/* /usr/src


Copy config stuff

It's best to not work in the vanilla configuration files. We will make a copy of the GENERIC configuration file.

$ cd /usr/src/sys/arch/i386/conf
$ cp GENERIC i686_CVPN_x300


Edit the configuration files

Edit the file /usr/src/sys/arch/i386/conf/i686_CVPN_x300

Uncomment the following settings:

  PERFCTRS #since this is going to be non-smp kernel (may or may not ever use this)
  GATEWAY
  IPSEC
  IPSEC_ESP
  IPSEC_NAT_T
  pseudo-device carp
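An added helper, not from the original page, that uncomments those options in the copied config file and reports any it cannot find, so a misspelled option shows up before config(1) is run; the GENERIC excerpt it is run on here is constructed, and the option list is the page's.

```shell
#!/bin/sh
# Added example (not from the wiki page): enable the kernel options listed above
# in a copied GENERIC config and print the ones the file does not mention at all.
# Assumes NetBSD-style lines: "#options<ws>NAME<ws># comment" and
# "#pseudo-device<ws>NAME<ws># comment".

# enable_kernel_option FILE KIND NAME   (KIND is "options" or "pseudo-device")
# Returns 0 if the line exists (already enabled, or uncommented here), 1 if not.
enable_kernel_option() {
	conf="$1"; kind="$2"; name="$3"
	# NAME must be followed by whitespace or end of line, so IPSEC does not match IPSEC_ESP
	pat="${kind}[[:space:]]+${name}([[:space:]]|\$)"
	grep -Eq "^${pat}" "$conf" && return 0
	grep -Eq "^#${pat}" "$conf" || return 1
	# strip the leading '#' without relying on a non-portable sed -i
	sed -E "s/^#(${pat})/\\1/" "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# enable_page_options FILE: apply the page's list; prints the names not found.
enable_page_options() {
	conf="$1"; missing=""
	for opt in PERFCTRS GATEWAY IPSEC IPSEC_ESP IPSEC_NAT_T; do
		enable_kernel_option "$conf" options "$opt" || missing="$missing $opt"
	done
	enable_kernel_option "$conf" pseudo-device carp || missing="$missing carp"
	printf '%s\n' "${missing# }"
}

# Constructed stand-in for a copied GENERIC (the real file is
# /usr/src/sys/arch/i386/conf/GENERIC); PERFCTRS is deliberately absent.
make_sample_conf() {
	f="$(mktemp)"
	printf '%s\n' \
		'options         INET            # IP + ICMP + TCP + UDP' \
		'#options        GATEWAY         # packet forwarding' \
		'#options        IPSEC           # IP security' \
		'#options        IPSEC_ESP       # IP security (encryption part)' \
		'#options        IPSEC_NAT_T     # IPsec NAT traversal' \
		'#pseudo-device  carp            # Common Address Redundancy Protocol' \
		'pseudo-device   loop            # network loopback' > "$f"
	echo "$f"
}

# Usage on the page's file, after copying GENERIC:
#   enable_page_options /usr/src/sys/arch/i386/conf/i686_CVPN_x300
```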


Optional Settings

I made the following changes to my CPUFLAGS variable in the configuration. Use whatever is applicable for your processor and architecture.

Refer to: http://gcc.gnu.org/onlinedocs/gcc/i386-and-x86_002d64-Options.html

  CPUFLAGS="-march=pentium3m -mtune=pentium3m"


Building and Installing the kernel

Building the new kernel

$ config ./i686_CVPN_x300
$ cd ../compile/i686_CVPN_x300
$ make clean && make depend && make


Installing the new kernel

Before overwriting the existing kernel, make a copy - just in case.

$ su 
# cp /netbsd /netbsd.orig
# cp netbsd /


Reboot using the new kernel.


IPfilter setup

IPfilter is installed by default on NetBSD 5.2.
No special packages are required.


Configure ipfilter startup settings

remove this next bit later if testing shows that statically linking in kernel actually works

Set ipfilter to run by default

Edit the file /etc/rc.conf

Append the following to the end of the file:

ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.rules" 
ipmon_enable="YES" 
ipmon_flags="-Ds"
gateway_enable="YES" 
ipnat_enable="YES" 
ipnat_rules="/etc/ipnat.rules"


Set up ipfilter to log

For now, we want ipfilter to log. Create the log file:

# touch /var/log/ipfilter.log

Edit the file /etc/syslog.conf

Append the following to the file:

local0.* /var/log/ipfilter.log


Set up IPNat rules

Edit the file /etc/ipnat.rules

Insert the following:


map fxp0 10.100.0.0/16 -> 0.0.0.0/32 portmap tcp/udp 00000:65000
map fxp0 10.100.0.0/16 -> 0.0.0.0/32
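The page never shows the /etc/ipf.rules file its rc.conf points at, so here is an added example, not part of the original page, that writes a minimal stateful ruleset together with the NAT rules; it assumes fxp0 is the WAN side, fxp1 the LAN side, 10.100.0.0/16 the LAN and 10.100.44.0/24 the hosts allowed to ssh to the router, and it writes under a prefix directory (a temp dir by default) so nothing in /etc is overwritten.

```shell
#!/bin/sh
# Added example (not from the wiki page): generate ipf.rules and ipnat.rules for
# the NAT router described above. Interface names, subnets and the rule set are
# assumptions, not the page's. NetBSD's stock /etc/rc.d/ipfilter and
# /etc/rc.d/ipnat read /etc/ipf.conf and /etc/ipnat.conf and are switched on
# with ipfilter=YES and ipnat=YES; copy the files to those names if you use them.

WAN_IF="${WAN_IF:-fxp0}"                  # page: 192.168.0.201/24, Internet side
LAN_IF="${LAN_IF:-fxp1}"                  # page: 10.100.44.1/24, hub/switch side
LAN_NET="${LAN_NET:-10.100.0.0/16}"       # subnet the page NATs
ADMIN_NET="${ADMIN_NET:-10.100.44.0/24}"  # hosts that may ssh to the router

# NAT: a map rule names the interface packets LEAVE on, i.e. the WAN side.
# The first rule rewrites TCP/UDP source ports into a high range; the second
# catches protocols without ports (ICMP and friends).
gen_ipnat_rules() {
	printf 'map %s %s -> 0/32 portmap tcp/udp 10000:65000\n' "$WAN_IF" "$LAN_NET"
	printf 'map %s %s -> 0/32\n' "$WAN_IF" "$LAN_NET"
}

# Filter: deny unsolicited inbound traffic on the WAN side, keep state on
# everything going out, let the LAN reach the router (ssh) and the world.
gen_ipf_rules() {
	cat <<EOF
# loopback is always fine
pass in quick on lo0 all
pass out quick on lo0 all
# traffic claiming a LAN or loopback source must never arrive on the WAN side
block in quick on $WAN_IF from $LAN_NET to any
block in quick on $WAN_IF from 127.0.0.0/8 to any
# router and NATed LAN may go anywhere; replies come back via the state table
pass out quick on $WAN_IF proto tcp from any to any flags S keep state
pass out quick on $WAN_IF proto udp from any to any keep state
pass out quick on $WAN_IF proto icmp from any to any keep state
# LAN -> router management, LAN -> anywhere
pass in quick on $LAN_IF proto tcp from $ADMIN_NET to any port = 22 flags S keep state
pass in quick on $LAN_IF from $LAN_NET to any keep state
pass out quick on $LAN_IF all keep state
# anything else arriving on the WAN side is dropped and logged (ipmon -Ds)
block in log quick on $WAN_IF all
block in all
block out all
EOF
}

# write_rules [PREFIX]: write both files under PREFIX/etc; prints the prefix used.
write_rules() {
	prefix="${1:-$(mktemp -d)}"
	mkdir -p "$prefix/etc"
	gen_ipnat_rules > "$prefix/etc/ipnat.rules"
	gen_ipf_rules   > "$prefix/etc/ipf.rules"
	echo "$prefix"
}

# check_rules PREFIX: NAT must be on the WAN interface, never on the LAN one,
# and the filter must end in a logged default deny on the WAN side.
check_rules() {
	dir="$1"
	grep -q "^map $WAN_IF " "$dir/etc/ipnat.rules" || return 1
	grep -q "^block in log quick on $WAN_IF all" "$dir/etc/ipf.rules" || return 1
	! grep -q "^map $LAN_IF " "$dir/etc/ipnat.rules"
}
```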

Other Setup

At this point in the game, you should have a functional router for your NAT chaosvpn network. The "fxp0" interface should be connected to the Internet, and the "fxp1" interface should be connected to your hub or switch for the internal network. You should be able to browse chaosvpn from behind a NAT now!


Optional: Install some convenience packages

# pkg_add lynx
# pkg_add nano
# pkg_add screen


stuff

misc


carp

edit /etc/sysctl.conf

net.inet.carp.allow=1