Difference between revisions of "Netbsd vpn gateway basic setup"

From ENTS
Revision as of 13:47, 1 August 2013

Basic setup after a vanilla install of NetBSD 5.2

Setup pkgsrc and networking

Set up pkgsrc repository

Edit the file /root/.profile

Change the path for the pkgsrc repo to:
ftp://ftp.netbsd.org/pub/pkgsrc/packages/NetBSD/i386/5.0/All/

The file is read-only; save it in vi with :wq!


Set up network interfaces

Edit the file /etc/ifconfig.fxp0

This will be the external (WAN) interface.

Insert the contents:

192.168.0.201 netmask 255.255.255.0


Edit the file /etc/ifconfig.fxp1

This will be the internal network (LAN) interface.

Insert the contents:

10.100.44.1 netmask 255.255.255.0

Ensure IP forwarding is set up

Edit the file /etc/sysctl.conf

Insert the contents:

net.inet.ip.forwarding=1


Specify your DNS server

Edit the file /etc/resolv.conf

Insert the contents:

nameserver 64.59.184.13


Specify basic settings in rc.d to set up networking

Edit the file /etc/rc.conf

Append the following to the end of the file:

hostname=chaosvpn.440bx.net
defaultroute=192.168.0.1
sshd=yes


Create a new user to do tasks that don't require root

# useradd -m -G wheel chaosvpn_user
# passwd chaosvpn_user

Continue with the installation of ChaosVPN

Continue with the steps at:

https://wiki.hamburg.ccc.de/ChaosVPN:NetBSDHowto


Recompile the kernel to add IPfilter and CARP support

Now that ChaosVPN is up and running, there are a few more things that have to be done to get this machine set up to do NAT routing.


Preparing to recompile the kernel

Make Directories

# mkdir /usr/src
# chown chaosvpn_user /usr/src


Get the actual source

This does not have to be done as a root user. You can do this as the chaosvpn_user user that was created earlier.

$ ftp -i ftp://ftp.NetBSD.org/pub/NetBSD/NetBSD-5.2/source/sets/
  mget *.tgz

Extract the files

$ for i in *.tgz
  do
  tar -xzf $i
  done


After you realize you've extracted to the wrong directory

$ mv /usr/src/usr/src/* /usr/src


Copy config stuff

It's best to not work in the vanilla configuration files. We will make a copy of the GENERIC configuration file.

$ cd /usr/src/sys/arch/i386
$ cp GENERIC i686_CVPN_x300


Edit the configuration files

Edit the file /usr/src/sys/arch/i386/i686_CVPN_x300

Uncomment the following settings:

  PERFCTRS  # since this is going to be a non-SMP kernel (may or may not ever use this)
  GATEWAY
  IPSEC
  IPSEC_ESP
  IPSEC_NAT_T
  pseudo-device carp


Optional Settings

I made the following changes to my CPUFLAGS variable in the configuration. Use whatever is applicable for your processor and architecture.

Refer to: http://gcc.gnu.org/onlinedocs/gcc/i386-and-x86_002d64-Options.html

  CPUFLAGS="-march=pentium3m -mtune=pentium3m"
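Uncommenting the options by hand is easy to get wrong (a line left commented means the feature silently never makes it into the kernel). The following script is an added example, not from the ENTS wiki: it enables the options listed above in your copy of GENERIC and fails loudly when a named option has no line at all. It assumes GENERIC's line form, "#options<TAB>NAME ..." for a disabled option and "options<TAB>NAME ..." for an enabled one; the sample config in the test is a constructed approximation of GENERIC, not the real file.

```shell
#!/bin/sh
# enable_kopts.sh: added example, not from the ENTS wiki. Uncomments the
# kernel options the page lists in your copy of GENERIC and fails loudly if
# one is absent, rather than silently building a kernel without it.
# Usage: sh enable_kopts.sh <path to your copy of GENERIC>
# Assumption: the config uses GENERIC's line form, "#options <TAB>NAME ..."
# for a disabled option and "options <TAB>NAME ..." for an enabled one.

# Enable one "options NAME" or "pseudo-device NAME" line.
# Returns 0 if it is (now) enabled, 1 if no such line exists at all.
enable_kopt() {   # $1 = config file, $2 = options|pseudo-device, $3 = NAME
  file=$1 kw=$2 name=$3
  if grep -Eq "^${kw}[[:space:]]+${name}([[:space:]]|\$)" "$file"; then
    return 0                                     # already active
  fi
  if grep -Eq "^#${kw}[[:space:]]+${name}([[:space:]]|\$)" "$file"; then
    # strip the leading '#'; go through a temp file so any sed(1) will do
    sed -E "s/^#(${kw}[[:space:]]+${name}([[:space:]]|\$))/\1/" "$file" \
      > "$file.tmp" && mv "$file.tmp" "$file"
    return $?
  fi
  echo "enable_kopt: no '${kw} ${name}' line in ${file}" >&2
  return 1
}

# The settings the page says to uncomment; stops at the first one missing.
enable_gateway_kopts() {   # $1 = config file
  for o in PERFCTRS GATEWAY IPSEC IPSEC_ESP IPSEC_NAT_T; do
    enable_kopt "$1" options "$o" || return 1
  done
  enable_kopt "$1" pseudo-device carp
}

if [ "$#" -gt 0 ]; then
  enable_gateway_kopts "$1" && echo "all gateway options enabled in $1"
fi
```

Run it before `config`, then check the build output: an option that is absent from the config is reported on stderr and the script exits non-zero.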


Building and Installing the kernel

Building the new kernel

$ config ./i686_CVPN_x300
$ cd ../compile/i686_CVPN_x300
$ make clean && make depend && make


Installing the new kernel

Before overwriting the existing kernel, make a copy - just in case.

$ su
# cp /netbsd /netbsd.orig
# cp netbsd /


Reboot using the new kernel.


IPfilter setup

IPfilter is installed by default on NetBSD 5.2.
No special packages are required.


Configure ipfilter startup settings

remove this next bit later if testing shows that statically linking in kernel actually works

Set ipfilter to run by default

Edit the file /etc/rc.conf

Append the following to the end of the file:

ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.rules"
ipmon_enable="YES"
ipmon_flags="-Ds"
gateway_enable="YES"
ipnat_enable="YES"
ipnat_rules="/etc/ipnat.rules"


Set up ipfilter to log

For now, we want ipfilter to log. Create the log file:

# touch /var/log/ipfilter.log

Edit the file /etc/syslog.conf

Append the following to the file:

local0.* /var/log/ipfilter.log


Set up IPNat rules

Edit the file /etc/ipnat.rules

Insert the following:


map fxp1 10.100.0.0/16 -> 0.0.0.0/32 portmap tcp/udp 00000:65000
map fxp1 10.100.0.0/16 -> 0.0.0.0/32
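The rc.conf settings above point ipfilter at /etc/ipf.rules, but the page never shows that file, and a NAT gateway with no filter rules accepts anything the upstream side sends it. The script below is an added example, not from the ENTS wiki or the ChaosVPN project: it writes a default-deny ruleset for this gateway and, where the ipf binary exists, parses it without loading it. The interface roles (fxp0 WAN, fxp1 LAN) come from the page; the /24 LAN behind fxp1 and tinc's default port 655 for ChaosVPN are assumptions the page does not state. The `log` keyword on the block rules is what feeds `ipmon -Ds` and the local0 syslog entry configured above.

```shell
#!/bin/sh
# gen_ipf_rules.sh: added example, not from the ENTS wiki or ChaosVPN.
# Writes a default-deny IPFilter ruleset for the gateway above to the path
# given as $1 and, when the ipf binary is present, parses it without loading
# it (ipf -n). Interface roles come from the page (fxp0 WAN, fxp1 LAN);
# the tinc port 655 for ChaosVPN is an assumption (tinc's default), as is
# the /24 LAN derived from the fxp1 address.
WAN=${WAN:-fxp0}
LAN=${LAN:-fxp1}
LAN_NET=${LAN_NET:-10.100.44.0/24}
LAN_IP=${LAN_IP:-10.100.44.1}
VPN_PORT=${VPN_PORT:-655}

write_ipf_rules() {   # $1 = output file, e.g. the page's /etc/ipf.rules
  cat > "$1" <<EOF
# loopback is always fine
pass in quick on lo0 all
pass out quick on lo0 all
# WAN: our own 10/8 space never arrives unencapsulated here; log everything else blocked
block in log quick on $WAN from 10.0.0.0/8 to any
block in log on $WAN all
# WAN: only the VPN daemon may be reached from outside
pass in quick on $WAN proto tcp from any to any port = $VPN_PORT flags S keep state
pass in quick on $WAN proto udp from any to any port = $VPN_PORT keep state
# WAN: the gateway and the LAN behind it may go out, with state kept for replies
pass out quick on $WAN proto tcp from any to any flags S keep state
pass out quick on $WAN proto udp from any to any keep state
pass out quick on $WAN proto icmp from any to any keep state
# LAN: ssh to the gateway itself; everything else from the LAN is routed onward
pass in quick on $LAN proto tcp from $LAN_NET to $LAN_IP port = 22 flags S keep state
pass in quick on $LAN from $LAN_NET to any keep state
pass out quick on $LAN all keep state
block in log quick on $LAN all
# The ChaosVPN tunnel interface has no rules here: ipf passes unmatched
# traffic by default, so add rules for it once its interface name is known.
EOF
}

check_ipf_rules() {   # $1 = rules file; succeeds if ipf accepts it or is absent
  if command -v ipf >/dev/null 2>&1; then
    ipf -n -f "$1"
  else
    echo "ipf not found, syntax check skipped" >&2
  fi
}

if [ "$#" -gt 0 ]; then
  write_ipf_rules "$1" && check_ipf_rules "$1"
fi
```

Override WAN, LAN, LAN_NET, LAN_IP or VPN_PORT in the environment if your interfaces or addresses differ from the ones on this page.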

Misc Non-essential Setup

Optional: Install some convenience packages

# pkg_add lynx
# pkg_add pico
# pkg_add screen