VM 0b0t and CollabNet Guide: Difference between pages

From Computernewb Wiki
{{DISPLAYTITLE:Windows 9 (7 SP1) DiLshad Sys x64 (VM 0b0t) - ANARCHY VM}}
{{Infobox VM
|title = Windows 9 (7 SP1) DiLshad Sys x64 (VM 0b0t) - ANARCHY VM
|screenshot = VM0b0t_new27.png
|introduced = 10 May 2022
|os = [[Windows 7]]
|arch = x64
|node = vm0b0t
|previous = Windows Vista<br>Windows 8.1<br>Windows 10<br>Windows 8<br>Windows 7<br>Windows Vista<br>Windows 2000<br>macOS Mojave
|next = [[VM1]]
}}

<div style="display:none">__NOTOC__</div>
'''VM 0b0t''' is the first VM and the oldest Anarchy VM in [[CollabVM]] (formerly the Mac OS VM and the Whitelist VM), the proud home of pure unadulterated Anarchy (formerly SWF projector shell trojans), unpatrolled, ungoverned and unregulated, free of judgment, the absolute worst of [[CollabVM]] culture, a mockery to all that is [[CollabNet|fair]] and [[Whitelister|good]], the bad future of [[CollabVM]], a malware paradise for [[Forkies|forkies]] to reign freely and eat away at fine culture, disrespecting it and destroying its integrity in the process, a place where [[Hildaboo|authority]] and [[DarkOK|prestige]] are meaningless, a place where [https://computernewb.com/collab-vm/rules human etiquette] and [https://computernewb.com/collab-vm/faq societal norms] are meaningless, a place where [[CollabVM#CollabVM:_the_Revengance/1.2.10|power and justice]] are meaningless, a place where [[Wikipedia:4chan|moderation is completely nonexistent]], a place where you can detach yourself from [[VM1|reality]] and take in a whole new dystopia where you will never thrive, a place where [[CollabVM_Discord|nothing ever changes]] and [[Andrej_Akan|no one ever learns]]... where horsefucking, and more recently, taking orders as a waiter holding numerous positions at various well-established restaurants part of the Papa Louie franchise, and even more recently, working as an Arstotzka border patrol agent stamping "Denied" on everyone's papers, and most possibly the most recent, running GandCrab and other ransomware through an autotyped bitsadmin Run command is the VM's, the [[VNC Resolver|GandCrab bot]]'s, [[Hildaboo|and the admin's]] favorite pastime. The name is a reference to the oldest Anarchy server in Minecraft, [[Wikipedia:2b2t|2b2t.org]].

It runs [https://crustywindo.ws/Windows_9_Pro Windows 9 Pro] (a [https://crustywindo.ws/Category:Bootlegs_based_on_Windows_7 Windows 7] bootleg you can get from Crustywindows) with a few custom programs added, running on a 75GB hard drive with 2 gigabytes of RAM. The idea for this VM came from [[CHOCOLATEMAN]]; it emulates the 2016/2017 CollabVM experience, which had fewer restrictions and more chaos. Due to the nature of the VM, the various shortcuts on the desktop have weird and hilarious titles. Aside from [[VM3|the non-Windows VMs]] and the [[VM7|Install Any OS]] VMs, this VM is the only one to not have disk quotas in place.

The VM has the wallpaper set by default as [[:File:0b0tccp.png|a well-articulated CCP approved Duke Nukem wallpaper]]. [[VM 0b0t#Installed Programs & Games on VM 0b0t|There are several custom programs and games, and other things on the VM (i.e. the Chrome theme, extensions and bookmarks, custom pictures and more), which are contained in a list you can view with this link.]]

The premise of the VM is that none of the [[CollabVM]] rules (except the first 4, due to an obligation to federal law and our server host) are enforced, effectively making it an Anarchy VM, as anyone can do whatever they please on the VM without restriction.

[[CollabNet|The CollabNet web filter]] and [[Whitelister]] have been disabled for the VM, meaning anyone can join with any VPN/Proxy/Tor node and visit any website they please. This allows for a lot more freedom and flexibility compared to the regular VMs, which are restricted with AD system policies, have normal system tools replaced with customized ones to stop you from killing critical system processes, and have [[CollabNet]], [[Whitelister]] and Windows disk quotas in place to prevent you from accessing inappropriate/malicious websites, connecting with any proxies or VPNs, and downloading large files such as Windows ISOs to fill up disk space.

However, since CollabNet is not enforced on the VM, anyone can open up just about anything, which may include NSFW content (pornography and others), which is why the VM thumbnail has a blur on it by default. The CollabVM administration team will still actively enforce the [[CollabVM]] and VM rules on the VM, however.

<s>This also marks the return of [[debianguy|Debianguy]] in 2 years, and seandc02 also came back to the site after like... a year or three?</s> <s>'''''HOLY FUCK FLUFFY'S BACK'''''</s> He got b&

== Prior Incarnations ==
{| class="wikitable"
! Operating System !! Version !! Time Period
|-
| Windows 9 || [https://crustywindo.ws/Windows_9_Pro Windows 9 Pro] || 2023-02-14 - now
|-
| Windows Vista || [https://crustywindo.ws/Windows_2007 Windows 2007 - Build 6021] || 2023-02-05 - 2023-02-14
|-
| Windows 8.1 || [https://crustywindo.ws/Windows_8.1_Google_Chromium_Edition Windows 8.1 Google Chromium Edition] || 2022-12-26 - 2023-02-05
|-
| Windows 10 || [https://crustywindo.ws/Windows_10_Christmas_Magic_Pro Windows 10 Christmas Magic Pro] || 2022-11-23 - 2022-12-26
|-
| <s>Windows 7</s> || <s>[https://crustywindo.ws/Windows_7_Mac_Extreme_2015 Windows 7 Mac Extreme 2015]</s> || 2022-11-23 - 2022-11-23
|-
| Windows 7 || [https://crustywindo.ws/Windows_7_Christmas_Edition_2015 Windows 7 Christmas Edition 2015] || 2022-11-22 - 2022-11-23
|-
| Windows 7 || [https://crustywindo.ws/Windows_7_Pony_Edition_2015 Windows 7 Pony Edition 2015] || 2022-10-20 - 2022-11-22
|-
| Windows 7 || [https://crustywindo.ws/Windows_7_FaceBooK_Edition_2012 Windows 7 FaceBooK Edition] || 2022-08-09 - 2022-10-20
|-
| Windows 7 || [https://crustywindo.ws/Windows_7_Angry_Birds Windows 7 Angry Birds Edition] || 2022-05-23 - 2022-08-09
|-
| [https://crustywindo.ws/Category:Bootlegs_based_on_Windows_Vista Windows Vista] || SP2 - Extended Kernel || 2022-05-10 - 2022-05-23
|}

== Installed Programs & Games on VM 0b0t ==
There are numerous programs and games installed on the VM along with some pretty interesting things hidden deep in the VM. This list is not guaranteed to be 100% accurate, and it certainly is not complete either. This particular list includes (but is not limited to, sans the WPI default programs):

The programs on the VM are Chrome 109, Firefox 110, Dissenter Browser, 360 Extreme Explorer, 2Pacalypse 2.3, Dev-C++, Bing Chilling, Elf Bowling Holiday Pack, Rage Wars, Virus Petya, Papers Please, Breaking Bird Demo, Demolition City (2 and a hacked version of 2), Guns & Angel, the Papa Louie Trilogy, CollabVM Botter, CollabVM RAT, LimeWire, VM0 Technical Support, ICQ, Discord, Apple Giftcard Generator, RansomWare Builder 2015, "Oracle VM VirtualBox", Minecraft, Avast Antivirus, Lars of the Stars, The RansomWare Maker and Delphi 7.

=== Miscellaneous ===
A copy of Mesa for Windows in the Downloads directory.

== MOTD ==
<pre>
Welcome to VM0b0bt, the oldest Anarchy VM on CollabVM
Rules:

    ZOMG NONE!!!
    Rules 1, 2, 3, and 4 still apply
    NO COLLABNET!!!!!111

Good luck and may god have mercy on your souls
</pre>

== Gallery ==
=== Revisions ===
the dates in the description don't reflect the dates on the actual VM, don't listen to that, it's chinese propaganda trying to trick u

<gallery>
File:Vm0b0t.png | Revision 0 (May 10th 2022, Vista)
File:Vm0b0t_new.png | Revision 1 (May 24th, Angry Birds)
File:Vm0b0t_new2.png | Revision 2 (May 26th)
File:Vm0b0t_new3.png | Revision 3 (June 12th)
File:Vm0b0t_new4.png | Revision 4 (August 5th)
File:Vm0b0t_new5.png | Revision 5 (August 9th)
File:Vm0b0t_new6.png | Revision 6 (August 9th, FaceBooK)
File:Vm0b0t_new7.png | Revision 7 (August 15th)
File:Vm0b0t_new8.png | Revision 8 (October 20th, Pony Edition)
File:Vm0b0t_new9.png | Revision 9 (November 22nd, Christmas Edition)
File:Vm0b0t_new10.png | Revision 10 (November 23rd)
File:Vm0b0t_new11.png | Revision 11 (Cut, November 23rd, Mac Extreme)
File:Vm0b0t_new11.1.png | Revision 11.1 (November 23rd, Christmas Magic)
File:Vm0b0t_new12.png | Revision 12 (November 26th)
File:Vm0b0t_new13.png | Revision 13 (December 8th)
File:Vm0b0t_new14.png | Revision 14 (December 26th, Google Chromium)
File:Vm0b0t_new15.png | Revision 15 (December 27th)
File:Vm0b0t_new16.png | Revision 16 (December 28th)
File:Vm0b0t_new17.png | Revision 17 (January 1st 2023)
File:Vm0b0t_new18.png | Revision 18 (January 15th)
File:Vm0b0t_new19.png | Revision 19 (January 22nd)
File:Vm0b0t_new20.png | Revision 20 (January 28th)
File:Vm0b0t_new21.png | Revision 21 (February 5th, Windows 2007 Build 6021)
File:Vm0b0t_new22.png | Revision 22 (February 7th)
File:Vm0b0t_new23.png | Revision 23 (February 14th, Windows 9 Pro)
File:Vm0b0t_new24.png | Revision 24 (February 15th)
File:VM0b0t_new25.png | Revision 25 (February 27th)
File:VM0b0t_new26.png | Revision 26 (March 1st)
File:VM0b0t_new27.png | Revision 27 (March 3rd)
</gallery>

=== Wallpapers ===
<gallery>
File:Vm0b0tw.jpg | The VM 0b0t Wallpaper
File:Vm0b0tw2.png | The New VM 0b0t Wallpaper
File:Vm0b0t_cw.png | The VM 0b0t Christmas wallpaper
File:Vm0b0t_cw2.png | The New VM 0b0t Christmas wallpaper
File:VM0b0t_nyw.png | The VM 0b0t New Years wallpaper
File:VM0b0t_nyw2.png | The New VM 0b0t New Years wallpaper
File:0b0tislamicstate.png | Halal VM 0b0t Wallpaper
File:0b0tccp.png | Chinese government approved VM 0b0t Wallpaper
</gallery>

=== Former Incarnations ===
<gallery>
File:VM0_14-11-2021.png | A screenshot of the pre-Anarchy macOS Mojave VM
</gallery>

[[Category:Main_VMs]]

----

This guide will walk you through setting up a Virtual Network for your VMs. This will allow you to route your VM traffic behind a VM (strongly recommended for several reasons), filter web traffic, and prevent access to your local network from the VMs.

= Prerequisites =
* An hour or two of your time
* A host running a Linux distribution
* Basic computer and command line literacy. Nobody is going to hold your hand

= Host Preparation =

== IP Forwarding ==

First, we're going to enable IP forwarding on your host. This will allow traffic from the VMs to be routed to and from the router. The following command will write this to the sysctl configuration.
{{code|<nowiki>
echo 'net.ipv4.ip_forward = 1' | sudo tee /etc/sysctl.d/router.conf
</nowiki>}}
To apply, either reboot or run the following:
{{code|
sudo sysctl --system
}}

== Bridge configuration ==

Next, we'll set up a network bridge with multiple TAP interfaces. You can think of a TAP interface as a virtual Ethernet port connected to your VM, and the network bridge as a virtual Ethernet switch connecting them all together. The instructions to do this vary based on your network daemon. For this guide we'll assume (and recommend) you're using systemd-networkd, or netifrc on OpenRC.

We'll also be giving the <code>collabvm</code> group access to the TAPs. If you have yet to create a user for CollabVM, do so now.

=== Systemd ===

All network configuration is done in the <code>/etc/systemd/network</code> directory. We'll start by creating the bridge itself. The following simply creates a network bridge named <code>collabnet</code>.

'''/etc/systemd/network/collabnet.netdev'''
{{code|<nowiki>
[NetDev]
Name=collabnet
Kind=bridge
</nowiki>}}

Next, we'll create a TAP for our router VM. The following creates a new TAP named <code>ktrouter</code>.

'''/etc/systemd/network/ktrouter.netdev'''
{{code|<nowiki>
[NetDev]
Name=ktrouter
Kind=tap

[Tap]
Group=collabvm
</nowiki>}}

Now, you can create a TAP for each VM. The following adds a TAP named <code>ktvm1</code>. To add more, repeat the following, creating files named <code>ktvm2</code>, <code>ktvm3</code>, and so on. Make sure to also change the TAP name inside the file to match.

'''/etc/systemd/network/ktvm1.netdev'''
{{code|<nowiki>
[NetDev]
Name=ktvm1
Kind=tap

[Tap]
Group=collabvm
</nowiki>}}

Finally, we connect all of our TAPs to the <code>collabnet</code> bridge.

'''/etc/systemd/network/collabnet.network'''
{{code|<nowiki>
[Match]
Name=kt*

[Network]
Bridge=collabnet
</nowiki>}}

Then, you can either reboot or run the following to reload the network configuration:
{{code|
sudo systemctl restart systemd-networkd
}}

=== OpenRC ===

TODO

= Setting up the router =

Now for the """fun""" part. We're going to set up a router VM, responsible for routing all traffic from the VMs. You'll want to give it '''two''' network adapters, one for the WAN (the internet) and another for the LAN (your VMs, the collabnet bridge).

The router will be running Debian. You can either netboot it from within QEMU (press Ctrl+B when prompted on boot, then enter <code>dhcp && boot http://boot.netboot.xyz</code>) or download an ISO and mount it. Your choice.

Here is an example QEMU start command for the router VM. You'll need to create the disk image and adjust paths.
{{code|<nowiki>
sudo -u collabvm qemu-system-x86_64 \
-accel kvm \
-cpu host \
-m 2G \
-hda /srv/collabvm/router/router.qcow2 \
-netdev user,id=wan -device virtio-net,netdev=wan \
-netdev tap,id=lan,ifname=ktrouter,script=no,downscript=no -device virtio-net,netdev=lan \
-vnc 127.0.0.1:10
</nowiki>}}

With this command, you can SSH forward and VNC to port 5910. When installing Debian, you can accept the defaults, although I recommend not using a desktop environment on your router.

== Initial configuration ==

Once you boot to a command line, the first thing we'll do is remove the built-in ifupdown network daemon and use systemd-networkd, as it's much easier to manage.
{{code|
sudo apt-get purge -y ifupdown
sudo ip addr flush
sudo systemctl enable --now systemd-networkd
}}

We'll then disable systemd-resolved and set up a static DNS config:
{{code|
sudo systemctl disable --now systemd-resolved
sudo systemctl mask systemd-resolved
sudo rm /etc/resolv.conf # remove the symlink
sudo tee /etc/resolv.conf <<EOF
nameserver 1.1.1.1
nameserver 1.0.0.1
EOF
}}

Note that the internet will die on the router. This is because systemd-networkd is not configured by default. First, let's figure out our interface names using the command <code>ip a</code>. For me, the WAN interface was <code>ens3</code> and the LAN was <code>ens4</code>. This may vary; however, if you're using the QEMU command above, the WAN interface will appear first in the list. For the rest of the guide I will be assuming the above interface names. Make sure to change them if yours are different.

Let's first configure the WAN interface to use DHCP.

'''/etc/systemd/network/wan.network'''
{{code|<nowiki>
[Match]
Name=ens3

[Network]
DHCP=ipv4
</nowiki>}}

Then, we'll assign the LAN interface the static IP <code>192.168.1.1</code>.

'''/etc/systemd/network/lan.network'''
{{code|<nowiki>
[Match]
Name=ens4

[Network]
Address=192.168.1.1/24
</nowiki>}}

You can then reload the network configuration:
{{code|
sudo systemctl restart systemd-networkd
}}

If all went well, you should be able to access the internet (test with <code>ping google.com</code>).

Lastly, set some sysctl values:

{{code|<nowiki>
sudo tee /etc/sysctl.d/router.conf <<EOF
net.ipv4.conf.default.rp_filter = 2
net.ipv4.conf.all.rp_filter = 2
net.ipv4.ip_forward = 1
EOF
</nowiki>}}

== nftables ==
Now, we can set up basic routing. First, install some required packages
{{code|
sudo apt-get install -y nftables dnsmasq curl
}}
 
Now, download our nftables config template. This sets up a simple router. We'll expand on it later.
 
{{code|
sudo curl 'https://computernewb.com/~elijah/nftables.conf' -o /etc/nftables.conf
}}
 
If your WAN and LAN IPs differ from the examples above, edit nftables.conf and change them at the top.
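The template downloaded above is not reproduced on this page. The following is an added example, not the contents of the file at computernewb.com, of a minimal router ruleset in the same shape the guide describes: WAN, LAN and SNAT defines at the top, NAT out of the WAN, and the e2guardian redirect lines left commented out near the end. It goes one step beyond the guide's text by dropping VM traffic aimed at private address space on the forward path, which is what "prevent access to your local network" amounts to in rule form; it assumes QEMU user-mode networking's default guest address 10.0.2.15 for the WAN.

```shell
#!/bin/sh
# Added example (not the guide's nftables.conf): write a minimal router
# ruleset in the shape the guide describes. The WAN/LAN/SNAT defines are
# the knobs the guide tells you to edit; the redirect lines near the end
# are the ones it later tells you to uncomment for e2guardian.
#
# write_nftables_conf FILE WAN_IF LAN_IF SNAT_IP
write_nftables_conf() {
    cat >"$1" <<EOF
#!/usr/sbin/nft -f
flush ruleset

# Change these if your interfaces or addresses differ. For the VPN setup,
# set WAN to wg and SNAT to the address shown by 'ip a' on the wg interface.
define WAN = $2
define LAN = $3
define SNAT = $4
define LAN_NET = 192.168.1.0/24
# Address space of the host's own network; the VMs must never reach it
define PRIVATE = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # DHCP replies for the router's own WAN lease
        iifname \$WAN udp sport 67 udp dport 68 accept
        # VMs may only talk to the router itself for DHCP, DNS, ping and
        # the two e2guardian redirect ports
        iifname \$LAN udp dport { 67, 53 } accept
        iifname \$LAN tcp dport { 53, 8080, 8443 } accept
        iifname \$LAN icmp type echo-request accept
        # Uncomment if you manage the router over SSH from the WAN side
        #iifname \$WAN tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # VM traffic leaves only through the WAN and never towards private ranges
        iifname \$LAN oifname \$WAN ip daddr \$PRIVATE drop
        iifname \$LAN oifname \$WAN accept
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        # Uncomment once e2guardian is running to filter VM web traffic
        #iifname \$LAN ip daddr != \$LAN_NET tcp dport 80 redirect to :8080
        #iifname \$LAN ip daddr != \$LAN_NET tcp dport 443 redirect to :8443
    }

    chain postrouting {
        type nat hook postrouting priority 100;
        oifname \$WAN snat to \$SNAT
    }
}
EOF
}

# Stand-alone demo: write the ruleset to a temporary file and print it.
# On the router you would pass /etc/nftables.conf instead and then run
# 'sudo nft -f /etc/nftables.conf' as the guide does. 10.0.2.15 is the
# default guest address under QEMU user-mode networking (the WAN above).
demo() {
    out=$(mktemp)
    write_nftables_conf "$out" ens3 ens4 10.0.2.15
    cat "$out"
    rm -f "$out"
}
demo
```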
 
== dnsmasq ==
Next, copy our DNSMASQ config. DNSMASQ is responsible for DHCP and DNS.
 
{{code|
sudo curl 'https://computernewb.com/~elijah/dnsmasq.conf' -o /etc/dnsmasq.conf
}}
 
There are a few instances of ens4 you'll need to change if that's not your LAN interface. You can also change the instance of <code>collabnet.local</code> if you want to use a different hostname.
 
There are also some examples of static leases. You can either use the MAC addresses provided in the examples on your VMs, or change them. You need to add a static lease to dnsmasq.conf for each VM you have or it won't be able to connect to the internet.
 
== Start it up ==
 
The following commands should get all the router components up and running
{{code|
sudo systemctl enable --now dnsmasq nftables
sudo nft -f /etc/nftables.conf
}}
 
== Testing it all out ==
 
If all went well, you should now have a basic working router. To test this, start up one of your VMs on its TAP. You can do this by removing any <code>-net</code> or <code>-netdev</code> arguments from the QEMU command, and adding the following:
 
{{code|<nowiki>
-netdev tap,id=lan,ifname=ktvm1,script=no,downscript=no -device virtio-net,netdev=lan,mac=c0:11:ab:69:42:01
</nowiki>}}
 
Note that the ifname should correspond to the TAPs added earlier and should be unique per VM. The MAC address should be unique to each VM and MUST be given a static lease in dnsmasq.conf.
 
If everything went well, the VM should obtain an IP on boot and be able to access the internet. If not, you can try to troubleshoot or join our Discord and create a post in #support, and we can try to help.
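The two requirements above, a unique MAC per VM and a static lease for each one in dnsmasq.conf, are easy to get wrong once there are several VMs. The following is an added example, not part of the guide, that cross-checks dnsmasq.conf against the MAC addresses in your QEMU start scripts; it assumes leases are written as <code>dhcp-host=&lt;mac&gt;,&lt;ip&gt;,&lt;name&gt;</code> and that each VM is started from a script containing a <code>mac=</code> option, and the sample files it creates are constructed.

```shell
#!/bin/sh
# Added example (not part of the guide): cross-check the static leases in
# dnsmasq.conf against the MAC addresses in the VM start scripts. A VM whose
# MAC has no dhcp-host= lease gets no address and silently has no network,
# and two VMs sharing a MAC fight over one lease.
# Assumptions: leases use the form dhcp-host=<mac>,<ip>,<name>, and each VM
# is started from a script containing a QEMU option with mac=<mac>.

# Lower-cased MACs that have a dhcp-host= lease in the given dnsmasq.conf
lease_macs() {
    sed -n 's/^dhcp-host=\([0-9A-Fa-f:]\{17\}\).*/\1/p' "$1" | tr 'A-F' 'a-f'
}

# Lower-cased MACs found in mac= options of the given start scripts
script_macs() {
    grep -ohE 'mac=[0-9A-Fa-f:]{17}' "$@" | sed 's/^mac=//' | tr 'A-F' 'a-f'
}

# check_leases CONF SCRIPT...
# Prints one line per problem; returns 0 only when every VM MAC has a lease
# and no MAC is used by more than one VM.
check_leases() {
    conf=$1; shift
    status=0
    leases=$(lease_macs "$conf")
    macs=$(script_macs "$@")
    for mac in $macs; do
        printf '%s\n' "$leases" | grep -qx "$mac" ||
            { echo "no static lease in $conf for $mac"; status=1; }
    done
    for mac in $(printf '%s\n' "$macs" | sort | uniq -d); do
        echo "MAC $mac is used by more than one VM"
        status=1
    done
    return $status
}

# Constructed sample data for a stand-alone run (not a real configuration):
# two leased VMs, a third VM without a lease, and a fourth reusing vm2's MAC.
make_sample_dir() {
    dir=$(mktemp -d)
    cat >"$dir/dnsmasq.conf" <<'EOF'
interface=ens4
domain=collabnet.local
dhcp-range=192.168.1.100,192.168.1.200,12h
dhcp-host=c0:11:ab:69:42:01,192.168.1.11,vm1
dhcp-host=C0:11:AB:69:42:02,192.168.1.12,vm2
EOF
    for n in 1 2 3; do
        printf '%s\n' "qemu-system-x86_64 -netdev tap,id=lan,ifname=ktvm$n,script=no,downscript=no -device virtio-net,netdev=lan,mac=c0:11:ab:69:42:0$n" >"$dir/vm$n.sh"
    done
    # vm4 wrongly copies vm2's MAC
    sed 's/ktvm2/ktvm4/' "$dir/vm2.sh" >"$dir/vm4.sh"
    echo "$dir"
}

demo() {
    dir=$(make_sample_dir)
    if check_leases "$dir/dnsmasq.conf" "$dir"/vm*.sh; then
        echo "all VM MACs have a static lease"
    else
        echo "fix dnsmasq.conf before starting the VMs"
    fi
    rm -rf "$dir"
}
demo
```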
 
= Optional router configuration =
 
The following is not strictly required, however is recommended.
 
== VPN ==
If you don't want users to be able to generate traffic from your IP address (you almost definitely do not), you should set up a VPN for all your users' traffic to be run through. You'll need a VPN that supports WireGuard (and additionally you'll want to make sure that this use case is allowed by their Terms of Service). Here are a few:
 
* [https://mullvad.net/en Mullvad] ($5 a month)
* [https://protonvpn.com/ ProtonVPN] (Premium plan is $10 a month, however their free plan allows WireGuard making this one preferable if you don't want to spend money)
 
Once you have your VPN picked out, register an account and generate a WireGuard profile. This varies by VPN but it's usually in the Downloads section or its own category. It should give you a WireGuard configuration either as a downloadable file or to copy and paste.
 
Next, install wireguard into your router:
{{code|
sudo apt-get install wireguard-tools
}}
 
Once this is installed, paste the contents of your WireGuard configuration into <code>/etc/wireguard/wg.conf</code>. An example file looks like this:
{{code|<nowiki>
[Interface]
PrivateKey = ThisIsAnExampleDontActuallyUseThis=
Address = 10.65.2.87/32,fc00:bbbb:bbbb:bb01::2:256/128
DNS = 10.64.0.1
[Peer]
PublicKey = gH/ThisIsAnExampleDontActuallyUseThis=
Endpoint = 1.1.1.1:51820
AllowedIPs = 0.0.0.0/0, ::0/0
</nowiki>}}
 
With that all set, you can now enable the VPN with the following command:
{{code|
sudo systemctl enable --now wg-quick@wg
}}
If all went well, you should now be connected to the VPN:
{{code|<nowiki>
$ curl ipinfo.io/what-is-my-ip
{
  "ip": "143.244.47.86",
  "hostname": "unn-143-244-47-86.datapacket.com",
  "city": "Weehawken",
  "region": "New Jersey",
  "country": "US",
  "loc": "40.7696,-74.0204",
  "org": "AS212238 Datacamp Limited",
  "postal": "07086",
  "timezone": "America/New_York",
  "readme": "https://ipinfo.io/missingauth"
}
</nowiki>}}
The last step is to connect the VMs to the VPN. First, get your private IP on the vpn network:
{{code|<nowiki>
$ ip a
(...)
7: wg: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 10.65.2.87/32 <---- THIS RIGHT HERE scope global wg
</nowiki>}}
As we can see, our private IP in this example is <code>10.65.2.87</code>. All we have to do is open nftables.conf and set <code>WAN</code> to <code>wg</code>, and <code>SNAT</code> to this private IP:
{{code|<nowiki>
/etc/nftables.conf
(...)
define SNAT = 10.65.2.87
(...)
define WAN = wg
</nowiki>}}
Reload your nftables configuration:
{{code|
sudo nft -f /etc/nftables.conf
}}
If all went well, your VMs should now be connected to the VPN
== E2Guardian ==
E2Guardian can be used to implement network filtering on your VM. It supports transparent HTTP and HTTPS filtering making it ideal for a setup like CollabVM where the client can't be trusted to always use a proxy or DNS server. Here's how to set it up.
=== Installation ===
First is to install e2guardian. A small issue is that the e2guardian packages have not been updated for Debian 12 and still use OpenSSL 1.1, which was removed in Debian 12. As a workaround we can install the libssl1.1 version from Debian 11. Note that usually installing packages from another Debian version is [https://wiki.debian.org/DontBreakDebian#Don.27t_make_a_FrankenDebian a bad idea], but in this case it's fine since the package has no outside dependencies.
{{code|
wget http://ftp.us.debian.org/debian/pool/main/o/openssl/libssl1.1_1.1.1w-0+deb11u1_amd64.deb
sudo apt-get install ./libssl1.1_1.1.1w-0+deb11u1_amd64.deb
}}
You can then install e2guardian:
{{code|
wget https://e2guardian.numsys.eu/v5.5/e2debian_bullseye_V5.5.4r_20231113.deb # IF THERE'S A NEWER VERSION AVAILABLE AT https://e2guardian.numsys.eu/, USE THAT INSTEAD
sudo apt-get install ./e2debian_bullseye_V5.5.4r_20231113.deb
}}
Install some other dependencies:
{{code|
sudo apt-get install git curl tar ftp
}}
=== Configuration ===
Now we need to do some configuration. The e2guardian config directory is not readable by a normal user, so shell in as root.
{{code|
$ sudo -i
# cd /etc/e2guardian
}}
Create a directory for generated certificates, and give e2guardian permissions:
{{code|
mkdir -p private/generatedcerts
chown e2guardian:e2guardian private/generatedcerts
}}
Generate the required keys and CA certificate for SSL MITM:
{{code|
openssl genrsa 4096 > private/ca.key
openssl genrsa 4096 > private/cert.key
openssl req -new -x509 -days 3650 -sha256 -key private/ca.key -out private/ca.pem
}}
The last command will ask for some information; you can leave most of it blank and fill in what you want.
 
Next, some configuration. Open e2guardian.conf in an editor, then find and set the following values:
{{code|<nowiki>
transparenthttpsport = 8443
enablessl = on
sslcertificatepath = '/etc/ssl/certs'
useoriginalip = on
</nowiki>}}
Now open e2guardianf1.conf in an editor, then find and set the following values:
{{code|<nowiki>
## COMMENT OUT THESE LINES:
# storyboard = '/etc/e2guardian/examplef1.story'  # comment out for production
# .Define LISTDIR </etc/e2guardian/lists/example.group>  # comment out for production

sslmitm = on
</nowiki>}}
Copy <code>examplef1.story</code> to <code>group1.story</code>:
{{code|
cp examplef1.story group1.story
}}
=== Filter lists ===
Now you can download the collabnet filter lists:
{{code|
cd lists
git clone --depth 1 https://git.computernewb.com/collabvm/e2guardian.git group1
}}
Download the ut1 and oisd filter lists:
{{code|
cd group1
./getall.sh
}}
==== Updating the filter lists ====
Every once in a while, you'll want to update the filter lists with this command:
{{code|
$ sudo -i
# cd /etc/e2guardian/lists/group1
# git pull
# ./getall.sh
}}
=== Start it up ===
You should now be able to start e2guardian without error using the following command:
{{code|
sudo systemctl enable --now e2guardian
}}
You can confirm that it's working by seeing if it's listening on ports 8080 and 8443:
{{code|<nowiki>
$ sudo ss -tulnp
(...)
tcp  LISTEN 0      256                                  0.0.0.0:8080      0.0.0.0:*    users:(("e2guardian",pid=168580,fd=5))
tcp  LISTEN 0      256                                  0.0.0.0:8443      0.0.0.0:*    users:(("e2guardian",pid=168580,fd=7))
(...)
</nowiki>}}
=== Routing the VM traffic ===
We can now set a firewall rule to redirect all VM traffic through e2guardian. Open /etc/nftables.conf and uncomment the following lines near the end:
{{code|<nowiki>
iifname $LAN ip daddr != 192.168.1.0/24 tcp dport 80 redirect to :8080
iifname $LAN ip daddr != 192.168.1.0/24 tcp dport 443 redirect to :8443
</nowiki>}}
Reload nftables:
{{code|
sudo nft -f /etc/nftables.conf
}}
=== Test it out ===
First, put /etc/e2guardian/private/ca.pem onto one of your VMs. This is usually done through installing nginx onto the router and copying ca.pem into the webroot. Next, install ca.pem as a Trusted Root Certification Authority (on Windows, you need to change the file extension to .crt for it to be recognized.)


If all went well, you should be able to browse to websites and see that the SSL certificate was signed by your generated CA. Additionally, sites blocked in the filter list should show a block page (try something like anydesk.com).
=== Change the block page ===
You can create a custom block page by editing /usr/share/e2guardian/languages/ukenglish/template.html. For assets like images you'll need to install a webserver (usually nginx) on the router and host them that way.

Revision as of 20:53, 17 December 2023

This guide will walk you through setting up a Virtual Network for your VMs. This will allow you to route your VM traffic behind a VM (strongly recommended for several reasons), filter web traffic, and prevent access to your local network from the VMs.

Prerequisites

  • An hour or two of your time
  • A host running a Linux distribution
  • Basic computer and command line literacy. Nobody is going to hold your hand

Host Preparation

IP Forwarding

First, we're going to enable IP forwarding on your host. This will allow traffic from the VMs to be routed to and from the router. The following command will write this to the sysctl configuration.

echo 'net.ipv4.ip_forward = 1' | sudo tee /etc/sysctl.d/router.conf

To apply, either reboot or run the following:

sudo sysctl --system

Bridge configuration

Next, we'll set up a network bridge with multiple TAP interfaces. You can think of a TAP interface as a virtual Ethernet port connected to your VM, and the network bridge as a virtual Ethernet switch connecting them all together. The instructions to do this vary based on your network daemon. For this guide we'll assume (and recommend) you're using systemd-networkd, or netifrc on OpenRC.

We'll also be giving the collabvm group access to the TAPs. If you have yet to create a user for CollabVM, do so now.

Systemd

All network configuration is done in the /etc/systemd/network directory. We'll start by creating the bridge itself. The following simply creates a network bridge named collabnet

/etc/systemd/network/collabnet.netdev

[NetDev]
Name=collabnet
Kind=bridge

Next, we'll create a TAP for our router VM. The following creates a new TAP named ktrouter

/etc/systemd/network/ktrouter.netdev

[NetDev]
Name=ktrouter
Kind=tap

[Tap]
Group=collabvm

Now, you can create a TAP for each VM. The following adds a TAP named ktvm1. To add more, repeat the following, creating files named ktvm2, ktvm3, and so on. Make sure to also change the TAP name inside the file to match this.

/etc/systemd/network/ktvm1.netdev

[NetDev]
Name=ktvm1
Kind=tap

[Tap]
Group=collabvm

Finally, we connect all of our TAPs to the collabnet bridge.

/etc/systemd/network/collabnet.network

[Match]
Name=kt*

[Network]
Bridge=collabnet

Finally, you can either reboot or run the following to reload the network configuration

sudo systemctl restart systemd-networkd

OpenRC

TODO

Setting up the router

Now for the """fun""" part. We're going to set up a router VM, responsible for routing all traffic from the VMs. You'll want to give it two network adapters, one for the WAN (the internet) and another LAN (your VMs, the collabnet bridge).

The router will be running Debian. You can either netboot it from within QEMU (Press Ctrl+B when prompted on boot, enter dhcp && boot http://boot.netboot.xyz) or download an ISO and mount it. Your choice.

Here is an example QEMU start command for the router VM. You'll need to create the disk image and adjust paths.

sudo -u collabvm qemu-system-x86_64 \
-accel kvm \
-cpu host \
-m 2G \
-hda /srv/collabvm/router/router.qcow2 \
-netdev user,id=wan -device virtio-net,netdev=wan \
-netdev tap,id=lan,ifname=ktrouter,script=no,downscript=no -device virtio-net,netdev=lan \
-vnc 127.0.0.1:10

With this command, you can SSH forward and VNC to port 5910. When installing Debian, you can accept defaults, although I recommend not using a desktop environment on your router.

Initial configuration

Once you boot to a command line, the first thing we'll do is remove the builtin ifupdown network daemon and use systemd-networkd, as it's much easier to manage.

sudo apt-get purge -y ifupdown
sudo ip addr flush
sudo systemctl enable --now systemd-networkd

We'll then disable systemd-resolved and set up a static DNS config

sudo systemctl disable --now systemd-resolved
sudo systemctl mask systemd-resolved
sudo rm /etc/resolv.conf # remove the symlink
sudo tee /etc/resolv.conf <<EOF
nameserver 1.1.1.1
nameserver 1.0.0.1
EOF

Note that the internet will die on the router. This is because systemd-networkd is not configured by default. First, let's figure out our interface names using the command ip a. For me, the WAN interface was ens3 and the LAN was ens4. This may vary however if you're using the QEMU command above the WAN interface will appear first in the list. For the rest of the guide I will be assuming the above interface names. Make sure to change them if yours are different.

Let's first configure the WAN interface to use DHCP.

/etc/systemd/network/wan.network

[Match]
Name=ens3

[Network]
DHCP=ipv4

Then, we'll assign the LAN interface the static ip of 192.168.1.1

/etc/systemd/network/lan.network

[Match]
Name=ens4

[Network]
Address=192.168.1.1/24

You can then reload the network configuration:

sudo systemctl restart systemd-networkd

If all went well, you should be able to access the internet (test with ping google.com)

Lastly, set some sysctl values:

sudo tee /etc/sysctl.d/router.conf <<EOF
net.ipv4.conf.default.rp_filter = 2
net.ipv4.conf.all.rp_filter = 2
net.ipv4.ip_forward = 1
EOF

nftables

Now, we can set up basic routing. First, install some required packages

sudo apt-get install -y nftables dnsmasq curl

Now, download our nftables config template. This sets up a simple router. We'll expand on it later.

sudo curl 'https://computernewb.com/~elijah/nftables.conf' -o /etc/nftables.conf

If your WAN and LAN IPs differ from the examples above, edit nftables.conf and change them at the top.

dnsmasq

Next, copy our DNSMASQ config. DNSMASQ is responsible for DHCP and DNS.

sudo curl 'https://computernewb.com/~elijah/dnsmasq.conf' -o /etc/dnsmasq.conf

There are a few instances of ens4 you'll need to change if that's not your WAN interface. You can also change the instance of collabnet.local if you want to use a different hostname.

There are also some examples of static leases. You can either use the MAC addresses provided in the examples on your VMs, or change them. You need to add a static lease to dnsmasq.conf for each VM you have or it won't be able to connect to the internet.

Start it up

The following commands should get all the router components up and running

sudo systemctl enable --now dnsmasq nftables
sudo nft -f /etc/nftables.conf

Testing it all out

If all went well, you should now have a basic working router. To test this, start up one of your VMs on its TAP. You can do this by removing any -net, -netdev, or -netdev arguments from the QEMU command, and adding the following:

-netdev tap,id=lan,ifname=ktvm1,script=no,downscript=no -device virtio-net,netdev=lan,mac=c0:11:ab:69:42:01

Note that the ifname should correspond to the TAPs added earlier and should be unique per VM. The MAC address should be unique to each VM and MUST be given a static lease in dnsmasq.conf.

If everything went well, the VM should obtain an IP on boot and be able to access the internet. If not, you can try to troubleshoot or join our discord and create a post in #support, and we can try to help.

Optional router configuration

The following is not strictly required, but it is recommended.

VPN

If you don't want users to be able to generate traffic from your IP address (you almost certainly do not), you should set up a VPN and route all of your users' traffic through it. You'll need a VPN that supports WireGuard (and you'll also want to make sure this use case is allowed by their Terms of Service). Here are a few:

  • Mullvad ($5 a month)
  • ProtonVPN (Premium plan is $10 a month, however their free plan allows WireGuard making this one preferable if you don't want to spend money)

Once you have your VPN picked out, register an account and generate a WireGuard profile. This varies by VPN, but it's usually in the Downloads section or in its own category. It should give you a WireGuard configuration either as a downloadable file or as text to copy and paste.

Next, install wireguard into your router:

sudo apt-get install wireguard-tools

Once this is installed, paste the contents of your WireGuard configuration into /etc/wireguard/wg.conf. An example file looks like this:

[Interface]
PrivateKey = ThisIsAnExampleDontActuallyUseThis=
Address = 10.65.2.87/32,fc00:bbbb:bbbb:bb01::2:256/128
DNS = 10.64.0.1
[Peer]
PublicKey = gH/ThisIsAnExampleDontActuallyUseThis=
Endpoint = 1.1.1.1:51820
AllowedIPs = 0.0.0.0/0, ::0/0

With that all set, you can now enable the VPN with the following command:

sudo systemctl enable --now wg-quick@wg

If all went well, you should now be connected to the VPN:

$ curl ipinfo.io/what-is-my-ip
{
  "ip": "143.244.47.86",
  "hostname": "unn-143-244-47-86.datapacket.com",
  "city": "Weehawken",
  "region": "New Jersey",
  "country": "US",
  "loc": "40.7696,-74.0204",
  "org": "AS212238 Datacamp Limited",
  "postal": "07086",
  "timezone": "America/New_York",
  "readme": "https://ipinfo.io/missingauth"
}

The last step is to connect the VMs to the VPN. First, get your private IP on the vpn network:

$ ip a
(...)
7: wg: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 10.65.2.87/32 <---- THIS RIGHT HERE scope global wg

As we can see, our private IP in this example is 10.65.2.87. All we have to do is open nftables.conf and set WAN to wg, and SNAT to this private IP:

/etc/nftables.conf
(...)
define SNAT = 10.65.2.87
(...)
define WAN = wg

Reload your nftables configuration:

sudo nft -f /etc/nftables.conf

If all went well, your VMs should now be connected to the VPN
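A consistency check for the SNAT/WAN step above, added here as an example and not part of the guide: it reads the define lines from nftables.conf and the wg address from saved ip a output and refuses if they disagree, which is how VMs end up with no connectivity if the WireGuard address in wg.conf ever changes but SNAT is left as it was. The define syntax is assumed to match the guide's snippet; both sample files are constructed from the values shown above.

```shell
#!/bin/sh
# Added example, not from the guide: verify that nftables.conf's WAN and SNAT
# definitions agree with the live wg interface before "nft -f" is run.
# Assumes the define lines look like the guide's ("define SNAT = 10.65.2.87").

# Print the value of "define NAME = value" from an nftables.conf; fail if absent
# Usage: nft_define <nftables.conf> <NAME>
nft_define() {
    sed -n "s/^[[:space:]]*define[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:];]*\).*/\1/p" "$1" \
        | head -n 1 | grep .
}

# Print the first IPv4 address of an interface from saved "ip a" output
# Usage: iface_inet <ip-a-output-file> <ifname>
iface_inet() {
    awk -v want="$2" '
        /^[0-9]+: /                 { split($2, a, ":"); cur = a[1] }   # "7: wg: <...>" starts an interface
        cur == want && $1 == "inet" { split($2, b, "/"); print b[1]; exit }
    ' "$1"
}

# Succeed only if WAN is wg and SNAT equals the address wg currently holds
# Usage on the router: ip a > /tmp/ip.txt; vpn_snat_check /etc/nftables.conf /tmp/ip.txt
vpn_snat_check() {
    wan=$(nft_define "$1" WAN)   || { echo "no WAN define in $1" >&2; return 1; }
    snat=$(nft_define "$1" SNAT) || { echo "no SNAT define in $1" >&2; return 1; }
    addr=$(iface_inet "$2" wg)
    [ "$wan" = wg ]       || { echo "WAN is '$wan', expected wg" >&2; return 1; }
    [ -n "$addr" ]        || { echo "wg has no IPv4 address; is wg-quick@wg up?" >&2; return 1; }
    [ "$snat" = "$addr" ] || { echo "SNAT $snat != wg address $addr" >&2; return 1; }
}

# Constructed sample inputs built from the values in the guide
NFT_SAMPLE=$(mktemp); IP_SAMPLE=$(mktemp)
trap 'rm -f "$NFT_SAMPLE" "$IP_SAMPLE"' EXIT
printf 'define SNAT = 10.65.2.87\ndefine WAN = wg\n' > "$NFT_SAMPLE"
cat > "$IP_SAMPLE" <<'EOF'
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
7: wg: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 10.65.2.87/32 scope global wg
EOF

vpn_snat_check "$NFT_SAMPLE" "$IP_SAMPLE" && echo "nftables.conf matches wg: safe to reload"
```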

E2Guardian

E2Guardian can be used to implement network filtering for your VMs. It supports transparent HTTP and HTTPS filtering, making it ideal for a setup like CollabVM where the client can't be trusted to always use a proxy or DNS server. Here's how to set it up.

Installation

First, install e2guardian. A small issue is that the e2guardian packages have not been updated for Debian 12 and still use OpenSSL 1.1, which was removed in Debian 12. As a workaround we can install the libssl1.1 package from Debian 11. Note that installing packages from another Debian version is usually a bad idea, but in this case it's fine since the package has no outside dependencies.

wget http://ftp.us.debian.org/debian/pool/main/o/openssl/libssl1.1_1.1.1w-0+deb11u1_amd64.deb
sudo apt-get install ./libssl1.1_1.1.1w-0+deb11u1_amd64.deb

You can then install e2guardian:

wget https://e2guardian.numsys.eu/v5.5/e2debian_bullseye_V5.5.4r_20231113.deb # IF THERE'S A NEWER VERSION AVAILABLE AT https://e2guardian.numsys.eu/, USE THAT INSTEAD
sudo apt-get install ./e2debian_bullseye_V5.5.4r_20231113.deb

Install some other dependencies:

sudo apt-get install git curl tar ftp

Configuration

Now we need to do some configuration. The e2guardian config directory is not readable by a normal user, so shell in as root.

$ sudo -i
# cd /etc/e2guardian

Create a directory for generated certificates, and give e2guardian permissions:

mkdir -p private/generatedcerts
chown e2guardian:e2guardian private/generatedcerts

Generate the required keys and CA certificate for SSL MITM:

openssl genrsa 4096 > private/ca.key
openssl genrsa 4096 > private/cert.key
openssl req -new -x509 -days 3650 -sha256 -key private/ca.key -out private/ca.pem

The last command will ask for some information; you can leave most of it blank and fill in what you want.

Next, some configuration. Open e2guardian.conf in an editor, then find and set the following values:

transparenthttpsport = 8443
enablessl = on
sslcertificatepath = '/etc/ssl/certs'
useoriginalip = on

Now open e2guardianf1.conf in an editor, then find and set the following values:

{{{1}}}

Copy examplef1.story to group1.story:

cp examplef1.story group1.story

Filter lists

Now you can download the collabnet filter lists:

cd lists
git clone --depth 1 https://git.computernewb.com/collabvm/e2guardian.git group1

Download the ut1 and oisd filter lists:

cd group1
./getall.sh

Updating the filter lists

Every once in a while, you'll want to update the filter lists with this command:

$ sudo -i
# cd /etc/e2guardian/lists/group1
# git pull
# ./getall.sh

Start it up

You should now be able to start e2guardian without error using the following command:

sudo systemctl enable --now e2guardian

You can confirm that it's working by seeing if it's listening on ports 8080 and 8443:

$ sudo ss -tulnp
(...)
tcp   LISTEN 0      256                                  0.0.0.0:8080       0.0.0.0:*    users:(("e2guardian",pid=168580,fd=5))
tcp   LISTEN 0      256                                  0.0.0.0:8443       0.0.0.0:*    users:(("e2guardian",pid=168580,fd=7))
(...)

Routing the VM traffic

We can now set a firewall rule to redirect all VM traffic through e2guardian. Open /etc/nftables.conf and uncomment the following lines near the end:

iifname $LAN ip daddr != 192.168.1.0/24 tcp dport 80 redirect to :8080
iifname $LAN ip daddr != 192.168.1.0/24 tcp dport 443 redirect to :8443

Reload nftables:

sudo nft -f /etc/nftables.conf

Test it out

First, put /etc/e2guardian/private/ca.pem onto one of your VMs. This is usually done through installing nginx onto the router and copying ca.pem into the webroot. Next, install ca.pem as a Trusted Root Certification Authority (on Windows, you need to change the file extension to .crt for it to be recognized.)

If all went well, you should be able to browse to websites and see that the SSL certificate was signed by your generated CA. Additionally, sites blocked in the filter list should show a block page (try something like anydesk.com)

Change the block page

You can create a custom block page by editing /usr/share/e2guardian/languages/ukenglish/template.html. For assets like images you'll need to install a webserver (usually nginx) on the router and host them that way.