Bureaucrats, Check users, Interface administrators, Push subscription managers, Suppressors, Administrators
478
edits
No edit summary |
(add e2g) |
||
== E2Guardian ==
E2Guardian can be used to implement network filtering on your VM. It supports transparent HTTP and HTTPS filtering making it ideal for a setup like CollabVM where the client can't be trusted to always use a proxy or DNS server. Here's how to set it up.
=== Installation ===
First is to install e2guardian. A small issue is that the e2guardian packages have not been updated for Debian 12 and still use OpenSSL 1.1, which was removed in Debian 12. As a workaround we can install the libssl1.1 version from Debian 11. Note that usually installing packages from another Debian version is [https://wiki.debian.org/DontBreakDebian#Don.27t_make_a_FrankenDebian a bad idea], but in this case its fine since the package has no outside dependencies.
{{code|
wget http://ftp.us.debian.org/debian/pool/main/o/openssl/libssl1.1_1.1.1w-0+deb11u1_amd64.deb
sudo apt-get install ./libssl1.1_1.1.1w-0+deb11u1_amd64.deb
}}
You can then install e2guardian:
{{code|
wget https://e2guardian.numsys.eu/v5.5/e2debian_bullseye_V5.5.4r_20231113.deb # IF THERE'S A NEWER VERSION AVAILABLE AT https://e2guardian.numsys.eu/, USE THAT INSTEAD
sudo apt-get install ./e2debian_bullseye_V5.5.4r_20231113.deb
}}
Install some other dependencies:
{{code|
sudo apt-get install git curl tar ftp
}}
=== Configuration ===
Now we need to do some configuration. The e2guardian config directory is not readable by a normal user, so shell in as root.
{{code|
$ sudo -i
# cd /etc/e2guardian
}}
Create a directory for generated certificates, and give e2guardian permissions:
{{code|
mkdir -p private/generatedcerts
chown e2guardian:e2guardian private/generatedcerts
}}
Generate the required keys and CA certificate for SSL MITM:
{{code|
openssl genrsa 4096 > private/ca.key
openssl genrsa 4096 > private/cert.key
openssl req -new -x509 -days 3650 -sha256 -key private/ca.key -out private/ca.pem
}}
The last command will ask for some information, you can leave most of it blank and fill what you want.
Next, some configuration. Open e2guardian.conf in an editor, then find and set the following values:
{{code|<nowiki>
transparenthttpsport = 8443
enablessl = on
sslcertificatepath = '/etc/ssl/certs'
useoriginalip = on
</nowiki>}}
Now open e2guardianf1.conf in an editor, then find and set the following values:
{{code|<nowiki>
## COMMENT OUT THESE LINES:
# storyboard = '/etc/e2guardian/examplef1.story' # comment out for production
# .Define LISTDIR </etc/e2guardian/lists/example.group> # comment out for production
sslmitm = on
</nowiki>}}
Copy <code>examplef1.story</code> to <code>group1.story</code>:
{{code|
cp examplef1.story group1.story
}}
=== Filter lists ===
Now you can download the collabnet filter lists:
{{code|
cd lists
git clone --depth 1 https://git.computernewb.com/collabvm/e2guardian.git group1
}}
Download the ut1 and oisd filter lists:
{{code|
cd group1
./getall.sh
}}
==== Updating the filter lists ====
Every once in a while, you'll want to update the filter lists with this command:
{{code|
$ sudo -i
# cd /etc/e2guardian/lists/group1
# git pull
# ./getall.sh
}}
=== Start it up ===
You should now be able to start e2guardian without error using the following command:
{{code|
sudo systemctl enable --now e2guardian
}}
You can confirm that it's working by seeing if it's listening on ports 8080 and 8443:
{{code|<nowiki>
$ sudo ss -tulnp
(...)
tcp LISTEN 0 256 0.0.0.0:8080 0.0.0.0:* users:(("e2guardian",pid=168580,fd=5))
tcp LISTEN 0 256 0.0.0.0:8443 0.0.0.0:* users:(("e2guardian",pid=168580,fd=7))
(...)
</nowiki>}}
=== Routing the VM traffic ===
We can now set a firewall rule to redirect all VM traffic through e2guardian. Open /etc/nftables.conf and uncomment the following lines near the end:
{{code|<nowiki>
iifname $LAN ip daddr != 192.168.1.0/24 tcp dport 80 redirect to :8080
iifname $LAN ip daddr != 192.168.1.0/24 tcp dport 443 redirect to :8443
</nowiki>}}
Reload nftables:
{{code|
sudo nft -f /etc/nftables.conf
}}
=== Test it out ===
First, put /etc/e2guardian/private/ca.pem onto one of your VMs. This is usually done through installing nginx onto the router and copying ca.pem into the webroot. Next, install ca.pem as a Trusted Root Certification Authority (on Windows, you need to change the file extension to .crt for it to be recognized.)
If all went well, you should be able to browse to websites and see that the SSL certificate was signed by your generated CA. Additionally, sites blocked in the filter list should show a block page (try something like anydesk.com)
=== Change the block page ===
You can create a custom block page by editing /usr/share/e2guardian/languages/ukenglish/template.html. For assets like images you'll need to install a webserver (usually nginx) on the router and host them that way.
|