CollabNet Guide: Difference between revisions

This guide will walk you through setting up a Virtual Network for your VMs. This will allow you to route your VM traffic behind a VPN (strongly recommended for several reasons), filter web traffic, and prevent access to your local network from the VMs.
 
= Prerequisites =
* An hour or two of your time
=== Systemd ===
 
All network configuration is done in the <code>/etc/systemd/network</code> directory. We'll start by making sure systemd-networkd is enabled and started.
{{code|
sudo systemctl enable --now systemd-networkd
}}
Next, create the bridge. The following simply creates a network bridge named <code>collabnet</code>:
 
'''/etc/systemd/network/collabnet.netdev'''
{{code|
sudo systemctl restart systemd-networkd
}}
 
To make sure the bridge is started properly at system boot, run <code>sudo crontab -e</code> and add the following line to the bottom of the file that opens, then save it:
{{code|
@reboot sleep 10; ip link set collabnet up
}}
 
{{code|
sudo apt-get purge -y ifupdown
sudo systemctl enable --now systemd-networkd
}}
 
We'll then disable systemd-resolved and set up a static DNS config:
 
{{code|
# Systemd-resolved was removed in Debian 12, therefore if you are using Debian 12 or later you do not need to run this.
sudo systemctl disable --now systemd-resolved
sudo systemctl mask systemd-resolved
sudo rm /etc/resolv.conf # remove the symlink
sudo tee /etc/resolv.conf <<EOF
nameserver 1.1.1.1
nameserver 1.0.0.1
EOF
}}
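The check below is an added example, not part of the original guide: it audits a resolv.conf file against the static configuration written above and fails if the file is still a symlink or lists any nameserver other than the two set here. The function name <code>check_resolv_conf</code> and its optional arguments are assumptions of this example.

```shell
#!/bin/sh
# Added example: verify that resolv.conf is the static file written above.
# Usage: check_resolv_conf [FILE] [ALLOWED_NAMESERVERS]
# Defaults match the guide: /etc/resolv.conf with 1.1.1.1 and 1.0.0.1.
check_resolv_conf() {
    file=${1:-/etc/resolv.conf}
    allowed=${2:-"1.1.1.1 1.0.0.1"}

    # A symlink means another service still manages the file,
    # so the static contents would not survive.
    if [ -L "$file" ]; then
        echo "FAIL: $file is a symlink to $(readlink "$file")"
        return 1
    fi
    if [ ! -f "$file" ]; then
        echo "FAIL: $file is missing or not a regular file"
        return 1
    fi

    found=0
    key=
    # Inspect only "nameserver" lines; comments and other options are skipped.
    # The "|| [ -n ... ]" part handles a last line without a trailing newline.
    while read -r key value _ || [ -n "$key" ]; do
        [ "$key" = "nameserver" ] || continue
        found=$((found + 1))
        case " $allowed " in
            *" $value "*) ;;   # resolver is on the allow list
            *)
                echo "FAIL: unexpected nameserver '$value' in $file"
                return 1
                ;;
        esac
    done < "$file"

    if [ "$found" -eq 0 ]; then
        echo "FAIL: no nameserver lines in $file"
        return 1
    fi
    echo "OK: $file is a regular file and lists only: $allowed"
}

# On the host, run: check_resolv_conf
```

Running it again after the VPN and filtering steps shows whether anything has rewritten the file since it was created.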
 
Now, we can set up basic routing. First, install some required packages:
{{code|
sudo apt-get install -y nftables dnsmasq curl openresolv
}}
 
If you don't want users to be able to generate traffic from your IP address (you almost definitely do not), you should set up a VPN for all your users' traffic to run through. You'll need a VPN that supports WireGuard (and you'll want to make sure that this use case is allowed by their Terms of Service). Here are a few:
 
* [https://protonvpn.com/ ProtonVPN] (Free plan allows WireGuard, premium plan $10/month)
* CloudFlare WARP: You can use the [https://github.com/ViRb3/wgcf wgcf] third party CLI tool to generate a WireGuard profile. Mileage may vary.
* [https://mullvad.net/en Mullvad] ($5 a month)
* [https://protonvpn.com/ ProtonVPN] (Premium plan is $10 a month, however their free plan allows WireGuard making this one preferable if you don't want to spend money)
 
Once you have your VPN picked out, register an account and generate a WireGuard profile. This varies by VPN, but it's usually in the Downloads section or its own category. It should give you a WireGuard configuration either as a downloadable file or as text to copy and paste.
}}
If all went well, your VMs should now be connected to the VPN.
 
== E2Guardian ==
E2Guardian can be used to implement network filtering on your VM. It supports transparent HTTP and HTTPS filtering, making it ideal for a setup like CollabVM where the client can't be trusted to always use a proxy or DNS server. Here's how to set it up.
=== Installation ===
First is to install e2guardian.
Run the following command:
{{code|
wget https://e2guardian.numsys.eu/v5.5/e2debian_bookworm_V5.5.5r_20240509.deb # IF THERE'S A NEWER VERSION AVAILABLE AT https://e2guardian.numsys.eu/, USE THAT INSTEAD
sudo apt-get install ./e2debian_bookworm_V5.5.5r_20240509.deb
}}
Set e2guardian to automatically restart in case something fails:
# Run <code>sudo systemctl edit e2guardian</code>
# Add the following at the top of the file where indicated (read the comments!): {{code|<nowiki>
[Service]
Restart=always</nowiki>
}}
# Save the file
Install some other dependencies:
{{code|
useoriginalip = on
</nowiki>}}
 
Now open e2guardianf1.conf in an editor, then find and set the following values:
{{code|<nowiki>
Copy <code>examplef1.story</code> to <code>group1.story</code>:
{{code|
cp -p examplef1.story group1.story
}}
=== Filter lists ===
Now you can download the collabnet filter lists:
{{code|
cd /etc/e2guardian/lists
git clone --depth 1 https://git.computernewb.com/collabvm/e2guardian.git group1
}}
}}
==== Updating the filter lists ====
To enable automatic updates of the filter lists, run <code>sudo crontab -e</code> and add the following to the bottom of the file:
{{code|
0 * * * * /etc/e2guardian/lists/group1/getall.sh >/dev/null 2>&1
}}
This will check for filter list updates once an hour.
=== Start it up ===
You should now be able to start e2guardian without error using the following command: