14
edits
CollabNet Guide: Difference between revisions
m
update e2g
No edit summary |
m (update e2g) |
||
| (23 intermediate revisions by 2 users not shown) | |||
|
This guide will walk you through setting up a Virtual Network for your VMs. This will allow you to route your VM traffic behind a
= Prerequisites =
*
* A host running a Linux distribution
* Basic computer and command line literacy. Nobody is going to hold your hand
=== Systemd ===
All network configuration is done in the <code>/etc/systemd/network</code> directory. We'll start by
{{code|
sudo systemctl enable --now systemd-networkd
}}
Next, create the bridge. The following simply creates a network bridge named <code>collabnet</code>
'''/etc/systemd/network/collabnet.netdev'''
TODO
Now for the """fun""" part. We're going to set up a router VM, responsible for routing all traffic from the VMs. You'll want to give it '''two''' network adapters, one for the WAN (the internet) and another LAN (your VMs, the collabnet bridge).
With this command, you can SSH forward and VNC to port 5910. When installing Debian, you can accept defaults, although I recommend not using a desktop environment on your router.
Once you boot to a command line, the first thing we'll do is remove the builtin ifupdown network daemon and use systemd-networkd, as it's much easier to manage.
{{code|
sudo apt-get purge -y ifupdown
sudo systemctl enable --now systemd-networkd
}}
We'll then disable systemd-resolved and set up a static DNS config
{{code|
# Systemd-resolved was removed in Debian 12, therefore if you are using Debian 12 or later you do not need to run this.
sudo systemctl disable --now systemd-resolved
sudo systemctl mask systemd-resolved
nameserver 1.0.0.1
EOF
}}
Note that the internet will die on the router. This is because systemd-networkd is not configured by default. First, let's figure out our interface names using the command <code>ip a</code>. For me, the WAN interface was <code>ens3</code> and the LAN was <code>ens4</code>. This may vary however if you're using the QEMU command above the WAN interface will appear first in the list. For the rest of the guide I will be assuming the above interface names. Make sure to change them if yours are different.
Lastly, set some sysctl values:
{{code|
<nowiki>sudo tee /etc/sysctl.d/router.conf </nowiki><<<nowiki>EOF
net.ipv4.conf.default.rp_filter = 2
net.ipv4.conf.all.rp_filter = 2
net.ipv4.ip_forward = 1
EOF</nowiki>
}}
Apply them:
{{code|<nowiki>
sudo sysctl --system
</nowiki>}}
Now, we can set up basic routing. First, install some required packages
{{code|
sudo apt-get install -y nftables dnsmasq curl resolvconf
}}
If your WAN and LAN IPs differ from the examples above, edit nftables.conf and change them at the top.
Next, copy our DNSMASQ config. DNSMASQ is responsible for DHCP and DNS.
There are also some examples of static leases. You can either use the MAC addresses provided in the examples on your VMs, or change them. You need to add a static lease to dnsmasq.conf for each VM you have or it won't be able to connect to the internet.
The following commands should get all the router components up and running
}}
If all went well, you should now have a basic working router. To test this, start up one of your VMs on its TAP. You can do this by removing any <code>-net</code>, <code>-netdev</code>, or <code>-netdev</code> arguments from the QEMU command, and adding the following:
If everything went well, the VM should obtain an IP on boot and be able to access the internet. If not, you can try to troubleshoot or join our discord and create a post in #support, and we can try to help.
The following is not strictly required, however is recommended.
If you don't want users to be able to make traffic from your IP address (you almost definitely do not), you should set up a VPN, for all your users' traffic to be run through. You'll need a VPN that supports wireguard (and additionally you'll want to make sure that this usecase is allowed by their Terms of Service). Here are a few:
* [https://mullvad.net/en Mullvad] ($5 a month)
* [https://protonvpn.com/ ProtonVPN] (Premium plan is $10 a month, however their free plan allows WireGuard making this one preferable if you don't want to spend money)
Once you have your VPN picked out, register an account and generate a WireGuard profile. This varies by VPN but its usually in the Downloads section or its own category. It should give you a wireguard configuration either as a downloadable file or to copy and paste.
Next, install wireguard into your router:
{{code|
sudo apt-get install wireguard-tools
}}
Once this is installed, paste the contents of your WireGuard configuration into <code>/etc/wireguard/wg.conf</code>. An example file looks like this:
{{code|<nowiki>
[Interface]
PrivateKey = ThisIsAnExampleDontActuallyUseThis=
Address = 10.65.2.87/32,fc00:bbbb:bbbb:bb01::2:256/128
DNS = 10.64.0.1
[Peer]
PublicKey = gH/ThisIsAnExampleDontActuallyUseThis=
Endpoint = 1.1.1.1:51820
AllowedIPs = 0.0.0.0/0, ::0/0
</nowiki>}}
With that all set, you can now enable the VPN with the following command:
{{code|
sudo systemctl enable --now wg-quick@wg
}}
If all went well, you should now be connected to the VPN:
{{code|<nowiki>
$ curl ipinfo.io/what-is-my-ip
{
"ip": "143.244.47.86",
"hostname": "unn-143-244-47-86.datapacket.com",
"city": "Weehawken",
"region": "New Jersey",
"country": "US",
"loc": "40.7696,-74.0204",
"org": "AS212238 Datacamp Limited",
"postal": "07086",
"timezone": "America/New_York",
"readme": "https://ipinfo.io/missingauth"
}
</nowiki>}}
The last step is to connect the VMs to the VPN. First, get your private IP on the vpn network:
{{code|<nowiki>
$ ip a
(...)
7: wg: </nowiki><<nowiki>POINTOPOINT,NOARP,UP,LOWER_UP</nowiki>><nowiki> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
link/none
inet 10.65.2.87/32 </nowiki><<nowiki>---- THIS RIGHT HERE scope global wg
</nowiki>}}
As we can see, our private IP in this example is <code>10.65.2.87</code>. All we have to do is open nftables.conf and set <code>WAN</code> to <code>wg</code>, and <code>SNAT</code> to this private IP:
{{code|<nowiki>
/etc/nftables.conf
(...)
define SNAT = 10.65.2.87
(...)
define WAN = wg
</nowiki>}}
Reload your nftables configuration:
{{code|
sudo nft -f /etc/nftables.conf
}}
If all went well, your VMs should now be connected to the VPN
== E2Guardian ==
E2Guardian can be used to implement network filtering on your VM. It supports transparent HTTP and HTTPS filtering making it ideal for a setup like CollabVM where the client can't be trusted to always use a proxy or DNS server. Here's how to set it up.
=== Installation ===
First is to install e2guardian.
Run the following command:
{{code|
wget https://e2guardian.numsys.eu/v5.5/e2debian_bookworm_V5.5.5_20240422.deb # IF THERE'S A NEWER VERSION AVAILABLE AT https://e2guardian.numsys.eu/, USE THAT INSTEAD
sudo apt-get install ./e2debian_bookworm_V5.5.5_20240209.deb
}}
Install some other dependencies:
{{code|
sudo apt-get install git curl tar sed
}}
=== Configuration ===
Now we need to do some configuration. The e2guardian config directory is not readable by a normal user, so shell in as root.
{{code|
$ sudo -i
# cd /etc/e2guardian
}}
Create a directory for generated certificates, and give e2guardian permissions:
{{code|
mkdir -p private/generatedcerts
chown e2guardian:e2guardian private/generatedcerts
}}
Generate the required keys and CA certificate for SSL MITM:
{{code|
openssl genrsa 4096 > private/ca.key
openssl genrsa 4096 > private/cert.key
openssl req -new -x509 -days 3650 -sha256 -key private/ca.key -out private/ca.pem
}}
The last command will ask for some information, you can leave most of it blank and fill what you want.
Next, some configuration. Open e2guardian.conf in an editor, then find and set the following values:
{{code|<nowiki>
transparenthttpsport = 8443
enablessl = on
sslcertificatepath = '/etc/ssl/certs'
useoriginalip = on
</nowiki>}}
{{ombox
| type = speedy
| image = [[File:Ambox_important_red.svg|40px]]
| text = If your router VM has 4GB of RAM or less, set the <code>httpworkers</code> option to <code>300</code> to avoid out-of-memory issues!
}}
Now open e2guardianf1.conf in an editor, then find and set the following values:
{{code|<nowiki>
## COMMENT OUT THESE LINES:
# storyboard = '/etc/e2guardian/examplef1.story' # comment out for production
# .Define LISTDIR </nowiki><<nowiki>/etc/e2guardian/lists/example.group</nowiki>><nowiki> # comment out for production
sslmitm = on
</nowiki>}}
Copy <code>examplef1.story</code> to <code>group1.story</code>:
{{code|
cp examplef1.story group1.story
}}
=== Filter lists ===
Now you can download the collabnet filter lists:
{{code|
cd /etc/e2guardian/lists
git clone --depth 1 https://git.computernewb.com/collabvm/e2guardian.git group1
}}
Download the ut1 and oisd filter lists:
{{code|
cd group1
./getall.sh
}}
==== Updating the filter lists ====
To enable automatic updates of the filter lists, run <code>sudo crontab -e</code> and add the following to the bottom of the file:
{{code|
0 * * * * /etc/e2guardian/lists/group1/getall.sh >/dev/null 2>&1
}}
This will check for filter list updates once an hour.
=== Start it up ===
You should now be able to start e2guardian without error using the following command:
{{code|
sudo systemctl enable --now e2guardian
}}
You can confirm that it's working by seeing if it's listening on ports 8080 and 8443:
{{code|<nowiki>
$ sudo ss -tulnp
(...)
tcp LISTEN 0 256 0.0.0.0:8080 0.0.0.0:* users:(("e2guardian",pid=168580,fd=5))
tcp LISTEN 0 256 0.0.0.0:8443 0.0.0.0:* users:(("e2guardian",pid=168580,fd=7))
(...)
</nowiki>}}
=== Routing the VM traffic ===
We can now set a firewall rule to redirect all VM traffic through e2guardian. Open /etc/nftables.conf and uncomment the following lines near the end:
{{code|<nowiki>
iifname $LAN ip daddr != 192.168.1.0/24 tcp dport 80 redirect to :8080
iifname $LAN ip daddr != 192.168.1.0/24 tcp dport 443 redirect to :8443
</nowiki>}}
Reload nftables:
{{code|
sudo nft -f /etc/nftables.conf
}}
=== Test it out ===
First, put /etc/e2guardian/private/ca.pem onto one of your VMs. This is usually done through installing nginx onto the router and copying ca.pem into the webroot. Next, install ca.pem as a Trusted Root Certification Authority (on Windows, you need to change the file extension to .crt for it to be recognized.)
If all went well, you should be able to browse to websites and see that the SSL certificate was signed by your generated CA. Additionally, sites blocked in the filter list should show a block page (try something like anydesk.com)
=== Change the block page ===
You can create a custom block page by editing /usr/share/e2guardian/languages/ukenglish/template.html. For assets like images you'll need to install a webserver (usually nginx) on the router and host them that way.
== Application Blocking (DNS) ==
Some applications could still continue to work despite being blocked by E2Guardian, to solve this, DNS blocking can be used.
In this example, the application we will be blocking is AnyDesk, but this can be done to any application that relies on DNS to find what servers to communicate with.
Open {{code|inline=y|/etc/dnsmasq.conf}} and insert the following line at the end of the file:
{{code|lang=text|<nowiki>
address=/anydesk.com/0.0.0.0</nowiki>
}}
After saving the file, reload dnsmasq using {{code|inline=y|sudo systemctl restart dnsmasq}}
If everything went well, the AnyDesk client should no longer be able to connect successfully ({{code|inline=y|anynet_no_dns_entry}}).
| |||