CollabNet Guide

This guide will walk you through setting up a Virtual Network for your VMs. This will allow you to route your VM traffic behind a VPN (strongly recommended for several reasons), filter web traffic, and prevent access to your local network from the VMs.
 
= Prerequisites =
== Systemd ==
 
All network configuration is done in the <code>/etc/systemd/network</code> directory. We'll start by making sure systemd-networkd itself is enabled and started.
{{code|
sudo systemctl enable --now systemd-networkd
}}
Before defining the bridge, remove ifupdown so it no longer competes with systemd-networkd for the interfaces, flush the addresses it configured, and make sure systemd-networkd is enabled:
{{code|
sudo apt-get purge -y ifupdown
sudo ip addr flush
sudo systemctl enable --now systemd-networkd
}}

Next, create the bridge. The following simply creates a network bridge named <code>collabnet</code>:

'''/etc/systemd/network/collabnet.netdev'''
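The unit files that define the bridge and give it an address, as an added example rather than the guide's own files: the <code>collabnet</code> name is the guide's, the 192.168.1.1/24 address is an assumption matching the 192.168.1.0/24 subnet used by the nftables rules later in this guide, and the <code>vnet*</code>/<code>tap*</code> names are assumptions about how your hypervisor names the VM interfaces.

```ini
# /etc/systemd/network/collabnet.netdev
# Defines the bridge itself; no VM interface needs to exist yet.
[NetDev]
Name=collabnet
Kind=bridge

# /etc/systemd/network/collabnet.network
# Gives the bridge the router-side address of the VM subnet.
# 192.168.1.1/24 is an assumption matching the 192.168.1.0/24 subnet
# referenced by the nftables redirect rules in this guide.
[Match]
Name=collabnet

[Network]
Address=192.168.1.1/24
# A bridge with no ports attached reports no carrier; without this line
# networkd would hold the address back until the first VM comes up.
ConfigureWithoutCarrier=yes
# The VMs are assumed to get their addresses from dnsmasq (installed later
# in this guide), so nothing is to be learnt or auto-assigned on this link.
LinkLocalAddressing=no

# /etc/systemd/network/collabnet-ports.network
# Attaches the hypervisor-created VM interfaces to the bridge.
# "vnet*" and "tap*" are assumptions about your hypervisor's naming.
[Match]
Name=vnet* tap*

[Network]
Bridge=collabnet
```

After writing the files, <code>sudo networkctl reload</code> picks them up and <code>networkctl status collabnet</code> should show the bridge as configured with the address.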
 
{{code|
# Systemd-resolved was removed in Debian 12, therefore if you are using Debian 12 or later you do not need to run this.
sudo systemctl disable --now systemd-resolved
sudo systemctl mask systemd-resolved
}}
 
Apply the sysctl settings:
 
{{code|<nowiki>
sudo sysctl --system
</nowiki>}}
 
== nftables ==
Now we can set up basic routing. First, install the required packages:
{{code|
sudo apt-get install -y nftables dnsmasq curl resolvconf
}}
 
== E2Guardian ==
E2Guardian can be used to implement network filtering on your VM. It supports transparent HTTP and HTTPS filtering, making it ideal for a setup like CollabVM where the client can't be trusted to always use a proxy or DNS server. Here's how to set it up.
=== Installation ===
First, install e2guardian by running the following commands:
{{code|
wget https://e2guardian.numsys.eu/v5.5/e2debian_bookworm_V5.5.5_20240422.deb # IF THERE'S A NEWER VERSION AVAILABLE AT https://e2guardian.numsys.eu/, USE THAT INSTEAD
sudo apt-get install ./e2debian_bookworm_V5.5.5_20240422.deb
}}
Install some other dependencies:
{{code|
sudo apt-get install git curl tar sed
}}
=== Configuration ===
Now we need to do some configuration. The e2guardian config directory is not readable by a normal user, so shell in as root.
{{code|
$ sudo -i
# cd /etc/e2guardian
}}
Create a directory for generated certificates, and give e2guardian permissions:
{{code|
mkdir -p private/generatedcerts
chown e2guardian:e2guardian private/generatedcerts
}}
Generate the required keys and CA certificate for SSL MITM:
{{code|
openssl genrsa 4096 > private/ca.key
openssl genrsa 4096 > private/cert.key
openssl req -new -x509 -days 3650 -sha256 -key private/ca.key -out private/ca.pem
}}
The last command will prompt for some information; you can leave most of it blank or fill in what you want.
 
Next, some configuration. Open e2guardian.conf in an editor, then find and set the following values:
{{code|<nowiki>
transparenthttpsport = 8443
enablessl = on
sslcertificatepath = '/etc/ssl/certs'
useoriginalip = on
</nowiki>}}
{{ombox
| type = speedy
| image = [[File:Ambox_important_red.svg|40px]]
| text = If your router VM has 4GB of RAM or less, set the <code>httpworkers</code> option to <code>300</code> to avoid out-of-memory issues!
}}
 
Now open e2guardianf1.conf in an editor, then find and set the following values:
{{code|<nowiki>
## COMMENT OUT THESE LINES:
# storyboard = '/etc/e2guardian/examplef1.story' # comment out for production
# .Define LISTDIR </etc/e2guardian/lists/example.group> # comment out for production

sslmitm = on
</nowiki>}}
Copy <code>examplef1.story</code> to <code>group1.story</code>:
{{code|
cp examplef1.story group1.story
}}
=== Filter lists ===
Now you can download the collabnet filter lists:
{{code|
cd /etc/e2guardian/lists
git clone --depth 1 https://git.computernewb.com/collabvm/e2guardian.git group1
}}
Download the ut1 and oisd filter lists:
{{code|
cd group1
./getall.sh
}}
==== Updating the filter lists ====
To enable automatic updates of the filter lists, run <code>sudo crontab -e</code> and add the following to the bottom of the file:
{{code|
0 * * * * /etc/e2guardian/lists/group1/getall.sh >/dev/null 2>&1
}}
This will check for filter list updates once an hour.
=== Start it up ===
You should now be able to start e2guardian without error using the following command:
{{code|
sudo systemctl enable --now e2guardian
}}
You can confirm that it's working by checking that it is listening on ports 8080 and 8443:
{{code|<nowiki>
$ sudo ss -tulnp
(...)
tcp LISTEN 0 256 0.0.0.0:8080 0.0.0.0:* users:(("e2guardian",pid=168580,fd=5))
tcp LISTEN 0 256 0.0.0.0:8443 0.0.0.0:* users:(("e2guardian",pid=168580,fd=7))
(...)
</nowiki>}}
=== Routing the VM traffic ===
We can now set a firewall rule to redirect all VM traffic through e2guardian. Open /etc/nftables.conf and uncomment the following lines near the end:
{{code|<nowiki>
iifname $LAN ip daddr != 192.168.1.0/24 tcp dport 80 redirect to :8080
iifname $LAN ip daddr != 192.168.1.0/24 tcp dport 443 redirect to :8443
</nowiki>}}
Reload nftables:
{{code|
sudo nft -f /etc/nftables.conf
}}
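A complete ruleset of the kind this guide's <code>/etc/nftables.conf</code> holds, as an added example rather than the guide's own file: the <code>$LAN</code> define, the 192.168.1.0/24 subnet and the two redirect lines are the guide's; the <code>tun0</code> VPN interface name, the forced-DNS rules and the private-range forward drop are assumptions that implement the goals stated in the introduction (VPN-only egress, no access to the local network, no bypassing the proxy or DNS server).

```nft
#!/usr/sbin/nft -f
flush ruleset

define LAN = "collabnet"       # the VM bridge from the systemd section
define LANNET = 192.168.1.0/24
define VPN = "tun0"            # assumption: your VPN tunnel device

table inet filter {
    chain input {
        type filter hook input priority 0; policy accept;
        ct state established,related accept
        # From the VM bridge only DHCP, DNS, nginx (serving ca.pem) and the
        # two e2guardian listeners are reachable; the rest of the router is not.
        iifname $LAN udp dport { 53, 67 } accept
        iifname $LAN tcp dport { 53, 80, 8080, 8443 } accept
        iifname $LAN drop
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # VMs never reach the host's own LAN or any other private range
        iifname $LAN ip daddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } drop
        # ... and only leave through the VPN, so a tunnel outage fails closed
        iifname $LAN oifname $VPN accept
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        # Force all DNS to the router's dnsmasq so the address=/.../ blocks
        # cannot be bypassed by pointing a VM at another resolver
        iifname $LAN udp dport 53 redirect to :53
        iifname $LAN tcp dport 53 redirect to :53
        # Transparent proxying into e2guardian (the two lines the guide uncomments)
        iifname $LAN ip daddr != $LANNET tcp dport 80 redirect to :8080
        iifname $LAN ip daddr != $LANNET tcp dport 443 redirect to :8443
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname $VPN masquerade
    }
}
```

The redirected connections are terminated on the router, so e2guardian's own upstream requests are router-originated traffic and are only tunnelled if the VPN is the router's default route; the nat table is IPv4 only, like the rest of this guide, so give the VMs no IPv6 route or add matching ip6 rules.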
=== Test it out ===
First, put /etc/e2guardian/private/ca.pem onto one of your VMs. This is usually done through installing nginx onto the router and copying ca.pem into the webroot. Next, install ca.pem as a Trusted Root Certification Authority (on Windows, you need to change the file extension to .crt for it to be recognized.)
 
If all went well, you should be able to browse to websites and see that the SSL certificate was signed by your generated CA. Additionally, sites blocked in the filter list should show a block page (try something like anydesk.com).
=== Change the block page ===
You can create a custom block page by editing /usr/share/e2guardian/languages/ukenglish/template.html. For assets like images you'll need to install a webserver (usually nginx) on the router and host them that way.
 
== Application Blocking (DNS) ==
Some applications could still continue to work despite being blocked by E2Guardian. To solve this, DNS blocking can be used.
 
In this example, the application we will be blocking is AnyDesk, but this can be done for any application that relies on DNS to find which servers to communicate with.
 
Open {{code|inline=y|/etc/dnsmasq.conf}} and insert the following line at the end of the file:
{{code|lang=text|<nowiki>
address=/anydesk.com/0.0.0.0</nowiki>
}}
 
After saving the file, reload dnsmasq using {{code|inline=y|sudo systemctl restart dnsmasq}}.
 
If everything went well, the AnyDesk client should no longer be able to connect successfully ({{code|inline=y|anynet_no_dns_entry}}).