CollabNet Guide: Difference between revisions

From Computernewb Wiki
No edit summary
No edit summary
Line 79: Line 79:


TODO
TODO

== Setting up the router ==

Now for the """fun""" part. We're going to set up a router VM, responsible for routing all traffic from the VMs. You'll want to give it '''two''' network adapters, one for the WAN (the internet) and another LAN (your VMs, the collabnet bridge).

The router will be running Debian. You can either netboot it from within QEMU (Press Ctrl+B when prompted on boot, enter <code>dhcp && boot http://boot.netboot.xyz</code>) or download an ISO and mount it. Your choice.

Here is an example QEMU start command for the router VM. You'll need to create the disk image and adjust paths.
{{code|<nowiki>
sudo -u collabvm qemu-system-x86_64 \
-accel kvm \
-cpu host \
-m 2G \
-hda /srv/collabvm/router/router.qcow2 \
-netdev user,id=wan -device virtio-net,netdev=wan \
-netdev tap,id=lan,ifname=ktrouter,script=no,downscript=no -device virtio-net,netdev=lan \
-vnc 127.0.0.1:10
</nowiki>}}

With this command, you can SSH forward and VNC to port 5910. When installing Debian, you can accept defaults, although I recommend not using a desktop environment on your router.

=== Initial configuration ===

Once you boot to a command line, the first thing we'll do is remove the builtin ifupdown network daemon and use systemd-networkd, as it's much easier to manage.

{{code|
sudo apt-get purge -y ifupdown
sudo ip addr flush
sudo systemctl enable --now systemd-networkd
}}

We'll then disable systemd-resolved and set up a static DNS config

{{code|
sudo systemctl disable --now systemd-resolved
sudo systemctl mask systemd-resolved
sudo rm /etc/resolv.conf # remove the symlink
sudo tee /etc/resolv.conf <<EOF
nameserver 1.1.1.1
nameserver 1.0.0.1
EOF
}}

Note that the internet will die on the router. This is because systemd-networkd is not configured by default. First, let's figure out our interface names using the command <code>ip a</code>. For me, the WAN interface was <code>ens3</code> and the LAN was <code>ens4</code>. This may vary however if you're using the QEMU command above the WAN interface will appear first in the list. For the rest of the guide I will be assuming the above interface names. Make sure to change them if yours are different.

Let's first configure the WAN interface to use DHCP.

'''/etc/systemd/network/wan.network'''
{{code|<nowiki>
[Match]
Name=ens3

[Network]
DHCP=ipv4
</nowiki>}}

Then, we'll assign the LAN interface the static ip of <code>192.168.1.1</code>

'''/etc/systemd/network/lan.network'''
{{code|<nowiki>
[Match]
Name=ens4

[Network]
Address=192.168.1.1/24
</nowiki>}}

You can then reload the network configuration:

{{code|
sudo systemctl restart systemd-networkd
}}

If all went well, you should be able to access the internet (test with <code>ping google.com</code>)

Now, we can set up basic routing. First, install some required packages
{{code|
sudo apt-get install -y nftables dnsmasq curl
}}

Now, download our nftables config template. This sets up a simple router. We'll expand on it later.

{{code|
sudo curl 'https://computernewb.com/~elijah/nftables.conf' -o /etc/nftables.conf
}}

If your WAN and LAN IPs differ from the examples above, edit nftables.conf and change them at the top.
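
Review bot: `sudo ip addr flush` in the first Initial configuration block has no device or selector, and iproute2 rejects a bare flush with "Flush requires arguments", so the step removes nothing. Give it an interface, for example `sudo ip addr flush dev ens3`, and note that the names come from `ip a`, which the text only introduces two blocks later. Separately, the final block has curl write a remote file straight to /etc/nftables.conf as root. Downloading to a temporary path and running `nft -c -f` on it before it replaces the config would catch a truncated download or an error page, and the visible lines never say how the ruleset gets loaded or enabled afterwards.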

Revision as of 23:03, 9 June 2023

This guide will walk you through setting up a Virtual Network for your VMs. This will allow you to route your VM traffic behind a VM (strongly recommended for several reasons), filter web traffic, and prevent access to your local network from the VMs.

Prerequisites

  • A few hours of your time
  • A host running a Linux distribution
  • Basic computer and command line literacy. Nobody is going to hold your hand

Host Preparation

IP Forwarding

First, we're going to enable IP forwarding on your host. This will allow traffic from the VMs to be routed to and from the router. The following command will write this to the sysctl configuration.

echo 'net.ipv4.ip_forward = 1' | sudo tee /etc/sysctl.d/router.conf

To apply, either reboot or run the following:

sudo sysctl --system

Bridge configuration

Next, we'll set up a network bridge with multiple TAP interfaces. You can think of a TAP interface as a virtual Ethernet port connected to your VM, and the network bridge as a virtual Ethernet switch connecting them all together. The instructions to do this vary based on your network daemon. For this guide we'll assume (and recommend) you're using systemd-networkd, or netifrc on OpenRC.

We'll also be giving the collabvm group access to the TAPs. If you have yet to create a user for CollabVM, do so now.

Systemd

All network configuration is done in the /etc/systemd/network directory. We'll start by creating the bridge itself. The following simply creates a network bridge named collabnet.

/etc/systemd/network/collabnet.netdev

[NetDev]
Name=collabnet
Kind=bridge

Next, we'll create a TAP for our router VM. The following creates a new TAP named ktrouter

/etc/systemd/network/ktrouter.netdev

[NetDev]
Name=ktrouter
Kind=tap

[Tap]
Group=collabvm

Now, you can create a TAP for each VM. The following adds a TAP named ktvm1. To add more, repeat the following, creating files named ktvm2, ktvm3, and so on. Make sure to also change the TAP name inside the file to match this.

/etc/systemd/network/ktvm1.netdev

[NetDev]
Name=ktvm1
Kind=tap

[Tap]
Group=collabvm

Finally, we connect all of our TAPs to the collabnet bridge.

/etc/systemd/network/collabnet.network

[Match]
Name=kt*

[Network]
Bridge=collabnet

Once the files are in place, you can either reboot or run the following to reload the network configuration:

sudo systemctl restart systemd-networkd
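
The per-VM TAP files above differ only in the interface name, so they can be generated rather than copied by hand. This is an added example, not part of the original guide: the function names and the scratch output directory are assumptions, and the length check reflects the 15-character Linux limit on interface names.

```shell
#!/bin/sh
# Added example: generate ktvmN.netdev files for N VMs.
# Files are written to a directory you choose, so nothing under /etc
# changes until you have reviewed the output.

write_tap_netdev() {
    # $1 = TAP name, $2 = output directory
    name=$1 dir=$2
    # collabnet.network only bridges interfaces matching Name=kt*,
    # so any other name would never be attached to the bridge.
    case $name in
        kt*) ;;
        *) echo "refusing $name: not matched by Name=kt*" >&2; return 1 ;;
    esac
    # Linux interface names are limited to 15 characters.
    if [ "${#name}" -gt 15 ]; then
        echo "refusing $name: longer than 15 characters" >&2; return 1
    fi
    cat > "$dir/$name.netdev" <<EOF
[NetDev]
Name=$name
Kind=tap

[Tap]
Group=collabvm
EOF
}

gen_vm_taps() {
    # $1 = number of VMs, $2 = output directory
    count=$1 dir=$2
    case $count in
        ''|*[!0-9]*) echo "count must be a positive integer" >&2; return 1 ;;
    esac
    [ "$count" -ge 1 ] || { echo "count must be at least 1" >&2; return 1; }
    mkdir -p "$dir" || return 1
    i=1
    while [ "$i" -le "$count" ]; do
        write_tap_netdev "ktvm$i" "$dir" || return 1
        i=$((i + 1))
    done
}
```

For example, run gen_vm_taps 4 ./taps, check the files, then copy them into /etc/systemd/network and restart systemd-networkd as above.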

OpenRC

TODO

Setting up the router

Now for the """fun""" part. We're going to set up a router VM, responsible for routing all traffic from the VMs. You'll want to give it two network adapters, one for the WAN (the internet) and another for the LAN (your VMs, the collabnet bridge).

The router will be running Debian. You can either netboot it from within QEMU (Press Ctrl+B when prompted on boot, enter dhcp && boot http://boot.netboot.xyz) or download an ISO and mount it. Your choice.

Here is an example QEMU start command for the router VM. You'll need to create the disk image and adjust paths.

sudo -u collabvm qemu-system-x86_64 \
-accel kvm \
-cpu host \
-m 2G \
-hda /srv/collabvm/router/router.qcow2 \
-netdev user,id=wan -device virtio-net,netdev=wan \
-netdev tap,id=lan,ifname=ktrouter,script=no,downscript=no -device virtio-net,netdev=lan \
-vnc 127.0.0.1:10

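With this command, the VM's display is served over VNC on display :10, which is port 5910 bound to 127.0.0.1 on the host, so you can reach it through an SSH port forward. When installing Debian, you can accept defaults, although I recommend not using a desktop environment on your router.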

Initial configuration

Once you boot to a command line, the first thing we'll do is remove the builtin ifupdown network daemon and use systemd-networkd, as it's much easier to manage.

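sudo apt-get purge -y ifupdown
# ip addr flush needs a device; use the names ip a shows (ens3 and ens4 in this guide)
sudo ip addr flush dev ens3
sudo ip addr flush dev ens4
sudo systemctl enable --now systemd-networkd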

We'll then disable systemd-resolved and set up a static DNS config:

sudo systemctl disable --now systemd-resolved
sudo systemctl mask systemd-resolved
sudo rm /etc/resolv.conf # remove the symlink
sudo tee /etc/resolv.conf <<EOF
nameserver 1.1.1.1
nameserver 1.0.0.1
EOF

Note that the internet will die on the router at this point, because systemd-networkd is not configured by default. First, let's figure out our interface names using the command ip a. For me, the WAN interface was ens3 and the LAN was ens4. The names may vary; however, if you're using the QEMU command above, the WAN interface will appear first in the list. For the rest of the guide I will be assuming the above interface names. Make sure to change them if yours are different.

Let's first configure the WAN interface to use DHCP.

/etc/systemd/network/wan.network

[Match]
Name=ens3

[Network]
DHCP=ipv4

Then, we'll assign the LAN interface the static IP of 192.168.1.1:

/etc/systemd/network/lan.network

[Match]
Name=ens4

[Network]
Address=192.168.1.1/24

You can then reload the network configuration:

sudo systemctl restart systemd-networkd

If all went well, you should be able to access the internet (test with ping google.com).

Now, we can set up basic routing. First, install some required packages:

sudo apt-get install -y nftables dnsmasq curl

Now, download our nftables config template. This sets up a simple router. We'll expand on it later.

sudo curl 'https://computernewb.com/~elijah/nftables.conf' -o /etc/nftables.conf

If your WAN and LAN IPs differ from the examples above, edit nftables.conf and change them at the top.
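
The curl command above writes the remote file directly over the firewall config. One way to stage it instead, so that a failed download or a syntax error never replaces a working ruleset, is sketched below. This is an added example, not part of the original guide: the function names and the NFT_CHECK override are assumptions, and the default check uses nft's own dry-run mode (-c).

```shell
#!/bin/sh
# Added example: validate a downloaded nftables ruleset before installing it.
# NFT_CHECK is a hypothetical override for the check command; by default
# it is nft's --check mode, which parses the file without applying it.
NFT_CHECK=${NFT_CHECK:-nft -c -f}

install_nft_config() {
    # $1 = candidate file (already downloaded), $2 = destination path
    src=$1 dest=$2
    [ -s "$src" ] || { echo "candidate is missing or empty" >&2; return 1; }
    # A failed download can leave an HTML error page or a truncated file;
    # the dry run rejects anything that is not a valid ruleset.
    if ! $NFT_CHECK "$src"; then
        echo "syntax check failed, leaving $dest untouched" >&2
        return 1
    fi
    # Keep the previous ruleset so a bad change can be rolled back.
    if [ -e "$dest" ]; then
        cp -p "$dest" "$dest.bak" || return 1
    fi
    install -m 0644 "$src" "$dest"
}

fetch_and_install() {
    # $1 = URL, $2 = destination; run as root on the router VM.
    tmp=$(mktemp) || return 1
    if curl --fail --silent --show-error --proto '=https' "$1" -o "$tmp" &&
        install_nft_config "$tmp" "$2"; then
        rm -f "$tmp"
    else
        rm -f "$tmp"; return 1
    fi
}
```

Read the downloaded file before installing it as well; the dry run only proves that it parses, not that the rules are the ones you want.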