I had to rebuild my router, and these are my notes. Hopefully I won’t have to look all this up again in the future. I really feel like I do this more than I should.
With two NICs, you’re gonna need to forward some traffic. First things first, enable packet forwarding now, and persist it so it survives a reboot:
sudo sysctl -w net.ipv4.ip_forward=1
sudo vi /etc/sysctl.d/99-sysctl.conf   # add the line net.ipv4.ip_forward = 1 to this file
The interface config is something I always seem to have to figure out or google.
Here is a template to edit:
TYPE="Ethernet"
PROXY_METHOD="none"
BROWSER_ONLY="no"
BOOTPROTO="none"
DEFROUTE="yes"
IPV4_FAILURE_FATAL="no"
IPV6INIT="yes"
IPV6_AUTOCONF="yes"
IPV6_DEFROUTE="yes"
IPV6_FAILURE_FATAL="no"
IPV6_ADDR_GEN_MODE="stable-privacy"
NAME="<interface>"
DEVICE="<interface>"
ONBOOT="yes"
IPADDR=123.456.789.100
PREFIX=24
GATEWAY=123.456.789.1
DNS1=126.96.36.199
Since this machine is going to be on the internet, you should install fail2ban.
I have taken these notes from here.
sudo dnf install -y epel-release fail2ban
Configure the local jail:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Now we need to make the necessary changes in the jail.local file to create ban rules. Edit this file in your favorite editor and make the changes in the [DEFAULT] section:
[DEFAULT]
# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
# will not ban a host which matches an address in this list. Several addresses
# can be defined using space (and/or comma) separator.
ignoreip = 127.0.0.1/8 192.168.1.0/24
# "bantime" is how long a host is banned.
bantime = 60m
# A host is banned if it has generated "maxretry" failures during the last "findtime"
# (5 minutes with the setting below).
findtime = 5m
# "maxretry" is the number of failures before a host gets banned.
maxretry = 5

[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=22, protocol=tcp]
         sendmail-whois[name=SSH, dest=root, sender=firstname.lastname@example.org, sendername="Fail2Ban"]
logpath = /var/log/secure
maxretry = 3
Then enable and start the service:
sudo systemctl start fail2ban.service
sudo systemctl enable fail2ban.service
A lot of these steps were taken from here. Thank you for writing it.
My router is going to be my local DNS server and my DHCP server. There are a ton of options out there, but dnsmasq is the easiest way to combine the two.
Install dnsmasq, then enable and start it:
sudo dnf -y install dnsmasq
sudo systemctl start dnsmasq
sudo systemctl enable dnsmasq
Edit the configuration file:
sudo vi /etc/dnsmasq.conf
The first thing you want to do is edit the listen address for dnsmasq. My network is 172.16.10.0, so my .1 is my machine.
Next, you want to edit the interface. Enable expand-hosts to help with the machines that come and go. Also set your domain to your domain. :)
Define the upstream DNS servers:
This is how to get the DNS portion up. Go ahead and get out of the file and run a sanity check:
sudo dnsmasq --test
dnsmasq uses your resolv.conf as your upstream DNS and your local hosts file as your local DNS entries. Confirm they are set up correctly now.
If you need to make changes, NetworkManager will override your changes, so you need to make the file immutable:
sudo chattr +i /etc/resolv.conf
# to edit it later: drop the immutable flag, edit, set it again, then verify the flag
sudo chattr -i /etc/resolv.conf
sudo vi /etc/resolv.conf
sudo chattr +i /etc/resolv.conf
sudo lsattr /etc/resolv.conf
Now that everything is set up, we should restart dnsmasq and add the firewall changes in:
sudo firewall-cmd --add-service=dns --permanent
sudo firewall-cmd --add-service=dhcp --permanent
sudo firewall-cmd --reload   # permanent rules only take effect after a reload
sudo firewall-cmd --list-all
Now that we have a working dnsmasq instance, let’s set up the DHCP part.
Set the dhcp-range in the configuration file. Next, edit the dhcp-leasefile and make it authoritative by uncommenting the authoritative setting. Then restart dnsmasq and you should be good!
sudo systemctl restart dnsmasq
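As an added example that is not part of these notes: a small Python checker for the dnsmasq settings described above (listen address, interface, dhcp-range, authoritative). dnsmasq --test only checks syntax; this also flags a config that would answer DNS/DHCP on the WAN side of a two-NIC router. The sample config is constructed; eth1 as the LAN interface and home.lan as the domain are assumptions.

```python
import ipaddress
import re

# Constructed sample /etc/dnsmasq.conf using the 172.16.10.0/24 network from these
# notes; "eth1" (LAN interface) and "home.lan" (domain) are assumptions for the example.
SAMPLE_CONF = """
listen-address=172.16.10.1
interface=eth1
bind-interfaces
expand-hosts
domain=home.lan
dhcp-range=172.16.10.100,172.16.10.200,12h
dhcp-leasefile=/var/lib/dnsmasq/dnsmasq.leases
dhcp-authoritative
"""


def parse_dnsmasq(text):
    """Map each option to its list of values; bare flags (no '=') get None."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition("=")
        opts.setdefault(key.strip(), []).append(value.strip() or None)
    return opts


def check_router_conf(text, lan_net):
    """Return the list of problems found; an empty list means the config passes."""
    net = ipaddress.ip_network(lan_net)
    opts = parse_dnsmasq(text)
    problems = []
    listens = [ipaddress.ip_address(v) for v in opts.get("listen-address", []) if v]
    if "interface" not in opts and not listens:
        problems.append("no interface= or listen-address=: dnsmasq also answers on the WAN")
    for addr in listens:
        if addr not in net:
            problems.append(f"listen-address {addr} is outside {net}")
    if "bind-interfaces" not in opts:
        problems.append("bind-interfaces missing: dnsmasq binds 0.0.0.0 and only filters")
    for rng in opts.get("dhcp-range", []):
        # a range may carry a tag or interface prefix, so pull the first two IPv4 fields
        bounds = [ipaddress.ip_address(ip) for ip in re.findall(r"\d+\.\d+\.\d+\.\d+", rng or "")[:2]]
        if any(ip not in net for ip in bounds):
            problems.append(f"dhcp-range {rng} leaves {net}")
    if "dhcp-range" in opts and "dhcp-authoritative" not in opts:
        problems.append("dhcp-authoritative missing: unknown leases are ignored instead of NAKed")
    return problems
```

Run check_router_conf(open("/etc/dnsmasq.conf").read(), "172.16.10.0/24") against the real file after dnsmasq --test passes.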
Now that you have DNS and DHCP running, you need to make sure your router actually routes things.
You need to add masquerade to your firewall:
sudo firewall-cmd --add-masquerade --permanent
sudo firewall-cmd --reload
Now that you have a working router, you probably want to VPN into your network. Let’s get OpenVPN up and running.
The first thing you need to do is install git and pull down Nyr’s repo for automatically configuring OpenVPN:
cd ~
sudo dnf -y install git
git clone https://github.com/Nyr/openvpn-install.git
Run the installer in the repository:
cd openvpn-install
sudo chmod +x openvpn-install.sh
sudo ./openvpn-install.sh   # the installer needs root
Follow the prompts…
EDIT: It seems I couldn’t get “across” my network, so I had to edit /etc/openvpn/server/server.conf with the following:
push "route 172.16.10.0 255.255.255.0"
Now I can get to my internal network, which is what I was hoping for.
Congrats! You now have a working router/vpn machine!