Friday, December 20, 2013

Part I - The Ultimate Linux Home (and possibly Small Business) Router based on openSUSE

Introduction


This is a multi-part post that walks through the creation of what I consider to be "The Ultimate Linux Based Home Router". Of course, your feelings on what is truly The Ultimate will likely differ from mine; however, since this is my blog, I'm the one defining it.
My apologies for typos or bad grammar along the way. My secret real reason for putting this together is to ensure that I have a log of what I did. I have very little time to devote to blogging, so proof-reading has only been partially done.

Distribution

I picked OpenSUSE: Tumbleweed. There are many Linux Router distributions like ClearOS and such that offer turn-key solutions. I tried them and didn't like that a lot of the features I was interested in were add-ons that cost money. These guys offer a clear advantage--they're really dead simple to setup and maintain. If you want easy, go that route. If you want free, and want to learn a bit along the way, follow along. My choice of openSUSE is purely because I'm comfortable with it. I've been working with OpenSUSE for about a decade.

Features - Work in Progress

  • High performance routing and all of the features you'd expect from a home router, DHCP, DNS, etc.
  • Active Directory without Windows Server
  • NTP Server
  • Certificate Server
  • Authenticated transparent proxy with filtering for the children
  • Advertisement filtering and privacy enhancing capabilities for every device on network
  • Secure Shell with port forwarding
  • Traffic shaping
  • Intrusion Prevention
  • Guest wireless access for children's wireless devices and other untrusted devices (these will be filtered the most aggressively, including an SSL interception/replay with a local certificate from our new CA)
  • Home web server
At the time this was published, advertisement filtering, secure shelling, NTP and Active Directory are completed. I ran into some issues with being double NATed that have to wait until Comcast is open so I can have a static IP provisioned. I'll publish the remaining steps as I get them completed.

But Why?

Partly because I can. Mostly because this year I remarried and added two (amazing) children to my life. One of them is in second grade and is just starting to regularly use the internet. He also has an older friend across the street who has no internet access, so his phone is hooked up to my wireless. We're nuts in this house about adult supervision on the Internet (yes, we're those kinds of parents). At the same time, I know we won't be around all the time, so I want my children's (and their friend's) devices to be highly restricted. Filters suck. And I know there will be times when I will need to open up access to some things, so by adding authentication to the proxy, I or my lovely wife will be able to login with an account that is less restricted.
As far as wireless is concerned, I hate the idea of giving out my wireless password to devices I don't own. Google's Android, by default, uploads the wireless keys and stores them in a retrievable format, meaning Google essentially has the keys to everyone's WiFi network any Android device has connected to (there's an opt-out to this feature, but most people don't use it). We opt out on our main network with our devices. Any other devices that want access will have to go through our guest network, which includes an SSL intercepting firewall (don't worry, I'll make sure to document how to skip that feature).

Hardware

I repurposed an old MiniITX media center PC. It's got a lot of hardware that is unnecessary, but it's powerful enough to fit the bill for a solid home router. The specs are:
  • 2.4 GHz Intel Core(TM) i3 CPU M370
  • 4GB onboard memory
  • Built-in Ethernet and Wifi
  • USB 3.0 External Ethernet

BIOS / Hardware Preparation

This is going to be different for everyone, so you'll have to hunt around, but here is what you want to configure. Depending on your hardware, some of these options may not be available. Don't worry, they are all optional.
  • SATA should be in AHCI (not IDE) mode.
  • Power on when power is lost.
  • Decide what to do about HyperThreading
  • Disable any hardware that you won't be using (Parallel ports, sound cards)
If you can't switch SATA to AHCI, later in this document when I'm referring to the main hard drive, I'll be calling it 'sda'. This may show up as 'hda' for you. Just switch it around. With regards to HyperThreading, most of the recommendations for Linux Routers advise to disable it. On my previous home-grown router (on much less powerful hardware), I ended up enabling it because it routinely fell over with too much traffic when it was disabled. I am disabling it on this hardware.
At this point, I do not have the USB Ethernet adapter even plugged into this machine. I also have an existing router in place that I do not want to disturb, yet (that way my other computer can continue to surf the internet while I'm building this new router). If you have more than one Ethernet adapter on board, make sure you only plug one cable in and make sure the cable is plugged into the ethernet adapter that you want to be your Internal/Non-internet facing adapter.

The GUI Installation

Download the correct version of openSUSE 13.1 for the processor that your new router has installed. Burn it to a DVD or follow the instructions to make a thumb drive out of it. Boot!

Welcome Screen

Set your language and accept the license agreement (don't worry, you're not signing your life away!)

Installation Mode Screen

Select New Installation. Deselect Use Automatic Configuration.

Clock and Time Zone

Select Hardware Clock Set to UTC. I'm not sure that this matters, but being a guy who does a lot of work with data, I take a hard line on the idea that UTC is the only way a date/time should ever be stored.
Select Change.... Hidden behind this menu is the NTP settings. Since we're going to be configuring this server with Samba 4.1 and Active Directory, time synchronization is very important.

Change Date and Time

Select Synchronize with NTP Server. Select an NTP server and select Save NTP Configuration. I've always used us.pool.ntp.org.
Select Run NTP as daemon and finally Synchronize now for good measure.
Select Accept

Desktop Selection

I wanted the server to have as many resources available for actually serving things, so I went minimal here. You may decide you want the GUI, and if so, KDE is the default and I'd recommend sticking with that based on my past experiences with openSuSE.
Select Other.
Select Minimal Server Selection (Text Mode).

Suggested Partitioning - Reloading an existing Windows or Linux machine from scratch

First things first, if you're reloading a machine that has a different operating system on it, you might miss the fact that the openSuSE installer is likely trying to preserve your existing partition. You also, likely, have different hardware than me so the partition strategy I used might not fit. Use common sense, or do what I did and prefer shiny new things. Since I'm writing this as much for me -- to track what I did -- as for you, here's what I did.
There are some important things to consider here. I'm running on one high-performance SSD and have no option to have a second disk installed internally due to the form factor of the case I am stuck with. If you have an SSD and an HDD, you may want to partition out areas of the drive that experience frequent changes (/var comes to mind). This ensures logging and such isn't constantly writing to your SSD and reducing its lifespan. Select Create Partition Setup....
Select 1: (your disk details here)
Select Use Entire Hard Disk
I selected Propose Separate Home Partition primarily because that's, minimally, how I've always done it. I also selected Use Btrfs as Default File System because... shiny. You probably should stick with ext4 for everything.

Create New User

Fill this out with values that are meaningful to you. If you're going to enable SSH and open it up to the world -- and allow password authentication via SSH, you'll want to select a miserably difficult password.
Select Use this password for system administrator.
Select Receive System Mail.
Deselect Automatic Login.

Installation Settings

We're going to customize the software later, but a few things are worth setting up here.
Under Firewall and SSH, select "enable and open" next to "SSH service will be disabled, SSH port will be blocked". The rest of our customization we're going to do remotely via SSH, so we want this turned on.

Installation

Get some coffee...


Text Mode

If you've followed this exactly, you're rebooted into a text-mode YaST2 installation @ linux screen. If you installed KDE, you have something different. The options will probably be similar, but since I've elected to skip the GUI, I can't confirm that. Set your hostname and domain name. I'm using the same domain name that my Active Directory domain name will use. It's also a domain I registered to myself on the internet. If you're using a domain name that can be valid on the Internet, make sure you register it because we're going to configure the DNS to be split-brain and if someone else registers that name, you'll be unable to access that domain. Believe it or not, this was a problem I had with my last installation. Alternatively, you can use something that ends in ".local" and hope that ICANN doesn't open that up for new registrations.

Network Configuration

The external network card I'm using is problematic. The default support for it in the Kernel uses a kernel module that is really flaky and will simply "forget" the card, requiring a reboot to find it again. The manufacturer provides a driver that I'll be compiling and installing later, so for now it's unplugged and I'll only be configuring the adapter that's on board.
I also have a WiFi card in this device and at a future point will be configuring this router to act as a very filtered guest network. The neighbor kids don't have internet service at home and since they visit frequently, they have my WiFi password on their phone. Google's Android default setting includes uploading that password to Google where it's stored in plain text (unless you explicitly disable that), so I'd like to have a separate, isolated, WiFi network for my friends/family/neighbors and children's devices. This subnet will also have the most restricted settings as it pertains to proxy filtering. I'm happy to let my family/friends borrow my internet when they're here, but I'd prefer if you weren't using it to download porn.
That said, the default settings here are fine. We'll fuss with most of this later, right now we want a bootable box that we can SSH into.

Test Internet Connection

Hopefully this works for you! In 12.3, it didn't for me. 13.1 appears to be perfect.
The installer will download updated packages. Considering 13.1 was released only a few short weeks ago, I'm impressed at how much has already been superseded with new packages.

Online Update

Let the update run now and select Accept when the list of packages requiring updates is displayed.

Final Steps

Allow the system to reboot itself and you might also want to eject that CD at this point.

Release Notes

Does anybody really read these? Use your other computer and look the release notes up online if you really want to see them.
Click next and finish and say hello to your login prompt (it may take a second or two to come up).
Login with the user name and password you set during installation.

Setting up / Checking SSH

I couldn't connect to the box via SSH despite selecting to enable SSH on the firewall at installation. Here are the steps I took to enable it via YaST2:
$ su
(Enter your password)
# yast
Head over to Security and Users.
Select Firewall.
Select Allowed Services.
Select Service to Allow.
Choose "Secure Shell Server"
Select Add
Select Next
Hit F9 to quit. Run the following command:
# /etc/init.d/sshd start
# chkconfig sshd on
# ifconfig
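As an added example (my own script, not part of the original post), here is a small POSIX shell script that checks the outcome of the steps above after the fact instead of trusting the YaST clicks: whether the firewall config actually allows sshd on the external zone, whether sshd_config still permits root login or password authentication (both risky once the port is open to the Internet), and which IPv4 addresses ifconfig reports. It assumes openSUSE 13.1's SuSEfirewall2 config at /etc/sysconfig/SuSEfirewall2 (YaST records allowed services in FW_CONFIGURATIONS_EXT and raw ports in FW_SERVICES_EXT_TCP), OpenSSH's /etc/ssh/sshd_config with that era's defaults (PermitRootLogin and PasswordAuthentication both default to yes), and the net-tools ifconfig output format. The function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post: post-install checks for the SSH
# steps in this section. Assumes SuSEfirewall2 (openSUSE 13.1) and OpenSSH.

# Return 0 when the SuSEfirewall2 config lets sshd through on the external
# zone, which is what the YaST "Allowed Services" step writes; else return 1.
fw_allows_ssh() {
    cfg="${1:-/etc/sysconfig/SuSEfirewall2}"
    # FW_CONFIGURATIONS_EXT holds service definitions, FW_SERVICES_EXT_TCP raw ports
    ext_conf=$(sed -n 's/^FW_CONFIGURATIONS_EXT="\(.*\)"/\1/p' "$cfg")
    ext_tcp=$(sed -n 's/^FW_SERVICES_EXT_TCP="\(.*\)"/\1/p' "$cfg")
    case " $ext_conf " in *" sshd "*) return 0 ;; esac
    case " $ext_tcp " in *" ssh "*|*" 22 "*) return 0 ;; esac
    return 1
}

# Print the effective value of one sshd_config keyword ($2) from file $1.
# Keywords are case-insensitive and the first occurrence wins, as in OpenSSH;
# anything after the first Match block is ignored (it would be conditional).
sshd_setting() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        { k = tolower($1)
          if (k == "match") exit
          if (k == key) { print $2; exit } }' "$1" | tr 'A-Z' 'a-z'
}

# Print one line per risky sshd setting; return 0 when nothing risky is found.
# Unset keywords are reported as the OpenSSH default of that era ("yes").
sshd_audit() {
    cfg="${1:-/etc/ssh/sshd_config}"
    rc=0
    v=$(sshd_setting "$cfg" PermitRootLogin)
    if [ "${v:-yes}" = "yes" ]; then
        echo "PermitRootLogin is ${v:-unset} (root can log in over SSH)"; rc=1
    fi
    v=$(sshd_setting "$cfg" PasswordAuthentication)
    if [ "${v:-yes}" = "yes" ]; then
        echo "PasswordAuthentication is ${v:-unset} (passwords accepted; prefer keys)"; rc=1
    fi
    return $rc
}

# Read ifconfig output on stdin and print the non-loopback IPv4 addresses.
# Handles net-tools "inet addr:192.168.1.10" and the newer "inet 192.168.1.10".
ifconfig_ipv4() {
    sed -n 's/.*inet \(addr:\)\{0,1\}\([0-9.]*\).*/\2/p' | grep -v '^127\.'
}

# Stand-alone use: sh ssh_check.sh --run  (as root, on the new router)
if [ "${1:-}" = "--run" ]; then
    fw_allows_ssh && echo "firewall: sshd allowed on external zone" \
        || echo "firewall: sshd NOT allowed (rerun the YaST steps above)"
    sshd_audit && echo "sshd_config: no risky settings found"
    echo "IPv4 addresses:"; ifconfig | ifconfig_ipv4
fi
```

If sshd_audit flags PasswordAuthentication and you intend to expose port 22, the post's advice about a miserably difficult password is the minimum; switching to key authentication and setting PermitRootLogin no in sshd_config removes both findings.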

That last command will show you the IP address that was assigned via DHCP. If you intend, like I do, on doing the rest of this installation from a remote Windows box, it's time to download PuTTY. Open PuTTY, put the IP address from above in the Host Name field and change the following settings (optional - this is how I like it). On the Logging tab, set Logging to "Printable Output".
On the Window tab, set Columns to 160, Rows to 96 and Lines of Scrollback to 99999 (Because 100000 is one line too many).
On the Appearance tab, Change the font to Consolas 9-point and Font Quality to Default.
Stay tuned for Part II
