This is a multi-part post that walks through the creation of what I consider to be "The Ultimate Linux Based Home Router". Of course, your feelings on what is truly The Ultimate will likely differ from mine; however, since this is my blog, I'm the one defining it.
My apologies for typos or bad grammar along the way. My secret real reason for putting this together is to ensure that I have a log of what I did. I have very little time to devote to blogging, so proof-reading has only been partially done.
Distribution
I picked OpenSUSE: Tumbleweed. There are many Linux Router distributions like ClearOS and such that offer turn-key solutions. I tried them and didn't like that a lot of the features I was interested in were add-ons that cost money. These guys offer a clear advantage--they're really dead simple to set up and maintain. If you want easy, go that route. If you want free, and want to learn a bit along the way, follow along. My choice of openSUSE is purely because I'm comfortable with it. I've been working with OpenSUSE for about a decade.
Features - Work in Progress
- High performance routing and all of the features you'd expect from a home router, DHCP, DNS, etc.
- Active Directory without Windows Server
- NTP Server
- Certificate Server
- Authenticated transparent proxy with filtering for the children
- Advertisement filtering and privacy enhancing capabilities for every device on network
- Secure Shell with port forwarding
- Traffic shaping
- Intrusion Prevention
- Guest wireless access for children's wireless devices and other untrusted devices (these will be filtered the most aggressively, including an SSL interception/replay with a local certificate from our new CA)
- Home web server
But Why?
Partly because I can. Mostly because this year I remarried and added two (amazing) children to my life. One of them is in second grade and is just starting to regularly use the internet. He also has an older friend across the street who has no internet access, so his phone is hooked up to my wireless. We're nuts in this house about adult supervision on the Internet (yes, we're those kinds of parents). At the same time, I know we won't be around all the time, so I want my children's (and their friend's) devices to be highly restricted. Filters suck. And I know there will be times when I will need to open up access to some things, so by adding authentication to the proxy, I or my lovely wife will be able to log in with an account that is less restricted.
As far as wireless is concerned, I hate the idea of giving out my wireless password to devices I don't own. Google's Android, by default, uploads the wireless keys and stores them in a retrievable format, meaning Google essentially has the keys to everyone's WiFi network that any Android device has connected to (there's an opt-out for this feature, but most people don't use it). We opt out on our main network with our devices. Any other devices that want access will have to go through our guest network, which includes an SSL intercepting firewall (don't worry, I'll make sure to document how to skip that feature).
Hardware
I repurposed an old MiniITX media center PC. It's got a lot of hardware that is unnecessary, but it's powerful enough to fit the bill for a solid home router. The specs are:
- 2.4 GHz Intel Core(TM) i3 CPU M370
- 4GB onboard memory
- Built-in Ethernet and Wifi
- USB 3.0 External Ethernet
BIOS / Hardware Preparation
This is going to be different for everyone, so you'll have to hunt around, but here is what you want to configure. Depending on your hardware, some of these options may not be available. Don't worry, they are all optional.
- SATA should be in AHCI (not IDE) mode.
- Power on when power is lost.
- Decide what to do about HyperThreading
- Disable any hardware that you won't be using (Parallel ports, sound cards)
At this point, I do not have the USB Ethernet adapter even plugged into this machine. I also have an existing router in place that I do not want to disturb, yet (that way my other computer can continue to surf the internet while I'm building this new router). If you have more than one Ethernet adapter on board, make sure you only plug one cable in and make sure the cable is plugged into the ethernet adapter that you want to be your Internal/Non-internet facing adapter.
The GUI Installation
Download the correct version of openSUSE 13.1 for the processor that your new router has installed. Burn it to a DVD or follow the instructions to make a thumb drive out of it. Boot!
Welcome Screen
Set your language and accept the license agreement (don't worry, you're not signing your life away!).
Installation Mode Screen
Select New Installation. Deselect Use Automatic Configuration.
Clock and Time Zone
Select Hardware Clock Set to UTC. I'm not sure that this matters, but being a guy who does a lot of work with data, I take a hard line on the idea that UTC is the only way a date/time should ever be stored.
Select Change.... Hidden behind this menu is the NTP settings. Since we're going to be configuring this server with Samba 4.1 and Active Directory, time synchronization is very important.
Change Date and Time
Select Synchronize with NTP Server. Select an NTP server and select Save NTP Configuration. I've always used us.pool.ntp.org.
Select Run NTP as daemon and finally Synchronize now for good measure.
Desktop Selection
I wanted the server to have as many resources available for actually serving things, so I went minimal here. You may decide you want the GUI, and if so, KDE is the default and I'd recommend sticking with that based on my past experiences with openSuSE.
Select Minimal Server Selection (Text Mode).
Suggested Partitioning - Reloading an existing Windows or Linux machine from scratch
First things first, if you're reloading a machine that has a different operating system on it, you might miss the fact that the openSuSE installer is likely trying to preserve your existing partition. You also, likely, have different hardware than me so the partition strategy I used might not fit. Use common sense, or do what I did and prefer shiny new things. Since I'm writing this as much for me -- to track what I did -- as for you, here's what I did.
There are some important things to consider here. I'm running on one high-performance SSD and have no option to have a second disk installed internally due to the form factor of the case I am stuck with. If you have an SSD and an HDD, you may want to partition out areas of the drive that experience frequent changes (/var comes to mind). This ensures logging and such isn't constantly writing to your SSD and reducing its lifespan. Select Create Partition Setup....
Select 1: (your disk details here)
Select Use Entire Hard Disk
I selected Propose Separate Home Partition primarily because that's, minimally, how I've always done it. I also selected Use Btrfs as Default File System because... shiny. You probably should stick with ext4 for everything.
Create New User
Fill this out with values that are meaningful to you. If you're going to enable SSH and open it up to the world -- and allow password authentication via SSH -- you'll want to select a miserably difficult password.
Select Use this password for system administrator.
Select Receive System Mail.
Deselect Automatic Login.
Installation Settings
We're going to customize the software later, but a few things are worth setting up here.
Under Firewall and SSH, the summary reads "SSH service will be disabled, SSH port will be blocked"; select enable and open next to it. The rest of our customization we're going to do remotely via SSH, so we want this turned on.
Installation
Get some coffee...
Text Mode
If you've followed this exactly, you're rebooted into a text-mode YaST2 installation @ linux screen. If you installed KDE, you have something different. The options will probably be similar, but since I've elected to skip the GUI, I can't confirm that. Set your hostname and domain name. I'm using the same domain name that my Active Directory domain name will use. It's also a domain I registered to myself on the internet. If you're using a domain name that can be valid on the Internet, make sure you register it because we're going to configure the DNS to be split-brain and if someone else registers that name, you'll be unable to access that domain. Believe it or not, this was a problem I had with my last installation. Alternatively, you can use something that ends in ".local" and hope that ICANN doesn't open that up for new registrations.
Network Configuration
The external network card I'm using is problematic. The default support for it in the Kernel uses a kernel module that is really flaky and will simply "forget" the card, requiring a reboot to find it again. The manufacturer provides a driver that I'll be compiling and installing later, so for now it's unplugged and I'll only be configuring the adapter that's on board.
I also have a WiFi card in this device and at a future point will be configuring this router to act as a very filtered guest network. The neighbor kids don't have internet service at home and since they visit frequently, they have my WiFi password on their phone. Google's Android default setting includes uploading that password to Google, where it's stored in plain text (unless you explicitly disable that). So I'd like to have a separate, isolated WiFi network for my friends'/family's/neighbors' and children's devices. This subnet will also have the most restricted settings as it pertains to proxy filtering. I'm happy to let my family/friends borrow my internet when they're here, but I'd prefer if you weren't using it to download porn.
That said, the default settings here are fine. We'll fuss with most of this later, right now we want a bootable box that we can SSH into.
Test Internet Connection
Hopefully this works for you! In 12.3, it didn't for me. 13.1 appears to be perfect.
The installer will download updated packages. Considering 13.1 was released only a few short weeks ago, I'm impressed at how much has already been superseded with new packages.
Online Update
Let the update run now and select Accept when the list of packages requiring updates is displayed.
Final Steps
Allow the system to reboot itself and you might also want to eject that CD at this point.
Release Notes
Does anybody really read these? Use your other computer and look the release notes up online if you really want to see them.
Click next and finish and say hello to your login prompt (it may take a second or two to come up).
Login with the user name and password you set during installation.
Setting up / Checking SSH
I couldn't connect to the box via SSH despite selecting to enable SSH on the firewall at installation. Here are the steps I took to enable it via YaST2:
$ su
(Enter your password)
# yast
Head over to Security and Users.
Select Allowed Services.
Select Service to Allow.
Choose "Secure Shell Server"
Hit F9 to quit. Run the following command:
# /etc/init.d/sshd start
# chkconfig sshd on
# ifconfig
That last command will show you the IP address that was assigned via DHCP. If you intend, like I do, on doing the rest of this installation on a remote windows box, it's time to download PuTTY. Open putty, put the IP address from above in the Host Name field and change the following settings (optional - this is how I like it). On the logging tab, set Logging to "Printable Output".
On the Window tab, set Columns to 160, Rows to 96 and Lines of Scrollback to 99999 (Because 100000 is one line too many).
On the Appearance tab, Change the font to Consolas 9-point and Font Quality to Default.
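Because the installer makes the root password the same as your user password and leaves SSH password logins on, it is worth checking sshd_config before this port is ever opened to the Internet. The following is an added example of mine, not a script or configuration from the original post: a POSIX shell check that reads the file the way sshd does (comment lines skipped, keywords case-insensitive, first occurrence of a keyword wins, so a "PasswordAuthentication no" appended at the bottom is silently ignored). The sample config is constructed for the example; on the router you would point it at /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Audit an sshd_config before exposing SSH to the Internet. Added example for
# this post, not the author's own configuration or script.

# Constructed sample sshd_config (not a real file from the router). It has a
# commented-out directive and a duplicate PasswordAuthentication line.
SAMPLE_SSHD_CONFIG=$(mktemp)
cat >"$SAMPLE_SSHD_CONFIG" <<'EOF'
# sshd_config sample, constructed for this example
Port 22
#PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
# appended later by an admin; sshd ignores it because the first match wins
PasswordAuthentication no
EOF

# sshd_get FILE KEYWORD: print the effective value of a directive, lower-cased.
# sshd matches keywords case-insensitively, skips comment lines, and honours
# only the FIRST occurrence of a keyword, so later duplicates have no effect.
sshd_get() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == key { print tolower($2); exit }
    ' "$1"
}

# audit_sshd_config FILE: print one "WEAK:" line for every checked directive
# that is not explicitly "no". Unset directives are reported as well, so that
# nothing is left to whatever default your OpenSSH build happens to ship.
audit_sshd_config() {
    for check in \
        "PermitRootLogin:root shares your user password after this install" \
        "PasswordAuthentication:use keys if SSH will face the Internet" \
        "X11Forwarding:a headless router has no use for X11"; do
        keyword=${check%%:*}
        why=${check#*:}
        value=$(sshd_get "$1" "$keyword")
        case "${value:-unset}" in
            no) ;;
            *) printf 'WEAK: %s is %s (%s)\n' "$keyword" "${value:-unset}" "$why" ;;
        esac
    done
}

# Run against the sample; on the router itself use /etc/ssh/sshd_config.
audit_sshd_config "$SAMPLE_SSHD_CONFIG"
```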
Stay tuned for Part II