Monday, 3 November 2008

Add a DNS and DHCP server with dnsmasq

In order to better control the allocation of addresses to the various bits that are now on the local network, I've added a DNS and DHCP server to 'fileserver' with dnsmasq. First install it

fileserver:~# apt-get install dnsmasq

then edit the configuration file /etc/dnsmasq.conf -

# Don't use /etc/resolv.conf or any other
# file, get servers from this file instead
no-resolv
server=192.168.2.1

#This is our home network domain name
domain=ourhouse.net

#Don't forward anything without a full domain name
domain-needed
#Don't try to do reverse lookups of private IP addresses
bogus-priv
#Don't forward these local domains
local=/ourhouse.net/
local=/azea.net/

#Start the DHCP server
dhcp-range=192.168.2.20,192.168.2.49,12h

# Override the default route supplied by dnsmasq, which assumes the
# router is the same machine as the one running dnsmasq.
dhcp-option=3,192.168.2.1

# For debugging purposes, log each DNS query as it passes through
# dnsmasq.
log-queries

'fileserver' itself will have to have a static IP address now, since I will be turning off the DHCP server on the gateway router, so /etc/network/interfaces needs to be changed compared to the one used in the earlier post -

#This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
    address 0.0.0.0

auto br0
iface br0 inet static
    address 192.168.2.18
    netmask 255.255.255.0
    gateway 192.168.2.1
    bridge_ports eth0 tap0
    pre-up openvpn --mktun --dev tap0
    post-down openvpn --rmtun --dev tap0

/etc/resolv.conf must be edited to make DNS lookups originating on 'fileserver' use the local DNS server -

nameserver 127.0.0.1

and /etc/hosts edited so that DNS lookups will find the correct addresses for 'fileserver' and 'gateway' - the only devices on the network that will not get their addresses from the new DHCP server -

127.0.0.1       localhost
192.168.2.1     gateway
192.168.2.18    fileserver

dnsmasq writes its DHCP lease information to /var/lib/misc/dnsmasq.leases -

1225776083 00:0e:a6:9f:04:e7 192.168.2.32 Playroom-Router 01:00:0e:a6:9f:04:e7
1225772336 00:1a:73:bf:97:0c 192.168.2.25 AndrewsPC 01:00:1a:73:bf:97:0c
1225748001 00:10:60:a1:3c:79 192.168.2.15 Will-PC 01:00:10:60:a1:3c:79
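As an added example (not part of the original post), here is a small shell script that audits a lease file in the format shown above: it reports any lease whose address lies outside the configured dhcp-range (a sign of a stale lease, a static assignment, or a client that did not get its address from this server) and lists which leases are still live at a given time. The sample lease file it writes is constructed from the three entries above; the script name lease_audit.sh is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post: audit a dnsmasq lease file.
# dnsmasq writes one lease per line to /var/lib/misc/dnsmasq.leases:
#   <expiry as unix epoch> <MAC> <IP> <hostname> <client-id>

# leases_outside_range LEASEFILE RANGE_START RANGE_END
# prints "<IP> <hostname>" for each lease whose address is not in the pool
leases_outside_range() {
    awk -v lo="$2" -v hi="$3" '
        # ip2n: dotted quad -> integer, so addresses can be compared
        function ip2n(ip,   o) {
            split(ip, o, ".")
            return (o[1]*16777216)+(o[2]*65536)+(o[3]*256)+o[4]
        }
        BEGIN { lo = ip2n(lo); hi = ip2n(hi) }
        NF >= 4 {
            n = ip2n($3)
            if (n < lo || n > hi) print $3, $4
        }' "$1"
}

# active_leases LEASEFILE NOW_EPOCH
# prints "<hostname> <IP>" for leases that have not expired at NOW_EPOCH
active_leases() {
    awk -v now="$2" 'NF >= 4 && $1 > now { print $4, $3 }' "$1"
}

# make_sample_leases PATH: write a constructed lease file containing the
# three entries from the post, for trying the checks without a live server
make_sample_leases() {
    cat > "$1" <<'EOF'
1225776083 00:0e:a6:9f:04:e7 192.168.2.32 Playroom-Router 01:00:0e:a6:9f:04:e7
1225772336 00:1a:73:bf:97:0c 192.168.2.25 AndrewsPC 01:00:1a:73:bf:97:0c
1225748001 00:10:60:a1:3c:79 192.168.2.15 Will-PC 01:00:10:60:a1:3c:79
EOF
}

# Usage: lease_audit.sh LEASEFILE RANGE_START RANGE_END
if [ $# -ge 3 ]; then
    echo "== leases outside $2-$3 =="
    leases_outside_range "$1" "$2" "$3"
    echo "== leases still active =="
    active_leases "$1" "$(date +%s)"
fi
```

Run against the real file with `sh lease_audit.sh /var/lib/misc/dnsmasq.leases 192.168.2.20 192.168.2.49`; with the dhcp-range from the config above, the Will-PC entry at 192.168.2.15 is reported as outside the pool.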

Now I can let all other devices get their IP addresses via DHCP and I can refer to them by their hostnames - for example pinging 'fileserver' from a Windows machine gives -

C:\Documents and Settings\andrew>ping fileserver

Pinging fileserver.ourhouse.net [192.168.2.18] with 32 bytes of data:

Reply from 192.168.2.18: bytes=32 time=1ms TTL=64
Reply from 192.168.2.18: bytes=32 time=2ms TTL=64
Reply from 192.168.2.18: bytes=32 time=3ms TTL=64
Reply from 192.168.2.18: bytes=32 time=3ms TTL=64

Ping statistics for 192.168.2.18:
     Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
     Minimum = 1ms, Maximum = 3ms, Average = 2ms

and similarly pinging 'Playroom-Router' from a linux box -

box:~# ping Playroom-Router
PING Playroom-Router (192.168.2.32) 56(84) bytes of data.
64 bytes from Playroom-Router.ourhouse.net (192.168.2.32): icmp_seq=1 ttl=64 time=17.9 ms
64 bytes from Playroom-Router.ourhouse.net (192.168.2.32): icmp_seq=2 ttl=64 time=4.20 ms
64 bytes from Playroom-Router.ourhouse.net (192.168.2.32): icmp_seq=3 ttl=64 time=3.11 ms
64 bytes from Playroom-Router.ourhouse.net (192.168.2.32): icmp_seq=4 ttl=64 time=2.19 ms
64 bytes from Playroom-Router.ourhouse.net (192.168.2.32): icmp_seq=5 ttl=64 time=3.22 ms

--- Playroom-Router ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4039ms
rtt min/avg/max/mdev = 2.199/6.137/17.943/5.937 ms

Super!

Thursday, 23 October 2008

Install an OpenVPN server on the fileserver

I'm going to use an OpenVPN based Ethernet bridge to allow me to connect to my home LAN via the Internet when I'm away from home.

First install the openvpn, bridge-utils (for the Ethernet bridge) and openssl (to generate certificates) packages

fileserver:~# apt-get install openvpn bridge-utils openssl

The /etc/init.d/openvpn script that comes with the package is far too complicated for what I understand or need, so I replaced it with a simpler one (after copying the original to /etc/init.d/openvpn.orig)

#! /bin/sh
# /etc/init.d/openvpn
#

# Carry out specific functions when asked to by the system
case "$1" in
  start)
    echo "Starting openvpn server"
    openvpn --config /etc/openvpn/simple.conf
    ;;
  stop)
    echo "Stopping openvpn server"
    killall openvpn
    ;;
  *)
    echo "Usage: /etc/init.d/openvpn {start|stop}"
    exit 1
    ;;
esac

exit 0

To use the killall command, I had to install the psutils package.

To make the bridge between the tap device and the physical ethernet port, I edited /etc/network/interfaces to -

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
#allow-hotplug eth0
auto eth0
iface eth0 inet static
        address 0.0.0.0
        netmask 255.255.255.0

auto tap0
iface tap0 inet static
        address 0.0.0.0
        netmask 255.255.255.0
        pre-up /usr/sbin/openvpn --mktun --dev tap0

auto br0
iface br0 inet dhcp
        hostname fileserver
        bridge_ports eth0 tap0

Generating the required certificates is as described in openVPN HOWTOs. The easy-rsa directory was at /usr/share/doc/openvpn/examples/easy-rsa/2.0. I copied this to /etc/openvpn and worked there. At the end of the process I copied the files needed on the server to /etc/openvpn -

/etc/openvpn/ca.crt
/etc/openvpn/server.crt
/etc/openvpn/server.key
/etc/openvpn/dh1024.pem

The files needed on the client are -

ca.crt
client.crt
client.key

The openVPN server configuration file /etc/openvpn/simple.conf is -

dev tap0
server-bridge 192.168.2.1 255.255.255.0 192.168.2.101 192.168.2.110
user nobody
persist-key
persist-tun
proto udp
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh1024.pem
daemon

This will allow up to 10 clients to connect which will be given IP addresses from 192.168.2.101 to 192.168.2.110 on the home LAN. Note 192.168.2.1 is the IP address of the home LAN router.

Finally, I needed to forward TCP and UDP ports 1194 on the WAN side of my internet firewall to the fileserver IP address 192.168.1.18.

My first client is the my windows laptop running OpenVPN GUI for Windows. The client config file is -

client
dev tap
proto udp

remote flabby.is-a-geek.com 1194

nobind

persist-key
persist-tun

mute-replay-warnings

ns-cert-type server

verb 3

ca   "ca.crt"
key  "client.key"
cert "client.crt"

float

OK

Monday, 20 October 2008

Add dynamic DNS service updater

I'm going to be adding a VPN gateway to the fileserver so I can access it over the internet. I have an account at DynDNS that will map the WAN address of my router to my DynDNS domain name. I need a simple client on the LAN to update this account when the WAN address changes.

The simplest client recommended at DynDNS seems to be inadyn, which I installed on the fileserver

fileserver:~# apt-get install inadyn

I generated the required config file automatically using the DynDNS tool and saved it on the fileserver at /etc/inadyn.conf.

fileserver:~# cat /etc/inadyn.conf
## inadyn configuration file
update_period_sec 600 # Check for a new IP every 600 seconds

# DynDNS username and password here
username xxxxxx
password xxxxxx

dyndns_system dyndns@dyndns.org

## Dynamic DNS hosts
alias flabby.is-a-geek.com

background

I tested the update process by running inadyn from the command line -

fileserver:~# inadyn
INADYN: Started 'INADYN version 1.96' - dynamic DNS updater.
I:INADYN: IP address for alias 'flabby.is-a-geek.com' needs update to '65.93.163.244'
I:INADYN: Alias 'flabby.is-a-geek.com' to IP '65.93.163.244' updated successful.

I added the line -

background

to the end of /etc/inadyn.conf which causes the process to run in the background and the output to be sent to syslog.

I then set up the required scripts to run inadyn correctly at boot time.

cp /etc/init.d/skeleton /etc/init.d/inadyn
chmod 755 /etc/init.d/inadyn

I changed only the line -

NAME=inadyn

and then tested with -

fileserver:~# /etc/init.d/inadyn start
fileserver:~# ps -ef | grep /etc/init.d/inadyn
root 3275 1 0 18:29 ? 00:00:00 /usr/sbin/inadyn
fileserver:~# tail -n 3 /var/log/syslog
Oct 20 18:29:21 fileserver INADYN[3275]: INADYN: Started 'INADYN version 1.96' - dynamic DNS updater.
Oct 20 18:29:22 fileserver INADYN[3275]: I:INADYN: IP address for alias 'flabby.is-a-geek.com' needs update to '65.93.163.244'
Oct 20 18:29:22 fileserver INADYN[3275]: I:INADYN: Alias 'flabby.is-a-geek.com' to IP '65.93.163.244' updated successful.

Then to make it permanent I did -

fileserver:~# update-rc.d /etc/init.d/inadyn defaults
Adding system startup for /etc/init.d/inadyn...
/etc/rc0.d/K20inadyn -> ../init.d/inadyn
/etc/rc1.d/K20inadyn -> ../init.d/inadyn
/etc/rc6.d/K20inadyn -> ../init.d/inadyn
/etc/rc2.d/S20inadyn -> ../init.d/inadyn
/etc/rc3.d/S20inadyn -> ../init.d/inadyn
/etc/rc4.d/S20inadyn -> ../init.d/inadyn
/etc/rc5.d/S20inadyn -> ../init.d/inadyn

So it should run correctly on reboot now.