Guardian

Mar 12, 2020

This document describes how to build Guardian, a switch, router, and firewall. Guardian runs on commodity router hardware and provides a number of features, including:

  • a wireless access point,
  • a switch comprised of a number of Gigabit Ethernet ports,
  • a firewall and NAT translator, and
  • a print service.

Guardian is made up of the following hardware components:

  • a Microtik RouterBoard 493G,
  • a Microtik RouterBoard R52n-M miniPCI wireless adapter,
  • a Microtik 5V USB power injector,
  • a RouterBoard 493G case with interior USB extension cable,
  • two whip antennas,
  • a Belkin USB-to-RS-232 adapter,
  • an RS-232 cable,
  • a null-modem adapter,
  • a GFP121U-0520 GME switching AC/DC power adapter, and
  • a USB printer.

I purchased my hardware from Baltic Networks.

Selecting the software for a Guardian image

This section describes how to gather and select the OpenWrt source code which makes up Guardian.

  1. Obtain the OpenWrt source tree using git clone https://git.openwrt.org/openwrt/openwrt.git.
  2. Enter the OpenWrt source tree and modify the package configuration provided by feeds.conf to use src-git packages ssh://git@github.com/MikePetullo/packages.git. Run ./scripts/feeds update.
  3. Activate the necessary packages using:
./scripts/feeds install ca-certificates \
                        ddns-scripts \
                        freifunk-watchdog \
                        libustream-openssl \
                        openvpn \
                        p910nd \
                        rsync \
                        wget \
                        zoneinfo-core \
                        zoneinfo-northamerica
  1. Run make menuconfig and select:
  • Target System: Atheros ATH79 (DTS)
  • Subtarget: Mikrotik devices
  • Target Profile: MikroTik RouterBoard 493G
  • Target Images: ramdisk then tar.gz (Note that you need to build twice for the RB493G: (1) for a TFTP image and (2) for an installable rootfs image.)
  • Base system:
    • ca-certificates
    • Kernel Modules:
      • Netfilter Extensions: kmod-ipt-tee
      • Other modules: kmod-softdog
      • USB Support:
        • kmod-usb-ohci
        • kmod-usb-printer
        • kmod-usb2
      • Wireless Drivers: kmod-ath9k
  • LuCI: Freifunk: freifunk-watchdog
  • Network:
    • File Transfer:
      • rsync
      • wget
    • Firewall: iptables-mod-tee
    • IP Addresses and Names:
      • ddns-scripts
      • ddns-scripts_no-ip.com
    • Printing: p910nd
    • VPN:
      • openvpn-openssl
  • Utilities:
    • zoneinfo: zoneinfo-northamerica
  1. Create the directory files and populate it as described in the following sections.

Configuring the network interfaces

Aside from the standard loopback device, Guardian provides for four networks:

  1. a private LAN for workstations and internal servers (192.168.1.128/25),
  2. a public LAN for Internet-facing servers (192.168.1.0/25),
  3. a WAN (DHCP-assigned), and
  4. a network for use with OpenVPN (192.168.2.0/24).

Guardian splits its switch ports between the private and public LANs. Guardian also provides WiFi connectivity to its private and public LANs.

  1. /etc/config/network:
config interface loopback
        option ifname lo
        option proto static
        option ipaddr 127.0.0.1
        option netmask 255.0.0.0

config switch
        option name switch0
        option enable 1
        option reset 1
        option enable_vlan 1

config switch
        option name switch1
        option enable 1
        option reset 1
        option enable_vlan 1

# Private:
config switch_vlan
        option device switch0
        option vlan 0
        option vid 100
        # 0: CPU, 1--4: phy. ports, 5 unused.
        # t indicates packets sent will be VLAN tagged; rec'd must match tag. 
        option ports "0t 1 2 3 4"

config interface privlan
        option ifname 'eth0.100 tap0' # Bridge in OpenVPN tap device.
        option type bridge
        option proto static
        option ipaddr 192.168.1.129
        option netmask 255.255.255.128

# Public:
config switch_vlan
        option device switch1
        option vlan 1
        option vid 200
        # 0: CPU, 1--4: phy. ports, 5 below.
        # t indicates packets sent will be VLAN tagged; rec'd must match tag. 
        option ports "0t 1 2 3 4"

config interface publan
        option ifname eth1.200
        option type bridge
        option proto static
        option ipaddr 192.168.1.1
        option netmask 255.255.255.128

# WAN:
config switch_vlan
        option device switch1
        option vlan 2
        option vid 300
        # t indicates packets sent will be VLAN tagged; rec'd must match tag. 
        option ports "0t 5"

config interface wan
        option ifname eth1.300
        option proto dhcp
        # Use OpenDNS (not ISP DNS) for content filter.                              
        option dns  "208.67.222.123 208.67.220.123"                                  
        option peerdns 0 

# OpenVPN:
config interface vpn
        option ifname tun0
        option proto none
  1. /etc/config/wireless (replace PCIPATH, ExampleCom, ExampleComGuest, KEY1, and KEY2):
config wifi-device radio0
        option type     mac80211
        option country  US
        option channel  11
        option hwmode   11ng
        option htmode   HT20
        option path     PCIPATH
        list ht_capab   SHORT-GI-40
        list ht_capab   TX-STBC
        list ht_capab   RX-STBC1
        list ht_capab   DSSS_CCK-40

config wifi-iface                  
        option device   radio0     
        option network  privlan    
        option mode     ap         
        option ssid     ExampleCom
        option encryption psk2       
        option key      KEY1

config wifi-iface                                                               
        option device   radio0                                                  
        option network  publan                                                  
        option mode     ap                                                      
        option ssid     ExampleComGuest
        option encryption psk2                                                  
        option key      KEY2

Configuring the firewall

Guardian’s firewall drops most incoming traffic destined for its private and OpenVPN LANs. Guardian also blocks outgoing DNS queries from its LANs which are destined to servers other than Guardian. Aside from this, Guardian allows:

  • connections from the private LAN to Guardian,
  • connections from the OpenVPN LAN to Guardian,
  • DHCP and DNS requests from the public LAN to Guardian,
  • and OpenVPN connections from anywhere to Guardian.

Guardian allows LDAPS and Kerberos traffic to flow from the public LAN to the private LAN because it assumes that the network’s authentication services exist on the private LAN.

Guardian redirects connections for the following services from the WAN to 192.168.1.5 on the public LAN:

  • SSH,
  • HTTP,
  • HTTPS,
  • SMTP,
  • XMPP client-to-server connections, and
  • XMPP server-to-server connections.

Guardian also provides a copy of all packets to 192.168.1.8 for analysis.

  1. /etc/config/firewall:
config include
        option path /etc/firewall.user

config defaults
        option drop_invalid 1
        option input DROP
        option output DROP
        option forward DROP

# WAN: NAT, drop incoming; accept outgoing; drop forward.
config zone
        option name wan
        option network wan
        option input DROP
        option output ACCEPT
        option forward DROP
        option masq 1

# Private LAN: drop incoming; accept outgoing; reject forward.
config zone
        option name privlan
        option network privlan
        option input DROP
        option output ACCEPT
        option forward REJECT

# Public (guest) LAN: drop incoming; accept outgoing; reject forward.
config zone
        option name publan
        option network publan
        option input DROP
        option output ACCEPT
        option forward REJECT

# OpenVPN LAN: drop incoming; accept outgoing; reject forward.
config zone
        option name vpn
        option network vpn
        option input DROP
        option output ACCEPT
        option forward REJECT

# Forward from private LAN to WAN.
config forwarding
        option src privlan
        option dest wan

# Forward from public LAN to WAN.
config forwarding
        option src publan
        option dest wan

# Forward from OpenVPN LAN to WAN.
config forwarding
        option src vpn
        option dest wan

# Forward from private LAN to public LAN.
config forwarding
        option src privlan
        option dest publan

# Forward from OpenVPN LAN to public LAN.
config forwarding
        option src vpn
        option dest publan

# Forward from OpenVPN LAN to private LAN.
config forwarding
        option src vpn
        option dest privlan

# Forward from private LAN to OpenVPN LAN.
config forwarding
        option src privlan
        option dest vpn

# Forbid DNS requests to outside servers unless from router.
config rule
        option target REJECT
        option src *
        option dest wan
        option dest_port 53
        option proto tcpudp

# Allow DNS requests from public LAN.
config rule
        option target ACCEPT
        option src publan
        option dest_port 53
        option proto tcpudp

# Allow ALL connections from private LAN to router.
config rule
        option target ACCEPT
        option src privlan
        option proto all

# Allow ALL connections from OpenVPN LAN to router.
config rule
        option target ACCEPT
        option src vpn
        option proto all

# Allow OpenVPN connections from anywhere to router.
config rule
        option target ACCEPT
        option src *
        option dest_port 1194
        option proto udp

# Allow DHCP requests from public LAN to router.
config rule
        option target ACCEPT
        option src publan
        option src_port 67-68
        option dest_port 67-68
        option proto udp

# Allow LDAPS requests from public LAN to private LAN.
config rule
        option target ACCEPT
        option src publan
        option dest privlan
        option dest_port 636
        option proto tcp

# Allow Kerberos requests from public LAN to private LAN.
config rule
        option target ACCEPT
        option src publan
        option dest privlan
        option dest_port 88
        option proto tcp

# Redirect HTTP to herald.
config redirect
        option target DNAT
        option src wan
        option proto tcp
        option src_dport 80
        option dest_ip 192.168.1.5
        option dest publan

# Redirect HTTPS to herald.
config redirect
        option target DNAT
        option src wan
        option proto tcp
        option src_dport 443
        option dest_ip 192.168.1.5
        option dest publan

# Redirect SMTP to herald.
config redirect
        option target DNAT
        option src wan
        option proto tcp
        option src_dport 25
        option dest_ip 192.168.1.5
        option dest publan

# Redirect Jabber client-to-server connections to herald.
config redirect
        option target DNAT
        option src wan
        option proto tcp
        option src_dport 5222
        option dest_ip 192.168.1.5
        option dest publan

# Redirect Jabber server-to-server connections to herald.
config redirect
        option target DNAT
        option src wan
        option proto tcp
        option src_dport 5269
        option dest_ip 192.168.1.5
        option dest publan
  1. /etc/firewall.user:
iptables -t mangle -A INPUT  ! -s 192.168.1.8/32 -j TEE --gateway 192.168.1.8
iptables -t mangle -A OUTPUT ! -d 192.168.1.8/32 -j TEE --gateway 192.168.1.8
iptables -t mangle -A FORWARD ! -d 192.168.1.8/32 ! -s 192.168.1.8/32 -j TEE --gateway 192.168.1.8

Configure OpenVPN

Guardian accepts OpenVPN connections, allowing access to its private LAN from remote workstations.

/etc/config/openvpn (replace example.com):

package openvpn

config openvpn privlan
        option enable 1
        option port 1194
        option proto udp
        option dev tun0
        option txqueuelen 1000
        option tun-mtu 1500
        option mssfix 1300
        option ca /etc/openvpn/ca.cert
        option cert /etc/openvpn/example.com.cert
        option key /etc/openvpn/example.com.key
        option dh /etc/openvpn/dh2048.pem
        option ifconfig-pool-persist /tmp/ipp.txt
        option keepalive '10 120'
        option persist-key 1
        option persist-tun 1
        option status /var/log/openvpn-status.log
        option verb 3
        option server '192.168.2.0 255.255.255.0'
        option client-to-client 1
        option tls-version-min 1.2
        option tls ECDHE-RSA-AES256-GCM-SHA384
        list push 'redirect-gateway def1'
        list push 'dhcp-option DNS 192.168.1.129'
        list push 'route 192.168.1.0   255.255.255.128'
        list push 'route 192.168.1.128 255.255.255.128'

## Configure basic system settings

1. `/etc/config/p910nd`:

config p910nd option device /dev/usb/lp0 option port 0 option bidirectional 1 option enabled 1

2. `/etc/config/system`:

config system option hostname guardian.example.com option timezone EST5EDT,M3.2.0,M11.1.0

config timeserver ntp list server 0.openwrt.pool.ntp.org list server 1.openwrt.pool.ntp.org list server 2.openwrt.pool.ntp.org list server 3.openwrt.pool.ntp.org option enabled 1 option enable_server 0

3 `/etc/config/ddns` (replace `examplecom`, `example.com`, `USERNAME`, and `PASSWORD`):

config service ’examplecom' option enabled ‘1’ option interface ‘wan’ option service_name ’no-ip.com' option lookup_host ‘www.example.com’ option domain ’example.com' option username ‘USERNAME’ option password ‘PASSWORD’ option use_https ‘1’ option cacert ‘/etc/ssl/certs’ option use_syslog ‘3’ 4. /etc/config/freifunk-watchdog:

config process
        option process dropbear 
        option initscript /etc/init.d/dropbear

config process
        option process crond
        option initscript '/etc/init.d/cron'
        
config process
        option process dnsmasq
        option initscript /etc/init.d/dnsmasq
        
config process
        option process p910nd
        option initscript /etc/init.d/p910nd
  1. /etc/config/dropbear:
config dropbear
        option PasswordAuth 'off'
        option RootPasswordAuth 'off'
        option Port         '22'
  1. /etc/config/dhcp:
config dhcp privlan
        option interface    privlan
        option start        138 # Room for static at bottom.
        option limit        254 # Room for OpenVPN at top.
        option leasetime    24h
        # GW, DNS:
        list dhcp_option "3,192.168.1.129"
        list dhcp_option "6,192.168.1.129"

config dhcp publan
        option interface    publan
        option start        10
        option limit        126
        option leasetime    24h
        # GW, DNS:
        list dhcp_option "3,192.168.1.1"
        list dhcp_option "6,192.168.1.1"

config dnsmasq
        option leasefile   '/tmp/dhcp.leases'
        option resolvfile  '/tmp/resolv.conf.auto'
        option localise_queries 1

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'

config host
        option name 'host.example.com'
        option ip '192.168.1.2'
        option mac 'aa:bb:cc:dd:ee:ff'
  1. /etc/hosts (replace examplecom):
127.0.0.1 localhost
192.168.1.1 guardian.example.com
192.168.1.5 www.example.com example.com

Build software and perform installation

  1. Run make V=99.
  2. Install the image you just built onto your router. The instructions here require a computer running Linux, in addition to the Guardian device.
  • On the Linux computer:
    1. Install dhcp-server, tftp-server, minicom, mtd-utils, and mtd-utils-ubi. Configure minicom to emulate an 115,200-bps 8N1 terminal without hardware flow control and without software flow control.
    2. Temporarily disable the host’s firewall (or allow incoming TFTP requests).
    3. Run the tftp service with in.tftpd -v -s -p -L /var/lib/tftpboot/.
    4. Place openwrt-ath79-mikrotik-mikrotik_routerboard-493g-initramfs-kernel.bin in /var/lib/tftpboot.
    5. Set the computer’s IP address to 192.168.1.3 using ip addr add 192.168.1.3/24 dev enp0s25. (You might have to do this repeatedly, because the Linux computer’s interface might drop its IP address when the router reboots.)
    6. Configure DHCP as shown below (replace XX:XX:XX:XX:XX:XX with your router’s MAC address (likely eth1), which you can discover using the router’s firmware utility), and start the DHCP server with systemctl start dhcpd.
allow booting;
allow bootp;

subnet 192.168.1.0 netmask 255.255.255.0 {
        option routers 192.168.1.3;
        option subnet-mask 255.255.255.0;
        option broadcast-address 192.168.1.255;
}

group {
        host routerboard {
                hardware ethernet XX:XX:XX:XX:XX:XX;
                next-server 192.168.1.3;
                fixed-address 192.168.1.2;
                filename "openwrt-ath79-mikrotik-mikrotik_routerboard-493g-initramfs-kernel.bin";
        }
}
  • On the router:
    1. At boot menu, use e to erase the existing OS firmware.
    2. Instruct the boot firmware to boot from the network (select o, e, and x). In order to boot the router over the network, it might be necessary to reset the Linux computer’s IP address (because the IP address might have been lost after the link momentarily went down). After the router boots, it might be necessary to wait while the router configures its network interfaces and generates its SSH keys; you might also need to deactivate the firewall’s router to permit SSH connections over its WAN interface.
    3. After booting, run passwd to set the root password.
    4. The router’s IP address should now be 192.168.1.2. Use scp to copy openwrt-ath79-mikrotik-mikrotik_routerboard-493g-squashfs-sysupgrade.bin to the router.
    5. Run sysupgrade -n openwrt-ath79-mikrotik-mikrotik_routerboard-493g-squashfs-sysupgrade.bin.
    6. Reboot the router, ensuring it boots from its internal flash.
  1. Finalize the router install:
  • Run passwd to set the root password.
  • Create the OpenVPN key material using:
    1. clean-all
    2. build-ca
    3. build-dh
    4. build-key-server example.com
    5. build-key client
  • Copy ca.cert, dh2048.pem, example.com.cert, and example.com.key to /etc/openvpn.
  • Copy ca.cert, dh2048.pem, client.cert, and client.key to the client’s /etc/openvpn.
  1. Configure OpenVPN on each client host.
  • Place the client’s certificate, the client’s private key, and the CA certificate in /etc/openvpn.
  • Option 1: Configuration using NetworkManager
    1. Create a new VPN connection using NetworkManager.
    2. Under AdvancedTLS Authentication:
    3. Set Subject Match to /CN=example.com.
    4. Select Verify peer (server) certificate usage signature and set to Server.
  • Option 2: Direct configuration of OpenVPN
    1. Copy /usr/share/doc/openvpn/contrib/pull-resolv-conf/client.up and client.down to /etc/openvpn.
    2. Set the scripts’ permissions with chmod +x client.up client.down.
    3. /etc/openvpn/example.conf (replace client.cert, client.key, and server.example.com):
dev tun
proto udp
verb 3
ca /etc/openvpn/ca.cert
cert /etc/openvpn/client.cert
key /etc/openvpn/client.key
dh /etc/openvpn/dh2048.pem
persist-tun
persist-key
client
remote-cert-tls server
remote server.example.com 1194
script-security 2
up /etc/openvpn/client.up
down /etc/openvpn/client.down

  4. `ln -s /lib/systemd/system/openvpn@.service /etc/systemd/system/openvpn@example.service`
  5. `systemctl start openvpn@example.service`