Ubuntu/Bespin: Difference between revisions

From charlesreid1
 
(117 intermediate revisions by the same user not shown)
Line 1: Line 1:
==Step by Step Articles==
All the setup involved for bespin, a Ubuntu 18.04 desktop server.
All the setup involved for bespin, a Ubuntu 18.04 desktop server.


=Inital Setup=
* [[Ubuntu/Bespin/Initial Setup]] - initial setup of the Ubuntu machine


==Aptitude update==
* [[Ubuntu/Bespin/Gnome Setup]] - setting up gnome on the Ubuntu machine


During installation, we allow setup to join the wifi network. On first boot, the network manager will be running and will be connected to the same wifi network. We will disable network manager eventually, but first get some software.
* [[Ubuntu/Bespin/Ansible]] - setting up and running an Ansible role for the machine


<pre>
* [[Ubuntu/Bespin/PIA]] - set up a [[PIA]] VPN tunnel using [[OpenVPN]]
sudo apt-get update
sudo apt-get -y install vim gnome-tweak-tool net-tools
</pre>


Set caps lock as a control key.
* [[Ubuntu/Bespin/DNS]] - removing the built-in DNS server on Ubuntu and replacing it with dnsmasq


==Allow sudo for user==
* [[Ubuntu/Bespin/PiHole]] - run an instance of PiHole, the DNS sinkhole, in a Docker container; install it between dnsmasq and the VPN tunnel, so all DNS queries will pass through the PiHole


Create wheel group:
* [[Ubuntu/Bespin/Iptables]] - Update the iptables rules to allow better protection of the server and be less permissive


<pre>
* [[Ubuntu/Bespin/TIL]] - the summary of "today I learned" things that I learned while setting up Bespin
sudo groupadd wheel
</pre>
 
Add user to group:
 
<pre>
sudo usermod -a -G wheel <your-username-here>
</pre>
 
Allow wheel group users passwordless sudo, first use visudo to edit the sudoers file:
 
<pre>
EDITOR=vi visudo
</pre>
 
Now add this line to the end:
 
<pre>
%wheel ALL=(ALL) NOPASSWD: ALL
</pre>
 
==Install ssh==
 
Install ssh and server:
 
<pre>
sudo apt-get install ssh
</pre>
 
Start the server:
 
<pre>
sudo service ssh start
</pre>
 
===Install trusted ssh key===
 
If you want, set up a machine to securely SSH into the Ubuntu server.
 
From the machine you want to SSH <b>FROM</b>:
 
<pre>
cat ~/.ssh/id_rsa.pub
</pre>
 
Copy this text. Now in another terminal, ssh into the Ubuntu server. Paste the output of the above command into the file:
 
<pre>
~/.ssh/authorized_keys
</pre>
 
Now verify that SSHing into the Ubuntu server will not ask you for a password.
 
==Configure WPA Supplicant==
 
We want to configure wifi manually, and disable the network manager. This requires some preparation to manually join a wifi network with wpa supplicant.
 
First set your wpa supplicant to join a wifi network.
 
<code>/etc/wpa_supplicant/wpa_supplicant.conf</code>
 
<pre>
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1
 
network={
    ssid="yournetworkhere"
    proto=RSN
    key_mgmt=WPA-PSK
    pairwise=CCMP TKIP
    group=CCMP TKIP
    psk="yourpskhere"
}
</pre>
 
==Name Network Interfaces==
 
Ubuntu 18.04 does this annoying thing where the wifi interfaces are awful to type and impossible to remember because they contain the ENTIRE MAC ADDRESS OF THE DEVICE.
 
To fix this, rename the network devices. The following file will not exist on a fresh Ubuntu install, so create it with the following contents (one line per network device you want to rename):
 
<code>/etc/udev/rules.d/70-persistent-net.rules</code>
 
<pre>
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="02:01:02:03:04:05", ATTR{dev_id}=="0x0", ATTR{type}=="1", NAME="wlan0"
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="02:01:02:03:04:06", ATTR{dev_id}=="0x0", ATTR{type}=="1", NAME="wlan1"
</pre>
 
==Configure Network Interfaces==
 
Next add the 2 usb wifi devices to network interfaces file.
 
* wlan0 will be joining an existing wifi network
* wlan1 will be in manual mode so it can be used as an AP
 
The following lines should be APPENDED to any existing network interfaces file:
 
<code>/etc/network/interfaces</code>
 
<pre>
allow-hotplug wlan0
iface wlan0 inet dhcp
wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf
 
allow-hotplug wlan1
iface wlan1 inet static
    address 192.168.10.1
    netmask 255.255.255.0
    gateway 192.168.10.1
</pre>
 
==WPA Supplicant Startup Service==
 
Copy a wpa supplicant service template:
 
<pre>
sudo cp /lib/systemd/system/wpa_supplicant.service /etc/systemd/system/wpa_supplicant.service
</pre>
 
Edit the file
 
<pre>
sudo vim /etc/systemd/system/wpa_supplicant.service
</pre>
 
Change this line from this:
 
<pre>
ExecStart=/sbin/wpa_supplicant -u -s -O /run/wpa_supplicant
</pre>
 
to this:
 
<pre>
ExecStart=/sbin/wpa_supplicant -u -s -c /etc/wpa_supplicant/wpa_supplicant.conf -i wlan0
</pre>
 
Also, remove the following line if it is present:
 
<pre>
Alias=dbus-fi.w1.wpa_supplicant1.service # DELETE ME!
</pre>
 
Now enable this service to start on boot:
 
<pre>
sudo systemctl enable wpa_supplicant.service
</pre>
 
==Dhclient on Startup==
 
The dhclient command must be run on startup after the wifi is set up so that bespin will get an IP address.
 
Create an rc.local startup service:
 
<code>/etc/systemd/system/rc-local.service</code>
 
<pre>
[Unit]
Description=/etc/rc.local
ConditionPathExists=/etc/rc.local
 
[Service]
Type=forking
ExecStart=/etc/rc.local start
TimeoutSec=0
StandardOutput=tty
RemainAfterExit=yes
 
[Install]
WantedBy=multi-user.target
</pre>
 
Now add the dhclient command to rc.local:
 
<code>/etc/rc.local</code>
 
<pre>
#!/bin/bash
/sbin/dhclient
exit 0
</pre>
 
Make it executable:
 
<pre>
chmod 744 /etc/rc.local
</pre>
 
Now enable the rc-local service:
 
<pre>
sudo systemctl enable rc-local.service
</pre>
 
Verify it works okay:
 
<pre>
sudo systemctl start rc-local.service
sudo systemctl status rc-local.service
</pre>
 
===Requesting Static IP===
 
If you want to request a static IP from the router, add this to the dhclient config file:
 
<code>/etc/dhcp/dhclient.conf</code>
 
<pre>
interface "wlan0" {
    send dhcp-requested-address 192.168.0.122;
}
</pre>
 
==Disable Network Manager==
 
Next step is to disable the network manager. It takes a lot of commands. Too many commands.
 
<pre>
sudo systemctl stop NetworkManager.service
sudo systemctl disable NetworkManager.service
 
and three more services:
 
sudo systemctl stop NetworkManager-wait-online.service
sudo systemctl disable NetworkManager-wait-online.service
 
sudo systemctl stop NetworkManager-dispatcher.service
sudo systemctl disable NetworkManager-dispatcher.service
 
sudo systemctl stop network-manager.service
sudo systemctl disable network-manager.service
</pre>
 
Don't uninstall it, though, because that will uninstall a bunch of other important gnome packages and you'll be left with a stupid broken ubuntu.
 
Now reboot
 
<pre>
sudo reboot now
</pre>
 
Run <code>sudo service --status-all</code> and verify network manager is not running.
 
==Test Wifi==
 
Test that everything is working as expected by running the ifconfig and iwconfig commands. ifconfig should show an IP address for the wlan0 interface that has the wpa supplicant defined in the network interfaces file. iwconfig should show the name of the wifi network that the wifi card is connected to.
 
===Troubleshooting===
 
If you don't have an IPv4 address, troubleshoot with the following commands:
 
Check if you can reach the internet:
 
<pre>
ping google.com
</pre>
 
Check logs from dhcp service started by rc.local (this gets an IP address from the router and is the most likely culprit):
 
<pre>
sudo service rc-local status
</pre>
 
Check logs from wpa supplicant:
 
<pre>
sudo service wpa_supplicant status
</pre>
 
=Gnome Setup=
 
Now time to tweak the Gnome theme/appearance. You already have Tweak tool installed (see above apt-get install line).
 
==Install Macbuntu Theme==
 
Set it up to look like a mac by installing the macbuntu theme - see http://www.linuxandubuntu.com/home/macbuntu-transform-ubuntu-1604-to-mac-os-x
 
First activate the PPA from noobslab and pull in the new packages:
 
<pre>
sudo add-apt-repository ppa:noobslab/macbuntu
sudo apt-get update
</pre>
 
Now install the macbuntu icons and themes:
 
<pre>
sudo apt-get -y install macbuntu-os-icons-v1804 macbuntu-os-ithemes-v1804
</pre>
 
==Pick Tweak Theme==
 
Now you can open the Tweak tool and pick the Macbuntu theme.
 
==Install Plank==
 
Plank is a dock replacement. To install it:
 
<pre>
sudo apt-get -y install plank
</pre>
 
Noobslab also provides a Macbuntu theme for Plank, to make it look more like the Mac dock. You will need the PPA from noobslab set up (see above add-apt-repository step).
 
<pre>
sudo apt-get -y install macbuntu-os-plank-theme-v1804
</pre>
 
Start it at boot by creating a file in <code>~/.config/autostart</code>.
 
First create the folder:
 
<pre>
mkdir -p ~/.config/autostart
</pre>
 
Now create a Plank startup script:
 
<code>~/.config/autostart/plank.desktop</code>
 
<pre>
[Desktop Entry]
Type=Application
Exec=plank
Hidden=false
NoDisplay=false
X-GNOME-Autostart-enabled=true
Name=Plank
</pre>
 
To open Plank preferences, right-click on the right or left side of the Plank dock and choose Preferences.
 
==Disable Launcher==
 
Run these commands to disable the ubuntu-provided launcher dock:
 
<pre>
cd /usr/share/gnome-shell/extensions/
sudo mv ubuntu-dock@ubuntu.com{,.bak}
</pre>
 
It will take effect when you log out or restart. If you can't wait to see it go, type Alt + F2, then enter the letter "r" in the input box. This will refresh gnome.
 
==Install Albert==
 
Albert is a spotlight/quicksilver replacement.
 
Install it like so:
 
<pre>
sudo add-apt-repository ppa:noobslab/macbuntu
sudo apt-get update
sudo apt-get -y install albert
</pre>
 
 
Start it at boot by creating the following file:
 
<code>~/.config/autostart/albert.desktop</code>
 
<pre>
[Desktop Entry]
Type=Application
Exec=albert
Hidden=false
NoDisplay=false
X-GNOME-Autostart-enabled=true
Name=Albert
</pre>
 
==Albert Shortcut==
 
We want to assign the shortcut Alt + Space to Albert, but this is currently occupied by a default system keyboard shortcut to open the window menu.
 
Let's remap that to Super + Space, then map Alt + Space to Albert.
 
Open Settings, then click Keyboard, and find the Windows section. Look for the Open Window Menu which is assigned the keyboard shortcut Alt + Space. Reassign it to Super + Space. By default this is assigned to something else, which can be disabled.
 
Now run albert from the command line: <code>albert</code>
 
Open the albert preferences. Assign Alt + Space to the Albert shortcut.
 
==Disable Super Key Shortcut==
 
Once you have Albert and Plank, you don't want the super key to open the Launcher because you don't need the launcher. Also, we disabled it.
 
Disable the Super key shortcut, where pressing Super by itself opens the launcher, by running this command:
 
<pre>
gsettings set org.gnome.mutter overlay-key 'Alt_R'
</pre>
 
This works immediately and will survive reboot.
 
Source: https://askubuntu.com/a/1037679
 
==Test with Restart==
 
Restart and test that the startup services start okay:
 
<pre>
sudo reboot now
</pre>
 
You should see:
* The Plank dock on the bottom of the screen
* No launcher on the left side
* The super key should not open the launcher
* (If you have set the Alt + Space shortcut for albert) Alt + Space should open albert
 
==Disable Crash Reporting==
 
===Apport===
 
Disable apport crash reporting:
 
<code>/etc/default/apport</code>
 
Change this:
 
<pre>
enabled=1
</pre>
 
to this:
 
<pre>
enabled=0
</pre>
 
Disable the service:
 
<pre>
sudo systemctl disable apport
sudo systemctl stop apport
</pre>
 
===Whoopsie===
 
Disable whoopsie crash reporting:
 
<code>/etc/default/whoopsie</code>
 
<pre>
report_crashes=false
</pre>
 
Disable the service:
 
<pre>
sudo systemctl disable whoopsie
sudo systemctl stop whoopsie
</pre>
 
=Ansible Setup=
 
Note that it is easiest and safest to perform these steps on a local network (e.g., a wifi router network) that has internet connectivity but that won't expose the Ubuntu server to the public internet.
 
Now use https://github.com/charlesreid1-com/charlesreid1-ansible to run the provision and base plays against the server. Note that this requires root access via ssh, so you have to edit your ssh config file to include this line:
 
<code>/etc/ssh/sshd_config</code>
 
<pre>
PermitRootLogin yes
</pre>
 
Now restart the ssh service:
 
<pre>
sudo service ssh restart
</pre>
 
and test that you can log in as root without a password:
 
<pre>
ssh root@<ip-for-bespin>
</pre>
 
ONLY ENABLE THIS WHILE YOU RUN ANSIBLE! DISABLE IT WHEN YOU ARE DONE!
 
Now run ansible from a different machine:
 
<pre>
# run this from a different machine!
git clone git@github.com:charlesreid1-com/charlesreid1-ansible.git ansible
cd ansible
 
# provision (python3 install)
ANSIBLE_CONFIG="local.cfg" ansible-playbook --extra-vars "machine_name=bespin" provision.yml
 
# set up with all the things
ANSIBLE_CONFIG="local.cfg" ansible-playbook --extra-vars "machine_name=bespin" --vault-password-file=.vault_secret base.yml
</pre>
 
Last, edit your ssh config to disable root login:
 
<code>/etc/ssh/sshd_config</code>
 
Remove this line!
 
<pre>
PermitRootLogin yes # REMOVE ME
</pre>
 
and replace with this one:
 
<pre>
PermitRootLogin no
</pre>
 
Now restart the ssh service:
 
<pre>
sudo service ssh restart
</pre>
 
=Wifi Access Point Setup=
 
In this section we set up Bespin to operate a wifi access point with hostapd. This involves the following:
 
* Install and configure hostapd
* Install and configure dnsmasq
* Configure access point network interface
* Start hostapd
* Create hostapd startup service
 
==Sysctl Changes==
 
Enable bespin to forward packets, a necessary role of an access point router, in the sysctl settings:
 
<code>/etc/sysctl.conf</code>
 
Add this line in the .conf file, it should be there but commented out, add it in:
 
<pre>
net.ipv4.ip_forward=1
</pre>
 
To reload sysctl, run this command:
 
<pre>
sysctl --system
</pre>
 
==Install hostapd==
 
Start by installing hostapd:
 
<pre>
sudo apt-get -y install hostapd
</pre>
 
Create the hostapd config file:
 
<code>/etc/hostapd/hostapd.conf</code>
 
<pre>
interface=wlan1
driver=nl80211
ssid=YOURNETWORKSSID
hw_mode=g
channel=7
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=3
wpa_passphrase=YOURWPAPASSPHRASE
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
</pre>
 
Now set the hostapd configuration file:
 
<code>/etc/default/hostapd</code>
 
<pre>
DAEMON_CONF="/etc/hostapd/hostapd.conf"
</pre>
 
At this point you should be able to start hostapd with this command:
 
<pre>
sudo hostapd /etc/hostapd/hostapd.conf
</pre>
 
You will be able to see the wifi network, and clients will be able to authenticate, but they won't be able to join it because they won't get IP addresses.
 
===Side Note: Bridged Network with Shared DHCP===
 
If you want your AP (wlan1) to share a network with the existing wifi connection (wlan0), and offload the DHCP functionality to the DHCP server of the existing wifi network, you can use the network bridge that hostapd creates (that wlan1 is already attached to) and attach wlan0 to the bridge. This allows clients sending packets to wlan1 to have those packets seen by wlan0.
 
Here are the steps to bring up the bridge:
 
<pre>
sudo ifconfig wlan0 inet 0.0.0.0  # <-- is this necessary???
sudo brctl addif br0 wlan0
sudo ifconfig br0 up
sudo dhclient br0
</pre>
 
Breakdown:
* The bridge already exists, and is already connected to wlan1, so we add the wlan0 device to it
* We bring up the bridge
* We ask for an IP address for the bridge device
 
Here are the steps to bring down the bridge:
 
<pre>
sudo ifconfig br0 down
sudo brctl delif br0 wlan1
sudo brctl delif br0 wlan0
sudo ifconfig br0 down
sudo dhclient wlan0
</pre>
 
This is all you have to do, and you're done - no need for a DHCP server.
 
==dnsmasq for DHCP and DNS==
 
We are going to install dnsmasq to provide a DHCP and DNS service for the AP network.
 
Start by installing it with apt-get:
 
<pre>
sudo apt-get -y install dnsmasq
</pre>
 
This will try to start dnsmasq, but it will fail and print red text. This is fine - the system's built-in systemd-resolved is already listening on port 53 so we will need to disable this service. (But we need dnsmasq installed FIRST, because disabling systemd-resolved will cause DNS queries to fail, so the internet connection will break. We need dnsmasq ready to start and take over the DNS duties.)
 
<pre>
sudo systemctl disable systemd-resolved
sudo systemctl stop systemd-resolved
</pre>
 
Preserve the original dnsmasq config file, which has a lot of useful information:
 
<pre>
sudo mv /etc/dnsmasq.conf{,.orig}
</pre>
 
Now create the dnsmasq config file:
 
<code>/etc/dnsmasq.conf</code>


<pre>
==Related Articles==
interface=wlan1
dhcp-range=192.168.10.100,192.168.10.150,255.255.255.0,24h
</pre>


Now we are ready to start up dnsmasq:
* [[Ubuntu/OpenVPN Server]] - set up an OpenVPN server on a Ubuntu machine (not running on bespin)


<pre>
==Old Irrelevant Articles==
sudo systemctl enable dnsmasq
sudo systemctl start dnsmasq
</pre>


===Set Preferred DNS Nameservers===
Articles that are no longer relevant to bespin but that may have useful information for some future project.


(Following instructions from [[RaspberryPi/Hotspot]])
* <s>[[Ubuntu/Bespin/Second AP Tunnel]]</s> - this ended in failure, twice. short version: you can't have multiple simultaneous PIA tunnels in OpenVPN without significant extra configuration, so no need to go this above and beyond.


Remove the existing file at <code>/etc/resolv.conf</code> (a symlink to a network manager thing). Create a new version of the file that specifies preferred nameservers:
* <s>[[Ubuntu/Bespin/Wifi Repeater]]</s> - using bespin to run hostapd and make a wifi repeater


<pre>
* <s>[[Ubuntu/Bespin/Old/Wifi AP Setup]]</s> set up a wireless AP to create/host a wifi hotspot on the machine
nameserver 1.1.1.1
nameserver 8.8.8.8
</pre>


NOTE: this file will be overwritten at boot by Network Manager. If your DNS is broken and dnsmasq does not seem to be able to find a preferred nameserver, circle back and double-check that network manager has been disabled.
* <s>[[Ubuntu/Bespin/Old/AP PIA Tunnel]]</s> - route traffic from a wireless AP to a PIA VPN tunnel


===Improved Logging===
* <s>[[Ubuntu/Bespin/Old/Iptables]]</s> - old iptables rules for things that aren't actually running on Bespin


Dnsmasq configuration file has a log-facility option to control where logs go. Add this to the config file:


<pre>
log-facility=/var/log/dnsmasq.log
</pre>


==Testing the AP==
Before testing everything out, do a reboot and make sure that all services are running as expected (dnsmasq in paarticular) and that network interfaces are configured as expected.
To test the AP, we will run hostapd manually first. Checklist for testing if the access point works:
* is dnsmasq service running? (Yes)
* is hostapd service running? (No)
* is static ip set for the wifi card creating the AP in /etc/network/interfaces? (Yes, 192.168.10.1)
* does ifconfig show that IP? (Yes)
* can cients see to wifi network? (Yes)
* can clients connect to wifi network? (Yes)
* does handshake process succeed? (Yes)
* does client receive an IP? (Yes)
* can client access internet? (No)
Now run hostapd manually:
<pre>
sudo hostapd /etc/hostapd/hostapd.conf
</pre>
To add more debug info:
<pre>
sudo hostapd -d /etc/hostapd/hostapd.conf
</pre>
To log it to a file,
<pre>
sudo hostapd -d /etc/hostapd/hostapd.conf 2>&1 | tee hostapd.log
</pre>
From a phone or another computer, connect to the wireless network and verify you get an IP in the lease range specified in the dnsmasq config file.
=VPN Tunnel=
In this section we set up a VPN tunnel using OpenVPN and a pre-existing OpenVPN server. For this specific example we cover the use of Private Internet Access, a third-party VPN provider.
=Related Pages=
* [[Ubuntu/Bespin/TIL]] - the summary of "today I learned" things that I learned while setting up Bespin


[[Category:Ubuntu]]
[[Category:Ubuntu]]

Latest revision as of 05:38, 19 August 2020

Step by Step Articles

All the setup involved for bespin, a Ubuntu 18.04 desktop server.

  • Ubuntu/Bespin/DNS - removing the built-in DNS server on Ubuntu and replacing it with dnsmasq
  • Ubuntu/Bespin/PiHole - run an instance of PiHole, the DNS sinkhole, in a Docker container; install it between dnsmasq and the VPN tunnel, so all DNS queries will pass through the PiHole
  • Ubuntu/Bespin/Iptables - Update the iptables rules to allow better protection of the server and be less permissive
  • Ubuntu/Bespin/TIL - the summary of "today I learned" things that I learned while setting up Bespin

Related Articles

Old Irrelevant Articles

Articles that are no longer relevant to bespin but that may have useful information for some future project.

  • Ubuntu/Bespin/Second AP Tunnel - this ended in failure, twice. short version: you can't have multiple simultaneous PIA tunnels in OpenVPN without significant extra configuration, so no need to go this above and beyond.
Retrieved from "https://charlesreid1.com/w/index.php?title=Ubuntu/Bespin&oldid=28545"