OpenHazuki (the network for the people, by the people)

Documentation :: Node Setup

Setting Up/Installing a Node

  1. Find adequate hardware and prepare

    Here at OpenHazuki, we need a platform that can handle a decent amount of dynamic routes and have enough routing ability to use the full available throughput of whatever conduit we're working with. That is to say, the router node in question should be able to do at least 50mbps, and a lot of systems fall under that, even Pentiums, but nothing with an ISA bus.

    So far we've had good experience with Linksys WRT54G's. They're cheap, and have all the capability we need. And in order to access that capability, we install OpenWRT; it gives us the ability to have full access to the router's innards.

    This is guide is for setting up WRT54G's, specifically. With other routers, you'll probably need to do a little tweaking, especially with the interface names.

    Before you install anything though, you should probably ask cyanoacry for an address allocation.

  2. Install OpenWRT on whatever hardware you have

    The OpenWRT install guide is here.

    The install should be pretty easy. Here's a page you can use to manipulate the router variables (such as enable boot_wait) before you actually install OpenWRT.

  3. Basic Customization

    At this point, you'll have a fully functional OpenWRT system on your hands. What we need to do now is get some basic connectivity up and install some packages.

    Because we're doing the package installs before the networking reconfiguration, you'll need some basic connectivity. Reconnect your router to the LAN you're on, and telnet into your router. After that, execute the following command to make sure that your router picks up an internet address that you can use:

    root@OpenWrt:~# nvram set wan_proto=dhcp
    root@OpenWrt:~# nvram commit

    At this point you can safely powercycle the router. You'll need to edit /etc/resolv.conf to set nameservers so that you can look up hostnames; ipkg needs this.

    It's probably best to update the ipkg package list right now, so that you get the latest versions of the packages:

    root@OpenWrt:/etc# ipkg update

    We need the following packages:

    • nas — allows us to configure WEP/WPA
    • quagga — the base of our routing suite
    • quagga-bgpd — the central routing protocol we're using
    • quagga-ripd — optional (only necessary if it's a node that needs to be synced to another network)

    You can install these using the command:

    root@OpenWrt:/etc# ipkg install <package>

    After the necessary packages are in place, it's time to set the hostname. Here, you've got a chance to leave your impression on the network—name the router whatever you'd like, and as long as it isn't offending, nobody will really care what it is.

    root@OpenWrt:~# nvram set wan_hostname=<hostname>
    root@OpenWrt:~# nvram commit

    You can, and probably should, stick a label on the router in a plainly visible place indicating its name and owner. I like to stick a label on the faceplate with the hostname and my e-mail address.

    We can setup the password for the root account now and disable telnet:

    root@OpenWrt:~# passwd
    Changing password for root
    Enter the new password (minimum of 5, maximum of 8 characters)
    Please use a combination of upper and lower case letters and numbers.
    Enter new password: 
    Re-enter new password:
    Password changed.
    root@OpenWrt:~# rm /etc/init.d/S50telnet
    root@OpenWrt:~# reboot

    You can now reconnect using ssh with the root account.

  4. Configure Network Hardware

    We need to reconfigure the network defaults, as we can't use the interfaces as they are now.

    1. Remove the bridge

      The default OpenWRT configuration is for a bridged LAN/WiFi network—not exactly what we want. To disable it, all we need to do is tell the startup scripts that the bridge isn't the LAN interface.

      Note: This is probably specific to the WRT54G. You'll need to change the interface name if using another router.

      root@OpenWrt:~# nvram set lan_ifname=vlan0
      root@OpenWrt:~# nvram commit
    2. Assign new addresses

      Now we need to actually assign the router the addresses needed. You'll have received the following information from cyanoacry:

      • Router Client Network
      • Link Network
      • Wireless Info
        • SSID
        • Channel
        • Encryption things (node mode, key, etc.)

      To address the router client network:

      root@OpenWrt:~# nvram set lan_proto=static
      root@OpenWrt:~# nvram set lan_ifname=vlan0
      root@OpenWrt:~# nvram set lan_ipaddr=<address>
      root@OpenWrt:~# nvram set lan_netmask=<netmask>
      root@OpenWrt:~# nvram commit

      You'll have to connect a system and be on that given network in order for you to access the router again, if you reboot at this point.

      To address the wireless link:

      root@OpenWrt:~# nvram set wifi_proto=static
      root@OpenWrt:~# nvram set wifi_ifname=eth1
      root@OpenWrt:~# nvram set wifi_ipaddr=<address>
      root@OpenWrt:~# nvram set wifi_netmask=<netmask>
      root@OpenWrt:~# nvram commit

      Note that this just assigns a network address to the interface; we'll setup the actual wireless parameters later.

      At this point, we've taken care of two of the three interfaces—the LAN interface and the wireless interface. The WAN interface is going to be unused for now, so we'll disable that:

      root@OpenWrt:~# nvram set wan_proto=none
      root@OpenWrt:~# nvram set wan_ifname=vlan1
      root@OpenWrt:~# nvram commit
    3. Configure the wireless

      We're basically setting up the SSID/channel and encryption here:

      root@OpenWrt:~# nvram set wl0_ssid='<ssid>'
      root@OpenWrt:~# nvram set wl0_channel=<channel>
      root@OpenWrt:~# nvram set wl0_infra=1
      root@OpenWrt:~# nvram set wl0_closed=1
      root@OpenWrt:~# nvram set wl0_mode=<node mode>
      root@OpenWrt:~# nvram set wl0_akm=psk2
      root@OpenWrt:~# nvram set wl0_crypto=aes
      root@OpenWrt:~# nvram set wl0_wpa_psk='<encryption key>'
      root@OpenWrt:~# nvram commit

      wl0_ssid defines the SSID to associate with. It's the link id.

      wl0_channel defines the channel that the node is on, and depending on the circumstances, the channel assignment may change, but likely values are 1, 5, or 11.

      wl0_infra defines the infrastructure mode: AP/client or ad-hoc. For OpenHazuki, we'll set all the links to be AP/client due to the fact that WPA works with that methodology (I don't believe there's an equivalent protection scheme for ad-hoc networks.)

      wl0_akm, wl0_crypto, wl0_mode, and wl0_wpa_psk all pertain to the encryption used on the wireless link. In this case, we're using WPA/PSK2 (PreShared Key) authentication with AES encryption, which is the best encryption that the WRT54G can muster. wl0_wpa_psk defines the preshared key that's needed for one node to recognize another—basically a password for the link.

      wl0_closed defines whether or not the SSID is broadcast, and we don't want it to be, as it'd make it easier for people to find our links (not something we particularly want).

  5. Configure Network Software

    1. Stop unnecessary daemons

      By default, OpenWRT comes with a small webserver and DHCP server running. We don't need those in this enviroment.

      root@OpenWrt:~# rm /etc/init.d/S50dnsmasq
      root@OpenWrt:~# rm /etc/init.d/S50httpd
    2. Configure the firewall/iptables

      According to this policy, we'll structure our firewall rules. Basically, all traffic passes through unaltered, while access to the router itself is restricted.

      We'll modify /etc/init.d/S45firewall even though OpenWRT tells us not to (it's important not to mess up or else you could find yourself locked out). It'll be the core of the policy, while the file /etc/firewall.user lists the various exceptions to the rule.

      First, though, we need to copy over those two files (/etc/firewall.user and /etc/init.d/S45firewall) to the real root in order to make them editable:

      root@OpenWrt:~# rm /etc/init.d/S45firewall; cp /rom/etc/init.d/S45firewall /etc/init.d/
      root@OpenWrt:~# rm /etc/firewall.user; cp /rom/etc/firewall.user /etc/

      (In case anybody wants to read the consise version, the patch is here.)

      Input Rules

      This chain basically dictates the acceptance/denial/mangling of any packet destined toward the router itself. As such, it'll be restricted.

      Open up /etc/inet.d/S45firewall and look for these lines in the INPUT section:

      iptables -A INPUT -i \! $WAN        -j ACCEPT       # allow from lan/wifi interfaces 
      iptables -A INPUT -p gre     -j ACCEPT       # allow GRE

      Remove them.

      Now, look for the following lines:

      iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
      iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable

      And replace it with this one:

      iptables -A INPUT -j DROP

      Essentially, all that did was limit access to the router to only icmp. Not even things plugged in directly will be able to access it at this point, and it'll appear as a black hole for security purposes.

      Now, though, we can allow some things in. Edit /etc/firewall.user and add the following lines underneath the BIG FAT DISCLAIMER:

      iptables -A input_rule -p tcp --dport 22 -j ACCEPT
      iptables -A input_rule -p tcp --dport 179 -j ACCEPT
      iptables -A input_rule -d -p tcp --dport 2601 -j ACCEPT
      iptables -A input_rule -d -p tcp --dport 2605 -j ACCEPT

      This allows SSH (port 22) and BGP (port 179) in so that we can administer it. The latter two rules allow someone already inside to telnet to localhost and twiddle with the routing software (port 2601 is the zebra configuration socket, and port 2605 is the BGP daemon config socket).

      Output Rules

      The router should pretty much have free reign on its outgoing connections, and this is how it comes by default. No need to change anything for this.

      Forwarding Rules

      Again, with the open routing policy, packets should be able to flow from one computer through another freely (open forwarding). This is almost how it is in the default configuration, but we'll add another rule to accept anything and everything.

      In /etc/init.d/S45firewall:

      iptables -A FORWARD -j ACCEPT

      Add that after the following line:

      iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
      Masquerade Rules

      We aren't changing any IP addresses on any of the packets we're processing, and ideally everybody should be reachable end-to-end without having a need for NAT on this network. We'll disable masquerading for the time being.

      Delete the following line from /etc/init.d/S45firewall:

      iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE

      All done here!

    3. Configure Quagga

      Quagga's got a base daemon that manages all of the actual routing daemons. To make it run, all it needs is a very basic configuration file in /etc/quagga/zebra.conf .

      The file looks something like this:

      hostname <hostname>
      password testing
      enable password testing

      You can now start up and telnet into the zebra daemon and change the password to something realistic:

      root@OpenWrt:~# /etc/init.d/quagga start
      quagga: Starting zebra ... done.
      quagga: Starting watchquagga ... done.
      root@OpenWrt:~# telnet localhost 2601
      ...things ommitted...
      User Access Verification
      OpenWrt> enable
      OpenWrt# configure terminal
      OpenWrt(config)# service password-encryption
      OpenWrt(config)# password yourpasswordhere
      OpenWrt(config)# enable password yourpasswordhere
      OpenWrt(config)# quit
      OpenWrt# copy running-config startup-config
      Configuration saved to /etc/quagga/zebra.conf
      OpenWrt# quit
      Connection closed by foreign host.

      Basically, you logged in, then went into the enable configuration mode (which is really nifty, you can change the configuration on the fly), then enabled password encryption. You then set the passwords, and copied the configuration in memory out to the file on the drive.

      That's it for the base daemon.

    4. Configure BGPd

      This configuration tends to be really situation dependent, so I'll hold off on writing a template example file for now. Contact cyanoacry and he'll help you set it up and answer any questions you might have.