Secure Internet Appliance for Small Office / Home Office HOWTO

Firewall, VPN Server and Wireless Access Point on an SBC, version 3.3

ing. C.J.S. Vonk

    Coert (dot) Vonk (at) gmail (dot) com

Legal Notice

1. Key Features
2. Why start from scratch?
3. Audience
4. Tarball and new versions of this document
5. Revision History
6. Contributions
7. Feedback
8. Organization of this document
1. The nuts and bolts
1.1. Compile host
1.2. Single Board Computer
1.3. Wireless Network Interface Card
1.4. Cost to Build
1.4.1. Alternatives
2. Toolchain and libraries
2.1. Environment Variables
2.2. GCC with uClibc library
2.3. Libraries
2.3.1. Data compression (zlib)
2.3.2. Crypto (openssl)
2.3.3. Lexical (flex)
2.3.4. Wireless Configuration (wireless_tools)
2.3.5. IP Routing Configuration (iproute2)
3. Kernel, Coreutils and Boot Loader
3.1. Kernel - linux
3.2. Coreutils - busybox
3.2.1. Boot sequence
3.3. Prepare the CF card
3.3.1. Partition table
3.3.2. Boot Loader
3.4. Create compressed Root File System (rootfs.gz)
3.5. Make the kernel and rootfs.gz available
3.5.1. Boot from CF: copy kernel and rootfs.gz
3.5.2. Boot from PXE server (etherboot, pxelinux): copy kernel and rootfs.gz
3.6. First boot
4. Daemons and Drivers
4.1. Secure Shell (SSH)
4.1.1. Public Key Authentication
4.1.2. Password Authentication (optional)
4.2. Firewall (iptables)
4.3. Dynamic Host Configuration Protocol (DHCP)
4.4. Domain Name Forwarder (DNS)
4.5. Network Time Protocol (NTP)
4.6. Hypertext Transfer Protocol (HTTP) (optional)
4.7. IP Security (IPsec)
4.8. Layer 2 Tunneling Protocol (L2TP)
4.9. Point-to-Point Protocol (PPP)
4.10. Wireless Driver (madwifi)
4.11. Wireless Authenticator and Authentication Server (hostapd)
4.12. Domain name with dynamic IP (IN PROGRESS)
5. Network Configuration
5.1. Internal Network Configuration
5.1.1. Hostname
5.1.2. Interface configuration
5.1.3. DHCP Server and DNS Forwarder configuration
5.2. External Network Configuration
5.2.1. Static configuration
5.2.2. Dynamic Host Configuration Protocol (DHCP)
5.2.3. Point-to-Point Protocol over Ethernet (PPPoE)
5.3. Firewall Configuration
5.3.1. Policies, NAT and IPsec
5.3.2. Firewall Builder Tweak for SISO
5.4. Traffic Control
5.4.1. Requirements
5.4.2. Implementation
5.5. Keeping an eye on things (logwatch)
6. Virtual Private Network Server
6.1. Certificates
6.1.1. Root CA certificate
6.1.2. Create the certificates
6.2. Server Configuration
6.2.1. Import Certificates
6.2.2. IPsec
6.2.3. L2TP (for Windows/XP clients)
6.2.4. PPP (for Windows/XP clients)
6.2.5. MPPC (for Windows/XP clients)
6.3. Linux Client (FC3)
6.3.1. Authentication
6.3.2. Encryption keys and authentication policies
6.3.3. Encryption policy
6.3.4. Successful connection
6.4. Windows/XP Client
6.4.1. Import Certificates
6.4.2. Setting up the VPN
6.4.3. Successful connection
6.5. Debugging Tips
6.6. Other resources
7. Secure Wireless
7.1. Methods
7.1.1. Wired Equivalent Privacy (WEP)
7.1.2. WiFi Protected Access (WPA) and IEEE 802.11i (RSN)
7.2. Certificates
7.2.1. Root CA certificate
7.2.2. Create the certificates
7.3. Authenticator and Authentication Server
7.3.1. Import Certificates
7.3.2. Configuration
7.4. Linux Supplicant
7.4.1. Wireless Tools
7.4.2. Install WiFi driver
7.4.3. Configure WiFi driver
7.4.4. Import Certificates
7.4.5. Install supplicant daemon
7.4.6. Authenticate using certificates (EAP-TLS)
7.5. Windows/XP with built-in Supplicant
7.5.1. Import Certificates
7.5.2. Authenticate using certificates (EAP-TLS)
7.5.3. Authenticate using username/password (EAP-PEAP)
7.6. Windows/XP with Intel PROSet Supplicant
7.6.1. Import Certificates
7.6.2. Authenticate using certificates (EAP-TLS)
7.6.3. Authenticate using username/password (EAP-PEAP)
A. APPENDIX: Buildroot, kernel and Busybox .config
A.1. buildroot .config
A.2. binutils-
A.3. linux-2.6.24 .config
A.4. busybox .config
B. APPENDIX: Configuration Files for Kernel, Coreutils and Boot Loader
B.1. /etc/passwd
B.2. /etc/group
B.3. /etc/shells
B.4. /etc/services
B.5. /etc/fstab
B.6. /etc/hosts
B.7. /etc/resolv.conf
B.8. /root/.profile
B.9. /etc/inittab
B.10. /etc/rc.d/rc.sysinit
B.11. /etc/rc.d/rc.shutdown
B.12. /etc/init.d/functions
B.13. /etc/init.d/syslogd
B.14. /etc/sysconfig/syslogd.conf
B.15. /etc/init.d/watchdog
B.16. /etc/sysconfig/watchdog.conf
B.17. /etc/init.d/gpio
B.18. /etc/sysconfig/gpio.conf
B.19. /etc/init.d/network
B.20. /etc/init.d/dropbear
B.21. /etc/init.d/dnsmasq
B.22. /etc/init.d/mini_httpd
B.23. /etc/init.d/hostapd
B.24. /etc/init.d/ntpd
B.25. /etc/init.d/racoon
B.26. /etc/init.d/l2tpd
B.27. /etc/sysconfig/network/ifup
B.28. /etc/sysconfig/network/ifdown
C. APPENDIX: Configuration Files for Services
C.1. /etc/TZ
C.2. /etc/sysconfig/ntpd.conf
C.3. /etc/sysconfig/ntpd/ntpserver
C.4. /etc/sysconfig/mini_httpd.conf
D. APPENDIX: Configuration Files for network configuration
D.1. /etc/sysconfig/network.conf
D.2. /etc/sysconfig/network/lo.conf
D.3. /etc/sysconfig/network/eth0.conf
D.4. /etc/sysconfig/dnsmasq.conf
D.5. /etc/sysconfig/dnsmasq/hosts
D.6. /etc/sysconfig/dnsmasq/resolv.conf
D.7. /etc/sysconfig/network/eth1.conf
D.8. /etc/sysconfig/network/udhcpc.script
D.9. /etc/init.d/firewall
D.10. /etc/sysconfig/firewall.conf
D.11. /etc/init.d/tc
D.12. /usr/bin/tcstat
D.13. /etc/sysconfig/tc.conf
E. APPENDIX: Configuration Files for VPN Server
E.1. gencert
E.2. openssl.conf
E.3. /etc/sysconfig/racoon.conf
E.4. /etc/sysconfig/l2tpd.conf
E.5. /etc/sysconfig/ppp/options.l2tp
E.6. /etc/sysconfig/ppp/chap-secrets
E.7. vpn-client:/etc/sysconfig/racoon/racoon.conf
E.8. vpn-client:/etc/sysconfig/ipsec/setkey.conf
F. APPENDIX: Patch file and Configuration files for Secure Wireless
F.1. /etc/sysconfig/network/ath0.conf
F.2. hostapd .config
F.3. /etc/sysconfig/hostapd.conf
F.4. /etc/sysconfig/hostapd/hostapd.eap_user
F.5. wpa_supplicant .config
F.6. wpa-supplicant:/etc/init.d/wpa_supplicant
F.7. wpa-supplicant:/etc/sysconfig/wpa_supplicant
F.8. wpa-supplicant:/etc/wpa_supplicant/wpa_supplicant.conf
F.9. wpa-supplicant:/etc/sysconfig/network-scripts/ifcfg-wlan0
F.10. patch for syslog:/etc/log.d/scripts/shared/onlyhost
F.11. syslog:/etc/log.d/conf/services/firewall.conf
F.12. syslog:/etc/log.d/scripts/services/firewall
F.13. syslog:/etc/log.d/conf/services/dnsmasq.conf
F.14. syslog:/etc/log.d/scripts/services/dnsmasq
F.15. syslog:/etc/log.d/conf/services/hostapd.conf
F.16. syslog:/etc/log.d/scripts/services/hostapd