@jjzazuet
Last active April 24, 2022 20:45
Debian router on ZOTAC ZBOX PI22

Install Debian on the PI22, using a USB Ethernet adapter to fetch Debian updates during setup. This write-up uses this awesome LTE hotspot tutorial as a starting point.

apt-get update && apt-get upgrade
apt-get install libqmi-utils modemmanager net-tools tcpdump dnsutils

Configure the LTE connection APN

echo "APN=simple" > /etc/qmi-network.conf

Configure the LTE modem interface wwp0s21f0u2i4 in /etc/network/interfaces.

auto wwp0s21f0u2i4
allow-hotplug wwp0s21f0u2i4
iface wwp0s21f0u2i4 inet dhcp

Allow root login for ssh in /etc/ssh/sshd_config (kind of like OpenWRT does).

PermitRootLogin yes

Install wifi hotspot packages

apt-get install -y dnsmasq hostapd openssl iptables-persistent

Configure wlp1s0 with a static IP

auto wlp1s0
allow-hotplug wlp1s0
iface wlp1s0 inet static
    address 172.16.3.1
    netmask 255.255.255.0

Configure wlp1s0 as an access point in /etc/hostapd/hostapd.conf (5GHz band)

#### Interface configuration ####
interface=wlp1s0
driver=nl80211

#### WPA/IEEE 802.11 related configuration ####
ssid=gopher
hw_mode=a
channel=0
country_code=US
ignore_broadcast_ssid=0

#### WPA/IEEE 802.11i configuration ####
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=wearethegreatgopher
rsn_pairwise=CCMP
auth_algs=1
macaddr_acl=0

Then set as default configuration in /etc/default/hostapd

DAEMON_CONF="/etc/hostapd/hostapd.conf"
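As an added check, not part of the original gist: a small POSIX shell audit that reads a hostapd.conf and flags the settings that weaken the access point (WPA1 allowed, TKIP allowed, WEP shared-key authentication enabled, a passphrase outside hostapd's accepted length, a world-readable config file). The two sample configs it runs on are constructed, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original gist: audit a hostapd.conf for the
# WPA2 settings that matter before bringing the access point up. The sample
# configs below are constructed; pass a real path (e.g. /etc/hostapd/hostapd.conf)
# to hostapd_audit on the router.

# Read the last value of key $2 from hostapd-style key=value file $1.
hostapd_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# Print one line per problem; return 0 only if every check passes.
hostapd_audit() {
    file=$1; rc=0
    wpa=$(hostapd_get "$file" wpa)
    [ "$wpa" = "2" ] || { echo "FAIL: wpa=$wpa (want 2: RSN/WPA2 only, no WPA1)"; rc=1; }

    pairwise=$(hostapd_get "$file" rsn_pairwise)
    case "$pairwise" in
        *TKIP*) echo "FAIL: rsn_pairwise=$pairwise allows TKIP (want CCMP only)"; rc=1 ;;
        *CCMP*) ;;
        *)      echo "FAIL: rsn_pairwise=$pairwise (want CCMP)"; rc=1 ;;
    esac

    [ -n "$(hostapd_get "$file" wpa_key_mgmt)" ] \
        || { echo "FAIL: wpa_key_mgmt not set"; rc=1; }

    auth=$(hostapd_get "$file" auth_algs)
    [ "$auth" = "1" ] || { echo "FAIL: auth_algs=$auth (want 1: open system; value 2 adds WEP shared-key auth)"; rc=1; }

    pass=$(hostapd_get "$file" wpa_passphrase)
    len=${#pass}
    if [ "$len" -lt 8 ] || [ "$len" -gt 63 ]; then
        echo "FAIL: wpa_passphrase is $len chars; hostapd requires 8 to 63"; rc=1
    fi

    # The passphrase sits in clear text, so the file must not be world-readable.
    case "$(ls -l "$file" | cut -c8-10)" in
        ---) ;;
        *)   echo "WARN: $file is readable by others; chmod 600 it" ;;
    esac
    return $rc
}

# Write a constructed sample config ("good" or "weak") to file $2.
write_sample_conf() {
    if [ "$1" = "weak" ]; then
        cat > "$2" <<'EOF'
interface=wlp1s0
ssid=gopher
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_passphrase=short1
rsn_pairwise=TKIP CCMP
auth_algs=3
EOF
    else
        cat > "$2" <<'EOF'
interface=wlp1s0
ssid=gopher
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=wearethegreatgopher
rsn_pairwise=CCMP
auth_algs=1
EOF
    fi
}

# Audit a constructed sample; usage: demo_hostapd_audit good|weak
demo_hostapd_audit() {
    f=$(mktemp)
    write_sample_conf "$1" "$f"
    if hostapd_audit "$f"; then rc=0; else rc=$?; fi
    rm -f "$f"
    return $rc
}

echo "== good sample =="; demo_hostapd_audit good && echo "OK"
echo "== weak sample =="; demo_hostapd_audit weak || echo "rejected, as expected"
```

On the router, `hostapd_audit /etc/hostapd/hostapd.conf` before `systemctl restart hostapd` catches a downgraded cipher or a too-short passphrase before clients ever see the network; hostapd itself refuses passphrases outside 8 to 63 characters, the rest it will happily run with.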

Configure dnsmasq in /etc/dnsmasq.conf

interface=wlp1s0
dhcp-range=wlp1s0,172.16.3.100,172.16.3.254,255.255.255.0,12h
domain=gopher.io
domain-needed
expand-hosts
log-queries

Install the OpenVPN client

apt-get install -y openvpn

Copy the *.ovpn config file to /etc/openvpn/client.conf and add this line to it:

auth-user-pass pw.txt

Create a new file named pw.txt and then add your client's username and password:

username
password

Then start the VPN client.

systemctl start openvpn@client
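An added helper, not from the original gist: pw.txt holds a clear-text VPN credential, so it is worth creating it with a restrictive umask (so it never exists world-readable, even briefly) and checking it before the client starts. The directory and credentials below are constructed; on the router the directory would be /etc/openvpn, where the relative `auth-user-pass pw.txt` path is resolved (an assumption about how the Debian unit runs, not something the gist states). Function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original gist: create and verify the
# OpenVPN credential file. Directory and credentials are constructed here;
# pass /etc/openvpn and the real username/password on the router.

# Write username and password to $1/pw.txt, one per line, as mode 600.
# The umask is set in a subshell so it does not leak into the caller.
write_ovpn_creds() {
    dir=$1; user=$2; pass=$3
    (umask 077 && printf '%s\n%s\n' "$user" "$pass" > "$dir/pw.txt")
    chmod 600 "$dir/pw.txt"
}

# Return 0 if $1/pw.txt is usable and not exposed; print each problem otherwise.
check_ovpn_creds() {
    f=$1/pw.txt; rc=0
    [ -f "$f" ] || { echo "FAIL: $f missing"; return 1; }
    mode=$(ls -l "$f" | cut -c1-10)
    [ "$mode" = "-rw-------" ] \
        || { echo "FAIL: $f mode is $mode, want -rw-------"; rc=1; }
    lines=$(grep -c '' "$f")
    [ "$lines" -eq 2 ] \
        || { echo "FAIL: $f has $lines lines; OpenVPN expects username then password"; rc=1; }
    grep -q '^$' "$f" && { echo "FAIL: $f contains an empty line"; rc=1; }
    return $rc
}

# Demonstrate on a constructed temp directory; usage: demo_ovpn_creds good|exposed
demo_ovpn_creds() {
    d=$(mktemp -d)
    write_ovpn_creds "$d" "example-user" "example-password"
    # "exposed" simulates a file copied over with default permissions.
    if [ "$1" = "exposed" ]; then chmod 644 "$d/pw.txt"; fi
    if check_ovpn_creds "$d"; then rc=0; else rc=$?; fi
    rm -rf "$d"
    return $rc
}

echo "== fresh file =="; demo_ovpn_creds good && echo "OK"
echo "== exposed file =="; demo_ovpn_creds exposed || echo "rejected, as expected"
```

Running `check_ovpn_creds /etc/openvpn` as a pre-start step (or simply before `systemctl start openvpn@client`) is a cheap way to notice a credential file that was copied onto the box with the wrong mode.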

Remove the domain-name-servers entry from the request option in /etc/dhcp/dhclient.conf so that the DNS servers offered by the LTE upstream interface are ignored.

request domain-name-servers <--- remove this attribute

Put custom DNS entries in /etc/resolv.conf (Google's nameservers in this case).

nameserver 8.8.8.8

Enable IP forwarding (permanently) in /etc/sysctl.conf

net.ipv4.ip_forward=1
net.core.default_qdisc=fq
net.ipv4.tcp_congestion_control=bbr

Clear all iptables rules

iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -F
iptables -t mangle -F
iptables -F
iptables -X

Use the following iptables rules in /etc/iptables.ipv4.nat to:

  • Accept ssh connections, DNS and DHCP service on wifi interface.
  • Enable external routing on tun0 interface only.
  • Enable loopback routing from needed interfaces only.
  • Add routing rules to leave TTL values unmodified. In my case, the cellular carrier drops all packets having a TTL less than 64.

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i wlp1s0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i wlp1s0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i wlp1s0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i wlp1s0 -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i wwp0s21f0u2i4 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A FORWARD -i tun0 -o wlp1s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wlp1s0 -o tun0 -j ACCEPT
-A OUTPUT -o wlp1s0 -p tcp -m tcp --sport 22 -j ACCEPT
-A OUTPUT -o wlp1s0 -p udp -m udp --sport 53 -j ACCEPT
-A OUTPUT -o wlp1s0 -p tcp -m tcp --sport 53 -j ACCEPT
-A OUTPUT -o wlp1s0 -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o wwp0s21f0u2i4 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
COMMIT

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o tun0 -j MASQUERADE
COMMIT

*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -j TTL --ttl-set 65
COMMIT
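An added check, not part of the original gist: a POSIX shell audit over an iptables-save dump (the format of /etc/iptables.ipv4.nat) that confirms the properties the rules above are meant to give: default-deny filter policies, forwarding only into tun0 (so clients cannot reach the carrier network directly while the VPN is down), unsolicited WAN input dropped, and masquerading on the tunnel only. Interface names are parameters; the sample dumps are constructed, the first mirroring the rules above, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original gist: audit an iptables-save dump
# (e.g. /etc/iptables.ipv4.nat) for the guarantees the rules above are meant
# to provide. The sample rulesets below are constructed.

# Print the rules of table $2 (filter, nat, mangle) from dump file $1.
table_rules() {
    awk -v t="*$2" '$0 == t { on = 1; next } /^COMMIT/ { on = 0 } on' "$1"
}

# ruleset_audit DUMP LAN_IF WAN_IF VPN_IF; returns 0 only if all checks pass.
ruleset_audit() {
    dump=$1; lan=$2; wan=$3; vpn=$4; rc=0
    filter=$(table_rules "$dump" filter)
    nat=$(table_rules "$dump" nat)

    # 1. Default deny in every filter chain.
    for chain in INPUT FORWARD OUTPUT; do
        printf '%s\n' "$filter" | grep -q "^:$chain DROP" \
            || { echo "FAIL: filter $chain policy is not DROP"; rc=1; }
    done

    # 2. Kill switch: client traffic is forwarded into the tunnel only, never
    #    straight out the LTE link.
    if printf '%s\n' "$filter" | grep -- '^-A FORWARD ' | grep -q -- "-o $wan "; then
        echo "FAIL: a FORWARD rule sends client traffic out $wan, bypassing $vpn"; rc=1
    fi
    printf '%s\n' "$filter" | grep -q -- "^-A FORWARD -i $lan -o $vpn .*-j ACCEPT$" \
        || { echo "FAIL: no FORWARD rule from $lan into $vpn"; rc=1; }

    # 3. The WAN side accepts only replies to connections the router opened.
    if printf '%s\n' "$filter" | grep -- "^-A INPUT -i $wan " \
            | grep -v -- '--state RELATED,ESTABLISHED' | grep -q -- '-j ACCEPT$'; then
        echo "FAIL: INPUT accepts unsolicited traffic on $wan"; rc=1
    fi

    # 4. Masquerade towards the tunnel only; a WAN masquerade would route
    #    clients around the VPN.
    printf '%s\n' "$nat" | grep -q -- "^-A POSTROUTING -o $vpn -j MASQUERADE$" \
        || { echo "FAIL: no MASQUERADE on $vpn"; rc=1; }
    if printf '%s\n' "$nat" | grep -q -- "-o $wan -j MASQUERADE"; then
        echo "FAIL: MASQUERADE on $wan leaks client traffic outside the VPN"; rc=1
    fi
    return $rc
}

# Constructed sample mirroring the gist's filter and nat tables (abridged).
sample_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i wlp1s0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i wwp0s21f0u2i4 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A FORWARD -i tun0 -o wlp1s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wlp1s0 -o tun0 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o wwp0s21f0u2i4 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o tun0 -j MASQUERADE
COMMIT
EOF
}

# Constructed misconfiguration: a direct LAN-to-LTE forward plus a matching
# masquerade, the kind of "temporary" rule that silently defeats the VPN.
leaky_ruleset() {
    sample_ruleset | awk '
        { print }
        /^-A FORWARD -i wlp1s0 -o tun0 -j ACCEPT$/ { print "-A FORWARD -i wlp1s0 -o wwp0s21f0u2i4 -j ACCEPT" }
        /^-A POSTROUTING -o tun0 -j MASQUERADE$/ { print "-A POSTROUTING -o wwp0s21f0u2i4 -j MASQUERADE" }'
}

# demo_ruleset_audit good|leaky
demo_ruleset_audit() {
    f=$(mktemp)
    if [ "$1" = "leaky" ]; then leaky_ruleset > "$f"; else sample_ruleset > "$f"; fi
    if ruleset_audit "$f" wlp1s0 wwp0s21f0u2i4 tun0; then rc=0; else rc=$?; fi
    rm -f "$f"
    return $rc
}

echo "== gist rules =="; demo_ruleset_audit good && echo "OK"
echo "== leaky rules =="; demo_ruleset_audit leaky || echo "rejected, as expected"
```

On the router, `ruleset_audit /etc/iptables.ipv4.nat wlp1s0 wwp0s21f0u2i4 tun0` checks the persisted file, and `iptables-save > /tmp/live.rules && ruleset_audit /tmp/live.rules wlp1s0 wwp0s21f0u2i4 tun0` checks what is actually loaded, which is the one that matters after a hand-edited rule.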

Persist rules

iptables-save > /etc/iptables.ipv4.nat

Restore the rules at startup by adding this line to the wlp1s0 block in /etc/network/interfaces.

up iptables-restore < /etc/iptables.ipv4.nat

Monitor traffic except for ssh sessions (i.e. ours).

tcpdump -n -i wwan0 port not 22

Alternative hostapd config for an Intel AC card (2.4GHz band)

interface=wlp2s0
hw_mode=g
channel=10
ieee80211d=1
country_code=US
ieee80211n=1
wmm_enabled=1

ssid=gir-vpn
auth_algs=1
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=ohfxcO45!