Connect your CHIP to your PC with a USB data cable, then log in:
```
$ ls /dev/tty.usb*
/dev/tty.usbmodem201413
$ screen /dev/tty.usbmodem201413
Debian GNU/Linux 8 chip ttyGS0
chip login: root
Password:
Last login: Thu Jan 1 00:01:46 UTC 1970 on ttyGS0
Linux chip 4.4.13-ntc-mlc #1 SMP Tue Dec 6 21:38:00 UTC 2016 armv7l
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
root@chip:~#
```

```
chip@chip:~$ uname -a
Linux chip 4.4.13-ntc-mlc #1 SMP Tue Dec 6 21:38:00 UTC 2016 armv7l GNU/Linux
```
If you need to update it, use the C.H.I.P. Flasher, then start over from the beginning.
Remember, the default username/password is chip/chip, and the root credentials are root/chip. Log in and change them immediately:
```
root@chip:~# passwd
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
root@chip:~# passwd chip
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
root@chip:~#
```
On my MacBook, the default $TERM setting was vt102, which caused garbled text when running nmtui later:
```
chip@chip:~$ echo $TERM
vt102
```
Set it to ANSI to prevent problems with the networking UI text later:
```
chip@chip:~$ echo "TERM=ansi" >> ~/.bashrc
chip@chip:~$ cat ~/.bashrc
TERM=ansi
chip@chip:~$ bash
chip@chip:~$ echo $TERM
ansi
```
Do this for root also:
```
chip@chip:~$ sudo sh -c "echo TERM=ansi >> /root/.bashrc"
chip@chip:~$ sudo cat /root/.bashrc
TERM=ansi
```
This upstanding human being said it pretty well, so I'm just going to copy it in:
> At this point you'll probably feel an urge to put on fingerless gloves and mutter "i'm in", but we have work to do here. First order of business is to connect to the internet. Type nmtui to open up network manager's curses based interface.
> ```
> ┌─┤ NetworkManager TUI ├──┐
> │                         │
> │ Please select an option │
> │                         │
> │ Edit a connection       │
> │ Activate a connection   │
> │ Set system hostname     │
> │                         │
> │ Quit                    │
> │                         │
> │                    <OK> │
> │                         │
> └─────────────────────────┘
> ```
> Pretty nifty eh? You can move your cursor around with the arrow keys and select with the enter key. Choose Activate a connection and then select your network from the list. You will then be prompted to enter the password. Exit out of nmtui and open it back up again, this time selecting edit a connection. You'll see lots of scary options, but the important ones are at the bottom. Scroll down the whole way using the arrow buttons.
> ```
> ┌───────────────────────────┤ Edit Connection ├───────────────────────────┐
> │ ↑│
> │ │ Mode <Client> ▒│
> │ │ ▒│
> │ │ Security <WPA & WPA2 Personal> ▒│
> │ │ Password *************___________________________ ▒│
> │ │ [ ] Show password ▒│
> │ │ ▒│
> │ │ BSSID ________________________________________ ▒│
> │ │ Cloned MAC address ________________________________________ ▒│
> │ │ MTU __________ (default) ▒│
> │ └ ▒│
> │ ▒│
> │ ═ IPv4 CONFIGURATION <Automatic> <Show> ▒│
> │ ═ IPv6 CONFIGURATION <Automatic> <Show> ▒│
> │ ▒│
> │ [X] Automatically connect ▒│
> │ [X] Available to all users ▒│
> │ ▒│
> │ <Cancel> <OK>▮│
> │ ↓│
> └─────────────────────────────────────────────────────────────────────────┘
> ```
> The important options are the ones that say [X] Automatically connect and [X] Available to all users. Make sure both are connected and you are done. The CHIP will automatically connect to the proper network and the password will be saved.

```
chip@chip:~$ sudo apt-get update && sudo apt-get install aptitude vim
chip@chip:~$ sudo aptitude safe-upgrade
```
This fine person said it best, but I'm going to copy the relevant part here for simplicity:
> Install dnsmasq:
>
> `sudo apt-get install dnsmasq`
>
> The file `/etc/default/dnsmasq` has the enable flag for running as daemon, if needed. Create a configure file to restrict DHCP injections on client network interface. With this wlan0 becomes a way to connect to a network, and wlan1 becomes CHIP's access point.
>
> `sudo nano /etc/dnsmasq.d/access_point.conf`
>
> add the lines
> ```
> #If you want dnsmasq to listen for DHCP and DNS requests only on
> #specified interfaces (and the loopback) give the name of the
> #interface (eg eth0) here.
> #Repeat the line for more than one interface.
> interface=wlan1
> #Or you can specify which interface not to listen on
> except-interface=wlan0
> ```
> we also want to set the range and time of leases:
> ```
> #Uncomment this to enable the integrated DHCP server, you need
> #to supply the range of addresses available for lease and optionally
> #a lease time. If you have more than one network, you will need to
> #repeat this for each network on which you want to supply DHCP
> #service.
> dhcp-range=172.20.0.100,172.20.0.250,1h
> ```
> Create a file to set up a static IP for the access point:
>
> `sudo nano /etc/network/interfaces`
>
> and have the contents like so:
> ```
> # interfaces(5) file used by ifup(8) and ifdown(8)
> # Include files from /etc/network/interfaces.d:
> source-directory /etc/network/interfaces.d
>
> auto wlan1
> iface wlan1 inet static
>     address 172.20.0.1
>     netmask 255.255.255.0
> ```
> Confirm that the static IP is assigned:
>
> `sudo ifup wlan1`
>
> `ip addr show wlan1`
>
> and you'll see the address listed
>
> `inet 172.20.0.1`
>
> now restart the DHCP server that dnsmasq provides
>
> `sudo /etc/init.d/dnsmasq restart`
>
> We have just tested the IP configuration portion.
> Now we can configure the WiFi access point on wlan1.
> Create a config file:
>
> `sudo nano /etc/hostapd.conf`
>
> and add the lines:
Now I'm going to interject here, because the [Adafruit Instructions for OnionPi here](https://learn.adafruit.com/onion-pi/install-tor) I think have a better access point configuration:
```
interface=wlan1
ssid=
hw_mode=g
channel=6
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_passphrase=
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
ctrl_interface=/var/run/hostapd
```
Now back to the other instructions:
> then we can start the access point with
>
> `sudo hostapd /etc/hostapd.conf`
>
> You'll see the network come up on another device, like your laptop or tablet or phone:
>
> `<Your SSID>`
>
> Now we would like to configure CHIP to create the access point automatically on boot.
> We can setup a systemd service to do our bidding. We give the service a unique name, so it doesn't conflict with the systemV stuff in init.d:
>
> `sudo nano /lib/systemd/system/hostapd-systemd.service`
>
> Fill the service file with these contents:
> ```
> [Unit]
> Description=hostapd service
> Wants=network-manager.service
> After=network-manager.service
> Wants=module-init-tools.service
> After=module-init-tools.service
> ConditionPathExists=/etc/hostapd.conf
>
> [Service]
> ExecStart=/usr/sbin/hostapd /etc/hostapd.conf
>
> [Install]
> WantedBy=multi-user.target
> ```
> Disable the existing systemV script for booting hostapd:
>
> `sudo update-rc.d hostapd disable`
>
> Now we can setup the systemd service with these commands:
> ```
> sudo systemctl daemon-reload
> sudo systemctl enable hostapd-systemd
> ```
> Reboot or test with these commands:
> ```
> sudo systemctl start hostapd-systemd
> systemctl status hostapd-systemd
> ```
> The access point and DHCP server should be accessible from other devices!
Install tor:
```
chip@chip:~$ sudo aptitude install tor
```
Now here's Adafruit again:
> Edit the tor config file by running
>
> `sudo nano /etc/tor/torrc`
>
> and copy and paste the text into the top of the file, right below the FAQ notice.
> ```
> Log notice file /var/log/tor/notices.log
> VirtualAddrNetwork 10.192.0.0/10
> AutomapHostsSuffixes .onion,.exit
> AutomapHostsOnResolve 1
> TransPort 9040
> TransListenAddress 172.20.0.1
> DNSPort 9053
> DNSListenAddress 172.20.0.1
> ```
...
> Next we'll create our log file (handy for debugging) with
> ```
> sudo touch /var/log/tor/notices.log
> sudo chown debian-tor /var/log/tor/notices.log
> sudo chmod 644 /var/log/tor/notices.log
> ```
> Check it with
>
> `ls -l /var/log/tor`
>
> Start the tor service manually
>
> `sudo service tor start`
>
> Check it's really running (you can run this whenever you're not sure, if something is wrong you'll see a big FAIL notice)
>
> `sudo service tor status`
>
> Finally, make it start on boot
>
> `sudo update-rc.d tor enable`
Life is easier if we use the iptables-persistent package:
```
chip@chip:~$ sudo aptitude install iptables-persistent
```
It will ask you about saving the current rules; select "no" for IPv4 and IPv6 (we'll do that later):
```
Package configuration

┌───────────────────┤ Configuring iptables-persistent ├───────────────────┐
│                                                                         │
│ Current iptables rules can be saved to the configuration file           │
│ /etc/iptables/rules.v4. These rules will then be loaded automatically   │
│ during system startup.                                                  │
│                                                                         │
│ Rules are only saved automatically during package installation. See the │
│ manual page of iptables-save(8) for instructions on keeping the rules   │
│ file up-to-date.                                                        │
│                                                                         │
│ Save current IPv4 rules?                                                │
│                                                                         │
│                     <Yes>                    <No>                       │
│                                                                         │
└─────────────────────────────────────────────────────────────────────────┘
```
Again, here's Adafruit (updated to use wlan1 instead of wlan0):

> Time to change our ip routing tables so that connections via the wifi interface (wlan0) will be routed through the tor software. Type the following to flush the old rules from the ip NAT table
> ```
> sudo iptables -F
> sudo iptables -t nat -F
> ```
> If you want to be able to ssh to your Pi after this, you'll need to add an exception for port 22 like this (not shown in the screenshot below)
>
> `sudo iptables -t nat -A PREROUTING -i wlan1 -p tcp --dport 22 -j REDIRECT --to-ports 22`
Note that at this stage, you might get an error:
`iptables: No chain/target/match by that name`
If you do, you need to install the nf_nat_redirect kernel module. Follow [these instructions](https://bbs.nextthing.co/t/ready-made-chip-image-with-nat-ip-table-support/11609/30), which unpack prebuilt third-party kernel modules into the module tree as root:
```
sudo bash
cd /lib/modules/4.4.13-ntc-mlc/kernel/net
wget https://dl.dropboxusercontent.com/u/48891705/chip/4.4.13-ntc-mlc/netfilter.tar
tar -xf netfilter.tar
rm netfilter.tar
depmod
```
>
> Type the following to route all DNS (UDP port 53) from interface wlan0 to internal port 53 (DNSPort in our torrc)
>
> `sudo iptables -t nat -A PREROUTING -i wlan1 -p udp --dport 53 -j REDIRECT --to-ports 9053`
>
> Type the following to route all TCP traffic from interface wlan0 to port 9040 (TransPort in our torrc)
>
> `sudo iptables -t nat -A PREROUTING -i wlan1 -p tcp --syn -j REDIRECT --to-ports 9040`
>
> Next you can check that the ip tables are right with
>
> `sudo iptables -t nat -L`
>
## 3.3 Save the rules so they will be installed at boot (from [AskUbuntu](http://askubuntu.com/questions/117155/do-i-need-to-restore-iptable-rules-everytime-on-boot)):
```
chip@chip:$ sudo sh -c "iptables-save > /etc/iptables/rules.v4"
chip@chip:$ sudo sh -c "ip6tables-save > /etc/iptables/rules.v6"
```
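
The saved rules only send client traffic into Tor if their ports are the ones `torrc` opens and their interface is the access point (wlan1 here, not Adafruit's wlan0). As an added example, not part of the original instructions, this script cross-checks the two files and also flags an SSH exception placed after the catch-all TCP rule; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): check that the saved NAT rules
# send access-point clients to the ports Tor listens on.
# Last value of a torrc option, with any "address:" prefix removed.
torrc_get() { awk -v k="$2" '$1 == k { v = $2; sub(/.*:/, "", v) } END { print v }' "$1"; }

# First nat PREROUTING REDIRECT rule in file $1 for interface $2, protocol $3,
# containing the fixed string $4. Prints "LINE PORT", or nothing if absent.
find_redirect() {
    awk -v ifc="$2" -v proto="$3" -v pat="$4" '
        /^\*/ { table = $1 }
        table == "*nat" && $2 == "PREROUTING" && /-j REDIRECT/ &&
        index($0, " -i " ifc " ") && index($0, " -p " proto " ") && index($0, pat) {
            for (i = 1; i < NF; i++) if ($i == "--to-ports") { print NR, $(i + 1); exit }
        }' "$1"
}

# check_tor_redirects TORRC RULES IFACE: prints each problem, returns the count.
check_tor_redirects() {
    torrc=$1 rules=$2 ifc=$3 bad=0
    trans=$(torrc_get "$torrc" TransPort) dns=$(torrc_get "$torrc" DNSPort)
    set -- $(find_redirect "$rules" "$ifc" tcp "--tcp-flags FIN,SYN,RST,ACK SYN"); tcp_line=$1 tcp_port=$2
    set -- $(find_redirect "$rules" "$ifc" udp "--dport 53 "); dns_port=$2
    set -- $(find_redirect "$rules" "$ifc" tcp "--dport 22 "); ssh_line=$1
    [ -n "$trans" ] && [ "$tcp_port" = "$trans" ] ||
        { echo "TCP redirect '$tcp_port' does not match TransPort '$trans'"; bad=$((bad + 1)); }
    [ -n "$dns" ] && [ "$dns_port" = "$dns" ] ||
        { echo "DNS redirect '$dns_port' does not match DNSPort '$dns'"; bad=$((bad + 1)); }
    # Rules match in order: an SSH exception after the catch-all is never reached.
    if [ -n "$ssh_line" ] && [ -n "$tcp_line" ] && [ "$ssh_line" -gt "$tcp_line" ]; then
        echo "SSH exception comes after the catch-all TCP redirect"; bad=$((bad + 1))
    fi
    return "$bad"
}

# Constructed sample files mirroring this page's torrc and iptables commands.
demo() {
    d=$(mktemp -d); status=0; printf 'TransPort 9040\nDNSPort 9053\n' > "$d/torrc"
    cat > "$d/rules.v4" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i wlan1 -p tcp -m tcp --dport 22 -j REDIRECT --to-ports 22
-A PREROUTING -i wlan1 -p udp -m udp --dport 53 -j REDIRECT --to-ports 9053
-A PREROUTING -i wlan1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
COMMIT
EOF
    check_tor_redirects "$d/torrc" "$d/rules.v4" "${1:-wlan1}" || status=$?
    rm -rf "$d"; return "$status"
}
demo wlan1 && echo "NAT redirects match torrc"
```

On the CHIP itself, run `check_tor_redirects /etc/tor/torrc /etc/iptables/rules.v4 wlan1` after saving the rules; passing `wlan0` instead shows what a rule set left on the wrong interface looks like.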
# 4 Testing
# References
* https://bbs.nextthing.co/t/setting-up-chip-as-a-headless-server-with-minimal-tools/1505
* https://slack-files.com/T02GVC9G6-F0H7G3WCT-25e7dfb781
* https://bbs.nextthing.co/t/ready-made-chip-image-with-nat-ip-table-support/11609/30
* http://askubuntu.com/questions/117155/do-i-need-to-restore-iptable-rules-everytime-on-boot