BadVPN – Blame information for rev 1
Rev 1, author: office

NCD Router Example

-- Operation --

These are the NCD scripts I run on my home router.
Three network interfaces are being configured:

1. The LAN interface.
The DHCP server is started for this interface, and also a DNS server (unbound).
2. The Internet interface.
This is a PPPoE interface with NAT.
3. The ServerIf interface.
This one behaves similarly to the LAN interface, except that there is no DHCP server.
The intention is to put servers here so you can restrict communication not only between the Internet and the servers,
but also between the LAN and the servers (though this configuration doesn't actually do the latter).

Hosts on the LAN and ServerIf interfaces can access the Internet, and source NAT is used here.
Additionally, it is possible to add port forwardings (DNAT) from the Internet interface to either
of those two interfaces. These can be managed with the scripts {list,add,remove}-port-forwarding.
The list of port forwardings is stored in the file /var/lib/ncd-port-forwardings.ncdvalue.
However, you should NOT modify this file while NCD is running. You should not modify it at all, because
NCD may accidentally overwrite your changes. Just use the scripts.

Iptables is used to filter incoming connections from the Internet interface.
Exceptions can be added; for example, there's a commented line in template network_internet_pppoe_preup which allows access to the local SSH server.
To allow access to servers running on other hosts (LAN or ServerIf interface), a port forwarding should be added dynamically.
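
The filter and NAT model described above, written out as an added plain-shell example; this is not the NCD scripts themselves, which build the equivalent rules at runtime. The interface names ppp0/eth1/eth2 and the port-forwarding entries are assumptions, and the rules are only printed so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example: the iptables rule set described above, as plain shell.
# Interface names are assumptions; NCD resolves the real ones at runtime.
INET_IF="${INET_IF:-ppp0}"   # PPPoE Internet interface (assumed name)
LAN_IF="${LAN_IF:-eth1}"     # LAN interface (assumed name)
SRV_IF="${SRV_IF:-eth2}"     # ServerIf interface (assumed name)
ALLOW_SSH="${ALLOW_SSH:-0}"  # the optional "local SSH from the Internet" exception

# Constructed stand-in for the port-forwarding list (the real .ncdvalue
# file format is not shown here): one "proto port destination" per line.
PORT_FORWARDINGS="tcp 8080 192.168.2.10
udp 5353 192.168.1.20"

# Accept rules: replies to outbound traffic, plus LAN/ServerIf -> Internet.
accept_rules() {
  echo "iptables -A INPUT -i $INET_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  if [ "$ALLOW_SSH" = 1 ]; then
    echo "iptables -A INPUT -i $INET_IF -p tcp --dport 22 -j ACCEPT"
  fi
  echo "iptables -A FORWARD -i $INET_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  echo "iptables -A FORWARD -i $LAN_IF -o $INET_IF -j ACCEPT"
  echo "iptables -A FORWARD -i $SRV_IF -o $INET_IF -j ACCEPT"
}

# NAT rules: masquerade everything leaving the Internet interface, then one
# DNAT plus a matching FORWARD accept per port forwarding. The FORWARD accept
# is needed because a DNATed connection is still NEW when it is forwarded.
nat_rules() {
  echo "iptables -t nat -A POSTROUTING -o $INET_IF -j MASQUERADE"
  printf '%s\n' "$PORT_FORWARDINGS" | while read -r proto port dest; do
    [ -n "$dest" ] || continue
    echo "iptables -t nat -A PREROUTING -i $INET_IF -p $proto --dport $port -j DNAT --to-destination $dest"
    echo "iptables -A FORWARD -i $INET_IF -p $proto -d $dest --dport $port -j ACCEPT"
  done
}

# Default deny for everything else arriving from the Internet interface.
drop_rules() {
  echo "iptables -A INPUT -i $INET_IF -j DROP"
  echo "iptables -A FORWARD -i $INET_IF -j DROP"
}

# Order matters: accepts and DNAT forwards must precede the final drops.
all_rules() {
  accept_rules
  nat_rules
  drop_rules
}

all_rules   # review the output, then apply it with: sh this_script.sh | sh
```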

-- Installation --

The following pppd patch is required for PPPoE to work:
https://code.google.com/p/ambro-gentoo-overlay/source/browse/trunk/net-dialup/ppp/files/pppd-configurable-paths.patch

Copy ncd.conf to /etc/, and copy all other files here into a new directory /etc/ncd-network.
Explanation: ncd.conf just loads network.ncdi, which is where the bulk of the configuration is defined.
Make the {list,add,remove}-port-forwarding scripts executable. Additionally, if your NCD interpreter is not located at /usr/bin/badvpn-ncd,
adjust the interpreter paths inside them.