Wireguard Roadwarrior setup using Ubuntu Server 18.04, Pi-hole and Google Wifi (with some double NAT)
WireGuard has had a lot of press because of its addition to the Linux kernel. With this in mind I looked to set up a road-warrior configuration.
This is an article I’ve put together on building an open-source home network stack from various technologies that are free to use, though all of them also offer paid subscriptions.
This is NOT a how-to document; it is a high-level view of some great software you might not be aware of.
The basic idea was to bring you some alternatives to the well-known mainstream tech brands.
Before I start with this list of software, what am I running it on? An HP ProLiant Gen8 with 4 x 3TB stock WD Red disks and 16GB of RAM.
This same box runs ESXi 6.x and XenServer 6; however, I’ve had issues running Hyper-V on it.
I also have a couple of small-footprint PCs (Chinese NUC-like things), each with a local 256GB SSD and 8GB of RAM.
So let’s start at the bottom of the stack: the core OS I want to run on the HP. It’s possible to run an OS like Linux or Windows directly on it, but with 12TB of storage and 16GB of RAM I’m looking to run virtual machines on this hardware.
The landscape of “free” virtualization platforms has been pretty wide for a while: VMware provides ESXi, Microsoft provides Hyper-V Server and Citrix provides XenServer, and all three are great options. I recently found a fourth alternative.
Proxmox VE is, from its own website:
Proxmox VE is a complete open-source platform for all-inclusive enterprise virtualization that tightly integrates KVM hypervisor and LXC containers, software-defined storage and networking functionality on a single platform, and easily manages high availability clusters and disaster recovery tools with the built-in web management interface.
The enterprise-class features and the 100% software-based focus make Proxmox VE the perfect choice to virtualize your IT infrastructure, optimize existing resources, and increase efficiencies with minimal expense. You can easily virtualize even the most demanding Linux and Windows application workloads, and dynamically scale-out your computing and storage as your needs grow ensuring to stay adaptable for future growth of your data center.
So what does this actually mean?
Well, it’s an installable ISO image based on Debian Linux. For a start this means it works on a large number of lower-end platforms that Hyper-V, ESXi and XenServer might not be “approved” to run on (hardware compatibility lists).
Out of the box it’s all web managed, and it lets you create Windows or Linux virtual machines using KVM.
(KVM is a kernel module merged into the mainline Linux kernel and runs with near-native performance on x86 hardware with virtualization support, either Intel VT-x or AMD-V.)
It also supports LXC containers. Containers are a lightweight alternative to fully virtualized VMs: instead of emulating a complete operating system (OS), containers share the kernel of the host they run on, which also means a kernel bug is a shared bug, so keep the host patched.
You may have heard of Docker; LXC is essentially the same idea and has been around a bit longer. The difference is that an LXC container behaves like a whole system (its own init and services), whereas a Docker container normally packages a single application.
This is all native in Proxmox out of the box. If you run a cluster of Proxmox servers with shared storage and one server falls over, virtual machines marked as HA resources are restarted on another node. One caveat: fail-over depends on the cluster keeping quorum, so a two-node cluster should be given a third vote (Proxmox supports a small external QDevice for this) rather than relying on two nodes alone.
These are all features found on the other three platforms, but here they are provided on open platforms.
This means the underlying code is open, your data isn’t locked in, and the platform is funded by a subscription model. The subscription gives you the enterprise repository (more conservatively tested updates) and ticket support; the free install uses the no-subscription repository, which actually receives packages earlier but with less testing, and support comes from the forum (and Google). I have to say the (free) documentation is very well written.
Setting up the disk space on Proxmox did, I’ll confess, involve dropping to a command line and setting up an LVM volume group containing all my disks; however, once that was done and added to Proxmox as storage (and it is explained well in the documentation if you’re able to follow instructions), everything else is wizard-driven from the web interface.
Viewing the console of the virtual machines is done through the web interface too. Not needing a Windows client to manage this system was something that really pushed me towards it.
This also leads very nicely to the Android app Aprox, which provides the web interface’s functions in a handy app and, when coupled with the VPN (see below), gives me complete management access to the virtual infrastructure on the move. The VPN is the important part: the Proxmox web interface and API should only be reachable from the LAN or over the VPN, never published directly to the internet.
Having installed the core virtualization OS, I wanted to provide a storage server; I use NFS exports from it mounted on Plex and other servers. Historically I’ve used FreeNAS, which I have to say is a bulletproof NAS system. However the point of this was to find alternatives, and that’s how I found
(I am aware I could actually do this natively within Proxmox; there are other reasons for using Rockstor, as you’ll see.)
Rockstor is a NAS server at its core, but it’s so much more than that.
It uses BTRFS, which, while not new to Linux and embraced by companies like Facebook, can be an absolute pig to set up right, so an operating system that does all the heavy lifting for you and just gives you a web interface to set up your storage is welcome. The setup is quick and easy. (One caveat: stick to the RAID 1 or RAID 10 profiles for data; BTRFS’s RAID 5/6 code has long-standing known problems.)
If you want a good read as to why BTRFS is a good thing, head over here: https://www.virtualtothecore.com/en/2016-btrfs-really-next-filesystem/
However, setting Rockstor up as a NAS doesn’t even scratch the surface of how this OS can make life easier for you.
Have you heard of Docker? Small containers that share the kernel of the host OS and run services in their own bubble. In the world of Rockstor, Docker containers are packaged as Rock-Ons.
Enable Rock-Ons via the Rockstor web interface and you open up a catalogue of Docker images for things like Plex, ownCloud, Dropbox, VoIP services (full list here) and a myriad of other services that essentially just need to be turned on and told where to store their data; within a minute or so you have a fully functioning media server, VPN or backup server.
As well as this feature letting you easily use Docker, if you host multiple Rockstor servers you can replicate data between them, redirect logs, apply SSL certificates and use many other features you’d expect from a NAS device.
So you’d like the ease of Windows Active Directory: the user management, the file shares, users automatically getting an Exchange-like, Outlook-compatible mailbox with a fully featured web interface.
Thankfully you don’t need a Windows Server to do this, and you also don’t need to wrestle with LDAP and command-line-managed mail systems for it.
Linux has a whole host of SME business servers covering many different choices and needs. However, if the above are your requirements, I’d suggest looking at
Zentyal 5.0.x: http://zentyal.com/
Head over to the link above and you’ll soon be asking “Huh, I can only get a demo and I need to pay for this; what is this guy talking about?” However, head here..
and you can download the fully functional, fully patched Development Edition (supported by the community rather than commercially).
Like the previous software listed here, Zentyal can be installed as an OS within Proxmox and, once installed, is totally web managed.
During the post-install setup, clicking on the Domain Controller (Active Directory) and Mail options will tick both of those boxes.
Once installed Zentyal will provide you with
With email it will also provide you with
Zentyal is an infrastructure server, so as well as the above it can act as a DNS or DHCP server and provide you with an easily manageable certificate authority.
So with our storage set up and our infrastructure working, let’s start thinking a little bigger. What else can we manage on our system?
While you obviously have a box connecting you to the internet, it doesn’t harm any network to have a second, internal router. Other than providing another layer of security (your LAN is segmented from whatever the ISP’s box exposes, so a compromise of that box doesn’t land directly on your servers), you can use it to better effect than the hardware router.
There is nothing better at acting as an internal router than
Based on FreeBSD, and following the trend so far, this rock-solid distro keeps you as far from the BSD command line as it can post-install, with its web-based setup.
I love pfSense for one simple reason: no matter how many Googled articles you follow about setting up Linux as a router, none of them seem to work properly. Out of the box, with no fiddling with kernel values or lengthy setup, you can take a machine with two (or more) network cards running this OS, put one on each network, and bingo, you’ve got a working router in seconds.
The firewall (pf) also makes more visual sense to me: rules are evaluated top to bottom on each interface, the first match wins, and if no rule matches the packet is blocked. Done.
pfSense also provides many other functions; like Zentyal it can act as a DNS or DHCP server, and you can run it as a VPN or logging server. However it’s designed as a router/firewall and does a great, simple, effective job of just that.
Sure, spend a fortune on a Cisco ASA; for the life of me I will never understand why, outside of a 500+ seat enterprise, anyone would spend so much money on a Cisco device.
OpenVPN is the simplest, easiest, most cost-effective method of providing either a site-to-site VPN or a way of connecting from the outside back into your network.
Coupled with client certificates and/or two-factor authentication it’s just as secure as any Cisco. I’d go so far as to argue it’s more secure, as most small businesses will install the Cisco, get it working, and then leave it unpatched for years because every sysadmin has had a Cisco bricked by a dodgy patch.
With OpenVPN you’re updating the core OS, a tried and tested thing which, with the obvious security tweaks (a revocation list for lost client certificates, modern ciphers only, and an authenticated control channel so the port isn’t scannable), can be locked down just as well.
Setting up OpenVPN is well documented
And if heading down the command line isn’t your thing, Rockstor (above) has a Docker Rock-On for OpenVPN Access Server, which provides a web GUI to manage OpenVPN with. Note that Access Server is OpenVPN Inc.’s commercial product rather than the open-source community edition; it is free only for a small number of concurrent connections.
Once installed, OpenVPN clients exist for every platform known to man or beast.
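The “obvious security tweaks” above are easy to forget when a server.conf has been copy-pasted from an old tutorial, so here is a small audit script that checks a config for the directives that matter (authenticated control channel, minimum TLS version, modern cipher and HMAC, no compression, no shared certificates, revocation checking, privilege drop and a password/2FA hook) and shows a weak config beside its hardened form. This is an added example written for this article, not code from the page, its author or the OpenVPN project; the certificate file names in the sample configs and the PAM plugin path are assumptions and vary by distribution.

```sh
#!/bin/sh
# Audit an OpenVPN server.conf for the hardening discussed above.
# Added example for this article: not code from the page, the author, or the
# OpenVPN project. File paths in the sample configs and the PAM plugin path
# are assumptions and vary by distribution.

# conf_has FILE REGEX : true if an active (non-comment) line starts with REGEX
conf_has() {
    grep -Eiq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# finding MESSAGE : report one issue and count it (n is set by the caller)
finding() { echo "$1"; n=$((n + 1)); }

# audit_openvpn_conf FILE : print one line per finding; exit 1 if there are any
audit_openvpn_conf() {
    f="$1"; n=0
    if ! conf_has "$f" 'tls-crypt' && ! conf_has "$f" 'tls-auth'; then
        finding "MISSING tls-crypt/tls-auth: control channel unauthenticated, port probeable"; fi
    if ! conf_has "$f" 'tls-version-min[[:space:]]+1\.[23]'; then
        finding "MISSING tls-version-min 1.2: legacy TLS versions accepted"; fi
    if conf_has "$f" 'cipher[[:space:]]+BF-CBC'; then
        finding "WEAK cipher BF-CBC: 64-bit block cipher (SWEET32), use AES-256-GCM"; fi
    if conf_has "$f" 'auth[[:space:]]+(MD5|SHA1)'; then
        finding "WEAK auth MD5/SHA1: use SHA256 or stronger for the HMAC"; fi
    if conf_has "$f" '(comp-lzo|compress)'; then
        finding "RISK compression enabled: exposes tunnelled HTTP to VORACLE-style attacks"; fi
    if conf_has "$f" 'duplicate-cn'; then
        finding "RISK duplicate-cn: one certificate shared by many clients; issue one per user"; fi
    if ! conf_has "$f" 'remote-cert-tls[[:space:]]+client'; then
        finding "MISSING remote-cert-tls client: a leaked server cert could be used as a client"; fi
    if ! conf_has "$f" 'crl-verify'; then
        finding "MISSING crl-verify: revoked client certificates still get in"; fi
    if ! conf_has "$f" 'user' || ! conf_has "$f" 'group'; then
        finding "MISSING user/group: daemon keeps root after the tunnel is up"; fi
    if ! conf_has "$f" 'auth-user-pass-verify' && ! conf_has "$f" 'plugin[[:space:]]+.*auth-pam.*'; then
        finding "INFO no password/2FA hook: a stolen client certificate alone is enough to connect"; fi
    [ "$n" -eq 0 ]
}

# write_weak_conf FILE : a constructed "works but weak" config, like many
# copy-pasted 2.3-era samples
write_weak_conf() {
    cat > "$1" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
cipher BF-CBC
auth SHA1
comp-lzo
duplicate-cn
EOF
}

# write_hardened_conf FILE : the same server with the fixes applied
write_hardened_conf() {
    cat > "$1" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh none
ecdh-curve secp384r1
server 10.8.0.0 255.255.255.0
tls-crypt ta.key
tls-version-min 1.2
cipher AES-256-GCM
auth SHA256
remote-cert-tls client
crl-verify crl.pem
plugin /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
user nobody
group nogroup
EOF
}

# Demo: audit both constructed configs (the weak one reports ten findings)
demo_dir=$(mktemp -d)
write_weak_conf "$demo_dir/weak.conf"
write_hardened_conf "$demo_dir/hardened.conf"
for conf in "$demo_dir/weak.conf" "$demo_dir/hardened.conf"; do
    echo "== $conf"
    audit_openvpn_conf "$conf" || echo "-> $conf needs attention"
done
rm -rf "$demo_dir"
```

Run it against your own /etc/openvpn/server.conf before you open the port. The checks are plain regex matches on directives, so a config that pulls settings in from included files will produce false MISSING results; the point is the list of what to look for, not the parser.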
When I’m writing about security here, I’m looking mainly at two-factor authentication (2FA), and I covered SaasPass as an alternative to Duo here.
I should note that while SaasPass is free, it’s not open source.
Solid open-source alternatives are
Security Onion: https://securityonion.net/
However, if you want to go that “extra mile” you could run Security Onion as a server on your network plus a sensor, which in our example would sit between your hardware router and the pfSense box. The sensor can be a virtual machine; it just needs two network interfaces.
One interface (the management interface) sits on the same LAN as the Security Onion server and is used to pass data back to the server.
The other interface sits on the network between your hardware router and pfSense and just listens to everything sent between the two. It needs no IP address, runs in promiscuous mode, and is fed by a span port, a tap or a hub on that link; if the sensor is a VM, the hypervisor’s virtual switch or bridge port must be allowed to run promiscuously or the sensor will see only its own traffic.
All of this is sent back to the main Security Onion server, which provides web interfaces to monitor that data. Malware, bad actors and other nastiness will be flagged up, and you can be notified of them.
Security Onion has various levels of interface for feeding that data back, from Snorby’s high-level alert view to ELSA, which provides in-depth log and packet information on what’s going in and out of your network.
As well as knowing what is going on in your system in real time, knowing what has happened in the past is equally important.
Everything on this list not only writes a log file, it also provides the ability to send those logs to another server, a syslog server, unsurprisingly :-)
There are plenty of options for syslog servers, from building a fully fledged ELK stack to the, again web-driven, Graylog server.
Graylog can be run using Docker; however, I’ve had better luck installing it on its own server. The site’s own documentation is quick, easy, copy-and-paste-level instructions.
Graylog provides a great interface that you can use to search across all your logs for specific events and create notifications based on those searches. As an example: “if there are any successful or unsuccessful logins on server x, y or z between 10pm and 6am, notify me.”
Knowing that history can help hugely in tracing patterns and troubleshooting issues in general.
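To make the “logins between 10pm and 6am on servers x, y or z” alert concrete, here is the same logic run over a handful of syslog-format sshd lines so you can see exactly which events it catches, including failed attempts against invalid usernames and a window that wraps past midnight. This is an added example written for this article, not Graylog code or anything from the original page; the log lines are constructed and the host names (web01, db01, nas01) are invented.

```sh
#!/bin/sh
# Night-time login detector over syslog-format sshd lines, mirroring the
# Graylog alert in the text ("logins on x, y or z between 10pm and 6am").
# Added example for this article, not Graylog code; the log lines below are
# constructed and the host names are invented.

# sample_log : constructed sshd/cron syslog lines
sample_log() {
    cat <<'EOF'
Mar 12 23:14:02 web01 sshd[2231]: Accepted publickey for deploy from 10.0.0.5 port 51234 ssh2: ED25519 SHA256:abc
Mar 12 23:14:40 web01 sshd[2240]: Failed password for invalid user admin from 203.0.113.9 port 4452 ssh2
Mar 13 02:05:11 db01 sshd[911]: Accepted password for root from 10.0.0.7 port 40022 ssh2
Mar 13 09:30:00 web01 sshd[3003]: Accepted publickey for alice from 10.0.0.8 port 50001 ssh2
Mar 13 03:17:45 nas01 sshd[77]: Failed password for bob from 10.0.0.9 port 40000 ssh2
Mar 13 23:59:59 db01 cron[100]: (root) CMD (run-parts /etc/cron.hourly)
EOF
}

# night_logins HOSTS START END : read syslog lines on stdin and print
#   "<timestamp> <host> <accepted|failed> <user> <source ip>" for every sshd
#   login attempt on one of the comma-separated HOSTS whose time of day lies
#   in [START, END). A window with START > END (22:00 06:00) wraps midnight.
night_logins() {
    awk -v hosts="$1" -v start="$2" -v end="$3" '
    BEGIN { n = split(hosts, h, ","); for (i = 1; i <= n; i++) watch[h[i]] = 1 }
    # syslog layout: $1-$3 timestamp, $4 host, $5 "prog[pid]:", $6.. message
    $5 ~ /^sshd\[/ && ($6 == "Accepted" || $6 == "Failed") && ($4 in watch) {
        hhmm = substr($3, 1, 5)       # "23:14"; HH:MM compares correctly as a string
        if (start > end) inside = (hhmm >= start || hhmm < end)
        else             inside = (hhmm >= start && hhmm < end)
        if (!inside) next
        user = "?"; src = "?"
        for (i = 7; i <= NF; i++) {
            # "for NAME from IP" or, on failures, "for invalid user NAME from IP"
            if ($i == "for") { user = $(i + 1); if (user == "invalid") user = $(i + 3) }
            if ($i == "from") src = $(i + 1)
        }
        printf "%s %s %s %s %s %s %s\n", $1, $2, $3, $4, tolower($6), user, src
    }'
}

# Demo: the 22:00-06:00 window on the two servers we care about
sample_log | night_logins "web01,db01" "22:00" "06:00"
```

In Graylog itself this becomes a saved search on the source host and the message text with an alert condition over the time window; running the logic locally first shows you precisely which lines would page you, and the “invalid user” branch is the one that naive patterns usually miss.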
Docker Hub: https://hub.docker.com/
Mentioned a few times here; there’s no argument that Docker is a great tool for creating consistent, low-resource, highly available infrastructure. Learning Docker itself has a curve, as you’d expect; however that shouldn’t stop you using it.
Rockstor comes with its Rock-Ons, but Docker Hub has thousands of projects that can be run on a Docker host. Treat the hub like any other software source: prefer official or verified-publisher images, pin a specific tag rather than latest, and read the Dockerfile before you run something as root on your storage box.
Setting up Docker on most of today’s main Linux OSes is as simple as it gets and well documented. I prefer CentOS on servers, but it’s available on all the major platforms. Running Docker on Windows is also supported and improving all the time with Microsoft’s input and commitment to the platform.
As we are looking to manage things as easily as we can, and the command line may not be your thing, Docker has a couple of good web management tools.
While I prefer Portainer in my environment, Rancher is also worth a look and something I’m experimenting with. At the moment I’d describe it as Portainer with all the bells and whistles exposed.
Portainer runs as a Docker container and provides a web interface to manage your Docker containers.
It provides support for images, containers, pushing to Docker Hub, Docker Swarm and event logging. You can use it to open a console inside your containers and view a container’s logs, etc. Because it does this through the Docker socket mounted into the Portainer container, anyone who can log in to Portainer effectively has root on the host, so keep it on the management LAN behind the VPN, not on an internet-facing port.
Very useful, quick Docker management.
I could do a whole article on this section on its own. As a system administrator at heart, these are some essential management tools I use daily to make the infrastructure I manage easier to use.
Think TeamViewer without that constant nag screen. ConnectWise is a remote connection tool. The free version provides 3 agents and 1 user, which can be handy if you need to get onto a PC at home or in an office.
Supported natively on Windows, macOS and Linux (deb/rpm/gz); it’s a simple agent install, then log in to your account and you’re away, able to view files on the remote PC and transfer files back and forth.
One very neat feature is being able to run command-line scripts on the remote platform, so bash, PowerShell etc., without opening a remote session. That is also a reminder that the account protecting this service is an admin credential for every machine enrolled, so give it a strong password and 2FA.
I covered why I prefer this service to TeamViewer here
and I will be subscribing to the service.
The number of times I’ve turned up to a new role, asked what IP address ranges are used and where, and got either a spreadsheet no one updates or a blank stare astounds me.
IP address management, knowing which device has which IP address assigned and whether it is still up, is essential. Even in a small business, depending on how your subnets are laid out, you can quickly run out of IP addresses once IoT or VDI technologies arrive in house.
This becomes especially true as a business scales: knowing the static and DHCP ranges, whether devices have been shut down, and whether machines suddenly appear with IPs on your Wi-Fi at 2am.
All this can be managed centrally from here (using your Zentyal AD login) and reported on when needed.
“Is service X up?”
A common road-warrior question. Keeping the external, and even the internal, user base up to speed when you’re having an issue with a server or service is important and can reduce frustration and support tickets.
This is the purpose of Cachet. It’s a status portal, usually hosted off site on an AWS or DigitalOcean machine so that it stays reachable when your own network is the thing that’s down, which users can check for the status of services and be updated through.
Making this the first port of call can seriously keep people happier.
All of this software is Linux-based (except pfSense, which is FreeBSD-based), and while learning the Linux command line is not essential for most of it, at some point you’re going to need to do something on the underlying OS.
If your exposure to Linux is minimal, then Webmin is the tool for you. Running on all the major Linux distros via deb or rpm files or from their repos, Webmin is a web GUI for Linux.
The interface is standard across platforms and adapts to the different config locations.
Essentially, if you need to do it from the command line, it can be done via Webmin: disk management, network setup, OpenVPN configuration, it’s all there. Remember that Webmin runs as root to do this, so bind it to the management network or localhost and keep it patched like any other admin interface.
Hardcore Linux admins will mock and tell you to learn the OS. The simple fact is you can; however, why not provide an easy-to-use platform for new users?
While we have covered phpIPAM for tracking live IP addresses, monitoring the services running on servers is also essential, and Pandora FMS does this. The free version will more than cover multiple devices and provides a simple green/yellow/red traffic-light system to tell you when things are going wrong on your network.
Setting up agents on all major operating systems to talk back to Pandora FMS is easy, and once they’re communicating you can set up notifications to email or, as I do, to a Slack channel.
Pandora FMS can be set up to restart essential services on servers if they fail and let you know why they failed. It tracks CPU, disk and RAM usage and does so in a clear interface.
Keeping track of passwords that are different for every administrator and login everywhere is difficult. KeePass might suffice for a team of two; however, a shared database file on a network drive will at some point get corrupted by conflicting edits. LastPass is great; however it’s cloud-based and you might not want this information in the cloud.
Passbolt steps right in as a self-hosted, well-tested, actively developed password manager.
Usable on desktop or phone, with 2FA support and secrets encrypted client-side with OpenPGP, this is where you need to be storing your passwords. Not in a spreadsheet… or notepad files on your PC.
So what we have here is a list of well-tested, working, cheap software, with subscription plans should you need them. They cover a great range of areas for a home network or small business and show that you can provide a solid, stable environment without needing Windows Servers should you wish.
None of the data is locked in, and all of it can be moved to other platforms, so you can scale if you need to.
I’m happy to provide more information, answer questions and provide more details; just contact me.