octavia
Octavia est mon routeur maison. J'ai écrit mon tout premier article pour LWN à son sujet, voir 2016-11-15-omnia.
Il porte le nom de l'auteure de science-fiction Octavia E. Butler, "an African-American science-fiction writer" known for her "critique of present day hierarchies, the remaking of the human, the creation of alternative communities, and afro-futurism". The New York times described her novels as "evocative" and "often troubling" explorations of "far-reaching issues of race, sex, power".
The destiny of Earthseed is to take root among the stars.
-- Octavia Butler
Configuration of the Omnia router
Basic configuration
Features enabled in the basic config:
- auto-updates
- email notifications, setup from devnull@omnia.anarc.at, with SSMTP on port 465 straight to marcos, no password
Features disabled:
- wondershaper (wshaper package uninstalled) - it is apparently horrible for bufferbloat and we have plenty of bandwidth
UCI configuration:
- setup some internal static IPs
- setup DNS forwards for marcos
- firewall configuration (block everything but port forwards to marcos)
- change wifi frequency to Canada
Services retired:
- bitcoin (8333)
- retroshare (8359)
- TAHOE (3457)
- workrave (27273)
- xmpp (5222, 5269)
- irklab (8080)
- IPv6 firewall - disabled for now
- tinc and babel mesh
- munin node
Installed bash, screen and tcpdump:
opkg update
opkg install bash screen tcpdump
Interesting guide? http://www.jauu.net/2015/03/03/complete-openwrt-guide/
Had to hack the resolver to fix internal name resolution, see:
https://forum.turris.cz/t/knot-resolver-configuration-improvement-in-omnia/934/4
-- forward requests to marcos for internal hostnames
policy:add(policy.suffix(policy.FORWARD('192.168.0.3'), {todname('anarc.at')}))
policy:add(policy.suffix(policy.FORWARD('192.168.0.3'), {todname('anarcat.ath.cx')}))
policy:add(policy.suffix(policy.FORWARD('192.168.0.3'), {todname('orangeseeds.org')}))
policy:add(policy.suffix(policy.FORWARD('192.168.0.3'), {todname('168.192.in-addr.arpa')}))
policy:add(policy.suffix(policy.FORWARD('192.168.0.3'), {todname('16.172.in-addr.arpa')}))
policy:add(policy.suffix(policy.FORWARD('192.168.0.3'), {todname('9.0.0.0.1.0.0.0.8.2.9.1.1.0.0.2.ip6.arpa')}))
policy:add(policy.suffix(policy.FORWARD('192.168.0.3'), {todname('a.0.d.4.b.e.1.9.0.c.2.f.7.0.6.2.ip6.arpa')}))
policy:add(policy.suffix(policy.FORWARD('192.168.0.3'), {todname('0.0.f.8.f.0.0.f.0.c.2.f.7.0.6.2.ip6.arpa')}))
Traffic shaper
created /etc/updater/hook_postupdate/03_remove_wshaper.sh
with this:
#!/bin/sh
opkg remove "luci-i18n-wshaper-cs"
opkg remove "luci-i18n-wshaper-en"
opkg remove "luci-app-wshaper"
opkg remove "wshaper"
so turris doesn't install it again, then installed sqm:
opkg install luci-app-sqm
and followed: https://wiki.openwrt.org/doc/howto/sqm
before: http://www.dslreports.com/speedtest/6435557 after: http://www.dslreports.com/speedtest/6435680
lost 2mbps down, but fixed bufferbloat issue...
some tweaking may restore the 2mbps.
see also: https://forum.turris.cz/t/wondershaper-srsly-qos-aqm/1095
consider flent for network tests: https://forum.turris.cz/t/wondershaper-srsly-qos-aqm/1095
e.g. flent rrul netperf.bufferbloat.net
Deployment procedure
- change LAN IP
- change WAN connection to
PPPoE
Tests to run
Web, on another host:
curl https://anarc.at/
If no shell access, try Webbloatscore since it produces a screenshot.
DNS: local network should resolve locally, outside should show CNAMEs
$ host shell.anarc.at shell.anarc.at is an alias for marcos.anarc.at. marcos.anarc.at has address 206.248.172.91
SSH: test if we can reach the inside server from the outside of the network (and not the router)
$ nc -v shell.anarc.at 22 Connection to shell.anarc.at 22 port [tcp/ssh] succeeded! SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u3
Other ports are assumed to be correctly configured unless otherwise noticed during later use.
Changes from usual OpenWRT configurations
There is a real syslog with persistent logfiles, in /var/log
, so
forget about logread
.
Same with SSH, it's openssh
, so /root/.ssh/authorized_keys
-
because /etc/dropbear/authorized_keys
was weird anyways.