# Linux-router

Set up Linux as a router in one command. It can provide Internet access or create a WiFi hotspot, supports transparent proxying (redsocks), and is also useful for routing VMs/containers.

It wraps `iptables`, `dnsmasq` and related tools. Set up in one command, restore in one command or with `control-c` (or even by closing the terminal window).

[Linux-Router News & Developer Notes 📰](https://github.com/garywill/linux-router/issues/28) | [More tools and projects 🛠️](https://garywill.github.io) | [🍻 Buy me a coffee ❤️](https://github.com/garywill/receiving/blob/master/receiving_methods.md)

## Features
Basic features:
- Create a NATed sub-network
- Provide Internet
- DHCP server (and RA)
- Specify what DNS the DHCP server assigns to clients
- DNS server
- Specify upstream DNS (kind of a plain DNS proxy)
- IPv6 (behind NATed LAN, like IPv4)
- Creating a WiFi hotspot:
    - Channel selecting
    - Choose encryption: WPA2/WPA, WPA2, WPA, no encryption
    - Create the AP on the same interface you are getting Internet from (usually requires the same channel)
- Transparent proxy (redsocks)
- Transparent DNS proxy (hijacks port 53 packets)
- Detect NetworkManager and make sure it won't interfere (handles the interface's (un)managed status)
- You can run many instances to create many different networks. Has an instance-managing feature.
**For many other features, see below [CLI usage](#cli-usage-and-other-features)**
### Useful in these situations
```
Internet----(eth0/wlan0)-Linux-(wlanX)AP
                                  |--client
                                  |--client
```
```
                               Internet
WiFi AP(no DHCP)                      |
   |----(wlan1)-Linux-(eth0/wlan0)------
   |    (DHCP)
   |--client
   |--client
```
```
                              Internet
Switch                            |
   |---(eth1)-Linux-(eth0/wlan0)--------
   |--client
   |--client
```
```
Internet----(eth0/wlan0)-Linux-(eth1)------Another PC
```
```
Internet----(eth0/wlan0)-Linux-(virtual interface)-----VM/container
```

## Install
1-file script, released on the [Linux-router repo on Github](https://github.com/garywill/linux-router). Just download and run the bash script (after meeting the dependencies). In this case it is used without installation.

> I'm currently not packaging for any distro. If you do, open a PR and add the link (can be with a version badge) to the list here

| Linux distro | |
| ------------ | ---------------------------------------------------------------------------------------------------------- |
| Any | download the [1-file-script](https://raw.githubusercontent.com/garywill/linux-router/master/lnxrouter) and run it without installation |

### Dependencies

- bash
- procps or procps-ng
- iproute2
- dnsmasq
- iptables (or nftables with `iptables-nft` translation linked)
- WiFi hotspot dependencies
    - hostapd
    - iw
    - iwconfig (you only need this if 'iw' can not recognize your adapter)
    - haveged (optional)

## Usage
### Provide Internet to an interface
```
sudo lnxrouter -i eth1
```
no matter which interface (other than `eth1`) you're getting Internet from.

### Create WiFi hotspot
```
sudo lnxrouter --ap wlan0 MyAccessPoint -p MyPassPhrase
```
no matter which interface you're getting Internet from (even `wlan0` itself). This will create the virtual interface `x0wlan0` for the hotspot.

### Provide an interface's Internet to another interface
Clients access the Internet only through `isp5`
<details>

```
sudo lnxrouter -i eth1 -o isp5 --no-dns --dhcp-dns 1.1.1.1 -6 --dhcp-dns6 [2606:4700:4700::1111]
```
> In this case of usage, it's recommended to:
>
> 1. Stop serving local DNS
> 2. Tell clients to use ISP5's DNS (or a safe public DNS, as in the example above)
>
> Also, read *Notice 1*
</details>

### Create LAN without providing Internet
<details>

```
sudo lnxrouter -n -i eth1
sudo lnxrouter -n --ap wlan0 MyAccessPoint -p MyPassPhrase
```
> Read _Notice 1_
</details>

### Internet for LXC
<details>

Create a bridge
```
sudo brctl addbr lxcbr5
```
In the LXC container's `config`
```
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = lxcbr5
lxc.network.hwaddr = xx:xx:xx:xx:xx:xx
```
Then provide Internet to the bridge
```
sudo lnxrouter -i lxcbr5
```
</details>

### Transparent proxy
All clients' Internet traffic goes through, for example, Tor (note that this example is NOT an anonymity use)

<details>

```
sudo lnxrouter -i eth1 --tp 9040 --dns 9053 -g 192.168.55.1 -6 --p6 fd00:5:6:7::
```
In `torrc`
```
TransPort 192.168.55.1:9040
DNSPort 192.168.55.1:9053
TransPort [fd00:5:6:7::1]:9040
DNSPort [fd00:5:6:7::1]:9053
```
> **Warn**: Tor's anonymity relies on a purpose-made browser. Using Tor like this (sharing Tor's network with LAN clients) will NOT ensure anonymity.
>
> Although we use Tor as an example here, Linux-router does NOT ensure, nor is it aiming at, anonymity.
</details>

### Clients-in-sandbox network
To avoid giving our information away to clients. Clients can still access the Internet.

<details>

```
sudo lnxrouter -i eth1 \
    --tp 9040 --dns 9053 \
    --random-mac \
    --ban-priv \
    --catch-dns --log-dns # optional
```
</details>

> Linux-router comes with no warranty. Use at your own risk

### Use as transparent proxy for LXD
<details>

Create a bridge
```
sudo brctl addbr lxdbr5
```
Create and add a new LXD profile overriding the container's `eth0`
```
lxc profile create profile5
lxc profile edit profile5

### profile content ###
config: {}
description: ""
devices:
  eth0:
    name: eth0
    nictype: bridged
    parent: lxdbr5
    type: nic
name: profile5

lxc profile add <container> profile5
```
```
sudo lnxrouter -i lxdbr5 --tp 9040 --dns 9053
```
To remove that new profile from the container
```
lxc profile remove <container> profile5
```
#### To not use a profile
Add a new `eth0` to the container overriding the default `eth0`
```
lxc config device add <container> eth0 nic name=eth0 nictype=bridged parent=lxdbr5
```
To remove the customized `eth0` and restore the default `eth0`
```
lxc config device remove <container> eth0
```
</details>

### Use as transparent proxy for VirtualBox
<details>

In VirtualBox's global settings, create a host-only network `vboxnet5` with DHCP disabled.
```
sudo lnxrouter -i vboxnet5 --tp 9040 --dns 9053
```
</details>

### Use as transparent proxy for firejail
<details>

Create a bridge
```
sudo brctl addbr firejail5
```
```
sudo lnxrouter -i firejail5 -g 192.168.55.1 --tp 9040 --dns 9053
firejail --net=firejail5 --dns=192.168.55.1 --blacklist=/var/run/nscd
```
Firejail's `/etc/resolv.conf` doesn't obtain DNS from DHCP, so we need to assign it.
nscd is the domain name cache service, which shouldn't be accessible from inside the jail here.
</details>

### CLI usage and other features
<details>

```
Usage: lnxrouter <options>

Options:
    -h, --help              Show this help
    --version               Print version number

    -i <interface>          Interface to make NATed sub-network,
                            and to provide Internet to
                            (To create WiFi hotspot use '--ap' instead)
    -o <interface>          Specify an interface to provide Internet from.
                            (See Notice 1)
                            (Note using this with default DNS option may leak
                            queries to other interfaces)
    -n                      Do not provide Internet (See Notice 1)
    --ban-priv              Disallow clients to access my private network

    -g <ip>                 This host's IPv4 address in subnet (mask is /24)
                            (example: '192.168.5.1' or '5' shortly)
    -6                      Enable IPv6 (NAT)
    --no4                   Disable IPv4 Internet (not forwarding IPv4)
                            (See Notice 1). Usually used with '-6'

    --p6 <prefix>           Set IPv6 LAN address prefix (length 64)
                            (example: 'fd00:0:0:5::' or '5' shortly)
                            Using this enables '-6'

    --dns <ip>|<port>|<ip:port>
                            DNS server's upstream DNS.
                            Use ',' to separate multiple servers
                            (default: use /etc/resolv.conf)
                            (Note IPv6 addresses need '[]' around)
    --no-dns                Do not serve DNS
    --no-dnsmasq            Disable dnsmasq server (DHCP, DNS, RA)
    --catch-dns             Transparent DNS proxy, redirect packets(TCP/UDP)
                            whose destination port is 53 to this host
    --log-dns               Show DNS query log (dnsmasq)
    --dhcp-dns <IP1[,IP2]>|no
                            Set IPv4 DNS offered by DHCP (default: this host).
    --dhcp-dns6 <IP1[,IP2]>|no
                            Set IPv6 DNS offered by DHCP (RA)
                            (default: this host)
                            (Note IPv6 addresses need '[]' around)
                            Using both above two will enable '--no-dns'
    --hostname <name>       DNS server associates this name with this host.
                            Use '-' to read name from /etc/hostname
    -d                      DNS server will take into account /etc/hosts
    -e <hosts_file>         DNS server will take into account additional
                            hosts file
    --dns-nocache           DNS server no cache

    --mac <MAC>             Set MAC address
    --random-mac            Use random MAC address

    --tp <port>             Transparent proxy,
                            redirect non-LAN TCP and UDP(not tested) traffic to
                            port. (usually used with '--dns')

WiFi hotspot options:
    --ap <wifi interface> <SSID>
                            Create WiFi access point
    -p, --password <password>
                            WiFi password
    --qr                    Show WiFi QR code in terminal (need qrencode)

    --hidden                Hide access point (not broadcast SSID)
    --no-virt               Do not create virtual interface
                            Using this you can't use same wlan interface
                            for both Internet and AP
    --virt-name <name>      Set name of virtual interface
    -c <channel>            Specify channel (default: use current, or 1 / 36)
    --country <code>        Set two-letter country code for regulatory
                            (example: US)
    --freq-band <GHz>       Set frequency band: 2.4 or 5 (default: 2.4)
    --driver                Choose your WiFi adapter driver (default: nl80211)
    -w <WPA version>        '2' for WPA2, '1' for WPA, '1+2' for both
                            (default: 2)
    --psk                   Use 64 hex digits pre-shared-key instead of
                            passphrase
    --mac-filter            Enable WiFi hotspot MAC address filtering
    --mac-filter-accept     Location of WiFi hotspot MAC address filter list
                            (defaults to /etc/hostapd/hostapd.accept)
    --hostapd-debug <level> 1 or 2. Passes -d or -dd to hostapd
    --isolate-clients       Disable wifi communication between clients
    --no-haveged            Do not run haveged automatically when needed
    --hs20                  Enable Hotspot 2.0

  WiFi 4 (802.11n) configs:
    --wifi4                 Enable IEEE 802.11n (HT)
    --req-ht                Require station HT (High Throughput) mode
    --ht-capab <HT caps>    HT capabilities (default: [HT40+])

  WiFi 5 (802.11ac) configs:
    --wifi5                 Enable IEEE 802.11ac (VHT)
    --req-vht               Require station VHT (Very High Throughput) mode
    --vht-capab <VHT caps>  VHT capabilities

    --vht-ch-width <index>  Index of VHT channel width:
                                0 for 20MHz or 40MHz (default)
                                1 for 80MHz
                                2 for 160MHz
                                3 for 80+80MHz (Non-contiguous 160MHz)
    --vht-seg0-ch <channel> Channel index of VHT center frequency for primary
                            segment. Use with '--vht-ch-width'
    --vht-seg1-ch <channel> Channel index of VHT center frequency for secondary
                            (second 80MHz) segment. Use with '--vht-ch-width 3'

Instance managing:
    --daemon                Run in background
    -l, --list-running      Show running instances
    --lc, --list-clients <id|interface>
                            List clients of an instance. Or list neighbors of
                            an interface, even if it isn't handled by us.
                            (passive mode)
    --stop <id>             Stop a running instance
                            For <id> you can use PID or subnet interface name.
                            You can get them with '--list-running'

Notice 1: This script assumes your host's default policy won't forward
          packets, so the script won't explicitly ban forwarding in any
          mode. In some unexpected cases (eg. mistaken configurations) this
          may cause unwanted packet leakage between 2 networks, which you
          should be aware of if you want an isolated network
```

</details>

## What changes are done to Linux system
On exit of a linux-router instance, the script **will do cleanup**, i.e. undo most changes to the system. However, **some** changes (if they were needed) will **not** be undone, namely:

1. `/proc/sys/net/ipv4/ip_forward = 1` and `/proc/sys/net/ipv6/conf/all/forwarding = 1`
2. dnsmasq in AppArmor complain mode
3. hostapd in AppArmor complain mode
4. Kernel module `nf_nat_pptp` loaded
5. The WiFi device used to create the hotspot is `rfkill unblock`ed
6. WiFi country code, if the user assigned one

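An added post-run audit (example code, not part of linux-router) that reports which of the persistent changes above are still in effect and whether the host's FORWARD chain default policy is ACCEPT, the situation Notice 1 warns about. The `ROOT` variable is an assumed knob so the checks can be pointed at another filesystem tree; the `iptables -S FORWARD` parsing assumes the standard `-P FORWARD <policy>` line of that output.

```sh
#!/bin/sh
# Added example, not part of linux-router: audit what an instance leaves
# behind after exit (items 1 and 4 of the list above) and check the host's
# FORWARD policy that Notice 1 relies on. ROOT is an assumed knob that lets
# the checks be pointed at another filesystem tree (empty means the real /).
ROOT="${ROOT:-}"

# Print the value of a sysctl file under $ROOT/proc/sys, or "missing".
sysctl_val() {
    f="$ROOT/proc/sys/$1"
    if [ -r "$f" ]; then cat "$f"; else echo missing; fi
}

# Succeed (exit 0) if IPv4 or IPv6 forwarding is still enabled.
forwarding_left_on() {
    v4=$(sysctl_val net/ipv4/ip_forward)
    v6=$(sysctl_val net/ipv6/conf/all/forwarding)
    [ "$v4" = 1 ] || [ "$v6" = 1 ]
}

# Succeed if nf_nat_pptp is listed in /proc/modules (still loaded).
pptp_module_loaded() {
    grep -q '^nf_nat_pptp ' "$ROOT/proc/modules" 2>/dev/null
}

# Read `iptables -S FORWARD` output on stdin; succeed if the chain's default
# policy is ACCEPT, i.e. the host forwards anything no explicit rule blocks.
forward_policy_is_accept() {
    grep -q '^-P FORWARD ACCEPT'
}

# Print a short report of everything that is still in effect.
report() {
    if forwarding_left_on; then
        echo "forwarding still enabled: ip_forward=$(sysctl_val net/ipv4/ip_forward)" \
             "ipv6 forwarding=$(sysctl_val net/ipv6/conf/all/forwarding)"
    fi
    if pptp_module_loaded; then
        echo "kernel module nf_nat_pptp still loaded"
    fi
    if iptables -S FORWARD 2>/dev/null | forward_policy_is_accept; then
        echo "FORWARD default policy is ACCEPT: traffic may leak between networks (Notice 1)"
    fi
    return 0
}

# Run the report only when invoked directly as a script with --report.
case "${1:-}" in
    --report) report ;;
esac
```

Run it as `sudo sh audit.sh --report` after an instance has exited; no output means none of the checked items is in effect.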
## Meet contributor(s) and become one of them
Visit [**my homepage** 🏡](https://garywill.github.io) to see **more tools and projects** 🛠️.
> [❤️ Buy me a coffee](https://github.com/garywill/receiving/blob/master/receiving_methods.md), this project took me lots of time! ([❤️ Scan the code to get a red packet and leave a tip!](https://github.com/garywill/receiving/blob/master/receiving_methods.md))
>
> 🥂 ( ^\_^) o自自o (^_^ ) 🍻

🤝 Besides, thanks to [create_ap](https://github.com/oblique/create_ap) by [oblique](https://github.com/oblique). This script was forked from create\_ap. Now they are quite different. (See the `history` branch for how I modified create_ap.) 🤝 Thanks also to those who contributed to that project.

👨‍💻 You can be a contributor, too!
- 🍃 There are some TO-DOs listed, both in the [readme TODO](#todo) and [in the code file](https://github.com/garywill/linux-router/search?q=TODO&type=code)
- 🍃 Also some [unfulfilled enhancements in the Issues](https://github.com/garywill/linux-router/issues?q=is%3Aissue+is%3Aopen+label%3Aenhancement)
- 🙋‍♂️ Contributions are not limited to coding. There are [some posts and questions](https://github.com/garywill/linux-router/issues) that need more people to answer

## Notice
<details>

```
Notice 1: This script assumes your host's default policy won't forward
          packets, so the script won't explicitly ban forwarding in any
          mode. In some unexpected cases (eg. mistaken configurations) this
          may cause unwanted packet leakage between 2 networks, which you
          should be aware of if you want an isolated network
```
</details>

## TODO
Sooner is better:
- Detect firewalld and make sure it won't interfere with our interface

Future:
- WPA3
- Global IPv6
- Explicitly ban forwarding if not needed
- Bring the bridging method back

## License
linux-router is LGPL licensed
<details>
```
linux-router
Copyright (C) 2018 garywill
This library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
License as published by the Free Software Foundation; either
version 2.1 of the License, or (at your option) any later version.
This library is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public
License along with this library; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
```
</details>
Upstream create_ap was BSD licensed
<details>
```
Copyright (c) 2013, oblique
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
* Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation
and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
```
</details>