PortaPi Router

From kipiki
Revision as of 14:13, 1 September 2017 by Dan (talk | contribs)

'This is a WIP document, should be finished by Sept 2nd 2017 at the latest'

Synopsis

Building a very small portable LAN for groups like 2600 and LUG meetings, where you want shared resources without bringing in the big machines, routers, etc., while still providing a useful environment.

Points to accomplish with build

  • Have one to two units, small enough to comfortably fit in small backpack compartment
  • No interaction required at meeting to have it up and running, steps: 1> apply power, 2> drink beer
  • Automatically set up on wireless - pre-configured to

Hardware Used

  • Raspberry Pi 3 B+ Wireless
  • Sandisk Ultra 32GB - I suggest using Sandisk Ultra or Extreme cards as they have error correcting; cheap SD cards usually die in short order when used as root for a computer.
  • Anker 20000 battery that can put out 4A (way overkill)
  • Edimax nano wireless that works with linux (for spawning its own access point)
  • Switch that can run off 5v - For me a Trendnet TEG-S5g then using a direct usb -> 2.1mm barrel connector to power
  • Short Ethernet cable
  • Short USB cable (Pi Power)
  • Short USB -> 2.1mm jack (Switch Power)

Finished build picture

#### Picture Placeholder ####

Software Used

Buildout Process

Image deployment

First we are going to download, extract then stick the image on our microsd card


I will be using a linux machine to perform these initial imaging steps.


Deploying the image:

  • Download whatever Linux you're using (I'm using Raspbian / Debian stretch in this case) using whatever method you like; I used the torrent via Deluge
  • Put your microsd into a reader, and insert into your linux box
  • Find what your device got named, on a single disk modern linux system it is probably /dev/sdb
  • Make sure you do not have data on the microsd that you want to preserve; the following actions will erase the microsd. My example is for /dev/sdb; ensure you use the proper device for your microsd. I am not responsible for destroyed data.


The following commands are run as root

# fdisk -l /dev/sdb
Disk /dev/sdb: 29.7 GiB, 31914983424 bytes, 62333952 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x8c9f67fa

Device     Boot Start      End  Sectors  Size Id Type
/dev/sdb1        2048 62333951 62331904 29.7G  b W95 FAT32
# time dd if=2017-08-16-raspbian-stretch-lite.img of=/dev/sdb bs=4M
442+1 records in
442+1 records out
1854418944 bytes (1.9 GB, 1.7 GiB) copied, 199.563 s, 9.3 MB/s

real	3m19.565s
user	0m0.000s
sys	0m1.727s
# fdisk -l /dev/sdb
Disk /dev/sdb: 29.7 GiB, 31914983424 bytes, 62333952 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0xee397c53

Device     Boot Start     End Sectors  Size Id Type
/dev/sdb1        8192   93813   85622 41.8M  c W95 FAT32 (LBA)
/dev/sdb2       94208 3621911 3527704  1.7G 83 Linux
# sync
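
Before running dd it is worth confirming two things the steps above rely on: that the image is the file the publisher released, and that /dev/sdb really is the card reader and not a system disk. The pre-flight script below is an added example, not part of the original page; it assumes a SHA-256 digest is published alongside the download (passed as PUBLISHED_SHA256, a placeholder), and the function names and the SYSFS/MOUNTS overrides are made up for illustration.

```shell
#!/bin/sh
# Added example: checks to run before "dd if=IMAGE of=DEVICE".
# SYSFS and MOUNTS can be overridden to exercise the checks without hardware.
SYSFS="${SYSFS:-/sys/block}"
MOUNTS="${MOUNTS:-/proc/mounts}"

# Return 0 only if the file hashes to the published SHA-256 digest.
verify_image() (
    want="$(printf '%s' "$2" | tr 'A-F' 'a-f')"
    got="$(sha256sum "$1" 2>/dev/null | awk '{ print $1 }')"
    [ -n "$got" ] && [ "$got" = "$want" ]
)

# Return 0 only if $1 is a whole, removable disk with nothing mounted from it.
check_target() (
    dev="$1"; name="${dev##*/}"
    # Whole disks have a directory here; partitions such as sdb1 do not.
    [ -d "$SYSFS/$name" ] || { echo "$dev: not a whole disk" >&2; exit 1; }
    # USB card readers report 1; fixed internal disks report 0.
    [ "$(cat "$SYSFS/$name/removable" 2>/dev/null)" = "1" ] ||
        { echo "$dev: not flagged removable" >&2; exit 1; }
    # Refuse if the disk or any of its partitions appears in the mount table.
    if awk -v d="$dev" 'index($1, d) == 1 { hit = 1 } END { exit !hit }' "$MOUNTS"; then
        echo "$dev: still mounted, unmount it first" >&2; exit 1
    fi
)

# Both checks must pass before anything is written.
preflight() {
    verify_image "$1" "$2" || { echo "$1: SHA-256 mismatch" >&2; return 1; }
    check_target "$3"
}

# Usage: sh preflight.sh IMAGE PUBLISHED_SHA256 DEVICE
if [ "$#" -eq 3 ]; then
    preflight "$1" "$2" "$3" && echo "ok: dd if=$1 of=$3 bs=4M conv=fsync"
fi
```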

Setting up initial system

Items covered in this section:

  • Hooking up pi
  • Set user password
  • Set hostname
  • Start SSHD
  • Update system

Hooking up pi

After the image is deployed to the microsd card, put it into the pi, then hook the pi up to a monitor, a keyboard and a wired internet connection.

Power the pi on (connect it to a 2+Amp usb power source), it will automatically resize its second partition (root) to fill the sd card then reboot.

Log into the pi, default credentials:
User: pi Pass: raspberry

Initial setup of raspbian

After logging into the pi as the pi user, configure the os:

pi@raspberrypi:~ $ sudo raspi-config

To navigate: use the arrow keys and tab.

What to change using the menu (and what each option does):

  • Localization Options
    • Change Locale (This changes the default/supported languages of the system, UK by default for raspbian)
      • Remove en_GB.UTF-8 UTF-8
      • Add en_US.UTF-8 UTF-8 (or whatever other lang/countries you want)
    • Change Timezone (setting up your local timezone)
      • For me it was US -> Eastern
    • Change Keyboard Layout (changes the keyboard layout (In US the issue is the | sends a ~ with 105 intl, you need to change to 104))
      • Change Generic 105-key (intl) PC to Generic 104-key PC
      • Keyboard Layout: (default English(UK), choose other)
      • English (US)
      • English (US)
      • The default for the keyboard layout
      • No compose key
  • Advanced Options
    • Memory split
      • I chose 16 here since we are going to be running this headless most of the time, this gives the OS the most memory and provides better performance for our purposes
  • Finish

Now reboot the machine, then when it comes back up, set your password and hostname.
The reason we do the localization first is that when you're putting in your password/hostname, the keyboard layout may be different, and if you set the password with the wrong layout and then change the layout, you may not be able to log in (not from personal experience or anything).

  • If you have locked yourself out of the pi:
    • Shut off the pi
    • Pull the microsd card, load into your linux box
    • mount partition 2 (e.g. mount /dev/sdb2 /mnt)
    • edit the /mnt/etc/shadow file, find the 'pi' entry, remove the second field (fields are denoted with a :)
    • unmount the media, put back into the pi, boot the pi
    • pi user will no longer have a password, set a new password using `passwd` or the method below.
pi@raspberrypi:~ $ sudo raspi-config
  • User password
    • This simply runs (as root) `passwd pi`
  • Hostname
    • This changes the /etc/hostname and /etc/hosts entries to rename the machine

Setting up sshd

SSH (daemon) allows you to ssh to the new router and not have to be physically attached. It is installed by default in raspbian.

Steps in setting up sshd to automatically come up at boot:

  • Create a root password (useful if your user gets locked out and you need to log in with superuser directly)
    • sudo passwd root
  • Edit /etc/ssh/sshd_config (I use vi, others might use vim or nano [easiest]. If you don't know what vi is and how to use it, use nano as in the example below). Note: This is not strictly necessary; I do it because I never want to log in as the root user remotely, and I do set up a password for the root account
    • sudo nano /etc/ssh/sshd_config
    • add the line:
      PermitRootLogin no
    • write and exit the file editor
  • Set the ssh daemon to start at boot and start it
    • sudo systemctl enable ssh; sudo systemctl start ssh
  • Determine your IP, and ssh (if you want) to the pi from another box
    • sudo /sbin/ifconfig ## my ethernet was an unfortunate mix of enx and the full mac address, will address this soon
    • On the other box: ssh pi@<ip address>
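
sshd uses the first value it reads for each keyword, and lines placed after a Match line apply only to that Match block, so an added "PermitRootLogin no" line is not guaranteed to take effect. The check below is an added example, not from the original page; the function names and the sample config are constructed for illustration, and Include directives are not followed.

```shell
#!/bin/sh
# Added example: report the value sshd will use for a keyword in the global
# section of an sshd_config file. sshd keeps the FIRST value it reads for a
# keyword, and lines after a "Match" line belong to that Match block, so a
# "PermitRootLogin no" appended at the end of the file can be ignored.
sshd_global_value() (
    awk -v key="$2" '
        /^[ \t]*#/ || NF == 0 { next }          # skip comments and blank lines
        { sub(/[ \t]*=[ \t]*/, " ") }           # accept "Keyword=value" as well
        tolower($1) == "match" { exit }         # global section ends here
        tolower($1) == tolower(key) { print tolower($2); exit }  # first value wins
    ' "$1"
)

# Return 0 only if root login over SSH is explicitly disabled for everyone.
root_login_disabled() {
    [ "$(sshd_global_value "$1" PermitRootLogin)" = "no" ]
}

# Constructed sample: an earlier active line shadows the appended one.
sample="$(mktemp)"
cat > "$sample" <<'EOF'
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no
EOF
if root_login_disabled "$sample"; then
    echo "root login disabled"
else
    echo "root login NOT disabled, effective value: $(sshd_global_value "$sample" PermitRootLogin)"
fi
rm -f "$sample"
```

On the pi itself, `sudo sshd -T | grep -i permitrootlogin` prints the value the installed configuration resolves to.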

If you are old-hat like me, and want the original eth0/wlan0/etc. instead of enx<16digitmac> (predictable but ugly as f), just do this:

sudo ln -s /dev/null /etc/systemd/network/99-default.link
sudo reboot

Update the system

You should do this periodically, preferably every time before you take the pi out to an event, to make sure you have the latest security patches.

sudo apt update
sudo apt upgrade

Setting up WPASupplicant

Items covered in this section:

  • Having the internal wireless card connect to a building wireless access point automatically

Building the local access point

Items covered in this section:

  • Building an access point using the usb

Setting up DHCP/DNS

Items covered in this section:

  • Setting up dnsmasq to broadcast DHCP over access point and physical lan
  • Setting up local resolutions for DNS
  • Setting up Steven Black's Hostfile

dnsmasq setup

Local DNS resolutions

Steven Black's Hostfile

This section covers using Steven Black's Hostfile. It is used for two things, and is configurable:

  • Protect users from things like ads, tracking, malware, viruses
  • Prevent users from going to nefarious sites.

As cool as the hosts file is, please take the following into consideration:

  • If you want pure-internet access, do not perform this section. Things like ad services will not work with this enabled.
  • I generally consider this as protection only; if you block stuff that users *want* to see, they will find a way around it.

Setting up routes and restrictions

Caretaking/after build

Items covered in this section:

  • Updating the installation
  • Saving/restoring image for backup or if intrusion concern