From 8d82faf64d31cdafa6c8db6ce20e759cfa2af837 Mon Sep 17 00:00:00 2001 From: medusa Date: Thu, 18 Apr 2024 16:34:39 +0000 Subject: [PATCH] Add docs/tech_docs/OPENwrt.md --- docs/tech_docs/OPENwrt.md | 71 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 71 insertions(+) create mode 100644 docs/tech_docs/OPENwrt.md diff --git a/docs/tech_docs/OPENwrt.md b/docs/tech_docs/OPENwrt.md new file mode 100644 index 0000000..e5fda54 --- /dev/null +++ b/docs/tech_docs/OPENwrt.md 
@@ -0,0 +1,71 @@ +To set up a Proxmox container (CT) with OpenWRT using the `pct create` command and configure the firewall to allow SSH and HTTPS access on the WAN interface (`eth1`), let's compile a comprehensive guide including the commands for creating the container and the necessary firewall configuration within OpenWRT. + +### Container Creation with Proxmox + +First, let's clarify the Proxmox command for creating the container: + +```bash +pct create 106 /var/lib/vz/template/cache/rootfs.tar.xz --unprivileged 1 --ostype unmanaged --hostname openwrt --storage local-lvm \ +--net0 name=eth0,bridge=vmbr0,firewall=1,gw=192.168.1.1,ip=192.168.1.2/24 \ +--net1 name=eth1,bridge=vmbr1,firewall=1 \ +--net2 name=eth2,bridge=vmbr2,firewall=1 +``` + +This command creates an unprivileged container with ID 106, using an OpenWRT root filesystem. It configures three network interfaces: + +- **eth0**: Main LAN interface with a static IP and gateway. +- **eth1**: WAN interface on `vmbr1`, which will be used to allow external SSH and HTTPS access. +- **eth2**: Additional network interface. + +### Firewall Configuration in OpenWRT + +For the OpenWRT container to allow SSH (port 22) and HTTPS (port 443) on `eth1`, you must ensure that `eth1` is treated as the WAN interface in OpenWRT's network and firewall settings. Here's how to set up the necessary firewall rules within the OpenWRT system: + +1. **Define Network Interfaces in OpenWRT**: + Ensure `eth1` is configured as the WAN interface in `/etc/config/network`. This might look something like this: + + ```bash + config interface 'wan' + option ifname 'eth1' + option proto 'dhcp' + ``` + +2. **Update Firewall Settings**: + In `/etc/config/firewall`, you should add rules to allow SSH and HTTPS. These rules need to specify that they apply to traffic coming in on `eth1` (which should be associated with the `wan` zone). 
Here’s how you would configure the firewall: + + ```bash + config zone + option name 'wan' + list network 'wan' + option input 'REJECT' + option output 'ACCEPT' + option forward 'REJECT' + option masq '1' + option mtu_fix '1' + + config rule + option name 'Allow-SSH' + option src 'wan' + option dest_port '22' + option proto 'tcp' + option target 'ACCEPT' + + config rule + option name 'Allow-HTTPS' + option src 'wan' + option dest_port '443' + option proto 'tcp' + option target 'ACCEPT' + ``` + +### Applying the Configuration +After editing the configuration files, apply the changes: +- Restart the network service: `/etc/init.d/network restart` +- Reload the firewall: `/etc/init.d/firewall restart` + +### Final Considerations +- **Security**: Ensure you have set strong passwords and consider using key-based authentication for SSH. +- **Testing**: After setting up, test the accessibility of SSH and HTTPS from outside your LAN to confirm the firewall rules are working as expected. +- **Backup Configurations**: Always keep backups of your configurations before making significant changes. + +This setup will configure your Proxmox container with OpenWRT to allow SSH and HTTPS traffic on `eth1`, ensuring remote management capabilities from the WAN side. \ No newline at end of file
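Review bot: The `Allow-SSH` and `Allow-HTTPS` rules in the `/etc/config/firewall` block accept ports 22 and 443 from every source in the `wan` zone, and the only hardening the document offers is the password and key-based authentication advice under "Final Considerations". Since the stated goal is remote management from the WAN side, I would add `option src_ip` with the management address or range to both rules, and say in the Security bullet that the router's SSH and HTTPS management services are then reachable from whatever network `vmbr1` is attached to. Two smaller points: `option ifname 'eth1'` in the `/etc/config/network` example is the syntax used before OpenWrt 21.02, and later releases use `option device`, so the document should name the release it targets. Also, the "Reload the firewall" step runs `/etc/init.d/firewall restart`, so either the wording or the command should change to match.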