Update docs/tech_docs/OPENwrt.md

2024-04-18 20:57:40 +00:00
parent 4e4180eb94
commit e45ca2034a


@@ -1,84 +1,89 @@
To set up a Proxmox container (CT) with OpenWRT using the `pct create` command and configure the firewall to allow SSH and HTTPS access on the WAN interface (`eth1`), let's compile a comprehensive guide including the commands for creating the container and the necessary firewall configuration within OpenWRT.
To streamline your guide for setting up Proxmox containers with OpenWRT and configuring the necessary firewall rules for SSH and HTTPS access, heres a refined and concise approach:
### Container Creation with Proxmox
### Proxmox Container Creation
First, let's clarify the Proxmox command for creating the container:
Below are the commands to create three different containers, each with a unique configuration for network interfaces:
### Container 1
#### **Container 1 Setup:**
```bash
pct create 101 /var/lib/vz/template/cache/openwrt-rootfs.tar.xz --unprivileged 1 --arch amd64 --ostype unmanaged --hostname openwrt-0 --storage local-lvm \
--net0 name=eth0,bridge=vmbr0,firewall=1 \
--net1 name=eth1,bridge=vmbr1,firewall=1
```
### Container 2
#### **Container 2 Setup:**
```bash
pct create 101 /var/lib/vz/template/cache/openwrt-rootfs.tar.xz --unprivileged 1 --arch amd64 --ostype unmanaged --hostname openwrt-1 --storage local-lvm \
--net0 name=eth0,bridge=vmbr0,firewall=1 \
--net1 name=eth1,bridge=vmbr2,firewall=1
```
### Container 3
#### **Container 3 Setup:**
```bash
pct create 102 /var/lib/vz/template/cache/openwrt-rootfs.tar.xz --unprivileged 1 --arch amd64 --ostype unmanaged --hostname openwrt-2 --storage local-lvm \
--net0 name=eth0,bridge=vmbr0,firewall=1 \
--net1 name=eth1,bridge=vmbr3,firewall=1
```
This command creates an unprivileged container with ID 106, using an OpenWRT root filesystem. It configures three network interfaces:
### OpenWRT Firewall Configuration
- **eth0**: Main LAN interface with a static IP and gateway.
- **eth1**: WAN interface on `vmbr1`, which will be used to allow external SSH and HTTPS access.
- **eth2**: Additional network interface.
You need to ensure that `eth1` is recognized as the WAN interface on each OpenWRT container. Configure the network settings and define firewall rules to allow SSH and HTTPS access.
### Firewall Configuration in OpenWRT
#### **Define Network Interfaces**:
Update the `/etc/config/network` to reflect `eth1` as the WAN interface. This setup applies universally across your containers:
For the OpenWRT container to allow SSH (port 22) and HTTPS (port 443) on `eth1`, you must ensure that `eth1` is treated as the WAN interface in OpenWRT's network and firewall settings. Here's how to set up the necessary firewall rules within the OpenWRT system:
```bash
config interface 'wan'
option ifname 'eth1'
option proto 'dhcp'
```
1. **Define Network Interfaces in OpenWRT**:
Ensure `eth1` is configured as the WAN interface in `/etc/config/network`. This might look something like this:
#### **Update Firewall Settings**:
In `/etc/config/firewall`, append rules to allow SSH and HTTPS access. The following rules will enable connectivity for management via `eth1`:
```bash
config interface 'wan'
option ifname 'eth1'
option proto 'dhcp'
```
```bash
config zone
option name 'wan'
list network 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
2. **Update Firewall Settings**:
In `/etc/config/firewall`, you should add rules to allow SSH and HTTPS. These rules need to specify that they apply to traffic coming in on `eth1` (which should be associated with the `wan` zone). Heres how you would configure the firewall:
config rule
option name 'Allow-SSH'
option src 'wan'
option proto 'tcp'
option dest_port '22'
option target 'ACCEPT'
```bash
config zone
option name 'wan'
list network 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config rule
option name 'Allow-SSH'
option src 'wan'
option dest_port '22'
option proto 'tcp'
option target 'ACCEPT'
config rule
option name 'Allow-HTTPS'
option src 'wan'
option dest_port '443'
option proto 'tcp'
option target 'ACCEPT'
```
config rule
option name 'Allow-HTTPS'
option src 'wan'
option proto 'tcp'
option dest_port '443'
option target 'ACCEPT'
```
### Applying the Configuration
After editing the configuration files, apply the changes:
- Restart the network service: `/etc/init.d/network restart`
- Reload the firewall: `/etc/init.d/firewall restart`
After updating the configuration files, you should apply the changes:
- **Restart Network Services**:
```bash
/etc/init.d/network restart
```
- **Reload Firewall Settings**:
```bash
/etc/init.d/firewall restart
```
### Final Considerations
- **Security**: Ensure you have set strong passwords and consider using key-based authentication for SSH.
- **Testing**: After setting up, test the accessibility of SSH and HTTPS from outside your LAN to confirm the firewall rules are working as expected.
- **Backup Configurations**: Always keep backups of your configurations before making significant changes.
This setup will configure your Proxmox container with OpenWRT to allow SSH and HTTPS traffic on `eth1`, ensuring remote management capabilities from the WAN side.
- **Security**: Implement strong authentication methods, such as key-based SSH access.
- **Testing**: Verify connectivity by accessing SSH and HTTPS from a network outside your LAN.
- **Backup Configurations**: Always back up your configurations before making significant changes.
This streamlined guide provides a clear and effective method for deploying Proxmox containers with OpenWRT, configured for remote management access through SSH and HTTPS on the WAN interface.
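Review bot: the Container 1 and Container 2 commands both use `pct create 101`, so the second invocation will fail because the CT ID is already taken; the three containers need distinct IDs (the hostnames openwrt-0, openwrt-1, openwrt-2 already suggest the sequence). In the same hunk, the explanatory sentence says the command "creates an unprivileged container with ID 106" and "configures three network interfaces" including `eth2`, but the commands define only `--net0` and `--net1` with IDs 101 and 102, so either the prose or the commands should be corrected to match. The network stanza `config interface 'wan'` uses `option ifname 'eth1'`; on OpenWrt 21.02 and later the key is `option device 'eth1'` (the `ifname` option is deprecated and may be ignored), so the guide should state which release it targets or use `device`. Finally, since the firewall rules deliberately open TCP 22 and 443 on the WAN zone, the "Security" bullet about key-based SSH should be paired with a concrete step (for example disabling password login for dropbear) rather than left as a general recommendation.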