diff --git a/docs/tech_docs/OPENwrt.md b/docs/tech_docs/OPENwrt.md index b5f00af..bd562db 100644 --- a/docs/tech_docs/OPENwrt.md +++ b/docs/tech_docs/OPENwrt.md 
@@ -1,84 +1,89 @@ -To set up a Proxmox container (CT) with OpenWRT using the `pct create` command and configure the firewall to allow SSH and HTTPS access on the WAN interface (`eth1`), let's compile a comprehensive guide including the commands for creating the container and the necessary firewall configuration within OpenWRT. +To streamline your guide for setting up Proxmox containers with OpenWRT and configuring the necessary firewall rules for SSH and HTTPS access, here’s a refined and concise approach: -### Container Creation with Proxmox +### Proxmox Container Creation -First, let's clarify the Proxmox command for creating the container: +Below are the commands to create three different containers, each with a unique configuration for network interfaces: -### Container 1 +#### **Container 1 Setup:** ```bash pct create 101 /var/lib/vz/template/cache/openwrt-rootfs.tar.xz --unprivileged 1 --arch amd64 --ostype unmanaged --hostname openwrt-0 --storage local-lvm \ --net0 name=eth0,bridge=vmbr0,firewall=1 \ --net1 name=eth1,bridge=vmbr1,firewall=1 ``` -### Container 2 + +#### **Container 2 Setup:** ```bash pct create 101 /var/lib/vz/template/cache/openwrt-rootfs.tar.xz --unprivileged 1 --arch amd64 --ostype unmanaged --hostname openwrt-1 --storage local-lvm \ --net0 name=eth0,bridge=vmbr0,firewall=1 \ --net1 name=eth1,bridge=vmbr2,firewall=1 ``` -### Container 3 +#### **Container 3 Setup:** ```bash pct create 102 /var/lib/vz/template/cache/openwrt-rootfs.tar.xz --unprivileged 1 --arch amd64 --ostype unmanaged --hostname openwrt-2 --storage local-lvm \ --net0 name=eth0,bridge=vmbr0,firewall=1 \ --net1 name=eth1,bridge=vmbr3,firewall=1 ``` -This command creates an unprivileged container with ID 106, using an OpenWRT root filesystem. It configures three network interfaces: +### OpenWRT Firewall Configuration -- **eth0**: Main LAN interface with a static IP and gateway. -- **eth1**: WAN interface on `vmbr1`, which will be used to allow external SSH and HTTPS access. 
-- **eth2**: Additional network interface. +You need to ensure that `eth1` is recognized as the WAN interface on each OpenWRT container. Configure the network settings and define firewall rules to allow SSH and HTTPS access. -### Firewall Configuration in OpenWRT +#### **Define Network Interfaces**: +Update the `/etc/config/network` to reflect `eth1` as the WAN interface. This setup applies universally across your containers: -For the OpenWRT container to allow SSH (port 22) and HTTPS (port 443) on `eth1`, you must ensure that `eth1` is treated as the WAN interface in OpenWRT's network and firewall settings. Here's how to set up the necessary firewall rules within the OpenWRT system: +```bash +config interface 'wan' + option ifname 'eth1' + option proto 'dhcp' +``` -1. **Define Network Interfaces in OpenWRT**: - Ensure `eth1` is configured as the WAN interface in `/etc/config/network`. This might look something like this: +#### **Update Firewall Settings**: +In `/etc/config/firewall`, append rules to allow SSH and HTTPS access. The following rules will enable connectivity for management via `eth1`: - ```bash - config interface 'wan' - option ifname 'eth1' - option proto 'dhcp' - ``` +```bash +config zone + option name 'wan' + list network 'wan' + option input 'REJECT' + option output 'ACCEPT' + option forward 'REJECT' + option masq '1' + option mtu_fix '1' -2. **Update Firewall Settings**: - In `/etc/config/firewall`, you should add rules to allow SSH and HTTPS. These rules need to specify that they apply to traffic coming in on `eth1` (which should be associated with the `wan` zone). 
Here’s how you would configure the firewall: +config rule + option name 'Allow-SSH' + option src 'wan' + option proto 'tcp' + option dest_port '22' + option target 'ACCEPT' - ```bash - config zone - option name 'wan' - list network 'wan' - option input 'REJECT' - option output 'ACCEPT' - option forward 'REJECT' - option masq '1' - option mtu_fix '1' - - config rule - option name 'Allow-SSH' - option src 'wan' - option dest_port '22' - option proto 'tcp' - option target 'ACCEPT' - - config rule - option name 'Allow-HTTPS' - option src 'wan' - option dest_port '443' - option proto 'tcp' - option target 'ACCEPT' - ``` +config rule + option name 'Allow-HTTPS' + option src 'wan' + option proto 'tcp' + option dest_port '443' + option target 'ACCEPT' +``` ### Applying the Configuration -After editing the configuration files, apply the changes: -- Restart the network service: `/etc/init.d/network restart` -- Reload the firewall: `/etc/init.d/firewall restart` + +After updating the configuration files, you should apply the changes: + +- **Restart Network Services**: + ```bash + /etc/init.d/network restart + ``` + +- **Reload Firewall Settings**: + ```bash + /etc/init.d/firewall restart + ``` ### Final Considerations -- **Security**: Ensure you have set strong passwords and consider using key-based authentication for SSH. -- **Testing**: After setting up, test the accessibility of SSH and HTTPS from outside your LAN to confirm the firewall rules are working as expected. -- **Backup Configurations**: Always keep backups of your configurations before making significant changes. -This setup will configure your Proxmox container with OpenWRT to allow SSH and HTTPS traffic on `eth1`, ensuring remote management capabilities from the WAN side. \ No newline at end of file +- **Security**: Implement strong authentication methods, such as key-based SSH access. +- **Testing**: Verify connectivity by accessing SSH and HTTPS from a network outside your LAN. 
+- **Backup Configurations**: Always back up your configurations before making significant changes. + +This streamlined guide provides a clear and effective method for deploying Proxmox containers with OpenWRT, configured for remote management access through SSH and HTTPS on the WAN interface. \ No newline at end of file
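Review bot: The "Container 2 Setup" block still runs `pct create 101`, the same ID as Container 1, so the two commands cannot both succeed on one node; since this change retitles those blocks anyway, renumber them in the same patch (for example 101, 102, 103 to match openwrt-0 through openwrt-2). In the firewall section, the `Allow-SSH` and `Allow-HTTPS` rules accept from `src 'wan'` with no source restriction, while the rewritten "Security" bullet drops the earlier advice on strong passwords. Consider adding an `option src_ip` line to both rules that limits them to the management network, and keep the password guidance alongside key-based SSH. The two UCI blocks for `/etc/config/network` and `/etc/config/firewall` are fenced as `bash` although they are file contents rather than commands, which invites pasting them into a shell. The new opening and closing sentences ("To streamline your guide...", "This streamlined guide provides...") read as a reply to the author rather than documentation text and could be replaced with a plain statement of what the page covers.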