Introduction: Your Personal Intranet (Part 2).
In part two we will get into virtual private networks, dnsmasq, and other media servers.
See also: https://www.instructables.com/id/Your-personal-intranet-Part-1/
You may also like: https://www.instructables.com/id/Statusnet-the-Twitter-clone-setup/
Update: added wireless option.
Step 1: Swapping Out Router 1 for a Pc and Installing Dnsmasq.
DNSmasq provides two services, either of which can be used independently.
- DNS service
- DHCP service (including features relating to network boot)
A local DNS cache can speed up internet browsing because the user's browser will not need to access a domain name server when it looks up a domain name the computer has visited before.
DHCP allows the user's computer to allocate network addresses to other computers on the wired or wireless network. A computer needs a unique network address in order to do access the internet.
DNSmasq is not designed for so-called "Internet Connection Sharing," however, it does provide a lot of the services needed in the background. With DNSmasq set up, only two additional commands can set up internet connection sharing (ref?).
Note that the package "dnsmasq" interferes with Network Manager which can use "dnsmasq-base" to provide DHCP services when sharing an internet connection. Therefore, if you use network manager (fine in simple set-ups only), then install dnsmasq-base, but not dnsmasq. If you have a more complicated set-up, uninstall network manager, use dnsmasq, or similar software (bind9, dhcpd, etc), and configure things by hand.
Setup for dnsmasq
Like much of the Ubuntu packages, dnsmasq is in universe. Make sure its enabled, then run these commands
$ sudo apt-get install dnsmasq
dnsmasq can be configured by editing the file
$ nano /etc/dnsmasq.conf
Local DNS Cache
A DNS server resolves human readable domain names into IP addresses. For example, when one requests ubuntu.com, the DNS server finds the IP address for ubuntu.com . One can run a DNS cache on a computer via the steps below. This will shorten the time required to look up domain names when browsing. The difference in time is on the order of hundreds of milliseconds.
After dnsmasq has been installed, use the text editor of choice, such as gedit, nano or vim to edit:
Note: in order to save modifications, the editor must be run with administrator permissions, e.g. sudo gedit /etc/dnsmasq.conf . Change the line that looks like (should be around line 90):
Now, edit the file
Make sure that around line 20 looks like the following:
#supersede domain-name "fugue.com home.vix.com"; prepend domain-name-servers 127.0.0.1; request subnet-mask, broadcast-address, time-offset, routers, domain-name, domain-name-servers, host-name, netbios-name-servers, netbios-scope;
The prepend domain-name-servers 127.0.0.1; is the important part of the configuration. Adding the prepend option ensures that 127.0.0.1 will appear on the top of the list of DNS servers. 127.0.0.1 refers to the user's own computer. Whenever the user's computer needs to resolve a domain name, it will forward that request to dnsmasq (which is running at 127.0.0.1).
Now, edit the file:
The file should look something like this,
search yourisp.com nameserver 192.168.0.1 nameserver 220.127.116.11 nameserver 18.104.22.168
Don't worry if the above listed nameserver numbers are not the same as what appear in the text editor. But be sure to add the user's computer as a nameserver at the top of the list:
search yourisp.com nameserver 127.0.0.1 nameserver 192.168.0.1 nameserver 22.214.171.124 nameserver 126.96.36.199
All that is left is to restart dnsmasq so that the changes we made to the configuration file come into effect. We do that via the command:
$ sudo /etc/init.d/dnsmasq restart
Now there is a DNS cache set up on the user's computer. To see the difference in speed, we can make use of the dig command twice on our test website:
$ dig ubuntu.com
The first time this happens, the output will look like:
;; Query time: 117 msec
The second time will look like:
;; Query time: 0 msec
- If you are on a large LAN (e.g. business or university) it might not be desirable to provide name service or DHCP for a thousand colleagues, so add the line:
except-interface=eth0 if eth0 is the user's internet/LAN connected interface.
- Add DHCP server:
dhcp-range=192.168.0.20,192.168.0.254,255.255.255.0 This range must not clash with your LAN IP address.
Save and exit the file, restart the daemon:
sudo invoke-rc.d dnsmasq restart
DNSmasq is now listening on some interfaces for DNS lookups and/or DHCP requests. One can verify this by running:
ss -ltp # -l = listen, -t = tcp, -p = show program name
The user can add the line: nameserver 127.0.0.1 to the top of your /etc/resolv.conf file to use the local DNS cache first.
Alternatively, the package resolvconf sorts all this out automatically.
Note: If you have the resolvconf package installed, you cannot use the "resolv-file=" option in your /etc/dnsmasq.conf configuration file as this value will be overridden by the init.d script when dnsmasq is started up. You should specify your upstream DNS servers using a dns-nameservers line (and optionally a dns-search line and other dns- options) for each interface in /etc/network/interfaces. The resolvconf scripts will automatically create a special file located at /var/run/dnsmasq/resolv.conf with your upstream servers and put 127.0.0.1 in /etc/resolv.conf to ensure DNS queries on your local machine use dnsmasq. For more information, see the resolvconf(8) man page.
Unlike the ISC DHCP server which "... in some configurations bypasses the kernel firewall rules entirely" - http://thekelleys.org.uk/dnsmasq/docs/FAQ
- for dnsmasq to work, iptables mustn't block the DHCP port
$ sudo ufw allow bootps^ This command will cause UFW to open the DHCP port, called bootps in /etc/services
Step 2: VPN.
Before setting up the VPN Server, you must first make sure your installed build of DD-WRT includes the PPTP VPN features. The DD-WRT feature list shows this as “PPTP / PPTP Client” on their chart. Check the installed version on your router (which you can see in the upper right corner on the configuration pages) against the chart. If the feature is not included in your build, you will need to flash your router with a DD-WRT version which does include the “PPTP / PPTP Client”.
To turn on the PPTP VPN Server, navigate to the Services tab and then the VPN sub-tab and select the option to enable the PPTP Server.Once enabled, several previously hidden options will appear. Configure them as follows:
- Server IP: Public IP address of the router
- Client IP(s): List of local IP’s (respective to the VPN network) to use when assigning IP addresses to clients connecting through the VPN. In our example, we are setting aside 5 IP addresses (192.168.16.5, .6, .7, .8, .9) for use by the VPN clients.
- CHAP-Secrets: User name and passwords for VPN authentication. The format is “user * password *” (user[space]*[space]password[space]*), with each entry on its own line. In our example, there is just a single accepted user name (jfaulkner) and password (SecretPassword1).
You can view detailed documentation on all of these options by clicking the “Help more…” link on this page on the right side of the DD-WRT configuration.
Once you are finished, click the Apply Settings button to push the configuration through to your DD-WRT router and you are finished.
Connecting to the PPTP VPN Server
Once you have your DD-WRT router configured, all that is left is to simply connect your client computers to the VPN. For our example, we will be showing how this is done using Windows 7 Professional.
In the Network and Sharing Center of the Control Panel, click the option to set up a new network connection.
Select the option to connect to a workplace VPN.If you have existing connections, they will be displayed here. For our example, we want to create a new connection.
Select the option to use your Internet connection to connect to the VPN.
Enter the domain or IP address of your VPN Server (the public IP address of the DD-WRT router configured above) and give a title to the VPN connection.
Enter the credentials for your VPN login which was configured in the DD-WRT router settings. Click Connect.
After a few moments, if everything is configured correctly, you should be connected to the PPTP VPN Server on the DD-WRT router.
Running ‘ipconfig’ on the local machine should show you are connected to both the VPN and your existing internet connection.Once connected, you can now access all the resources on the VPN as though you were connected to the network locally.
Step 3: Media Server - MediaTomb.
There are several media servers on the market that work well with TVs and PlayStation 3’s. I prefer MediaTomb, a uPnP-compliant server, because it is simple to install and configure. MediaTomb works flawlessly with my WD TV Live, and allows me to stream video (mostly AVI files), audio (mostly AAC files with .m4a extensions), and photos from my server to my TV.
MediaTomb is simple to install on Ubuntu Server because a Debian package for it is in the repositories. To install MediaTomb, simply install the mediatomb package.
$ sudo apt-get install mediatomb
The MediaTomb daemon will start automatically after installation.
Configure Port Number
By default, MediaTomb will pick the first available port starting with 49152. When restarting the server, it may pick a different port, such as 49153. I prefer to lock MediaTomb down to a certain point, so my bookmarks for the web interface are always correct, and so I can set firewall and networking rules consistently.
To lock MediaTomb to a single port, simply edit the XML configuration file.
$ sudo nano /etc/mediatomb/config.xml
Find the <name> element in the configuration file. (You can rename its contents if you wish to. Personally, I don’t like the word “tomb” displayed on my TV, so I rename the service “MediaServer”.) Underneath the element, insert a
element, as follows:
Save the configuration file, and restart the service.
$ sudo service mediatomb restart
Now MediaTomb will be locked down to port 49152. You can now set up your firewall to allow traffic on that port.
Add Media Files to MediaTomb’s Library
MediaTomb needs to be told where your media files reside in order to serve them. For simplicity, I prefer to keep all my media files in one folder tree, with high-level subfolders corresponding to media type. My media folder tree is within my home directory; your media may be spread out over your hard drive. MediaTomb doesn’t really care; you simply need to add each folder your media is in to the media library.
Add Media to MediaTomb
To add my media folder to MediaTomb, I use MediaTomb’s web interface. I point my browser to my server’s IP address, plus the port it is running on, as follows: http://serverip:49152.
MediaTomb’s sparse web user interface will appear. You will want to click on the Filesystem link, then browse the file system tree to find your media folder. Click on the media folder you wish to add, then click the icon that looks like a plus sign with two sync arrows, as in (+). This button calls up a form that allows you to add that folder to the media library, and set up automatic updating.
Set the scan mode to Inotify, the initial scan to Full, and check the Recursive checkbox. Then click Set, and you have added the folder. MediaTomb will scan the folder for media files to serve. Because we selected the Inotify scan mode, MediaTomb will monitor this folder tree for file changes, and update the media library accordingly. This allows you to add and remove media using Samba or the command line.
Repeat this process for each media folder on your server. Note that Inotify will not work with media served from remote file shares; you will need to set scanning to a timed interval.
Note: It is possible to add media via the command line, but it does not work well for the packaged Ubuntu install.
Enabling Web Interface
MediaTomb provides a web interface to help with configuration. To enable:
<ui enabled="yes" show-tooltips="yes">
With any changes to the configuration file, the MediaTomb service will need to be restarted for them to take effect.
As of version 0.12.1 to be able to 'Login', it appears like having accounts enabled now is mandatory. To do this change:
<accounts enabled="no" session-timeout="30">to yes. Here you can change the password too. However since MediaTomb only runs on a local network you may want to consider whether privacy is an issue. Default login/password is: mediatomb/mediatomb.
Connect to your Server
You will need to port foward 49152 on your router. After setting up the server and adding media to it, you are essentially done. Your front-end device should automatically discover MediaTomb on the network. XMBC and VLC work well with Mediatomb.
Step 4: Irc Server and Web Browser.
IRC Internet Relay chat. is an online real time chat betweeen users that are connected to the server. used in a lot of gaming.
Installing the server..(since this is on a private network (assuming no wifi) i will not get into al the security details.
$ sudo apt-get install ircd-hybrid
# nano /etc/ircd-hybrid/ircd.conf
Change as following:
/* port: the specific port to listen on. if no host is specified
* before, it will listen on all available IPs.
* ports are seperated via a comma, a range may be specified using ".."
/* port: listen on all available IPs, ports 6665 to 6669 */
# host = "127.0.0.1"; # change this!
port = 6667;
Change your message of the day.
# nano .etc/ircd-hybrid/ircd.motd
Restart server for changes to take effect.
# service ircd-hybrid restart
You will neet to forward port 6667 the same way we did other ports in part 1.
Install xchat or ircii and see if you can connect from the other network.
Step 5: Wisp (Wireless InTRAnet Service Provider)
One thing you could do if you wanted to add wireless access is to use hotspot software. I would set up a router 4 with Coovap and only allow wan access so that way you would have a front door to everything that is behind other routers. There is also other turnkey hotspot software, but this seems to be the most turnkey. Wireless security is a bit out of date on the stock package. Not enough time here to get into all the details, but just wanted to show some possibilities. Might be the subject of a future instructable.
CoovaAP is based on Openwrt.
Step 6: Multi-homed Network (no Routing).
More and more people are wanting to separate their private network from the internet but still want to access both for a system or two. No problem. You can set up multihomed nics faily easily and all things being equal, no packets should go between the two.
If you have 2 NIC (network Lan card) each connected to different networks:
=> eth0: 192.168.1.0/24
=> eth1: 192.168.2.0/24
Consider above setup. Now if you want to route traffic to connected network only (eth0 and eth1) w/o setting Linux server as a router. This is generally called multi homing setup. You don't have to setup Linux box as a router to use multi homing :). Just assign as IP address to each NIC and you are done.
How do I configure Linux multi homing?Just assign each interface IP address using ifconfig or use DHCP and multi homing will be turned on:
# ifconfig eth0 192.168.1.254 up
# ifconfig eth1 192.168.2.254 up
Commonly, most admin confuse the idea of multi-homing with the concept of routing or IP forwarding. Once two IP address assigned your system follows the default. No special configuration needed. Your multi-homing is up and running :).
Private network setup: