
Sunday, July 31, 2016

OpenWRT KVM Setup

I was able to eke out a little period of time this weekend to work on the Ubuntu server.  My concentration was on getting some vlans set up coming into the server from a trunk line.

But before that I attempted to set up some OpenWRT VMs using instructions from the openwrt website.  First, I downloaded https://downloads.openwrt.org/chaos_calmer/15.05/x86/64/openwrt-15.05-x86-64-combined-ext4.img.gz, then I moved it to the Ubuntu server and unpacked it.

gunzip openwrt-x86-generic-combined-ext4.img.gz
qemu-img convert -f raw -O vmdk openwrt-x86-generic-combined-ext4.img openwrt-x86-generic-combined-ext4.vmdk

Once that was done, I converted it to qcow2 using the script here.  Once that was accomplished I pulled the qcow2 file into KVM and cloned it three times.  The three clones are for additional router functions in the future.

Once I had the KVMs generated I then updated the ethernet connection going to the card that had the No-Mans Land vlan on it.  I added several more tagged vlans to the trunk that I had formed using the Netgear switch.  I then set up a number of vlans using the instructions from https://wiki.ubuntu.com/vlan.  I then updated the /etc/network/interfaces file to set up the new vlans from the trunk line (truncated):

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo br0-vlan6 br2-vlan300 br1-vlan200 enp3s0 enp4s5 enp4s6
iface lo inet loopback

# The primary network interface
iface enp3s0 inet manual
iface br0-vlan6 inet static
    address 192.168.0.133
    netmask 255.255.255.0
    broadcast 192.168.0.255
    network 192.168.0.0
    gateway 192.168.0.2
    bridge_ports enp3s0
    bridge_stp off
    bridge_fd 0
    bridge_waitport 0
    dns-nameservers 8.8.8.8 8.8.4.4 192.168.1.1

iface enp4s5 inet manual

...


iface br2-vlan300 inet static
    address 10.100.30.50
    netmask 255.255.255.0
    broadcast 10.100.30.255
    network 10.100.30.0
    bridge_ports enp4s5
    bridge_stp off
    bridge_fd 0
    bridge_waitport 0

auto enp4s5.4
iface enp4s5.4 inet static
    address 10.10.4.45
    netmask 255.255.255.0
    vlan-raw-device enp4s5

(and so on ...)

Now that I have the vlans (tagged) set up on the same Ethernet as the No-Mans Land vlan, I can concentrate on setting up the OpenWRT VMs to point to the correct vlans.
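A small added lint for an interfaces file laid out like the one above (this is example code, not part of the original post). It checks that a device used as a bridge port or vlan-raw-device is declared inet manual, so the trunk itself carries no address, and flags a bridge named "...vlanN" whose port is a raw device rather than a "dev.N" subinterface, because such a bridge carries the port's untagged traffic and depends on the switch-side PVID being N. The sample interfaces file and its names and addresses are constructed.

```shell
# Check 1: devices named in bridge_ports / vlan-raw-device must be "inet manual".
# Check 2: a "...vlanN" bridge whose port is not "dev.N" carries untagged traffic, so it
#          relies on the switch PVID; flag it so the switch side can be confirmed.
lint_interfaces() {
    awk '
    /^[[:space:]]*#/ || NF == 0 { next }
    $1 == "iface"           { cur = $2; method[cur] = $4; next }
    $1 == "bridge_ports"    { for (i = 2; i <= NF; i++) { ports[cur] = ports[cur] " " $i; used[$i] = cur }
                              next }
    $1 == "vlan-raw-device" { used[$2] = cur; next }
    END {
        for (dev in used) {
            m = (dev in method) ? method[dev] : "undeclared"
            if (m != "manual")
                printf "WARN %s: used by %s but declared \"%s\" (expected inet manual)\n", dev, used[dev], m
        }
        for (br in ports)
            if (match(br, /vlan[0-9]+$/)) {
                vid = substr(br, RSTART + 4)
                n = split(ports[br], p, " ")
                for (i = 1; i <= n; i++)
                    if (p[i] !~ ("\\." vid "$"))
                        printf "WARN %s: port %s is untagged, so this bridge relies on the switch PVID being %s\n", br, p[i], vid
            }
    }' "$1"
}

# Constructed sample (names and addresses made up): the br0-vlan6/br2-vlan300 pattern from the
# post, one bridge on a tagged subinterface (br3-vlan8), and one raw port that wrongly has an address.
sample_interfaces() {
    local f; f=$(mktemp)
    cat > "$f" <<'EOF'
auto br0-vlan6 br2-vlan300 br3-vlan8 br1-vlan200
iface enp3s0 inet manual
iface br0-vlan6 inet static
    bridge_ports enp3s0
iface enp4s5 inet manual
iface br2-vlan300 inet static
    bridge_ports enp4s5
iface enp4s5.8 inet manual
    vlan-raw-device enp4s5
iface br3-vlan8 inet static
    bridge_ports enp4s5.8
iface enp4s6 inet static
    address 10.10.200.2
iface br1-vlan200 inet static
    bridge_ports enp4s6
EOF
    echo "$f"
}
```

Run it as `lint_interfaces /etc/network/interfaces`; the sample above produces four warnings and passes br3-vlan8 silently.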

Thursday, July 14, 2016

Bringing Back the 1-Port Router

Ok, now I need to set up a Raspberry Pi 1-Port Router.  I know how to accomplish this (see the article here), I just have to go through the motions to implement it.  Strange - I am on SD052; I'm going to have to quit buying these things and start reusing the ones that I already have.  The setup was as follows:

sudo apt-get update
sudo apt-get upgrade
sudo apt-get install vlan shorewall

Then to get webmin set up and running, I did the following:

I added to /etc/apt/sources.list -

deb http://download.webmin.com/download/repository sarge contrib

I then got the key for the webmin repository -

sudo wget http://www.webmin.com/jcameron-key.asc
sudo apt-key add jcameron-key.asc

I then installed webmin -

sudo apt-get install perl libnet-ssleay-perl openssl libauthen-pam-perl libpam-runtime libio-pty-perl apt-show-versions python
sudo apt-get install webmin

I am going to use the 1-Port Router to connect between three different vlans, vlan4, vlan6, and vlan8.  Webmin will be used to set up the routing functions on Shorewall so that I can do the following:

  1. Have a firewall facing out towards vlan4 from vlan6; supply dhcp services to vlan4; allow only traffic from the Mac Mini to vlan4 from vlan6; and provide a one-to-one NAT ip from my WD MyCloud onto vlan4.
  2. Have a firewall facing out towards vlan8 from vlan6; supply dhcp services to vlan8; allow only traffic from the Mac Mini to vlan8 from vlan6; and provide a one-to-one NAT ip from my ubuntuServer VM cluster.


I am going to accomplish this by the following setup (TBD).
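An added example of what the Shorewall side of that plan could look like, written as a script that drops the configuration files into a directory (this is not the post's own setup, which is still TBD). Assumptions: the Pi has 802.1q subinterfaces eth0.4, eth0.6 and eth0.8 from the vlan package; the Mac Mini is 192.168.6.10 and the WD MyCloud 192.168.6.20 on vlan6; 10.10.4.200 is the constructed address the MyCloud is presented at on vlan4; shorewall.conf has IP_FORWARDING=On and ADD_IP_ALIASES=Yes so Shorewall adds the NAT address to eth0.4.

```shell
# Addresses are constructed placeholders; adjust to the real hosts.
MAC_MINI=192.168.6.10
MYCLOUD=192.168.6.20
MYCLOUD_ON_V4=10.10.4.200

# Writes zones, interfaces, policy, rules and nat into $1 (e.g. /etc/shorewall),
# to be vetted with "shorewall check" before "shorewall start".
write_shorewall() {
    local d=$1; mkdir -p "$d"
    cat > "$d/zones" <<'EOF'
#ZONE  TYPE
fw     firewall
lan    ipv4
v4     ipv4
v8     ipv4
EOF
    # "dhcp" lets the router answer DHCP on v4/v8 with no explicit rule; the rest is anti-spoofing hygiene.
    cat > "$d/interfaces" <<'EOF'
?FORMAT 2
#ZONE  INTERFACE  OPTIONS
lan    eth0.6     tcpflags,nosmurfs,routefilter
v4     eth0.4     dhcp,tcpflags,nosmurfs,routefilter
v8     eth0.8     dhcp,tcpflags,nosmurfs,routefilter
EOF
    # Default deny between every pair of zones; only the rules file opens anything.
    cat > "$d/policy" <<'EOF'
#SOURCE  DEST  POLICY  LOG_LEVEL
$FW      all   ACCEPT
all      all   DROP    info
EOF
    # Only the Mac Mini may originate traffic from vlan6 into vlan4/vlan8. vlan4 may reach the
    # MyCloud SMB port, and only when addressed via the one-to-one NAT address (ORIGDEST column).
    cat > "$d/rules" <<EOF
#ACTION  SOURCE         DEST           PROTO  DPORT  SPORT  ORIGDEST
ACCEPT   lan:$MAC_MINI  v4
ACCEPT   lan:$MAC_MINI  v8
ACCEPT   v4             lan:$MYCLOUD   tcp    445    -      $MYCLOUD_ON_V4
EOF
    cat > "$d/nat" <<EOF
#EXTERNAL       INTERFACE  INTERNAL  ALL_INTERFACES  LOCAL
$MYCLOUD_ON_V4  eth0.4     $MYCLOUD  No              No
EOF
}
```

The vlan8 one-to-one mapping for the VM cluster is another line of the same shape in nat, plus a matching ACCEPT in rules.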

Wednesday, July 13, 2016

Thinking about distributing the network servers

I have been reading up on openvswitch, openflow, and docker and it occurs to me that I might want to take advantage of some of the concepts available to me.  I have a VM Server currently that pretty much limits things to the KVM world, each connected to a specific bridge to a hardware port.  Those hardware ports in turn are connected to a managed switch.  I can do a lot with this setup but I can do better.

One thing that I want to do is distribute the data plane between different VMs and allow for usage of different file servers across my network.  I have plenty of space available to me for various files but because of the need to distribute the VMs between different vlans it becomes more difficult without having several hardware routers in the network.  I want to use SDN and openvswitch to be able to spread the VM connections around to places that I need them as well as give myself the ability to access any device that I want to.  So how would I go about doing this?  I have decided to use openvswitch to spread the network access plane around my house without changing the physical network layout of routers and switches.  I will instead go the virtual route and apply some Software Defined Network (SDN) concepts.

More Later.

Sunday, July 10, 2016

Project #11 - Use SDN and OpenVSwitch to connect VMs across the Network No-Mans Land

I have been studying up on software defined networks and have been looking at OpenVSwitch as a means to run GRE connections across the No-Mans Land vlan.

Sunday, July 3, 2016

Cluster #3 - Rearranged the Cluster for Experimentation

One of the issues that I have fixed is how to take each one of the RPis in the Cluster and be able to independently move them from one location to another.  I was able to achieve this by the use of a Netgear 116E 16-port managed switch.  Since I have 4 RPis in the cluster, I took up 8 ports on the switch and managed to be able to move things around at my convenience.  This was evident when I decided to take .101 and tie it to the same vlan as .100.  However, in this case I started up an openVPN setup following the instructions at https://github.com/StarshipEngineer/OpenVPN-Setup.  By having .101 on the switch, I was able to easily move the head from the LAN1 vlan to the CEH input vlan.  Now I can set up the openVPN independently from what I was intending on doing with .100.

Another interesting tidbit was that I was able to hook up the PowerLine adapter to the No-Mans Land vlan in another area in my house and connect to it via the other PowerLine adapter on my front porch.  So I was able to do some updates to the RPi while sitting on my porch - and the No-Mans Land vlan was separated from the outside world.  Now what I want to be able to do is access specific vlans from outside using a double IPSec encryption setup.  More later.

Tips #0 - Wow - Amazing Find to Convert VMWare to KVM

I just happened to have enough time over the weekend to look around for some ways to convert from multiple VMWare vmdks to qcow2 and I stumbled across this site.  Now that I have found this site I can go about getting some of my VMs into a KVM setup.  The bash code that I am using is:

#!/bin/bash
# Convert each VMDK extent to raw, join the pieces in name order, then build one qcow2.
for i in *.vmdk; do qemu-img convert -f vmdk "$i" -O raw "$i.raw"; done
cat *.raw > tmpImage.raw
# Without -O qcow2 the output defaults to raw regardless of the .qcow2 extension.
qemu-img convert -f raw -O qcow2 tmpImage.raw finalImage.qcow2
rm *.raw
 
I can't tell you how much I needed to find this in order to ease the process.  Thanks to Kees Cook and muru for the code.

Also found this to convert spaces in names to underscores:


for f in *\ *; do mv "$f" "${f// /_}"; done
 
Update: I spent a good portion of the day converting VMWare VMs to qcow2 and then to KVM images.  Life is once again good to me.  I was able to get a number of different VMs related to Penetration Testing completed as well as set up a bridge that could be used for the same.