This is a guide, or more or less a set of instructions, on how to set up a Gameshell with the ability to:
- Use it as a wireless bridge/extension using hostapd and dnsmasq
- Host an encrypted (TLS) IRC server from the device using inspircd
- Reroute *.cpi addresses to our device using dnsmasq
- Host a custom web server using apache2
- Potentially other things if you decide to build your own kernel (this guide assumes you are)
All of the nice things this kind individual provided are going to be our base:
Custom D.E.O.T. V2.0+/Clockwork OS v0.5 image - With customised DEOT interface, Kernel 5.4.24, Optional 1400MHz OC, Debian 10 Buster, Retroarch 1.8.5, Mupen64+ plus more! (Current build: 200423)
I recommend this as the starting point just because it has a bunch of other cool features that I personally think should come stock with the Gameshell.
If you don’t want to compile your own kernel, I’ve posted the one I’ve compiled and am using here:
EDIT: Sorry guys it looks like I forgot to turn on something for hostapd! You will need the authenticator dependency in your kernel!
If those things don’t sound appealing to you, then maybe this guide isn’t for you…
This guide will generally assume that you are working from the /home/cpi directory. Please note that I may have forgotten a step or two; most of these commands are tested, but PLEASE do your own research before carelessly entering any commands, and you will be required to have a little common sense. I am not liable for how you interpret or use this information and am not responsible for any loss of data. I will be referencing other sources of data/packages, some of which were provided by the community here.
There's also good reference material at linuxfromscratch.org regarding the kernel options needed for iptables and bridge-utils. There were a few other components that I turned on that weren't based on explicit instructions to do so, such as enabling IP masquerading, which is required if we're to route the access point's traffic back out through our main wifi.
It's also meant to be a guide for myself in case I mess up badly and have to start all over, so in short this is going to be truncated, not going into too much detail over every single component…
Be warned that there are a lot of steps to this and it may take a good chunk of your time, especially if you decide to compile the kernel directly on the device. Edit: Assume that these commands are run as root. You can log in to root by typing:
With this out of the way…
You will need a flashed micro SD card. I recommend BACKING UP your data before messing with any of this! It's also recommended that you change your power settings to 'SERVER'.
- Secure your device. Connect to the internet; we will need it to install some dependencies later. It's important to do the following if you haven't already:
Optional: add an SSH banner and change the MOTD (/etc/motd). Note that a plain echo does not expand \n, so use printf for a multi-line banner:
echo 'Banner /etc/banner.net' >> /etc/ssh/sshd_config
printf '%s\n' 'shadowsword#0179' 'GAMESHELL TERMINAL' > /etc/banner.net
Change the default password from cpi to something else (passwd cpi).
Change PermitRootLogin from yes to no. sshd uses the first value it finds for a keyword, so check the file rather than just appending a second line, then test the config and restart sshd:
sudo nano /etc/ssh/sshd_config
sudo sshd -t && sudo systemctl restart ssh
- Create folders to work with. This isn't an exact science; you can name these however you like as long as you apply your naming convention to later commands. The names used later in this guide are /home/cpi/xx_shells, /xcompile and /certs.
One just because we can use it as a $PATH:
echo 'PATH="/home/cpi/xx_shells:$PATH"' >> /home/cpi/.bashrc
One because we'll need a place to put the compiling stuff (/xcompile).
One to copy our certificates to (/certs), because we'll need TLS for inspircd and apache2.
Optional alias because I like it:
echo "alias ll='ls -l'" >> /home/cpi/.bashrc
- Mount the boot partition of your micro SD. It's not important that this stays mounted, so we're not adding it to fstab.
mkdir -p /mnt/boot
mount /dev/mmcblk0p1 /mnt/boot
- Update, upgrade, install dependencies and extras
sudo apt-get update; sudo apt-get upgrade
Install the following packages (some were included better-safe-than-sorry and personal preference):
sudo apt-get install bridge-utils dnsmasq hostapd apache2 certbot locate flex bison bc libssl-dev build-essential irssi
If you installed locate, we can use this later to find things more easily. Index the system by typing:
updatedb
Then use locate '*filename*' to search for your file using this index.
Install Simple Terminal; this is a life saver.
tar -xvzf SimpleTerminal.tar.gz
cp -r 03_SimpleTerminal /home/cpi/apps/Menu/60_Utils/12_SimpleTerminal
- Stop the services we installed. They don't need to be running while we configure them. (On Debian 10 the hostapd unit is masked when the package is installed without a config; run sudo systemctl unmask hostapd before you expect it to start at boot.)
sudo systemctl stop hostapd
sudo systemctl stop dnsmasq
- Dealing with our SSL certificates. We'll need these for inspircd and apache2.
IMPORTANT! YOU WILL NEED TO HAVE PORT 80 FORWARDED ON YOUR ROUTER AND A DOMAIN POINTING AT YOUR PUBLIC IP! Let's Encrypt only issues the certificate; the domain itself you register elsewhere (e.g. a free .tk).
Please replace somedomain.tk with your own domain. With apache2 already listening on port 80, the simplest authenticator is webroot (certbot certonly --webroot -w /var/www/html -d somedomain.tk); a bare certbot certonly will prompt you for one. Generating the 2048-bit DH parameters takes a long time on the device.
sudo systemctl start apache2 # if not started already
certbot certonly
cd /etc/letsencrypt/live/somedomain.tk/
openssl dhparam -out dhparams.pem 2048
cp cert.pem /certs/
cp chain.pem /certs/
cp dhparams.pem /certs/
cp fullchain.pem /certs/
cp privkey.pem /certs/
cd /certs/
sudo chown cpi:cpi *
sudo chmod 440 *
sudo systemctl stop apache2
Note that these are copies: certbot renews the certificate every couple of months (it needs port 80 reachable to do so), but the files under /certs will not change by themselves, so inspircd will eventually serve an expired certificate unless you re-copy them, e.g. from a certbot deploy hook.
- inspircd installation and configuration. This is somewhat of a big section to try and squish a default into. Please be sure to read it over and change as needed; you will likely want to do your own customization, but this is the basis for how our system works and includes the proper references for our TLS .pem files. I'm not going to comment much here. It's best to spend the extra time to do it yourself. A few things to get right: the TLS listener on 6697 only works if the ssl_openssl extra is built and loaded (the <module name="ssl_openssl"> line below; libssl-dev was installed above). The oper block ships with a plaintext, trivial password ("oper"): change it, and prefer a hashed one (hash="..." with a value from /MKPASSWD, which needs the password_hash module) so the password is not readable on disk. The sslprofile still allows TLS 1.1 (tlsv11="yes"); set it to "no" unless you have a client that needs it. The 6660-6669 listener is plaintext; drop it if everything you use speaks TLS.
# Install IRC Daemon
wget https://github.com/inspircd/inspircd/archive/v3.6.0.tar.gz
tar -xvf v3.6.0.tar.gz
# the tarball extracts to inspircd-3.6.0; the scripts later on expect /home/cpi/inspircd
mv inspircd-3.6.0 inspircd
cd inspircd
./configure --enable-extras ssl_openssl   # InspIRCd 3 names extras without the m_/.cpp
./configure
make install                               # installs into ./run by default
cd run/conf
cat > motd.txt <<'EOF'
shadow's
_________ __ _________ 
/ ____/ | / |/ / ____/ 
/ / __/ /| | / /|_/ / __/ 
/ /_/ / ___ |/ / / / /___ 
\____/_/ _|_/_/__/_/_____/ __ 
/ ___// / / / ____/ / / / 
\__ \/ /_/ / __/ / / / / 
___/ / __ / /___/ /___/ /___
/____/_/ /_/_____/_____/_____/
EOF
cat > inspircd.conf <<'EOF'
<define name="bindip" value="*">
<define name="localips" value="&bindip;/24">
<server name="shadownet.irc.shadowsword.tk" description="Dimension Engineering Operations Terminal" network="Omega">
<admin name="shadowsword#0179" nick="cpi" email="firstname.lastname@example.org">
<module name="ssl_openssl">
<bind address="*" port="6697" type="clients" ssl="openssl" defer="0" free="no">
<sslprofile name="openssl" provider="openssl" cafile="/certs/fullchain.pem" certfile="/certs/fullchain.pem" ciphers="DEFAULT" compression="no" dhfile="/certs/dhparams.pem" ecdhcurve="prime256v1" hash="sha256" keyfile="/certs/privkey.pem" renegotiation="no" requestclientcert="yes" tlsv1="no" tlsv11="yes" tlsv12="yes">
<bind address="*" port="6660-6669" type="clients">
<connect deny="3ffe::0/32" reason="The 6bone address space is deprecated">
<connect name="main" allow="*" maxchans="20" timeout="20" pingfreq="2m" hardsendq="1M" softsendq="10240" recvq="10K" threshold="10" commandrate="1000" fakelag="on" localmax="3" globalmax="3" resolvehostnames="yes" useident="no" limit="5000" modes="+x">
<cidr ipv4clone="32" ipv6clone="128">
<files motd="motd.txt">
<dns timeout="5">
<maxlist chan="*" limit="100">
<options prefixquit="DISCONNECTION: " suffixquit="" prefixpart="&quot;" suffixpart="&quot;" syntaxhints="no" casemapping="ascii" cyclehostsfromuser="no" announcets="yes" allowmismatch="no" defaultbind="auto" hostintopic="yes" pingwarning="15" serverpingfreq="1m" splitwhois="no" defaultmodes="not" xlinemessage="You're banned! Email email@example.com with the ERROR line below for help." allowzerolimit="no" modesinlist="no" exemptchanops="censor:o filter:o nickflood:o nonick:v regmoderated:o" invitebypassmodes="yes" nosnoticestack="no">
<performance netbuffersize="10240" somaxconn="128" softlimit="12800" clonesonconnect="yes" timeskipwarn="2s" quietbursts="yes">
<security allowcoreunload="no" announceinvites="dynamic" hideulines="no" flatlinks="no" hidebans="no" hidekills="" hideulinekills="yes" hidesplits="no" maxtargets="20" customversion="" restrictbannedusers="yes" genericoper="no" userstats="Pu">
<limits maxnick="30" maxchan="64" maxmodes="20" maxident="10" maxhost="64" maxquit="255" maxtopic="307" maxkick="255" maxreal="128" maxaway="200">
<log method="file" type="* -USERINPUT -USEROUTPUT" level="default" target="ircd.log">
<whowas groupsize="10" maxgroups="100000" maxkeep="5d">
<badip ipmask="192.0.2.69" reason="No porn here thanks.">
<badnick nick="ChanServ" reason="Reserved for a network service">
<badhost host="*@banneduser.example.net" reason="Evading Bans">
<badhost host="root@*" reason="Don't IRC as root!">
<badhost host="*@198.51.100.0/24" reason="This subnet is bad.">
<exception host="*@localhost" reason="Oper's hostname">
<insane hostmasks="no" ipmasks="no" nickmasks="no" trigger="95.5">
<include file="opers.conf">
EOF
cat > opers.conf <<'EOF'
<class name="Shutdown" commands="DIE RESTART REHASH LOADMODULE UNLOADMODULE RELOADMODULE GLOADMODULE GUNLOADMODULE GRELOADMODULE" privs="users/auspex channels/auspex servers/auspex users/mass-message users/flood/no-throttle users/flood/increased-buffers" usermodes="*" chanmodes="*" snomasks="*">
<class name="SACommands" commands="SAJOIN SAPART SANICK SAQUIT SATOPIC SAKICK SAMODE OJOIN">
<class name="ServerLink" commands="CONNECT SQUIT RCONNECT RSQUIT MKPASSWD ALLTIME SWHOIS LOCKSERV UNLOCKSERV" usermodes="*" chanmodes="*" privs="servers/auspex" snomasks="Cc">
<class name="BanControl" commands="KILL GLINE KLINE ZLINE QLINE ELINE TLINE RLINE CHECK NICKLOCK NICKUNLOCK SHUN CLONES CBAN" usermodes="*" chanmodes="*" snomasks="Xx">
<class name="OperChat" commands="WALLOPS GLOBOPS" usermodes="*" chanmodes="*" privs="users/mass-message" snomasks="Gg">
<class name="HostCloak" commands="SETHOST SETIDENT SETIDLE CHGNAME CHGHOST CHGIDENT" usermodes="*" chanmodes="*" privs="users/auspex">
<type name="NetAdmin" classes="SACommands OperChat BanControl HostCloak Shutdown ServerLink" vhost="netadmin.shadowsword.tk" maxchans="60" modes="+s +cCqQ">
<type name="GlobalOp" classes="SACommands OperChat BanControl HostCloak ServerLink" vhost="serverop.omega.shadowsword.tk">
<type name="Helper" classes="HostCloak" vhost="helper.omega.example.org">
# CHANGE THIS PASSWORD before you go live; /MKPASSWD gives you a hashed form to use with hash="..."
<oper name="Shadow" password="oper" host="*@localhost *@clockworkpi *@DEOT *@2001:db8::/32" type="NetAdmin">
EOF
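An added example (not from the original guide, and not an InspIRCd tool) that checks the finished inspircd.conf and opers.conf for the weak spots called out above: TLS 1.0/1.1 still allowed, a client listener without ssl=, ssl="openssl" on a bind without the ssl_openssl module loaded, and an oper password that is unhashed or trivial. It is plain grep/sed over the InspIRCd 3 tag syntax and assumes one <tag key="value" ...> per line; an absent tlsv1/tlsv11 attribute is treated as a finding, so set them explicitly.

```shell
#!/bin/sh
# Added example, not part of the original guide: flag the weak settings that
# are easy to leave in the inspircd.conf / opers.conf written above.
# Assumes InspIRCd 3 syntax with one <tag key="value" ...> per line, and that
# an absent tlsv1/tlsv11 attribute should count as a finding (set it
# explicitly). Findings go to stderr; the count goes to stdout.
set -u

FINDINGS=0
warn() { echo "WARN: $1" >&2; FINDINGS=$((FINDINGS + 1)); }

# tag_attr FILE TAG ATTR: value of ATTR on the first <TAG ...> line in FILE
tag_attr() {
    sed -n "s/.*<$2 [^>]*[[:space:]]$3=\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# audit_inspircd CONF OPERS: prints the number of findings, exit status 1 if any
audit_inspircd() {
    conf="$1"; opers="$2"; FINDINGS=0

    [ "$(tag_attr "$conf" sslprofile tlsv1)" = no ]  || warn "sslprofile does not disable TLS 1.0"
    [ "$(tag_attr "$conf" sslprofile tlsv11)" = no ] || warn "sslprofile does not disable TLS 1.1"

    # a client <bind> without ssl="..." is a plaintext listener (IRC passwords in the clear)
    if grep -E '<bind [^>]*type="clients"' "$conf" | grep -vq ' ssl="'; then
        warn "plaintext client listener in $conf"
    fi

    # ssl="openssl" on a bind does nothing unless the module is actually loaded
    if grep -q ' ssl="openssl"' "$conf" && ! grep -q '<module name="ssl_openssl">' "$conf"; then
        warn "bind uses ssl=\"openssl\" but <module name=\"ssl_openssl\"> is not loaded"
    fi

    # <oper> without hash="..." keeps the password in the clear on disk
    if grep -E '<oper ' "$opers" | grep -vq ' hash="'; then
        warn "oper password stored unhashed in $opers"
    fi

    # trivial passwords that anyone who has read a guide like this one will try first
    if grep -Eq '<oper [^>]*password="(oper|password|admin|cpi)"' "$opers"; then
        warn "trivial oper password in $opers"
    fi

    echo "$FINDINGS"
    [ "$FINDINGS" -eq 0 ]
}

# usage: sh audit-inspircd.sh /home/cpi/inspircd/run/conf/inspircd.conf /home/cpi/inspircd/run/conf/opers.conf
if [ $# -eq 2 ]; then audit_inspircd "$1" "$2"; fi
```

Run it against run/conf before the first start and again after every rehash-worthy edit; it exits non-zero when there is anything to fix, so it can sit in front of the 03_IRC_ON launcher script.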
- Let's add some custom utilities to the launcher. We can then access these later if we need to do something fast. Edit or append as needed. I've commented out 01_APON because I decided I want the system to enable our virtual access point interface from rc.local.
EDIT: These instructions may lead to errors that might require a reflash. PROCEED WITH CAUTION! I have yet to figure out the EXACT CAUSE of what makes this fail. Please see https://github.com/clockworkpi/launcher/issues/329, which is why I believe I've isolated the cause of the problem to these lines.
mkdir /home/cpi/apps/Menu/60_Utils/12_Xtra
cd /home/cpi/apps/Menu/60_Utils/12_Xtra
printf '%s\n' '#!/bin/bash' '#sudo iw phy phy0 interface add wlan1 type __ap' '#sudo systemctl start dnsmasq; sudo systemctl start hostapd' > 01_APON.sh
printf '%s\n' '#!/bin/bash' 'sudo systemctl stop hostapd; sudo systemctl stop dnsmasq' > 02_APOFF.sh
printf '%s\n' '#!/bin/bash' '/home/cpi/inspircd/run/inspircd restart' > 03_IRC_ON.sh
printf '%s\n' '#!/bin/bash' '/home/cpi/inspircd/run/inspircd stop' > 04_IRC_OFF.sh
printf '%s\n' '#!/bin/bash' 'sudo iw wlan0 set power_save off' > 05_WIFI_PS_DISABLE.sh
chmod 555 *
cd /home/cpi
- Compiling. Please see http://www.linuxfromscratch.org/blfs/view/svn/postlfs/iptables.html and http://www.linuxfromscratch.org/blfs/view/svn/basicnet/bridge-utils.html - that is not an all-inclusive list of what I enabled in menuconfig, but if you are going the compiling route then I highly recommend that you put in the extra time to enable what you need or think you might need. IP masquerading is one of those modules I also enabled before compiling. The link to the kernel is in the introduction.
Note that the Linaro toolchain below is an x86_64 host build: these commands are for cross-compiling on a PC, not on the Gameshell itself. To build natively on the device, skip the toolchain and drop the CROSS_COMPILE= part (build-essential was installed above; expect it to take many hours). mkimage comes from the u-boot-tools package on whichever machine you build on. Anything you select as a module (=m) rather than built-in (=y) would also need make modules_install onto the root filesystem, which this guide does not cover, so build the netfilter and bridge options in.
cd /xcompile   # the compile folder created earlier
wget https://releases.linaro.org/components/toolchain/binaries/7.2-2017.11/arm-linux-gnueabihf/gcc-linaro-7.2.1-2017.11-x86_64_arm-linux-gnueabihf.tar.xz
tar -xvf gcc-linaro-7.2.1-2017.11-x86_64_arm-linux-gnueabihf.tar.xz
rm gcc-linaro-7.2.1-2017.11-x86_64_arm-linux-gnueabihf.tar.xz
echo 'export PATH="/xcompile/gcc-linaro-7.2.1-2017.11-x86_64_arm-linux-gnueabihf/bin:$PATH"' >> /home/cpi/.bashrc
cd /home/cpi
git clone https://github.com/asypost/clockwork-pi3-kernel
cd clockwork-pi3-kernel
#cp ./arch/arm/configs/clockworkpi_cpi3_defconfig .config
make -j5 ARCH=arm CROSS_COMPILE=arm-linux-gnueabihf- menuconfig
make -j5 ARCH=arm CROSS_COMPILE=arm-linux-gnueabihf-
mkimage -A arm -O linux -T kernel -C none -a 0x40008000 -e 0x40008000 -n "Linux kernel" -d arch/arm/boot/zImage uImage
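Before spending hours on the build, it is worth confirming that the .config really contains what the iptables, masquerading and bridge steps later on depend on. The check below is an added example, not from the original guide; the option list is my assumption, drawn from the BLFS pages cited above for a 5.4 kernel (CONFIG_IP_NF_TARGET_MASQUERADE is the compat name that selects CONFIG_NETFILTER_XT_TARGET_MASQUERADE there), so adjust it to what menuconfig shows for your tree.

```shell
#!/bin/sh
# Added example, not part of the original guide: check a kernel .config for
# the options the AP/NAT/bridge steps need before running make. The list is an
# assumption based on the BLFS iptables and bridge-utils pages for a 5.4 tree;
# adjust it to your kernel. Everything is expected built in (=y), because the
# guide only copies uImage and never installs modules.
set -u

REQUIRED_KCONFIG="
CONFIG_BRIDGE
CONFIG_NETFILTER
CONFIG_NF_CONNTRACK
CONFIG_NF_NAT
CONFIG_IP_NF_IPTABLES
CONFIG_IP_NF_FILTER
CONFIG_IP_NF_NAT
CONFIG_IP_NF_TARGET_MASQUERADE
CONFIG_NETFILTER_XT_TARGET_MASQUERADE
CONFIG_NETFILTER_XT_MATCH_CONNTRACK
CONFIG_CFG80211
CONFIG_MAC80211
"

# kconfig_state CONFIG_FILE OPTION: prints y, m, n (explicitly unset) or "missing"
kconfig_state() {
    v=$(sed -n "s/^$2=\(.*\)$/\1/p" "$1")
    if [ -n "$v" ]; then echo "$v"
    elif grep -q "^# $2 is not set" "$1"; then echo n
    else echo missing
    fi
}

# check_kconfig CONFIG_FILE [OPTION...]: report every option that is not =y;
# the exit status is the number of problems, so a build script can stop early.
check_kconfig() {
    cfg="$1"; shift
    [ $# -gt 0 ] || set -- $REQUIRED_KCONFIG
    bad=0
    for opt in "$@"; do
        st=$(kconfig_state "$cfg" "$opt")
        case "$st" in
            y) ;;
            m) echo "$opt=m (needs make modules_install, or set it to y)"; bad=$((bad + 1)) ;;
            *) echo "$opt is $st"; bad=$((bad + 1)) ;;
        esac
    done
    return $bad
}

# usage: sh check-kconfig.sh /home/cpi/clockwork-pi3-kernel/.config
if [ $# -ge 1 ]; then check_kconfig "$@"; fi
```

Run it right after menuconfig and again on the running device against /proc/config.gz (zcat /proc/config.gz > /tmp/config, if CONFIG_IKCONFIG_PROC is on) to confirm the kernel you booted is the one you built.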
Copy the kernel to the mount point:
sudo cp /mnt/boot/uImage /mnt/boot/uImage.bak
sudo cp uImage /mnt/boot/uImage
Reboot your device! Update, upgrade, and we’ll continue with configuring our access point.
We don't have a second wireless interface on the device by default, so we're going to add a virtual one (wlan1, in AP mode) on the same radio as wlan0 and hand out addresses from 10.10.0.0/24 on it. Two caveats: the wifi driver has to support running a station and an AP on the same phy at the same time, and both then sit on the same channel, so the channel=7 below has to match whatever network wlan0 is connected to (hostapd typically refuses to start otherwise). In the predefined configuration below, we'll be using 10.10.0.XX as our network.
# set a static IP for wlan1 (append; don't clobber the existing dhcpcd.conf)
echo 'interface wlan1' >>/etc/dhcpcd.conf
echo 'static ip_address=10.10.0.1/24' >>/etc/dhcpcd.conf
# only for the br0 bridge variant further down (br0 then carries the address); with the NAT setup this would stop dhcpcd from applying the static address above
#echo 'denyinterfaces wlan1' >>/etc/dhcpcd.conf
# configure DHCP and DNS for the AP side
mv /etc/dnsmasq.conf /etc/dnsmasq.conf.orig
echo 'interface=wlan1' >/etc/dnsmasq.conf
echo 'dhcp-range=10.10.0.10,10.10.0.128,255.255.255.0,24h' >>/etc/dnsmasq.conf
# and let's answer anything .cpi with the Gameshell's own AP address (127.0.0.1 here would point clients at themselves)
echo 'address=/.cpi/10.10.0.1' >>/etc/dnsmasq.conf
# configure hostapd
echo 'interface=wlan1' >/etc/hostapd/hostapd.conf
echo 'bridge=br0'>>/etc/hostapd/hostapd.conf   # remove this line if you use NAT rather than the br0 bridge
echo 'hw_mode=g'>>/etc/hostapd/hostapd.conf
# change as needed
echo 'channel=7'>>/etc/hostapd/hostapd.conf
echo 'wmm_enabled=0'>>/etc/hostapd/hostapd.conf
echo 'macaddr_acl=0'>>/etc/hostapd/hostapd.conf
echo 'auth_algs=1'>>/etc/hostapd/hostapd.conf
echo 'ignore_broadcast_ssid=0'>>/etc/hostapd/hostapd.conf
echo 'wpa=2'>>/etc/hostapd/hostapd.conf
echo 'wpa_key_mgmt=WPA-PSK'>>/etc/hostapd/hostapd.conf
echo 'wpa_pairwise=CCMP'>>/etc/hostapd/hostapd.conf   # TKIP is deprecated and breakable; use CCMP
echo 'rsn_pairwise=CCMP'>>/etc/hostapd/hostapd.conf
# the bits that matter: hostapd requires a passphrase of 8 to 63 characters, and whoever joins this SSID is on the inside of your NAT
echo 'ssid=shadownet'>>/etc/hostapd/hostapd.conf
echo 'wpa_passphrase=CHANGE-ME-to-a-long-passphrase'>>/etc/hostapd/hostapd.conf
# tell the init script where the conf is
echo 'DAEMON_CONF="/etc/hostapd/hostapd.conf"' >> /etc/default/hostapd
# enable IP forwarding (the key is ip_forward; apply it now as well as at boot)
echo 'net.ipv4.ip_forward=1' >>/etc/sysctl.conf
sysctl -p
# enable postrouting
iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
# try update-alternatives --config iptables if having issues
IMPORTANT! In the custom utilities step above we have the WIFI_PS_DISABLE script, which simply disables power saving on the wifi. You have the option of disabling this from rc.local or through the script. I would default to using the script to be on the safe side. Doing this may increase performance and stop the wifi from occasionally dropping.
iptables-save > /etc/iptables.ipv4.nat
Two things about rc.local: it runs as root, so the sudo prefixes are not needed, and Debian's default file ends with exit 0, so make sure these lines land before that (anything appended after it never runs). rc.local also runs late in the boot, so if hostapd and dnsmasq are enabled as units they may start before wlan1 exists; restarting them here, after the inter face is created, avoids that. InspIRCd refuses to start as root, so launch it as cpi.
echo 'iptables-restore < /etc/iptables.ipv4.nat' >>/etc/rc.local
# this bit here is not recommended
echo 'iw wlan0 set power_save off' >>/etc/rc.local
echo 'iw phy phy0 interface add wlan1 type __ap' >>/etc/rc.local
echo 'systemctl restart hostapd dnsmasq' >>/etc/rc.local
# We wanna make sure inspircd starts with the other services
echo 'runuser -u cpi -- /home/cpi/inspircd/run/inspircd start' >>/etc/rc.local
- Adding the bridge interface. More fruits of our labour in the kernel. Treat this as the alternative to the NAT/masquerade setup above rather than an addition to it: with a bridge, wlan1's clients sit on the same L2 segment as wlan0, the address belongs on br0 rather than wlan1, and your upstream router (not dnsmasq) hands out addresses. Bridging a station-mode interface such as wlan0 also needs driver support for 4-address (WDS) mode; most wifi drivers refuse it (brctl addif reports "Operation not supported"), in which case NAT is the way to go.
# add a bridge
sudo brctl addbr br0
# bridge wlan0
sudo brctl addif br0 wlan0
Check to see what's already in /etc/network/interfaces before applying the below:
echo 'auto br0' >>/etc/network/interfaces
echo 'iface br0 inet manual' >>/etc/network/interfaces
echo 'bridge_ports wlan0 wlan1' >>/etc/network/interfaces
You might want to double-check your hostname and resolv.conf.
- Reboot your device!!
Check kern.log and dmesg, and ensure that hostapd, dnsmasq, inspircd, and apache2 all started correctly (systemctl status hostapd dnsmasq apache2 and journalctl -u hostapd tell you why a unit failed; inspircd writes to the ircd.log named in its <log> tag). From a client on the new SSID, confirm it got a 10.10.0.x address, that something.cpi resolves to 10.10.0.1, and that it can reach the internet through wlan0.
There are multiple ways of doing things; all in all I think that, followed through from start to finish, it's a neat little project, and I have to say that I learned a lot about the ins and outs of the Clockworkpi Gameshell just tinkering and trying to do something nobody else seemingly has done with their device before. I know that I didn't talk a lot about apache2, but the focus of this was the initial setting up of a template/basis to work with. I built my first kernel… feels like something I should have been doing since my Backtrack 4 days.
and here is a snapshot of the fruits of our labour: