Untitled

a guest
Nov 17th, 2017
# Network Topology
I really like the Qubes philosophy, routing all the traffic through the SysNET domU. For this reason, I chose to install OPNsense as my network domain and route the whole traffic, including that of Dom0, through it. For this, I made the following Open vSwitch setup.

## Open vSwitch
Install Open vSwitch, if not already installed:
```shell
# on Debian/Ubuntu the package that ships ovs-vsctl is openvswitch-switch
sudo apt-get install openvswitch-switch
```

Create the two bridges:
```shell
sudo ovs-vsctl add-br ovsbr0
sudo ovs-vsctl add-br ovssec
```
The two bridges are for the two sides of the router: `ovssec` is the secure one, to which I will be attaching all my virtual machines, and `ovsbr0` is exposed to the outside world, so it is connected to the physical network interface:

```shell
sudo ovs-vsctl add-port ovsbr0 eth0
```
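The bridge setup above as an added shell example (not code from the original paste): it creates the two bridges in a re-runnable way and adds the check a defender wants after the fact, namely that no physical NIC has ended up on the secure bridge, since a NIC on `ovssec` would let LAN guests reach the outside world without passing through the OPNsense domU. Bridge and interface names follow the paste; the `ovs-vsctl list-ports` outputs used for the offline run are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original paste: idempotent setup of the two
# bridges and a check that the secure bridge carries no physical NIC.
# Names mirror the paste (ovsbr0 = WAN, ovssec = LAN, eth0 = uplink).

WAN_BRIDGE="ovsbr0"
SEC_BRIDGE="ovssec"
UPLINK="eth0"

# setup_bridges: create both bridges and attach the uplink to the WAN side.
# --may-exist makes every command safe to re-run; a plain add-br/add-port
# on an existing bridge or port fails and would abort a script.
setup_bridges() {
    sudo ovs-vsctl --may-exist add-br "$WAN_BRIDGE"
    sudo ovs-vsctl --may-exist add-br "$SEC_BRIDGE"
    sudo ovs-vsctl --may-exist add-port "$WAN_BRIDGE" "$UPLINK"
}

# check_secure_bridge_isolation PORTS NIC...
#   PORTS is the output of `ovs-vsctl list-ports <secure bridge>` (one port
#   per line); NIC... are the host's physical interfaces. Returns 0 when none
#   of them is on the secure bridge, 1 (naming the offender) otherwise.
check_secure_bridge_isolation() {
    ports="$1"
    shift
    for nic in "$@"; do
        if printf '%s\n' "$ports" | grep -qxF "$nic"; then
            echo "ERROR: physical NIC $nic is attached to the secure bridge" >&2
            return 1
        fi
    done
    return 0
}

# check_uplink_attached PORTS NIC: returns 0 if NIC appears in PORTS (the
# port list of the WAN bridge), 1 otherwise.
check_uplink_attached() {
    printf '%s\n' "$1" | grep -qxF "$2"
}

# Constructed sample port lists (not captured from a real host) so the
# checks can be exercised offline. Xen names guest ports vif<domid>.<devid>.
SAMPLE_SEC_OK="vif1.1
vif2.0"
SAMPLE_SEC_BAD="vif1.1
eth0"
SAMPLE_WAN="eth0
vif1.0"

check_secure_bridge_isolation "$SAMPLE_SEC_OK" "$UPLINK" \
    && echo "sample 1: secure bridge is isolated"
check_secure_bridge_isolation "$SAMPLE_SEC_BAD" "$UPLINK" \
    || echo "sample 2: secure bridge is NOT isolated (expected for this sample)"
check_uplink_attached "$SAMPLE_WAN" "$UPLINK" \
    && echo "sample 3: uplink is on the WAN bridge"

# On the real Dom0, after setup_bridges, run the checks on live data:
#   check_secure_bridge_isolation "$(sudo ovs-vsctl list-ports ovssec)" eth0
#   check_uplink_attached "$(sudo ovs-vsctl list-ports ovsbr0)" eth0
```

The checks are kept separate from the `ovs-vsctl` calls so they can be run on a saved `list-ports` output (for example from a cron job or a pre-boot hook) without needing root.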

# XL CFG file

```python
# This configures an HVM rather than PV guest
builder = "hvm"

# Guest name
name = "router"

# Initial memory allocation (MB)
memory = 2048

# Number of VCPUs
vcpus = 2

# Two network devices, attached by the vif-openvswitch script to
# ovsbr0: WAN
# ovssec: LAN
vif = [ 'script=vif-openvswitch,bridge=ovsbr0'
      , 'script=vif-openvswitch,bridge=ovssec'
      ]

# Disk devices
disk = [ '/mnt/xen/disks/opnsense.qcow2,qcow2,xvda,rw'
       # the following line (the installer ISO) can be commented out after the installation is finished
       , '/opt/iso/OPNsense-17.7.5-OpenSSL-dvd-amd64.iso,raw,xvdc,devtype=cdrom,r'
       ]

# PCI device passthrough to the guest, disabled here
#pci = [ '0000:02:00.0' ]

# Guest VGA console configuration, either SDL or VNC
#sdl = 1
#vnc = 1

# SPICE console instead of SDL/VNC
spice=1
# 0.0.0.0 listens on every interface of Dom0; together with
# spicedisable_ticketing=1 below, anyone who can reach TCP port 6001 on
# Dom0 gets the router's console without a password. Bind to 127.0.0.1
# or set spicepasswd to restrict that.
spicehost='0.0.0.0'
spiceport=6001
## spicedisable_ticketing=1 means no SPICE password; to require one, set spicepasswd instead
spicedisable_ticketing=1
#spicepasswd="test"
spicevdagent=1
spice_clipboard_sharing=1
## this will automatically redirect up to 4 USB devices from the SPICE client to the domU
spiceusbredirection=4
```
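An added lint for the config above (example code, not from the original paste): it reads the one-line `key = value` assignments and flags three things a reviewer would check before the router goes live: a SPICE console bound to 0.0.0.0 with ticketing disabled, an installer ISO still attached (the page notes it can be removed after installation), and a missing vif on either bridge. The two sample configs are constructed, reduced copies of the one above; the `ovsbr0`/`ovssec` names and the `devtype=cdrom` marker are the ones this page uses.

```shell
#!/bin/sh
# Added example, not from the original paste: a small lint for the xl config
# above. It reads one-line `key = value` assignments and flags settings a
# reviewer would question before the router goes into service.

# cfg_get FILE KEY: print KEY's value with quotes and trailing comment
# stripped, or nothing if KEY is not set. Commented-out lines are ignored.
cfg_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | head -n 1 | sed "s/[[:space:]]*#.*//; s/^['\"]//; s/['\"]\$//"
}

# lint_xl_cfg FILE: print one WARN line per finding; the return value is the
# number of findings (0 = clean).
lint_xl_cfg() {
    cfg="$1"
    findings=0

    # SPICE bound to every interface with ticketing disabled means anyone who
    # can reach Dom0 on the SPICE port gets the router console, no password.
    if [ "$(cfg_get "$cfg" spice)" = "1" ] \
        && [ "$(cfg_get "$cfg" spicehost)" = "0.0.0.0" ] \
        && [ "$(cfg_get "$cfg" spicedisable_ticketing)" = "1" ]; then
        echo "WARN: SPICE console on 0.0.0.0 with spicedisable_ticketing=1 (no password)"
        findings=$((findings + 1))
    fi

    # Installer ISO still attached; the page says to drop it after installing.
    # The pattern skips lines whose first non-blank character is '#'.
    if grep -q '^[[:space:]]*[^#[:space:]].*devtype=cdrom' "$cfg"; then
        echo "WARN: installer ISO still attached (devtype=cdrom)"
        findings=$((findings + 1))
    fi

    # The router needs a vif on both bridges to sit between WAN and LAN.
    for br in ovsbr0 ovssec; do
        if ! grep -q "^[[:space:]]*[^#[:space:]].*bridge=$br" "$cfg"; then
            echo "WARN: no vif on bridge $br"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Constructed sample configs (reduced copies of the one above) for an
# offline run: the first as posted, the second with the two issues fixed.
SAMPLE_CFG=$(mktemp)
SAMPLE_CFG_FIXED=$(mktemp)
trap 'rm -f "$SAMPLE_CFG" "$SAMPLE_CFG_FIXED"' EXIT

cat > "$SAMPLE_CFG" <<'EOF'
builder = "hvm"
name = "router"
memory = 2048
vif = [ 'script=vif-openvswitch,bridge=ovsbr0'
      , 'script=vif-openvswitch,bridge=ovssec'
      ]
disk = [ '/mnt/xen/disks/opnsense.qcow2,qcow2,xvda,rw'
       , '/opt/iso/OPNsense-17.7.5-OpenSSL-dvd-amd64.iso,raw,xvdc,devtype=cdrom,r'
       ]
spice=1
spicehost='0.0.0.0'
spiceport=6001
spicedisable_ticketing=1
EOF

cat > "$SAMPLE_CFG_FIXED" <<'EOF'
builder = "hvm"
name = "router"
memory = 2048
vif = [ 'script=vif-openvswitch,bridge=ovsbr0'
      , 'script=vif-openvswitch,bridge=ovssec'
      ]
disk = [ '/mnt/xen/disks/opnsense.qcow2,qcow2,xvda,rw'
       # , '/opt/iso/OPNsense-17.7.5-OpenSSL-dvd-amd64.iso,raw,xvdc,devtype=cdrom,r'
       ]
spice=1
spicehost='127.0.0.1'   # console reachable only from Dom0 itself
spiceport=6001
spicedisable_ticketing=0
spicepasswd="replace-me"
EOF

echo "== as posted =="
lint_xl_cfg "$SAMPLE_CFG" || echo "findings: $?"
echo "== fixed =="
lint_xl_cfg "$SAMPLE_CFG_FIXED" && echo "findings: 0"
```

Run it as `lint_xl_cfg /etc/xen/opnsense.cfg` on Dom0; a non-zero return value makes it easy to wire into a pre-start check in `/etc/xen/auto` handling or a shell alias.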


# Installation
Start the image using
```shell
sudo xl create /etc/xen/opnsense.cfg
```
and go through the installation steps. Configure (assign) the interfaces. You might want to enable DHCP on the LAN interface, so that OPNsense assigns IP addresses automatically to all machines connected to `ovssec`.

In order to check the connectivity through the new router, switch to Dom0 and request a lease on the bridge's own interface (Open vSwitch exposes each bridge as a network interface in Dom0):
```shell
sudo dhclient ovssec
```
If you get an IP address, then the DHCP server on the router is working.
```shell
ping google.com
wget google.com
```
# Auto-Start
As I am using OPNsense for networking, I need it to be auto-started. For this, move the `opnsense.cfg` file into the folder `/etc/xen/auto`. You might need to create the folder.