corp.ecal network site server config
- Download the latest version of Raspbian Lite from the Raspberry Pi Foundation website.
- Write it to an SD card using Etcher.
- Create a blank file on the card called `ssh` to enable headless SSH access.
- Sign in with the default credentials: `pi:raspberry`.
- Change the default pi user password with `passwd`.
- Update the package list with `sudo apt-get update`.
- Process any available updates with `sudo apt-get upgrade`.
- Finalise any updates with `sudo dpkg --configure -a`.

- Open raspi-config with `sudo raspi-config`.
- Enter a new hostname in Network options > Change hostname.
- Change the memory allocation in Advanced options > Memory split.
- Expand the file system in Advanced options > Expand filesystem.
- Reboot with `sudo reboot`.

- Make a new directory to keep things tidy with `mkdir cloudflare`.
- Enter the new directory with `cd cloudflare`.
- Download the setup script with `wget https://git.io/JeseG -O lwp-cloudflare-dyndns.sh`.
- Replace `email@example.com` on line 8 with the Cloudflare account email address.
- Replace `global_api_key_goes_here` on line 9 with the global API key, available under Cloudflare account settings.
- Replace `example.com` on line 10 with the root domain to be used.
- Replace `home.example.com` on line 11 with the domain or subdomain to be updated.
- Save the file.
- Make the file executable with `chmod +x lwp-cloudflare-dyndns.sh`.
- Run the file with `sudo sh lwp-cloudflare-dyndns.sh`. The IP will be updated and three new files should be generated.
- Start setting up a cron job to automate the updating with `crontab -e`, then choose a text editor.
- Add a new line to the bottom of the crontab file (changing the timing stars as appropriate; the line below runs every five minutes):
  `*/5 * * * * /bin/bash /home/pi/cloudflare/lwp-cloudflare-dyndns.sh`
- Reload the cron service so the new job is picked up with `sudo service cron reload`.

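The downloaded script stores the account's global API key in plaintext on line 9, so anyone able to read that file can manage every zone in the account. The following is an added example, not the page's `lwp-cloudflare-dyndns.sh` and not code from the script's author: a POSIX shell updater that reads a scoped API token (Zone / DNS / Edit is enough) from a separate config file that must be mode 600, looks up the zone and record IDs through the Cloudflare v4 API, and only sends a PUT when the public address has actually changed. Assumptions of mine: `curl` and `jq` are installed, the config path `~/cloudflare/dyndns.conf` and its variables `CF_API_TOKEN`, `ZONE_NAME` and `RECORD_NAME` are names I chose, and the public address is read from Cloudflare's `cdn-cgi/trace` endpoint.

```shell
#!/bin/sh
# Added example (not the page's lwp-cloudflare-dyndns.sh): Cloudflare dynamic DNS
# update using a scoped API token kept in a separate mode-600 config file.
# Assumed: curl and jq installed; the config defines CF_API_TOKEN, ZONE_NAME, RECORD_NAME.
set -eu

CONF="${DYNDNS_CONF:-${HOME:-/home/pi}/cloudflare/dyndns.conf}"   # assumed location
CF_API="https://api.cloudflare.com/client/v4"
TRACE_URL="https://1.1.1.1/cdn-cgi/trace"   # returns key=value lines, one of them ip=

# Return 0 only for a dotted-quad IPv4 address whose octets are all 0-255.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(printf '%s' "$1" | tr '.' ' '); do
        [ "$o" -le 255 ] || return 1
    done
}

# Extract the address from a cdn-cgi/trace response read on stdin.
trace_ip() {
    sed -n 's/^ip=//p' | head -n 1
}

# 0 when the DNS record differs from the current public address (update needed).
needs_update() {   # $1 = public address, $2 = address currently in DNS
    [ "$1" != "$2" ]
}

# JSON body for PUT /zones/{zone_id}/dns_records/{record_id}.
update_body() {    # $1 = record name, $2 = address, $3 = TTL in seconds
    printf '{"type":"A","name":"%s","content":"%s","ttl":%s,"proxied":false}' "$1" "$2" "$3"
}

# Refuse to use a token file that anyone but its owner can read.
check_conf_mode() {   # $1 = config path
    mode=$(stat -c '%a' "$1") || return 1
    [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

cf_get() {   # $1 = API path
    curl -sS -H "Authorization: Bearer $CF_API_TOKEN" \
        -H "Content-Type: application/json" "$CF_API$1"
}

cf_put() {   # $1 = API path, $2 = JSON body
    curl -sS -X PUT -H "Authorization: Bearer $CF_API_TOKEN" \
        -H "Content-Type: application/json" --data "$2" "$CF_API$1"
}

main() {
    check_conf_mode "$CONF" || { echo "refusing to run: $CONF must be mode 600" >&2; exit 1; }
    . "$CONF"
    pub=$(curl -sS "$TRACE_URL" | trace_ip)
    is_ipv4 "$pub" || { echo "could not determine public IPv4 address" >&2; exit 1; }
    zone_id=$(cf_get "/zones?name=$ZONE_NAME" | jq -er '.result[0].id')
    rec=$(cf_get "/zones/$zone_id/dns_records?type=A&name=$RECORD_NAME")
    rec_id=$(printf '%s' "$rec" | jq -er '.result[0].id')
    rec_ip=$(printf '%s' "$rec" | jq -er '.result[0].content')
    if needs_update "$pub" "$rec_ip"; then
        cf_put "/zones/$zone_id/dns_records/$rec_id" "$(update_body "$RECORD_NAME" "$pub" 120)" \
            | jq -e '.success' >/dev/null
        logger -t dyndns "updated $RECORD_NAME: $rec_ip -> $pub"
    fi
}

# The network part only runs when invoked as "dyndns.sh run", so the functions
# above can also be sourced and checked without network access.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Run it from cron as `*/5 * * * * /home/pi/cloudflare/dyndns.sh run` (path assumed); the `logger` line gives a syslog trail of every change, which is the first thing to look at when a record points somewhere unexpected.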
- Start the Pi-hole installer with `curl -sSL https://install.pi-hole.net | bash`.
- Follow the Pi-hole installer.
- Once the installer's finished, reset the admin password for Pi-hole with `pihole -a -p`.
- Finish setting up Pi-hole via the web interface.
- Change the interfaces Pi-hole listens on (via Settings > DNS > Interface listening behaviour) to 'Listen on all interfaces'.
- Reboot with `sudo reboot`.

- Make a new directory to keep things tidy with `mkdir vpn`.
- Download the VPN setup script with `wget https://git.io/Jesec -O vpn/vpnsetup.sh`.
- Replace `your pre shared key` on line 27 with your chosen shared secret.
- Replace `your.user.name` on line 28 with your first user's username.
- Replace `your password` on line 29 with your first user's password.
- Run the installer with `sudo sh vpn/vpnsetup.sh`.
- Open `/etc/iptables.rules` and add the following lines to the end (replacing `172.16.0.0/16` with the IP range and subnet for your network):

  ```
  # For IPsec/L2TP
  iptables -I FORWARD 2 -i ppp+ -d 172.16.0.0/16 -j ACCEPT
  iptables -I FORWARD 2 -s 172.16.0.0/16 -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  # For IPsec/XAuth ("Cisco IPsec")
  iptables -I FORWARD 2 -s 192.168.43.0/24 -d 172.16.0.0/16 -j ACCEPT
  iptables -I FORWARD 2 -s 172.16.0.0/16 -d 192.168.43.0/24 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  ```

- Reboot with `sudo reboot`.

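Pasting the four `iptables -I` lines in by hand means every extra run (or a second boot script) inserts a second copy of each rule, which makes the chain hard to audit. The script below is an added example, not part of the page and not code from the VPN script's author: it generates the same four rule specs for a given LAN range and inserts each one at position 2 only if `iptables -C` reports it is absent. It assumes the layout the rules above use (L2TP clients on `ppp+` interfaces, XAuth clients from `192.168.43.0/24`) and takes the LAN CIDR as its first argument; the second argument of `apply_rules` exists only so a fake `iptables` can be substituted when checking the logic.

```shell
#!/bin/sh
# Added example (not part of the page or the VPN script): apply the four FORWARD
# rules above without creating duplicates on every re-run. Assumes L2TP clients
# arrive on ppp+ and XAuth clients come from 192.168.43.0/24, as in the rules above.
set -eu

XAUTH_NET="192.168.43.0/24"

# Accept only a.b.c.d/n with a prefix length of 0-32 (octet range is not checked here).
valid_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# Print the rule specs that follow "iptables -I FORWARD 2", one per line.
lan_forward_rules() {   # $1 = LAN CIDR
    lan=$1
    printf '%s\n' \
        "-i ppp+ -d $lan -j ACCEPT" \
        "-s $lan -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT" \
        "-s $XAUTH_NET -d $lan -j ACCEPT" \
        "-s $lan -d $XAUTH_NET -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
}

# Insert each rule at position 2 only if "iptables -C" says it is not already
# present, so the script is safe to run from boot scripts or repeatedly by hand.
apply_rules() {   # $1 = LAN CIDR, $2 = iptables command (default: iptables)
    ipt=${2:-iptables}
    lan_forward_rules "$1" | while IFS= read -r spec; do
        # $spec is deliberately unquoted so it splits into separate iptables arguments
        if $ipt -C FORWARD $spec 2>/dev/null; then
            echo "exists: $spec"
        else
            $ipt -I FORWARD 2 $spec
            echo "added: $spec"
        fi
    done
}

if [ $# -ge 1 ]; then
    valid_cidr "$1" || { echo "usage: $0 LAN_CIDR   (e.g. 172.16.0.0/16)" >&2; exit 2; }
    apply_rules "$1"
    iptables -S FORWARD   # show the resulting chain so the insert order can be checked
fi
```

`iptables -S FORWARD` at the end prints the chain in rule-spec form, so a re-run that reports only `exists:` lines and an unchanged listing confirms nothing was duplicated.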
- Install certbot with `sudo apt-get install certbot`.
- Run the installer in webroot mode with `sudo certbot certonly --webroot`.
- Follow the Certbot installer.
- Generate a combined certificate and private key file by running the following command (replacing `pihole.example.com` with the domain or subdomain to be used):

  ```
  sudo cat /etc/letsencrypt/live/pihole.example.com/privkey.pem \
    /etc/letsencrypt/live/pihole.example.com/cert.pem | \
    sudo tee /etc/letsencrypt/live/pihole.example.com/combined.pem
  ```

- Make sure the lighttpd user (www-data) can read the certificates with `sudo chown www-data -R /etc/letsencrypt/live`.
- Open `/etc/lighttpd/external.conf` and add the contents of https://git.io/JeseC to the end (replacing `pihole.example.com` with the domain or subdomain to be used).
- Restart the web server with `sudo service lighttpd restart`.
- Reboot with `sudo reboot`.

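Two things about the certificate steps are worth knowing as an operator: `combined.pem` is built by hand, so it goes stale after certbot's automatic renewal, and `chown www-data -R /etc/letsencrypt/live` makes the web server account the owner of every private key in the tree. The following is an added example, not the page's command and not certbot's own code: a certbot deploy hook that rebuilds `combined.pem` after each renewal and grants lighttpd read access through group ownership (`root:www-data`, mode 0640) instead. It relies on certbot setting `RENEWED_LINEAGE` to the lineage directory when it runs deploy hooks; the install path `/etc/letsencrypt/renewal-hooks/deploy/lighttpd-combined.sh` and the `COMBINED_GROUP` override are my choices.

```shell
#!/bin/sh
# Added example: certbot deploy hook that rebuilds combined.pem after every renewal
# and gives lighttpd read access via group ownership rather than making www-data
# the owner of /etc/letsencrypt/live. Assumed install path (make it executable):
#   /etc/letsencrypt/renewal-hooks/deploy/lighttpd-combined.sh
# certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/pihole.example.com).
set -eu

COMBINED_GROUP=${COMBINED_GROUP:-www-data}   # group lighttpd runs as on Raspbian

# Write privkey + cert into combined.pem inside the lineage directory.
# The file is created under umask 077 so the key is never world-readable, then
# relaxed to 0640 with the web server's group, and swapped in atomically.
build_combined() {   # $1 = lineage directory containing privkey.pem and cert.pem
    dir=$1
    [ -r "$dir/privkey.pem" ] && [ -r "$dir/cert.pem" ] || return 1
    tmp="$dir/combined.pem.tmp"
    (umask 077; cat "$dir/privkey.pem" "$dir/cert.pem" > "$tmp")
    chgrp "$COMBINED_GROUP" "$tmp"
    chmod 0640 "$tmp"
    mv -f "$tmp" "$dir/combined.pem"   # lighttpd never sees a half-written file
    printf '%s\n' "$dir/combined.pem"
}

# Octal mode of a file, used to verify the result.
file_mode() {   # $1 = path
    stat -c '%a' "$1"
}

# When certbot invokes the hook, rebuild the bundle and restart lighttpd,
# which only reads its certificate at startup.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    build_combined "$RENEWED_LINEAGE"
    service lighttpd restart
fi
```

Run `sudo certbot renew --dry-run` after installing the hook; certbot executes deploy hooks during a dry run, so the log shows whether the bundle was rebuilt and the restart succeeded.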
- Download the landing page template with `git clone https://git.io/JeseW /var/www/html`.
- Enter the web server root directory with `cd /var/www/html`.
- Delete the unnecessary readme with `sudo rm readme.md`.
- Open and make any relevant changes to `landing.php`.
- Choose an accent colour in `style.css`.

- Forward the following ports to the server via the router administration page:
  - TCP port 80 (HTTP)
  - TCP port 443 (HTTPS)
  - UDP port 500 (IPsec)
  - UDP port 4500 (IPsec)
- Test the forwarding and web server by attempting to access the landing page and Pi-hole admin page from an external network.

- Download the add-user script with `wget https://git.io/Jesel -O vpn/add_vpn_user.sh`.
- Run the script with `sudo sh vpn/add_vpn_user.sh 'username.to.add' 'new.password'`.

- Download the delete-user script with `wget https://git.io/Jese8 -O vpn/del_vpn_user.sh`.
- Run the script with `sudo sh vpn/del_vpn_user.sh 'username.to.delete'`.

- Open `/etc/ipsec.secrets` and change the listed key in quote marks.
- Restart the services with `service ipsec restart` and `service xl2tpd restart`.
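The user scripts above and the PSK change are the three account-maintenance tasks on this server, so here they are in one place as an added example, not the page's `add_vpn_user.sh` / `del_vpn_user.sh` and not code from their author. It assumes the file formats used by the widely deployed hwdsl2 setup-ipsec-vpn scripts, which I take the page's `vpnsetup.sh` to follow: `/etc/ppp/chap-secrets` lines of the form `"user" l2tpd "password" *` and a `%any  %any  : PSK "key"` line in `/etc/ipsec.secrets`. Only L2TP/IPsec accounts are handled (the XAuth password file is not touched), usernames are restricted to a safe character set, duplicate accounts are refused, files are rewritten in place so they keep their root-only mode, and the new PSK comes from the kernel RNG rather than a typed phrase. The `add`/`del`/`rotate-psk` subcommands are mine.

```shell
#!/bin/sh
# Added example (not the page's add_vpn_user.sh / del_vpn_user.sh): maintain
# L2TP/IPsec user accounts and rotate the IPsec pre-shared key. Assumed formats
# (hwdsl2-style):  "user" l2tpd "password" *   in /etc/ppp/chap-secrets
#                  %any  %any  : PSK "key"     in /etc/ipsec.secrets
set -eu

CHAP_SECRETS=/etc/ppp/chap-secrets
IPSEC_SECRETS=/etc/ipsec.secrets

# Print the usernames currently in a chap-secrets file, one per line.
list_chap_users() {   # $1 = chap-secrets path
    sed -n 's/^"\([^"]*\)" l2tpd .*/\1/p' "$1"
}

# Append a user; refuses unsafe names, quotes/spaces in the password, and duplicates.
add_chap_user() {   # $1 = chap-secrets path, $2 = username, $3 = password
    f=$1; u=$2; p=$3
    printf '%s\n' "$u" | grep -Eq '^[A-Za-z0-9._-]+$' || { echo "invalid username: $u" >&2; return 1; }
    case $p in
        *\"*|*' '*|'') echo "password must be non-empty, without quotes or spaces" >&2; return 1 ;;
    esac
    if list_chap_users "$f" | grep -qxF "$u"; then
        echo "user already exists: $u" >&2; return 1
    fi
    printf '"%s" l2tpd "%s" *\n' "$u" "$p" >> "$f"
}

# Remove a user's line, rewriting the file in place so it keeps its mode and owner.
del_chap_user() {   # $1 = chap-secrets path, $2 = username
    f=$1; u=$2
    list_chap_users "$f" | grep -qxF "$u" || { echo "no such user: $u" >&2; return 1; }
    esc=$(printf '%s' "$u" | sed 's/\./\\./g')        # dots are regex metacharacters
    tmp=$(mktemp)
    grep -v "^\"$esc\" l2tpd " "$f" > "$tmp" || true   # grep -v exits 1 when nothing remains
    cat "$tmp" > "$f"
    rm -f "$tmp"
}

# 32 random bytes from the kernel RNG as 64 hex characters.
new_psk() {
    od -An -tx1 -N 32 /dev/urandom | tr -d ' \n'
}

current_psk() {   # $1 = ipsec.secrets path
    sed -n 's/.*: PSK "\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Replace the quoted PSK; only hex keys are accepted so the sed pattern stays safe.
set_psk() {   # $1 = ipsec.secrets path, $2 = new key
    f=$1; k=$2
    printf '%s\n' "$k" | grep -Eq '^[0-9a-f]{32,}$' || { echo "key must be at least 32 hex characters" >&2; return 1; }
    grep -q ': PSK "' "$f" || { echo "no PSK line found in $f" >&2; return 1; }
    tmp=$(mktemp)
    sed "s/: PSK \"[^\"]*\"/: PSK \"$k\"/" "$f" > "$tmp"
    cat "$tmp" > "$f"
    rm -f "$tmp"
}

case ${1:-} in
    add)        add_chap_user "$CHAP_SECRETS" "$2" "$3" ;;   # pppd re-reads the file per connection
    del)        del_chap_user "$CHAP_SECRETS" "$2" ;;
    rotate-psk) k=$(new_psk); set_psk "$IPSEC_SECRETS" "$k"
                echo "new PSK (every client must be updated): $k"
                service ipsec restart && service xl2tpd restart ;;
    '')         ;;   # no action when sourced or run without arguments
    *)          echo "usage: $0 add USER PASS | del USER | rotate-psk" >&2; exit 2 ;;
esac
```

Rotating the PSK disconnects every client until it is reconfigured, so `rotate-psk` prints the new key once and restarts both daemons exactly as the manual step above does; adding or deleting a chap-secrets user needs no restart because pppd reads the file for each new connection.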