This guide is a quick step-by-step guide to how I implement public wifi access on Devuan. Earlier guides were based on Ubuntu, but I have become increasingly dissatisfied with systemd and have moved to Devuan for its sane init system choices and higher-quality packages. The end result is a graphical system using the KDE desktop, so that staff can graphically manage print queues and track wifi usage stats. This guide, however, is mostly command-line with no hand-holding.
Below are my local install notes for putting together a public access server on Devuan 4.0 Chimaera, providing print management and statistics for wifi users as well as library-provided gear.
You'll need to be pretty comfortable with Linux and the command line to replicate this. But it's really nothing too complicated. Basic steps needing no explanation for someone experienced in Linux are omitted. Using this guide, it takes me about 2 hours to set up a new machine from starting installation to full working order. These notes are for my benefit, but I hope you find it useful, too.
Edit /etc/apt/sources.list and comment out the "cdrom" repository so you are not bothered to put the memory stick back in, then run apt update.
    apt install vim ntp

Edit /etc/ntp.conf to add

    pool us.pool.ntp.org iburst

to the top of the list of servers already in there.

Edit /etc/ssh/sshd_config. Below the line

    #Banner none

enter

    Banner /etc/issue.net

Edit /etc/issue.net to give whatever notice your lawyers say is appropriate to people trying to log into your server. Ours is this:

    *******************************************************************************
    NOTICE TO USERS

    This computer system is the property of the Branch District Library. It is for authorized use only. Users (authorized or unauthorized) have no explicit or implicit expectation of privacy.

    Any or all uses of this system and all files on this system may be intercepted, monitored, recorded, copied, audited, inspected, and disclosed to authorized officials of law enforcement and government agencies. By using this system, the user consents to such interception, monitoring, recording, auditing, inspection, and disclosure at the discretion of the Branch District Library or other authorized officials of law enforcement or government agencies.

    Unauthorized or improper use of this system may result in civil and criminal penalties and administrative or disciplinary action, as appropriate. By continuing to use this system you indicate your awareness of and consent to these terms and conditions of use.

    LOG OFF IMMEDIATELY if you do not agree to the conditions stated in this notice.
    *******************************************************************************
Edit /etc/network/interfaces. Leave the entry for lo, and add the following for eth0 and eth1. If your eth0 subnet is 192.168.1.X, you'll need to change IP addresses in this tutorial accordingly to suit your situation. Your interfaces may also be labeled differently than ethX; they might be emX or something else. Use what makes sense.

    auto eth0
    iface eth0 inet static
        address 192.168.40.8
        netmask 255.255.255.0
        broadcast 192.168.40.255
        gateway 192.168.40.1
        dns-nameservers 66.231.32.25 66.231.32.26

    auto eth1
    iface eth1 inet static
        address 192.168.1.1
        netmask 255.255.255.0
        broadcast 192.168.1.255
        dns-nameservers 66.231.32.25 66.231.32.26
Install the DHCP server and back up the original config file:
    apt install isc-dhcp-server && \
    mv /etc/dhcp/dhcpd.conf /etc/dhcp/dhcpd.conf.bak
Edit /etc/dhcp/dhcpd.conf as needed, adding static address assignments for your library-provided public computers. If you are using this DHCP server to give addresses to all your public and staff computers, make sure all library computers are defined in this file. The file should look something like this:

    authoritative;
    default-lease-time 3600;
    max-lease-time 3600;
    ddns-update-style none;
    option routers 192.168.1.1;
    option domain-name-servers YOUR-DNS-SERVER-1,YOUR-DNS-SERVER-2;

    subnet [Subnet of eth0, just ending in .0] netmask 255.255.255.0 {
    }

    subnet 192.168.1.0 netmask 255.255.255.0 {
        range 192.168.1.100 192.168.1.254;   # desired public service IP address range
        host HOSTNAME-HERE {                 # one host block per static IP assignment
            hardware ethernet MAC-ADDRESS-USING-COLONS;
            fixed-address DESIRED-IP-ADDRESS-FOR-THIS-MACHINE;
        }
    }
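Once a few dozen host blocks accumulate it is easy to end up with two machines sharing a MAC (copy-and-paste), two sharing a fixed address, or a fixed address that sits inside the dynamic range, any of which produces address conflicts on the public network. The script below is an added example of mine, not part of the original guide: it walks a dhcpd.conf on stdin and reports those three mistakes before you restart the server. The sample config, its hostnames and MACs are all constructed for illustration; it assumes the range line comes before the host blocks, as it does in the file above.

```shell
#!/bin/sh
# Added example (not from the original guide): sanity-check host{} entries in a
# dhcpd.conf before restarting isc-dhcp-server.  Reports duplicate MACs,
# duplicate fixed-addresses, and fixed-addresses inside the dynamic range.

# Constructed sample with one deliberate mistake of each kind that matters:
# catalog-3 reuses catalog-1's MAC, and kiosk-1 sits inside the dynamic range.
SAMPLE_CONF=$(cat <<'EOF'
subnet 192.168.1.0 netmask 255.255.255.0 {
  range 192.168.1.100 192.168.1.254;   # dynamic range for wifi users
  host catalog-1 { hardware ethernet 00:11:22:33:44:55; fixed-address 192.168.1.10; }
  host catalog-2 { hardware ethernet 00:11:22:33:44:56; fixed-address 192.168.1.11; }
  host catalog-3 { hardware ethernet 00:11:22:33:44:55; fixed-address 192.168.1.12; }
  host kiosk-1   { hardware ethernet 00:11:22:33:44:60; fixed-address 192.168.1.150; }
}
EOF
)

# Reads a dhcpd.conf on stdin, prints one line per problem, exits 1 if any.
# Works on the token stream, so one-line and multi-line host blocks both parse.
check_dhcpd_conf() {
  awk '
    function ip2n(ip,  o) { split(ip, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
    { sub(/#.*/, ""); gsub(/[;{}]/, " ") }          # drop comments and punctuation
    {
      for (i = 1; i <= NF; i++) {
        if ($i == "host") host = $(i+1)
        else if ($i == "range") { lo = ip2n($(i+1)); hi = ip2n($(i+2)) }
        else if ($i == "ethernet") {
          mac = tolower($(i+1))
          if (mac in seenmac) { print "DUP-MAC " host " shares " mac " with " seenmac[mac]; bad++ }
          else seenmac[mac] = host
        } else if ($i == "fixed-address") {
          ip = $(i+1)
          if (ip in seenip) { print "DUP-IP " host " shares " ip " with " seenip[ip]; bad++ }
          else seenip[ip] = host
          if (lo && ip2n(ip) >= lo && ip2n(ip) <= hi) {
            print "IN-RANGE " host " fixed-address " ip " lies inside the dynamic range"; bad++
          }
        }
      }
    }
    END { exit bad ? 1 : 0 }
  '
}

# Stand-alone demo on the constructed sample; on a real box use:
#   check_dhcpd_conf < /etc/dhcp/dhcpd.conf && service isc-dhcp-server restart
printf '%s\n' "$SAMPLE_CONF" | check_dhcpd_conf \
  || echo "fix the entries above before restarting isc-dhcp-server"
```

Because the function exits non-zero on any finding, it can sit in front of the restart command so a bad edit never reaches the running server.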
Edit /etc/default/isc-dhcp-server to comment out the ipv6 server and add the appropriate interfaces to the ipv4 entry:

    INTERFACESv4="eth0 eth1"

Restart the DHCP server:

    service isc-dhcp-server restart
We'll use Shorewall to make it easier to maintain rules for public Internet access. Note: I highly recommend that you have this gateway behind another firewall, limiting access from the public Internet. In this case, read "net" in all the examples below as your staff network and "loc" as your public access network.
Install shorewall and copy configuration files:
    apt install shorewall shorewall-init && \
    cp /usr/share/doc/shorewall/examples/two-interfaces/interfaces /etc/shorewall/; \
    cp /usr/share/doc/shorewall/examples/two-interfaces/policy /etc/shorewall/; \
    cp /usr/share/doc/shorewall/examples/two-interfaces/rules /etc/shorewall/; \
    cp /usr/share/doc/shorewall/examples/two-interfaces/snat /etc/shorewall/; \
    cp /usr/share/doc/shorewall/examples/two-interfaces/zones /etc/shorewall/
Edit /etc/shorewall/shorewall.conf. Find the line that reads

    IP_FORWARDING=Keep

and change that to

    IP_FORWARDING=On

Edit /etc/shorewall/interfaces to make sure the options for both interfaces start with "dhcp".
Edit /etc/shorewall/policy:

    loc   all   ACCEPT
    fw    loc   ACCEPT
    fw    net   REJECT
    net   all   DROP
    # THE FOLLOWING POLICY MUST BE LAST
    all   all   REJECT

Edit /etc/shorewall/rules. At minimum, append the following rules to the end of the existing file and edit per your situation.

    # file sharing
    SMB(ACCEPT)   net   fw
    SMB(ACCEPT)   fw    net
    # Accept SSH connections for administration
    ACCEPT        net   fw    tcp   22
    # Accept HTTP for the wifi stats
    ACCEPT        net   fw    tcp   80,443
    # let the other servers access apcupsd for shutdown commands
    # after a power failure
    ACCEPT        net   fw    tcp   3551
    # VNC
    ACCEPT        net   fw    tcp   5900
    # Allow both sides of the firewall to access the filter
    # (as in your staff side can use the filter, too)
    ACCEPT        net   fw    tcp   8081
    # Route all HTTP traffic from library computers to the filter
    # make the IP address range match your needs
    REDIRECT      loc:192.168.1.2-192.168.1.255   8081   tcp   80,8000,8001,8080   -

    ####################################################
    # RULES TO LET CERTAIN TRAFFIC OUT OF THE FIREWALL #
    ####################################################
    # ping
    ACCEPT        fw    net   icmp
    # DNS
    ACCEPT        fw    net   udp   53
    ACCEPT        fw    net   tcp   53
    # HTTP(s)
    ACCEPT        fw    net   tcp   80,8000,8001,8080,443
    # NTP
    ACCEPT        fw    net   udp   123
    # Security Cams
    ACCEPT        fw    net   tcp   7001,7002
    # Allow all traffic out to the local staff and public networks
    ACCEPT        fw    net:192.168.0.0/16   all
    ACCEPT        fw    loc   all
    ########################################################
    # END RULES TO LET CERTAIN TRAFFIC OUT OF THE FIREWALL #
    ########################################################

    # This last rule needs to be in place to allow for unfiltered library
    # computers. It needs to be kept last.
    ACCEPT        loc   net   tcp   80
    #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
Edit /etc/default/shorewall. Change

    startup=0

to

    startup=1

Restart shorewall:

    shorewall restart
Install PHP and enable the Apache modules we need:

    apt install php
    a2enmod ssl rewrite headers
    service apache2 reload

Then install phpMyAdmin and MariaDB:

    apt install phpmyadmin mariadb-server

We don't actually need phpMyAdmin to get the system running, but it's nice to have if we ever need to look at the stats database directly. You can access it by going to http://YOUR-SERVER-IP-ADDRESS-OR-URL/phpmyadmin. Create a MySQL user for it:

    mysql -p -u root
    mysql> CREATE USER 'phpmyadmin'@'localhost' IDENTIFIED BY 'PASSWORD-HERE';
    mysql> GRANT ALL PRIVILEGES ON *.* TO 'phpmyadmin'@'localhost';
    mysql> FLUSH PRIVILEGES;
Edit /etc/dhcp/dhcpd.conf.

Create the MySQL database for tracking stats:

    mysql -u root -p
    mysql> CREATE DATABASE IF NOT EXISTS `wifi_stats` DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
    mysql> quit;
If you are restoring a stats database exported from a previous server, import it:

    mysql -u root -p wifi_stats < old_exported_wifi_stats.sql

To start with an empty database instead, copy wifi_stats.sql into a file of the same name in your current directory. This is the database schema, which will create an empty database. Import your file into MySQL:

    mysql -u root -p wifi_stats < wifi_stats.sql
Copy wifi_stats.php into the file /var/www/html/wifi_stats.php. Edit the top of the file to enter your own password.

Copy DHCPd-parse.php into the file /var/www/html/DHCPd-parse.php. Edit the top of the file to enter your own password. You can look at your collected stats at http://YOUR-SERVER-IP-ADDRESS-OR-URL/wifi_stats.php.
Copy reportdhcp.pl into /usr/lib/cgi-bin/reportdhcp.pl, then:

    chmod 755 /usr/lib/cgi-bin/reportdhcp.pl
    a2enmod cgi
    service apache2 restart

This program isn't actually used for any of the stats collection, but it can be useful for troubleshooting. Access it from http://YOUR-SERVER-IP-ADDRESS-OR-URL/cgi-bin/reportdhcp.pl.
Add a cron entry so that DHCPd-parse.php collects stats once an hour:

    1 * * * * wget http://localhost/DHCPd-parse.php -O /dev/null > /dev/null 2>&1
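DHCPd-parse.php itself is not reproduced on this page, so as an added illustration of the kind of work an hourly stats collector has to do, here is a shell/awk summary of a dhcpd.leases file: it counts how many distinct devices currently hold an active lease. This is my example, not the guide's script; the lease records, MACs and timestamps are constructed inline. The one thing worth knowing about the file format is that dhcpd appends a new block on every renewal and never rewrites old ones, so the last block for an IP is the one that counts.

```shell
#!/bin/sh
# Added example (not the guide's DHCPd-parse.php): summarise dhcpd.leases by
# keeping only the latest block per IP and counting distinct active client MACs.

# Constructed sample: .101 renews once (two blocks), .102 is active, .103 expired.
SAMPLE_LEASES=$(cat <<'EOF'
lease 192.168.1.101 {
  starts 3 2023/05/10 14:02:11;
  ends 3 2023/05/10 15:02:11;
  binding state active;
  next binding state free;
  hardware ethernet aa:bb:cc:00:00:01;
  client-hostname "phone-1";
}
lease 192.168.1.102 {
  starts 3 2023/05/10 14:05:40;
  ends 3 2023/05/10 15:05:40;
  binding state active;
  next binding state free;
  hardware ethernet aa:bb:cc:00:00:02;
}
lease 192.168.1.103 {
  starts 3 2023/05/10 13:00:00;
  ends 3 2023/05/10 14:00:00;
  binding state free;
  hardware ethernet aa:bb:cc:00:00:03;
}
lease 192.168.1.101 {
  starts 3 2023/05/10 15:02:11;
  ends 3 2023/05/10 16:02:11;
  binding state active;
  next binding state free;
  hardware ethernet aa:bb:cc:00:00:01;
  client-hostname "phone-1";
}
EOF
)

# Reads dhcpd.leases on stdin and prints "<active devices> <lease records>".
# "next binding state" lines are deliberately not matched; only the current
# "binding state" of the last block per IP decides whether a device is counted.
lease_summary() {
  awk '
    /^lease /                        { ip = $2; state = ""; mac = ""; records++ }
    /^[ \t]*binding state /          { state = $3; sub(/;/, "", state) }
    /^[ \t]*hardware ethernet /      { mac = tolower($3); sub(/;/, "", mac) }
    /^}/                             { last_state[ip] = state; last_mac[ip] = mac }
    END {
      for (ip in last_state)
        if (last_state[ip] == "active") active[last_mac[ip]] = 1
      n = 0; for (m in active) n++
      print n, records
    }
  '
}

# Stand-alone demo; on the server: lease_summary < /var/lib/dhcp/dhcpd.leases
printf '%s\n' "$SAMPLE_LEASES" | lease_summary
```

The same MAC moving between two addresses is counted once, which is what you want for a "how many devices are on the wifi right now" figure; counting lease records instead would overstate usage every time a phone renews.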
Create the public file-sharing directory /home/temp:

    mkdir /home/temp
    chown nobody:nogroup /home/temp
    chmod 777 /home/temp

Install Samba:

    apt install samba

Edit /etc/samba/smb.conf. Put the following lines at the end:

    [temp]
    comment = Public file sharing space
    path = /home/temp
    read only = no
    force user = nobody
    create mask = 0666
    directory mask = 0777
    browseable = no
    public = yes
    writeable = yes
    guest ok = yes
    guest only = yes

Restart Samba:

    service smbd restart

Test by opening \\192.168.1.1\temp in a file manager window. No password should be required and you should have full write access.

Install the printer drivers:

    apt install hplip printer-driver-cups-pdf

Stop and disable cups-browsed:

    service cups-browsed stop; update-rc.d cups-browsed disable
Edit /etc/samba/smb.conf to share and hold the print jobs. Comment out the [printers] and [print$] sections, then add the following lines to the end of the file, changing as necessary to fit your situation:

    [ServiceDeskPrinter]
    path = /var/spool/samba
    browseable = yes
    printable = yes
    printer name = ServiceDeskPrinter
    cups options = job-hold-until=indefinite

Create a user account for the print queue and add it to the lpadmin group. In your user account with sudo privileges, go to System Settings -> Startup and Shutdown -> Login Screen -> Advanced -> Autologin, and set your new user to log in automatically.

To see the held jobs, run:

    kde-print-queue ServiceDeskPrinter

From here you can release the print jobs to the printer or delete them. Add these cron entries to purge leftover jobs every evening:

    4 21 * * * /usr/bin/lprm -P ServiceDeskPrinter -
    5 21 * * * /bin/rm /var/cache/cups/job.cache*
    6 21 * * * /bin/rm /var/spool/cups/c*
    7 21 * * * /bin/rm /var/spool/cups/d*

Create a user with adduser --no-create-home --disabled-login <user>, and make an accompanying Samba user with smbpasswd -a <username>.

On the library computers, add the shared printers as \\192.168.1.XXX\Black_and_White_Printer, etc. Change the printing preferences for the Black and White to grayscale and make that printer the default to save on color toner.
To easily share your printers for Android and Apple users, you'll need to visit the CUPS configuration pages from a web browser on the server. But first, you'll need to add your username to the lpadmin group:
usermod -aG lpadmin <username>
Next, to open the printing config for your computer, go to http://localhost:631/admin in a web browser on the server.
On the Administration page on the right-hand side, enable the option that says "Share printers connected to this system", and click "Change Settings". Authenticate with the username and password of the account you just added to lpadmin, and you'll be good to go.
In the KDE printer settings dialog, click "share" on the printer you want to share for mobile clients.
Enter the following command to hold print jobs sent from mobile clients until you release them:
lpadmin -p ServiceDeskPrinter -o job-hold-until-default=indefinite
For your staff to release the print jobs from library computers or mobile devices, they'll need to see the screen on the server. If it's in an accessible space, great--just have them use the computer like any other. If it's not accessible, you'll need to remote in via VNC.
apt install x11vnc
Then, from the print queue user account you created above:
x11vnc -storepasswd
Create a small script, x11vnc.sh, and save it to ~/.vnc/:

    #! /bin/bash
    /usr/bin/x11vnc -xkb -noxrecord -noxfixes -noxdamage -display :0 -auth guess -rfbauth ~/.vnc/passwd -rfbport 5900 -shared -forever -o ~/.vnc/x11vnc.log
Go to System Settings -> Startup and Shutdown, and add your script from above to start automatically. Go to Display and set the screen resolution to 1024x768. Go to Desktop Behavior and turn off all desktop effects. Go to Power Management -> Energy Settings and disable screen dimming or auto turn-off.
On the staff computers, create a shortcut to the UltraVNC executable, and use the following parameters:
"C:\Program Files\uvnc bvba\UltraVNC\vncviewer.exe" /host 192.168.42.2 /password <password> /autoscaling
Add the Bluecherry repo key and install the server, answering the prompts as needed (more at http://community.bluecherrydvr.com/topic/xenial-driver-instructions):

    wget -q http://ubuntu.bluecherrydvr.com/key/bluecherry.asc -O- | apt-key add -
    wget --output-document=/etc/apt/sources.list.d/bluecherry-unstable-xenial.list http://unstable.bluecherrydvr.com/sources.list.d/bluecherry-xenial.list
    apt update; sudo apt install bluecherry
    apt-get install linux-image-4.8.0-39-generic
    systemctl enable bluecherry
    service bluecherry start
Log into the Bluecherry web admin at https://192.168.1.1:7001/ and activate with your license key. Set up the system as desired. The default login is a username of admin and a password of bluecherry. Change these immediately and set up user account(s) for those who will be watching the video streams.
Install the Bluecherry client program or web client views as needed.
Generate an SSH key and copy it to the remote host that will hold the backups:

    $ ssh-keygen -t rsa
    # ssh-copy-id -i ~/.ssh/id_rsa.pub username@remote_host

Add a cron entry to dump the stats database nightly and copy it to the remote host:

    5 0 * * * mysqldump -u root --password=YOUR-PASSWORD wifi_stats > /home/username/wifi_stats_dump.sql; scp -i /home/username/.ssh/id_rsa /home/username/wifi_stats_dump.sql username@remote_host:/path/to/backup/directory/

Put from="YOUR-FILTER'S-IP-ADDRESS", followed by a space, before the "ssh-rsa [...]" stuff in your /home/username/.ssh/authorized_keys file. This will limit the key to being used only from your filter.
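A from= restriction is only useful if it is actually present on every automation key, and it is easy to forget when a key gets re-added with ssh-copy-id. The following is an added example of mine, not part of the guide: a small audit that lists the keys in an authorized_keys file that carry no from= option, plus a helper that writes a key line with both from= and OpenSSH's restrict option (which also switches off port forwarding, agent forwarding, X11 and pty allocation, none of which an scp-only backup key needs). The sample authorized_keys content, IPs and key material are constructed; the audit assumes the options field contains no quoted spaces, as in the lines the guide describes.

```shell
#!/bin/sh
# Added example (not from the original guide): find authorized_keys entries
# with no from= restriction, and build a restricted entry for a backup key.

# Constructed sample file: one restricted key, one unrestricted, one fully locked down.
SAMPLE_KEYS=$(cat <<'EOF'
# backup key from the wifi gateway
from="192.168.40.8" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEXAMPLE1 root@gateway
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLE2 someone@laptop

restrict,from="192.168.40.8",command="/usr/local/bin/receive-backup" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEXAMPLE3 backup@gateway
EOF
)

# Reads authorized_keys on stdin; prints the comment (last field) of every key
# line whose options field lacks from=.  A line whose first field is a key type
# has no options at all and is therefore unrestricted.
unrestricted_keys() {
  awk '
    /^[ \t]*(#|$)/ { next }                                   # comments and blank lines
    { opts = ($1 ~ /^(ssh-|ecdsa-|sk-)/) ? "" : $1 }           # options precede the key type
    opts !~ /(^|,)from=/ { print $NF }
  '
}

# restricted_key_line SOURCE-PATTERN "PUBKEY-LINE": only usable from SOURCE,
# with restrict disabling forwarding and pty allocation (scp still works).
restricted_key_line() {
  printf 'restrict,from="%s" %s\n' "$1" "$2"
}

# Stand-alone demo; on the backup host: unrestricted_keys < ~/.ssh/authorized_keys
printf '%s\n' "$SAMPLE_KEYS" | unrestricted_keys
restricted_key_line 192.168.40.8 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLE4 backup@gateway'
```

Run the audit on the backup host after every ssh-copy-id; an empty result means every key is pinned to a source address. While you are at it, the cron line above passes the MySQL password on the command line, where any local user can read it from the process list; mysqldump's --defaults-extra-file option lets you keep it in a mode-600 file instead.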
Install apcupsd and back up the original config file:

    apt-get install apcupsd; \
    mv /etc/apcupsd/apcupsd.conf /etc/apcupsd/apcupsd.conf.bak

Copy apcupsd.conf into /etc/apcupsd/apcupsd.conf, editing parameters as you see fit.

Edit /etc/default/apcupsd and change

    ISCONFIGURED=no

to

    ISCONFIGURED=yes

And that is all! Reboot and make sure everything comes back up the way it should. And TEST!