== Soekris net4801 hardware ==

http://soekris.com/Manuals/net4801_manual.pdf

There are no Linux or BSD drivers for the vpn1411 crypto accelerator board we had hoped to use:
http://lists.soekris.com/pipermail/soekris-tech/2006-June/010523.html

On the other hand, all five Ethernet (NatSemi) devices are fully supported pretty much everywhere.

You will want a paperclip. You're going to be poking that reset switch a lot.

== connect a console ==

Get a Linux laptop with a serial port. Connect the Soekris serial port to it using a crossover (null-modem) serial cable. There are a lot of these, unused, floating around ORBIT; they have "X OVER" written on them.

Run minicom in a terminal window that can handle vt102 (any of them can). Minicom should be set for 9600 baud, 8 data bits, no parity, 1 stop bit (9600 8N1) and no flow control; turn hardware flow control off in minicom. The UNIX device for talking to the console is almost certainly /dev/ttyS0.

Minicom and the Soekris console seem a little fragile. If you do wind up dumping junk to the serial port (as will be the case if you run pppd carelessly), you may gum it up so badly that you need to reboot.

== configure the Soekris net4801 BIOS ==

Look at the banner printed when the net4801 boots. Get the BIOS version and check it against the Soekris web site; make sure you have the latest.

Hit Ctrl-P as it is booting to get to a BIOS prompt. Issue these commands at the BIOS prompt, filling in today's date and the current time:
{{{
date YYYY/MM/DD
time HH:MM:SS
set ConSpeed=9600
}}}

The only reliable way to obtain the MAC address of 'Eth 0' without an operating system already loaded is to watch the diagnostic output of a network (PXE) boot:
{{{
boot f0
}}}

== net install ==

The netboot image for Debian is already around. You might need http://centerclick.org/net4801/pxelinux/pxelinux.0.gz instead of the pxelinux.bin that's already around: the pxelinux.0 that comes with Debian's net-install.tar.gz works, but does not print its banners to minicom properly.
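As an added example (not a file from the ORBIT wiki, from Debian or from the centerclick.org tarball), here is the kind of serial-console pxelinux configuration that the link in pxelinux.cfg below should point at, written out by a shell function so it can be generated into any TFTP root. The SERIAL directive is what makes pxelinux talk to ttyS0 at 9600 baud, and console=ttyS0,9600n8 plus DEBIAN_FRONTEND=text does the same for the installer kernel. The kernel and initrd paths under debian-installer/i386/ are an assumption about where the netboot tarball unpacks them; check them against the tree you actually have.

```shell
#!/bin/sh
# Added example (not the ORBIT wiki's own file): write a pxelinux.cfg/default
# that drives the Debian installer over the net4801's serial console.
# The kernel/initrd paths are an assumption about the netboot tarball layout;
# $1 is the TFTP root where that tarball was unpacked.
set -e

write_pxelinux_cfg() {
    tftproot=$1
    mkdir -p "$tftproot/pxelinux.cfg"
    cat > "$tftproot/pxelinux.cfg/default" <<'EOF'
# Talk to serial port 0 (ttyS0) at 9600 baud. SERIAL must come first so the
# port is set up before pxelinux prints anything.
SERIAL 0 9600
DEFAULT install
PROMPT 1
TIMEOUT 50
LABEL install
    KERNEL debian-installer/i386/linux
# console= sends the installer kernel's output to the serial port and
# DEBIAN_FRONTEND=text keeps the installer out of the curses UI.
    APPEND initrd=debian-installer/i386/initrd.gz console=ttyS0,9600n8 DEBIAN_FRONTEND=text
EOF
}
```

Run it as `write_pxelinux_cfg /tftpboot` (or wherever the netboot tree lives); if pxelinux.cfg/default is already a symlink to some other configuration, remove the link first or point it at the generated file.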
You need to make a link in pxelinux.cfg to an appropriate pxelinux configuration file, namely the one for the serial console. To the end of the kernel command line (the append line) of the 'install' image you want to add:
{{{
DEBIAN_FRONTEND=text
}}}
(we did this, so it's probably already there.)

We tried this in several different ways with a remarkable number of pre-compiled pxelinux.0 files, but the net install could never find the CF disk. Eventually we gave up and moved to pre-loading the CF.

== Voyage Linux ==

Voyage Linux is Debian with enough removed so that it fits in 64 MB.
http://www.voyage.hk/software/voyage.html

The "Kingston Elite Pro" CF card is reported by the 4801 as
{{{
Pri Sla SAMSUNG CF/ATA LBA Xlt 1012-32-63
}}}
The SimpleTech CF card is reported as
{{{
Pri Mas Hitachi XX.V.3.7.0.0 LBA 993-16-63
}}}
The Kingston reports an entirely different geometry when connected to my laptop through an IOMEGA USB media adapter, and the reported geometry can't be adjusted in fdisk, so you can't use it to hold bootable images. I have no idea why the Kingston shows up as a slave.

Get the tarball and untar it on your Linux laptop as root, like this:
{{{
sudo tar --numeric-owner -zxvf voyage-0.2pre4.tar.gz
}}}
There's a README in that tarball, and you should read it.

Attach the CF card to your Linux laptop. If it gets automounted, unmount it. Cd into the untarred directory and run voyage.update as root. The CF card is likely to be /dev/sdb; on an Ubuntu box you can use /media/usbdisk as the mount point.

When this finishes, move the CF card into the Soekris net4801 and reboot it. LILO may be less than perfect at displaying over the serial port. Don't worry, it will boot.

Log in to the net4801 as root. The default root password is, predictably, 'voyage'. Voyage Linux tries to be cute by mounting everything read-only, so you need to remount the root partition read-write, like this:
{{{
mount -o remount,rw /
}}}
Now you can, and should, change the root password.

Change /etc/rc2.d/S99voyage so that the commands that keep remounting / read-only are disabled.
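Once / stays writable, the other piece of Voyage cuteness to undo is /root, which (as described below) is normally a symlink into the /rw tmpfs and so loses its contents, ssh keys included, on every reboot. The following is an added example, not anything shipped by Voyage Linux or taken from the ORBIT wiki: it replaces the /root symlink with a real directory on the CF card and carries over whatever the tmpfs copy currently holds. It assumes the /root -> /rw/root layout the text describes and that S99voyage has already been edited so it no longer recreates the link; the rootfs prefix argument exists only so the function can be tried on a scratch tree first (pass "" for the live system).

```shell
#!/bin/sh
# Added example (not from the ORBIT wiki or Voyage Linux): turn the /root
# symlink into the /rw tmpfs into a real directory on the CF card so that
# /root/.ssh survives a reboot. $1 is a prefix ("" for the live system, or a
# scratch directory to test on); the /root -> /rw/root layout is assumed.
set -e

make_root_persistent() {
    rootfs=$1
    link="$rootfs/root"
    [ -L "$link" ] || return 0            # already a real directory: nothing to do
    target=$(readlink "$link")
    case $target in
        /*) target="$rootfs$target" ;;                 # absolute link, e.g. /rw/root
        *)  target="$(dirname "$link")/$target" ;;     # relative link
    esac
    rm "$link"
    mkdir -m 700 "$link"
    # keep whatever the tmpfs copy holds right now (keys, history);
    # a dangling link with no tmpfs directory behind it is fine too
    if [ -d "$target" ]; then
        cp -pR "$target/." "$link/"
    fi
}

# succeeds when $1/root is a real directory, i.e. will persist across reboots
root_is_persistent() {
    [ -d "$1/root" ] && [ ! -L "$1/root" ]
}
```

On the net4801 itself, after `mount -o remount,rw /`, this is just `make_root_persistent ""`, followed by `root_is_persistent "" && echo ok` to confirm, then `mkdir -m 700 /root/.ssh` for the key material that needs to outlive a reboot.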
You may also want to remove the rc link rc2.d/S89watchdog, or set run_watchdog to 0 in init.d/watchdog.

Note that things like /root are normally symlinks to /rw/root, which is on a tmpfs and therefore does not survive a reboot. It's all very cute, but you need to disable it at least for /root: /root needs to hold a persistent .ssh directory.

Run
{{{
apt-get update
apt-get upgrade
}}}
as usual. Reboot.

== PPP/SSH client configuration ==

General instructions can be found at http://tldp.org/HOWTO/ppp-ssh
Details of how the commands below work are best found in the man pages for pppd(8) and ssh(1).

The idea is:

1. Create a vpn account on the landing.

2. Allow the vpn account on the landing to run pppd as root by adding lines like these to /etc/sudoers (with visudo). Note that the user name is followed by a space, not a colon, and that the path in the alias must match the pppd the client's ssh command names, /usr/sbin/pppd on Debian:
{{{
Cmnd_Alias VPN=/usr/sbin/pppd
vpn ALL=NOPASSWD: VPN
}}}

3. Allow the vpn client to log in to the vpn account on the landing using an ssh key with no passphrase. You're probably looking for this command (run it on the client, then put the resulting public key in ~vpn/.ssh/authorized_keys on the landing). Since the key has no passphrase, restrict what it can do in authorized_keys: a forced command= running pppd plus no-pty and no-port-forwarding means a stolen key gets the tunnel and nothing else.
{{{
ssh-keygen -b 2048 -t rsa
}}}

4. Run a script like the following on the client (it dials out to the landing, so it belongs on the Soekris, not on the landing). LANDING, LANDING_IP and CLIENT_IP must be set to the landing's host name and the two ends' tunnel addresses before it is run:
{{{
#!/bin/bash
# dial a pppd-over-ssh tunnel from this (client) end to the landing
: ${LANDING:?set LANDING to the landing host name}
: ${LANDING_IP:?set LANDING_IP to the landing's tunnel address}
: ${CLIENT_IP:?set CLIENT_IP to this end's tunnel address}

case "$1" in
start)
    # the local pppd talks through an ssh session that runs the remote pppd as root;
    # pppd's address argument is local:remote, and this end is the client
    /usr/sbin/pppd updetach noauth passive \
        pty "ssh vpn@${LANDING} -o BatchMode=yes sudo /usr/sbin/pppd nodetach notty noauth" \
        ipparam vpn ${CLIENT_IP}:${LANDING_IP}
    ;;
stop)
    # -9 skips pppd's ip-down cleanup; a plain 'killall pppd' is gentler
    killall -9 pppd
    ;;
*)
    echo "please say start or stop"
    exit 1
    ;;
esac
exit 0
}}}

5. Change iptables and the routing table in the Soekris net4801 so that traffic coming in over ppp0 goes to the right interface on the ORBIT node, and so that all traffic from the ORBIT node's interfaces goes to ppp0. Keep a host route to the landing via the Soekris's real uplink: if the default route moves to ppp0 without one, the ssh session carrying the tunnel is itself routed into the tunnel and the link collapses.

6. Change iptables, the routing table, and the multi-homed interfaces on the landing so that packets for the remote ORBIT nodes get there.

As of 9/20, we're up to 5.
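The following is an added example of steps 2, 3, 5 and 6 as shell functions; it is not a script from the ORBIT wiki or from the ppp-ssh HOWTO. Every interface name, address and subnet is an assumed placeholder (the ORBIT node is taken to hang off eth1 in 10.10.0.0/24, the landing's real address and the uplink gateway are passed in), the authorized_keys forced command mirrors what the client's ssh invocation asks for, and with DRY_RUN=1 the functions print the iptables/ip commands instead of running them so the plan can be reviewed on any box. landing_ip_up shows how the ipparam vpn the client passes can be used from /etc/ppp/ip-up.d/ on the landing to install the route for each tunnel as it comes up.

```shell
#!/bin/sh
# Added example (not from the ORBIT wiki): landing- and client-side plumbing
# for the pppd-over-ssh tunnel. Interface names, addresses, subnets and the
# public key are assumed placeholders. DRY_RUN=1 prints commands instead of
# running them, so the plan can be reviewed on a machine without iptables.
set -e

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Step 2: sudoers lines for the landing. User name then a space (no colon),
# and the path must be the same pppd the client's ssh command names.
sudoers_fragment() {
    printf 'Cmnd_Alias VPN=/usr/sbin/pppd\nvpn ALL=NOPASSWD: VPN\n'
}

# Step 3: authorized_keys entry for the client's passphrase-less key. The forced
# command and the no-* options mean the key can start the remote pppd and do
# nothing else on the landing, whatever command the client actually sends.
authorized_keys_line() {
    pubkey=$1    # the one line of the client's id_rsa.pub
    printf 'command="sudo /usr/sbin/pppd nodetach notty noauth",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding %s\n' "$pubkey"
}

# Step 5, on the net4801. The ORBIT node sits behind $node_if in $node_net;
# the landing's real address $landing_ip is reached via uplink $uplink_if/$uplink_gw.
client_routes() {
    node_if=$1; node_net=$2; landing_ip=$3; uplink_if=$4; uplink_gw=$5
    run sysctl -w net.ipv4.ip_forward=1
    # keep the ssh session that carries the tunnel out of the tunnel
    run ip route replace "$landing_ip/32" via "$uplink_gw" dev "$uplink_if"
    # everything else (so all node traffic) goes down ppp0
    run ip route replace default dev ppp0
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -i "$node_if" -o ppp0 -s "$node_net" -j ACCEPT
    run iptables -A FORWARD -i ppp0 -o "$node_if" -d "$node_net" -j ACCEPT
}

# Step 6, on the landing: one call per tunnel interface (pppN) to route that
# node's subnet into its tunnel and let the landing forward for it.
landing_routes() {
    ppp_if=$1; node_net=$2
    run sysctl -w net.ipv4.ip_forward=1
    run ip route replace "$node_net" dev "$ppp_if"
    run iptables -A FORWARD -i "$ppp_if" -s "$node_net" -j ACCEPT
    run iptables -A FORWARD -o "$ppp_if" -d "$node_net" -j ACCEPT
}

# pppd runs /etc/ppp/ip-up with: iface tty speed local-ip remote-ip ipparam.
# Installed as /etc/ppp/ip-up.d/vpn on the landing, this applies landing_routes
# only for tunnels the client dialled with "ipparam vpn". NODE_NET is an
# assumed placeholder for that client's subnet.
landing_ip_up() {
    [ "$6" = vpn ] || return 0
    landing_routes "$1" "${NODE_NET:-10.10.0.0/24}"
}
```

Source the file and call the functions by hand the first time with DRY_RUN=1, e.g. `DRY_RUN=1 client_routes eth1 10.10.0.0/24 192.0.2.10 eth0 198.51.100.1`, and check that the /32 route to the landing comes out before the default route; only then run it for real. With several remote nodes each gets its own pppN on the landing, so landing_routes is called once per tunnel from ip-up rather than with a fixed interface name.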