<!doctype html>
<html lang="en" dir="ltr">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width,initial-scale=1">
<meta name="generator" content="Docusaurus v2.0.0-beta.17">
<link rel="alternate" type="application/rss+xml" href="/pages/blog/rss.xml" title="SPR RSS Feed">
<link rel="alternate" type="application/atom+xml" href="/pages/blog/atom.xml" title="SPR Atom Feed"><title data-rh="true">Blog | SPR</title><meta data-rh="true" property="og:title" content="Blog | SPR"><meta data-rh="true" name="twitter:card" content="summary_large_image"><meta data-rh="true" name="description" content="Blog"><meta data-rh="true" property="og:description" content="Blog"><meta data-rh="true" property="og:url" content="https://www.supernetworks.org/pages/blog"><meta data-rh="true" name="docusaurus_locale" content="en"><meta data-rh="true" name="docusaurus_tag" content="blog_posts_list"><meta data-rh="true" name="docsearch:language" content="en"><meta data-rh="true" name="docsearch:docusaurus_tag" content="blog_posts_list"><link data-rh="true" rel="icon" href="/pages/img/favicon.ico"><link data-rh="true" rel="canonical" href="https://www.supernetworks.org/pages/blog"><link data-rh="true" rel="alternate" href="https://www.supernetworks.org/pages/blog" hreflang="en"><link data-rh="true" rel="alternate" href="https://www.supernetworks.org/pages/blog" hreflang="x-default"><link rel="stylesheet" href="/pages/assets/css/styles.746319c9.css">
<link rel="preload" href="/pages/assets/js/runtime~main.cb48395d.js" as="script">
<link rel="preload" href="/pages/assets/js/main.607f1fa1.js" as="script">
</head>
<body class="navigation-with-keyboard">
<script>!function(){function t(t){document.documentElement.setAttribute("data-theme",t)}var e=function(){var t=null;try{t=localStorage.getItem("theme")}catch(t){}return t}();t(null!==e?e:"dark")}()</script><div id="__docusaurus">
<div role="region"><a href="#" class="skipToContent_ZgBM">Skip to main content</a></div><nav class="navbar navbar--fixed-top"><div class="navbar__inner"><div class="navbar__items"><button aria-label="Navigation bar toggle" class="navbar__toggle clean-btn" type="button" tabindex="0"><svg width="30" height="30" viewBox="0 0 30 30" aria-hidden="true"><path stroke="currentColor" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M4 7h22M4 15h22M4 23h22"></path></svg></button><a class="navbar__brand" href="/pages/"><div class="navbar__logo"><img src="/pages/img/logo.png" alt="Secure Programmable Router" class="themedImage_W2Cr themedImage--light_TfLj"><img src="/pages/img/logo.png" alt="Secure Programmable Router" class="themedImage_W2Cr themedImage--dark_oUvU"></div><b class="navbar__title">SPR</b></a><a class="navbar__item navbar__link" href="/pages/docs/intro">Documentation</a><a class="navbar__item navbar__link" href="/pages/api/0">API</a><a class="navbar__item navbar__link" href="/pages/docs/setup_run_spr">Setup Guide</a><a aria-current="page" class="navbar__item navbar__link navbar__link--active" href="/pages/blog">Blog</a></div><div class="navbar__items navbar__items--right"><a href="https://github.com/spr-networks/" target="_blank" rel="noopener noreferrer" class="navbar__item navbar__link"><span>SPR GitHub<svg width="13.5" height="13.5" aria-hidden="true" viewBox="0 0 24 24" class="iconExternalLink_I5OW"><path fill="currentColor" d="M21 13v10h-21v-19h12v2h-10v15h17v-8h2zm3-12h-10.988l4.035 4-6.977 7.07 2.828 2.828 6.977-7.07 4.125 4.172v-11z"></path></svg></span></a><div class="toggle_S7eR toggle_TdHA toggleDisabled_f9M3"><div class="toggleButton_rCf9" role="button" tabindex="-1"><svg viewBox="0 0 24 24" width="24" height="24" class="lightToggleIcon_v35p"><path fill="currentColor" d="M12,9c1.65,0,3,1.35,3,3s-1.35,3-3,3s-3-1.35-3-3S10.35,9,12,9 M12,7c-2.76,0-5,2.24-5,5s2.24,5,5,5s5-2.24,5-5 S14.76,7,12,7L12,7z 
M2,13l2,0c0.55,0,1-0.45,1-1s-0.45-1-1-1l-2,0c-0.55,0-1,0.45-1,1S1.45,13,2,13z M20,13l2,0c0.55,0,1-0.45,1-1 s-0.45-1-1-1l-2,0c-0.55,0-1,0.45-1,1S19.45,13,20,13z M11,2v2c0,0.55,0.45,1,1,1s1-0.45,1-1V2c0-0.55-0.45-1-1-1S11,1.45,11,2z M11,20v2c0,0.55,0.45,1,1,1s1-0.45,1-1v-2c0-0.55-0.45-1-1-1C11.45,19,11,19.45,11,20z M5.99,4.58c-0.39-0.39-1.03-0.39-1.41,0 c-0.39,0.39-0.39,1.03,0,1.41l1.06,1.06c0.39,0.39,1.03,0.39,1.41,0s0.39-1.03,0-1.41L5.99,4.58z M18.36,16.95 c-0.39-0.39-1.03-0.39-1.41,0c-0.39,0.39-0.39,1.03,0,1.41l1.06,1.06c0.39,0.39,1.03,0.39,1.41,0c0.39-0.39,0.39-1.03,0-1.41 L18.36,16.95z M19.42,5.99c0.39-0.39,0.39-1.03,0-1.41c-0.39-0.39-1.03-0.39-1.41,0l-1.06,1.06c-0.39,0.39-0.39,1.03,0,1.41 s1.03,0.39,1.41,0L19.42,5.99z M7.05,18.36c0.39-0.39,0.39-1.03,0-1.41c-0.39-0.39-1.03-0.39-1.41,0l-1.06,1.06 c-0.39,0.39-0.39,1.03,0,1.41s1.03,0.39,1.41,0L7.05,18.36z"></path></svg><svg viewBox="0 0 24 24" width="24" height="24" class="darkToggleIcon_nQuB"><path fill="currentColor" d="M9.37,5.51C9.19,6.15,9.1,6.82,9.1,7.5c0,4.08,3.32,7.4,7.4,7.4c0.68,0,1.35-0.09,1.99-0.27C17.45,17.19,14.93,19,12,19 c-3.86,0-7-3.14-7-7C5,9.07,6.81,6.55,9.37,5.51z M12,3c-4.97,0-9,4.03-9,9s4.03,9,9,9s9-4.03,9-9c0-0.46-0.04-0.92-0.1-1.36 c-0.98,1.37-2.58,2.26-4.4,2.26c-2.98,0-5.4-2.42-5.4-5.4c0-1.81,0.89-3.42,2.26-4.4C12.92,3.04,12.46,3,12,3L12,3z"></path></svg></div><input type="checkbox" checked="" class="toggleScreenReader_g2nN" aria-label="Switch between dark and light mode (currently dark mode)"></div></div></div><div role="presentation" class="navbar-sidebar__backdrop"></div></nav><div class="main-wrapper blog-wrapper blog-list-page"><div class="container margin-vert--lg"><div class="row"><aside class="col col--3"><nav class="sidebar_a9qW thin-scrollbar" aria-label="Blog recent posts navigation"><div class="sidebarItemTitle_uKok margin-bottom--md">Recent posts</div><ul class="sidebarItemList_Kvuv"><li class="sidebarItem_CF0Q"><a class="sidebarItemLink_miNk" 
href="/pages/blog/virtual-spr-on-a-gcloud-tier-free-instance">Run Virtual SPR on a Google Cloud Free Tier Instance</a></li><li class="sidebarItem_CF0Q"><a class="sidebarItemLink_miNk" href="/pages/blog/virtual-spr-on-a-aws-micro-tier-instance">Run Virtual SPR on a AWS Micro Tier Instance</a></li><li class="sidebarItem_CF0Q"><a class="sidebarItemLink_miNk" href="/pages/blog/virtual-spr-on-a-digital-ocean-droplet">Run Virtual SPR on a Digital Ocean Droplet</a></li><li class="sidebarItem_CF0Q"><a class="sidebarItemLink_miNk" href="/pages/blog/virtual SPR">SPR in the cloud</a></li><li class="sidebarItem_CF0Q"><a class="sidebarItemLink_miNk" href="/pages/blog/secure router chaining">Securely Chaining Routers</a></li></ul></nav></aside><main class="col col--7" itemscope="" itemtype="http://schema.org/Blog"><article class="margin-bottom--xl" itemprop="blogPost" itemscope="" itemtype="http://schema.org/BlogPosting"><header><h2 class="blogPostTitle_rzP5" itemprop="headline"><a itemprop="url" href="/pages/blog/virtual-spr-on-a-gcloud-tier-free-instance">Run Virtual SPR on a Google Cloud Free Tier Instance</a></h2><div class="blogPostData_Zg1s margin-vert--md"><time datetime="2022-10-13T00:00:00.000Z" itemprop="datePublished">October 13, 2022</time> · <!-- -->3 min read</div><div class="margin-top--md margin-bottom--sm row"><div class="col col--6 authorCol_FlmR"><div class="avatar margin-bottom--sm"><div class="avatar__intro" itemprop="author" itemscope="" itemtype="https://schema.org/Person"><div class="avatar__name"><a href="https://twitter.com/capslcc" target="_blank" rel="noopener noreferrer" itemprop="url"><span itemprop="name">Philip Olausson</span></a></div></div></div></div></div></header><div class="markdown" itemprop="articleBody"><h2 class="anchor anchorWithStickyNavbar_mojV" id="introduction">Introduction<a class="hash-link" href="#introduction" title="Direct link to heading"></a></h2><p>This guide shows how to setup a new E2 instance in Google Cloud, allow VPN 
access in firewall and install Virtual SPR.
The result is a private VPN with a custom DNS server able to block ads, log traffic, and more <a href="/pages/docs/intro#the-service-listing">features</a> included in SPR.</p><p>For a more general and in-depth guide see the <a href="/pages/blog/virtual SPR">Virtual SPR Guide</a>.</p><h2 class="anchor anchorWithStickyNavbar_mojV" id="setup-account">Setup Account<a class="hash-link" href="#setup-account" title="Direct link to heading"></a></h2><p><a href="#create-instance">Skip</a> this section if you already have a Google Cloud account & a project set up.</p><p>Go to <a href="https://cloud.google.com" target="_blank" rel="noopener noreferrer">Google Cloud</a> & sign in with a Google account, or create a new one and enable Google Cloud.
Google has a <a href="https://cloud.google.com/free/" target="_blank" rel="noopener noreferrer">Free Tier</a> where you get $300 in free credits when signing up as a new customer.
Continue by creating a Payment Profile.</p><p>When done click <strong>New Project</strong> in the top menu dropdown and pick a name for your project.</p><h2 class="anchor anchorWithStickyNavbar_mojV" id="create-instance">Create Instance<a class="hash-link" href="#create-instance" title="Direct link to heading"></a></h2><p><img loading="lazy" src="/pages/assets/images/gcloud-1-d717f56e144b82e7f42e12a7a7952d34.png" width="2373" height="1568"></p><p>In the top navigation menu go to <strong>Compute Engine</strong> and click <strong>VM Instances</strong>.</p><p>Click <strong>Enable</strong> if you haven't used the service before. If prompted to create a project, pick a name for it & click <strong>Create</strong>.</p><p>Click <strong>Create Instance</strong>.</p><p><img loading="lazy" src="/pages/assets/images/gcloud-2-1b86c8ae7fb9207e74aa9981a03979ae.png" width="1958" height="1626"></p><p>Select a name for your instance & pick a region.</p><p>For Series go with E2 and <em>Machine type</em> for the least expensive alternative.</p><p>Under <em>Boot disk</em> click <strong>Change</strong>:</p><p><img loading="lazy" src="/pages/assets/images/gcloud-3-99765b92c841419c1efdf9185788e25a.png" width="2123" height="1246"></p><p>Select and save:</p><ul><li>Operating System <strong>Ubuntu</strong></li><li>Version <strong>Ubuntu 22.04 LTS</strong> <em>x86/64</em></li></ul><p>Expand <em>Advanced options</em>, then <em>Networking</em>, scroll down to <em>Network interfaces</em> and click <strong>default</strong>.
Select <em>External IPv4 address</em> and click <strong>Create IP address</strong> to assign a static IP address for your instance.</p><p><img loading="lazy" src="/pages/assets/images/gcloud-6-0c880ad3c1ee99f749615383ec7216cc.png" width="2030" height="1646"></p><p>The default settings are fine for the other options.
Now click <strong>Create</strong> to boot up the instance.</p><h2 class="anchor anchorWithStickyNavbar_mojV" id="firewall-rules-for-vpn-access">Firewall rules for VPN access<a class="hash-link" href="#firewall-rules-for-vpn-access" title="Direct link to heading"></a></h2><p>In the navigation go to <strong>VPC Network</strong> and click <strong>Firewall</strong>. Click <strong>Create Firewall Rule</strong> at the top of the page.</p><p><img loading="lazy" src="/pages/assets/images/gcloud-5-28bb490d742f1abe47984b82695e9ffd.png" width="1778" height="1610"></p><p>Settings in screenshot:</p><ul><li>Name <strong>allow-wireguard</strong></li><li>Direction of Traffic <strong>ingress</strong></li><li>Network <strong>default</strong></li><li>Targets <strong>All instances in the network</strong> <em>all is fine for a single instance; specify a target if you run more instances</em></li><li>Source Filter <strong>IP ranges</strong></li><li>Source IP Ranges 0.0.0.0/0 <em>or, preferably, only the range you will be connecting from if you know it</em></li><li>Protocols and Ports <strong>UDP</strong> and <strong>51280</strong></li><li>Second Source filter <strong>None</strong></li></ul><p><em>Note: This rule only lets UDP traffic reach the WireGuard port on the instance; WireGuard authenticates each client by its key when it connects, so unknown peers are rejected</em>.</p><h2 class="anchor anchorWithStickyNavbar_mojV" id="access-instance--install-spr">Access instance & install SPR<a class="hash-link" href="#access-instance--install-spr" title="Direct link to heading"></a></h2><p>Your instance should be available under <em>Compute Engine</em> -> <em>VM Instances</em>.
Click <strong>SSH</strong> in the listing:</p><p><img loading="lazy" src="/pages/assets/images/gcloud-4-d47918f061785814ae4933d8d555703e.png" width="2051" height="1623"></p><p>A browser window should pop up with a terminal.
Run the SPR virtual installer with sudo:</p><div class="codeBlockContainer_I0IT language-sh theme-code-block"><div class="codeBlockContent_wNvx sh"><pre tabindex="0" class="prism-code language-sh codeBlock_jd64 thin-scrollbar" style="color:#F8F8F2;background-color:#282A36"><code class="codeBlockLines_mRuA"><span class="token-line" style="color:#F8F8F2"><span class="token plain">sudo bash -c "$(curl -fsSL https://raw.github.com/spr-networks/super/master/virtual_install.sh)"</span><br></span></code></pre><button type="button" aria-label="Copy code to clipboard" class="copyButton_wuS7 clean-btn">Copy</button></div></div><p>The one-liner above fetches a script and runs it as root, so review the source for <code>virtual_install.sh</code> <a href="https://github.com/spr-networks/super" target="_blank" rel="noopener noreferrer">here</a> before running it.</p><p>If you want to add another device, just run the setup script again:</p><div class="codeBlockContainer_I0IT language-sh theme-code-block"><div class="codeBlockContent_wNvx sh"><pre tabindex="0" class="prism-code language-sh codeBlock_jd64 thin-scrollbar" style="color:#F8F8F2;background-color:#282A36"><code class="codeBlockLines_mRuA"><span class="token-line" style="color:#F8F8F2"><span class="token plain">cd super</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">sudo ./virtual_install.sh</span><br></span></code></pre><button type="button" aria-label="Copy code to clipboard" class="copyButton_wuS7 clean-btn">Copy</button></div></div><p>Now you have a WireGuard VPN config ready (it contains the client's private key, so treat it like a password): either scan the QR Code or paste the config into the <a href="https://www.wireguard.com/install/" target="_blank" rel="noopener noreferrer">WireGuard client</a>.</p><p>For more information on setting up the client see <a href="/pages/blog/virtual SPR#configure-the-vpn-client-on-your-device">the Virtual SPR Guide</a> on how to connect your VPN client to the instance.</p></div><footer class="row docusaurus-mt-lg"><div class="col"><b>Tags:</b><ul class="tags_XVD_ padding--none 
margin-left--sm"><li class="tag_JSN8"><a class="tag_hD8n tagRegular_D6E_" href="/pages/blog/tags/spr">SPR</a></li><li class="tag_JSN8"><a class="tag_hD8n tagRegular_D6E_" href="/pages/blog/tags/virtual">Virtual</a></li><li class="tag_JSN8"><a class="tag_hD8n tagRegular_D6E_" href="/pages/blog/tags/cloud">Cloud</a></li><li class="tag_JSN8"><a class="tag_hD8n tagRegular_D6E_" href="/pages/blog/tags/vpn">VPN</a></li><li class="tag_JSN8"><a class="tag_hD8n tagRegular_D6E_" href="/pages/blog/tags/wire-guard">WireGuard</a></li><li class="tag_JSN8"><a class="tag_hD8n tagRegular_D6E_" href="/pages/blog/tags/google-cloud">Google Cloud</a></li></ul></div></footer></article><article class="margin-bottom--xl" itemprop="blogPost" itemscope="" itemtype="http://schema.org/BlogPosting"><header><h2 class="blogPostTitle_rzP5" itemprop="headline"><a itemprop="url" href="/pages/blog/virtual-spr-on-a-aws-micro-tier-instance">Run Virtual SPR on a AWS Micro Tier Instance</a></h2><div class="blogPostData_Zg1s margin-vert--md"><time datetime="2022-10-07T00:00:00.000Z" itemprop="datePublished">October 7, 2022</time> · <!-- -->3 min read</div><div class="margin-top--md margin-bottom--sm row"><div class="col col--6 authorCol_FlmR"><div class="avatar margin-bottom--sm"><div class="avatar__intro" itemprop="author" itemscope="" itemtype="https://schema.org/Person"><div class="avatar__name"><a href="https://twitter.com/capslcc" target="_blank" rel="noopener noreferrer" itemprop="url"><span itemprop="name">Philip Olausson</span></a></div></div></div></div></div></header><div class="markdown" itemprop="articleBody"><h2 class="anchor anchorWithStickyNavbar_mojV" id="introduction">Introduction<a class="hash-link" href="#introduction" title="Direct link to heading"></a></h2><p>This guide shows how to setup Virtual SPR on a Micro Tier Instance on AWS, and connect to it using WireGuard VPN.</p><p>The result is a private VPN with a custom DNS server able to block ads, log traffic, and more features 
included in SPR.</p><p>For a more general and in-depth guide see the <a href="/pages/blog/virtual SPR">Virtual SPR Guide</a>.</p><h2 class="anchor anchorWithStickyNavbar_mojV" id="create-a-instance">Create an Instance<a class="hash-link" href="#create-a-instance" title="Direct link to heading"></a></h2><p>Sign in to <a href="https://console.aws.amazon.com/ec2/home" target="_blank" rel="noopener noreferrer">AWS Console</a> and navigate to <em>Instances</em> in the menu.
Click <strong>Launch Instances</strong> for your selected region.</p><p><img loading="lazy" src="/pages/assets/images/aws-1-bdfd66fa6b9c8d0ed108eb8f38ee259a.png" width="2880" height="1562"></p><p>Name your instance and select Ubuntu and 64-bit (x86) as architecture under OS Images.</p><p>For instance type choose any micro tier eligible for free, t2.micro is used in the example.</p><p><img loading="lazy" src="/pages/assets/images/aws-2-1d0a29f7e8401ee36884f579741adc3a.png" width="2880" height="1563"></p><p>If you already have a keypair that you want to use, select it under <em>Key pair</em> or click <strong>Create new key pair</strong>, save the .pem-file to your ~/.ssh directory and make sure only your user can read it (for example <code>chmod 600 ~/.ssh/awsspr.pem</code>).</p><h3 class="anchor anchorWithStickyNavbar_mojV" id="allow-vpn-access">Allow VPN access<a class="hash-link" href="#allow-vpn-access" title="Direct link to heading"></a></h3><p>Under <em>Network settings</em> click <strong>Edit</strong> and scroll down to <strong>Add security group rule</strong>.
Select UDP & port 51280 (the WireGuard port SPR listens on), "vpn" as description and, if you want, restrict the source to a specific IP address or range you will be connecting from.</p><p><img loading="lazy" src="/pages/assets/images/aws-3-f078d071e2539fa79b380f117e5c6387.png" width="2880" height="1562"></p><p>Click <strong>Launch Instance</strong> in the bottom right.</p><h2 class="anchor anchorWithStickyNavbar_mojV" id="install-virtual-spr">Install Virtual SPR<a class="hash-link" href="#install-virtual-spr" title="Direct link to heading"></a></h2><p>Navigate to <em>Instances</em>, the newly created instance should be available in the listing and shown as Running, click it.
Copy the value under Public IPv4 address and ssh into the box as the ubuntu user:</p><div class="codeBlockContainer_I0IT language-sh theme-code-block"><div class="codeBlockContent_wNvx sh"><pre tabindex="0" class="prism-code language-sh codeBlock_jd64 thin-scrollbar" style="color:#F8F8F2;background-color:#282A36"><code class="codeBlockLines_mRuA"><span class="token-line" style="color:#F8F8F2"><span class="token plain">ssh -i ~/.ssh/awsspr.pem ubuntu@paste-ipv4-address-here</span><br></span></code></pre><button type="button" aria-label="Copy code to clipboard" class="copyButton_wuS7 clean-btn">Copy</button></div></div><p><em>NOTE</em> You can also use the <em>Instance Connect</em>-feature if you don't have access to an SSH client. Click <strong>Connect</strong> under the <em>Instance Summary</em> to get access to a terminal.</p><p>Run the SPR virtual installer with sudo (the one-liner fetches a script over HTTPS and executes it as root; see the note below if you prefer to inspect it first):</p><div class="codeBlockContainer_I0IT language-sh theme-code-block"><div class="codeBlockContent_wNvx sh"><pre tabindex="0" class="prism-code language-sh codeBlock_jd64 thin-scrollbar" style="color:#F8F8F2;background-color:#282A36"><code class="codeBlockLines_mRuA"><span class="token-line" style="color:#F8F8F2"><span class="token plain">sudo bash -c "$(curl -fsSL https://raw.github.com/spr-networks/super/master/virtual_install.sh)"</span><br></span></code></pre><button type="button" aria-label="Copy code to clipboard" class="copyButton_wuS7 clean-btn">Copy</button></div></div><p><em>NOTE: If the script cannot get the public IP address of the instance from one of the network interfaces, it will ask to fetch this from <a href="https://ifconfig.me" target="_blank" rel="noopener noreferrer">https://ifconfig.me</a>.
Answer yes to fetch this or edit this later (<strong>Endpoint</strong> in the WireGuard config).</em></p><p>The script will download the <a href="https://github.com/spr-networks/super" target="_blank" rel="noopener noreferrer">SPR repository</a> and run <em>virtual_install.sh</em>. Since the one-liner runs a remote script as root, you can instead check out the <a href="https://github.com/spr-networks/super" target="_blank" rel="noopener noreferrer">repository</a> and run the script manually if you want to inspect it before running it.</p><p>If you want to add another device, just run the setup script again:</p><div class="codeBlockContainer_I0IT language-sh theme-code-block"><div class="codeBlockContent_wNvx sh"><pre tabindex="0" class="prism-code language-sh codeBlock_jd64 thin-scrollbar" style="color:#F8F8F2;background-color:#282A36"><code class="codeBlockLines_mRuA"><span class="token-line" style="color:#F8F8F2"><span class="token plain">cd super</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">sudo ./virtual_install.sh</span><br></span></code></pre><button type="button" aria-label="Copy code to clipboard" class="copyButton_wuS7 clean-btn">Copy</button></div></div><p>Now you have a WireGuard VPN config ready (it contains the client's private key, so treat it like a password): either scan the QR Code or paste the config into the <a href="https://www.wireguard.com/install/" target="_blank" rel="noopener noreferrer">WireGuard client</a>.</p><p>For more information on setting up the client see <a href="/pages/blog/virtual SPR#configure-the-vpn-client-on-your-device">the Virtual SPR Guide</a> on how to connect your VPN client to the instance.</p></div><footer class="row docusaurus-mt-lg"><div class="col"><b>Tags:</b><ul class="tags_XVD_ padding--none margin-left--sm"><li class="tag_JSN8"><a class="tag_hD8n tagRegular_D6E_" href="/pages/blog/tags/spr">SPR</a></li><li class="tag_JSN8"><a class="tag_hD8n tagRegular_D6E_" href="/pages/blog/tags/virtual">Virtual</a></li><li class="tag_JSN8"><a class="tag_hD8n tagRegular_D6E_" 
href="/pages/blog/tags/cloud">Cloud</a></li><li class="tag_JSN8"><a class="tag_hD8n tagRegular_D6E_" href="/pages/blog/tags/vpn">VPN</a></li><li class="tag_JSN8"><a class="tag_hD8n tagRegular_D6E_" href="/pages/blog/tags/wire-guard">WireGuard</a></li><li class="tag_JSN8"><a class="tag_hD8n tagRegular_D6E_" href="/pages/blog/tags/aws">AWS</a></li></ul></div></footer></article><article class="margin-bottom--xl" itemprop="blogPost" itemscope="" itemtype="http://schema.org/BlogPosting"><header><h2 class="blogPostTitle_rzP5" itemprop="headline"><a itemprop="url" href="/pages/blog/virtual-spr-on-a-digital-ocean-droplet">Run Virtual SPR on a Digital Ocean Droplet</a></h2><div class="blogPostData_Zg1s margin-vert--md"><time datetime="2022-10-03T00:00:00.000Z" itemprop="datePublished">October 3, 2022</time> · <!-- -->2 min read</div><div class="margin-top--md margin-bottom--sm row"><div class="col col--6 authorCol_FlmR"><div class="avatar margin-bottom--sm"><div class="avatar__intro" itemprop="author" itemscope="" itemtype="https://schema.org/Person"><div class="avatar__name"><a href="https://twitter.com/capslcc" target="_blank" rel="noopener noreferrer" itemprop="url"><span itemprop="name">Philip Olausson</span></a></div></div></div></div></div></header><div class="markdown" itemprop="articleBody"><h2 class="anchor anchorWithStickyNavbar_mojV" id="introduction">Introduction<a class="hash-link" href="#introduction" title="Direct link to heading"></a></h2><p>This guide shows how to setup Virtual SPR on a Digital Ocean Droplet and connect to it using WireGuard VPN.</p><p>For a more general and in-depth guide see the <a href="/pages/blog/virtual SPR">Virtual SPR Guide</a>.</p><h2 class="anchor anchorWithStickyNavbar_mojV" id="create-a-droplet">Create a Droplet<a class="hash-link" href="#create-a-droplet" title="Direct link to heading"></a></h2><p>Login to <a href="https://cloud.digitalocean.com" target="_blank" rel="noopener noreferrer">Digital Ocean</a> and click <em>Create 
Droplet</em>.</p><p><img loading="lazy" src="/pages/assets/images/cloud-digital-ocean-1-bedee1ad9531fc8bcda5933b7dfa45c9.png" width="2880" height="1622"></p><p>Select prefered Region and Datacenter (<em>Amsterdam</em> and <em>AMS3</em> in the example),
go with default <em>Ubuntu 22.04 x64</em> for OS and version.</p><p>For Droplet Size, the smallest <em>$4/month</em> Basic with 512 MB RAM is enough but feel free to choose another one.</p><p><img loading="lazy" src="/pages/assets/images/cloud-digital-ocean-2-ca9699589bf6a28aa093388e8024b00b.png" width="2880" height="1618"></p><p>If you already have a ssh key configured for a project you can choose the pubkey or click <em>New SSH Key</em> for <em>Choose Authentication Method</em>.</p><p>Click <em>Create Droplet</em> & wait for it to spin up.</p><p><img loading="lazy" src="/pages/assets/images/cloud-digital-ocean-3-aaefd596e6c71828de8211b4bb61d104.png" width="2880" height="1621"></p><h2 class="anchor anchorWithStickyNavbar_mojV" id="install-virtual-spr">Install Virtual SPR<a class="hash-link" href="#install-virtual-spr" title="Direct link to heading"></a></h2><p>When the droplet has started, copy the ipv4 address and ssh into the box using your ssh key as root:</p><div class="codeBlockContainer_I0IT language-sh theme-code-block"><div class="codeBlockContent_wNvx sh"><pre tabindex="0" class="prism-code language-sh codeBlock_jd64 thin-scrollbar" style="color:#F8F8F2;background-color:#282A36"><code class="codeBlockLines_mRuA"><span class="token-line" style="color:#F8F8F2"><span class="token plain">ssh -i .ssh/id_rsa root@paste-ipv4-address-here</span><br></span></code></pre><button type="button" aria-label="Copy code to clipboard" class="copyButton_wuS7 clean-btn">Copy</button></div></div><p>Run the SPR virtual installer as root on the droplet:</p><div class="codeBlockContainer_I0IT language-sh theme-code-block"><div class="codeBlockContent_wNvx sh"><pre tabindex="0" class="prism-code language-sh codeBlock_jd64 thin-scrollbar" style="color:#F8F8F2;background-color:#282A36"><code class="codeBlockLines_mRuA"><span class="token-line" style="color:#F8F8F2"><span class="token plain">bash -c "$(curl -fsSL 
https://raw.github.com/spr-networks/super/master/virtual_install.sh)"</span><br></span></code></pre><button type="button" aria-label="Copy code to clipboard" class="copyButton_wuS7 clean-btn">Copy</button></div></div><p>The script will download the <a href="https://github.com/spr-networks/super" target="_blank" rel="noopener noreferrer">SPR repository</a> and run <em>virtual_install.sh</em>. Since the one-liner runs a remote script as root, you can instead check out the <a href="https://github.com/spr-networks/super" target="_blank" rel="noopener noreferrer">repository</a> and run the script manually if you want to inspect it before running it.</p><p>If you want to add another device, just run the setup script again:</p><div class="codeBlockContainer_I0IT language-sh theme-code-block"><div class="codeBlockContent_wNvx sh"><pre tabindex="0" class="prism-code language-sh codeBlock_jd64 thin-scrollbar" style="color:#F8F8F2;background-color:#282A36"><code class="codeBlockLines_mRuA"><span class="token-line" style="color:#F8F8F2"><span class="token plain">cd super</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">./virtual_install.sh</span><br></span></code></pre><button type="button" aria-label="Copy code to clipboard" class="copyButton_wuS7 clean-btn">Copy</button></div></div><p>Now you have a WireGuard VPN config ready (it contains the client's private key, so treat it like a password): either scan the QR Code or paste the config into the <a href="https://www.wireguard.com/install/" target="_blank" rel="noopener noreferrer">WireGuard client</a>.</p><p>For more information on setting up the client see <a href="/pages/blog/virtual SPR#configure-the-vpn-client-on-your-device">the Virtual SPR Guide</a> on how to connect your VPN client to the droplet instance.</p></div><footer class="row docusaurus-mt-lg"><div class="col"><b>Tags:</b><ul class="tags_XVD_ padding--none margin-left--sm"><li class="tag_JSN8"><a class="tag_hD8n tagRegular_D6E_" href="/pages/blog/tags/spr">SPR</a></li><li class="tag_JSN8"><a class="tag_hD8n tagRegular_D6E_" 
href="/pages/blog/tags/virtual">Virtual</a></li><li class="tag_JSN8"><a class="tag_hD8n tagRegular_D6E_" href="/pages/blog/tags/cloud">Cloud</a></li><li class="tag_JSN8"><a class="tag_hD8n tagRegular_D6E_" href="/pages/blog/tags/vpn">VPN</a></li><li class="tag_JSN8"><a class="tag_hD8n tagRegular_D6E_" href="/pages/blog/tags/wire-guard">WireGuard</a></li><li class="tag_JSN8"><a class="tag_hD8n tagRegular_D6E_" href="/pages/blog/tags/digital-ocean">Digital Ocean</a></li></ul></div></footer></article><article class="margin-bottom--xl" itemprop="blogPost" itemscope="" itemtype="http://schema.org/BlogPosting"><header><h2 class="blogPostTitle_rzP5" itemprop="headline"><a itemprop="url" href="/pages/blog/virtual SPR">SPR in the cloud</a></h2><div class="blogPostData_Zg1s margin-vert--md"><time datetime="2022-09-07T00:00:00.000Z" itemprop="datePublished">September 7, 2022</time> · <!-- -->4 min read</div><div class="margin-top--md margin-bottom--sm row"><div class="col col--6 authorCol_FlmR"><div class="avatar margin-bottom--sm"><div class="avatar__intro" itemprop="author" itemscope="" itemtype="https://schema.org/Person"><div class="avatar__name"><a href="https://twitter.com/capslcc" target="_blank" rel="noopener noreferrer" itemprop="url"><span itemprop="name">Philip Olausson</span></a></div></div></div></div></div></header><div class="markdown" itemprop="articleBody"><h2 class="anchor anchorWithStickyNavbar_mojV" id="introduction">Introduction<a class="hash-link" href="#introduction" title="Direct link to heading"></a></h2><p>This guide will show how to setup virtual SPR and connect to it using a WireGuard VPN client from your phone or desktop computer.</p><p>The result is a private VPN with a custom DNS server able to block ads, log traffic, and more.</p><p><strong>Quick install</strong></p><div class="codeBlockContainer_I0IT language-sh theme-code-block"><div class="codeBlockContent_wNvx sh"><pre tabindex="0" class="prism-code language-sh codeBlock_jd64 
thin-scrollbar" style="color:#F8F8F2;background-color:#282A36"><code class="codeBlockLines_mRuA"><span class="token-line" style="color:#F8F8F2"><span class="token plain">sudo bash -c "$(curl -fsSL https://raw.github.com/spr-networks/super/master/virtual_install.sh)"</span><br></span></code></pre><button type="button" aria-label="Copy code to clipboard" class="copyButton_wuS7 clean-btn">Copy</button></div></div><p>Open WireGuard & scan the QR Code/import config - Done!</p><h2 class="anchor anchorWithStickyNavbar_mojV" id="virtual-spr-install">Virtual SPR Install<a class="hash-link" href="#virtual-spr-install" title="Direct link to heading"></a></h2><p><strong>What you need</strong></p><ul><li>A linux server running Ubuntu 22.04</li><li>If there is a firewall <em>port 51280/udp</em> needs to be open for incoming traffic</li><li><a href="https://www.wireguard.com/install/" target="_blank" rel="noopener noreferrer">WireGuard</a> (<em>© Jason A. Donenfeld</em>) installed on your client phone or desktop<ul><li><code>apt install wireguard</code> for ubuntu</li><li>Official clients for <a href="https://download.wireguard.com/windows-client/wireguard-installer.exe" target="_blank" rel="noopener noreferrer">Windows</a>, <a href="https://itunes.apple.com/us/app/wireguard/id1451685025?ls=1&mt=12" target="_blank" rel="noopener noreferrer">macOS</a>, <a href="https://itunes.apple.com/us/app/wireguard/id1441195209?ls=1&mt=8" target="_blank" rel="noopener noreferrer">iOS</a>, <a href="https://play.google.com/store/apps/details?id=com.wireguard.android" target="_blank" rel="noopener noreferrer">Android</a></li></ul></li></ul><p><strong>Run Virtual Installer</strong></p><div class="codeBlockContainer_I0IT language-sh theme-code-block"><div class="codeBlockContent_wNvx sh"><pre tabindex="0" class="prism-code language-sh codeBlock_jd64 thin-scrollbar" style="color:#F8F8F2;background-color:#282A36"><code class="codeBlockLines_mRuA"><span class="token-line" style="color:#F8F8F2"><span 
class="token plain">sudo bash -c "$(curl -fsSL https://raw.github.com/spr-networks/super/master/virtual_install.sh)"</span><br></span></code></pre><button type="button" aria-label="Copy code to clipboard" class="copyButton_wuS7 clean-btn">Copy</button></div></div><p><strong>What the script does</strong></p><ul><li>downloads the latest SPR repository from <a href="https://github.com/spr-networks/super/" target="_blank" rel="noopener noreferrer">https://github.com/spr-networks/super/</a></li><li>downloads prebuilt docker images</li><li>generates default configs</li><li>sets up an admin password and an auth token for API access</li><li>starts SPR</li><li>adds a VPN peer and outputs the WireGuard config</li></ul><p>The one-liner above pipes a script straight from GitHub into a root shell. If you would rather read what is going to run as root before it runs — or you want to pass options such as ad blocklists — download the script first, review it, then execute the local copy:</p><div class="codeBlockContainer_I0IT language-sh theme-code-block"><div class="codeBlockContent_wNvx sh"><pre tabindex="0" class="prism-code language-sh codeBlock_jd64 thin-scrollbar" style="color:#F8F8F2;background-color:#282A36"><code class="codeBlockLines_mRuA"><span class="token-line" style="color:#F8F8F2"><span class="token plain">curl -s -O https://raw.githubusercontent.com/spr-networks/super/main/virtual_install.sh</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">chmod +x virtual_install.sh</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">sudo DNS_BLOCK=hosts,ads,tracking,redirects ./virtual_install.sh</span><br></span></code></pre><button type="button" aria-label="Copy code to clipboard" class="copyButton_wuS7 clean-btn">Copy</button></div></div><p>See <a href="https://github.com/blocklistproject/Lists" target="_blank" rel="noopener noreferrer">the blocklistproject Lists repository</a> for the available blocklists.</p><p>Example to block DNS requests to ad servers and social media:</p><div class="codeBlockContainer_I0IT language-sh theme-code-block"><div class="codeBlockContent_wNvx sh"><pre tabindex="0" class="prism-code 
language-sh codeBlock_jd64 thin-scrollbar" style="color:#F8F8F2;background-color:#282A36"><code class="codeBlockLines_mRuA"><span class="token-line" style="color:#F8F8F2"><span class="token plain">sudo DNS_BLOCK=ads,tracking,facebook,tiktok ./virtual_install.sh</span><br></span></code></pre><button type="button" aria-label="Copy code to clipboard" class="copyButton_wuS7 clean-btn">Copy</button></div></div><p>If you want to change the admin password you can edit the file <code>configs/base/auth_users.json</code></p><p>Running the script you should see login info, a QR Code & the WireGuard client config. Example:</p><div class="codeBlockContainer_I0IT language-sh theme-code-block"><div class="codeBlockContent_wNvx sh"><pre tabindex="0" class="prism-code language-sh codeBlock_jd64 thin-scrollbar" style="color:#F8F8F2;background-color:#282A36"><code class="codeBlockLines_mRuA"><span class="token-line" style="color:#F8F8F2"><span class="token plain">...</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">[+] WireGuard config: (save this as wg.conf & import in client)</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">----------------------------------------------------------</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">[Interface]</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">PrivateKey = privkey</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">Address = 192.168.2.94</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">DNS = 192.168.2.1</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" 
style="color:#F8F8F2"><span class="token plain">[Peer]</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">PublicKey = pubkey</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">AllowedIPs = 0.0.0.0/0, ::/0</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">Endpoint = 198.211.120.224:51280</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">PersistentKeepalive = 25</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">PresharedKey = psk</span><br></span></code></pre><button type="button" aria-label="Copy code to clipboard" class="copyButton_wuS7 clean-btn">Copy</button></div></div><p>If you want to connect to the VPN using a desktop client, save the config as wg.conf on your local computer.</p><h2 class="anchor anchorWithStickyNavbar_mojV" id="configure-the-vpn-client-on-your-device">Configure the VPN client on your device<a class="hash-link" href="#configure-the-vpn-client-on-your-device" title="Direct link to heading"></a></h2><p><strong>For iOS and Android</strong></p><p>Scan the QR Code in the official WireGuard App (<a href="https://itunes.apple.com/us/app/wireguard/id1441195209?ls=1&mt=8" target="_blank" rel="noopener noreferrer">iOS</a>, <a href="https://play.google.com/store/apps/details?id=com.wireguard.android" target="_blank" rel="noopener noreferrer">Android</a>) to import your VPN profile.</p><p><strong>Linux, macOS and Windows</strong></p><p>Click <em>"Add empty tunnel..."</em> paste the config and set a name for the tunnel. 
Or, if you saved the config to a file:</p><ul><li>Open your WireGuard client and click <em>"Import tunnel(s) from file"</em></li><li>Select the wg.conf file</li><li>Click Activate</li></ul><h2 class="anchor anchorWithStickyNavbar_mojV" id="admin-interface">Admin interface<a class="hash-link" href="#admin-interface" title="Direct link to heading"></a></h2><p><img loading="lazy" src="/pages/assets/images/screenshot_login-d6eccf46d43c7a5a3cdd6d7872ff7415.png" alt="SPR admin interface login screen" width="1998" height="1010"></p><p>Make sure you're connected to the VPN and browse to <a href="http://192.168.2.1" target="_blank" rel="noopener noreferrer">http://192.168.2.1</a> to access the admin interface. The interface is served over plain HTTP; that is acceptable only because 192.168.2.1 is the tunnel-side address and the interface is reached from inside the encrypted WireGuard tunnel. Do not expose it on the server's public interface — as noted above, 51280/udp is the only port that needs to be reachable from the internet.</p><p>Log in using the credentials shown in the script output, or the password you set manually (<em>NOTE</em>: you can print the login info again by running <code>SKIP_VPN=1 ./virtual_install.sh</code>).</p><p>If you prefer to use curl:</p><div class="codeBlockContainer_I0IT language-sh theme-code-block"><div class="codeBlockContent_wNvx sh"><pre tabindex="0" class="prism-code language-sh codeBlock_jd64 thin-scrollbar" style="color:#F8F8F2;background-color:#282A36"><code class="codeBlockLines_mRuA"><span class="token-line" style="color:#F8F8F2"><span class="token plain">$ export TOKEN="BASE64-TOKEN-FROM-OUTPUT"</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">$ curl -s -H "Authorization: Bearer $TOKEN" 192.168.2.1/devices</span><br></span></code></pre><button type="button" aria-label="Copy code to clipboard" class="copyButton_wuS7 clean-btn">Copy</button></div></div><p>The bearer token grants API access without the admin password, so treat it with the same care as the password; note that an <code>export TOKEN=...</code> typed at the prompt is recorded in your shell history. Check out the <a href="https://www.supernetworks.org/pages/api/0#section/Introduction" target="_blank" rel="noopener noreferrer">documentation</a> to get started using the SPR API.</p><h2 class="anchor anchorWithStickyNavbar_mojV" id="modify-blocklists">Modify Blocklists<a class="hash-link" href="#modify-blocklists" title="Direct link to heading"></a></h2><p>In the admin interface you can 
enable more blocklists by clicking <em>Blocklists/Ad-block</em> under DNS:
<img loading="lazy" src="/pages/assets/images/screenshot_dns_blocklist-579c25c2088d86938ca50e098f225501.png" width="1974" height="940"></p><p>SPR comes bundled with the hosts file from <a href="https://github.com/StevenBlack/hosts" target="_blank" rel="noopener noreferrer">https://github.com/StevenBlack/hosts</a> and the blocklists from the <a href="https://github.com/blocklistproject/Lists" target="_blank" rel="noopener noreferrer">https://github.com/blocklistproject/Lists</a> repository, including:
<em>redirect, ads, facebook, twitter, malware, porn, redirect, tracking, youtube, everything</em></p><p>If something is missing you can always add custom blocklists or block specific domains.</p><h2 class="anchor anchorWithStickyNavbar_mojV" id="view-traffic">View traffic<a class="hash-link" href="#view-traffic" title="Direct link to heading"></a></h2><p>Navigate to <em>DNS Log</em> in the DNS category, select the client to get a log of domains:
<img loading="lazy" src="/pages/assets/images/screenshot_dns_log-370b2aa4ba0241c3e494facd7d4dcec9.png" width="1990" height="944"></p><p>Here you can also add more blocks, domain overrides if you want to allow something temporarily, delete logs or disable them completely under <em>Settings</em>.</p><p>It is also possible to get more detail traffic for connections under <em>Traffic</em>:
<img loading="lazy" src="/pages/assets/images/screenshot_traffic-2f69a0c1ea6d51d18677a11246c41bdd.png" alt="SPR traffic view" width="2086" height="880"></p><h2 class="anchor anchorWithStickyNavbar_mojV" id="outro-and-random-notes">Outro and random notes<a class="hash-link" href="#outro-and-random-notes" title="Direct link to heading"></a></h2><p>You can remove the <code>lan</code> group from a device's groups, but that group is what allows a device to reach the admin interface, so a device without it can no longer manage SPR.</p><p>SPR is configured to use DNS over HTTPS (DoH) when resolving domains, so queries to the upstream resolver are encrypted in transit (the DoH provider itself still sees them). You can modify the CoreDNS configuration under <code>configs/dns/Corefile</code>.</p></div><footer class="row docusaurus-mt-lg"><div class="col"><b>Tags:</b><ul class="tags_XVD_ padding--none margin-left--sm"><li class="tag_JSN8"><a class="tag_hD8n tagRegular_D6E_" href="/pages/blog/tags/spr">SPR</a></li><li class="tag_JSN8"><a class="tag_hD8n tagRegular_D6E_" href="/pages/blog/tags/virtual">Virtual</a></li><li class="tag_JSN8"><a class="tag_hD8n tagRegular_D6E_" href="/pages/blog/tags/cloud">Cloud</a></li><li class="tag_JSN8"><a class="tag_hD8n tagRegular_D6E_" href="/pages/blog/tags/vpn">VPN</a></li><li class="tag_JSN8"><a class="tag_hD8n tagRegular_D6E_" href="/pages/blog/tags/wire-guard">WireGuard</a></li></ul></div></footer></article><article class="margin-bottom--xl" itemprop="blogPost" itemscope="" itemtype="http://schema.org/BlogPosting"><header><h2 class="blogPostTitle_rzP5" itemprop="headline"><a itemprop="url" href="/pages/blog/secure router chaining">Securely Chaining Routers</a></h2><div class="blogPostData_Zg1s margin-vert--md"><time datetime="2022-09-03T00:00:00.000Z" itemprop="datePublished">September 3, 2022</time> · <!-- -->4 min read</div><div class="margin-top--md margin-bottom--sm row"><div class="col col--6 authorCol_FlmR"><div class="avatar margin-bottom--sm"><div class="avatar__intro" itemprop="author" itemscope="" itemtype="https://schema.org/Person"><div class="avatar__name"><a href="https://twitter.com/defendtheworld" target="_blank" rel="noopener noreferrer" 
itemprop="url"><span itemprop="name">Alex Radocea</span></a></div></div></div></div></div></header><div class="markdown" itemprop="articleBody"><h2 class="anchor anchorWithStickyNavbar_mojV" id="building-a-home-wifi-network">Building a Home WiFi Network<a class="hash-link" href="#building-a-home-wifi-network" title="Direct link to heading"></a></h2><p>Putting together a home network has several subtly annoying security tradeoffs.</p><p><em>Users want</em></p><ul><li><p><strong>Ease of Use & Connectivity</strong></p><p>Maximized by keeping devices maximally connected with a simple passphrase</p></li><li><p><strong>Privacy and Security</strong></p><p>Maximized by keeping devices minimally connected. And ideally offline 🦦</p></li></ul><p>If the goal is a bit of both, how to do segmentation correctly quickly becomes
a bit of a puzzle</p><h2 class="anchor anchorWithStickyNavbar_mojV" id="whats-the-best-way-to-chain-your-routers">What's the Best Way to Chain Your Routers?<a class="hash-link" href="#whats-the-best-way-to-chain-your-routers" title="Direct link to heading"></a></h2><p>The "Secure Router" can be considered the Work From Home access point,
and the "Guest Router" can be considered the Guest, Personal, or IOT access point.</p><p> <img loading="lazy" src="/pages/assets/images/chaining_choices-f543aa893de8eefeda219c3d1e6619fe.png" width="1812" height="940"></p><h4 class="anchor anchorWithStickyNavbar_mojV" id="the-worst-choice">The Worst Choice<a class="hash-link" href="#the-worst-choice" title="Direct link to heading"></a></h4><p>Option #3 is to connect the internet to the secure router, and then plug the
guest router into the secure router. Guests and untrustworthy devices can connect
to the guest router.</p><p>This might make sense intuitively for some. You put the Secure Router close
to the internet since that's where all the internet traffic will go out from, and
if the Guest Router is compromised, it can't intercept traffic.</p><p>However, since the Guest Router is a Peer on the Secure Router network's LAN,
every "Guest" station and the router will be able to reach the secure router and
devices on the secure network LAN.</p><p>Unless either the Guest Router can block requests to the Secure LAN with its firewall,
or the Secure Router can isolate the port for the Guest Router for only internet access,
this is not an accepted best practice.</p><h4 class="anchor anchorWithStickyNavbar_mojV" id="split-essids">Split ESSIDs<a class="hash-link" href="#split-essids" title="Direct link to heading"></a></h4><p>Option #2 is to share a router for both SSIDs, with one ESSID and password for the
Secure LAN and one for the Guest LAN.</p><p>The expectation is that devices can not send packets across the two LANs.</p><p>The great tradeoff with this is that if a user wants to control their IOT devices
they have to switch to the guest network. And if device isolation is enabled on the guest network,
devices won't be able to communicate at all. So as security improves, usability decreases.</p><p>The guest isolation may also be insufficient, because every guest shares one passphrase. With WPA2-PSK, anyone who holds the passphrase and captures another station's 4-way handshake can derive that station's session key and decrypt its traffic passively. With WPA3-SAE the session key cannot be derived from the passphrase plus a captured handshake, but a passphrase holder can still mount an active attack (for example by impersonating the access point) to get into the path and read the traffic. Either way, a shared passphrase implies MITM capability inside the guest network.</p><p>Some routers place both ESSIDs on the SAME LAN. Usually this allows the secure devices
to reach the guest devices. Usability has been increased, but this often leads to subtle flaws
that allow the guest devices to bypass their isolation entirely.</p><p>One upside of this approach is that the two ESSIDs share a single radio, so bandwidth can be shared between them,
reducing wasted WiFi spectrum.</p><p>Overall, this is an accepted best practice, but it comes down to the details where very quickly
users are trading off security for usability.</p><h4 class="anchor anchorWithStickyNavbar_mojV" id="the-best-of-the-three-guest-router-first-secure-router-second">The Best of the Three: Guest Router First, Secure Router Second<a class="hash-link" href="#the-best-of-the-three-guest-router-first-secure-router-second" title="Direct link to heading"></a></h4><p>Option #1 is the recommended and accepted best practice. The guest network connects
directly to the internet, and the secure router plugs into the guest Router.</p><p>This approach yields a favorable combination of security and usability. Devices on the
secure LAN can access devices on the Guest LAN, which is great for controlling IOT devices.
And devices on the Guest LAN have no way to initiate communication to devices on the
Secure LAN: the Secure Router's upstream (WAN-side) firewall and NAT drop unsolicited inbound connections from the Guest LAN, exactly as they would from the internet.</p><p>The main downsides: the guest router may hold the ISP credentials, and every packet from the secure LAN passes through it, so if it is compromised by an untrusted device it can MITM the secure LAN's internet traffic (anything not protected end to end by TLS or a VPN). The secure router should therefore treat its upstream side as hostile.</p><h3 class="anchor anchorWithStickyNavbar_mojV" id="multi-psk--vlans">Multi PSK & VLANs<a class="hash-link" href="#multi-psk--vlans" title="Direct link to heading"></a></h3><p>Today's most featureful home routers offer support for one passphrase per device. This solves
many of the MITM and decryption issues for guest isolation: a device that does not hold another device's passphrase cannot derive that device's keys. Devices can be placed into VLANs with unique WiFi passphrases, per-station group keys (GTKs), and firewall rules, creating truly strong isolation. Together these are powerful building blocks for designing a home network securely.</p><p>This is the approach SPR follows, and we've <a href="/pages/blog/multipsk and wpa3">spearheaded Multi-PSK with WPA3</a>.
SPR provides maximum isolation capabilities by placing each station into its own LAN. Users can then easily
create groups of interconnected devices.</p><p><img loading="lazy" src="/pages/assets/images/tinynets-1cc6f9d81a93c8b078f78fc0f5ad2f21.png" width="1594" height="932"></p><h3 class="anchor anchorWithStickyNavbar_mojV" id="spr-supports-plugging-into-an-existing-router-securely">SPR Supports Plugging into An Existing Router Securely<a class="hash-link" href="#spr-supports-plugging-into-an-existing-router-securely" title="Direct link to heading"></a></h3><p>We recommend running SPR by plugging it into an existing router. To support securely doing this,
by default -- the firewall will block access to private network addresses over the upstream interface.</p><p>This prevents devices connected to SPR from accessing devices on the LAN of the current router.</p><p>To allow a device access to private network addresses upstream, users can apply the <code>lan_upstream</code> tag to the device.</p><p><img loading="lazy" src="/pages/assets/images/add_wifi_device_lan_upstream-145072582030d7952626322f2bd1575b.png" width="1602" height="960"></p><p>And then manage the tag in the Devices view</p><p><img loading="lazy" src="/pages/assets/images/manage_lan_upstream_tag-88b8dd183fce79f2313324b0725db7a8.png" width="2176" height="1066"></p></div><footer class="row docusaurus-mt-lg"><div class="col"><b>Tags:</b><ul class="tags_XVD_ padding--none margin-left--sm"><li class="tag_JSN8"><a class="tag_hD8n tagRegular_D6E_" href="/pages/blog/tags/spr">SPR</a></li><li class="tag_JSN8"><a class="tag_hD8n tagRegular_D6E_" href="/pages/blog/tags/routers">Routers</a></li><li class="tag_JSN8"><a class="tag_hD8n tagRegular_D6E_" href="/pages/blog/tags/networking-101">Networking 101</a></li></ul></div></footer></article><article class="margin-bottom--xl" itemprop="blogPost" itemscope="" itemtype="http://schema.org/BlogPosting"><header><h2 class="blogPostTitle_rzP5" itemprop="headline"><a itemprop="url" href="/pages/blog/multipsk and wpa3">SPR Supports WPA3 with Multiple Passwords</a></h2><div class="blogPostData_Zg1s margin-vert--md"><time datetime="2022-05-02T00:00:00.000Z" itemprop="datePublished">May 2, 2022</time> · <!-- -->2 min read</div><div class="margin-top--md margin-bottom--sm row"><div class="col col--6 authorCol_FlmR"><div class="avatar margin-bottom--sm"><div class="avatar__intro" itemprop="author" itemscope="" itemtype="https://schema.org/Person"><div class="avatar__name"><a href="https://twitter.com/defendtheworld" target="_blank" rel="noopener noreferrer" itemprop="url"><span itemprop="name">Alex 
Radocea</span></a></div></div></div></div></div></header><div class="markdown" itemprop="articleBody"><h3 class="anchor anchorWithStickyNavbar_mojV" id="sprs-wpa3-multiple-passwords-per-ssid-surprises-people">SPR's WPA3 Multiple Passwords per SSID Surprises People<a class="hash-link" href="#sprs-wpa3-multiple-passwords-per-ssid-surprises-people" title="Direct link to heading"></a></h3><p> WiFi nerds and people working on WiFi products have shared their surprise with me a few times now about the integration for multi-PSK with WPA3. This is something already mostly built into HostAP so it should be possible anywhere, although it is not obvious from the documentation. I'm told that most other projects simply don't do it, putting SPR at the head of the pack! In this post I'll share how it's integrated, so that others can benefit from the ideas and improve WiFi security for people all around the world.</p><h3 class="anchor anchorWithStickyNavbar_mojV" id="wpa3-authentication-is-fundamentally-different">WPA3 Authentication is Fundamentally Different<a class="hash-link" href="#wpa3-authentication-is-fundamentally-different" title="Direct link to heading"></a></h3><p>WPA3 authentication uses <a href="https://datatracker.ietf.org/doc/html/rfc7664" target="_blank" rel="noopener noreferrer">Dragonfly</a>, a password-authenticated key exchange (PAKE) in which each side proves knowledge of the password without revealing it, as its Simultaneous Authentication of Equals (SAE) handshake. With SAE there is nothing in a sniffed exchange that supports an offline dictionary attack: every password guess costs a live handshake with the access point. This is in contrast to WPA/WPA2, which is notorious for offline cracking of weak passwords from captured handshakes -- or even more conveniently, by using the <a href="https://hashcat.net/forum/thread-7717.html" target="_blank" rel="noopener noreferrer">RSN IE (PMKID) specification flaw</a>.</p><p>For WPA2 Multi-PSK, a router can go down the list of stored PSKs and try each one against the station's 4-way handshake to see which key matches.
For WPA3, this is not possible. Authenticating a password requires an interactive zero knowledge proof, so a new handshake is required to try a different password.</p><h3 class="anchor anchorWithStickyNavbar_mojV" id="spr-uses-hostaps-mac-assignment">SPR Uses HostAP's MAC Assignment<a class="hash-link" href="#spr-uses-hostaps-mac-assignment" title="Direct link to heading"></a></h3><p>PSKs are assigned by MAC address. HostAP looks up the passphrase by the connecting station's MAC address and uses that one for the interactive proof, so the correct credential is tried the first time around.</p><p>The MAC address only selects which passphrase is tried; it is not itself a credential. A station that spoofs another device's MAC still has to prove knowledge of that device's passphrase, and a device that presents a different address than the one on file (for example after a change in its MAC randomization setting) will be matched against a different entry, or none, and fail to authenticate.</p><p>The syntax for hostapd.conf to assign multiple devices is as follows:</p><div class="codeBlockContainer_I0IT theme-code-block"><div class="codeBlockContent_wNvx"><pre tabindex="0" class="prism-code language-text codeBlock_jd64 thin-scrollbar" style="color:#F8F8F2;background-color:#282A36"><code class="codeBlockLines_mRuA"><span class="token-line" style="color:#F8F8F2"><span class="token plain">sae_password=1stPassphraseHere|mac=01:23:45:67:89:aa</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">sae_password=2ndPassphraseHere|mac=01:23:45:67:89:ab</span><br></span></code></pre><button type="button" aria-label="Copy code to clipboard" class="copyButton_wuS7 clean-btn">Copy</button></div></div><h3 class="anchor anchorWithStickyNavbar_mojV" id="adding-device-is-seamless">Adding Device is Seamless<a class="hash-link" href="#adding-device-is-seamless" title="Direct link to heading"></a></h3><p>Adding devices is an easy process. If the user already knows the device's MAC address, they can
specify the MAC address ahead of time. However, SPR can use a wildcard MAC to match a new
incoming device. When the device authenticates, that PSK will be assigned to the device's MAC.</p><p>While a wildcard entry is in place, any station that knows its passphrase can claim it, so treat each wildcard passphrase as a one-time enrollment secret: hand it to exactly one device, and once that device has connected, confirm in the Devices view that the PSK is now bound to its MAC address rather than to the wildcard.</p><div class="codeBlockContainer_I0IT theme-code-block"><div class="codeBlockContent_wNvx"><pre tabindex="0" class="prism-code language-text codeBlock_jd64 thin-scrollbar" style="color:#F8F8F2;background-color:#282A36"><code class="codeBlockLines_mRuA"><span class="token-line" style="color:#F8F8F2"><span class="token plain">sae_password=3rdPassphraseHere|mac=ff:ff:ff:ff:ff:ff</span><br></span></code></pre><button type="button" aria-label="Copy code to clipboard" class="copyButton_wuS7 clean-btn">Copy</button></div></div><h3 class="anchor anchorWithStickyNavbar_mojV" id="devices-workflow">Devices Workflow<a class="hash-link" href="#devices-workflow" title="Direct link to heading"></a></h3><h4 class="anchor anchorWithStickyNavbar_mojV" id="first-go-to-the-add-device-modal-and-add-a-device-name-and-hit-next">First, go to the add device modal and add a device name and hit next<a class="hash-link" href="#first-go-to-the-add-device-modal-and-add-a-device-name-and-hit-next" title="Direct link to heading"></a></h4><p><img loading="lazy" src="/pages/assets/images/add_device_1-01b0f5f44775c92f40090e85db695506.png" alt="Add device dialog: entering a device name" width="980" height="642"></p><h4 class="anchor anchorWithStickyNavbar_mojV" id="next-scan-the-qr-code--or-type-the-passphrase-on-a-new-device">Next, scan the QR code or type the passphrase on a new device<a class="hash-link" href="#next-scan-the-qr-code--or-type-the-passphrase-on-a-new-device" title="Direct link to heading"></a></h4><p><img loading="lazy" src="/pages/assets/images/add_device_2-ec89e7ff6f26c0d21d79dc9d059c18d9.png" alt="Add device dialog: QR code and passphrase for the new device" width="968" height="809"></p><h4 class="anchor anchorWithStickyNavbar_mojV" id="upon-connection-the-ui-will-notify-success-and-the-psk-will-be-assigned-to-the-mac">Upon connection the UI will notify success and the PSK will be assigned to the MAC<a class="hash-link" 
href="#upon-connection-the-ui-will-notify-success-and-the-psk-will-be-assigned-to-the-mac" title="Direct link to heading"></a></h4><p><img loading="lazy" src="/pages/assets/images/add_device_3-48bef3bc65a140fc598aa1497ed71e56.png" width="974" height="846"></p></div><footer class="row docusaurus-mt-lg"><div class="col"><b>Tags:</b><ul class="tags_XVD_ padding--none margin-left--sm"><li class="tag_JSN8"><a class="tag_hD8n tagRegular_D6E_" href="/pages/blog/tags/spr">SPR</a></li><li class="tag_JSN8"><a class="tag_hD8n tagRegular_D6E_" href="/pages/blog/tags/wifi-6">wifi6</a></li><li class="tag_JSN8"><a class="tag_hD8n tagRegular_D6E_" href="/pages/blog/tags/wpa-3">WPA3</a></li><li class="tag_JSN8"><a class="tag_hD8n tagRegular_D6E_" href="/pages/blog/tags/ppsk">PPSK</a></li></ul></div></footer></article><article class="margin-bottom--xl" itemprop="blogPost" itemscope="" itemtype="http://schema.org/BlogPosting"><header><h2 class="blogPostTitle_rzP5" itemprop="headline"><a itemprop="url" href="/pages/blog/wifi6">Gigabit WiFi with SPR & The 4x4 MT7915</a></h2><div class="blogPostData_Zg1s margin-vert--md"><time datetime="2022-04-13T00:00:00.000Z" itemprop="datePublished">April 13, 2022</time> · <!-- -->3 min read</div><div class="margin-top--md margin-bottom--sm row"><div class="col col--6 authorCol_FlmR"><div class="avatar margin-bottom--sm"><div class="avatar__intro" itemprop="author" itemscope="" itemtype="https://schema.org/Person"><div class="avatar__name"><a href="https://twitter.com/defendtheworld" target="_blank" rel="noopener noreferrer" itemprop="url"><span itemprop="name">Alex Radocea</span></a></div></div></div></div></div></header><div class="markdown" itemprop="articleBody"><h2 class="anchor anchorWithStickyNavbar_mojV" id="intro">Intro<a class="hash-link" href="#intro" title="Direct link to heading"></a></h2><p>In this post we'll cover how to configure hostapd with the mt7915 to run 160 MHz channels over 5ghz.
This allows stations to break gigabit speeds for WiFi with only 2 spatial streams.</p><h2 class="anchor anchorWithStickyNavbar_mojV" id="requirements">Requirements<a class="hash-link" href="#requirements" title="Direct link to heading"></a></h2><ul><li>A 160Mhz capable card on the SPR device, for example <a href="https://www.asiarf.com/shop/wifi-wlan/wifi_mini_pcie/wifi6-4t4r-dual-bands-selectable-mpcie-card-ieee802-11ax-ac-a-b-g-n-2-4g-5ghz-aw7915-np1/" target="_blank" rel="noopener noreferrer">AsiaRF's AW7915-NP1</a></li><li>160MHz capable client wifi card, such as <a href="https://www.intel.com/content/www/us/en/products/sku/204836/intel-wifi-6e-ax210-gig/specifications.html" target="_blank" rel="noopener noreferrer">Intel's AX210</a>. <a href="https://ark.intel.com/content/www/us/en/ark/products/130293/intel-wifi-6-ax201-gig.html" target="_blank" rel="noopener noreferrer">Intel's AX201 and AX200</a> also have 160Mhz support for 5ghz.</li></ul><h2 class="anchor anchorWithStickyNavbar_mojV" id="preparation">Preparation<a class="hash-link" href="#preparation" title="Direct link to heading"></a></h2><ul><li>Set up your AP device according to the <a href="/pages/docs/setup_run_spr">SPR Setup Guide</a></li><li>For mt7915, run a mainline kernel or a kernel with fixes from <code>https://github.com/openwrt/mt76</code> and the latest firmware. I'll publish some updates to building SPR with these in the near future. Fixes are needed for DFS support.</li></ul><h2 class="anchor anchorWithStickyNavbar_mojV" id="hostapd-configuration">Hostapd configuration<a class="hash-link" href="#hostapd-configuration" title="Direct link to heading"></a></h2><ol><li>Modify <code>config/wifi/hostpad.conf</code></li><li>Make sure vht_capab includes <!-- -->[VHT160]<!-- --> and <!-- -->[SHORT-GI-160]</li><li>Make sure to set vht_oper_chwidth/he_oper_chwidth set to 2.</li><li>For the channel configuration, the following are valid 160mhz centers on 5ghz: <!-- -->[50, 114, 163]<!-- -->. 
Set the vht/he_oper_centr_freq_seg0_idx to these values and the channel to the center value - 14.</li><li>Set ieee80211ax to 1</li></ol><div class="codeBlockContainer_I0IT theme-code-block"><div class="codeBlockContent_wNvx"><pre tabindex="0" class="prism-code language-text codeBlock_jd64 thin-scrollbar" style="color:#F8F8F2;background-color:#282A36"><code class="codeBlockLines_mRuA"><span class="token-line" style="color:#F8F8F2"><span class="token plain">ctrl_interface=/state/wifi/control</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">country_code=US</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">interface=wlan0</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">ssid=TestLab</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">hw_mode=a</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">ieee80211d=1</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">ieee80211h=1</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">ieee80211n=1</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">ieee80211ac=1</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">ieee80211ax=1</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">he_su_beamformer=1</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">he_su_beamformee=1</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">he_mu_beamformer=1</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">wmm_enabled=1</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">preamble=1</span><br></span><span 
class="token-line" style="color:#F8F8F2"><span class="token plain">ht_capab=[LDPC][HT40+][HT40-][GF][SHORT-GI-20][SHORT-GI-40]</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">vht_capab=[MAX-MPDU-7991][SU-BEAMFORMEE][SU-BEAMFORMER][VHT160][RXLDPC][SHORT-GI-160][SHORT-GI-80][MAX-A-MPDU-LEN-EXP3][RX-ANTENNA-PATTERN][TX-ANTENNA-PATTERN][TX-STBC-2BY1][RX-STBC-1][MU-BEAMFORMER][MU-BEAMFORMEE]</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">vht_oper_chwidth=2</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">he_oper_chwidth=2</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">channel=36</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">vht_oper_centr_freq_seg0_idx=50</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">he_oper_centr_freq_seg0_idx=50</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">auth_algs=1</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">wpa=2</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">wpa_key_mgmt=WPA-PSK WPA-PSK-SHA256 SAE</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">rsn_pairwise=CCMP</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"># Security parameters</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"># NOTE(review): WPA3-SAE requires Protected Management Frames and ieee80211w is not set in</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"># this excerpt: use ieee80211w=1 for the mixed WPA2/WPA3 wpa_key_mgmt above, 2 for SAE-only.</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"># Isolate stations and per-station group keys</span><br></span><span class="token 
plain">ap_isolate=1</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">multicast_to_unicast=1</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"># Mitigate krack attack</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">wpa_disable_eapol_key_retries=1</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"># VLAN</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">per_sta_vif=1</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"># Passwords</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">sae_psk_file=/configs/wifi/sae_passwords</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">wpa_psk_file=/configs/wifi/wpa2pskfile</span><br></span></code></pre><button type="button" aria-label="Copy code to clipboard" class="copyButton_wuS7 clean-btn">Copy</button></div></div><ol start="2"><li>Restart hostapd</li></ol><div class="codeBlockContainer_I0IT theme-code-block"><div class="codeBlockContent_wNvx"><pre tabindex="0" class="prism-code language-text codeBlock_jd64 thin-scrollbar" style="color:#F8F8F2;background-color:#282A36"><code class="codeBlockLines_mRuA"><span class="token-line" style="color:#F8F8F2"><span class="token plain">root@pirouter:~/super# docker-compose restart 
wifid</span><br></span></code></pre><button type="button" aria-label="Copy code to clipboard" class="copyButton_wuS7 clean-btn">Copy</button></div></div><p>If anything has gone wrong, check the docker compose logs for the wifid service.</p><h2 class="anchor anchorWithStickyNavbar_mojV" id="perf-test">Perf Test<a class="hash-link" href="#perf-test" title="Direct link to heading"></a></h2><p>Running iperf3 on the SPR device, and iperf3 on a client with AX210 chip, we see the following:</p><h4 class="anchor anchorWithStickyNavbar_mojV" id="on-spr">On SPR:<a class="hash-link" href="#on-spr" title="Direct link to heading"></a></h4><p><code>iw wls6 info</code></p><div class="codeBlockContainer_I0IT theme-code-block"><div class="codeBlockContent_wNvx"><pre tabindex="0" class="prism-code language-text codeBlock_jd64 thin-scrollbar" style="color:#F8F8F2;background-color:#282A36"><code class="codeBlockLines_mRuA"><span class="token-line" style="color:#F8F8F2"><span class="token plain">Interface wls6</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> ifindex 5</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> wdev 0x1</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> addr 00:0a:52:07:32:c9</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> ssid testlab</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> type AP</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> wiphy 0</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> channel 100 (5500 MHz), width: 160 MHz, center1: 5570 MHz</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> txpower 23.00 dBm</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> multicast 
TXQ:</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> qsz-byt qsz-pkt flows drops marks overlmt hashcol tx-bytes tx-packets</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> 0 0 246 0 0 0 0 27114 272</span><br></span></code></pre><button type="button" aria-label="Copy code to clipboard" class="copyButton_wuS7 clean-btn">Copy</button></div></div><p><code>iperf3 -s</code></p><h4 class="anchor anchorWithStickyNavbar_mojV" id="on-the-station">On the station:<a class="hash-link" href="#on-the-station" title="Direct link to heading"></a></h4><p><code>iperf3 -c 192.168.2.1</code></p><h4 class="anchor anchorWithStickyNavbar_mojV" id="performance-results">Performance results<a class="hash-link" href="#performance-results" title="Direct link to heading"></a></h4><div class="codeBlockContainer_I0IT theme-code-block"><div class="codeBlockContent_wNvx"><pre tabindex="0" class="prism-code language-text codeBlock_jd64 thin-scrollbar" style="color:#F8F8F2;background-color:#282A36"><code class="codeBlockLines_mRuA"><span class="token-line" style="color:#F8F8F2"><span class="token plain">Accepted connection from 192.168.2.26, port 56156</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">[ 5] local 192.168.2.1 port 5201 connected to 192.168.2.26 port 56158</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">[ ID] Interval Transfer Bitrate </span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">[ 5] 0.00-1.00 sec 139 MBytes 1.17 Gbits/sec </span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">[ 5] 1.00-2.00 sec 126 MBytes 1.06 Gbits/sec </span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">[ 5] 2.00-3.00 sec 141 MBytes 1.18 Gbits/sec </span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token 
plain">[ 5] 3.00-4.00 sec 137 MBytes 1.15 Gbits/sec </span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">[ 5] 4.00-5.00 sec 152 MBytes 1.27 Gbits/sec </span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">[ 5] 5.00-6.00 sec 153 MBytes 1.28 Gbits/sec </span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">[ 5] 6.00-7.00 sec 155 MBytes 1.30 Gbits/sec </span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">[ 5] 7.00-8.00 sec 148 MBytes 1.24 Gbits/sec </span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">[ 5] 8.00-9.00 sec 145 MBytes 1.21 Gbits/sec </span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">[ 5] 9.00-10.00 sec 119 MBytes 995 Mbits/sec </span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">[ 5] 10.00-10.00 sec 482 KBytes 1.22 Gbits/sec </span><br></span></code></pre><button type="button" aria-label="Copy code to clipboard" class="copyButton_wuS7 clean-btn">Copy</button></div></div></div><footer class="row docusaurus-mt-lg"><div class="col"><b>Tags:</b><ul class="tags_XVD_ padding--none margin-left--sm"><li class="tag_JSN8"><a class="tag_hD8n tagRegular_D6E_" href="/pages/blog/tags/spr">SPR</a></li><li class="tag_JSN8"><a class="tag_hD8n tagRegular_D6E_" href="/pages/blog/tags/wifi-6">wifi6</a></li><li class="tag_JSN8"><a class="tag_hD8n tagRegular_D6E_" href="/pages/blog/tags/80211-ax">80211ax</a></li></ul></div></footer></article><article class="margin-bottom--xl" itemprop="blogPost" itemscope="" itemtype="http://schema.org/BlogPosting"><header><h2 class="blogPostTitle_rzP5" itemprop="headline"><a itemprop="url" href="/pages/blog/spr_mini_pc">Running SPR on a Mini PC with WiFi 6</a></h2><div class="blogPostData_Zg1s margin-vert--md"><time datetime="2022-03-18T00:00:00.000Z" itemprop="datePublished">March 18, 
2022</time> · <!-- -->3 min read</div><div class="margin-top--md margin-bottom--sm row"><div class="col col--6 authorCol_FlmR"><div class="avatar margin-bottom--sm"><div class="avatar__intro" itemprop="author" itemscope="" itemtype="https://schema.org/Person"><div class="avatar__name"><a href="https://twitter.com/defendtheworld" target="_blank" rel="noopener noreferrer" itemprop="url"><span itemprop="name">Alex Radocea</span></a></div></div></div></div></div></header><div class="markdown" itemprop="articleBody"><h2 class="anchor anchorWithStickyNavbar_mojV" id="intro">Intro<a class="hash-link" href="#intro" title="Direct link to heading"></a></h2><p>In the blog post we'll describe how to build and run SPR on a Mini-PC. And we'll use a WiFi 6 capable radio inside.</p><h2 class="anchor anchorWithStickyNavbar_mojV" id="first-get-a-mini-pc-ready">First, get a Mini PC ready<a class="hash-link" href="#first-get-a-mini-pc-ready" title="Direct link to heading"></a></h2><ol><li><p>Identify a good mini PC to use. <a href="https://twitter.com/willy_wong" target="_blank" rel="noopener noreferrer">Wilson</a> suggested
a look at QOTOM's i3 Broadwell routers.</p><p> The <a href="https://amzn.to/36qmZjI" target="_blank" rel="noopener noreferrer">g330</a> is not bad. It's a fanless build with a TDP of 15W. One mini PCI-e slot is dedicated to <a href="https://en.wikipedia.org/wiki/Serial_ATA#Mini-SATA_(mSATA)" target="_blank" rel="noopener noreferrer">mSATA</a>, and the other can be used to fit a WiFi radio. It also has additional SATA available for one more storage drive.</p><a href="https://amzn.to/36qmZjI" target="_blank" rel="noopener noreferrer"><p> <img src="https://m.media-amazon.com/images/I/61KcP6zQLsL._AC_SX679_.jpg" alt="Qotom g330 fanless mini PC"></p></a><p> WARNING: On this device, the mini-PCIe slot has a tall post for half-sized cards that needs to be removed to fit thicker full-sized WiFi cards.</p></li><li><p>Get a good WiFi radio.</p><p>We'll run with an 802.11ax card that works with Linux in AP mode (at least 802.11ac is recommended).</p><p>Mediatek is the disruptor in this space and supports AP mode on Linux. <!-- -->[<!-- -->NOTE: Many other cards will NOT work with ax in AP mode on Linux with open source drivers<!-- -->]<!-- -->. If you have recommendations please do not hesitate to reach out on the <a href="https://matrix.to/#/#spr:matrix.org" target="_blank" rel="noopener noreferrer">matrix chat</a>.
For the G330 Qotom, 2 antenna wires are routed to the outside of the case, so the 2x2 configuration is best.</p><p>The <a href="https://www.asiarf.com/shop/wifi-wlan/wifi_mini_pcie/wifi6-2t2r-dual-bands-dbdc-mpcie-card-11ax-mt7915-aw7915-npd/" target="_blank" rel="noopener noreferrer">MT7915</a> can be purchased from AsiaRF.</p><a href="https://www.asiarf.com/shop/wifi-wlan/wifi_mini_pcie/wifi6-2t2r-dual-bands-dbdc-mpcie-card-11ax-mt7915-aw7915-npd/" target="_blank" rel="noopener noreferrer"><p><img src="https://sp-ao.shortpixel.ai/client/to_webp,q_glossy,ret_img,w_400,h_400/https://www.asiarf.com/wp-content/uploads/2021/07/aw7915-npd-1_top.jpg" alt="AsiaRF MT7915 WiFi 6 mini PCIe card"></p></a></li></ol><h2 class="anchor anchorWithStickyNavbar_mojV" id="setup">Setup<a class="hash-link" href="#setup" title="Direct link to heading"></a></h2><p>Download and install Ubuntu Server. Since the WiFi 6 driver is a work in progress, we grabbed a daily release of <a href="https://cdimage.ubuntu.com/ubuntu-server/daily-live/current/jammy-live-server-amd64.iso" target="_blank" rel="noopener noreferrer">Jammy Jellyfish 22.04</a> from the <a href="https://cdimage.ubuntu.com/ubuntu-server/daily-live/current/" target="_blank" rel="noopener noreferrer">Ubuntu Live</a> page to get the latest fixes.
Copy the installer to installation media (a flash drive) then plug it in and go.</p><p>Then follow the <a href="/pages/docs/setup_run_spr">SPR Setup Guide</a>.</p><p>Our config/base/config.sh:</p><div class="codeBlockContainer_I0IT theme-code-block"><div class="codeBlockContent_wNvx"><pre tabindex="0" class="prism-code language-text codeBlock_jd64 thin-scrollbar" style="color:#F8F8F2;background-color:#282A36"><code class="codeBlockLines_mRuA"><span class="token-line" style="color:#F8F8F2"><span class="token plain">#!/bin/sh </span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">SSID_NAME=6lab </span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">SSID_INTERFACE=wlan1 </span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">#PPPIF=eth0 </span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">#WANIF=ppp0</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">#PPP_VLANID=201</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">#PPP_PROVIDER=provider-config</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">WANIF=enp1s0</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">RUN_WAN_DHCP=true</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">RUN_WAN_DHCP_IPV=4</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"># Uncomment the next line if a second ethernet port goes to wired LAN</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">#LANIF=eth1</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token 
plain">VLANIF=wlan1</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">VLANSIF=$VLANIF.</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">LANIP=192.168.3.1</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">DNSIP=$LANIP</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">TINYNETSTART=192.168.3.4</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">TINYNETSTOP=192.168.3.255</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">TINYNETMASK=255.255.255.252</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">TINYSLASHMASK=30</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">DOCKERNET=172.17.0.0/16</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">DOCKERIF=docker0</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">WIREGUARD_PORT=51280</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">#WIREGUARD_NETWORK=192.168.3.1/24</span><br></span></code></pre><button type="button" aria-label="Copy code to clipboard" class="copyButton_wuS7 clean-btn">Copy</button></div></div><h2 class="anchor anchorWithStickyNavbar_mojV" id="configure-hostapd-for-80211ax">Configure hostapd for 802.11AX<a class="hash-link" href="#configure-hostapd-for-80211ax" title="Direct link to heading"></a></h2><p>On the SPR device, modify <code>configs/wifi/hostapd.conf</code> and add:</p><div class="codeBlockContainer_I0IT theme-code-block"><div 
class="codeBlockContent_wNvx"><pre tabindex="0" class="prism-code language-text codeBlock_jd64 thin-scrollbar" style="color:#F8F8F2;background-color:#282A36"><code class="codeBlockLines_mRuA"><span class="token-line" style="color:#F8F8F2"><span class="token plain">ieee80211ax=1</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">he_su_beamformer=1</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">he_su_beamformee=1</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">he_mu_beamformer=1</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">he_oper_chwidth=1 # 80mhz channel</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">he_oper_centr_freq_seg0_idx=42</span><br></span></code></pre><button type="button" aria-label="Copy code to clipboard" class="copyButton_wuS7 clean-btn">Copy</button></div></div><p>Restart wifid</p><div class="codeBlockContainer_I0IT theme-code-block"><div class="codeBlockContent_wNvx"><pre tabindex="0" class="prism-code language-text codeBlock_jd64 thin-scrollbar" style="color:#F8F8F2;background-color:#282A36"><code class="codeBlockLines_mRuA"><span class="token-line" style="color:#F8F8F2"><span class="token plain">docker-compose restart wifid</span><br></span></code></pre><button type="button" aria-label="Copy code to clipboard" class="copyButton_wuS7 clean-btn">Copy</button></div></div><p>Connect a wifi 6 client and verify HE codings are available</p><div class="codeBlockContainer_I0IT theme-code-block"><div class="codeBlockContent_wNvx"><pre tabindex="0" class="prism-code language-text codeBlock_jd64 thin-scrollbar" style="color:#F8F8F2;background-color:#282A36"><code class="codeBlockLines_mRuA"><span class="token-line" style="color:#F8F8F2"><span class="token plain"># iw dev wlan1.4096 station dump -v | grep bitrate</span><br></span><span 
class="token-line" style="color:#F8F8F2"><span class="token plain"> tx bitrate: 1200.9 MBit/s 80MHz HE-MCS 11 HE-NSS 2 HE-GI 0 HE-DCM 0</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> rx bitrate: 720.6 MBit/s 80MHz HE-MCS 7 HE-NSS 2 HE-GI 0 HE-DCM 0</span><br></span></code></pre><button type="button" aria-label="Copy code to clipboard" class="copyButton_wuS7 clean-btn">Copy</button></div></div><h2 class="anchor anchorWithStickyNavbar_mojV" id="some-notes-on-the-mt7915">Some Notes on the MT7915<a class="hash-link" href="#some-notes-on-the-mt7915" title="Direct link to heading"></a></h2><p>The MT7915 is a Dual Mode driver. This means that it supports both 2Ghz and 5Ghz
frequencies simultaneously. For our install the 2ghz interface is on <code>wlan0</code> and 5Ghz on <code>wlan1</code>. This is really wonderful, since one card can serve older IOT devices that only run on 2Ghz as well as more modern devices at high speeds.</p><p>The linux kernel driver is not yet as stable as it could be, so beware that it may not yet be production ready -- several assertions and crashes were noticed. The mainline kernel does not yet support radar scanning, however the code is available in the <a href="https://github.com/openwrt/mt76" target="_blank" rel="noopener noreferrer">openwrt development branch</a>.</p></div><footer class="row docusaurus-mt-lg"><div class="col"><b>Tags:</b><ul class="tags_XVD_ padding--none margin-left--sm"><li class="tag_JSN8"><a class="tag_hD8n tagRegular_D6E_" href="/pages/blog/tags/spr">SPR</a></li><li class="tag_JSN8"><a class="tag_hD8n tagRegular_D6E_" href="/pages/blog/tags/x-64">x64</a></li><li class="tag_JSN8"><a class="tag_hD8n tagRegular_D6E_" href="/pages/blog/tags/80211-ax">80211ax</a></li></ul></div></footer></article><article class="margin-bottom--xl" itemprop="blogPost" itemscope="" itemtype="http://schema.org/BlogPosting"><header><h2 class="blogPostTitle_rzP5" itemprop="headline"><a itemprop="url" href="/pages/blog/UI Push">Supernetworks just Released a React User Interface</a></h2><div class="blogPostData_Zg1s margin-vert--md"><time datetime="2022-01-19T00:00:00.000Z" itemprop="datePublished">January 19, 2022</time> · <!-- -->3 min read</div><div class="margin-top--md margin-bottom--sm row"><div class="col col--6 authorCol_FlmR"><div class="avatar margin-bottom--sm"><div class="avatar__intro" itemprop="author" itemscope="" itemtype="https://schema.org/Person"><div class="avatar__name"><a href="https://twitter.com/defendtheworld" target="_blank" rel="noopener noreferrer" itemprop="url"><span itemprop="name">Alex Radocea</span></a></div></div></div></div></div></header><div class="markdown" 
itemprop="articleBody"><h2 class="anchor anchorWithStickyNavbar_mojV" id="user-friendliness">User Friendliness<a class="hash-link" href="#user-friendliness" title="Direct link to heading"></a></h2><p>The SPR project started out as a series of bash scripts and configuration files. Adding new devices
was a little bit error-prone, as everything was done on the command line. Each device would
require a new, strong password, and each device needed to be added to a zone's configuration.
Next, hostapd had to be restarted to get WPA3 password reloading to work. It was hard to debug and not apparent if things failed.</p><p>What would make SPR super useful, though, would be if it was easy to use. And a user interface can do that for us.</p><p>So this week, Supernetworks pushed out a <a href="https://github.com/spr-networks/super/tree/main/frontend" target="_blank" rel="noopener noreferrer">frontend</a> for testing.</p><h2 class="anchor anchorWithStickyNavbar_mojV" id="this-release-delivers-basic-ui-features">This Release Delivers Basic UI Features<a class="hash-link" href="#this-release-delivers-basic-ui-features" title="Direct link to heading"></a></h2><p>Three functions are now available:</p><ul><li>Add a new wireless device to the network</li><li>List devices</li><li>Set device access zones</li></ul><p>While these are simple things, and seemingly easy, SPR's services work together to build a network
that is virtually unlike all other wifi setups available today. As a result, the base station service,
the DHCP server, and the API need to work together to leverage their features so that users have
a super smooth experience.</p><h2 class="anchor anchorWithStickyNavbar_mojV" id="see-a-demo">See a Demo<a class="hash-link" href="#see-a-demo" title="Direct link to heading"></a></h2><div><video width="100%" height="100%" playsinline="" muted="" controls="" src="/pages/video/sprui.mp4" type="video/mp4"></video></div><h3 class="anchor anchorWithStickyNavbar_mojV" id="how-devices-are-connected-to-spr">How Devices are Connected to SPR<a class="hash-link" href="#how-devices-are-connected-to-spr" title="Direct link to heading"></a></h3><ul><li>Each wireless device is on an isolated network, keyed in by their MAC address and passphrase</li><li>MAC/ARP spoofing is blocked by hardened firewall rules to completely stop ethernet/IP-based evasion for lateral movement</li><li>Zones specify the level of each individual device's access</li><li>Custom zones can create groups of devices that can intercommunicate without having full LAN access</li><li>Built in ad blocking with CoreDNS</li></ul><h4 class="anchor anchorWithStickyNavbar_mojV" id="some-of-the-challenges-were">Some of the challenges were<a class="hash-link" href="#some-of-the-challenges-were" title="Direct link to heading"></a></h4><ul><li>Laying down a solid foundation between the API and frontend to make adding new features great</li><li>Supporting a smooth WPA3 experience, which uses a ZKP for authentication</li><li>Making it fast and easy to add a device without having to also know or enter its MAC address ahead of time</li></ul><h2 class="anchor anchorWithStickyNavbar_mojV" id="the-zones">The Zones<a class="hash-link" href="#the-zones" title="Direct link to heading"></a></h2><p>The built in zones are</p><ul><li>DNS for outbound DNS queries</li><li>WAN for outbound internet access</li><li>LAN for general access to all local devices</li></ul><p>When a user types in a new name, such as "Cameras", NFTables verdict maps gets created
by the API. All of the members of the maps can send and receive IP traffic to one another,
but do not get general access to the LAN. In the future, custom firewall rules will be added
to further specify how the groups interact.</p><h2 class="anchor anchorWithStickyNavbar_mojV" id="whats-next-for-the-ui">What's Next for the UI<a class="hash-link" href="#whats-next-for-the-ui" title="Direct link to heading"></a></h2><p>For the road map, I'm thinking about security features such as intrusion detection
or automated security scanning and fingerprinting, network debugging and bandwidth monitoring,
per-device ad blocking, and home automation.</p></div><footer class="row docusaurus-mt-lg"><div class="col"><b>Tags:</b><ul class="tags_XVD_ padding--none margin-left--sm"><li class="tag_JSN8"><a class="tag_hD8n tagRegular_D6E_" href="/pages/blog/tags/spr">SPR</a></li><li class="tag_JSN8"><a class="tag_hD8n tagRegular_D6E_" href="/pages/blog/tags/ui">UI</a></li><li class="tag_JSN8"><a class="tag_hD8n tagRegular_D6E_" href="/pages/blog/tags/react">React</a></li><li class="tag_JSN8"><a class="tag_hD8n tagRegular_D6E_" href="/pages/blog/tags/golang">Golang</a></li></ul></div></footer></article><article class="margin-bottom--xl" itemprop="blogPost" itemscope="" itemtype="http://schema.org/BlogPosting"><header><h2 class="blogPostTitle_rzP5" itemprop="headline"><a itemprop="url" href="/pages/blog/first-blog-post">Announcing The SPR Project</a></h2><div class="blogPostData_Zg1s margin-vert--md"><time datetime="2022-01-10T00:00:00.000Z" itemprop="datePublished">January 10, 2022</time> · <!-- -->6 min read</div><div class="margin-top--md margin-bottom--sm row"><div class="col col--6 authorCol_FlmR"><div class="avatar margin-bottom--sm"><div class="avatar__intro" itemprop="author" itemscope="" itemtype="https://schema.org/Person"><div class="avatar__name"><a href="https://twitter.com/defendtheworld" target="_blank" rel="noopener noreferrer" itemprop="url"><span itemprop="name">Alex Radocea</span></a></div></div></div></div></div></header><div class="markdown" itemprop="articleBody"><h2 class="anchor anchorWithStickyNavbar_mojV" id="hello-spr">Hello, SPR<a class="hash-link" href="#hello-spr" title="Direct link to heading"></a></h2><p>I'm happy to start releasing the <strong>Secure Programmable Router</strong> project to the world. I've been running my home WiFi
with it for the past few months and I'm beyond excited to give back to the open source community.
I started working on this project because I think that Linux provides a tremendous amount of agility and
power for secure home networking but I felt like there was no router project out there that pulled it all together.</p><h2 class="anchor anchorWithStickyNavbar_mojV" id="the-spr-project-is-about-several-things">The SPR project is about several things<a class="hash-link" href="#the-spr-project-is-about-several-things" title="Direct link to heading"></a></h2><ul><li><p>A highly secure foundation to operate a home network where using the internet is safe and it's easy to see and control what IoT devices are up to when they are plugged in.</p></li><li><p>Making home privacy easy instead of begrudgingly sharing telemetry with big data companies.</p></li><li><p>Open source and empowering developers by lowering the barrier to entry for coding with home networking.</p></li><li><p>About reducing the barrier for entry.</p></li><li><p>Enabling scripting and rapid prototyping.</p></li><li><p>Adapting modern networking paradigms and tools that can meets today's needs.</p></li></ul><h2 class="anchor anchorWithStickyNavbar_mojV" id="how-spr-came-to-be">How SPR Came To Be<a class="hash-link" href="#how-spr-came-to-be" title="Direct link to heading"></a></h2><p>During the past year, I took a serious look at <a href="https://opnsense.org/" target="_blank" rel="noopener noreferrer">opnsense</a> and <a href="https://openwrt.org/" target="_blank" rel="noopener noreferrer">OpenWRT</a>, and ordered over a dozen different wifi routers to set up my home network. I sat down and built and deployed my own OpenWRT images and to set up secure wifi networks to connect with a more serious firewall. What I found was that the setups I had managed to achieve were not only frustrating to manage, but when I went to test their security, I found time and time again that vendor wifi routers were insecure due to fundamental limitations with the network designs. 
On top of that, they were <a href="https://www.zerodayinitiative.com/blog/2021/11/1/pwn2ownaustin" target="_blank" rel="noopener noreferrer">riddled with software security holes</a>. Unfortunately, running the open source builds of OpenWRT often had degraded performance versus the proprietary vendor patches or required breaking secure boot.</p><p>I felt frustrated because I felt like I had lost control over my own home network. I had only a basic idea of what I was running and what my devices were doing, let alone the routers themselves. Between smart bulbs and vacuum cleaners and home security cameras and speakers, TVs, gaming consoles, laptops, desktops, streaming devices, more routers, and work equipment, there was a lot of stuff that was online.</p><p>I've been working in computer security for over 15 years and I often get asked for how to set up a home network.</p><p>The best advice I could give people for their home wifi was to keep their mission critical systems on a dedicated wifi router, and plug that one into the main wifi router with all the other
"stuffs" that ultimately connects to the internet. This is awkward and requires switching networks or IGMP proxying to do discovery or zeroconf. This doesn't scale well across a multi-office home with repeaters and backhaul. It also doesn't scale well in an apartment where there's competition for radio bandwidth with neighbors for essentially one of only three coveted 80mhz channels on 5ghz.</p><p>The next best advice was to split out the "whatever" non-critical devices to the guest network, and the mission critical stuff on the main network. Hardening the guest network with isolation breaks discovery and streaming as well. In practice I found that most of the routers I looked at did not have good guest isolation anyway when enabled, something I will blog about later. No exploits are required, because more or less an attacker can just ask a router to send packets for them to work around hostapd's AP Isolation feature, and most of the routers will happily do what they do best, route the packets.</p><p>At the end of the day though, it's fundamentally a flawed idea to have a shared passphrase across many devices because that passphrase effectively lets devices spoof each other or attempt to intercept traffic, making it tough to truly firewall devices.</p><p>So then I started looking into enterprise wifi authentication: 802.1x (EAP-PEAP, EAP-TLS, EAP-PWD). EAP-TLS really is the only secure way to do things since EAP-PEAP suffers from fundamental <a href="https://datatracker.ietf.org/doc/html/draft-josefsson-pppext-eap-tls-eap-10#section-5.8" target="_blank" rel="noopener noreferrer">man in the middle issues</a> that were <a href="https://github.com/latelee/hostapd/commit/a190189d221aaef869ae2f52f7ead75b0c327995" target="_blank" rel="noopener noreferrer">never fixed</a>. 
Or EAP-PWD (which is almost wpa3) would be great, if it was supported by more devices and drivers, and well with EAP-TLS, certificate management is pain.</p><p>I really wished that one could just use a unique passphrase per device. Well, it turns out that yes, that works, and hostapd supports it out of the box. With some logic and <a href="https://github.com/spr-networks/hostap/commit/279c5203e4c767701ac9fb7cf31624390437d854" target="_blank" rel="noopener noreferrer">usability and correctness fixes</a> to hostapd, and it was easy to seamlessly add new devices and their passphrases on the fly.</p><p>Okay that was great. Next, I created strong device isolation with per-device subnets that could be configured to communicate with other subnets using forwarding rules. The resulting network was a bit too different than the spirit of the networking scripts in OpenWRT, and the patching became unreasonable to expect for upstream to accept, so I started from fresh ground.</p><p>SPR is implemented for rapid iteration. Services are containerized so that developers can swap out core services or roll up new ones in a testable, reproducible manner. An API drives configuration to allow for customization. SPR Runs off of Ubuntu, with Docker containers, and manages the network with NFTables. It uses hostapd for the base station software, CoreDHCP for DHCP, CoreDNS for DNS, and supports Wireguard.</p><p>SPR simply enables users to do better than today's status quo. It lets users run a hardened, secure network without restrictive drawbacks. It lets users connect their consumer electronics to the internet with the peace of mind that doing so does not weaken their home network security.</p><h2 class="anchor anchorWithStickyNavbar_mojV" id="whats-next">What's Next<a class="hash-link" href="#whats-next" title="Direct link to heading"></a></h2><p>Today SPR runs as a proof of concept on a Raspberry Pi. 
With a USB dongle it's well able to handle over a dozen wifi stations and serve data from the internet at rates up to 500 Mbps. Work is underway to expand to new systems.</p><p>I'm currently wrapping up a Web UI to make SPR user-friendly. In the near future I'll be posting a roadmap for what's planned.</p><p>Want to learn more and discuss? Join the <a href="https://discord.gg/WeNKMVTR" target="_blank" rel="noopener noreferrer">Discord Chat</a>.</p></div><footer class="row docusaurus-mt-lg"><div class="col"><b>Tags:</b><ul class="tags_XVD_ padding--none margin-left--sm"><li class="tag_JSN8"><a class="tag_hD8n tagRegular_D6E_" href="/pages/blog/tags/spr">SPR</a></li><li class="tag_JSN8"><a class="tag_hD8n tagRegular_D6E_" href="/pages/blog/tags/hello-world">Hello World</a></li></ul></div></footer></article><nav class="pagination-nav" aria-label="Blog list page navigation"><div class="pagination-nav__item"></div><div class="pagination-nav__item pagination-nav__item--next"></div></nav></main></div></div></div><footer class="footer footer--dark"><div class="container container-fluid"><div class="row footer__links"><div class="col footer__col"><div class="footer__title">SPR Links</div><ul class="footer__items"><li class="footer__item"><a class="footer__link-item" href="/pages/">SPR Homepage</a></li><li class="footer__item"><a class="footer__link-item" href="/pages/docs/intro">Documentation</a></li></ul></div><div class="col footer__col"><div class="footer__title">Community</div><ul class="footer__items"><li class="footer__item"><a href="https://matrix.to/#/#spr:matrix.org" target="_blank" rel="noopener noreferrer" class="footer__link-item"><span>Matrix<svg width="13.5" height="13.5" aria-hidden="true" viewBox="0 0 24 24" class="iconExternalLink_I5OW"><path fill="currentColor" d="M21 13v10h-21v-19h12v2h-10v15h17v-8h2zm3-12h-10.988l4.035 4-6.977 7.07 2.828 2.828 6.977-7.07 4.125 4.172v-11z"></path></svg></span></a></li><li class="footer__item"><a 
href="https://twitter.com/spr_networks" target="_blank" rel="noopener noreferrer" class="footer__link-item"><span>Twitter<svg width="13.5" height="13.5" aria-hidden="true" viewBox="0 0 24 24" class="iconExternalLink_I5OW"><path fill="currentColor" d="M21 13v10h-21v-19h12v2h-10v15h17v-8h2zm3-12h-10.988l4.035 4-6.977 7.07 2.828 2.828 6.977-7.07 4.125 4.172v-11z"></path></svg></span></a></li></ul></div><div class="col footer__col"><div class="footer__title"> </div><ul class="footer__items"><li class="footer__item"><a class="footer__link-item" href="/pages/blog">Blog</a></li><li class="footer__item"><a href="https://github.com/spr-networks/" target="_blank" rel="noopener noreferrer" class="footer__link-item"><span>GitHub<svg width="13.5" height="13.5" aria-hidden="true" viewBox="0 0 24 24" class="iconExternalLink_I5OW"><path fill="currentColor" d="M21 13v10h-21v-19h12v2h-10v15h17v-8h2zm3-12h-10.988l4.035 4-6.977 7.07 2.828 2.828 6.977-7.07 4.125 4.172v-11z"></path></svg></span></a></li></ul></div></div><div class="footer__bottom text--center"><div class="footer__copyright">Copyright © 2022 Longterm Security, Inc. Built with Docusaurus.</div></div></div></footer></div>
<!-- Same-origin Docusaurus runtime and main bundles; these are the two scripts the <head> already announces with rel="preload" as="script", and they are loaded here at the end of <body>. -->
<script src="/pages/assets/js/runtime~main.cb48395d.js"></script>
<script src="/pages/assets/js/main.607f1fa1.js"></script>
</body>
</html>