thisven/Website
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Add advamced networking guide

Browse source
This commit is contained in:
this.ven 2024-05-20 03:38:44 +02:00
parent 80a08c079b
commit e23b7d3f66
3 changed files with 272 additions and 153 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

242
content/docs/computer/advanced-networking.md Normal file
View file

@ -0,0 +1,242 @@
---
title: 'Advanced networking'
date: 2024-05-19T19:35:43+02:00
weight: 4
prev: /docs/computer/basic-configuration
next: /docs/computer/xfce-desktop
---
The initial setup during the [system preparation](../system-preparation) may be
sufficient for the [basic configuration](../basic-configuration) tasks. However,
time synchronization[^1] and enhanced privacy requires a more advanced setup:
1. Switch to a [#Network Manager](#network-manager) with:
1. [#IPv6 privacy](#ipv6-privacy)
2. [MAC address randomization](#mac-address-randomization)
2. Use chrony for [#Time synchronization](#time-synchronization)
3. [#Securing DNS](#securing-dns) via:
1. [#DNSSEC](#dnssec) for validating DNS queries
2. [#DNS over TLS](#dns-over-tls) for encrypting DNS traffic
## Network manager
First of all an utility for controlling network related tasks is desirable. The
[NetworkManager](https://wiki.archlinux.org/title/NetworkManager) can easily,
yet extensively manage wireless and wired ethernet[^2] interfaces. I install the
[networkmanager](https://archlinux.org/packages/?name=networkmanager) package:
```bash
sudo pacman -Sy networkmanager
```
The [DHCP client](https://wiki.archlinux.org/title/NetworkManager#DHCP_client),
which is integrated in the NetworkManager can cause issues in big wireless
networks such as [eduroam](https://eduroam.org). For this reason, I install the
[dhclient](https://archlinux.org/packages/?name=dhclient) as an alternative:
```bash
sudo pacman -Sy dhclient
```
For switching, I create a `/etc/NetworkManager/conf.d/dhcp-client.conf` file:
```{filename="/etc/NetworkManager/conf.d/dhcp-client.conf"}
[main]
dhcp=dhclient
```
### IPv6 privacy
To prevent [MAC address](https://en.wikipedia.org/wiki/MAC_address) leakage of
my interfaces, I enable the *IPv6 Privacy Extensions* for NetworkManager. I
create the file `/etc/NetworkManager/conf.d/ipv6-privacy.conf` containing:
``` {filename="/etc/NetworkManager/conf.d/ipv6-privacy.conf"}
[connection]
ipv6.ip6-privacy=2
```
### MAC address randomization
Additionally, with [MAC address randomization](https://wiki.archlinux.org/title/NetworkManager#Configuring_MAC_address_randomization)
enabled my physical MAC address is never leaked during layer 2 communication.
I create the file `/etc/NetworkManager/conf.d/rand-mac-address.conf`:
``` {filename="/etc/NetworkManager/conf.d/rand-mac-address.conf"}
[device-mac-randomization]
# "yes" is already default, but let's be safe
wifi.scan-rand-mac-address=yes
[connection-mac-randomization]
# randomize MAC for each connection
ethernet.cloned-mac-address=random
wifi.cloned-mac-address=random
```
### Starting NetworkManager
I disable and stop the Systemd-networkd service which has been configured in the
[#Networking](../system-preparation/#Networking) section of system preparation:
```bash
sudo systemctl stop systemd-networkd.service
sudo systemctl disable systemd-networkd.service
```
Afterwards I enable and start the NetworkManager to take over control:
```bash
sudo systemctl enable NetworkManager.service
sudo systemctl start NetworkManager.service
```
The existing wired configuration of the system preparation should be detected
and connect automatically. I remove the configuration file afterwards to ensure
that Systemd-networkd cannot interfere with the NetworkManager:
```bash
sudo rm /etc/systemd/network/20-wired.network
```
## Time synchronization
Synchronizing the system clock can happen via internet by using the Network Time
Protocol[^3] (NTP). The [chrony](https://wiki.archlinux.org/title/Chrony) NTP
client is a roaming friendly alternative to the reference implementation `ntp`.
I install the [chrony](https://archlinux.org/packages/?name=chrony) package via:
```bash
sudo pacman -Sy chrony
```
### NTS
The time synchronization can apply Transport Layer Security[^4] (TLS) by
[using NTS servers](https://wiki.archlinux.org/title/Chrony#Using_NTS_servers).
I edit the `/etc/chrony.conf` file to use a nearby NTS server and a fallback:
```{filename="/etc/chrony.conf"}
server ptbtime1.ptb.de offline nts
server nts1.time.nl offline nts
```
### Starting chrony
I disable and stop Systemd-timesyncd to prevent any conflicts:
```bash
sudo systemctl disable systemd-timesyncd.service
sudo systemctl stop systemd-timesyncd.service
```
Afterwards I enable and start the chronyd.service using these commands:
```bash
sudo systemctl enable chronyd.service
sudo systemctl start chronyd.service
```
And I check the configured NTP servers via:
```bash
chronyc -N 'sources -a -v'
```
### NetworkManager dispatcher
Additionally, chrony can automatically go into online/offline mode depending on
the connection state when using a NetworkManager dispatcher script. Install the
[networkmanager-dispatcher-chrony](https://aur.archlinux.org/packages/networkmanager-dispatcher-chrony/)
package from the AUR:
```bash
yay -Sy networkmanager-dispatcher-chrony
```
I enable and start the NetworkManager-dispatcher.service afterwards:
```bash
sudo systemctl enable NetworkManager-dispatcher.service
sudo systemctl start NetworkManager-dispatcher.service
```
## Securing DNS
The DNS[^5] is used to map IP addresses to domain names. DNS traffic from and to
your computer is unencrypted by default and leaks information about the sites
you visit in your web browser or can be used to identify which operating system
you are running, for example. Read more background information on this topic in
the [Privacy and security](https://wiki.archlinux.org/title/Domain_name_resolution#Privacy_and_security)
section in the Arch Wiki article about Domain name resolution.
### DNSSEC
I create `/etc/systemd/resolved.conf.d/dnssec.conf` with the following content
to enable [DNSSEC](https://wiki.archlinux.org/title/DNSSEC) for DNS query
validation in Systemd-resolved:
```ini {filename="/etc/systemd/resolved.conf.d/dnssec.conf"}
[Resolve]
DNSSEC=true
```
### DNS over TLS
Additionally, to use TLS for encrypting the DNS traffic between my host and the
DNS server I create `/etc/systemd/resolved.conf.d/dns_over_tls.conf` to enable
[DNS over TLS (DoT)](https://en.wikipedia.org/wiki/DNS_over_TLS) for
Systemd-resolved by containing:
```ini {filename="/etc/systemd/resolved.conf.d/dns_over_tls.conf"}
[Resolve]
DNS=176.9.93.198#dnsforge.de
DNSOverTLS=yes
```
{{< callout type="warning" >}}
The DNS server must support DNS over TLS. Otherwise all requests will fail. A
list of censorship-free DNS servers can be found at
[DNS Checker](https://dnschecker.org/public-dns/de).
{{< /callout >}}
Afterwards I restart the systemd-resolved.service to activate the changes:
```bash
sudo systemctl restart systemd-resolved.service
```
I check if the new DNS server is used and `+DNSoverTLS` is listed in *Protocols*
in the output of the following command:
```bash
resolvectl status
```
### Known bugs
Some applications (such as Firefox or LibreWolf, Thunderbird and other) read the
file `/etc/hosts` instead of using Systemd's resolver[^6]. To prevent resolving
`localhost` over the network I add the following lines to `/etc/hosts`:
```
127.0.0.1 localhost
::1 localhost
127.0.1.1 arch-studio24
```
Remember to change `arch-studio24` to your hostname!
Next up is the [Xfce desktop](../xfce-desktop/) guide describing how to install
and setup a desktop environment.
[^1]: [Time synchronization](https://wiki.archlinux.org/title/Time_synchronization)
in the ArchWiki
[^2]: [Ethernet](https://en.wikipedia.org/wiki/Ethernet) in the Wikipedia
[^3]: [Network Time Protocol](https://en.wikipedia.org/wiki/Network_Time_Protocol)
in the Wikipedia
[^4]: [Transport Layer Security](https://en.wikipedia.org/wiki/Transport_Layer_Security)
in the Wikipedia
[^5]: [Domain Name System](https://en.wikipedia.org/wiki/Domain_Name_System) in
the Wikipedia
[^6]: The [localhost is resolved over the network](https://wiki.archlinux.org/title/Network_configuration#localhost_is_resolved_over_the_network)
section of the Network configuration article in the ArchWiki

157
content/docs/computer/basic-configuration.md
View file

@ -3,7 +3,7 @@ title: 'Basic configuration'
date: 2024-04-28T12:07:39+02:00
weight: 3
prev: /docs/computer/system-preparation
next: /docs/computer/xfce-desktop
next: /docs/computer/advanced-networking
---
After [system preparation](../system-preparation/) I am able to boot the
@ -30,10 +30,9 @@ for a general basic setup to my needs include the following tasks:
1. Creating [#Users and groups](#users-and-groups)
2. Apply [#Security measures](#security-measures)
3. Improve [#Privacy settings](#privacy-settings)
4. [#Package management](#package-management)
5. Adding [#Console improvements](#console-improvements)
3. [#Package management](#package-management)
4. Adding [#Console improvements](#console-improvements)
5. Installing a [#Graphics driver](#graphics-driver)
{{< callout type="info" >}}
Some of my instructions are specific to the hardware found in the laptop model
@ -74,7 +73,7 @@ the `wheel` group is an option I use to implement:
```bash
pacman -Sy sudo
gpasswd -a patient0 wheel
gpasswd -a thisven wheel
EDITOR=vim visudo
```
@ -150,132 +149,6 @@ to avoid cluttering system logs by executing:
sudo ufw logging off
```
## Privacy settings
Further measures for tightening security and improving privacy include a more
advanced setup of network services and application fine tuning. The next
sections deal with the adaption of default configurations to use trustworthy
service providers (from my perspective) and a high level of encryption to
prevent some leakage of personal data.
### Securing DNS queries
The DNS[^3] is used to map IP addresses to domain names. DNS traffic from and to
your computer is unencrypted by default and leaks information about the sites
you visit in your web browser or can be used to identify which operating system
you are running, for example. Read more background information on this topic in
the [Privacy and security](https://wiki.archlinux.org/title/Domain_name_resolution#Privacy_and_security)
section in the Arch Wiki article about Domain name resolution.
I create `/etc/systemd/resolved.conf.d/dnssec.conf` with the following content
to enable [DNSSEC](https://wiki.archlinux.org/title/DNSSEC) for DNS query
validation in Systemd-resolved:
```ini {filename="/etc/systemd/resolved.conf.d/dnssec.conf"}
[Resolve]
DNSSEC=true
```
Additionally, to use TLS[^4] for encrypting the traffic between my host and the
DNS server I create `/etc/systemd/resolved.conf.d/dns_over_tls.conf` to enable
[DNS over TLS (DoT)](https://en.wikipedia.org/wiki/DNS_over_TLS) for
Systemd-resolved by containing:
```ini {filename="/etc/systemd/resolved.conf.d/dns_over_tls.conf"}
[Resolve]
DNS=176.9.93.198#dnsforge.de
DNSOverTLS=yes
```
{{< callout type="warning" >}}
The DNS server must support DNS over TLS. Otherwise all requests will fail. A
list of censorship-free DNS servers can be found at
[DNS Checker](https://dnschecker.org/public-dns/de).
{{< /callout >}}
Afterwards I restart the `systemd-resolved.service` to activate the changes:
```bash
sudo systemctl restart systemd-resolved.service
```
I check if the new DNS server is used and `+DNSoverTLS` is listed in *Protocols*
in the output of the following command:
```bash
resolvectl status
```
Some applications (such as Firefox or LibreWolf, Thunderbird and other) read the
file `/etc/hosts` instead of using Systemd's resolver[^5]. To prevent resolving
`localhost` over the network I add the following lines to `/etc/hosts`:
```
127.0.0.1 localhost
::1 localhost
127.0.1.1 arch-studio24
```
Remember to change `arch-studio24` to your hostname!
### NTS
The time synchronization can also be configured to require a TLS connections by
[using NTS servers](https://wiki.archlinux.org/title/Chrony#Using_NTS_servers).
I edit the `/etc/chrony.conf` file to use a local NTS server and fallback:
```
server ptbtime1.ptb.de offline nts
server nts1.time.nl offline nts
```
After editing I restart the following services:
```bash
sudo systemctl restart chronyd.service
sudo systemctl restart NetworkManager-dispatcher.service
```
And I check the configured NTP servers via:
```bash
chronyc -N 'sources -a -v'
```
### IPv6 privacy
To prevent [MAC address](https://en.wikipedia.org/wiki/MAC_address) leakage of
my interfaces, I enable the *IPv6 Privacy Extensions* for NetworkManager. I
create the file `/etc/NetworkManager/conf.d/ipv6-privacy.conf` containing:
``` {filename="/etc/NetworkManager/conf.d/ipv6-privacy.conf"}
[connection]
ipv6.ip6-privacy=2
```
### MAC address randomization
Additionally, with [MAC address randomization](https://wiki.archlinux.org/title/NetworkManager#Configuring_MAC_address_randomization)
enabled my physical MAC address is never leaked during layer 2 communication.
I create the file `/etc/NetworkManager/conf.d/rand-mac-address.conf`:
``` {filename="/etc/NetworkManager/conf.d/rand-mac-address.conf"}
[device-mac-randomization]
# "yes" is already default, but let's be safe
wifi.scan-rand-mac-address=yes
[connection-mac-randomization]
# randomize MAC for each connection
ethernet.cloned-mac-address=random
wifi.cloned-mac-address=random
```
Don't forget to restart the `NetworkManager.service` after these adaptions:
```bash
sudo systemctl restart NetworkManager.service
```
## Package management
In order to automatically retrieve, build and install the many packages from an
@ -378,7 +251,7 @@ sudo ln -s /usr/bin/vim /usr/bin/vi
For efficient working with `vim` in a graphical desktop environment, I like to
deactive [using the mouse](https://wiki.archlinux.org/title/Vim#Using_the_mouse)
in order to use the copy & paste function in terminal windows. I also set syntax
highlighting[^6], indentation and spell checking. I create a `~/.vimrc`
highlighting[^3], indentation and spell checking. I create a `~/.vimrc`
configuration file and insert the following settings:
```vim {filename="$HOME/.vimrc"}
@ -433,7 +306,7 @@ source /usr/share/doc/pkgfile/command-not-found.bash
EOF
```
### Graphics driver
## Graphics driver
To set display resolution from the kernel space rather than the user space I use
[Kernel mode setting](https://wiki.archlinux.org/title/Kernel_mode_setting). As
@ -481,21 +354,11 @@ I finally [reboot](../system-preparation/#reboot) my machine to apply the
graphics driver configuration and troubleshoot any issues. The configuring of
the VA-API is only necessary if you encounter errors.
As the general recommendations state, running graphical applications requires a
GUI[^7]. On the [Xfce desktop](../xfce-desktop/) page I will describe how to
install and setup a desktop environment.
In the next [advanced networking](../advanced-networking) guide, I show how to
secure and tweak the default network configuration.
[^1]: [Pacman](https://wiki.archlinux.org/title/Pacman) in the ArchWiki
[^2]: [CPU](https://en.wikipedia.org/wiki/Central_processing_unit) in the
Wikipedia
[^3]: [Domain Name System](https://en.wikipedia.org/wiki/Domain_Name_System) in
the Wikipedia
[^4]: [Transport Layer Security](https://en.wikipedia.org/wiki/Transport_Layer_Security)
in the Wikipedia
[^5]: The [localhost is resolved over the network](https://wiki.archlinux.org/title/Network_configuration#localhost_is_resolved_over_the_network)
section of the Network configuration article in the ArchWiki
[^6]: [Syntax highlighting](https://en.wikipedia.org/wiki/Syntax_highlighting)
in the Wikipedia
[^7]: [Graphical user interface](https://en.wikipedia.org/wiki/Graphical_user_interface)
[^3]: [Syntax highlighting](https://en.wikipedia.org/wiki/Syntax_highlighting)
in the Wikipedia

26
content/docs/computer/xfce-desktop.md
View file

@ -1,9 +1,9 @@
---
title: 'Xfce desktop'
date: 2024-05-19T16:20:19+02:00
weight: 4
prev: /docs/computer/basic-configuration
next: /docs/computer/advanced-networking
weight: 5
prev: /docs/computer/advanced-networking
next: /docs/computer/multimedia-internet
---
[Xfce](https://wiki.archlinux.org/title/Xfce) is a lightweight but full-featured
@ -159,6 +159,20 @@ the [panel preferences](https://docs.xfce.org/xfce/xfce4-panel/preferences) and
add it to a panel of my choice (per default this is most probably *Panel 1*) in
the *Items* tab.
### NetworkManager applet
To manage NetworkManager connections graphically, I install the package
[network-manager-applet](https://archlinux.org/packages/?name=network-manager-applet)
and start it in the background using the `nm-applet &` command:
```bash
sudo pacman -Sy network-manager-applet
nm-applet &
```
Using the [nm-applet](https://wiki.archlinux.org/title/NetworkManager#nm-applet)
I can easily create additional connections as needed.
### Theming
To apply a built-in dark theme I open the Xfce settings and set *Adwaita dark*
@ -297,14 +311,14 @@ URI scheme, but mounting it using the `/etc/fstab` file is provided by Thunar.
Sometimes the background image or color is missing and the right click menu
doesn't appear. This is fixed by running `xfdesktop` in a terminal as described
on [Fosslicious](https://www.fosslicious.com/2019/09/fix-xfce-desktop-error-cant-right-click.html):
at [Fosslicious](https://www.fosslicious.com/2019/09/fix-xfce-desktop-error-cant-right-click.html):
```bash
xfdesktop &
```
In the next [advanced networking](../advanced-networking) guide, I show how to
secure and tweak the default network configuration.
For setting up multimedia capabilities and Internet technologies proceed with
the next guide [Multimedia and Internet](../multimedia-internet).
[^1]: [Desktop Environment](https://wiki.archlinux.org/title/Desktop_environment)
in the ArchWiki