Add advamced networking guide

2024-05-20 03:38:44 +02:00 · 2024-05-20 03:38:44 +02:00 · e23b7d3f66
commit e23b7d3f66
parent 80a08c079b
3 changed files with 272 additions and 153 deletions
--- a/content/docs/computer/advanced-networking.md
+++ b/content/docs/computer/advanced-networking.md
@ -0,0 +1,242 @@
 ---
 title: 'Advanced networking'
 date: 2024-05-19T19:35:43+02:00
 weight: 4
 prev: /docs/computer/basic-configuration
 next: /docs/computer/xfce-desktop
 ---
 The initial setup during the [system preparation](../system-preparation) may be
 sufficient for the [basic configuration](../basic-configuration) tasks. However,
 time synchronization[^1] and enhanced privacy requires a more advanced setup:
 1. Switch to a [#Network Manager](#network-manager) with:
   1. [#IPv6 privacy](#ipv6-privacy)
   2. [MAC address randomization](#mac-address-randomization)
 2. Use chrony for [#Time synchronization](#time-synchronization)
 3. [#Securing DNS](#securing-dns) via:
   1. [#DNSSEC](#dnssec) for validating DNS queries
   2. [#DNS over TLS](#dns-over-tls) for encrypting DNS traffic
 ## Network manager
 First of all an utility for controlling network related tasks is desirable. The
 [NetworkManager](https://wiki.archlinux.org/title/NetworkManager) can easily,
 yet extensively manage wireless and wired ethernet[^2] interfaces. I install the
 [networkmanager](https://archlinux.org/packages/?name=networkmanager) package:
 ```bash
 sudo pacman -Sy networkmanager
 ```
 The [DHCP client](https://wiki.archlinux.org/title/NetworkManager#DHCP_client),
 which is integrated in the NetworkManager can cause issues in big wireless
 networks such as [eduroam](https://eduroam.org). For this reason, I install the
 [dhclient](https://archlinux.org/packages/?name=dhclient) as an alternative:
 ```bash
 sudo pacman -Sy dhclient
 ```
 For switching, I create a `/etc/NetworkManager/conf.d/dhcp-client.conf` file:
 ```{filename="/etc/NetworkManager/conf.d/dhcp-client.conf"}
 [main]
 dhcp=dhclient
 ```
 ### IPv6 privacy
 To prevent [MAC address](https://en.wikipedia.org/wiki/MAC_address) leakage of
 my interfaces, I enable the *IPv6 Privacy Extensions* for NetworkManager. I
 create the file `/etc/NetworkManager/conf.d/ipv6-privacy.conf` containing:
 ``` {filename="/etc/NetworkManager/conf.d/ipv6-privacy.conf"}
 [connection]
 ipv6.ip6-privacy=2
 ```
 ### MAC address randomization
 Additionally, with [MAC address randomization](https://wiki.archlinux.org/title/NetworkManager#Configuring_MAC_address_randomization)
 enabled my physical MAC address is never leaked during layer 2 communication.
 I create the file `/etc/NetworkManager/conf.d/rand-mac-address.conf`:
 ``` {filename="/etc/NetworkManager/conf.d/rand-mac-address.conf"}
 [device-mac-randomization]
 # "yes" is already default, but let's be safe
 wifi.scan-rand-mac-address=yes
 [connection-mac-randomization]
 # randomize MAC for each connection
 ethernet.cloned-mac-address=random
 wifi.cloned-mac-address=random
 ```
 ### Starting NetworkManager
 I disable and stop the Systemd-networkd service which has been configured in the
 [#Networking](../system-preparation/#Networking) section of system preparation:
 ```bash
 sudo systemctl stop systemd-networkd.service
 sudo systemctl disable systemd-networkd.service
 ```
 Afterwards I enable and start the NetworkManager to take over control:
 ```bash
 sudo systemctl enable NetworkManager.service
 sudo systemctl start NetworkManager.service
 ```
 The existing wired configuration of the system preparation should be detected
 and connect automatically. I remove the configuration file afterwards to ensure
 that Systemd-networkd cannot interfere with the NetworkManager:
 ```bash
 sudo rm /etc/systemd/network/20-wired.network
 ```
 ## Time synchronization
 Synchronizing the system clock can happen via internet by using the Network Time
 Protocol[^3] (NTP). The [chrony](https://wiki.archlinux.org/title/Chrony) NTP
 client is a roaming friendly alternative to the reference implementation `ntp`.
 I install the [chrony](https://archlinux.org/packages/?name=chrony) package via:
 ```bash
 sudo pacman -Sy chrony
 ```
 ### NTS
 The time synchronization can apply Transport Layer Security[^4] (TLS) by
 [using NTS servers](https://wiki.archlinux.org/title/Chrony#Using_NTS_servers).
 I edit the `/etc/chrony.conf` file to use a nearby NTS server and a fallback:
 ```{filename="/etc/chrony.conf"}
 server ptbtime1.ptb.de offline nts
 server nts1.time.nl offline nts
 ```
 ### Starting chrony
 I disable and stop Systemd-timesyncd to prevent any conflicts:
 ```bash
 sudo systemctl disable systemd-timesyncd.service
 sudo systemctl stop systemd-timesyncd.service
 ```
 Afterwards I enable and start the chronyd.service using these commands:
 ```bash
 sudo systemctl enable chronyd.service
 sudo systemctl start chronyd.service
 ```
 And I check the configured NTP servers via:
 ```bash
 chronyc -N 'sources -a -v'
 ```
 ### NetworkManager dispatcher
 Additionally, chrony can automatically go into online/offline mode depending on
 the connection state when using a NetworkManager dispatcher script. Install the
 [networkmanager-dispatcher-chrony](https://aur.archlinux.org/packages/networkmanager-dispatcher-chrony/)
 package from the AUR:
 ```bash
 yay -Sy networkmanager-dispatcher-chrony
 ```
 I enable and start the NetworkManager-dispatcher.service afterwards:
 ```bash
 sudo systemctl enable NetworkManager-dispatcher.service
 sudo systemctl start NetworkManager-dispatcher.service
 ```
 ## Securing DNS
 The DNS[^5] is used to map IP addresses to domain names. DNS traffic from and to
 your computer is unencrypted by default and leaks information about the sites
 you visit in your web browser or can be used to identify which operating system
 you are running, for example. Read more background information on this topic in
 the [Privacy and security](https://wiki.archlinux.org/title/Domain_name_resolution#Privacy_and_security)
 section in the Arch Wiki article about Domain name resolution.
 ### DNSSEC
 I create `/etc/systemd/resolved.conf.d/dnssec.conf` with the following content
 to enable [DNSSEC](https://wiki.archlinux.org/title/DNSSEC) for DNS query
 validation in Systemd-resolved:
 ```ini {filename="/etc/systemd/resolved.conf.d/dnssec.conf"}
 [Resolve]
 DNSSEC=true
 ```
 ### DNS over TLS
 Additionally, to use TLS for encrypting the DNS traffic between my host and the
 DNS server I create `/etc/systemd/resolved.conf.d/dns_over_tls.conf` to enable
 [DNS over TLS (DoT)](https://en.wikipedia.org/wiki/DNS_over_TLS) for
 Systemd-resolved by containing:
 ```ini {filename="/etc/systemd/resolved.conf.d/dns_over_tls.conf"}
 [Resolve]
 DNS=176.9.93.198#dnsforge.de
 DNSOverTLS=yes
 ```
 {{< callout type="warning" >}}
  The DNS server must support DNS over TLS. Otherwise all requests will fail. A
  list of censorship-free DNS servers can be found at
  [DNS Checker](https://dnschecker.org/public-dns/de).
 {{< /callout >}}
 Afterwards I restart the systemd-resolved.service to activate the changes:
 ```bash
 sudo systemctl restart systemd-resolved.service
 ```
 I check if the new DNS server is used and `+DNSoverTLS` is listed in *Protocols*
 in the output of the following command:
 ```bash
 resolvectl status
 ```
 ### Known bugs
 Some applications (such as Firefox or LibreWolf, Thunderbird and other) read the
 file `/etc/hosts` instead of using Systemd's resolver[^6]. To prevent resolving
 `localhost` over the network I add the following lines to `/etc/hosts`:
 ```
 127.0.0.1        localhost
 ::1              localhost
 127.0.1.1        arch-studio24
 ```
 Remember to change `arch-studio24` to your hostname!
 Next up is the [Xfce desktop](../xfce-desktop/) guide describing how to install
 and setup a desktop environment.
 [^1]: [Time synchronization](https://wiki.archlinux.org/title/Time_synchronization)
 in the ArchWiki
 [^2]: [Ethernet](https://en.wikipedia.org/wiki/Ethernet) in the Wikipedia
 [^3]: [Network Time Protocol](https://en.wikipedia.org/wiki/Network_Time_Protocol)
 in the Wikipedia
 [^4]: [Transport Layer Security](https://en.wikipedia.org/wiki/Transport_Layer_Security)
 in the Wikipedia
 [^5]: [Domain Name System](https://en.wikipedia.org/wiki/Domain_Name_System) in
 the Wikipedia
 [^6]: The [localhost is resolved over the network](https://wiki.archlinux.org/title/Network_configuration#localhost_is_resolved_over_the_network)
 section of the Network configuration article in the ArchWiki
--- a/content/docs/computer/basic-configuration.md
+++ b/content/docs/computer/basic-configuration.md
@ -3,7 +3,7 @@ title: 'Basic configuration'
 date: 2024-04-28T12:07:39+02:00
 weight: 3
 prev: /docs/computer/system-preparation
-next: /docs/computer/xfce-desktop
+next: /docs/computer/advanced-networking
 ---
 After [system preparation](../system-preparation/) I am able to boot the
@ -30,10 +30,9 @@ for a general basic setup to my needs include the following tasks:
 1. Creating [#Users and groups](#users-and-groups)
 2. Apply [#Security measures](#security-measures)
-3. Improve [#Privacy settings](#privacy-settings)
+3. [#Package management](#package-management)
-4. [#Package management](#package-management)
+4. Adding [#Console improvements](#console-improvements)
-5. Adding [#Console improvements](#console-improvements)
+5. Installing a [#Graphics driver](#graphics-driver)
 {{< callout type="info" >}}
  Some of my instructions are specific to the hardware found in the laptop model
@ -74,7 +73,7 @@ the `wheel` group is an option I use to implement:
 ```bash
 pacman -Sy sudo
-gpasswd -a patient0 wheel
+gpasswd -a thisven wheel
 EDITOR=vim visudo
 ```
@ -150,132 +149,6 @@ to avoid cluttering system logs by executing:
 sudo ufw logging off
 ```
 ## Privacy settings
 Further measures for tightening security and improving privacy include a more
 advanced setup of network services and application fine tuning. The next
 sections deal with the adaption of default configurations to use trustworthy
 service providers (from my perspective) and a high level of encryption to
 prevent some leakage of personal data.
 ### Securing DNS queries
 The DNS[^3] is used to map IP addresses to domain names. DNS traffic from and to
 your computer is unencrypted by default and leaks information about the sites
 you visit in your web browser or can be used to identify which operating system
 you are running, for example. Read more background information on this topic in
 the [Privacy and security](https://wiki.archlinux.org/title/Domain_name_resolution#Privacy_and_security)
 section in the Arch Wiki article about Domain name resolution.
 I create `/etc/systemd/resolved.conf.d/dnssec.conf` with the following content
 to enable [DNSSEC](https://wiki.archlinux.org/title/DNSSEC) for DNS query
 validation in Systemd-resolved:
 ```ini {filename="/etc/systemd/resolved.conf.d/dnssec.conf"}
 [Resolve]
 DNSSEC=true
 ```
 Additionally, to use TLS[^4] for encrypting the traffic between my host and the
 DNS server I create `/etc/systemd/resolved.conf.d/dns_over_tls.conf` to enable
 [DNS over TLS (DoT)](https://en.wikipedia.org/wiki/DNS_over_TLS) for
 Systemd-resolved by containing:
 ```ini {filename="/etc/systemd/resolved.conf.d/dns_over_tls.conf"}
 [Resolve]
 DNS=176.9.93.198#dnsforge.de
 DNSOverTLS=yes
 ```
 {{< callout type="warning" >}}
  The DNS server must support DNS over TLS. Otherwise all requests will fail. A
  list of censorship-free DNS servers can be found at
  [DNS Checker](https://dnschecker.org/public-dns/de).
 {{< /callout >}}
 Afterwards I restart the `systemd-resolved.service` to activate the changes:
 ```bash
 sudo systemctl restart systemd-resolved.service
 ```
 I check if the new DNS server is used and `+DNSoverTLS` is listed in *Protocols*
 in the output of the following command:
 ```bash
 resolvectl status
 ```
 Some applications (such as Firefox or LibreWolf, Thunderbird and other) read the
 file `/etc/hosts` instead of using Systemd's resolver[^5]. To prevent resolving
 `localhost` over the network I add the following lines to `/etc/hosts`:
 ```
 127.0.0.1        localhost
 ::1              localhost
 127.0.1.1        arch-studio24
 ```
 Remember to change `arch-studio24` to your hostname!
 ### NTS
 The time synchronization can also be configured to require a TLS connections by
 [using NTS servers](https://wiki.archlinux.org/title/Chrony#Using_NTS_servers).
 I edit the `/etc/chrony.conf` file to use a local NTS server and fallback:
 ```
 server ptbtime1.ptb.de offline nts
 server nts1.time.nl offline nts
 ```
 After editing I restart the following services:
 ```bash
 sudo systemctl restart chronyd.service
 sudo systemctl restart NetworkManager-dispatcher.service
 ```
 And I check the configured NTP servers via:
 ```bash
 chronyc -N 'sources -a -v'
 ```
 ### IPv6 privacy
 To prevent [MAC address](https://en.wikipedia.org/wiki/MAC_address) leakage of
 my interfaces, I enable the *IPv6 Privacy Extensions* for NetworkManager. I
 create the file `/etc/NetworkManager/conf.d/ipv6-privacy.conf` containing:
 ``` {filename="/etc/NetworkManager/conf.d/ipv6-privacy.conf"}
 [connection]
 ipv6.ip6-privacy=2
 ```
 ### MAC address randomization
 Additionally, with [MAC address randomization](https://wiki.archlinux.org/title/NetworkManager#Configuring_MAC_address_randomization)
 enabled my physical MAC address is never leaked during layer 2 communication.
 I create the file `/etc/NetworkManager/conf.d/rand-mac-address.conf`:
 ``` {filename="/etc/NetworkManager/conf.d/rand-mac-address.conf"}
 [device-mac-randomization]
 # "yes" is already default, but let's be safe
 wifi.scan-rand-mac-address=yes
 [connection-mac-randomization]
 # randomize MAC for each connection
 ethernet.cloned-mac-address=random
 wifi.cloned-mac-address=random
 ```
 Don't forget to restart the `NetworkManager.service` after these adaptions:
 ```bash
 sudo systemctl restart NetworkManager.service
 ```
 ## Package management
 In order to automatically retrieve, build and install the many packages from an
@ -378,7 +251,7 @@ sudo ln -s /usr/bin/vim /usr/bin/vi
 For efficient working with `vim` in a graphical desktop environment, I like to
 deactive [using the mouse](https://wiki.archlinux.org/title/Vim#Using_the_mouse)
 in order to use the copy & paste function in terminal windows. I also set syntax
-highlighting[^6], indentation and spell checking. I create a `~/.vimrc`
+highlighting[^3], indentation and spell checking. I create a `~/.vimrc`
 configuration file and insert the following settings:
 ```vim {filename="$HOME/.vimrc"}
@ -433,7 +306,7 @@ source /usr/share/doc/pkgfile/command-not-found.bash
 EOF
 ```
-### Graphics driver
+## Graphics driver
 To set display resolution from the kernel space rather than the user space I use
 [Kernel mode setting](https://wiki.archlinux.org/title/Kernel_mode_setting). As
@ -481,21 +354,11 @@ I finally [reboot](../system-preparation/#reboot) my machine to apply the
 graphics driver configuration and troubleshoot any issues. The configuring of
 the VA-API is only necessary if you encounter errors.
-As the general recommendations state, running graphical applications requires a
+In the next [advanced networking](../advanced-networking) guide, I show how to
-GUI[^7]. On the [Xfce desktop](../xfce-desktop/) page I will describe how to
+secure and tweak the default network configuration.
 install and setup a desktop environment.
 [^1]: [Pacman](https://wiki.archlinux.org/title/Pacman) in the ArchWiki
 [^2]: [CPU](https://en.wikipedia.org/wiki/Central_processing_unit) in the
 Wikipedia
-[^3]: [Domain Name System](https://en.wikipedia.org/wiki/Domain_Name_System) in
+[^3]: [Syntax highlighting](https://en.wikipedia.org/wiki/Syntax_highlighting)
 the Wikipedia
 [^4]: [Transport Layer Security](https://en.wikipedia.org/wiki/Transport_Layer_Security)
 in the Wikipedia
 [^5]: The [localhost is resolved over the network](https://wiki.archlinux.org/title/Network_configuration#localhost_is_resolved_over_the_network)
 section of the Network configuration article in the ArchWiki
 [^6]: [Syntax highlighting](https://en.wikipedia.org/wiki/Syntax_highlighting)
 in the Wikipedia
 [^7]: [Graphical user interface](https://en.wikipedia.org/wiki/Graphical_user_interface)
 in the Wikipedia
--- a/content/docs/computer/xfce-desktop.md
+++ b/content/docs/computer/xfce-desktop.md
@ -1,9 +1,9 @@
 ---
 title: 'Xfce desktop'
 date: 2024-05-19T16:20:19+02:00
-weight: 4
+weight: 5
-prev: /docs/computer/basic-configuration
+prev: /docs/computer/advanced-networking
-next: /docs/computer/advanced-networking
+next: /docs/computer/multimedia-internet
 ---
 [Xfce](https://wiki.archlinux.org/title/Xfce) is a lightweight but full-featured
@ -159,6 +159,20 @@ the [panel preferences](https://docs.xfce.org/xfce/xfce4-panel/preferences) and
 add it to a panel of my choice (per default this is most probably *Panel 1*) in
 the *Items* tab.
 ### NetworkManager applet
 To manage NetworkManager connections graphically, I install the package
 [network-manager-applet](https://archlinux.org/packages/?name=network-manager-applet)
 and start it in the background using the `nm-applet &` command:
 ```bash
 sudo pacman -Sy network-manager-applet
 nm-applet &
 ```
 Using the [nm-applet](https://wiki.archlinux.org/title/NetworkManager#nm-applet)
 I can easily create additional connections as needed.
 ### Theming
 To apply a built-in dark theme I open the Xfce settings and set *Adwaita dark*
@ -297,14 +311,14 @@ URI scheme, but mounting it using the `/etc/fstab` file is provided by Thunar.
 Sometimes the background image or color is missing and the right click menu
 doesn't appear. This is fixed by running `xfdesktop` in a terminal as described
-on [Fosslicious](https://www.fosslicious.com/2019/09/fix-xfce-desktop-error-cant-right-click.html):
+at [Fosslicious](https://www.fosslicious.com/2019/09/fix-xfce-desktop-error-cant-right-click.html):
 ```bash
 xfdesktop &
 ```
-In the next [advanced networking](../advanced-networking) guide, I show how to
+For setting up multimedia capabilities and Internet technologies proceed with
-secure and tweak the default network configuration.
+the next guide [Multimedia and Internet](../multimedia-internet).
 [^1]: [Desktop Environment](https://wiki.archlinux.org/title/Desktop_environment)
 in the ArchWiki