Shirka Router

I absolutely loved watching Ulysses 31 back in the day. Now I'm starting to set up a home server lab behind a DIY router and there's only one name for it: Shirka. Maybe one day I'll give it a display on the front with the animated star-swirl thing but for now it's just the hardware fixed to a wooden frame.

I'm no expert in cybersecurity, so I need a system that can reliably warn me if anything unusual happens to it. I also want to minimise the amount of electricity the system draws to avoid nasty energy bills.

So I have a Dell/Wyse 3040 running OpenBSD as the router itself and a Raspberry Pi 4 (2GB) linked up to it via USB-TTL. The serial link is important so that if anyone managed to compromise the router, I would already have the log data safely on a separate machine before they could hide their tracks. Important to get the security right on the serial link though!

Installing OpenBSD via USB stick was reasonably straightforward. It wouldn't boot from the install though until I manually copied the BOOTX64.EFI file into the EFI partition. So I presumably messed something up in the installer options.

Installing Debian on the Raspberry Pi 4 started off easily by dding one of the daily images onto an SD card and booting from that. To get the UK keyboard map working, I installed the console-common and keyboard-configuration packages.

Then I hooked up the serial and installed minicom on both machines to test it out. On the Pi, the default UART device is /dev/ttyS1 but the device name on the OpenBSD side was trickier to figure out. First, I had to find the device in the dmesg output. This gave me the USB... identifier. Then when I ran the cu program to connect to that identifier it showed me the device name: /dev/xxxxx.

Once connected, it turned out that by default, the Debian image exposes a tty console via the serial link. I definitely did NOT want the internet-exposed router having access to a console on the Pi. To disable this, I needed to edit /etc/default/raspi-firmware and set the CONSOLES variable to tty0. That would have no effect without regenerating the initial ram disk though, so then I had to run update-initramfs -u -k all to sort that.
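A way to confirm the change took effect, as an added example that is not part of the original post: the script below flags any kernel console or login getty left on the serial link. It assumes the Pi's UART is ttyS1 (as above) and that logins are started by systemd's serial-getty@ unit; the sample command lines are constructed.

```shell
#!/bin/sh
# Added example: verify the Pi offers no console or login on its serial port.
# Assumptions: UART is ttyS1 (as in the post); gettys are systemd's serial-getty@.

# Print each console= target on a kernel command line that is a serial device,
# i.e. anything other than a virtual terminal (tty0, tty1, ...).
serial_consoles() {
    printf '%s\n' "$1" | tr ' ' '\n' | while read -r arg; do
        case "$arg" in
            console=*)
                dev=${arg#console=}
                dev=${dev%%,*}        # strip options such as ",115200n8"
                case "$dev" in
                    tty[0-9]*) ;;     # local screen only, not the serial link
                    *) printf '%s\n' "$dev" ;;
                esac ;;
        esac
    done
}

# $1 = kernel command line, $2 = getty state ("active" or anything else).
# Returns 0 only when neither a kernel console nor a login is on serial.
audit() {
    found=$(serial_consoles "$1")
    rc=0
    if [ -n "$found" ]; then
        echo "FAIL: kernel console on serial device: $found"; rc=1
    fi
    if [ "$2" = "active" ]; then
        echo "FAIL: a login getty is running on the serial port"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "PASS: no console or login on the serial link"
    return "$rc"
}

# Constructed sample command lines (not captured from a real machine).
BEFORE='console=tty0 console=ttyS1,115200 root=LABEL=RASPIROOT rw'
AFTER='console=tty0 root=LABEL=RASPIROOT rw'

if [ "${1:-}" = "--live" ]; then
    # On the Pi, after rebooting: check the running kernel and systemd.
    audit "$(cat /proc/cmdline)" \
          "$(systemctl is-active serial-getty@ttyS1.service)"
else
    audit "$BEFORE" active || true    # default image: expected to FAIL
    audit "$AFTER" inactive           # after the CONSOLES=tty0 change
fi
```

Run it with --live on the Pi after the reboot; a non-zero exit status means something is still listening on the serial port.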

Finally, I set up pf.conf on the router to block all network traffic except ssh from my trusted subnet and then I ran out of time and energy.

The next job is setting up the software auto-updates and filesystem intrusion-detection. Once I've got that working and stable I can set up some port-forwarding and a simple test server! Slow going, but I'm loving it. :)