44Net Connect/Routed Subnet/Debian based distributions
Prerequisites
Set up a single-device tunnel to your machine.
Note the IP and name of your WireGuard interface. The name of your WireGuard interface is the same as the name
of your config file. For example, if your config file is /etc/wireguard/wg0.conf, then your
interface name is wg0. The IP of your WireGuard interface can be obtained from running ifconfig <interface> and finding the IP listed under the interface in the inet field.
Below is some example output of ifconfig wg0.
wg0: flags=209<UP,POINTOPOINT,RUNNING,NOARP> mtu 1380
inet 44.27.133.190 netmask 255.255.255.255 destination 44.27.133.190
inet6 fe80::f728:a0b0:3af5:b5c6 prefixlen 128 scopeid 0x20<link>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 1000 (UNSPEC)
RX packets 17331 bytes 5865364 (5.5 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 13389 bytes 2146828 (2.0 MiB)
TX errors 0 dropped 1 overruns 0 carrier 0 collisions 0
Request a Subnet
Go to the Network tab of 44Net Connect, and request a network. Requests up to a /28 (16 IPs) are automatically approved. It's recommended to request at least a /29 (8 IPs), since at least 2 of your IPs must be set aside for network and broadcast addresses. That way, you have at least 6 usable addresses for your hosts.
Setting Up The Network Interface
The recommended way to set up the router for your subnet is with two ethernet interfaces. The second can be provided by a USB ethernet adapter if necessary. This section has the steps that are required regardless of whether you're using ethernet or WiFi. If you're using WiFi, you'll also need the steps in the following section. Otherwise, you can skip them.
Step 1: Create a new connection in nmcli
nmcli is the CLI interface for NetworkManager, which is the high level network configuration tool included in most Debian-based distributions by default. These configuration steps can be completed using the NetworkManager GUI, but many people operate a "headless" machine (without a screen or keyboard) and use SSH to remotely configure it. Thus, this tutorial uses a CLI tool to accommodate that use case.
An nmcli "connection" is an abstraction representing a network configuration attached to a device. Create a new connection by running
sudo nmcli con add conn-name <name> ifname <interface name> type <type>.
You can name the connection whatever you like, but it's recommended to name it something descriptive. For example, if you're configuring a 44net routed subnet for eth1, you might name it 44net-eth1. The interface name is the name of the interface you're using, as described by ifconfig. The type is either wifi or ethernet. For a WiFi interface, you must also specify the BSSID (network name) by adding the parameter ssid <BSSID> at the end.
Step 2: Configure the IP
Set the IPv4 method to manual using the following command:
sudo nmcli con modify <name> ipv4.method manual
Next, set the IP range for this interface.
sudo nmcli con modify <name> ipv4.address <subnet>
Your subnet should be specified in CIDR notation. At this point, if you're configuring an ethernet interface, you're ready to start it up. If you're configuring a WiFi interface, don't start your interface yet, and move on to the next section for additional configuration.
Step 3: Starting the Interface
First, disable the existing connection, which is likely named netplan-<interface>. If you're using eth1 for your 44net clients, it may look like netplan-eth1. If you are configuring your Debian machine over SSH, be careful not to deactivate the connection over which your SSH is traveling.
sudo nmcli con down <name of existing connection>
After deactivating the regular connection, activate your new connection. If this succeeds, you're good to go.
sudo nmcli con up <name of new connection>
Optional: Setting Up A Wireless Access Point
If you have wireless only clients, or wish to utilize an existing WiFi interface in lieu of an additional ethernet interface, you can configure the interface as an access point.
After your subnet is approved, you must attach it to your tunnel. Go to your Tunnels tab on 44Net Connect, and click Edit on the tunnel for your routing device. Go to the "Route additional Networks Through This Tunnel" section, and check the box for the subnet you want to use for this tunnel.
Step 1: Set your wireless regulatory domain
Different countries have different rules about which frequencies and bandwidths devices are allowed to use for WiFi. Setting the regulatory domain ensures that your device will use the right ones, making it work best with nearby devices and ensuring regulatory compliance.
Your regulatory domain may have already been set during OS installation. Run
sudo iw reg get to check whether it's been set. Look at the country set under global. If it says unset, you have not set the regulatory domain.
If your regulatory domain has not been set, set it with sudo iw reg set <country code> where the country code is your two letter ISO country code.
Step 2: Configure WiFi settings for your nmcli connection
Set the access point security and password. First, we set the wifi-sec.key-mgmt parameter to wpa-psk to disable the older insecure WEP encryption method. At this point, you will also need to set a password.
sudo nmcli con modify <connection name> wifi-sec.key-mgmt wpa-psk
sudo nmcli con modify <connection name> wifi-sec.psk <password>
For security, leave only WPA2 enabled. By default, the older WPA protocol is enabled for compatibility, but it only supports the less secure TKIP encryption algorithm. Disable it by setting wifi-sec.proto to rsn.
sudo nmcli con modify <connection name> wifi-sec.proto rsn
Even after disabling the older WPA protocol, WPA2 supports TKIP for compatibility. As an additional security measure, enable only the CCMP encryption algorithm, disabling TKIP.
sudo nmcli con modify <connection name> wifi-sec.pairwise ccmp
Finally, set the connection to access point mode and configure it to use your subnet assignment.
sudo nmcli con modify <connection name> 802-11-wireless.mode ap 802-11-wireless.band <band> ipv4.method manual ipv4.addr <subnet in CIDR notation>
For the 802-11-wireless.band setting, choose either bg for 2.4 GHz or a for 5 GHz.
Now we need to disable the current nmcli connection and enable our new one. Current connections can be viewed by running nmcli connection. If your device is currently connected to a WiFi network, you'll see something like netplan-wlan0-<name of your wifi network>. Disable that connection by running the following command:
sudo nmcli conn down netplan-wlan0-<name of your wifi network>
Next, enable your new connection by running sudo nmcli conn up <name of connection>
Setting up DHCP
Kea is the recommended DHCP server for setting up a routed subnet. dhcpd is deprecated as of 2022.
Install kea by running
sudo apt install kea.
After installing, configure its settings by editing /etc/kea/kea-dhcp4.conf. This file uses an extended JSON syntax that supports shell style comments using #, C style single line comments with //, and C style multi-line comments with /* */.
Configure Interface
Inside the Dhcp4 struct, under interfaces-config, add the interface you want your DHCP server to operate on to the interfaces list. For example, in a setup using 2 ethernet interfaces, you might have eth0 connected to your LAN and eth1 connected to your client devices. In this case, you would use eth1. If you're using the built-in wireless card to broadcast an access point, use wlan0.
"Dhcp4": {
"interfaces-config": {
"interfaces": [ "eth1" ]
}
}
Configure DNS
Inside the Dhcp4 struct, under option-data set at least one DNS server. Cloudflare's DNS servers are 1.1.1.1 and 1.0.0.1. Google's DNS servers are 8.8.8.8 and 8.8.4.4.
"Dhcp4": {
"option-data": [
{
"name": "domain-name-servers",
"data": "1.1.1.1, 1.0.0.1, 8.8.8.8, 8.8.4.4"
},
],
}
Configure your subnet
subnet4 is a list (denoted with brackets) of structures (denoted with curly brackets) where each structure is one subnet. Inside each subnet structure, set the client IP range(s) in pools, and define at least one router in the option-data field. Comment out or delete the example DHCP reservations in the reservations field, since they're for the wrong subnet.
"subnet4": [
// Put your subnet here in CIDR notation.
"subnet": "44.27.45.128/29",
// Define the range of client IP addresses here.
"pools": [ { "pool": "44.27.45.129 - 44.27.45.133" } ],
// These options are subnet specific. You must configure at least one router.
"option-data": [
{
"name": "routers",
"data": "44.27.45.129"
}
],
"reservations": [
// Comment out or delete the examples in this list, since they are for the wrong subnet.
]
]
Ethernet Hot Plugging Workaround
At present, kea does not support hot plugging interfaces. This means that ethernet devices must have at least one client at the time the DHCP server starts, otherwise it will not properly bind to the interface. If you plan on hot plugging ethernet devices on your Pi, this can be worked around by configuring service-sockets-max-retries to an extremely large number such as 9223372036854775807, the upper limit of a signed 64-bit integer. You may also wish to increase service-sockets-retry-wait-time, which specifies the retry time in milliseconds, though the default time of 5000 ms is typically fine. These options should go in the interfaces-config section at the top of your Dhcp4 section in /etc/kea/kea-dhcp4.conf. Here is an example:
"Dhcp4": {
// Add names of your network interfaces to listen on.
"interfaces-config": {
// See section 8.2.4 for more details. You probably want to add just
// interface name (e.g. "eth0" or specific IPv4 address on that
// interface name (e.g. "eth0/192.0.2.1").
"interfaces": ["eth1" ],
// max retries is set to int64 max as a workaround for kea not supporting
// hot plugging of interfaces.
"service-sockets-max-retries": 9223372036854775807,
"service-sockets-retry-wait-time": 2000
},
// The rest of this config is omitted for brevity.
}