ELUG Meetup: 28 September 2023

Topic: How to set up and use opnsense/pfsense, a.k.a. a refresher in how to secure your home network
Presenter: Robert was the test subject

We walked through a hypothetical home network setup, where the user (me) wanted to isolate his home network from the default ISP router-created network. I also wanted to add pihole (or some equivalent adblocking functionality).

Either one of pfsense or opnsense will do for this purpose; I happened to choose opnsense because that's the one that installed with no issues. David and Rajiv provided some direction on how to configure opnsense, and we discussed other options and configurations that may be useful for other users and varying situations.

ELUG Meetup: August 26, 2021

In our meeting on August 26 Spencer walked us through how to set up different machines and ensure that they are equipped with certificates. Once accessed with a browser, these devices show up as "secure", whereas the default behaviour would highlight the site as not secure.

A video of that session was recorded, so if you want to take a look, check it out here:

https://nextcloud.elug.rocks/index.php/s/AkaeFBHDBZ8DFpL?path=%2F2021-08%20Certificate%20authority%20(Spencer)

Spencer also was kind enough to provide a high level overview:

# "something about a self-signed certificate and pi-hole"

## Objective
---

As a user I want to view the pi-hole admin page using https instead of http. As the creator of a local certificate authority, I accept the risk of installing its certificate on my local devices.

## Requirements (prework)
---

1. Lessons 1.1, 1.2, and 1.3 from *resource #1*
    1. Check the device hostname
    1. Sync your clock
    1. Review your OpenSSL configuration (`openssl version -a`)
    1. Create a directory structure to store the keys, signing requests, and certs
    1. Lock it down (chmod 600)

## Create the private key and cert for the CA
---

``` sh
# Create a private key for the CA (AES-256 encrypted; you will be prompted for a passphrase)
openssl genrsa -aes256 -out /root/ca/private/cakey.pem 4096

# Create a self-signed certificate for the CA, valid for ten years
openssl req -new -x509 -key /root/ca/private/cakey.pem -out /root/ca/cacert.pem -days 3650 -set_serial 0
```
## Create the private key and cert for the pihole
---

``` sh
# Create a new private key for the pi-hole web server
openssl genpkey -algorithm RSA -out /root/ca/private/my_server.key

# Create a new certificate signing request (CSR) for that key
openssl req -new -key /root/ca/private/my_server.key -out /root/ca/requests/my_server.csr

# CA signing the CSR as-is (no subjectAltName; this is the cert that triggers the browser error below)
openssl ca -in /root/ca/requests/my_server.csr -out /root/ca/certs/my_server_NO-SAN.crt

# CA signing the CSR with an extensions file that adds X509v3 extensions;
# the browser error NET::ERR_CERT_COMMON_NAME_INVALID is resolved by adding 'subjectAltName'.
# Note: 'openssl ca' refuses a second cert for the same subject unless the CA config
# sets 'unique_subject = no' (or the first cert is revoked first).
openssl ca -in /root/ca/requests/my_server.csr -extfile /root/ca/my_server.ext -out /root/ca/certs/my_server_SAN.crt
```

> my_server.ext

``` sh
subjectAltName = DNS:my_server.local, DNS:pi.hole, IP:10.0.0.10
```

### Checking the certificate
---

``` sh
# Check for SAN
openssl x509 -text -in /root/ca/certs/my_server_SAN.crt -noout
```
> Expected output should include:
``` sh
X509v3 extensions:
    X509v3 Subject Alternative Name:
        DNS:my_server.local, DNS:pi.hole, IP Address:10.0.0.10
```

## lighttpd config
---

``` sh
nano /etc/lighttpd/external.conf
```

``` sh
server.modules += ("mod_openssl")
$HTTP["host"] == "my_server.local" {
  $SERVER["socket"] == ":443" {
    ssl.engine = "enable"                                # basic option
    ssl.pemfile = "/usr/lib/ssl/certs/my_server_SAN.crt" # basic option
#   ssl.pemfile = "/usr/lib/ssl/certs/my_server_NO-SAN.crt"
    ssl.privkey = "/usr/lib/ssl/private/my_server.key"   # basic option
    ssl.ca-file = "/usr/lib/ssl/certs/cacert.pem"        # (deprecated) renamed ssl.verifyclient.ca-file (since 1.4.60)
  }
}
```
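As an added example that is not part of Spencer's notes, here is the same walkthrough as an unattended shell script: it builds a throwaway CA in a temp directory, issues one server cert with the SAN extension and one without, and then checks each against the CA for the hostnames a browser would present. The CA subject "Home Lab CA", the hostnames and the 10.0.0.10 address are constructed values; it assumes `openssl` 1.1.1 or newer.

```shell
# Added example, not part of Spencer's notes: the walkthrough above run unattended
# in a throwaway directory. It builds a CA, issues one server cert with the SAN
# extension and one without, then checks both the way a browser would. The CA
# subject, hostnames and 10.0.0.10 are constructed sample values.
set -eu
WORK="${CA_WORK:-$(mktemp -d)}"
mkdir -p "$WORK/private" "$WORK/certs" "$WORK/requests"; chmod 700 "$WORK/private"
# Minimal req config so the script does not depend on the system openssl.cnf
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/req.cnf"
# CA key and self-signed CA cert. The key is left unencrypted so the demo needs
# no passphrase; for a real CA keep the -aes256 from the notes.
make_ca() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/private/cakey.pem" 2>/dev/null
  openssl req -config "$WORK/req.cnf" -new -x509 -key "$WORK/private/cakey.pem" -days 3650 \
    -subj "/CN=Home Lab CA" -addext "basicConstraints=critical,CA:TRUE" \
    -addext "keyUsage=critical,keyCertSign,cRLSign" -out "$WORK/cacert.pem"
}

# Server key and CSR, then the CA signs it. $2 is an optional extensions file (the
# my_server.ext idea). 'x509 -req -CA' signs without the index/serial database that
# 'openssl ca' expects, which keeps the demo self-contained.
issue_cert() {
  name=$1; ext=${2:-}
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/private/$name.key" 2>/dev/null
  openssl req -config "$WORK/req.cnf" -new -key "$WORK/private/$name.key" \
    -subj "/CN=my_server.local" -out "$WORK/requests/$name.csr"
  if [ -n "$ext" ]; then set -- -extfile "$ext"; else set --; fi
  openssl x509 -req -in "$WORK/requests/$name.csr" -CA "$WORK/cacert.pem" -CAkey "$WORK/private/cakey.pem" \
    -CAcreateserial -days 825 "$@" -out "$WORK/certs/$name.crt" 2>/dev/null
}

# The SAN line as printed by 'openssl x509 -text' (the check from the notes), or "none".
san_of() {
  openssl x509 -in "$1" -noout -text | sed -n '/Subject Alternative Name/{n;s/^ *//;p;}' | grep . || echo none
}

# Chain and hostname check against our CA, as a browser does it: prints OK or FAIL.
verify_host() {
  if openssl verify -CAfile "$WORK/cacert.pem" -verify_hostname "$2" "$1" >/dev/null 2>&1
  then echo OK; else echo FAIL; fi
}

make_ca
printf 'subjectAltName = DNS:my_server.local, DNS:pi.hole, IP:10.0.0.10\n' > "$WORK/my_server.ext"
issue_cert my_server_NO-SAN
issue_cert my_server_SAN "$WORK/my_server.ext"
for c in my_server_NO-SAN my_server_SAN; do
  echo "$c: SAN=$(san_of "$WORK/certs/$c.crt"), pi.hole=$(verify_host "$WORK/certs/$c.crt" pi.hole)"
done
```

The NO-SAN cert fails the pi.hole check even though it chains to the CA, which is exactly the NET::ERR_CERT_COMMON_NAME_INVALID situation the notes describe; the SAN cert passes for every name in its subjectAltName and fails for anything else.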
## Resources
---

1. [OpenSSL Certification Authority (CA) on Ubuntu Server](https://networklessons.com/uncategorized/openssl-certification-authority-ca-ubuntu-server)
    1. Prerequisites
        1. hostname, /etc/hosts, and ntp
    1. OpenSSL Configuration
        1. Specify the path, generate cakey.pem & cacert.pem
        1. Install cacert.pem on your client machine(s)
2. [Enabling HTTPS for your Pi-hole Web Interface](https://discourse.pi-hole.net/t/enabling-https-for-your-pi-hole-web-interface/5771)
    1. Which config file to edit (/etc/lighttpd/external.conf)
3. [OpenSSL man pages - genpkey](https://www.openssl.org/docs/man1.1.1/man1/genpkey.html)
    1. Generate a private key using genpkey
4. [Lighttpd wiki #Self-Signed-Certificates](https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_SSL#Self-Signed-Certificates)
    1. Used the 'Quick Start'
    1. Tip: keep your lighttpd -version in mind
5. [Firefox no longer trusts my internal certificate authority used for internal sites on our domain.](https://support.mozilla.org/en-US/questions/1175296)
    1. See also *security.enterprise_roots.enabled* on the about:config page.

ELUG Meetup: August 27, 2020

Rick ran through a Pi-hole demo for the group, showing us how to implement a simple network-level block for advertisements and trackers. Now you can explore the internet without the nuisance and distractions. If you'd like to follow along, you can run through the notes that Rick provided, as well as some videos that he thinks you should check out!

Install Raspbian

Make sure the micro card is blank. I use Gparted and delete all partitions (there can be some weird stuff hanging around), then 'Create partition table' under the Device tab (this messed me up a few times too).

Das Geek video: Pi-Hole - Setup Network-wide Ad Blocking w_ Raspberry Pi
The link: https://www.youtube.com/watch?v=t2Waj9O8XmI&pbjreload=101

Timestamp 2:45: note how it does not download ads, to save download bandwidth. Neat.
Timestamp 4:15: run the curl script below.

``` sh
curl -sSL https://install.pi-hole.net | bash
```

Timestamp 7:25: note the assigned IP address of the Pi-hole.
Timestamp 9:50: note the admin page, http://pi.hole/admin or http://192.168.1.43/admin (my Pi IP is 43).
Note the login password.
Timestamp 12:00: router setup.