
SecureOffice Installation (SecureOffice section, posted by xoops, 29-Nov-2020 21:40)

Table of Contents

1      SecureOffice Copyright and Licensing

2      Install SecureOffice on Boot Device

2.1                Install on Target PC Using Rescue USB Boot Disk

2.2                Install on Target PC Using SecureOffice USB Boot Disk

2.3                Install on Target Media Using Linux PC

2.4                Install on Target Media Using Linux VM

2.5                Optional SSH Into Installation PC

2.6                Identify SecureOffice Boot Media Device

2.7                Install SecureOffice to Boot Media

3      Initial SecureOffice Boot

3.1                Configure Boot Device

4      Configure OpenWrt Router

4.1                OpenWrt Local Console Access

4.2                Set OpenWrt Root Password

4.3                Basic Network Configuration

4.4                Configure WAN Network Topology

4.4.1      Configure LAN Ethernet Interface

4.4.2      Configure WAN Ethernet Interface

4.5                Configure LAN Network Topology

4.6                Configure WiFi

4.7                Configure Dynamic DNS

4.7.1      Choose a DDNS Service Provider

4.7.2      Configure and Enable DDNS Service

4.8                Configure SecureOffice Domain

5      Install Other Services and Applications

5.1                Other Services and Applications

5.2                Requesting Missing Packages and Drivers

5.3                Licensed Services and Applications

5.3.1      About Licensing

5.3.2      Secure Telephone System

5.3.3      Virtual Machine Hosting

5.3.4      Docker Container Support

5.3.5      Free and Automatic Renewing SSL Certs

5.3.6      Developing Applications and Services

List of Figures

Figure 1:       System Rescue Boot Options Menu

Figure 2:       Boot Failure Kernel Panic

Figure 3:       GRUB Boot Menu

Figure 4:       Edit GRUB Boot Menu

Figure 5:       Successful Boot

Figure 6:       Edit GRUB Configuration

Figure 7:       RFC 1918 Private Address Space

Figure 8:       LAN Configuration Section

Figure 9:       Web GUI Password Prompt

Figure 10:       Web GUI Status Page

Figure 11:       Internet Traffic Graph

Figure 12:       WAN Protocol Selection

Figure 13:      WAN Static Address Configuration

Figure 14:       OpenWrt Firewall Allow GUI

Figure 15:       DDNS Configuration

List of Tables

Table 1:      SecureOffice Default Settings

1      SecureOffice Copyright and Licensing

Licensing terms for SecureOffice and applications are available in the licensing section. In summary, the licensing terms state that you acknowledge and agree that you:

  • Will not remove or alter any copyright notices from any files.
  • Will respect licensing and copyright terms of OpenWrt distribution and all packages, including those that are installed later.
  • Will not re-brand or claim the work as your own.
  • Will not re-distribute SecureOffice or any portion thereof by any manner, including by publishing, download or on any media.
  • Any portion of SecureOffice, including premium applications not copyrighted by others or not a standard part of OpenWrt, FreeSwitch, FusionPBX or VmWare is copyright the owner of SecureOffice.
  • The copyright grants usage but not ownership rights to a single user on a single PC, per installation.
  • Legal entities (corporations, etc) requiring site / volume licenses for their own use can download and use as many copies of the free portion of SecureOffice as required.

The developers of SecureOffice stand on the shoulders of giants and owe a huge debt of respect and gratitude (and do not take credit) to all opensource (monopoly breakers) developers. In particular: the OpenWrt, FreeSwitch and FusionPBX teams.

SecureOffice contains copyrighted enhancements / material that may be "of use" to the projects above and developers may wish to incorporate them. Should team members of the above projects be interested in incorporating copyrighted SecureOffice enhancements into the above projects, it is the intent of the developer of SecureOffice to be liberal in granting copyright waivers. Contact us if interested.

When volumes warrant, the SecureOffice copyright owner is willing to discuss allowing VAR's (Value Added Retailers) and PC / HTPC manufacturers to sell and distribute pre-installed SecureOffice systems. Further, it is intended to sell pre-installed systems for customers without the time, expertise or patience to install SecureOffice. Contact us if interested.

The developers are porting SecureOffice to lower cost MIPS / ARM architectures for the home market. VmWare Workstation is not possible / practical on these architectures. Contact us if interested.

License terms for SecureOffice and applications are available below:

Installation or downloading any portion, including the install script for SecureOffice indicates consent to the licensing terms.

2      Install SecureOffice on Boot Device

Users who purchased hardware (x86_64 or aarch64) with SecureOffice pre-installed can skip ahead to Configure OpenWrt Router.

These instructions are for installing SecureOffice on real hardware. If hardware is not yet available, or if you want to evaluate SecureOffice with zero hardware cost, you can install SecureOffice as a virtual machine or create a SecureOffice USB boot disk. When real hardware is available, SecureOffice configuration can be backed up and restored to real hardware.

It is assumed (from Tools for Initial SecureOffice Install) that one of the following Linux system options is available for installation:

Note that Sme-Server (recommended VM for service provision using licensed VmWare Workstation application) can also be used as the Linux system for initial SecureOffice installation. This avoids having to create two Linux virtual machines.

2.1                Install on Target PC Using Rescue USB Boot Disk

  • Connect the chosen boot media (USB, SD, TF, mSATA, SATA) to target PC, using a disk adapter if required.
  • Connect target PC ethernet interface to your LAN.
  • Connect the Linux Emergency Recovery USB Boot Disk to a USB port on the target PC.
  • Connect keyboard and monitor to target PC.
  • Power up target PC, enter BIOS settings (usually by pressing Del or Esc during boot start), select USB as first boot device. Try selecting different USB boot devices until it boots to the System Rescue options screen, like the figure below.
  • At options screen, press enter for default settings, wait for boot complete.
  • Test network connectivity by entering "ping yahoo.com" at command prompt. If there is no response, try another Ethernet interface on the target PC, fix any network connectivity issues before proceeding.
  • Proceed to section 2.5.

Figure 1: System Rescue Boot Options Menu

2.2                Install on Target PC Using SecureOffice USB Boot Disk

  • Connect the chosen boot media (SD, TF, mSATA, SATA) to target PC, using a disk adapter if required.
  • Connect target PC Ethernet interface to your LAN.
  • Connect the SecureOffice USB Boot Disk to a USB port on the target PC.
  • Connect keyboard and monitor to target PC.
  • Power up target PC, enter BIOS settings (usually by pressing Del or Esc during boot start), select USB as first boot device. Try selecting different USB boot devices until it boots to the SecureOffice Grub boot menu (Figure 3).
  • Test network connectivity by entering "ping yahoo.com" at command prompt. If there is no response, try another Ethernet interface on target PC, fix any network connectivity issues before proceeding.
  • Proceed to section 2.5.

2.3                Install on Target Media Using Linux PC

  • Connect chosen boot media (USB, SD, TF, mSATA, SATA) to installation PC, using a disk adapter if required.
  • Connect the installation PC's ethernet interface to your LAN.
  • Connect keyboard and monitor to installation PC.
  • Power up installation PC, wait for boot to complete.
  • Open a shell (terminal) if you are in a GUI such as KDE or Gnome.
  • Test network connectivity by entering "ping yahoo.com" at command prompt. If there is no response, fix any network connectivity issues before proceeding.
  • Proceed to section 2.5.

2.4                Install on Target Media Using Linux VM

  • Installation PC is powered up, keyboard, monitor and internet connected.
  • Connect chosen boot media (USB, SD, TF, mSATA, SATA) to installation PC, using a disk adapter if required.
  • Start Linux VM (virtual machine), wait for boot to complete. A SecureOffice virtual machine can also be used for installation.
  • Select Vmplayer->Removable Devices-><Boot Media Device>->Connect
  • Open a shell (terminal) in the virtual machine if you are in a GUI such as KDE or Gnome.
  • Test virtual machine network connectivity by entering "ping yahoo.com" at command prompt. If there is no response, fix any network connectivity issues before proceeding.

2.5                Optional SSH Into Installation PC

It is assumed that you are at a Linux command prompt on the installation PC.

If you are working at a virtual machine console or the rescue system's console, you most likely cannot paste commands, which is cumbersome. Using an SSH client such as PuTTY to log into the installation machine from another PC remedies this. Note that every step below makes a root login reachable over the LAN, so do this only on a LAN you trust and only for the duration of the install.

  • System Rescue: set a root password with "passwd" (SSH login requires one).
  • System Rescue: open the firewall for SSH. "systemctl stop iptables" at a command prompt disables the firewall entirely; if you know how, allowing only TCP port 22 from your LAN is the tighter option.
  • SecureOffice VM: open the firewall for SSH with "/etc/init.d/firewall stop" at a command prompt (same caveat as above).
  • Determine the IP address with "ifconfig" (or "ip addr show" on systems that no longer ship ifconfig).
  • SSH (from another PC) into the installation machine using PuTTY, logging in as root with the password set above. PuTTY will ask you to accept the host key on first connection; the rescue system generates a fresh key at boot, so this prompt is expected.

2.6                Identify SecureOffice Boot Media Device

It is assumed you are at a Linux command prompt on the installation PC, either directly or using PuTTY.

During boot, Linux enumerates block devices (disks) and assigns them names: "sda, sdb, sdc", etc. The Linux device name of the disk that is intended to become the SecureOffice boot disk needs to be identified.

Enter "dmesg | grep sdX" repeatedly, where X increments through "a", "b", "c", etc., until you identify the correct disk. On most Linux systems, "lsblk -o NAME,SIZE,TYPE,MOUNTPOINT" lists every disk, its partitions and where they are mounted in a single command and is a quicker starting point.

You are looking for a portion of output (from dmesg) of the following form, corresponding to your disk, where XXX is the disk size in GB:

"sd 2:0:0:0: [sdb] 976773168 512-byte logical blocks: (XXX GB/YYY GiB)"

If the size of the target boot disk is unique (only one on installation system with XXX equal to the SecureOffice target boot disk size), this is likely the correct disk (sdb, sdc, etc). Note that "sda" cannot be the correct disk since that contains the OS of the installation system (unless using USB rescue disk).

As a sanity check, to confirm the SecureOffice boot disk candidate is correct, the disk partitions can be inspected using the "fdisk" command ("fdisk -l /dev/disk" prints the same partition table non-interactively and cannot modify the disk).

  • Enter "fdisk /dev/disk" where "disk" is the candidate identified above (sdb, sdc, etc).
  • Enter "p" at the fdisk prompt to display partitions. You will see the partitions for the disk.
  • No partitions indicates an unformatted (or already wiped) disk.
  • Partitions indicate a formatted disk that may hold data.
  • Enter "q" at the fdisk prompt to exit fdisk without writing anything to the disk.

If still uncertain regarding correct disk choice (candidate disk has partitions you are unsure of), another sanity check is to inspect the disk contents.

  • Enter "mount | grep /dev/disk", where "disk" is the candidate (sdb, sdc, etc.), to determine if the disk is mounted and where.
  • If the disk is mounted, you will see output of the form "/dev/sdXY on <some path>", where X is the drive letter (a, b, c) corresponding to the candidate disk and Y is the partition number.
  • If the disk is not mounted (not listed by the mount command above), you can mount it read-only to inspect the contents of each partition, so that inspection cannot alter the disk. Enter "mkdir /tmp/diskY; mount -o ro /dev/diskY /tmp/diskY", where "disk" is the candidate disk (sdb, sdc, etc.), for each partition number (Y) identified by the fdisk command above.
  • To inspect the disk partition contents, enter "ls <some path>" for each mounted partition above. You will see the files on the partition. Ensure (for each partition) they are files you are willing to lose. Unmount anything you mounted ("umount /tmp/diskY") before running the install script, which will repartition the disk.

The disk identified as the SecureOffice boot disk will be re-partitioned and formatted in the next step, wiping out all data on the selected disk. Be certain the disk chosen is the correct disk. Otherwise, at best, you will lose all data on the disk; at worst, you will wipe out the installation PC operating system. Recovery from this disaster is left as an exercise for the reader.
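
The checks above can be scripted so that a wrong device name is refused before anything is written. The following is an added example, not part of the SecureOffice installer or documentation: it takes the output of "lsblk -rno NAME,TYPE,SIZE,MOUNTPOINT" (assumed available on the installation PC) and accepts a candidate only if it is a whole disk, is actually present, and neither it nor any of its partitions is mounted. The sample lsblk output embedded below is constructed for the dry run.

```shell
#!/bin/sh
# Added example (not SecureOffice tooling): refuse to treat a disk as the
# install target unless it is a whole disk, is present, and has no mounted
# partitions. Works on the output of:  lsblk -rno NAME,TYPE,SIZE,MOUNTPOINT
# Real use:  check_target sdb "$(lsblk -rno NAME,TYPE,SIZE,MOUNTPOINT)"

# Constructed sample lsblk output: sda carries the installation PC's OS,
# sdb is the blank target disk, sdc is a USB stick that is still mounted.
SAMPLE='sda disk 238.5G
sda1 part 512M /boot/efi
sda2 part 238G /
sdb disk 465.8G
sdc disk 14.9G
sdc1 part 14.9G /media/usb'

# check_target NAME LSBLK_TEXT -> returns 0 if NAME is safe to wipe, 1 otherwise,
# and prints the reason either way.
check_target() {
    printf '%s\n' "$2" | awk -v dev="$1" '
        # the candidate must appear as a whole disk, not as a partition
        $1 == dev && $2 == "disk" { found = 1; size = $3 }
        $1 == dev && $2 != "disk" { print dev ": is a " $2 ", not a whole disk"; bad = 1 }
        # the disk itself or any partition of it (sdb, sdb1, ...) with a mount point is in use
        index($1, dev) == 1 && NF >= 4 { print dev ": " $1 " is mounted at " $4; bad = 1 }
        END {
            if (!found) { print dev ": not present as a disk"; exit 1 }
            if (bad) exit 1
            print dev ": " size " whole disk, nothing mounted, OK to wipe"
        }'
}

# Stand-alone run against the constructed sample; pass a device name to check another.
check_target "${1:-sdb}" "$SAMPLE"
```

With the real lsblk output substituted for SAMPLE, the disk holding the installation OS is rejected because its root partition is mounted, and a device name that does not exist (a typo such as "sbd") is rejected as not present, which is exactly the mistake the warning above is about.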

2.7                Install SecureOffice to Boot Media

The SecureOffice operating system (pre-configured OpenWrt) is installed by downloading and running an installation script on the Linux installation PC. During installation, you must agree to SecureOffice licensing terms before proceeding with installation.

Disk technical notes:

Installation will result in four partitions on the target disk:

  • /dev/sdX1 - Boot Partition, ext2, active
  • /dev/sdX2 - Root filesystem, ext4
  • /dev/sdX3 - Swap partition (8GB)
  • /dev/sdX4 - Data partition, ext4, (Total disk size minus 16 GB)

The size of partitions 1 plus 2 is 8GB, more than adequate for installing many applications and cannot be changed easily.

The size of the Swap (sdX3) and Data (sdX4) partitions can be changed by using fdisk to delete them and create new ones of the desired size and reformatting (mkswap, mkfs.ext4) them. These partitions are initially empty and contain no useful data. Not recommended. The only reasons for modifying partition layout is:

  • multiboot scenarios which are not useful for a server appliance intended to run 24/7.
  • changing the swap partition size.

To install the latest version of SecureOffice, from a Linux command prompt, enter the following commands, in order:

  • "cd /tmp"
  • "wget --no-check-certificate https://rossco.org/Downloads/OpenWrt/do_install.sh"
  • "chmod +x do_install.sh"
  • "./do_install.sh disk" where "disk" is the intended SecureOffice boot disk identified above, for example "sdb".

Security note on the download commands in this section: "--no-check-certificate" makes wget accept any TLS certificate, so anyone positioned between you and the server could substitute a different script, which you then run as root against a disk. The usual reason the flag is needed is a rescue system whose CA bundle or clock is out of date. Try the download without the flag first; if it fails on certificate verification, fix the system date ("date") or the CA certificates rather than skipping verification, and in any case read the downloaded script ("less do_install.sh") before running it.

Previous versions of SecureOffice can be downloaded from here. Choose "<version>/do_install.sh" where <version> is the desired version.

To install a locally archived (previously saved) version of SecureOffice, from a Linux command prompt, enter the following commands, in order:

  • "cd /tmp"
  • "wget --no-check-certificate https://rossco.org/Downloads/OpenWrt/do_install.sh"
  • "chmod +x do_install.sh"
  • "./do_install.sh <disk> <image>" where "<disk>" is the intended SecureOffice boot disk identified above, for example "sdb" and "<image>" is the full path to a previously saved zipped SecureOffice archive (eg: /<path>/SecureOffice-x86_64.img.gz).

SecureOffice will be installed on the target disk. It will take some time to download and complete, depending on disk size and speed. The script will inform you of success / failure and the disk will be synced and unmounted when complete. Do not remove the target disk prior to script completion, or abort the script, else, the target disk will be corrupted. If you do so, run the script again. Be patient.

If SecureOffice was not installed using the target PC / HTPC, remove the target disk from the installation PC and install it on the (unpowered) target PC / HTPC.

If SecureOffice was installed on the target PC / HTPC using a rescue or other Linux USB boot disk, power down or reboot the target PC / HTPC and remove the USB boot disk.

3      Initial SecureOffice Boot

SecureOffice has undergone a major update and any IP addresses and versions in the following figures may not be current and can be ignored.

It is assumed that the SecureOffice PC / HTPC is powered off.

  • Connect a standard PC monitor to SecureOffice VGA or HDMI port. The monitor must be connected prior to SecureOffice boot, to be recognized by the BIOS. A reboot is required should the video interface be changed (VGA <--> HDMI).
  • Connect a standard PC keyboard to one of the SecureOffice USB ports.
  • Connect an Ethernet cable from your LAN to SecureOffice PC / HTPC.
  • Power on SecureOffice PC / HTPC.

3.1                Configure Boot Device

It is suggested that all disks intended to be used for normal SecureOffice operation be installed prior to this step, otherwise, it may have to be repeated. For example, if booting from mSATA with a SATA disk for data and virtual machine storage (recommended configuration), both disks should be installed at this point. Any temporary disks such as USB flash drives which will not be part of normal SecureOffice operation should be disconnected, lest they affect BIOS disk enumeration and boot disk selection.

SecureOffice (assuming BIOS capability) is capable of using different boot disks such as SATA, mSATA, TF, SD, USB Flash and hard disks. The disks are enumerated by BIOS at boot and, the correct boot disk must be selected by the bootloader (GRUB) in order to boot.

The boot disk is specified in the form /dev/sdX2, where "X" is a, b, c, etc., the order which BIOS enumerates the disks. "sdX2" is the root filesystem partition.

The easiest way to select the proper boot disk is to power on SecureOffice, determine if boot results in a Kernel Panic, as shown in the screenshot below. If more disks are added to SecureOffice in the future, this may alter the BIOS disk enumeration order and this boot device configuration procedure may need to be repeated.

Figure 2: Boot Failure Kernel Panic

If you see the boot process stopped with console output similar to the above screenshot, this means an incorrect boot device is configured and boot device configuration must be performed. This is done by editing the GRUB bootloader settings at boot.

To change the boot device configuration, cycle power (or reset) SecureOffice and, when the GRUB boot menu shown below (Figure 3) appears, press "e" (no quotes) to open the GRUB edit screen used for recovery (Figure 4).

Figure 3: GRUB Boot Menu

Figure 4: Edit GRUB Boot Menu

The easiest, surest way to configure the correct boot device is to iteratively use the following algorithm until the proper boot device is found.

  • Power SecureOffice off / on.
  • Press "e" at the GRUB menu above, to get into GRUB edit mode.
  • Edit the boot device (root=/dev/sdX2) starting with X=a (sda2) and incrementing a->b, b->c at each boot failure.
  • Press F10 to boot with the new setting.
  • If the boot device is correct, you will see the screen pause at "ethX: Link becomes ready" Press enter and, you will see a screenshot similar to below. Make note of the proper boot device (/dev/sdX2), you will need it later. The boot device selection algorithm is complete.
  • If boot failure, start this algorithm again, incrementing the boot device (a, b, c, etc) selected.

Figure 5: Successful Boot

After successful boot, the boot device configuration (/dev/sdX2) must be made permanent by editing the GRUB bootloader configuration file to use the device identified by the above selection algorithm. Enter the Linux commands below, pressing enter after each line. Do not enter any text surrounded by ().

  • "mount /dev/sdX1 /mnt/boot" (X is the boot drive letter: a, b, c, ... identified above)
  • "nano /mnt/boot/boot/grub/grub.cfg" (edit GRUB bootloader configuration file)

Since this is the first mention of the nano editor, if required, usage instructions can be found by following the link.

You will see something like the screenshot below.

Figure 6: Edit GRUB Configuration

Using the cursor, backspace keys, change both occurrences of "root=/dev/sdX2", where X may be a, b, c, etc. to the correct X as determined by the boot drive selection algorithm above. For example, if the boot drive was determined as "/dev/sdb2", the two entries would be changed to "root=/dev/sdb2". Type CTL+o (together) to save changes. Type CTL+x (together) to exit. Type "reboot" or, cycle SecureOffice power to re-boot.

If SecureOffice boots correctly (observe OpenWrt splash screen and command prompt after pressing Enter, as shown in the above figure "Successful Boot"), this configuration step is complete. If not, you must go back, verifying the steps and correcting any errors.

If disks are later added to SecureOffice (and are still present at the next boot), this may alter the BIOS disk enumeration order, causing a boot failure (Kernel Panic) that will require the above boot disk configuration procedure to be repeated.

If a disk such as a USB flash drive is temporarily present at boot, this may alter the BIOS drive enumeration (/dev/sdX) and cause a boot failure. To remedy this, remove the temporary disk, reboot and then connect the disk if still required.

Both problems come from naming the root partition by enumeration order. The kernel also accepts "root=PARTUUID=<id>", where <id> is the partition identifier printed by "blkid /dev/sdX2" on the installation PC (or any full Linux system); upstream OpenWrt x86 images use this form. It identifies the partition by its own ID rather than by which /dev/sdX the BIOS assigns, so putting it in grub.cfg in place of "/dev/sdX2" avoids having to repeat this procedure when disks are added or removed.
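
The grub.cfg edit above is small but easy to get half right (one of the two entries changed, or a stray character). The following is an added example, not SecureOffice's own tooling: a shell function that rewrites every "root=/dev/sdX2" entry in a grub.cfg, after taking a backup and refusing to edit unless it finds exactly the expected number of entries (two in the SecureOffice grub.cfg, per the text above). It accepts either a "/dev/sdX2" value or a "PARTUUID=<id>" value. The path /mnt/boot/boot/grub/grub.cfg is the one from the procedure above; the grub.cfg used for the dry run at the bottom is constructed for this example.

```shell
#!/bin/sh
# Added example (not SecureOffice tooling): make the boot device choice
# permanent by rewriting every root=/dev/sdX2 entry in grub.cfg, with a backup
# and a count check. On SecureOffice, after "mount /dev/sdX1 /mnt/boot":
#   set_grub_root /mnt/boot/boot/grub/grub.cfg /dev/sdb2
#   set_grub_root /mnt/boot/boot/grub/grub.cfg PARTUUID=<id from blkid>

# Matches root=/dev/sdX<n> or root=PARTUUID=<id>. Extended regex, so the same
# pattern works for GNU grep/sed (installation PC) and BusyBox grep/sed (OpenWrt).
ROOT_RE='root=(/dev/sd[a-z][0-9]|PARTUUID=[-0-9A-Fa-f]+)'

# set_grub_root FILE NEWROOT [EXPECTED_COUNT] -> 0 on success, 1 if refused
set_grub_root() {
    cfg=$1
    newroot=$2
    expected=${3:-2}   # SecureOffice grub.cfg has two menu entries

    [ -f "$cfg" ] || { echo "no such file: $cfg" >&2; return 1; }

    count=$(grep -Ec "$ROOT_RE" "$cfg" || true)
    if [ "$count" -ne "$expected" ]; then
        echo "found $count root= entries, expected $expected; not editing $cfg" >&2
        return 1
    fi

    cp "$cfg" "$cfg.bak" || return 1
    # '#' as the sed delimiter keeps the slashes in /dev/sdb2 out of the expression.
    sed -E -i "s#$ROOT_RE#root=$newroot#g" "$cfg" || return 1
    echo "rewrote $count root= entries in $cfg to root=$newroot (backup: $cfg.bak)"
}

# show_grub_root FILE -> prints the root= value of every entry, for a final check
show_grub_root() {
    grep -Eo "$ROOT_RE" "$1"
}

# Dry run on a constructed grub.cfg (not the real file) in a temporary location.
demo=$(mktemp)
cat > "$demo" <<'EOF'
menuentry "OpenWrt" {
        linux /boot/vmlinuz root=/dev/sda2 rootfstype=ext4 rootwait console=tty0 noinitrd
}
menuentry "OpenWrt (failsafe)" {
        linux /boot/vmlinuz failsafe=true root=/dev/sda2 rootfstype=ext4 rootwait console=tty0 noinitrd
}
EOF
set_grub_root "$demo" "${1:-/dev/sdb2}" && show_grub_root "$demo"
```

Run "show_grub_root" on the real file before rebooting; both lines must show the same root value. If the count check refuses to edit, the file is not the one this procedure expects and should be looked at in nano rather than edited blind.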

4      Configure OpenWrt Router

The initial installation of SecureOffice is a fully configured version of OpenWrt, usable as a high performance (free) router.

At first boot, the default SecureOffice configuration is suitable for most users, allowing many of the following sections to be skipped until necessary.

Setting             | Default                   | Section                          | When to change
--------------------|---------------------------|----------------------------------|--------------------------------------------------------------------
Root password       | admin_54321               | Set OpenWrt Root Password        | Final site security.
Topology            | WAN                       | Configure WAN Network Topology   | Default, unless SecureOffice is not the primary router.
LAN IP Address      | 192.168.10.1              | Configure LAN Ethernet Interface | If you want to retain static IP addresses of devices on the existing LAN.
WAN IP Address      | DHCP                      | Configure WAN Ethernet Interface | If your modem connection to the internet is not DHCP.
WiFi SSID, Password | SecureOffice, admin_54321 | Configure WiFi                   | Final site security.

Table 1: SecureOffice Default Settings

If the default settings are acceptable, SecureOffice is ready to use as a router / gateway, with access to the following functionality, assuming the WAN and LAN network interfaces are connected:

If using LAN Topology with only one ethernet port, access to the OpenWrt web GUI and secure shell access must be enabled by following Configure LAN Network Topology.

Unless already familiar with how to test WAN, LAN network connectivity and connect to SecureOffice / OpenWrt, it is suggested that any skipped sections be reviewed and understood, for instructions.

Once network connectivity is tested and established, if intending to host internet services, such as websites or IOT services, skip ahead to Configure Dynamic DNS. Otherwise, follow applicable instructions in Securing Your Site and enjoy this free, secure, state of the art, high performance router / gateway.

(Optional) Once SecureOffice is installed (real hardware or virtual machine) and you have an active domain name and DNS provider, SecureOffice must be configured to use it. This is necessary for access to the custom repository and premium packages. It is crucial to perform this step prior to registering SecureOffice (System->Licensing->Registration). For example, if your domain is "mydomain.com" and your LAN address is "192.168.10.1" (default), enter the following at a SecureOffice command prompt (real hardware or, within virtual machine):

"echo 192.168.10.1 mydomain.com >> /etc/hosts"

replacing "192.168.10.1" and "mydomain.com" with your LAN address and your domain respectively. Check the result with "cat /etc/hosts" before registering, since a mistyped entry changes how the router itself resolves that name.

(Optional) To access premium packages, including custom applications and additional installation scripts (from HowTo's), it is necessary to pay a small annual access fee to cover development, maintenance and distribution costs. Instructions for accessing premium content and packages are available here.

Any applications, troubleshooting, HowTo's or configuration that is not covered by basic SecureOffice documentation is available by searching the OpenWrt documentation or forum. For the most part, unless otherwise stated in this documentation, SecureOffice and applications are standard and configured using standard OpenWrt / Linux methods.

4.1                OpenWrt Local Console Access

Until the OpenWrt network is configured (allowing command line SSH access from LAN using PuTTY and / or browser access to GUI), a monitor and keyboard are required to access the OpenWrt (Linux) command prompt.

  • Connect a monitor to the SecureOffice VGA or HDMI video port.
  • Connect a keyboard to a SecureOffice USB port.
  • Turn off /on (or, enter "reboot" at the command prompt) SecureOffice.
  • Wait until you see "ethX: Link becomes ready".
  • Press "Enter" key and, you will see a display like "Successful Boot" figure above.

4.2                Set OpenWrt Root Password

The default root (user) password for LAN SSH console access and OpenWrt web configuration GUI is "admin_54321". It is highly recommended to change this password for security considerations.

The OpenWrt / SecureOffice command prompt may be accessed via SSH (example: PuTTY client) from a PC on the SecureOffice LAN or, using a monitor / keyboard.

It is highly recommended that the root password be at least 8 characters long (longer is better) and include at least one each of: an upper case letter, a lower case letter, a number and a symbol (such as "(", "{", "[", "+"), with no spaces. This single password protects both SSH and the web GUI.

If the OpenWrt network has been configured, the OpenWrt root password can be changed remotely, using SSH or web GUI configuration.

Type the following commands (within " ") followed by Enter at the command prompt.

  • Type "passwd" (you will see "Changing password for root").
  • Type your new password (characters are not displayed).
  • You may see "Bad password: (some reason)". This is a warning from the password strength checker. You may keep the password anyway, or press CTL+c (together) to abort and start again.
  • At "Retype password:", type your new password again to confirm.
  • On success you will see "Password for root changed by root"; otherwise, keep trying until both entries match and are the password you chose.
  • Record your root password somewhere safe for future reference.
  • If the root password is ever forgotten, connecting a monitor and keyboard to SecureOffice is the easiest recovery: access using the local console requires no password, so this procedure can be repeated at any time to set a new one. The flip side is that anyone with physical access to the console has root, so the machine itself must be physically secured.

4.3                Basic Network Configuration

It is assumed that the pros / cons of installing SecureOffice as your main router (WAN Topology) or, as a server on your LAN (LAN Topology) using your existing router has been considered and, a choice made by considering WAN versus LAN topology.

The network topology choice affects how SecureOffice is physically connected to the network and how network interfaces are configured.

Independent of whether the network is configured using the OpenWrt web GUI (browser on a PC) or using command line, the Network is configured by altering the contents of file "/etc/config/network". This section is solely concerned with basic ethernet interface configuration, setting IP addresses and how they are acquired for the LAN and WAN ethernet interfaces.

Configuration uses a combination of command line and web browser GUI. There are many other aspects of the network that can be configured, such as IPV6, VLANs and VPN that are not discussed here. Configuration will be done using IPV4 addresses. A full reference for network configuration possibilities is available in the OpenWrt network documentation.

4.4                Configure WAN Network Topology

SecureOffice is connected directly to the internet using a Cable / DSL modem or other device. The following information is required for WAN configuration:

  • How your internet connection is accessed. Your internet provider can provide this. Examples are DSL (modem connects to phone line) and Cable (modem connects to coaxial - round cable).
  • Any login credentials (userID, password) and settings required for connecting to the internet, provided by your internet provider.
  • Many modern cable modems are configured by your ISP, requiring no login credentials and automatically provide the WAN IP address to SecureOffice using DHCP.

Devices on your local network such as PC's, Tablets, IP cameras are connected to SecureOffice LAN, wired or wireless.

4.4.1      Configure LAN Ethernet Interface

The default settings for SecureOffice LAN (eth0) are: Protocol: Static, IP Address: 192.168.10.1, NetMask: 255.255.255.0, DHCP Server: Enabled.

For new installations, it is recommended to keep the default settings. One reason for not using a common LAN address such as 192.168.1.1 is that it will likely cause IP address conflicts when SecureOffice is used as a VPN server and you connect remotely from public WiFi hotspots, which frequently use that same range.

When replacing an existing router, especially if your LAN has devices with static IP addresses, it is initially easiest to use the same LAN settings as the router being replaced, otherwise, you will have to change all existing static IP address assignments to be within the SecureOffice LAN address range.

If the default LAN settings are acceptable, skip to the next step, "Configure WAN Ethernet Interface".

The chosen LAN address must fall within the RFC 1918 Private Address space.

Figure 7: RFC 1918 Private Address Space

Using command line access, enter the following commands to change the LAN configuration section of /etc/config/network, shown below:

    config interface 'lan'
        option ifname 'eth0'
        option type 'bridge'
        option proto 'static'
        option ipaddr '<desired LAN address>'
        option netmask '<desired netmask>'
        option dns '<desired LAN address>'
        option ip6assign '60'

Figure 8: LAN Configuration Section

  • type "nano /etc/config/network"
  • change only the following entries: "option ipaddr '<desired LAN address>'", "option dns '<desired LAN address>'" and "option netmask '<desired netmask>'". For most users (a moderate size LAN, 253 device addresses), the default netmask of "255.255.255.0" is adequate.
  • type "CTL+o" to save the file and "CTL+x" to exit.
  • type "/etc/init.d/network restart" for the new settings to take effect. (/etc/config/network is the configuration file, not a script; the init script under /etc/init.d is what restarts the network.)

Important: If you remotely change the LAN address using a SSH console or OpenWrt web GUI, you will lose network connectivity and must reconnect using the new LAN address.
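
OpenWrt also exposes these settings through its "uci" command line tool, which avoids hand-editing the file and lets the change be checked first. The following is an added example, not part of the SecureOffice documentation: it validates a proposed LAN address against the RFC 1918 ranges (10/8, 172.16/12, 192.168/16) in plain sh/awk, and only if it passes prints the uci commands that set the same three fields as the nano procedure above (ipaddr, netmask, dns) and restart the network. The 192.168.20.1 used in the dry run is an assumed example address.

```shell
#!/bin/sh
# Added example (not SecureOffice tooling): check a proposed LAN address is
# RFC 1918 private space, then emit the OpenWrt uci commands that apply it.
# Pipe the output to "sh" on SecureOffice to apply; run from the local console
# or expect your SSH session to drop and reconnect on the new address.

# is_rfc1918 ADDR -> 0 if ADDR is a valid dotted quad in 10/8, 172.16/12 or 192.168/16
is_rfc1918() {
    echo "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
        $1 == 10                              { exit 0 }
        $1 == 172 && $2 >= 16 && $2 <= 31     { exit 0 }
        $1 == 192 && $2 == 168                { exit 0 }
        { exit 1 }'
}

# lan_uci_commands ADDR [NETMASK] -> prints the commands; returns 1 and prints
# nothing if ADDR is outside RFC 1918 space (netmask defaults to /24 as in Table 1)
lan_uci_commands() {
    addr=$1
    mask=${2:-255.255.255.0}
    if ! is_rfc1918 "$addr"; then
        echo "$addr is not an RFC 1918 private address; refusing" >&2
        return 1
    fi
    cat <<EOF
uci set network.lan.ipaddr='$addr'
uci set network.lan.netmask='$mask'
uci set network.lan.dns='$addr'
uci commit network
/etc/init.d/network restart
EOF
}

# Dry run with an assumed example address; nothing is applied unless piped to sh.
lan_uci_commands "${1:-192.168.20.1}"
```

"uci commit network" writes /etc/config/network in the same format as the section shown above, so the file can still be inspected with "cat /etc/config/network" afterwards, and a typo such as 172.32.0.1 (just outside 172.16/12) is caught before the router is reconfigured onto a public range.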

4.4.2      Configure WAN Ethernet Interface

Now that SecureOffice LAN is configured, the OpenWrt web GUI can be used to configure the WAN (eth1) Internet interface.

From a PC on the same LAN as SecureOffice, enter the configured LAN address (default 192.168.10.1) into your web browser address field and press enter. SecureOffice will prompt for your root password, as shown below. You may be asked to accept a security exception because the web GUI uses a self-signed HTTPS certificate; this is expected on a fresh install, but it also means the browser cannot verify the router's identity until a proper certificate is installed (see Free and Automatic Renewing SSL Certs).

Figure 9: Web GUI Password Prompt

Type your root password (default: "admin_54321", you should have previously configured a new one) and press enter. You will see the main router status page, a portion of which is shown in the screenshot below.

Figure 10: Web GUI Status Page

Navigation to a particular configuration section in subsequent instructions will be of the form: "Tab1->Tab2->Tab3, etc". For example: "Status->Realtime Graphs->Traffic->eth1" will show the network traffic for eth1 (WAN, Internet), as shown below:

Figure 11: Internet Traffic Graph

Using the web GUI, select "Network->Interfaces->WAN". The Protocol dropdown field will allow you to select your Internet connection type and other tabs will allow you to configure your WAN (Internet) interface as required by your ISP (Internet Service Provider). WAN interface types are shown in the screenshot below:

Figure 12: WAN Protocol Selection

It is easiest to copy the settings from your existing router, or, do an internet search: "your internet provider connection setup", or consult your internet provider (help pages, tech support). Another option is to search "OpenWrt 'your internet provider'" since SecureOffice uses standard OpenWrt and, odds are, given the widespread popularity of OpenWrt, many customers of your internet provider are already using OpenWrt.

After making changes, click the "Save & Apply" button in the web GUI to save changes.

To verify WAN settings, enter "ping yahoo.com" from a command prompt (console, or, via SSH client). Either a response will come from the site, or a failure message will be displayed. Keep researching and altering WAN settings until you get a ping response, for example:

"PING yahoo.com (206.190.36.45): 56 data bytes" and "64 bytes from 98.139.183.24: seq=0 ttl=53 time=34.677 ms"

If all else fails, contact your ISP technical support department.

4.5                Configure LAN Network Topology

SecureOffice will be connected to the internet through your existing router, as a device or virtual machine with a static IP address on your existing LAN. Any virtual machines / devices providing public services hosted by SecureOffice must also have static LAN IP addresses. The SecureOffice WAN interface will be connected to your LAN using an interface on your existing router. The SecureOffice LAN interface (if two or more ethernet interfaces) is left disconnected and not used, unless another private LAN is required for other uses, outside of the scope of this document.

When using LAN Topology, the existing router must provide the following functionality:

  • If you are using SecurePBX: Firewall, TCP/UDP ports 5060 to 5880 (SIP), UDP ports 49152 to 65535 (RTP) must be forwarded to the static WAN IP address of SecureOffice.
  • If other public services are configured for SecureOffice, the required ports must be forwarded to the static IP address of the server providing the service on the router firewall. For example, websites and email server virtual machines.
  • Dynamic DNS client (unless DDNS is handled by SecureOffice), configured with domain name(s) if you have public services such as external SecurePBX extensions (SIP phones), IOT or email or web servers.
  • It is beyond the scope of this document how to configure your existing router, although the DDNS section may be helpful.

SecureOffice in LAN topology must be configured with a static WAN IP address outside of the DHCP assignment range of the router, but within LAN address space of your existing router.

Determine the address of your existing router (usually the IP address that you use to access its web configuration page).

Access the configuration page of your existing router to determine the existing LAN subnet (eg: 255.255.255.0), DHCP address assignment range, for example 192.168.1.100 to 192.168.1.250.

With the above information, choose a static WAN IP address for SecureOffice outside of the router DHCP assignment range, not ending with the router base (.1) or broadcast (.255) addresses, and not yet assigned (unique) on your LAN. For example: 192.168.1.20 or 192.168.1.251.

Using console command line access mode (monitor / keyboard or SSH client), edit "nano /etc/config/network" and change the wan configuration section to read as follows, then, save:

  • config interface 'wan'
  • option proto 'static'
  • option ifname 'eth1' (eth0 if single ethernet interface hardware)
  • option ipaddr 'the_LAN_address_you_chose_above'
  • option netmask '255.255.255.0' (or, if your LAN has a different size subnet, as appropriate, from existing router configuration)
  • option gateway 'the address of your existing router', for example 192.168.1.1
  • option dns 'the address of your existing router'

config interface 'wan'
	option proto 'static'
	option ifname 'eth1'
	option ipaddr '192.168.1.20'
	option netmask '255.255.255.0'
	option gateway '192.168.1.1'
	option dns '192.168.1.1'

Figure 13: WAN Static Address Configuration

By default, access to the SecureOffice web configuration GUI and secure shell access using the WAN interface is disabled by the OpenWrt firewall. For LAN topology (since your existing router firewall is protecting SecureOffice), firewall rules must be added to allow access. IMPORTANT: If you later change to WAN topology, these rules must be deleted, else SecureOffice / OpenWrt configuration GUI and shell will be accessible from the internet, a huge security risk.

Using console command line access mode (monitor / keyboard or SSH client), edit "nano /etc/config/firewall" and scroll (down arrow key) to the end of the file. Enter the information shown below, then save and exit ("CTL+o", "CTL+x").

config rule
	option target 'ACCEPT'
	option src 'wan'
	option proto 'tcp'
	option dest_port '80'
	option name 'allow-http'

config rule
	option target 'ACCEPT'
	option src 'wan'
	option proto 'tcp'
	option dest_port '443'
	option name 'allow-https'

config rule
	option target 'ACCEPT'
	option src 'wan'
	option proto 'tcp udp'
	option dest_port '22'
	option name 'allow-ssh'

Figure 14: OpenWrt Firewall Allow GUI

Enter "/etc/init.d/firewall restart" and then "ifup wan" to apply the above configuration changes.

Edit file "/etc/config/dropbear" and change line "option Interface 'lan'" to "#option Interface 'lan'" (comment line) so dropbear listens on all interfaces. Enter "/etc/init.d/dropbear restart" to apply the changes.
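The IMPORTANT note above (the allow-from-wan rules must be removed when moving to WAN topology) is easy to forget. The following added check, which is not part of the SecureOffice guide or of OpenWrt, parses the UCI firewall file for rules that ACCEPT from the wan zone and warns when the WAN address is public rather than RFC 1918 private. The sample firewall file and the public address 203.0.113.5 (documentation range) are constructed for the demo.

```shell
# Added example (not part of the SecureOffice guide): find firewall rules that
# ACCEPT from the 'wan' zone (the LAN-topology allow-http/https/ssh rules) and
# warn when the WAN address is public, i.e. the rules now expose GUI and SSH.

# 0 if $1 is an RFC 1918 private IPv4 address, 1 otherwise.
is_private_ipv4() {
    case "$1" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the name of every 'config rule' in UCI file $1 whose src is 'wan'
# and whose target is 'ACCEPT', one per line.
wan_accept_rules() {
    awk -v q="'" '
        function flush() {
            if (in_rule && v["src"] == "wan" && v["target"] == "ACCEPT")
                print (("name" in v) ? v["name"] : "(unnamed)")
            in_rule = 0; split("", v)
        }
        /^[ \t]*config[ \t]+rule/ { flush(); in_rule = 1; next }
        /^[ \t]*config[ \t]/      { flush(); next }
        in_rule && $1 == "option" { gsub(q, "", $3); v[$2] = $3 }
        END { flush() }
    ' "$1"
}

# Audit firewall file $1 against WAN address $2: returns 0 when the rules are
# safe behind an existing router (private WAN), 1 when a public WAN is exposed.
audit_wan_exposure() {
    rules=$(wan_accept_rules "$1" | tr '\n' ' ')
    [ -z "$rules" ] && { echo "no ACCEPT-from-wan rules: nothing exposed"; return 0; }
    if is_private_ipv4 "$2"; then
        echo "WAN $2 is private (LAN topology); rules '$rules' sit behind your router"
        return 0
    fi
    echo "WARNING: WAN $2 is public but rules '$rules' accept from wan; delete them"
    return 1
}

# Constructed sample config (two rules from the guide plus a LAN-only rule);
# prints the path of a temp file holding it.
write_sample_firewall() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
config rule
	option target 'ACCEPT'
	option src 'wan'
	option proto 'tcp'
	option dest_port '443'
	option name 'allow-https'
config rule
	option target 'ACCEPT'
	option src 'wan'
	option proto 'tcp udp'
	option dest_port '22'
	option name 'allow-ssh'
config rule
	option target 'ACCEPT'
	option src 'lan'
	option proto 'udp'
	option dest_port '53'
	option name 'lan-dns'
EOF
    echo "$f"
}

# Demo: a LAN-topology address passes, a constructed public address warns.
# On a live box use /etc/config/firewall and the address shown by "ifconfig eth1".
SAMPLE=$(write_sample_firewall)
audit_wan_exposure "$SAMPLE" 192.168.1.20
audit_wan_exposure "$SAMPLE" 203.0.113.5 || echo "(exit status 1, as expected)"
rm -f "$SAMPLE"
```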

After the above changes for LAN topology, SecureOffice can be accessed from devices on the LAN:

  • (LAN Topology) Remote access to SecureOffice from local LAN for SSH console and file transfers. Use <WAN IP Address> for access. SecureOffice WAN port must be connected to existing LAN.
  • (LAN Topology) Remote access to SecureOffice Luci web GUI (https://<WAN IP Address>) for status / configuration. SecureOffice WAN port must be connected to existing LAN.

SecureOffice should now be visible on your LAN. To test this, from SecureOffice console, enter "ping <the address of your router>". A valid reply should be received. If not, follow the troubleshooting steps below. Note that ping runs continuously and can be stopped by entering "CTL+c" (together) from the console.

To verify SecureOffice WAN internet settings, enter "ping yahoo.com" or another website on the internet from a SecureOffice command prompt (console, or, via SSH client). A response should come from the site, or, a failure message will be displayed. Keep researching and altering WAN ("/etc/config/network") settings until you get a ping response. Example:

"PING yahoo.com (206.190.36.45): 56 data bytes" and "64 bytes from 98.139.183.24: seq=0 ttl=53 time=34.677 ms".

The SecureOffice GUI configuration page should now be accessible from your LAN. To test this, enter the configured SecureOffice WAN address (WAN_address_you_chose_above) into a web browser address field and confirm the SecureOffice web configuration page (login first) is displayed.

Possible ping failure reasons are:

  • The assigned SecureOffice WAN IP address is not unique on your LAN. To check this, disconnect the SecureOffice WAN interface from your LAN and "ping <WAN_address_you_chose_above>". If there is a valid response, choose another (unique to your LAN) WAN address and try again.
  • Your hardware has more than one ethernet interface and you configured the wrong one. Single ethernet interface systems have only eth0 which must be assigned to the WAN. For dual ethernet interface systems, eth0 is LAN and eth1 is WAN. To test this, connect the Ethernet cable to the other interface and try again.

If all else fails, search the internet for "openwrt" together with a short description of the problem.

Note: if your existing router is not capable of being a DDNS client, and you require DDNS, it is possible to configure DDNS to be a client from SecureOffice on the LAN, as explained in the DDNS configuration section below.

4.6                Configure WiFi

Default settings for SecureOffice WiFi are:

  • SSID: "SecureOffice" (the name of WiFi network, visible when browsing WiFi, alter to taste)
  • Password: "admin_54321" (change to prevent unauthorized access)
  • Encryption: "psk2" (advanced, do not change unless necessary and you know what you are doing)

OpenWrt provides WiFi configuration instructions and how-tos for setting up various WiFi cards, if the standard SecureOffice WiFi is not supported by your hardware.

TODO: Elaborate, enumerate tested WiFi (5G included) cards and how to use auto-detect and configure script (which is not yet released).

4.7                Configure Dynamic DNS

Dynamic DNS service can be performed by your existing router (LAN Topology, if capable) or SecureOffice (both topologies). Only one DDNS service should be configured to service your entire network.

Dynamic DNS (DDNS) is a service that updates Domain Name System (DNS) entries (on Internet name servers) relating your Domain Name (eg: example.com) to your current IP address (eg: aaa.bbb.ccc.ddd).

Simply put, this service gives a name to your numeric IP address. So, if you're hosting some service on your internet connection, people do not have to bother finding and typing your numeric IP address. They can just type in your domain name. It also helps when your IP address changes (a common occurrence with most internet providers). Users won't need to discover your new IP address, they can simply type your domain name.

You need a DDNS service provider and to configure the service if all of the following conditions are true:

  • You want users on the internet (outside of your LAN) to be able to access your services such as SecurePBX (telephone system), IOT, websites, email and file sharing services you host.
  • Your internet connection does not provide a static (unchanging over time) IP address.

Static IP addresses are a premium service, for which internet providers usually charge extra. If you are considering using a paid DDNS service, it may be worthwhile to weigh the costs of static IP versus DDNS service.

DDNS services may be paid (yearly domain name rental fee) or free.

Paid DDNS services allow you to have a domain name of the form "yourdomain.com". Paid DDNS services such as dyn.com and dynu.com also have the option to set up and pay for the Domain Name "yourdomain.com".

Free DDNS services such as duckdns.org allow you to have a subdomain within their domain such as "yoursubdomain.duckdns.org".

You must pay for your own Domain name and use a paid DDNS Service if you want to have your domain name unique to your site (eg: yourdomain.com) as opposed to a subdomain of a DDNS providers site (eg: yoursubdomain.duckdns.org).

For SecureOffice users who are satisfied with their domain name being a subdomain of a DDNS provider (eg: "yoursite.provider.com"), a free DDNS service is adequate and the expense of renting a domain name can be avoided. You can still provide internet services such as websites, file sharing, email servers, IOT and (encrypted) SecurePBX phone services.

4.7.1      Choose a DDNS Service Provider

Criteria for choosing a DDNS service provider are discussed in Domain Names and DDNS. For now, to be up and running quickly, it is best to use one of the recommended DDNS providers suggested in the previous link and defer final DDNS provider selection / configuration until you have configured and tested all of your internet services and are ready for the final configuration steps in "Securing Your Site".

OpenWrt has comprehensive documentation regarding DDNS Services, including listing DDNS service providers (free, paid) and configuring OpenWrt DDNS.

SecureOffice comes pre-configured for two free DDNS services (dynu.com, duckdns.org) and a paid DDNS service (dyn.com). You must register an account with the chosen DDNS service provider and configure your user credentials. If you prefer a different DDNS provider, choose one by following the instructions in the OpenWrt DDNS services documentation.

Technical Note: With reference to the OpenWrt DDNS documentation above, for SecureOffice all packages required for wget DDNS are already installed, and the modifications for encrypted (SSL) DDNS, including SSL certificate installation for the preconfigured DDNS providers, are already done.

4.7.2      Configure and Enable DDNS Service

Enter the configured SecureOffice LAN address (WAN topology, default: 192.168.10.1) or WAN address (LAN topology) in a browser and click "Services->Dynamic DNS". You will see the screenshot below, with the preconfigured DDNS providers:

Figure 15: DDNS Configuration

Note: OpenWrt DDNS has many options (documented in the OpenWrt DDNS documentation) that are not configurable using the web GUI. To change them, use command line access mode and edit "/etc/config/ddns". This is not necessary if one of the three preconfigured DDNS services is used.

Choose the DDNS service you want.

If you need a unique domain name such as yourdomain.com, dynu.com and dyn.com provide this service.

For duckdns.org (free), login to get an account here. For dyn.com (paid), login to get an account here.

Once you have your domain name and DDNS account credentials for the corresponding provider, fill in the following fields: Hostname, Username, Password and click the Enable checkbox for the selected DDNS service. Click "Save & Apply" to make the changes permanent.

Technical Note: SecureOffice DDNS is configured to function in either (WAN, LAN) topology by doing internet queries to determine the public IP address. For WAN topology, it is possible to use UPnP to eliminate these web queries and speed up DDNS. To enable this, in addition to the DDNS configuration steps above, prior to doing "Save & Apply":

  • edit (nano) "/etc/config/ddns" for the chosen service
  • change "option ip_source web" to "option ip_source network"
  • comment out the "option ip_url" line (add "#" at the beginning of the line) so it reads "#option ip_url http://ipv4.wtfismyip.com/text" or "#option ip_url http://checkip.dyndns.com"
  • Click "Save & Apply" or enter (command line) "/etc/init.d/ddns restart; ifup wan" to have the changes take effect.

The easiest way to test your DDNS settings and new domain name is to use SSH or console access to SecureOffice. Enter the following commands:

  • type "/etc/init.d/ddns enable" (to start DDNS service at boot)
  • type "/etc/init.d/ddns start" (to start DDNS service now)
  • type "ifup wan" (to restart all services on wan / eth1 interface, DDNS included)
  • It may take a few minutes for your domain name to be updated on internet DNS servers
  • type "ping www.yourdomain" (replace yourdomain with the real one), wait for response or failure. Note that "ping yourdomain" is not a valid test since "yourdomain" resolves to a local address on the SecureOffice LAN.
  • If failure, enter "logread | grep ddns" and look for "user.notice ddns-scripts-yourdomain:" messages to debug (logging is enabled in "/etc/config/ddns").
  • type "ifconfig eth1" to determine your WAN (public) IP address (WAN topology only)
  • compare your public IP address to the address from the ping response. If identical, you are done.
  • If all else fails, follow the debugging procedures in the OpenWrt DDNS documentation.

4.8                Configure SecureOffice Domain

This setting is required for the following reasons:

  • Licensing and registration. The license server compares the registered domain (which comes from this setting) IP to the requesting IP address and fails if they are different.
  • DNS for remote services clients. If they are on the local LAN or VPN client, the domain will resolve to the local LAN address. If they are not on the local LAN, DNS will resolve to your public IP address.
  • For example, a SIP Android phone can seamlessly and automatically access SecurePBX as a local WiFi client when home and as a remote client when roaming, without having to change SIP domain settings on the phone.
  • This setting is also used by the custom OpenVpn scripts package for SSL certificate creation.

To change the domain (from SecureOffice command prompt):

  • type "nano /etc/hosts"
  • add a line with the following contents at file end "<LAN_address><space><domain without www>". For example, "192.168.10.1 mydomain.com"
  • From a command prompt enter: "/etc/init.d/dnsmasq restart" to refresh the DNS cache.
  • From a command prompt enter "ping mydomain.com". The response should be from your configured <LAN_address>. If not, recheck configuration and try again.

5      Install Other Services and Applications

Assuming configuration in the applicable previous sections is complete, you now have internet access, a fully functioning (free) high performance router / gateway / WiFi access point (unless using a virtual machine) and are ready to install more applications / services, to customize to meet your requirements, limited only by imagination.

5.1                Other Services and Applications

OpenWrt / SecureOffice has many standard applications that can be downloaded and used for free, such as web, file and media servers, etc. To appreciate the vast number of applications / services available and how to configure them, search the internet for "OpenWrt packages".

Application packages specific to SecureOffice must be installed from the SecureOffice package repositories using the standard OpenWrt package manager. Attempting to use other repositories and installation methods will most likely break your SecureOffice installation (translation: don't even try).

To see a list of packages already installed or available for SecureOffice, use a browser logged into the SecureOffice / OpenWrt web GUI (default: LAN address 192.168.10.1) and navigate to "System->Software". Select "Installed Packages" to view installed packages or "Available Packages" to view available packages.

If not licensed for premium packages / scripts, only free packages will be displayed, otherwise, the full package list will be displayed.

A list of free packages can be viewed online for x86_64 (PC architecture) and aarch64 (AmLogic S9XX architecture).

A list of premium packages can be viewed online for x86_64 (PC architecture) and aarch64 (AmLogic S9XX architecture).

5.2                Requesting Missing Packages and Drivers

The packages available at initial (free) installation should meet the needs of most users, but that is just the opinion of the development team. If some package / driver is currently unavailable, it is the policy of the SecureOffice team to be responsive to user needs. Users can request unavailable packages / drivers in the forum. Requests will be prioritized according to effort required and how many users the requested feature will serve.

If creating the requested package / driver is a simple matter of selecting it in configuration and rebuilding, the intent is to update the SecureOffice package repository on a regular basis, perhaps monthly.

When a package / driver is added to SecureOffice, the repository will be updated and a notice posted in the forum.

5.3                Licensed Services and Applications

Premium applications must be installed using the SecureOffice web GUI, which requires users to register and install the application using the SecureOffice license manager (System->Licensing). Time limited trial (try before buy) licenses are available for premium applications.

5.3.1      About Licensing

Licensed applications and licenses are encrypted and custom created for each user / target hardware / domain and will not work on any other hardware or domain. Further, licenses are verified by an internet license server.

In the unlikely event that your license is compromised and someone else manages to clone / steal your license and break copy protection, pretending to be you, what will happen is:

  • They will have your license (first come, first served)
  • The license manager will detect and refuse duplicate license requests from differing IP addresses.
  • Licenses contain identity information which allows tracking the source of any compromised licenses.

A bounty (free license) is available for any hackers who manage to break copy protection, upon proof and providing technical details.

5.3.2      Secure Telephone System

If you want the economic and / or privacy and security benefits of hosting your own secure phone system, SecurePBX is for you.

5.3.3      Virtual Machine Hosting

If you want the economic, reduced maintenance and security benefits of running standard Linux servers (or any OS, or legacy systems) as virtual machines, VMware Workstation is for you.

5.3.4      Docker Container Support

Provide services using Docker containers such as Home Assistant, NextCloud, etc from a vast array of containers.

5.3.5      Free and Automatic Renewing SSL Certs

If you want the economic, security and reduced maintenance benefits of free, automatically updating SSL certificates, luci-app-nginx-certificates is for you.

5.3.6      Developing Applications and Services

SecureOffice is also an application hosting platform, able to host and copy protect any Linux application / service. Copy protection requires no changes to source code. Application files are encrypted at the binary level and decrypted using public key cryptography by a custom Linux loader at run time.

Developers or enterprises wishing to sell and run their killer application / service for SecureOffice need to meet / agree to the following requirements:

  • If willing, provide source code to allow cross-compiling; a Non-Disclosure Agreement (NDA) will be provided to protect IP.
  • Provide an OpenWrt or Linux Makefile if source code is provided.
  • Alternatively, provide application binaries / files for copy protection and packaging; a Non-Disclosure Agreement (NDA) will be provided to protect IP.
  • Provide file structure / directory list for installation.
  • Alternatively, if providing source code is unacceptable, upon signing an NDA and paying for a copy of the proprietary SecureOffice build virtual machine, you can build your own application and provide binaries, a list of which binaries to protect, plus encryption keys. Alternatively, SSH login credentials / keys can be acquired to remotely use the SecureOffice build system. Another option is to license the IP for copy protection. Contact us for details.
  • The application must have a main executable for copy protection. Any library used by the main executable can also be copy protected.
  • Successfully negotiate income sharing with SecureOffice team.
  • You retain your IP rights.