How to set up a BitBurrow hub
NOTE: THIS SOFTWARE DOES NOT EXIST YET
Everything below is proposed draft documentation. The software to do what is described is being developed and is not at all usable yet.
Introduction
This page will help you set up a BitBurrow hub. For an introduction, see BitBurrow overview.
What you will need
- Some background in Linux system administration and working on the command line.
- A Linux server with a fixed, public IPv4 address, e.g. from DigitalOcean, Linode, or other VPS provider. BitBurrow can share the server with other services so long as TCP ports 53 and 8443, and UDP port 53 are available.
- A domain or subdomain name with the ability to host your own DNS (i.e. add an NS record for the subdomain). The nameserver service provided by some domain name registrars does not allow adding NS records for subdomains. This was true of Hover as of March, 2023. To work around this, yuu will need to use a different nameserver service, such as DigitalOcean, for the entire domain.
- Time to manage a public server long-term.
Steps
Acquire a domain name
Purchase your new domain name from a domain name registrar such as Hover or Google Domains. Alternatively, create a new subdomain for an existing domain such as your company or organization. For example, if your organization owns example.org
, you could set up vxm.example.org
to use for BitBurrow, where vxm
is a subdomain you choose.
When choosing a domain name or subdomain, it is recommended that it not contain vpn
, proxy
, bitburrow
, gateway
, or similar words. Public WiFi networks that restrict VPN usage may block domain names that include these. Also, choosing a name that is easy to type will make it easier for admins setting up VPN servers.
Set up the Linux server
These instructions are written for Ubuntu. If you are setting up a new server, use the most recent Ubuntu LTS server image.
- Sign in to the Linux server, preferably as a normal user with
sudo
privileges. - Configure automatic security updates (more information):
Create a container
This section is recommended but not required. A container helps with security by isolating BitBurrow hub from other applications running on the same server, provides a firewall from the internet, and allows the hub to run processes as root without actually being root. Additionally, to simplify the installation process below, you can run Ubuntu inside the container even if the host uses another Linux flavor.
After these steps, you should have a command prompt in the container.
- Install LXD:
- Initialize LXD--choose one of these lines; the first one will prompt you with options:
- Create a new container and connect to it:
Install BitBurrow hub
In the commands below, replace vxm.example.org
with your BitBurrow hub domain name and replace 1.2.3.4
with the public IP address of your BitBurrow hub host machine. At the BECOME password
prompt (after the ansible-playbook
command), enter your sudo
password, or just press enter if there isn't one, which is the default for lxc
. In most cases, the ansible-playbook
command will fail at Test BIND and DNS config
the first time it is run. This is normal.
- Download the installer (run inside container):
- Run Ansible (run inside container; remember above-mentioned replacements):
- If the script fails with "Missing sudo password", run it again with
--ask-become-pass
beforeinstall.yaml
. - If the script fails for any other reason prior to the
Test BIND and DNS config
step, resolve whatever caused the failure (thedebugging
tips ininstall.yaml
may be useful) and rerun the aboveansible-playbook
line
Forward ports to the container
Skip this section if you are not using a container.
- Type
exit
and enter to exit the container. - Download and run the script generated above (run on host):
- The above should display several lines beginning
Device
- Connect to the container again (run on host):
Make BitBurrow hub the authoritative name server
- Do this only if you have a new subdomain of an existing domain for your organization or company. Configure the nameserver for
example.org
(usually done through the website of your domain name registrar) to have two additional records. Substitutevxm.example.org
with your domain. First, add an NS record (short for name server) forvxm.example.org
which points tovxm.example.org
. This tells the internet thatvxm.example.org
(your BitBurrow hub) is the authoritative nameserver for all of it's subdomains, e.g.foxes.vxm.example.org
. Use the default TTL value. Second, add an A record forvxm.example.org
which points to the IP address of your host. This is called a "glue record" (more info). Here is a partial zone file forexample.org
which represents these two records: - Do this only if you have a domain exclusively for BitBurrow hub. Configure
example.org
(usually done through the website of your domain name registrar) to have it's NS (name server) records point to the IP address of your BitBurrow hub. This tells the internet thatexample.org
(your BitBurrow hub) is the authoritative nameserver for all of it's subdomains, e.g.foxes.example.org
.
Finish installing BitBurrow hub
- Run Ansible again (run inside container):
- If the script fails with "Missing sudo password", run it again with
--ask-become-pass
beforeinstall.yaml
. - If the script fails for another reason, resolve whatever caused the failure (the
debugging
tips ininstall.yaml
may be useful) and rerun the aboveansible-playbook
line
Configure ssh directly to container (optional)
In the steps below, replace vxm.example.org
with your BitBurrow hub domain and 18962
with a port number of your choosing.
This assumes authorized_keys
on the host is already configured for public-key ssh authentication.
- Set up ssh to container (run on host):
VMNAME=bitburrow lxc exec $VMNAME -- apt install -y ssh cat ~/.ssh/authorized_keys |lxc exec $VMNAME -- sudo -u ubuntu bash -c 'cd; mkdir -p .ssh; cat - >> ~/.ssh/authorized_keys; chmod go-w . .ssh; chmod ugo-x,go-w .ssh/authorized_keys' lxc config device add $VMNAME ssh proxy listen=tcp:0.0.0.0:18962 connect=tcp:127.0.0.1:22
- On your personal computer, edit
~/.ssh/config
and add:
Create a BitBurrow hub administrator account and coupon code
- Add the admin account (run inside container):
- Write down this login key in a safe place. It is effectively the master username and password for this BitBurrow hub.
- Create a coupon code (run inside container):
- Write down this coupon. It is what you will distribute to others to set up their own VPN server.
Restart the container and test
- Reboot (run inside the container):
- Test a connection from the client app