Welcome to the Ubuntu SoftRouter repository! This guide aims to provide a detailed walkthrough on setting up an Ubuntu-based router without a GUI, similar to OpenWrt. By following this tutorial, you'll be able to transform your Ubuntu Server into a powerful and customizable router solution.
- Hardware Requirements
- Installing Ubuntu Server
- Initial Configuration
- Disabling NetworkManager and Configuring Netplan
- Installing and Configuring Required Packages
- Configuring Firewall Rules
- Starting Services
- Testing and Verification
- Advanced Configuration
- Troubleshooting
- Contributing
- License
Before getting started, ensure that you have the following hardware:
- A computer or a single-board computer (e.g., Raspberry Pi) with multiple network interfaces
- Ethernet cables for each network interface
- A USB drive or CD/DVD for installing Ubuntu Server
Follow these steps to install Ubuntu Server on your hardware:
- Download the latest version of Ubuntu Server from the official website (https://ubuntu.com/download/server).
- Create a bootable USB drive or burn the ISO image to a CD/DVD.
- Connect the computer to a monitor, keyboard, and power source.
- Insert the bootable USB drive or CD/DVD and boot from it.
- Follow the installation wizard to install Ubuntu Server. Choose the "minimal" installation option for a lightweight setup.
- Set up a username and password for the administrator account.
- Once the installation is complete, remove the installation media and reboot the system.
After installing Ubuntu Server, perform the initial configuration steps:
- Log in to the Ubuntu Server using the administrator account.
- Update the system packages by running the following commands:
sudo apt update sudo apt upgrade
By default, Ubuntu uses NetworkManager for network configuration. However, for a router setup, it's recommended to use Netplan. Follow these steps to disable NetworkManager and configure Netplan:
- Disable NetworkManager by running the following commands:
sudo systemctl stop NetworkManager sudo systemctl disable NetworkManager - Identify the network interfaces on your system by running the following command:
Take note of the interface names (e.g., enp5s0, enp7s0f0, enp7s0f1, etc.).
ip addr - Configure the network interfaces by editing the
/etc/netplan/00-installer-config.yamlfile. Assign static IP addresses to the LAN interfaces and configure the WAN interface to use DHCP:Replace the interface names and IP addresses according to your network setup.network: version: 2 renderer: networkd ethernets: enp5s0: dhcp4: true dhcp6: true optional: true accept-ra: true enp7s0f0: dhcp4: false dhcp6: false optional: true enp7s0f1: dhcp4: false dhcp6: false optional: true enp7s0f2: dhcp4: false dhcp6: false optional: true enp7s0f3: dhcp4: false dhcp6: false optional: true bridges: br_lan: # A bridged gateway named br_lan combining several network interfaces interfaces: # Contains the unique identifiers of each network interfaces - "enp7s0f0" - "enp7s0f1" - "enp7s0f2" - "enp7s0f3" addresses: # Local IP addresses - 192.168.100.1/24 - fc00:192:168:2::1/64 dhcp4: false # Disabling DHCPv4 dhcp6: false # Disabling DHCPv6 parameters: stp: true # Prevent internal looping forward-delay: 4 optional: true # optional for network optimization
- Apply the network configuration by running:
sudo netplan apply
Install and configure the necessary packages for routing and firewall functionality:
- Install the required packages:
sudo apt install iptables dnsmasq hostapd - Configure dnsmasq for DHCP and DNS services. Edit the
/etc/dnsmasq.conffile and add the following lines:This configures dnsmasq to provide DHCP leases on each LAN interface with the specified IP ranges and lease times.interface=br_lan dhcp-range=192.168.100.100,192.168.100.200,255.255.255.0,24h dhcp-option=3,192.168.100.1 dhcp-option=6,192.168.100.1 dhcp-range=fc00:192:168:2::1,fc00:192:168:2::ff,24h dhcp-range=fc00:192:168:2::,slaac dhcp-option=option6:dns-server,[fc00:192:168:2::1] enable-ra dhcp-authoritative cache-size=0 # Please set the DNS manually and uncomment the following if you have mosdns properly set up. # server=127.0.0.1#5335 server=8.8.8.8 server=2001:4860:4860::8888 dns-forward-max=10000000 no-resolv no-poll port=53 bogus-priv # Block reverse lookups for private IP ranges filterwin2k # Filter unnecessary NetBIOS requests interface=enp5s0 no-dhcp-interface=enp5s0 bind-interfaces - Configure hostapd for wireless access point functionality (if required). Create a new file
/etc/hostapd/hostapd.confand add the following lines:Replaceinterface=wlan0 driver=nl80211 ssid=YourWiFiNetworkName hw_mode=g channel=7 macaddr_acl=0 auth_algs=1 ignore_broadcast_ssid=0 wpa=2 wpa_passphrase=YourWiFiPassword wpa_key_mgmt=WPA-PSK wpa_pairwise=TKIP rsn_pairwise=CCMPwlan0with the actual wireless interface name,YourWiFiNetworkNamewith your desired Wi-Fi network name, andYourWiFiPasswordwith a secure password. - Enable packet forwarding by uncommenting the following line in the
/etc/sysctl.conffile:Apply the changes by running:net.ipv4.ip_forward=1 net.ipv4.conf.all.forwarding=1 net.ipv4.conf.default.forwarding=1 net.ipv4.conf.all.route_localnet=1 net.ipv6.conf.all.forwarding=1 net.ipv6.conf.default.forwarding=1or if changes are not applied:sudo sysctl -psystemctl restart systemd-sysctl.service
Set up firewall rules to control network traffic:
- Create a script to configure the firewall rules. Create a new file
/etc/init.d/firewallwith the following content:Make the script executable by running:#!/bin/sh ### BEGIN INIT INFO # Provides: firewall # Required-Start: $remote_fs $syslog # Required-Stop: $remote_fs $syslog # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 # Short-Description: Start firewall at boot time # Description: Enable service provided by firewall. ### END INIT INFO # Clear existing rules iptables -F iptables -X iptables -t nat -F iptables -t nat -X iptables -t mangle -F iptables -t mangle -X WAN_NAME='enp5s0' iptables -A FORWARD -p udp --dport 53 -j ACCEPT iptables -A FORWARD -p udp -f -j DROP iptables -A FORWARD -p udp -m conntrack --ctstate INVALID -j DROP iptables -t nat -N mt_rtr_4_n_rtr iptables -t nat -A POSTROUTING -j mt_rtr_4_n_rtr iptables -t nat -A mt_rtr_4_n_rtr -o ${WAN_NAME} -j MASQUERADE iptables -t mangle -N mt_rtr_4_m_rtr iptables -t mangle -A FORWARD -j mt_rtr_4_m_rtr iptables -t mangle -A mt_rtr_4_m_rtr -o ${WAN_NAME} -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu iptables -t mangle -A mt_rtr_4_m_rtr -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -t mangle -A mt_rtr_4_m_rtr -m conntrack --ctstate INVALID -j DROP iptables -t mangle -A mt_rtr_4_m_rtr -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP iptables -t mangle -A mt_rtr_4_m_rtr -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP iptables -t mangle -A mt_rtr_4_m_rtr -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP iptables -t mangle -A mt_rtr_4_m_rtr -i br_lan -o ${WAN_NAME} -j ACCEPT # Save the rules sudo iptables-save > /etc/iptables/rules.v4 # Clear existing rules ip6tables -F ip6tables -X ip6tables -t nat -F ip6tables -t nat -X ip6tables -t mangle -F ip6tables -t mangle -X ip6tables -A FORWARD -p udp --dport 53 -j ACCEPT ip6tables -A FORWARD -p udp -m frag --fragmore -j DROP ip6tables -A FORWARD -p udp -m conntrack --ctstate INVALID -j DROP ip6tables -t nat -N mt_rtr_6_n_rtr ip6tables -t nat -A POSTROUTING -j mt_rtr_6_n_rtr ip6tables -t nat -A mt_rtr_6_n_rtr -o ${WAN_NAME} -j MASQUERADE ip6tables -t mangle -N mt_rtr_6_m_rtr ip6tables -t mangle -A FORWARD -j mt_rtr_6_m_rtr ip6tables -t mangle -A mt_rtr_6_m_rtr -o ${WAN_NAME} -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu ip6tables -t mangle -A mt_rtr_6_m_rtr -m state --state RELATED,ESTABLISHED -j ACCEPT ip6tables -t mangle -A mt_rtr_6_m_rtr -m conntrack --ctstate INVALID -j DROP ip6tables -t mangle -A mt_rtr_6_m_rtr -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP ip6tables -t mangle -A mt_rtr_6_m_rtr -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP ip6tables -t mangle -A mt_rtr_6_m_rtr -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP ip6tables -t mangle -A mt_rtr_6_m_rtr -i br_lan -o ${WAN_NAME} -j ACCEPT # Save the rules sudo ip6tables-save > /etc/iptables/rules.v6
sudo chmod +x /etc/init.d/firewall - Configure the firewall script to run at system startup. Create a new file
/etc/systemd/system/firewall.servicewith the following content:Enable the firewall service by running:[Unit] Description=Firewall Service After=network.target [Service] ExecStart=/etc/init.d/firewall [Install] WantedBy=multi-user.targetsudo systemctl enable firewall.service
Start the necessary services for the router functionality:
- Start the dnsmasq service:
sudo systemctl start dnsmasq - Start the hostapd service (if configured):
sudo systemctl start hostapd - Reboot the system to ensure all changes take effect:
sudo reboot
- Add the following line for the file located in /etc/modules-load.d/modules.conf
nf_conntrack - reboot
Verify that your Ubuntu-based router is functioning correctly:
- Connect client devices to each LAN interface or the Wi-Fi network.
- Verify that the client devices receive IP addresses from the DHCP server.
- Test internet connectivity by accessing a website or running a ping test.
- Verify that the firewall rules are applied by checking the iptables rules:
sudo iptables -L -n -v
- Modify the startup script
vim /usr/lib/systemd/system/v2raya.service - Add argument --ipv6-support=off
ExecStart=/usr/bin/v2raya --log-disable-timestamp --ipv6-support=off - Restart service
systemctl reenable v2raya systemctl restart v2raya
Bind network interfaces with MAC addresses to their corresponding names, drivers and other settings.
- Modifythe following config file with similar styles.
# Located in /etc/udev/rules.d/custom-devices.rules # Network Interface Card # Format: SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="(replace with MAC address)", ATTR{dev_id}=="0x0", ATTR{type}=="1", NAME="(replace with desired interface name)" # Realtek Semiconductor Co., Ltd. RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="40:b0:76:42:58:96", ATTR{dev_id}=="0x0", ATTR{type}=="1", NAME="enp5s0" # Broadcom Inc. and subsidiaries NetXtreme BCM5719 Gigabit Ethernet PCIe (Port 1) SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="40:a8:f0:25:34:a8", ATTR{dev_id}=="0x0", ATTR{type}=="1", NAME="enp7s0f0" # Broadcom Inc. and subsidiaries NetXtreme BCM5719 Gigabit Ethernet PCIe (Port 2) SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="40:a8:f0:25:34:a9", ATTR{dev_id}=="0x0", ATTR{type}=="1", NAME="enp7s0f1" # Broadcom Inc. and subsidiaries NetXtreme BCM5719 Gigabit Ethernet PCIe (Port 3) SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="40:a8:f0:25:34:aa", ATTR{dev_id}=="0x0", ATTR{type}=="1", NAME="enp7s0f2" # Broadcom Inc. and subsidiaries NetXtreme BCM5719 Gigabit Ethernet PCIe (Port 4) SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="40:a8:f0:25:34:ab", ATTR{dev_id}=="0x0", ATTR{type}=="1", NAME="enp7s0f3"
Here are some additional configuration options to enhance your Ubuntu-based router:
- VPN Server: Set up a VPN server to securely access your network remotely. You can use OpenVPN or WireGuard for this purpose.
- DNS Over HTTPS (DoH): Implement DNS over HTTPS to encrypt DNS queries and enhance privacy. You can use tools like dnscrypt-proxy or cloudflared.
- Quality of Service (QoS): Configure QoS rules to prioritize network traffic based on your requirements. You can use tools like tc (Traffic Control) and htb (Hierarchical Token Bucket) for QoS management.
- Dynamic DNS: If you have a dynamic IP address, set up a dynamic DNS service to access your router using a domain name. Popular dynamic DNS providers include No-IP, DynDNS, and Duck DNS.
- Port Forwarding: Configure port forwarding rules to allow incoming connections to specific services running on your network. This is useful for hosting servers or accessing devices remotely.
- Logging and Monitoring: Set up logging and monitoring solutions to keep track of network activity and detect any anomalies. Tools like Nagios, Zabbix, or Prometheus can be used for monitoring purposes. Refer to the respective documentation and guides for each advanced configuration option to implement them on your Ubuntu-based router.
If you encounter any issues while setting up or using your Ubuntu-based router, consider the following troubleshooting steps:
- Check the system logs for any error messages or warnings. You can use the
journalctlcommand or view the log files in the/var/logdirectory. - Verify that all the required services (e.g., dnsmasq, hostapd) are running correctly. Use the
systemctl statuscommand to check their status. - Double-check the configuration files for any syntax errors or incorrect settings.
- Ensure that the firewall rules are properly configured and not blocking necessary traffic.
- Consult the official Ubuntu Server documentation (https://help.ubuntu.com/lts/serverguide/) or seek support from the Ubuntu community forums (https://ubuntuforums.org/).
Contributions to this repository are welcome! If you have any improvements, bug fixes, or additional features to suggest, please follow these steps:
- Fork the repository.
- Create a new branch for your feature or bug fix.
- Make your modifications and test thoroughly.
- Commit your changes and push them to your forked repository.
- Submit a pull request, describing your changes and their benefits. Please ensure that your contributions adhere to the repository's coding style and guidelines.
This repository is licensed under the GNU General Public License v3.0. You are free to use, modify, and distribute the code in this repository, subject to the terms and conditions of the license. For more information, please refer to the LICENSE file.