== Soekris Hardware ==

In this page I'm talking mostly about a net4801, but we have lots of different models around.

They don't come with CF storage, and you'll need some. You have to open the whole enclosure to install it.

The manual for the net4801, http://soekris.com/Manuals/net4801_manual.pdf, is inadequate.

There are no Linux or BSD drivers for the vpn1411 device we had hoped to use. See http://lists.soekris.com/pipermail/soekris-tech/2006-June/010523.html. On the other hand, all five ethernet (NatSemi) devices are fully supported pretty much everywhere.

You will want a paperclip. You're going to be poking that reset switch a lot.

== Connect a Console ==

Get a Linux laptop with a serial port. Connect the Soekris serial port to it using a crossover serial cable. There are a lot of these, unused, floating around ORBIT. They have "X OVER" written on them.

Run minicom in a terminal window that can handle vt102 (any of them can). The first time you start a console, minicom should be set for 19200 baud, 8 databits, no parity, 1 stop bit, no flow control. Be sure to turn hardware and software flow control off in minicom. The UNIX device for talking to the console is almost certainly /dev/ttyS0, /dev/ttyUSB0, or /dev/ttyUSB1.

Usually when Linux runs its console on a serial port, it goes at 9600 baud, so set the console baud to 9600 (see below) when you have the chance.

Minicom and the Soekris console driver seem a little fragile. If you do wind up dumping junk to the serial port (as will be the case if you run pppd carelessly), you may gum it up so badly that you need to reboot.

== Configure the Soekris net4801 BIOS ==

Look at the banner from when the net4801 boots. Get the BIOS version and check it against the Soekris web site. Make sure you have the latest.

Hit C-p as it is booting to get to a BIOS prompt. Issue these commands at the BIOS prompt, filling in today's date and the current time.
{{{
date YYYY/MM/DD
time HH:MM:SS
set ConSpeed=9600
}}}

The only reliable way to obtain the MAC address of 'Eth 0', without having an operating system already loaded, is to watch the diagnostic output of
{{{
boot f0
}}}

== Net Install ==

The netboot image for debian is already around. You might need http://centerclick.org/net4801/pxelinux/pxelinux.0.gz as opposed to the pxelinux.bin that's already around. The pxelinux.0 that comes with the net-install.tar.gz from debian works, but does not print banners to minicom properly.

You need to make a link in pxelinux.cfg to an appropriate pxelinux configuration file, namely the one for serial. To the end of the 'install' image you want to add:
{{{
DEBIAN_FRONTEND=text
}}}
(We did this, so it's probably already there.)

We tried this in several different ways with a remarkable number of pre-compiled pxelinux.0 files, but the net install could never find the CF disk. Eventually we gave up and moved to pre-loading the CF.

== Voyage Linux ==

Voyage Linux is Debian with enough removed so it will fit in 64Mb. See http://www.voyage.hk/software/voyage.html.

There is one CF slot inside the net4801. We're not sure all CF cards work with it. The "Kingston Elite Pro" CF card is reported by the 4801 as
{{{
Pri Sla SAMSUNG CF/ATA LBA Xlt 1012-32-63
}}}
The SimpleTech CF card is
{{{
Pri Mas Hitachi XX.V.3.7.0.0 LBA 993-16-63
}}}

The Kingston has an extremely different geometry (last three numbers reported above) when connected to my laptop through an IOMEGA USB media adapter. Nor can I adjust the reported geometry in fdisk. So you can't use it to hold (some) bootable images. I have no idea why the Kingston shows up as a slave. It just seems best for now to avoid using any CF card for which fdisk and the net4801 bios report different geometries.

Get the tarball, untar it on your linux laptop as root like this:
{{{
sudo tar --numeric-owner -zxvf voyage-0.2pre4.tar.gz
}}}
You must untar as root. There are special device files in the tar.
There's a README in the tar, and you should.

Attach the CF card to your Linux laptop. If it gets automounted, unmount it. Cd into the untarred directory and run voyage.update as root. The CF card is likely to be /dev/sdb. On an Ubuntu box you can use /media/usbdisk as the mount point.

When this finishes, move the CF card into the Soekris net4801, and boot it. At worst you will need to get to a BIOS prompt with C-p, then issue the command
{{{
boot 80
}}}

LILO may be less than perfect at displaying over the serial port. Don't worry, it will boot.

Log in to the net4801 as root. The default root password is, predictably, 'voyage'.

Voyage Linux tries to be cute by mounting everything read only, so you need to remount the root partition as read write, like this:
{{{
mount -o remount,rw /
}}}

In stable versions of Voyage Linux, the following commands do exactly that.
{{{
remountrw
remountro
}}}

Now you can and should change the root password.

Change /etc/rc2.d/S99voyage so that the commands that keep remounting / ro are disabled.

Note that things like /root are normally linked to /rw/root, which is a tmpfs. It's all very cute, but you need to disable it at least for /root. /root needs to hold a persistent .ssh directory.

Run
{{{
apt-get update
apt-get upgrade
}}}
as usual. Reboot.

Edit /etc/network/interfaces so that there are entries for all five interfaces. If you're to use the Soekris as an ORBIT node host, organize them like this:

||Eth 0||eth0||uplink||
||Eth 1||eth1||CM||
||Eth 2||eth2||DATA||
||Eth 3||eth3||CONTROL||
||Eth 4||eth4||bonus uplink||

== Cheapo PPP/SSH VPN Client Configuration ==

General instructions can be found at http://tldp.org/HOWTO/ppp-ssh

Details of how the commands below work are mostly in the man pages for pppd and ssh.

The idea is:

 1. Create a vpn account on the landing.

 2. Allow the vpn account on the landing to run pppd as root, by configuring /etc/sudoers with lines like these
{{{
# The path must match the pppd that the client script runs through sudo.
Cmnd_Alias VPN=/usr/sbin/pppd
vpn ALL=NOPASSWD: VPN
}}}

 3. Allow the vpn client to log in to the vpn account on the landing using an ssh key with no password. You're probably looking for this command:
{{{
ssh-keygen -b 2048 -t rsa
}}}
 If you just hit Enter when it asks you for a pass phrase, it will make a private key that is stored unencrypted.

 4. Run a script like the following on the client.
{{{
#!/bin/bash
# LANDING, LANDING_IP and CLIENT_IP must be set in the environment.

case "$1" in
  start)
    : "${LANDING:?}" "${LANDING_IP:?}" "${CLIENT_IP:?}"
    # pppd talks to ssh over a pty; the remote end runs pppd through sudo.
    # The last argument is pppd's <local_IP>:<remote_IP> pair.
    /usr/sbin/pppd updetach noauth passive \
      pty "ssh -o BatchMode=yes vpn@${LANDING} sudo /usr/sbin/pppd nodetach notty noauth" \
      ipparam vpn "${LANDING_IP}:${CLIENT_IP}"
    ;;
  stop)
    killall -9 pppd
    ;;
  *)
    echo please stop or start
    exit 1
    ;;
esac
exit 0
}}}

 5. Configure the Soekris net4801 as a router (echo 1 > /proc/sys/net/ipv4/ip_forward) over ppp0.
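
Added example, not part of the original page: with the sudoers rule in step 2 the vpn account may run pppd as root with any options, and the key from step 3 sits unencrypted on the client, so the landing is the place to narrow what that key can do. The script below pins the key to the exact remote command the client script sends (OpenSSH `command=` and `restrict` options; `restrict` needs OpenSSH 7.2 or later), prints a sudoers rule limited to those arguments, and audits an authorized_keys file for unpinned entries. The function names and the sample key text are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical.
# The one command the passwordless key should run (taken from the client script).
PPPD_CMD='sudo /usr/sbin/pppd nodetach notty noauth'

# Print an authorized_keys entry that forces PPPD_CMD whatever the client asks
# for, and turns off forwarding and pty allocation ("restrict").
# $1 = public key text, e.g. the contents of id_rsa.pub
pinned_entry() {
    printf 'restrict,command="%s" %s\n' "$PPPD_CMD" "$1"
}

# Print the matching sudoers rule: pppd with exactly these arguments, nothing else.
sudoers_rule() {
    printf 'vpn ALL=(root) NOPASSWD: %s\n' "${PPPD_CMD#sudo }"
}

# Audit an authorized_keys file ($1). Prints "<line>: <reason>" for every key
# entry that does not start with the pinned option string; returns 1 if any.
audit_authkeys() {
    awk -v cmd="$PPPD_CMD" '
        BEGIN { prefix = "restrict,command=\"" cmd "\" " }
        /^[ \t]*(#|$)/ { next }                  # comments and blank lines
        index($0, prefix) != 1 {
            print NR ": key not pinned to pppd command"
            bad = 1
        }
        END { exit bad + 0 }
    ' "$1"
}

# Demo on constructed input (placeholder key material, not real keys).
demo() {
    f=$(mktemp) || return 1
    pinned_entry 'ssh-rsa AAAAexampleA root@soekris-a' > "$f"
    echo 'ssh-rsa AAAAexampleB root@soekris-b' >> "$f"
    sudoers_rule
    audit_authkeys "$f" || echo "unpinned keys found in $f"
    rm -f "$f"
}
demo
```

Run the audit against the vpn account's authorized_keys on the landing, and check the generated sudoers rule with visudo -c before installing it.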