How to mod and install a router into your 1U server accessing IPMI through VPN - jbilander/HowTos GitHub Wiki
(and power the router from the motherboard's +5V stand-by JST connector)
This guide will show you how to install a router card in a 1U Supermicro server and power it from the machine's +5V stand-by power with a little mod that I did. We will also set up the router with VPN and connect the machine's dedicated IPMI interface to the router's LAN, so that we can access the IPMI BMC from our browser client securely through VPN.


SuperServer SYS-1027R-WRF (Motherboard: X9DRW-iF) with legacy stand-by +5V, 3 ampere output, WOL (Wake-On LAN) connector (jstby1).
The nice thing about using the legacy +5V stand-by WOL (Wake-On-LAN) connector on the motherboard is that if the server goes down and is unreachable through normal SSH, we can still access the IPMI interface through VPN, since the router is powered even though the machine is turned off. The machine only needs the power cord connected for the stand-by connector to deliver +5V to the router. According to the specs of my motherboard, the stand-by connector can deliver 3 amps, which is more than enough to power the router I've got for this mod (+5V, 2 amps).
Please note, this setup is not for someone with a whole server farm to administer, but for someone with a single 1U server at a co-location site who doesn't want to pay extra for hosting an external firewall/router. Physical rack space is typically charged by the number of units you need in the cabinet. We will only need 1U with this solution.
This setup will make use of two public static IPs:
- One public IP for the router's GbE WAN Port
- One public IP for one of the internal GbE Ports of the Supermicro server.

A different setup using only one public IP would also be possible, but it would require all traffic to go through the router, which is not recommended here since we are using a consumer-grade router with limited throughput capability. It would mean putting a patch cable between the router's LAN and one of the NICs on the server. In addition, many forwarding rules would have to be set up in the router to enable ssh, http etc. for the machine, so it is not shown here.
The router I've got is a small consumer router from GL-iNet called Slate (GL-AR750S).


- Model: GL-AR750S
- CPU: Qualcomm Atheros QCA9563, @775MHz SoC
- Memory: DDRII 128MB
- DIY Features: UART, GPIO, 3.3V & 5V power port
- Power Input: 5V/2A
- Power Consumption: <6W
- Dimension, Weight: 100mm X 68mm X 24mm, 86g
https://www.gl-inet.com/products/gl-ar750s/
Start by gutting the device and getting the PCB out. Disconnect the antenna cables; we will not use the wifi feature and will disable it in the router config later on.

Okay, now check how the card fits with the server's chassis screw holes. For me it fitted almost directly by using a couple of motherboard standoffs, but I had to make a small plate to line up the second screw hole with the card.




I put some insulation on the edge of the card to insulate the electronics from the other card, the LSI SAS 9207-8i controller card, that is fitted in the second slot on top of the router card.





Okay, time to fix the power cable. I chose to use the micro USB input here for powering the device rather than soldering to the DIY inputs, so that I can easily replace this router card should it fail in the future for some reason. I got hold of a cheap WOL cable for around $2 and cut it in half. Do the same with the USB cable that came with the router, then strip the cables with your favorite wire stripper.






Now, I will crimp these cables together, but soldering is also an option, or maybe do both. It is important to check that the USB cable's polarity is correct, meaning red goes to positive and black to GND. Sometimes the wire colors can be mixed up inside the cable, but this cable was correct. I also double-checked with a multimeter that the red wire on the WOL cable was +5V, so just crimp red to red and black to black. Grab your favorite crimp tool and start crimping. Remember to add shrink tubes before crimping the wires together; I used two for insulating the separate wires and then one larger to go on top of those two to make the joint sturdy.






Okay, now slide the two shrink tubes over the joints and heat with a heat gun or using your iron gently. Then do the same with the larger shrink tube. And there we go, one nice cable made ready for use.



Okay, let's hook it up, unplug your machine first...



...and with the power cord plugged in we can see the green light from the router working as expected :)



Now, plug your client computer into the router's LAN with a network cable and disconnect any wifi you have running on that machine. You should now get a 192.168.8.X address through DHCP and be able to point your browser to 192.168.8.1 to start configuring the router.

Okay, all set, now point your browser to http://192.168.8.1 and turn off the router's wifi, choose a strong password for your router...
Step 1 Turn wifi off





Step 2 Upgrade router firmware
Plug your internet WAN cable into the router's WAN port (yellow cable here). I get up to 5 public dynamic IPs (dhcp assigned) from my ISP where I do this setup. The router will automatically get a public IP and now I can upgrade the router online...








Step 3 Set your timezone


Step 4 Configure VPN Server
We have two options here, OpenVPN or WireGuard. Looking at the OpenVPN option we can see that SHA-1 is the only digest algorithm offered, and SHA-1 is considered weak nowadays...



Let's set up a WireGuard server instead, although it is in beta release at the moment. Click through the wizard, I entered my client machine name in as the name for the WireGuard client. Then copy the plain text information into a text file. We will need it later when configuring the client.







Step 5 Install and configure a WireGuard VPN Client
Time to install a WireGuard client, I will do this with the Tunsafe client for Windows. Unplug the LAN cable from the Router and your client machine leaving only the WAN connected to the router (yellow cable in pic). Enable your internet connection again for the client (wifi or cable connection) so that we can download the Tunsafe software and try to access our router from the outside through WireGuard VPN :)

Now point your browser to https://tunsafe.com and download the Tunsafe client, install both the Client and the Tunsafe-TAP Ethernet Adapter...


Start the Tunsafe client and click Edit Config. Now you will see the default config file, copy your config from the text file we saved before. Alter 10.0.0.2/32 to 10.0.0.2/24 since Tunsafe can't handle /32, and save the new configuration file. The Endpoint is your router's public IP address.
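The Step 5 edit can also be scripted and checked before the file is pasted into Tunsafe. The following is an added example, not part of the original guide or of the GL-iNet or Tunsafe software: it widens the /32 address to /24 and confirms that the IPMI address used in this guide (192.168.8.2) is covered by AllowedIPs. The keys are placeholders, and the Endpoint 203.0.113.10:51820 and the AllowedIPs value are assumed sample values.

```python
import configparser
import io
import ipaddress

# Constructed sample of the text saved from the router wizard in Step 4.
# Keys are placeholders; the Endpoint and AllowedIPs values are assumptions.
ROUTER_CONFIG = """\
[Interface]
PrivateKey = <client-private-key>
Address = 10.0.0.2/32

[Peer]
PublicKey = <router-public-key>
AllowedIPs = 0.0.0.0/0
Endpoint = 203.0.113.10:51820
"""

IPMI_ADDR = "192.168.8.2"  # address given to the IPMI interface in this guide


def load(text):
    """Parse a WireGuard config; key names keep their case, '=' is the only delimiter."""
    cfg = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cfg.optionxform = str
    cfg.read_string(text)
    return cfg


def adapt_for_tunsafe(text, prefix=24):
    """Rewrite a /32 tunnel address to /24, the manual edit described in Step 5."""
    cfg = load(text)
    iface = ipaddress.ip_interface(cfg["Interface"]["Address"])
    if iface.network.prefixlen == 32:
        cfg["Interface"]["Address"] = f"{iface.ip}/{prefix}"
    out = io.StringIO()
    cfg.write(out)
    return out.getvalue()


def routed_through_tunnel(text, target=IPMI_ADDR):
    """True if target falls inside one of the peer's AllowedIPs networks."""
    allowed = load(text)["Peer"]["AllowedIPs"].split(",")
    nets = [ipaddress.ip_network(n.strip(), strict=False) for n in allowed]
    return any(ipaddress.ip_address(target) in net for net in nets)


if __name__ == "__main__":
    tunsafe_config = adapt_for_tunsafe(ROUTER_CONFIG)
    print(tunsafe_config)
    print("IPMI reachable via tunnel:", routed_through_tunnel(tunsafe_config))
```

If `routed_through_tunnel` returns False for your config, traffic to 192.168.8.2 will not enter the tunnel and the IPMI page will not load over the VPN.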



Now, try to connect by pressing Connect
I got this error message at first: UdpSocketWin32::Write error 0xC000023D
It turns out I had to reset winsock. To do that open an elevated command prompt:

and type: netsh winsock reset and hit Enter. Reboot the computer and then try connecting again.

Nice it works now :) Let's point our browser to http://192.168.8.1 once again, yes it should work now with traffic going through the VPN connection...and Voila it does! Let's check the VPN Server page:

Now it is time for configuring IPMI...
Step 6 Connect LAN cable and configure IPMI
Start by connecting a patch cable between the router LAN and the dedicated IPMI GbE LAN port, like this (green cable). I will use a shorter one later on when this server gets rack mounted, to keep it nice and tidy...

Now we can see that the IPMI interface got the IP 192.168.8.144. However, I want the address to always be 192.168.8.2 for the IPMI interface, so let's configure a static infinite DHCP lease with this address instead. Go to More Settings -> Advanced and log in to that web interface with your router password, then choose Network -> DHCP and DNS. Scroll down, enter 192.168.8.2 as the address and infinite as the lease time, and click Save & Apply.





For the IPMI interface to get the new IP address you will have to unplug and re-plug the LAN cable so that the new address is picked up. Then point your browser to http://192.168.8.2 and you will be greeted with the IPMI web interface.
You can click "Allow popups from this site" in Chrome, then log in with the default Username: ADMIN Password: ADMIN




We can see that we got no readings here, but that is because my server is shut down at the moment :)
Now, change the password to a new strong password. I recommend not using the same one as for the router, for security reasons, should the router password get compromised. I also set the Network config to Dedicated LAN since I don't want the Shared NCSI or Fail Over mode enabled.


Upgrade your IPMI firmware if you are not on the latest already.
That's it. The only thing left to do is to configure the router with a public static IP later on when this server goes to co-location hosting, and of course the same goes for one of the NICs that will be used for ssh, http etc. I will guard that interface with the internal Ubuntu firewall and maybe set up NIC teaming as well using both NICs.
Remember to regularly update the router and the IPMI firmware when/if new stable releases are out, especially the router since WireGuard is in beta at the moment.
That's all folks, now time to grab some coffee!