FreedomBox on LXC

Prerequisites - Set up LXC on your Linux system

  • Unprivileged LXC has been set up, with user mappings and network mappings
Templates for LXC can be found here:
- https://us.images.linuxcontainers.org/images/

How To Steps include:
- Download Template (Debian unstable in this example)
- Configure FreedomBox on the LXC container
- Set up a static IP to make port forwarding easy
- Enable port forwarding

Steps:

> lxc-create --name debunstable-freedombox -t download            

Interactively added these options when prompted:


Distribution: 
debian
Release: 
sid
Architecture: 
amd64
(should download image)

> systemd-run --unit=myshell --user --scope -p "Delegate=yes" lxc-start debunstable-freedombox  --logfile $HOME/lxc_freedombox.log --logpriority DEBUG

> lxc-ls --fancy
confirm running ->

NAME                   STATE   AUTOSTART GROUPS IPV4      IPV6 UNPRIVILEGED 
debunstable-freedombox RUNNING 0         -      10.0.3.53 -    true         


attach to instance:

lxc-attach --name  debunstable-freedombox
root@debunstable-freedombox:/# apt update
root@debunstable-freedombox:/# DEBIAN_FRONTEND=noninteractive apt install snapd freedombox systemd syslog-ng mariadb-server -y
root@debunstable-freedombox:/# vi /etc/network/interfaces

You can use the following commands to help you find gateway and ip address:

# ip addr
# ip route

example:
Replace the auto eth0 dhcp stanza with this:

Yours will be specific to your network.

auto eth0
iface eth0 inet static
    address 10.0.3.53
    netmask 255.255.255.0
    gateway 10.0.3.1

root@debunstable-freedombox:/# systemctl restart networking.service

root@debunstable-freedombox:/#  echo nameserver 1.1.1.1 > /etc/resolv.conf
replace 8.8.8.8 with your favorite name server 

root@debunstable-freedombox:/#  exit
root@host> iptables -t nat -A POSTROUTING -s 10.0.3.0/24 -o $WAN -j MASQUERADE

# Don't forget to forward your ports
root@host> echo 1 > /proc/sys/net/ipv4/ip_forward
root@host> iptables -t nat -A PREROUTING -i $WAN -p tcp --dport 6677 -j DNAT --to 10.0.3.53:443

Log in and follow the instructions including getting the secret key
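
The host-side forwarding steps above, as an added example that is not part of the original post: it validates its inputs and prints the sysctl and DNAT commands for the post's addresses, plus a dedicated FORWARD chain so that only the forwarded port reaches the container from the WAN side. The chain name FBX-IN, the eth0 default and the filter rules are assumptions, not the poster's configuration.

```shell
#!/bin/sh
# Added example: prints (does not run) host-side rules for the NAT setup above.
# FBX-IN is a hypothetical chain name; review the output, then run it as root.

valid_port() {   # integer in 1..65535
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

valid_ipv4() {   # four dot-separated octets, each 0..255
  case "$1" in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ "$#" -eq 4 ] || return 1
  for octet in "$@"; do
    [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
}

# usage: fbx_forward_rules WAN_IF CONTAINER_IP HOST_PORT CONTAINER_PORT
# The jump is inserted at position 1 of FORWARD so it is evaluated before any
# broader accept rule already in that chain. Replies to connections the
# container opened itself (apt, DNS) pass via ESTABLISHED,RELATED.
fbx_forward_rules() {
  wan=$1 ct=$2 hport=$3 cport=$4
  case "$wan" in ''|-*|*[!A-Za-z0-9_.-]*) echo "bad interface" >&2; return 1 ;; esac
  valid_ipv4 "$ct" || { echo "bad container IP" >&2; return 1; }
  valid_port "$hport" && valid_port "$cport" || { echo "bad port" >&2; return 1; }
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i $wan -p tcp --dport $hport -j DNAT --to-destination $ct:$cport
iptables -N FBX-IN
iptables -A FBX-IN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FBX-IN -p tcp --dport $cport -m conntrack --ctstate NEW -j ACCEPT
iptables -A FBX-IN -j DROP
iptables -I FORWARD 1 -i $wan -d $ct -j FBX-IN
EOF
}

# Values from the post; eth0 is an assumed default when $WAN is not set.
fbx_forward_rules "${WAN:-eth0}" 10.0.3.53 6677 443
```

The MASQUERADE rule from the post is still needed for outbound traffic; this covers only the inbound side.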

I think it’s better, and possibly also easier to use a bridge configuration.
(FreedomBox being separately connected to the network, so no additional port forwarding on the host, and not sending every new internet request into Google nameserver logs.)

https://wiki.debian.org/LXC#Unprivileged_container also has more detailed info to set up LXC than in Installing Yunohost in unprivileged LXC on Debian before installing FreedomBox (FreedomBox/Hardware/Debian - Debian Wiki).

Oops, there is also some experience in a section ** Misc : installing Freedombox in a LXC ** in:

I’m not a fan of bridge…
I like it completely segregated with a firewall in case I open any services to public… I think you can lock it down more, no?

Don’t you have a firewall/router in front of the host, anyway? Using a bridge and separate IPs allows using a single DHCP server, and using default ports (like http ports 80 and 443) on all the IPs without conflicts (at least locally if behind a NAT).

But it could be that the iptables that the freedombox usually manages locally don’t work in an LXC container?

If needed it may still be possible to configure some bridge based packet filtering on the host.

It really depends on your setup. I have several docker instances on this instance. Many services, some being proxies to other ports.
For my setup it works well, if ppl only require an easier setup 🙂