Networking HowTos

Using Mobile Data

If your correct provider settings do not show up in Settings » Mobile » Mobile Data » Access Points, you can add a new one with the [+] button. Add a network name and your APN, e.g. Name: 3 internet APN: three.co.uk. The correct settings depend on your provider. If mobile data does not work, make sure that the “mobile data” toggle is turned on (this happens more often than you would think).

Connecting to the Mobian device

Connect to a running SSH server

This section explains how to connect to your Mobian device using an SSH server that you have installed on it. If you want to remain safe, configure the SSH server so that logins via the numeric password are not allowed.

via Wifi

If your PinePhone is connected to your local Wifi and you have an SSH server running, try to access it with

ssh mobian@mobian

If that does not work out (e.g. because your network assigned the device a different hostname), you will need to find out the hostname/IP address to connect to.

via USB-C cable connected to another computer

It's possible to connect to Mobian with a similar end result as using adb shell with an Android device, but using the USB-C connection and SSH instead. When connecting a Mobian device to a Linux computer via the USB-C connection, a network interface is made available to the computer, and utilizing udev and NetworkManager an IP address is assigned to both. This allows connecting to Mobian via a hardwired SSH session, instead of having to rely on wifi (which may not be 100% reliable). These instructions are written with the PinePhone as the sample device, and Linux Mint as the host computer OS, but should work for other devices/OSes as well.

  1. Connect the PinePhone to the computer with a USB-C cable.
  2. Once connected, the system should create a network interface via NetworkManager. Learn the IP by issuing
    sudo ip address show dev usb0

    and looking for the IP address in the range of 10.66.0.XX (or install the graphical WhatIP tool).

  3. A connected Linux Desktop will automatically create a USB network connection.
  4. Once complete, it should be possible to SSH into Mobian at the IP address 10.66.0.XX using the username mobian, and the password 1234:
    ssh mobian@10.66.0.1

Network overlap with 10.0.0.0/8

When connecting a Mobian device to a computer via USB-C, Mobian is configured to use the IP address 10.66.0.1, in the subnet 10.0.0.0/8. This can cause an issue if Mobian is also connected to a wifi network which utilizes a subnet within the same 10.0.0.0/8 subnet. The configuration of the USB connection could be changed to use a different or smaller subnet, or a more specific route can be configured for the wifi connection to account for this special case. Here is how to add a persistent more specific route.

  1. Connect the Mobian device via USB-C to a computer, and SSH into it (see Connect via USB-C and SSH)
  2. Connect the Mobian device to the desired wifi network
  3. Identify the name of the wifi network in Network Manager
    $ nmcli connection
    NAME               UUID                                  TYPE      DEVICE 
    USB                a3ee13d7-85ce-4386-8ba9-419a67309692  ethernet  usb0   
    wifi-network-name  bfe0a288-f193-4eeb-ba00-7d6f15ec27f6  wifi      wlan0
  4. Add a more specific route for the destination network, using the wifi network's name and gateway IP address
    • $ sudo nmcli connection modify wifi-network-name +ipv4.routes "10.45.89.128/25 192.168.0.1" +ipv4.route-metric 25
    • 10.45.89.128/25 - This is the destination network, swap in whatever the desired network is
    • 192.168.0.1 - This is the gateway to use for that network, in this case it's the wifi network's gateway.
    • wifi-network-name - This is the name of the wifi network.
  5. Reload the connection configuration
    • $ sudo nmcli connection reload wifi-network-name
  6. It should now be possible to route packets to the destination network successfully over the wifi connection, instead of using the USB-C network connection.
    • The route table should look something similar to this:
    • $ ip route
      default via 192.168.0.1 dev wlan0 proto dhcp metric 25 
      10.0.0.0/8 dev usb0 proto kernel scope link src 10.66.0.1 metric 25 
      10.45.89.128/25 via 192.168.0.1 dev wlan0 proto static metric 25 
      192.168.0.0/24 dev wlan0 proto kernel scope link src 192.168.0.101 metric 25
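To see why the /25 route wins over the USB /8, the following Python example (added here, not from the page) replays the kernel's longest-prefix lookup on the route table shown above; the "before" table is constructed by dropping the static route:

```python
import ipaddress

# Route table printed by `ip route` on this page after the fix (copied from the page).
ROUTES_AFTER = """\
default via 192.168.0.1 dev wlan0 proto dhcp metric 25
10.0.0.0/8 dev usb0 proto kernel scope link src 10.66.0.1 metric 25
10.45.89.128/25 via 192.168.0.1 dev wlan0 proto static metric 25
192.168.0.0/24 dev wlan0 proto kernel scope link src 192.168.0.101 metric 25
"""

# Constructed "before" table: the same output without the more specific static route.
ROUTES_BEFORE = "\n".join(l for l in ROUTES_AFTER.splitlines() if "proto static" not in l)


def parse_routes(text):
    """Turn `ip route` lines into (network, dev, gateway, metric) tuples."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if not f:
            continue
        dest = "0.0.0.0/0" if f[0] == "default" else f[0]
        net = ipaddress.ip_network(dest, strict=False)
        dev = f[f.index("dev") + 1]
        gw = f[f.index("via") + 1] if "via" in f else None
        metric = int(f[f.index("metric") + 1]) if "metric" in f else 0
        routes.append((net, dev, gw, metric))
    return routes


def lookup(routes, dst):
    """Select the route the kernel would use: longest prefix first, lower metric breaks ties."""
    addr = ipaddress.ip_address(dst)
    matching = [r for r in routes if addr in r[0]]
    best = max(matching, key=lambda r: (r[0].prefixlen, -r[3]))
    return best[1], best[2]  # (device, gateway or None for on-link)


def shadowed_by_usb(routes, dest_net, usb_dev="usb0"):
    """True when traffic for dest_net would leave via the USB link, i.e. a more specific route is needed."""
    net = ipaddress.ip_network(dest_net, strict=False)
    return lookup(routes, str(net.network_address))[0] == usb_dev


if __name__ == "__main__":
    before, after = parse_routes(ROUTES_BEFORE), parse_routes(ROUTES_AFTER)
    print("before:", lookup(before, "10.45.89.200"))  # ('usb0', None)
    print("after: ", lookup(after, "10.45.89.200"))   # ('wlan0', '192.168.0.1')
```

Traffic for the phone's own USB peer (10.66.0.x) still goes out via usb0 after the fix, because the /25 only carves out the one destination network.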

Connection sharing/Tethering

It is possible to share your phone's mobile data with another device. Either create a wifi hotspot that others connect to, or use a USB cable to forward data.

Sharing mobile data through wifi hotspot

Visit the settings → Wifi. The “3 dot” menu will offer a “Turn On WiFi Hotspot…” entry, which is all that you should need to create a hotspot. Unfortunately in gnome-control-center 3.36, there is still a bug which requires you to go back to the bluetooth page (just enter it and leave it immediately again) and back to the Wifi section until it becomes enabled.

Stop the hotspot from the Wifi page in the settings app.

Hotspot: The geeky way

The geeky way to use the terminal to create a new hotspot connection with SSID `Pinephone` and Password `HotspotPassword` is:

sudo nmcli device wifi hotspot ifname wlan0 con-name Hotspot ssid Pinephone  password HotspotPassword

Hotspot: Tip

If you installed an old SD image and then ran “apt upgrade”, it is possible that this functionality does not work out of the box because a package was missing from the old distribution. In that case, try installing the nftables package:

sudo apt install nftables

and re-share your data connection.

Bluetooth Personal Area Networking (PAN) Network Access Point

Far more power/battery efficient than sharing via a WiFi hotspot; security is through Bluetooth pairing. The steps below are an all-Blueman GUI solution with no scripting. It is also possible to script a headless automatic PAN solution, again with security through Bluetooth pairing.

On the pinephone

sudo apt install blueman dnsmasq

From now on it should all be easy GUI clicks:

  1. Open blueman (it is in the non-mobile friendly apps)
  2. View → Plugins (the Plugins window opens) and check the NMPANSupport box (this should give you the required pand and DHCP support)
  3. Next, again in the main blueman interface, tap View → Local Services (the Local Services window pops up)
  4. Check the Network Access Point (NAP) box
  5. Pair the computer or other client device via Bluetooth and choose network access point
  6. Connect the client device to the internet through the 'mobian' or 'mobian Network' option

In testing this currently connects but does not route through the PinePhone to the internet (though it is possible that undocumented .conf and script edits by the user are the real problem). The PinePhone has working internet, and a Debian client laptop pairs and establishes networking and DHCP to the host PinePhone; the network bridging issue between the PinePhone and Blueman still needs to be diagnosed. Blueman also needs to be optimized for mobile, or the functions added to the Phosh network manager.

Work to get the bridging working is here, testing on a clean unmodified Mobian system is appreciated. https://forum.pine64.org/showthread.php?tid=16343

Sharing internet from your PC via USB

When connecting the PinePhone through the USB cable, it creates a network that the PC will join. The PinePhone has the fixed IP address 10.66.0.1, but the IP address of your PC will vary. Set up IP forwarding on your PC and set up NAT on your outgoing internet interface:

sudo sysctl net.ipv4.ip_forward=1
sudo iptables -P FORWARD ACCEPT
DEV=$(ip route get 1 | grep -o 'dev .*' | cut -d ' ' -f 2)
sudo iptables -t nat -D POSTROUTING -o "$DEV" -j MASQUERADE 2> /dev/null || true
sudo iptables -t nat -A POSTROUTING -o "$DEV" -j MASQUERADE

Afterwards, on the PinePhone, e.g., through SSH to 10.66.0.1, you need to set the default route to be your PC's USB network interface, and you need to define a DNS server (here 1.1.1.1 from Cloudflare):

sudo ip route add default via "$(sudo arp -n | grep 10.66.0. | grep ether | cut -d ' ' -f 1)"
sudo resolvectl dns usb0 1.1.1.1
sudo resolvectl default-route usb0 true
echo 'nameserver 1.1.1.1' | sudo tee /etc/resolv.conf

When you disconnect the cable without rebooting any device, on reconnecting you only need to repeat the commands on the PinePhone to set up the default route again.

Connecting the Pinephone to windows via USB

As of 11/22/2021, Mobian is set up to connect using the ECM protocol (see https://en.wikipedia.org/wiki/Ethernet_over_USB), which works well with Linux, but Windows instead requires network devices to connect using the RNDIS protocol. The connection protocol can be changed through the kernel's configfs interface.

In Mobian run the following:

cd /sys/kernel/config/usb_gadget/g1

# stop the USB interface (unbind the gadget from the UDC)
echo "" | sudo tee UDC

# remove the old ECM function from the configuration (root is required for writes in configfs)
sudo rm configs/c.1/ecm.usb0
sudo rmdir functions/ecm.usb0

# create a new RNDIS function and link it into the configuration
sudo mkdir functions/rndis.usb0
sudo ln -s functions/rndis.usb0/ configs/c.1/

# start the interface (bind the gadget to the UDC again)
echo "musb-hdrc.4.auto" | sudo tee UDC

Note: these changes are temporary and the old device will be re-created on a reboot.

In Windows the PinePhone will often be allocated the wrong driver. To allocate the correct driver:

  • Open device manager (search for “devices” in the start menu)
  • Find the device that corresponds to the Pinephone (it will appear when the Pinephone is plugged in, often with a yellow triangle indicating that it is not working correctly)
  • Right click on the device
  • Select “Update Driver”
  • Choose to select from local machine, and then to select from a list.
  • In the list choose “Network Adapters”, then choose “Microsoft”, then “RNDIS Compatible Internet Sharing Device”

Firewall

By default, Mobian has no listening services on any internet port and a firewall is not necessary. However when you install services, such as openssh, web servers and whatever, you might want to lock down your device using a firewall.

Mobian can use any firewall that is supported by Debian. Debian is currently introducing nftables and phasing out iptables, but the latter still works (using nftables under the hood). One easy-to-use firewall is the Uncomplicated Firewall (UFW). It can be installed with sudo apt install ufw and enabled in a terminal with sudo ufw enable. Be careful though: when doing this over an SSH connection, you will lock yourself out :).

On my Mobian I got an error message ip6tables-restore v1.8.7 (nf_tables): Couldn't load match `rt':No such file or directory, which is most likely due to the not included kernel module (CONFIG_NFT_RT) but the firewall still worked fine.

Useful status output can be gathered with sudo ufw status and sudo ufw status verbose. Other useful commands are “ufw allow ssh” (check /etc/ufw/applications.d/ to see which application profiles are available) or manually allowing ports.

NOTE: If you prefer graphical apps, the package gufw allows you to configure the firewall via a graphical application. However, it requires the “x11-xserver-utils” package to be installed (or it will crash), as it makes use of the “xhost” program in order to allow root to display any application on the screen.

nftables

Setting up nftables with a minimal set of rules (only allow ssh from WLAN, USB and LAN) is fairly easy. Install nftables with apt-get install nftables, enable the service via systemctl enable nftables and configure the policy accordingly in /etc/nftables.conf:

#!/usr/sbin/nft -f

flush ruleset

table inet filter {
	chain input_ipv4 {
		# Ethernet (covers WLAN, LAN, USB)
		iiftype "ether" icmp type echo-request limit rate 5/second counter accept comment "ICMP ping"
	}

	chain input_ipv6 {
		# Ethernet (covers WLAN, LAN, USB, it does not cover MobileData)
		iiftype "ether" icmpv6 type echo-request limit rate 5/second counter accept comment "ICMPv6 ping"
		iiftype "ether" icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } counter accept comment "IPv6 icmp"
		iiftype "ether" ip6 saddr fe80::/10 ip6 daddr fe80::/10 udp sport 547 udp dport 546 counter accept comment "dhcpv6"
	}

	chain input {
		type filter hook input priority 0; policy drop;
		iif "lo" accept comment "accept loopback"

		# stateful
		ct state vmap { established : accept, related : accept, invalid : drop }

		# split by IP version
		meta protocol vmap { ip : jump input_ipv4, ip6 : jump input_ipv6 }

		# Ethernet (covers WLAN, LAN, USB, it does not cover MobileData)
		iiftype "ether" tcp dport 22 counter accept comment "access to ssh"

		# dhcp when on hotspot mode
		iifname "wlan*" udp dport 67 counter accept comment "permit DHCP (bootps) while on HotSpot"
	}

	chain forward {
		type filter hook forward priority 0;

		# drop when abused
		iifname "wlan*" oifname "wlan*" counter drop comment "pp is not a relay"

		# hotspot mode
		iifname "wlan*" oifname "wwan*" counter accept comment "HotSpot traffic"
	}

	chain output {
		type filter hook output priority 0;
	}
}

table ip nat {
	chain postrouting {
		# type nat hook postrouting priority srcnat; policy accept;
		type nat hook postrouting priority 100; policy accept;
		# limit on public IPs
		iifname "wlan*" ip daddr { 1.0.0.0-9.255.255.255, 11.0.0.0-100.63.255.255, 100.128.0.0-126.255.255.255, 128.0.0.0-172.15.255.255, 172.32.0.0-192.167.255.255, 192.169.0.0-223.255.255.255 } oifname "wwan*" counter masquerade
	}
}

Once done, load the new policy set using systemctl restart nftables. If you encounter issues and suspect this is due to the firewall, flush the rules by running nft flush ruleset.

There seems to be a bug in nftables when it comes to listing the rules using nft list ruleset. It does not provide the “input interface type”.
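The masquerade rule above NATs hotspot traffic only towards the listed destination ranges, so it is worth knowing exactly which address space is left out. This Python check (added here, not part of the page's configuration) computes the gaps from the ranges as written in the nat table and answers whether a given destination would be NATed:

```python
import ipaddress

# Destination ranges copied from the masquerade rule in the page's "table ip nat".
MASQ_RANGES = [
    ("1.0.0.0", "9.255.255.255"),
    ("11.0.0.0", "100.63.255.255"),
    ("100.128.0.0", "126.255.255.255"),
    ("128.0.0.0", "172.15.255.255"),
    ("172.32.0.0", "192.167.255.255"),
    ("192.169.0.0", "223.255.255.255"),
]


def ranges_to_networks(ranges):
    """Convert start-end ranges into a minimal, sorted list of CIDR blocks."""
    nets = []
    for lo, hi in ranges:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(lo), ipaddress.ip_address(hi)))
    return list(ipaddress.collapse_addresses(nets))


def not_masqueraded(ranges):
    """Return the IPv4 space the rule leaves untouched (hotspot clients will not be NATed towards it)."""
    gaps = [ipaddress.ip_network("0.0.0.0/0")]
    for net in ranges_to_networks(ranges):
        updated = []
        for gap in gaps:
            if gap.overlaps(net):
                # the collapsed blocks are disjoint, so net is always inside exactly one gap
                updated.extend(gap.address_exclude(net))
            else:
                updated.append(gap)
        gaps = updated
    return [str(g) for g in ipaddress.collapse_addresses(gaps)]


def is_masqueraded(ranges, ip):
    """Would a hotspot client's packet to `ip` be masqueraded out of the wwan interface?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges_to_networks(ranges))


if __name__ == "__main__":
    print(not_masqueraded(MASQ_RANGES))
```

The gaps are the private, CGNAT, loopback, "this network" and multicast/reserved blocks; note that link-local 169.254.0.0/16 is not among them, so it is still masqueraded.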

OpenSnitch, an outbound firewall, is available at https://github.com/evilsocket/opensnitch/

VPN

Wireguard

WireGuard works well with Mobian, although no graphical configuration is integrated.

In a terminal, enter the following command: apt install --no-install-recommends wireguard-tools. You can now use the wg-quick command to manage WireGuard tunnels.

Fortunately, NetworkManager, which manages network connections in Mobian, has native WireGuard support built in, and it can be configured on the terminal. See this blogpost for details on how to set up WireGuard support in NetworkManager.

Note: If there are still problems, it has been reported that the IPv6 configuration in wireguard can cause trouble and needs to be removed (see same issue linked to earlier). (Please update if this changes)

Alternative Wireguard method

If for some reason the method above, involving network-manager, appears too complex and/or doesn't work, one can install WireGuard and have it always-on using a non-network-manager method:

1/ Generate a pair of keys using wg genkey, and create /etc/wireguard/wg0.conf (with umask 077 in the folder):

[Interface]
PrivateKey = xxxx        # your private key
[Peer]
PublicKey = yyyy         # the peer's public key
Endpoint = x.y.z.a:port
AllowedIPs = 0.0.0.0/0

2/ using systemd, activate the interface using

sudo systemctl enable wg-quick@wg0

This should work for routing all communications from interfaces configured through network-manager.

Always-On VPN

VPN functionality will be added to Gnome-Control-Center in the future, but for now you can configure this via nmcli. This guide will explain how to import an OpenVPN connection, and then configure other connections to require it as a “secondary”. (see the always great Arch wiki for more on this)

1. Add OpenVPN support for NetworkManager by running sudo apt install network-manager-openvpn.

2. Import your OpenVPN .ovpn file by running sudo nmcli connection import type openvpn file {yourovpnfile.ovpn}

3. Until this is integrated with gnome-keyring, you must store your username and password in the .nmconnection file (currently insecure due to lack of disk encryption, which is coming in the future as well). Edit your VPN config in /etc/NetworkManager/system-connections, where the file is {youropenvpnfilename}.nmconnection. Change the password-flags to 0. At the bottom of the [vpn] block, add username={your username}. Then, below the [vpn] block, add the following:

[vpn-secrets]
password={your vpn password}

4. Obtain the UUID of your VPN connection by running sudo nmcli con show {your vpn connection name}; the UUID is the second line.

5. In the same directory, you can now modify any connection, including your cellular one, to bring up and require the VPN connection by adding this to the end of the [connection] block: secondaries={UUID}; (don't forget the trailing semicolon).

6. Restart NetworkManager with sudo systemctl restart NetworkManager for the changes to take effect.
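The keyfile edits of steps 3 and 5 can be scripted instead of done by hand. This Python example is added here and is not from the page; it works on constructed sample keyfiles with made-up ids and UUIDs and keeps everything in memory:

```python
import configparser
import io

# Constructed sample keyfiles standing in for files in /etc/NetworkManager/system-connections;
# the ids, UUIDs and remote host are made up.
VPN_KEYFILE = """\
[connection]
id=myvpn
uuid=11111111-2222-3333-4444-555555555555
type=vpn

[vpn]
service-type=org.freedesktop.NetworkManager.openvpn
remote=vpn.example.org
password-flags=1
"""

CELLULAR_KEYFILE = """\
[connection]
id=mobile-data
uuid=66666666-7777-8888-9999-000000000000
type=gsm

[gsm]
apn=three.co.uk
"""


def load_keyfile(text):
    """Parse a NetworkManager keyfile; keys are case-sensitive and values may contain '%'."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def dump_keyfile(cp):
    """Serialise back to plain key=value lines as NetworkManager writes them."""
    buf = io.StringIO()
    cp.write(buf, space_around_delimiters=False)
    return buf.getvalue()


def embed_vpn_credentials(cp, username, password):
    """Step 3: password-flags=0 tells NetworkManager the secret is stored in the file itself."""
    cp["vpn"]["password-flags"] = "0"
    cp["vpn"]["username"] = username
    if not cp.has_section("vpn-secrets"):
        cp.add_section("vpn-secrets")
    cp["vpn-secrets"]["password"] = password
    return cp


def require_vpn(cp, vpn_uuid):
    """Step 5: make this connection bring up and depend on the VPN; the trailing ';' is part of the list syntax."""
    cp["connection"]["secondaries"] = vpn_uuid + ";"
    return cp
```

Write the result back in place as root with mode 0600, which NetworkManager requires before it will load a keyfile, then restart NetworkManager as in step 6.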

Privacy

Randomizing MAC address

If you want to dynamically use a different MAC address for your Wifi card (MAC spoofing), NetworkManager has everything built in. The default setting “randomization during Wi-Fi scanning” (wifi.scan-rand-mac-address=yes) changes the Wifi card's MAC address while searching for available access points, so as to be less recognizable and trackable (and is therefore recommendable in general).

Create and edit the file: /etc/NetworkManager/conf.d/wifi_rand_mac.conf

[device-mac-randomization]
# "yes" is already the default for scanning
wifi.scan-rand-mac-address=yes

[connection-mac-randomization]
# Randomize MAC for every ethernet connection
ethernet.cloned-mac-address=random
wifi.cloned-mac-address=random

# Uncomment line below for much less anonymity. It'll generate a random MAC for each WiFi access point and use the same MAC every time. Not recommended for maximum privacy or anonymity. 
#wifi.cloned-mac-address=stable

[connection]
#Randomize MAC in ipv6 too!
ipv6.ip6-privacy=2

Depending on whether you want random MAC addresses for your ethernet connections (basically everything connected via USB) or the built in wifi, change the above settings. Possible useful values are random (create a new one on every connection), stable (create a random one and keep it), preserve (don't change anything, this is the default).

Last, restart NetworkManager:

 sudo systemctl restart NetworkManager.service

Check this useful GNOME blog post for more details. If this solution does not work well for you, the package macchanger achieves the same.

NetworkManager will still send your hostname to the DHCP server, compromising anonymity; see https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/584

A script providing better MAC randomization and more features is available at https://gitlab.com/Aresesi/wipri

The wipri script above also includes an option (-w) to turn off the Wifi radio automatically when you leave your saved network for x minutes, preventing identifier leaks such as the sharing of saved SSID lists during Wifi probe requests.