OpenWrt-based XMPP server

This document describes how to build an OpenWrt-based XMPP server. We build on top of OpenWrt because of the distribution’s simplicity and small size. Here we assume that the server will run within the confines of a Xen hypervisor.

Establish the VM

Perform the following steps on the Xen Dom0 host to establish the VM which will host the XMPP server:

  1. Obtain the x86_64 OpenWrt image at https://downloads.lede-project.org/releases/17.01.1/targets/x86/64/lede-17.01.1-x86-64-combined-ext4.img.gz.
  2. Uncompress the image and place it at /var/lib/xen/images/prosody-lede-17.01.1-x86-64-combined-ext4.img on the Xen Dom0 host.
  3. Write the following at /etc/xen/vm-prosody.cfg on the Xen Dom0 host (replace XX:XX:XX:XX:XX:XX):
name    = "prosody"
memory  =  1024
vcpus   =  1
builder = "hvm"
vif     = [ "model=e1000,script=vif-bridge,bridge=xenbr0,mac=XX:XX:XX:XX:XX:XX" ]
disk    = [ "tap2:tapdisk:aio:/var/lib/xen/images/prosody-lede-17.01.1-x86-64-combined-ext4.img,xvda,w" ]
serial  = "pty"

Software installation

Perform the following steps on the VM:

  1. Set the root password: passwd.
  2. Remove unnecessary packages:
opkg remove \
        dnsmasq \
        kmod-ppp \
        kmod-pppoe \
        kmod-pppox \
        kmod-r8169 \
        logd \
        luci-app-firewall \
        luci-lib-ip \
        luci-lib-jsonc \
        luci-lib-nixio \
        luci-proto-ipv6 \
        luci-proto-ppp \
        luci-theme-bootstrap \
        luci-mod-admin-full \
        luci-base \
        luci \
        mtd \
        odhcpd-ipv6only \
        ppp \
        ppp-mod-pppoe \
        r8169-firmware \
        uhttpd-mod-ubus \
        uhttpd
  1. Configure networking by writing /etc/config/network:
config interface loopback
        option ifname lo
        option proto static
        option ipaddr 127.0.0.1
        option netmask 255.0.0.0

config interface lan
        option ifname eth0
        option proto dhcp
  1. Install the necessary software:
opkg update
opkg install \
        freifunk-watchdog \
        prosody \
        zoneinfo-core \
        zoneinfo-northamerica
  1. Install a public SSH key at /etc/dropbear/authorized_keys.

Configuring the Prosody chat server

  1. /etc/prosody/certs/example.com.cert: Concatenate your certificate, the immediate certificate, and the root certificate to produce etc/prosody/certs/example.com.cert.

  2. /etc/prosody/certs/example.com.key: Place your private key in etc/prosody/certs/example.com.key.

  3. /etc/prosody/prosody.cfg.lua (replace example.com):

admins = { }

modules_enabled = {
        "roster";
        "saslauth";
        "tls";
        "dialback";
        "disco";
        "private";
        "vcard";
        "legacyauth";
        "version";
        "uptime";
        "time";
        "ping";
        "pep";
        "register";
        "posix";
};

allow_registration = false;

pidfile = "/var/run/prosody/prosody.pid";
        
ssl = { 
        key = "/etc/prosody/certs/example.com.key";
        certificate = "/etc/prosody/certs/example.com.cert";
        c2s_require_encryption = true;
        s2s_require_encryption = true;
}

log = {
        { levels = { "error" }; to = "syslog";  };
        { levels = { "error" }; to = "file"; 
                filename = "/var/log/prosody/prosody.err";  };
        { levels = { min = "info" }; to = "file"; 
                filename = "/var/log/prosody/prosody.log";  };
}

VirtualHost "example.com"
        enabled = true
  1. Set the ownership of Prosody’s sensitive files using chown prosody /etc/prosody/certs/*, and set the permissions on these files with chmod 600 /etc/prosody/certs/*.
  2. For each prosody user, prosodyctl register USERNAME example.com PASSWORD, replacing USERNAME, PASSWORD, and example.com. (Use LDAP?)

Configure the host firewall

  1. /etc/config/firewall:
config defaults
        option drop_invalid 1
        option input ACCEPT
        option output ACCEPT
        option forward ACCEPT

config zone
        option name lan
        option network lan
        option input DROP
        option output ACCEPT
        option forward DROP

# Allow Jabber client-to-server connections from LAN.
config rule
        option target ACCEPT
        option src lan
        option proto tcp
        option dest_port 5222

# Allow Jabber server-to-server connections from LAN.
config rule
        option target ACCEPT
        option src lan
        option proto tcp
        option dest_port 5269

Configure basic system settings

  1. /etc/config/system:
config system
        option hostname prosody.flyn.org
        option timezone EST5EDT,M3.2.0,M11.1.0

config timeserver ntp
        list server     0.openwrt.pool.ntp.org
        list server     1.openwrt.pool.ntp.org
        list server     2.openwrt.pool.ntp.org
        list server     3.openwrt.pool.ntp.org
        option enabled 1
        option enable_server 0
  1. /etc/config/freifunk-watchdog:
config process
        option process dropbear 
        option initscript /etc/init.d/dropbear
  1. /etc/config/dropbear:
config dropbear
        option PasswordAuth 'off'
        option RootPasswordAuth 'off'
        option Port         '22'
Assistant Professor

My research interests include free and open source software, system security, and network security.