Agilicus Connector – NanoPI R2S

NanoPI R2S

NanoPI R2S

Simple Embedded System with Agilicus Connector

NanoPi R2S Background

The NanoPI R5S has 2 x Gigabit Ethernet, 1GiB of RAM, and 32GB of eMMC storage. With its large passive heatsink it is an ideal platform to use as a small router. It also makes an ideal platform to run the Agilicus Connector.

The NanoPi R2S will run several operating systems (Ubuntu, Armbian, OpenWRT). In this document we discuss using it with OpenWRT.

Installing OpenWRT

As received, the NanoPi R2S will (usually) be running FriendlyWRT. You may feel free to use this, however it has some security flaws. Agilicus recommends using the native OpenWRT build. You may build it yourself, or obtain from the OpenWRT Project.

267cb5d7 image
  1. Connect your laptop to the LAN ports (furthest to the USB-C power connector).
  2. Open a browser to http://192.168.2.1/
  3. Sign in as ‘root’, password ‘password’
  4. Navigate to ‘System/eMMC Tools’
  5. Download (on your laptop) https://downloads.openwrt.org/releases/23.05.3/targets/rockchip/armv8/openwrt-23.05.3-rockchip-armv8-friendlyarm_nanopi-r2s-squashfs-sysupgrade.img.gz
  6. Select ”Choose File’ and the file you just downloaded
  7. Select ‘Upload and Write’
  8. Wait approximately 90 to 120 seconds

At this stage you are running the Agilicus-supplied OpenWRT image.

2e822959 image
7999e14d image
d95df461 image
4905dfb9 image

Agilicus Connector Install

Using the Agilicus administrative portal, create a new connector. Use the ‘Linux’ instructions, copy.

In the OpenWRT admin interface (http://192.168.2.1/), select ‘Services/Terminal’. Sign in as root and the password you selected. Paste (shift-insert).

At this time the connector should be installed and you may close the terminal.

24b5a7dc image
8bfda54e image

You may wish to enable access to this router via the Agilicus AnyX platform (notably SSH and Admin web interface).

NOTE: DHCP Server Enable

Depending on your use, you may wish to have a DHCP server on the LAN ports, you can enable this under ‘Network/Interfaces/LAN’. You may also configure your desired IP range here.

It is appropriate to have a DHCP server on these LAN ports if this is an isolated network. If you are connecting to a larger network with an existing DHCP server, you probably wish to instead change the protocol on the LAN ports to DHCP Client.

3a0fb06e image
1e4619ff image

NOTE: Time Sync (NTP)

Modern cryptography requires clock sync and accuracy on all devices. Typically this is performed via Network Time Protocol, however, in some environments this is blocked (e.g. HTTPS-only outbound).

If your clock is not sync’d (see System/Time Synchronisation menu), you might be able to use a local NTP server. If not, you can enable an HTTPS-based sync as below:

service htpdate enable
service htpdate start

This is going to use the Agilicus API to provide an HTTP-based (over HTTPS port 443) time service. Configuration can be observed in /etc/config/htpdate:

config htpdate 'htpdate'
	option enabled 0
	list server 'https://api.agilicus.com'
	option proxy_host ''
	option proxy_port '8080'
	option debug 0
	option sanity_check 1
	#list option '-4'

Security Hardening

Web Terminal Disable

f00fff0e image

Once you have installed the Agilicus Connector, we recommend disabling the web terminal. On ‘Services/Termina’, select the config tab and remove the check-box beside ‘Enable’.

You may re-enable the web terminal later if you need it. However, we recommend using SSH instead for future command-line access.

The web terminal operates on a secondary TCP port (7681) and is not needed for normal operation.

SSH Setup

94a026d2 image

Agilicus recommends disabling password access to SSH in favour of SSH Keys.

On System/Administration, the SSH Access tab, uncheck ‘Password authentication’ and uncheck ‘Allow root logins with password’.

The rationale here is that password stuffing and guessing is a thing. Eventually someone will guess your l33t-hax0r password. Removing any ability to use passwords reduces the risk. In some controls environments any passwords can be disallowed.

dc2dee2c image

Once you have disabled password access, we recommend adding a SSH Key. Agilicus recommends using ed25519 SSH keys since they are smaller and more secure. Add your public key to the router here and place the private key (with passphrase!) in your SSH Agent on your desktop.

SSH keys are not only more secure, but also more convenient.

One downside to note: the Agilicus web interface for SSH is not currently compatible with SSH keys. If you wish to have SSH access to this device via the Agilicus Profile web interface, keep password on.

Firewall

At this stage, configure the firewall and NAT settings to suit on each of the interfaces. If the Agilicus Connector is providing Service Forwarder services, remember to open this ports on the router too.

We can check which ports are listening by running netstat -nlpt as below. Things with 0.0.0.0:PORT are available from outside the device. Things listening on 127.0.0.1, fe80::, ::1, etc, are locally bound only. In the example below, ‘uhttpd’ (the admin web interface), ‘dropbear’ (SSH) and ‘ttyd’ (the web terminal) are the only things listening.

root@agilicus-nanopi-r5:/# netstat -nlpt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      2403/uhttpd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1049/dropbear
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      2403/uhttpd
tcp        0      0 172.16.0.224:53         0.0.0.0:*               LISTEN      1029/dnsmasq
tcp        0      0 172.17.0.1:53           0.0.0.0:*               LISTEN      1029/dnsmasq
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      1029/dnsmasq
tcp        0      0 0.0.0.0:7681            0.0.0.0:*               LISTEN      3942/ttyd
tcp        0      0 :::443                  :::*                    LISTEN      2403/uhttpd
tcp        0      0 fe80::582e:8eff:fed2:3090:53 :::*                    LISTEN      1029/dnsmasq
tcp        0      0 ::1:53                  :::*                    LISTEN      1029/dnsmasq
tcp        0      0 fe80::3400:a4ff:fe92:b43d:53 :::*                    LISTEN      1029/dnsmasq
tcp        0      0 :::22                   :::*                    LISTEN      1049/dropbear
tcp        0      0 :::80                   :::*                    LISTEN      2403/uhttpd
tcp        0      0 2607:fea8:1c43:a103::d67d:53 :::*                    LISTEN      1029/dnsmasq
tcp        0      0 fc01::3:582e:8eff:fed2:3090:53 :::*                    LISTEN      1029/dnsmasq
tcp        0      0 2607:fea8:1c43:a103:582e:8eff:fed2:3090:53 :::*                    LISTEN      1029/dnsmasq
tcp        0      0 fc01:0:0:3::d67d:53     :::*                    LISTEN      1029/dnsmasq

Sample Configuration: Connect to Local HTTP + SSH

This walk through shows an example of how, once the connector is installed (as per above), configuration of an HTTP and SSH interface to this local device. Once these are configured you could use the firewall to disable all external access. The high level steps are:

  1. Create Connector (Agilicus Admin)
  2. Install Connector (NanoPi Web Terminal)
  3. Create SSH Resource (Agilicus Admin)
  4. Create Web Resource (Agilicus Admin)
  5. Assign Web Resource Permission (Agilicus Admin)
  6. SSH to NanoPi from Agilicus Profile (Agilicus Profile)
  7. Open Web Interface to NanoPi (Agilicus Profile or direct)

OK, let’s get started. This will take approximately 5 minutes.

Learn More?

📧 Contact

📅 Book a Meeting

↗ Try Agilicus AnyX

❓ FAQ

🛈 Email: support@agilicus.com

Return to Product Guide 📚

Related