Introduction
This is a write-up of installing Arch Linux ARM on the well-known single-board computer "Raspberry Pi 3 Model B" and trying, ultimately without success, to build an L2TP/IPsec VPN server on it.
It does not appear to work with kernel 4.14, which Arch Linux ARM currently ships. I will have to decide whether to wait for the kernel to be fixed or to switch to another OS.
Why I ended up building a VPN server on a Raspberry Pi
- It would be handy to reach my home network while out and about.
- Come to think of it, my QNAP NAS has a VPN server built in, so let's try that.
- Isn't it behaving oddly? The config gets reset every time the VPN server starts...
- No choice then: put Linux on a spare machine and build an L2TP/IPsec setup. It works, of course.
- The electricity bill starts to bother me, and the machine sits right on my cat's patrol route through the house, which is worrying.
- Right, wouldn't a single-board computer do? (Used YAMAHA RTX1200 units are plentiful these days and would also do, but there is no romance in that.)
Disclaimer
- This entry aims to provide information that is as accurate as possible, but accuracy is not guaranteed. I accept no responsibility for any damage arising from reading or using this entry.
- Please note that the information in this entry may be changed or removed without notice.
- The company and product names in this entry are trademarks or registered trademarks of their respective owners.
Prerequisites and so on
Choosing a single-board computer
Besides the Raspberry Pi there are many single-board computers on the market, such as the Tinker Board and the Banana Pi, and honestly I agonized over which to use. Each has its strengths and weaknesses, but since this is my first time using a single-board computer, I chose the Raspberry Pi, which has the most information available.
For the OS I considered a Debian-based distribution, but decided to go with Arch Linux while I was at it.
What you need
Since I happened to have business in Tokyo, I picked up the following items in Akihabara after looking at them in person. Prices are as of the time of purchase; check the current situation yourself.
Purchased
- Raspberry Pi 3 Model B, from Akizuki Denshi (5,200 yen)
- Heat sink set for Raspberry Pi B+, from Akizuki Denshi (120 yen)
- Premium Raspberry Pi Enclosure (908-4218), from Marutsu Akihabara shop 2 (1,209 yen)
- SUPER TALENT 16GB MicroSDHC card, from Hamada Denki (1,900 yen)
Already on hand
- AC adapter (USB Micro-B, capable of 5.0V/3.0A output)
- MicroSD card reader (USB)
- LAN cables and a hub
- Any Linux machine connected to the Internet
★ If f2fs-tools and bsdtar are not installed on it, install them.
Nice to have
- Bamboo tweezers (used when fitting the heat sinks)
Network layout
The network will be laid out as follows: the NAS and other devices are reached via the VPN server on the Raspberry Pi. The WAN-side interface of the broadband router has a global IP address assigned to it.
Building the environment
1. Assembling the Raspberry Pi
First take the Raspberry Pi out of its box and fit the heat sinks. You can fit them with your fingers just fine, but picking them up with bamboo tweezers gives you that "I'm doing electronics work right now!" feeling.
Then just snap it into the case. It takes less than two minutes.
2. Installing Arch Linux
Install Arch Linux onto the MicroSD card. This work is done on the Linux machine.
2.1. Creating partitions and formatting
【1】 Connect the MicroSD card reader to the Linux machine and insert the newly bought MicroSD card.
【2】 Open a console, run fdisk -l, and check which device the MicroSD card was assigned to. In this case it is /dev/sdd.
root@kali:~# fdisk -l
~(omitted)~
Disk /dev/sdd: 14.8 GiB, 15918432256 bytes, 31090688 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x00000000
Device Boot Start End Sectors Size Id Type
/dev/sdd1 8192 31090687 31082496 14.8G c W95 FAT32 (LBA)
【3】 Create the partitions.
root@kali:~# fdisk /dev/sdd
Welcome to fdisk (util-linux 2.30.2).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.
Command (m for help): o
Created a new DOS disklabel with disk identifier 0x9affc7fd.
Command (m for help): n
Partition type
p primary (0 primary, 0 extended, 4 free)
e extended (container for logical partitions)
Select (default p): p
Partition number (1-4, default 1): 1
First sector (2048-31090687, default 2048):
Last sector, +sectors or +size{K,M,G,T,P} (2048-31090687, default 31090687): +128M
Created a new partition 1 of type 'Linux' and of size 128 MiB.
Command (m for help): t
Selected partition 1
Hex code (type L to list all codes): c
Changed type of partition 'Linux' to 'W95 FAT32 (LBA)'.
Command (m for help): n
Partition type
p primary (1 primary, 0 extended, 3 free)
e extended (container for logical partitions)
Select (default p): p
Partition number (2-4, default 2): 2
First sector (264192-31090687, default 264192):
Last sector, +sectors or +size{K,M,G,T,P} (264192-31090687, default 31090687):
Created a new partition 2 of type 'Linux' and of size 14.7 GiB.
Command (m for help): w
The partition table has been altered.
Calling ioctl() to re-read partition table.
Syncing disks.
root@kali:~#
【4】 Format the partitions you created. /dev/sdd1, which becomes /boot, is formatted as vfat; the remaining area is formatted as f2fs.
root@kali:~# mkfs.vfat /dev/sdd1
mkfs.fat 4.1 (2017-01-24)
root@kali:~# mkfs.f2fs /dev/sdd2
F2FS-tools: mkfs.f2fs Ver: 1.7.0 (2016-07-28)
Info: Debug level = 0
Info: Label =
Info: Trim is enabled
Info: Segments per section = 1
Info: Sections per zone = 1
Info: sector size = 512
Info: total sectors = 30826496 (15052 MB)
Info: zone aligned segment0 blkaddr: 256
Info: format version with
"Linux version 4.13.0-kali1-amd64 (devel@kali.org) (gcc version 6.4.0 20171026 (Debian 6.4.0-9)) #1 SMP Debian 4.13.10-1kali2 (2017-11-08)"
Info: Discarding device
Info: This device doesn't support BLKSECDISCARD
Info: This device doesn't support BLKDISCARD
Info: Overprovision ratio = 1.640%
Info: Overprovision segments = 249 (GC reserved = 129)
Info: format successful
【5】 Once formatting is finished, mount the partitions at a suitable location.
root@kali:~# mkdir -p /root/archLinux/boot
root@kali:~# mkdir -p /root/archLinux/root
root@kali:~# mount /dev/sdd1 /root/archLinux/boot
root@kali:~# mount -t f2fs /dev/sdd2 /root/archLinux/root
root@kali:~# lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 32G 0 disk
├─sda1 8:1 0 30G 0 part /
├─sda2 8:2 0 1K 0 part
└─sda5 8:5 0 2G 0 part [SWAP]
sdd 8:48 1 14.8G 0 disk
├─sdd1 8:49 1 128M 0 part /root/archLinux/boot
└─sdd2 8:50 1 14.7G 0 part /root/archLinux/root
sr0 11:0 1 1024M 0 rom
2.2. Extracting onto the MicroSD card
The Arch Linux ARM build used here is "ARMv8 Raspberry Pi 3". The OS image is downloaded from archlinuxarm.org.
【1】 Download the OS image from archlinuxarm.org into a suitable directory. To be safe, download the checksum alongside it and verify with the md5sum command that the file is not corrupted.
root@kali:~# wget http://os.archlinuxarm.org/os/ArchLinuxARM-rpi-3-latest.tar.gz
root@kali:~# wget http://os.archlinuxarm.org/os/ArchLinuxARM-rpi-3-latest.tar.gz.md5
root@kali:~# md5sum -c ArchLinuxARM-rpi-3-latest.tar.gz.md5
ArchLinuxARM-rpi-3-latest.tar.gz: 完了
【2】 Extract the downloaded OS image onto the mounted MicroSD card.
root@kali:~# bsdtar -xpf ArchLinuxARM-rpi-3-latest.tar.gz -C /root/archLinux/root
bsdtar: Ignoring malformed pax extended attribute
bsdtar: Ignoring malformed pax extended attribute
bsdtar: Ignoring malformed pax extended attribute
bsdtar: Ignoring malformed pax extended attribute
bsdtar: Error exit delayed from previous errors.
root@kali:~# sync
At this point the messages "Ignoring malformed pax extended attribute" and "Error exit delayed from previous errors." are printed, but it seems they can be ignored, so carry on.
root@kali:~# mv /root/archLinux/root/boot/* /root/archLinux/boot
root@kali:~# sync
That essentially completes the installation; after unmounting you could insert the MicroSD card into the Raspberry Pi and power it on, but first a few settings.
2.3. A few settings before powering on
Configuring /etc/fstab
root@kali:~# vi /root/archLinux/root/etc/fstab
Add the following two lines and save.
/dev/mmcblk0p2 / f2fs defaults,noatime,discard 0 0
tmpfs /tmp tmpfs nodev,nosuid,size=2G 0 0
Kernel command line settings
root@kali:~# vi /root/archLinux/boot/cmdline.txt
Add the following two lines (in my environment the file had to be created) and save.
rootfstype=f2fs
ipv6.disable=1
Editing the OS config file
root@kali:~# vi /root/archLinux/boot/config.txt
Add the following line and save.
dtparam=sd_overclock=100
fsck setting for f2fs (have it do nothing)
root@kali:~# cp /root/archLinux/root/bin/true /root/archLinux/root/sbin/fsck.f2fs
That completes the OS installation. Unmount, insert the card into the Raspberry Pi's MicroSD slot, connect the Raspberry Pi to the hub with a LAN cable, and power it on. No display is needed.
root@kali:~# umount /root/archLinux/root
root@kali:~# umount /root/archLinux/boot
Once powered on it obtains an IP address via DHCP, so check the assigned address in the broadband router's admin page. Once you have it, connect with ssh. The default user ID/password is alarm/alarm.
For reference, here are the results of dmesg, lscpu, df and free right after booting.
dmesg output
[alarm@alarm ~]$ dmesg
df output
[alarm@alarm ~]$ df -h
Filesystem Size Used Avail Use% Mounted on
dev 420M 0 420M 0% /dev
run 455M 260K 455M 1% /run
/dev/mmcblk0p2 15G 1.1G 14G 8% /
tmpfs 455M 0 455M 0% /dev/shm
tmpfs 455M 0 455M 0% /sys/fs/cgroup
tmpfs 2.0G 0 2.0G 0% /tmp
/dev/mmcblk0p1 128M 60M 69M 47% /boot
tmpfs 91M 0 91M 0% /run/user/1000
lscpu output
[alarm@alarm ~]$ lscpu
Architecture: aarch64
Byte Order: Little Endian
CPU(s): 4
On-line CPU(s) list: 0-3
Thread(s) per core: 1
Core(s) per socket: 4
Socket(s): 1
Model: 4
BogoMIPS: 38.40
Flags: fp asimd evtstrm crc32 cpuid
free output
[alarm@alarm ~]$ free
total used free shared buff/cache available
Mem: 931360 60276 491768 260 379316 856004
Swap: 0 0 0
3. Setting up the various pieces of software
This is where the main work begins. Several things need to be done to build the VPN server. Log in over ssh and work as root. Carefully.
Locale settings
[root@alarm ~]# nano /etc/locale.gen
Find the lines en_US.UTF-8 UTF-8 and ja_JP.UTF-8 UTF-8, uncomment them, and save.
[root@alarm ~]# locale-gen
Generating locales...
en_US.UTF-8... done
ja_JP.UTF-8... done
Generation complete.
[root@alarm ~]# echo LANG=en_US.UTF-8 > /etc/locale.conf
[root@alarm ~]# export LANG=en_US.UTF-8
[root@alarm ~]# localectl set-keymap us
[root@alarm ~]# localectl status
System Locale: LANG=en_US.UTF-8
VC Keymap: us
X11 Layout: us
X11 Model: pc105+inet
X11 Options: terminate:ctrl_alt_bksp
Time zone and NTP settings
[root@alarm ~]# ln -sf /usr/share/zoneinfo/Asia/Tokyo /etc/localtime
[root@alarm ~]# nano /etc/systemd/timesyncd.conf
Uncomment the "NTP=" line and set it as follows.
NTP=ntp1.jst.mfeed.ad.jp ntp2.jst.mfeed.ad.jp ntp3.jst.mfeed.ad.jp
Changing the network settings
Setting the host name (named iori, after my cat)
[root@alarm ~]# echo iori > /etc/hostname
The IP address is configured statically rather than obtained via DHCP. IPv6 is not used either.
[root@alarm ~]# nano /etc/systemd/network/eth0.network
[Match]
Name=eth0
Host=iori
[Network]
Address=10.160.73.50/24
Gateway=10.160.73.1
DNS=10.160.73.1 8.8.8.8 8.8.4.4
IPForward=yes
LinkLocalAddressing=no
IPv6AcceptRA=no
Reboot once.
Updating Arch Linux ARM
[root@iori ~]# pacman -Syu
:: Synchronizing package databases...
core 186.4 KiB 621K/s 00:00 [######################] 100%
extra 2.3 MiB 2.45M/s 00:01 [######################] 100%
community 3.8 MiB 1928K/s 00:02 [######################] 100%
alarm 43.3 KiB 173K/s 00:00 [######################] 100%
aur is up to date
:: Starting full system upgrade...
resolving dependencies...
looking for conflicting packages...
Packages (7) argon2-20171227-2 cryptsetup-2.0.0-5 e2fsprogs-1.43.8-1
iw-4.14-1 linux-aarch64-4.14.12-1 linux-api-headers-4.14.8-1
xfsprogs-4.14.0-1
Total Download Size: 60.36 MiB
Total Installed Size: 113.85 MiB
Net Upgrade Size: 0.22 MiB
:: Proceed with installation? [Y/n] y
:: Retrieving packages...
linux-api-headers-4... 909.4 KiB 1399K/s 00:01 [######################] 100%
argon2-20171227-2-a... 29.0 KiB 415K/s 00:00 [######################] 100%
cryptsetup-2.0.0-5-... 318.3 KiB 816K/s 00:00 [######################] 100%
e2fsprogs-1.43.8-1-... 955.1 KiB 1566K/s 00:01 [######################] 100%
iw-4.14-1-aarch64 63.2 KiB 452K/s 00:00 [######################] 100%
linux-aarch64-4.14.... 57.4 MiB 3.39M/s 00:17 [######################] 100%
xfsprogs-4.14.0-1-a... 790.1 KiB 1881K/s 00:00 [######################] 100%
(7/7) checking keys in keyring [######################] 100%
(7/7) checking package integrity [######################] 100%
(7/7) loading package files [######################] 100%
(7/7) checking for file conflicts [######################] 100%
(7/7) checking available disk space [######################] 100%
:: Processing package changes...
(1/7) upgrading linux-api-headers [######################] 100%
(2/7) installing argon2 [######################] 100%
(3/7) upgrading cryptsetup [######################] 100%
(4/7) upgrading e2fsprogs [######################] 100%
(5/7) upgrading iw [######################] 100%
(6/7) upgrading linux-aarch64 [######################] 100%
>>> Updating module dependencies. Please wait ...
(7/7) upgrading xfsprogs [######################] 100%
:: Running post-transaction hooks...
(1/4) Updating linux-aarch64 initcpios
==> Building image from preset: /etc/mkinitcpio.d/linux-aarch64.preset: 'default'
-> -k 4.14.12-1-ARCH -c /etc/mkinitcpio.conf -g /boot/initramfs-linux.img
==> Starting build: 4.14.12-1-ARCH
-> Running build hook: [base]
-> Running build hook: [udev]
-> Running build hook: [autodetect]
-> Running build hook: [modconf]
-> Running build hook: [block]
-> Running build hook: [filesystems]
-> Running build hook: [keyboard]
-> Running build hook: [fsck]
==> WARNING: No modules were added to the image. This is probably not what you want.
==> Creating gzip-compressed initcpio image: /boot/initramfs-linux.img
==> Image generation successful
==> Building image from preset: /etc/mkinitcpio.d/linux-aarch64.preset: 'fallback'
-> -k 4.14.12-1-ARCH -c /etc/mkinitcpio.conf -g /boot/initramfs-linux-fallback.img -S autodetect
==> Starting build: 4.14.12-1-ARCH
-> Running build hook: [base]
-> Running build hook: [udev]
-> Running build hook: [modconf]
-> Running build hook: [block]
==> WARNING: Possibly missing firmware for module: wd719x
-> Running build hook: [filesystems]
-> Running build hook: [keyboard]
-> Running build hook: [fsck]
==> Generating module dependencies
==> Creating gzip-compressed initcpio image: /boot/initramfs-linux-fallback.img
==> Image generation successful
(2/4) Creating temporary files...
(3/4) Arming ConditionNeedsUpdate...
(4/4) Updating the info directory file...
The VPN server being built is L2TP/IPsec, so I will use the combination of strongSwan and xl2tpd. The versions used are as follows.
- strongSwan: 5.6.1
- xl2tpd: 1.3.10
Installing and configuring strongSwan
[root@iori ~]# pacman -S strongswan
resolving dependencies...
looking for conflicting packages...
Packages (1) strongswan-5.6.1-2
Total Download Size: 0.95 MiB
Total Installed Size: 3.59 MiB
:: Proceed with installation? [Y/n] y
:: Retrieving packages...
strongswan-5.6.1-2-... 974.1 KiB 1476K/s 00:01 [######################] 100%
(1/1) checking keys in keyring [######################] 100%
(1/1) checking package integrity [######################] 100%
(1/1) loading package files [######################] 100%
(1/1) checking for file conflicts [######################] 100%
(1/1) checking available disk space [######################] 100%
:: Processing package changes...
(1/1) installing strongswan [######################] 100%
Optional dependencies for strongswan
libnm-glib: for networkmanager support
mariadb: MySQL support
ruby: Ruby support
python: Python support
openldap: LDAP support
:: Running post-transaction hooks...
(1/1) Arming ConditionNeedsUpdate...
[root@iori ~]# nano /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
# (parameter lines inside a section must be indented)
config setup
    # strictcrlpolicy=yes
    # uniqueids = no
# Add connections here.
conn IKE_BASE
    rekey=yes
    keylife=20m
    keyingtries=1
    rekeymargin=3m
    ikelifetime=60m
    keyexchange=ikev1
    dpddelay=300s
    dpdaction=clear
    esp=aes256-sha1,aes128-sha1!
    ike=aes256-sha1-modp2048,aes256-sha1-modp1024,aes128-sha1-modp1024!
conn L2TP_SERVER
    auto=add
    also=IKE_BASE
    type=transport
    authby=secret
    left=10.160.73.50
    leftauth=psk
    leftsubnet=0.0.0.0/0
    leftprotoport=17/1701
    right=%any
    rightsubnet=0.0.0.0/0
    rightauth=psk
[root@iori ~]# nano /etc/ipsec.secrets
# "事前共有鍵" is a placeholder: put your own pre-shared key between the quotes
: PSK "事前共有鍵"
Installing and configuring xl2tpd
[root@iori ~]# pacman -S xl2tpd
resolving dependencies...
looking for conflicting packages...
Packages (2) ppp-2.4.7-4 xl2tpd-1.3.10-1
Total Download Size: 0.31 MiB
Total Installed Size: 1.06 MiB
:: Proceed with installation? [Y/n] y
:: Retrieving packages...
ppp-2.4.7-4-aarch64 272.7 KiB 940K/s 00:00 [######################] 100%
xl2tpd-1.3.10-1-aarch64 48.8 KiB 4.76M/s 00:00 [######################] 100%
(2/2) checking keys in keyring [######################] 100%
(2/2) checking package integrity [######################] 100%
(2/2) loading package files [######################] 100%
(2/2) checking for file conflicts [######################] 100%
(2/2) checking available disk space [######################] 100%
:: Processing package changes...
(1/2) installing ppp [######################] 100%
(2/2) installing xl2tpd [######################] 100%
:: Running post-transaction hooks...
(1/2) Creating temporary files...
(2/2) Arming ConditionNeedsUpdate...
[root@iori ~]# nano /etc/xl2tpd/xl2tpd.conf
[global]
listen-addr = 10.160.73.50
port = 1701
access control = no
debug avp=no
debug network=no
debug packet=no
debug state=no
debug tunnel=no
[lns default]
ip range = 10.160.73.10-10.160.73.20
local ip = 10.160.73.50
length bit = yes
refuse pap = yes
refuse chap = yes
require authentication = yes
name = l2tp
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.lns
pass peer=yes
[root@iori ~]# nano /etc/ppp/options.l2tpd.lns
name l2tp
refuse-eap
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
ms-dns 8.8.8.8
nodefaultroute
novj
mtu 1400
mru 1400
proxyarp
mrru 1400
novjccomp
nobsdcomp
lcp-echo-failure 3
lcp-echo-interval 60
[root@iori ~]# nano /etc/ppp/chap-secrets
# "ユーザ名" and "パスワード" are placeholders for the user name and password; "l2tp" must match name= in xl2tpd.conf
"ユーザ名" "l2tp" "パスワード" *
Finally, restart strongSwan and xl2tpd so that the configuration files take effect. It is also worth checking with the lsof command that xl2tpd is listening on UDP/1701.
[root@iori ~]# ipsec start
[root@iori ~]# systemctl start xl2tpd
[root@iori ~]# lsof -i:1701
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
xl2tpd 3461 root 3u IPv4 25667 0t0 UDP iori:l2f
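Before starting the daemons, the three configuration files above have to agree with each other (server address, UDP port, lns name, PPP authentication), and a mismatch usually shows up only as a client that silently fails to connect. The following Python script is an added example of my own, not code from the post or from strongSwan/xl2tpd: it parses the post's ipsec.conf, xl2tpd.conf, options.l2tpd.lns and chap-secrets (embedded here as sample input; the credentials are constructed) and reports the inconsistencies, plus the 1024-bit DH group that ike= offers for legacy clients. The ipsec.conf parser rejects unindented parameter lines, which is how the listing above would come out if pasted without its indentation.

```python
import configparser
import ipaddress
import shlex

# Sample inputs: the post's own values as constants. ipsec.conf is trimmed to
# the parameters checked below, with the indentation that strongSwan requires
# for section parameters restored.
IPSEC_CONF = """\
conn IKE_BASE
    keyexchange=ikev1
    ike=aes256-sha1-modp2048,aes256-sha1-modp1024,aes128-sha1-modp1024!

conn L2TP_SERVER
    auto=add
    also=IKE_BASE
    type=transport
    authby=secret
    left=10.160.73.50
    leftprotoport=17/1701
    right=%any
"""
XL2TPD_CONF = """\
[global]
listen-addr = 10.160.73.50
port = 1701

[lns default]
ip range = 10.160.73.10-10.160.73.20
local ip = 10.160.73.50
name = l2tp
"""
PPP_OPTIONS = "name l2tp\nrefuse-pap\nrefuse-chap\nrefuse-mschap\nrequire-mschap-v2\nms-dns 8.8.8.8\n"
CHAP_SECRETS = '"alice" "l2tp" "correct-horse-battery" *\n'  # constructed credentials


def parse_ipsec_conf(text):
    """ipsec.conf -> {section: {key: value}} with also= resolved. Section headers are
    unindented and parameters must be indented; an unindented key=value line is an error."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line[0].isspace():
            if current is None:
                raise ValueError("parameter before any section: " + line.strip())
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip()
        elif "=" in line:
            raise ValueError("unindented parameter line: " + line)
        else:  # "conn NAME" or "config setup"
            current = line.split(None, 1)[-1].strip()
            sections[current] = {}
    for params in sections.values():  # the including conn wins on duplicate keys
        inc = params.pop("also", None)
        if inc is not None:
            for key, value in sections[inc].items():
                params.setdefault(key, value)
    return sections


def parse_xl2tpd_conf(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}


def parse_ppp_options(text):
    words = [l.split() for l in text.splitlines() if l.split() and not l.startswith("#")]
    return {w[0]: " ".join(w[1:]) or True for w in words}


def parse_chap_secrets(text):
    return [shlex.split(l) for l in text.splitlines() if l.strip() and not l.startswith("#")]


def check_l2tp_ipsec(ipsec, xl2tpd, ppp, secrets, conn="L2TP_SERVER"):
    """Return the mismatches that otherwise only surface as a failed connection."""
    problems, c = [], ipsec[conn]
    g, lns = xl2tpd["global"], xl2tpd["lns default"]
    if c.get("keyexchange") != "ikev1" or c.get("type") != "transport":
        problems.append("L2TP clients expect keyexchange=ikev1 and type=transport")
    if c.get("leftprotoport") != "17/" + g.get("port", "1701"):
        problems.append("leftprotoport does not match xl2tpd's UDP port")
    if not (c.get("left") == g.get("listen-addr") == lns.get("local ip")):
        problems.append("left=, listen-addr and local ip must all be the server address")
    lo, _, hi = lns["ip range"].partition("-")
    lo, hi = ipaddress.ip_address(lo.strip()), ipaddress.ip_address(hi.strip())
    if lo > hi or lo <= ipaddress.ip_address(lns["local ip"]) <= hi:
        problems.append("ip range is empty or overlaps local ip")
    if ppp.get("name") != lns.get("name") or any(s[1] != lns.get("name") for s in secrets):
        problems.append("pppd name, lns name and the chap-secrets server field must agree")
    if "require-mschap-v2" not in ppp or "refuse-pap" not in ppp:
        problems.append("pppd should require MS-CHAPv2 and refuse PAP")
    if "modp1024" in c.get("ike", ""):
        problems.append("warning: ike= offers 1024-bit DH (modp1024); keep it only for legacy clients")
    return problems


if __name__ == "__main__":
    report = check_l2tp_ipsec(parse_ipsec_conf(IPSEC_CONF), parse_xl2tpd_conf(XL2TPD_CONF),
                              parse_ppp_options(PPP_OPTIONS), parse_chap_secrets(CHAP_SECRETS))
    print("\n".join(report) or "no mismatches found")
```

Run against the post's values, the only finding is the modp1024 warning; to check a live box, read the four files from /etc instead of the embedded constants.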
Closing
As mentioned at the start, after all this I could not connect in the end. Waiting for the kernel 4.14 fix.
https://bugs.archlinux.org/task/56605
https://bugzilla.redhat.com/show_bug.cgi?id=1526203
https://github.com/libreswan/libreswan/issues/140