Advanced Network Configuration and Management Guide for Ubuntu Server 22.04

Tyler Maginnis | January 18, 2024

Network configuration is fundamental to server administration. This comprehensive guide covers everything from basic Netplan configuration to advanced networking features like VLANs, bonding, and VPN setup on Ubuntu Server 22.04.

Prerequisites

  • Ubuntu Server 22.04 LTS installed
  • Root or sudo access
  • Basic understanding of networking concepts
  • Physical or virtual network interfaces available

Understanding Ubuntu's Network Stack

Netplan Overview

Ubuntu 22.04 uses Netplan as the default network configuration abstraction. It generates configuration for either NetworkManager or systemd-networkd.

/etc/netplan/
├── 00-installer-config.yaml    # Default configuration
└── 99-custom.yaml             # Custom configurations

Basic Network Configuration

View Current Configuration

# Show network interfaces
ip addr show
ip link show

# Show routing table
ip route show

# Show DNS configuration (resolvectl is the current name; systemd-resolve is the legacy alias)
resolvectl status

# Current Netplan configuration
cat /etc/netplan/*.yaml

Static IP Configuration

sudo nano /etc/netplan/00-installer-config.yaml
network:
  version: 2
  renderer: networkd
  ethernets:
    enp0s3:
      dhcp4: no
      addresses:
        - 192.168.1.100/24
      gateway4: 192.168.1.1   # deprecated in newer netplan; prefer a routes: entry with "to: default", as in the next example
      nameservers:
        addresses:
          - 8.8.8.8
          - 8.8.4.4
        search:
          - example.com

Multiple IP Addresses

network:
  version: 2
  ethernets:
    enp0s3:
      dhcp4: no
      addresses:
        - 192.168.1.100/24
        - 192.168.1.101/24
        - 10.0.0.100/24
      routes:
        - to: default
          via: 192.168.1.1
        - to: 10.0.1.0/24
          via: 10.0.0.1

Apply Configuration

# Test configuration
sudo netplan try

# Apply configuration
sudo netplan apply

# Debug mode
sudo netplan --debug apply

Advanced Interface Configuration

network:
  version: 2
  renderer: networkd
  ethernets:
    enp0s3:
      dhcp4: no
    enp0s8:
      dhcp4: no
  bonds:
    bond0:
      dhcp4: no
      interfaces:
        - enp0s3
        - enp0s8
      addresses:
        - 192.168.1.100/24
      gateway4: 192.168.1.1   # deprecated in newer netplan; prefer routes: [{to: default, via: 192.168.1.1}]
      parameters:
        mode: active-backup
        primary: enp0s3
        mii-monitor-interval: 100   # link check every 100 ms
        gratuitous-arp: 5           # ARP announcements sent after a failover

Bond Modes

Modes accepted by parameters.mode (a bond has exactly one mode):

  • balance-rr      Round-robin (mode 0)
  • active-backup   Active-backup (mode 1), needs no switch support
  • balance-xor     XOR (mode 2)
  • broadcast       Broadcast (mode 3)
  • 802.3ad         LACP (mode 4), requires an LACP-configured switch port
  • balance-tlb     Adaptive transmit load balancing (mode 5)
  • balance-alb     Adaptive load balancing (mode 6)
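An active-backup bond like the one above only provides redundancy if someone notices when it fails over. This added example (not part of the original guide) reads the state the bonding driver exposes in /proc/net/bonding/bond0 and reports degraded slaves and an active slave that differs from the configured primary; it runs on a constructed, abridged copy of that file.

```shell
#!/bin/sh
# Monitoring-style check for an active-backup bond: report each slave's MII
# status and link-failure count, flag a failover (active slave != primary),
# and exit non-zero when anything is wrong. Live use: bond_health /proc/net/bonding/bond0

# Constructed, abridged copy of /proc/net/bonding/bond0 (not from a real host):
# the primary enp0s3 has lost link and the bond failed over to enp0s8.
SAMPLE_BOND=$(mktemp)
cat > "$SAMPLE_BOND" <<'EOF'
Ethernet Channel Bonding Driver: v5.15.0
Bonding Mode: fault-tolerance (active-backup)
Primary Slave: enp0s3 (primary_reselect always)
Currently Active Slave: enp0s8
MII Status: up

Slave Interface: enp0s3
MII Status: down
Link Failure Count: 1

Slave Interface: enp0s8
MII Status: up
Link Failure Count: 0
EOF

# bond_health FILE: one line per slave ("iface status failures=N") in driver order,
# then FAILOVER or OK for the active-vs-primary check; exit status 1 on any problem.
bond_health() {
  awk '
    /^Primary Slave:/               { primary = $3 }
    /^Currently Active Slave:/      { active = $4 }
    /^Slave Interface:/             { slave = $3; order[++n] = slave }
    /^MII Status:/ && slave != ""   { status[slave] = $3; if ($3 != "up") bad++ }
    /^Link Failure Count:/ && slave != "" { fails[slave] = $4 }
    END {
      for (i = 1; i <= n; i++) print order[i], status[order[i]], "failures=" fails[order[i]]
      if (primary != "" && active != primary) { print "FAILOVER active=" active " primary=" primary; bad++ }
      else print "OK active=" active
      exit (bad > 0)
    }' "$1"
}

bond_health "$SAMPLE_BOND" || echo "bond degraded (exit $?)"
```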

VLAN Configuration

network:
  version: 2
  renderer: networkd
  ethernets:
    enp0s3:
      dhcp4: no
  vlans:
    vlan10:
      id: 10
      link: enp0s3
      addresses:
        - 10.10.10.100/24
    vlan20:
      id: 20
      link: enp0s3
      addresses:
        - 10.20.20.100/24

Bridge Configuration

network:
  version: 2
  renderer: networkd
  ethernets:
    enp0s3:
      dhcp4: no
  bridges:
    br0:
      dhcp4: no
      addresses:
        - 192.168.1.100/24
      gateway4: 192.168.1.1   # deprecated in newer netplan; prefer routes: [{to: default, via: 192.168.1.1}]
      interfaces:
        - enp0s3
      parameters:
        stp: true
        forward-delay: 15

Firewall Configuration (UFW)

Basic UFW Commands

# Enable UFW
sudo ufw enable

# Check status
sudo ufw status verbose

# Allow SSH
sudo ufw allow 22/tcp
sudo ufw allow ssh

# Allow specific port
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

# Allow port range
sudo ufw allow 6000:6007/tcp

# Allow from specific IP
sudo ufw allow from 192.168.1.100 to any port 22

# Allow subnet
sudo ufw allow from 192.168.1.0/24

# Deny specific IP
sudo ufw deny from 10.0.0.5

# Delete rule
sudo ufw delete allow 80/tcp
sudo ufw status numbered
sudo ufw delete 2

Advanced UFW Rules

# Rate limiting
sudo ufw limit ssh/tcp

# Application profiles
sudo ufw app list
sudo ufw allow 'Nginx Full'

# Logging
sudo ufw logging on
sudo ufw logging medium

# Default policies (allow routed only when this host forwards traffic for others,
# as in the NAT and VPN sections below; otherwise leave routed at its default of deny)
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw default allow routed
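Once logging is on, the [UFW BLOCK] lines in /var/log/ufw.log are the quickest view of what the firewall is dropping. The helper below is an added example (not part of the original guide) that summarises those entries per source, port and protocol and lists sources above a threshold; it assumes the default kernel log-line format and runs on constructed sample lines.

```shell
#!/bin/sh
# Summarise [UFW BLOCK] events: which sources are being dropped, on which
# port/protocol, and which sources exceed a threshold. Reads the lines that
# "ufw logging on" writes to /var/log/ufw.log; pass any other file to analyse.

# Constructed sample log (not real traffic); the AUDIT line shows the filtering.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Jan 18 10:00:01 srv kernel: [UFW BLOCK] IN=enp0s3 OUT= MAC=08:00:27:aa:bb:cc:52:54:00:12:34:56:08:00 SRC=203.0.113.10 DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=41000 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 18 10:00:02 srv kernel: [UFW BLOCK] IN=enp0s3 OUT= MAC=08:00:27:aa:bb:cc:52:54:00:12:34:56:08:00 SRC=203.0.113.10 DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=41001 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 18 10:00:03 srv kernel: [UFW BLOCK] IN=enp0s3 OUT= MAC=08:00:27:aa:bb:cc:52:54:00:12:34:56:08:00 SRC=203.0.113.10 DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=3 DF PROTO=TCP SPT=41002 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 18 10:00:04 srv kernel: [UFW BLOCK] IN=enp0s3 OUT= MAC=08:00:27:aa:bb:cc:52:54:00:12:34:56:08:00 SRC=203.0.113.10 DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4 DF PROTO=TCP SPT=41003 DPT=23 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 18 10:00:05 srv kernel: [UFW BLOCK] IN=enp0s3 OUT= MAC=08:00:27:aa:bb:cc:52:54:00:12:34:56:08:00 SRC=198.51.100.7 DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=5 DF PROTO=TCP SPT=50000 DPT=3389 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 18 10:00:06 srv kernel: [UFW BLOCK] IN=enp0s3 OUT= MAC=08:00:27:aa:bb:cc:52:54:00:12:34:56:08:00 SRC=198.51.100.7 DST=192.168.1.100 LEN=78 TOS=0x00 PREC=0x00 TTL=48 ID=6 PROTO=UDP SPT=50001 DPT=161 LEN=58
Jan 18 10:00:07 srv kernel: [UFW AUDIT] IN=enp0s3 OUT= MAC=08:00:27:aa:bb:cc:52:54:00:12:34:56:08:00 SRC=192.168.1.50 DST=192.168.1.100 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=7 DF PROTO=TCP SPT=52000 DPT=443 WINDOW=64240 RES=0x00 ACK URGP=0
EOF

# ufw_block_summary FILE: prints "count src_ip dst_port proto", most frequent first.
ufw_block_summary() {
  grep -F '[UFW BLOCK]' "$1" | awk '
    {
      src = ""; dpt = ""; proto = ""
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")              # fields look like KEY=VALUE; flags like DF have no "="
        if (kv[1] == "SRC") src = kv[2]
        else if (kv[1] == "DPT") dpt = kv[2]
        else if (kv[1] == "PROTO") proto = kv[2]
      }
      if (src != "") count[src " " dpt " " proto]++
    }
    END { for (k in count) print count[k], k }' | sort -k1,1nr -k2
}

# ufw_noisy_sources FILE [THRESHOLD]: sources with more than THRESHOLD (default 3)
# blocked packets in total, across all ports: review candidates for "ufw deny from".
ufw_noisy_sources() {
  ufw_block_summary "$1" | awk -v t="${2:-3}" '
    { total[$2] += $1 }
    END { for (s in total) if (total[s] > t) print s, total[s] }' | sort
}

ufw_block_summary "$SAMPLE_LOG"
ufw_noisy_sources "$SAMPLE_LOG"
```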

UFW with NAT and Port Forwarding

# Edit before.rules
sudo nano /etc/ufw/before.rules

# Add NAT table rules (at the beginning)
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

# Port forwarding
-A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.1.100:8080

# NAT for outgoing traffic
-A POSTROUTING -s 192.168.1.0/24 -o enp0s3 -j MASQUERADE

COMMIT

# Enable IP forwarding
sudo nano /etc/ufw/sysctl.conf
# Uncomment: net/ipv4/ip_forward=1

VPN Configuration

WireGuard VPN Setup

Install WireGuard

sudo apt update
sudo apt install wireguard -y

Generate Keys

# Generate server private key; umask 077 creates the file without group/world
# read, and >/dev/null keeps the key off the terminal (and out of scrollback)
umask 077
wg genkey | sudo tee /etc/wireguard/server_private.key >/dev/null
sudo chmod 600 /etc/wireguard/server_private.key

# Derive the server public key
sudo cat /etc/wireguard/server_private.key | wg pubkey | sudo tee /etc/wireguard/server_public.key

# Generate client keys (same umask; the private key stays on the client)
wg genkey > client_private.key
wg pubkey < client_private.key > client_public.key

Server Configuration

sudo nano /etc/wireguard/wg0.conf
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <server_private_key>
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o enp0s3 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o enp0s3 -j MASQUERADE

[Peer]
PublicKey = <client_public_key>
AllowedIPs = 10.0.0.2/32

Enable and Start WireGuard

# Enable IP forwarding
sudo sysctl -w net.ipv4.ip_forward=1
echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf

# Start WireGuard
sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0

# Check status
sudo wg show

OpenVPN Setup

Install OpenVPN

sudo apt install openvpn easy-rsa -y

Setup CA

make-cadir ~/openvpn-ca
cd ~/openvpn-ca

# Edit vars (easy-rsa 3 syntax, as shipped on Ubuntu 22.04; copy vars.example
# to vars if it does not exist. The easy-rsa 2 "export KEY_*" lines are ignored by easy-rsa 3)
nano vars
# Set:
# set_var EASYRSA_REQ_COUNTRY  "US"
# set_var EASYRSA_REQ_PROVINCE "CA"
# set_var EASYRSA_REQ_CITY     "SanFrancisco"
# set_var EASYRSA_REQ_ORG      "MyOrg"
# set_var EASYRSA_REQ_EMAIL    "admin@example.com"
# set_var EASYRSA_REQ_OU       "MyOrgUnit"

# Build CA
./easyrsa init-pki
./easyrsa build-ca nopass

Generate Server Certificate

./easyrsa gen-req server nopass
./easyrsa sign-req server server
./easyrsa gen-dh
# OpenVPN 2.5+ form; the older "--genkey --secret ta.key" still works but is deprecated
openvpn --genkey secret ta.key

# Resulting files, which server.conf below references by relative name:
#   pki/ca.crt, pki/issued/server.crt, pki/private/server.key, pki/dh.pem, ta.key
# Copy them into /etc/openvpn/ (server.key and ta.key owned by root, mode 600)

Server Configuration

sudo nano /etc/openvpn/server.conf
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
tls-auth ta.key 0
# OpenVPN 2.5+ negotiates AEAD ciphers via data-ciphers; the per-session "cipher" directive is deprecated
data-ciphers AES-256-GCM:AES-128-GCM
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
verb 3

Network Performance Tuning

Kernel Network Parameters

sudo nano /etc/sysctl.conf
# Network performance tuning
net.core.rmem_max = 134217728
net.core.wmem_max = 134217728
net.ipv4.tcp_rmem = 4096 87380 134217728
net.ipv4.tcp_wmem = 4096 65536 134217728
net.core.netdev_max_backlog = 5000
net.ipv4.tcp_congestion_control = bbr
net.core.default_qdisc = fq

# Connection tracking (the nf_conntrack module must be loaded, e.g. by UFW, or sysctl -p reports this key as unknown)
net.netfilter.nf_conntrack_max = 131072
net.ipv4.tcp_tw_reuse = 1
net.ipv4.ip_local_port_range = 10000 65000
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 300
net.ipv4.tcp_keepalive_probes = 5
net.ipv4.tcp_keepalive_intvl = 30

# Security
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0

Apply Settings

sudo sysctl -p
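Setting the Security values once is not the same as keeping them: a later package, container runtime or a stray drop-in under /etc/sysctl.d can silently change them. This added example (not part of the original guide) audits the five hardening keys from the Security block against a saved copy of sysctl -a output; the sample output is constructed, and on a live host you would feed it the output of sudo sysctl -a instead.

```shell
#!/bin/sh
# Audit the hardening sysctls from the "Security" block against a host's live
# values. Feed it 'sysctl -a' output (sudo sysctl -a 2>/dev/null > live.txt)
# so the same check can run from cron or a configuration-drift report.

# Expected values, exactly as listed in the sysctl.conf fragment above.
SYSCTL_EXPECTED='net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.accept_redirects=0
net.ipv6.conf.all.accept_redirects=0'

# Constructed sample of 'sysctl -a' output (not from a real host): two values
# have drifted from the hardened baseline.
SAMPLE_SYSCTL=$(mktemp)
cat > "$SAMPLE_SYSCTL" <<'EOF'
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.tcp_rmem = 4096 131072 6291456
net.ipv4.tcp_syncookies = 1
net.ipv6.conf.all.accept_redirects = 0
EOF

# audit_sysctl FILE: prints one line per key that is missing or differs from
# SYSCTL_EXPECTED, in baseline order; exit status 1 if anything drifted, else 0.
# Only the first value token is compared (sufficient for the 0/1 flags audited here).
audit_sysctl() {
  printf '%s\n' "$SYSCTL_EXPECTED" | awk -v file="$1" '
    BEGIN {
      while ((getline line < file) > 0) {         # index the live "key = value" lines
        n = split(line, f, " ")
        if (n >= 3 && f[2] == "=") live[f[1]] = f[3]
      }
      close(file)
    }
    /=/ {                                          # one expected key=value per stdin line
      split($0, kv, "=")
      if (!(kv[1] in live))          { print kv[1], "missing"; drift = 1 }
      else if (live[kv[1]] != kv[2]) { print kv[1], "expected=" kv[2], "actual=" live[kv[1]]; drift = 1 }
    }
    END { exit drift }'
}

audit_sysctl "$SAMPLE_SYSCTL" || echo "sysctl drift detected (exit $?)"
```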

Network Monitoring and Troubleshooting

Essential Tools

# Install network tools (conntrack and dnsutils provide the conntrack and dig commands used below)
sudo apt install net-tools ethtool iftop nethogs iperf3 tcpdump nmap traceroute mtr-tiny conntrack dnsutils -y

Interface Statistics

# Interface stats
ip -s link show

# Detailed interface info
ethtool enp0s3
ethtool -S enp0s3

# Real-time bandwidth
iftop -i enp0s3
nethogs enp0s3

Connection Monitoring

# Listening sockets (numeric), then all TCP/UDP connections with the owning process
ss -tuln
ss -tupn

# Connection statistics
netstat -s

# Dump the kernel connection-tracking table (needs the conntrack package)
sudo conntrack -L

Network Diagnostics

# Test connectivity
ping -c 4 google.com
ping6 -c 4 google.com

# Trace route
traceroute google.com
mtr google.com

# DNS lookup
dig google.com
nslookup google.com
host google.com

# Port scanning
nmap -p 22,80,443 192.168.1.100

Packet Capture

# Basic capture
sudo tcpdump -i enp0s3

# Capture to file
sudo tcpdump -i enp0s3 -w capture.pcap

# Filter by port
sudo tcpdump -i enp0s3 port 80

# Filter by host
sudo tcpdump -i enp0s3 host 192.168.1.100

# Verbose output
sudo tcpdump -i enp0s3 -vvv -X

IPv6 Configuration

Enable IPv6

network:
  version: 2
  ethernets:
    enp0s3:
      dhcp4: yes
      dhcp6: yes
      addresses:
        - "2001:db8::100/64"
      gateway6: "2001:db8::1"   # deprecated in newer netplan; prefer routes: [{to: default, via: "2001:db8::1"}]
      nameservers:
        addresses:
          - "2001:4860:4860::8888"
          - "2001:4860:4860::8844"

IPv6 Firewall Rules

# ICMPv6 (neighbour discovery, router advertisements, echo) is already permitted by the
# rules UFW ships in /etc/ufw/before6.rules, so no extra rule is needed; ufw accepts a
# port only together with tcp or udp, so a "proto ipv6 ... port 58" rule is rejected.
# Confirm that IPv6 filtering is enabled at all: IPV6=yes in /etc/default/ufw, then sudo ufw reload

# Allow specific IPv6 address
sudo ufw allow from 2001:db8::100 to any port 22

Network Namespace Management

Create Network Namespace

# Create namespace
sudo ip netns add myns

# List namespaces
sudo ip netns list

# Execute in namespace
sudo ip netns exec myns ip addr show

# Add interface to namespace
sudo ip link add veth0 type veth peer name veth1
sudo ip link set veth1 netns myns

Quality of Service (QoS)

Traffic Control with tc

# Add root qdisc (traffic matched by no filter falls into class 1:30)
sudo tc qdisc add dev enp0s3 root handle 1: htb default 30

# Add classes
sudo tc class add dev enp0s3 parent 1: classid 1:1 htb rate 1000mbit
sudo tc class add dev enp0s3 parent 1:1 classid 1:10 htb rate 500mbit ceil 800mbit
sudo tc class add dev enp0s3 parent 1:1 classid 1:20 htb rate 300mbit ceil 600mbit
sudo tc class add dev enp0s3 parent 1:1 classid 1:30 htb rate 200mbit ceil 400mbit

# Add filters
sudo tc filter add dev enp0s3 protocol ip parent 1:0 prio 1 u32 match ip dport 80 0xffff flowid 1:10
sudo tc filter add dev enp0s3 protocol ip parent 1:0 prio 1 u32 match ip dport 443 0xffff flowid 1:10

Best Practices

  1. Documentation: Document all network configurations
  2. Backup: Keep backups of network configuration files
  3. Testing: Always test with netplan try before applying
  4. Security: Implement proper firewall rules
  5. Monitoring: Set up network monitoring
  6. Updates: Keep network tools and drivers updated
  7. Redundancy: Implement network redundancy where critical

Troubleshooting Common Issues

No Network Connectivity

# Check interface status
ip link show
sudo systemctl status systemd-networkd

# Check configuration
sudo netplan --debug generate
sudo journalctl -u systemd-networkd

DNS Resolution Issues

# Check DNS settings (resolvectl is the current name; systemd-resolve is the legacy alias)
resolvectl status
cat /etc/resolv.conf

# Test DNS
dig @8.8.8.8 google.com

Performance Issues

# Check for errors
ip -s link show
ethtool -S enp0s3 | grep -i error

# Check negotiated speed
ethtool enp0s3 | grep Speed

Conclusion

This guide covered comprehensive network configuration and management on Ubuntu Server 22.04. From basic Netplan configuration to advanced features like VLANs, bonding, and VPN setup, you now have the tools to implement robust networking solutions. Remember to always test configurations before applying them in production and maintain proper documentation of your network setup.