Hackviking He killed Chuck Norris, he ruled dancing so he took up a new hobby…

20Apr/16

Raspberry Pi: Wifi AP-client


You have a wifi connection but need an Ethernet connection, or need to share it with several computers over Ethernet? That can be easily accomplished with a Raspberry Pi. Sometimes I need two different internet connections for testing different setups. In addition to my own internet connection there is community wifi in public areas in my apartment complex. Since I live right by the pool I can connect to that wifi at my window. To make it easy to use I wanted a router that I could use as my default gateway on any computer or server to access the secondary internet connection. To accomplish this I used a Raspberry Pi 2 with the latest version of Raspbian.

Basic setup

I presume that people interested in doing this kind of setup have the basic knowledge of setting up the Raspberry Pi, like expanding the file system and setting the root password. There are enough guides out there so I'm not going to cover that in this post. Instead we jump right into configuring the wifi. If you use a Raspberry Pi 3 you can use the built-in wifi, but this guide will work with any Raspberry Pi compatible dongle. Depending on the distance and quality of the signal you might need to opt for one with a better antenna.

If we run cat /etc/network/interfaces we can see that wlan0 refers to /etc/wpa_supplicant/wpa_supplicant.conf for its configuration. So let's go ahead and edit that configuration file with sudo nano /etc/wpa_supplicant/wpa_supplicant.conf. The contents look something like this:

country=GB
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1

You can change the country to wherever you are, but in most cases you can just leave it be. Some countries use different channels and might need additional configuration. I went with the basic GB even though I'm in the US and it works fine. Then we need to add the configuration for our network; just append it at the end. This guide is for a WPA2 secured network and you should not use anything else, for security reasons.

network={
    ssid="xxxxxx"
    psk="xxxxxx"
    proto=RSN
    key_mgmt=WPA-PSK
    pairwise=CCMP
    auth_alg=OPEN
}

Here is a basic outline of what these parameters are for:

SSID - Name of the network you want to connect to.
PSK - Password for the network.
PROTO - RSN = WPA2, WPA = WPA1.
KEY_MGMT - WPA-PSK = Preshared key (regular wifi password setup), WPA-EAP = Authentication via enterprise authentication server.
PAIRWISE - CCMP = AES cipher (WPA2), TKIP = TKIP cipher (WPA1).
AUTH_ALG - OPEN = open system authentication, which is what WPA2 uses.

Save that file and exit nano, now we can restart the connection and see that it works.

sudo wpa_action wlan0 stop
sudo ifup wlan0

It will take a while for the DHCP to finish. Then we can check the status with sudo wpa_cli status. Now we want to make sure that the Raspberry Pi actually uses the internet connection from the wifi and not the local one. Also I want a static IP address on the Raspberry Pi since it's going to be a router. In Raspbian Jessie this can't be done from /etc/network/interfaces anymore, so we need to add these two lines to /etc/dhcpcd.conf.

interface eth0
static ip_address=192.168.0.2/24

This will make the IP address 192.168.0.2, the subnet mask will be 255.255.255.0, and the lack of a default gateway on eth0 will route all internet traffic over the wifi. I also disable IPv6 since my internal network uses that and I don't want any traffic to spill over that connection. sudo nano /etc/sysctl.conf and add this line at the end:

net.ipv6.conf.all.disable_ipv6 = 1

Then reload the settings and reboot the Raspberry Pi to get the new network settings.

sudo sysctl -p
sudo reboot

Setup forwarding

After reconnecting to the new ip-address we need to enable forwarding. sudo nano /etc/sysctl.conf again and add this line:

net.ipv4.ip_forward = 1

And then reload the settings

sudo sysctl -p

Configure IPtables

Then we need to set up iptables to take care of forwarding, NAT and also security.

sudo iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE

Setup NAT from internal network (eth0) out onto the wifi (wlan0).

sudo iptables -A FORWARD -i eth0 -o wlan0 -j ACCEPT

Allow all traffic from inside to outside.

sudo iptables -A FORWARD -i wlan0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

Allow all established connection back in (let the response through).

sudo iptables -A INPUT -i lo -j ACCEPT

Allow loopback traffic. This is very important otherwise some services will not work on the Raspberry Pi.

sudo iptables -A INPUT -i eth0 -p icmp -j ACCEPT

Allow ping from the local network.

sudo iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT

Allow SSH from internal network.

sudo iptables -A INPUT -i eth0 -p tcp --dport 10000 -j ACCEPT

Allow webmin from local network (see below).

sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Allow responses to traffic we initialized.

sudo iptables -P FORWARD DROP
sudo iptables -P INPUT DROP

Lock it down, disallowing all traffic we didn't explicitly allow above.

sudo apt-get install iptables-persistent
sudo systemctl enable netfilter-persistent

This makes the iptables rules we just added persistent across reboots; just answer yes to the questions during the install. The second command enables the service that reloads them at boot. If you change any iptables rules after this, just run the command below to save them. A reference for iptables can be found here: http://ipset.netfilter.org/iptables.man.html

sudo netfilter-persistent save
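The same ruleset as one iptables-restore file, added here as an example (not from the original post) so the whole policy can be reviewed and loaded atomically before netfilter-persistent saves it. It assumes the post's interfaces and ports (eth0 = internal LAN, wlan0 = wifi uplink, SSH on 22, Webmin on 10000); gen_rules, check_rules and rule_count are my own names.

```shell
#!/bin/sh
# Added example (not from the original post): the post's router ruleset
# written as one iptables-restore file instead of a series of iptables -A
# commands, so it loads atomically and can be reviewed as a whole before
# netfilter-persistent saves it. Interfaces and ports follow the post:
# eth0 = internal LAN, wlan0 = wifi uplink, SSH on 22, Webmin on 10000.
# gen_rules / check_rules / rule_count are my own names.

LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-wlan0}"

gen_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# NAT from the internal network ($LAN_IF) out onto the wifi ($WAN_IF)
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
*filter
# Default deny for inbound and forwarded traffic; the Pi's own outbound
# traffic stays allowed, as in the post (the OUTPUT policy is never changed).
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Responses to traffic we initiated; placed early so the later rules are only
# consulted for new connections (same effect as the post's ordering).
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IF -p icmp -j ACCEPT
-A INPUT -i $LAN_IF -p tcp --dport 22 -j ACCEPT
-A INPUT -i $LAN_IF -p tcp --dport 10000 -j ACCEPT
# LAN -> wifi is allowed; wifi -> LAN only for replies to existing flows
-A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Review the generated ruleset before loading it: SSH and Webmin must not be
# reachable from the wifi side, both policies must be DROP, and NAT must be
# on the uplink. Returns 0 when everything checks out.
check_rules() {
    rules=$(gen_rules)
    if printf '%s\n' "$rules" | grep -q -- "-i $WAN_IF .*--dport"; then
        return 1   # a service port is open on the uplink interface
    fi
    printf '%s\n' "$rules" | grep -q '^:INPUT DROP'   || return 1
    printf '%s\n' "$rules" | grep -q '^:FORWARD DROP' || return 1
    printf '%s\n' "$rules" | grep -q -- "-o $WAN_IF -j MASQUERADE" || return 1
    return 0
}

# Number of -A rules in the generated file (8 for the post's ruleset).
rule_count() { gen_rules | grep -c '^-A'; }
```

To use it on the Pi: gen_rules > rules.v4, check_rules, then sudo iptables-restore < rules.v4 followed by sudo netfilter-persistent save as in the post.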

Now our new router is ready to rock! Just change the local clients' default gateway to 192.168.0.2 and you will go out to the internet over the new connection.

Install additional packages

Since I'm going to use this for testing purposes I want quick access to the configuration of iptables, for example. For this I want to install webmin, which is a web-based UI for configuring different services on Linux systems. First we need to add the webmin repository to our sources list, so sudo nano /etc/apt/sources.list and add these two lines at the end.

deb http://download.webmin.com/download/repository sarge contrib
deb http://webmin.mirror.somersettechsolutions.co.uk/repository sarge contrib

Install the repository key so the packages can be verified.

wget http://www.webmin.com/jcameron-key.asc
sudo apt-key add jcameron-key.asc

Then update and install.

sudo apt-get update
sudo apt-get install webmin

Now you can browse to https://192.168.0.2:10000 and log in with your pi account. There is extensive documentation for this software online so I'm not going deeper into it in this post, but it's an easy way to change the configuration of your box without the need to SSH into it each time. I also want speedtest-cli installed so I can test the speed of the connection. It's just a CLI implementation of the speedtest.net website so you can test the connection speed.

Install speedtest-cli for testing as well.

18Apr/16

H2testw – Test SD-cards


SD-cards wear out over time, so every now and then you need to check them. One of my Kodi media players, running on a Raspberry Pi, just died on me and refused to start at all. I flashed a new SD-card and it booted right away. Since I use a centralized database for my media players the time to fix this was minimal. Then I put the faulty card away with my other cards and of course mixed them up....

So I had to test them to figure out which one was broken. The easy way to do this is with H2testw, which writes data to the whole card and then verifies it. But there is an additional step, at least if your main use of SD-cards is for single board computers like me. You need to clear them and make sure there is only one partition. I have mentioned my favorite tool for this in the past, SDformater. That is the official tool from the SD Association, so it would be safe to say that it's the industry standard way of doing this. Keep in mind that you need to use the "format size adjustment" option to clear all the partitions on the card. I've made a tool tip about SDformater before so please reference that for more information.

Then go ahead and download H2testw. It's very easy to use; it starts out in Dutch (the small sub sea country in Europe) but has a toggle for English. Then just select the "target" (your SD-card drive letter) and select "write + verify". The test takes a while depending on the speed and size of the card; it will fill the whole card with data and read it back again. This also gives you a good performance indicator for your SD-card.

10Apr/16

Pi: BtSync satellite – spin down hard drive


My BitTorrent satellite has finally synced my 6tb of data over the local network. The initial sync took several days but so far it seems to be pretty quick at picking up new files and syncing them. Before I move it to my office I want to make sure I get some peace and quiet in the office. I need it to spin down the hard drive when not syncing data. I had the same issue with the BitTorrent Sync server in my apartment always spinning up my NAS, but this was actually a bit different.

Since this node uses a USB disk instead of the network shares on a NAS it can actually do some basic stuff, like indexing, without spinning up the drive. I don't know if it's due to the use of Truecrypt or if it's built in, but there is some cache which allows the btsync daemon to list the files on disk without the disk spinning up. So I don't have to reconfigure the indexing interval like I had to on the node that uses the NAS. That one communicates over the network with the NFS shares of the NAS, which will spin up its disk every time someone accesses it. So there I had to set the sync interval to 12 hours. But for my backup solution that will be just fine.

The second thing I was sure I had to change was my script for the LCD display. Since it reads a JSON file with user credentials from the encrypted disk every 45 seconds I thought it would spin up the drive. No, it also ended up cached somewhere and everything is working great at the moment. I have tested throwing new files in there and it synchronizes just fine! The disk spins up, writes the data and goes back to sleep again after 30 minutes.

To achieve this we need to use hdparm. If you're on a Raspberry you need sudo before these commands:

apt-get install hdparm

Then we can run it from the command line:

hdparm -S120 /dev/sda1
/dev/sda:
setting standby to 120 (10 minutes)

To make it persistent after reboot just nano /etc/hdparm.conf and add this at the end of the file:

/dev/sda1 {
    spindown_time = 120
}

So this is the last step before I can move it to my office and really test out the GEO-location backup. Here is a list of the other posts about this:

6Apr/16

Pi: Python script for BtSync status LCD


Adding an LCD display to a Pi project can make it so much easier to use: displaying the current IP address and the status of some task that you only have to interact with when something went wrong. In this example we have the 20x4 (20 characters x 4 lines) LCD status display of my BtSync Satellite that I built a while back. Since this box is going to sit on a DHCP network I wanted to display the IP address so I know what to SSH against. I also wanted to display some status metrics about disk mounts, services and application specific performance counters.

In this scenario the box is running BtSync to keep an offsite encrypted backup of my NAS. For security reasons I have to SSH to the box after a power cycle or failure to enter the encryption key for the disk. That's why I want it to show its current IP address on the display. I also want to see the current status of the encryption mount, the BtSync service and the uploads/downloads going on. That way I know when I have to SSH into the box to sort something out.

So what does this script actually do? It runs an infinite loop until you kill the process. Every 45 seconds it checks the stuff that doesn't need updating all that often, and every 3 seconds it checks the current status of the BtSync operations.

Every 45 seconds:

  • Check the current IP-address
  • Check if the Truecrypt volume is actually mounted
  • Check if the BtSync daemon is running

Every 3 seconds:

  • Checks number of files synced
  • Checks number of files to be synced
  • Checks the current download speed
  • Checks the current upload speed

Pre-Requirements

First you need to wire up the LCD. It differs a bit from model to model but there are tons of descriptions of pinouts if you Google your specific model. Then go ahead and run raspi-config or whatever equivalent your brand of Pi uses. Go under Advanced and enable I2C. Then we download some tools that we need:

sudo apt-get install i2c-tools python-dev libxml2-dev libxslt1-dev zlib1g-dev python-smbus

This will install all the things you need to communicate over the GPIO header with your LCD, and also the libraries needed for the features in the script. Then you can go ahead and download the script:

wget https://raw.githubusercontent.com/kallsbo/PiBtSyncLCD/master/lcd_info.py

Configuration

There are a few configs you can do in the script, just use nano to edit the script file.

# Configuration - LCD
LCD_BUS = 2 # The bus that the LCD is connected to. (Raspberry Pi usually 1, Banana Pi usually 2 - can be checked with i2cdetect)
LCD_I2C_ADDR = 0x27 # I2C device address of the LCD, use i2cdetect to find your displays address
LCD_WIDTH = 20 # Number of characters that each line can handle
LCD_BACKLIGHT = 0x08 # On
#LCD_BACKLIGHT = 0x00 # Off

# Environment config
NETWORK_NIC = "eth0" # Network card used
TRUECRYPT_MOUNT_PATH = "/mnt/tc_disk" # path where the truecrypt disk is mounted
BTSYNC_SRV_NAME = "btsync" # name of the btsync service
BTSYNC_URL = "https://localhost:8888/gui/" # Web GUI address for btsync
BTSYNC_CRED_FILE = "/mnt/tc_disk/btsync_cred.json" # JSON file with btsync credentials

Script functions

If we first look at the main method it is simple enough. We run the lcd_init() function to initialize the LCD. All the LCD functions were forked from a script written by Matt Hawkins @ Raspberry Pi Spy. Then we set a simple update counter that keeps track of whether the 45 second mark has been hit and we should check the IP, mount and daemon status. It's initially set to 16 so the checks run on the first loop, after which the counter is reset. Then it adds one for every 3 second run, so whenever it's larger than 15 the 45 seconds have elapsed.

get_ip_address() - Simple function that takes the adapter name (eth0) as a parameter and then grabs the current IP address of that adapter.

is_trucrypt_mounted() - Uses the os.path.ismount() function to check if the mount point is actually in use by the Truecrypt drive.

get_btsync_cred() - Checks for the JSON file on the encrypted volume containing the UI username and password for BitTorrent Sync. I used this approach to keep the credentials safe. This function is executed every 45 seconds to make sure that the script gets the credentials once the disk gets mounted.

get_btsync_token() - Sends the initial request to the BitTorrent Sync UI (API) to get the token needed for all the requests to the API. This will also run every 45 seconds to make sure the token never times out and to counter any recycles of the web service.

Every three seconds the script checks if it has the credentials and token needed for the requests and if so runs get_btsync_info().

get_btsync_info() - This function takes two parameters, LLforSpeed and LLforFiles, where LL stands for LCD Line. The value selects the LCD panel row you want the information displayed on. It simply builds a URL with the global credentials and token and gets the same JSON that the UI uses. Then it parses it and gets the total file count for downloaded files as well as for files that are in the download queue. It also grabs the current upload and download speed, converts it to Mb/s and displays it on the LCD.

Credentials JSON file

This is just a plain JSON file containing the credentials. You can modify the script to hard code the credentials in the script, but that will impact the security of the script. Here is an example of the credentials file:

{
"BTSYNC_USR": "btuser",
"BTSYNC_PSW": ":wDHz56L.blDgM,3Jm"
}
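The update counter, the credentials-file rule and the LCD row formatting described above, as an added example in plain sh (not the PiBtSyncLCD script itself) that runs without an LCD or a btsync daemon. Function names are my own; the 45 s / 3 s cadence, the JSON keys, the paths and the 20-character rows follow the post, and the mount and permission checks assume Linux (/proc/mounts, GNU stat).

```shell
#!/bin/sh
# Added example (not the PiBtSyncLCD script): the post's 45 s / 3 s update
# counter, the rule that credentials are only read from the mounted Truecrypt
# volume, and the 20-character LCD row formatting, as plain sh functions that
# can be exercised without an LCD or a running btsync. Function names are my
# own; the cadence, JSON keys and paths follow the post. Linux only
# (/proc/mounts, GNU stat).

SLOW_EVERY=15                                   # 15 fast ticks of 3 s = 45 s
LCD_WIDTH=20
CRED_FILE="${CRED_FILE:-/mnt/tc_disk/btsync_cred.json}"
TC_MOUNT="${TC_MOUNT:-/mnt/tc_disk}"

# True (0) when the slow checks (IP, mount, daemon, credentials, token) are
# due. The post seeds the counter at 16 so they run on the very first loop.
slow_update_due() { [ "$1" -gt "$SLOW_EVERY" ]; }

# Counter for the next 3 s tick: reset after a slow update, otherwise +1.
next_counter() {
    if slow_update_due "$1"; then echo 1; else echo $(( $1 + 1 )); fi
}

# Is $1 currently a mount point? The same question os.path.ismount() answers.
is_mounted() { awk -v m="$1" '$2 == m { f = 1 } END { exit !f }' /proc/mounts; }

# Print "user password" from the credentials JSON, but only if the encrypted
# volume is mounted and the file is readable by its owner alone. Keeping the
# file on the Truecrypt volume is the post's way of keeping the UI password
# unreadable until the disk key has been entered; a group- or world-readable
# copy would undo that, so such a file is refused. Returns 1 (prints nothing)
# in every failure case.
load_credentials() {
    file="${1:-$CRED_FILE}"; mount="${2:-$TC_MOUNT}"
    is_mounted "$mount" || return 1
    [ -f "$file" ] || return 1
    perms=$(stat -c %a "$file" 2>/dev/null) || return 1
    case "$perms" in
        600|400) ;;
        *) return 1 ;;
    esac
    usr=$(sed -n 's/.*"BTSYNC_USR"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$file")
    psw=$(sed -n 's/.*"BTSYNC_PSW"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$file")
    [ -n "$usr" ] && [ -n "$psw" ] || return 1
    printf '%s %s\n' "$usr" "$psw"
}

# One LCD row: "$1: <bytes/s converted to Mb/s>", padded or cut to LCD_WIDTH
# so a long value can never wrap onto the next row of the display.
speed_line() {
    awk -v l="$1" -v b="$2" -v w="$LCD_WIDTH" 'BEGIN {
        fmt = "%-" w "." w "s\n"
        printf fmt, sprintf("%s: %.1f Mb/s", l, b * 8 / 1000000)
    }'
}
```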

Cred and final thoughts

This is a simple setup for keeping track of your BitTorrent Sync daemon. It can be modified to just display the current info about btsync and not care about Truecrypt and the other extras I implemented for the "satellite" build.

I want to give cred, as mentioned before, to Matt Hawkins for the LCD example scripts that my LCD code is based upon. I also want to thank all the bloggers and forum users for the posts I have read to be able to do this. This was my first time ever using the GPIO header on the Pi for anything other than pre-built stuff like touch displays.

Any questions or suggestions? Please comment! And please follow me on a social media of your choice for updates...

5Apr/16

Comcast Xfinity: Disable XfinityWiFi


I never liked the additional SSID xfinitywifi that my Comcast router broadcasts. Whatever Comcast writes on their site, of course it affects my bandwidth and my overall wifi performance. If you log in to your customer pages at xfinity.com there is an option to disable it (outlined here). I also disabled my own wifi since the 2.4Ghz band is way too crowded where I live, but still the wifi radio is running in the router and quite frankly I don't trust Comcast on this issue. So why not just disable it all together, especially if you're not using it? If you are still using it, any $50 wifi router will give you much better performance, so just use that instead!

3Apr/16

Pi: Geo-location backup with BtSync


Building a geo-location backup for your NAS is a good idea! Spreading the risk over two or more locations increases the value of your backup a lot. Most people confuse redundancy and backup. If you only have a USB-disk backup of your NAS it only protects you against hardware failure. If there is a fire or a break-in you will still lose your data. A lot of people take a USB disk to a second location, like their office, to mitigate this problem. But to be honest, how often will that backup be done if you have to remember to bring the disk back and forth? We want automatic backups to our offsite location, in this case my office. So we are going to build a BitTorrent Sync "satellite".

22Mar/16

OpenVPN performance on the Pi


Setting up an OpenVPN router on the Pi is pretty straightforward, but what about performance? How much performance do we lose by using the Raspberry Pi or the Banana Pi? I have been testing a few different models to see what the overall performance difference is. I also wanted to compare them against each other. OpenVPN is heavy on the CPU due to its encryption; there are a lot of guides out there about turning the encryption off, but why even use a VPN then? It all depends on what you use your VPN tunnel for and what kind of throughput you actually need. In this test I have used all three main versions of the Raspberry Pi and a Banana Pi.


19Mar/16

Pi: Make a VPN gateway with UPnP port forwarding


Tunneling your traffic over an encrypted VPN can be good for both privacy concerns and circumventing geoblocking, if a service is only offered in a specific country or blocked at your current location. My use case is a bit of both. Currently living in the USA, which is the biggest surveillance state on earth, I want my traffic to originate from my home country, Sweden, where I know the law and what's allowed and not allowed. Avoiding the mighty force of the NSA completely can only be done by unplugging, but at least it's a little bit better. Also, several services I want to use are only offered in Sweden, like local Swedish news as an example. Both of these can be solved by setting up a VPN tunnel back to Sweden!

12Mar/16

Banana Pi: First run


Banana Pi was created to fill the need for more powerful hardware than the Raspberry Pi supplied. There are a lot of single board computers spinning off the Raspberry Pi success. Even though Raspberry Pi got the throne much thanks to its simplicity and relative ease of use, compared to for example the Odroid, it has been lacking hardware-wise for some applications. Raspberry has maintained its position thanks to its growing community and further development. With the release of the Raspberry Pi 3 they have at least done a good catch-up in terms of performance but are still lacking in other hardware areas.

The Banana Pi I used for the first time today is the very first Banana Pi. This particular one is a bit of a globe-trotter! I ordered it from China over a year ago, while I was still living in Sweden. I un-boxed it, put it in its case and put it away in a drawer. When I moved to California last year it got stuffed in one of the moving boxes, and I finally had time to use it. Even though it's first generation and old it still leaves the Raspberry Pi behind in some ways. Back in the day the dual core 1Ghz processor was a step up from the Raspberry Pi, and so was the 1Gb of memory, which was twice what the Raspberry offered at the time.

Putting the Banana Pi alongside the Raspberry Pi 3 we see that Raspberry is back on the throne when it comes to performance. It has also added on-board wifi and bluetooth, which does wonders for my bedroom Kodi install, but the Banana Pi isn't beaten yet if you ask me. It still has a 1Gbit ethernet port while the Raspberry still only supplies you with 100Mbit. Why would this matter? When I started testing BitTorrent Sync for my geo-location backup I ended up not using a Raspberry Pi for just that reason. Since my data was on a NAS, the indexing of files over a 100Mbit connection was just too slow. In the end the 1Gbit ethernet connection on an Odroid-C1 performed so much better than the Raspberry Pi.

Another feature that I really like with the Banana Pi is the SATA port and SATA power connector included on the board. The ability to connect a SATA hard drive directly to the board without using USB opens up some interesting implementations. In the end I really like Raspberry Pi and Odroid and Banana Pi.... They all share a great base to stand on and are good for different applications. The Raspberry Pi is my first choice for "mainstream" applications like Kodi, OpenVPN servers or Transmission bittorrent servers. But when it comes to building the little more specialized stuff there are other, and sometimes better, options out there.

When I did the first run of the Odroid (also over a year after I bought it!) I realized it was a bit more complicated than the Raspberry Pi. No sleek easy config tools already on the image. Not as many safety nets to prevent you from messing up your kernel etcetera. So taking out my Banana Pi I expected the same! First I realized that Raspbian is available for the Banana Pi as well! And the sleek, easy, step by step setup and configuration was available as well!

bananian-config

If you have ever used the CLI config tool on the Raspberry Pi you will feel right at home! One addition that I really liked is that it forces you to change the root password; in my opinion that should be implemented on the Raspberry Pi as well! You would be amazed how many insecure Raspberry Pi's there are connected to the internet with SSH ports available. When I first started looking into that I was actually surprised, since this isn't something that the regular consumer buys and plugs into their network.

The tool will also let you configure the following:

  • set your timezone
  • set your locale
  • set your hostname
  • set which hardware you're on, Banana Pi - Banana Pro etc...
  • expand your root file system

Then just reboot the system and make sure that everything is up to date!

bananian-update
apt-get update
apt-get upgrade

From what I have read so far, and tested myself, you can more or less run anything on the Banana that you can on the Raspberry. I'm really looking forward to setting up some implementation utilizing the SATA port. What are your thoughts on this? Feel free to comment either here or on Google+.

12Mar/16

SSL Error: Cannot verify server identity

Phone browsers have fewer trusted root and intermediate certificates than many desktop browsers. This can make your https site look good on the web but fail on mobile devices. Errors like "unable to verify the identity of the server" and others along those lines can show up. This is because the certificate chain cannot be verified. It doesn't matter what supplier of SSL certificates you use; they all end up in a few root certificates that are shipped with browsers and operating systems as trusted certificates.

Many certificate re-sellers have their root certificates further down that chain than others. If the chain can't be traced back to a trusted certificate the warnings will show up. That will not affect the actual encryption of your website (self-signed certificates, for example, still encrypt the traffic), but it will look bad. People can interpret that as a security risk, like a man in the middle attack, or as just low quality.

In this example I have set up a website on an Apache server with a certificate bought from GoDaddy. I haven't installed the intermediate certificate. Any desktop browser can follow the chain, since it has a different set of trusted certificates, but the iPhone or Android devices cannot since they don't have this certificate. There is a hole in the chain between our website certificate and the trusted one that the device has. By plugging that hole with a valid certificate that our certificate references, and which in turn references the trusted certificate that the device has, we can complete the chain and get rid of the problem.

As mentioned above, this example uses an Apache web server running on Linux and a GoDaddy certificate. The procedure will be different with other web servers and certificate suppliers but the principle is the same. When your certificate is delivered, always check if there are intermediate certificates included.

So in the zip file that your GoDaddy certificate comes in there is a file named gd_bundle-g2-g1.crt. This is the certificate that your web site certificate is derived from, and it sits between that and the trusted certificate higher up in the chain.

So on my Apache server I bring up the file /etc/httpd/conf.d/vhost.conf

<VirtualHost 172.30.31.95:80>
    ServerAdmin webmaster@somesite.com
    DocumentRoot /var/www/html/somesite.com
    ServerName www.somesite.com
    ServerAlias somesite.com
    ErrorLog logs/somesite.com-error_log
    CustomLog logs/somesite.com-access_log common
</VirtualHost>
<VirtualHost 172.30.31.95:443>
    ServerAdmin webmaster@somesite.com
    DocumentRoot /var/www/html/somesite.com
    ServerName www.somesite.com
    ServerAlias somesite.com
    ErrorLog logs/somesite.com_ssl-error_log
    CustomLog logs/somesite.com_ssl-access_log common
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/somesite.com.pem
    SSLCertificateKeyFile /etc/pki/tls/certs/somesite.com.key
</VirtualHost>

As you can see we have two ports open: standard port 80 for http and port 443 for https. The 443 vhost has a certificate configured along with its private key. Upload the intermediate certificate to the server and copy it into the same folder (/etc/pki/tls/certs) as the other certificate files. Make sure that the Apache server has access to it.

sudo chown -R root:www /var/www

Then add the bundle file in the ssl config in vhost.conf by adding this line just below the SSLCertificateKeyFile line.

SSLCertificateChainFile /etc/pki/tls/certs/gd_bundle-g2-g1.crt

Restart Apache

sudo service httpd restart

Now the certificate chain can be completed on the other devices as well and the error/warning will be gone!