Networking

How to allow your EtherPad to be included in IFrames using nginx

In our previous post A modern Docker-Compose config for Etherpad using nginx as reverse proxy we showed how to create a simple, reliable Etherpad installation.

However, if you want to include Etherpads on external websites, you’ll see errors in the browser console like

Refused to display 'https://etherpad.nemeon.eu/p/Test123' in a frame because it set 'X-Frame-Options' to 'sameorigin'.

and the Etherpad iframe won’t load.

In order to fix this, we’ll add a line to the nginx config in . Using this approach, you’ll need to list all the domains that are allowed to include the Etherpad (https://gather.town in this example).

The line to add is

add_header "X-Frame-Options" "Allow-From https://gather.town";

which needs to be added inside the location / { ... } block. Full example for the location / block:

location / {
    proxy_pass http://localhost:17201/;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";
    proxy_redirect default;
    add_header "X-Frame-Options" "Allow-From https://gather.town";
}

Full nginx config example:

server {
    server_name  etherpad.mydomain.de;
    access_log off;
    error_log /var/log/nginx/etherpad.mydomain.de-error.log;

    location / {
        proxy_pass http://localhost:17201/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_redirect default;
        add_header "X-Frame-Options" "Allow-From https://gather.town";
    }

    listen [::]:443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/etherpad.mydomain.de/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/etherpad.mydomain.de/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot

}

server {
    if ($host = etherpad.mydomain.de) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen [::]:80; # managed by Certbot
    server_name  etherpad.mydomain.de;
    return 404; # managed by Certbot
}

How it works

The Etherpad backend, which is reverse-proxied by nginx, adds an X-Frame-Options: sameorigin header, effectively disallowing iframes from other domains. Using the add_header clause, nginx will overwrite this value with Allow-From https://gather.town. The browser will only see Allow-From https://gather.town, allowing iframe inclusion from the listed domains.
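As an added check (not from the post, nor Etherpad’s or nginx’s code), the following Python models the browser-side decision for the headers this config actually produces: nginx’s add_header appends to the upstream response instead of replacing it (proxy_hide_header X-Frame-Options drops the upstream value), browsers following the HTML spec treat the resulting conflicting X-Frame-Options values as deny and do not implement ALLOW-FROM at all, and a Content-Security-Policy frame-ancestors directive, which takes precedence over X-Frame-Options, is the supported way to permit embedding. The pad URL, the sample headers and the simplified CSP source matching are constructed assumptions, as commented.

```python
from urllib.parse import urlsplit


def _origin(url):
    """Reduce a URL to a (scheme, host, port) tuple with default ports filled in."""
    p = urlsplit(url)
    port = p.port or {"http": 80, "https": 443}.get(p.scheme.lower())
    return (p.scheme.lower(), (p.hostname or "").lower(), port)


def _source_matches(source, ancestor, page):
    """Match one frame-ancestors source expression against an ancestor origin.

    Simplified CSP3 host-source matching (assumption): 'self', '*', a full
    origin such as https://gather.town, and a leading '*.' wildcard on the host.
    """
    src = source.lower()
    if src == "'self'":
        return ancestor == page
    if src == "*":
        return True
    if "://" not in src:                 # host without scheme: use the page's scheme
        src = page[0] + "://" + src
    scheme, host, port = _origin(src)
    if scheme != ancestor[0] or port != ancestor[2]:
        return False
    if host.startswith("*."):
        return ancestor[1].endswith(host[1:])
    return host == ancestor[1]


def framing_allowed(headers, page_url, ancestor_urls):
    """Decide whether a browser would render page_url inside the given ancestors.

    headers: list of (name, value) pairs as sent on the wire; repeats allowed.
    ancestor_urls: URLs of the embedding document(s), all of which must pass.
    """
    page = _origin(page_url)
    ancestors = [_origin(u) for u in ancestor_urls]
    if not ancestors:
        return True                      # a top-level document is never framed

    # 1. A Content-Security-Policy frame-ancestors directive takes precedence;
    #    when it is present, X-Frame-Options is ignored entirely.
    for name, value in headers:
        if name.lower() != "content-security-policy":
            continue
        for directive in value.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                sources = parts[1:]
                if not sources or [s.lower() for s in sources] == ["'none'"]:
                    return False
                return all(any(_source_matches(s, a, page) for s in sources)
                           for a in ancestors)

    # 2. X-Frame-Options: gather every value from every header, lower-cased.
    values = {v.strip().lower()
              for name, value in headers if name.lower() == "x-frame-options"
              for v in value.split(",") if v.strip()}
    if len(values) > 1:
        # Conflicting values (what add_header on top of the upstream header
        # yields) are blocked if any recognised token is among them.
        return not (values & {"deny", "allowall", "sameorigin"})
    if values == {"deny"}:
        return False
    if values == {"sameorigin"}:
        return all(a == page for a in ancestors)
    # Anything else, including the obsolete ALLOW-FROM form, is not a recognised
    # token and is ignored, i.e. it provides no protection at all.
    return True


PAGE = "https://etherpad.example.org/p/Test123"    # constructed stand-in for the pad URL
EMBEDDER = "https://gather.town"                    # the embedding site named in the post

# What the browser receives with the config above: Etherpad's own header plus the
# value nginx's add_header appends (add_header never replaces an upstream header).
AS_POSTED = [("X-Frame-Options", "sameorigin"),
             ("X-Frame-Options", "Allow-From https://gather.town")]
# Supported alternative: proxy_hide_header X-Frame-Options; in nginx, then
# add_header Content-Security-Policy "frame-ancestors 'self' https://gather.town";
WITH_CSP = [("Content-Security-Policy", "frame-ancestors 'self' https://gather.town")]


def evaluate():
    """Outcome of each embedding scenario above, keyed by scenario name."""
    return {
        "as_posted_from_gather": framing_allowed(AS_POSTED, PAGE, [EMBEDDER]),
        "csp_from_gather": framing_allowed(WITH_CSP, PAGE, [EMBEDDER]),
        "csp_from_elsewhere": framing_allowed(WITH_CSP, PAGE, ["https://other.example"]),
        "csp_same_origin": framing_allowed(WITH_CSP, PAGE, [PAGE]),
    }


if __name__ == "__main__":
    for scenario, allowed in evaluate().items():
        print(f"{scenario}: {'allowed' if allowed else 'blocked'}")
```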

Posted by Uli Köhler in Networking, nginx

How to switch on/off ALL3073v2WLAN using HTTP (JSON API)

The ALL3073v2WLAN provides a JSON API to switch on or off the power for the attached device.

In order to enable 230V power for the attached device, use this URL (HTTP GET request):

http://IP-Address-of-ALL3073/xml/jsonswitch.php?id=1&set=1

In order to disable 230V power for the attached device, use this URL (HTTP GET request):

http://IP-Address-of-ALL3073/xml/jsonswitch.php?id=1&set=0

Note that id=1 always stays the same, since 1 is the ID of the actuator controlling the power; only set=0 and set=1 differ.

Posted by Uli Köhler in Electronics, Networking

Allnet ALL3073v2WLAN hardware & software info

The ALL3073V2WLAN Ethernet + Wifi-controllable power supply allows access to its Linux system via SSH, so I have extracted some info about the hardware and software to aid developers in using it to its full potential.

Linux kernel version:

[[email protected] bin]# uname -a
Linux ALL3073.allnet.local 3.18.23 #10 Wed Jul 13 17:27:27 CEST 2016 mips GNU/Linux

CPU info:

[[email protected] bin]# cat /proc/cpuinfo
system type             : MediaTek MT7688 ver:1 eco:2
machine                 : ALLNET MT7688WM ALL3072V2
processor               : 0
cpu model               : MIPS 24KEc V5.5
BogoMIPS                : 385.84
wait instruction        : yes
microsecond timers      : yes
tlb_entries             : 32
extra interrupt vector  : yes
hardware watchpoint     : yes, count: 4, address/irw mask: [0x0ffc, 0x0ffc, 0x0ffb, 0x0ffb]
isa                     : mips1 mips2 mips32r1 mips32r2
ASEs implemented        : mips16 dsp
shadow register sets    : 1
kscratch registers      : 0
package                 : 0
core                    : 0
VCED exceptions         : not available
VCEI exceptions         : not available

Network interfaces:

[[email protected] bin]# ifconfig
br0       Link encap:Ethernet  HWaddr 00:0F:C9:19:1B:ED
          inet addr:192.168.1.140  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1923 errors:0 dropped:0 overruns:0 frame:0
          TX packets:496 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:468344 (457.3 KiB)  TX bytes:181861 (177.5 KiB)

eth0      Link encap:Ethernet  HWaddr 00:0F:C9:19:1B:EC
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1946 errors:0 dropped:7 overruns:0 frame:0
          TX packets:496 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:498422 (486.7 KiB)  TX bytes:181861 (177.5 KiB)
          Interrupt:5

ra0       Link encap:Ethernet  HWaddr 00:0F:C9:19:1B:ED
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:21 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:5147 (5.0 KiB)  TX bytes:0 (0.0 B)
          Interrupt:6

As you can see, in the standard configuration (with DHCP enabled in my case), the wireless interface ra0 is bridged to eth0. Note that while the ALL3073v2WLAN has two RJ45 jacks, only the LAN jack is an ethernet jack. The CON jack.

The flash is 32MB:

[[email protected] bin]# df -h
Filesystem                Size      Used Available Use% Mounted on
/dev/root                29.7M     22.6M      7.1M  76% /
tmpfs                    29.7M         0     29.7M   0% /dev/shm
tmpfs                    29.7M    100.0K     29.6M   0% /tmp
tmpfs                    29.7M     60.0K     29.7M   0% /run

RAM is 64 MB:

[[email protected] bin]# free -m
             total         used         free       shared      buffers
Mem:            59           39           19            0            0
-/+ buffers:                 39           19
Swap:            0            0            0

Binaries available on the system:

[[email protected] bin]# ls -1

As is evident from the presence of uci, the ALL3073v2WLAN appears to be running some type of OpenWRT distribution. Note, however, that opkg and many other OpenWRT commands are not present on the ALL3073v2WLAN.

Due to the kernel version being 3.18.23, it appears that the ALL3073v2WLAN is running OpenWRT 15.05 Chaos Calmer. This might allow using standard OpenWRT packages (with manual installation, however) to add more functionality, but I have not tested that so far.

Posted by Uli Köhler in Networking

How to find out if a certificate has an elliptic curve or an RSA key

You can use openssl to find out if your certificate is using an elliptic curve (e.g. ECDSA) or an RSA key using the following command, replacing cert.pem by the path of your certificate:

openssl x509 -noout -text -in cert.pem | grep -i "ecPublicKey" > /dev/null ; if [ $? -ne 0 ]; then echo "No elliptic curve key" ; else echo "Elliptic curve key"; fi

If the certificate’s key is an elliptic curve key, it will print:

Elliptic curve key

If the certificate’s key is another type of key, such as an RSA key, it will print:

No elliptic curve key

How it works

First we tell OpenSSL to print info about the certificate:

openssl x509 -noout -text -in cert.pem

Then we grep for ecPublicKey. This is because for elliptic curve keys, the output of the aforementioned openssl command contains

Subject Public Key Info:
    Public Key Algorithm: id-ecPublicKey
        Public-Key: (384 bit)
        pub:

whereas for RSA keys it looks like this:

Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
        RSA Public-Key: (2048 bit)
        Modulus:

The output of grep is redirected to /dev/null since we’re not interested in the output itself but only in the return code (which is available as $? in the shell). grep returns a return code of 0 if and only if it finds at least one match in its input; otherwise it returns 1. In our case, this means that we get a return code of 0 if ecPublicKey appears anywhere in the output. We assume that this string will only ever occur in the Subject Public Key Info: section. While in theory ecPublicKey could appear in some user-defined field of the certificate, this is extremely unlikely and could be mitigated by using a regular expression in grep.

We can then use this bash snippet:

if [ $? -ne 0 ]
then
    # TODO insert code if grep does NOT find anything
else
    # TODO insert code if grep finds at least one line
fi

which we use like this:

if [ $? -ne 0 ]; then echo "No elliptic curve key" ; else echo "Elliptic curve key"; fi

i.e. depending on the return code of grep, we will print the correct message.

Posted by Uli Köhler in Networking

How to find public key type of SSL/TLS X.509 certificate using OpenSSL

Use the following command to print the public key type, replacing cert.pem with the path of your certificate:

openssl x509 -noout -text -in cert.pem | grep -i "Public Key Info" --after 3

Example output:

Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
        RSA Public-Key: (2048 bit)
        Modulus:


Posted by Uli Köhler in Networking

How to fix certbot unrecognized arguments: --dns-cloudflare-credentials on Ubuntu

Problem:

You are trying to request a Let’s Encrypt certificate using certbot, but instead you see an error message like

certbot: error: unrecognized arguments: --dns-cloudflare-credentials /root/.secrets/cloudflare.ini

Solution:

Install the required package. This is the solution if you have installed python3-certbot as an apt package:

sudo apt -y install python3-certbot-dns-cloudflare

This is the solution if you have installed certbot as a snap:

sudo snap set certbot trust-plugin-with-root=ok
sudo snap install certbot-dns-cloudflare


Posted by Uli Köhler in Networking

How to activate HTTP2 on pfsense haproxy

Go to the HAProxy frontend settings. For each individual frontend (not just the primary frontend), scroll down or search for alpn using the on-page search. You should see:

Paste or append this content there:

alpn h2,http/1.1

It should now look like this:

Now Save the settings and reload HAProxy.

After you reload the pages for which you just activated HTTP/2 using Ctrl+F5, you should have an HTTP/2 connection.

Posted by Uli Köhler in Networking

How to fix Synology NFS mounting with 000 permissions (Permission denied)

Problem:

You have mounted a shared directory on your Synology NAS using NFS. The mount succeeds, but when you try to access the mount point (e.g. ls /nas) you see a Permission denied error, even when running as root.

Solution:

Go into the Synology NAS web UI, open the Control Panel, go to Shared Folder and edit the permissions for the shared folder you’re trying to access (right click => Edit).

You likely have checked the No access checkbox for the admin user. Uncheck it, then click OK on the bottom right.

Now your NFS share should work again (even without remounting).

Posted by Uli Köhler in Networking

OpenWRT OpenVPN client config for pfsense Site-to-Site VPN

OpenWRT client config

This is the OpenVPN config I use for connecting an OpenWRT router to a pfsense, providing interconnectivity between both LANs.

nobind
persist-key
cipher AES-256-CBC
dev tun
ifconfig 10.22.51.2 10.22.51.1
keepalive 10 60
port 1194
proto udp4
compress
remote myid.myfritz.net
resolv-retry infinite
route 192.168.100.0 255.255.255.0
verb 5
auth SHA512
<secret>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
97aae54ce3e22128c0efba9043a6ba07
03dc5a68399a7e7f65ab6d7cdc390729
a1f72e665fe7cf300edccb1555df56ff
3d2386942c7b78cf1676c5734834ea18
2c2ba33523e3278a84efe168dd160fd4
3c0205a0335765b80881cfb915e9b3de
097a63ee5321a31540c51a628ab95d0e
4f40657351125526120a1a83ec8af043
3ddbb859a6c8e2d36797ba5a983dd223
5ecea38941b8af992492887e6d361ccc
a41f1a3993f2c24011b2a3026b71c82d
12d301cb346de19dcaa550886b5dd0c0
9b4d6bd0ca7415a42e4ffa10fe39659e
e9ad0ff1edcfa2d62c3e3db2834f0da5
fe8e4c332325a195c537551a6f1a0ff5
c5bd5d7b038c7a9df9c8d28cb33ef4b0
-----END OpenVPN Static key V1-----
</secret>

where:

  • 10.22.51.0/24 is the VPN transfer net (IPv4 tunnel network in the pfsense), hence 10.22.51.2 is the IP address of the OpenWRT client and 10.22.51.1 is the IP address of the pfsense (i.e. OpenVPN server)
  • 1194 is the port to connect to (I use only UDP VPNs for most setups)
  • myid.myfritz.net is the domain name of the pfsense, which is (in this case) running behind a FritzBox router using a myfritz dynamic DNS server
  • <secret> is the static key that is configured in the pfsense.

pfsense config

See pfsense-OpenWRT-OpenVPN-Config.pdf for the entire pfsense config.

The most important aspects are to:

  • Generate a new static key (DO NOT use my example key) and use the same key for both the pfsense server config and the OpenWRT config
  • Use the same port in both the OpenWRT client config and the pfsense server config
  • Set Compression to Disable Compression, retain compression packet framing [compress] (since we don’t have a comp directive in the client config)
  • Set Server mode to Peer to Peer ( Shared Key )
  • Add appropriate firewall rules to enable access to the OpenVPN server (i.e. allow incoming traffic on WAN on port 1194 UDP if you’re using that port)

Posted by Uli Köhler in Networking

How to use an OpenVPN static key in inline mode (<secret>)

Instead of using a directive like

secret static.key

in your OpenVPN config, you can also use an inline key:

<secret>
// Copy & paste OpenVPN static key here !!
</secret>

A full example OpenVPN config looks like this:

nobind
persist-key
cipher AES-256-CBC
dev tun
ifconfig 10.92.11.2 10.92.11.1
keepalive 10 60
port 1194
proto udp4
remote mydomain.net
resolv-retry infinite
route 192.168.9.0 255.255.255.0
secret /dev/urandom
verb 5
auth SHA512
<secret>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
97aae54ce3e22128c0efba9043a6ba07
03dc5a68399a7e7f65ab6d7cdc390729
a1f72e665fe7cf300edccb1555df56ff
3d2386942c7b78cf1676c5734834ea18
2c2ba33523e3278a84efe168dd160fd4
3c0205a0335765b80881cfb915e9b3de
097a63ee5321a31540c51a628ab95d0e
4f40657351125526120a1a83ec8af043
3ddbb859a6c8e2d36797ba5a983dd223
5ecea38941b8af992492887e6d361ccc
a41f1a3993f2c24011b2a3026b71c82d
12d301cb346de19dcaa550886b5dd0c0
9b4d6bd0ca7415a42e4ffa10fe39659e
e9ad0ff1edcfa2d62c3e3db2834f0da5
fe8e4c332325a195c537551a6f1a0ff5
c5bd5d7b038c7a9df9c8d28cb33ef4b0
-----END OpenVPN Static key V1-----
</secret>


Posted by Uli Köhler in Networking

How to generate OpenVPN static key

Generate an OpenVPN static key and save it to static.key:

openvpn --genkey --secret static.key

The key looks like this:

#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----


Posted by Uli Köhler in Networking

How I mount my Synology NAS shared folders as NFS

I have configured my Synology NAS to use NFS4 and NFSv4.1. For certain fixed IP addresses, I have allowed passwordless mounting of specific NFS shares:

This is my mount line in /etc/fstab

10.1.2.3:/volume1/myfolder /mnt/myfolder nfs async,soft,auto 0 0

where:

  • 10.1.2.3 is the IP address of the NAS in the VPN
  • myfolder is the name of the Synology share

This configuration has been verified to work even when connecting via an OpenVPN connection that connects to a DSL client with an IP address that changes every 24 hours, leading to a disconnect of about 30 seconds. However, you should still test it in your specific configuration.

Posted by Uli Köhler in Networking

How to fix OpenWRT opkg Failed to send request: Operation not permitted

Problem:

When running opkg update or other opkg commands in OpenWRT, you see these error messages:

Failed to send request: Operation not permitted

Full log example:

Downloading http://downloads.openwrt.org/releases/19.07.5/targets/ath79/generic/packages/Packages.gz
Failed to send request: Operation not permitted
*** Failed to download the package list from http://downloads.openwrt.org/releases/19.07.5/targets/ath79/generic/packages/Packages.gz

Downloading http://downloads.openwrt.org/releases/19.07.5/targets/ath79/generic/kmods/4.14.209-1-b84a5a29b1d5ae1dc33ccf9ba292ca1d/Packages.gz
Failed to send request: Operation not permitted
*** Failed to download the package list from http://downloads.openwrt.org/releases/19.07.5/targets/ath79/generic/kmods/4.14.209-1-b84a5a29b1d5ae1dc33ccf9ba292ca1d/Packages.gz

[...]

Solution:

This problem is typically caused by no DNS servers being set.

First, check if you have internet access using

ping 1.1.1.1

The output should look like this (otherwise, you have no internet access):

[email protected]:~# ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 56 data bytes
64 bytes from 1.1.1.1: seq=0 ttl=59 time=36.078 ms
64 bytes from 1.1.1.1: seq=1 ttl=59 time=33.538 ms
64 bytes from 1.1.1.1: seq=2 ttl=59 time=33.350 ms

Now try to ping techoverflow.net:

[email protected]:~# ping techoverflow.net
ping: bad address 'techoverflow.net'

This verifies that you have internet connectivity but no DNS.

Now go into LuCI, go to Network/Interfaces and edit each interface. Set the DNS servers to

1.1.1.1

and

1.0.0.1

This might not be possible for some interfaces since they have a different IP address configuration (in that case, just proceed with the other interfaces). The configuration for the interface should now look like this:

Don’t forget to Save & Apply!

After that, retry opkg update which should now look like this:

[email protected]:~# opkg update
Downloading http://downloads.openwrt.org/releases/19.07.5/targets/ath79/generic/packages/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_core
Downloading http://downloads.openwrt.org/releases/19.07.5/targets/ath79/generic/packages/Packages.sig
Signature check passed.
Downloading http://downloads.openwrt.org/releases/19.07.5/targets/ath79/generic/kmods/4.14.209-1-b84a5a29b1d5ae1dc33ccf9ba292ca1d/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_kmods
Downloading http://downloads.openwrt.org/releases/19.07.5/targets/ath79/generic/kmods/4.14.209-1-b84a5a29b1d5ae1dc33ccf9ba292ca1d/Packages.sig
Signature check passed.
[...]


Posted by Uli Köhler in Networking

How to fix OpenWRT Failsafe mode SSH port 22: Connection refused

Problem:

You are trying to connect to your OpenWRT router in failsafe mode via SSH (ssh 192.168.1.1), but you see this error message:

ssh: connect to host 192.168.1.1 port 22: Connection refused

Solution:

First, check if you have the correct IP configuration:

  • Ensure your computer is ONLY connected to the Ethernet interface connected to OpenWRT
  • Ensure you have set the Ethernet port to the static IP 192.168.1.1 , netmask 255.255.255.0 (prefix length 24), gateway none or 192.168.1.1

Ping 192.168.1.1 to verify your IP configuration:

ping 192.168.1.1

Example output:

[email protected]:~$ ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=63 time=1.20 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=63 time=1.35 ms
64 bytes from 192.168.1.1: icmp_seq=3 ttl=63 time=1.14 ms

Then, try connecting again using SSH:

ssh root@192.168.1.1

If you’re still getting a

ssh: connect to host 192.168.1.1 port 22: Connection refused

you are running an old OpenWRT version. SSH in failsafe mode is only supported since OpenWRT 15.05. For older versions, use telnet to connect:

telnet 192.168.1.1

and you should see a root shell:

telnet 192.168.1.1
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.

 === IMPORTANT ============================
  Use 'passwd' to set your login password
  this will disable telnet and enable SSH
 ------------------------------------------


BusyBox v1.19.4 (2013-03-14 11:28:31 UTC) built-in shell (ash)
Enter 'help' for a list of built-in commands.

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 ATTITUDE ADJUSTMENT (12.09, r36088)
 -----------------------------------------------------
  * 1/4 oz Vodka      Pour all ingredients into mixing
  * 1/4 oz Gin        tin with ice, strain into glass.
  * 1/4 oz Amaretto
  * 1/4 oz Triple sec
  * 1/4 oz Peach schnapps
  * 1/4 oz Sour mix
  * 1 splash Cranberry juice
 -----------------------------------------------------
root@(none):/#


Posted by Uli Köhler in Networking

How to generate random IPv6 addresses in a given network using Python

This code generates random IPv6 addresses in a given network using Python’s ipaddress module:

import ipaddress
import random

def random_ipv6_addr(network):
    """
    Generate a random IPv6 address in the given network
    Example: random_ipv6_addr("fd66:6cbb:8c10::/48")
    Returns an IPv6Address object.
    """
    net = ipaddress.IPv6Network(network)
    # Which of the net.num_addresses addresses do we want to select?
    # Valid offsets are 0 .. num_addresses - 1. randint() includes both bounds,
    # so the upper bound must be num_addresses - 1, otherwise the result can
    # land one address past the end of the network.
    addr_no = random.randint(0, net.num_addresses - 1)
    # Create the random address by converting to a 128-bit integer, adding addr_no and converting back
    network_int = int.from_bytes(net.network_address.packed, byteorder="big")
    addr_int = network_int + addr_no
    addr = ipaddress.IPv6Address(addr_int.to_bytes(16, byteorder="big"))
    return addr

# Usage example
print(random_ipv6_addr("fdce:4879:a1e9::/48"))
# Prints e.g. fdce:4879:a1e9:e351:1a01:be9:4d9a:157d

It works by first converting the IPv6 network address to binary and then adding a random host number. After that, it will be converted back to an IPv6Address object.

Posted by Uli Köhler in Networking, Python

How to get hostmask/netmask for given prefix length in Python

In order to get the host mask for e.g. a /112 IPv6 prefix, use:

import ipaddress
# Get netmask for a /112 prefix
ipaddress.IPv6Network("::/112").netmask

# Get host mask for a /112 prefix
ipaddress.IPv6Network("::/112").hostmask


Posted by Uli Köhler in Networking, Python

Bitwise operation with IPv6 addresses and networks in Python

Python3 features the easy-to-use ipaddress library providing many calculations. However, bitwise boolean operators are not available for addresses.

This post shows you how to perform bitwise operations with IPv6Address() objects. We’ll use the following strategy:

  1. Use .packed to get a binary bytes() instance of the IP address
  2. Use int.from_bytes() to acquire an integer representing the binary address
  3. Perform bitwise operations with said integer
  4. Use result.to_bytes(16, ...) to convert the integer back to a bytes() array in the correct byte order
  5. Construct an IPv6Address() object from the resulting byte array.

Python code:

import ipaddress

def bitwise_and_ipv6(addr1, addr2):
    result_int = int.from_bytes(addr1.packed, byteorder="big") & int.from_bytes(addr2.packed, byteorder="big")
    return ipaddress.IPv6Address(result_int.to_bytes(16, byteorder="big"))

def bitwise_or_ipv6(addr1, addr2):
    result_int = int.from_bytes(addr1.packed, byteorder="big") | int.from_bytes(addr2.packed, byteorder="big")
    return ipaddress.IPv6Address(result_int.to_bytes(16, byteorder="big"))

def bitwise_xor_ipv6(addr1, addr2):
    result_int = int.from_bytes(addr1.packed, byteorder="big") ^ int.from_bytes(addr2.packed, byteorder="big")
    return ipaddress.IPv6Address(result_int.to_bytes(16, byteorder="big"))

Example usage:

a = ipaddress.IPv6Address('2001:16b8:2703:8835:9ec7:a6ff:febe:96b1')
b = ipaddress.IPv6Address('2001:16b8:2703:4241:9ec7:a6ff:febe:96b1')

print(bitwise_and_ipv6(a, b)) # IPv6Address('2001:16b8:2703:1:9ec7:a6ff:febe:96b1')
print(bitwise_or_ipv6(a, b)) # IPv6Address('2001:16b8:2703:ca75:9ec7:a6ff:febe:96b1')
print(bitwise_xor_ipv6(a, b)) # IPv6Address('0:0:0:ca74::')

Similarly, you can use the code in order to manipulate IPv6Network() instances:

a = ipaddress.IPv6Network('2001:16b8:2703:8835:9ec7:a6ff:febe::/112')
b = ipaddress.IPv6Network('2001:16b8:2703:4241:9ec7:a6ff:febe::/112')

print(bitwise_and_ipv6(a.network_address, b.network_address)) # IPv6Address('2001:16b8:2703:1:9ec7:a6ff:febe:0')
print(bitwise_or_ipv6(a.network_address, b.network_address)) # IPv6Address('2001:16b8:2703:ca75:9ec7:a6ff:febe:0')
print(bitwise_xor_ipv6(a.network_address, b.network_address)) # IPv6Address('0:0:0:ca74::')

Note that the return type will always be IPv6Address() and never IPv6Network() since the result of the bitwise operation doesn’t have any netmask associated with it.

Besides .network_address you can also use other properties of IPv6Network() instances, such as .broadcast_address, .hostmask or .netmask.
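As an added example (not the post’s own code), this generalises the three functions above to any operator and both address families via int(addr), and then uses the bitwise operations for what they are typically needed for: deriving the network and host parts of an address from a prefix length and testing membership. The addresses are those from the post, plus a constructed small-result case that shows why the result must be rebuilt with the input’s own class.

```python
import ipaddress
from operator import and_, or_, xor

A = "2001:16b8:2703:8835:9ec7:a6ff:febe:96b1"   # the two addresses used in the post
B = "2001:16b8:2703:4241:9ec7:a6ff:febe:96b1"


def bitwise(op, addr1, addr2):
    """Apply an integer operator (and_, or_, xor, ...) to two addresses.

    int(addr) gives the 32- or 128-bit integer and the address class accepts it
    back, so no packed/to_bytes round trip is needed. Both address families are
    accepted, but never mixed.
    """
    a = ipaddress.ip_address(addr1)
    b = ipaddress.ip_address(addr2)
    if a.version != b.version:
        raise ValueError("cannot combine IPv4 and IPv6 addresses")
    # Rebuild with a's own class: ipaddress.ip_address(int) would turn a small
    # IPv6 result (e.g. an XOR that only leaves low bits set) into an IPv4Address.
    return type(a)(op(int(a), int(b)))


def network_address(addr, prefixlen):
    """Network part of addr for a /prefixlen, computed as addr AND netmask."""
    a = ipaddress.ip_address(addr)
    netmask = ipaddress.ip_network(f"{type(a)(0)}/{prefixlen}").netmask  # e.g. ::/64
    return bitwise(and_, a, netmask)


def host_bits(addr, prefixlen):
    """Host part of addr for a /prefixlen, computed as addr AND hostmask."""
    a = ipaddress.ip_address(addr)
    hostmask = ipaddress.ip_network(f"{type(a)(0)}/{prefixlen}").hostmask
    return bitwise(and_, a, hostmask)


def in_network(addr, network):
    """Membership test done the bitwise way; ipaddress's own `in` is cross-checked."""
    net = ipaddress.ip_network(network, strict=False)
    member = bitwise(and_, addr, net.netmask) == net.network_address
    assert member == (ipaddress.ip_address(addr) in net)
    return member


if __name__ == "__main__":
    print(bitwise(and_, A, B))        # 2001:16b8:2703:1:9ec7:a6ff:febe:96b1
    print(bitwise(or_, A, B))         # 2001:16b8:2703:ca75:9ec7:a6ff:febe:96b1
    print(bitwise(xor, A, B))         # 0:0:0:ca74::
    print(bitwise(xor, "2001:db8::1", "2001:db8::3"))   # ::2, still an IPv6Address
    print(network_address(A, 64))     # 2001:16b8:2703:8835::
    print(host_bits(A, 64))           # ::9ec7:a6ff:febe:96b1
    print(in_network(A, "2001:16b8:2703:8835::/64"), in_network(B, "2001:16b8:2703:8835::/64"))
```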

Posted by Uli Köhler in Networking, Python

How to fix OpenVPN “TLS Error: cannot locate HMAC in incoming packet from …”

Problem:

Your OpenVPN clients can’t connect to your OpenVPN server and the server log shows an error message like

TLS Error: cannot locate HMAC in incoming packet from [AF_INET6]::ffff:187.100.14.13:41874 (via ::ffff:25.16.25.29%xn0)

Solution:

You have enabled a TLS key (tls-auth option) in your OpenVPN configuration, but your client does not know that it should use the additional layer of authentication.

The server is looking for the HMAC in the incoming packets but can’t find it.

Either disable the tls-auth option in your server config. The config line will look like

tls-auth /var/etc/openvpn/server2.tls-auth 0

or

Enable the correct tls-auth configuration in your client. Remember that you also need to share the correct key.

Posted by Uli Köhler in Networking, OpenVPN, VPN