Chris News https://blog.chrisnew.eu/ Tech, coffee and stuff Fri, 15 Apr 2022 17:03:43 +0000 en-US hourly 1 https://wordpress.org/?v=5.9.3 https://blog.chrisnew.eu/wp-content/uploads/2022/01/cropped-ava-32x32.jpeg Chris News https://blog.chrisnew.eu/ 32 32 More IPv6 in Bulgaria 🇧🇬 https://blog.chrisnew.eu/2022/04/more-ipv6-in-bulgaria/ Fri, 15 Apr 2022 16:50:22 +0000 https://blog.chrisnew.eu/?p=326 Finally an uptick in IPv6 eyeballs! Bulgaria went from < 1% to almost 10% in a few weeks.

Vivacom started to rollout IPv6 to their mobile subscribers.
Source: https://stats.labs.apnic.net/ipv6/AS8866

]]>
The Data Diode https://blog.chrisnew.eu/2022/04/the-data-diode/ Sat, 02 Apr 2022 16:08:00 +0000 https://blog.chrisnew.eu/?p=297 Continue reading "The Data Diode"

]]>
TL;DR: Create an Amazon S3 bucket which allows your application to only write to it. Don’t forget to enable versioning.

Recently we had to meet a compliance requirement at one of our projects where we needed to make sure that inactive data is no longer readable by our application. This isn’t just to make sure that our application prohibits the user access to that data, but also to make sure that any misconfiguration or a hacking attempt would never leak any data.

The idea: The Data Diode. A diode is an electronic component which only allows to let current flow in one direction.

At Amazon Web Services (AWS) we store data in Amazon S3 buckets. These buckets are basically virtual disks which are fast, reliable and allow a high level of flexibility.

Ideally your application uses AWS access keys which are restricted to a certain set of services and actions permitted at those services. For instance, to have read and write access to your hot data storage at Amazon S3.

You can also add ACL rules which allows to only write into a given bucket and prohibit any read or listing action. You can even allow other AWS accounts to write in your bucket.

We wrote a script which takes records older than 90 days, erases all data except data required to run some anonymized statistics and export them to our write-only Amazon S3 bucket.

That way we make sure that we never leak old data by accident or when we should get hacked. An attacker can only access the most recent data but never the old one. Not even when they got access to the AWS credentials.

One thing we considered is to enable versioning. In case an attacker was successful or our application would go rogue due to a bug we can restore any overwritten data.

I also recommend to use a separate AWS account to host your archive. That way you can make sure that not even an inside job has access to that data.

Are you interesting in implementing this in your company or project? Feel free to contact me!

]]>
WireGuard example setup https://blog.chrisnew.eu/2022/03/wireguard-example-setup/ Wed, 23 Mar 2022 20:15:50 +0000 https://blog.chrisnew.eu/?p=281 Continue reading "WireGuard example setup"

]]>
Not a deep dive into WireGuard itself, but how to setup and use it.

Scope of this blog post is to have an easy understandable how to guide to quickly setup a WireGuard VPN with dualstack support through NAT.

Less blah blah, more commands and configs.

Requirements:

  • Debian 11 (Linux 5.10+ kernel)
  • At least either a public IPv4 or IPv6 address
  • Around 30 minutes of your time and somewhat useful Linux skills

Step 1: Setting up the server side

Install wireguard-tools by using apt like this:

apt install wireguard-tools

For each device you’ll need a private public keypair.

Use the following command to generate both private and public keys:

wg genkey | tee privatekey | wg pubkey > publickey

That way you have a fresh pair of it in your current directory.

In case you are in an IDGAF about security mode, take these values:

  • Private: qKTH2AX0wCTYC315UOdzf1eUs6+1F1UI7yBGA21hEUc=
  • Public: LQA8GIRJAjeN0NweVSSnYxmV5DwP74JpDyu/jT1vCSY=

I highly effing recommend you dicing your own keys, though.

Moving on to the WireGuard config itself. We are going to create a config file and let systemd manage it as a service through the wg-quick@.service.

By this point you’ll need a private IPv4 subnet and a ULA IPv6 prefix.

For the sake of simplicity, I chose both for you:

  • IPv4: 100.123.42.0/24
  • IPv6: fd4e:80e:2adc::/64

Create the following file as /etc/wireguard/wg0.conf:

[Interface]
Address = 100.123.42.1/24
Address = fd4e:80e:2adc::1/64
PrivateKey = qKTH2AX0wCTYC315UOdzf1eUs6+1F1UI7yBGA21hEUc=
ListenPort = 51280

PostUp = iptables -t nat -I POSTROUTING -s 100.123.42.0/24 -j MASQUERADE
PreDown = iptables -t nat -D POSTROUTING -s 100.123.42.0/24 -j MASQUERADE

PostUp = ip6tables -t nat -I POSTROUTING -s fd4e:80e:2adc::/64 -j MASQUERADE
PreDown = ip6tables -t nat -D POSTROUTING -s fd4e:80e:2adc::/64 -j MASQUERADE

Next up you’ll need some sysctl tuning to allow your Linux server to act as a router.

Please create the following file as /etc/sysctl.d/50-forwarding.conf:

net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.default.forwarding = 1
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.default.forwarding = 1
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0

Apply it by using this command: sysctl -p /etc/sysctl.d/50-forwarding.conf

Please make sure your iptables and ip6tables rules are in yolo mode which means the default policy for FORWARD is ACCEPT. That’s usually the default configuration anyway.

Enable and start the service: systemctl enable --now wg-quick@wg0

Step 2: Setup a client

Prerequisites for each client:

  1. Repeat the private and public key dance from above.
    1. The public key goes into the [Peer] section of your server config.
    2. The private key goes into the [Interface] section of your client config.
  2. Allocate an IP address per address family.
    1. The address with its prefix length goes in the AllowedIPs in your [Peer] section of your server config.
    2. The address with its prefix length goes in the Address in your [Interface] section of your client config.

Make sure you pick a unique key pair and IP addresses for each client.

Example values:

  • IPv4 address: 10.123.42.2/32
  • IPv6 address: fd4e:80e:2adc::2/128
  • Private key: gKqGRcQOCVhVqmN5e0QYkj7K7lhNStYig8EntNjDDEM=
  • Public key: 8Yku08ytK+3OGVi8RC2K5opM4PqF84VPZmW4xFH52CY=

Now go back to the /etc/wireguard/wg0.conf from step one and add the following lines:

[Peer]
PublicKey = 8Yku08ytK+3OGVi8RC2K5opM4PqF84VPZmW4xFH52CY=
AllowedIPs = 10.123.42.2/32, fd4e:80e:2adc::2/128

Restart the service: systemctl restart wg-quick@wg0

Get the hostname or the public IPv6 or public IPv4 address of your server. We need that now.

Now assemble the client config:

[Interface]
PrivateKey = gKqGRcQOCVhVqmN5e0QYkj7K7lhNStYig8EntNjDDEM=
Address = 100.123.42.2/32, fd4e:80e:2adc::2/128
MTU = 1280

[Peer]
PublicKey = LQA8GIRJAjeN0NweVSSnYxmV5DwP74JpDyu/jT1vCSY=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = wg0.example.net:51280
#Endpoint = [2001:db8::1]:51280
#Endpoint = 192.0.2.1:51280

Make sure to use the server’s public key in PublicKey in the [Peer] section and the correct address (again: the public one of your server) in Endpoint in the [Peer] section as well.

You can use the wireguard-tools and wg-quick on your Linux client as well. Just adapt the steps from step one without the sysctl things.

You can encode your config as a QR code and scan it in the official WireGuard Android app as well.

Good to know

  • On the client side: Instead of 0.0.0.0/0 and ::/0 you can use whatever and as many prefixes as you like and only route a few prefixes through the VPN.
  • On the server side: If you have prefixes routed to your WireGuard server, you can skip the NAT (iptables/ip6tables) configuration.
  • You can change the MTU, 1280 is recommended in unpredictable environments. To calculate it yourself: MTU = Outside MTU – 80. So on a 1500 Internet uplink you can use 1420 as MTU for the WireGuard interface. Consult the configuration or/and documentation your Internet connection to find the right value.
  • Make sure to properly safe guard your server using a firewall only allowing outbound connections. Theoretically your clients are exposed under certain circumstances.
  • Check out wg(8) for more information. It can do more things than outlined here.
]]>
Enroute to Sofia https://blog.chrisnew.eu/2022/01/sofia/ Tue, 25 Jan 2022 18:35:00 +0000 https://blog.chrisnew.eu/?p=274 ]]> Varna, 2021 https://blog.chrisnew.eu/2021/12/varna-2021/ Wed, 01 Dec 2021 13:03:00 +0000 https://blog.chrisnew.eu/?p=277 ]]> Frankfurt, 2021 https://blog.chrisnew.eu/2021/07/frankfurt-2021/ Sun, 04 Jul 2021 09:34:02 +0000 https://blog.chrisnew.de/?p=253 ]]> Copy a MySQL table https://blog.chrisnew.eu/2021/03/copy-a-mysql-table/ Tue, 02 Mar 2021 10:32:33 +0000 https://blog.chrisnew.de/?p=235 Not using this all too often, so here it is for me and everyone:

create table my_new_table like my_old_table;
insert into my_new_table select * from my_old_table;

An easy way to make a quick backup.

]]>
Increase VM storage on-line https://blog.chrisnew.eu/2020/07/increase-vm-storage-on-line/ Fri, 31 Jul 2020 09:01:49 +0000 https://blog.chrisnew.de/?p=203 Continue reading "Increase VM storage on-line"

]]>
Increase from 300 G to 400 G using the same storage, but leverage LVM on GPT inside the VM.

Host:

lvextend -L +100G /dev/mapper/guests--lolguest
virsh qemu-monitor-command lolguest info block --hmp
virsh qemu-monitor-command lolguest block_resize drive-virtio-disk0 400G --hmp

VM:

sgdisk -e /dev/vda
gdisk /dev/vda # <-- create partition 5
partprobe /dev/vda
pvcreate /dev/vda5
vgextend ubuntu-vg /dev/vda5
lvextend -l +100%FREE /dev/ubuntu-vg/ubuntu-lv
resize2fs /dev/mapper/ubuntu--vg-ubuntu--lv

Always watch out for paths, partition numbers and names!

]]>
How to get IP addresses? https://blog.chrisnew.eu/2020/07/how-to-get-ip-addresses/ Sat, 18 Jul 2020 12:24:57 +0000 https://blog.chrisnew.de/?p=198 Continue reading "How to get IP addresses?"

]]>
This article explains how to get your own IP addresses and why you might want them. I try to make it as information dense as possible.

You might ask yourself: “Don’t I get an IP address when I click a virtual server?”

That’s true, you will get an IP address, but that’s just one and it has been assigned by your hosting provider or ISP. This article will cover IP address ranges (a.k.a. netblocks or IP subnets).

So where does my ISP get their IP addresses from?

They are not arbitrarily chosen, they have been allocated the a regional Internet registry (short: RIR) such as ARIN, RIPE NCC, APNIC, LACNIC and AFRINIC.

These organizations manage their allocations they received from the IANA. Usually RIRs are managed as a non-profit association where everybody can become a member of.

What’s the difference between the IP address I get from my ISP and such an allocation?

That one single IP address is not portable. You cannot just use it somewhere else. Maybe your hosting provider allows you to re-use one IP with a different service (such as AWS and their Elastic IP addresses) within their service umbrella, but you can never use for instance an AWS Elastic IP in Google Cloud now.

The IP addresses which will be allocated to you by a RIR is considered portable in a sense of: You can decide where it should be used. However, portable is a distinct keyword within the RIR terminology. We will discuss this later.

Okay, got it. Can I get now my IP address from a RIR?

No. At least you won’t get just one IP address. You’ll get an allocation of at least a /24 for IPv4 and /48 for IPv6. This is due to the fact that this allocation sizes are the absolute minimum within the default-free zone.

Alright, give me a /24 and/or a /48 then!

I’ll explain the process for the RIPE NCC which serves the RIPE region.

A long time ago it was possible to get so called portable assignments, sometimes called portable address space. At RIPE theses are called ASSIGNED PI which stands for provider independent assignments. These are meant to end-users which do not want to become a member of the RIPE NCC. This translates to saving actual money. An assignment is usually 50 EUR per year while a full membership costs around 1,400 EUR a year.

This PI space is meant to be directly assigned to an end-user (you) and should never be aggregated by an ISP. That’s the portable keyword in the RIR terminology.

It is no longer possible to obtain an ASSIGNED IP assignment first hand. When the RIPE NCC started to allocate from their final /8 allocation they received from the IANA, they were no longer assigning portable address space for IPv4.

It is still possible to obtain an ASSIGNED IP assignment for IPv6 though.

Okay, why is not everyone using that portable address space then?

The policy states: You must not use that address space for your customers. It is meant for your own Internet connection which you’ll use within your organization.

Becoming a LIR allows you to manage your allocation address space more flexible. You also get way more address space. Although that applies only for IPv6. For IPv4 you’ll be placed on a waiting list and you will only get a /24 anymore.

Got it! But why do I need that now?

Like hinted earlier, it’s possible to use your address space with any ISP. At least theoretically. More and more hosting providers allow you to bring your own IP address space.

Besides the portability aspect, there is more to it:

  • You can build a high-available failover for your services and/or Internet connection with multiple upstreams. That’s called multihoming.
  • You can take your servers or deployments, migrate it to some other hoster without having the need to renumber all services. You can take your address space with you.
  • You can decide who will receive abuse emails. That’s relevant when you run services as Tor exit nodes, VPN exit nodes and email services.

Okay, hook me up. I want it!

You need a hosting service provider which actually supports that. I can fully recommend the following ones:

  • Vultr
    • You don’t need an ASN. IP space is sufficient enough.
    • Offering starts at 3.50 USD a month.
    • You can pay hourly.
  • vServer.site
    • You will need an ASN.
    • Offering starts at 10 EUR a month.
    • Highly capable customer support.

Secondly, you’ll need address space. Reach out to me, if you want a /48 PA space to start with! 😀

Don’t hestitate to book a meeting with me, if you need help applying with RIPE NCC to get your own address space.

]]>
Wake on LAN? Wake on WAN! https://blog.chrisnew.eu/2020/06/wake-on-lan-wake-on-wan/ Sat, 20 Jun 2020 23:36:34 +0000 https://blog.chrisnew.de/?p=175 Continue reading "Wake on LAN? Wake on WAN!"

]]>
I got a couple of small computers laying around which are more like development systems and mostly lab environments. However, these are not running 24/7 and since I’m traveling alot I’m not always close to those computers. Let me show you what Wake on LAN (WOL) is and how you can make it Wake on WAN over IPv6.

What’s Wake on LAN?

Wake on LAN is a pretty old mechanism which allows to turn on computers over your LAN. Network cards are in stand-by mode listening to packets containing a “magic” sequence. That sequence is six times 0xFF followed by 16 times the target MAC address.

Let’s assume your target MAC address is 00:11:22:33:44:55, that magic sequence would be this:

00000000: ffff ffff ffff 0011 2233 4455 0011 2233
00000010: 4455 0011 2233 4455 0011 2233 4455 0011
00000020: 2233 4455 0011 2233 4455 0011 2233 4455
00000030: 0011 2233 4455 0011 2233 4455 0011 2233
00000040: 4455 0011 2233 4455 0011 2233 4455 0011
00000050: 2233 4455 0011 2233 4455 0011 2233 4455
00000060: 0011 2233 4455

That magic sequence is easy to scan for while the computer is actually turned off. A full-blown IP stack is not required, but can be used as the transport mechanism. That fact is used by most WOL clients which will simply send a UDP packet to port 9 (“discard”) to the broadcast address.

Example: Wake on LAN

Like previously mentioned NICs are not implementing a full-blown IP stack which would request an IP address using DHCP and also not reacting to ARP. To workaround that issue, WOL packets are sent to the direct or limited broadcast address to force the client’s system to send a broadcast packet to the targeted layer 2 domain.

Sending a WOL packet using wakeonlan:

[~] wakeonlan -i 192.168.178.255 00:11:22:33:44:55 
Sending magic packet to 192.168.178.255:9 with 00:11:22:33:44:55

Looks like this on the wire:

00:54:29.120604 dc:71:96:XX:XX:XX > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 144: 192.168.178.45.39040 > 192.168.178.255.9: UDP, length 102
	0x0000:  4500 0082 cd66 4000 4011 8686 c0a8 b22d
	0x0010:  c0a8 b2ff 9880 0009 006e e6fd ffff ffff
	0x0020:  ffff 0011 2233 4455 0011 2233 4455 0011
	0x0030:  2233 4455 0011 2233 4455 0011 2233 4455
	0x0040:  0011 2233 4455 0011 2233 4455 0011 2233
	0x0050:  4455 0011 2233 4455 0011 2233 4455 0011
	0x0060:  2233 4455 0011 2233 4455 0011 2233 4455
	0x0070:  0011 2233 4455 0011 2233 4455 0011 2233
	0x0080:  4455

Going WAN

Going WAN is quite similar to that. Just use public IPv4 and you got it. The end.

Oh, you don’t have publicly routed IPv4 network for your internal means? Only one public IPv4 address? Well, add some DNAT to your SNAT, also known as portforwarding. That should work. But I don’t cover this in my tinkering since IPv4 is considered deprecated.

Going WAN via IPv6

It’s all easy and fun when you invoke wakeonlan within your LAN using IPv4. But unfortunately the real challenge begins when you want to use IPv6 instead. Like I do with IPv6-only networks.

[~] wakeonlan -i ff02::1 00:11:22:33:44:55
Can't call method "addr" on an undefined value at /usr/bin/wakeonlan line 117.

Turns out that wakeonlan does not support IPv6 at all. Anyway, that’s an easy fix which I proposed upstream already.

Now with proper IPv6 support, we can send Wake on LAN packets to proper IPv6 multicast addresses. No need to configure IPv4 anymore.

[~] wakeonlan -i ff02::1%wlp2s0 00:11:22:33:44:55                     Sending magic packet to ff02::1%wlp2s0 on port 9 with payload 00:11:22:33:44:55

We are still on LAN level though. And IPv6 doesn’t have the concept of direct broadcast addresses. Well, anything broadcast is unknown to IPv6.

But we can use a trick on our router using ip-neighbor to “assign” an IPv6 address to the broadcast MAC address making it defacto a direct broadcast address:

root@router:~# ip neighbor add 2001:db8::fdff:ffff:feff:ffff dev eth0 lladdr ff:ff:ff:ff:ff:ff nud permanent

I chose a host identifier which reassambles the broadcast MAC address as the EUI-64 version of it. You may choose whatever you like though.

By the way, don’t forget to put that command somewhere where it gets executed everytime your router boots up. Also you should firewall it to only allow port 9 or to only allow from your trusted source networks.

Anyway, using that trick we can finally send a UDP packet across the world to turn on our target computer:

[~] wakeonlan -i 2001:db8::fdff:ffff:feff:ffff 00:11:22:33:44:55
Sending magic packet to 2001:db8::fdff:ffff:feff:ffff on port 9 with payload 00:11:22:33:44:55

And we can see on the router, the packet has reached the broadcast destination:

root@router:~# tcpdump -i eth0 -n -e -x 'port 9'
[…]
23:17:34.083047 74:83:c2:XX:XX:XX > ff:ff:ff:ff:ff:ff, ethertype IPv6 (0x86dd), length 164: 2001:db8:1::1.39810 > 2001:db8::fdff:ffff:feff:ffff.9: UDP, length 102
[…]
	0x0020:  fdff ffff feff ffff 9b82 0009 006e dfd2
	0x0030:  ffff ffff ffff 0011 2233 4455 0011 2233
	0x0040:  4455 0011 2233 4455 0011 2233 4455 0011
	0x0050:  2233 4455 0011 2233 4455 0011 2233 4455
	0x0060:  0011 2233 4455 0011 2233 4455 0011 2233
	0x0070:  4455 0011 2233 4455 0011 2233 4455 0011
	0x0080:  2233 4455 0011 2233 4455 0011 2233 4455
	0x0090:  0011 2233 4455

Finally, no need for IPv4 addresses anymore to do some Wake on LAN and it has even become Wake on WAN. 🙂

Wake on WAN goes mobile

I can fully recommend Wake On Lan by Mike Webb as a mobile WOL client. It supports IPv6, hostnames and a lot more cool stuff!

If you need help setting up your on-prem infrastructure and leverage existing technology to build something unique, don’t hestiate to book a meeting with me!

]]>