
Remote desktop and Wake-on-LAN

Shan uses her iPad a lot, but a lot of the more serious (interior design) work needs to happen on AutoCAD or Photoshop. That is just not going to work on an iPad.

When we’re travelling (read: holiday) she’s carrying an old Lenovo ThinkPad 13 (great device!) just “in case” she needs to open AutoCAD and edit something minor or read the drawings/dimensions. But honestly, most of the time that device is turned off and dead weight.

But all the above is just an excuse for “I was bored, and I wanted to test something”: can I use an old Raspberry Pi (Zero W) to remotely wake her Intel NUC, and then use Tailscale to Remote Desktop into it from her iPad? Well, yes I can.

I completed this using:

  • Tailscale to remote desktop from anywhere to home
  • Cloudflare Tunnels, Access and DNS to have a web interface to wake the desktop
  • A Linux device that’s always on and in the same LAN, and that’ll run a PHP script.

Prep work: enable WOL

First off: enable Wake-on-LAN (WOL) in the BIOS and in your Windows settings. This article explains it for Intel NUCs, but would be similar enough for most devices. The Device Manager pane looked different on our i5 NUC, but was close enough.

On Mac, you just need to enable it in the Energy preference pane, for Linux I have no clue. 🤷‍♂️

Second step: have a working Raspberry Pi (or any Linux device) in the same LAN. This device needs to be turned on 24/7, so use something that uses very little power.

I do have a more powerful RPi 4 I wish I could have reused (it runs Docker and some other “serious” stuff), but it currently sits in a different VLAN, and it is crucial that the Linux device is in the same LAN as the device(s) you want to wake up: the magic packet is a broadcast frame, and broadcasts do not cross VLAN boundaries. So I went with an old Raspberry Pi Zero W that was collecting dust (it used to run pwnagotchi).

On the Linux device, install etherwake. The command is quite simply etherwake aa:bb:cc:11:22:33, where the argument is the Ethernet MAC address of the device you want to wake.

If this doesn’t wake your desktop, something is wrong and there’s no point continuing. Go and troubleshoot.
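To make clear what etherwake actually puts on the wire, here is an added example (not code from the post) that builds the Wake-on-LAN magic packet in Python and sends it as a UDP broadcast to port 9. The payload is identical to etherwake’s: six 0xFF bytes followed by the target MAC repeated sixteen times. Because it uses UDP rather than a raw Ethernet frame it does not need root, which is handy for testing from any machine on the LAN. The MAC is the post’s placeholder; the broadcast address and port are assumptions to adjust for your network. It goes slightly beyond the post by accepting several MAC notations and by validating a received payload the way a NIC does, so you can check with a packet capture that what arrives is correct.

```python
import re
import socket

# Constructed for this example: the same placeholder MAC the blog post uses.
EXAMPLE_MAC = "aa:bb:cc:11:22:33"


def parse_mac(mac: str) -> bytes:
    """Accept aa:bb:cc:11:22:33, AA-BB-CC-11-22-33 or aabbcc112233; return the 6 raw bytes."""
    cleaned = re.sub(r"[:\-.]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", cleaned):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(cleaned)


def build_magic_packet(mac: str) -> bytes:
    """A WOL magic packet: 6 x 0xFF (sync stream) + the target MAC repeated 16 times = 102 bytes."""
    return b"\xff" * 6 + parse_mac(mac) * 16


def is_magic_packet_for(payload: bytes, mac: str) -> bool:
    """Validate a captured payload as a NIC would: sync stream then 16 copies of its own MAC.

    Anything after the 102 bytes (e.g. an optional SecureOn password) is ignored here."""
    return payload[:102] == build_magic_packet(mac)


def send_magic_packet(mac: str, broadcast: str = "255.255.255.255", port: int = 9) -> int:
    """Broadcast the magic packet over UDP (no root needed); returns bytes sent (102)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return sock.sendto(build_magic_packet(mac), (broadcast, port))


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else EXAMPLE_MAC
    print(f"sent {send_magic_packet(target)} bytes to wake {target}")
```

Run it from a machine on the same LAN as the sleeping desktop (python3 wol.py aa:bb:cc:11:22:33). If this UDP version wakes the machine but etherwake does not, or vice versa, the difference is only in how the frame is addressed, not in the payload.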

Install Tailscale and RD

On the (Windows) desktop and your iPad, install Tailscale. Login, and make sure it works by pinging from one to the other.

Then set up Remote Desktop on both (Windows, iPad). You should test and make sure you can properly connect using the LAN IP address and then the Tailscale IP address.

Fun fact: I create a DNS record for all my devices using Cloudflare DNS with the syntax device-name.ts.yeri.be, so I never need to remember IPs and can easily ssh or ping devices without looking them up.
Cloudflare DNS screenshot, filtered on “ts”. I add both A and AAAA records (not shown in the screenshot).
Fun fact side track: I actually have a dynamic script (running on Linux) that creates hostname.ts.yeri.be for the Tailscale IP, hostname.wg.yeri.be for the WireGuard IP and hostname.lan.yeri.be for the LAN IP. This dyndns script runs every so often and updates the IPs if needed. All of it runs on Cloudflare DNS and their API. Super convenient.
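The dyndns script itself is not in the post; what follows is an added Python sketch of the same idea, not the author’s code. It assumes the Cloudflare v4 DNS records API (list, create, update and delete under /zones/{zone}/dns_records), an API token with DNS edit rights in the CF_API_TOKEN environment variable, the zone id in CF_ZONE_ID, and that the local Tailscale client prints the node’s addresses with tailscale ip. The record name follows the post’s hostname.ts.yeri.be scheme. The reconciliation step is kept as a pure function so it can be checked without touching the API.

```python
import json
import os
import socket
import subprocess
import urllib.request

CF_API = "https://api.cloudflare.com/client/v4"
# Assumed for this example: secrets come from the environment, never from the script file.
API_TOKEN = os.environ.get("CF_API_TOKEN", "")
ZONE_ID = os.environ.get("CF_ZONE_ID", "")
SUFFIX = "ts.yeri.be"  # the post's naming scheme: hostname.ts.yeri.be


def tailscale_ips():
    """Assumed helper: ask the local Tailscale client for its addresses (one per line)."""
    out = subprocess.run(["tailscale", "ip"], capture_output=True, text=True, check=True).stdout
    ips = {"A": None, "AAAA": None}
    for addr in out.split():
        ips["AAAA" if ":" in addr else "A"] = addr
    return ips


def plan_changes(existing, desired):
    """Pure reconciliation step (testable offline).

    existing: records Cloudflare currently holds for this name, each {'id', 'type', 'content'}.
    desired:  {'A': ipv4-or-None, 'AAAA': ipv6-or-None}.
    Returns (action, type, content, record_id) tuples; an empty list means nothing to do.
    """
    by_type = {r["type"]: r for r in existing if r["type"] in ("A", "AAAA")}
    actions = []
    for rtype in ("A", "AAAA"):
        ip, rec = desired.get(rtype), by_type.get(rtype)
        if ip is None:
            if rec is not None:  # address gone: remove the stale record
                actions.append(("delete", rtype, rec["content"], rec["id"]))
        elif rec is None:
            actions.append(("create", rtype, ip, None))
        elif rec["content"] != ip:
            actions.append(("update", rtype, ip, rec["id"]))
    return actions


def cf_request(method, path, body=None):
    """Minimal Cloudflare API call; returns the 'result' field of the JSON response."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        CF_API + path, data=data, method=method,
        headers={"Authorization": f"Bearer {API_TOKEN}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)["result"]


def apply_changes(fqdn, actions):
    record = lambda rtype, content: {"type": rtype, "name": fqdn, "content": content,
                                     "ttl": 300, "proxied": False}
    for action, rtype, content, rec_id in actions:
        if action == "create":
            cf_request("POST", f"/zones/{ZONE_ID}/dns_records", record(rtype, content))
        elif action == "update":
            cf_request("PUT", f"/zones/{ZONE_ID}/dns_records/{rec_id}", record(rtype, content))
        elif action == "delete":
            cf_request("DELETE", f"/zones/{ZONE_ID}/dns_records/{rec_id}")


if __name__ == "__main__":
    fqdn = f"{socket.gethostname()}.{SUFFIX}"
    existing = cf_request("GET", f"/zones/{ZONE_ID}/dns_records?name={fqdn}")
    actions = plan_changes(existing, tailscale_ips())
    apply_changes(fqdn, actions)
    print(f"{fqdn}: {len(actions)} change(s) applied")
```

Run it from cron or a systemd timer on each node. Scoping the token to DNS edit on that one zone limits what a compromised Pi could change; proxied is False because these are private Tailscale addresses that Cloudflare cannot proxy anyway.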

Nginx, php and etherwake

I'm an 80s kid, so I'll use dirty PHP to run this script. I'm sure I'll go straight to hell for this, but yolo.

Install nginx and PHP (no need for MySQL and other stuff).

etherwake requires root to run (it sends the magic packet as a raw Ethernet frame, which needs a raw socket). Create a file /etc/sudoers.d/etherwake and add this line:

www-data ALL=(ALL) NOPASSWD: /usr/sbin/etherwake

This will allow www-data (the nginx/PHP user) to run /usr/sbin/etherwake using sudo, without a password. Because the rule names only the binary, www-data may pass it any arguments; sudoers also matches arguments, so appending the MAC address to the rule restricts it to waking that one machine.

In /var/www/html/ create an index.php file with:

<html>
<head><title>Wake on Lan</title></head>
<body>
<p>Wake up <a href="mycooldesktop.php">My Cool Desktop</a></p>
</body>
</html>

And a mycooldesktop.php (or whatever) file with:

<?php
// Run etherwake through sudo (permitted by the sudoers.d entry above); 2>&1 captures errors too.
$output = shell_exec('sudo /usr/sbin/etherwake aa:bb:cc:11:22:33 2>&1');
// Escape the command output before echoing it into the page.
echo "<pre>" . htmlspecialchars((string) $output) . "</pre>";
?>
<p><a href="..">Back</a></p>
It ain't pretty -- but it gets the job done. 

And be sure to edit the MAC address to match your desktop’s ethernet MAC address.

Cloudflare tunnels

Install Cloudflare Tunnel (via Zero Trust dashboard).

When creating a new tunnel, the dashboard will give you all needed commands to install the tunnel on your RPi — but be sure to select the right OS/architecture (arm64? arm? armhf?).

Easy.

And then point the tunnel to http://localhost. No need to mess around with SSL certs.

Lastly, set up Cloudflare Access (via the same Zero Trust dashboard): create a new application, and make sure only approved users can sign in (i.e.: using a pin code emailed to only approved emails).

I only allow access to my own emails, and my family, by using groups.

You can try it yourself via wol.superuser.one. You won’t get in. 🙂

Optional, but recommended: lock down Nginx to only accept connections from localhost (127.0.0.0/8 and ::1) if you use Cloudflare Tunnels, or from Cloudflare’s IP ranges if you use port forwarding with Cloudflare Access in front. Otherwise anyone who can reach the Pi directly bypasses Access entirely.
Love my design skills… But it gets the job done: click that link, and it’ll execute etherwake.

To recap

  • We used Tailscale to create a VPN network between the desktop and the iPad. The big benefit is that Tailscale works effortlessly across NAT networks without having to open ports,
  • We used Cloudflare DNS so we don’t need to remember hostnames :),
  • We used Cloudflare Tunnels to make sure the RPi web interface is accessible across NAT (without port forwarding) and from anywhere,
  • We used Cloudflare Access and locked down access to the right people using ACLs,
  • We used etherwake running on a RPi to wake up devices that are hibernating or turned off.

And that’s it really.

PS: technically WoL works with WiFi, but when I enabled WoL on the WiFi adapter, the NUC refused to hibernate/sleep for more than a minute, and kept waking itself up. So, there seems to be some kind of trigger in my network that keeps waking it up. Also, not sure if WoL via WiFi would work if the device is turned off (as opposed to sleep or hibernate). I just ended up using ethernet. 

PPS: both Cloudflare Tunnels and Tailscale use Wireguard tech in the background, so that's really cool. 

Screen going black with AutoCAD (LT)

I am not sure what the problem is — I’ve upgraded Shan’s 27″ 2K monitor to a 32″ 4K monitor, and AutoCAD LT recently updated from 2021 to 2022. Shan’s been using a 2017 i5 NUC (NUC7i5BNB) with 32GB RAM and the onboard GPU, which should be plenty for a bit of Windows, Chrome, Photoshop and AutoCAD LT.

For the past few weeks, several times a day her screen would go black for half a second or so and then everything would go back to normal. Sometimes it would happen several times in a row, sometimes not for hours on end.

I tried several things: getting an 8K 120Hz HDMI cable, using a USB-C to DP cable, changing the GPU vRAM minimum from 128MB to 2048MB (quite the hack, as it can’t be set in the BIOS — it requires messing around in the registry. Wow.), updating all the drivers, updating the BIOS, making sure the NUC was properly ventilated and kept cool (every full moon the NUC shuts down due to overheating in Singapore if I set the fan to ‘balanced’ instead of ‘cool’), and probably more. And because it happened so sporadically it was quite hard to debug (to the point that I sometimes didn’t want to believe her, as I never saw it go black myself).

Shan was getting frustrated (which in turn means I get frustrated)… and I started looking at getting either an eGPU (I can get a free Nvidia M6000, I just need the enclosure, but the enclosure would be $$), an AMD Ryzen 5 or 7 NUC (no more Intel in this house, but also $$$), or some other (massive) refurbished desktop a friend had lying around (an HP Z240 or something, zero $, but Shan would kill me for putting that massive thing on her desk).

Turns out the quick fix was simply to disable hardware acceleration.

Run the GRAPHICSCONFIG command in AutoCAD and uncheck hardware acceleration.

This is probably not ideal in the long run (hopefully it’s an issue with AutoCAD 2022 that is getting fixed, as opposed to the onboard Intel GPU getting messed up with AutoCAD).

When in doubt… Turn off hardware acceleration.


Belgian banks & SSL — part 3

EDIT: ING is now A- (not reflected in this blog post).
EDIT 2: Keytrade & Hello Bank also went to A. I’ll post a new blog post later tonight.
EDIT 3: Updated post here.

Part three, or how I single-handedly “fixed” SSL at the Belgian banks. 😉

Parts one and two are available here. Not related but useful nonetheless: a NY Times article about bank hackers.

Argenta promised to fix their SSL, so it’s the time to check everything again.

TL;DR: Only Argenta’s status changed for the better.

Those that did not change:

  • Rabobank: A+
  • Triodos: A+
  • Belfius: A-
  • BNP Paribas Fortis: A-
  • bpost bank: A-
  • AXA: B
  • beobank: B
  • CPH: B
  • KBC: B
  • Keytrade Bank: B
  • Crelan (internet banking): B
  • Hello bank!: C
  • Bank Van Breda (internet banking): C
    • BvB no longer supports secure renegotiation (which, afaik, it did before). However, it’s still rated as C, as this isn’t a real issue.
  • ING: F
  • Record Bank (internet banking): F

Those that did change:

  • Argenta (internet banking): F to B
    • No longer vulnerable to POODLE,
    • Support for protocol downgrade attacks prevention,
    • Still using SSL3 (obsolete and insecure),
    • Weak signature (SHA1),
    • RC4 cipher is supported (insecure),
    • No Forward Secrecy.

Still a little way to go for Argenta, but it’s on the right path.

Those that I hadn’t tested before:

  • VDK: B
  • ABK: F
  • MeDirect Bank: F
  • Ogone (payment facilitator): C

The entire list updated:

Grade A

  • Rabobank (A+): no known issues. Support for HTTP Strict Transport Security and prevented downgrade attacks.
  • Triodos (A+): no known issues. Support for HTTP Strict Transport Security and prevented downgrade attacks.
  • Belfius (A-): weak signature (SHA1), no Forward Secrecy.
  • BNP Paribas Fortis (A-): weak signature (SHA1), no Forward Secrecy.
  • bpost bank (A-): weak signature (SHA1), no Forward Secrecy.

Grade B

  • Argenta: no SSL on main page.
    • internet banking: SSL3 (insecure), weak signature (SHA1), RC4 (insecure), no Forward Secrecy.
  • AXA: weak signature (SHA1), SSL3 (insecure), RC4 (insecure), no Forward Secrecy.
  • beobank: weak signature (SHA1), no TLS 1.2, RC4 (insecure), no Forward Secrecy.
  • CPH: no TLS 1.2, RC4 (insecure), no Forward Secrecy.
  • KBC: weak signature (SHA1), no TLS 1.2, no Forward Secrecy.
  • Keytrade Bank: weak signature (SHA1), RC4 (insecure).
  • VDK: SSL3 (insecure), no TLS 1.2, weak signature (SHA1), RC4 (insecure), no Forward Secrecy.
  • Crelan: no SSL on main page.
    • internet banking: weak signature (SHA1), SSL3 (insecure), no TLS 1.2, RC4, no Forward Secrecy.

Grade C

  • Hello bank!: vulnerable to POODLE attack, weak signature (SHA1), RC4 (insecure).
  • Bank Van Breda: no SSL on main page.
    • internet banking: vulnerable to POODLE attack, weak signature (SHA1), no TLS 1.2, no Forward Secrecy, no support for secure renegotiation.
  • Ogone: payment facilitator
    • weak signature (SHA1), RC4, vulnerable to POODLE, no Forward Secrecy

Grade D

  • n/a

Grade E

  • n/a

Grade F

  • ABK: SSL2 (insecure), vulnerable to POODLE attack, weak signature (SHA1), RC4 (insecure), no Forward Secrecy, no TLS 1.2.
  • ING: vulnerable to POODLE attack, SSL3 (insecure), weak signature (SHA1), RC4 (insecure), no Forward Secrecy.
  • MeDirect Bank: vulnerable to POODLE attack, OpenSSL CCS vulnerability (quite bad).
  • Record Bank: no SSL on main page.
    • internet banking: vulnerable to POODLE attack, RC4 (insecure), no Forward Secrecy.

Information about SSL Labs grading can be found here. Grade A (+) being the best possible ranking, and F the worst.

Also, shame on you ING. More than any other bank.


Belgian banks & SSL — part 2

I previously wrote about Belgian banks & SSL. Updated version (15/02/2015) here.

Going through my Google Analytics I noticed some noteworthy network domains, which Google describes as “The fully qualified domain names of your visitors’ Internet service providers (ISPs)”.

(Five screenshots of the Google Analytics network-domain report, taken 2015-02-01.)

There are a few more (Belgian) government institutions and universities, and the top in the list are “(not set)” and “unknown”.

Clearly some people at the banks read the post during their work time. So it’s only fair to recheck the websites… Here goes:

Those that I hadn’t tested before:

  • CPH: B
  • Record Bank (internet banking): F

Those that did not change:

  • Rabobank: A+
  • Belfius: A-
  • AXA: B
  • beobank: B
  • KBC: B
  • Keytrade Bank: B
  • Crelan (internet banking): B
  • Hello bank!: C
  • Bank Van Breda (internet banking): C
  • ING: F
  • Argenta (internet banking): F

Those that did change:

  • Triodos: A to A+
    • downgrade prevention correctly applied.
  • BNP Paribas Fortis: F to A-
    • No longer vulnerable to POODLE,
    • Disabled SSL3 (insecure),
    • Disabled RC4 (insecure),
    • Still using a weak signature (SHA1),
    • No Forward Secrecy.
  • bpost bank: F to A-
    • No longer vulnerable to POODLE,
    • Disabled SSL3 (insecure),
    • Disabled RC4 (insecure),
    • Still using a weak signature (SHA1),
    • No Forward Secrecy.

Huge thumbs up for these last three banks! Well done, especially BNP & bpost! 🙂

Keep on shaming the others.


The entire list updated:

Grade A

  • Rabobank (A+): no known issues. Support for HTTP Strict Transport Security and prevented downgrade attacks.
  • Triodos (A+): no known issues. Support for HTTP Strict Transport Security and prevented downgrade attacks.
  • Belfius (A-): weak signature (SHA1), no Forward Secrecy.
  • BNP Paribas Fortis (A-): weak signature (SHA1), no Forward Secrecy.
  • bpost bank (A-): weak signature (SHA1), no Forward Secrecy.

Grade B

  • AXA: weak signature (SHA1), SSL3 (insecure), RC4 (insecure), no Forward Secrecy.
  • beobank: weak signature (SHA1), no TLS 1.2, RC4 (insecure), no Forward Secrecy.
  • CPH: no TLS 1.2, RC4 (insecure), no Forward Secrecy.
  • KBC: weak signature (SHA1), no TLS 1.2, no Forward Secrecy.
  • Keytrade Bank: weak signature (SHA1), RC4 (insecure).
  • Crelan: no SSL on main page.
    • internet banking: weak signature (SHA1), SSL3 (insecure), no TLS 1.2, RC4, no Forward Secrecy.

Grade C

  • Hello bank!: vulnerable to POODLE attack, weak signature (SHA1), RC4 (insecure).
  • Bank Van Breda: no SSL on main page.
    • internet banking: vulnerable to POODLE attack, weak signature (SHA1), no TLS 1.2, no Forward Secrecy.

Grade D

  • n/a

Grade E

  • n/a

Grade F

  • ING: vulnerable to POODLE attack, SSL3 (insecure), weak signature (SHA1), RC4 (insecure), no Forward Secrecy.
  • Argenta: no SSL on main page.
    • internet banking: vulnerable to POODLE attack, SSL3 (insecure), weak signature (SHA1), RC4 (insecure), no Forward Secrecy.
  • Record Bank: no SSL on main page.
    • internet banking: vulnerable to POODLE attack, RC4 (insecure), no Forward Secrecy.

Information about SSL Labs grading can be found here. Grade A (+) being the best possible ranking, and F the worst.


Belgian banks & SSL

Tested using SSL Labs on 20/01/2015. Updated version 01/02/2015 here and 15/02/2015 here.

Only providing the weak points. Once there is one SHA1 key in the chain, I will report everything as weak.

Check SSL Labs for a full report, including what they actually did good (if anything).

Grade A

  • Rabobank (A+): no known issues. Support for HTTP Strict Transport Security and prevented downgrade attacks.
  • Triodos (A).
  • Belfius (A-): weak signature (SHA1), no Forward Secrecy.

Grade B

  • AXA: weak signature (SHA1), SSL3 (insecure), RC4 (insecure), no Forward Secrecy.
  • beobank: weak signature (SHA1), no TLS 1.2, RC4 (insecure), no Forward Secrecy.
  • KBC: weak signature (SHA1), no TLS 1.2, no Forward Secrecy.
  • Keytrade Bank: weak signature (SHA1), RC4 (insecure).
  • Crelan: no SSL on main page.
    • internet banking: weak signature (SHA1), SSL3 (insecure), no TLS 1.2, RC4, no Forward Secrecy.

Grade C

  • Hello bank!: vulnerable to POODLE attack, weak signature (SHA1), RC4 (insecure).
  • Bank Van Breda: no SSL on main page.
    • internet banking: vulnerable to POODLE attack, weak signature (SHA1), no TLS 1.2, no Forward Secrecy.

Grade D

  • n/a

Grade E

  • n/a

Grade F

  • BNP Paribas Fortis: vulnerable to POODLE attack, SSL3 (insecure), weak signature (SHA1), RC4 (insecure), no Forward Secrecy.
  • bpost bank: vulnerable to POODLE attack, SSL3 (insecure), weak signature (SHA1), RC4 (insecure), no Forward Secrecy.
  • ING: vulnerable to POODLE attack, SSL3 (insecure), weak signature (SHA1), RC4 (insecure), no Forward Secrecy.
  • Argenta: no SSL on main page.
    • internet banking: vulnerable to POODLE attack, SSL3 (insecure), weak signature (SHA1), RC4 (insecure), no Forward Secrecy.

Information about SSL Labs grading can be found here. Grade A (+) being the best possible ranking, and F the worst.

PS: none of the domains support IPv6 (while expected, it would have been nice — Belgium has the highest IPv6 adoption rate for end users, but almost no IPv6 websites or businesses).