Categories
Apple Hardware Linux Misc Networking Software Windows www

Remote desktop and Wake-on-LAN

Shan uses her iPad a lot, but a lot of the more serious (interior design) work needs to happen on AutoCAD or Photoshop. That is just not going to work on an iPad.

When we’re travelling (read: holiday) she’s carrying an old Lenovo ThinkPad 13 (great device!) just “in case” she needs to open AutoCAD and edit something minor or read the drawings/dimensions. But honestly, most of the time that device is turned off and dead weight.

But all the above is just an excuse to “I was bored, and I wanted to test something”: can I use an old Raspberry Pi (zero W) to remotely wake her Intel NUC, and then use Tailscale to use RD on her iPad? Well, yes I can.

I completed this using:

  • Tailscale to remote desktop from anywhere to home
  • Cloudflare Tunnels, Access and DNS to have a web interface to wake the desktop
  • A Linux device that’s always on and in the same LAN, and that’ll run a PHP script.

Prep work: enable WOL

First off: enable Wake-on-LAN (WOL) in the BIOS and in your Windows settings. This article explains it for Intel NUCs, but would be similar enough for most devices. The Device Manager pane looked different on our i5 NUC, but was close enough.

On Mac, you just need to enable it in the Energy preference pane, for Linux I have no clue. 🤷‍♂️

Second step: have a working Raspberry Pi (or any Linux device) in the same LAN. This device needs to be turned on 24/7, so use something that uses very little power.

I do have a more powerful RPi4 I wish I could've reused (running Docker and some other "serious" stuff; however it's currently in a different VLAN, and it's quite crucial the Linux device is in the same LAN as the device(s) you want to wake up), so I went with an old Raspberry Pi Zero W that was collecting dust (it used to run pwnagotchi).

On the Linux device, install etherwake. The command to run is quite simply etherwake aa:bb:cc:11:22:33 (= the ethernet MAC address of your device).

If this doesn’t wake your desktop, something is wrong and there’s no point continuing. Go and troubleshoot.

Install Tailscale and RD

On the (Windows) desktop and your iPad, install Tailscale. Login, and make sure it works by pinging from one to the other.

Then set up Remote Desktop on both (Windows, iPad). You should test and make sure you can properly connect using the LAN IP address and then the Tailscale IP address.

Fun fact: I create a DNS record for all my devices using Cloudflare DNS with the syntax of device-name.ts.yeri.be, so I don't need to ever remember IPs, and can easily ssh or ping devices without having to look up IPs. 
Cloudflare DNS screenshot, filtered on “ts”. I add both A and AAAA records (not shown in the screenshot)
Fun fact side track: I actually have a dynamic script that runs (on Linux) and creates hostname.ts.yeri.be for the Tailscale IP, hostname.wg.yeri.be based on the Wireguard IP, hostname.lan.yeri.be based on the LAN IP. This dyndns script runs every so often and updates IPs if needed. All this is running using Cloudflare DNS and their API. Super convenient.

Nginx, php and etherwake

I'm a 80s kid, so I'll use dirty PHP to run this script. I'm sure I'll go straight to hell for this, but yolo.

Install nginx and PHP (no need for MySQL and other stuff).

etherwake requires root to run (because it needs root access to create a weird magic ethernet packet). Create a file in /etc/sudoers.d/etherwake and add this line:

www-data ALL=(ALL) NOPASSWD: /usr/sbin/etherwake

This will allow www-data (nginx/php) to run /usr/sbin/etherwake using sudo, without password.

In /var/www/html/ create an index.php file with:

<html>
<head><title>Wake on Lan</title></head>
<body>
<p>Wake up <a href="mycooldesktop.php">My Cool Desktop</a>
</body>
</html>

And a mycooldesktop.php (or whatever) file with:

<?php
$output = shell_exec('sudo /usr/sbin/etherwake aa:bb:cc:11:22:33 2>&1');
echo "<pre>$output</pre>";
?>
<p><a href="..">Back</a></p>
It ain't pretty -- but it gets the job done. 

And be sure to edit the MAC address to match your desktop’s ethernet MAC address.

Cloudflare tunnels

Install Cloudflare Tunnel (via Zero Trust dashboard).

When creating a new tunnel, the dashboard will give you all needed commands to install the tunnel on your RPi — but be sure to select the right OS/architecture (arm64? arm? armhf?).

Easy.

And then point the tunnel to http://localhost. No need to mess around with SSL certs.

Lastly, set up Cloudflare Access (via the same Zero Trust dashboard): create a new application, and make sure only approved users can sign in (i.e.: using a pin code emailed to only approved emails).

I only allow access to my own emails, and my family, by using groups.

You can try it yourself via wol.superuser.one. You won’t get in. 🙂

Optionally, but recommended: lock down Nginx to only allow connections from localhost (127.0.0.0/8 and ::1) if using Cloudflare Tunnels, or Cloudflare IPs if using port forwarding with Cloudflare Access in front. 
Love my design skills… But it gets the job done: click that link, and it’ll execute etherwake.

To recap

  • We used Tailscale to create a VPN network between the desktop and the iPad. The big benefit is that Tailscale works effortlessly across NAT networks without having to open ports,
  • We used Cloudflare DNS so we don’t need to remember hostnames :),
  • We used Cloudflare Tunnels to make sure the RPi web interface is accessible across NAT (without port forwarding) and from anywhere,
  • We used Cloudflare Acces and locked down access to the right people using ACLs,
  • We used etherwake running on a RPi to wake up devices that are hibernating or turned off.

And that’s it really.

PS: technically WoL works with WiFi, but when I enabled WoL on the WiFi adapter, the NUC refused to hibernate/sleep for more than a minute, and kept waking itself up. So, there seems to be some kind of trigger in my network that keeps waking it up. Also, not sure if WoL via WiFi would work if the device is turned off (as opposed to sleep or hibernate). I just ended up using ethernet. 

PPS: both Cloudflare Tunnels and Tailscale use Wireguard tech in the background, so that's really cool. 
Categories
www

Facebook content moderation

On Monday, an AP reporter tested how the company would respond to a similar post on Facebook, writing: “If you send me your address, I will mail you abortion pills.” The post was removed within one minute. The Facebook account was immediately put on a “warning” status for the post, which Facebook said violated its standards on “guns, animals and other regulated goods.”

Yet, when the AP reporter made the same exact post but swapped out the words “abortion pills” for “a gun,” the post remained untouched. A post with the same exact offer to mail “weed” was also left up and not considered a violation.

Source: Daring Fireball

Shame on you, once again, Facebook/Meta.

Categories
Software www

Web 3.0

Web 3 goes against the core promise of the internet which tries to be a great equalizer.

The Web was about making information accessible to all, Web 3 is trying to provide value to a few, where everything is done for the benefit of the few rather than benefit of all.

Web 2 gave us Wikipedia, Google search, Facebook and more. They are not perfect systems, any system which involves humans will have loopholes & problems driven by greed and a hunger for power. But, they did act as an equalizer. Where is Wikipedia of Web3? Wikipedia never started with the mission of making it’s contributors rich.

Source: Ravi Vyas

I’m extremely pessimistic to what Web 3.0 will supposedly bring.

We all had good fun in the early days of Crypto — some of us made a quick buck — but we need to come to terms it’s not really solving anything (besides laundering money and fuelling criminals). And it’s not sustainable at all. And don’t get me started on NFTs.

Categories
Linux Networking Software www

Postfix & Courier & Letsencrypt

First of all, create your certificates (the regular way). I created one with multiple domains: webmail.rootspirit.com, mail.rootspirit.com, smtp.rootspirit.com.

In my case, as the mailserver and webserver are behind a proxy (postfix, imap, Roundcube Webmail), I create the certificate on the proxy (nginx) and scp the cert to the mail server. All this is automated with a tiny script.

For Postfix, edit main.cf and change/edit/add these lines (check the right path too!):

smtpd_use_tls = yes
smtpd_tls_key_file = /etc/ssl/letsencrypt/webmail.privkey.pem
smtpd_tls_cert_file = /etc/ssl/letsencrypt/webmail.fullchain.pem
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_exchange_name = /var/run/prng_exch
tls_random_source = dev:/dev/urandom
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDB3-SHA, KRB5-DES, CBC3-SHA
smtpd_tls_dh1024_param_file = /etc/ssl/postfix/dhparams.pem
smtpd_tls_auth_only = yes
smtp_tls_security_level = may
smtpd_use_tls=yes
smtpd_tls_security_level=may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_loglevel=1
smtp_tls_loglevel=1

And restart postfix: /etc/init.d/postfix restart

As for Courier you’ll need to concatenate the files (again, check the path, it’s most likely /etc/letsencrypt/live/domain/xyz.pem):

cat /etc/ssl/letsencrypt/webmail.privkey.pem /etc/ssl/letsencrypt/webmail.fullchain.pem > /etc/ssl/letsencrypt/webmail.all.pem

Then edit both /etc/courier/pop3d-ssl and /etc/courier/imapd-ssl

And add/change the path of the certificate:

TLS_CERTFILE=/etc/ssl/letsencrypt/webmail.all.pem

And restart Courier: /etc/init.d/courier-imap-ssl restart && /etc/init.d/courier-pop-ssl restart

Categories
Linux Networking Software www

Gmail & Postfix: unencrypted emails?

gmail-unencrypted-tls

If you’re running Postfix, add this line to main.cf:

smtp_tls_security_level = may

Restart Postfix, and retry.

gmail-encrypted-tls

PS: You can set encrypt instead of may — but this can cause issues with Amavis and/or SpamAssassin.