Categories
Linux Networking Software

Running WireGuard in a Docker container (RPi)

This follows the my two other posts about WireGuard.

Most of this can be copied from the amd64 post — with a minor change for making it work on RPi4. This is the full git repo (including both rpi and amd64).

The main difference is in the run.sh file. The installation is a bit different and we’ll need to install the Raspberry Pi kernel headers.

WireGuard is also installed from testing instead of Debian backports.

Note that for older RPi’s (ie gen 1) you’ll need to compile from scratch.

Categories
Linux Networking Software

WireGuard

This is the first post of several. Next posts will focus on running WireGuard inside a Docker container on amd64 Linux and a Raspberry Pi.

I’ve been running WireGuard for a few months now and I’ve been loving it.

I first started using it about a year ago when in China — OpenVPN was once again being actively blocked and it was driving me nuts. Overnight I set up a DigitalOcean server in Singapore and ran WireGuard from it — both my phone and laptop were able to actively bypass the GFW and (at that time) surf the internet freely once more. As WireGuard gains popularity, I am sure the GFW will start detecting it — it’s a quiet but not a stealthy protocol.

Since then I’ve dug quite a bit deeper in WireGuard and am really looking forward to what it’s going to bring.

WireGuard differentiates itself to be an extremely simple VPN server (which can make getting started and debugging a bit more challenging) — but it wants to seamlessly work together with existing tools. One of the main features still missing is for example running a DHCP server on the server and dynamically assigning IPs (like oVPN does).

WireGuard network
Simplified diagram of my network. Using static routing my clients can access the WireGuard network even without running WireGuard directly. (Some of) my containers are also able to access the network, this allows me to run Resilio Sync over WireGuard. It’s using one big subnet to create one big LAN.

It’s also pretty cool because any node can both be a server and a client at the same time. In my setup I am running two servers: one running at home in Singapore on a RPi4 (1Gbit fiber connection) and one on a virtual machine in Amsterdam (1Gbit as well). The RPis at my parents are connected to the server in Amsterdam, my iPad and phones are connected to the server in Singapore. If I am in Europe I might switch over and let my iDevices connect to the AMS server instead.

WireGuard and traffic shaping
Click to enlarge.
Bandwidth stats from Resilio Sync, transferring several big files. We can clearly see a speed increase (from 2-5mb/s to 11mb/s) when routing the exact same traffic over WireGuard. Traffic shaping at its best.

The example above clearly shows speed gains by cloaking the traffic in UDP packets. The shared folder has only two nodes (sender and receiver) and shows several big files being transferred from Amsterdam to Singapore. Resilio Sync uses the Bittorrent protocol, something ISPs generally hate and tend to slow down as much as they can — thanks Starhub.

Wireguard also allows the client to decide what to route through the server: only the VPN LAN traffic, or a whole subnet, or 0.0.0.0/0? So for my iPhone I for example route all traffic through VPN to avoid hotel/airport/… WiFi’s to mine/log/scan my data. For my laptop I have two configs, one to only connect to the LAN, but another that routes all my traffic through the VPN if I want to avoid exposure or circumvent censoring.

Note that I am not running WireGuard to remain anonymous and I’ll definitely leak some information — just trying to minimise and remain in control of what I leak. This is not a Tor replacement.

Categories
Apple Linux Networking Software VM

Box — Docker shell server

A couple of months ago I had the great idea to set up a shell server in Docker. Simply because my docker skillz were quite rusty and a shell server was something I actually genuinely needed.

Shell servers… so 2005. I remember in the good old IRC days people asking for (free) shell servers to run their eggdrop and stuff. OMG am I getting old? Anyhow…

I ssh quite often. I manage quite a few servers (~15?) and routers that require me to login and do some random stuff. I also work on a laptop quite often and that means closing the lid and moving around.

First of all, mosh is amazing and allows you to stay connected via ssh, even with crappy (airport/hotel) internet as well as moving around networks — that solves half the problem. If you are not using it, start using it now!

Second, during my datacenter technician days at Google we used to have a “jump server” — a shell server that allowed us to bridge the corporate network and ssh into prod machines. Doubt that’s still used nowadays, but the idea stuck. I wanted something similar to ssh from, wherever I was, and easily connect to my servers. And as the network the shell server is running on is stable, I only need to use mosh to the shell server. Thereafter, the connection very rarely dies.

And I guess, third, I recently purchased an iPad Pro and I really need to have my local “dev” environment with my git repo that I edit quite frequently but iPadOS isn’t really your average computer, and doesn’t even have a proper terminal. This is my experiment to make iPadOS work as a main computer when on the move.

Enter box — Docker shell server

I’ve copied over the files I use to this example repo, and added some comments. Mind you that this repo acts as a proof of concept and isn’t kept up to date, as I have my own private repo — but this should give you a good idea on how to set up your own shell server with Docker.

start.sh — this is a simple script that I execute when I first run or need to update the container. I execute the same file on two different servers: Liana, my Raspberry Pi at home and Ocean, my server in Amsterdam.

zsh.sh — this installs what I care about for zsh. This could be part of the Dockerfile but for some reason I separated it. ¯\_(ツ)_/¯

git.sh — this clones my Git repos so I can edit and commit stuff from the shell server.

run.sh — this file is launched by Dockerfile at the end and executes what matters: the ssh daemon. It also adds a Wireguard route and executes the scripts above.

Dockerfile — this installs everything I need and configures the whole thing. I’ve added tons of comments that should get you going.

I am also cloning misc and homefiles as submodules in files/ — but you should change this to something that works for you. See the Dockerfile for more info.

Categories
Linux Networking Software

CIFS: mount error(13): Permission denied

You’ve just updated your Raspberry Pi (or whatever Linux) and you’re noticing your CIFS (smb) mounts aren’t getting auto mounted anymore. You curse and start noticing this error:

# mount -t cifs //192.168.1.100/public -o username=public,password=public sam/
mount error(13): Permission denied
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

The solution is to add after -o username=X,password=Y the following: sec=ntlm; thus it becomes -o username=X,password=Y,sec=ntlm.

You can do the same in fstab:

//192.168.1.100/public /mnt/sam/ cifs domain=TIETE,username=public,password=public,sec=ntlm 0 0

No idea why it’s suddenly required, but whatevs.

Categories
Hardware Linux Networking Software

Raspberry Pi & @Flightradar24

In a couple of lines: how to get FR24 (+ dump1090) to work on your Raspberry Pi.

Be sure to have the right hardware: flightradar24.com/dvbt-stick and … obviously … a RPi.

I got a NooElec from Amazon because I didn’t have the patience to wait for something (that might not work) from AliExpress.

As root:

apt-get update && apt-get install cmake gcc pkg-config libusb-1.0 make git-core libc-dev
git clone git://git.osmocom.org/rtl-sdr.git
cd rtl-sdr
mkdir build
cd build
cmake ../ -DINSTALL_UDEV_RULES=ON
make && make install
ldconfig
cd ../..

And be sure to Blacklist the normal driver:

echo "blacklist dvb_usb_rtl28xxu" > /etc/modprobe.d/dvb-t.conf

And at this point you should reboot.

As regular user (screen part is no longer needed as the new FR24 program will automatically launch and execute it for you):

git clone https://github.com/MalcolmRobb/dump1090.git
cd dump1090
make
ln -s dump1090 /bin/
screen -dmS dump ./dump1090 --interactive --net --net-beast --net-ro-port 31001 --net-http-port 8888
cd ..

Now get the FR24 software. In case you get a 404, get the latest version here new Raspberry Pi version is here, Linux (AMD64 & ARMv7) is here.
You can get your long & lat here.
Follow the updated howto on the page. The underlying code is no longer relevant.

wget https://web.archive.org/web/20141002002531/https://dl.dropboxusercontent.com/u/66906/fr24feed_arm-rpi_242.tgz
tar xvzf fr24feed*
./fr24feed_arm-rpi_242 --signup

I’ll ask a couple of questions (answer them correctly):

Step 1/5 - Enter Latitude (DD.DDDD)
$:50.927358
Step 2/5 - Enter Longitude (DD.DDDD)
$:4.399928
Step 3/5 - Enter your email address ([email protected])
$:[email protected]
Step 4/5 - Enter your the hostname of the data feed (leave empty for localhost)
$:
Step 5/5 - Enter your the port number of the data feed (leave empty for 30003)
$:

Validating form data...OK

The closest airport found is 'Brussels Airport (ICAO:EBBR IATA:BRU)' near Brussels.

Latitude: 50.901379
Longitude: 4.484444
Country: Belgium

Flightradar24 may, if needed, use your email address to contact you regarding your data feed.

Would you like to continue using these settings?

(yes/no)$:yes

[...].

It will give you a key (and e-mail it to you) after a couple of minutes. Keep this key, as it’s important.

That’s it. As dump1090 is already running, all you have to do is start flightradar and you’re good to go.

This is the script I use to start it all (in screen, allowing me to check it). As normal user:

nano -w flightradar.sh

And copy paste the following (+ edit the variables):

#!/bin/bash
KEY=YOUR-KEY-EDIT-THIS
DIR=/home/PATH-TO-YOU-SCRIPT

pro script

cd $DIR

Start dump1090

cd dump1090

I run on port 8888 because 8080 is taken on my rasp

THIS IS NO LONGER NEEDED

#screen -dmS dump ./dump1090 --interactive --net --net-beast --net-ro-port 31001 --net-http-port 8888
cd ..

Start Flightradar24

screen -dmS flightradar24 ./fr24feed_arm-rpi_242 --fr24key=$KEY

And run: chmod +x flightradar.sh

To start the script, simply run ./flightradar.sh, and check what’s happening with screen -r dump or screen -r flightradar.

To auto start this script at boot time, I edit rc.local as root:

nano -w /etc/rc.local

And add the following at the end but BEFORE exit 0:

su yeri -c /home/yeri/flightradar.sh

Obviously, modify the path and the user it should run under (in this case as “yeri”).

PS: Be sure to signup again every time you move your Raspberry around (the coords seem to be hardcoded in the key).
PPS: You can get Premium access here now: flightradar24.com/premium (and check fancy graphs about your “radar”).