Tuesday, July 4, 2017

DDNS Site-to-Site IPsec VPN by Ubiquiti Networks EdgeRouter ER-X

I've been using the ER-X from Ubiquiti Networks for more than half a year. It comes in a metal chassis and its functionality is as solid as it looks, even though it costs less than $50. One is used in my house and the other in my parents' house.

Now it is time to establish a site-to-site IPsec VPN between them. A web search suggests that site-to-site IPsec with DDNS on both ends is troublesome.

To be honest, I have 3 more ER-X for trying this site-to-site VPN without breaking the existing internet connection, so I have 5 ER-X in total 😀. The ER-X on the left of the picture emulates the ISP and the internet: it offers PPPoE service and DNS. The two ER-X on the right correspond to the routers in my home and my parents' home. After this experiment, some will be sent to my brothers.



As far as I could tell from many posts, using a pre-shared key (PSK) with DDNS is the source of the trouble. With IKEv1 main mode the router has to look up the PSK by the peer's IP address before it has even received the peer's identity, so a PSK only works when the remote site is specified by a fixed IP address.

When you need to establish a site-to-site VPN and both sides use DDNS, RSA or X.509 authentication looks promising, because the peer is then identified by a name and a key rather than by an address.
A post on the Ubiquiti forum looked attractive to me, but it uses VTI and its settings were not sufficient for my case.

Here is what I found working on my test bench. Note that the firmware version is 1.9.1.1.
site0: local network 192.168.20.0/24, DDNS name of WAN: site0.example.com
site1: local network 192.168.30.0/24, DDNS name of WAN: site1.example.com

Preparing an RSA key on both sides

In the CLI of both sites, run the following command to generate an RSA key pair.
ubnt@site0:~$ generate vpn rsa-key bits 4096

Generating rsa-key to /config/ipsec.d/rsa-keys/localhost.key

Your new local RSA key has been generated
The public portion of the key is:

SOME_VERY_LONG_STRING
Copy SOME_VERY_LONG_STRING (the public half of the key) into a local text file; it goes into the other router's configuration in the next step. Transfer it over a channel you trust, because the other router will accept as its peer whoever holds the private key matching what you paste. The private key itself, /config/ipsec.d/rsa-keys/localhost.key, stays on the router that generated it.


Register the public key of the counterpart

On site0,
configure
set vpn rsa-keys local-key file /config/ipsec.d/rsa-keys/localhost.key
set vpn rsa-keys rsa-key-name site1 rsa-key SOME_VERY_LONG_STRING_SHOWN_IN_SITE1
commit

On site1,

configure
set vpn rsa-keys local-key file /config/ipsec.d/rsa-keys/localhost.key
set vpn rsa-keys rsa-key-name site0 rsa-key SOME_VERY_LONG_STRING_SHOWN_IN_SITE0
commit

Open the firewall for the remote site

Perhaps surprisingly, packets from the remote site arrive via pppoe0 (or whatever interface you use to connect to the internet). This is policy-based IPsec with no tunnel interface: once an ESP packet has been decrypted, the inner packet is seen on the same WAN interface and evaluated by that interface's firewall rulesets. auto-firewall-nat-exclude only lets the IKE and ESP packets themselves reach the router and excludes the tunnelled subnets from NAT; it does nothing for the decrypted inner packets. The interface used for the internet connection usually has the strictest rules, so a rule accepting such packets is necessary. (configure, commit, and save are omitted in the following lists.)

On site0,
set firewall name WAN_LOCAL rule 60 action accept
set firewall name WAN_LOCAL rule 60 description FromSite1
set firewall name WAN_LOCAL rule 60 destination address 192.168.20.0/24
set firewall name WAN_LOCAL rule 60 log disable
set firewall name WAN_LOCAL rule 60 protocol all
set firewall name WAN_LOCAL rule 60 source address 192.168.30.0/24
On site1,
set firewall name WAN_LOCAL rule 60 action accept
set firewall name WAN_LOCAL rule 60 description FromSite0
set firewall name WAN_LOCAL rule 60 destination address 192.168.30.0/24
set firewall name WAN_LOCAL rule 60 log disable
set firewall name WAN_LOCAL rule 60 protocol all
set firewall name WAN_LOCAL rule 60 source address 192.168.20.0/24

Note that "WAN_LOCAL" and "rule 60" depend on your configuration, so adding the rule via the GUI may be easier. Two caveats: WAN_LOCAL is the ruleset for traffic addressed to the router itself, while packets for hosts on the LAN go through the ruleset attached as "in" on the WAN interface (WAN_IN in the default layout), which needs the same rule if the remote site is to reach more than the router. And as written, the rule matches any packet on pppoe0 that claims a source in the remote network, whether or not it came out of the tunnel; the rule's ipsec match-ipsec option restricts it to packets that actually arrived through IPsec and closes that gap.

Configure the other VPN settings

On site0,
set vpn ipsec auto-firewall-nat-exclude enable
set vpn ipsec esp-group FOO0 compression disable
set vpn ipsec esp-group FOO0 lifetime 3600
set vpn ipsec esp-group FOO0 mode tunnel
set vpn ipsec esp-group FOO0 pfs enable
set vpn ipsec esp-group FOO0 proposal 1 encryption aes128
set vpn ipsec esp-group FOO0 proposal 1 hash sha1
set vpn ipsec ike-group FOO0 ikev2-reauth no
set vpn ipsec ike-group FOO0 key-exchange ikev1
set vpn ipsec ike-group FOO0 lifetime 28800
set vpn ipsec ike-group FOO0 proposal 1 dh-group 14
set vpn ipsec ike-group FOO0 proposal 1 encryption aes128
set vpn ipsec ike-group FOO0 proposal 1 hash sha1
set vpn ipsec site-to-site peer site1.example.com authentication id site0
set vpn ipsec site-to-site peer site1.example.com authentication mode rsa
set vpn ipsec site-to-site peer site1.example.com authentication remote-id site1
set vpn ipsec site-to-site peer site1.example.com authentication rsa-key-name site1
set vpn ipsec site-to-site peer site1.example.com connection-type initiate
set vpn ipsec site-to-site peer site1.example.com description ToSite1
set vpn ipsec site-to-site peer site1.example.com ike-group FOO0
set vpn ipsec site-to-site peer site1.example.com ikev2-reauth inherit
set vpn ipsec site-to-site peer site1.example.com local-address any
set vpn ipsec site-to-site peer site1.example.com tunnel 1 allow-nat-networks disable
set vpn ipsec site-to-site peer site1.example.com tunnel 1 allow-public-networks disable
set vpn ipsec site-to-site peer site1.example.com tunnel 1 esp-group FOO0
set vpn ipsec site-to-site peer site1.example.com tunnel 1 local prefix 192.168.20.0/24
set vpn ipsec site-to-site peer site1.example.com tunnel 1 remote prefix 192.168.30.0/24

On site1,
set vpn ipsec auto-firewall-nat-exclude enable
set vpn ipsec esp-group FOO0 compression disable
set vpn ipsec esp-group FOO0 lifetime 3600
set vpn ipsec esp-group FOO0 mode tunnel
set vpn ipsec esp-group FOO0 pfs enable
set vpn ipsec esp-group FOO0 proposal 1 encryption aes128
set vpn ipsec esp-group FOO0 proposal 1 hash sha1
set vpn ipsec ike-group FOO0 ikev2-reauth no
set vpn ipsec ike-group FOO0 key-exchange ikev1
set vpn ipsec ike-group FOO0 lifetime 28800
set vpn ipsec ike-group FOO0 proposal 1 dh-group 14
set vpn ipsec ike-group FOO0 proposal 1 encryption aes128
set vpn ipsec ike-group FOO0 proposal 1 hash sha1
set vpn ipsec site-to-site peer site0.example.com authentication id site1
set vpn ipsec site-to-site peer site0.example.com authentication mode rsa
set vpn ipsec site-to-site peer site0.example.com authentication remote-id site0
set vpn ipsec site-to-site peer site0.example.com authentication rsa-key-name site0
set vpn ipsec site-to-site peer site0.example.com connection-type initiate
set vpn ipsec site-to-site peer site0.example.com description ToSite0
set vpn ipsec site-to-site peer site0.example.com ike-group FOO0
set vpn ipsec site-to-site peer site0.example.com ikev2-reauth inherit
set vpn ipsec site-to-site peer site0.example.com local-address any
set vpn ipsec site-to-site peer site0.example.com tunnel 1 allow-nat-networks disable
set vpn ipsec site-to-site peer site0.example.com tunnel 1 allow-public-networks disable
set vpn ipsec site-to-site peer site0.example.com tunnel 1 esp-group FOO0
set vpn ipsec site-to-site peer site0.example.com tunnel 1 local prefix 192.168.30.0/24
set vpn ipsec site-to-site peer site0.example.com tunnel 1 remote prefix 192.168.20.0/24

The settings I found necessary for the two sites to connect (highlighted in brown in the original post) are the ones that tie the peer to a name and a key instead of an address: authentication mode rsa, the id/remote-id pair, rsa-key-name, and local-address any, so that the tunnel is not bound to a WAN address that will change. The rest are ordinary choices; sha1 is still accepted as the IKE/ESP integrity algorithm, but if both ends offer sha256 there is no reason not to use it.
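The firewall rule and the peer configuration above have to mirror each other exactly, and a typo in an id, a key name or a prefix only shows up as a silent failure to connect. The following checker is an added example written for this post, not EdgeOS code or the author's own: it parses "set ..." lines copied from both routers and reports anything that does not mirror (the id/remote-id pair, rsa-key-name against the registered public key, local-address any, the swapped tunnel prefixes, a common IKE and ESP proposal, and an accept rule in each WAN ruleset). The two sample configs are condensed from the lines above; the placeholder rsa-key value, the ruleset names WAN_LOCAL/WAN_IN and the warning about a rule that lacks ipsec match-ipsec are my assumptions.

```python
"""Cross-check the two ends of an EdgeOS DDNS site-to-site IPsec configuration.
Added example for this post, not EdgeOS code: it reads 'set ...' lines as typed in
configure mode and checks the settings that must agree between the sites when both
WAN addresses are dynamic and RSA authentication is used."""


def parse_set(text):
    """Map every 'set <path...> <value>' line to {('path', ...): 'value'}."""
    cfg = {}
    for line in text.splitlines():
        toks = line.split()
        if len(toks) >= 3 and toks[0] == "set":
            cfg[tuple(toks[1:-1])] = toks[-1]
    return cfg


def subtree(cfg, *prefix):
    """Entries beneath prefix, keyed by the remainder of their path."""
    return {k[len(prefix):]: v for k, v in cfg.items() if k[:len(prefix)] == prefix}


def proposals(cfg, kind, name):
    """Each proposal of an ike-group/esp-group as a sorted tuple of (setting, value)."""
    props = {}
    for k, v in subtree(cfg, "vpn", "ipsec", kind, name).items():
        if k[0] == "proposal":
            props.setdefault(k[1], []).append((k[2], v))
    return {tuple(sorted(p)) for p in props.values()}


def firewall_findings(cfg, ruleset, src, dst, tag):
    """Look for an accept rule src->dst in ruleset; warn if it does not insist on IPsec."""
    rules = {}
    for k, v in subtree(cfg, "firewall", "name", ruleset, "rule").items():
        rules.setdefault(k[0], {})[k[1:]] = v
    hits = [n for n, r in rules.items() if r.get(("action",)) == "accept"
            and r.get(("source", "address")) == src and r.get(("destination", "address")) == dst]
    if not hits:
        return [f"WARN {tag}: no accept rule in {ruleset} for {src} -> {dst}"]
    return [f"WARN {tag}: {ruleset} rule {n} lacks 'ipsec match-ipsec'; a spoofed cleartext "
            f"packet from {src} arriving on the WAN interface would match it too"
            for n in hits if rules[n].get(("ipsec",)) != "match-ipsec"]


def check_pair(text_a, text_b, rulesets=("WAN_LOCAL", "WAN_IN")):
    """Return 'ERROR ...'/'WARN ...' findings; no ERROR means the two configs mirror."""
    out, sides = [], [parse_set(text_a), parse_set(text_b)]
    for idx, tag in enumerate("AB"):
        me, other = sides[idx], sides[1 - idx]
        mine, theirs = subtree(me, "vpn", "ipsec", "site-to-site", "peer"), subtree(other, "vpn", "ipsec", "site-to-site", "peer")
        peer, opeer = subtree(mine, next((k[0] for k in mine), None)), subtree(theirs, next((k[0] for k in theirs), None))
        a = lambda *p: peer.get(p)   # my peer setting at path p
        o = lambda *p: opeer.get(p)  # the other side's peer setting at path p
        my_id, remote_id, key = a("authentication", "id"), a("authentication", "remote-id"), a("authentication", "rsa-key-name")
        if a("authentication", "mode") != "rsa":
            out.append(f"ERROR {tag}: authentication mode {a('authentication', 'mode')!r}; a pre-shared secret is selected by the peer's IP address, which DDNS cannot pin down")
        if my_id is None or my_id != o("authentication", "remote-id"):
            out.append(f"ERROR {tag}: id {my_id!r} is not the other side's remote-id {o('authentication', 'remote-id')!r}")
        if key != remote_id:
            out.append(f"ERROR {tag}: rsa-key-name {key!r} differs from remote-id {remote_id!r}")
        if ("vpn", "rsa-keys", "rsa-key-name", key, "rsa-key") not in me:
            out.append(f"ERROR {tag}: no public key registered under rsa-key-name {key!r}")
        if a("local-address") != "any":
            out.append(f"ERROR {tag}: local-address must be 'any' when the WAN address is dynamic")
        if not proposals(me, "ike-group", a("ike-group")) & proposals(other, "ike-group", o("ike-group")):
            out.append(f"ERROR {tag}: no IKE proposal in common with the other side")
        for k, local in peer.items():
            if k[0] != "tunnel" or k[2:] != ("local", "prefix"):
                continue
            tun, remote = k[1], a("tunnel", k[1], "remote", "prefix")
            if o("tunnel", tun, "remote", "prefix") != local or o("tunnel", tun, "local", "prefix") != remote:
                out.append(f"ERROR {tag}: tunnel {tun} prefixes are not mirrored on the other side")
            if not proposals(me, "esp-group", a("tunnel", tun, "esp-group")) & proposals(other, "esp-group", o("tunnel", tun, "esp-group")):
                out.append(f"ERROR {tag}: tunnel {tun} has no ESP proposal in common")
            for rs in rulesets:  # decrypted packets are filtered by the WAN rulesets
                out += firewall_findings(me, rs, remote, local, tag)
    return out


def site_config(me, other, my_net, other_net, other_ddns):
    """The post's lines for one site, condensed into a template (constructed sample input)."""
    peer = f"set vpn ipsec site-to-site peer {other_ddns}"
    crypto = ["dh-group 14", "encryption aes128", "hash sha1"]  # the post's IKE proposal; ESP uses the last two
    return "\n".join(
        [f"set vpn rsa-keys rsa-key-name {other} rsa-key 0sPLACEHOLDER",  # really the long string printed earlier
         "set firewall name WAN_LOCAL rule 60 action accept",
         f"set firewall name WAN_LOCAL rule 60 source address {other_net}",
         f"set firewall name WAN_LOCAL rule 60 destination address {my_net}"]
        + [f"set vpn ipsec ike-group FOO0 proposal 1 {c}" for c in crypto]
        + [f"set vpn ipsec esp-group FOO0 proposal 1 {c}" for c in crypto[1:]]
        + [f"{peer} authentication id {me}", f"{peer} authentication mode rsa",
           f"{peer} authentication remote-id {other}", f"{peer} authentication rsa-key-name {other}",
           f"{peer} ike-group FOO0", f"{peer} local-address any", f"{peer} tunnel 1 esp-group FOO0",
           f"{peer} tunnel 1 local prefix {my_net}", f"{peer} tunnel 1 remote prefix {other_net}"])


SITE0 = site_config("site0", "site1", "192.168.20.0/24", "192.168.30.0/24", "site1.example.com")
SITE1 = site_config("site1", "site0", "192.168.30.0/24", "192.168.20.0/24", "site0.example.com")
```

Run check_pair(SITE0, SITE1) on the post's settings and you get no ERROR lines, only the warnings that the WAN_LOCAL rule does not use ipsec match-ipsec and that WAN_IN has no rule at all; change one remote-id and both sides report the mismatch, which is exactly the kind of asymmetry that otherwise only surfaces as a tunnel that never comes up.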

Good luck! 

Sunday, July 2, 2017

DNS Hosting and DDNS of changeip.com

Recently I registered a domain and want to use it for Dynamic DNS.
I googled for DDNS services which allow using my own domain.
Some services cost more than $10 / month, which seems to be aimed at business use.


I found that ChangeIP offers DNS hosting for $9 / year and DDNS for $6 / year, which is the cheapest service I could find for using my own domain.

I hit a problem: my domain was not shown on their web control panel even after I had paid the fee and delegated authority to the DNS servers of changeip.com.
I asked via their support ticket; they answered promptly and fixed my problem.
Of course no issue at all would be better, but quick and correct support is still impressive.


Overall

I'm satisfied with the service. I hope more people use it, so that their business succeeds and I can keep using the service at this good price 😄

Pros:

  • Competitive price ($9/year for DNS hosting and $6/year for DDNS of the domain)
  • Rapid DDNS update (TTL is 30 s, which I've never seen in free DDNS services)
  • Quick support
  • Useful knowledge base 

Cons:

  • No wizard or easy tutorial for the initial setup exists
    • The knowledge base is good, but a standard manual would be helpful.

Monday, September 19, 2016

RISC-V on JCPU

RISC-V has been attracting attention from users recently, especially after the acquisition of ARM by SoftBank.

The RISC-V specification is well documented. I found its ISA very simple and well suited to a high-performance microarchitecture; for example, no flags register is needed for conditional branches, which compare two registers directly.

I saw "Hello world" of RISC-V running on JCPU within a day! Although only the user-mode 32-bit integer instructions are implemented, I don't see any difficulty in supporting further instructions.
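To show concretely what "no flags for conditional branches" means, here is a tiny RV32I interpreter. It is an added example and not JCPU code: it encodes addi/add/sub and the B-type branches in the real RV32I bit layout, decodes them, and runs two constructed programs. The branch instructions compare rs1 and rs2 themselves (signed for blt/bge, unsigned for bltu/bgeu), so no earlier compare instruction or status register is involved. Halting when the pc runs off the end of the program and the register numbering in the sample programs are my choices.

```python
"""Minimal RV32I interpreter (added example, not JCPU code): enough user-mode integer
instructions to show that RISC-V branches compare two registers directly instead of
testing condition flags left behind by an earlier instruction."""

MASK32 = 0xFFFFFFFF


def to_signed(x):
    """Interpret a 32-bit pattern as a two's-complement integer."""
    x &= MASK32
    return x - (1 << 32) if x & 0x80000000 else x


def sext(value, bits):
    """Sign-extend a `bits`-wide field."""
    value &= (1 << bits) - 1
    return value - (1 << bits) if value & (1 << (bits - 1)) else value


# Encoders for the three formats used here (RV32I bit layout; register fields are numbers).
def enc_r(funct7, rs2, rs1, funct3, rd):
    return (funct7 << 25) | (rs2 << 20) | (rs1 << 15) | (funct3 << 12) | (rd << 7) | 0x33


def enc_i(imm, rs1, funct3, rd, opcode=0x13):
    return ((imm & 0xFFF) << 20) | (rs1 << 15) | (funct3 << 12) | (rd << 7) | opcode


def enc_b(imm, rs2, rs1, funct3):
    """B-type: 13-bit signed byte offset (bit 0 implied zero) scattered across the word."""
    imm &= 0x1FFF
    return ((((imm >> 12) & 1) << 31) | (((imm >> 5) & 0x3F) << 25) | (rs2 << 20) | (rs1 << 15)
            | (funct3 << 12) | (((imm >> 1) & 0xF) << 8) | (((imm >> 11) & 1) << 7) | 0x63)


def ADDI(rd, rs1, imm): return enc_i(imm, rs1, 0, rd)
def ADD(rd, rs1, rs2): return enc_r(0, rs2, rs1, 0, rd)
def SUB(rd, rs1, rs2): return enc_r(0x20, rs2, rs1, 0, rd)
BRANCH_FUNCT3 = {"beq": 0, "bne": 1, "blt": 4, "bge": 5, "bltu": 6, "bgeu": 7}
def BR(kind, rs1, rs2, offset): return enc_b(offset, rs2, rs1, BRANCH_FUNCT3[kind])


def run(program, max_steps=10_000):
    """Execute 32-bit instruction words until the pc runs off the end; return the registers."""
    regs, pc = [0] * 32, 0
    for _ in range(max_steps):
        if pc >= 4 * len(program):
            return regs
        insn = program[pc // 4]
        opcode, rd = insn & 0x7F, (insn >> 7) & 0x1F
        funct3, rs1, rs2 = (insn >> 12) & 7, (insn >> 15) & 0x1F, (insn >> 20) & 0x1F
        a, b = regs[rs1], regs[rs2]
        next_pc = pc + 4
        if opcode == 0x13 and funct3 == 0:            # addi
            regs[rd] = (a + sext(insn >> 20, 12)) & MASK32
        elif opcode == 0x33 and funct3 == 0:          # add or sub, selected by funct7
            regs[rd] = (a - b if insn >> 25 == 0x20 else a + b) & MASK32
        elif opcode == 0x63:                          # conditional branch: compare rs1 with rs2
            imm = sext((((insn >> 31) & 1) << 12) | (((insn >> 7) & 1) << 11)
                       | (((insn >> 25) & 0x3F) << 5) | (((insn >> 8) & 0xF) << 1), 13)
            taken = {0: a == b, 1: a != b,
                     4: to_signed(a) < to_signed(b), 5: to_signed(a) >= to_signed(b),
                     6: a < b, 7: a >= b}[funct3]
            if taken:
                next_pc = pc + imm
        else:
            raise ValueError(f"unsupported instruction {insn:#010x} at pc {pc:#x}")
        regs[0] = 0                                   # x0 is hard-wired to zero
        pc = next_pc
    raise RuntimeError("step limit reached")


def sum_to(n):
    """Constructed program: x1 = 1 + 2 + ... + n (n >= 1) using add/addi/blt; returns x1."""
    program = [
        ADDI(1, 0, 0),            # x1 = 0          (accumulator)
        ADDI(2, 0, 1),            # x2 = 1          (i)
        ADDI(3, 0, n + 1),        # x3 = n + 1      (limit)
        ADD(1, 1, 2),             # loop: x1 += x2
        ADDI(2, 2, 1),            #       x2 += 1
        BR("blt", 2, 3, -8),      #       if x2 < x3 (signed) goto loop; no flags involved
    ]
    return run(program)[1]


def signed_vs_unsigned():
    """Same bit patterns, different answers: -1 < 1 signed, but 0xFFFFFFFF < 1 is false unsigned."""
    program = [
        ADDI(1, 0, -1),           # x1 = -1, i.e. 0xFFFFFFFF
        ADDI(2, 0, 1),            # x2 = 1
        ADDI(3, 0, 1),            # x3 = 1 means "blt was taken"
        ADDI(4, 0, 1),            # x4 = 1 means "bltu was taken"
        BR("blt", 1, 2, 8),       # signed compare: taken, skips the next instruction
        ADDI(3, 0, 0),            # reached only if blt fell through
        BR("bltu", 1, 2, 8),      # unsigned compare: not taken, falls through
        ADDI(4, 0, 0),            # reached, clears x4
    ]
    regs = run(program)
    return bool(regs[3]), bool(regs[4])
```

The only state a branch consults is the two source registers named in the instruction, which is what lets a pipeline resolve it without tracking a flags register across instructions; the sum loop and the signed/unsigned pair above exercise exactly that path.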

The biggest hurdle I'm struggling with is upgrading LLVM. As of LLVM 3.6 the old JIT has been removed and only MCJIT is available. MCJIT does not allow adding a function to a module once that module has been compiled, which is crucial for my use: I need to build a module for each code block of the target program.
The change takes time, which I don't have ;-)

While writing a test bench for RISC-V, I found the very easy-to-use ELF loading library ELFIO. It really is handy because it is header-only and written in C++.

Monday, November 17, 2014

When zpool create command fails

When you try to create a pool on a whole disk rather than on a partition, the zpool command creates the partitions automatically.
But sometimes the command fails and emits the following error message:
the kernel failed to rescan the partition table: 16
cannot label 'sdc': try using parted(8) and then provide a specific slice: -1

As described in the ArchWiki, this is because udev fails to create the device file within the one second that zpool waits for it.

The ArchWiki proposes slowing the disk down with a parallel read.
I found another way which is much more reliable.


The strace command traps syscalls and dumps their parameters to stderr.
The cstream command lets you limit throughput.
So throttling the stderr of strace with cstream slows down zpool itself (each traced syscall blocks until its trace line has been written), which gives udev time to create the device file.
strace zpool create /dev/sda /dev/sdb tank |& cstream -b 64 -t 2048

If the command is too slow, increase the throughput to 8K or 16K. Note that this only changes the timing; it does not remove the race, so if it still fails, follow the error message's own hint and create the partitions with parted first.

Friday, October 24, 2014

SoftEther VPN on Gentoo

SoftEther VPN is open-source VPN client/server software that supports multiple VPN protocols: its own protocol, L2TP/IPsec, OpenVPN, and MS-SSTP. Its client and server run on multiple platforms including Windows, Linux and BSD. Simply put, it's awesome.

Maybe because the software was originally developed on Windows, some of its behaviour is not Unix-style:
  • logs are saved in the same directory as the binary
  • the config file is saved in the same directory as the binary

And no ebuild exists in the Gentoo portage tree. That's why I made my own portage overlay.
It is available at my GitHub repository.

The ebuild includes several patches that I do not think are appropriate to merge into mainline:
  1. the pid file and log files are saved in /var/run and /var/log/softether respectively
  2. the override of the /proc/sys/kernel/threads-max setting is disabled
  3. all features are activated, including X.509 authentication, which are disabled in the original source

How to use my overlay: 

  • emerge layman
  • enable the line of "overlay_defs" in /etc/layman/layman.cfg
  • wget https://raw.githubusercontent.com/yTakatsukasa/misc/master/layman/yutetsu.xml -O /etc/layman/overlay/yutetsu.xml
  • layman -a yutetsu

How to install softether-vpn

After my overlay is enabled,
# emerge softether-vpn
# rc-update add vpnserver
# /etc/init.d/vpnserver start
Then configure the vpnserver. I recommend using the Server Manager program on Windows to configure the server.

Thursday, September 25, 2014

Changing the permission of /dev/nvidia* on Gentoo Linux

To use CUDA on Gentoo, emerging nvidia-cuda-sdk is sufficient.
After installing the driver and the SDK, /dev/nvidia* will be present.

These device files have mode 0660 and belong to the video group.
So if your users are members of the video group, there is no problem.

If you want to use the device files from accounts in other groups, you have to change the permission. Note that 0666 lets every local account open the GPU; adding the users to the video group, or pointing NVreg_DeviceFileGID at a group of your choice while keeping 0660, is the tighter alternative.
Here is what I did.


1) edit /etc/modprobe.d/nvidia.conf
  change the line starting with "options nvidia NVreg_DeviceFileMode=" from NVreg_DeviceFileMode=432 (decimal for octal 0660) to NVreg_DeviceFileMode=0666

2) chmod +x /opt/bin/nvidia-modprobe

3) reboot

Then you will find that /dev/nvidia* have mode 0666.

Thursday, October 10, 2013

PATCH for SystemC-2.3 to keep the module hierarchy in VCD

As I have posted on the SystemC Forum, I wrote a small patch to keep the module hierarchy in VCD.
The patch modifies the PoC (proof-of-concept) simulator to treat a signal name as a dot-separated path.
VCD Hierarchy Manipulator is no longer necessary.

How to get the patch

Please see my github page or simply wget it.

How to apply

% tar zxvf systemc-2.3.0.tgz
% cd systemc-2.3.0
% patch -p0 <  ../sc_vcd_trace.patch
% ./configure --any-options
% make
% make install 
 

How to Use

No need to modify the SystemC model. All you need to do is rebuild your design with the patched SystemC library. You will get a VCD like the following screenshot.

If you want to disable this feature, set the environment variable SC_VCD_NO_HIERARCHY.


Feedbacks

I only tested with a small example. Any feedback is welcome.