28 Mar

BGP Additional Paths

BGP routers only advertise their best path to their neighbors. When a better path is found, it replaces the current one. Advertising a new path that replaces the previously advertised path is called an implicit withdraw.

Since only the best path is advertised, many other possible paths stay unknown to some of the routers. This is called path hiding.

Extra notes on the additional-paths command syntax:

  • neighbor neighbor-id additional-paths send: configures the router to send multiple BGP paths to a neighbor.
  • neighbor neighbor-id additional-paths receive: if a neighbor sends multiple paths, that is nice, but you still have to configure the local router to accept multiple paths from it.
  • bgp additional-paths select: you may receive a bunch of paths from a neighbor, but you can still tell the router which of these paths it should actually consider (for example the best two).
  • bgp additional-paths install: tells the router to actually install into the RIB a backup path that you selected with the “bgp additional-paths select” command.
  • neighbor neighbor-id advertise additional-paths: configures which additional paths you want to advertise to a neighbor. “all” means all additional paths.
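An added configuration example (not from the post or from the referenced Cisco page; AS number and addresses are made up) that puts these commands together on one Cisco IOS router pair: R1 keeps the two best paths per prefix, installs the second as a backup, and advertises both to R2, which must negotiate the receive capability or it will keep getting a single path.

```text
! R1 (10.0.0.1): select up to two best paths, install the second as backup,
! and send both to R2
router bgp 65001
 neighbor 10.0.0.2 remote-as 65001
 address-family ipv4 unicast
  bgp additional-paths select best 2
  bgp additional-paths send receive
  bgp additional-paths install
  neighbor 10.0.0.2 activate
  neighbor 10.0.0.2 additional-paths send receive
  neighbor 10.0.0.2 advertise additional-paths best 2
!
! R2 (10.0.0.2): accept additional paths from R1
router bgp 65001
 neighbor 10.0.0.1 remote-as 65001
 address-family ipv4 unicast
  bgp additional-paths receive
  neighbor 10.0.0.1 activate
  neighbor 10.0.0.1 additional-paths receive
!
! Verify that the capability was exchanged on both sides:
! show ip bgp neighbors 10.0.0.2 | include Additional Paths
```

Without the receive statements on R2 the session comes up normally but the add-path capability is not negotiated, so R1 silently falls back to advertising only its best path.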

Reference:
https://networklessons.com/bgp/bgp-additional-paths
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bgp/configuration/xe-3s/irg-xe-3s-book/irg-additional-paths.html

18 Mar

VPN Ports


PPTP:
To allow PPTP tunnel maintenance traffic, open TCP 1723.
To allow PPTP tunneled data to pass through the router, open IP protocol 47 (GRE).

L2TP over IPSec:
To allow Internet Key Exchange (IKE), open UDP 500.
To allow IPSec NAT Traversal (NAT-T), open UDP 4500.
To allow L2TP traffic, open UDP 1701.

OpenVPN:

OpenVPN uses port 1194, UDP and TCP.

Here’s the Cisco access list (gre = Protocol ID 47, pptp = 1723, isakmp = 500, non500-isakmp = 4500):

permit gre any any
permit tcp any any eq 1194
permit udp any any eq 1194
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit udp any any eq 5500
permit tcp any any eq 1723
permit udp any any eq 1701

If either peer is behind NAT, you need to open UDP port 4500 for ISAKMP (NAT-T).

If no NAT is involved, you need to open UDP port 500 for ISAKMP.

For Phase 2, you need to explicitly open the IP protocol in use: protocol 50 for ESP and protocol 51 for AH (these are IP protocol numbers, not TCP/UDP ports).

IPSec can use ESP (protocol 50) or AH (protocol 51). AH breaks if used with any type of NAT with IPv4, so it is rarely ever used in a transform set.

Common Cisco ACL for allowing VPN traffic (remarks added to label each entry):

remark Allow VPN Traffic
remark IKE (ISAKMP)
permit udp any host [IPSec Headend] eq 500
remark IKE / ESP encapsulated in UDP (NAT-T)
permit udp any host [IPSec Headend] eq 4500
remark ESP
permit 50 any host [IPSec Headend]
remark AH
permit 51 any host [IPSec Headend]
remark GRE (PPTP data)
permit 47 any host [IPSec Headend]
remark IP protocol 57 (SKIP)
permit 57 any host [IPSec Headend]
deny   ip any host [IPSec Headend]
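The two access lists above are easy to get subtly wrong (ESP is an IP protocol, not a port, and it is only needed when NAT-T is not in play). As an added check that is not part of the post, the script below parses Cisco-style permit entries and reports, per VPN type from the lists above, which required entry is missing. Run against the first access list it shows that L2TP/IPSec works only for NAT-T peers, because no entry permits IP protocol 50.

```python
import re

# IOS keywords that appear in the post's access lists, mapped to numbers.
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500}
PROTO_NAMES = {"gre": 47, "esp": 50, "ahp": 51}

# What each VPN type needs permitted, taken from the lists in the post.
# (proto, port): proto is "tcp"/"udp" or an IP protocol number as a string;
# port None means the whole IP protocol must be permitted.
REQUIREMENTS = {
    "PPTP": [("tcp", 1723), ("47", None)],
    "L2TP/IPsec without NAT": [("udp", 500), ("udp", 1701), ("50", None)],
    "L2TP/IPsec with NAT-T": [("udp", 500), ("udp", 4500), ("udp", 1701)],
    "OpenVPN (UDP)": [("udp", 1194)],
}

# permit <proto> any <any|host X> [eq <port>]  -- the only ACE shape modelled
ACE = re.compile(r"^\s*permit\s+(\S+)\s+any\s+(?:any|host\s+\S+)(?:\s+eq\s+(\S+))?\s*$")

def parse_acl(acl_text):
    """Return the set of (proto, port) pairs the permit entries cover."""
    allowed = set()
    for line in acl_text.splitlines():
        m = ACE.match(line)
        if not m:
            continue  # remark, deny, or an ACE shape this checker ignores
        proto, port = m.groups()
        proto = str(PROTO_NAMES.get(proto, proto))
        if port is not None:
            port = PORT_NAMES[port] if port in PORT_NAMES else int(port)
        allowed.add((proto, port))
    return allowed

def missing_entries(acl_text):
    """Per VPN type, the required entries the ACL does not permit."""
    allowed = parse_acl(acl_text)
    return {vpn: [need for need in needs if need not in allowed]
            for vpn, needs in REQUIREMENTS.items()}

# Constructed copy of the first access list in the post.
POST_ACL = """\
permit gre any any
permit tcp any any eq 1194
permit udp any any eq 1194
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit udp any any eq 5500
permit tcp any any eq 1723
permit udp any any eq 1701
"""

if __name__ == "__main__":
    for vpn, gaps in missing_entries(POST_ACL).items():
        print(f"{vpn}: {'ok' if not gaps else 'missing ' + str(gaps)}")
```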

07 Feb

Installing Guacamole on Raspberry Pi

Guacamole is a clientless remote desktop gateway. After successfully setting this up on a few PCs, I now want to run it on a Raspberry Pi 3 B+. The following is how I did the installation on a Raspbian system.

OS Version: Raspbian GNU/Linux 9 (stretch)
  1. Upgrade the system:
$ sudo apt-get update
$ sudo apt-get upgrade
  2. Install the required dependencies:
$ sudo apt-get install libcairo2-dev
$ sudo apt-get install libjpeg62-turbo-dev
$ sudo apt-get install libpng12-dev
$ sudo apt-get install libossp-uuid-dev
  3. Install the optional packages:
$ sudo apt-get install libavcodec-dev libavutil-dev libswscale-dev
$ sudo apt-get install libpango1.0-dev
$ sudo apt-get install libssh2-1-dev
$ sudo apt-get install libtelnet-dev
$ sudo apt-get install libvncserver-dev
$ sudo apt-get install libpulse-dev
$ sudo apt-get install libssl-dev
$ sudo apt-get install libvorbis-dev
$ sudo apt-get install libwebp-dev
  4. Download the Guacamole server and client packages:
$ wget http://sourceforge.net/projects/guacamole/files/current/source/guacamole-server-0.9.14.tar.gz
$ wget http://sourceforge.net/projects/guacamole/files/current/source/guacamole-client-0.9.14.tar.gz
  5. Build and install the server:
$ tar xzf guacamole-server-0.9.14.tar.gz
$ cd guacamole-server-0.9.14
$ ./configure --with-init-dir=/etc/init.d
$ make
$ sudo make install
$ sudo update-rc.d guacd defaults
$ sudo ldconfig
  6. Build the client:
$ sudo apt-get install maven
$ tar xzf guacamole-client-0.9.14.tar.gz
$ cd guacamole-client-0.9.14
$ mvn package
  7. Install the jetty9 servlet container:
$ sudo apt-get install jetty9
  8. Deploy Guacamole (from inside the guacamole-client-0.9.14 directory):
$ sudo cp guacamole/target/guacamole-0.9.14.war /var/lib/jetty9/webapps/guacamole.war
$ sudo mkdir -p /etc/guacamole/extensions
$ sudo cp extensions/guacamole-auth-noauth/target/guacamole-auth-noauth-0.9.14.jar /etc/guacamole/extensions/.
  9. Copy the following text and save it as “/etc/guacamole/guacamole.properties”:
#    Guacamole - Clientless Remote Desktop
#    Copyright (C) 2010  Michael Jumper
#
#    This program is free software: you can redistribute it and/or modify
#    it under the terms of the GNU Affero General Public License as published by
#    the Free Software Foundation, either version 3 of the License, or
#    (at your option) any later version.
#
#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU Affero General Public License for more details.
#
#    You should have received a copy of the GNU Affero General Public License
#    along with this program.  If not, see <http://www.gnu.org/licenses/>.

# Hostname and port of guacamole proxy
guacd-hostname: localhost
guacd-port:     4822

# Auth provider class (authenticates user/pass combination, needed if using the provided login screen)
auth-provider: net.sourceforge.guacamole.net.basic.BasicFileAuthenticationProvider
basic-user-mapping: /etc/guacamole/user-mapping.xml

# NoAuth properties
noauth-config: /etc/guacamole/noauth-config.xml
  10. Copy the following text and save it as “/etc/guacamole/noauth-config.xml”:
<configs>
    <config name="pi" protocol="vnc">
        <param name="hostname" value="localhost" />
        <param name="port" value="5900" />
    </config>
</configs>
  11. Copy the following text and save it as “/etc/guacamole/user-mapping.xml”. The password is “raspberry”.
<user-mapping>
    <authorize
        username="pi"
        password="b89749505e144b564adfe3ea8fc394aa"
        encoding="md5">
        <connection name="pi">
            <protocol>vnc</protocol>
            <param name="hostname">localhost</param>
            <param name="port">5900</param>
            <param name="swap-red-blue">false</param>
            <param name="enable-audio">true</param>
        </connection>
    </authorize>
</user-mapping>
  12. Install the x11vnc VNC server:
$ sudo apt-get install x11vnc
  13. Copy the following text and save it as “~/.config/autostart/x11vnc.desktop”:
[Desktop Entry]
Name=X11 VNC
Comment=Remotedesktop Server
Exec=x11vnc -forever -nopw -rfbport 5900 -display :0
Terminal=false
Type=Application
X-MATE-Autostart-enabled=true
Comment[de_DE]=Remotedesktop Server
  14. Restart the Raspberry Pi:
$ sudo reboot

At this point Guacamole should start automatically at system boot. You can open it from a web browser at “<ip-address>:<port>/guacamole”. On my network it looks like this: “192.168.178.100:8080/guacamole”.
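Before exposing that URL beyond the local network it is worth checking what the two authentication files above actually grant. As an added check that is not part of the post, the script below parses guacamole.properties and user-mapping.xml as written above and reports the two things a reviewer would flag: the noauth extension removes the login entirely, and the file-based password is stored as an MD5 hash. It assumes the encoding="sha256" option of Guacamole's file authentication as the recommended replacement.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed copies of the two files from the post (the real ones live under
# /etc/guacamole); audit() takes text, so it can be fed those files instead.
PROPERTIES = """\
# Hostname and port of guacamole proxy
guacd-hostname: localhost
guacd-port:     4822
auth-provider: net.sourceforge.guacamole.net.basic.BasicFileAuthenticationProvider
basic-user-mapping: /etc/guacamole/user-mapping.xml
noauth-config: /etc/guacamole/noauth-config.xml
"""
USER_MAPPING = """\
<user-mapping>
  <authorize username="pi" password="b89749505e144b564adfe3ea8fc394aa" encoding="md5">
    <connection name="pi"><protocol>vnc</protocol>
      <param name="hostname">localhost</param><param name="port">5900</param>
    </connection>
  </authorize>
</user-mapping>
"""

def parse_properties(text):
    """guacamole.properties is one 'key: value' per line; '#' starts a comment."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(":")
            props[key.strip()] = value.strip()
    return props

def audit(properties_text, user_mapping_text):
    """Findings a reviewer would raise against this deployment's auth setup."""
    findings = []
    props = parse_properties(properties_text)
    if "noauth-config" in props:
        findings.append("noauth-config is set: with the noauth extension deployed, "
                        "the connections it lists need no valid login at all")
    root = ET.fromstring(user_mapping_text)
    for auth in root.iter("authorize"):
        enc = auth.get("encoding", "plain")
        if enc != "sha256":
            findings.append(f"user {auth.get('username')!r} uses encoding={enc!r}; "
                            "store the password with encoding=\"sha256\" instead")
    return findings

def sha256_password(password):
    """Value to put in password=\"...\" when encoding=\"sha256\" is used."""
    return hashlib.sha256(password.encode()).hexdigest()
```

Removing the noauth jar and the noauth-config line, and re-hashing the password with sha256_password(), makes audit() return an empty list.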

If you run the Pi headless (no display attached) and the remote desktop comes up at a poor resolution, change these parameters in “/boot/config.txt” from this:

#framebuffer_width=1280
#framebuffer_height=720

#hdmi_force_hotplug=1

to this (for full HD resolution):

framebuffer_width=1920
framebuffer_height=1080

hdmi_force_hotplug=1

Restart the system and that’s it. Have fun!

Reference: http://www.m-opensolutions.com/?p=936

06 Feb

Odroid HC2 Heat Issue

The infamous heat issue with the Odroid HC2 is here. My simple solution is plugging a cheap USB fan into the bottom of the case (I stand my HC2 vertically for better heat dissipation). Below is the result.

Figure: CPU thermal reduction
Figure: 3.5" HDD thermal reduction

And for the sake of comparison, here’s the CPU thermal reading for my RPi2 with no cooling (running a Node.js + Munin server):

Figure: Raspberry Pi 2 in a case, no fan

06 Feb

TP-Link Smart Plug Monitoring

I found a great web-based monitoring tool for this smart plug, and I will share my method of running it on a Raspberry Pi (with DietPi).

Read more about this tool here: https://github.com/jamesbarnett91/tplink-energy-monitor

There are a few methods to run this, but I found that using Node + NPM is the easiest on this platform.

apt install git npm
git clone https://github.com/jamesbarnett91/tplink-energy-monitor && cd tplink-energy-monitor
npm install
npm start

Once installed and running, open http://server-ip:3000 in a browser.