jason schaefer . com

"arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say."

Category: Uncategorized

  • Install coturn for nextcloud STUN and TURN services

    The nightmare that is NAT (Network Address Translation). We need TURN (Traversal Using Relays around NAT) and STUN (Session Traversal Utilities for NAT). These servers broker the connections between clients across NAT for voice and video calls*. This write-up assumes the coturn server is publicly routable (it has a public IP).

    install coturn

    apt-get install coturn

    enable it

    vi /etc/default/coturn
    TURNSERVER_ENABLED=1

    Fix up the turnserver config. I recommend using “/” in vi to search through the config and uncomment the following items; this keeps your config as close to stock as possible. The downside is that the result is a pain to read, so see the grep trick below to help with that.

    vi /etc/turnserver.conf
    
    fingerprint
    use-auth-secret
    static-auth-secret=[some long password]
    realm=example.com
    total-quota=100
    stale-nonce
    cert=/etc/letsencrypt/live/example.com/cert.pem
    pkey=/etc/letsencrypt/live/example.com/privkey.pem
    syslog
    no-multicast-peers
    no-cli
    no-rfc5780
    no-stun-backward-compatibility
    response-origin-only-with-rfc5780

    There is a description of each parameter in coturn's GitHub repository (the commented example turnserver.conf).

    Grep out the comments and blank lines so you can see exactly what is enabled and confirm your config is correct:

    grep -v ^# /etc/turnserver.conf |grep .

    Use letsencrypt with turnserver

    We will use the same certs as we are using for Nextcloud. See my post on installing Nextcloud server.
    The letsencrypt directories need to be opened up so coturn can read the certificate and key. The cleanest way is to add the turnserver user to the ssl-cert group and then grant that group access to the certs. First, fix up the group membership:

    usermod -a -G ssl-cert turnserver

    Keep the owner as root and change the group of the two directories to ssl-cert, then give the group read and execute (traverse) permission on them:

    chown root:ssl-cert /etc/letsencrypt/live/ /etc/letsencrypt/archive/
    
    chmod g+rx /etc/letsencrypt/archive/ /etc/letsencrypt/live/

    The private key itself is still readable and writable only by root, as shown below:

    #confirm perms are not ok
    ls -l /etc/letsencrypt/archive/example.com/privkey1.pem
    -rw------- 1 root root  241 Nov 22 17:49 privkey1.pem
    
    

    Change the group (chown) and the mode (chmod) of privkey1.pem. Renewed keys inherit these permissions, so privkey2.pem will also end up as “-rw-r----- root ssl-cert”.

    chown root:ssl-cert /etc/letsencrypt/archive/example.com/privkey1.pem
    
    chmod g+r /etc/letsencrypt/archive/example.com/privkey1.pem
    
    #confirm perms are good
    ls -l /etc/letsencrypt/archive/example.com/privkey1.pem
    -rw-r----- 1 root ssl-cert 241 Nov 22 17:49 privkey1.pem

    Verify and test. Restart coturn and look through its log. In the journalctl pager, press “G” to jump to the end of the log and then scroll back up to see any errors from the last restart.

    systemctl restart coturn
    journalctl -u coturn

    Run turnutils_uclient against the server; it ships with the coturn package.
    First test plain turn:// (UDP on 3478):

    turnutils_uclient -p 3478 -W [static-auth-secret] -v -y example.com

    and then turns:// with -S (DTLS here, since the transport is UDP; add -t to test TCP with TLS):

    turnutils_uclient -p 3478 -W [static-auth-secret] -v -y example.com -S

    The end of a successful run looks like this:

    8: : Total transmit time is 4
    8: : Total lost packets 0 (0.000000%), total send dropped 0 (0.000000%)
    8: : Average round trip delay 93.400000 ms; min = 88 ms, max = 104 ms
    8: : Average jitter 3.700000 ms; min = 0 ms, max = 13 ms

    Now add this server to Nextcloud under Administration Settings -> Talk:
    set STUN to “example.com:3478” (the port coturn listens on; 3478 is the default)
    set TURN to “turn: and turns:” | “example.com:3478” | “[static-auth-secret]” | “UDP and TCP”

    Look for the green check mark that confirms it works.

    * Here is a description of how TURN and STUN work from Nextclouds documentation

    Talk tries to establish a direct peer-to-peer (P2P) connection, thus on connections beyond the local network (behind a NAT or router), clients do not only need to know each others public IP, but the participants local IPs as well. Processing this is the job of a STUN server. As there is one preconfigured for Nextcloud Talk that is operated by Nextcloud GmbH, for this case nothing else needs to be done.
    
    But in many cases, especially in combination with firewalls or symmetric NAT, a direct P2P connection is not possible, even with the help of a STUN server. For this a so called TURN server needs to be configured additionally.
    
    Nextcloud Talk will try direct P2P in the first place, use STUN if needed and TURN as last resort fallback. Thus to be most flexible and guarantee functionality of your Nextcloud Talk instance in all possible connection cases, you would want to setup a TURN server.
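    Here is an added example (my own script for this page, not part of the original post or of coturn) that turns the grep trick into a check you can run after every edit, and shows what use-auth-secret actually does with static-auth-secret: it derives the time-limited TURN REST API credentials (username “expiry:user”, password base64(HMAC-SHA1(secret, username))) that Nextcloud Talk hands to each client. The sample turnserver.conf, its secret value and the 32-character minimum are this script's own choices; it needs only sh, grep, sed and openssl:

```shell
#!/bin/sh
# Added example, not from the original post: check a turnserver.conf the way
# the grep trick does, fail when an option the post enables is missing or the
# shared secret is short, and derive the credentials use-auth-secret expects
# (TURN REST API scheme, the one Nextcloud Talk computes per client).
# The sample config, its secret and the 32-char minimum are this script's choices.

# Active lines: drop comments and blank lines (same as the grep in the post).
turn_active_lines() {
    grep -v '^[[:space:]]*#' "$1" | grep .
}

# Options from the post that a coturn behind Nextcloud Talk should have active.
TURN_REQUIRED="fingerprint use-auth-secret static-auth-secret realm cert pkey no-cli no-multicast-peers"

# Print each required option that is not active; return 1 if any is missing.
turn_check_required() {
    _missing=0
    for _opt in $TURN_REQUIRED; do
        if ! turn_active_lines "$1" | grep -qE "^${_opt}(=|[[:space:]]*$)"; then
            echo "missing: $_opt"
            _missing=1
        fi
    done
    return $_missing
}

# Anyone who guesses static-auth-secret can mint relay credentials, so refuse
# a short one (32 characters is this script's threshold, not coturn's).
turn_check_secret() {
    _secret=$(turn_active_lines "$1" | sed -n 's/^static-auth-secret=//p')
    [ "${#_secret}" -ge 32 ]
}

# TURN REST API credential as coturn derives it under use-auth-secret:
#   username = "<unix expiry>:<user>", password = base64(HMAC-SHA1(secret, username))
# Prints "username password"; only the server ever holds the secret.
turn_rest_credential() {
    _username="$(( $(date +%s) + ${3:-86400} )):$2"
    _password=$(printf '%s' "$_username" | openssl dgst -sha1 -hmac "$1" -binary | openssl enc -base64)
    echo "$_username $_password"
}

# Constructed sample config (written to the path in $1) mirroring the post.
turn_sample_conf() {
    cat > "$1" <<'EOF'
# comments and blank lines are ignored

fingerprint
use-auth-secret
static-auth-secret=0Zc0xJb9v9kUq3n1lT7dH2pR8wA5sF6yE4mK0bN2cV1x
realm=example.com
total-quota=100
stale-nonce
cert=/etc/letsencrypt/live/example.com/cert.pem
pkey=/etc/letsencrypt/live/example.com/privkey.pem
syslog
no-multicast-peers
no-cli
no-rfc5780
no-stun-backward-compatibility
response-origin-only-with-rfc5780
EOF
}

# Demo: check the sample, then a copy with no-cli removed, then mint a credential.
_conf=$(mktemp)
turn_sample_conf "$_conf"
turn_check_required "$_conf" && turn_check_secret "$_conf" && echo "$_conf: ok"
grep -v '^no-cli' "$_conf" > "$_conf.bad"
turn_check_required "$_conf.bad" || echo "$_conf.bad: rejected"
turn_rest_credential "$(sed -n 's/^static-auth-secret=//p' "$_conf")" nextcloud 3600
rm -f "$_conf" "$_conf.bad"
```

    Point turn_check_required and turn_check_secret at /etc/turnserver.conf after each edit; the credential function is only there to make it obvious that the secret you type into Nextcloud is the HMAC key for every user's password, which is why it should be long and random.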
  • Wireguard VPN on VyOS

    The commands vary with the VyOS version; these instructions are for the rolling release 1.3.0.

    ssh to your router, starting from the operational-mode prompt vyos@myGW:~$

    and begin by generating the router's key pair:

    generate wireguard default-keypair

    This creates the public and private keys that wireguard will use automatically: /config/auth/wireguard/default/private.key and public.key.

    You can create the peer's key pair on VyOS or somewhere else. If you do it on VyOS, follow these steps (note that this leaves the peer's private key on the router under /config/auth/wireguard; delete it once the client config is in place):

    sudo su -

    wg genkey | tee /config/auth/wireguard/jason.privatekey | wg pubkey > /config/auth/wireguard/jason.publickey

    exit

    Now enter VyOS configuration mode to set up a wireguard interface (the cat in the middle just fetches the peer's public key for the pubkey line):

    vyos@myGW:~$ configure
    vyos@myGW#

    set interfaces wireguard wg0 address 10.22.211.1/24
    set interfaces wireguard wg0 port 51820
    cat /config/auth/wireguard/jason.publickey

    G8w+5qjq0hZVfoYOfgdmLp584oJ8UZFGRBMHQjPrqyA=

    set interfaces wireguard wg0 peer jason pubkey G8w+5qjq0hZVfoYOfgdmLp584oJ8UZFGRBMHQjPrqyA=

    set interfaces wireguard wg0 peer jason allowed-ips 10.22.211.10/32

    set interfaces wireguard wg0 peer jason persistent-keepalive 15

    commit; save

    This is what the wireguard config should look like:

    vyos@myGW# show interfaces wireguard

    wireguard wg0 {
         address 10.22.211.1/24
         peer jason {
             allowed-ips 10.22.211.10/32
             persistent-keepalive 15
             pubkey G8w+5qjq0hZVfoYOfgdmLp584oJ8UZFGRBMHQjPrqyA=
         }
         port 51820
     }
    


    Open the port on the firewall so WireGuard traffic can reach the router itself. wan-local is the name of the rule set this router applies to WAN traffic addressed to the router; use the name of yours, and change the rule number so you don't overwrite an existing rule.

    set firewall name wan-local rule 60 description "allow wireguard"
    set firewall name wan-local rule 60 action accept
    set firewall name wan-local rule 60 destination port 51820
    set firewall name wan-local rule 60 protocol udp

    Now let's set up the client peer. Get the router's public key and the peer's private key:

    run show wireguard keypairs pubkey default

    UkG68hbH7IrXCYkJsyH+gQotttwlpggXL9PoQda7qxg=

    cat /config/auth/wireguard/jason.privatekey
    QE8L380rji7YQRAFUbcpD2qmKWiQsJ5Z0DntJHkSC1s=

    Create a text file on your peer like so:

    [Interface]
    Address = 10.22.211.10/32
    PrivateKey = QE8L380rji7YQRAFUbcpD2qmKWiQsJ5Z0DntJHkSC1s=
    
    [Peer]
    PublicKey = UkG68hbH7IrXCYkJsyH+gQotttwlpggXL9PoQda7qxg=
    Endpoint = [wireguard-server-ip-or-hostname]:51820
    #AllowedIPs = 0.0.0.0/0, ::/0
    AllowedIPs = 10.9.8.0/24, 10.254.245.0/24
    
    PersistentKeepalive = 25
    

    Save this file as something.conf. AllowedIPs decides which destinations are sent into the tunnel: the two /24s above route only those LAN subnets through it, and the commented-out 0.0.0.0/0, ::/0 would send all traffic. Neither entry covers 10.22.211.0/24, so add that (or at least 10.22.211.1/32) if you want to reach the router's own tunnel address.
    Connect to your new wireguard VPN with wg-quick (or whichever client you need); wg-quick takes an action, so it is "up" followed by the path:
    sudo wg-quick up /path/to/something.conf

    done;
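    As an added example (my own script, not from the original post or from VyOS), here is a way to generate the VyOS set-commands and the client file for a new peer in one go and, before handing the file out, check that AllowedIPs covers the router's tunnel address. It uses the key strings and addresses shown above; vpn.example.com:51820 is a placeholder endpoint:

```shell
#!/bin/sh
# Added example, not from the original post: emit the VyOS set-commands and the
# matching wg-quick client file for one peer, and check the client's AllowedIPs
# before handing the file out. The post's client config routes 10.9.8.0/24 and
# 10.254.245.0/24 through the tunnel but not 10.22.211.0/24, so the router's
# own tunnel address 10.22.211.1 would be unreachable; the check catches that.
# Keys, names and addresses are the post's samples; the endpoint is a placeholder.

# IPv4 dotted quad -> integer (POSIX arithmetic only, no external tools).
ip2int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 if the address ($2) lies inside the CIDR prefix ($1, must have a /len).
cidr_contains() {
    _bits=${1#*/}
    _mask=$(( _bits == 0 ? 0 : (4294967295 << (32 - _bits)) & 4294967295 ))
    [ $(( $(ip2int "${1%/*}") & _mask )) -eq $(( $(ip2int "$2") & _mask )) ]
}

# Return 0 if any entry of a comma-separated AllowedIPs list covers the address.
allowed_covers() {
    for _cidr in $(printf '%s' "$1" | tr ',' ' '); do
        cidr_contains "$_cidr" "$2" && return 0
    done
    return 1
}

# VyOS configure-mode commands for a peer: name, public key, tunnel address.
vyos_peer_commands() {
    cat <<EOF
set interfaces wireguard wg0 peer $1 pubkey $2
set interfaces wireguard wg0 peer $1 allowed-ips $3/32
set interfaces wireguard wg0 peer $1 persistent-keepalive 15
EOF
}

# wg-quick client file: tunnel address, client private key, router public key,
# router endpoint (host:port), AllowedIPs list.
wg_client_conf() {
    cat <<EOF
[Interface]
Address = $1/32
PrivateKey = $2

[Peer]
PublicKey = $3
Endpoint = $4
AllowedIPs = $5
PersistentKeepalive = 25
EOF
}

# Demo with the keys from the post (for real peers: wg genkey | tee priv | wg pubkey).
ROUTER_PUB=UkG68hbH7IrXCYkJsyH+gQotttwlpggXL9PoQda7qxg=
PEER_PUB=G8w+5qjq0hZVfoYOfgdmLp584oJ8UZFGRBMHQjPrqyA=
PEER_PRIV=QE8L380rji7YQRAFUbcpD2qmKWiQsJ5Z0DntJHkSC1s=
ALLOWED="10.9.8.0/24, 10.254.245.0/24"

vyos_peer_commands jason "$PEER_PUB" 10.22.211.10
wg_client_conf 10.22.211.10 "$PEER_PRIV" "$ROUTER_PUB" vpn.example.com:51820 "$ALLOWED"
allowed_covers "$ALLOWED" 10.22.211.1 ||
    echo "warning: AllowedIPs does not cover the router's tunnel address 10.22.211.1" >&2
```

    Paste the first block of output into VyOS configuration mode followed by commit; save, and give the second block to the client as something.conf. The warning fires for the post's AllowedIPs list; adding 10.22.211.0/24 to ALLOWED silences it.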

  • Public Key Authentication in OpenWRT using dropbear sshd

    UPDATE: The easiest way to do this is through the web interface (LuCI). System -> Administration -> SSH-Keys. Paste your public key (~/.ssh/id_rsa.pub) and click “Add key”

    I’ve been using so many openwrt devices lately I wanted to setup my public ssh key on each device so I can auto login. Also, I can setup a really unfriendly password for the root account that is very secure and use my public key to authenticate. Convenient and secure? What a concept!!
    Since this is Dropbear rather than OpenSSH, the usual ~/.ssh/authorized_keys is not consulted; the authorized_keys file has to live in /etc/dropbear/.

    This is how I do it quickly and efficiently.

    Use ssh-copy-id to copy your public key into the remote device's authorized_keys, exactly as you would for a server. Thanks to Sam for turning me on to this most valuable tool.

    From your local user account (you need a public/private key pair; see ssh-keygen if you have to generate one):

    $ ssh-copy-id root@192.168.1.1

    Enter the current root password. If it was correct, the following is displayed:

    Now try logging into the machine, with "ssh 'root@192.168.1.1'", and check in:
    
    ~/.ssh/authorized_keys
    
    to make sure we haven't added extra keys that you weren't expecting.

    Now ssh to the device and move authorized_keys into the dropbear directory:

    $ ssh root@192.168.1.1
    root@192.168.1.1's password:
    
    root@MyOpenWrt:~# mv /root/.ssh/authorized_keys /etc/dropbear/

    Verify the permissions are 600; dropbear ignores an authorized_keys file that is group- or world-writable.

    root@MyOpenWrt:~# ls -l /etc/dropbear/
    -rw-------    1 root     root          394 Apr 24 20:09 authorized_keys
    

    Log out and ssh back to 192.168.1.1. This time it asks for your ssh key passphrase instead of the root password:

    $ ssh root@192.168.1.1
    Enter passphrase for key '/home/jason/.ssh/id_rsa':

    If you would like to login without ssh asking for your passphrase you can use ssh-agent to store your identity. Use ssh-add to add to ssh-agent.

    $ ssh-add
    Enter passphrase for /home/jason/.ssh/id_rsa:

    Now ssh to 192.168.1.1 again; this time it asks for neither a password nor a passphrase:

    $ ssh root@192.168.1.1
    BusyBox v1.15.3 (2011-11-24 00:44:20 CET) built-in shell (ash)
    Enter 'help' for a list of built-in commands.
    
    _______                     ________        __
    |       |.-----.-----.-----.|  |  |  |.----.|  |_
    |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
    |_______||   __|_____|__|__||________||__|  |____|
    |__| W I R E L E S S   F R E E D O M
    Backfire (10.03.1, r29592) ------------------------
    * 1/3 shot Kahlua    In a shot glass, layer Kahlua
    * 1/3 shot Bailey's  on the bottom, then Bailey's,
    * 1/3 shot Vodka     then Vodka.
    ---------------------------------------------------
    root@MyOpenWrt:~# 
    

    Voilà!

    You can also do this via the LuCI web interface; it's actually very easy. Copy your ~/.ssh/id_rsa.pub, paste it into “System” -> “Administration” -> “SSH-Keys” and click “Save & Apply”. Done.
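    The ssh-copy-id step appends whatever is in your public key file, which is why it tells you to check for extra keys afterwards. Here is an added example (my own script, not from the original post, OpenWrt or dropbear) that does the same job with a validity check and no duplicates, keeping authorized_keys at mode 600. The key lines in it are constructed samples, not real keys, and dropbear_push_key() assumes an OpenWrt box reachable as root, at 192.168.1.1 as in the post:

```shell
#!/bin/sh
# Added example, not from the original post: install a public key into an
# authorized_keys file like the ssh-copy-id step does, but validate the key
# line first, never add a duplicate, keep the file at mode 600 and list what
# is there so "extra keys you weren't expecting" stand out. Works on a local
# file; dropbear_push_key() wraps the same idea in ssh for a real device.
# Sample key lines below are constructed and are not real keys.

# Accept only a well-formed OpenSSH public key line of a type dropbear supports.
pubkey_valid() {
    printf '%s\n' "$1" |
        grep -qE '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( [^[:space:]].*)?$'
}

# Append the key unless an identical key (type + blob, comment ignored) is
# already present; create the file if needed and force mode 600 either way.
authorized_keys_add() {
    _file=$1 _key=$2
    pubkey_valid "$_key" || { echo "rejected: not a public key line" >&2; return 2; }
    _blob=$(printf '%s' "$_key" | cut -d' ' -f1-2)
    touch "$_file" && chmod 600 "$_file"
    if cut -d' ' -f1-2 "$_file" | grep -qxF "$_blob"; then
        echo "already present: $_blob" >&2
        return 0
    fi
    printf '%s\n' "$_key" >> "$_file"
}

# Number of key lines in the file (comments and blank lines ignored).
authorized_keys_count() {
    grep -cvE '^[[:space:]]*(#|$)' "$1"
}

# One line per key for review: type, start of the blob, comment.
authorized_keys_list() {
    grep -vE '^[[:space:]]*(#|$)' "$1" |
        awk '{ printf "%-20s %s... %s\n", $1, substr($2, 1, 16), $3 }'
}

# Push a key straight into /etc/dropbear/authorized_keys on an OpenWrt box
# (asks for the root password once). Unlike ssh-copy-id there is no mv step;
# it appends unconditionally, so run authorized_keys_list on the box afterwards.
dropbear_push_key() {
    _host=$1 _keyfile=${2:-$HOME/.ssh/id_rsa.pub}
    ssh "root@$_host" 'mkdir -p /etc/dropbear && cat >> /etc/dropbear/authorized_keys && chmod 600 /etc/dropbear/authorized_keys' < "$_keyfile"
}

# Demo on a temporary file with a constructed key (not a real key).
SAMPLE_KEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleExampleExampleExampleExampleEx jason@laptop"
_f=$(mktemp)
authorized_keys_add "$_f" "$SAMPLE_KEY"
authorized_keys_add "$_f" "$SAMPLE_KEY"        # second add is a no-op
authorized_keys_add "$_f" "not a key at all"   # rejected
echo "$(authorized_keys_count "$_f") key(s) in $_f:"
authorized_keys_list "$_f"
rm -f "$_f"
```

    To use it against a device, run dropbear_push_key 192.168.1.1 and then ssh in and run authorized_keys_list /etc/dropbear/authorized_keys to confirm only the keys you expect are there.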