Author: fjgraf

  • Ansible and System Updates

    apt update
    apt install ansible
    apt install software-properties-common

    Setup passwordless authentication with the servers you want to manage

    This is useful if you want to automate processes via ssh without intervening by having to input the password to the remote server.

    ssh-copy-id user@ip_address

    Setup passwordless sudo commands

    On the server you want to manage with Ansible you have to allow the sudo user to execute commands without a password. Since in this example we want to automate the system updates and upgrades, each time Ansible sends an apt update (or any other command that needs superuser privileges) the sudo password would be requested, demanding human interaction, and Ansible would not be able to run the command on the remote server. There are two ways to do this. One is to type visudo on Debian to open the configuration file /etc/sudoers; the other is to create a new file /etc/sudoers.d/[name of your sudo user]. Inside that file add the following line:

    # Allow admin user to run specific scripts and commands with superuser privileges
    # without needing a password.
    admin ALL=(ALL) NOPASSWD: ALL

    If you want to be less permissive and only allow certain commands to run without a password, these are the ones used in the playbooks in this example. Be aware that Ansible's become runs each module through /bin/sh as root rather than calling /usr/bin/apt directly, so this restricted alias covers apt commands you run over ssh yourself but does not match the apt tasks in the playbooks, which need the first form.

    # Allow admin user to run specific scripts and commands with superuser privileges
    # without needing a password.
    Cmnd_Alias UPDATE_PKGS = /usr/bin/apt update, \
                              /usr/bin/apt upgrade, \
                              /usr/bin/apt dist-upgrade, \
                              /usr/bin/apt autoremove, \
                              /usr/bin/apt autoclean
    admin ALL=(ALL) NOPASSWD: UPDATE_PKGS

    Define where your ansible files are going to be placed

    Given that this example will be tested on Proxmox, I will place them in /etc/ansible (create it if it was not created by default). Keeping the ansible configuration directory on the main server ensures communication with all VMs running inside it unless the server itself is shut down.

    Create an inventory file that includes your Proxmox VMs (or other servers you want to manage). For example, /etc/ansible/hosts:

    Make sure your VMs have a static IP!

    [proxmox_vms]
    vm1 ansible_host=192.168.1.101 ansible_ssh_user=admin
    vm2 ansible_host=192.168.1.102 ansible_ssh_user=admin

    Test your connectivity with the hosts:

    ansible all -m ping

    1. Daily Tasks Playbook: daily_tasks.yml

    ---
    - name: Daily Maintenance Tasks
      hosts: proxmox_vms
      become: yes
      tasks:
        - name: Update the apt package cache
          apt:
            update_cache: yes
    
        - name: Clean up unused packages
          apt:
            autoremove: yes
    
        - name: Clear out outdated package files
          apt:
            autoclean: yes
    

    2. Monthly Tasks Playbook: monthly_tasks.yml

    ---
    - name: Monthly Maintenance Tasks
      hosts: proxmox_vms
      become: yes
      tasks:
        - name: Upgrade all installed packages (standard)
          apt:
            upgrade: safe  # Upgrades packages without removing any
    
        - name: Full upgrade of all installed packages (including system upgrades)
          apt:
            upgrade: dist  # Allows removal of obsolete packages and installation of new dependencies
    

    3. Emergency Security Updates Playbook: security_updates.yml

    ---
    - name: Urgent Security Upgrades
      hosts: proxmox_vms
      become: yes
      tasks:
        - name: Update the apt package cache
          apt:
            update_cache: yes
    
        - name: Upgrade only security updates
          apt:
            upgrade: dist  # Full dist-upgrade: apt has no security-only mode, the script below decides when this playbook runs
    

    Create a simple bash script to manage the urgent security upgrades and make it executable:

    nano /etc/ansible/security_updates.sh

    #!/bin/bash
    # Check for security updates. This runs on the machine executing the script
    # (the Ansible control node), not on the managed VMs.
    SECURITY_UPDATES=$(apt list --upgradable 2>/dev/null | grep -i security)
    if [ -n "$SECURITY_UPDATES" ]; then
        echo "Security updates available. Running the Ansible playbook."
        ansible-playbook -i /etc/ansible/hosts /etc/ansible/security_updates.yml
    else
        echo "No security updates available."
    fi

    chmod +x /etc/ansible/security_updates.sh
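    As an added example (not the page's script), here is a version of the check that reads the suite field of each apt line instead of grepping the whole line for the word "security", so a package whose name merely contains that word does not trigger a playbook run. It keeps the page's paths and, like the page's script, checks the host it runs on; the function names are illustrative.

```shell
#!/bin/sh
# Added example, not the page's script: a field-aware security-update check.
# 'apt list --upgradable' prints lines such as
#   openssl/stable-security 3.0.11-1~deb12u2 amd64 [upgradable from: 3.0.9-1]
# The part after the slash is the suite list (comma separated when a package
# is available from several suites). Only suites ending in -security count.
# Like the page's script, this checks the host it runs on (the control node).

INVENTORY=/etc/ansible/hosts                 # inventory path used on the page
PLAYBOOK=/etc/ansible/security_updates.yml   # playbook path used on the page

# security_packages: read 'apt list --upgradable' output on stdin and print one
# package name per line for every package coming from a *-security suite.
security_packages() {
    awk '
        /^Listing/ { next }                      # skip the "Listing... Done" header
        {
            split($1, nameSuite, "/")            # "pkg/suite1,suite2" -> pkg, suites
            n = split(nameSuite[2], suite, ",")
            for (i = 1; i <= n; i++) {
                if (suite[i] ~ /-security$/) { print nameSuite[1]; break }
            }
        }'
}

# run_if_security_updates: query apt on this host and run the playbook only
# when at least one pending update comes from a security suite.
run_if_security_updates() {
    pkgs=$(apt list --upgradable 2>/dev/null | security_packages)
    if [ -n "$pkgs" ]; then
        echo "Security updates available for: $(echo "$pkgs" | tr '\n' ' ')"
        ansible-playbook -i "$INVENTORY" "$PLAYBOOK"
    else
        echo "No security updates available."
    fi
}

# Only act when invoked as 'security_updates.sh run', so the functions can be
# sourced and exercised without touching apt or Ansible.
if [ "${1:-}" = "run" ]; then
    run_if_security_updates
fi
```

    Call it from cron as /etc/ansible/security_updates.sh run; the sample lines in the comments are constructed, not captured from a real host.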

    Cron Jobs for Execution

    Now, here are the cron jobs to schedule the execution of these playbooks:

    1. Daily Maintenance Tasks: Run every day at 2 AM.
    0 2 * * * ansible-playbook -i /etc/ansible/hosts /etc/ansible/daily_tasks.yml >> /var/log/ansible_daily.log 2>&1

    2. Monthly Maintenance Tasks: Run on the first Saturday of every month at 2 AM.

    0 2 * * 6 [ "$(date +\%d)" -le 7 ] && ansible-playbook -i /etc/ansible/hosts /etc/ansible/monthly_tasks.yml >> /var/log/ansible_monthly.log 2>&1

    3. Emergency Security Updates: Run daily at 3 AM (or adjust as needed) using a script that checks for security updates.

    0 3 * * * /etc/ansible/security_updates.sh >> /var/log/ansible_security.log 2>&1

    The end

  • Freedombox – Installation & Setup (Two ways)

    There are mainly two ways to get a Freedombox running. The first one would be to install Debian first and then the Freedombox package or the alternative to download the Freedombox image designed for your desired system.

    1- Install Debian

    Ideally you won’t need a desktop environment to run your debian with freedombox installed as all management tasks are done via its web interface.

    Give sudo privileges to your user account. Change to root user:

    su -

    usermod -aG sudo user

    Reboot your system for the changes to apply.

    Configure power management

    Disable automatic sleep and hibernation, otherwise your server might go to sleep after 20 minutes regardless of what you chose in your power management settings. The reason is that the next time the server reboots and you only log in remotely, the power settings default to the system-wide options. We don’t want that on a remote server, especially if you also run a desktop environment. Let’s play it safe and disable the relevant power management targets:

    sudo systemctl mask sleep.target suspend.target suspend-then-hibernate.target hibernate.target hybrid-sleep.target

    Update your package list and system upgrades

    sudo apt-get update && sudo apt upgrade

    Install freedombox package.

    sudo DEBIAN_FRONTEND=noninteractive apt-get install freedombox

    or if you want to configure slapd and get your secret (a random string you have to use post installation in the freedombox web install)

    sudo apt install freedombox

    Open a web browser and go to the local IP address of your server. Finish the installation: enter the secret password provided during the installation, log in and start installing apps. It is recommended to start with WordPress to get your domain working with your new self-hosted home page.


    Ensure the secondary SSD (if you have one installed) is configured to be mounted automatically under the same drive ID after a reboot. Log in to Plinth and go to Cockpit –> Drives. This is where the backups are going to be stored. Change the options to enable automatic mounting and rename the permanent mount point to something easier like /media/root/backup.

    Log in to plinth

    Obtain an SSL certificate for your domain (if you bought one) or get a free domain at ddns.freedombox.org.

    Log in to your DNS service provider and map your domain name to the public IP of your edge router. Use ‘curl ifconfig.me’ on Linux and Windows or ‘Invoke-RestMethod ifconfig.me’ in Windows PowerShell to find your public IP. Freedombox also provides a free domain of your choice like yourdomain.fbx.one or domain.freedombox.rocks.

    Go to System –> Configure. Remove your first domain and type the other one you have. Update the configuration. You should lose the connection to the Freedombox site momentarily. Log back in with your private IP address and go to Configure –> Let’s Encrypt and click to obtain the certificate for your second domain. If your DNS records are set up correctly, both domain names should reach your Freedombox.

    Go to System –> Let’s Encrypt and click “obtain” to get your certificate. Now you should browse to your_domain instead of the IP address. If you have more subdomains, now is the time to get those certificates as well.

    If you want to get your free domain:
    Go to system –> Dynamic DNS Client and complete the information required but first visit ddns.freedombox.org and create an account. The information to access that account will be necessary to configure your ddns settings.

    Install Packages

    Other necessary packages might be needed depending on the services your server will provide.

    1. mariadb-server – Necessary to install other packages like wordpress. The installation will also configure phpmyadmin to manage the databases in the web browser.
    2. php8.2 – Check for more updated available versions.
    sudo apt install mariadb-server php8.2 php8.2-imagick php-imagick php8.2-intl

    Install Freedombox from a predefined image

    Go to https://freedombox.org/download/ and select the QEMU image to install it in a Proxmox virtual machine. In this example we’ll choose the qemu/kvm amd64 image. Copy the download link address to use it later.

    Import qcow2 disk to VM

    Overview: create a VM with the parameters you want. Its disk will be detached and deleted later because you have to attach the qcow2 disk to it instead. Download the qcow2 image to your Proxmox host, then move the virtual disk to the location where the virtual disks for your VMs are stored. When doing the import you have to assign the disk to the ID number of the VM of interest. Proxmox won’t be able to download the image with its own agent to the default destination folder because the image is compressed. Instead, open a shell in Proxmox, go to that location, download the image with wget and decompress it with [xz -d image_file.xz].

    Now you are able to import the image into your VM (make sure the VM does not have any disks, to avoid confusion):

    qm importdisk [vm id number] freedombox-bookworm_all-amd64.qcow2 local-lvm

    Back in the Proxmox web UI, select the VM you just created, attach the disk in the Hardware section and then, under Options, make it bootable. After that you can turn on the VM and access its web interface to complete the setup process. Once finished, it’s ready to use and install apps.

    Done.

    Sources:
    https://wiki.debian.org/FreedomBox/Manual

  • USB Mass Storage Devices compatibility – OpenWRT

    To enhance compatibility with USB 3.0 mass storage devices on OpenWRT, you may need to install specific kernel modules and packages. Here are the general steps to maximize compatibility:

    Install USB Support Packages:

    opkg update
    opkg install kmod-usb-core kmod-usb2 kmod-usb-storage

    Install USB 3.0 Driver:

    USB 3.0 support may require additional kernel modules. Install the appropriate package based on your hardware. For many systems, the kmod-usb3 package is relevant:

    opkg install kmod-usb3

    Install File System Support:

    Ensure that your OpenWRT device supports the file systems commonly used by USB storage devices, such as vfat (FAT32) and ext4. Install the relevant file system packages:

    opkg install kmod-fs-vfat kmod-fs-ext4

    Install USB Utilities:

    opkg install usbutils

    Reboot Your OpenWRT Device:

    reboot

    Check for USB Device Recognition:

    lsusb

    With that you should be able to see the device in the list of usb connected devices.

    Keep in mind that the package names and availability may vary based on the specific OpenWRT version and the hardware architecture of your device. Verify the compatibility of packages with your OpenWRT version and target hardware.

    If you encounter issues or have specific hardware requirements, consider checking the OpenWRT forums or documentation for device-specific recommendations and community support.

  • Wake On Lan

    List the interfaces on your system to identify the right one. The ip command shows their names and states.

    ip a

    Run ethtool with the name of the interface that must be configured for Wake on LAN. The output lists the supported modes (Supports Wake-on) and the current setting (Wake-on).

    sudo ethtool [interface]

    To enable WOL on an interface (non-persistent) type:

    sudo ethtool -s [interface] wol g

    To make a persistent change in the interface edit the /etc/network/interfaces.d/eth0 (or modify the global interface config file /etc/network/interfaces):

    auto eth0
    iface eth0 inet dhcp
         ethernet-wol g

    OR

    auto eth0
    iface eth0 inet dhcp
         post-up ethtool -s [interface] wol g

    Another way is to edit the main configuration file and add the following instruction at the end of the file:

    post-up /usr/sbin/ethtool -s [interface] wol g

    The post-up command will trigger the execution of the ethtool command on the selected interface after the interface has been initialized.

    Tools to send the wake-up (magic) packet from another machine include etherwake, wakeonlan and gwakeonlan.

    In the ethtool output, Wake-on: g means that wake on magic packet is enabled (Wake-on: d means it is disabled).

  • Wireguard

    Using WireGuard on Debian involves several steps, including installing the WireGuard package, configuring the interface, and setting up the necessary keys. Here’s a basic guide to help you set up WireGuard on Debian using the command line:

    Install WireGuard:

    Update the package list and install wireguard:

    sudo apt update
    sudo apt install wireguard

    Generate WireGuard Keys:

    Generate a private and public key pair for the server:

    wg genkey | sudo tee /etc/wireguard/privatekey-server | wg pubkey | sudo tee /etc/wireguard/publickey-server

    Generate a private and public key pair for the client:

    wg genkey | sudo tee /etc/wireguard/privatekey-client | wg pubkey | sudo tee /etc/wireguard/publickey-client

    Confirm that the key files are readable only by the root user by checking their permissions: tee creates them with the default umask, so run chmod 600 on them if they are not already restricted.

    Configure WireGuard Server:

    Create a configuration file for the WireGuard interface (in this example /etc/wireguard/wg0-server.conf, so the interface will be called wg0-server) and edit it with your preferred text editor:

    sudo nano /etc/wireguard/wg0-server.conf

    Add the following configuration, replacing placeholders with your actual IP addresses, private keys, and port numbers:

    [Interface]
    Address = 10.0.0.1/24 # Server IP address
    PrivateKey = SERVER_PRIVATE_KEY
    ListenPort = 51820

    [Peer]
    PublicKey = CLIENT_A_PUBLIC_KEY
    AllowedIPs = 10.0.0.2/32 # Client A IP address
    PersistentKeepalive = 25

    [Peer]
    PublicKey = CLIENT_B_PUBLIC_KEY
    AllowedIPs = 10.0.0.3/32 # Client B IP address
    PersistentKeepalive = 25

    Replace SERVER_PRIVATE_KEY, CLIENT_A_PUBLIC_KEY and CLIENT_B_PUBLIC_KEY with the corresponding keys generated earlier.

    Start the WireGuard Server Interface:

    Start the WireGuard interface:

    sudo wg-quick up wg0-server

    Enable the interface to start on boot:

    sudo systemctl enable wg-quick@wg0-server

    Client Configuration:

    Create a configuration file for the client (e.g., /etc/wireguard/wg0-client.conf):

    [Interface]
    Address = 10.0.0.2/32 # Client IP address (as assigned by the server)
    PrivateKey = CLIENT_PRIVATE_KEY

    [Peer]
    PublicKey = SERVER_PUBLIC_KEY
    Endpoint = SERVER_PUBLIC_IP:51820 # A domain name can be used here as well
    AllowedIPs = 10.0.0.0/24 # Allow traffic for the assigned subnet

    Replace CLIENT_PRIVATE_KEY, SERVER_PUBLIC_KEY, and SERVER_PUBLIC_IP with the corresponding keys and server’s public IP or domain name.

    Import the client configuration into the WireGuard client.

    Start the WireGuard Client Interface:

    Start the WireGuard interface:

    sudo wg-quick up wg0-client

    Enable the interface to start on boot:

    sudo systemctl enable wg-quick@wg0-client

    Notes:

    • Adjust firewall settings to allow traffic on the WireGuard port (default is 51820).
    • Adjust routing and forwarding if you want the server to act as a gateway.
    • Always consider security best practices, especially when handling private keys.

    This is a basic setup, and you may need to customize it based on your specific requirements and network topology. Always refer to the official WireGuard documentation for comprehensive details and updates.
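    The following is an added example and not part of the original guide: it creates the key files under a 077 umask so they are never world-readable, and renders the server and client files described above from the generated keys. It assumes the wg tool from the wireguard package and uses the page's directory, addresses and port; the function names are illustrative.

```shell
#!/bin/sh
# Added example (not from the page): WireGuard keys and configs for the setup
# above. Assumes the `wg` binary from the wireguard package. Directory,
# addresses and port are the page's values; function names are illustrative.

WG_DIR=${WG_DIR:-/etc/wireguard}
SERVER_ADDR=10.0.0.1/24
VPN_SUBNET=10.0.0.0/24
LISTEN_PORT=51820

# gen_keypair <name>: write privatekey-<name> and publickey-<name> into WG_DIR.
# The umask makes the files owner-only (0600) at creation time, so there is no
# window in which the private key is world-readable, unlike `wg genkey | tee`.
gen_keypair() {
    (
        umask 077
        wg genkey > "$WG_DIR/privatekey-$1" &&
        wg pubkey < "$WG_DIR/privatekey-$1" > "$WG_DIR/publickey-$1"
    )
}

# render_server_conf <server_private_key> <client_pubkey>=<client_ip> ...
# Prints the [Interface] block followed by one [Peer] block per client.
render_server_conf() {
    priv=$1
    shift
    printf '[Interface]\nAddress = %s\nPrivateKey = %s\nListenPort = %s\n' \
        "$SERVER_ADDR" "$priv" "$LISTEN_PORT"
    for peer in "$@"; do
        pub=${peer%%=*}   # text before the first '='
        ip=${peer#*=}     # text after the first '='
        printf '\n[Peer]\nPublicKey = %s\nAllowedIPs = %s/32\nPersistentKeepalive = 25\n' \
            "$pub" "$ip"
    done
}

# render_client_conf <client_private_key> <client_ip> <server_pubkey> <endpoint_host>
render_client_conf() {
    printf '[Interface]\nAddress = %s/32\nPrivateKey = %s\n\n[Peer]\nPublicKey = %s\nEndpoint = %s:%s\nAllowedIPs = %s\n' \
        "$2" "$1" "$3" "$4" "$LISTEN_PORT" "$VPN_SUBNET"
}

# insecure_key_files: list private key files whose mode is not exactly 0600.
insecure_key_files() {
    find "$WG_DIR" -name 'privatekey-*' ! -perm 600
}

# Full run (needs root and wg): keys for the server and two clients, then both
# config files written with the same owner-only permissions as the keys.
if [ "${1:-}" = "run" ]; then
    umask 077
    gen_keypair server && gen_keypair client-a && gen_keypair client-b
    render_server_conf "$(cat "$WG_DIR/privatekey-server")" \
        "$(cat "$WG_DIR/publickey-client-a")=10.0.0.2" \
        "$(cat "$WG_DIR/publickey-client-b")=10.0.0.3" > "$WG_DIR/wg0-server.conf"
    render_client_conf "$(cat "$WG_DIR/privatekey-client-a")" 10.0.0.2 \
        "$(cat "$WG_DIR/publickey-server")" SERVER_PUBLIC_IP > "$WG_DIR/wg0-client.conf"
    insecure_key_files   # prints nothing when every private key is 0600
fi
```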

  • Debian + Apache + mariadb + letsencrypt + wordpress

    Step 1: Update Your System

    First, make sure your system is up-to-date.

    sudo apt update
    sudo apt upgrade -y

    Step 2: Install Apache

    Install Apache web server.

    sudo apt install apache2 -y

    Enable and start the Apache service.

    sudo systemctl enable apache2
    sudo systemctl start apache2

    Step 3: Install MariaDB

    Install MariaDB server.

    sudo apt install mariadb-server mariadb-client -y

    Secure the MariaDB installation.

    sudo mysql_secure_installation

    Follow the prompts to:

    • Set a root password
    • Remove anonymous users
    • Disallow root login remotely
    • Remove test databases
    • Reload privilege tables

    Step 4: Create a Database for WordPress

    Log into MariaDB.

    sudo mysql -u root -p

    Run the following SQL commands to create a database and a user for WordPress.

    CREATE DATABASE wordpress_db CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
    CREATE USER 'wordpress_user'@'localhost' IDENTIFIED BY 'strong_password';
    GRANT ALL PRIVILEGES ON wordpress_db.* TO 'wordpress_user'@'localhost';
    FLUSH PRIVILEGES;
    EXIT;

    Step 5: Install PHP

    Install PHP and necessary extensions.

    sudo apt install php libapache2-mod-php php-mysql php-mbstring php-xml php-zip php-gd php-curl -y

    Step 6: Configure PHP for Large File Uploads

    Edit the PHP configuration file.

    sudo nano /etc/php/*/apache2/php.ini

    Change the following settings:

    upload_max_filesize = 128M
    post_max_size = 128M
    max_execution_time = 300
    max_input_time = 300

    Step 7: Restart Apache

    After making changes to the PHP configuration, restart Apache.

    sudo systemctl restart apache2

    Step 8: Download and Install WordPress

    Navigate to the web directory /var/www/

    Download the latest version of WordPress.

    wget https://wordpress.org/latest.tar.gz
    tar -xzvf latest.tar.gz
    # or, if you downloaded the zip archive:
    unzip latest.zip
    # rename the wordpress directory to the domain of your website
    mv wordpress mysite.com

    You might want to keep the compressed WordPress file until the next version comes out.

    From here you should be able to open the server’s local IP address in your browser and finish the WordPress installation. If the installer opens but does not connect after you enter the details of the database you just created, you will have to enter that information manually as shown in the next step.

    Step 9: Configure WordPress

    Navigate to folder /var/www/mysite.com and create a WordPress configuration file from the sample file. Make a copy of the sample file and edit the new copy as shown below:

    cp wp-config-sample.php wp-config.php

    Edit the wp-config.php file.

    sudo nano wp-config.php

    Add your database details with the details you chose when you created the database in step 4:

    define('DB_NAME', 'wordpress_db');
    define('DB_USER', 'wordpress_user');
    define('DB_PASSWORD', 'strong_password');
    define('DB_HOST', 'localhost');

    Step 10: Set Permissions

    Set proper ownership and permissions for the WordPress files or, for this purpose, for the whole /var/www directory.

    sudo chown -R www-data:www-data /var/www/
    sudo find /var/www/ -type d -exec chmod 750 {} \;
    sudo find /var/www/ -type f -exec chmod 644 {} \;

    Step 11: Enable Apache Rewrite Module

    Enable the rewrite module.

    sudo a2enmod rewrite

    Step 12: Disable the default Apache website

    sudo a2dissite 000-default.conf

    Step 13: Restart Apache Again

    Restart Apache to apply all changes.

    sudo systemctl restart apache2

    Step 14: Complete WordPress Installation

    Open a web browser and navigate to your server’s IP address. Follow the on-screen instructions to complete the WordPress installation.

    Step 15: Secure Your Server

    1. Install UFW (Uncomplicated Firewall)

    sudo apt install ufw -y
    sudo ufw allow 22
    sudo ufw allow 80
    sudo ufw allow 443
    sudo ufw enable

    2. Configure SSL with Let’s Encrypt

    If you have a domain name, purchased or free, here is how to get the certificates from Let’s Encrypt. First make sure your public IP address is mapped to the server running Apache. You also need to create at least a basic configuration file for mysite.com.

    Navigate to /etc/apache2/sites-available. Create and edit the configuration for mysite.com file by copying the following lines:

    nano mysite.com.conf

    <VirtualHost *:80>
           ServerName mysite.com
           Redirect permanent / https://mysite.com/
           RewriteEngine on
           RewriteCond %{SERVER_NAME} =mysite.com
           RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
    </VirtualHost>
    
    <VirtualHost *:443>
           ServerName mysite.com
    
           DocumentRoot /var/www/mysite.com
    
           <Directory /var/www/mysite.com>
               Options Indexes FollowSymLinks
               AllowOverride All
               Require all granted
           </Directory>
    
           # SSLEngine on
           # SSLCertificateFile /etc/letsencrypt/live/mysite.com/fullchain.pem
           # SSLCertificateKeyFile /etc/letsencrypt/live/mysite.com/privkey.pem
           # Include /etc/letsencrypt/options-ssl-apache.conf
    </VirtualHost>
    

    NOTE: I’ve left the SSL lines commented because reloading the Apache service in the next step would fail while the certificates are not yet present. Running certbot --apache adds the necessary lines to the configuration file automatically. If you do not want Apache to list the contents of directories that have no index file, change Options Indexes to Options -Indexes in the Directory block.

    Enable the site:

    sudo a2ensite mysite.com.conf

    Reload apache

    sudo systemctl reload apache2.service

    Install Certbot.

    sudo apt install certbot python3-certbot-apache -y

    Obtain an SSL certificate.

    sudo certbot --apache
    Or
    
    sudo certbot certonly --apache -d mywebsite.com

    Follow the prompts to set up HTTPS.

    3. Regular Updates and Backups

    Set up a cron job for automatic updates.

    sudo crontab -e

    Add the following line for daily updates:

    @daily apt-get update && DEBIAN_FRONTEND=noninteractive apt-get upgrade -y

    Happy Blogging!

  • Haproxy.cfg configuration for acme challenge – openwrt

    Updated configuration file for haproxy in openwrt. The acme-challenge was improved by having dedicated acls for each webserver containing a list of their own domains to redirect certbot traffic to another dedicated backend where those domains get their ssl certificates. Normal https traffic is redirected to individual backends.

    global
            daemon
            nosplice
    
    defaults
            log global
            mode http
            option httplog
            log 127.0.0.1:514 local0
            log /var/log/haproxy.log local0
            timeout client 30s
            timeout connect 30s
            timeout server 30s
    
    frontend stats
            bind *:9000  # You can choose any port you prefer
            mode http
            stats enable
            stats uri /haproxy  # You can customize the URI path
            stats realm HAProxy\ Statistics
            stats auth username:password  # Choose a secure username and password
    
    frontend http_in
            mode http
            option httplog
            bind *:80
    
            # Rate limiting
            stick-table type ip size 1m expire 10m store conn_cur,gpc0
            http-request track-sc0 src
            http-request deny if { src_conn_cur gt 100 }  # Limit to 100 concurrent connections per IP
    
            # Allow ACME challenge requests to bypass redirect
            acl acme_challenge path_beg /.well-known/acme-challenge/
            acl webserver_A_hosts hdr(host) -i site.one site.two
            acl webserver_B_hosts hdr(host) -i site.three site.four
    
            http-request redirect scheme https unless acme_challenge
            use_backend acme_backend_A if acme_challenge webserver_A_hosts
            use_backend acme_backend_B if acme_challenge webserver_B_hosts
    
            option forwardfor
            # Enhanced security headers
            http-response add-header Strict-Transport-Security max-age=31536000;\ includeSubDomains;\ preload
            http-response add-header Content-Security-Policy default-src\ 'self'
            http-response add-header X-Content-Type-Options nosniff
            http-response add-header X-Frame-Options DENY
            http-response add-header X-XSS-Protection "1; mode=block"
    
    frontend https_in
            mode tcp
            option tcplog
            bind *:443
            acl tls req.ssl_hello_type 1
            tcp-request inspect-delay 5s
            tcp-request content accept if { req_ssl_hello_type 1 }
    
            # Track session data for rate limiting
            stick-table type ip size 100k expire 30m
            tcp-request content track-sc0 src
            # Use backend based on SNI
            use_backend %[req_ssl_sni,lower,word(1,:)]_tls
    
    # Backend for ACME challenges
    backend acme_backend_A
            mode http
            option httpchk
            default-server inter 3s fall 3 rise 2
            server webserver_A 192.168.1.10:80 check
    
    backend acme_backend_B
            mode http
            option httpchk
            default-server inter 3s fall 3 rise 2
            server webserver_B 192.168.3.10:80 check
    
    # Normal HTTPS traffic to backends
    
    backend site.one_tls
            mode tcp
            option ssl-hello-chk
            server site.one 192.168.1.154:443 check
    
    backend site.two_tls
            mode tcp
            option ssl-hello-chk
            server site.two 192.168.1.55:443 check
    
    backend site.three_tls
            mode tcp
            option ssl-hello-chk
            server site.three 192.168.3.77:443 check

    Explanation of Configuration:

    • Global Section: Configures global parameters for HAProxy. daemon allows HAProxy to run in the background, while nosplice prevents it from splicing connections, which can help with HTTP processing.
    • Defaults Section: Sets default logging options, timeout settings for client connections, server responses, and logs to both a remote syslog server and a local log file.
    • Frontend stats: Provides a web interface for HAProxy statistics, requiring a username and password for access. This helps administrators monitor traffic and performance.
    • Frontend http_in: Handles incoming HTTP requests, implements rate limiting to prevent abuse, and manages redirects to HTTPS while allowing certain paths (like ACME challenges) to bypass this redirection.
    • Frontend https_in: Manages incoming HTTPS traffic in TCP mode, utilizing SSL/TLS features. It inspects SSL handshakes to route requests based on the SNI field, allowing flexibility for multiple domains.
    • Backends: Each backend corresponds to a specific service or site. Health checks are configured to ensure that requests are only routed to healthy servers, and different backends are used based on the requested hostname or path.
    • Security Headers: Adding security headers helps to protect against various web vulnerabilities, such as clickjacking and XSS, enhancing the security of the web applications served.
    • Forwarding Client IPs: The option forwardfor directive in the http_in frontend makes HAProxy append the original client’s IP address to the X-Forwarded-For header. This preserves client visibility for backend servers, which helps logging, analytics and any functionality that relies on the original client IP. Keep it enabled if your backend services need access to client IP information.
  • sshuttle – Transparent proxy server for VPN over SSH

    To create a hassle-free VPN connection to a remote server you need to expose port 22 on the target device. In these examples it is assumed that the remote server is either your edge device, directly connected to an edge device (like a main router) and in a DMZ, or receiving forwarded ssh traffic from your edge device.

    First, start a ssh tunnel session with the edge machine:

    sshuttle -r [user@ipaddress(edge-device)] [192.168.5.0/24 (internal server's subnet)] --dns

    For an ssh port other than the default 22, type:

    sshuttle -r [user@ipaddress(edge-device):port] [192.168.5.0/24 (internal server's subnet)] --dns

    You will be asked for your local user’s password and then the password of the user on the edge device to create the VPN connection. Once that’s done, the message “Connected to server” should be shown. From here on, you can open a web browser and type the local IP address of an internal device that belongs to the subnet you specified in the previous command. For example, a Proxmox administration web UI behind the router becomes accessible without having to configure port forwarding in the router (edge device). You can log in securely without exposing this internal server to the internet. The --dns flag avoids leaking your DNS requests to your ISP by forcing them through the created tunnel.

    The --dns option in sshuttle is used to capture and forward DNS traffic through the SSH tunnel. When you include the --dns option in your sshuttle command, it means that DNS queries originating from your local machine will also be routed through the established SSH tunnel.

    Here is another variant which allows you to specify a desired network interface.

    sshuttle -r user@ssh_server_ip_or_hostname 192.168.5.0/24 -i enp9s0 --dns
    • -r user@ssh_server_ip_or_hostname: Specifies the remote SSH server.
    • 192.168.5.0/24: Specifies the target subnet you want to route through the SSH tunnel.
    • -i enp9s0: Specifies the network interface you want to capture traffic from.
    • --dns: Specifies that DNS traffic should also be routed through the tunnel.

    Including the --dns option is particularly useful if you want to ensure that DNS queries are encrypted and go through the same secure connection as your other network traffic. This can be relevant for privacy and security considerations.

    Keep in mind that when using --dns, it may affect your ability to resolve DNS queries locally if the DNS server on the remote network is not reachable or not configured correctly. Ensure that the DNS server specified in the remote network is accessible and properly configured.

  • Configure partition table, format and auto mount disks. MBR – EXT4

    Connect the External HDD: Ensure that your external HDD is connected to your Debian system.

    Identify the Device: Use the lsblk or fdisk -l command to identify the device name of your external HDD. It will typically be something like /dev/sdX, where X is a letter assigned to the drive.

    lsblk

    Partition the Drive with MBR: Use the fdisk command to create an MBR partition on the external HDD.

    sudo fdisk /dev/sdX

    Once inside the fdisk program do the following:

    Create the ext4 Filesystem: After creating the partition, use the mkfs.ext4 command to create an ext4 filesystem.

    mkfs.ext4 /dev/sdX1

    Replace /dev/sdX1 with the actual partition identifier you created in the previous step.

    Label the Filesystem (Optional): You can optionally label the ext4 filesystem for easier identification. Replace NEW_LABEL with the desired label for your filesystem. That can for example be the model of the hard disk or it’s purpose.

    e2label /dev/sdX1 NEW_LABEL

    Mount the Filesystem: Create a directory where you want to mount the hard disk and mount the filesystem.

    sudo mkdir /media/LABEL
    sudo mount /dev/sdX1 /media/LABEL

    Adjust the mount point (/media/LABEL) according to your preference.

    Now, your external HDD should be formatted with MBR and have an ext4 filesystem. If you want the drive to be automatically mounted on boot, you may need to add an entry to the /etc/fstab file, which is shown below.

    Automounting disk with fstab

    Identify the UUID of the Partition: Use the blkid command to identify the UUID of the partition on your external HDD. The UUID uniquely identifies the partition, and using it in /etc/fstab helps avoid issues if the disk order changes.

    Replace /dev/sdX1 with the actual partition identifier.

    sudo blkid /dev/sdX1

    Take note of the UUID value without the quotes (not the PTUUID or PARTUUID fields, which identify the partition table and partition rather than the filesystem). It should look something like this: c381c2aa-044b-415a-b901-2a6a374b2591.

    Edit the /etc/fstab file: Open the /etc/fstab file in a text editor using a command like sudo nano or sudo vim. Add a new line with the following information:

    UUID=your_partition_uuid /media/LABEL ext4 defaults 0 2

    Replace your_partition_uuid with the UUID you obtained in the first step, and adjust the mount point (/media/LABEL) if needed. Example using nano:

    sudo nano /etc/fstab

    Add the line to automount the disk with default values:

    UUID=c381c2aa-044b-415a-b901-2a6a374b2591 /media/LABEL ext4 defaults 0 2

    Or with more specific options:

    UUID=c381c2aa-044b-415a-b901-2a6a374b2591 /media/LABEL ext4 rw,relatime,nofail,errors=remount-ro 0 2
    1. rw:
      • Stands for “read-write.”
      • This option allows both read and write operations on the filesystem. It specifies that the filesystem should be mounted with read and write permissions.
    2. relatime:
      • This option stands for “relative atime.”
      • With relatime, the access time of files is updated only if the current access time is earlier than the modification time or the inode creation time. It’s an optimization over the traditional atime update mechanism, helping to reduce write operations to the filesystem.
    3. nofail:
      • This option indicates that if the filesystem cannot be mounted, the failure should not be considered fatal to the system boot process. If the device is not present or there are issues with the filesystem, the system will continue booting without the specified filesystem being mounted.
    4. errors=remount-ro:
      • Specifies the action to be taken in case of errors on the filesystem.
      • If errors are encountered, the filesystem will be remounted in read-only mode (ro). This is a safety measure to prevent further potential damage and data loss in case of filesystem errors.
    5. 0 2:
      • These are the dump and pass fields, respectively.
        • The dump field (0) indicates whether the filesystem should be backed up using the dump command. A value of 0 means no automatic backup.
        • The pass field (2) is used by the fsck command to determine the order in which filesystems are checked at boot time. A value of 2 typically means the filesystem will be checked after the root filesystem.

    In summary, the options in your /etc/fstab entry specify that the filesystem should be mounted with read-write permissions, use relative atime for optimization, not be considered critical for system boot (nofail), remount in read-only mode in case of errors, and be checked after the root filesystem during the boot process.

    Create the Mount Point (if not already created): If you haven’t created the mount point earlier, create it using:

    sudo mkdir /media/LABEL

    Mount All Filesystems in /etc/fstab: To mount all filesystems listed in /etc/fstab, you can use the following command:

    sudo mount -a

    To auto mount as a non root user

    To automount a disk with specific user permissions using /etc/fstab, you can utilize the user and noauto options along with the uid, gid, and umask options.

    1. Determine the UID and GID of the user you want to mount the disk as. You can find this information by running the following commands:

    id -u username
    id -g username

    2. Determine the UUID of the disk you want to mount. You can find this information using the blkid command:

    sudo blkid

    3. Edit the /etc/fstab file using a text editor and add a line like the following:

    UUID=your_disk_uuid /mnt/mount_point filesystem defaults,user,noauto,uid=your_user_id,gid=your_group_id,umask=022 0 0
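
    The following is an added example, not part of the original notes, covering both the UUID-based automount entry above and the non-root user variant. It pulls the filesystem UUID out of a blkid line (rejecting the PTUUID of a whole disk, which is a different identifier), builds the six-field fstab line, and checks a copy of an existing fstab for a duplicate UUID or mount point before anything is appended. All inputs (the blkid lines, the fstab text, the /media/DATA mount point) are constructed sample data, and nothing here writes to the real /etc/fstab. One caveat worth knowing for the user-mount variant: the uid, gid and umask options only take effect on filesystems without Unix ownership such as vfat or ntfs; ext4 stores its own owners and permissions and ignores them.

```shell
#!/bin/sh
# Added example (not from the original notes): build and sanity check an
# /etc/fstab entry from blkid output. All inputs below are constructed strings;
# the real /etc/fstab is never read or written.

# Print the filesystem UUID from one line of `blkid /dev/sdX1` output.
# Only the " UUID=" field matches: PTUUID= (partition table id) and PARTUUID=
# (partition id) are different values and must not be used in fstab.
# Returns non-zero when the line carries no UUID= field at all.
blkid_uuid() {
    printf '%s\n' "$1" | sed -n 's/.* UUID="\([^"]*\)".*/\1/p' | grep .
}

# A filesystem UUID is 8-4-4-4-12 lowercase hex. The short 8-hex PTUUID of an
# MBR disk (as in the notes' example) fails this check on purpose.
is_fs_uuid() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Mount options for the user/noauto variant from the notes. uid/gid/umask only
# apply to filesystems without Unix ownership (vfat, ntfs); ext4 ignores them.
user_mount_options() {
    printf 'defaults,user,noauto,uid=%s,gid=%s,umask=022\n' "$1" "$2"
}

# Assemble the six fstab fields: UUID, mount point, type, options, dump, pass.
fstab_line() {
    is_fs_uuid "$1" || { echo "fstab_line: '$1' is not a filesystem UUID" >&2; return 1; }
    printf 'UUID=%s %s %s %s %s %s\n' "$1" "$2" "$3" "$4" "$5" "$6"
}

# Does an existing fstab (passed as text) already reference this UUID or this
# mount point? Returns 0 (true) on a conflict. A duplicate entry makes
# `mount -a` mount one device twice or shadow the other entry.
fstab_conflicts() {
    # $1: fstab contents, $2: uuid, $3: mount point
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | \
        awk -v u="UUID=$2" -v m="$3" \
            'NF >= 2 && ($1 == u || $2 == m) { found = 1 } END { exit !found }'
}

# --- constructed sample data (what blkid and /etc/fstab might show) ---------
SAMPLE_PART='/dev/sdb1: LABEL="DATA" UUID="c381c2aa-044b-415a-b901-2a6a374b2591" BLOCK_SIZE="4096" TYPE="ext4" PARTUUID="1a2b3c4d-01"'
SAMPLE_DISK='/dev/sdb: PTUUID="1a2b3c4d" PTTYPE="dos"'
SAMPLE_FSTAB='# /etc/fstab: static file system information.
UUID=11111111-2222-3333-4444-555555555555 / ext4 errors=remount-ro 0 1
UUID=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee /boot/efi vfat umask=0077 0 1'

# End-to-end: extract the UUID, make sure the whole-disk line is rejected,
# check for conflicts, then print the line that would be appended to fstab.
demo() {
    uuid=$(blkid_uuid "$SAMPLE_PART") || return 1
    if blkid_uuid "$SAMPLE_DISK" >/dev/null; then
        echo "unexpected: whole-disk line yielded a filesystem UUID" >&2
        return 1
    fi
    if fstab_conflicts "$SAMPLE_FSTAB" "$uuid" /media/DATA; then
        echo "refusing: UUID or mount point already present in fstab" >&2
        return 1
    fi
    fstab_line "$uuid" /media/DATA ext4 rw,relatime,nofail,errors=remount-ro 0 2
}

demo
```

    Run the script as a normal user; the printed line is the candidate entry, which you would then review and append with sudo. To produce the non-root variant instead, pass "$(user_mount_options "$(id -u username)" "$(id -g username)")" as the options argument of fstab_line.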
  • Easy WAN-LAN speed test over cli

    The following two Debian tools make it very easy to accurately measure your internet connection speed as well as the speed inside your LAN.

    Measuring internet connection speed

    sudo apt install speedtest-cli

    Run it by typing:

    speedtest-cli

    Measuring LAN connection speed

    sudo apt install iperf3

    Run the server in one device which will be listening for the client to establish a connection.

    iperf3 -s

    In your other network device install iperf3 and run the client against the server:

    iperf3 -c [server's ip address]

    Results should show up promptly.