15 May 2020
Let's think about a little scenario here:
You already have an infrastructure to build and deploy Debian packages.
And Debian packages are your main way of distributing things.
Your internal Python project is obviously also packaged as a Debian package.
But not all of the needed dependencies are available in the official package repositories.
What now? We need to package some Python packages ourselves!
Which is surprisingly straightforward.
First you need stdeb and devscripts:
sudo apt-get install python3-stdeb devscripts
Then you need to find the git repo of the missing Python dependency.
Most pip packages have the official repository linked somewhere.
After cloning, most of the work is done by stdeb.
We can run setup.py like this:
python3 setup.py --command-packages=stdeb.command debianize
This will create the debian folder and most of the configuration.
A few changes I usually make: change the format from quilt to git in debian/source/format.
The second thing we need to do by hand is update the Build-Depends: in debian/control.
At least add git-core and all the Python packages needed to build and test the package.
To get an idea what these could be, check install_requires and tests_require in setup.py.
Install all build dependencies by hand or use mk-build-deps.
And test build it with:
Last but not least I like to add some tmp files to .gitignore
.
.pybuild/
debian/debhelper-build-stamp
debian/files
debian/<PKG-NAME>.debhelper.log
debian/<PKG-NAME>.postinst.debhelper
debian/<PKG-NAME>.prerm.debhelper
debian/<PKG-NAME>.substvars
debian/<PKG-NAME>/
That's it, write your Jenkins/GitLab/whatever CI script to build and publish your newly created Debian package.
23 Apr 2020
This is how I configured my OpenVPN site-to-site tunnel between a MikroTik hEX S and my apu4c2 running OPNsense.
The setup looks something like this:
                               +--------------+
                               |              |
                            +->+ The Internet +<-+
                            |  |              |  |
                            |  +--------------+  |
                            |                    |
                            |                    |
+---------------------------+--+            +----+------------------------------+
| OPNsense (acting as server)  |            | MikroTik hEX S (acting as client) |
|                              |            |                                   |
| IP: 192.168.1.0/24           |            | IP: 192.168.2.0/24                |
| DDNS: opnsense.example.com   |            | DDNS: mikrotik.example.com        |
+------------------------------+            +-----------------------------------+
OPNsense server configuration
Let's start by setting up the OPNsense part, which will act as the server.
Certificate
First we need to create certificates under System > Trust > Authorities.
There we can create a new CA to self-sign certificates for your server and client.
With the new CA we can create 2 certificates in System > Trust > Certificates.
Hint: Think about the lifetime of these certificates,
the default of 2 years was not enough for me.
And plan to rotate the CA, client and server certificate before they expire.
The first certificate we create is the one for the OpenVPN server.
The important options for the server cert are:
Method: Create an internal Certificate
Certificate authority: the one you just created
Type: Server Certificate
Common Name: opnsense.example.com
The second certificate we will create is the client certificate.
The important options are:
Method: Create an internal Certificate
Certificate authority: the one you just created
Type: Client Certificate
Common Name: mikrotik.example.com
-> Export it in .p12 format; we will use this later!
OpenVPN server
The next step is to set up an OpenVPN server.
Luckily for us OPNsense provides OpenVPN out of the box.
So we just go to VPN > OpenVPN > Servers and configure an OpenVPN server.
The important options are:
Server Mode: Peer to Peer (SSL/TLS)
Protocol: TCP
Peer Certificate Authority: the CA you created
Server Certificate: the server cert
Encryption algorithm: AES-256-CBC (256 bit key, 128 bit block)
Auth Digest Algorithm: SHA1 (160-bit)
IPv4 Tunnel Network: 10.0.8.0/24 (or a other unused IP range)
IPv4 Local Network: 192.168.1.0/24
IPv4 Remote Network: 192.168.2.0/24
Compression: No Preference
The last thing is to ensure that OpenVPN creates an internal route (an iroute) for the client's network.
Without this OpenVPN would drop the packets coming from our client (see the OpenVPN FAQ).
To do this we need to create a client specific override in VPN > OpenVPN > Client Specific Overrides.
The important options are:
Common name: mikrotik.example.com (needs to match your client certificate)
IPv4 Local Network: 192.168.1.0/24
IPv4 Remote Network: 192.168.2.0/24
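For reference, the same server and override settings expressed in plain OpenVPN configuration syntax. This is an added example, not what OPNsense writes to /var/etc/openvpn verbatim; port 1194 and the certificate paths are assumptions. The TCP, AES-256-CBC and SHA1 choices follow what the RouterOS 6 client on the other end accepts, and the interesting part is the last line: the client specific override becomes an iroute, which is what stops the server from discarding packets with a 192.168.2.0/24 source address.

```conf
# Server side (OPNsense), plain OpenVPN syntax for the GUI values above
mode server
tls-server
proto tcp-server
port 1194                               # assumed; the port your WAN firewall rule must allow
dev tun
server 10.0.8.0 255.255.255.0           # IPv4 Tunnel Network
ca   /path/to/ca.crt                    # Peer Certificate Authority
cert /path/to/opnsense.example.com.crt  # Server Certificate
key  /path/to/opnsense.example.com.key
dh   /path/to/dh.pem
cipher AES-256-CBC                      # Encryption algorithm
auth SHA1                               # Auth Digest Algorithm
push "route 192.168.1.0 255.255.255.0"  # IPv4 Local Network, pushed to the client
route 192.168.2.0 255.255.255.0         # IPv4 Remote Network: kernel route into the tunnel
client-config-dir /path/to/ccd          # where the Client Specific Override ends up
# no comp-lzo: Compression "No Preference"

# ccd/mikrotik.example.com, i.e. the Client Specific Override (file name = client CN)
iroute 192.168.2.0 255.255.255.0        # this client owns 192.168.2.0/24
```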
Last but not least you need to think about the firewall settings.
You need a rule that allows TCP traffic on your WAN interface to the OpenVPN server port.
And by default all traffic from OpenVPN would be dropped,
so you need a rule on the OpenVPN interface similar to the one on your LAN interface,
where you either allow all traffic or create specific rules for your site-to-site connection.
MikroTik client configuration
If you haven't already, download the client certificate as .p12.
Why? So disappointing. But you can still do that on your OPNsense in System > Trust > Certificates.
OpenVPN client
Now we can import the client certificate.
To do this you need to upload it to Files.
Then it is available in System > Certificates, where you can click Import and select it.
After that you should have 2 new certificates in System > Certificates ending in p12_0 and p12_1. (You can rename them if you want.)
With that out of the way we can configure our OpenVPN client in PPP.
Click on Add New > OVPN Client.
The important options are:
Connect To: opnsense.example.com
User: (doesn't matter but can not be empty)
Certificate: (the one with .p12_0)
Auth: sha1
Cipher: aes 256
(Update: updated params)
Logs & Debugging
No matter how hard I try, usually something is not working.
This is why this section exists.
These are a few tips on how to figure out why and what is not working in this setup.
MikroTik
By default there are not many logs.
To enable debug logs:
/system logging add topics=ovpn,debug
OPNsense
On the server side I like to run the process by hand to see all output directly on stdout.
To do that we need to be root.
To find the correct process we can do this:
# ps aux | grep openvpn
root 61373 0.0 0.3 1061388 6192 - Ss 7Mar20 0:50.15 /usr/local/sbin/openvpn --config /var/etc/openvpn/client2.conf
root 79177 0.0 0.4 1061388 7152 - Ss 22:33 0:08.81 /usr/local/sbin/openvpn --config /var/etc/openvpn/server3.conf
As you can see I have 2 OpenVPN processes running, but only one of them is
started with a server config, so this is the process I'm interested in.
Now that we know that our config file is /var/etc/openvpn/server3.conf,
we can stop the OpenVPN server in the UI.
Open the config file and remove the daemon line from it.
Now we are ready to start the process by hand:
/usr/local/sbin/openvpn --config /var/etc/openvpn/server3.conf
This way you see all logs on the console instantly.
Versions
These are the versions I used at the time of writing this post.
OPNsense:
OPNsense 20.1.2-amd64
FreeBSD 11.2-RELEASE-p17-HBSD
LibreSSL 3.0.2
MikroTik hEX S:
RouterOS v6.45.8 (long-term)
Thanks
And a special thanks to @gmanual,
who created a similar setup with pfSense.
And to lewish for creating asciiflow.
29 Mar 2020
I am in the fortunate situation to have a fiber7 line directly to my home.
This unfortunately means goodbye to my apu4d2 board from pcengines,
because I couldn't figure out why the performance was capped at ~300 Mbps.
And there is no way to connect an SFP module to an apu board without a media converter,
which is an extra device, meaning an extra thing which can fail.
So I asked @wauwuff for recommendations on what to get.
And this is why I got the MikroTik hEX S.
Here are the specs I was most excited about:
- first of all @wauwuff promised me that it would deliver 1 Gbit/s
- Passive PoE out port, up to 57V
- SFP port
- price point
What this means for me is that I can reduce from router, PoE injector and media converter to
just one device, the hEX S.
The Good
The hardware is amazing. Don't get me wrong, it is a plastic box.
If you are not the type to get excited by a plastic box, don't get your hopes up.
But it is a plastic box which delivered on all the things I hoped it would.
Most important of all, it is capable of 1 Gbit/s.
The Bad
For some reason I wasn't able to connect to the router because the password wasn't reset properly.
The bright side of that? It's time to figure out how the reset works.
Which is not that hard if you can follow written instructions (Netinstall).
Obviously I failed my first 2 attempts. Because reading is hard.
One big downside of this process for me is that it is Windows software.
The Ugly
The software, with one small exception.
DDNS was super easy to setup.
/ip cloud set ddns-enabled=yes
/ip cloud print
Everything else was and is a pain to set up and configure.
The software UX is less than ideal.
The problem is not the UI, which is not pretty, but who cares.
What do I mean by this?
Mostly the software is built around functions and not workflows.
Let's take OpenVPN as an example: to set it up you need to navigate
through at least 3 sub-menus.
This is on top of an OpenVPN implementation which is very limited:
no UDP, no LZO compression and limited cryptography support.
In general many things which should be in the same place are very disconnected.
And then there are minor issues.
I needed to force PoE to power my Ubnt access point like this:
/interface ethernet poe set ether5 poe-out=forced-on
As well as the terminal, which has a weird auto-completion feature
that completes without pressing Tab.
30 Aug 2019
This is a continuation of Podcasting With Pulse.
Building darkice
Years ago when I first compiled darkice it was complicated to get
it compiled and running with mp3 support.
Amazingly darkice still exists and it's easier than ever to compile
it with mp3 support.
The first step is to get the latest version (darkice-1.5.tar.gz)
from www.darkice.org and unpack it.
tar xf ~/Downloads/darkice-1.5.tar.gz -C .
And to get it with mp3 support just install the headers.
sudo dnf install gcc gcc-c++ lame-devel pulseaudio-libs-devel
And then build it.
(Make sure you see something like checking for lame library at /usr ... found at /usr
and checking for libpulse-simple libpulse... yes on configure.)
./configure
make
make install
Start a stream
And to make life even simpler I created 2 scripts to setup the interfaces and start the stream.
setup-stream.sh
#!/bin/sh
pactl load-module module-remap-source master=alsa_input.usb-Focusrite_Scarlett_Solo_USB-00.analog-stereo master_channel_map=front-left,front-right channels=2 channel_map=mono,mono
pactl load-module module-null-sink sink_name=stream sink_properties=device.description="Streaming"
pactl load-module module-loopback source=alsa_output.usb-Focusrite_Scarlett_Solo_USB-00.analog-stereo.monitor sink=stream latency_msec=1
pactl load-module module-loopback source=alsa_input.usb-Focusrite_Scarlett_Solo_USB-00.analog-stereo.remapped sink=stream latency_msec=1
start-stream.sh
#!/bin/sh
darkice -c stream.cfg
Now podcasting is just:
./setup-stream.sh
./start-stream.sh
27 May 2019
I read How to enable Core Performance Boost on AMD platforms?,
which led me to the question whether I had upgraded my apu board BIOS.
And the answer is a conclusive maybe.
So here are the steps to upgrade an apu board BIOS
on OPNsense (or basically any FreeBSD).
To check the current BIOS version there is a tool called dmidecode.
# dmidecode -t bios
Scanning /dev/mem for entry point.
SMBIOS 2.7 present.

Handle 0x0000, DMI type 0, 26 bytes
BIOS Information
        Vendor: coreboot
        Version: v4.9.0.3
        Release Date: 03/08/2019
        ROM Size: 8192 kB
        Characteristics:
                PCI is supported
                PC Card (PCMCIA) is supported
                BIOS is upgradeable
                Selectable boot is supported
                ACPI is supported
                Targeted content distribution is supported
        BIOS Revision: 4.9
        Firmware Revision: 0.0
The next step is to check https://pcengines.github.io/ for new BIOS versions.
It is very important to download the BIOS version which matches your hardware version.
And then just one flashrom command is needed (this needs root permissions):
# pkg install flashrom
# fetch https://3mdeb.com/open-source-firmware/pcengines/apu3/apu3_v4.9.0.5.rom
# flashrom -w apu3_v4.9.0.5.rom -p internal
flashrom v1.0 on FreeBSD 11.2-RELEASE-p9-HBSD (amd64)
flashrom is free software, get the source code at https://flashrom.org
Using clock_gettime for delay loops (clk_id: 4, resolution: 2ns).
coreboot table found at 0x7eed0000.
Found chipset "AMD FCH".
Enabling flash write... OK.
Found Winbond flash chip "W25Q64.V" (8192 kB, SPI) mapped at physical address 0x00000000ff800000.
Reading old flash chip contents... done.
Erasing and writing flash chip... Erase/write done.
Verifying flash... VERIFIED.
Now you can reboot and enjoy your new bios!
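As an added example (not from the post), a small pre-flight check in Python covering the steps above: it parses the dmidecode -t bios output, decides whether the downloaded version is actually newer, and refuses an image whose size does not match the ROM Size dmidecode reports or whose SHA-256 differs from the digest you take from the download page (assumed to be published there). A truncated or swapped image is exactly what you do not want flashrom to write to the chip.

```python
import hashlib
import os
import re

# `dmidecode -t bios` output as shown in the post (the fields this check uses).
DMIDECODE_BIOS = """\
BIOS Information
        Vendor: coreboot
        Version: v4.9.0.3
        Release Date: 03/08/2019
        ROM Size: 8192 kB
"""

def parse_bios_info(text):
    """Pull Vendor, Version and ROM Size (as an int in kB) out of dmidecode output."""
    info = {}
    for key in ("Vendor", "Version", "ROM Size"):
        m = re.search(r"^\s*%s:\s*(.+?)\s*$" % re.escape(key), text, re.M)
        if m:
            info[key] = m.group(1)
    info["rom_kb"] = int(info["ROM Size"].split()[0])
    return info

def version_tuple(version):
    """'v4.9.0.3' -> (4, 9, 0, 3), so v4.10 sorts after v4.9 (a string compare would not)."""
    return tuple(int(part) for part in version.lstrip("v").split("."))

def upgrade_available(current, candidate):
    """True when the candidate ROM version is newer than what dmidecode reports."""
    return version_tuple(candidate) > version_tuple(current)

def check_rom_file(path, rom_kb, expected_sha256):
    """Refuse to flash an image that is not exactly the chip size or whose SHA-256
    differs from the digest published next to the download (assumed to be available)."""
    size = os.path.getsize(path)
    if size != rom_kb * 1024:
        return False, "size is %d bytes, expected %d" % (size, rom_kb * 1024)
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    if digest.hexdigest() != expected_sha256.lower():
        return False, "sha256 mismatch, do not flash"
    return True, "ok"
```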
A common issue is that the mainboard tag does not match
the tag in the rom file:
This coreboot image (PC Engines:apu3) does not appear to
be correct for the detected mainboard (PC Engines:PCEngines apu3).
Aborting. You can override this with -p internal:boardmismatch=force.
If that happens make sure you downloaded the right rom file and then force it:
# flashrom -w apu3_v4.9.0.3.rom -p internal:boardmismatch=force
flashrom v1.0 on FreeBSD 11.2-RELEASE-p9-HBSD (amd64)
flashrom is free software, get the source code at https://flashrom.org
Using clock_gettime for delay loops (clk_id: 4, resolution: 2ns).
coreboot table found at 0x77fae000.
Found chipset "AMD FCH".
Enabling flash write... OK.
Found Winbond flash chip "W25Q64.V" (8192 kB, SPI) mapped at physical address 0x00000000ff800000.
This coreboot image (PC Engines:apu3) does not appear to
be correct for the detected mainboard (PC Engines:PCEngines apu3).
Proceeding anyway because user forced us to.
Reading old flash chip contents... done.
Erasing and writing flash chip... Erase/write done.
Verifying flash... VERIFIED.