
Setting up WireGuard VPN on UniFi Dream Machine Pro (UDM Pro)

Having access to my home network from anywhere is the key to having my arsenal on demand. Be it for a quick look at a text file on my PC, or to remotely troubleshoot my devices, I should be able to access them when the time comes. But accessibility comes with a significant security risk. No one should ever expose their private network without any layer of security. Most successful attacks I have seen originating from the internet are due to low security or no security at all.

It is advisable to have some layer of security to mitigate the risk and implement a layer 2 VPN for the connection. I have used OpenVPN previously, but WireGuard is all the buzz now. My setup is very simple: I will be setting up my UDM Pro as the WireGuard server and my phones as the clients.

Before you proceed, you must have a good understanding of networking to be able to understand how and why the configuration is done as it is. This diagram visualizes my setup.

Installing WireGuard Kernel Mode for UDM Pro

Open an SSH connection to your UDM Pro and download the latest wireguard-kmod. Please check the link below if you do not know how to enable SSH on the UDM Pro.

UniFi – UDM: How to Login to the Dream Machine using SSH

You can download the files from here https://github.com/tusc/wireguard-kmod/releases

# curl -LJo wireguard-kmod.tar.Z https://github.com/tusc/wireguard-kmod/releases/download/v5-28-21/wireguard-kmod-05-28-21.tar.Z

When the download completes, run this to extract the contents to /mnt/data

# tar -C /mnt/data -xvzf wireguard-kmod.tar.Z

Once the extraction is complete, cd into /mnt/data/wireguard and run the setup_wireguard.sh script.

# ./setup_wireguard.sh
loading wireguard...

This basically symlinks the wg binaries and /etc/wireguard and loads the kernel modules. You should see something like this in dmesg.

wireguard: WireGuard 1.0.20210219 loaded. See www.wireguard.com for information.
wireguard: Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.

To make it persistent across reboots, you have to run the script on boot. You need to do this in UniFi OS directly, by running the command below.

# unifi-os shell

Download udm-boot_1.0.5_all.deb, install it, and exit.

# curl -L https://udm-boot.boostchicken.dev -o udm-boot_1.0.5_all.deb
# dpkg -i udm-boot_1.0.5_all.deb
# exit

Back on the UDM Pro, copy the WireGuard boot script into the /mnt/data/on_boot.d/ folder. This will run on every boot and bring up the wg0 interface. Fetch the raw file, not the GitHub page for it, otherwise curl saves an HTML page instead of the script.

# curl -LJo /mnt/data/on_boot.d/10-wireguard.sh https://raw.githubusercontent.com/k-a-s-c-h/unifi/main/on_boot.d/10-wireguard.sh

For more info, please refer to the UDM Pro on-boot-script documentation.

Configuration

Configuration is quite easy compared to other setups. There is a sample file provided, and you can use that as a start.

# cp /etc/wireguard/wg0.conf.sample /etc/wireguard/wg0.conf
# vi /etc/wireguard/wg0.conf

You will need to generate the keys using the included wg binary.

Generate the keypair for the UDM Pro first.

# wg genkey | tee udmprivatekey | wg pubkey > udmpublickey

Then generate the keypair for my phone.

# wg genkey | tee phoneprivatekey | wg pubkey > phonepublickey

The contents of these files are the keys used in both configurations.

As I mentioned earlier, my setup is only for my phone to access my home network. My wg0.conf on the UDM Pro looks like this.

[Interface]
Address = 172.16.20.1/24 #tunnel address of the UDM Pro on wg0 (matches the wg-quick output below), not its LAN IP
PrivateKey = udmprivatekey #contents of udmprivatekey
ListenPort = 44333 #UDP port to listen on for connections

[Peer]
PublicKey = phonepublickey #contents of phonepublickey
AllowedIPs = 172.16.20.2/32 #the phone's own tunnel IP only; a whole /24 here would route the entire tunnel subnet to this one peer

# This is for if you're behind a NAT and
# want the connection to be kept alive.
PersistentKeepalive = 25

That’s the basic config needed for the server part (UDM Pro).

Some of you may find this hard, so you would be better off using this config generator.

https://www.wireguardconfig.com/

Generate and overwrite wg0.conf.

Starting the tunnel

Run this in the terminal:

# wg-quick up wg0

and it should show something like this:

[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 172.16.20.1/24 dev wg0
[#] ip link set mtu 1420 up dev wg0

You can also check the status using wg.

# wg
interface: wg0
public key: XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
private key: (hidden)
listening port: 44333

peer: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
endpoint: 10.243.45.111:44334
allowed ips: 10.10.10.2/32
latest handshake: 2 seconds ago
transfer: 11.65 MiB received, 151.40 MiB sent
persistent keepalive: every 25 seconds

Stop tunnel

To stop the tunnel, run

# wg-quick down wg0

Before you start connecting, you need to allow incoming WireGuard packets (UDP) through the configured listen port, which in my case is 44333; you can change it to suit your environment.

Depending on your UDM Pro UI version, you need to configure a firewall rule on WAN LOCAL. Please refer here for how to get there.

UniFi-UDM-USG-Introduction-to-Firewall-Rules

Configure it like this. You need to add a new port group.

1. Create a new custom firewall rule

2. Add a new port group.

Configuring peer devices

For easy configuration on the phone, you can generate a QR code and scan it. Encode the phone's own config file (its private key, its tunnel address and the UDM Pro as its peer), not the server's wg0.conf, which contains the UDM Pro's private key and listen settings. Assuming you saved the phone's config as /etc/wireguard/phone.conf:

qrencode -t ansiutf8 </etc/wireguard/phone.conf

On the phone, install the WireGuard app and scan the QR code.

It will look like something like this.

WireGuard App

Well, that’s it. You now have a running secure tunnel to your home network.
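Two helpers tying together the wg0.conf section and the QR code step, as an added example (my code, not part of the original post or the wireguard-kmod project). make_phone_conf writes the phone's own client config so the QR code never carries the server's private key; audit_server_conf catches the two mistakes a quick setup tends to leave behind: a [Peer] AllowedIPs that is a whole subnet instead of the peer's /32, and key or config files readable by other users. The tunnel subnet 172.16.20.0/24 is taken from the post; the endpoint and file names are placeholders/assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the key files the post
# generates (phoneprivatekey, udmpublickey) and tunnel subnet 172.16.20.0/24.

# make_phone_conf PHONE_PRIVKEY UDM_PUBKEY ENDPOINT PHONE_TUNNEL_IP LAN_CIDR
make_phone_conf() {
    printf '[Interface]\nPrivateKey = %s\nAddress = %s/32\n\n' "$1" "$4"
    printf '[Peer]\nPublicKey = %s\nEndpoint = %s\n' "$2" "$3"
    # Only the home LAN is routed through the tunnel (split tunnel);
    # use 0.0.0.0/0 instead to send all of the phone's traffic home.
    printf 'AllowedIPs = %s\nPersistentKeepalive = 25\n' "$5"
}

# audit_server_conf WG0_CONF -> prints one finding per line, returns 1 if any
audit_server_conf() {
    conf=$1; rc=0
    # strip inline "# ..." comments, then inspect AllowedIPs inside [Peer]
    findings=$(sed 's/#.*//' "$conf" | awk '
        /^\[/ { section = $0; next }
        section == "[Peer]" && /^[ \t]*AllowedIPs[ \t]*=/ {
            sub(/^[ \t]*AllowedIPs[ \t]*=[ \t]*/, ""); gsub(/[ \t]+$/, "")
            n = split($0, cidrs, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++)
                if (cidrs[i] !~ /\/32$/)
                    print "peer AllowedIPs " cidrs[i] " is not a single host /32"
        }')
    [ -n "$findings" ] && { printf '%s\n' "$findings"; rc=1; }
    # the config and any *privatekey files next to it must be mode 600
    for f in "$conf" "$(dirname "$conf")"/*privatekey; do
        [ -e "$f" ] || continue
        case $(ls -ld "$f" | cut -c5-10) in
            ------) ;;
            *) echo "$f is readable by group/other; run: chmod 600 $f"; rc=1 ;;
        esac
    done
    return $rc
}

# Usage on the UDM Pro (placeholder endpoint; phone gets 172.16.20.2):
# make_phone_conf "$(cat phoneprivatekey)" "$(cat udmpublickey)" \
#   YOUR.PUBLIC.IP.OR.DNS:44333 172.16.20.2 172.16.20.0/24 > /etc/wireguard/phone.conf
# chmod 600 /etc/wireguard/phone.conf && audit_server_conf /etc/wireguard/wg0.conf
```

Run the audit before wg-quick up; a non-zero exit means something on the server side should be fixed before the port is opened on WAN LOCAL.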

Additional options

Multi WAN failover

If you have multiple WAN uplinks, you can use this script to fail over to whichever WAN connection is available.

10-wireguard_failover.sh

This goes into /mnt/data/on_boot.d folder.

slack

Hi all, this is a short guide on how you can install Slackware on your ARM device.

This is based on the documents by Stuart Winter on installing Slackware on ARM devices.

Check it out here: Installing Slackware on ARM device

Slackware ARM

There’s also an update on the arm.slackware.com site saying that alienBOB is working on a Slackware ARM hard float port.

Slackware ARM hard float port now in progress
By mozes on 02-Apr-2013

Eric Hameleers (alienBOB of the Slackware Core team) has begun a 32-bit ARM hard float port of Slackware. This port will allow Slackware users to maximise the performance of the newest ARM devices (ARMv7 and greater). The project is currently focusing on supporting the Samsung 2012 ARM Chromebook.

See Eric’s ARM blog for progress.

So I guess later on the whole process might be a little simpler than the previous one. Here’s the link to his blog.

OK, basically this is just to share how I compiled dsniff 2.4 on my box.

wget http://monkey.org/~dugsong/dsniff/beta/dsniff-2.4b1.tar.gz
tar -zxf dsniff-2.4b1.tar.gz
cd dsniff-2.4
./configure
make

During make, I encountered this error.

Error

./sshow.c:226: error: (Each undeclared identifier is reported only once
./sshow.c:226: error: for each function it appears in.)
./sshow.c: In function 'server_to_client':
./sshow.c:274: error: 'CLK_TCK' undeclared (first use in this function)

Below is the fix.

You have to use CLOCKS_PER_SEC instead of CLK_TCK.

According to /usr/include/time.h, CLK_TCK is the “obsolete POSIX.1-1988 name” for CLOCKS_PER_SEC.

Please also change this: the function arp_cache_lookup does not use the correct interface when running under Linux; it always uses the interface “eth0”.

cd into dsniff-2.4, open arp.c and edit the following line:

strncpy(ar.arp_dev, "eth0", sizeof(ar.arp_dev));

to

strncpy(ar.arp_dev, "wlan0", sizeof(ar.arp_dev));

Save the file and recompile dsniff.

hehe… earlier my boss asked me to test the Celcom broadband speed. So I tried *censored* in Windows. Crazy slow… only about 0.1 Mbps download. Now I want to try going online using Slack.

Going online with broadband on Linux is simple. The concept is the same as a PPP connection. Since I use Slackware 13, I’ll just try wvdial to connect.


To install wvdial you first need to install the wvstreams library. I just built it from SlackBuilds.

http://slackbuilds.org/repository/13.0/libraries/wvstreams/

chmod +x wvstreams.SlackBuild
./wvstreams.SlackBuild

Don’t forget to download wvdial too.

http://slackbuilds.org/repository/13.0/network/wvdial/

chmod +x wvdial.SlackBuild
./wvdial.SlackBuild

I was setting up Samba to make my shares available to Windows users. However, I got frustrated when it failed to start. I was wondering what could cause it, since on the previous Slack 12.2 it was OK.

The error:

bash-3.1# /etc/rc.d/rc.samba start
Starting Samba:
/usr/sbin/smbd -D
/etc/rc.d/rc.samba: line 11: 24728 Aborted (core dumped) /usr/sbin/smbd -D
/usr/sbin/nmbd -D
/etc/rc.d/rc.samba: line 11: 24729 Aborted (core dumped) /usr/sbin/nmbd -D

I started checking the logs in /var/log/samba/* and tried to work through the errors.

[2009/09/04 15:48:13,0] smbd/server.c:main(1210)
smbd version 3.2.13 started.
Copyright Andrew Tridgell and the Samba Team 1992-2009
[2009/09/04 15:48:13,0] lib/messages_local.c:messaging_tdb_init(96)
ERROR: Failed to initialise messages database: No such file or directory
[2009/09/04 15:48:13, 0] lib/messages.c:messaging_init(204)
messaging_tdb_init failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
[2009/09/04 15:48:13,0] lib/util.c:smb_panic(1670)
PANIC (pid 24728): Could not init smbd messaging context
[2009/09/04 15:48:13,0] lib/util.c:log_stack_trace(1774)
BACKTRACE: 6 stack frames:
#0 /usr/sbin/smbd(log_stack_trace+0x2d) [0xb7d29724]
#1 /usr/sbin/smbd(smb_panic+0x80) [0xb7d29881]
#2 /usr/sbin/smbd(smbd_messaging_context+0x64) [0xb7f6785f]
#3 /usr/sbin/smbd(main+0x6ac) [0xb7f69651]
#4 /lib/libc.so.6(__libc_start_main+0xe5) [0xb762d6a5]
#5 /usr/sbin/smbd [0xb7b12921]
[2009/09/04 15:48:13,0] lib/fault.c:dump_core(201)
dumping core in /var/log/samba/cores/smbd

Core dump? Oh shit, not another bug… damn.. I couldn’t believe it, as it was working fine before….

I did numerous tests to pin down the root cause.

Then I realized that the problem lies in the smb.conf file. I checked the /etc/samba/smb.conf file and ran testparm to see what the problem could be.

bash-3.1# testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[shared]"
Loaded services file OK.
ERROR: lock directory file:///var/cache/samba does not exist
ERROR: pid directory file:///var/run does not exist
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions
(input truncated.....)
bash-3.1#

What the f u ck man! I knew it when I first saw it. The file:// is appended to every directory configuration.

I quickly removed every occurrence of file:// and restarted Samba, and hell yeah! It resolved the problem.

bash-3.1# /etc/rc.d/rc.samba start
Starting Samba:  /usr/sbin/smbd -D
                 /usr/sbin/nmbd -D
bash-3.1#

How the hell did the config change like that?

Well, it’s a KDE4 Samba settings bug… damn.. should have gone through *all bug lists* first.. hahahah

The fix will be in KDE 4.3.0. However, if you have the sources, just update to the latest SVN.

http://websvn.kde.org/?view=rev&revision=998002

Refer here:

https://bugs.kde.org/show_bug.cgi?id=200436

https://bugzilla.samba.org/show_bug.cgi?id=6548
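A pre-start check for the exact breakage above, as an added example (my code, not from the post, Samba or KDE): it reports every path-type option in smb.conf whose value carries the file:// prefix, and can write a cleaned copy for review, so smbd does not abort with "Could not init smbd messaging context" after a GUI tool rewrites the file. The list of path options in PATH_OPTS is an assumption; extend it for your config.

```shell
#!/bin/sh
# Added example, not part of the original post. PATH_OPTS is an assumed list
# of smb.conf options that hold filesystem paths (the ones testparm complained
# about, plus common ones); add more as needed.
PATH_OPTS='lock directory|pid directory|log file|path|private dir|state directory|cache directory'

# smbconf_file_uris CONF -> prints "file:line: option = value" for every path
# option whose value starts with file://; returns 1 if any, 0 if clean.
smbconf_file_uris() {
    awk -v opts="$PATH_OPTS" '
        /^[ \t]*[;#]/ || !/=/ { next }               # skip comments and [sections]
        {
            key = $0; sub(/=.*/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", key)
            key = tolower(key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val)
            if (index("|" opts "|", "|" key "|") > 0 && val ~ /^file:\/\//) {
                print FILENAME ":" NR ": " key " = " val
                found = 1
            }
        }
        END { if (found) exit 1 }' "$1"
}

# smbconf_strip_file_uris CONF -> writes CONF.fixed with "file://" removed
# from option values; the original is left untouched so you can diff them.
smbconf_strip_file_uris() {
    sed 's|^\([^=;#]*=[[:space:]]*\)file://|\1|' "$1" > "$1.fixed"
}

# Usage: smbconf_file_uris /etc/samba/smb.conf || smbconf_strip_file_uris /etc/samba/smb.conf
```

Review smb.conf.fixed with testparm before moving it into place; the check is also cheap enough to run from rc.samba before starting smbd.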