Pro-tip: Notice I’m using the Cloudflare DNS servers rather than the ISP-provided ones. The Comcast DNS servers have gone down on me before, and their performance is generally lacking.
My concern was if the bridged router can’t contact IPv6 addresses, the same is probably true for the devices that are connecting through it.
I found the solution in this thread on the OpenWrt forums. While it’s easy to statically assign an IPv4 address along with a default gateway and DNS server, for IPv6 it’s easiest to set up another lan interface specifically for IPv6 that gets its IPv6 address (and routes) automatically from the upstream router rather than assigning it statically.
The TL;DR version of this post is to add this to your network config:
Configuring IPv6 Bridging through the Web Interface
To do the same thing above via LuCI, the OpenWrt web interface, here’s how. Initially, on the Network -> Interfaces page, you can see my IPv4 lan with the wan ports disabled:
Click “Add new interface…”
Name it “lan6” and choose the DHCPv6 client protocol. For the interface, select the @lan alias. Then click Create Interface. You’ll be brought to a second screen.
All I had to do on this page was change the “Request IPv6-prefix” value to disabled. No need to change anything on the other tabs – the defaults are fine.
Now the Status -> Overview page on my bridged router looks like this:
Now I can ping IPv6 addresses from the command line on my bridged router:
root@ap2:~# ping -c 2 ipv6.google.com
PING ipv6.google.com (2607:f8b0:4009:807::200e): 56 data bytes
64 bytes from 2607:f8b0:4009:807::200e: seq=0 ttl=115 time=17.884 ms
64 bytes from 2607:f8b0:4009:807::200e: seq=1 ttl=115 time=17.351 ms
--- ipv6.google.com ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 17.351/17.617/17.884 ms
One of my 2021 goals is to better understand IPv6 concepts (at least as well as I can understand IPv4). If there’s any *nix configurations I find helpful along the way, I’ll post ’em here.
Before I began, I thought I should see if there’s a newer OpenWrt version my router can run. I always start on the Supported Devices page of the wiki, but on this visit I was treated to a warning:
If you read the 4/32 warning, the crux of the matter is that there may not be enough RAM to run OpenWrt without crashing. And the small flash area means possibly not having enough room to install LuCI, the web interface, and the packages to access LuCI via HTTPS. Also, there’s this:
Previous versions of OpenWrt (such as earlier versions of 17.01.x, 15.05.x “Chaos Calmer” and prior) contain now-known security vulnerabilities in the kernel, wireless implementation, and/or application code. […] In many cases, these known vulnerabilities are being actively targeted, potentially including by advanced, likely state-sponsored or state-affiliated actor or actors.
Ugh, I was using one of those older versions, and now I’m paranoid (as I should be) that my router could be used as a tool by nation-states to do their bidding. Nicely, there’s a link on the supported devices page titled “I want to buy a router which is supported by OpenWrt.” It links to their supported hardware table, pre-filtered by units that can run the latest stable version of OpenWrt – 19.07.4 at time of writing.
I spent some time browsing this list compared to what was available at my local Micro Center. I tried to find one that had the best OpenWrt support with the fewest known issues, and landed on the TP-Link C7 AC1750 for $70. If I like this one after a month or so, I’m going to buy another for better coverage.
OpenWrt ddns-scripts install
With the hardware choice out of the way, I installed OpenWrt 19.07.4. Then I needed to add support for Dynamic DNS. Go to System -> Software in the Web UI (LuCI). Click Update lists…, then type ddns in the filter input and press <Enter> to filter the list. The packages to install to use nsupdate.info are ddns-scripts_nsupdate and luci-i18n-ddns-en (or whatever language package you need):
Installing those will also install their dependencies, such as the base ddns-scripts and luci-app-ddns. Once they’re installed, reboot your router and you’ll have a Services -> Dynamic DNS menu.
You might see the menu before rebooting, but you’ll likely get this error if you try to visit it:
/usr/lib/lua/luci/controller/ddns.lua:116: attempt to index field '?' (a nil value)
Following it will lead you to a hints page and let you know you need to install a couple more packages: curl and bind-host. Follow the same installation process as above. After they’re installed, the Hints section will go away.
DNS Configuration
The only configuration you have to do at your DNS provider is add a CNAME record for the domain you want to use:
your.domain.com CNAME yourdomain.nsupdate.info
Then when you go to nsupdate.info, on the Overview page click Add Host and put in the subdomain (example: yourdomain from above) in the Name field, then select nsupdate.info under Domain:
Conveniently, after creating your new host entry, nsupdate.info will print your update secret and include specific configuration parameters for OpenWrt:
OpenWrt Configuration
You can use the configuration info from nsupdate.info, but it’s just as easy to paste the info into the LuCI panel. It’s worth noting that you only need to generate one host and host secret at nsupdate.info, but you’ll have two separate configurations in OpenWrt for IPv4 and IPv6.
In OpenWrt’s Dynamic DNS page, click Edit on the myddns_ipv4 row. The first thing you’ll want to do is update the DDNS Service provider to nsupdate.info and click Change provider:
Only then can you enter all of the information from nsupdate.info:
Enter your nsupdate.info FQDN in all of these fields:
Lookup Hostname
Domain
Username
Then put your secret in the Password field. Check both Enabled and Use HTTP Secure, then add /etc/ssl/certs to Path to CA-Certificate. Click Save & Apply, then repeat the same process with the same info for the other myddns_ipv6 entry.
From the Dynamic DNS overview page in OpenWrt, click the Start buttons for each row under Process ID Start / Stop. This only needs to be done once when you’re done configuring Dynamic DNS.
Test
Starting the Dynamic DNS process in OpenWrt should trigger your first update at nsupdate.info. You can see it easily on the Overview page:
If it all worked, your IPv4 and IPv6 address should be updated, hopefully with a green TLS indicator noting that it was done securely. If there are any problems, the numbers under Faults will increase – C for Client, S for Server.
If there are problems, you can see API messages on nsupdate.info by clicking on your hostname to get further details. You can also view detailed logs in OpenWrt by clicking Edit on the myddns_ipv4 or myddns_ipv6 rows. Then click the Log File Viewer tab and click the Read / Reread Log File button.
I was able to configure this in under an hour, hopefully you find it useful. Let me know if you have any troubles getting things to work.
The Nerdery’s Overnight Website Challenge is coming up again. I will be participating for my 5th year. I’ve had some good years and some bad. I’ve used software that I love and software that I’ve hated. I’ve been on teams that were finalists, one that won the event, and others that weren’t close to the podium but had a great time.
By now, I think most of the webchallenge web pros are seasoned veterans, but nonetheless I’d like to share some of my pro tips, if only for self-documentation. You should first take care of yourself before, during, and after the event. But when it comes to your team, the short story is: Be Prepared. The long story? Do as much as you can ahead of time, not the day of the event.
This is sort of an esoteric concept, but very important nonetheless. Your non-profit is going to come to the event with some goals in mind. Your team should have some goals in mind as well, and with any luck, the overlap will be pretty good.
Some team goals:
If there are programming customizations outside the realm of “out-of-the-box” solutions, limit large custom programming undertakings to just one (1). You’re better off having one killer feature or integration point than two that partially function. Custom programming stuff is inevitable because your non-profit probably uses some CRM (Client Relationship Manager) that no one has ever heard of. Be aware that if you send two members of your team down a rabbit hole on a task like this, you may not see them until the next morning. Don’t count on this task being done. In fact you may want to mitigate the feature set so that it works “good enough” for the presentation / demonstration. Know what will cause the feature to “blow up” – and don’t do those things during your demo!
Launch a new site at the end of 24hrs. This seems obvious, but it really requires restraint on both the web team and non-profit’s behalf. Too often, one or both sides gets caught up in certain feature or aspect of the site that prevents the site from launching at the end of the contest. Be willing to accept that the site may not be 100% feature or content complete, and instead relish the fact that the baseline product now looks and acts as a solid foundation for the future.
Hardware
Server
This is the base of everything everyone on your team will be working with. Whether it is a hosted server in a data center, or a laptop that you bring to the challenge, have it set up for everyone on your team.
I would like to warn teams in advance not to count on whatever in-kind hosting has been donated to the event. In the past, this was VISI. VISI used to be the bee’s knees back in 1999 when they had the best DSL service in town. VISI has been bought and sold so many times since then, I’m not sure what was left from the original. Needless to say, their hosting left something to be desired. I don’t know how well ipHouse will be meeting the need. But don’t be surprised if your donated virtual private server is CentOS 5 with 256 MB of RAM and PHP 5.1.6 installed with no clear upgrade path. It may be no better for Ruby, Python, and .NET environments.
Your non-profit may have a host that they already like and is usable. However you can’t count on that so you should always have a Plan B (or Plan C). If someone on your team has a host where they can easily create a new web-root for development and testing, you should have it prepared and at the ready.
OpenWrt + Dnsmasq
This has been sort of a “secret sauce” for our team. Our server is on a laptop local to our team. We use an OpenWrt router with Dnsmasq that everyone on the team connects to. No one has to create host entries to connect to the laptop/server and it’s consistent for everyone. At the end of the competition, we simply give our presentation from our laptop/server since we can take it anywhere.
Software
Are you using a CMS? My team uses WordPress, so we like to come prepared with every plugin and theme pre-installed that we’d normally recommend for any client. Deleting unused extras at the end only takes about 5 minutes.
Version Control
Some people still feel that using version control is going to slow their team down. You’re doing it wrong, which probably means you’re doing it wrong at your day job. Do everyone a favor and learn the concepts of version control, and have your team all agree on which one you’ll use. Subversion or Git are both fine choices. We will be using Git via GitHub; they’ve been an event sponsor in the past (plus Git is pretty rad).
For those who you may have to drag kicking-and-screaming into the world of version control, you can set up a network share on your server where all changes are automatically committed. This may take up more setup time than it’s worth, so I instead recommend teaching your team to fish with whatever tool(s) everyone agreed upon.
Great kid, don’t get cocky!
There’s one last thing I want to address: winning. I’ve done it. I did it on a team where I didn’t like our technical leader nor the software he had chosen for the team (thanks for asking!). This would make any developer unhappy. In short, it was not fun.
This blog post from the 2011 contest has some good tips from a winning team (and some bad). You’ll have to view the cached version here: Andy Blogs It, and look for How we won the Overnight Website Challenge -or- How you can win next year. Much of the last third should be ignored in regards to technology choices and especially in regards to technology opinions. Go ahead, read it. I’ll wait. Being of infinite wisdom, Andy’s blog was on Posterous and is no longer available. I’ll give you the CliffsNotes: he gives a bunch of good tips at the beginning and then proceeds to diss PHP and WordPress amongst other things.
Would I go and publicly insult team Ruby.MN because Ruby is for hippies? No way. Am I going to try and convince the Drupal team that WordPress is better because it has bigger market share? Absolutely not. We all do what we do because it’s what we like and what we know. Similarly, if you find yourself on a team where you don’t like what you’re doing – jump ship! The Overnight Website Challenge will only bring you satisfaction if you enjoy what you’re doing.
The OpenWrt router isn’t strictly necessary. You could, of course do the dynamic DNS updates with a cheap Linux firewall, but I’ll cover the configuration for OpenWrt.
The file naming conventions used here are for a BIND installation on Debian. Your distribution may use a different naming convention, however, the concepts should be the same.
On the DNS server (as root):
# dnssec-keygen -C -a HMAC-MD5 -b 512 -n HOST sub.domain.com.
You can use your domain name (or subdomain) as the key name if you’d like. That’s what I did in this example – it helps me keep things straight. The -C switch is for compatibility mode since it’s likely the nsupdate binary on OpenWrt will be older than the BIND installation on your DNS server. The contents of the key file will look something like this:
I like to keep BIND’s key configuration in a separate file to make sure it doesn’t get overwritten with software upgrades, so I created a file called /etc/bind/keys.conf. Using the secret from the key file (the cryptic base64 string that ends in ‘==’, after the sets of numbers), create a keys.conf file:
Then in /etc/bind/named.conf, add this at the top:
include "/etc/bind/keys.conf";
In my /etc/bind/named.conf.local (which has all of the zones actually hosted on the server), the zone for the domain I want to make dynamic has the following:
zone "domain.com" IN {
    type master;
    file "/etc/bind/db.domain";
    update-policy {
        grant sub.domain.com. name sub.domain.com. A TXT;
    };
    notify no;
};
You would substitute your domain for “domain.com” and “sub.domain.com,” and have your own zone file in a different file named after your domain (/etc/bind/db.yourdomainname).
The “update-policy” section is the part that is added. The first parameter to the “grant” statement is the name of the key, and the “name” parameter is the record owner name that key is allowed to update, which I’ve made the same in this case. There’s nothing different about /etc/bind/db.domain from any of my other zone db files, except it’s owned by the “bind” user and group; that way, when it receives a DNS update, BIND can rewrite the file (dynamically!).
Also the /etc/bind directory should be owned by group “bind” so that it can create /etc/bind/db.domain.jnl — a journal file BIND will use.
OpenWrt Configuration
Install the “bind-client” package on your OpenWrt router. I like to use the LuCI web interface. In LuCI you can find it by searching under the software administration menu.
SCP the private & key files you created on your DNS server to your OpenWrt router. I keep my DNS files in root’s home directory: /root.
Create a hotplug file to update the DNS when the WAN interface obtains an address. Put it in /etc/hotplug.d/iface/30-nsupdate:
# /etc/hotplug.d/iface/30-nsupdate is sourced by hotplug-call, so no shebang is needed.
# Only act when the WAN interface comes up or renews its address; anything else
# (other interfaces, ifdown) is ignored.
[ "$INTERFACE" = "wan" ] || exit 0
[ "$ACTION" = "ifup" ] || [ "$ACTION" = "update" ] || exit 0
# Set the clock first: TSIG-signed updates carry a timestamp that BIND checks.
rdate -s time.nist.gov
include /lib/network
scan_interfaces
config_get ipaddr wan ipaddr
# Don't send an update with an empty address if the WAN has none yet.
[ -n "$ipaddr" ] || exit 0
echo "server your.bindserver.com
zone domain.com
update delete sub.domain.com. A
update add sub.domain.com. 86400 A $ipaddr
show
send" | nsupdate -k /root/Ksub.domain.com.+157+54658.key -v
Again, replace “domain.com” with the name of your zone, and “sub.domain.com” with the name of your dynamic domain (they could be named the same). Replace “your.bindserver.com” with the name or IP of your DNS server. The rdate command is in there to make sure your time is set correctly before running nsupdate; BIND will reject the signed update if the client and server clocks differ too much. While only the key file is referenced in the script, both files need to be present (usually in the same directory as each other) for nsupdate to make a valid request.
You can (and should) test the script without disrupting your network connection by SSHing into your OpenWrt router and running the following command:
Often BIND will complain about time, permissions, auth keys, etc. Running the test above is the best way to find out what’s going on. If there’s no output, the update probably went through. Try to ping your dynamic domain name and see if all is well.
At home I have what some may call a “back-office” server. Technically it’s in the laundry room, but it does all sorts of home automation type stuff: record TV, download files, store and play music, distribute files, run backups, etc. I may do a post on it later, but the gist is that it’s running Ubuntu Server with a bunch of disk drives.
Far and above, its main purpose in life is being a file server. There are several ways to connect to it: Samba (Windows file sharing) and NFS (Unix Network File System). The server also runs SSH (Secure Shell) for terminal access, which can also be used as a pass-through for secure local and remote file sharing.
Windows shares don’t have options to change ports; SSH does. Internet service providers often block Windows file sharing ports both for their own customers’ safety and to CYOA (cover your [their] own a$$) regarding file sharing. SSH, however, can be run on any port and it’s secure. I simply set up a firewall rule on my router (OpenWrt) to pass SSH traffic to my file server.
Why not use “the cloud?”
I firmly believe that by putting your files in “the cloud” (whether it be with Google, Apple, Amazon, Dropbox, etc.) you lose a little freedom. That doesn’t mean I don’t use any of those services, I just use them selectively. For the record Dropbox is a great service that works cross-platform and you’ll get some extra space if you sign up using this link.
Connecting with SSHFS in Linux
The simplest way to connect to another computer’s file system using SSHFS is to do it through the UI using the Nautilus file manager. This is the default file manager for several Linux distributions. In Ubuntu with Unity, click the folder icon in the launcher to bring up a Nautilus window showing your home folder. From Nautilus you can click the File menu and choose Connect to Server…
Which will bring up a dialog where you can input the info for your SSH server. Change the Type drop-down to “SSH” and you’ll see all of these options:
Once you’ve connected, you’ll have a folder on the left side of Nautilus (under Network) that you can click on to browse files on the file server. You can right click the folder and choose Add Bookmark which will make it a breeze to connect to again and again:
You’ll notice I have two folders under “Bookmarks”: sshfs-Local and sshfs-Remote. I set up an additional connection for when I’m away from home which uses my outside IP and port I set up on my firewall/router.
Nautilus uses the GVFS FUSE (filesystem in userspace) module to mount the remote drive. To make it easy to access from the command line, I created a symbolic link from ~/Documents/sshfs-Local-Documents to my SSHFS directory. All of the GVFS mounts (on Ubuntu 12.04 and earlier) can be found in your ~/.gvfs folder. Mine is linked as such:
justin@lappy64:~$ ls -l ~/Documents/sshfs-Local-Documents
lrwxrwxrwx 1 justin justin 72 Oct 17 2011 /home/justin/Documents/sshfs-Local-Documents -> /home/justin/.gvfs/SFTP for justin on ghettivo/srv/home/justin/Documents
Starting with Ubuntu 12.10, the GVFS mounts are in /var/run/user. So my symlink in 12.10 looks like:
justin@lappy64:~$ ls -l ~/Documents/sshfs-Local-Documents
lrwxrwxrwx 1 justin justin 82 Nov 1 09:44 /home/justin/Documents/sshfs-Local-Documents -> /var/run/user/justin/gvfs/sftp:host=ghettivo,user=justin/srv/home/justin/Documents
Connecting with SSHFS in Windows
To connect to the same files using Windows, there’s Dokan SSHFS. I will say that at the moment this library is a little buggy, but it will work in a pinch. I get the feeling that it probably works better in 32-bit Windows, but I don’t have any claims to back that up; I just know it’s a bit unstable in 64-bit Windows.
Since Dokan is a .NET application, you’ll need to install a couple of things (maybe 3), slightly better than installing a Java application 😉
There’s a small chance that you have the latest “Redistributable Package” already on your Windows computer, so you can maybe skip it, but honestly it doesn’t hurt to install.
Once you’ve got everything installed you can run DokanSSHFS.exe to connect to your SSHFS drive: