VPNs and Gmail access via Thunderbird

I recently signed up for a PIA VPN (which is great). I added a second router to my network, created a subnet, and configured that router to connect solely through the PIA VPN.

It means that any PC, laptop or device attached to that router, by wire or via wireless, has a degree of anonymity on the net. This is great for surfing, but less so for email. Why, you ask?

As soon as I fired up Thunderbird it started to connect to my email provider (Gmail) and was blocked. At the same time, I received emails on my other devices advising that my email may have been compromised, as someone had attempted to sign on from a different location to my other sign-ons. It was a PITA to sort out, as you have to confirm via multi-factor that it was indeed a legitimate logon.

So, as I have a small network, I looked for various solutions that would let me continue using Thunderbird without triggering the alerts from Gmail.

At first I spent a day setting up an nginx web server to run Roundcube on a remote machine on my network. This proved unsuitable, as I have more than one IMAP-based email provider and more than one account with each of them.

So I started to look at proxies. Long story short, I selected Tinyproxy, which in Arch Linux is started via systemd and has a simple-ish configuration file located at /etc/tinyproxy.

My final configuration file looks like this (changes from the defaults are commented):
User tinyproxy
Group tinyproxy
Port 8080                # the port that tinyproxy listens on
Listen 192.168.1.101     # the address assigned to tinyproxy's physical interface
Timeout 600
DefaultErrorFile "/usr/share/tinyproxy/default.html"
StatFile "/usr/share/tinyproxy/stats.html"
Syslog On
LogLevel Info
PidFile "/var/run/tinyproxy/tinyproxy.pid"
MaxClients 100
MinSpareServers 5
MaxSpareServers 20
StartServers 10
MaxRequestsPerChild 0
Allow 127.0.0.1          # client network/subnet addresses
Allow 192.168.1.201/24
Allow 192.168.1.0/24
Allow 192.168.2.0/24
Allow 192.168.2.100/24
ViaProxyName "tinyproxy"
ConnectPort 443          # the ports that SSL CONNECT tunnels are allowed to
ConnectPort 563
ConnectPort 587
ConnectPort 993
ConnectPort 465
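The Allow and ConnectPort lines are what actually limit who can use the proxy and where they can tunnel to, so it is worth checking them before pointing a mail client at it. The checker below is an added example, not part of the post or of Tinyproxy; it embeds a constructed excerpt of the config above and evaluates whether a given client address may CONNECT to a given port. Note that a host address with a /24 mask (192.168.1.201/24) grants the whole /24, not that one host.

```python
import ipaddress

# Constructed excerpt of the tinyproxy.conf above; only access-control lines matter here.
TINYPROXY_CONF = """
Port 8080          # the port tinyproxy listens on
Listen 192.168.1.101
Allow 127.0.0.1
Allow 192.168.1.201/24
Allow 192.168.2.0/24
ConnectPort 443
ConnectPort 587
ConnectPort 993
ConnectPort 465
"""

def parse_conf(text):
    """Collect the Allow networks and ConnectPort values from a tinyproxy.conf."""
    allows, ports = [], set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        if key == "Allow":
            # strict=False normalises 192.168.1.201/24 to 192.168.1.0/24: a host
            # address with a /24 mask grants the whole /24, not that one host.
            allows.append(ipaddress.ip_network(value, strict=False))
        elif key == "ConnectPort":
            ports.add(int(value))
    return allows, ports

def client_allowed(allows, client_ip):
    """True if client_ip falls inside any Allow entry."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in allows)

def connect_allowed(ports, dest_port):
    """tinyproxy accepts CONNECT to any port when no ConnectPort line exists,
    and only to the listed ports once at least one is given."""
    return not ports or dest_port in ports

def check(conf_text, client_ip, dest_port):
    """Would a CONNECT to dest_port from client_ip pass this config? Returns (ok, reason)."""
    allows, ports = parse_conf(conf_text)
    if not client_allowed(allows, client_ip):
        return False, f"{client_ip} matches no Allow line"
    if not connect_allowed(ports, dest_port):
        return False, f"port {dest_port} is not in ConnectPort list {sorted(ports)}"
    return True, "allowed"
```

Run it against your own file with different client addresses (an IMAP client on 993, a stray host on 22) to confirm the Allow lines are as narrow as you intended.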

You also need to add rules to your firewall to allow both TCP and UDP traffic on port 8080. I use Shorewall, so I added the following to /etc/shorewall/rules:

ACCEPT net fw tcp 8080 -
ACCEPT net fw udp 8080 -

and then restarted Shorewall:

shorewall restart

Now that the proxy is ready to be used, we can tell Thunderbird about it. To do this open Preferences > Advanced > Network & Disk Space > Connect, and configure a manual proxy for both HTTP and SSL; leave SOCKS blank.

As the proxy on my network is on 192.168.1.101 port 8080, I just entered those details in the relevant boxes.

So now I have a VPN'd machine where the email client connects from the same locality as the rest of my devices.

So far it's working OK; I have had no warnings/alerts from Gmail.

Hope this helps someone somewhere

Jase


OpenWRT for guests

This morning I finally got round to setting up a guest wireless network on my OpenWRT router (a TP-Link TL WDR-3600 v1.5)

The goal of the guest wireless was to provide my kids' friends with a connection they can use with their (mostly PAYG) smartphones.

This was relatively simple, as I followed the guide on the OpenWRT wiki.

The only real difference I made was to select OpenDNS FamilyShield for the guest network.

So now I have a guest network that is safe for all to use.

If you have a router that is capable of having a guest network and want to set one up, in brief the steps taken (at your own risk) are:

Log in to the OpenWRT router.

Navigate to: Network > WiFi >
Click Add on the radio entry you want to have the guest network on (if you have 2.4GHz and 5GHz radios, it's normally the 2.4GHz radio that carries the guest network).

Configure the new wireless entry: create a "guest" entry under the "Network" section and make sure you set up encryption and change the name of the guest wireless SSID.

Then navigate to: Network > Interfaces >
Click on the edit button for "guest" and change the protocol to "Static address". Fill in the IP address for the interface (avoid 192.168.1.1 or 10.0.0.1, as these may be reserved already or in the future); I chose 10.0.0.5 (this will result in guests having an IP of 10.0.0.100-150). Set a netmask from the dropdown. This is also where you add any alternate DNS servers (I added 208.67.222.123 and 208.67.220.123). Make sure you enable DHCP and lower the lease time to an hour.

Click on the firewall settings tab within the "Guest" interface
Create a "Guest" firewall zone.

Then navigate to: Network > Firewall and click Edit on the "Guest" zone.
Change "Input" to "Reject" and mark the WAN entry in "Allow forward to destination zones".

At this point click "Save and Apply", but we are not done yet: you now have a network that goes nowhere, so we need to set up two firewall rules.

One rule for DNS and another for DHCP.

Navigate to: Network > Firewall > Traffic Rules
Locate the subsection titled "Open ports on router".

Rule 1, DNS:
Set a name for the first rule, e.g. "GuestDNS", select "TCP+UDP" in the protocol dropdown and external port "53", click "Add", and then "Edit" to configure this rule.
In "Source Zone" select "Guest" and "Input (device)" in "Destination Zone",
and save.

Rule 2, DHCP:
Set a name for the rule, "GuestDHCP", select "UDP" in the protocol dropdown and external port "67-68", click "Add", and then "Edit" to configure this rule.
In "Source Zone" select "Guest" and "Input (device)" in "Destination Zone",
and save.

Check there are no unsaved changes (in Chaos Calmer there is a green "Unsaved Changes" button in the top-right of the LuCI web page; click that and make sure all changes are saved).

After all changes are saved, reboot the router, and you are done.


is kmailservice5 ruining your Plasma5 experience?

After a good friend had a whinge about "mailto:" links in Konsole not opening in Thunderbird, I checked my install too, and yes, when you click an email address in Konsole it launched "kmailservice5", which just sat there consuming CPU cycles and not much else, seemingly without a timeout too.

It's important to note that I have an Arch Linux install with a "minimal"-ish Plasma5 desktop environment.

After much searching (xdg-open xdg-email mimetypes etc), I found the solution.

It is NOT a Plasma5 issue (…Surprise!!…)

The solution (well, my solution) is to start up Thunderbird, click Edit, then Preferences, and check that Thunderbird is set as the default email client... yeah, it's that simple; I should have looked there much earlier.

Hopefully when someone searches for “disable kmailservice5” this post will be of use


Jase


Upgraded/Updated(?) to Chaos Calmer

I have just successfully upgraded my OpenWRT powered TL-WDR3600 from Barrier Breaker to Chaos Calmer.

I downloaded the "sysupgrade.bin" version of the firmware, logged in, went to System > Backup/Flash Firmware, kept the tick in place to keep settings and flashed the update...

Then the lights went off and only 3 came on... a feeling of slight panic set in: had I bricked the router? (again)

I waited for a while (5 minutes or so), thought "damn it", and switched the router off and then, after a short wait, on...

After what seemed an age, all the lights came on, I logged back in, and SUCCESS!!

Model: TP-Link TL-WDR3600 v1
Firmware Version: OpenWrt Chaos Calmer 15.05 / LuCI (git-15.248.30277-3836b45)
Kernel Version: 3.18.20

Lovin’ having an OpenWRT Router

Jase


Of bricked routers and recovery

This is the epic tale of flashing a TP-Link TL-WDR3600.

I was excited: the router I had ordered from Amazon had arrived. I knew after LOTS of research that I was going to flash a compatible alternative firmware on it. I had looked at DD-WRT, Gargoyle-Router, SuperWrt and ofmodemsandmen, but had decided to go for OpenWRT, as I thought it would represent a nice learning curve that I could learn from while installing and configuring.

I waited for the kids to be in bed, then I started, after reading the warnings about being careful. I had located the correct OpenWRT firmware and downloaded it ready. I had been in two minds about whether I could be bothered actually updating the stock firmware, but thought "what the heck, let's do it!"; later this action would pay off, big time.

So I updated to the latest stock firmware, and after a thorough restart and factory reset had a clean router ready for OpenWRT. Everything went smoothly. It was about 2230 at this point, and my two youngest had decided to have a loud conversation/disagreement about something. I was due to start configuring, but wanted to connect to my ISP first, so I had selected LAN and changed the setting to PPPoE. The kids got louder, so I hastily confirmed the setting and went through to their room to quiet them down, as it was late.

It was just as I reached my desk that I realised: I had selected LAN, not WAN! And as it was confirmed, it had changed. I tried many ways to get back into the settings but was unable to get access; no LAN, WLAN, SSH or telnet connection was possible, so I stared, almost in tears of stupidity, at my recently purchased paperweight with lights...

Unbricking a TP-Link TL-WDR3600

I had bricked my brand new router. It was not a nice feeling, and I was caught in a mix of anger and a state of panic. Then, just as I was trying to think of a way to claim under the warranty, I remembered one of the functions that the latest stock firmware had given the router.

TFTP recovery mode!!

I got my phone and googled for "OpenWRT TL-WDR3600 recovery". There was a section on the OpenWRT wiki for recovering the router in this circumstance; however, it was not 100% clear what to do, as the section ended with (paraphrasing here) "once you see this behaviour place the renamed file into the tftp root".

I did not fully understand; however, after reconnecting via the previous router I installed both tcpdump and tftp-hpa. The following is a condensed/abridged version of how I managed to get the router re-flashed with the latest stock firmware, to enable the re-flashing of OpenWRT.

pacman -S tcpdump tftp-hpa

I then reconnected to the LAN1 port with the router off, then typed:

tcpdump -ni enp3s0 arp

then switched the router on while holding the reset/WPS button, releasing it when the WPS light came on (it's the one at the end that looks like refresh/reload arrows). At this point you should see:

ARP, Request who-has 192.168.0.66 tell 192.168.0.86, length 46

which confirms that the router is looking for a TFTP server with a file, but times out as it is not able to find one where it expects it (at 192.168.0.66).

So now you have to have a TFTP server running with the firmware available at the TFTP server root. Knowing that my PC would need to have the right IP address, I changed it and made it ready:

ip addr add dev <ethernetdevice> 192.168.0.66/24

ip link set <ethernetdevice> up 

After trying what follows a few times with the OpenWRT firmware and failing, I decided to try the stock firmware. However, as the firmware file had the word "boot" in its name, I had to "trim" the firmware as per the OpenWRT wiki (the dd skips the first 257 x 512 bytes, i.e. the boot loader section):

dd if=downloaded_firmware_with_boot_in_name.bin of=wdr3600v1_tp_recovery.bin skip=257 bs=512 

I then needed to put the recovery firmware into the "root" of the TFTP server,

cp wdr3600v1_tp_recovery.bin /srv/tftp/

and then start the TFTP server:

 systemctl start tftpd 

Then, with the router OFF, I used the following as noted in the OpenWRT wiki:

tcpdump -npi enp3s0 udp

Then once again, while holding the WPS button, I turned on the router, releasing the button once the WPS arrows light came on.

Then, after a flurry of lights, the router restarted!

I quickly stopped the TFTP server:

systemctl stop tftpd

I then waited for the lights to settle, launched Firefox and logged into the router's stock firmware! At this point it was 0200 hours and time for bed.

I was able to complete and configure the flash to OpenWRT the following day (today).

I really, really hope that my tale helps others in a similar position, and serves as a warning not to rush or be distracted by other things while flashing firmware on a device.

Jase


pacman what package depends on what listing

OK, a very quick entry, as I found this interesting nugget on the Arch forums and thought it pretty neat (many thanks to harryNID for the original post).

pacman -Qi | sed '/^Depends On/,/^Required By/{ s/^Required By.*$//; H; d }; /^Name/!d; /^Name/{ n;x;}'| sed '/^$/s//=============================================================================/'

It's a nice pacman query that gives very helpful output.
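The sed pipeline above is compact but hard to read, so here is an added example (mine, not from the forum post) that does the same job in Python: it parses `pacman -Qi` output into per-package "Depends On" and "Required By" lists and computes reverse dependencies directly from the "Depends On" fields. The pacman output embedded below is a constructed three-package sample, not real output from a machine.

```python
import re

# Constructed sample of `pacman -Qi` output (three packages, fields trimmed).
PACMAN_QI = """\
Name            : tinyproxy
Version         : 1.8.4-1
Depends On      : glibc
Optional Deps   : None
Required By     : None

Name            : glibc
Version         : 2.22-3
Depends On      : linux-api-headers>=4.1  tzdata  filesystem
Optional Deps   : None
Required By     : bash  tinyproxy

Name            : tzdata
Version         : 2015f-1
Depends On      : None
Optional Deps   : None
Required By     : glibc
"""

FIELD_RE = re.compile(r"^(\S[^:]*?)\s*:\s*(.*)$")   # "Key   : value"

def parse_pacman_qi(text):
    """Map package name -> {'depends': [...], 'required_by': [...]}."""
    pkgs, current = {}, None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:                       # blank lines and wrapped continuations
            continue
        key, value = m.groups()
        if key == "Name":
            current = pkgs.setdefault(value, {"depends": [], "required_by": []})
        elif current is not None and key in ("Depends On", "Required By"):
            items = [] if value == "None" else value.split()
            current["depends" if key == "Depends On" else "required_by"] = items
    return pkgs

def dep_name(spec):
    """Strip a version constraint: 'linux-api-headers>=4.1' -> 'linux-api-headers'."""
    return re.split(r"[<>=]", spec, maxsplit=1)[0]

def reverse_deps(pkgs, name):
    """Packages whose Depends On lists `name`, computed rather than read from Required By."""
    return sorted(p for p, info in pkgs.items()
                  if name in (dep_name(d) for d in info["depends"]))
```

Feed it the real thing with `parse_pacman_qi(subprocess.run(["pacman", "-Qi"], capture_output=True, text=True).stdout)`; comparing `reverse_deps` with the recorded "Required By" field is a quick way to spot a stale local database.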

Jase


dnscrypt-proxy, ArchLinux and overwritten .service files

Did you update your Arch system only to find that your dnscrypt-proxy.service file was overwritten again?

Mine was, as were some other folks', so after a Google and a reread of the Arch Linux wiki page for systemd, I spotted this:

/usr/lib/systemd/system/: units provided by installed packages
/etc/systemd/system/: units installed by the system administrator

So any changes to the default .service files should be placed in /etc/systemd/system/ and not written to /usr/lib/systemd/system/, as that will be overwritten by the package each time it is upgraded.

As I had already corrected the dnscrypt-proxy.service file, I could just copy it over to the correct location. To do this I ran:

# cp /usr/lib/systemd/system/dnscrypt-proxy.service /etc/systemd/system/

and then, to be sure the systemd symlinks were all correct, I stopped, disabled, enabled and restarted the dnscrypt-proxy systemd unit:

# systemctl stop dnscrypt-proxy.socket
# systemctl disable dnscrypt-proxy.service
Removed symlink /etc/systemd/system/sockets.target.wants/dnscrypt-proxy.socket.
Removed symlink /etc/systemd/system/multi-user.target.wants/dnscrypt-proxy.service.
# systemctl enable dnscrypt-proxy
Created symlink from /etc/systemd/system/multi-user.target.wants/dnscrypt-proxy.service to /etc/systemd/system/dnscrypt-proxy.service.
Created symlink from /etc/systemd/system/sockets.target.wants/dnscrypt-proxy.socket to /usr/lib/systemd/system/dnscrypt-proxy.socket.
# systemctl start dnscrypt-proxy.socket

The difference is that I now have an editable dnscrypt-proxy.service file in /etc/systemd/system/ and not a symlink to the defaults in /usr/lib/systemd/system, which are overwritten as part of the upgrade/install process.

Has it worked? I will post back when it next updates and confirm this works.

EDIT: 8th September 2015 - just updated two other machines without loss of the dnscrypt-proxy settings, so yeah, this works.
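A small checker for exactly this situation, added here as an example (not from the post or the Arch wiki): it walks the unit directories in systemd's precedence order and reports whether the copy that will be loaded is a real file under /etc or a symlink back into the package-owned /usr/lib tree. It builds a throwaway directory layout to run against, so it does not touch the live system; the dnscrypt-proxy unit names match the post, the file contents are constructed.

```python
import os
import tempfile

# Directories systemd searches for system units, highest precedence first.
UNIT_DIRS = ("etc/systemd/system", "run/systemd/system", "usr/lib/systemd/system")

def unit_status(root, unit):
    """Locate the copy of `unit` that systemd would load under `root` and say
    whether edits to it survive a package upgrade. Returns None if absent."""
    for d in UNIT_DIRS:
        path = os.path.join(root, d, unit)
        if not os.path.lexists(path):
            continue
        is_link = os.path.islink(path)
        target = os.path.realpath(path) if is_link else path
        # Edits are safe only if the file an editor actually opens lives under
        # /etc and is not a link back into the package-owned tree.
        safe = d.startswith("etc/") and "/usr/lib/systemd/system/" not in target
        return {"path": path, "symlink": is_link, "survives_upgrade": safe}
    return None

def build_demo_tree():
    """Constructed throwaway layout: both dnscrypt-proxy units shipped by the
    package, the .service copied into /etc as in the post, the .socket only
    symlinked there (the trap: looks local, but edits land in the package file)."""
    root = tempfile.mkdtemp()
    for d in UNIT_DIRS:
        os.makedirs(os.path.join(root, d))
    lib = os.path.join(root, "usr/lib/systemd/system")
    etc = os.path.join(root, "etc/systemd/system")
    for name in ("dnscrypt-proxy.service", "dnscrypt-proxy.socket"):
        with open(os.path.join(lib, name), "w") as f:
            f.write("[Unit]\nDescription=package default\n")
    with open(os.path.join(etc, "dnscrypt-proxy.service"), "w") as f:
        f.write("[Unit]\nDescription=admin copy\n")
    os.symlink(os.path.join(lib, "dnscrypt-proxy.socket"),
               os.path.join(etc, "dnscrypt-proxy.socket"))
    return root
```

Run `unit_status("/", "dnscrypt-proxy.service")` on a real box to check your own copy.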

Jase
