Tuesday 8 November 2022

Wireguard on Raspberry Pi. 3 problems after install

System:  Raspberry Pi Model B Rev 2, Raspbian GNU/Linux 10 (buster), public ipv4 and ipv6

The install was simple with pivpn (see https://docs.pivpn.io/install/):

curl -L https://install.pivpn.io | bash

After that, I was left with three problems, two of which related to my system set up and one seemed to be an install problem.

1. I configured wireguard to use the dns server on the same computer.  Clients could not use it.  This needed a change to /etc/bind/named.conf.options.  I needed to add the network used by wireguard, i.e. 10.157.73.0/24, to "trusted":

acl "trusted" {
        90.155.48.128/27;
        81.187.211.32/28;
        2001:8b0:7c:1::/64;
        localhost;
        10.157.73.0/24;
};

This is because of this in the configuration:

allow-recursion {
        trusted;
};
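
As an added check, not from the post and not part of PiVPN or BIND: a Python script that reads the acl and allow-recursion clauses out of a named.conf.options fragment (the constructed sample below mirrors the two blocks above) and reports whether a given client address would be granted recursion, and whether the resolver is open to the whole internet. BIND's built-in "localhost" ACL is modelled as loopback only, and negated ("!") elements are not handled; both are assumptions made for this example.

```python
import ipaddress
import re

# Constructed sample that mirrors the acl / allow-recursion blocks in the post.
NAMED_CONF = """
acl "trusted" {
        90.155.48.128/27;
        81.187.211.32/28;
        2001:8b0:7c:1::/64;
        localhost;
        10.157.73.0/24;
};

options {
        allow-recursion {
                trusted;
        };
};
"""

# Built-in BIND ACLs.  Real "localhost" means every address of the host;
# modelling it as loopback only is an assumption made for this example.
BUILTIN_ACLS = {
    "localhost": ["127.0.0.0/8", "::1/128"],
    "any": ["0.0.0.0/0", "::/0"],
    "none": [],
}


def strip_comments(text):
    """Drop /* */, // and # comments so they cannot hide or fake an element."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def parse_acls(text):
    """Return {name: [element, ...]} for every acl "name" { ... }; block."""
    acls = {}
    for m in re.finditer(r'\bacl\s+"?([\w-]+)"?\s*\{([^}]*)\}', text):
        acls[m.group(1)] = [e.strip() for e in m.group(2).split(";") if e.strip()]
    return acls


def parse_allow_recursion(text):
    """Return the elements of the allow-recursion { ... }; clause, or None."""
    m = re.search(r"\ballow-recursion\s*\{([^}]*)\}", text)
    if m is None:
        return None
    return [e.strip() for e in m.group(1).split(";") if e.strip()]


def expand(elements, acls, seen=frozenset()):
    """Flatten named ACL references (recursively) into ip_network objects.
    Negated ("!") elements are not modelled, an intentional simplification."""
    nets = []
    for el in elements:
        el = el.strip('"')
        if el in acls or el in BUILTIN_ACLS:
            if el in seen:
                raise ValueError(f"acl reference loop at {el!r}")
            members = acls[el] if el in acls else BUILTIN_ACLS[el]
            nets.extend(expand(members, acls, seen | {el}))
        else:
            nets.append(ipaddress.ip_network(el, strict=False))
    return nets


def recursion_allowed(client_ip, conf_text):
    """True if client_ip matches the allow-recursion address match list."""
    text = strip_comments(conf_text)
    allow = parse_allow_recursion(text)
    if allow is None:
        raise ValueError("no allow-recursion clause found")
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in expand(allow, parse_acls(text)))


def open_resolver(conf_text):
    """True if allow-recursion ends up containing 'any' (0.0.0.0/0 or ::/0)."""
    text = strip_comments(conf_text)
    allow = parse_allow_recursion(text) or []
    return any(net.prefixlen == 0 for net in expand(allow, parse_acls(text)))


if __name__ == "__main__":
    for who in ("10.157.73.5", "8.8.8.8", "2001:8b0:7c:1::1"):
        print(who, "recursion allowed" if recursion_allowed(who, NAMED_CONF) else "refused")
    print("open resolver:", open_resolver(NAMED_CONF))
```

The point of the second function is the failure mode that is easy to reach while fixing the first problem: widening allow-recursion to "any" makes the Pi an open resolver usable for DNS amplification, so the VPN subnet belongs inside the named acl, as in the post, not in place of it.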

2. I run fail2ban.  I added the wireguard network to /etc/fail2ban/jail.d/mychanges.conf:

[DEFAULT]
ignoreip = 127.0.0.1/8 ::1 10.157.73.0/24

3. At this point, ipv6 was working from my macbook.  I could see this as I run a bash script that pings various places.  It was obvious that my macbook could not ping outside my local network using ipv4.

This was getting beyond my level of competence but I ferreted around and Googled and discovered a bad line in nftables:

chain POSTROUTING {
    type nat hook postrouting priority srcnat; policy accept;
    oifname "eth0" ip saddr 10.185.2.0/24 counter packets 0 bytes 0 masquerade comment "wireguard-nat-rule"
}

10.185.2.0/24 is incorrect.

Then I discovered

pivpn debug

And that found the error and put in the correct line.

chain POSTROUTING {
    type nat hook postrouting priority srcnat; policy accept;
    oifname "eth0" ip saddr 10.157.73.0/24 counter packets 0 bytes 0 masquerade comment "wireguard-nat-rule"
    oifname "eth0" ip saddr 10.185.2.0/24 counter packets 0 bytes 0 masquerade comment "wireguard-nat-rule"
}
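
An added check, not from the post and not part of PiVPN, that does mechanically what the author did by reading the ruleset: parse `nft list ruleset` output for masquerade rules, confirm that one exists for the WireGuard subnet on the WAN interface, and flag any rule that carries the wireguard-nat-rule comment but masquerades some other subnet. The two rulesets below are constructed from the chains shown above; 10.157.73.0/24 and eth0 are taken from the post.

```python
import ipaddress
import re

# Constructed from the two POSTROUTING chains shown in the post.
BAD_RULESET = '''
table ip nat {
    chain POSTROUTING {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "eth0" ip saddr 10.185.2.0/24 counter packets 0 bytes 0 masquerade comment "wireguard-nat-rule"
    }
}
'''

FIXED_RULESET = '''
table ip nat {
    chain POSTROUTING {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "eth0" ip saddr 10.157.73.0/24 counter packets 0 bytes 0 masquerade comment "wireguard-nat-rule"
        oifname "eth0" ip saddr 10.185.2.0/24 counter packets 0 bytes 0 masquerade comment "wireguard-nat-rule"
    }
}
'''

WG_SUBNET = ipaddress.ip_network("10.157.73.0/24")  # pivpn's subnet in the post
WAN_IFACE = "eth0"                                    # egress interface in the post
NAT_COMMENT = "wireguard-nat-rule"

# One masquerade rule per line: egress interface, IPv4 source prefix, optional comment.
RULE_RE = re.compile(
    r'oifname\s+"(?P<oif>[^"]+)"\s+ip\s+saddr\s+(?P<saddr>[0-9./]+)'
    r'.*?\bmasquerade\b(?:.*?\bcomment\s+"(?P<comment>[^"]*)")?'
)


def masquerade_rules(ruleset):
    """Return [(oifname, source_network, comment), ...] in ruleset order."""
    rules = []
    for line in ruleset.splitlines():
        m = RULE_RE.search(line)
        if m:
            rules.append((m["oif"], ipaddress.ip_network(m["saddr"]), m["comment"] or ""))
    return rules


def check_wireguard_nat(ruleset, wg_subnet=WG_SUBNET, wan=WAN_IFACE):
    """Return (present, stale): present is True when the VPN subnet is
    masqueraded out of the WAN interface; stale lists every source prefix
    tagged with the WireGuard comment that is not the VPN subnet."""
    rules = masquerade_rules(ruleset)
    present = any(oif == wan and net == wg_subnet for oif, net, _ in rules)
    stale = [str(net) for _, net, comment in rules
             if comment == NAT_COMMENT and net != wg_subnet]
    return present, stale


if __name__ == "__main__":
    for name, rs in (("before pivpn debug", BAD_RULESET), ("after pivpn debug", FIXED_RULESET)):
        present, stale = check_wireguard_nat(rs)
        print(f"{name}: rule for {WG_SUBNET} via {WAN_IFACE} present={present}, stale={stale}")
```

On the Pi itself, feed it the text of `nft list ruleset`. The leftover 10.185.2.0/24 rule does nothing as long as no interface carries that prefix, but a NAT rule for a subnet you do not use is exactly the kind of entry a later audit cannot explain, so it is better deleted than left in place.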



Clients

I did not have any problems with clients: WireGuard, the official WireGuard VPN client from the Mac App Store, for my MacBook, and WireGuard from the F-Droid site for Android.


IPV6

I've just noticed that, although the endpoint in the Mac app is configured to be "Endpoint = strigosus.clifford.ac:51820" in edit mode, it is "90.155.48.158:51820" when just viewed.  Something to be looked at.  And the ipv6 address on the server is "fd11:5ee:bad:c0de::2/64" which looks a bit ominous.  And my website, http://clifford.ac, hosted on another Pi, shows ipv4 in the top corner when viewed through the vpn tunnel.


 


Friday 8 April 2022

Škoda Octavia key fob battery

 The car told me to replace the battery in the keyfob.  I did and it didn't work.  I put the old battery back in and it didn't work.  Not even the flashing light on the keyfob itself.

I read on "the internet" that someone had had a similar problem and the fob needed a Panasonic battery.  I was very sceptical but bought some Panasonics.  It worked!

Wednesday 14 August 2019

Apache2 default-ssl.conf

I went to https://niblick.uk in a browser and it wasn't using default-ssl.conf.  By enabling and disabling virtual hosts it seems that it was using clifford-ssl.conf although there is no trace of niblick.uk in that file.

I copied default-ssl.conf to 000-default-ssl.conf, enabled that and disabled the original on the dubious analysis that 'c' comes before 'd' and the non-ssl conf file starts with 000.

This appears to have been successful.

This is on a Raspberry Pi running buster

Server version: Apache/2.4.38 (Raspbian)
Server built:   2019-04-07T18:15:40

Saturday 27 July 2019

systemd problems on Raspbian Buster - radicale, isc-dhcp-server, sshd, apache2

After reboot, radicale and isc-dhcp-server don't start.  Or, rather, radicale starts and then exits.

apache2 and sshd ports have been configured so that ssh over port 80 to a separate ip number is possible

sshd starts but not all ports are assigned

Jul 27 14:51:04 arcticus sshd[536]: error: Bind to port 22 on 2001:8b0:7c:1::154 failed: Cannot assign requested address.
Jul 27 14:51:04 arcticus sshd[536]: error: Bind to port 22 on 90.155.48.154 failed: Cannot assign requested address.
Jul 27 14:51:04 arcticus sshd[536]: error: Bind to port 443 on 2001:8b0:7c:1::136 failed: Cannot assign requested address.
Jul 27 14:51:04 arcticus sshd[536]: error: Bind to port 80 on 2001:8b0:7c:1::136 failed: Cannot assign requested address.
Jul 27 14:51:04 arcticus sshd[536]: Server listening on 90.155.48.136 port 443.
Jul 27 14:51:04 arcticus sshd[536]: Server listening on 90.155.48.136 port 80.
Jul 27 14:51:04 arcticus sshd[536]: Server listening on 81.187.211.34 port 22.
Jul 27 14:51:04 arcticus sshd[536]: Server listening on 2001:8b0:7c:1::138 port 22.
Jul 27 14:51:04 arcticus sshd[536]: error: Bind to port 22 on 90.155.48.138 failed: Cannot assign requested address.
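
An added example, not from the post, of the detection that the author says is difficult: sshd counts as started even when some of its ListenAddress binds failed, so the check has to come from the log lines rather than from the service state. The script below parses the sshd lines quoted above (copied verbatim as constructed input) and lists the address/port pairs that are configured but not listening. The EXPECTED_LISTENERS set is an assumption, since sshd_config is not shown; it is just every pair sshd mentions in that log.

```python
import re

# Copied from the sshd startup messages quoted in the post.
LOG = """\
Jul 27 14:51:04 arcticus sshd[536]: error: Bind to port 22 on 2001:8b0:7c:1::154 failed: Cannot assign requested address.
Jul 27 14:51:04 arcticus sshd[536]: error: Bind to port 22 on 90.155.48.154 failed: Cannot assign requested address.
Jul 27 14:51:04 arcticus sshd[536]: error: Bind to port 443 on 2001:8b0:7c:1::136 failed: Cannot assign requested address.
Jul 27 14:51:04 arcticus sshd[536]: error: Bind to port 80 on 2001:8b0:7c:1::136 failed: Cannot assign requested address.
Jul 27 14:51:04 arcticus sshd[536]: Server listening on 90.155.48.136 port 443.
Jul 27 14:51:04 arcticus sshd[536]: Server listening on 90.155.48.136 port 80.
Jul 27 14:51:04 arcticus sshd[536]: Server listening on 81.187.211.34 port 22.
Jul 27 14:51:04 arcticus sshd[536]: Server listening on 2001:8b0:7c:1::138 port 22.
Jul 27 14:51:04 arcticus sshd[536]: error: Bind to port 22 on 90.155.48.138 failed: Cannot assign requested address.
"""

# Assumed ListenAddress set (sshd_config is not shown in the post): simply
# every address/port pair that sshd mentions in the log above.
EXPECTED_LISTENERS = {
    ("90.155.48.154", 22), ("2001:8b0:7c:1::154", 22),
    ("90.155.48.138", 22), ("2001:8b0:7c:1::138", 22),
    ("81.187.211.34", 22),
    ("90.155.48.136", 80), ("2001:8b0:7c:1::136", 80),
    ("90.155.48.136", 443), ("2001:8b0:7c:1::136", 443),
}

BIND_FAIL = re.compile(
    r"sshd\[\d+\]: error: Bind to port (?P<port>\d+) on (?P<addr>\S+) failed: (?P<why>.*?)\.?$")
LISTENING = re.compile(
    r"sshd\[\d+\]: Server listening on (?P<addr>\S+) port (?P<port>\d+)\.?$")


def sshd_bind_status(log):
    """Split sshd startup lines into failed binds and live listeners.
    Returns (failed, listening): failed is [(addr, port, reason)],
    listening is [(addr, port)], both in log order."""
    failed, listening = [], []
    for line in log.splitlines():
        m = BIND_FAIL.search(line)
        if m:
            failed.append((m["addr"], int(m["port"]), m["why"]))
            continue
        m = LISTENING.search(line)
        if m:
            listening.append((m["addr"], int(m["port"])))
    return failed, listening


def missing_listeners(log, expected=EXPECTED_LISTENERS):
    """Configured (addr, port) pairs that sshd is not actually listening on.
    A failed bind is not fatal for sshd, so this is the check that the
    service's ActiveState cannot give you."""
    _, listening = sshd_bind_status(log)
    return sorted(set(expected) - set(listening))


if __name__ == "__main__":
    failed, listening = sshd_bind_status(LOG)
    print(f"{len(listening)} listeners up, {len(failed)} binds failed")
    for addr, port, why in failed:
        print(f"  {addr} port {port}: {why}")
    print("missing:", missing_listeners(LOG))
```

On the Pi, feed it the output of `journalctl -b -u ssh`. The cause to look for is ordering: sshd tries each ListenAddress once at start-up, and an address that is only assigned later in boot (for example by an ifconfig command in /etc/rc.local) is not retried until sshd is restarted, which is why the service shows as active with a listener missing. Setting `net.ipv4.ip_nonlocal_bind=1` and `net.ipv6.ip_nonlocal_bind=1` lets sshd bind to an address before it is assigned, and is a cleaner fix than restarting it from cron.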


apache 2 fails to start

The radicale, isc-dhcp-server and apache2 problems are detectable using "systemctl show", as the failure shows up as

LoadState=loaded
ActiveState=active
SubState=exited

I've created a root cron job to run, probably once a day, to check the services and restart them if necessary.

For example, for radicale

#!/bin/bash
# Run with root crontab once each day
# --------------------------------------------------------------------------
# radicale shows on reboot:
# LoadState=loaded
# ActiveState=active
# SubState=exited
#
# A healthy daemon reports SubState=running; anything else (exited, failed)
# means the service needs restarting.
/bin/echo "Checking radicale"
if /bin/systemctl show radicale.service | /bin/grep -qi 'SubState=running'; then
    /bin/echo "radicale running"
else
    /bin/echo "radicale not running"
    /bin/systemctl restart radicale.service
    if /bin/systemctl show radicale.service | /bin/grep -qi 'SubState=running'; then
        /bin/echo "radicale running"
    else
        /bin/echo "radicale failed to restart"
    fi
fi

It is more difficult to check the sshd error as sshd is started.  I'm using a rather dirty hack of checking if apache2 is running and, if not, restart sshd.



Sunday 14 July 2019

Sendmail problems with Raspbian Buster

"5.7.0 Authentication required" error in Thunderbird on my Macbook when trying to use Sendmail on my Pi for outgoing mail.  Also Alpine in a ssh shell would not send.

By comparing the setup with my existing Pi, I eventually discovered that libsasl2-modules was not installed.


Multiple ipv4 and ipv6 addresses without /etc/network/interfaces on Raspberry Pi Raspbian Buster

I decided to avoid /etc/network/interfaces with a new install on a Pi 3 and use dhcpcd.

Found searching the internet that I needed an entry in /etc/rc.local

ifconfig eth0:1 add 2001:8b0:7c:1::136
ifconfig eth0:1 90.155.48.136
ifconfig eth0:2 81.187.211.34


Wednesday 8 May 2019

multiple ipv4 and ipv6 addresses in /etc/network/interfaces on Raspberry Pi

I have been very frustrated trying to set up multiple ipv4 and ipv6 addresses on one interface, in this instance, eth0.

alan@strigosus ~ $ ifconfig
eth0      Link encap:Ethernet  HWaddr b8:27:eb:cb:6c:98 
          inet addr:90.155.48.158  Bcast:90.155.48.159  Mask:255.255.255.224
          inet6 addr: 2001:8b0:7c:1::136/64 Scope:Global
          inet6 addr: 2001:8b0:7c:1::158/64 Scope:Global
          inet6 addr: fe80::ba27:ebff:fecb:6c98/64 Scope:Link
          inet6 addr: 2001:8b0:7c:1::45/64 Scope:Global
          inet6 addr: 2001:8b0:7c:1::44/64 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:48007 errors:0 dropped:0 overruns:0 frame:0
          TX packets:70787 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:9720366 (9.2 MiB)  TX bytes:16787070 (16.0 MiB)

eth0:1    Link encap:Ethernet  HWaddr b8:27:eb:cb:6c:98 
          inet addr:81.187.211.44  Bcast:81.187.211.47  Mask:255.255.255.240
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth0:2    Link encap:Ethernet  HWaddr b8:27:eb:cb:6c:98 
          inet addr:81.187.211.45  Bcast:81.187.211.47  Mask:255.255.255.240
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth0:3    Link encap:Ethernet  HWaddr b8:27:eb:cb:6c:98 
          inet addr:90.155.48.136  Bcast:90.155.48.159  Mask:255.255.255.224
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth0:4    Link encap:Ethernet  HWaddr b8:27:eb:cb:6c:98 
          inet addr:90.155.48.134  Bcast:90.155.48.159  Mask:255.255.255.224
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback 
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:4687 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4687 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:677569 (661.6 KiB)  TX bytes:677569 (661.6 KiB)



The solution I found to work was to have one alias for each ip

This is my /etc/network/interfaces


auto lo eth0  eth0:1 eth0:2 eth0:3 eth0:4 eth0:5 eth0:6 eth0:7 eth0:8

iface lo inet loopback

# strigosus
# Pi Also for dhcp
iface eth0 inet static
address 90.155.48.158
netmask 255.255.255.224
gateway 90.155.48.129


# idaeus
# Pi
iface eth0:1 inet static
address 81.187.211.44
netmask 255.255.255.240
gateway 81.187.211.33


# ns-rosifolius
# for dns
iface eth0:2 inet static
address 81.187.211.45
netmask 255.255.255.240
gateway 81.187.211.33


# ns-sieboldii
# for dns
iface eth0:3 inet static
address 90.155.48.136
netmask 255.255.255.224
gateway 90.155.48.129


# ellipticus
# Pi. For sshd port 80
iface eth0:4 inet static
address 90.155.48.134
netmask 255.255.255.224
gateway 90.155.48.129


# strigosus
# Pi.
iface eth0:5 inet6 static
address 2001:8b0:7c:1::158/64
gateway 2001:8b0:7c:1:1e74:dff:fe51:4749


# idaeus
# Pi
iface eth0:6 inet6 static
address 2001:8b0:7c:1::44/64
gateway 2001:8b0:7c:1:1e74:dff:fe51:4749


# ns-rosifolius
# for dns
iface eth0:7 inet6 static
address 2001:8b0:7c:1::45/64
gateway 2001:8b0:7c:1:1e74:dff:fe51:4749
# gateway 2001:8b0:7c:1:1e74:dff:fe51:4749
# # netmask 64


# ns-sieboldii
# for dns
iface eth0:8 inet6 static
address 2001:8b0:7c:1::136/64
gateway 2001:8b0:7c:1:1e74:dff:fe51:4749


This also worked on my new Pi with Raspbian Stretch after disabling dhcpcd.  I wanted to do this as the new Pi is to be my new everything server.


Sunday 26 June 2016

Second referendum

I have no objection to a second referendum regarding leaving or staying in the European Union but with one proviso.  All the people who voted to leave but really wanted to stay in the Union are not fit to take part in a decision that decides the fate of everyone else so they would be excluded from voting in the second referendum.  This should be easy to implement as the people concerned appear to have already generated a list.

To keep the excluded happy during the referendum period, perhaps there could be a second questionnaire.  This could take the form of, say, a list of clothing manufacturers for whom the excluded prefer to display free advertising on their clothes.  The manufacturers could bid for tick boxes on the voting slip and proceeds would be given to the N.H.S.

Saturday 12 December 2015

Handicap Blues

I was having a really good start to the summer, including 23 points in a 9 hole stableford that cut my Congu handicap by 2.  So I went from 25.5 in June to 22.1 at the beginning of August.

Then a small operation followed by an 8 week golf hiatus.

Three not very good nine hole games in the UK then off to Barbados for the winter.

My handicap index in Barbados was 19.2 so played off 20 at Rockley and that was far too low for my post-op. ability.  The first game knocked a very good game from last January out of my 20 so my playing handicap went up by one, but that was still far too low. Most of my good scores were in the latter half of my 20 scores so played off 21 for a month.

There are indications I am getting back into the swing of things.  On Thursday, I drove past the yellow marker on the first fairway for the first time this winter.  On Tuesday, I scored 2 under handicap but, as it knocked a "3 under" off my record, I expect my handicap to go up to 25 at tomorrow's weekly recalculation.

The next score to drop off my handicap index is now a 4 under, the last remaining score from last March.

So, with getting my game back and with last winter's scores all gone, hopefully my handicap has topped out and I can try to get it down again.

Thursday 11 September 2014

Strange game of golf today.  Scored only 10 points in a 9 hole stableford and 5 of those were on one hole.

Thursday 6 June 2013

Contactless card from Metro Bank


Metro Bank won't give me a contactless card so I want to cut the wires.  Presumably the loops around the chip are to pick up power but there seems to be something coming out to the right.  Is that the rfid chip to the right of the main chip?

I am thinking that if I cut through the card across the wireless logo, I should be able to disable it.  But I must buy something first to do a before and after test.

Thursday 8 November 2012

The Ark Animal Welfare Society Barbados, book sale

Books are heavy to take on holiday.  In Barbados, on the first Tuesday of every month, is The Ark Animal Welfare Society book sale outside the Big B supermarket at Worthing.  The books are 4 or 5 BBD - read then donate back next month is a good idea.

The Ark Animal Welfare Society Barbados

Friday 7 September 2012

Spamassassin on my Raspberry Pi

Waiting for a spam email to be sent to the domain on my Raspberry Pi to test Spamassassin. Perhaps if I put the email address here, it will be harvested a lot quicker by the spam 'bots.

alan@mundungus.org


Sunday 2 September 2012

Squirrel mail (the login page at least) and https on the Raspberry Pi

https://mundungus.org/squirrelmail/src/login.php


Thursday 23 August 2012

ipv6 on raspberry pi

There is now a webserver on my Raspberry Pi

http://idaeus.clifford.ac/ 

ipv6 on Raspberry Pi

I can now ssh to my Pi using ipv6.

ipv6 on Raspberry Pi

I had to put

ipv6

into /etc/modules to enable ipv6.

This is using 2012-08-16-wheezy-raspbian.zip.

Thursday 26 April 2012

Photographs at Fine Art America


Art Prints

Tuesday 2 August 2011

Free loan at Kiva

I've made a free loan (financed by Kiva) at http://kiva.org/invitedby/alan3949

Monday 28 March 2011

Walking directions from Guildford to Lifton

Wednesday 2 February 2011

Facebook, https and ipv6

I wasn't able to set up secure browsing on Facebook using the old internet but, when logged in using ipv6 https://www.v6.facebook.com/Alan.Clifford, I was allowed to. On the legacy, ipv4 internet again, I was still set up to use https.

Chat seems to be no longer available on the Facebook site under the old internet but that doesn't matter; I use ipv6 at home and have Facebook chat set up in Adium anyway.

Saturday 15 January 2011

Theft of photos by deep linking

Stealing photographs from my website by deep linking is not without its perils.

Wednesday 5 January 2011

Flash and auto iso on the Nikon D7000

The way auto iso and flash interact on the D7000 seems to have changed since the D80. And the new algorithm seems to make a complete pig's breakfast of the job.

Here are 3 photographs, all taken at f5.6, 30th sec.
The first is without auto iso and flash. Iso is 100.
The second is auto iso and no flash. Iso is 2200.
The third is auto iso and flash. Iso is again 2200. You can see the shadows from the overhead domestic lighting and it seems the camera is trying to use a mixture of lighting, squelches the flash and puts up the iso instead. But the white balance for the mixed lighting does not appear to work. And the iso is ridiculously high.

I've taken another photograph where the camera has decided to use f8 and iso 6400, 6400 being the maximum iso I've allowed. That seemed to have been a very daft choice for a combination of settings.

The algorithm seems all wrong to me.


Sunday 5 October 2008

Man fined for taking photo of woman being sick

Article in The Scotsman

There seems to have been three crimes committed here.

The sheriff is there to uphold the law; he is not there to abuse existing laws to impose his own morality on the public. The photographer did not breach the peace and was not behaving in a disorderly manner but the sheriff is trying to use these laws to bring in a "right to privacy" law by the back door. He should be dismissed from his post.

It appears that the photographer was assaulted by the friends. Why weren't they prosecuted?

Presumably the police arrested the photographer. It looks like a case of wrongful arrest to me.


Wednesday 3 September 2008

Nikon photo contest international email problem resolved

I emailed Nikon. I had a couple of replies from various parts of Nikon and they fixed the dns problem immediately. Well done Nikon.


Monday 1 September 2008

Nikon photo contest international email problem

The process to send your photos to this contest starts with filling in a web form with your email address and a password. They then send you an email with a website URL.

Unfortunately, although I can see from my mail server log that they attempted to email me, their email was rejected by my mail server because they sent from a non-existent domain:

Sep 1 20:38:16 malander sm-mta[22038]: m81JcGjv022038: ruleset=check_mail, arg1=, relay=mailx.photohighway.co.jp [211.13.226.3], reject=553 5.1.8 ... Domain of sender address sys.npci@2008-09.nikon-npci.com does not exist
Sep 1 20:38:17 malander sm-mta[22038]: m81JcGjv022038: from=, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA-v6, relay=mailx.photohighway.co.jp [211.13.226.3]


Maybe this is happening all over the world at this very moment and, if you don't have access to the mailserver logs, you wouldn't know why you didn't receive the email from Nikon.

After browsing my list of logins, I discovered that I already had been through this process about three years ago so they already have a (different) email address and password for me. But I am a bit reluctant to use it as they might try to email me again!



Wednesday 19 March 2008

Photography in public places

Austin Mitchell has tabled an Early Day Motion concerning attempts to restrict lawful photography in public places in the UK. Please email or write to your MP (your MP can be found using your postcode here) asking him or her to support the motion.

The text of the motion is:

"That this House is concerned to encourage the spread and enjoyment of photography as the most genuine and accessible people's art; deplores the apparent increase in the number of reported incidents in which the police, police community support officers (PCSOs) or wardens attempt to stop street photography and order the deletion of photographs or the confiscation of cards, cameras or film on various specious ground such as claims that some public buildings are strategic or sensitive, that children and adults can only be photographed with their written permission, that photographs of police and PCSOs are illegal, or that photographs may be used by terrorists; points out that photography in public places and streets is not only enjoyable but perfectly legal; regrets all such efforts to stop, discourage or inhibit amateur photographers taking pictures in public places, many of which are in any case festooned with closed circuit television cameras; and urges the Home Office and the Association of Chief Police Officers to agree on a photography code for the information of officers on the ground, setting out the public's right to photograph public places thus allowing photographers to enjoy their hobby without officious interference or unjustified suspicion."

Wednesday 26 September 2007

Have the euro MP's replied?

First off the starting blocks is Caroline Lucas of the greens. Just an acknowledgement from Cath Miller, Constituency Co-ordinator and Researcher, but certainly top marks for politeness.

An email to my Euro MPs about .eu domains

I followed the proposal over the years, and the eventual set up, of the .eu domain and was hoping to acquire clifford.eu. Unfortunately, this was acquired by a company called Direct Electronics inc, which appears to be a UK subsidiary of an American company.

I did feel it was wrong that a company could buy the name during the "sunrise" period rather than it being made to take its chance with individuals like me. But, OK, that was the rule, even if I think it was a bad rule. But I really object to the fact that clifford.eu is not actually being used. I guess that it was bought precisely for that purpose - to stop it being used. (This is verifiable because there is no DNS for the domain). So an American company has bought a .eu domain, is not using it, and is preventing a EU citizen, me, from using it!

All of the above does not break any .eu rules but what was the point of setting up the .eu domain just for companies to buy .eu domains and not use them? It would be interesting to find out what proportion of .eu names are being abused in this manner and how much tax payers' money has been wasted on setting up the .eu infrastructure just so companies can stop the .eu names from being used.

An alternative domain name would have been ahc.eu, ahc being my initials. http://ahc.eu is a website offering the domain name for sale. Again, this is not against the rules but, again, seems to have made the setting up of the .eu domain a pointless waste of time. I wonder how many .eu domain names come into this category?

Being a keen photographer, a domain like f8.eu would have been perfect for my website of photographs. So what is occupying this domain name at the moment? It's a page of click-through advertisements and again, the name is offered for sale. No rules broken but a pointless waste of time to have set up the .eu domain for click-through advertisement pages. I wonder how many .eu domains come into this category. How much tax money was used to set up all of this pointless infrastructure?

Tuesday 10 July 2007

Amex and Halifax bank prevent payment

I am trying to pay my Amex account with my Halifax debit card. I reach this point on the Amex website:

"Please note: For added security your debit card issuer requires to authenticate your debit card details. You will be sent to your issuer's site temporarily. Once the authentication is completed you will be returned to the American Express site to continue your payment process."

On the website I am taken to, I am only given the option of clicking on a button that forces me to agree to their conditions of use. (I can't give the exact wording as the Amex website has gone into nightly update mode and I can't get back to the Halifax sponsored site). I do not want to agree to their conditions of use as they require a unique password and a unique user name and

"You are responsible for keeping your password and username secret. You must not write down, store (whether encrypted or otherwise) on your computer or mobile phone handset or let anyone else know your password or username ..." Strewth, I have about 100 of those and could not possibly agree.

Next step is to telephone the Halifax. I am told that authentication is an optional service, they cannot do anything and I should contact Amex. I ring Amex. They tell me that I can no longer use the website to pay my bill but I can pay over the telephone.

"OK," I say, "I'd like to pay my bill." Unfortunately, that was not possible as their computers were busy.