Compare commits
5 Commits
4d9d72d438
...
3c51a2a58f
Author | SHA1 | Date |
---|---|---|
KemoNine | 3c51a2a58f | |
KemoNine | fcb7049270 | |
KemoNine | 5797077dbe | |
KemoNine | 72ce0921b0 | |
KemoNine | cd55cd7511 | |
@ -33,7 +33,6 @@ If you're not using the [link for beginners](for-beginners/README.md), the follo
|
|||
- [FirewallD (firewall/routing)](armbian/firewalld.md)
|
||||
- [Unbound (Non ISP DNS)](armbian/unbound.md)
|
||||
- VPN Options
|
||||
- [Private Internet Access (VPN)](armbian/vpn/pia.md)
|
||||
- [vpn.ac (VPN)](armbian/vpn/vpn_ac.md)
|
||||
- [VPN Autoconnect](armbian/vpn/vpn_autoconnect.md)
|
||||
|
||||
|
|
|
@ -0,0 +1,26 @@
|
|||
Some misc notes on arduino-cli.
|
||||
|
||||
This is mostly UNTESTED. YMMV.
|
||||
|
||||
https://github.com/arduino/arduino-cli
|
||||
use arm32 + multiarch for version 0.3.6-alpha on arm64 hardware
|
||||
apt install gcc-avr
|
||||
arduino-cli core update-index
|
||||
arduino-cli config init
|
||||
nano -w ~/.arduino15/arduino-cli.yaml
|
||||
board_manager:
|
||||
additional_urls:
|
||||
- https://raw.githubusercontent.com/adafruit/arduino-board-index/gh-pages/package_adafruit_index.json
|
||||
- https://raw.githubusercontent.com/sparkfun/Arduino_Boards/master/IDE_Board_Manager/package_sparkfun_index.json
|
||||
- https://dl.espressif.com/dl/package_esp32_index.json
|
||||
|
||||
arduino-cli core update-index
|
||||
arduino-cli core install arduino:avr
|
||||
arduino-cli core install arduino:sam
|
||||
arduino-cli core install arduino:samd
|
||||
arduino-cli core install adafruit:avr
|
||||
arduino-cli core install adafruit:samd
|
||||
arduino-cli core install SparkFun:avr
|
||||
arduino-cli core install SparkFun:samd
|
||||
arduino-cli core install esp32:esp32
|
||||
arduino-cli core install esp8266:esp8266
|
|
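Review bot: the last command, `arduino-cli core install esp8266:esp8266`, has no matching package index in `additional_urls`; the list carries only the Adafruit, SparkFun and esp32 indexes, so that platform will probably not resolve after `core update-index`. Add the ESP8266 package index to the list or drop the install line. The two GitHub raw URLs also track moving branches (`gh-pages`, `master`), so whatever those branches serve at update time decides which toolchains get downloaded and run; a sentence saying so would help anyone who needs a reproducible or audited build host.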
@ -11,7 +11,7 @@ git clone https://github.com/slingamn/namespaced-openvpn.git
|
|||
cd namespaced-openvpn
|
||||
make install
|
||||
|
||||
/usr/local/sbin/namespaced-openvpn --config /etc/openvpn/chicago.conf --auth-user-pass /etc/openvpn/auth_pia.txt
|
||||
/usr/local/sbin/namespaced-openvpn --config /etc/openvpn/chicago.conf --auth-user-pass /etc/openvpn/auth.txt
|
||||
|
||||
ip netns list
|
||||
|
||||
|
|
|
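Review bot: the `--auth-user-pass /etc/openvpn/auth.txt` argument points at a file that holds the VPN username and password in clear text, and none of the visible steps set its ownership or mode. Add a step next to the command such as `chmod 600 /etc/openvpn/auth.txt` with root as owner. The two variants of the command differ only in the file name (`auth_pia.txt` vs `auth.txt`), so it is also worth a line telling existing installs to rename the file, otherwise the command fails at startup.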
@ -0,0 +1,39 @@
|
|||
# Running a Raspberry Pi with USB based btrfs root filesystem
|
||||
|
||||
This is a very advanced configuration and here as a set of notes for the more daring users building remixes.
|
||||
|
||||
Please note: *you will need to change ```/dev/sda``` and ```/dev/sdb``` as well as any sizes and offsets to match your needs and approach*.
|
||||
|
||||
``` bash
|
||||
|
||||
dd if=/dev/sda of=/dev/sdb bs=1M
|
||||
parted /dev/sdb
|
||||
mkpart
|
||||
33G
|
||||
-1
|
||||
q
|
||||
mkfs.btrfs \
|
||||
-L writable \
|
||||
/dev/sdb3
|
||||
mkdir /mnt/new
|
||||
mkdir /mnt/orig
|
||||
mount /dev/sdb2 /mnt/orig
|
||||
mount -o autodefrag,compress,ssd,ssd_spread /dev/sdb3 /mnt/new
|
||||
rsync -aPr --delete-after /mnt/orig/ /mnt/new/
|
||||
nano -w /mnt/new/etc/fstab
|
||||
btrfs filesystem type && mount options
|
||||
mount /dev/sdb1 /mnt/new/boot/firmware
|
||||
nano -w /mnt/new/boot/firmware/config.txt /mnt/new/boot/firmware/cmdline.txt
|
||||
umount /mnt/orig
|
||||
pvcreate /dev/sdb2
|
||||
vgcreate misc /dev/sdb2
|
||||
lvcreate -C y -n swap.1 -L 1G misc
|
||||
lvcreate -n scratch -L 6G misc
|
||||
mkswap /dev/mapper/misc-swap.1
|
||||
mkfs.btrfs -L scratch /dev/mapper/misc-scratch
|
||||
mkdir /scratch
|
||||
nano -w /mnt/new/etc/fstab
|
||||
add lvm swap
|
||||
add lvm scratch
|
||||
|
||||
```
|
|
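Review bot: `mkdir /scratch` near the end creates the mount point on the running system, while the fstab being edited is `/mnt/new/etc/fstab`; the directory should be `/mnt/new/scratch` so that it exists on the new root. The lines `btrfs filesystem type && mount options`, `add lvm swap` and `add lvm scratch` are notes sitting inside the bash fence without a `#`, as are the `parted` answers (`mkpart`, `33G`, `-1`, `q`); pasted into a shell they run as commands, so mark them as comments. Since `dd if=/dev/sda of=/dev/sdb` and `pvcreate /dev/sdb2` overwrite their targets, an `lsblk` check before each would back up the warning above the block.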
@ -1,236 +0,0 @@
|
|||
# Private Internet Access (PIA)
|
||||
|
||||
This is a **VERY** advanced topic with some creative tricks to simplify getting the config added to NetworkManager. You're on your own.
|
||||
|
||||
The author *strongly* recommends reading through this and adapting/tuning well ahead of any real need(s).
|
||||
|
||||
## Inspiration / Sources
|
||||
|
||||
- [http://blog.deadlypenguin.com/blog/2017/04/24/vpn-auto-connect-command-line/](http://blog.deadlypenguin.com/blog/2017/04/24/vpn-auto-connect-command-line/)
|
||||
- [https://forums.linuxmint.com/viewtopic.php?t=97187](https://forums.linuxmint.com/viewtopic.php?t=97187)
|
||||
- [https://unix.stackexchange.com/questions/301845/scripting-a-way-to-quickly-import-ovpn-files-to-networkmanager-on-ubuntu](https://unix.stackexchange.com/questions/301845/scripting-a-way-to-quickly-import-ovpn-files-to-networkmanager-on-ubuntu)
|
||||
- [https://www.privateinternetaccess.com/pages/client-support/](https://www.privateinternetaccess.com/pages/client-support/)
|
||||
|
||||
## Prep Work
|
||||
|
||||
Download PIA OpenVPN advanced configs, drop them in a good place on the filesystem and script import.
|
||||
|
||||
All files can be found Under ```Advanced OpenVPN SSL Restrictive Configurations``` on the main PIA website.
|
||||
|
||||
### Download PIA OpenVPN Template Files
|
||||
|
||||
``` bash
|
||||
|
||||
mkdir -p /etc/pia
|
||||
cd /etc/pia
|
||||
mkdir openvpn-strong
|
||||
cd openvpn-strong
|
||||
wget https://www.privateinternetaccess.com/openvpn/openvpn-strong.zip
|
||||
unzip openvpn-strong.zip
|
||||
cd ..
|
||||
mkdir openvpn-strong-tcp
|
||||
cd openvpn-strong-tcp
|
||||
wget https://www.privateinternetaccess.com/openvpn/openvpn-strong-tcp.zip
|
||||
unzip openvpn-strong-tcp.zip
|
||||
cd ..
|
||||
|
||||
```
|
||||
|
||||
### Add OpenVPN To Network Manager
|
||||
|
||||
``` bash
|
||||
|
||||
# NetworkManager Gnome is *required* to get a missing library on xenial
|
||||
# OMIT Gnome item if you can get away with it...
|
||||
|
||||
apt update
|
||||
apt install network-manager-openvpn
|
||||
|
||||
```
|
||||
|
||||
### Cleanup Files for Import
|
||||
|
||||
The cipher lines in the templates provided by PIA won't work 100% correctly on import. These commands will clean them up for import.
|
||||
|
||||
``` bash
|
||||
|
||||
cd /etc/pia
|
||||
cd openvpn-strong
|
||||
sed -i 's/aes-256-cbc/AES-256-CBC/g' *.ovpn
|
||||
sed -i 's/sha256/SHA256/g' *.ovpn
|
||||
sed -i 's_crl.rsa.4096.pem_/etc/pia/openvpn-strong/crl.rsa.4096.pem_g' *.ovpn
|
||||
sed -i 's_ca.rsa.4096.crt_/etc/pia/openvpn-strong/ca.rsa.4096.crt_g' *.ovpn
|
||||
cd ..
|
||||
cd openvpn-strong-tcp
|
||||
sed -i 's/aes-256-cbc/AES-256-CBC/g' *.ovpn
|
||||
sed -i 's/sha256/SHA256/g' *.ovpn
|
||||
sed -i 's_crl.rsa.4096.pem_/etc/pia/openvpn-strong-tcp/crl.rsa.4096.pem_g' *.ovpn
|
||||
sed -i 's_ca.rsa.4096.crt_/etc/pia/openvpn-strong-tcp/ca.rsa.4096.crt_g' *.ovpn
|
||||
cd ..
|
||||
|
||||
```
|
||||
|
||||
## Import / Setup
|
||||
|
||||
### Manual Import
|
||||
|
||||
Import the cleaned up, provided OpenVPN profiles. This will require intervention on your part after the profile is created in NetworkManager to ensure it can connect properly.
|
||||
|
||||
*Note: this assumes UDP profiles, tweak for the ```openvpn-strong-tcp``` directory if desired or necessary*
|
||||
|
||||
#### Initial Import / Edit
|
||||
|
||||
``` bash
|
||||
|
||||
nmcli connection import type openvpn file /etc/pia/openvpn-strong/[con_name].ovpn
|
||||
nmcli con show
|
||||
vim /etc/NetworkManager/system-connections/[con_name]
|
||||
|
||||
```
|
||||
|
||||
#### Adjustments/Necessary Verification
|
||||
|
||||
``` bash
|
||||
|
||||
id=PIA - [con_name]
|
||||
|
||||
[vpn]
|
||||
auth=SHA256
|
||||
cipher=AES-256-CBC
|
||||
password-flags=0
|
||||
user-name=[your_username]
|
||||
|
||||
[vpn-secrets]
|
||||
password=[your_password]
|
||||
|
||||
```
|
||||
|
||||
#### Update Profiles in NetworkManager
|
||||
|
||||
``` bash
|
||||
|
||||
# Reload For Changes
|
||||
nmcli connection reload [uuid_from_above]
|
||||
|
||||
# Connect
|
||||
nmcli con up [uuid_from_above]
|
||||
|
||||
```
|
||||
|
||||
### Scripted Import
|
||||
|
||||
Some automated imports based on how the ```ovpn``` files are normally imported via ```nmcli```
|
||||
|
||||
*Note: this assumes UDP profiles, you'll need to tweak this as you see fit for TCP*
|
||||
|
||||
#### Install ```uuidgen```
|
||||
|
||||
``` bash
|
||||
|
||||
apt update
|
||||
apt install uuid-runtime
|
||||
|
||||
```
|
||||
|
||||
#### Create List of VPN Endpoints
|
||||
|
||||
``` bash
|
||||
|
||||
cat > /etc/pia/server_list.txt << EOF
|
||||
us-west.privateinternetaccess.com=PIA - USA (West)
|
||||
us-east.privateinternetaccess.com=PIA - USA (East)
|
||||
us-midwest.privateinternetaccess.com=PIA - USA (Midwest)
|
||||
aus.privateinternetaccess.com=PIA - Australia (Sydney)
|
||||
austria.privateinternetaccess.com=PIA - Austria
|
||||
belgium.privateinternetaccess.com=PIA - Belgium
|
||||
ca-toronto.privateinternetaccess.com=PIA - Canada (Toronto) (East)
|
||||
ca-vancouver.privateinternetaccess.com=PIA - Canada (Vancouver) (West)
|
||||
fi.privateinternetaccess.com=PIA - Finland
|
||||
france.privateinternetaccess.com=PIA - France
|
||||
germany.privateinternetaccess.com=PIA - Germany
|
||||
hk.privateinternetaccess.com=PIA - Hong Kong
|
||||
in.privateinternetaccess.com=PIA - India
|
||||
japan.privateinternetaccess.com=PIA - Japan
|
||||
mexico.privateinternetaccess.com=PIA - Mexico
|
||||
nl.privateinternetaccess.com=PIA - Netherlands
|
||||
no.privateinternetaccess.com=PIA - Norway
|
||||
sg.privateinternetaccess.com=PIA - Singapore
|
||||
spain.privateinternetaccess.com=PIA - Spain
|
||||
sweden.privateinternetaccess.com=PIA - Sweden
|
||||
swiss.privateinternetaccess.com=PIA - Switzerland
|
||||
turkey.privateinternetaccess.com=PIA - Turkey
|
||||
uk-london.privateinternetaccess.com=PIA - UK (London)
|
||||
brazil.privateinternetaccess.com=PIA - Brazil
|
||||
EOF
|
||||
|
||||
```
|
||||
|
||||
#### Setup NeworkManager Profiles
|
||||
|
||||
Some fancy bash tricks to get the full list of NetworkManager PIA connections imported in one copy/paste.
|
||||
|
||||
*Note: You'll need to fill in ```[your_username]``` and ```[your_password]``` before running this block of commands.
|
||||
|
||||
``` bash
|
||||
|
||||
export PIA_USER="[your_username]"
|
||||
export PIA_PASSWORD="[your_password]"
|
||||
while read line;
|
||||
do
|
||||
desc=$(echo $line | cut -f2 -d'=')
|
||||
dns=$(echo $line | cut -f1 -d'=')
|
||||
file="/etc/NetworkManager/system-connections/$desc"
|
||||
|
||||
cat > "$file" <<EOF
|
||||
[connection]
|
||||
id=$desc
|
||||
uuid=`uuidgen`
|
||||
type=vpn
|
||||
permissions=
|
||||
secondaries=
|
||||
|
||||
[vpn]
|
||||
connection-type=password
|
||||
auth=SHA256
|
||||
password-flags=0
|
||||
remote=${dns}:1197
|
||||
cipher=AES-256-CBC
|
||||
comp-lzo=yes
|
||||
reneg-seconds=0
|
||||
remote-cert-tls=server
|
||||
ca=/etc/pia/openvpn-strong/ca.rsa.4096.crt
|
||||
dev=tun
|
||||
service-type=org.freedesktop.NetworkManager.openvpn
|
||||
username=${PIA_USER}
|
||||
|
||||
[vpn-secrets]
|
||||
password=${PIA_PASSWORD}
|
||||
|
||||
[ipv4]
|
||||
dns-search=
|
||||
method=auto
|
||||
|
||||
[ipv6]
|
||||
addr-gen-mode=stable-privacy
|
||||
dns-search=
|
||||
method=auto
|
||||
|
||||
EOF
|
||||
|
||||
chmod 600 "$file"
|
||||
|
||||
done < /etc/pia/server_list.txt
|
||||
|
||||
systemctl restart NetworkManager
|
||||
nmcli con show
|
||||
|
||||
```
|
||||
|
||||
## Testing VPN (Post Setup)
|
||||
|
||||
Go to each link below and verify you're safe.
|
||||
|
||||
- [https://www.privateinternetaccess.com/pages/whats-my-ip/](https://www.privateinternetaccess.com/pages/whats-my-ip/)
|
||||
- [http://dnsleak.com/](http://dnsleak.com/)
|
||||
- [http://ipv6leak.com/](http://ipv6leak.com/)
|
||||
- [http://emailipleak.com/](http://emailipleak.com/)
|
|
@ -8,8 +8,6 @@ The author *strongly* recommends reading through this and adapting to other serv
|
|||
|
||||
## Inspiration / Sources
|
||||
|
||||
This is an adaptation of the [PIA](pia.md) setup but for vpn.ac instead.
|
||||
|
||||
- [https://vpn.ac/ovpn](https://vpn.ac/ovpn)
|
||||
|
||||
## Prep Work
|
||||
|
|
|
@ -15,7 +15,7 @@ Some basic setup for auto-connecting a *specific* VPN connection. You'll need/wa
|
|||
|
||||
``` bash
|
||||
|
||||
# Get UUID for PIA endpoint you want as a default
|
||||
# Get UUID for endpoint you want as a default
|
||||
nmcli con show
|
||||
mkdir /etc/autovpn
|
||||
# Setup the default so it can be used via autovpn script (see below)
|
||||
|
|
|
@ -43,3 +43,95 @@ dkms install zfs/0.7.13
|
|||
systemctl enable zfs-import-cache zfs-import.target zfs-mount zfs-share zfs.target
|
||||
|
||||
```
|
||||
|
||||
## Monitor For Common Problems
|
||||
|
||||
For some reason the Pine64 and SOPine can have problems with "clock jumps" (ie. jumping forward 95 years) due to kernel bugs. They can also have major IO stalls when writing heavily to micro-sd cards, so much so the board becomes basically non-responsive for many minutes (upwards of 10).
|
||||
|
||||
The below Monit configuration and setup will monitor for both events and reboot the board in the event either happens. Currently this seems to be the least-worst option for recovery.
|
||||
|
||||
### Monit Install / Initial Config
|
||||
|
||||
``` bash
|
||||
|
||||
apt install monit
|
||||
nano -w /etc/monit/monitrc
|
||||
set mail-format { from: user@domain.tld }
|
||||
set alert admin@domain.tld
|
||||
set mailserver mail.domain.tld port 587
|
||||
username "user@domain.tld" password "apassword"
|
||||
using tls
|
||||
set httpd port 2812 and
|
||||
allow admin:apassword
|
||||
allow guest:guest readonly
|
||||
#with ssl { # enable SSL/TLS and set path to server certificate
|
||||
# pemfile: /etc/ssl/certs/monit.pem
|
||||
#}
|
||||
|
||||
```
|
||||
|
||||
|
||||
### Monit Monitor for large clock jumps forward
|
||||
|
||||
```/usr/local/bin/check_clock_jump.py```
|
||||
|
||||
``` python
|
||||
|
||||
#!/usr/bin/env python3
|
||||
|
||||
import datetime
|
||||
import sys
|
||||
|
||||
FORMAT_STRING = '%Y-%m-%d %H:%M:%S'
|
||||
MAX_TIME_JUMP = datetime.timedelta(days=90)
|
||||
CACHE_FILE = '/var/cache/last_time.check'
|
||||
|
||||
current_time = datetime.datetime.now()
|
||||
last_time = current_time
|
||||
|
||||
try:
|
||||
with open(CACHE_FILE, 'r') as f:
|
||||
last_time = datetime.datetime.strptime(f.read().strip(), FORMAT_STRING)
|
||||
except FileNotFoundError:
|
||||
pass
|
||||
|
||||
timedelta = current_time - last_time
|
||||
if timedelta > MAX_TIME_JUMP:
|
||||
sys.exit(1)
|
||||
|
||||
with open(CACHE_FILE, 'w') as f:
|
||||
f.write(current_time.strftime(FORMAT_STRING))
|
||||
|
||||
sys.exit(0)
|
||||
|
||||
```
|
||||
|
||||
``` bash
|
||||
|
||||
chmod a+x /usr/local/bin/check_clock_jump.py
|
||||
cat > /etc/monit/conf.d/check_clock_jump.conf <<EOF
|
||||
check program check_clock_jump with path /usr/local/bin/check_clock_jump.py
|
||||
if status != 0
|
||||
then exec "/bin/systemctl reboot"
|
||||
as uid "root" and gid "root"
|
||||
EOF
|
||||
|
||||
systemctl restart monit
|
||||
|
||||
```
|
||||
|
||||
### Monit monitor for ```card_busy_detect status: 0xe00``` kernel errors
|
||||
|
||||
``` bash
|
||||
|
||||
cat > /etc/monit/conf.d/card_busy_detect.conf <<EOF
|
||||
# From docs: On startup the read position is set to the end of the file and Monit continues to scan to the end of the file on each cycle.
|
||||
check file kernel path /var/log/kern.log
|
||||
if content = ".*card_busy_detect status: 0xe00.*"
|
||||
then exec "/bin/systemctl reboot"
|
||||
as uid "root" and gid "root"
|
||||
EOF
|
||||
|
||||
systemctl restart monit
|
||||
|
||||
```
|
||||
|
|
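Review bot: in the `monitrc` block, `set httpd port 2812` ships with `allow guest:guest readonly` and a placeholder `allow admin:apassword` while the `with ssl` stanza is commented out, so the web interface accepts a well-known login and carries the admin password in clear text. Bind it to loopback (`use address localhost` with `allow localhost`), drop the guest line, and tell readers to replace the placeholder credentials. In `check_clock_jump.py`, the `sys.exit(1)` path returns before the cache file is rewritten, so a board that was simply powered off for more than 90 days fails the check again after every reboot and loops; the same happens if `strptime` raises on a truncated cache file, because only `FileNotFoundError` is caught. Write the current time before exiting, and treat an unparsable cache as missing.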