A word of warning about Kimsufi and ESXi

Kimsufi are well known for offering cheap dedicated servers and over the years I’ve had no problems until recently.

I purchased a KS-5 for running VMware ESXi on, it was a fairly good spec Xeon with 16GB of ram and 2TB disk space for about £30 a month plus a one time setup fee. It was quickly provisioned which was great, but after logging into my account I found a problem – There was no obvious place to order additional IPv4 addresses which rendered the server completely useless to me. I was prompted to select an operating system, so I did thinking this would make ordering IP addresses possible, but still nothing.

I contacted support immediately and asked if ordering additional IP addresses was possible, and if not to cancel and refund my account. They responded in a nut shell saying its not possible, and that because I’d installed the VMware template that they provided they wouldn’t refund me which was annoying, they also implied that because the service was so cheap I should be grateful and suggested using their sister brand SoYouStart, amusing.

Luckily I paid with PayPal so I opened a dispute and got my money back. It’s not about the money though, its about Kimsufi not making the facts clear and then fobbing you off. I’d usually recommend them, but not anymore.

I’ve since found a better provider, Online.net offering similar spec servers capable of running ESXi with, wait for it, the option to order additional IP addresses! Amazing.

Upgrade Windows Phone 8.0 to 8.1 Before Main Release Using Developer Preview

Recently I lost my smartphone and after lots of searching decided to give up and buy a new phone. As I only really use my phone for checking emails, a little remote desktop access and the odd bit of mobile banking I didn’t need anything overkill and I fancied a change from Android so I went for a Windows based Nokia Lumia 520.

The Lumia 520 can be picked up for £69.00 on O2 pay as you go (as of 01/07/2014, see here) but I paid a little extra and got mine the same day. I was initially blown away by the Windows Phone operating system as it was better than expected and I couldn’t find any flaws. I’d setup my email, installed the mobile banking app and so on which lead me to my final task which was to install the Remote Desktop app. You’d think this would be a straight forward task installing a Microsoft product on something Microsoft powered but no, when heading to the Microsoft Store on the phone the Remote Desktop app wasn’t showing so I searched the Microsoft Store online and it came up saying that it wasn’t compatible with the Windows Phone 8.0 operating system that was currently on the phone.

I had three options, to cry in the corner, wait for the update to be released or to try upgrade the phone manually. After a little research the update was said to be released within the “…first two weeks of July…” but there was no exact date and I just couldn’t wait.

After more research it turns out that you can use a free app called Preview for Developers which allows you to basically get the update there and then instead of having to wait.

Upgrading Windows Phone 8.0 to 8.1

Below you’ll find a guide on how to upgrade the Windows Phone operating system. Please note that any changes you do here are irreversible and this will no doubt void your warranty.

  • First things first we need to create a free account with Microsoft’s App Studio using the link found here as this will give you access to the developer previews service and give you the magical updates – I used my main Microsoft account that’s linked to the phone to keep things simple
  • Once you’ve created the account go to Microsoft Store on the phone, search Preview for Developers and install the app
  • Once the app has installed launch it and you will be asked to accept the terms and conditions and login using the account details created previously
  • Next you’ll see information about what the app does and so on, all we need to do here is tick the box next to Enable Preview for Developers and press done
  • Now that’s enabled head to Settings > phone update and press check now and then follow the on screen instructions – You may need to repeat this process several times as it took me two updates to prepare the phone before the update to Windows 8.1 was offered
  • After a little while you will now be running Windows 8.1! – You can check this by viewing Settings > about > more information under the OS version heading

Notes

  • Make sure your phone is fully charged before attempting any updates as things could seriously go wrong otherwise!
  • As with anything in development stages things may be a little buggy so be aware that you may stumble across the odd glitch every now and again
  • Although not tested I assume the same steps will work for phones other than the Nokia Lumia 520, if you can confirm this I’d be grateful

A Sticky Problem with Glue Records and 1&1 Internet

Recently I had a tidy up with my hosting infrastructure which involved moving a slave DNS server from one IP address to another. The easy part was setting up the server and changing the existing DNS A record to point to the new IP address, the fun started when it came to updating the Glue record held with 1&1.

If you weren’t already aware a Glue record is something set by the domain registrar (1&1 in this case) that points directly to the server where the domains DNS records are kept. This makes it possible  to have domain names with nameservers that are a subdomain of itself, for example nerdkey.co.uk could point to ns1.nerdkey.co.uk and ns2.nerdkey.co.uk.

The last time I’d update Glue records with 1&1 was a good few years ago, but it was a simple case of logging into the control panel, searching for the domain and then heading to the record for subdomain, hitting an edit button and then changing the existing A record IP address for a new one but it wasn’t that easy this time round.

After a little trial and error and a lot of head scratching it seems that since they rolled out their new control panel it just isn’t possible anymore to set or update Glue records – you could see the records don’t get me wrong, just not update them. Not to worry though, their technical support team will be able to update the records, right? WRONG! I emailed them several times, making things as clear as possible whilst at the same time thinking that their support advisers would be savvy enough to understand terms used within the industry they work in, didn’t go too well.

In a nutshell, here is the correspondence between us:

  • [Me] – Outlined the domain, that I wanted Glue records updating and the exact subdomains and IP addresses
  • [Them] – Asked me to confirm if these changes has already been made as my website was working fine (not what I asked?)
  • [Me] – Sent a slightly reworded version of the first, again outlining the essential details and that it hadn’t been updated
  • [Them] – Confirmed that website was working fine again, asked me to clear my cache and reply with any error messages (did they even read the email?)
  • [Me] – Sent a similar email along the lings of the first and second stating that they are the domain registrar and this is something they need to do, again included essential details
  • [Me] – Emailed them to see if any updates available
  • [Them] – Replied asking me to confirm that I wanted the NS2 record updated as well (because the last emails didn’t state that?)
  • [Them] – Responded saying the nameservers may possibly need to be reverted back to them for this to work, but they used a special “tool” instead and said to wait up to 48 hours
  • [Them] – Replied this morning (after the domain was transferred and Glue set correctly with a different provider) saying that everything is now set correctly

Enough was enough, it got to a point where I’d given them over a weeks worth of my time and they’d done little more then send me a few standard responses and ask for confirmation which was already given. My last attempt to gain faith in them involved changing the nameservers back to them to see if it would work and allow me to set the records, it partly did – I managed to set the NS1-4 subdomains to the correct A records then updated the domains nameservers to another provider temporarily straight after to avoid any downtime and left it a few hours. I came back a few hours later and tried to set the nameservers back to ns1-4.koserver.co.uk but got an error message saying the nameservers weren’t registered and found out that the update to the temporary nameservers hadn’t taken affect, slowly grinding my entire hosting network to a halt – great!

I know I hadn’t waited the standard propagation times, but given the past experience and useless support and the fact that everything was slowly grinding to a halt, it was time to transfer. After research I’d narrowed things down to two providers – I wanted to give Name.com a try, but as their system for transferring in .UK’s wasn’t automated I abandoned that plan and went for NameCheap. Within an hour the domain was with them and Glue records were set through the control panel and things are slowly coming back online.

In all my years of website hosting I have never had such a catastrophic outage, aside from looking into a second domain to host nameservers all my domains with 1&1 will be transferred elsewhere.

So in summary, if you know what you’re doing don’t go with 1&1. You’ll be treated like an idiot and just wasting your time throwing emails back and forth with them. They don’t really read your emails and the fact they removed such a critical feature without telling anyone speaks volumes in my opinion, I mean they still have an old support article on how to set Glue records, obviously doesn’t work though. It is a shame, but that’s life.

 

pfSense on SonicWALL SRA 4200

By now if you haven’t already guessed, I like to tinker! Couple that with the fact I have a few saved sellers on eBay that keep me surround with EoL hardware and it quickly becomes a dangerous situation for my wallet.

My latest find is a pair of SonicWALL SRA 4200’s, my ultimate goal is to get pfSense installed and revive these beasts. As it stands the units both work as “Secure Remote Access” servers, they don’t include any licenses for the included OS, so are kinda useless, but normally they’d be dedicated VPN servers for massive companies with millions of employees that need to connect in and from remote locations.

I’ve only been playing with them for a couple of hours so far but I’ve managed to get pfSense installed. There are two issues at the moment which I’ve yet to resolve:

  1. There’s a driver issue with the network cards, so the setup wizard can’t detect any NIC’s and can’t continue
  2. By default it wants to boot off the internal CF card, so I have to manually keep changing it to boot of my USB flash drive – If you remove the CF card completely the unit doesn’t even attempt to boot, it beeps twice then powers off so there’s some sort of security mechanism in place

So how did I get this far?

Well it was fun! I started by trying to get console output to my ancient Dell laptop (which has an ACTUAL serial port,  woah!).

I bought a run of the mill RJ45 to DB9 cable but that didn’t work, so I had to get my soldering iron out and knock something up – See original diagram here or pictures below:

As you can see from above, whilst I did get output it was AFTER P.O.S.T. so in other words, it was output from the SonicWALL operating system and of no use to me.

Next I went to extremes and tried changing on the AMIBIOS chip for a spare I had floating around from the WatchGuards, not a lot happened so it was back to square one.

After that I went on a pin hunt and noticed “VGA” markings and then a set of 15 pins, I didn’t expect it to work but I hooked up a monitor and had output!

 

I couldn’t get into a “classic” BIOS screen, although here’s what I found through trial and error:

  • Mashing F5/F8 takes you to slightly different FreeDOS screens
  • Mashing F11 takes you to a familiar looking boot device menu screen

The unit is running Wind River’s VxWorks operating system, which looks pretty cool, although I had never heard of it until now.

I installed pfSense 2.3.5 (x86) by connecting a CD drive to one of the internal SATA headers, connected a 16GB Sandisk Flash Drive to one of the USB ports and then mashed F11 and selected the disk drive.

What followed was the familiar installation screens of pfSense – Notice how the colours keep changing, it was loose cables or artistic flare, I’ll let you decide!

What’s next?

Well, this was just a bit of fun but when I get chance I’ll look at sorting the network card drivers out and see if I can re-purpose the CF card, worst case I’ll move the USB drive inside the chassis and make the CF card the second boot device.

Encrypted AES VPN tunnel between pfSense 2.3 and Draytek 2830

For a long time now I’ve managed several VMware ESXi servers and for easy management I’ve created a local area network on each making backups, monitoring and the usual sysad tasks a breeze.

The icing on the cake is that I recently swapped from m0n0walll to pfSense and went about setting up a lan to lan VPN tunnel to my home network, so now I can access everything locally as if I was on the same network.

Home Network

My home network uses a Draytek 2830 connected to a Virgin Media Superhub. Unfortunatley the Draytek is getting on a little bit now and doesn’t have the processing power to deal with my 100mbit connection speed, so I’ve had to double NAT the network using the Superhub in router mode and then DMZ everything towards the Draytek.

This isn’t a bad thing though as all the “dumb” wireless devices (mobile phones, Roku’s, Nest thermostat, etc) connect direct to the Superhub whilst my home server and everything crucial connect via the Draytek. All in all I get 70mbit through the Draytek on average and there’s plenty of bandwidth left for the devices connected to the Superhub.

In the example below the home network subnet will be 192.168.100.x

Remote Network

The remote network is pretty simple, they are all setup the same apart from x is a different number based on the virtual host name – a pfSense machine sits at x.1 and deals with traffic to the local network.

In the example below the remote subnet will be 192.168.150.x

Important

  • Each local area network must be on a seperate subnet, otherwise things can quickly get messy and conflict!
  • Make sure you use a secure pre-shared key, anything above 32 characters will do nicely
  • The example details below are fake, replace them with your own details if you want this to work

Configuring pfSense

The guide below lists only the parts you need to change, if the option isn’t listed then leave it as is

Fairly straight forward, go to VPN > IPSec > Click Add P1

  • Enter the Remote Gateway as the WAN IP address of the Draytek (or the Superhub in my case)
  • Enter a brieft description in the Description box
  • If you are double NAT’d like me select Peer identifer as KeyID tag then enter the WAN2 address of Draytek else leave as Peer IP address
  • Enter your pre-shared key in the Pre-Shared Key box
  • Press Save

That’s your Phase 1 entry configured, now for Phase 2:

Go to VPN > IPSec > Click on Show Phase 2 Entries for Home

  • Enter Remote Network as the home network subnet – 192.168.100.0/24
  • Put a brief description in the Description box
  • Set PSF Key Group to 2
  • Press Save and then hit Apply Changes

Finally, we need to create a firewall rule to allow traffic to pass over the VPN:

  • Go to Firewall > Rules > IPSec and click Add
  • Change Protocol to any
  • Enter a brief description in the Description box
  • Press Save any hit Apply Changes

Configuring the Draytek

Now it is time to configure the Draytek – Go to VPN and Remote Access > LAN to LAN

For Common Settings:

  • Enter a Profile Name
  • Tick Enable this profile
  • Make sure Call Direction is set to Both

For Dial-Out Settings:

  • Set type of server to IPSec Tunnel
  • Enter the Remote WAN IP in the Server IP/Hostname for VPN box
  • Enter the pre-shared key set previously in the Pre-Shared Key box
  • For IPSec Security Method set it to High (ESP)AES with Authentication
  • Under Advanced set IKE phase 1 propsal to AES256_SHa1-G14 and IKE phase 2 proposal to AES256_SHA1 then press OK

For Dial-In Settings:

  • Set the Allowed Dial-In Type to IPSec Tunnel
  • Tick the box to Specify Remote VPN Gateway and enter the remote network WAN IP
  • Enter the pre-shared key set previously in the Pre-Shared Key box
  • For IPSec Security Method untick all apart from High (ESP) – AES

Under TCP/IP Netowrk Settings:

  • Set Remote Network IP as the remote network subnet – 192.168.150.0

Hit OK at the very bottom to save the profile, leave it a few seconds and it should connect. If it doesn’t connect automatically, head to the IPSec Status page in pfSense and hit Connect manually

Install EPEL Repository on CentOS 7 (x64)

The simple one line command below will enable the EPEL repository on CentOS 7

rpm -Uvh http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-2.noarch.rpm

Once ran you will see confirmation that it has been installed successfully, that’s it!

Notes

  • You can find out more about the EPEL repository here
  • If you don’t already have a server, I’d strongly recommend starting with DigitalOcean

Icecast PHP Stats

A recent project of mine called Coop Cam uses several live video streams served by an Icecast server at different mount points which works great, but I found there was no real solution to simply display how many viewers were actually watching the live streams.

I put together a basic PHP code that reads the Icecast XML stats file and retrieves the current overall viewers (or listeners as its officially known) of all available mount points.

Code

// get the stats xml file //
$output = file_get_contents('http://admin:[email protected]:8000/admin/stats');

// explode to make the magic happen //   
$listeners = explode('',$output);
$listeners = explode('',$listeners[1]);

// output to the world //
echo "Currently <b>$listeners[0]</b> people are watching the live stream!";

Once you have amended the admin password, server name and port the code above will then connect to your server and read the /admin/stats XML file. From here it will literally pick out the content shown between the <listeners></listeners> tags and that then becomes the $listeners[0] variable, simply place this wherever you want to display the amount of current viewers.

Notes

  • This code may or may not work depending on if your hosting provider allows the file_get_contents function – In my case I use my own dedicated servers and it works without issue, if you have any problems I’m sure I can sort something for you!
  • You can show the amount of sources, file connections and so on by amending the code to reflect the correct tags – A full list of tags can be seen by visiting the youricecastservername.com:8000/admin/stats page
  • You can find a live working example of this script here or actually see it in place here
  • Finally, you can download the script by clicking here