Encrypted AES VPN tunnel between pfSense 2.3 and Ubiquiti EdgeRouter Lite

I recently retired my Draytek 2830 following a serious security flaw I discovered (that’s another post, stay tuned!) and took the plunge with a rather impressive looking Ubiquiti EdgeRouter Lite.

The other option was a rack mountable TP-Link TL-ER6020 although the maximum NAT throughput was only 180Mbps and it only had 128MB  DDR2 memory and no clear CPU specs, also the web interface looked tired and very restricted. Pound for pound the EdgeRouter was cheaper and has a better spec of anywhere up to and over 600Mbps, 512MB DDR2 memory and Dual‑Core 500 MHz, although it wasn’t rack mountable it was a no brainer with its modern web interface, also did I mention it can process 1 million packets per second?

The EdgeRouter also appeals to my inner nerd  (you can no doubt tell) as you can program it via web interface, command line or console connection and you can remove features you don’t need to boost performance. For example, it may only have 3 gigabit ports, but you can do whatever you like with them! In my case I have it configured as 1 WAN port and the other 2 ports are linked to two seperate LAN’s. I will write a full review when I get chance, but for now just take my word that it is the best router I have ever owned.

Anyway, to business!

Home Network

As before with the Draytek guide my home network is still double NAT’d but there isn’t a speed issue anymore. I do plan to eventually run everything via the EdgeRouter but first I need to install a few additional access points (I’m thinking a couple of airGateway-LR’s hidden in roof spaces will do, powered by PoE obviously!).

In the example below the home network subnet will be 192.168.100.x
and WAN address will be 1.2.3.4

Remote Network

The remote network is the same as before too – a pfSense machine sits at x.1 and deals with traffic to the local network.

In the example below the remote subnet will be 192.168.150.x and WAN address will be 5.6.7.8

Important

  • Each local area network must be on a seperate subnet, otherwise things can quickly get messy and conflict!
  • Make sure you use a secure pre-shared key, anything above 32 characters will do nicely and under no circumstances use the example key!
  • The example details below are fake, replace them with your own details if you want this to work

Configuring pfSense

The guide below lists only the parts you need to change, if the option isn’t listed then leave it as is. Anything to do with double NATing is in red, ignore this if your router is WAN facing.

Fairly straight forward, go to VPN > IPSec > Click Add P1

  • Enter the Remote Gateway as the WAN IP address of the EdgeRouter (or the Superhub in my case) 1.2.3.4
  • Enter a brieft description in the Description box – VPN to pfSense LAN
  • Select Peer identifer as KeyID tag then enter the WAN address of EdgeRouter (192.168.100.1) else leave as Peer IP address
  • Enter your pre-shared key in the Pre-Shared Key box – testing123
  • Set the DH Group to 14
  • Press Save

That’s your Phase 1 entry configured, now for Phase 2:

Go to VPN > IPSec > Click on Show Phase 2 Entries for Home

  • Enter Remote Network as the home network subnet – 192.168.100.0/24
  • Put a brief description in the Description box – Home
  • Set PSF Key Group to 14
  • Press Save and then hit Apply Changes

Finally, we need to create a firewall rule to allow traffic to pass over the VPN:

  • Go to Firewall > Rules > IPSec and click Add
  • Change Protocol to any
  • Enter a brief description in the Description box – Allow VPN Traffic
  • Press Save any hit Apply Changes

Configuring the EdgeRouter

First of all make sure you are running the latest firmware otherwise options may be missing and this may not go smoothly! Currently (March 2017) I’m running EdgeRouter Lite v1.9.1.

Configuring the EdgeRouter is pretty straight forward, you don’t need to do anything via command line or console (unless you really want to, knock yourself out!) – Go to VPN > IPSec Site-to-Site

  • First tick the box Show advanced options to show the encryption options
  • Under Global Options leave Automatically open firewall and exclude from NAT unless you want greater control over who can connect in
  • Under Site-to-site peers enter the Peer as the home WAN address – 5.6.7.8
  • Put a brief description in the Description box – Remote
  • In local IP enter any
  • For Encryption set AES-256
  • In Pre-shared secret enter the key set previously – testing123
  • Enter the Local subnet as 192.168.100.0/24
  • Enter the Remote subnet as 192.168.150.0/24

All being well you should end up with something like below:

Once everything is saved, head over to the pfSense IPSec Status page and hit connect if it hasn’t already established and  there you have it!

At this point you may be asking why did you uncheck the option to Automatically open firewall…, this is because I like to have greater control over what IP addresses are allowed access to my network.

To substitute this option I created a rule in the NAT section translating UDP port 4500 to the routers local IP address (192.168.100.1). In turn I set the Src Address Group of this rule to a list of predefined IP addresses, thus only allowing access to my networks and blocking the rest of the world.

 

 

 

Connect Directly to SunLuxy Camera Streams

For a while now I’ve used a cheap SunLuxy H.264 DVR as the heart of the CoopCam project and initially couldn’t get a direct link to the camera stream so had to screen captured the bog standard web interface using VLC and break the feed down into separate streams but recently after a fair bit of trial and error I discovered a much easier solution!

I had researched on and off for months, went through masses of trial and error with various software and ultimately found no solution but after being inspired again I headed to the DVR’s web interface to start from scratch. I stumbled across source code in a file called /js/view2.js that constructs an RTMP:// address to show live camera feeds through the web interfaces flash player – See snippet of code below:

dvr_viewer.ConnectRTMP(index, "rtmp://" + location.host, "ch" + index + "_" + (dvr_type=="main"?"0":"1") + ".264");

After removing the jargon the link came out as rtmp://dvraddress:port/ch#_#.264 with the first number being the channel you want to connect to (starting at 0) and the second being the stream (substream being 1 and main being 0)

I headed to VLC player, selected Open Network Stream and entered the following:

rtmp://192.168.0.100:81/ch0_0.264

Broken down you can see my DVR is on the local network as 192.168.0.100 at port 81  and that I wanted to view channel 1’s main stream, low and behold after a few seconds the camera started to play!

Notes

  • To convert the stream to something more useful you could use rtmpdump and ffmpeg on Linux systems – I’ll write another guide about that shortly
  • If you do something wrong and overload the DVR then you’ll hear a beep as the box reboots
  • If this works for you please comment your DVR make and model

Incoming search terms:

  • sunluxy stream
  • sunluxy vlc

Enable SSH on LinkStation Stock Firmware

Enabling SSH on the LinkStation is simpler than you might think and opens up a world of functionality (and nerdyness) that you never had before – All this with no firmware flashing which ultimately means no data loss and no risk of bricking your box.

My motivation to enable SSH came about when my older LinkStation (a 500GB HS-DHGL) was doing a Disk Backup to my newer one (a 2TB LS-WXL) and it just seemed to be taking forever. It turned out the backup had hung part way through and the only official way to fix this problem as listed on Buffalo’s support website was to reset the box back to factory settings – That’s a bit ridiculous in my opinion but there is a work around, see this post here for more information on how to unstick a backup.

The activation process is done by a program called ACP Commander which is a command line tool that can be a little confusing to work at times with its lack of user friendly interface (if you search for this online you’ll see what I mean) however by chance I came across a reworked version that has a decent interface and is fairly easy to use.

Enabling SSH

The following guide will assume that you are on the same network as your LinkStation and are able to access it freely as you normally would day-to-day,  also if you want to keep your warranty with Buffalo do not continue!

  • Download ACP Commander GUI for Windows (.EXE file)
  • Run your newly downloaded file and you should see a screen similar to the one below:
    lsunlock-1
  • Select your LinkStation IP address from where it says Select LinkStation, then enter your password where it says Admin password and press Enable SSH
  • After a couple of seconds you will be shown a SSH enabled OK! message as seen below:
    lsunlock-2
  • The next step is to set your root password for SSH, click Set root PW, type in a password and then press OK and you will see another message like the one below:
    lsunlock-4
  • Now head to your favourite SSH software and connect to your box! If all is well you will see something similar to this:
    lsunlock-5
  • That’s all you need to do to enable SSH!

Notes

  • This method is proven to work on both Windows and Mac for the following models/firmware: LS-WXL/v1.68, HS-DHGL/v2.11, LS-QVL/v1.64
  • Common out of the box commands include: top – process viewer, vi – text editor, cp – copy files, mv – move files
  • Mine and my friends newer LinkStations had HTOP installed – Epic!
  • Enabling SSH will no doubt void your warranty with Buffalo but who needs that anyway?!
  • I didn’t create the program recommended and take no credit for it
  • Finally, if you could let me know if you encounter any problems or can confirm if this works for other models I’d be grateful
  • Thanks to Callum for confirming this works on the LS-QVL and Michael for confirming this works on the TS-X/R5 with version 1.66 firmware

Incoming search terms:

  • ACP Commander for buffalo terastation
  • buffalo firmware 1 73 password
  • buffalo linkstation ssh
  • buffalo ls-xl root
  • buffalo ssh root
  • enabling remote SSH access for tera station

Upgrade Windows Phone 8.0 to 8.1 Before Main Release Using Developer Preview

Recently I lost my smartphone and after lots of searching decided to give up and buy a new phone. As I only really use my phone for checking emails, a little remote desktop access and the odd bit of mobile banking I didn’t need anything overkill and I fancied a change from Android so I went for a Windows based Nokia Lumia 520.

The Lumia 520 can be picked up for £69.00 on O2 pay as you go (as of 01/07/2014, see here) but I paid a little extra and got mine the same day. I was initially blown away by the Windows Phone operating system as it was better than expected and I couldn’t find any flaws. I’d setup my email, installed the mobile banking app and so on which lead me to my final task which was to install the Remote Desktop app. You’d think this would be a straight forward task installing a Microsoft product on something Microsoft powered but no, when heading to the Microsoft Store on the phone the Remote Desktop app wasn’t showing so I searched the Microsoft Store online and it came up saying that it wasn’t compatible with the Windows Phone 8.0 operating system that was currently on the phone.

I had three options, to cry in the corner, wait for the update to be released or to try upgrade the phone manually. After a little research the update was said to be released within the “…first two weeks of July…” but there was no exact date and I just couldn’t wait.

After more research it turns out that you can use a free app called Preview for Developers which allows you to basically get the update there and then instead of having to wait.

Upgrading Windows Phone 8.0 to 8.1

Below you’ll find a guide on how to upgrade the Windows Phone operating system. Please note that any changes you do here are irreversible and this will no doubt void your warranty.

  • First things first we need to create a free account with Microsoft’s App Studio using the link found here as this will give you access to the developer previews service and give you the magical updates – I used my main Microsoft account that’s linked to the phone to keep things simple
  • Once you’ve created the account go to Microsoft Store on the phone, search Preview for Developers and install the app
  • Once the app has installed launch it and you will be asked to accept the terms and conditions and login using the account details created previously
  • Next you’ll see information about what the app does and so on, all we need to do here is tick the box next to Enable Preview for Developers and press done
  • Now that’s enabled head to Settings > phone update and press check now and then follow the on screen instructions – You may need to repeat this process several times as it took me two updates to prepare the phone before the update to Windows 8.1 was offered
  • After a little while you will now be running Windows 8.1! – You can check this by viewing Settings > about > more information under the OS version heading

Notes

  • Make sure your phone is fully charged before attempting any updates as things could seriously go wrong otherwise!
  • As with anything in development stages things may be a little buggy so be aware that you may stumble across the odd glitch every now and again
  • Although not tested I assume the same steps will work for phones other than the Nokia Lumia 520, if you can confirm this I’d be grateful

Incoming search terms:

  • how to upgert windows phone 8 0 to8 1
  • upgrade 520 from 8 0 to 8 1
  • windows 8 1 product upgrade key for lumia 520

Remove Adverts from All 4 Roku App

Disclaimer

This post is for educational purposes only, it briefly describes a technique for removing the adverts from Channel 4’s on demand service. I won’t be providing any working examples and won’t be held liable whatever the outcome if you try this, this was just setup as a test one afternoon and then destroyed shortly after. Do so at your own risk.

Why even bother?

Now I love TV but I always end up forgetting and then having to catch up later using on demand services via my NowTV box, some services are great – like the BBC iPlayer – where as others – 4OD or All 4 – lack basic features like being able to resume where you left off without having to sit through the ads again.

This got me thinking, is it possible to get around the ads? Picture this… you are watching an hour long programme on your Roku (or NowTV) box, you have 10 minutes to go and you have to nip out. You come back hoping to pick up where you left off.. but oh no, something happened and now you have to watch from the begining OR fast forward until you get to an ad break, watch the ads, then fast forward again… its not good right? This has happened to me many a time!

A quick Google suggested this is not possible, but that wasn’t good enough for me.

How did you get it to work?

It took a bit of nerdy know how, a decent router and a publicly accessible Linux box.

Decent router – I was using a NowTV (watered down Roku) box, these don’t have the option to manually specify the DNS server addresses so you have to set the DNS servers in my router

Linux box – I used a CentOS 7 box running BIND and Apache, BIND responded to the DNS requests aiming everything at the Apache server

The basic idea is to redirect any requests to ‘known advertiser servers’ to your own server which is returning a single pixel instead of the advertisers video, and it did work really well:

As you can see above the same programme has ads and one does not. This method also removes the ad cue points so you are literally just served with the entire video – cool, huh?

Notes

  • This was just a test, please don’t lecture me about the importance of advertising and the revenue it generates
  • I only tested it with the Roku app, although I think it would have worked for the Xbox app too
  • I guess the same tecnique could be used to create a ‘super’ ad blocker that works with more than just on demand services

Incoming search terms:

  • all 4 without adverts

Virtualmin GPL on CentOS 5.8

Update: 08/03/2017: The following guide was originally written many moons ago for installing the Virtualmin GPL (free) control panel on CentOS 5.8 x86, however it will work exactly the same on the current version of CentOS (7.0).

The following guide will assume you are logged into your CentOS machine via command line, ready to enter the following commands.

First you will want select a temporary directory to Virtualmin installation file to. We will only use the downloaded file once so it’s pointless keeping it, so to free up space and put it in /tmp!

cd /tmp

Download the Virtualmin GPL installer:

wget http://software.virtualmin.com/gpl/scripts/install.sh

Run the installer:

sh install.sh

The installer will then launch and prompt you to approve if you’d like to proceed. Simply type “y” and press enter and the installation process will begin.

After a short while you will see a message saying the installation has been completed. You will then be able to login to installation of Virtualmin by heading to https://hostname-or-ipaddress:10000 using the root username and password.

Once logged in you will then be guided through a final configuration process, once completed the installation will be complete and ready for use. Another guide will be written soon to explain how to configure Virtualmin.

Notes

  • If you don’t already have a server to try this on check out DigitalOcean, they offer reliable good spec servers starting from $5 a month
  • Depending on your CentOS installation you may get an error message about the Perl package being missing. To resolve this run the following command in terminal and then relaunch the installer:
    • yum install perl -y

Incoming search terms:

  • InstallArchives|NerdKey

Sunluxy H.624 DVR Factory Reset

I had previously purchased two Sunluxy DVR’s for various projects (see CoopCam.co.uk to find out more) and was impressed with how easy they were get up and running, it was literally a straight forward task of fitting a hard drive and then setting and forgetting… literally… setting the admin password and then forgetting it.

Not to worry though, the user manual will have some helpful tips on what to do? Wrong! Poor translation meant the manual ended up in the bin, never mind the Internet will be able to help surely… maybe not. After much research I thought my box was going to end up living with the user manual in the bin but then I turned to good old fashioned trial and error as a last resort.

Factory Resetting the DVR

So lets get to the juicy bit! For the steps below you will need to be near your Sunluxy DVR but before you continue please be aware that this process will not only reset the admin password, it will also remove any settings entered previously such as network configuration, recording preferences and so on. The hard drive and all existing data will be left untouched.

  • First things first switch off your DVR. In my case there was a power switch on the back that I flicked, so far so good!
  • The next step is to hold the Back button (the one that lets you flick back to the previous menus – labelled with a back arrow, sometimes also labelled ESC) whilst switching the DVR back on, the button can be seen circled in the image below:

sunluxy_password_reset

  • After a short delay you will see that all lights apart from the power light go out and hear a beep, this means the DVR has reset itself  and will automatically restart so release the Back button and you will see the DVR begin to boot as normal
  • Once everything has loaded you will then be able to login to your DVR using the default username of admin and leaving the password field blank

Notes

  • In this example we used a Sunluxy branded DVR, however this process (or something very similar) should work with most generic H.624 DVR’s as well
  • The steps above assume your monitor is connected via the VGA connection, as Chris suggested in the comments below, try using the BNC connection if you have trouble with menus not showing
  • Finally, if you could let me know if you run into any problems or if the process works on other brands or models I’d be grateful

Incoming search terms:

  • h 264 dvr password reset null
  • how to reset h 264 dvr
  • reset password dvr h 264
  • h 264 network dvr admin password reset
  • sunluxy cloud
  • sunluxy password
  • factory password and username for sunluxy cctv
  • sunluxy dvr 7104
  • sunluxy dvr factory reset
  • sunluxy h 264 password reset