Chris News https://blog.chrisnew.de/ Tech, coffee and stuff Sun, 04 Jul 2021 10:21:44 +0000

Frankfurt, 2021 https://blog.chrisnew.de/2021/07/frankfurt-2021/ Sun, 04 Jul 2021 09:34:02 +0000

Copy a MySQL table https://blog.chrisnew.de/2021/03/copy-a-mysql-table/ Tue, 02 Mar 2021 10:32:33 +0000

Not using this all too often, so here it is for me and everyone:

create table my_new_table like my_old_table;
insert into my_new_table select * from my_old_table;

An easy way to make a quick backup.

Increase VM storage on-line https://blog.chrisnew.de/2020/07/increase-vm-storage-on-line/ Fri, 31 Jul 2020 09:01:49 +0000

Grow the guest disk from 300 G to 400 G on the same host storage, using LVM on GPT inside the VM.

Host:

lvextend -L +100G /dev/mapper/guests--lolguest
virsh qemu-monitor-command lolguest info block --hmp
virsh qemu-monitor-command lolguest block_resize drive-virtio-disk0 400G --hmp

VM:

sgdisk -e /dev/vda
gdisk /dev/vda # <-- create partition 5
partprobe /dev/vda
pvcreate /dev/vda5
vgextend ubuntu-vg /dev/vda5
lvextend -l +100%FREE /dev/ubuntu-vg/ubuntu-lv
resize2fs /dev/mapper/ubuntu--vg-ubuntu--lv

Always watch out for paths, partition numbers and names!

How to get IP addresses? https://blog.chrisnew.de/2020/07/how-to-get-ip-addresses/ Sat, 18 Jul 2020 12:24:57 +0000

This article explains how to get your own IP addresses and why you might want them. I try to make it as information dense as possible.

You might ask yourself: “Don’t I get an IP address when I click a virtual server?”

That’s true, you will get an IP address, but that’s just one and it has been assigned by your hosting provider or ISP. This article will cover IP address ranges (a.k.a. netblocks or IP subnets).

So where does my ISP get their IP addresses from?

They are not chosen arbitrarily; they have been allocated by a regional Internet registry (RIR for short) such as ARIN, RIPE NCC, APNIC, LACNIC or AFRINIC.

These organizations manage the allocations they received from the IANA. RIRs are usually run as non-profit associations that anyone can join.

What’s the difference between the IP address I get from my ISP and such an allocation?

That one single IP address is not portable. You cannot just use it somewhere else. Your hosting provider may allow you to re-use one IP with a different service within their own umbrella (AWS and their Elastic IP addresses, for example), but you can never use, for instance, an AWS Elastic IP in Google Cloud.

The IP addresses allocated to you by an RIR are considered portable in the sense that you decide where they are used. However, portable is also a distinct keyword within RIR terminology. We will discuss this later.

Okay, got it. Can I get my IP address from an RIR now?

No. At least you won’t get just one IP address. You’ll get an allocation of at least a /24 for IPv4 and a /48 for IPv6, because these prefix sizes are the absolute minimum accepted within the default-free zone.

Alright, give me a /24 and/or a /48 then!

I’ll explain the process for the RIPE NCC which serves the RIPE region.

A long time ago it was possible to get so-called portable assignments, sometimes called portable address space. At RIPE these are called ASSIGNED PI, which stands for provider independent assignments. They are meant for end users who do not want to become a member of the RIPE NCC, which translates into saving actual money: an assignment is usually 50 EUR per year, while a full membership costs around 1,400 EUR a year.

This PI space is meant to be assigned directly to an end user (you) and should never be aggregated by an ISP. That is the portable keyword in RIR terminology.

It is no longer possible to obtain an ASSIGNED PI assignment for IPv4 first hand: when the RIPE NCC started allocating from the final /8 it received from the IANA, it stopped assigning portable IPv4 address space.

It is still possible to obtain an ASSIGNED PI assignment for IPv6, though.

Okay, why is not everyone using that portable address space then?

The policy states that you must not use that address space for your customers. It is meant for your own Internet connection, which you use within your organization.

Becoming an LIR lets you manage your allocated address space more flexibly, and you get much more address space, although that applies only to IPv6. For IPv4 you will be placed on a waiting list and will only get a /24.

Got it! But why do I need that now?

As hinted earlier, it is possible to use your address space with any ISP, at least in theory. More and more hosting providers allow you to bring your own IP address space.

Besides the portability aspect, there is more to it:

  • You can build highly available failover for your services and/or Internet connection with multiple upstreams. That’s called multihoming.
  • You can take your servers or deployments and migrate them to another hoster without having to renumber all services. You take your address space with you.
  • You can decide who receives abuse emails. That’s relevant when you run services such as Tor exit nodes, VPN exit nodes and email services.

Okay, hook me up. I want it!

You need a hosting service provider which actually supports that. I can fully recommend the following ones:

  • Vultr
    • You don’t need an ASN. IP space is sufficient.
    • Offering starts at 3.50 USD a month.
    • You can pay hourly.
  • vServer.site
    • You will need an ASN.
    • Offering starts at 10 EUR a month.
    • Highly capable customer support.

Secondly, you’ll need address space. But my company got you covered here. We provide Internet resources as a starter kit.

Wake on LAN? Wake on WAN! https://blog.chrisnew.de/2020/06/wake-on-lan-wake-on-wan/ Sat, 20 Jun 2020 23:36:34 +0000

I have a couple of small computers lying around which serve as development systems and lab environments. They are not running 24/7, and since I travel a lot I am not always near them. Let me show you what Wake on LAN (WOL) is and how you can turn it into Wake on WAN over IPv6.

What’s Wake on LAN?

Wake on LAN is a pretty old mechanism which allows computers to be turned on over your LAN. The network card stays in standby, listening for packets containing a “magic” sequence: six bytes of 0xFF followed by the target MAC address repeated 16 times.

Let’s assume your target MAC address is 00:11:22:33:44:55, that magic sequence would be this:

00000000: ffff ffff ffff 0011 2233 4455 0011 2233
00000010: 4455 0011 2233 4455 0011 2233 4455 0011
00000020: 2233 4455 0011 2233 4455 0011 2233 4455
00000030: 0011 2233 4455 0011 2233 4455 0011 2233
00000040: 4455 0011 2233 4455 0011 2233 4455 0011
00000050: 2233 4455 0011 2233 4455 0011 2233 4455
00000060: 0011 2233 4455

That magic sequence is easy to scan for while the computer is actually turned off. A full-blown IP stack is not required, but can be used as the transport. Most WOL clients rely on that and simply send a UDP packet to port 9 (“discard”) at the broadcast address.
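As an added example (not code from the original post or from the wakeonlan tool), the following Python builds the 102-byte magic packet, validates one strictly, strips the IPv4 and UDP headers from a captured datagram, and checks both against the two hex dumps shown in this post. The two dump strings are copied from the post; the function and constant names are my own.

```python
# Added example, not code from the original post: build, validate and send a
# Wake on LAN magic packet, and check the result against the post's hex dumps.
import socket
from typing import Optional, Tuple

MAGIC_HEADER = b"\xff" * 6                       # six 0xFF bytes
MAC_REPEATS = 16                                 # then the target MAC, 16 times
MAGIC_LEN = len(MAGIC_HEADER) + MAC_REPEATS * 6  # 6 + 96 = 102 bytes
WOL_PORT = 9                                     # UDP "discard"


def parse_mac(text: str) -> bytes:
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 001122334455."""
    digits = text.replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {text!r}")
    return bytes.fromhex(digits)


def build_magic_packet(mac: str) -> bytes:
    return MAGIC_HEADER + parse_mac(mac) * MAC_REPEATS


def parse_magic_packet(payload: bytes) -> Optional[str]:
    """Return the target MAC if payload is a well-formed magic packet, else None.
    Strict check: exact length, 0xFF header and all 16 MAC copies identical."""
    if len(payload) != MAGIC_LEN or payload[:6] != MAGIC_HEADER:
        return None
    mac = payload[6:12]
    if payload[6:] != mac * MAC_REPEATS:
        return None
    return ":".join(f"{b:02x}" for b in mac)


def hexdump_to_bytes(dump: str) -> bytes:
    """Parse xxd / tcpdump -x style lines of the form '<offset>: xxxx xxxx ...'."""
    words = []
    for line in dump.splitlines():
        tokens = line.split()
        if tokens and tokens[0].endswith(":"):
            words.extend(tokens[1:])
    return bytes.fromhex("".join(words))


def ipv4_udp_payload(packet: bytes) -> Tuple[int, bytes]:
    """Strip the IPv4 and UDP headers of a captured datagram: (dst port, payload)."""
    if packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4                 # IP header length in bytes
    if packet[9] != 17:
        raise ValueError("not UDP")
    udp = packet[ihl:ihl + 8]
    dst_port = int.from_bytes(udp[2:4], "big")
    udp_len = int.from_bytes(udp[4:6], "big")    # UDP header + payload
    return dst_port, packet[ihl + 8:ihl + udp_len]


def send_magic_packet(mac: str, target: str, port: int = WOL_PORT) -> int:
    """Send to an IPv4 broadcast address or an IPv6 address; a scope id such as
    ff02::1%eth0 is resolved by getaddrinfo. Returns the number of bytes sent."""
    family, socktype, proto, _, sockaddr = socket.getaddrinfo(
        target, port, socket.AF_UNSPEC, socket.SOCK_DGRAM)[0]
    with socket.socket(family, socktype, proto) as sock:
        if family == socket.AF_INET:
            sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return sock.sendto(build_magic_packet(mac), sockaddr)


# The magic sequence for 00:11:22:33:44:55, copied from the post's xxd output.
POST_MAGIC_DUMP = """
00000000: ffff ffff ffff 0011 2233 4455 0011 2233
00000010: 4455 0011 2233 4455 0011 2233 4455 0011
00000020: 2233 4455 0011 2233 4455 0011 2233 4455
00000030: 0011 2233 4455 0011 2233 4455 0011 2233
00000040: 4455 0011 2233 4455 0011 2233 4455 0011
00000050: 2233 4455 0011 2233 4455 0011 2233 4455
00000060: 0011 2233 4455
"""

# The on-the-wire capture from the post (tcpdump -x): IPv4 + UDP headers + payload.
POST_CAPTURE = """
0x0000:  4500 0082 cd66 4000 4011 8686 c0a8 b22d
0x0010:  c0a8 b2ff 9880 0009 006e e6fd ffff ffff
0x0020:  ffff 0011 2233 4455 0011 2233 4455 0011
0x0030:  2233 4455 0011 2233 4455 0011 2233 4455
0x0040:  0011 2233 4455 0011 2233 4455 0011 2233
0x0050:  4455 0011 2233 4455 0011 2233 4455 0011
0x0060:  2233 4455 0011 2233 4455 0011 2233 4455
0x0070:  0011 2233 4455 0011 2233 4455 0011 2233
0x0080:  4455
"""

if __name__ == "__main__":
    port, payload = ipv4_udp_payload(hexdump_to_bytes(POST_CAPTURE))
    print(port, parse_magic_packet(payload))   # 9 00:11:22:33:44:55
    # send_magic_packet("00:11:22:33:44:55", "192.168.178.255")  # on a real LAN
```

The parser is deliberately strict (exact length, all 16 copies identical) so it can double as a sanity filter for anything arriving on port 9; a NIC's own matcher is typically more lenient, which is one more reason to restrict who may reach that port at all.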

Example: Wake on LAN

As mentioned, NICs in this state do not implement a full IP stack: they will not request an address via DHCP and they do not answer ARP. To work around that, WOL packets are sent to the directed or limited broadcast address, which forces the sender’s system to emit a broadcast frame into the target layer 2 domain.

Sending a WOL packet using wakeonlan:

[~] wakeonlan -i 192.168.178.255 00:11:22:33:44:55 
Sending magic packet to 192.168.178.255:9 with 00:11:22:33:44:55

Looks like this on the wire:

00:54:29.120604 dc:71:96:XX:XX:XX > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 144: 192.168.178.45.39040 > 192.168.178.255.9: UDP, length 102
	0x0000:  4500 0082 cd66 4000 4011 8686 c0a8 b22d
	0x0010:  c0a8 b2ff 9880 0009 006e e6fd ffff ffff
	0x0020:  ffff 0011 2233 4455 0011 2233 4455 0011
	0x0030:  2233 4455 0011 2233 4455 0011 2233 4455
	0x0040:  0011 2233 4455 0011 2233 4455 0011 2233
	0x0050:  4455 0011 2233 4455 0011 2233 4455 0011
	0x0060:  2233 4455 0011 2233 4455 0011 2233 4455
	0x0070:  0011 2233 4455 0011 2233 4455 0011 2233
	0x0080:  4455

Going WAN

Going WAN is quite similar to that. Just use public IPv4 and you got it. The end.

Oh, you don’t have a publicly routed IPv4 network for your internal hosts? Only one public IPv4 address? Well, add some DNAT to your SNAT, also known as port forwarding. That should work. But I don’t cover this in my tinkering, since IPv4 is considered deprecated.

Going WAN via IPv6

It’s all easy and fun when you invoke wakeonlan within your LAN using IPv4. Unfortunately the real challenge begins when you want to use IPv6 instead, like I do with IPv6-only networks.

[~] wakeonlan -i ff02::1 00:11:22:33:44:55
Can't call method "addr" on an undefined value at /usr/bin/wakeonlan line 117.

Turns out that wakeonlan does not support IPv6 at all. Anyway, that’s an easy fix which I proposed upstream already.

Now with proper IPv6 support, we can send Wake on LAN packets to proper IPv6 multicast addresses. No need to configure IPv4 anymore.

[~] wakeonlan -i ff02::1%wlp2s0 00:11:22:33:44:55
Sending magic packet to ff02::1%wlp2s0 on port 9 with payload 00:11:22:33:44:55

We are still on LAN level though, and IPv6 has no concept of directed broadcast addresses. In fact, IPv6 has no broadcast at all.

But we can use a trick on our router with ip neighbor: “assign” an IPv6 address to the broadcast MAC address, making it a de facto directed broadcast address:

root@router:~# ip neighbor add 2001:db8::fdff:ffff:feff:ffff dev eth0 lladdr ff:ff:ff:ff:ff:ff nud permanent

I chose a host identifier that resembles the EUI-64 form of the broadcast MAC address. You may choose whatever you like, though.

By the way, don’t forget to put that command somewhere where it is executed every time your router boots. You should also firewall it, allowing only port 9 and/or only your trusted source networks.
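To show where the fdff:ffff:feff:ffff host identifier comes from and what the firewall advice above amounts to, here is an added Python example (not code from the post). It derives the modified EUI-64 interface identifier from a MAC, composes the neighbor entry from the post, and models an accept decision for incoming datagrams. The trusted network 2001:db8:1::/48 is a constructed value, chosen so that the sender seen in the post’s tcpdump (2001:db8:1::1) falls inside it.

```python
# Added example, not code from the original post: EUI-64 derivation of the
# "directed broadcast" address and a model of the suggested firewall policy.
import ipaddress
from typing import Iterable, Set

WOL_PORT = 9
MAGIC_LEN = 102        # 6 x 0xFF + 16 x 6-byte MAC


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 from a 48-bit MAC: split it in the middle, insert ff:fe
    and flip the universal/local bit (bit 1 of the first octet)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"bad MAC address: {mac!r}")
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return int.from_bytes(eui, "big")


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the interface identifier derived from mac."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def ip_neighbor_command(prefix: str, dev: str, mac: str = "ff:ff:ff:ff:ff:ff") -> str:
    """The static neighbor entry from the post, derived instead of typed by hand."""
    return (f"ip neighbor add {eui64_address(prefix, mac)} dev {dev} "
            f"lladdr {mac} nud permanent")


def accept_wol(src_ip: str, dst_ip: str, dst_port: int, payload_len: int,
               trusted_sources: Iterable[ipaddress.IPv6Network],
               wol_targets: Set[ipaddress.IPv6Address]) -> bool:
    """Policy as suggested in the post: accept only datagrams to port 9 at one of
    our neighbor-entry addresses, sized like a magic packet, from a trusted net."""
    if dst_port != WOL_PORT or payload_len != MAGIC_LEN:
        return False
    if ipaddress.ip_address(dst_ip) not in wol_targets:
        return False
    src = ipaddress.ip_address(src_ip)
    return any(src in net for net in trusted_sources)


# Constructed policy: the post's router prefix, and as trusted source the /48
# containing the sender shown in the post's tcpdump (2001:db8:1::1).
ROUTER_PREFIX = "2001:db8::/64"
TRUSTED = [ipaddress.IPv6Network("2001:db8:1::/48")]
TARGETS = {eui64_address(ROUTER_PREFIX, "ff:ff:ff:ff:ff:ff")}

if __name__ == "__main__":
    print(ip_neighbor_command(ROUTER_PREFIX, "eth0"))
    print(accept_wol("2001:db8:1::1", str(next(iter(TARGETS))), 9, 102, TRUSTED, TARGETS))
```

Since the neighbor entry turns one global address into a frame that every host on the segment receives, the decision function checks destination, port, size and source together; a rule that only matches port 9 still lets anyone on the Internet broadcast into that LAN.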

Anyway, using that trick we can finally send a UDP packet across the world to turn on our target computer:

[~] wakeonlan -i 2001:db8::fdff:ffff:feff:ffff 00:11:22:33:44:55
Sending magic packet to 2001:db8::fdff:ffff:feff:ffff on port 9 with payload 00:11:22:33:44:55

And we can see on the router, the packet has reached the broadcast destination:

root@router:~# tcpdump -i eth0 -n -e -x 'port 9'
[…]
23:17:34.083047 74:83:c2:XX:XX:XX > ff:ff:ff:ff:ff:ff, ethertype IPv6 (0x86dd), length 164: 2001:db8:1::1.39810 > 2001:db8::fdff:ffff:feff:ffff.9: UDP, length 102
[…]
	0x0020:  fdff ffff feff ffff 9b82 0009 006e dfd2
	0x0030:  ffff ffff ffff 0011 2233 4455 0011 2233
	0x0040:  4455 0011 2233 4455 0011 2233 4455 0011
	0x0050:  2233 4455 0011 2233 4455 0011 2233 4455
	0x0060:  0011 2233 4455 0011 2233 4455 0011 2233
	0x0070:  4455 0011 2233 4455 0011 2233 4455 0011
	0x0080:  2233 4455 0011 2233 4455 0011 2233 4455
	0x0090:  0011 2233 4455

Finally, no need for IPv4 addresses anymore to do some Wake on LAN and it has even become Wake on WAN. 🙂

Wake on WAN goes mobile

I can fully recommend Wake On Lan by Mike Webb as a mobile WOL client. It supports IPv6, hostnames and a lot more cool stuff!

Subsetting CRXN into the real Internet https://blog.chrisnew.de/2020/06/subsetting-crxn-into-the-real-internet/ Sun, 31 May 2020 22:31:57 +0000

Recently I looked into deavmi’s project named CRXN, where he leverages yggdrasil’s peer-to-peer VPN routing mechanism to build an overlay network using IPv4. Since several of my online services are not connected to yggdrasil, I was wondering if it’s possible to just NAT64 CRXN into IPv6. It worked quite well; I’ll show you how we pulled that off.

Shitty pro-tip: You can also use this instruction to expose your super secured enterprise network to the public. Instead of yggdrasil you use your corporate VPN.

UPDATE: I had to set up MSS clamping. Check the last section for how I did it. I also fixed some errata in my systemd service file.

Internet numbers first

First we need a /32 IPv4 assignment from deavmi, which is routed on top of yggdrasil. I got 10.5.0.1/32 assigned. We also need at least a /96 IPv6 assignment routed to our Linux VM (Debian 10), which acts as the router here. I picked 2a04:5b80:300:4::/64 for this.

For IPv6 I’m natively connected to the Internet. The CRXN IPv4 is routed on top of yggdrasil to my public key there.

Install tayga and yggdrasil

Install yggdrasil from its website and tayga using apt. Pretty much straight-forward.

Unfortunately tayga on Debian does not ship a template unit file, so I needed to create one, loosely based on the CentOS/RHEL one:

[Unit]
Description=Simple, no-fuss NAT64
After=syslog.target network.target
[Service]
PIDFile=/run/tayga-%i.pid
LimitCORE=infinity
Type=simple
PrivateTmp=true
ExecStart=/usr/sbin/tayga --pidfile /var/run/tayga-%i.pid -d --config /etc/tayga/%i.conf
[Install]
WantedBy=multi-user.target

For my purpose here I could have used the Debian default, but I’m sure I’ll do something else with tayga in the future, so let’s keep it clean from the get-go.

Setting up tayga and yggdrasil

Let’s begin with yggdrasil. First we need to configure some peers to make it work, then we configure the overlay routing. Both happen in /etc/yggdrasil.conf.

After we configured some peers, we can enable the tunnel routing like this:

  IfName: ygg

… some parts skipped …

  TunnelRouting:
  { 
    # Enable or disable tunnel routing. 
    Enable: true

… some parts skipped …
 
    # IPv4 subnets belonging to remote nodes, mapped to the node's public  
    # key, e.g. { "a.b.c.d/e": "boxpubkey", ... } 
    IPv4RemoteSubnets: {
        "10.0.0.0/8": "6fa497818044d164d7f895a69e4678f03d99820b23c1912970e9255910bd8308"
    }
 
    # IPv4 subnets belonging to this node's end of the tunnels. Only traffic  
    # from these ranges will be tunnelled. 
    IPv4LocalSubnets: [
        "10.5.0.1/32"
    ]
  }

Note 10.0.0.0/8, which is the CRXN; the local subnet, which is our assignment; and the public key under the remote subnets, which is deavmi’s. Also note the interface name I specified; it will be important later.

Next up we need to configure tayga to map IPv6 to IPv4 and vice versa. You’ll note that I’m using 100.100.0.0/16 as the dynamic pool, since I’m going to statefully NAT that pool to my single address assignment. With a larger assignment this could also be a stateless mapping; I’m not going into the why and how here, as it would blow the scope of this blog post.

# /etc/tayga/ygg.conf
tun-device nat64-ygg
ipv4-addr 100.100.0.1
prefix 2a04:5b80:300:4::/96
dynamic-pool 100.100.0.0/16
data-dir /var/lib/tayga/ygg

After preparing the configuration, we need to set up routing on the system as well.

But instead of going down the shell script rabbit hole, we can edit/override the systemd unit files to run some additional commands that set up the routing and so on.

Let’s begin with yggdrasil. By calling systemctl edit yggdrasil we can extend the unit file like this:

[Service]
ExecStartPost=/usr/sbin/ip address add 10.5.0.1/32 dev ygg 
ExecStartPost=/usr/sbin/ip route add 10.0.0.0/8 dev ygg src 10.5.0.1 scope global

That configures our assigned address as well as the remote subnet route.

Next up, we need to do the same for tayga. There is a bit more to it, since we also need iptables for NAT. Again done through systemctl edit tayga@ygg:

[Service]
ExecStartPost=/usr/sbin/ip link set nat64-ygg up

ExecStartPost=/usr/sbin/ip addr add 100.100.0.1/32 dev nat64-ygg
ExecStartPost=/usr/sbin/ip route add 100.100.0.0/16 dev nat64-ygg proto 4

ExecStartPost=/usr/sbin/iptables -t nat -I POSTROUTING -s 100.100.0.0/16 -d 10.0.0.0/8 -j MASQUERADE
ExecStopPost=/usr/sbin/iptables -t nat -D POSTROUTING -s 100.100.0.0/16 -d 10.0.0.0/8 -j MASQUERADE

ExecStartPost=/usr/sbin/ip route add blackhole 2a04:5b80:300:4::/64 dev nat64-ygg
ExecStartPost=/usr/sbin/ip route add 2a04:5b80:300:4::a00:0/104 dev nat64-ygg

You might have noticed the blackhole route there. The whole /64 is routed to me, but I only use a /96 out of it. To avoid routing loops I blackhole the less specific /64, so packets to the unused part are dropped locally; the more specific /104 for the mapped 10.0.0.0/8 still wins and goes to tayga.
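An added Python example (not code from the post or from tayga) that makes the address arithmetic behind this configuration explicit: embedding an IPv4 address into the /96 prefix, recovering it again, computing the /104 route that covers exactly the mapped 10.0.0.0/8, and a longest-prefix lookup over the two routes from the override above, which shows why the blackhole does not swallow the mapped addresses. Names such as embed_ipv4 and route_lookup are my own.

```python
# Added example, not code from the original post: tayga-style /96 address
# mapping and a longest-prefix lookup over the post's two IPv6 routes.
import ipaddress
from typing import List, Optional, Tuple

NAT64_PREFIX = "2a04:5b80:300:4::/96"     # the tayga 'prefix' from the post
CRXN = "10.0.0.0/8"                       # the overlay network behind yggdrasil


def embed_ipv4(prefix96: str, v4: str) -> ipaddress.IPv6Address:
    """IPv4 address -> IPv6 address inside the /96 translation prefix."""
    net = ipaddress.IPv6Network(prefix96)
    if net.prefixlen != 96:
        raise ValueError("tayga-style translation needs a /96 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | int(ipaddress.IPv4Address(v4)))


def extract_ipv4(prefix96: str, v6: str) -> ipaddress.IPv4Address:
    """Inverse mapping: the embedded IPv4 address, or ValueError if v6 is outside the prefix."""
    addr = ipaddress.IPv6Address(v6)
    if addr not in ipaddress.IPv6Network(prefix96):
        raise ValueError(f"{v6} is not a translated address")
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)


def mapped_route(prefix96: str, v4net: str) -> ipaddress.IPv6Network:
    """The IPv6 route covering exactly one IPv4 network behind the prefix:
    prefix length 96 + the IPv4 prefix length (10.0.0.0/8 -> ::a00:0/104)."""
    v4 = ipaddress.IPv4Network(v4net)
    start = embed_ipv4(prefix96, str(v4.network_address))
    return ipaddress.IPv6Network((start, 96 + v4.prefixlen))


Route = Tuple[ipaddress.IPv6Network, str]


def route_lookup(routes: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match, the way the kernel picks a route."""
    addr = ipaddress.IPv6Address(dst)
    best: Optional[Route] = None
    for net, action in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, action)
    return best[1] if best else None


# The routing table from the post's tayga@ygg override: the whole /64 is
# blackholed, and only the part that maps 10.0.0.0/8 is handed to tayga.
POST_ROUTES: List[Route] = [
    (ipaddress.IPv6Network("2a04:5b80:300:4::/64"), "blackhole"),
    (mapped_route(NAT64_PREFIX, CRXN), "nat64-ygg"),
]

if __name__ == "__main__":
    print(embed_ipv4(NAT64_PREFIX, "10.1.0.3"))        # 2a04:5b80:300:4::a01:3
    print(mapped_route(NAT64_PREFIX, CRXN))             # 2a04:5b80:300:4::a00:0/104
    for dst in ("2a04:5b80:300:4::10.1.0.3", "2a04:5b80:300:4::1"):
        print(dst, "->", route_lookup(POST_ROUTES, dst))
```

The lookup for 2a04:5b80:300:4::c0a8:101 (192.168.1.1 embedded) lands on the blackhole rather than on tayga, which is the intended effect: only addresses that really map into the CRXN reach the translator, and everything else in the /64 stops at this router.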

Start both and mark them for autostart using systemctl like this:

systemctl start tayga@ygg
systemctl enable tayga@ygg
systemctl start yggdrasil
systemctl enable yggdrasil

Make the routing work

A common safety switch, or pitfall depending on your view, is the sysctl that actually makes Linux a router. It is off by default, so you need to create a file and turn it on.

# /etc/sysctl.d/router.conf
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1

Apply it using sysctl -p /etc/sysctl.d/router.conf and there you have it.

That’s pretty much it at this point. Try to ping some CRXN host like this:

[~] ping 2a04:5b80:300:4::10.1.0.3
PING 2a04:5b80:300:4::10.1.0.3(2a04:5b80:300:4::a01:3) 56 data bytes
64 bytes from 2a04:5b80:300:4::a01:3: icmp_seq=1 ttl=57 time=807 ms
64 bytes from 2a04:5b80:300:4::a01:3: icmp_seq=2 ttl=57 time=1343 ms
64 bytes from 2a04:5b80:300:4::a01:3: icmp_seq=3 ttl=57 time=828 ms
64 bytes from 2a04:5b80:300:4::a01:3: icmp_seq=4 ttl=57 time=750 ms
64 bytes from 2a04:5b80:300:4::a01:3: icmp_seq=5 ttl=57 time=699 ms
64 bytes from 2a04:5b80:300:4::a01:3: icmp_seq=6 ttl=57 time=696 ms
64 bytes from 2a04:5b80:300:4::a01:3: icmp_seq=7 ttl=57 time=720 ms
64 bytes from 2a04:5b80:300:4::a01:3: icmp_seq=8 ttl=57 time=744 ms
^C
--- 2a04:5b80:300:4::10.1.0.3 ping statistics ---
9 packets transmitted, 8 received, 11% packet loss, time 8026ms
rtt min/avg/max/mdev = 696.809/823.900/1343.824/201.499 ms, pipe 2

Have fun and don’t mind the packet loss. It’s from Europe to Africa.

Troubleshooting

Since I’m writing this blog post from memory, some time after the fact, there might be some gotchas in it.

However, consider the following tricks and places to check:

  • tcpdump the ygg or nat64-ygg devices
  • check iptables-save and iptables -L -n to make sure nothing is botched, and keep an eye on the default policy of the FORWARD chain
  • check the error logs of tayga and yggdrasil
  • make sure your IPv6 network is actually routed to your VM
  • make sure the tunnel routing in yggdrasil is enabled: TunnelRouting: true

MSS Clamping

I found that some networks drop the ICMP messages that report an oversized packet, which breaks path MTU discovery.

This is a bodged solution to prevent those issues. Add the following statements when calling systemctl edit tayga@ygg:

ExecStartPost=/usr/sbin/iptables -I FORWARD -p tcp -s 100.100.0.0/16 -d 10.0.0.0/8 --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
ExecStopPost=/usr/sbin/iptables -D FORWARD -p tcp -s 100.100.0.0/16 -d 10.0.0.0/8 --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

This tells the kernel to rewrite the MSS negotiated in the TCP handshake according to the discovered path MTU.

Quick guide to country and currency codes https://blog.chrisnew.de/2020/05/quick-guide-to-country-and-currency-codes/ Sun, 31 May 2020 21:46:36 +0000

TL;DR: Use ISO 3166-1 alpha-2 for countries, use ISO 4217 for currencies and currency codes start usually with a country code.

I often come across situations where people abbreviate countries and currencies in an ambiguous way. So I want to help improve that by recommending the ISO standards. It’s important not to invent your own standard.

For countries there’s ISO 3166-1 alpha-2. It’s just two letters, which are unfortunately not always chosen intuitively, but are internationally recognized.

Sometimes those two letters are easy to remember. For example:

  • US stands for the United States of America.
  • CO stands for Colombia.
  • BE stands for Belgium.

However, sometimes the abbreviation is not close to the long form. For example:

  • CH stands for Switzerland.
  • WS stands for Samoa.
  • GB stands for the UK, because it refers to Great Britain.

Once you know your commonly used countries, you’ll notice them in different places. Such as in:

  • ccTLDs. Not all Country Code Top Level Domains equal the ISO 3166-1 alpha-2 codes, but a lot do. Examples: .de, .be, .ws…
  • IBAN. Your international bank account number starts with a country code.
  • Currency codes like EUR, USD, GBP.

For currencies there’s ISO 4217. Often you’ll see abbreviations like USD, EUR, RMB or BTC. Some of them are correct according to the ISO standard, some are not. It’s easy to remember the correct currency code:

Your ISO 4217 currency code consists of three letters:

  • In most cases the first two letters are the ISO 3166-1 alpha-2 code of the country the currency comes from. If it doesn’t belong to a distinct country, the letter X is used.
  • The third letter is usually the initial letter of the currency’s name: USD is a concatenation of US and Dollar; SEK consists of SE for Sweden and Krona.
  • Some exceptions to these rules are: EUR (Euro in Europe) and RUB (Russian Rubles).

These currency codes are also often used, but they are not ISO compliant:

  • RMB is often used for the Chinese Yuan, but the ISO currency code is actually CNY.
  • BTC stands for Bitcoin, but it conflicts with Bhutan (BT). XBT is often used instead, but it is not standardized either.
  • SFr. is often used for Swiss Francs, but the ISO currency code is CHF.

That’s it for my 101 in standardized abbreviations for countries and currencies. Thanks for reading! Feel free to follow me to get more random reads from time to time.

This article was first released on 11th April 2020 on LinkedIn.

]]>
Bei den Wolken https://blog.chrisnew.de/2019/05/bei-den-wolken/ Wed, 15 May 2019 20:36:21 +0000 https://blog.chrisnew.de/?p=139 ]]> Winterjoggen https://blog.chrisnew.de/2019/03/winterjoggen/ Wed, 20 Mar 2019 17:45:00 +0000 https://blog.chrisnew.de/?p=136 ]]> Winteranbruch https://blog.chrisnew.de/2019/01/winteranbruch/ Fri, 25 Jan 2019 23:05:04 +0000 https://blog.chrisnew.de/?p=120

]]>