Howto

Random notes and recipes you may find helpful


Anonymous I2P proxy

This is pretty handy if you want to blog about democracy from China or do security research on the I2P darkweb (which, by default, usually dumps out onto the regular internet via a TOR exit).

Below are the steps I carried out on ‘minibian’ for a Raspberry Pi, which should work similarly on any Debian-based distro. It is assumed that you have a freshly installed operating system using a static IP in your DMZ…

#### Run below commands as root

passwd root

apt-get update

apt-get dist-upgrade

apt-get install oracle-java8-jdk

apt-get install nano htop

adduser user2

nano /etc/apt/sources.list

#### Add these lines then save

deb http://deb.i2p2.no/ jessie main

deb-src http://deb.i2p2.no/ jessie main

#### control+x to save

wget https://geti2p.net/_static/i2p-debian-repo.key.asc

apt-key add i2p-debian-repo.key.asc

apt-get update

apt-get install i2p i2p-keyring

i2prouter start

nano /home/user2/i2pstart.sh

#### Add these lines

#!/bin/bash

i2prouter start

#### control+x to save

chmod u+x /home/user2/i2pstart.sh

#### Run below commands as user2

crontab -e

#### Add these lines then save

0 * * * * /home/user2/i2pstart.sh

@reboot /home/user2/i2pstart.sh

#### Run below commands as user2

nano /home/user2/.i2p/i2ptunnel.config

#### Change these lines from

tunnel.0.interface=127.0.0.1

tunnel.6.interface=127.0.0.1

#### to

tunnel.0.interface=0.0.0.0

tunnel.6.interface=0.0.0.0

#### Run below commands as root

reboot

Now forward a high UDP and TCP port to the box from your firewall.

I2P is now running and accessible from a browser once the proxy is set up. I recommend setting up a separate browser just for this, like Firefox Portable, since you can set its proxy independently of the system.

Set the browser proxy to use port 4444, then navigate to your box in a web browser from another machine.

Scroll to the bottom of the UI and go to the Bandwidth settings.

Mine is set up for 512 KBps in and 256 KBps out with a share of 80%; you may want to go lower, but these settings give me great performance. (Note the big B for Byte: this is actually 4 Mbit down and 2 Mbit up.)

Go to the Network tab and specify the high UDP and TCP ports you forwarded earlier from your firewall.

Once you save, the left-hand status pane should show ‘Network: OK’.

#### All done!
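Binding tunnel 0 and tunnel 6 to 0.0.0.0 is what makes the proxy reachable from other machines, and it also makes it reachable from anything else on the DMZ. The helper below is an added example, not part of these notes: it scripts that interface edit and audits i2ptunnel.config for every tunnel that is no longer loopback-only, so the exposure stays deliberate and easy to re-check. It assumes the tunnel.N.name and tunnel.N.listenPort keys sit alongside the tunnel.N.interface lines shown above, and the sample config it works on is constructed.

```shell
#!/bin/bash
# Added example, not part of the original notes: audit ~/.i2p/i2ptunnel.config
# for tunnels bound to something other than loopback (which is what the
# interface edit above produces) and script that edit so the exposure is
# deliberate and easy to re-check. The tunnel.N.name and tunnel.N.listenPort
# keys are assumed; the notes only show tunnel.N.interface.

# List every tunnel not bound to 127.0.0.1 as: index<TAB>name<TAB>port<TAB>interface
exposed_tunnels() {
    cfg="$1"
    grep -E '^tunnel\.[0-9]+\.interface=' "$cfg" | grep -v '=127\.0\.0\.1$' |
    while IFS='=' read -r key iface; do
        idx=${key#tunnel.}; idx=${idx%.interface}
        name=$(sed -n "s/^tunnel\.$idx\.name=//p" "$cfg")
        port=$(sed -n "s/^tunnel\.$idx\.listenPort=//p" "$cfg")
        printf '%s\t%s\t%s\t%s\n' "$idx" "${name:-?}" "${port:-?}" "$iface"
    done
}

# Number of exposed tunnels; 0 means every client tunnel is loopback-only
exposed_count() {
    exposed_tunnels "$1" | grep -c . || true
}

# Rebind one tunnel (the notes do this by hand in nano for tunnels 0 and 6)
bind_tunnel() {
    cfg="$1"; idx="$2"; iface="$3"
    sed -i "s/^tunnel\.$idx\.interface=.*/tunnel.$idx.interface=$iface/" "$cfg"
}

# Constructed sample config for the demonstration, not a real router's file
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
tunnel.0.name=I2P HTTP Proxy
tunnel.0.listenPort=4444
tunnel.0.interface=127.0.0.1
tunnel.6.name=I2P HTTPS Proxy
tunnel.6.listenPort=4445
tunnel.6.interface=127.0.0.1
EOF

bind_tunnel "$SAMPLE_CFG" 0 0.0.0.0   # expose the HTTP proxy as the notes do
echo "Tunnels reachable from the network ($(exposed_count "$SAMPLE_CFG")):"
exposed_tunnels "$SAMPLE_CFG"
```

Run `exposed_tunnels ~/.i2p/i2ptunnel.config` as user2 after the edit; anything listed there that you did not mean to expose should go back to 127.0.0.1 or be fenced off at the firewall.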



‘Worry free’ public hotspot

Many moons ago, my daughter came to me with an interesting challenge: her Game Boy only supported WEP. I wasn’t willing to create an insecure wireless network based on WEP, but after some thought, it occurred to me that I could create a wide-open network for the public to connect to, not a whole lot different from a coffee shop, without any authentication. Why not take this approach? Here are some good reasons for caution:

Here are some good reasons:

1) You could be held responsible for activities carried out on your internet connection; P2P filesharing is a good example. For this reason, coffee shops usually have a splash page with rules you must agree to before using the network.

2) You would not want your own traffic impeded by users of the hotspot.

To solve problem #1, you can prevent user traffic from being attributed to your public IP address by sending it through TOR. TOR is normally intended for anonymity; it was originally developed by the US Navy. By sending the untrusted user traffic into TOR, it gets redirected somewhere else in the world, and its access to the internet happens from there instead of from your WAN IP address as it normally would. The anonymity TOR provides will be destroyed by users signing into services like Facebook (as they would on any public hotspot), so never mind that feature of TOR for this purpose. A really easy way to direct the traffic into TOR is an OpenWRT-based firmware called Gargoyle, which has a built-in transparent TOR proxy out of the box; it will block non-TOR protocols, ensuring that only TOR traffic leaves via your WAN IP. It works on several routers, and even on a PC if you do not have a supported router. Just install it, enable TOR for all traffic, block unsupported protocols, and make sure it’s connected to your DMZ network segment.

To solve problem #2, use the QoS feature of your main router and designate only leftover bandwidth to go to (and come from) this device, ensuring your normal traffic is the priority.

Having a public hotspot I can turn on when needed saves me from having to give my main wifi password to guests to get them on the internet. It’s not super fast, but YouTube videos play. There is one undesirable side effect: Google shows a different page to people based on source IP, and coming off a random TOR exit somewhere else in the world, Google may be Google Japan or Google Canada from time to time; other than that, the hotspot users will be oblivious to using TOR. There is a way to set a specific exit node if you need it to be a predictable TOR exit every time.

Additional recommendations:

Set up a periodic reboot as a keepalive.

Only access the TOR proxy box from the WAN side, via HTTPS and SSH.

Install watchcat to reboot the device if ping connectivity to the main firewall is lost.

Assume TOR could fail open, and block P2P protocols on this subnet.

Block .onion sites; remember that anonymity is not functional for this purpose.

NoDogSplash can be used to intercept the first webpage visited with a splash page of your choosing; use it to let the public know what rules you have for your hotspot.


QEMU Notes

#### MAKE DRIVE

qemu-img create /mnt/usbdrive/vm/os.img 5G

#### INSTALL OS

qemu -vnc :1 -hda /mnt/THUMBDRIVE/VM/OS.IMG -cpu host,+x2apic -cdrom /mnt/THUMBDRIVE/VM/fix.iso -m 1024 -net nic -boot d -usbdevice tablet &

#### RUN OS

qemu -vnc :1 -hda /mnt/usbdrive/vm/os.img -cpu host,+x2apic -smp 3 -m 2048 -daemonize -net nic -net bridge,br=green0 -boot c -usbdevice tablet &

#### WINDOWS EXAMPLE

C:\Progra~1\qemu\q64.exe -L -kernel-kqemu -hda d:\VM\android.img -cdrom D:\VM\android7.iso -m 2048 -net user -net nic,model=rtl8139 -soundhw es1370


SETI@Home (headless) on Linux

#### DEBIAN 10

#### ADD THIS TO /etc/default/grub, MODIFYING THIS LINE FROM

GRUB_CMDLINE_LINUX_DEFAULT="quiet"

#### TO

GRUB_CMDLINE_LINUX_DEFAULT="quiet vsyscall=emulate"

update-grub

reboot

apt-get install boinc-client

#### USE YOUR OWN ACCT KEY HERE, GET IT FROM THE WEBSITE

boinccmd --project_attach http://setiathome.berkeley.edu 12345__678910111213

service boinc-client stop

nano /var/lib/boinc-client/global_prefs_override.xml

#### ADD THIS IN BETWEEN GLOBAL PREFERENCES, MODIFYING AS YOU NEED

<global_preferences>
<run_on_batteries>1</run_on_batteries>
<run_if_user_active>1</run_if_user_active>
<run_gpu_if_user_active>1</run_gpu_if_user_active>
<suspend_cpu_usage>75.000000</suspend_cpu_usage>
<leave_apps_in_memory>1</leave_apps_in_memory>
<max_ncpus_pct>75.000000</max_ncpus_pct>
<cpu_usage_limit>75.000000</cpu_usage_limit>
</global_preferences>

service boinc-client start

boinccmd --get_simple_gui_info

DONE!


#### COPY FILE VIA SCP

scp myfile.txt remoteuser@remoteserver:/remote/folder/

#### Fix the original Ooma's inability to connect due to a non-existent DNS server

iptables -t nat -I PREROUTING -d 208.83.244.20 -j DNAT --to-destination 8.8.8.8

#### INTENTIONAL UNDERCLOCK (FOR LOUD FANS / EXCESSIVE HEAT)

cpupower frequency-set --max 800000

#### VERIFY WITH

cat /sys/devices/system/cpu/cpufreq/policy0/cpuinfo_cur_freq

#### WRITE ISO TO SD CARD

dd if=file.iso of=/dev/sdX status=progress

#### DISABLE IPV6 ON DEBIAN

nano /etc/sysctl.d/disable-ipv6.conf

#### ADD THIS TO THE FILE AND SAVE:

net.ipv6.conf.all.disable_ipv6=1

#### APPLY

sysctl -p /etc/sysctl.d/disable-ipv6.conf

#### CONFIRM NO inet6

ip a