FreedomBoxBlog (http://freedomboxblog.nl): Building a FreedomBox. Feed generated Fri, 12 Apr 2013 13:06:04 +0000.

Raspberry Pi performance
http://freedomboxblog.nl/raspberry-pi-performance/
Sun, 10 Feb 2013 14:58:03 +0000, by robvanderhoeven

The Raspberry Pi seems nice hardware for a small home server like the FreedomBox. It is both low power and low cost. The only questions for me were: is it powerful enough, and how does it compare to other computers?

On the Raspberry Pi website I read that its performance is roughly equal to that of a 300 MHz Pentium 2, which is not very helpful. I once owned a 300 MHz Pentium 2 system, but that was 15 years ago. I really have no idea how any modern system compares to it.

In my previous article I measured the performance of the MK802 stick computer. That computer turned out to perform roughly equal to a single-core Intel Atom. Last week I finally got my own Raspberry Pi, so I decided to run the same tests for the Pi.

Hardware.

I bought version 2.0 of the Raspberry Pi model B. This version has the following hardware:

SoC: Broadcom BCM2835
CPU: 700 MHz ARM 11
GPU: Broadcom VideoCore IV
Memory: 512 MB (shared with GPU)
USB: 2 * USB 2
Video: Composite out, HDMI 1.4
Audio out: 3.5 mm jack + HDMI
Network: 10/100 Mbit RJ45
Storage: 32 GB Samsung class 10 SD card

Software.

As OS I use Raspbian. This is a Debian derivative that has been optimized for the Raspberry Pi.

Measurements.

To measure the performance I used an experimental Python-powered version of my blog. This version does not use a database, but stores the individual postings in a simple directory structure. For each request 10 postings are read from disk and served as one HTML page that looks (almost) exactly like my normal blog. The size of this page is 64.9 KB.

Apache Bench, run on a fast system, was used to measure the performance in pages/sec. I requested 1000 pages with a concurrency of 10.

The measurements were done for the following systems:

  1. The Raspberry Pi model B version 2.0, running at 700 MHz.
  2. My current FreedomBox. This is a 1.2 GHz Marvell Kirkwood 6281 system. The same SoC is used for the DreamPlug.
  3. The MK802, which uses a 1 GHz Allwinner A10.
  4. An Intel Atom 330 system running at 1.6 GHz.
  5. My desktop system with a dual-core G620 Pentium processor running at 2.6 GHz.

Except for the MK802, all systems have a wired 1 Gbit Ethernet connection. For the MK802 I did two measurements: one over WIFI and one with a wired 100 Mbit USB-Ethernet adaptor.

Results.

                 Raspberry Pi   Marvell   MK802     MK802     Atom      Desktop
                 ARM 11         6281      WIFI      Wired     330 (*)   G620 (**)
Pages/sec        17             25        12        39        174       805
MB/sec           1.1            1.64      0.77      2.5       11.2      52
Power (W)        3 (#)          ~13       3-4 (#)   4 (#)     35        45
Pages/sec/W      5              2         3         10        5         18

(#) A fair comparison would include 5 W for the missing hard-disk.
(~) Estimate; I could not measure it without ruining my uptime :-)
(*) 4 threads were used.
(**) 2 cores (= 2 threads) were used.

As you can see, the Raspberry Pi is not very fast. Still, I found its performance much better than expected. It performs at roughly 70% of my current FreedomBox and roughly 40% of a single-core Intel Atom clocked at 1.6 GHz. This may not look great, but remember that the important question is not how fast it is, but: is it fast enough?

Having expected much worse results for the Raspberry Pi, I wondered if the test reflected real-world performance. What if I ran some real-world server software like Apache on it? To test this I installed Apache with WordPress on the Raspberry Pi and copied my blog to it.

Requesting the main page of my blog took 3.4 seconds on the Raspberry Pi and 2.6 seconds on my Marvell system. A difference of 25 percent. Not bad! I find the performance of my FreedomBox quite acceptable and I do not think anyone would notice if it was 30 percent slower. So in my opinion the Raspberry Pi would be fine hardware for a FreedomBox.

Introducing the MK802 FreedomStick.
http://freedomboxblog.nl/introducing-the-mk802-freedomstick/
Fri, 07 Sep 2012 20:10:33 +0000, by robvanderhoeven

Recently a whole range of cheap Android devices has become available, all powered by the Allwinner A10 SoC. Thanks to the way A10 devices boot they are very easy to hack. All that is needed is a bootable SD card. How to make such a card is no big secret, and there are now multiple SD card images available. You can boot, for example, Lubuntu or Debian instead of Android. One A10 device, the MK802 stick computer, is almost ideal for a small home server. I bought one to examine its potential for the FreedomBox.

What makes A10 devices special?

Before I share my experiences with the MK802 I have to write something about its heart, the Allwinner A10 SoC. This remarkable 400-pin (!) chip only costs about $7 and houses the following:

  • A single-core Cortex-A8 ARM processor, typically running at 1 GHz.
  • A MALI400MP OpenGL 2.0 GPU.
  • A DDR3 800 MHz memory controller.
  • Hardware accelerated video playback.
  • Video outputs for HDMI, VGA, analog video and LCD.
  • A 10/100 Mbit Ethernet controller.
  • A NAND flash controller.
  • A USB host controller and a USB OTG controller.
  • A SATA-II controller.
  • Etc., etc., etc.

Wow!

Apart from all the hardware features its boot process is also interesting. Booting goes as follows:

  1. Check if the reset pin is pressed. If so, load new firmware from the USB port.
  2. Check if there is a SD card present. If it contains a bootable image, boot from the SD card.
  3. Boot from the internal NAND storage (boot Android).

Step 1 can recover a “bricked” device. Step 2 makes loading an alternative OS possible. Very hacker-friendly!

What A10 devices are available?

The A10 is used in a whole range of products, from tablets to TV multimedia boxes to stick computers. The most popular devices are:

The $70 Mele A1000. This is a complete computer. Some specs: 512 MB RAM, SD slot, support for SATA hard-disks, connectors for multiple types of monitor (VGA/HDMI/analog video), 10/100 Ethernet connector, WIFI, audio out and two USB host ports.

The $65 MK802. This is a stick-sized computer (0.47 x 3.46 x 1.38 inch) that has (of course) fewer connectors than the Mele A1000. The specs are: 1024 MB RAM (older versions 512 MB), microSD slot, HDMI video out, WIFI, one USB host port and one USB-OTG port.

You will probably agree with me that the $70 Mele is a better deal – the MK802 is overpriced. It would not surprise me if the MK802 drops in price to about $40 in the near future.

Booting an alternative OS.

A10 devices have become very popular in the last few months and a lot of development is going on. Most development targets Lubuntu (Ubuntu + LXDE) and the Mele A1000.

The best way of running an alternative OS is to download a ready-made SD image for your device and write this to a cheap SD card (8 GB class 4 is fine). On my MK802 I successfully tried the following images:

A Lubuntu 12.04 desktop version, downloaded from miniand.com. This version has a fixed 720p HDMI output with no hardware acceleration. While I’m not very interested in desktop use, I found the desktop performance quite acceptable. This Lubuntu version seems stable too.

The Linaro-alip armhf version. This image is made by Toby Corkindale and has a 1080p HDMI output, again with no hardware acceleration. Desktop performance is acceptable, stability is OK.

How does the MK802 perform?

A small internet-connected server like the FreedomBox should meet the following performance requirements:

  • It should be fast enough for simple tasks like serving web-pages.
  • Ethernet/WIFI must be fast enough.
  • Because the device runs 24/7 energy consumption must be low.

All of these can be measured easily. Measurements are more interesting if you can compare them for different systems, so I decided to do the same measurements for the following systems:

  1. My current FreedomBox. This is a 1.2 GHz Marvell Kirkwood 6281 system. The same SoC is used on the DreamPlug.
  2. The MK802, which uses a 1 GHz Allwinner A10.
  3. An Intel Atom 330 system running at 1.6 GHz.
  4. My desktop system with a dual-core G620 Pentium processor.

Except for the MK802, all systems have a wired 1 Gbit Ethernet connection. For the MK802 I did two measurements: one over WIFI and one with a wired 100 Mbit USB-Ethernet dongle.

To measure the performance I used an experimental Python-powered version of my blog. This version does not use a database, but stores the individual postings in a simple directory structure. For each request 10 postings are read from disk and served as one HTML page that looks (almost) exactly like my normal blog. The size of this page is 64.9 KB.

Apache Bench was used to measure the performance in pages/sec. I requested 1000 pages with a concurrency of 10. The results are:

                 Marvell   MK802     MK802     Atom      Desktop
                 6281      WIFI      Wired     330 (*)   G620 (**)
Pages/sec        25        12        39        174       805
MB/sec           1.64      0.77      2.5       11.2      52
Power (W)        ~13       3-4       4         35        45
Pages/sec/W      2         3         10        5         18

(~) Estimate; I could not measure it without ruining my uptime :-)
(*) 4 threads were used.
(**) 2 cores (= 2 threads) were used.

From the results the following conclusions can be drawn:

  • The WIFI of the MK802 performs poorly. However, a bandwidth of 770 KB/sec is still well above the upstream speed of most households so it may be considered acceptable.
  • The 1 GHz A10 processor is much more powerful than the 1.2 GHz Kirkwood processor of my FreedomBox. Personally, I find the performance of my FreedomBox (which runs several virtual machines with WordPress blogs) quite acceptable. A10 devices will do well as FreedomBoxes.
  • The A10 performs roughly equal to a 1.6 GHz single core Intel Atom (with no hyper-threading).
  • Using an Intel Atom or even a desktop computer seems overkill. An A10 powered device should be powerful enough.
  • Pages/sec/W is a measurement of the energy efficiency. To be honest, these values are not fair because the MK802 is the only device without a hard-disk. A hard-disk consumes about 5 W so it has a big impact. The energy efficiency of the MK802 is excellent.

My overall conclusion is that the MK802 should do well as a FreedomBox. It’s a pity that it has no wired Ethernet connection. It does however have a USB-OTG port, which could be programmed to behave like an Ethernet dongle (just like those WIFI sticks: you plug one in and it is detected as a new network interface).

Links.

Here are some links to start with if you are interested in A10 devices:

Much pioneering work on the A10 was done by Luke Kenneth Casson Leighton. Luke is the one behind Rhombus Tech, a Community Interest Company that is developing an open hardware Computer-on-Module using the A10. Lots of info can be found at:

http://rhombus-tech.net/allwinner_a10/

A good place to buy an A10 device is “The Cubies hacker shop” at:

http://www.aliexpress.com/store/511685

Tom Cubie (alias hipboi) is very actively involved in getting GNU/Linux working on the A10. Just like Luke he is planning to release open hardware based on the A10.

http://cubieboard.org/

Both the SD card images i used come from the miniand.com website. Miniand sells A10 devices and has a busy forum at:

https://www.miniand.com/forums/

MK802 images are available at:

https://www.miniand.com/forums/forums/development/topics/mk802-guides-and-images

Another company that sells the MK802 and other A10 devices is Rikomagic.

http://www.rikomagic.co.uk/
forum:
http://www.rikomagic.co.uk/forum/viewforum.php?f=2&sid=3c3ef83dd83af61f8af6a82c6b28cf47

Someone named gnexus has a very interesting site about A10 devices:

http://a10linux.org/

Last but not least: I enjoyed the info at Jeff Doozan’s site.

http://forum.doozan.com/list.php?6

Cheap hardware for the FreedomBox software.
http://freedomboxblog.nl/cheap-hardware-for-the-freedombox-software/
Sat, 31 Mar 2012 13:15:53 +0000, by robvanderhoeven

In this article I answer the following question: when does the energy cost of running the FreedomBox software on a desktop computer justify buying specialized low-power hardware? The answer to this question may surprise you.

Not long ago a reader of my blog asked me why he could not use his desktop computer to run the FreedomBox software. I answered that he could, but that it would not be very economical. I gave him the following example: my desktop computer at the time consumed 93 Watt when idle. Keeping this machine running for a year would cost me 186 EUR. The energy costs of my 11 Watt NAS “FreedomBox edition” are just 22 EUR a year. In this example it is clear that it pays to buy special hardware for the FreedomBox. For my new energy efficient desktop computer (23 Watt idle) the situation is different.

In a previous article (Free hardware for the FreedomBox software) I argued that the cheapest hardware for the FreedomBox is hardware that you need anyway. If you can run the FreedomBox software on this hardware without changing its function, then the hardware for the FreedomBox costs you nothing. This is true for always-on devices like wireless routers and NAS servers. With these devices the only cost of running the FreedomBox software is the cost of the extra energy, which is probably very low. For desktop computers the situation is different. Desktop computers consume more energy than specialized always-on devices and are (normally) only used part of the day.

How much does it cost to use a desktop computer to run the FreedomBox software?

Calculating the costs is very easy. Because you need the desktop computer anyway, the price does not enter the equation. Only the extra energy costs are important. This leads to the following equation:

Cd = Pdi * Td * Ckwh/1000

where:

Cd    : Cost of running FB software on a desktop computer
Pdi   : Power consumption in Watt of the desktop computer when idle
Td    : Time in hours the desktop computer is running FB software exclusively
Ckwh  : Kilowatt-hour price.

Because the FreedomBox software is mostly sleeping, I only take the idle power consumption into account.

How much does running a dedicated FreedomBox device cost?

With a dedicated device you have to enter the price of the device into the equation:

Cf = Cfd + Pfi * Tf * Ckwh/1000

where:

Cf    : Cost of running FB software on a dedicated FB device
Cfd   : Price of the FB device
Pfi   : Power consumption in Watt of the dedicated FB device when idle
Tf    : Time in hours the FB device is running

Some quick calculations.

Let’s compare the cost of my (very) energy efficient desktop computer with a DreamPlug. I use the following parameters:

Pdi  = 23 W
Td   - do not correct the time for non FB use of the desktop computer.
Cfd  = 163 EUR DreamPlug + 50 EUR USB hard-disk = 213 EUR
     - assume a 3 year life of the DreamPlug 
Pfi  = 5 W DreamPlug + 5 W USB hard-disk
Ckwh = 0.25 EUR

For a 3 year period this calculates to:

Cd = 23W * 3*365*24 * 0.25/1000 = 151 EUR
Cf = 213 EUR + 10W * 3*365*24 * 0.25/1000 = 278 EUR

In this example using a DreamPlug as a dedicated FreedomBox device is not economical. Even with no correction for the time the desktop computer is used for its normal tasks, the DreamPlug solution is almost 2 times as expensive.

Using the DreamPlug results for a 3 year period you can calculate the idle power consumption of a desktop computer that is just as expensive as a dedicated DreamPlug. This turns out to be 42 Watt.

Let’s calculate the costs of running a Raspberry Pi model B for three years.

Cfd = 39 EUR (32.70 GBP * 1.2 EUR/GBP) + 50 EUR USB HD = 89 EUR
Pfi = 1 W Raspberry Pi + 5 W USB HD = 6 W

Cf  = 89 + 6W * 3*365*24 * 0.25/1000 = 128 EUR

The very low power Raspberry Pi is the winner. It would save me 33 EUR over a period of three years. For me, this is not a good reason to buy a Raspberry Pi. (I still think I’ll buy one, just for fun!)

(Note: in these calculations I have not corrected for the time I use my desktop computer for its normal tasks. If I correct for the 8 hours a day I use my system for desktop tasks, the desktop costs for running the FreedomBox software would be 100 EUR.)

Conclusion.

If you have a desktop computer with low idle power consumption, then there is no (economical) need to buy special low-power hardware for running the FreedomBox software.

Building an energy efficient server
http://freedomboxblog.nl/building-an-energy-efficient-server/
Tue, 27 Mar 2012 14:17:48 +0000, by robvanderhoeven

Last week I finally built my first custom PC. It’s very energy efficient, quiet, and it can be used as a 24/7 server or as a general purpose PC.

The specs are:

Processor             : Intel G620 Dual core Pentium processor
Mainboard             : Intel Desktop Board DZ68DB
Memory                : 2 * 4GB PC3-10600 (DDR3-1333) (No Name)
Power supply          : Be quiet! Straight Power E9 400W
Hard-disk             : Western Digital Caviar Green WD5000AZDX, 500GB
Graphics              : Intel HD Graphics (integrated into the G620 processor)
Case                  : Recycled an old computer case.
DVD-writer            : None, I use an external USB drive if needed.

  • The total cost of this setup is about 350 EUR.
  • Idle power usage is 23 Watt.
  • Maximum measured power is 53 Watt. This is without stressing the graphics core, which will probably add an extra 7 Watt if it is used to its full capacity.

Hardware.

When I selected the system components I had the following main requirements:

  • I must be able to use the system to develop software for GNU/Linux.
  • I wanted to use the system as an internet connected server that runs 24/7.

To isolate my development work from the server tasks, I want the server tasks to run inside a virtual machine. The server tasks are simple (personal web server, email server, etc.) and do not need a very fast CPU (I am currently using ARM hardware for these tasks).

Because the machine is always on, it is important that the system uses as little energy as possible. A one Watt device that runs for a year costs about 2 EUR in the Netherlands. Normal PCs like my old system easily consume 90 Watt or more when idle, which makes them very expensive servers.

Both main usages of the system only occasionally stress the system so low energy consumption for the idle state is a main concern.

Here are some remarks on the components I selected.

Processor.

I selected an Intel G620 processor because its performance is more than enough for my simple tasks. It has a nice integrated graphics core and low power consumption. With a price of only 54 EUR it’s cheap too.

The specs mention a TDP of 65 Watt. My whole system never uses more than 60 Watt so this is a bit pessimistic. I think a TDP of 35 Watt like the special energy efficient G620T version is more realistic. When compared with the G620T the G620 only uses one or two Watt more.

Mainboard.

Finding the right mainboard was a bit tricky. Power consumption varies quite a bit between different products. Even when idle the difference in power consumption can be over 10 Watt! A very nice comparison of 21 mainboards can be found here. From this comparison you can see that the Intel DZ68DB mainboard I selected does very well.

Power supply.

Here I had two requirements: high efficiency and low noise. These qualities are both present in the selected Be quiet! Straight Power E9 400W. This power supply has an 80Plus Gold certification, which guarantees an efficiency of 90% or more. For cooling a 135 mm SilentWings fan is used, resulting in an extremely low noise level of under 15 dB(A) at full load. With a price of about 70 EUR this power supply is twice the price of a standard power supply. When I look at the specs and build quality I find this very good value for money.

Memory.

Not much to say. I bought 8 GB just to be able to compile very large programs and run the VMs.

Hard-disk.

I bought an energy efficient Western Digital Caviar Green WD5000AZDX, 500GB. This HD is fast and almost silent.

Graphics.

The integrated graphics core of the G620 processor is more than capable for any graphics task other than gaming. Video decoding is pretty good. I even managed to play the “killa sample” with only a small distortion in the first two seconds of the clip.

Software.

At the moment I’m running the testing version (Wheezy) of Debian GNU/Linux on the system. Quite a nice experience: everything worked out of the box and no proprietary drivers needed to be installed.

I only needed to make some small adjustments to the kernel settings in order to lower the power consumption. It turns out that the 3.x kernels have support for the power saving features of the integrated graphics core of the G620 processor, but these features are disabled by default. To turn the features on you have to edit the grub boot configuration as follows:

Edit:

/etc/default/grub

Find the line:

GRUB_CMDLINE_LINUX=""

Change it to:

GRUB_CMDLINE_LINUX="i915.i915_enable_rc6=1 i915.i915_enable_fbc=1 i915.lvds_downclock=1"

Save this configuration and activate the settings with the command:

update-grub2

After restarting, the system consumes 7 Watt less power.

Routers as Tor bridges
http://freedomboxblog.nl/routers-as-tor-bridges/
Tue, 06 Dec 2011 13:11:53 +0000, by robvanderhoeven

Most readers of this blog will probably know the Tor project. One of the problems Tor has encountered is that all nodes of the Tor network are public. This enabled governments to block all IP addresses of the Tor nodes, preventing anyone behind their firewall from using Tor. To solve this problem the Tor project created a pool of unlisted Tor nodes known as bridges. If a user gets blocked, he/she can ask for the IP address of (only) one of these unlisted Tor nodes and use this node as the entry point to the rest of the Tor network.

The function of a Tor bridge is simple: provide an unlisted IP address that blocked users can use to connect to the rest of the Tor network. You can run a full Tor node at the unlisted address, but you don’t have to. Forwarding the traffic from the unlisted address to a public Tor node will provide the same functionality and can be done by a simple router.

How to configure a router to forward Tor traffic?

Forwarding traffic from the internet to your local network is very easy. Every router has a nice UI that can be used to do this. Forwarding traffic from the internet to another IP address in the internet zone is slightly more complicated. This type of forwarding is so uncommon that most (all?) routers simply leave it out of the UI.

The first step you have to take if you want your router to forward Tor traffic is to replace the firmware with less limited free software. I replaced the firmware of my TP-Link router with OpenWrt. With OpenWrt you have access to all the functions of your router.

With full control of your router, forwarding Tor traffic is simple. I started an SSH connection to my router and typed the following three commands:

iptables -t nat -i eth0.2 -I PREROUTING -p tcp --dst xxx.xxx.xxx.xxx --dport 443 -j DNAT --to-destination 77.247.181.164:443

iptables -t nat -o eth0.2 -I POSTROUTING -p tcp --dst 77.247.181.164 --dport 443 -j SNAT --to-source xxx.xxx.xxx.xxx

iptables -I FORWARD -o eth0.2 -p tcp --dst 77.247.181.164 -j ACCEPT

Where:

eth0.2 WAN-interface of the internal router switch
xxx.xxx.xxx.xxx WAN IP address
77.247.181.164 IP address of the rainbowwarrior Tor node

The first command tells the iptables firewall to translate the WAN IP address to the address of the rainbowwarrior Tor node if the destination port is 443. The second command changes the source address of packets leaving the system into the WAN address. The last command allows traffic with the rainbowwarrior Tor node destination to pass through the system.

That’s it. I checked this using a remote system and it seems to work. Double checking with Wireshark showed all traffic was routed through my router-bridge.

MITM for Tor
http://freedomboxblog.nl/mitm-for-tor/
Fri, 23 Sep 2011 13:43:48 +0000, by robvanderhoeven

One of the goals of the FreedomBox project is to give users back their privacy. No more snooping by Google, Facebook, governments, etc.

In order to give users back their privacy two conditions must be met:

  • First: It must not be possible for a third party to monitor (or change) the information a user exchanges with a website. In an ideal world this kind of protection should be provided by SSL. Unfortunately the world is not ideal. Companies that issue SSL certificates can be incompetent, or forced by a government to give out false certificates. It is not clear why they should have our trust.
  • Second: It must not be possible for a third party to monitor which website a user contacts. Knowing which websites a user visits can be quite revealing and possibly dangerous for the user (think of someone in China who surfs to MaoWasACriminal.org).

One project that tackles both privacy conditions is the Tor project. Tor stands for The Onion Router. It is a special type of network in which all traffic is encrypted and there is never a direct connection from a user to a website (details are here). Protecting privacy the way Tor does comes at a price, connecting to a website using the Tor network is much slower than a direct connection.

How fast (slow) is Tor? At the Tor metrics portal you can find all kinds of interesting statistics that are updated every day. One statistic I find interesting is the time it takes to download files of different sizes. Although this measurement is a good indication of the speed of the network, it does not measure the user experience. Normal websites download at least 10 files and do so on multiple parallel connections. To give an (extreme) example: http://edition.cnn.com contacts 11 different domains using 64 connections, on these connections a total of 145 HTTP requests (wow!) are issued.

I really like the Tor project and I would love to see it improve (especially its speed). One thing that’s missing from the project is a way to accurately measure what is going on between Tor and the browser. I believe this information can be quite useful and therefore wrote a special measuring proxy: MITM.

What is MITM?

MITM stands for Monitor In The Middle. It is basically a Socks 5 proxy that is placed between the browser and Tor. The browser connects to MITM, MITM connects to Tor. All communication between the browser and Tor is intercepted and decoded.

MITM decodes both the Socks protocol and the HTTP protocol and collects the following data:

Socks protocol:

  • Time of the available authentication methods request.
  • Time of the selected authentication method response.
  • Time, domain and port of the connect request.
  • Time of the connect response.

Http protocol:

  • Time and lines of a request header.
  • Time and data of a request body.
  • Time and lines of a response header.
  • Time and data of a response body (or each body chunk).
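The Socks half of that decoding, as an added example that is not code from MITM itself: a Python 3 decoder for the four SOCKS5 handshake messages listed above, recording a timestamp per message and tolerating messages that arrive split across TCP segments (as a proxy sitting between browser and Tor sees them). The event names and the sample exchange to freedomboxblog.nl:80 are constructed here, not taken from a real capture.

```python
"""SOCKS5 handshake decoder with timestamps (RFC 1928), Python 3. Added
example, not code from the MITM proxy in the post: it decodes the four Socks
messages the post lists and buffers partial data, so a message split across
TCP segments is decoded once complete. Event names are my own."""
import socket
import struct

SOCKS_VERSION = 5
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03

class SocksDecodeError(Exception):
    """The stream is not a well-formed SOCKS5 handshake."""

class _Incomplete(Exception):
    """Internal: the message is not yet fully buffered."""

def _need(buf, n):
    if len(buf) < n:
        raise _Incomplete()

def _check_version(buf):
    _need(buf, 1)
    if buf[0] != SOCKS_VERSION:
        raise SocksDecodeError("version byte %d is not SOCKS5" % buf[0])

def _parse_address(buf, off):
    """Parse ATYP + ADDR + PORT starting at off; returns (end, host, port)."""
    _need(buf, off + 1)
    atyp, off = buf[off], off + 1
    if atyp == ATYP_IPV4:
        need, conv = 4, lambda b: socket.inet_ntop(socket.AF_INET, b)
    elif atyp == ATYP_DOMAIN:  # one length byte, then the name
        _need(buf, off + 1)
        need, conv, off = buf[off], (lambda b: b.decode("ascii", "replace")), off + 1
    else:
        raise SocksDecodeError("unsupported address type 0x%02x" % atyp)
    _need(buf, off + need + 2)
    (port,) = struct.unpack("!H", buf[off + need:off + need + 2])
    return off + need + 2, conv(buf[off:off + need]), port

# Each message parser returns (bytes_consumed, event_name, detail) or raises _Incomplete.
def _parse_methods(buf):             # client: VER NMETHODS METHODS...
    _check_version(buf)
    _need(buf, 2)
    end = 2 + buf[1]
    _need(buf, end)
    return end, "SocksMethodsRequest", list(buf[2:end])

def _parse_method_reply(buf):        # server: VER METHOD
    _check_version(buf)
    _need(buf, 2)
    return 2, "SocksMethodResponse", buf[1]

def _parse_connect(buf, name):       # both directions: VER CMD-or-REP RSV ATYP ADDR PORT
    _check_version(buf)
    end, host, port = _parse_address(buf, 3)
    return end, name, (buf[1], host, port)

class Socks5Decoder:
    """Feed browser->Tor bytes to feed_client() and Tor->browser bytes to feed_server()."""
    def __init__(self):
        self.events = []  # (time, name, detail) per completed message
        # Per direction: [unparsed buffer, parsers still expected, in order].
        self._client = [b"", [_parse_methods, lambda b: _parse_connect(b, "SocksConnectRequest")]]
        self._server = [b"", [_parse_method_reply, lambda b: _parse_connect(b, "SocksConnectResponse")]]

    def feed_client(self, data, now):
        self._pump(self._client, data, now)

    def feed_server(self, data, now):
        self._pump(self._server, data, now)

    def _pump(self, side, data, now):
        side[0] += data
        while side[1]:
            try:
                end, name, detail = side[1][0](side[0])
            except _Incomplete:  # wait for the next TCP segment
                return
            side[0] = side[0][end:]
            side[1].pop(0)
            self.events.append((now, name, detail))

def socks_setup_time(events):
    """Seconds from methods request to connect reply: the blue bar in the post's graph."""
    times = {name: t for t, name, _ in events}
    return times["SocksConnectResponse"] - times["SocksMethodsRequest"]

def demo():
    """Constructed CONNECT to freedomboxblog.nl:80 (sample bytes, not a capture)."""
    host = b"freedomboxblog.nl"
    connect = b"\x05\x01\x00\x03" + bytes([len(host)]) + host + struct.pack("!H", 80)
    dec = Socks5Decoder()
    dec.feed_client(b"\x05\x01\x00", 0.249)  # browser offers "no authentication"
    dec.feed_server(b"\x05\x00", 0.300)      # Tor selects it
    dec.feed_client(connect[:6], 0.301)      # request arrives in two segments
    dec.feed_client(connect[6:], 0.302)
    dec.feed_server(b"\x05\x00\x00\x01" + bytes(6), 1.291)  # success, bound to 0.0.0.0:0
    return dec.events
```

Calling demo() yields one event per handshake message; socks_setup_time() on that list is the figure the blue bars in the report graph represent.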

All collected data is converted into a nice report that can be viewed by contacting an internal mini webserver that lives at: http://mitm.proxy.

The report consists of the following sections:

A time graph of all connections. The graph uses SVG so you need a recent browser to display the results.

In the graph you see the following information:

  • Each line is a separate connection.
  • Blue bars show the total time to handle the Socks protocol (DNS request+TCP connection).
  • Gray bars show the time between a Http request and the start of a response (waiting time).
  • Green bars show the time between the start and end of a Http response (transfer time).
  • Green dots are displayed when there is no response body, or if the time of the response body is too short to display.
  • On the right side of the graph are a number of circles that indicate if a connection is open or closed.

Each bar or circle in the graph has a tool-tip and a link connected to it. If you click on a bar you navigate to the connection information.

Server information:

This section shows the following statistics of the servers that were connected:

Server freedomboxblog.nl:80
Connections 8 (still open : 6)
Requests 15
Responses 15
MeanResponseTime 2.025
TotalConnectionTime there are still open connections

Connection information:

This information can be quite substantial. In the table below you only see the first lines of a request and response. You can use the settings page to change this to all the header lines.

ID 435
Server port 80
000.249 SocksRequestStart freedomboxblog.nl
001.291 SocksResponseEnd freedomboxblog.nl
001.292 HttpRequestStart GET / HTTP/1.1
004.293 HttpResponseStart HTTP/1.1 200 OK
005.332 HttpResponseEnd 20522
005.333 HttpRequestStart GET /wp-includes/js/l10n.js?ver=20101110 HTTP/1.1
007.318 HttpResponseStart HTTP/1.1 200 OK
007.318 HttpResponseEnd 221
010.390 HttpRequestStart GET /wp-content/themes/graphene/images/sprite_h.png HTTP/1.1
012.338 HttpResponseStart HTTP/1.1 200 OK
012.338 HttpResponseEnd 1378

How to use MITM.

MITM is a Python 2.x program that uses the Twisted event-driven networking framework. You can download MITM by pressing this link. MITM has been tested with OpenSuse 11.3 and Firefox > 4. You need at least Firefox version 4 to see the SVG graphics.

In order to use MITM effectively you need to create and use a special Firefox profile. Use the following steps:

  • Close all Firefox instances.
  • In a terminal window type: firefox -ProfileManager.
  • In the dialog press: Create Profile and answer the questions (more details)

If you named your profile “mitm” you can start using this profile by typing:

firefox -P mitm -no-remote

The first time you start you have to change the configuration of the profile:

Feeds.

Remove all feeds if they are present.

Network configuration.

Edit Preferences:Advanced:Network:Connection-Settings
Choose: Manual proxy configuration,
Socks Host 127.0.0.1 Port 9000
Socks v5
Clear the “No proxy for” setting.

Save these settings and open the about:config page. Filter on socks_remote_dns and change this setting to true.

History.

On the privacy tab choose: Never remember history.

With these settings in place and Tor running you can start mitm_proxy.py. To display the results I usually open a second tab and navigate to http://mitm.proxy.

Some extra functions.

MITM does not only monitor all communication, it can also delay Socks connect requests and HTTP requests. This function can be used together with some bandwidth limiting software to simulate a slow Tor connection.

MITM can also take measurements without connecting to Tor. On the settings page there is an option to use an internal Socks5 server.

Limitations and final words.

The HTTP specification(s) are large documents with many sections that are open to interpretation (confusing). This makes it difficult to write an HTTP decoder that’s 100% bulletproof. I did not try to handle all possible aspects of the specification. I just wanted something uncomplicated that is correct most of the time. Feel free to contact me if you find a problem.

MITM is my first Python program. I tried to make it as Pythonic as possible. Don’t hesitate to contact me if something in the code is less optimal. I like to learn more.

SSH access from the internet to my FreedomBox http://freedomboxblog.nl/ssh-access-from-the-internet-to-my-freedombox/ http://freedomboxblog.nl/ssh-access-from-the-internet-to-my-freedombox/#comments Sat, 02 Jul 2011 12:35:11 +0000 robvanderhoeven http://freedomboxblog.nl/?p=216

On my FreedomBox I want SSH access from the internet for the following reasons:

  • My FreedomBox is designed to be shared with family and friends, any user can get his/her own private virtual machine(s). To remotely manage a virtual machine SSH access is needed.
  • SSH can be used as a secure inter-FreedomBox communication channel.

Using virtual machines complicates the use of SSH. Each virtual machine has its own IP address, and the FreedomBox only has one external IP address. There must be a way to connect this external address to one of the many internal addresses. Fortunately SSH is very flexible and it is possible to do this very elegantly.

Read this first.

This article is one in a series that describes the building of my FreedomBox. Not all information from the previous articles is repeated.

The method.

On my FreedomBox the external IP address is connected to a special virtual machine which I call the internet module. This internet module acts as a gateway to the host system and all the other virtual machines.

[client (A)] --> Internet --> [internet module (IM)] -->  n*[virtual machine (B)]

If you want an SSH connection from client A to a virtual machine B you need two SSH connections. First you make a connection from A to an account on the internet module (IM). From this connection you make a second connection from IM to B. Making connections this way is not transparent: machine A does not know it is connected to machine B, and machine B does not know it is connected to machine A. Because the machines are not connected directly, some SSH commands do not behave normally, or may not work at all.

Fortunately there is an elegant way to let both machines think they have a direct connection. For this you have to use the ProxyCommand statement in the ~/.ssh/config configuration file. With this statement you can specify a shell command that makes the connection to the remote system. The SSH client then uses the resulting stdin/stdout of the command as a channel to the remote SSH server.

For a transparent connection the returned stdin/stdout must be connected to the SSH port of the target server. The trick to get this done involves the following steps. First make a connection to the gateway system. On the gateway system start a program that returns a connection to the target system. Return this connection to the client.

Enough theory, here’s the ~/.ssh/config setting I use to connect to my freedomboxblog VM over the internet:

Host freedomboxblog
  ProxyCommand ssh -p 99999 -qax guest@freedomboxblog.nl nc -w 1 freedomboxblog.freedom.box 22

I use ssh to log in on the guest account of my internet module. Then the netcat program is used to make a connection to the freedomboxblog VM. This connection is returned and used by the SSH client to connect to “host freedomboxblog”.

On the internet module I only allow RSA authentication for the guest account. This is not only the most secure way, but it also prevents the password pop-up. With RSA authentication it is not possible to log-in if you don’t have the private key. Unfortunately many people still try to log in by brute force. To prevent these attacks I use a non-standard SSH port (see my firewall article).

The configuration.

Client side:

cd ~/.ssh

Edit the config file, add the following lines:

Host myhost
  ProxyCommand ssh -p 99999 -qax guest@mydomain.com nc -w 1 myhost.freedom.box 22

Create RSA authentication keys:

ssh-keygen

This command creates two keys with your username. The one ending with .pub is needed by the internet module on the FreedomBox.

scp yourusername.pub root@internet.freedom.box:~

The internet module.

ssh root@internet.freedom.box

Install netcat:

apt-get install netcat

Create a guest user:

useradd -m guest
cd /home/guest

Add your public key to the authorized users of this account:

mkdir .ssh
cd .ssh
cat /root/yourusername.pub >> authorized_keys

Edit /etc/ssh/sshd_config so it has the following settings:

PasswordAuthentication no
AllowUsers guest

Restart ssh:

/etc/init.d/ssh restart

Now you can only log in using the guest account, and only if you have one of the private keys belonging to the public keys in /home/guest/.ssh/authorized_keys.
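An added example (not one of the article's commands) that checks an sshd_config for the two settings above the way sshd itself reads the file: keywords are case-insensitive, the first occurrence of a keyword wins, and anything after a Match line is conditional, so the checker stops there. The sample configurations are constructed.

```python
import shlex

def parse_sshd_config(text):
    """Global-section directives as {keyword_lowercase: [args]}; first occurrence wins, as in sshd."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # sshd accepts both "Keyword value" and "Keyword=value"
        head = line.split("=", 1)[0]
        if "=" in line and " " not in head and "\t" not in head:
            key, rest = line.split("=", 1)
        else:
            parts = line.split(None, 1)
            key, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        key = key.lower()
        if key == "match":
            break  # what follows applies only to matching connections; not checked here
        directives.setdefault(key, shlex.split(rest))
    return directives

def audit_gateway_sshd(text, allowed_users=("guest",)):
    """Findings for the internet module's sshd_config; an empty list means it matches the article."""
    d = parse_sshd_config(text)
    findings = []
    if (d.get("passwordauthentication") or ["yes"])[0].lower() != "no":   # sshd default: yes
        findings.append("PasswordAuthentication is not 'no': password guessing remains possible")
    users = d.get("allowusers")
    if users is None:
        findings.append("AllowUsers missing: every account, root included, may log in")
    elif set(users) != set(allowed_users):
        findings.append(f"AllowUsers is {users}, expected {sorted(allowed_users)}")
    if (d.get("pubkeyauthentication") or ["yes"])[0].lower() != "yes":
        findings.append("PubkeyAuthentication disabled: key-only login to guest cannot work")
    return findings

# Constructed: a stock sshd_config before the article's two edits ...
SAMPLE_SSHD = """\
# Package generated configuration file
Port 22
PermitRootLogin yes
PubkeyAuthentication yes
PasswordAuthentication yes
"""

# ... and after them.
HARDENED_SSHD = """\
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
AllowUsers guest
"""

if __name__ == "__main__":
    for finding in audit_gateway_sshd(SAMPLE_SSHD):
        print(finding)
```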

The next time you try:

ssh root@internet.freedom.box

you get:

Permission denied (publickey).

So in order to get root access you first have to log in to the guest account and then use the su command.

Adding a firewall and NAT to my FreedomBox http://freedomboxblog.nl/adding-a-firewall-and-nat-to-my-freedombox/ http://freedomboxblog.nl/adding-a-firewall-and-nat-to-my-freedombox/#comments Thu, 09 Jun 2011 14:23:58 +0000 robvanderhoeven http://freedomboxblog.nl/?p=191

Something every FreedomBox should have is a firewall combined with NAT functionality. These functions are provided by every router, so why not let the router take care of these functions? There are several reasons against using the router for these functions:

  • Firewall and NAT functions are of vital importance for the security of a FreedomBox. These functions should therefore be implemented on the FreedomBox hardware and not be delegated to third-party hardware. Most routers don’t come with source code or hardware specs and cannot be fully trusted.
  • The FreedomBox cannot control the firewall or NAT of a particular router. There are just too many different brands and models. As a device for non-technical users the FreedomBox cannot ask the user to manage the router firewall and NAT every time a new program is (de-)installed.
  • Having a firewall on the FreedomBox gives us the possibility to log attacks and implement our own countermeasures.

Read this first.

This article is one in a series that describes the building of my FreedomBox. Not all information from the previous articles is repeated.

A short overview of my FreedomBox architecture.

In order to understand the configuration of the firewall you need to have a high level view of the architecture of my FreedomBox. In my architecture I use virtual machines (Linux Containers: LXC) that are all part of the same bridged network br0. All VMs use DHCP to get an IP address. There are two static IP addresses:

192.168.1.3

This is the address of the br0 interface (a.k.a. the internal address of my FreedomBox).

192.168.1.10

This address belongs to a special VM: the internet module. The internet module is a so-called bastion host. A bastion host is a special hardened system that is placed in the DMZ of the router as a gateway to the internal systems (or programs).

In my architecture I try to run every service that is connected to the internet inside its own VM. Access from the internet to a service inside a VM always passes the internet module first.

Sometimes it is not possible to run a service inside a VM. In that case I use NAT to route incoming requests from the DMZ (IP: 192.168.1.10) to the host system (IP: 192.168.1.3). At the moment OpenVPN is the only service connected to the internet that is running directly on the host.

Objectives.

Installing a firewall/NAT should accomplish the following:

  • Strengthen the isolation of the VMs.
  • Make it possible to have firewall settings for a single VM or a group of VMs.
  • Prevent VMs from accessing services on the host system, except for some necessary services.
  • Create routes for traffic that cannot be routed by the internet module.
  • Make it possible to run services on non-standard ports.
  • Forward traffic to other FreedomBox systems.
  • Log attacks.

Some small adjustments.

In order to integrate the firewall into my FreedomBox I had to make the following changes to my setup:

  • Add a vendor class identifier to the DHCP request of an LXC module.
  • Use the vendor class identifier to give LXC modules IP addresses from a separate DHCP range.

For the vendor class identifier I changed my lxc-debian-box script. Click the link for the update. If you have already made some LXC modules you can bring them up to date by adding the following line to the /etc/dhcp/dhclient.conf file inside the container:

send vendor-class-identifier "lxc.module";

The vendor-class-identifier is used by dnsmasq. The file /etc/dnsmasq.conf should be edited as follows:

change:

dhcp-range=192.168.1.10,192.168.1.250,12h

to:

dhcp-vendorclass=set:lxc,lxc.module
dhcp-range=net:lxc,192.168.1.10,192.168.1.50,12h
dhcp-range=192.168.1.100,192.168.1.150,12h

Restart dnsmasq and all the containers to activate the changes.

Installing Shorewall.

On my FreedomBox I use Shorewall for the firewall/NAT functions. It is a very mature and flexible program. Installing is simple:

apt-get install shorewall

Configuring Shorewall.

Shorewall is well documented so I only give a quick overview before presenting my Shorewall configuration.

Central in the Shorewall configuration is the concept of zones. A zone is one-to-one coupled to a network interface. If it is necessary to have multiple zones within the same network (this is the case with my FreedomBox) you can specify sub-zones. Only traffic between different (sub-)zones is examined by the firewall. Default actions for inter-zone traffic are specified by a policy. Exceptions to the policy are specified by rules.

All Shorewall configuration files are in the directory /etc/shorewall. After installation this directory contains only one file (shorewall.conf), which does not have to be changed. The actual configuration is in the files:

  • interfaces – specifies which network interface belongs to which zone.
  • zones – defines zones and sub-zones
  • hosts – specifies sub-zones
  • policy – the default actions for inter-zone traffic
  • rules – the exceptions to the policy
  • tunnels – needed for VPN
  • routestopped – specifies the state after Shorewall is stopped.

I have the following configuration:

interfaces

#ZONE   INTERFACE     BROADCAST     OPTIONS

net     br0           detect        bridge,dhcp
vpn     tap0

On my system there are two network interfaces. br0 is placed in the net zone; this zone represents the internet. For OpenVPN I have a second zone (I will write about my OpenVPN configuration in a later article).

zones

#                                 IN          OUT
#ZONE       TYPE      OPTIONS     OPTIONS     OPTIONS

fw          firewall
vpn         ipv4

net         ipv4
loc:net     ipv4
vmnet:net   ipv4
imod:vmnet  ipv4

The fw zone is a special firewall zone. Think of “fw” as the system on which Shorewall runs. The net zone is split into two sub-zones: loc and vmnet. Loc stands for all the systems that are not VMs; the VMs are in the vmnet zone. One special VM, the internet module, is placed inside its own imod sub-zone.

hosts

#ZONE     HOST(S)                           OPTIONS

imod      br0:192.168.1.10
vmnet     br0:192.168.1.11-192.168.1.50     routeback
loc       br0:192.168.1.100-192.168.1.150   routeback

This file defines all the sub-zones.
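The sub-zones only isolate a VM if its DHCP lease actually lands inside the vmnet range; a lease that falls outside every hosts entry is treated as plain net (and dropped), and one that strays into loc is trusted completely. The following added example (not the author's script) cross-checks the dnsmasq ranges from the previous section against the hosts entries above. The sample lines are copied from this article; the INTENT map, which says which sub-zones each dhcp-range may feed, is an assumption about the design.

```python
import ipaddress

# Constructed from this article's snippets: the dnsmasq lines from the
# "Some small adjustments" section plus the static lease of the internet module.
DNSMASQ_CONF = """\
dhcp-vendorclass=set:lxc,lxc.module
dhcp-range=net:lxc,192.168.1.10,192.168.1.50,12h
dhcp-range=192.168.1.100,192.168.1.150,12h
dhcp-host=internet,192.168.1.10,infinite
"""

SHOREWALL_HOSTS = """\
#ZONE     HOST(S)                           OPTIONS
imod      br0:192.168.1.10
vmnet     br0:192.168.1.11-192.168.1.50     routeback
loc       br0:192.168.1.100-192.168.1.150   routeback
"""

# Assumed design intent: the zones a dhcp-range (keyed by its tag, None = untagged) may feed.
INTENT = {"lxc": {"imod", "vmnet"}, None: {"loc"}}

def parse_dhcp_ranges(text):
    """[(tag_or_None, first, last)] from dhcp-range= lines; tag: or legacy net: selects clients."""
    ranges = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("dhcp-range="):
            continue
        fields = line[len("dhcp-range="):].split(",")
        tag = None
        while fields[0].startswith(("tag:", "net:", "set:")):
            kind, name = fields.pop(0).split(":", 1)
            if kind != "set":          # set: only labels the client, it does not select it
                tag = name
        ranges.append((tag, ipaddress.ip_address(fields[0]), ipaddress.ip_address(fields[1])))
    return ranges

def parse_dhcp_hosts(text):
    """{hostname: ip} from active dhcp-host=name,ip[,lease] lines."""
    hosts = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("dhcp-host="):
            fields = line[len("dhcp-host="):].split(",")
            hosts[fields[0]] = ipaddress.ip_address(fields[1])
    return hosts

def parse_shorewall_hosts(text, interface="br0"):
    """[(zone, first, last)] from Shorewall hosts lines for one interface (single, range or CIDR)."""
    zones = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        zone, spec = line.split()[:2]
        iface, addr = spec.split(":", 1)
        if iface != interface:
            continue
        if "-" in addr:
            a, b = addr.split("-")
            first, last = ipaddress.ip_address(a), ipaddress.ip_address(b)
        else:
            net = ipaddress.ip_network(addr, strict=False)
            first, last = net[0], net[-1]
        zones.append((zone, first, last))
    return zones

def zone_of(ip, zones, parent="net"):
    """Sub-zone containing ip; a host matched by no hosts entry stays in the parent zone."""
    for zone, first, last in zones:
        if first <= ip <= last:
            return zone
    return parent

def check_alignment(dhcp_text, hosts_text, intent=INTENT):
    """Findings for DHCP ranges that reach a zone they are not meant to feed."""
    zones = parse_shorewall_hosts(hosts_text)
    findings = []
    for tag, first, last in parse_dhcp_ranges(dhcp_text):
        allowed = intent.get(tag, set())
        hit = {zone_of(ipaddress.ip_address(n), zones) for n in range(int(first), int(last) + 1)}
        if not hit <= allowed:
            findings.append(f"dhcp-range {first}-{last} (tag {tag}) reaches zones "
                            f"{sorted(hit)}, allowed {sorted(allowed)}")
    return findings

if __name__ == "__main__":
    print(check_alignment(DNSMASQ_CONF, SHOREWALL_HOSTS) or "DHCP ranges and sub-zones agree")
```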

policy

#SOURCE	    DEST     POLICY     LOG LEVEL     LIMIT:BURST

net         all      DROP       info

imod        vmnet    ACCEPT
imod        all      REJECT     info

vmnet       net      ACCEPT
vmnet       all      REJECT     info

loc         all      ACCEPT
$FW         all      ACCEPT
vpn         all      ACCEPT

# The FOLLOWING POLICY MUST BE LAST

all         all      REJECT     info

The policies are examined from top to bottom and the first match cancels further processing of policies. You can see that no traffic from the net zone to any other zone is allowed by the default policy. The exceptions to the policies are in the rules configuration file.

rules

#                                                           DEST     SOURCE     ORIGINAL     RATE     USER/     MARK
#ACTION        SOURCE      DEST                     PROTO   PORT     PORT(S)    DEST         LIMIT    GROUP

SECTION NEW

Ping(DROP)     net         all

# enable DHCP and DNS access for zones on the freedombox

ACCEPT         imod        $FW                      udp     67:68
DNS(ACCEPT)    imod        $FW

ACCEPT         vmnet       $FW                      udp     67:68
DNS(ACCEPT)    vmnet       $FW

ACCEPT         loc         $FW                      udp     67:68
DNS(ACCEPT)    loc         $FW

# enable HTTP and SSH access, use a non-standard port for SSH

ACCEPT:info    net         imod                     tcp     http
DNAT:info      net         imod:192.168.1.10:22     tcp     99999

# enable OpenVPN

DNAT:info      net         fw:192.168.1.3:1194      udp     1194

The only traffic from the net zone to my FreedomBox is HTTP, SSH and OpenVPN traffic.

It’s amazing how many people try a brute-force attack on your SSH port, even if you clearly indicate that it is only possible to log in with RSA. I got very annoyed by the constant flickering of my LAN light, so for SSH I’m using a non-standard port (not port 99999 ;-) ).

tunnels

#TYPE                ZONE    GATEWAY      GATEWAY_ZONE

#openvpnserver:1194  net     0.0.0.0/0

routestopped

#                                               DEST      SOURCE
#INTERFACE     HOST(S)    OPTIONS     PROTO     PORTS     PORTS

br0            -          source

Running Shorewall

With the configuration in place Shorewall can be started. The Debian packagers have wisely prevented Shorewall from starting by default. To enable it you have to edit /etc/default/shorewall and change the startup configuration option. Shorewall is a very flexible program. This flexibility comes at a price: it is very easy to make a mistake, and mistakes can lock you out. I think it is best to start Shorewall manually. If you make a mistake you can correct the error after restarting the system.

A WordPress module for my FreedomBox http://freedomboxblog.nl/a-wordpress-module-for-my-freedombox/ http://freedomboxblog.nl/a-wordpress-module-for-my-freedombox/#comments Mon, 02 May 2011 14:36:07 +0000 robvanderhoeven http://freedomboxblog.nl/?p=172

Until now everything I built was “just infrastructure”. The WordPress module is the first module that uses the infrastructure. Building a WordPress module as the first “real” module had two reasons. First: I need the module to house this blog :-) . Second: the configuration and data inside the module is reasonably complex. This makes it ideal to develop and test the data-interface of my FreedomBox architecture.

Creating a WordPress module consists of the following steps:

  • Create an LXC container to house the module.
  • Install MySQL.
  • Install PHP & Co.
  • Install a Mail Transfer Agent (Exim4).
  • Install and configure WordPress.
  • Configure Apache.
  • Configure the internet module.

Read this first.

This article is one in a series that describes the building of my FreedomBox. Information from the previous articles like network and software configuration is not repeated.

Create an LXC container to house the module.

cd /var/lib/lxc
mkdir wordpress
/usr/lib/lxc/templates/lxc-debian-box -n wordpress -p /var/lib/lxc/wordpress

Start the container and continue installation.

lxc-start -n wordpress -d

Login (password = root)

ssh root@wordpress.freedom.box

Inside the container issue the following commands:

passwd
dpkg-reconfigure tzdata
dpkg-reconfigure locales
apt-get update
apt-get upgrade

Choose both a locale and default locale (my system: es_US.UTF-8).

Install MySQL.

apt-get install mysql-server

Install PHP & Co.

apt-get install php5 php5-mysql php-apc

Installation of PHP triggers the installation of Apache2. The php-apc package caches the byte codes of the PHP interpreter. This makes PHP execution much faster.

Install the Exim4 MTA.

WordPress needs an MTA to send notifications to the blog admin/user. I use a version of Exim4 that is probably way too powerful for this simple task.

apt-get install exim4-daemon-heavy

After installation you can use the following command to configure Exim4:

dpkg-reconfigure exim4-config

Most configurations should be “mail sent by smarthost”.

Install and configure WordPress.

I found the Debian WordPress configuration a little bit confusing so I decided to install the official version:

apt-get install wget

cd /var/www

wget http://wordpress.org/latest.tar.gz
tar xfvz latest.tar.gz

Create a WordPress database:

mysql -u root -p 

mysql> CREATE DATABASE wordpress;
mysql> GRANT ALL PRIVILEGES ON wordpress.* TO 'wordpress'@'localhost' IDENTIFIED BY 'password';
mysql> FLUSH PRIVILEGES;
mysql> exit

Change the password in the line with the privileges statement (do not remove the quotes).
Create and edit a wp-config.php:

cd /var/www/wordpress
cp wp-config-sample.php wp-config.php

Install your favorite text editor and edit wp-config.php. Change the MySQL settings and use the link in the “Authentication Unique Keys and Salts” section to get unique values.

The www-data user needs to be the owner of /var/www/wordpress.

cd /var/www/wordpress
chown -R www-data:www-data *

Remember: every time you edit one of the files in the wordpress directory you have to change the ownership to www-data afterwards.

Configure Apache2.

In my FreedomBox every request to Apache comes from the Nginx web-server in the internet module. Therefore Apache thinks that every request comes from the same IP address. This must be corrected, otherwise things like logging and surveys won’t work as expected. To correct the IP address mod_rpaf must be installed and configured:

apt-get install libapache2-mod-rpaf
cd /etc/apache2/mods-enabled

Edit rpaf.conf. Add the IP address of the internet module (192.168.1.10) to RPAFproxy_ips.
Make a symbolic link to mod_rewrite so you can have “pretty urls” in WordPress:

ln -s ../mods-available/rewrite.load

Create a file with the name wordpress inside the directory /etc/apache2/sites-available
The file should contain something like:

<VirtualHost *:80>
	ServerAdmin yourname@yourdomainname.com
	ServerName wordpress.yourdomainame.com 
	DocumentRoot /var/www/wordpress

	<Directory />
		Options FollowSymLinks
		AllowOverride None
	</Directory>

	<Directory /var/www/wordpress>
		Options Indexes FollowSymLinks MultiViews
		AllowOverride All
		Order allow,deny
		allow from all
	</Directory>

	ErrorLog ${APACHE_LOG_DIR}/error.log
	# Possible values include: debug, info, notice, warn, error, crit,
	# alert, emerg.

	LogLevel warn
	CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

Change both ServerAdmin and ServerName.
Enable the site by creating a symbolic link in /etc/apache2/sites-enabled and by restarting the Apache web-server.

cd /etc/apache2/sites-enabled
ln -s ../sites-available/wordpress
apache2ctl restart

Configure the internet module to forward requests to the WordPress module.

Logout from the WordPress module and connect to the internet module:

ssh root@internet.freedom.box

Edit the Nginx configuration in /etc/nginx/nginx.conf. Make it look like:

user  www-data;
worker_processes  1;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;
#pid        logs/nginx.pid;

events {
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log /var/log/nginx/access.log main;

    gzip              on;
    sendfile          on;
    keepalive_timeout 65;
    server_names_hash_bucket_size 64;

    server {
      # this is a catch-all for requests with none of our hosts

      listen 80 default;
      location / { return 403; }
    }

    server {
      server_name wordpress.yourdomainame.com;

      location / {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;

        proxy_pass http://wordpress.freedom.box;
      }
    }
}

Change the server_name setting to the domain name you used inside the WordPress module.
Restart nginx:

/etc/init.d/nginx restart
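Two halves make the client address trustworthy here: Nginx sets X-Forwarded-For to $remote_addr (overwriting anything the client sent, so Apache always sees exactly one hop), and rpaf.conf's RPAFproxy_ips restricts which peer may set it at all. The following added example (not mod_rpaf's code, and not part of the article) shows that trust rule; the walk over a chain of trusted proxies from the right is a generalisation of my own, and the sample requests are constructed.

```python
import ipaddress

# The only host allowed to speak for the client: the internet module, as listed
# in rpaf.conf (RPAFproxy_ips 192.168.1.10).
TRUSTED_PROXIES = frozenset({ipaddress.ip_address("192.168.1.10")})

def client_address(peer_ip, x_forwarded_for, trusted=TRUSTED_PROXIES):
    """Address the application should log and rate-limit on.

    Rule modelled on mod_rpaf: X-Forwarded-For is believed only when the TCP
    peer is a trusted proxy. Generalised (assumption, not mod_rpaf's exact
    algorithm) to a chain: walk the header from the right, skip trusted hops,
    and the first untrusted hop is the client.
    """
    peer = ipaddress.ip_address(peer_ip)
    if peer not in trusted or not x_forwarded_for:
        return str(peer)                 # direct connection: the header is untrusted input
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)             # malformed header: never log attacker-chosen text
        if addr not in trusted:
            return str(addr)
    return str(peer)                     # every hop was a proxy; nothing better to report

# Constructed requests: (TCP peer seen by Apache, X-Forwarded-For header value)
SAMPLE_REQUESTS = [
    ("192.168.1.10", "203.0.113.7"),                # normal: via Nginx, one hop
    ("192.168.1.10", "203.0.113.7, 192.168.1.10"),  # a chain of proxies
    ("192.168.1.42", "203.0.113.7"),                # did not come through Nginx: header ignored
    ("192.168.1.10", "not-an-ip"),                  # junk from a misbehaving proxy
]

def resolve_all(requests=SAMPLE_REQUESTS):
    """Client address for each sample request, in order."""
    return [client_address(peer, xff) for peer, xff in requests]

if __name__ == "__main__":
    for (peer, xff), client in zip(SAMPLE_REQUESTS, resolve_all()):
        print(f"peer={peer:<14} xff={xff!r:<32} -> client={client}")
```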

Configure your router.

If you configure your router to forward port 80 to the internet module you can start blogging!

My FreedomBox internet module part 1 http://freedomboxblog.nl/my-freedombox-internet-module-part-1/ http://freedomboxblog.nl/my-freedombox-internet-module-part-1/#comments Mon, 02 May 2011 14:35:31 +0000 robvanderhoeven http://freedomboxblog.nl/?p=163

My FreedomBox architecture is built from isolated LXC modules, each having its own local IP address. A FreedomBox only has one internet address so there must be a component to route traffic from the internet to the various FreedomBox modules. This internet module is a vital part of the architecture.

On my FreedomBox I want the internet module to route traffic to the following services:

  • Web-server modules. Example: A WordPress module.
  • SSH servers. Some modules may support ssh access.
  • E-Mail modules. SMTP / POP / IMAP and Webmail.
  • Storage modules. I want to give family and friends some space on my FreedomBox for (encrypted) backups.

At the moment I have only implemented routing from the internet to web-server modules. The other routing functions of the internet module are still being researched. Building the internet module with web-server routing consists of the following steps:

  • Create an LXC container to house the module.
  • Instruct the DHCP server to give the container a static IP address.
  • Start the container and continue installation.
  • Install Nginx as reverse proxy.
  • Adjust the router settings.

Read this first.

This article is one in a series that describes the building of my FreedomBox. Information from the previous articles like network and software configuration is not repeated.

Create the LXC internet container.

cd /var/lib/lxc
mkdir internet
/usr/lib/lxc/templates/lxc-debian-box -n internet -p /var/lib/lxc/internet

Give the internet container a static IP address.

Edit /etc/dnsmasq.conf, find the commented-out dhcp-host line and replace it with the second line shown here:

#dhcp-host=bert,192.168.0.70,infinite
dhcp-host=internet,192.168.1.10,infinite

NOTE: make sure that the address is within the specified dhcp-range setting.
Restart dnsmasq:

/etc/init.d/dnsmasq restart

Start the container and continue installation.

lxc-start -n internet -d

Login: (password = root)

ssh root@internet.freedom.box

Inside the container issue the following commands:

passwd
dpkg-reconfigure tzdata
dpkg-reconfigure locales
apt-get update
apt-get upgrade
ifconfig

Choose both a locale and default locale (my system: es_US.UTF-8).
The IP address that ifconfig reports should be the one specified in dnsmasq.conf.

Install Nginx as a reverse proxy.

Nginx has great features that make it ideal to act as a reverse proxy (a proxy from the internet to the system) inside the internet module. It supports HTTP, SMTP, POP3, IMAP and uWSGI. These are all things that I want.

Unfortunately Debian only has a legacy version (0.7.67) in its repository. This version does not support the uwsgi protocol that is used by Python-powered websites. The lack of Python support and the fact that version 0.7.67 is basically a two-year-old version with bug fixes made me decide to compile the newest version (1.0.0).

Compiling is simple and painless:

apt-get install wget
apt-get install gcc
apt-get install make
apt-get install libpcre3 libpcre3-dev
apt-get install openssl libssl-dev

cd /usr/src

wget http://nginx.org/download/nginx-1.0.0.tar.gz
tar xfvz nginx-1.0.0.tar.gz

cd nginx-1.0.0

./configure \
  --conf-path=/etc/nginx/nginx.conf \
  --lock-path=/var/lock/nginx.lock \
  --error-log-path=/var/log/nginx/error.log \
  --http-log-path=/var/log/nginx/access.log \
  --pid-path=/var/run/nginx.pid \
  --http-client-body-temp-path=/var/run/nginx/client_body_temp \
  --http-proxy-temp-path=/var/run/nginx/proxy_temp \
  --http-fastcgi-temp-path=/var/run/nginx/fastcgi_temp \
  --http-uwsgi-temp-path=/var/run/nginx/uwsgi_temp \
  --http-scgi-temp-path=/var/run/nginx/scgi_temp \
  --with-mail \
  --with-mail_ssl_module \
  --with-http_ssl_module \
  --user=www-data \
  --group=www-data \
  --with-cc-opt="-DNGX_HAVE_ACCEPT4=0"

make
make install

mkdir -p /var/run/nginx/client_body_temp
mkdir -p /var/run/nginx/proxy_temp
mkdir -p /var/run/nginx/fastcgi_temp
mkdir -p /var/run/nginx/uwsgi_temp
mkdir -p /var/run/nginx/scgi_temp

These commands install Nginx in /usr/local/nginx/sbin. The only thing that’s missing now is an init.d script. I use the following (too simple?) script:

#! /bin/sh

### BEGIN INIT INFO
# Provides:          nginx
# Required-Start:    $local_fs $remote_fs $network $syslog
# Required-Stop:     $local_fs $remote_fs $network $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: starts the nginx web server
# Description:       starts nginx using start-stop-daemon
### END INIT INFO

PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
DAEMON=/usr/local/nginx/sbin/nginx
NAME=nginx
DESC=nginx

# Include nginx defaults if available
if [ -f /etc/default/nginx ] ; then
    . /etc/default/nginx
fi

test -x $DAEMON || exit 0
set -e

. /lib/lsb/init-functions

case "$1" in
    start)
        echo -n "Starting $DESC: "
        $DAEMON
        echo "$NAME."
        ;;
    stop)
        echo -n "Stopping $DESC: "
        $DAEMON -s stop
        echo "$NAME."
        ;;
    restart|force-reload)
        echo -n "Restarting $DESC: "
        $DAEMON -s stop
        sleep 1
        $DAEMON
        echo "$NAME."
        ;;
    reload)
        echo -n "Reloading $DESC configuration: "
        $DAEMON -s reload
        echo "$NAME."
        ;;
    configtest)
        echo -n "Testing $DESC configuration: "
        $DAEMON -t
        ;;
    status)
        status_of_proc -p /var/run/$NAME.pid "$DAEMON" nginx && exit 0 || exit $?
        ;;
    *)
        echo "Usage: $NAME {start|stop|restart|reload|force-reload|status|configtest}" >&2
        exit 1
        ;;
esac
exit 0

Copy this code into a new file and save it as nginx in the directory: /etc/init.d
Check if everything works:

/etc/init.d/nginx start

If you browse to http://internet.freedom.box you should see the Nginx welcome message.
Make the script run at startup:

cd /etc/init.d
update-rc.d nginx defaults

Adjust the router settings.

The router can now forward requests to the internet module. This is not very interesting at the moment (you will only see the Nginx welcome message). In the next article I will build a WordPress module and connect this module to the internet module.
