Unstick a LinkStation Disk Backup

Imagine this… you have two decent network attach storage boxes which regularly backup one to the other using a built in Disk Backup tool –  Brilliant huh, sounds almost like a nerdy dream! Now imagine part way through a backup you get a power cut or you just trip over the power cable ripping the plug out the wall… not to worry, things will pick up where they left off… unless those decent boxes are Buffalo LinkStations!

I first discovered this flaw a few weeks back when one of my nightly backups seemed to be taking longer than usual. I gave the box about a day or so to try and fix itself but it still kept saying that the disk backup was in progress and in the admin interface and I was unable to cancel or remove the backup, so it was pretty much stuck as you can see below:

stuck-backup

I headed to the official Buffalo support website which seemed to have a fix for this common problem – See for yourself below:

buffalo-stuck-disk-backup
Okay so you have to restore the box to factory defaults… no thanks! I can only assume that because the HS-DHGL is one of their older discontinued products they just can’t be bothered to make a firmware update as it’s not worth their time or effort, but the other option is to use SSH to edit a file which will force the backup to complete.

Getting Unstuck

The following guide will assume you have already enabled SSH and are logged in ready to go, if you haven’t yet enabled SSH see this post here.

  • First of all we need to locate the backup configuration file and this depends on the job number specified on the admin interface, in my case it was number 1 so we need to type in the following command to open the file in a text editor:
    • "vi /etc/melco/backup1"
  • You will now see the configuration file open, hit I (for indigo) on your keyboard to allow inserting of new text and change the line status=running to status=done
  • Hit the Escape key and then type :wq to save your changes and quit
  • Head back to the admin interface to the Disk Backup section and you’ll now see the backup showing as complete as seen below:
    job-complete
  • That’s it – The backup is unstuck, and we haven’t had to restore anything to factory defaults!

Notes

  • This has been tried and tested on the following models/firmware: HS-DHGL/v2.1
  • Finally, if you could let me know if you encounter any problems or can confirm if this works for other models I’d be grateful

Encrypted AES VPN tunnel between pfSense 2.3 and Ubiquiti EdgeRouter Lite

I recently retired my Draytek 2830 following a serious security flaw I discovered (that’s another post, stay tuned!) and took the plunge with a rather impressive looking Ubiquiti EdgeRouter Lite.

The other option was a rack mountable TP-Link TL-ER6020 although the maximum NAT throughput was only 180Mbps and it only had 128MB  DDR2 memory and no clear CPU specs, also the web interface looked tired and very restricted. Pound for pound the EdgeRouter was cheaper and has a better spec of anywhere up to and over 600Mbps, 512MB DDR2 memory and Dual‑Core 500 MHz, although it wasn’t rack mountable it was a no brainer with its modern web interface, also did I mention it can process 1 million packets per second?

The EdgeRouter also appeals to my inner nerd  (you can no doubt tell) as you can program it via web interface, command line or console connection and you can remove features you don’t need to boost performance. For example, it may only have 3 gigabit ports, but you can do whatever you like with them! In my case I have it configured as 1 WAN port and the other 2 ports are linked to two seperate LAN’s. I will write a full review when I get chance, but for now just take my word that it is the best router I have ever owned.

Anyway, to business!

Home Network

As before with the Draytek guide my home network is still double NAT’d but there isn’t a speed issue anymore. I do plan to eventually run everything via the EdgeRouter but first I need to install a few additional access points (I’m thinking a couple of airGateway-LR’s hidden in roof spaces will do, powered by PoE obviously!).

In the example below the home network subnet will be 192.168.100.x
and WAN address will be 1.2.3.4

Remote Network

The remote network is the same as before too – a pfSense machine sits at x.1 and deals with traffic to the local network.

In the example below the remote subnet will be 192.168.150.x and WAN address will be 5.6.7.8

Important

  • Each local area network must be on a seperate subnet, otherwise things can quickly get messy and conflict!
  • Make sure you use a secure pre-shared key, anything above 32 characters will do nicely and under no circumstances use the example key!
  • The example details below are fake, replace them with your own details if you want this to work

Configuring pfSense

The guide below lists only the parts you need to change, if the option isn’t listed then leave it as is. Anything to do with double NATing is in red, ignore this if your router is WAN facing.

Fairly straight forward, go to VPN > IPSec > Click Add P1

  • Enter the Remote Gateway as the WAN IP address of the EdgeRouter (or the Superhub in my case) 1.2.3.4
  • Enter a brieft description in the Description box – VPN to pfSense LAN
  • Select Peer identifer as KeyID tag then enter the WAN address of EdgeRouter (192.168.100.1) else leave as Peer IP address
  • Enter your pre-shared key in the Pre-Shared Key box – testing123
  • Set the DH Group to 14
  • Press Save

That’s your Phase 1 entry configured, now for Phase 2:

Go to VPN > IPSec > Click on Show Phase 2 Entries for Home

  • Enter Remote Network as the home network subnet – 192.168.100.0/24
  • Put a brief description in the Description box – Home
  • Set PSF Key Group to 14
  • Press Save and then hit Apply Changes

Finally, we need to create a firewall rule to allow traffic to pass over the VPN:

  • Go to Firewall > Rules > IPSec and click Add
  • Change Protocol to any
  • Enter a brief description in the Description box – Allow VPN Traffic
  • Press Save any hit Apply Changes

Configuring the EdgeRouter

First of all make sure you are running the latest firmware otherwise options may be missing and this may not go smoothly! Currently (March 2017) I’m running EdgeRouter Lite v1.9.1.

Configuring the EdgeRouter is pretty straight forward, you don’t need to do anything via command line or console (unless you really want to, knock yourself out!) – Go to VPN > IPSec Site-to-Site

  • First tick the box Show advanced options to show the encryption options
  • Under Global Options leave Automatically open firewall and exclude from NAT unless you want greater control over who can connect in
  • Under Site-to-site peers enter the Peer as the home WAN address – 5.6.7.8
  • Put a brief description in the Description box – Remote
  • In local IP enter any
  • For Encryption set AES-256
  • In Pre-shared secret enter the key set previously – testing123
  • Enter the Local subnet as 192.168.100.0/24
  • Enter the Remote subnet as 192.168.150.0/24

All being well you should end up with something like below:

Once everything is saved, head over to the pfSense IPSec Status page and hit connect if it hasn’t already established and  there you have it!

At this point you may be asking why did you uncheck the option to Automatically open firewall…, this is because I like to have greater control over what IP addresses are allowed access to my network.

To substitute this option I created a rule in the NAT section translating UDP port 4500 to the routers local IP address (192.168.100.1). In turn I set the Src Address Group of this rule to a list of predefined IP addresses, thus only allowing access to my networks and blocking the rest of the world.

 

 

 

Fix TRENDnet TV-IP310pi Corroded PoE Connector

Following Storm Doris back in February 2017, one of my cameras at the back of my house stopped working. Part of the roof had been blown off (only a plastic cover, thankfully nothing more serious) which exposed the cable and allowed things to get a little damp.

On closer inspection the 3 far pins in the connector had corroded as seen below, click any picture below to see a bigger version:

I’m presuming the corrosion had been going on some time and the storm was the icing on the cake. I tried a mixture of WD40 contact cleaner followed by a strong acid based electrical cleaner and the pins had cleaned up nicely but it still wasn’t working.

I was really trying to avoid was chopping the connector off completely as after all it is over £100 worth of camera, but that happened…

As you can see from above I opted for jelly crimps (scotch locks) as these are waterproof, the alternative was either a  surface mounted punch-down box or RJ45 coupler both which would have corroded over time and eventually left me with a broken camera again.

After making sure everything was working I wrapped the jellys in a fair amount of electric tape followed by a healthy dose of vaseline.

I would have exposed more of the camera cable which would have made things look neater and given me more room to position each jelly connector but ultimately I wanted to cut as little as possible, and the fact it was now working again was a good enough excuse to leave it alone!

Colour Combinations

It came as no suprise that the camera didn’t use standard 568B colours but here is the combination I used:

Key: 568B Standard Cable / TRENDnet Cable

  • Orange WhiteOrange
  • OrangeYellow
  • Green WhiteGreen
  • BlueGrey
  • Blue WhitePurple
  • GreenBlue
  • Brown WhiteBrown
  • BrownWhite

I found the colours by refering to this guide here. I did manage to get the green and green white cables mixed up, however this hasn’t affected the camera in any way that I can tell. If it does ever cause a problem I will swap the cables around at the patch panel to avoid having to tamper any further.

Encrypted AES VPN tunnel between pfSense 2.3 and Draytek 2830

For a long time now I’ve managed several VMware ESXi servers and for easy management I’ve created a local area network on each making backups, monitoring and the usual sysad tasks a breeze.

The icing on the cake is that I recently swapped from m0n0walll to pfSense and went about setting up a lan to lan VPN tunnel to my home network, so now I can access everything locally as if I was on the same network.

Home Network

My home network uses a Draytek 2830 connected to a Virgin Media Superhub. Unfortunatley the Draytek is getting on a little bit now and doesn’t have the processing power to deal with my 100mbit connection speed, so I’ve had to double NAT the network using the Superhub in router mode and then DMZ everything towards the Draytek.

This isn’t a bad thing though as all the “dumb” wireless devices (mobile phones, Roku’s, Nest thermostat, etc) connect direct to the Superhub whilst my home server and everything crucial connect via the Draytek. All in all I get 70mbit through the Draytek on average and there’s plenty of bandwidth left for the devices connected to the Superhub.

In the example below the home network subnet will be 192.168.100.x

Remote Network

The remote network is pretty simple, they are all setup the same apart from x is a different number based on the virtual host name – a pfSense machine sits at x.1 and deals with traffic to the local network.

In the example below the remote subnet will be 192.168.150.x

Important

  • Each local area network must be on a seperate subnet, otherwise things can quickly get messy and conflict!
  • Make sure you use a secure pre-shared key, anything above 32 characters will do nicely
  • The example details below are fake, replace them with your own details if you want this to work

Configuring pfSense

The guide below lists only the parts you need to change, if the option isn’t listed then leave it as is

Fairly straight forward, go to VPN > IPSec > Click Add P1

  • Enter the Remote Gateway as the WAN IP address of the Draytek (or the Superhub in my case)
  • Enter a brieft description in the Description box
  • If you are double NAT’d like me select Peer identifer as KeyID tag then enter the WAN2 address of Draytek else leave as Peer IP address
  • Enter your pre-shared key in the Pre-Shared Key box
  • Press Save

That’s your Phase 1 entry configured, now for Phase 2:

Go to VPN > IPSec > Click on Show Phase 2 Entries for Home

  • Enter Remote Network as the home network subnet – 192.168.100.0/24
  • Put a brief description in the Description box
  • Set PSF Key Group to 2
  • Press Save and then hit Apply Changes

Finally, we need to create a firewall rule to allow traffic to pass over the VPN:

  • Go to Firewall > Rules > IPSec and click Add
  • Change Protocol to any
  • Enter a brief description in the Description box
  • Press Save any hit Apply Changes

Configuring the Draytek

Now it is time to configure the Draytek – Go to VPN and Remote Access > LAN to LAN

For Common Settings:

  • Enter a Profile Name
  • Tick Enable this profile
  • Make sure Call Direction is set to Both

For Dial-Out Settings:

  • Set type of server to IPSec Tunnel
  • Enter the Remote WAN IP in the Server IP/Hostname for VPN box
  • Enter the pre-shared key set previously in the Pre-Shared Key box
  • For IPSec Security Method set it to High (ESP)AES with Authentication
  • Under Advanced set IKE phase 1 propsal to AES256_SHa1-G14 and IKE phase 2 proposal to AES256_SHA1 then press OK

For Dial-In Settings:

  • Set the Allowed Dial-In Type to IPSec Tunnel
  • Tick the box to Specify Remote VPN Gateway and enter the remote network WAN IP
  • Enter the pre-shared key set previously in the Pre-Shared Key box
  • For IPSec Security Method untick all apart from High (ESP) – AES

Under TCP/IP Netowrk Settings:

  • Set Remote Network IP as the remote network subnet – 192.168.150.0

Hit OK at the very bottom to save the profile, leave it a few seconds and it should connect. If it doesn’t connect automatically, head to the IPSec Status page in pfSense and hit Connect manually

Icecast PHP Stats

A recent project of mine called Coop Cam uses several live video streams served by an Icecast server at different mount points which works great, but I found there was no real solution to simply display how many viewers were actually watching the live streams.

I put together a basic PHP code that reads the Icecast XML stats file and retrieves the current overall viewers (or listeners as its officially known) of all available mount points.

Code

// get the stats xml file //
$output = file_get_contents('http://admin:adminpassword@youricecastserver.com:8000/admin/stats');

// explode to make the magic happen //   
$listeners = explode('',$output);
$listeners = explode('',$listeners[1]);

// output to the world //
echo "Currently <b>$listeners[0]</b> people are watching the live stream!";

Once you have amended the admin password, server name and port the code above will then connect to your server and read the /admin/stats XML file. From here it will literally pick out the content shown between the <listeners></listeners> tags and that then becomes the $listeners[0] variable, simply place this wherever you want to display the amount of current viewers.

Notes

  • This code may or may not work depending on if your hosting provider allows the file_get_contents function – In my case I use my own dedicated servers and it works without issue, if you have any problems I’m sure I can sort something for you!
  • You can show the amount of sources, file connections and so on by amending the code to reflect the correct tags – A full list of tags can be seen by visiting the youricecastservername.com:8000/admin/stats page
  • You can find a live working example of this script here or actually see it in place here
  • Finally, you can download the script by clicking here

Disable Virtualmin Two-factor Authentication

Virtualmin is constantly being developed and gaining ever useful features, and for a while now has featured two-factor authentication which is great, although what happens if you get locked out of your system? As long as you have SSH or console access then you can follow the steps below to easily get back in.

Disabling two-factor authentication for a single user

  • Get root SSH or console access
  • Edit the file /etc/webmin/miniserv.users, comment out the current line for the user then create a fresh copy above it
  • Remove any mention of “totp” and the long string of characters near the end and save, for example your file should now look like the following:
...
root:x::::::::0:0:::
#root:x::::::::0:0:totp:ZZZZZZZZZZZZZZZZ:
...
  • Restart Webmin and log back in normally

Disabling two-factor authentication entirely

  • Get root SSH or console access
  • Edit the file /etc/webmin/miniserv.conf and find the line “twofactor_provider=totp” and replace with “twofactor_provider=” and save
  • Edit the /etc/webmin/miniserv.users as mentioned above
  • Restart Webmin and log back in normally

Notes

  • I’ve had success with this on Webmin 1.760 running on CentOS 7.0

How to List the Contents of a Web Directory

Any good web host will secure the contents of website directories which don’t have an index page by not allowing the  files or folders to be listed, instead you’ll get a 403 error page saying access is forbidden. Whilst this is good in practice, sometimes you might actually need to list the contents – and its simple to enable on an Apache web server – add one line to your .htaccess file and you’re done!

How it’s done

Options +Indexes

Notes

  • If you have access you can edit your web server configuration and make it global

Setup your own live pet webcam for free using Yawcam

I’ve been experimenting for a while with different ways to stream live to the Internet from webcams, IP cameras and capture cards for the Coop Cam project, here is a basic guide on how to setup a simple live stream using a basic webcam.

What is required?

You will need a couple of things, including:

  • A computer with a webcam
  • An Internet connection with decent upload speed
  • Router access to port forward

Software

To create the stream we will use a free piece of opensource software called Yawcam, you can download it directly from here or learn more about the software here.

Installation is pretty simple, download and launch the installer then follow the on screen instructions.

Configuration

After the installation has finished open your newly installed software, you will see a screen like below:

1

The first thing we need to do is set the stream type, to do this go to Settings > Edit Settings…

2

Under Output select Stream and change the Stream type to MJPEG and hit OK

3

Next we need to select your webcam, head to Settings > Device > Change to and select your webcam from the list

4

Finally, back on the main screen hit enable on the Stream option – we are ready to go!

5

Previewing your stream

Here is the exciting part, previewing your live stream! On the same computer open up your browser and head to http://127.0.0.1:8081/video.mjpg

If everything is configured correctly you should see your webcam displayed live.

Here is my example of Spirit our pet quail:



What next?

The next thing you need to do is configure port forwarding in your router to allow people to connect in and view  your stream. I can’t really go into specific detail as there are many different types of router with different configuration options but basically what you want to do is forward port 8081 to your computer so anyone that connects to your-public-ip:8081/video.mjpg can see your stream.

You will also want to make sure that your computer has a static IP address or DHCP reservation to make sure the local IP address doesn’t change.

If you need help with that part let me know and I’ll give you a hand.

Will my Internet connection be able to cope?

This depends entirely on your upload speed, by default Yawcam only allows 10 concurrent connections.

For added security and to take the strain off your Internet connection I can relay your stream via Coop Cam’s powerful relay servers. They are able to take the single stream from your camera and amplify it allowing hundreds of users to connect at once.

The upside to this is that you will only have one connection being uploaded to the relay server, the server then handles everything else and even hides your public IP address – If you would like to know more please get in touch.

Notes

  • If you want Yawcam to start streaming automatically when you login to your computer then head to Settings > Edit Settings… > Startup and tick Start Stream output
  • You can check that port forwarding has been setup correctly by using the NerdTools Port Scanner, if it isn’t working double check your firewall settings
  • If your Internet connection has a dynamic IP address you’ll want to look into a Dynamic DNS service

Add a NAS drive to your Livedrive account for free

I used to be a customer of popular cloud backup service Livedrive. The upload and download speeds were nothing to shout about and one annoyance was having to pay extra to add a NAS drive to your account, but there is a workaround!

How so?

All you need to do is add a symbolic link to your NAS drive from your computer. Think of a symbolic link as a fancy shortcut, the only difference being it masks the destination instead of taking you straight there – you’ll see what I mean when you read on.

Imagine you have a Windows computer with your NAS drive with the root of the drive already mapped to Z:, you have a folder on your NAS called MyFiles and would be able to browse to Z:\MyFiles to see whatever is stored there. Next imagine we have a folder called C:\Backup which is already uploading to your Livedrive account, using  the following command we will make C:\Backup\MyFiles lead to your NAS and in turn be included with your Livedrive backup.

mklink /d "C:\Backup\MyFiles" "Z:\MyFiles"

For me, this worked absolutely fine and I had a couple of TB uploaded without ever being caught out. I’ve since jumped ship to Amazon Drive, whilst it is more expensive per year I’ve got it running from multiple computers and the upload and download speed always tops out my connection, so I can’t complain!

Notes

  • Use the above guide at your own risk – I won’t be held liable if anything happens to your Livedrive account, files or anything else because of this!
  • This doesn’t work with Dropbox or Google Drive  – sorry
  • You only need to run the command once, after that the link will be remembered
  • To remove the link just delete it as you would any other  file or folder