Musings

GL.iNet OpenVPN client routing all traffic, ignoring pushed routes

If you’re using the rather excellent GL.iNet series of routers as OpenVPN clients, you may find they have a “feature” which forces all traffic through the VPN tunnel, even when the server only pushes routes for a few smaller subnets.

[email protected]:~# traceroute 1.1.1.1
traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 38 byte packets
 1  10.254.254.17 (10.254.254.17)  78.267 ms  76.049 ms  77.880 ms
 2  10.34.56.1 (10.34.56.1)  82.636 ms  84.339 ms  80.361 ms
 3  *  *  * (81.82.83.84)  82.747 ms  122.769 ms  93.138 ms
 4  *  *  *
 5  *  *  *
 6  tcma-ic-3-0.network.myisp.net (62.63.64.65)  128.810 ms  157.364 ms  141.007 ms
 7  162.158.32.254 (162.158.32.254)  78.899 ms  144.601 ms  83.033 ms
 8  one.one.one.one (1.1.1.1)  80.166 ms  79.087 ms  76.484 ms

There is a script which runs on these devices which forces all internet traffic down the OpenVPN tunnel, no matter what settings you apply on the client web page or push from the server side. You can see the effect in the routing table: alongside the real default route via eth0 there are two extra routes via tun0, 0.0.0.0/1 (printed by route as default with a genmask of 128.0.0.0) and 128.0.0.0/1. Between them they cover the whole IPv4 address space, and because a /1 is more specific than the 0.0.0.0/0 default, longest-prefix matching sends everything down the tunnel regardless of the metrics. This is the same pair of routes OpenVPN’s redirect-gateway def1 option creates for full tunnelling, so the metric on the eth0 default route is not the reason and changing it would not help.

[email protected]:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         *               128.0.0.0       U     0      0        0 tun0
default         10.10.99.1      0.0.0.0         UG    10     0        0 eth0
10.10.19.0      *               255.255.255.0   U     0      0        0 br-lan
10.10.99.0      *               255.255.255.0   U     10     0        0 eth0
10.10.222.0    10.254.254.17   255.255.255.0   UG    0      0        0 tun0
10.254.254.17   *               255.255.255.255 UH    0      0        0 tun0
18.203.182.0    *               255.255.255.0   U     0      0        0 eth0
86.11.242.12    10.10.99.1      255.255.255.255 UGH   0      0        0 eth0
128.0.0.0       *               128.0.0.0       U     0      0        0 tun0

After *much* searching around, I eventually got directed to this post on the GL.iNet forums https://forum.gl-inet.com/t/openvpn-configuration-to-avoid-the-default-redirection-all-through-the-vpn/6519/5 which details the cause.

You have to edit two files.

The first is /etc/init.d/startvpn: comment out (prefix with a #) the line lan2wan_forwarding disable in the ovpn_firewall_start() function.

The second is /etc/vpn.user: comment out every line of the if ... fi block under the # Load default rules heading, including the if and fi lines themselves.

Finally, reboot or restart the OpenVPN service for the new rules to take effect. After the restart, you can see that the routing is as it should be: only the pushed 10.10.222.0/24 subnet and the tunnel endpoint go via tun0, and the single default route is via eth0.

[email protected]:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.10.99.1      0.0.0.0         UG    10     0        0 eth0
10.10.19.0      *               255.255.255.0   U     0      0        0 br-lan
10.10.99.0      *               255.255.255.0   U     10     0        0 eth0
10.10.222.0    10.254.254.17   255.255.255.0   UG    0      0        0 tun0
10.254.254.17   *               255.255.255.255 UH    0      0        0 tun0
86.11.242.12    10.10.99.1      255.255.255.255 UGH   0      0        0 eth0

And a traceroute:

[email protected]:~# traceroute 1.1.1.1
traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 38 byte packets
 1  10.254.254.17 (10.254.254.17)  0.733 ms  0.591 ms  0.426 ms
 2  *  *  *
 3  *  *  *
 4  31.32.33.31 (31.32.33.31)  9.383 ms  8.870 ms  31.55.185.180 (31.55.185.180)  8.968 ms
 5  core2-hu0-8-0-5.colindale.theotherisp.net (191.99.127.154)  9.055 ms  core1-hu0-6-0-6.colindale.theotherisp.net (211.121.192.0)  8.594 ms  core2-hu0-12-0-1.colindale.theotherisp.net (191.99.127.118)  8.984 ms
 6  core2-hu0-7-0-0.colindale.theotherisp.net (191.72.16.128)  8.900 ms  peer7-et-7-0-1.telehouse.theotherisp.net (101.159.252.92)  15.313 ms  peer7-et-3-1-4.telehouse.theotherisp.net (109.159.252.168)  9.227 ms
 7  *  109.159.253.95 (109.159.253.95)  10.421 ms  14.362 ms
 8  one.one.one.one (1.1.1.1)  9.379 ms  9.363 ms  9.062 ms
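A quick check for this, as an added example rather than anything from the post or from GL.iNet: the script below reads a route (or route -n) table and says whether the def1 redirect is in place, and lists which prefixes actually use the tunnel so they can be compared with what the server pushes. The tun device name and the sample tables (copied from the before and after output above) are the only assumptions.

```shell
#!/bin/sh
# Classify a routing table as full-tunnel or split for an OpenVPN tun device.
# Added example for this post, not GL.iNet's or OpenVPN's code. It reads the
# output of `route` / `route -n` (the format shown above) and looks for the
# redirect-gateway def1 signature: 0.0.0.0/1 plus 128.0.0.0/1 via the tun
# device (or a plain 0.0.0.0/0 via it). Those two /1 routes cover all of IPv4
# and beat the real default route on prefix length, whatever its metric.

# Usage: route -n | vpn_redirect_state [tun-device]   -> prints full-tunnel | split
vpn_redirect_state() {
    awk -v dev="${1:-tun0}" '
        # columns: Destination Gateway Genmask Flags Metric Ref Use Iface
        $NF == dev && $3 == "128.0.0.0" && ($1 == "default" || $1 == "0.0.0.0") { low = 1 }
        $NF == dev && $3 == "128.0.0.0" && $1 == "128.0.0.0"                    { high = 1 }
        $NF == dev && $3 == "0.0.0.0"   && ($1 == "default" || $1 == "0.0.0.0") { full = 1 }
        END { if ((low && high) || full) print "full-tunnel"; else print "split" }
    '
}

# Usage: route -n | vpn_routes [tun-device]   -> one "destination/genmask" per line
# Compare this with the routes the server pushes: anything extra is the device
# adding its own redirection.
vpn_routes() {
    awk -v dev="${1:-tun0}" '$NF == dev && $1 != "Destination" { print $1 "/" $3 }'
}

# Constructed samples, copied from the before/after tables in this post.
BEFORE_TABLE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         *               128.0.0.0       U     0      0        0 tun0
default         10.10.99.1      0.0.0.0         UG    10     0        0 eth0
10.10.222.0     10.254.254.17   255.255.255.0   UG    0      0        0 tun0
10.254.254.17   *               255.255.255.255 UH    0      0        0 tun0
128.0.0.0       *               128.0.0.0       U     0      0        0 tun0'

AFTER_TABLE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.10.99.1      0.0.0.0         UG    10     0        0 eth0
10.10.222.0     10.254.254.17   255.255.255.0   UG    0      0        0 tun0
10.254.254.17   *               255.255.255.255 UH    0      0        0 tun0'

if [ "${1:-}" = "--live" ]; then
    route -n | vpn_redirect_state "${2:-tun0}"        # check the running device
else
    printf 'before: %s\n' "$(printf '%s\n' "$BEFORE_TABLE" | vpn_redirect_state)"
    printf 'after:  %s\n' "$(printf '%s\n' "$AFTER_TABLE" | vpn_redirect_state)"
fi
```

Saved as, say, check-vpn-routes.sh and run on the router as sh check-vpn-routes.sh --live tun0 after the reboot, it should print split, and piping route -n into vpn_routes tun0 should list only the pushed subnet and the tunnel endpoint. If the two /1 routes come back later, either the edits did not survive a firmware update or the server itself is pushing redirect-gateway.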

Note, I install nano on my devices, but obviously you can use vi or any other preferred text editor.
I also noted during my research that others using OpenWrt reported similar behaviour, but the fix may or may not be related to the above.

Also note that this changes the device’s failure mode. Only the pushed subnets now go through the tunnel; everything else leaves via the local WAN in the clear. The lan2wan_forwarding disable line you commented out is also what stopped LAN clients reaching the WAN directly, so it doubled as a kill switch: with it gone, traffic keeps flowing out locally if the tunnel drops rather than being blocked. Make sure that is what you want before deploying.

Finally, be VERY confident that this fixes your issue before applying it to a remotely deployed device. Make sure you still have some other way into the device if the VPN breaks, or be prepared to travel to it. With the low cost of GL.iNet devices, it’s worth having a spare on hand to test against before deploying to live.

CreateSRSMedia.ps1 – invalid version

I’ve been messing around trying to build my HP Slice with the latest Teams Room System (SRS) client, using the CreateSRSMedia.ps1 script which is billed as an “easy way” to create the requisite recovery/build media for an SRSv2 environment.

However, it is EXTREMELY picky about the Windows build you create the media from. This was with the 1909 media from Microsoft, but because a patch had been rolled in, the build number didn’t match what the kit expects:

Your Windows installation media is version 10.0.18362.592. Your SRSv2 kit requires version 10.0.18362.418.

However, if you’re just doing some testing, you can force overriding the check from within the script relatively quickly.

!! THIS IS NOT RECOMMENDED FOR PRODUCTION SYSTEMS !!

Open the Powershell script in your favourite editor and find the line

if ($img.Version -ne $KitOsRequired)

and change -ne (not equal) to -eq (equal):

if ($img.Version -eq $KitOsRequired)

This inverts the check: the error branch now only runs when the image version exactly equals the required one, so a mismatched image passes and setup continues. It also means media that does match would now be rejected, so put the line back once you are done testing.

Finally, a pfSense VPN Guide that works!

I’ve been tinkering with IPsec on pfSense for a while, but struggled to find a configuration which worked reliably across a range of devices. Happily, I have found a guide which I’ve tested on Windows, Android and iOS.

So thanks to Kliment Andreev for writing this guide. https://blog.andreev.it/?p=3617

The only thing I did have to do (and this may be down to my specific config) was manually add the IPsec rules to the WAN interface.

[Screenshot: pfSense WAN interface rules for IPsec]

Here you can see three rules: one passing ESP, then two UDP rules whose destination port is IPsec NAT-T (UDP 4500) and ISAKMP (UDP 500) respectively. Both are available as pre-defined port entries in the pfSense rule editor, so you don’t have to type the port numbers in by hand.

FFMPEG HEVC_NVMPI RTMP HLS

This works to produce a (slightly unstable) HLS stream from an incoming HTTP stream, using the NVMPI hardware-accelerated HEVC encoder (hevc_nvmpi).

ffmpeg -hide_banner -re -i http://10.10.10.157:5004/auto/v107 -bufsize 16092k -analyzeduration 20000 -probesize 16092 -sn -dn -ignore_unknown -force_key_frames:v "expr:gte(t,n_forced*2)" -map_metadata "-1" -map_chapters "-1" -c:a copy -c:v hevc_nvmpi -num_capture_buffers 8 -x265-params "keyint=50:min-keyint=50:no-open-gop=1:scenecut=0" -level 4.0 -profile:v baseline -preset slow -rc vbr -movflags faststart+frag_keyframe -tag:v hvc1 -f hls -hls_time 2 -hls_list_size 6 -hls_flags delete_segments+append_list+split_by_time -hls_playlist_type event -g 50 /var/www/html/hls/videostream.m3u8

Seems to work fine until there is a network glitch, at which point ffmpeg exits and the playlist stops updating.

A few things in that command line are worth knowing. -x265-params is a libx265 private option, so hevc_nvmpi never sees it (ffmpeg warns that the option was not used), and baseline is an H.264 profile name rather than an HEVC one; the keyframe cadence actually comes from -g 50 and the -force_key_frames expression. -hls_playlist_type event forces hls_list_size to 0 (the playlist is append-only), so delete_segments never removes anything and the playlist and segment directory grow until the process is restarted; drop the playlist type if you want a rolling live window of six segments. And everything under /var/www/html/hls is served to whoever can reach the web server, so put some access control in front of it if the stream is not meant to be public.
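One way to ride out the glitch, as an added example and not the post’s own script: a small supervisor that restarts the transcode with capped exponential backoff, and asks ffmpeg’s HTTP input to reconnect on its own before the supervisor is ever needed. The input URL, output path and encoder flags are the post’s; MAX_RETRIES, the backoff schedule and the -reconnect flags are my additions.

```shell
#!/bin/sh
# Supervisor for the ffmpeg command above: restart the transcode when it dies
# (the "network glitch" case) with capped exponential backoff, after telling
# ffmpeg's http input to reconnect on its own first. Added example, not the
# original post's script. INPUT_URL, OUT_DIR and the retry policy are
# assumptions; the encoder flags are the post's own command line.

INPUT_URL="${INPUT_URL:-http://10.10.10.157:5004/auto/v107}"
OUT_DIR="${OUT_DIR:-/var/www/html/hls}"
MAX_RETRIES="${MAX_RETRIES:-0}"     # 0 = restart forever
SLEEP_CMD="${SLEEP_CMD:-sleep}"     # overridable so the loop can be tested quickly

# Delay before restart attempt N: 2, 4, 8, ... seconds, capped at 60.
backoff_delay() {
    n=$1; d=2
    while [ "$n" -gt 1 ] && [ "$d" -lt 60 ]; do
        d=$((d * 2)); n=$((n - 1))
    done
    [ "$d" -gt 60 ] && d=60
    echo "$d"
}

# Run "$@" until it exits 0. Returns 1 once MAX_RETRIES failures are spent.
run_with_restart() {
    attempt=0
    while :; do
        "$@" && return 0
        rc=$?
        attempt=$((attempt + 1))
        if [ "$MAX_RETRIES" -gt 0 ] && [ "$attempt" -ge "$MAX_RETRIES" ]; then
            echo "giving up after $attempt failed attempts (last exit $rc)" >&2
            return 1
        fi
        delay=$(backoff_delay "$attempt")
        echo "exit $rc on attempt $attempt, restarting in ${delay}s" >&2
        $SLEEP_CMD "$delay"
    done
}

# The post's command line, with -reconnect* added (http protocol options, so
# they go before -i) so transient HTTP drops are retried inside ffmpeg.
transcode() {
    ffmpeg -hide_banner -re \
        -reconnect 1 -reconnect_streamed 1 -reconnect_delay_max 5 \
        -i "$INPUT_URL" -bufsize 16092k -analyzeduration 20000 -probesize 16092 \
        -sn -dn -ignore_unknown -force_key_frames:v "expr:gte(t,n_forced*2)" \
        -map_metadata "-1" -map_chapters "-1" -c:a copy -c:v hevc_nvmpi \
        -num_capture_buffers 8 -x265-params "keyint=50:min-keyint=50:no-open-gop=1:scenecut=0" \
        -level 4.0 -profile:v baseline -preset slow -rc vbr \
        -movflags faststart+frag_keyframe -tag:v hvc1 \
        -f hls -hls_time 2 -hls_list_size 6 \
        -hls_flags delete_segments+append_list+split_by_time \
        -hls_playlist_type event -g 50 "$OUT_DIR/videostream.m3u8"
}

case "${1:-}" in
    start) run_with_restart transcode ;;
esac
```

Start it with sh hls-supervisor.sh start under nohup or a process manager. The exit status is logged on every restart: a steady run of the same exit code with no input errors in ffmpeg’s output usually means the encoder rather than the network is failing, and retrying will not help. The -reconnect options only cover the HTTP input; the supervisor covers everything else, including the encoder process dying, and append_list lets the playlist carry on where it left off instead of starting afresh.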

Mimecast to Office 365 – Split Routing of Email Domains

We’re currently migrating from our existing legacy email provider to Mimecast as our spam filter. We have some services which we can’t interrupt without planning, so we need to deploy Mimecast for our ‘user’ domain in Office 365 without disrupting our ‘alerting’ domain. We also need to validate the Mimecast configuration before impacting users, so we have a test domain to verify it with as well.

We therefore wanted to add the email filtering staged in the following order over a number of days:
1) Test
2) User
3) Alerting

However, the Mimecast documentation isn’t great at describing split routing of outbound email by sender domain, and essentially assumes that you want to send all email out through Mimecast from the off.

This great article from Antonio Vargas really helped us understand why our transport rule wasn’t catching messages from the domain we wanted to route out via Mimecast. The missing condition was:

In the Conditions select “Apply this rule if..” > The recipient is located > Outside of the Organization

Once that condition was added to the rule, we were immediately able to verify that the test domain was routing email from Office 365 through Mimecast, while the other domains carried on as before until their turn.

WD My Passport Pro – RClone Backup to Cloud (AWS S3)

I’ve set up my WD My Passport Wireless Pro (WDMPP) to perform a regular cloud sync of my pictures into an Amazon S3 bucket, so that whenever it has an internet connection it sits in the background and uploads them.

Note, I’m only backing up photos rather than video, as I intend to run this over a 4G MiFi hotspot and don’t want 4K video uploads to trash my data allowance. I’ll run the risk of losing the video in the event of a failure whilst mobile, but it’s something I can live with.

First of all, you need rclone installed on the WDMPP, which involves using the SSH terminal. I’ll create a separate article at some point, but there is plenty of information about how to do this on the internet.

Create two files in the root of the hard drive (/media/sdb1).

rclonescript.sh holds the command which performs the backup:

rclone copy /media/sdb1/ AmazonS3:wdmpp.backup/ -v --log-file /media/sdb1/logs/rclone.log --copy-links --ignore-case --filter-from /media/sdb1/filestocopy.txt

Option                                      Meaning
rclone copy                                 Use rclone’s copy command (copies new and changed files; never deletes anything at the destination)
/media/sdb1/                                Source root path to look for data
AmazonS3:wdmpp.backup/                      Destination remote and path. Here AmazonS3 is an AWS S3 remote defined in rclone.conf, but the same principle works for other cloud services
-v                                          Verbose mode
--log-file /media/sdb1/logs/rclone.log      Write rclone’s log to this path (note, you’ll need to mkdir the logs directory first)
--copy-links                                Follow symlinks when copying; seems to be required on this device
--ignore-case                               Because the WDMPP ingests from a variety of devices, match the filters case-insensitively
--filter-from /media/sdb1/filestocopy.txt   The filter rules rclone uses to decide which files to copy

You will need to chmod +x this file to make it executable
chmod +x /media/sdb1/rclonescript.sh

/media/sdb1/filestocopy.txt holds the filter rules:

- /logs/
- /.USB/
- /.wdmc/
- /.wdcache/
- .DS_Store
- *.txt
+ *.jpg
+ *.png
+ *.heic
+ *.bmp
+ *.raw
- *

Rule            Meaning (- excludes, + includes; rules are evaluated top to bottom and the first match wins)
- /logs/        Exclude the logs directory where rclone writes its own log
- /.USB/        Exclude the system .USB directory
- /.wdmc/       Exclude the system .wdmc directory
- /.wdcache/    Exclude the system .wdcache directory
- .DS_Store     Exclude macOS .DS_Store files wherever they appear (no leading slash, so it matches at any depth; a trailing slash would only match a directory of that name)
- *.txt         Exclude any text files (some of my cameras create text logs which I’m not interested in copying)
+ *.jpg         Copy any JPEG files with the extension jpg
+ *.png         Copy any Portable Network Graphics files with the extension png
+ *.heic        Copy any High Efficiency Image File Format files with the extension heic (these come from my phone)
+ *.bmp         Copy any bitmap files with the extension bmp (not expecting any of these, but hey)
+ *.raw         Copy any RAW camera files (my camera uses the .raw extension)
- *             Exclude anything else

You can obviously change the filters as you need to, for example to include video files or whatever else you write to the disk. rclone evaluates the rules in order and the first match wins, which is why the excludes have to come before the includes: with + *.jpg first, a jpg sitting under one of the excluded system directories would be matched and copied before the exclude was ever considered, which is the unexpected behaviour I saw. This ordering works well for me.

Once you’ve tested that it works, it can be added to cron.
First, create the cron spool directory, which doesn’t exist by default on the device:

mkdir /var/spool/cron

Then create the crontab

crontab -e


8 * * * * /media/sdb1/rclonescript.sh >/dev/null 2>&1

This crontab entry runs the script at minute 8 of every hour, i.e. once an hour (every 8 minutes would be */8 * * * *). If you’re not sure how to build a cron line, https://crontab-generator.org/ is a great website for it. Be aware that cron will happily start a second copy while a long upload is still running, and the two then compete for the 4G link.
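A hardened version of rclonescript.sh, as an added example rather than the post’s own script: it takes a lock so the hourly cron run cannot start a second upload while a slow one is still in progress, creates the log directory if it is missing, and drops the lock on exit or kill. LOCK_DIR, RCLONE and the use of mkdir as the lock primitive are my assumptions; the paths and rclone flags are the post’s. One more thing worth saying because the drive is portable: the rclone.conf on it carries the AWS access key, so create a dedicated IAM user scoped to that one bucket and, since rclone copy never deletes, leave s3:DeleteObject out of its policy; if the drive is lost, the key can then at worst read, add or overwrite objects, and bucket versioning covers the overwrite case.

```shell
#!/bin/sh
# Hardened rclonescript.sh for the cron job above. Added example, not the
# post's own script. Two things the one-liner lacks: a lock, so an hourly cron
# run cannot start a second upload while a slow one over 4G is still going, and
# a log directory that is created if missing. LOCK_DIR, RCLONE and the use of
# mkdir(1) as the lock primitive are assumptions; the paths are the post's.

SRC="${SRC:-/media/sdb1/}"
DEST="${DEST:-AmazonS3:wdmpp.backup/}"
FILTER="${FILTER:-/media/sdb1/filestocopy.txt}"
LOG="${LOG:-/media/sdb1/logs/rclone.log}"
LOCK_DIR="${LOCK_DIR:-/media/sdb1/.rclone.lock}"
RCLONE="${RCLONE:-rclone}"

# mkdir is atomic, so it serves as a lock on busybox boxes without flock(1).
# Returns 0 if this process now holds the lock, 1 if another live run holds it.
acquire_lock() {
    if mkdir "$LOCK_DIR" 2>/dev/null; then
        echo "$$" > "$LOCK_DIR/pid"
        return 0
    fi
    # Reclaim a lock left behind by a run that died (its PID is gone). On a
    # single-user device a failing kill -0 means the process does not exist.
    pid=$(cat "$LOCK_DIR/pid" 2>/dev/null || true)
    if [ -n "$pid" ] && ! kill -0 "$pid" 2>/dev/null; then
        rm -rf "$LOCK_DIR"
        mkdir "$LOCK_DIR" 2>/dev/null && echo "$$" > "$LOCK_DIR/pid" && return 0
    fi
    return 1
}

release_lock() {
    rm -rf "$LOCK_DIR"
}

# Returns rclone's exit status, or 2 if another run was already in progress.
run_backup() {
    acquire_lock || { echo "backup already running (lock at $LOCK_DIR)" >&2; return 2; }
    trap release_lock EXIT INT TERM          # never leave a stale lock behind on kill
    mkdir -p "$(dirname "$LOG")"
    if "$RCLONE" copy "$SRC" "$DEST" -v --log-file "$LOG" \
        --copy-links --ignore-case --filter-from "$FILTER"; then
        rc=0
    else
        rc=$?
    fi
    release_lock
    trap - EXIT INT TERM
    return "$rc"
}

case "${1:-}" in
    run) run_backup ;;
esac
```

Point the cron line at this script with the run argument instead of the one-liner. If the 4G allowance rather than time is the constraint, --bwlimit (for example --bwlimit 500k) is the rclone flag to add to the copy command.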

WD My Passport Pro SSD – SMBv2 / Win 10

To enable SMBv2 on the Western Digital My Passport Pro SSD, so that Windows 10 (which no longer installs SMBv1 by default) can connect to its shares, go through the following steps.

1) Enable SSH access via the admin console
2) Use PuTTY (or any SSH client) to log into the console
3) nano /etc/samba/smb.conf
4) In the [global] section, make sure the following lines are present. protocol = SMB2 is the one that matters: protocol is a synonym for max protocol, so this raises the highest dialect the drive offers from SMB1/NT1 to SMB2
[global]
workgroup = WORKGROUP
server string = MyPassport Wireless Pro
netbios name = MyPassport
protocol = SMB2
5) run /etc/init.d/S75smb restart
6) try to browse to \\<IP address of the drive> from Windows
7) If you can’t log in (username admin), reset the Samba password by running
8) /usr/bin/smbpasswd -a admin
and entering the new password
9) Finally restart Samba again (per step 5)
10) Profit?

Note, if your username/password isn’t recognised, use [email protected] as the username within Windows.
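The edit in step 4 is fine by hand once. The script below, an added example and not the drive’s firmware or Samba’s tooling, does the same thing idempotently so it can be re-applied after a firmware reset without leaving duplicate lines, and runs testparm if it is available to catch a typo before the restart. protocol = SMB2 is the post’s setting; min protocol = SMB2 (refuse SMB1 altogether, so the drive cannot be talked down to it on a hostile network) is my addition and only appropriate if nothing else on the LAN still needs SMB1.

```shell
#!/bin/sh
# Idempotent smb.conf editor for step 4 above: set a key in [global], replacing
# any existing value or adding the key if it is missing, so the script can be
# re-run without leaving duplicate lines. Added example, not Western Digital's
# or Samba's code. The restart command and protocol = SMB2 are the post's;
# min protocol = SMB2 (refuse SMB1) is an assumption, not something the post does.

# Usage: set_global_option <smb.conf> <key> <value>
set_global_option() {
    file=$1; key=$2; value=$3
    awk -v key="$key" -v value="$value" '
        function finish_global() { if (in_global && !done) { print key " = " value; done = 1 } }
        # a new section starts: if [global] is ending and the key was never seen, add it now
        /^[ \t]*\[/ { finish_global(); in_global = (tolower($0) ~ /^[ \t]*\[global\]/) }
        # an existing setting of this key inside [global]: replace it in place
        in_global && tolower($0) ~ ("^[ \t]*" tolower(key) "[ \t]*=") {
            if (!done) { print key " = " value; done = 1 }
            next
        }
        { print }
        END {
            finish_global()
            if (!done) { print "[global]"; print key " = " value }   # no [global] at all
        }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Apply the SMB2 settings and syntax-check the result before anything restarts.
apply_smb2() {
    conf=${1:-/etc/samba/smb.conf}
    set_global_option "$conf" "protocol" "SMB2"          # highest dialect offered
    set_global_option "$conf" "min protocol" "SMB2"      # assumption: also refuse SMB1
    if command -v testparm >/dev/null 2>&1; then
        testparm -s "$conf" >/dev/null || return 1      # testparm ships with Samba
    fi
}

case "${1:-}" in
    apply) apply_smb2 /etc/samba/smb.conf && /etc/init.d/S75smb restart ;;
esac
```

Run it as sh smb2.sh apply on the drive. After the restart, a Windows 10 client with SMB1 disabled should connect; if you set min protocol as well, check that nothing older on the network (a printer, a media player) was still relying on SMB1 before leaving it in place.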