Linux (or macOS) related

Tunnel Apple AirPlay/Bonjour across zones in OpenWRT Firewall

By Atomstar on Friday 20 September 2019 21:20 - Comments (2)
Categories: Linux, Security, Views: 3.174

I've separated my wifi on my OpenWRT (18.06.2) router (Netgear R7800) into a guest zone and a lan zone for security purposes (well, not really, I did it because it was possible). One service I want to allow from guest -> lan zone is AirPlay, which uses multicast traffic (Bonjour). It turns out to be very simple to forward Airplay somewhat difficult to diagnose or get this working. In the end I made the AppleTV part of two zones by connecting LAN to local zone and WLAN to guest zone.

Some required steps include (but are not sufficient):
  1. Install avahi-utils, avahi-dbus-daemon, libavahi-client and libavahi-dbus-support as suggested by this post
  2. Forward ports from guest -> lan as listed by Apple
  3. Power cycle/reboot router, AppleTV, and clients (just to be sure)
  4. Profit! --> still doesn't seem to work stable
Unfortunately, I was not able to get this working with my Pioneer VSX-510 which supports AirPlay (v1) natively. Below I note some more details.


InfluxDB retention policy and data downsampling

By Atomstar on Saturday 15 June 2019 12:52 - Comments (1)
Category: Linux, Views: 3.636

Goal: set up data downsampling scheme on existing collectd data.

This article elaborates on the official InfluxDB guide here (https://docs.influxdata.c...wnsampling_and_retention/)
for the case where we already have a database with existing measurements that we want to
keep.

I'd like to downsample my collectd data on ping, memory, load, etc. data from
two machines. I only want high (minute) time resolution for a few days, then
downsample to save space.

Update:
  • instead of using different field/measurement names (e.g. mean_value in ping_hourly), one can use the same measurement and field name to make querying easier.
  • using Grafana variables, one can select the retention policy (RP) dynamically, e.g. use the right RP for the right time range



Speeding up an nginx webserver

By Atomstar on Saturday 9 February 2019 12:43 - Comments (6)
Categories: Linux, RaspberryPi, Views: 3.184

After properly securing my nginx webserver, I tweaked the cache and connection settings to improve performance as measured by www.webpagetest.org, which I documented below.

The results are as follows: I achieved a 3.2x faster document ready timing and reduced bandwidth by 18x.


Setting up an A+-grade nginx SSL server

By Atomstar on Sunday 27 January 2019 15:25 - Comments (7)
Categories: Linux, RaspberryPi, Security, Views: 4.614

Because I don't want to expose smarthome dashboards (like Domoticz or Grafana) directly to the internet, I've set up a separate server to publish data beyond my local network. For this I've chosen nginx using Let's Encrypt certificates renewed by certbot, enabling HSTS and fixing the Logjam vulnerability.


StrongSwan IKEv2 VPN on Raspberry Pi

By Atomstar on Monday 24 December 2018 01:08 - Comments (7)
Categories: Linux, RaspberryPi, Security, Views: 14.676

Guide to setting up a road warrior VPN server (road warrior = mobile clients connecting to a static server, as opposed to e.g. a site-to-site connection) with IKEv2 using strongSwan on a Raspberry Pi. This guide is largely based on this DigitalOcean guide combined with ready-made strongSwan configurations.

Update 20181224: added algo VPN configurator
Update 20190223: added cipher analysis / recommendation, clarified eth0 interface use on server, ESP/AH forwarding, added password generation one-liner.
Update 20200801: minor fixes in commands.
