Project Logs

Collapse

• Audio capture & playback

  Christoph Tack • 08/12/2020 at 14:01 • 0 comments

  Command line tools

  Installation

  sudo apt install alsa-utils

  Audio playback

  We want to route audio to the line-out.  In order to do that, let's find out what the possible output devices are.

  ubuntu@wandboard:~$ aplay -L 
  null
      Discard all samples (playback) or generate zero samples (capture)
  samplerate
      Rate Converter Plugin Using Samplerate Library
  speexrate
      Rate Converter Plugin Using Speex Resampler
  jack
      JACK Audio Connection Kit
  oss
      Open Sound System
  pulse
      PulseAudio Sound Server
  upmix
      Plugin for channel upmix (4,6,8)
  vdownmix
      Plugin for channel downmix (stereo) with a simple spacialization
  default:CARD=DWHDMI
      DW-HDMI, dw-hdmi-ahb-audio
      Default Audio Device
  sysdefault:CARD=DWHDMI
      DW-HDMI, dw-hdmi-ahb-audio
      Default Audio Device
  dmix:CARD=DWHDMI,DEV=0
      DW-HDMI, dw-hdmi-ahb-audio
      Direct sample mixing device
  dsnoop:CARD=DWHDMI,DEV=0
      DW-HDMI, dw-hdmi-ahb-audio
      Direct sample snooping device
  hw:CARD=DWHDMI,DEV=0
      DW-HDMI, dw-hdmi-ahb-audio
      Direct hardware device without any conversions
  plughw:CARD=DWHDMI,DEV=0
      DW-HDMI, dw-hdmi-ahb-audio
      Hardware device with all software conversions
  usbstream:CARD=DWHDMI
      DW-HDMI
      USB Stream Output
  default:CARD=imxspdif
      imx-spdif, S/PDIF PCM snd-soc-dummy-dai-0
      Default Audio Device
  sysdefault:CARD=imxspdif
      imx-spdif, S/PDIF PCM snd-soc-dummy-dai-0
      Default Audio Device
  dmix:CARD=imxspdif,DEV=0
      imx-spdif, S/PDIF PCM snd-soc-dummy-dai-0
      Direct sample mixing device
  dsnoop:CARD=imxspdif,DEV=0
      imx-spdif, S/PDIF PCM snd-soc-dummy-dai-0
      Direct sample snooping device
  hw:CARD=imxspdif,DEV=0
      imx-spdif, S/PDIF PCM snd-soc-dummy-dai-0
      Direct hardware device without any conversions
  plughw:CARD=imxspdif,DEV=0
      imx-spdif, S/PDIF PCM snd-soc-dummy-dai-0
      Hardware device with all software conversions
  usbstream:CARD=imxspdif
      imx-spdif
      USB Stream Output
  default:CARD=imx6wandboardsg
      imx6-wandboard-sgtl5000, HiFi sgtl5000-0
      Default Audio Device
  sysdefault:CARD=imx6wandboardsg
      imx6-wandboard-sgtl5000, HiFi sgtl5000-0
      Default Audio Device
  dmix:CARD=imx6wandboardsg,DEV=0
      imx6-wandboard-sgtl5000, HiFi sgtl5000-0
      Direct sample mixing device
  dsnoop:CARD=imx6wandboardsg,DEV=0
      imx6-wandboard-sgtl5000, HiFi sgtl5000-0
      Direct sample snooping device
  hw:CARD=imx6wandboardsg,DEV=0
      imx6-wandboard-sgtl5000, HiFi sgtl5000-0
      Direct hardware device without any conversions
  plughw:CARD=imx6wandboardsg,DEV=0
      imx6-wandboard-sgtl5000, HiFi sgtl5000-0
      Hardware device with all software conversions
  usbstream:CARD=imx6wandboardsg
      imx6-wandboard-sgtl5000
      USB Stream Output
  

  Mixer settings

  1. Run "alsamixer"
  2. F6: select sound card → imx6-wandboard-sgtl5000
  3. Headphone Mux : DAC
  4. Use "Headphon" to set audio output level on line-out.  The line-out setting in alsamixer doesn't control line-out.

  Storing sound settings with "alsactl store" gives an error message. 
  

  Let's play a wav-file now using hw:CARD=imx6wandboardsg,DEV=0 if we would use plughw:CARD=imx6wandboardsg,DEV=0 ve9qrp.wav, then the mono audio from the file will be sent only to the left or right channel of line-out.

  ubuntu@wandboard:~$ aplay -D hw:CARD=imx6wandboardsg,DEV=0 ve9qrp.wav 
  Playing WAVE 've9qrp.wav' : Signed 16 bit Little Endian, Rate 8000 Hz, Mono
  

  The mono-wav file will be output to the left and right channel of line-out.

  Audio recording

  By default audio will be recorded from MIC_IN.  To record from LINE_IN, the capture multiplexer (mux) must first be adjusted:

  ubuntu@wandboard:~$ amixer -c 2 cset name='Capture Mux' 1
  numid=24,iface=MIXER,name='Capture Mux'
    ; type=ENUMERATED,access=rw------,values=1,items=2
    ; Item #0 'MIC_IN'
    ; Item #1 'LINE_IN'
    : values=1

  After that, recording 5s of audio from line-in is as simple as:

  ubuntu@wandboard:~$ arecord -D default:CARD=imx6wandboardsg -d 5 -f S16_LE -c 2 -r 48000 output.wav
  Recording WAVE 'output.wav' : Signed 16 bit Little Endian, Rate 48000 Hz, Stereo

  Python

  see Python audio capture & playback
  

• VPN

  Christoph Tack • 06/07/2020 at 18:47 • 1 comment

  Speed comparison SSH versus VPN

  https://blog.backslasher.net/ssh-openvpn-tunneling.html

  Setup

  Setting up a VPN-server is notoriously hard, so there are some scripts like openvpn-install and pivpn to help you out.

  More details here and here.

  To be able to connect to the VPN remotely, you need:

  1. assign a static IP to your VPN-server
  2. setup an account with a dynamic DNS provider (e.g. https://www.duckdns.org/)
  3. open a port in your router and forward it to your VPN-server.

• Regional settings

  Christoph Tack • 06/07/2020 at 18:13 • 0 comments

  Time zone

  ubuntu@wandboard:~$ sudo dpkg-reconfigure tzdata
  [sudo] password for ubuntu: 
  
  Current default time zone: 'Europe/Brussels'
  Local time is now:      Sun Jun  7 20:11:48 CEST 2020.
  Universal Time is now:  Sun Jun  7 18:11:48 UTC 2020.

  Reboot your device afterwards. Some services (like tor) don't like time zone switches.

• TUNTOX : Tunnel TCP connections over the Tox protocol

  Christoph Tack • 06/06/2020 at 15:39 • 0 comments

  All the info and programs can be found on Github.

  Download program

  • For the Thinkpad laptop running Ubuntu 18.04LTS : tuntox-x64
  • For the Wandboard (running Ubuntu 20.04LTS) : tuntox-armv7l

  Starting the Tox-server on the wandboard

  It's as simple as running that single command.  The shared secret is here "hellohello" (could use something more sophisticated).
  

  ubuntu@wandboard:~$ TUNTOX_SHARED_SECRET=hellohello ./tuntox-armv7l 
  2020-06-06 15:11:42: [INFO]     Tuntox built from git commit 0.0.9
  2020-06-06 15:11:42: [INFO]     Using 11624 for TCP relay port and 50928-50938 for UDP
  2020-06-06 15:11:42: [WARNING]  File not found (/etc/tuntox/tox_save)
  2020-06-06 15:11:42: [WARNING]  Could not open save file
  2020-06-06 15:11:42: [WARNING]  Could not open save file
  2020-06-06 15:11:42: [INFO]     Using Tox ID: 6611AA8F892AC73A88C43379C0CA31F1FDA58EED917D970846A43A45BF664966E48678E3ABB1
  2020-06-06 15:11:51: [INFO]     Connection status changed: An UDP connection has been established
  2020-06-06 15:14:51: [INFO]     Accepted friend request from 9E85FB6D952DDE04580E87E5EEBFD46E75DBD322B374D973EA214DF16C8EE3313E4E7AF0A901 as 0
  2020-06-06 15:16:06: [INFO]     Got a request to forward data from 127.0.0.1:22
  2020-06-06 15:16:06: [INFO]     Created a new tunnel object connid=35487 sockfd=8

  Client connecting to the Tox-server

  This command connects to the server and sets up local port forwarding.
  

  christoph@christoph-ThinkPad-L580:~/Documents/InterestingStuff/remoteConnection$ TUNTOX_SHARED_SECRET=hellohello ./tuntox-x64 -i 6611AA8F892AC73A88C43379C0CA31F1FDA58EED917D970846A43A45BF664966E48678E3ABB1 -L 2222:127.0.0.1:22
  2020-06-06 17:14:32: [DEBUG]	Server whitelist mode enabled
  2020-06-06 17:14:32: [INFO]	Tuntox built from git commit 896775c6089baa24edee06e04f5b83c3bb3bef5d
  2020-06-06 17:14:32: [INFO]	Using 17636 for TCP relay port and 56728-56738 for UDP
  2020-06-06 17:14:32: [INFO]	Connecting to Tox...
  2020-06-06 17:14:40: [INFO]	Connection status changed: An UDP connection has been established
  2020-06-06 17:14:40: [INFO]	Connected. Sending friend request.
  2020-06-06 17:14:40: [INFO]	Waiting for friend to accept us...
  2020-06-06 17:14:53: [INFO]	Friend request accepted (A TCP connection has been established (via TCP relay))!
  2020-06-06 17:16:06: [INFO]	Accepting a new connection - requesting tunnel...
  2020-06-06 17:16:06: [INFO]	Sending packet to friend #0 to forward 127.0.0.1:22
  2020-06-06 17:16:06: [INFO]	Created a new tunnel object connid=35487 sockfd=7
  2020-06-06 17:16:06: [INFO]	Accepted a new connection on port 2222

   In another window, the client can now make a SSH connection on port 2222 which will be forwarded to the Tox-server's port 22.

  christoph@christoph-ThinkPad-L580:~/Documents/InterestingStuff/remoteConnection$ ssh -p 2222 ubuntu@localhost
  The authenticity of host '[localhost]:2222 ([127.0.0.1]:2222)' can't be established.
  ECDSA key fingerprint is SHA256:DsYVUlf605cdhz55Anl14mqYHqnV7ZKEcm4O0xyTaOk.
  Are you sure you want to continue connecting (yes/no)? yes
  Warning: Permanently added '[localhost]:2222' (ECDSA) to the list of known hosts.
  Last login: Sat Jun  6 15:10:44 2020
  ubuntu@wandboard:~$ 

   Well, that wasn't hard, was it?  The connection seems to be lagging a bit.
  

• VNC

  Christoph Tack • 06/06/2020 at 10:05 • 0 comments

  I planned to follow this guide.
  

  ubuntu@wandboard:~$ sudo apt install tightvncserver
  Reading package lists... Done
  Building dependency tree       
  Reading state information... Done
  The following additional packages will be installed:
    libdrm-amdgpu1 libdrm-common libdrm-nouveau2 libdrm-radeon1 libdrm2 libfontenc1 libgl1 libgl1-mesa-dri libglapi-mesa libglvnd0 libglx-mesa0 libglx0 libice6 libllvm9 libsensors-config libsensors5
    libsm6 libx11-xcb1 libxaw7 libxcb-dri2-0 libxcb-dri3-0 libxcb-glx0 libxcb-present0 libxcb-shape0 libxcb-sync1 libxcomposite1 libxcursor1 libxdamage1 libxext6 libxfixes3 libxft2 libxi6 libxinerama1
    libxkbfile1 libxmu6 libxmuu1 libxrandr2 libxrender1 libxshmfence1 libxt6 libxtst6 libxv1 libxxf86dga1 libxxf86vm1 x11-common x11-utils x11-xserver-utils xauth xfonts-base xfonts-encodings xfonts-utils
  Suggested packages:
    lm-sensors tightvnc-java mesa-utils nickle cairo-5c xorg-docs-core
  The following NEW packages will be installed:
    libdrm-amdgpu1 libdrm-common libdrm-nouveau2 libdrm-radeon1 libdrm2 libfontenc1 libgl1 libgl1-mesa-dri libglapi-mesa libglvnd0 libglx-mesa0 libglx0 libice6 libllvm9 libsensors-config libsensors5
    libsm6 libx11-xcb1 libxaw7 libxcb-dri2-0 libxcb-dri3-0 libxcb-glx0 libxcb-present0 libxcb-shape0 libxcb-sync1 libxcomposite1 libxcursor1 libxdamage1 libxext6 libxfixes3 libxft2 libxi6 libxinerama1
    libxkbfile1 libxmu6 libxmuu1 libxrandr2 libxrender1 libxshmfence1 libxt6 libxtst6 libxv1 libxxf86dga1 libxxf86vm1 tightvncserver x11-common x11-utils x11-xserver-utils xauth xfonts-base
    xfonts-encodings xfonts-utils
  0 upgraded, 52 newly installed, 0 to remove and 0 not upgraded.
  Need to get 27.5 MB of archives.
  After this operation, 482 MB of additional disk space will be used.
  Do you want to continue? [Y/n] n 

  482MB for a VNC-server? Really? No, thank you.

  Vino VNC-server is even worse: 903MB.  x11vnc is also 482MB.  TigerVNC is 483MB. directVNC is 474MB.
  The actual VNC-server is smaller than 0.5GB of course but it needs the graphical environment, which makes up most of the download.
  

• Tor

  Christoph Tack • 06/02/2020 at 20:02 • 0 comments

  Install Tor

  From ubuntu repository

  Installing from Ubuntu repository is the easiest, but if you want to make hidden services work with authentication, you'll need a more recent version.
  

  ubuntu@wandboard:~$ sudo apt install tor

  From tor repository

  Add the correct version to /etc/apt/sources.list (see Beginner’s Guide to Tor on Ubuntu).
  

  Tor key fingerprints : https://2019.www.torproject.org/docs/signing-keys.html.en

  christoph@christoph-ThinkPad-L580:~$ curl https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --import
    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                   Dload  Upload   Total   Spent    Left  Speed
  100 19665  100 19665    0     0  61839      0 --:--:-- --:--:-- --:--:-- 61839
  gpg: key EE8CBC9E886DDD89: 36 signatures not checked due to missing keys
  gpg: key EE8CBC9E886DDD89: public key "deb.torproject.org archive signing key" imported
  gpg: Total number processed: 1
  gpg:               imported: 1
  gpg: public key of ultimately trusted key 04C9A9E2D54E852C not found
  gpg: marginals needed: 3  completes needed: 1  trust model: pgp
  gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
  christoph@christoph-ThinkPad-L580:~$ gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -
  OK
  christoph@christoph-ThinkPad-L580:~$ sudo apt-get update
  ...
  christoph@christoph-ThinkPad-L580:~$ sudo apt-get install tor deb.torproject.org-keyring
  ...
  christoph@christoph-ThinkPad-L580:~$ tor --version
  Tor version 0.4.3.5.

  Configuring Tor

  On Beginner’s Guide to Tor on Ubuntu it's explained how to put a password on the control port.  We'll leave the control port disabled.
  

  SSH login with Tor

  This is explained well in Building a Tor Hidden Service From Scratch.
  

  If you use this command, you should change the username, the path, the ssh-key and the name of your onion-domain.
  

  christoph@christoph-ThinkPad-L580:~$ ssh -o VerifyHostKeyDNS=no -o User=ubuntu -o CheckHostIP=no\
  >     -o IdentitiesOnly=yes \
  >     -o ProxyCommand="nc -X 5 -x localhost:9050 %h %p" \
  >     -i ~/.ssh/sshhs1.rsa af66kcmtrfqp6de7wfmfhou5pfrtxqbxtbwpryxl4tuixa5qfe55kkid.onion
  Last login: Wed Jun  3 18:45:01 2020
  ubuntu@wandboard:~$ 

   It's easier to put it all in ~/.ssh/config of christoph@christoph-ThinkPad-L580:
  

  Host myOnion
        Hostname af66kcmtrfqp6de7wfmfhou5pfrtxqbxtbwpryxl4tuixa5qfe55kkid.onion
        User ubuntu
        IdentityFile ~/.ssh/sshhs1.rsa
        ProxyCommand nc -X 5 -x localhost:9050 %h %p
        VerifyHostKeyDNS no
        CheckHostIP no
        IdentitiesOnly yes

  Then connection is as simple as:

  christoph@christoph-ThinkPad-L580:~$ ssh myOnion
  Last login: Wed Jun  3 19:01:32 2020 from 127.0.0.1
  ubuntu@wandboard:~$  
  

  Client authentication

  Configuring Onion service version 3 explains how to do it.  On client side, make sure to set the access rights for the ClientAuthDir correctly.

  root@christoph-ThinkPad-L580:/var/lib/tor# ls -l
  total 7936
  -rw------- 1 debian-tor debian-tor   20442 jun  2 21:33 cached-certs
  -rw------- 1 debian-tor debian-tor 2128913 jun  5 20:15 cached-microdesc-consensus
  -rw------- 1 debian-tor debian-tor 5381686 jun  2 22:03 cached-microdescs
  -rw------- 1 debian-tor debian-tor  573384 jun  5 20:25 cached-microdescs.new
  drwxr-sr-x 2 debian-tor debian-tor    4096 jun  5 21:52 client-auth
  drwx--S--- 2 debian-tor debian-tor    4096 jun  5 20:15 keys
  -rw------- 1 debian-tor debian-tor       0 jun  5 20:15 lock
  -rw------- 1 debian-tor debian-tor    7449 jun  5 21:33 state

   /var/lib/tor/client-auth was owned by "root".  That didn't work. 
  

• Zeroconf

  Christoph Tack • 05/30/2020 at 13:01 • 0 comments

  SSH-connections to the wandboard are great, but you need to know the IP-address in advance.  This becomes difficult in networks with a DHCP-server.  It would be easy if you could just call your device by its name.  No matter what IP-address it has.  Luckily in Linux, you can do that.

  Setting your hostname

  The default hostname for the wandboard is arm.  Let's change that to wandboard.
  

  ubuntu@arm:~$ hostname
  arm
  ubuntu@arm:~$ sudo hostnamectl set-hostname wandboard
  ubuntu@arm:~$ hostname
  wandboard
  ubuntu@arm:~$ 

   Reboot the wandboard.

  Establishing a remote connection to the wandboard

  There's no need to know the IP-address.

  christoph@christoph-ThinkPad-L580:~$ ssh ubuntu@wandboard.local
  The authenticity of host 'wandboard.local (192.168.1.8)' can't be established.
  ECDSA key fingerprint is SHA256:DsYVUlf605cdhz55Anl14mqYHqnV7ZKEcm4O0xyTaOk.
  Are you sure you want to continue connecting (yes/no)? yes
  Warning: Permanently added 'wandboard.local' (ECDSA) to the list of known hosts.
  Last login: Sat May 30 12:58:22 2020
  ubuntu@wandboard:~$ 

  Correcting hosts file

  The Wandboard's /etc/hosts file will still contain the entries for arm.  One of the problems with that is that sudo will not be able to resolve the name.  Every sudo command will take about 30s to authenticate.  The solution is simple.  Open the Wandboard's /etc/hosts file and replace arm by wandboard.

  root@wandboard:~# cat /etc/hosts
  127.0.0.1       localhost
  127.0.1.1       wandboard.localdomain   wandboard
  
  # The following lines are desirable for IPv6 capable hosts
  ::1     localhost ip6-localhost ip6-loopback
  ff02::1 ip6-allnodes
  ff02::2 ip6-allrouters

• WiFi

  Christoph Tack • 05/26/2020 at 19:44 • 0 comments

  Broadcom BCM4330 driver

  This one uses the Broadcom BCM4330.  Be sure to use the correct firmware-file and NVRAM-file.  These are the ones that worked for me:
  

  ubuntu@arm:~$ sha256sum /lib/firmware/brcm/brcmfmac4330-sdio.bin
  004eb91ba7f1cd6eaf57b51f90d8004c5663c38175a8a9314a4e2f574cbfbd14  /lib/firmware/brcm/brcmfmac4330-sdio.bin
  ubuntu@arm:~$ sha256sum /lib/firmware/brcm/brcmfmac4330-sdio.txt 
  240cb4cbfb37cf516cb6df6373e6fb573ee45e14a22a565bf7d60f42fc40bdd8  /lib/firmware/brcm/brcmfmac4330-sdio.txt
  

  There should be some logging messages:
  

  ubuntu@arm:~$ dmesg | grep brcmf
  [   17.644303] brcmfmac: brcmf_fw_alloc_request: using brcm/brcmfmac4330-sdio for chip BCM4330/4
  [   17.644638] usbcore: registered new interface driver brcmfmac
  [   17.693124] brcmfmac mmc1:0001:1: Direct firmware load for brcm/brcmfmac4330-sdio.wand,imx6q-wandboard.txt failed with error -2
  [   17.981990] brcmfmac: brcmf_fw_alloc_request: using brcm/brcmfmac4330-sdio for chip BCM4330/4
  [   17.982083] brcmfmac: brcmf_c_process_clm_blob: no clm_blob available (err=-2), device may have limited channels available
  [   17.982727] brcmfmac: brcmf_c_preinit_dcmds: Firmware: BCM4330/4 wl0: Oct 25 2011 19:34:12 version 5.90.125.104
  [   19.875155] ieee80211 phy0: brcmf_p2p_create_p2pdev: timeout occurred
  [   19.881689] ieee80211 phy0: brcmf_cfg80211_add_iface: add iface p2p-dev-wlan0 type 10 failed: err=-5
  

   Don't panic.  The wandboard connects to the AP, even though there seem to be some errors.
  

  Check that wlan0 exists now:

  ubuntu@arm:~$ ip link
  1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
      link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
  2: eth0: <NO-CARRIER,BROADCAST,MULTICAST,DYNAMIC,UP> mtu 1500 qdisc fq_codel state DOWN mode DEFAULT group default qlen 1000
      link/ether 00:1f:7b:b4:11:ef brd ff:ff:ff:ff:ff:ff
  3: wlan0: <BROADCAST,MULTICAST,DYNAMIC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
      link/ether fc:4d:d4:c5:17:ac brd ff:ff:ff:ff:ff:ff

  
  

  Connman

  This is the active command-line network manager.  Tips for practical use can be found on the ArchWiki.
  Just follow the steps to connect to an access point.  Once done, the DHCP-server should have assigned you an IP-address:

  ubuntu@wandboard:~$ ifconfig wlan0
  wlan0: flags=-28605<UP,BROADCAST,RUNNING,MULTICAST,DYNAMIC>  mtu 1500
          inet 192.168.1.6  netmask 255.255.255.0  broadcast 192.168.1.255
          inet6 fe80::fe4d:d4ff:fec5:17ac  prefixlen 64  scopeid 0x20<link>
          ether fc:4d:d4:c5:17:ac  txqueuelen 1000  (Ethernet)
          RX packets 255  bytes 31958 (31.9 KB)
          RX errors 0  dropped 0  overruns 0  frame 0
          TX packets 224  bytes 27296 (27.2 KB)
          TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

  Pinging and DNS should work as well:

  ubuntu@wandboard:~$ ping -c3 google.com
  PING google.com (172.217.168.238) 56(84) bytes of data.
  64 bytes from ams15s40-in-f14.1e100.net (172.217.168.238): icmp_seq=1 ttl=54 time=30.9 ms
  64 bytes from ams15s40-in-f14.1e100.net (172.217.168.238): icmp_seq=2 ttl=54 time=34.3 ms
  64 bytes from ams15s40-in-f14.1e100.net (172.217.168.238): icmp_seq=3 ttl=54 time=33.1 ms
  
  --- google.com ping statistics ---
  3 packets transmitted, 3 received, 0% packet loss, time 2003ms
  rtt min/avg/max/mdev = 30.943/32.773/34.295/1.385 ms

   Remarks

  • It's not necessary to install rfkill.  You might be tempted to use it to unblock wifi. but connman handles that.
  • Don't edit /etc/resolv.conf.  Connmand will overwrite it.
  • Don't edit /etc/network/interfaces.  You could add info there about wifi networks, you'd better let that be handled by connman.
  • There's no need to create any wpa_supplicant.conf file as suggested in some fora.

• Remote Access

  Christoph Tack • 05/22/2020 at 17:19 • 0 comments

  How to make a connection from the internet to your wandboard when it's behind a router/NAT?  I see four options:
  

  1. Reverse-SSH tunnel
  2. Tor as a hidden service
  3. P2P network:
     1. Tox TCP Tunnel
     2. n2n
  4. 3rd party network
  5. Router port forwarding
  6. DMZ

  I'll only handle reverse SSH tunneling here, because it avoids fiddling with your router settings.
  

  1. SSH Remote port forwarding / Reverse SSH tunneling

  Using Serveo.net almost any port can be forwarded.  In the following example port 22 (SSH) will be forwarded with serveo.net used as a jump server.  It's also explained here.

  Serveo.net might not be up all the time.  Check here.
  

  This command instructs Serveo.net to forward incoming SSH-connections (on port 22) destined for the alias "wandboard" (the first wandboard in the command) to the localhost (which is the wandboard) (also on port 22). 
  

  The alias "wandboard" in the command is free for you to choose. The following command must be run from your wandboard:
  

  ubuntu@arm:~$ ssh -R wandboard:22:localhost:22 serveo.net                                                                                                                                                   
  Forwarding SSH traffic from alias "wandboard"
  Press g to start a GUI session and ctrl-c to quit.
  

  Remark that this command will lock up your terminal if you don't add an &.

  If you want to make this connection persistent, you might want to use autossh.
  

   On your local machine, which could be located anywhere on the internet, you execute the following command:

  christoph@christoph-ThinkPad-L580:~$ ssh -J serveo.net ubuntu@wandboard
  Last login: Fri May 22 17:03:39 2020
  ubuntu@arm:~$ 
  

  This command makes an SSH-connection to serveo.net, which in turn connects us through to ubuntu@wandboard.
  

  Weaved, Dataplicity, ngrok, pitunnel offer similar services.  But they require registration and the execution of some sort of script.

  Teleconsole can be used to share terminal sessions between users and port forwarding.  Basically, it's just an SSH-proxy.
  

  2. TOR as a hidden service

  The disadvantage is that the client side must also use Tor to make a connection.  For more info see Tor project log. Tor is also quite slow.
  

  3. Router port forwarding

  For connection through cellular networks, this is not possible because you have no access to the router.
  

  1. You need access to the configuration of your router.  This will most likely only be possible on your own home network.
  2. Each forwarded port must be setup separately in the router.
  3. You might have to assign a static IP-address to the Wandboard.
  4. The additional problem is that you'll probably don't have a static IP-address, so you'll have to use some Dynamic-DNS service such as Duck-DNS.

  • Setting Up Raspberry Pi Port Forwarding
  • Configure Your Router's Port Forwarding

  4. 3rd party network

  • Zerotier
  • Remote.it
    
  • Husarnet

  5. DMZ

  This fully exposes your wandboard to the internet.  I don't see a reason in taking this risk.
  

• SSH

  Christoph Tack • 05/22/2020 at 15:48 • 0 comments

  You might also want to try MOSH.

  • OpenSSH security and hardening
  • 5 Linux SSH Security Best Practices to Secure Your Systems
  • How To Configure SSH Key-Based Authentication on a Linux Server

  Checking SSH key-fingerprints

  christoph@christoph-ThinkPad-L580:~$ ssh -o "ProxyCommand nc -X 5 -x 127.0.0.1:9050 %h %p" af66kcmtrfqp6de7wfmfhou5pfrtxqbxtbwpryxl4tuixa5qfe55kkid.onion
  The authenticity of host 'af66kcmtrfqp6de7wfmfhou5pfrtxqbxtbwpryxl4tuixa5qfe55kkid.onion (<no hostip for proxy command>)' can't be established.
  ECDSA key fingerprint is SHA256:DsYVUlf605cdhz55Anl14mqYHqnV7ZKEcm4O0xyTaOk.
  Are you sure you want to continue connecting (yes/no)? yes

  You should only type "yes" after verifying the key fingerprint of the host.  This can be done by typing the following command on the host side.  First check the correct key algorithm and then show its fingerprint.

  ubuntu@wandboard:~$ sudo ssh-keygen -l -f /etc/ssh/
  moduli                    ssh_config.d/             ssh_host_ecdsa_key.pub    ssh_host_ed25519_key.pub  ssh_host_rsa_key.pub      sshd_config.d/            
  ssh_config                ssh_host_ecdsa_key        ssh_host_ed25519_key      ssh_host_rsa_key          sshd_config               
  ubuntu@wandboard:~$ sudo ssh-keygen -l -f /etc/ssh/ssh_host_ecdsa_key
  256 SHA256:DsYVUlf605cdhz55Anl14mqYHqnV7ZKEcm4O0xyTaOk root@arm (ECDSA)

  Creating SSH-keys

  christoph@christoph-ThinkPad-L580:~$ ssh-keygen -b 4096 -t rsa -C "myKey" -f ~/.ssh/sshhs1.rsa
  Generating public/private rsa key pair.
  Enter passphrase (empty for no passphrase): 
  Enter same passphrase again: 
  Your identification has been saved in /home/christoph/.ssh/sshhs1.rsa.
  Your public key has been saved in /home/christoph/.ssh/sshhs1.rsa.pub.
  The key fingerprint is:
  SHA256:dBZqUfK7f4L+U36rc7ZPws+uKCJtUihO7fKrS9V4yKg myKey
  The key's randomart image is:
  +---[RSA 4096]----+
  |        o.o      |
  |         = .     |
  |        + +      |
  |     o * o .     |
  |    ..=.S .      |
  |   .o.o..  . ..  |
  |  Eo.o o  .. oo .|
  |   .o + + o.oooB.|
  |    o=o= o.o+=**O|
  +----[SHA256]-----+

  Copying SSH-key to the remote server

  You should already have a working SSH-connection for that user on that server to do this.
  

  christoph@christoph-ThinkPad-L580:~$ ssh-copy-id -o VerifyHostKeyDNS=no -o User=ubuntu -o CheckHostIP=no    -o ProxyCommand="nc -X 5 -x localhost:9050 %h %p"     -i ~/.ssh/sshhs1.rsa af66kcmtrfqp6de7wfmfhou5pfrtxqbxtbwpryxl4tuixa5qfe55kkid.onion
  /usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/christoph/.ssh/sshhs1.rsa.pub"
  /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
  /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
  
  Number of key(s) added: 1
  
  Now try logging into the machine, with:   "ssh -o 'VerifyHostKeyDNS=no' -o 'User=ubuntu' -o 'CheckHostIP=no' -o 'ProxyCommand=nc -X 5 -x localhost:9050 %h %p' 'af66kcmtrfqp6de7wfmfhou5pfrtxqbxtbwpryxl4tuixa5qfe55kkid.onion'"
  and check to make sure that only the key(s) you wanted were added.
  

  Easy file transfer

  There's no need to use scp over the command line. 
  

View all 11 project logs