Saturday, December 7, 2019

automount sshfs with passphrase enabled key

There are many articles on mounting sshfs with autofs, but most of them use an "empty" passphrase. I came up with a way to use a key with a passphrase enabled. Here is a memo for my future self.


Saturday, February 9, 2019

Building ROCm on Gentoo

ROCm is a platform for using AMD GPUs for computing. Most of its components are open source. HIP, which is part of ROCm, makes it possible to compile CUDA source.

Tuesday, June 12, 2018

A note on configuring the in-wall WiFi access point WAP-102S

I purchased 5 of the in-wall access point WAP-102S from PG-Direct. As of today it is only 680 JPY; I bought it for 980 JPY :-(

According to the article, the AP does not offer any settings GUI; it only works as a WiFi router and cannot be an access point. But the catalogue says it is configurable.
After trying, I was able to configure it as an AP.

Tuesday, July 4, 2017

DDNS Site-to-Site IPsec VPN by Ubiquiti Networks EdgeRouter ER-X

I've been using the ER-X from Ubiquiti Networks for more than half a year. It comes in a metal chassis and its functionality is as solid as it looks, even though it costs less than $50. One is used in my house and the other in my parents' house.

Now it is time to establish a site-to-site IPsec VPN. Google says that site-to-site IPsec with DDNS is troublesome.

To be honest, I have 3 more ER-X for trying this site-to-site VPN without breaking the existing internet connection, so I have 5 ER-X in total 😀. The ER-X on the left of the picture emulates the ISP and the internet: it offers PPPoE service and DNS. The two ER-X on the right correspond to the routers in my home and my parents' home. After this experiment, some will be sent to my brothers.



As far as I have learned from many posts, using a pre-shared key (PSK) with DDNS is the source of trouble. PSK only works well when an IP address is used to identify the remote site.

When one needs to establish a site-to-site VPN and both sides use DDNS, RSA or x509 authentication looks promising.
The post on the Ubiquiti forum looked attractive to me, but it uses VTI and its settings were not sufficient for my case.

Here is what I found working on my test bench. Note that the firmware version is 1.9.1.1.
site0 local network: 192.168.20.0/24, DDNS of WAN: site0.example.net
site1 local network: 192.168.30.0/24, DDNS of WAN: site1.example.net

Preparing an RSA key on both sides

In the CLI of both sites, run the following command to generate an RSA key.
ubnt@site0:~$ generate vpn rsa-key bits 4096

Generating rsa-key to /config/ipsec.d/rsa-keys/localhost.key

Your new local RSA key has been generated
The public portion of the key is:

SOME_VERY_LONG_STRING
You need to copy SOME_VERY_LONG_STRING to a local text file.


Register the public key of the counterpart

On site0,
configure
set vpn rsa-keys local-key file /config/ipsec.d/rsa-keys/localhost.key
set vpn rsa-keys rsa-key-name site1 rsa-key SOME_VERY_LONG_STRING_SHOWN_IN_SITE1
commit

On site1,

configure
set vpn rsa-keys local-key file /config/ipsec.d/rsa-keys/localhost.key
set vpn rsa-keys rsa-key-name site0 rsa-key SOME_VERY_LONG_STRING_SHOWN_IN_SITE0
commit

Open Firewall for remote site

Surprisingly, packets from the remote site arrive via pppoe0 (or whatever interface you use to connect to the internet). Usually the interface used for the internet connection has the strictest rules, so a rule to accept such packets is necessary. (configure, commit, and save are omitted in the following listings.)

On site0,
set firewall name WAN_LOCAL rule 60 action accept
set firewall name WAN_LOCAL rule 60 description FromSite1
set firewall name WAN_LOCAL rule 60 destination address 192.168.20.0/24
set firewall name WAN_LOCAL rule 60 log disable
set firewall name WAN_LOCAL rule 60 protocol all
set firewall name WAN_LOCAL rule 60 source address 192.168.30.0/24
On site1,
set firewall name WAN_LOCAL rule 60 action accept
set firewall name WAN_LOCAL rule 60 description FromSite0
set firewall name WAN_LOCAL rule 60 destination address 192.168.30.0/24
set firewall name WAN_LOCAL rule 60 log disable
set firewall name WAN_LOCAL rule 60 protocol all
set firewall name WAN_LOCAL rule 60 source address 192.168.20.0/24

Notice that "WAN_LOCAL" and "rule 60" depend on your configuration, so adding the rule via the GUI is much easier.

Configure other VPN settings

On site0,
set vpn ipsec auto-firewall-nat-exclude enable
set vpn ipsec esp-group FOO0 compression disable
set vpn ipsec esp-group FOO0 lifetime 3600
set vpn ipsec esp-group FOO0 mode tunnel
set vpn ipsec esp-group FOO0 pfs enable
set vpn ipsec esp-group FOO0 proposal 1 encryption aes128
set vpn ipsec esp-group FOO0 proposal 1 hash sha1
set vpn ipsec ike-group FOO0 ikev2-reauth no
set vpn ipsec ike-group FOO0 key-exchange ikev1
set vpn ipsec ike-group FOO0 lifetime 28800
set vpn ipsec ike-group FOO0 proposal 1 dh-group 14
set vpn ipsec ike-group FOO0 proposal 1 encryption aes128
set vpn ipsec ike-group FOO0 proposal 1 hash sha1
set vpn ipsec site-to-site peer site1.example.com authentication id site0
set vpn ipsec site-to-site peer site1.example.com authentication mode rsa
set vpn ipsec site-to-site peer site1.example.com authentication remote-id site1
set vpn ipsec site-to-site peer site1.example.com authentication rsa-key-name site1
set vpn ipsec site-to-site peer site1.example.com connection-type initiate
set vpn ipsec site-to-site peer site1.example.com description ToSite1
set vpn ipsec site-to-site peer site1.example.com ike-group FOO0
set vpn ipsec site-to-site peer site1.example.com ikev2-reauth inherit
set vpn ipsec site-to-site peer site1.example.com local-address any
set vpn ipsec site-to-site peer site1.example.com tunnel 1 allow-nat-networks disable
set vpn ipsec site-to-site peer site1.example.com tunnel 1 allow-public-networks disable
set vpn ipsec site-to-site peer site1.example.com tunnel 1 esp-group FOO0
set vpn ipsec site-to-site peer site1.example.com tunnel 1 local prefix 192.168.20.0/24
set vpn ipsec site-to-site peer site1.example.com tunnel 1 remote prefix 192.168.30.0/24

On site1,
set vpn ipsec auto-firewall-nat-exclude enable
set vpn ipsec esp-group FOO0 compression disable
set vpn ipsec esp-group FOO0 lifetime 3600
set vpn ipsec esp-group FOO0 mode tunnel
set vpn ipsec esp-group FOO0 pfs enable
set vpn ipsec esp-group FOO0 proposal 1 encryption aes128
set vpn ipsec esp-group FOO0 proposal 1 hash sha1
set vpn ipsec ike-group FOO0 ikev2-reauth no
set vpn ipsec ike-group FOO0 key-exchange ikev1
set vpn ipsec ike-group FOO0 lifetime 28800
set vpn ipsec ike-group FOO0 proposal 1 dh-group 14
set vpn ipsec ike-group FOO0 proposal 1 encryption aes128
set vpn ipsec ike-group FOO0 proposal 1 hash sha1
set vpn ipsec site-to-site peer site0.example.com authentication id site1
set vpn ipsec site-to-site peer site0.example.com authentication mode rsa
set vpn ipsec site-to-site peer site0.example.com authentication remote-id site0
set vpn ipsec site-to-site peer site0.example.com authentication rsa-key-name site0
set vpn ipsec site-to-site peer site0.example.com connection-type initiate
set vpn ipsec site-to-site peer site0.example.com description ToSite0
set vpn ipsec site-to-site peer site0.example.com ike-group FOO0
set vpn ipsec site-to-site peer site0.example.com ikev2-reauth inherit
set vpn ipsec site-to-site peer site0.example.com local-address any
set vpn ipsec site-to-site peer site0.example.com tunnel 1 allow-nat-networks disable
set vpn ipsec site-to-site peer site0.example.com tunnel 1 allow-public-networks disable
set vpn ipsec site-to-site peer site0.example.com tunnel 1 esp-group FOO0
set vpn ipsec site-to-site peer site0.example.com tunnel 1 local prefix 192.168.30.0/24
set vpn ipsec site-to-site peer site0.example.com tunnel 1 remote prefix 192.168.20.0/24

The settings shown in brown are the ones I found necessary for the two sites to connect to each other.
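The two listings above must be exact mirror images of each other: site0's "authentication id" has to be what site1 configures as "remote-id" and as "rsa-key-name", the tunnel's local and remote prefixes have to be swapped, and the WAN_LOCAL accept rule should be scoped to exactly those two prefixes. Typos in any of these are the usual reason a DDNS/RSA tunnel refuses to come up. The following is an added example (not code from the post or from EdgeOS) that parses "set" lines from both routers and reports any cross-reference that does not match. SITE0 and SITE1 are constructed from the lines in the post; the parser assumes one site-to-site peer per router and EdgeOS's "set key ... value" line format as shown above. It also lists the settings a reviewer would flag as legacy choices (IKEv1 and SHA-1), without changing them.

```python
"""Mirror-consistency check for a pair of EdgeRouter site-to-site IPsec
configurations given as "set ..." lines. Added example; not part of the post.
"""
import re
from collections import defaultdict

# Constructed input: the lines from the post that must mirror each other.
SITE0 = """
set firewall name WAN_LOCAL rule 60 action accept
set firewall name WAN_LOCAL rule 60 destination address 192.168.20.0/24
set firewall name WAN_LOCAL rule 60 source address 192.168.30.0/24
set vpn ipsec ike-group FOO0 key-exchange ikev1
set vpn ipsec ike-group FOO0 proposal 1 hash sha1
set vpn ipsec esp-group FOO0 proposal 1 hash sha1
set vpn ipsec site-to-site peer site1.example.com authentication id site0
set vpn ipsec site-to-site peer site1.example.com authentication mode rsa
set vpn ipsec site-to-site peer site1.example.com authentication remote-id site1
set vpn ipsec site-to-site peer site1.example.com authentication rsa-key-name site1
set vpn ipsec site-to-site peer site1.example.com tunnel 1 local prefix 192.168.20.0/24
set vpn ipsec site-to-site peer site1.example.com tunnel 1 remote prefix 192.168.30.0/24
"""

SITE1 = """
set firewall name WAN_LOCAL rule 60 action accept
set firewall name WAN_LOCAL rule 60 destination address 192.168.30.0/24
set firewall name WAN_LOCAL rule 60 source address 192.168.20.0/24
set vpn ipsec ike-group FOO0 key-exchange ikev1
set vpn ipsec ike-group FOO0 proposal 1 hash sha1
set vpn ipsec esp-group FOO0 proposal 1 hash sha1
set vpn ipsec site-to-site peer site0.example.com authentication id site1
set vpn ipsec site-to-site peer site0.example.com authentication mode rsa
set vpn ipsec site-to-site peer site0.example.com authentication remote-id site0
set vpn ipsec site-to-site peer site0.example.com authentication rsa-key-name site0
set vpn ipsec site-to-site peer site0.example.com tunnel 1 local prefix 192.168.30.0/24
set vpn ipsec site-to-site peer site0.example.com tunnel 1 remote prefix 192.168.20.0/24
"""

PEER_PREFIX = "vpn ipsec site-to-site peer "
FW_RE = re.compile(r"^firewall name \S+ rule \d+ (source|destination) address$")
# Choices in the post that a reviewer would flag as legacy (reported, not rejected).
LEGACY = {("key-exchange", "ikev1"), ("hash", "sha1")}


def parse_set_lines(text):
    """Map each 'set a b c VALUE' line to {'a b c': 'VALUE'}."""
    cfg = {}
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) >= 3 and tokens[0] == "set":
            cfg[" ".join(tokens[1:-1])] = tokens[-1]
    return cfg


def peer_attrs(cfg):
    """Return {attribute: value} of the single site-to-site peer in cfg."""
    peers = defaultdict(dict)
    for key, value in cfg.items():
        if key.startswith(PEER_PREFIX):
            name, _, attr = key[len(PEER_PREFIX):].partition(" ")
            peers[name][attr] = value
    if len(peers) != 1:
        raise ValueError("this example expects exactly one peer per site")
    return next(iter(peers.values()))


def firewall_scope(cfg):
    """Return {'source': prefix, 'destination': prefix} of the WAN accept rule."""
    scope = {}
    for key, value in cfg.items():
        m = FW_RE.match(key)
        if m:
            scope[m.group(1)] = value
    return scope


def legacy_settings(cfg):
    """List (key, value) pairs whose last word and value match a LEGACY choice."""
    return sorted((k, v) for k, v in cfg.items()
                  if any(k.endswith(word) and v == val for word, val in LEGACY))


def check_pair(text_a, text_b):
    """Cross-check two site configs; return {'problems': [...], 'notes': [...]}."""
    cfg_a, cfg_b = parse_set_lines(text_a), parse_set_lines(text_b)
    problems = []
    for mine, theirs, tag in ((cfg_a, cfg_b, "A"), (cfg_b, cfg_a, "B")):
        p, q = peer_attrs(mine), peer_attrs(theirs)
        # Identity: what I claim to be is what the peer expects and keys on.
        for attr in ("authentication remote-id", "authentication rsa-key-name"):
            if q.get(attr) != p.get("authentication id"):
                problems.append(f"{tag}: id {p.get('authentication id')} != peer's {attr} {q.get(attr)}")
        if p.get("authentication mode") != "rsa":
            problems.append(f"{tag}: authentication mode is not rsa")
        # Prefixes: my local prefix must be the peer's remote prefix.
        if p.get("tunnel 1 local prefix") != q.get("tunnel 1 remote prefix"):
            problems.append(f"{tag}: local prefix {p.get('tunnel 1 local prefix')} is not the peer's remote prefix")
        # Firewall: the accept rule admits only remote-prefix -> local-prefix traffic.
        fw = firewall_scope(mine)
        if fw.get("source") != p.get("tunnel 1 remote prefix") or fw.get("destination") != p.get("tunnel 1 local prefix"):
            problems.append(f"{tag}: WAN accept rule {fw} is not scoped to the tunnel prefixes")
    notes = [f"{tag}: {k} {v}" for tag, cfg in (("A", cfg_a), ("B", cfg_b)) for k, v in legacy_settings(cfg)]
    return {"problems": problems, "notes": notes}


if __name__ == "__main__":
    result = check_pair(SITE0, SITE1)
    print("problems:", result["problems"] or "none")
    for note in result["notes"]:
        print("legacy setting:", note)
```

Run it against the two sets of "set" lines copied from `show configuration commands` on each router; an empty problem list means the identities, key names and prefixes agree, and the notes list shows where the proposal still relies on IKEv1 or SHA-1.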

Good luck!

Sunday, July 2, 2017

DNS Hosting and DDNS of changeip.com

Recently I registered a domain and wanted to use it for Dynamic DNS.
I googled for DDNS services that allow using my own domain.
Some services cost more than $10/month, which seems to be aimed at business use.


I found that ChangeIP offers DNS hosting for $9/year and DDNS for $6/year, which is the cheapest service I could find for using my own domain.

I hit a problem: my domain was not shown on their web control panel even after I had paid the fee and delegated authority to changeip.com's DNS servers.
I asked via their support ticket; they answered promptly and fixed my problem.
Of course no issue is better, but quick and correct support is still impressive.


Overall

I'm satisfied with the service. I hope more people use it, so that their business succeeds and I can keep using the service at this good price 😄

Pros:

  • Competitive price ($9/year for DNS hosting and $6/year for DDNS of the domain)
  • Rapid DDNS update (TTL is 30 sec, which I've never seen in free DDNS services)
  • Quick support
  • Useful knowledge base

Cons:

  • No wizard or easy tutorial for the initial setup
    • The knowledge base is good, but a standard manual would be helpful.

Monday, September 19, 2016

RISC-V on JCPU

RISC-V has been attracting attention from users recently, especially after the acquisition of ARM by Softbank.

The RISC-V specification is well documented. I found its ISA very simple and suitable for a high-performance microarchitecture; no flags are necessary for conditional branches.

I saw "Hello world" of RISC-V on JCPU within a day! Although only user-mode 32-bit integer instructions are implemented, I don't see any difficulty in supporting further instructions.

The biggest hurdle I'm struggling with is upgrading LLVM. After LLVM 3.6, the old JIT was removed and only MCJIT is available. MCJIT does not allow adding a function to a module once the module has been compiled, which is crucial for my use: I need to build a module for each code block of the target program.
The change takes time, which I don't have ;-)

While writing a test bench for RISC-V, I found a very easy-to-use ELF loading library, ELFIO. It really is handy because it is header-only and written in C++.

Monday, November 17, 2014

When the zpool create command fails

When you try to create a pool on a whole disk rather than a partition, the zpool command automatically creates a partition.
But sometimes the command fails and emits the following error message.
the kernel failed to rescan the partition table: 16
cannot label 'sdc': try using parted(8) and then provide a specific slice: -1

As described in the ArchWiki, this is because udev fails to create the device file within 1 second.

The ArchWiki proposes slowing down the disk with a parallel read.
I found another way which is much more stable.


The strace command traps syscalls and dumps their parameters to stderr.
The cstream command lets you limit throughput.
So limiting strace's stderr output with cstream slows down zpool (the |& below is bash syntax that pipes both stdout and stderr).
strace zpool create /dev/sda /dev/sdb tank |& cstream -b 64 -t 2048

If the command is too slow, increase the throughput to 8K or 16K.