Cross compile Shadowsocks-libev for DS116

The shadowsocks-libev package in the entware-ng repo is several versions behind the current release on GitHub. The latest, 2.5.6, comes with fixes and new improvements; the one I like most is the improved attack detection. Since I could not find a ready-made build for DS116, I decided to compile the package myself.

  1. To start with, we need a Linux-based build environment. In the past I built an Ubuntu Server based build VM using Vagrant, and I will continue to use that VM here. Make sure the VM has the build tools installed. On Ubuntu, install build-essential and friends with:
    sudo apt-get install build-essential autoconf libtool
  2. Download the Synology toolchain for DS116 from here. Untar it and copy the extracted files to the VM. Make sure the extracted bin folder is on the execution path; if it is not, add it:
     export PATH=/<toolchain_path>/bin:$PATH
  3. Before we can compile shadowsocks-libev, we need to cross-compile the libraries it depends on. The full sequence of commands follows:
    # zlib
    wget http://zlib.net/zlib-1.2.8.tar.gz
    tar xzvf zlib-1.2.8.tar.gz
    cd zlib-1.2.8
    CC=arm-unknown-linux-gnueabi-gcc CXX=arm-unknown-linux-gnueabi-g++ AR=arm-unknown-linux-gnueabi-ar RANLIB=arm-unknown-linux-gnueabi-ranlib ./configure --prefix=/vagrant/Works/build/zlib
    make && make install
    
    # openssl
    wget https://github.com/openssl/openssl/archive/OpenSSL_1_0_2j.tar.gz
    tar xzvf OpenSSL_1_0_2j.tar.gz
    cd openssl-OpenSSL_1_0_2j
    CC=arm-unknown-linux-gnueabi-gcc CXX=arm-unknown-linux-gnueabi-g++ AR=arm-unknown-linux-gnueabi-ar RANLIB=arm-unknown-linux-gnueabi-ranlib ./Configure no-asm shared --prefix=/vagrant/Works/build/openssl linux-armv4
    make && make install
    
    # pcre
    wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.39.tar.bz2
    tar xjvf pcre-8.39.tar.bz2
    cd pcre-8.39
    CC=arm-unknown-linux-gnueabi-gcc CXX=arm-unknown-linux-gnueabi-g++ AR=arm-unknown-linux-gnueabi-ar RANLIB=arm-unknown-linux-gnueabi-ranlib ./configure --prefix=/vagrant/Works/build/pcre --host=arm-linux-gnueabi 
    make && make install
    
    # shadowsocks
    wget https://github.com/shadowsocks/shadowsocks-libev/archive/v2.5.6.tar.gz
    tar xzvf v2.5.6.tar.gz
    cd shadowsocks-libev-2.5.6
    CC=arm-unknown-linux-gnueabi-gcc CXX=arm-unknown-linux-gnueabi-g++ AR=arm-unknown-linux-gnueabi-ar RANLIB=arm-unknown-linux-gnueabi-ranlib ./configure --disable-ssp --disable-documentation --prefix=/vagrant/Works/build/ss  --host=arm-linux-gnueabi --with-openssl=/vagrant/Works/build/openssl --with-zlib=/vagrant/Works/build/zlib --with-pcre=/vagrant/Works/build/pcre
    make && make install
  4. After the build completes, copy the resulting shadowsocks executables from /vagrant/Works/build/ss/bin to /opt/bin on the DS116, replacing the existing files. Stop the running shadowsocks service before the copy and restart it afterwards, then check the log to verify that everything works. For details on configuring Shadowsocks, please refer to the previous post.
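Before copying the build output to the NAS in step 4, it is worth confirming that the binaries actually target ARM and were not linked by the host compiler (a configure run that silently falls back to the host gcc produces x86 executables that will not run on the DS116). The script below is an added example, not from the original post or the shadowsocks project: it reads the ELF header with od, so it needs neither file nor the toolchain's readelf, and make_fake_elf constructs a header so the check can be exercised without a real build.

```shell
#!/bin/sh
# Added example (not from the post): verify that cross-built binaries target ARM
# before copying them to the DS116. Needs only od, so it runs on the build VM
# or on the NAS itself.

# Print the ELF e_machine field (decimal) of a file, or -1 if it is not an ELF file.
# e_machine is the 16-bit value at offset 18; byte 5 (EI_DATA) gives its byte order.
elf_machine() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    [ "$magic" = "7f454c46" ] || { printf '%s\n' -1; return 0; }
    ei_data=$(od -An -tu1 -j5 -N1 "$1" | tr -d ' ')
    lo=$(od -An -tu1 -j18 -N1 "$1" | tr -d ' ')
    hi=$(od -An -tu1 -j19 -N1 "$1" | tr -d ' ')
    if [ "$ei_data" = "1" ]; then
        echo $((${lo:-0} + ${hi:-0} * 256))   # ELFDATA2LSB: little-endian, as the DS116 toolchain emits
    else
        echo $((${lo:-0} * 256 + ${hi:-0}))   # ELFDATA2MSB: big-endian
    fi
}

# Succeed only if the file is an ELF object for ARM (EM_ARM = 40).
is_arm_elf() {
    [ "$(elf_machine "$1")" = "40" ]
}

# Check the shadowsocks binaries in a build prefix, e.g. /vagrant/Works/build/ss/bin.
# One line per binary; non-zero exit if any is missing or built for the wrong CPU.
check_ss_build() {
    dir=$1; rc=0
    for bin in ss-server ss-local; do
        if [ ! -f "$dir/$bin" ]; then
            echo "MISSING $bin"; rc=1
        elif is_arm_elf "$dir/$bin"; then
            echo "OK      $bin (EM_ARM)"
        else
            echo "WRONG   $bin (e_machine=$(elf_machine "$dir/$bin"))"; rc=1
        fi
    done
    return $rc
}

# Construct a minimal 20-byte ELF header (32-bit, little-endian) with the given
# decimal e_machine (40 = ARM, 62 = x86-64), for exercising the checks above.
make_fake_elf() {
    printf '\177ELF\001\001\001\000\000\000\000\000\000\000\000\000\002\000' > "$1"
    printf "\\$(printf '%03o' "$2")\\000" >> "$1"
}

# Usage on the real build output:
#   check_ss_build /vagrant/Works/build/ss/bin || echo "do not copy these to the NAS"
```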

Resources:

crosstool-ng 1.22.0 and shadowsocks 2.4.5 memo (备忘录)

Running ShadowSocks service on DS116

Shadowsocks is an open-source, lightweight, SOCKS5-based encrypted proxy, commonly used to provide uncensored internet access across the GFW. shadowsocks-libev is a C port of Shadowsocks that aims for higher performance and lower resource requirements than the original Python-based implementation. With a package management bootstrap installed on DS116, installing shadowsocks-libev is an easy task.

  1. Install the shadowsocks-libev via opkg:
    opkg install shadowsocks-libev

    This will install version 2.4.5 of shadowsocks-libev, which is behind the current 2.5.6 release on GitHub.

  2. By default, the installed package runs the client (ss-local) rather than the server, so we need to modify the startup script /opt/etc/init.d/S22shadowsocks:

    PROCS=ss-server
    ARGS="-c /opt/etc/shadowsocks.json -f /opt/var/run/$PROCS.pid"
  3. Now we need to create the configuration file referred to in the last step, /opt/etc/shadowsocks.json:

    {
        "server":"my_server_ip",
        "server_port":8388,
        "local_port":1080,
        "password":"barfoo!",
        "method": "aes-128-cfb",
        "timeout":60
    }

    Please refer to this page for more information on the configuration options.

  4. In the startup script we specified the “-f” option to run ss-server as a daemon; this also makes shadowsocks-libev write its log to syslog. We can define a shadowsocks file inside /usr/local/etc/syslog-ng/patterndb.d/ to get a separate log file for ss-server:
    filter f_ssserver { program(ss-server); };
    destination d_ssserver { file("/opt/var/log/ss-server.log"); };
    log { source(src); filter(f_ssserver); destination(d_ssserver); };
  5. Reload syslog-ng to pick up the change:
    /usr/syno/etc.defaults/rc.sysv/syslog-ng.sh reload
  6. Start the shadowsocks server:
    /opt/etc/init.d/S22shadowsocks start
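Before starting ss-server it is worth linting the configuration file from step 3: the shared secret and cipher it carries are all that stands between the proxy and anyone who can reach the port. The script below is an added example, not from the post or the shadowsocks project; it assumes the one-key-per-line layout shown above and that no jq is available on the NAS, and it only reports findings.

```shell
#!/bin/sh
# Added example (not from the post): lint /opt/etc/shadowsocks.json before starting
# ss-server. Assumes the one-key-per-line layout shown in step 3.

# Pull a string value ("key": "value") or a number ("key": 1234) out of the file.
json_str() { sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$2" | head -n 1; }
json_num() { sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p" "$2" | head -n 1; }

# Cipher names accepted by shadowsocks-libev 2.5.x. The first group is known-weak
# (table is a substitution cipher; RC4, RC2 and DES are broken or 56-bit) and should not be used.
WEAK_METHODS="table rc4 rc4-md5 des-cfb rc2-cfb"
OK_METHODS="aes-128-cfb aes-192-cfb aes-256-cfb bf-cfb camellia-128-cfb camellia-192-cfb camellia-256-cfb cast5-cfb idea-cfb seed-cfb salsa20 chacha20 chacha20-ietf"

in_list() { for w in $2; do [ "$w" = "$1" ] && return 0; done; return 1; }

# Print one "LEVEL: message" line per finding; exit status 1 if any ERROR was found.
check_ss_config() {
    cfg=$1; rc=0
    port=$(json_num server_port "$cfg")
    pass=$(json_str password "$cfg")
    method=$(json_str method "$cfg")
    tmo=$(json_num timeout "$cfg")

    if [ -z "$port" ] || [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "ERROR: server_port missing or out of range"; rc=1
    fi
    if [ -z "$pass" ]; then
        echo "ERROR: password missing"; rc=1
    elif [ "${#pass}" -lt 16 ]; then
        echo "WARN: password is shorter than 16 characters"
    fi
    if in_list "$method" "$WEAK_METHODS"; then
        echo "ERROR: method '$method' is known-weak; use one of: $OK_METHODS"; rc=1
    elif ! in_list "$method" "$OK_METHODS"; then
        echo "ERROR: method '$method' is not a shadowsocks-libev 2.5.x cipher"; rc=1
    fi
    [ -n "$tmo" ] || echo "WARN: timeout not set, ss-server will use its default"
    # The file holds the shared secret, so it should not be readable by other users.
    perms=$(stat -c %a "$cfg" 2>/dev/null) || perms=""
    case "$perms" in
        ""|?00) ;;
        *) echo "WARN: $cfg has mode $perms; consider chmod 600" ;;
    esac
    return $rc
}

# Usage on the NAS:
#   check_ss_config /opt/etc/shadowsocks.json && /opt/etc/init.d/S22shadowsocks start
```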

Then refer to the official site to find and install the right client for your environment. For iOS devices it is a bit tricky to get a good client installed. One alternative is to share the shadowsocks proxy running on a computer with the iOS devices; this approach is discussed here, and in a Chinese version. For iOS there is also a free client, Wingy.

After the initial setup, we can turn on some options such as tcp_fastopen to improve performance:

echo 3 > /proc/sys/net/ipv4/tcp_fastopen

We can put the following in the shadowsocks startup script to apply this automatically when the server starts:

if [ "`cat /proc/sys/net/ipv4/tcp_fastopen`" -eq "0" ]; then
 echo 3 > /proc/sys/net/ipv4/tcp_fastopen
fi

For more optimization options, please refer to this page.

VPN Set Up on Synology DS116

My good old Synology DS107e finally decided to quit after about 10 years of use, so a DS116 was purchased as the replacement.

  1. Set up SSH
    1. From Control Panel -> Applications -> Terminal & SNMP, enable the SSH service.
      This allows connections with a user name and password. To allow access with a user certificate instead, we need to make some changes manually.
    2. Open /etc/ssh/sshd_config and make the appropriate changes.
    3. After the changes have been made, we need to reload sshd. We can do this from DSM by turning the SSH service off and on again.
  2. Set up OpenVPN
    With the new DSM 6.0, it is a lot easier to install and enable OpenVPN. Just do the following:

    1. From the Package Center, install VPN Server.
    2. Run the VPN Server application, then from Settings -> OpenVPN enable OpenVPN. The VPN can then use DS116’s authentication setup to control access. However, to enable client certificate access instead of user name and password, we need to do some customization.
    3. Create your CA, server key and certificate (using EasyRSA, XCA or another certificate management tool). From the DSM management console, Control Panel -> Security -> Certificate, add your own certificates to the DS.
    4. After that is done, select your certificate, choose Configure and assign this certificate to your VPN service.
    5. Now SSH into the DS116, open /usr/syno/etc/packages/VPNCenter/openvpn/openvpn.conf and make the appropriate changes.
    6. Restart the OpenVPN service, either via the DSM OpenVPN interface or from the command line.
  3. Set up 3rd party package sources and a pkg management tool
    DS116 uses a Marvell Armada 385 88F6820 processor, which belongs to the armada38x family and is based on ARMv7. There are several ways to install a package tool on this box. The easiest is an EBI package installation to enable either the optware or the entware repo; a manual approach like this one is the alternative. Since entware is the modern successor of optware and provides a lot more packages than optware-ng, the entware-ng bootstrap via EBI is the obvious choice.

    1. Add the package source https://www.cphub.net in the DSM package center.
    2. Under Community, find Easy Bootstrap Installer and install the package.
    3. Follow the on-screen instructions to complete the installation. At the end of the installation, select entware-ng.
  4. Install OpenConnect VPN
    OpenConnect VPN Server (ocserv) is an SSL-based VPN server compatible with the Cisco AnyConnect VPN protocol. Since it works across the GFW without any extra obfuscation, unlike OpenVPN (which requires a secured proxy such as Shadowsocks to work), it is desirable to get it up and running.

    1. Install ocserv using opkg.
    2. Modify the ocserv.conf file located in /opt/etc/ocserv with the proper settings.
      Hint: it can share the certificate setup with OpenVPN if desired.
    3. Create a file ocserv in /usr/local/etc/syslog-ng/patterndb.d/ with the following to capture the log:
      filter f_ocserv { program(ocserv); };
      destination d_ocserv { file("/opt/var/log/ocserv.log"); };
      log { source(src); filter(f_ocserv); destination(d_ocserv); };
    4. Reload the syslog-ng configuration with:
      /usr/syno/etc.defaults/rc.sysv/syslog-ng.sh reload
    5. If a non-standard port number is used, modify the iptables rules in /opt/etc/init.d/S79ocserv, or comment them out and use NAT instead.

    6. Enable NAT
      iptables -t nat -A POSTROUTING -s 10.8.1.0/24 -o eth0 -j MASQUERADE
    7. Enable IPv4 forwarding by adding the following to /etc/sysctl.conf:
      net.ipv4.ip_forward=1
      Apply the change:

      sysctl -p /etc/sysctl.conf

      Note: this change does not seem to work correctly, and it also breaks the Resource Monitor package. The alternative is to turn on IP forwarding directly with:

      echo 1 > /proc/sys/net/ipv4/ip_forward
    8. Start the server:
      /opt/etc/init.d/S79ocserv start
    9. ocserv actually spawns two processes: a main process named ocserv-main and a worker named ocserv-sm, so the stop action in the script fails to stop both processes with its killall ocserv command. If desired, modify stop() in /opt/etc/init.d/rc.func to kill the ocserv-main process instead.
  5. Running ocserv without OpenVPN
    Once the OpenConnect server is up and running, there is no need to keep both VPN solutions running at the same time, and a performance test seems to suggest that OpenConnect gives a better transfer rate, so we can switch off OpenVPN. However, if OpenVPN is not running, the iptables and tun kernel modules will not be loaded when ocserv starts. We therefore need to add the following to the /opt/etc/init.d/S79ocserv script to check for and load the required modules and do the necessary network setup:

    IPTABLES_MODULE_LIST="/usr/syno/etc/iptables_modules_list"
    BIN_SYNOMODULETOOL="/usr/syno/bin/synomoduletool"
    
    source "${IPTABLES_MODULE_LIST}";
    
    # check on iptables and load NAT rule
    if [ -z "`grep -w ip_tables /proc/modules`" ]; then
     "${BIN_SYNOMODULETOOL}" --insmod "ocserv_nat" ${KERNEL_MODULES_CORE};
     "${BIN_SYNOMODULETOOL}" --insmod "ocserv_nat" ${KERNEL_MODULES_NAT};
     sleep 1;
     iptables -t nat -A POSTROUTING -s 10.8.1.0/24 -o eth0 -j MASQUERADE;
     echo 1 > /proc/sys/net/ipv4/ip_forward
    fi 
    
    # check on tunnel module
    if [ -z "`grep -w tun /proc/modules`" ]; then
     "${BIN_SYNOMODULETOOL}" --insmod "ocserv_nat" ${OPENVPN_MODULES};
     sleep 1
    fi
    
    . /opt/etc/init.d/rc.func
  6. This should keep the ocserv service running correctly after a DS116 reboot.

Resources & References:

https://openvpn.net/index.php/open-source/documentation/howto.html
http://www.synology-forum.de/showthread.html?68335-EBI-Easy-Bootstrap-Installer
http://jexbat.com/2016/NAS-Shadowsocks/
https://www.balabit.com/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/syslog-ng.conf.5.html
https://forum.synology.com/enu/viewtopic.php?t=116126
http://blog.centurio.net/2014/12/23/how-to-use-client-certificates-with-synology-vpn-server-and-openvpn/

Install openvpn server on DS107e

DS107e needs to have ipkg and the bootstrap installed; if not, please refer to this guide. Then use ipkg to install the openvpn package:

ipkg install openvpn

Once this has been done, refer to OpenVPN’s howto guide to set up the openvpn configuration.

Please note that easy-rsa is a separate download, and it can be downloaded and run on a local machine rather than on the DS107e. An easy Windows-based guide on using easy-rsa to prepare the keys and certificates can be found here.

Transfer the generated server keys and certificates to the DS107e, for example to /opt/etc/openvpn/keys/, and make all the keys private:

chmod 600 *.key

Modify /opt/etc/openvpn/openvpn.conf to reflect your server configuration. It should look something like the following:

port 1194
proto udp
dev tun
ca /opt/etc/openvpn/keys/ca.crt
cert /opt/etc/openvpn/keys/server.crt
key /opt/etc/openvpn/keys/server.key 
dh /opt/etc/openvpn/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
status /opt/var/log/openvpn/openvpn-status.log
log /opt/var/log/openvpn/openvpn.log
verb 3

Enable push redirect, route, DNS etc. if you want your VPN clients to access your network resources and to use your network for internet access instead of the client’s local network.

Comment out the return 0 line in the following script, then run it to start the VPN:

/opt/etc/init.d/S20openvpn

Tail openvpn.log to check whether OpenVPN started correctly. If it did, the log should show the following line:

Initialization Sequence Completed

Now the basic VPN server setup is complete. We also need to set up port forwarding on the router so that public traffic to your VPN port 1194 is forwarded to your VPN server’s IP, and the VPN service can be used from the WAN.

If we want VPN clients to access local network resources, or to use the local network for internet access, we need to set up either routing rules or a bridge between the VPN interface tun0 and the Ethernet port eth0.

If your router supports static routing rules, set up a rule that directs all traffic for your VPN subnet to your VPN server’s IP address.

However, if your router doesn’t support static routing, we need to set up either a bridge or NAT on the DS107e. Unfortunately, the DS107e doesn’t include the kernel bridge modules (bridge.ko and stp.ko), so the bridge option is out of the question too.

The DS107e ships with iptables 1.4.2, which lacks some of the components we need for NAT in the VPN routing. So we need to install a newer, extended version:

ipkg install iptables

Now, load the iptables kernel modules:

insmod /lib/modules/ip_tables.o
insmod /lib/modules/iptable_filter.o
insmod /lib/modules/ip_conntrack.o
insmod /lib/modules/iptable_nat.o

Since MASQUERADE doesn’t work, we can’t use the following command to set up the NAT rule:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

Instead we have to use SNAT to create the iptables rule that NATs the traffic:

iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <DS107e static IP>

We need to save the iptables rules so they are loaded again when the NAS reboots:

/usr/syno/bin/firewalltool -dump_rules /etc firewall_rules.dump

We are done! Test this out and verify everything works as expected.

Install ipkg on Synology DS107e

I have an outdated but still going strong Synology DS107e NAS in my home network. It runs Synology’s DSM 3.1, a stripped-down Busybox Linux. Unfortunately, this version of DSM has removed the ipkg package management tools, so in order to install any 3rd party tools or extend the box’s functionality, we have to install ipkg.

First, we have to enable SSH on the NAS. This is easily done via DSM’s web interface: Control Panel -> Terminal -> Enable SSH service.

Next, log in to the NAS via SSH and run the following commands:

cd /tmp
wget http://ipkg.nslu2-linux.org/feeds/optware/ds101g/cross/stable/ds101-bootstrap_1.0-4_powerpc.xsh
chmod +x ds101-bootstrap_1.0-4_powerpc.xsh
./ds101-bootstrap_1.0-4_powerpc.xsh

This script runs successfully and sets up ipkg, openssl etc. under /opt, but it fails at the end on wget-ssl with an error complaining about a missing libidn package. As a result, ipkg will not work correctly: it falls back to DSM’s wget to retrieve packages, which cannot write the result to the location ipkg expects, so ipkg fails to find the downloaded packages and install them.

The solution is to install the wget package manually and also fix the root user’s PATH so that commands from /opt/bin and /opt/sbin are found first. First, we fix the wget-ssl install issue:

cd /tmp/bootstrap
wget http://ipkg.nslu2-linux.org/feeds/optware/ds101g/cross/stable/wget_1.12-2_powerpc.ipk
ipkg install wget_1.12-2_powerpc.ipk 
ipkg update

ipkg install libidn
ipkg remove wget
ipkg install wget-ssl.ipk
ipkg update

This should fix the wget issue and make ipkg work correctly. Now we need to make the root login use the correct PATH order:

vi /root/.profile

and change the PATH to look like below:

# /opt first, so the ipkg-installed wget is found before DSM's own; no trailing ':' (an empty entry would put the current directory on the PATH)
PATH="/opt/bin:/opt/sbin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/syno/bin:/usr/syno/sbin:/usr/local/bin:/usr/local/sbin:$PATH"

Now we are done; ipkg is installed on the NAS, and we can use it to install 3rd party packages such as openssh, bash, vim and openvpn.

Install a SSL certificate to AWS Elastic Beanstalk

I recently came across a need to secure an AWS Elastic Beanstalk site for a product we developed. After searching online and in the AWS documentation, it seemed that all the available resources and solutions do this via the command line. Being lazy, and for a challenge, I decided to try a different approach: doing it graphically via a GUI tool and the AWS web console.

To start with, download the nice graphical tool XCA, which provides a GUI over openssl. Then run through the normal process (basically moving from one tab to the next in this program):
1. Click on “new key” to generate your private key
2. On the “Certificate signing requests” tab, click on “new request” to generate the CSR (and of course fill out the usual information)
3. Export the CSR and get it signed by your CA provider
4. Import the signed certificate back into XCA, along with your CA’s signing certificates, under the “Certificates” tab
5. Now export your private key and certificate chain as PEM format files. We are going to need them later

To install your signed certificate, follow these steps:
1. Log in to the AWS EC2 console: https://console.aws.amazon.com/ec2
2. From “Load Balancers” find the instance for your Beanstalk site and select it
3. From the detail tabs, select the “Listeners” tab, then click on the Edit button
4. Create a new HTTPS listener if it is not created yet, then click on “Change” under SSL Certificate
5. Choose “Upload a new SSL Certificate” and fill out the form from your exported certificate (open your PEM file in a text editor, then copy and paste the content into this form)
6. Click on the “Save” button; if you have done it right, this uploads the SSL certificate to AWS and creates the HTTPS listener for you
7. You might also want to double-check, under your security tab, whether the security group in use has an inbound rule for HTTPS as well
8. Now switch from the AWS EC2 console to the Elastic Beanstalk management console, then select your Beanstalk instance configuration
9. Under Network Tier, select to configure your Load Balancer
10. Choose HTTPS, port 443 and the uploaded SSL certificate, then save and wait for it to take effect

You might also want to disable HTTP access once HTTPS access has been verified.

That is all you need to do to set this up without running a single command from openssl or AWS command tool!