internet


Back to OpenWrt  

Some years ago, my network provider (O2 – Spain) installed a router for me (Mitrastar HGU GPT-2541GNAC) with much better specs than my old OpenWrt router (TP-Link TL-WDR4300). So, I ditched OpenWrt and started using the company’s router.

But the Mitrastar needed to be factory reset every 6 months because it had some problems with the DHCP in my network. Recently, I offloaded the DHCP to an OrangePi 3B, but now my home network was relying too much on the availability of this device. Also, the Mitrastar is starting to show its age without features like WiFi 6…

A couple of weeks ago I found on Aliexpress a new Xiaomi AX3000T router. It has an amazing set of specs:

  • 2 ARMv8 cores @ 1.3GHz (MediaTek MT7981B)
  • 128 MB ROM
  • 256 MB RAM
  • WiFi 6 (AX) in the 2.4 GHz and 5 GHz bands

And it’s compatible with the lastest snapshot of OpenWrt:

https://openwrt.org/inbox/toh/xiaomi/ax3000t

I was able to get it during the AliExpress ChoiceDay (this happens the first days of each month) for 26 EUR (including a 4 EUR coupon).

When it arrived, I found it a bit smaller than what I expected, and I liked its minimalist look. It has only one button for WPS (+ the reset pinhole), and one LED in the front panel (i.e. it does not have LEDs on the ethernet ports).

Everything was in Chinese, but it’s easy to read it using the Google Translate camera, only for the steps necessary to set up OpenWrt. I did a simple installation without the U-Boot boot loader.

So, I put again an OpenWrt router back in my home network moving the DHCP and WireGuard services to the router. I had forgotten the beauty and simplicity of OpenWrt.

I also tested adblock-lean and it works quite well on the router with big lists like https://oisd.nl/: It’s able to manage the 660K domains of both oisd big and osid nsfw lists. But at the moment I’ll continue using the Pi-hole on the OrangePi. I still need the OrangePi to run Home Assistant and the NAS.


WireGuard

I always used OpenVPN in my servers, but now WireGuard is a better option:

https://www.wireguard.com/

  • It’s simpler
  • It’s more efficient
  • It’s faster
  • It uses modern cryptography algorithms

I’m using it to remotely access private services in my home server. I setup a star topology, where all the VPN clients connect to the home server and they can only see the server.

So I need a dynamic DNS and an open port in the router, I already have them for Home Assistant.

Eloy Coto recommended Tailscale, it is an amazing mesh VPN based in WireGuard. It’s much simpler to set up, and you do not need to open public ports, but it’s commercial and a bit overkill for my needs.

Generating the WireGuard configurations

The most tedious part of WireGuard is to generate the configurations, but there are some nice tools to ease that, like:

https://www.wireguardconfig.com/

The tool generates the configuration for the server and for the requested number of clients. It does everything in the frontend, so it is not leaking the VPN keys.

As I’m only acessing the server, I have removed the IP forwarding options in the Post-Up and Post-Down rules.

Installing and configuring the WireGuard server

WireGuard is in the official Ubuntu repos, so to install it in the server it’s enough to do:

sudo apt install wireguard

Then I needed to put the config in the /etc/wireguard/wg0.conf file and do:

sudo systemctl enable wg-quick@wg0.service
sudo systemctl start wg-quick@wg0.service

Installing and configuring the clients

WireGuard has clients for almost any OS:

https://www.wireguard.com/install/

To setup the client in the phones, the WireGuard Config web tool generates QR codes. In other devices you’ll need to create a file with it or paste the config contents.

Using Pi-hole from the VPN clients

To use the Pi-hole hosted in the same VPN server from the VPN clients, you can specify a DNS property in the client config, i.e. if the server is 100.100.1.1 and the client is 100.100.1.2:

[Interface]
PrivateKey = <client-private-key>
Address = 100.100.1.2/32
DNS = 100.100.1.1

[Peer]
PublicKey = <server-public-key>
PresharedKey = <preshared-key>
Endpoint = <my-home-server>:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25

Every time that you connect the VPN, the DNS server in the client changes to 100.100.1.1 and it is reverted to the previous DNS server when the VPN is disconnected.

Additionally, Pi-hole needs to be listening in the wg0 interface, I explained how to make Pi-hole listen on multiple interfaces in the Pi-hole post.


Opening Home Assistant to Internet

To make Google Assistant work with your Home Assistant, you need to provide a public URL with HTTPS access to HA. Here are the full instructions:

https://www.home-assistant.io/integrations/google_assistant/

But something that seems trivial, like publicly accessing services in your home server, has some complications, and you usually need to worry about dynamic IPs and security.

What do we need:

  • An ISP not using CG-NAT
  • Redirect ports in the router
  • A dynamic DNS provider and a client to update the IP (or a static IP)
  • An SSL certificate to securely access the HTTP services

ISP providers with CG-NAT

Some ISPs use CG-NAT (Carrier-Grade NAT), sharing the same IPv4 among multiple customers. In that case the only way to expose your services is using reverse proxy services such as ngrok.

Ngrok allows you to generate one static domain and it also automatically generates a SSL certificate, so most steps in this post do not apply.

My ISP (O2 Spain) assigns me a dynamic IP, and I prefer to not rely on these reverse proxy services, so I remotely access my home server redirecting ports in the router.

Dynamic DNS provider

Usually, and unless you have a static IP service (not very common, and not available in my ISP), you need to setup a dynamic DNS service.

I have been using the free Now-DNS service for years:

https://now-dns.com/

And to update the IP in my home server, I setup ddclient with this /etc/ddclient.conf file:

ssl=yes
protocol=dyndns2
daemon=60
mail=root                               # mail all msgs to root
mail-failure=root                       # mail failed update msgs to root
pid=/var/run/ddclient.pid               # record PID in file.
use=web, web=now-dns.com/ip             # get ip from server.
server=now-dns.com                      # default server
login=<your-login>
password=<your-password>
server=now-dns.com,<your-dynamic-domain>

Some of these dynamic DNS domains are blocked in the Pi-hole blocking lists, so, if you are using Pi-hole or other DNS blocking service, you’ll probably need to whitelist your domain.

SSL certificate

With the amazing Certbot you can obtain free SSL certificates:

https://certbot.eff.org/

There is extensive documentation in the Certbot site about how to use it. I simply install certbot from apt and do a:

certbot certonly --webroot -w /var/www/html/ -d <your-dynamic-domain> --email <my-email> --non-interactive --agree-tos

But in order to make that work, you need a domain name (available from the dynamic DNS provider in the previous section).

HTTP Server

And to verify that the domain points to your server, Certbot is going to do an HTTP request to that domain, so you also need to have an HTTP server in the port 80 and open the port 80 in the router. This is also needed for the certificate renewals.

You may encounter numerous attacks on this port, so it is crucial to have a reliable web server that is consistently updated and properly configured. I personally use nginx as my HTTP server, and it has never failed me so far.

Home Assistant

To use the SSL certificate from the HA container, we need to share the folder where certificates are stored passing a “-v /etc/letsencrypt:/etc/letsencrypt” to the docker command and setting in the HA configuration.yaml:

http:
  ssl_certificate: /etc/letsencrypt/live/<your-dynamic-domain>/fullchain.pem
  ssl_key: /etc/letsencrypt/live/<your-dynamic-domain>/privkey.pem

You can also use your public HA URL to remotely access it and to configure in the HA Android application.


Pi-hole as home DNS and DHCP server

I encountered numerous issues with my network provider’s router DHCP. Since I haven’t yet decided to acquire another router, I opted to offload the DHCP server to another machine, which is currently running my Home Assistant and NAS.

I was in search of a DHCP server with a web UI. During my exploration, I came across Pi-hole, a DNS server specifically designed to block DNS queries to domains that serve ads and do tracking. Interestingly, Pi-hole also incorporates an integrated DHCP server (dnsmasqd) that can be configured through its admin UI.

https://pi-hole.net/

I presume the integration of the DHCP server aimed to simplify the setup of clients’ DNS servers, yet it proves highly convenient for home networks. And forget about the “Pi” in the name, it can be run in any linux server, not necessarily in a Raspberry Pi.

I’m still an addict to running everything in Docker containers. So I set up the Docker Pi-hole container (https://github.com/pi-hole/docker-pi-hole) using this script localed at /usr/local/pihole/docker.sh:

#!/bin/bash 
cd $(dirname $(readlink -f $0))
docker stop pihole
docker rm pihole
docker pull pihole/pihole:latest
docker run -d \
	--name pihole \
	--privileged \
	--restart=unless-stopped \
	--network=host \
	-e TZ=Europe/Madrid \
        -e FTLCONF_LOCAL_IPV4=192.168.1.2 \
        -e WEB_PORT=8081 \
	-e WEBPASSWORD=admin \
	-e INTERFACE=eth0 \
	-e DNSMASQ_USER=root \
	-v ./etc-pihole:/etc/pihole \
	-v ./etc-dnsmasq.d:/etc/dnsmasq.d \
	--cap-add=NET_ADMIN \
	pihole/pihole:latest
docker image prune --all
  • Every time that you run the script, it updates the container with the last Pi-hole version
  • It didn’t work without setting FTLCONF_LOCAL_IPV4 to the local IP
  • I needed to set up WEB_PORT to not override with the nginx running in that machine (for Certbot)
  • Setting WEBPASSWORD is the easiest way to initially setup an admin password
  • I couldn’t make the DHCP server work with port mappings, it needed a –network=host
  • There is an image prune at the end to save space by removing old docker images

I also had some problems because Ubunt’s systemd-resolved includes a DNS server, and I needed to disable it:

https://askubuntu.com/questions/907246/how-to-disable-systemd-resolved-in-ubuntu

And of course, you need to disable also the DHCP server on the router, it’s a very bad idea to have two DHCP servers working in the same network…

It is now functioning smoothly, and the included ad-blocking feature is a definite plus. Although it doesn’t currently block ads on YouTube and Twitch, its still great.

I’m also using it in my phone with a Wireguard VPN (it maybe a topic for another post). To make it listen in multiple interfaces like in the local and the VPN interfaces, I needed to create a /usr/local/pihole/etc-dnsmasq.d/99-interfaces.conf adding there:

interface=lo
interface=wg0

Another similar alternative worth exploring is AdGuard Home, but I haven’t had the time to test it yet:

https://adguard.com/en/adguard-home/overview.html


Filmon: Free IPTV service

filmon

IPTV is in a great momentum. In Spain we saw the rise of a lot of platforms: Yomvi, MovistarTV, OrangeTV, Nubeox… mainly paid platforms, but I am only interested in channels in English and Filmon is a great (and legal) option to watch some of them for free.

Filmon offers more than 600 live channels. There are lots of crap, but others are quite interesting:

  • UK TV channels: BBC One, BBC Two, BBC Three, BBC News, ITV1, ITV2, ITV3, ITV4…
  • News channels: Al Jazeera, Bloomberg, Euronews, France24, Russia Today…

Filmon is free for SD resolution, if you want to watch it in HD and access to program recording you must pay a 15€/month fee.

You can can watch Filmon directly from their web page http://filmon.tv, or from their Android and iOS apps.

There is also an unofficial Kodi plugin (previously called XBMC) at SuperRepo.


JavaScript as a Runtime

The future is here, and JavaScript (JS) is everywhere, but JS development is so hard that many people prefer to develop in other languages and then compile their code to JS, using JS as a universal runtime. Here are the most interesting options:

GWT

GWT stand for Google Web Toolkit, but now it’s in hands of the community and extensively used in many corporations. GWT compiles Java into JS and it’s strongly optimized. I use it a lot, and I feel very productive using an advanced IDE like Eclipse with tools like code assist, refactor, etc.

https://developers.google.com/web-toolkit/

CoffeeScript

A very compact language, inspired by Ruby and Python and that has become extremely popular in the last years. I’m not very familiar with the “Syntactic sugar” and I’m more productive with traditional languages (yes, I love curly backets! {}).

http://coffeescript.org/

Haxe

If you are an ActionScript developer (Adobe Flash), this is your language. It not only compiles to JS and ActionScript, also to PHP, C++, C#, etc. It’s becoming popular for the development of multi-platform mobile games with NME.

http://www.haxe.org/

Dart

This is a new language for the web pushed by Google. It tries to be a “modern and structured” language for the web that can be run directly into the browser, but to retain compatibility (and to run in other browsers that publicly rejected Dart), it can also be compiled to JS.

http://www.dartlang.org/

List of languages that compile to Js: http://altjs.org/


Google DevFest 2011 BCN

This week I assisted to the Google DevFest 2011 Barcelona. This year it was celebrated on a great “garage” located on an industrial area of Barcelona. I will tell the more interesting things that I found on the different sessions:

NEW IN HTML

As usual, this session presented by Paul Kinlan showed us the future of HTML5. I love the x-webkit-speech Chrome feature to make voice inputs that we already could see on the Madrid DevFest 2010. Paul made also some demos of WebIntents  a great idea to make something similar to Android intents on the web. Finally we could see that HTML5 is advancing very fast trying to implement many APIS that will make Flash obsolete, like window.navigator.getUserMedia() ot the Web Audio API.

GLSL

This session was presented by Mr. doob aka. Ricardo Cabello, a guy from the demoscene. He made a introduction of how 3D works in the browser and showed us how to use the GLSL language to make great effects on web pages. He has those GLSL demos on his blog.

GOOGLE+ SESSIONS

There were two Google+ sessions driven by Ade Oshineye, one presenting the new social network (also announcing the Google+ Pages) and other with more technical details for developers. One thing that you can do easily is adding the +1 button to your site. Other very interesting tools that we could see were the Google APIs Console and the Google APIs Explorer.

ANDROID SESSIONS

Bruno Oliveira is replacing Reto Meier as our “Android Developer Relations”.  On the first session he made a great review of the Android platform evolution since 2.1 to 4.0. On the second session he gave us great tips to improve UX experience on Android. This guy is a showman!

MAKING A BUSSINESS OUT OF APPS

This session was presented by Paul Kinlan and Bruno Oliveira, showing us that monetization tips are valid for both web and Android apps: Lazy registration, try before you buy, easy payment, in-app payments… Bruno also presented the new multilingual “Guide to the App Galaxy” http://www.guidetotheappgalaxy.com/.

GOOGLE SHOPPING API

Daniel Hermes showed us the Google Shopping API and many integration samples.

CHROME DEV TOOLS

Finally Sam Dutton made a review of the Google Chrome development tools. This tools replaced my FireBug many years ago! He also made his slides available.

APP COMPETITION

This year Google also organized and Appcircus-style app competition. Those were the apps and sites presented:

I won the app competition, but all were great apps. Our presentation and some photos of the app competition are available at our Mobialia Blog.


MythTV vs XBMC vs Blusens WebTV

I used for many years MythTV and XBMC, and as now I own a Blusens WebTV, I will do a feature comparation between this three media centers. I will rate some features from one star (*) to five stars (*****) based on my personal opinion.

MythTV XMBC Blusens WebTV
Movie library w/covers and info no yes no (but there is an app to build an HTML interface to your movie library)
Music library w/ covers, artists, genres… no yes no
TV tuner yes no yes (there is a cheaper LITE version without tuner)
PVR & time-shift yes no yes (no on LITE version)
TV and radio streaming  to other computers yes no yes (but TS streams, needs a low of BW, probably will not work over your WiFi)
Transcoding (converting between audio/video formats) yes (on records and streams!) no no
Web interface **** **** ****
Interface design **** (skinnable) ***** (skinnable and has great themes like Aeon, MediaStream…) *** (not skinnable)
Installable apps QT plugins (no app store, needs manual install) Python HTML & Javascript, Webkit powered
Killer apps Emulators (MythGame) Netflix (not on Spain), Emulators (with some work on the Launcher plugin), IMDB queries… Online Films and Serials from cinetube.es, peliculasyonkis.com…
Web browsing ** no **** (Webkit , no Adobe Flash, identified like an iPad)
Ease of setup * *** (if installing on a PC, if you buy a Boxee will be *****) *****
Ease of use **** **** ****
Android remote app *** ***** (shows movie & music library on the mobile) ***
Price of packaged solution No packaged solution 200€ (Boxee) 150€
Web http://mythtv.org http://xbmc.org, http://boxee.tv http://blusens.com

Now I’m using the Blusens WebTV because it’s a silent and small device (much more than my old PC running MythTV/XBMC). I solved the emulators part (that I had working on XBMC) with some Wii homebrew…


My Firefox 4 setup

After two weeks since the  Firefox 4 (FF4)  release, I decided to switch back again to Firefox from Google’s Chrome. But I miss Chrome a lot, so I configured FF4 almost like a Chrome… ¿how? using those themes and plugins:

  • FXChrome Theme: this theme claims to work only on Windows, but I’m using it on Linux without any problem
  • Movable Firefox Button: Converts the FF4 menu to a button that you can place on your navigation tab (to the right, like on Chrome)
  • Omnibar: Joins the address box and the search box in only one box
  • Titlebar Tweaker Plus: Hides title bar on Linux, on Windows you can use better options like “Hide Caption Titlebar Plus”, but on FF4 this last doesn’t work on Linux
  • Close Button: Without the title bar, I need a button to close FF4, I put it to the right of the tabs, (If using the  “Hide Caption Titlebar Plus” you don’t need this)
  • Barlesque: the new FF4 addon bar occupies all the window bottom, this extension collapses this bar on the bottom right (configurable), having much more space for browsing

And I also recommend this plugins:

  • AdBlock Plus: Removes ads from web pages
  • Speed Dial: Shows your favourite site on dials like Opera
  • FaviconizeTab: Adds a contextual menu on tabs to show only the favicon instead of the title on the tabs
  • Download Statusbar: Shows the downloads on the status bar
  • Echofon: a small twitter client, I miss the TweetDeck Chome app, but it seems that soon will be avaiable for FF4
  • Cutyfox URL Shortener: I use it to fast-shorten URLs with bit.ly
  • DownloadHelper: to download videos from Youtube and a lot of video sites
  • User Agent Switcher: some apps (Ok, JDEdwards) need to change the User-Agent header to work properly, also a good tool to test mobile web browsing

That’s the result:


Google DevFest 2010

As many of you know, this year I’m involved on Android with my project Mobialia. On February I was on the Android Developer Lab at Madrid and today I returned for the Google DevFest.

The event started with Dave Burke presenting Google Technologies in general. Many jokes about the iPhone (to show the Chrome2Phone extension he send a page about iPhone unlocking from Chrome to a Nexus One). He made the typical Sunspider Javascript Test comparation between a Nexus One with Froyo and an iPad. It also was quite impressive so see GWT Quake2 Port running on Chrome at 50 FPS and the new voice/camera input fields on HTML5.

Then the sessions where split on two lines, I assisted to the Android, Chrome&HTML5 and Maps related.

Our beloved Reto Meier was speaking at the Android Sessions, much more technical than on February’s Android Developer Lab (good!). On his first session he made a great presentation about good and bad practices developing Android Apps (I suggest every android developer to see it!), on the second he speaked in detail about Cloud to Device Messaging and vice-versa. He gave me lots of app ideas using this feature. Finally he swowed us proudly his new Samsung Galaxy Tab and encouraged us to adapt our applications to the new tablet devices. I even had to buy myself one after hearing how amazing it was. Luckily, I was able to find some pretty good deals online (more right here).

There were also very short presentations of spanish app developers (eAdventure, LibreGeoSocial, Inmobilia, Sicad and great the one of AnderWeb!).

Next, Paul Kinlan speaked about Chrome Apps and Extensions, the App Store and HTML5 on detail. I’m also very happy to see the progression of HTML5 and how Chrome is leaveraging the innovation towards a better web. Quite funny to see a modified Pacman Doodle controlled with the acceleromers of the iBook. There was also a presentation of Fiabee showing their HTML5 app and Chrome extension.

On the last sessions with Josh Livni talking about maps and presenting the Google Maps API v3, I was very impressed with maps customization, Fusion Tables and the new Google Street view API possibiliting the creation of 360º photos and adding them on specific locations (as inside a bar!).

All the sessions where recorded on video and will be avaiable at the Google DevFest Madrid web site.