Category: Network

Wireguard VPN to my home network

I recently upgraded (or downgraded?) my home wifi router to an eero device.

The form factor of the router is great, very small, but for wired ethernet devices it requires separate switches.

Previous routers had OpenVPN built in, which allowed me to get into my home network if I were on the road for work or just away from home in general. Helpful to keep my Plex library going if I’m away from home. Happy Wife, Happy Life and all that 😉

Anyway, the eero does not have a VPN option. There is a paid feature in the iPhone app for VPN, however it does not allow you to create a VPN connection to your home network, just a VPN on your mobile device for accessing the internet. I already have a PIA VPN account that’s paid for several years, so I don’t need the eero one (or the extra $99 a year).

My home network is all running Fedora Linux. Instead of Docker, Fedora uses podman.

Asking around for recommendations, WireGuard was typically the answer to ‘what home VPN do I need’, so I started with WireGuard.

I ran it inside a container, starting from the syntax here. Replacing ‘docker’ with ‘podman’, the first time around the container logs threw an iptables error:

iptables v1.8.10 (legacy): can't initialize iptables table `filter': Permission denied (you must be root)

This led me to GitHub and to this tweak. I’ve got firewalld disabled, and the ip_tables module WireGuard uses was not loaded. I created the file /etc/modules-load.d/iptable_raw.conf, rebooted, and confirmed with lsmod that it was loaded:

$ sudo lsmod |grep iptable
iptable_nat 12288 1
iptable_filter 12288 1
nf_nat 65536 4 xt_nat,nft_chain_nat,iptable_nat,xt_MASQUERADE
iptable_raw 12288 0
ip_tables 28672 3 iptable_filter,iptable_raw,iptable_nat

Still getting the ‘Permission denied’ error after restarting the container. The final answer here was to add ‘--privileged’ to my podman command, and bingo, VPN.

My final ‘docker run’ command:

$ cat run
# remove any previous instance, then start the linuxserver WireGuard image
sudo podman rm -f wireguard
sudo podman run -d \
--name=wireguard --privileged `#needed to get past the iptables permission error` \
--cap-add=NET_ADMIN \
--cap-add=SYS_MODULE \
-e PUID=1000 \
-e PGID=1000 \
-e TZ=Etc/UTC \
-e PEERS=1 `#optional` \
-e PEERDNS=auto `#optional` \
-e INTERNAL_SUBNET=10.13.13.0 \
-e ALLOWEDIPS=0.0.0.0/0 `#full tunnel: all phone traffic goes through home` \
-e LOG_CONFS=true \
-p 51820:51820/udp \
-v /local/docker_data/wireguard/config:/config \
-v /lib/modules:/lib/modules \
--sysctl="net.ipv4.conf.all.src_valid_mark=1" \
--restart unless-stopped \
lscr.io/linuxserver/wireguard:latest

I loaded the WireGuard app onto my iPhone and used it to scan in the QR code generated by the container (accessible via ‘podman logs -f wireguard’). I am behind an ATT router which blocks many incoming ports, but I was able to find an open port. From the ATT router, I port forwarded that port to the eero, and then in the eero app I could create a port forward to my Fedora container machine and the default WireGuard port ‘51820’.

Finally, I modified the entry in the WireGuard app with the open ATT port and saved it. I dropped my iPhone off wifi, hit connect in the WireGuard app and, bingo, via Terminus (an ssh app on the iPhone) I could connect to my internal machines. I checked with LunaSea, which I use to access my other home entertainment containers, and that also let me connect via WireGuard without wifi.
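As an added example (not part of the original post or the linuxserver image), here is a small Python check for the phone-side peer config the container writes: it confirms the Endpoint port matches the port you forwarded on the ATT router and reports whether ALLOWEDIPS=0.0.0.0/0 made it a full tunnel. The sample config uses placeholder keys, and the hostname home.example is an assumption.

```python
import configparser
import ipaddress

# Constructed sample in the layout the container writes to /config/peer1/peer1.conf;
# the keys are placeholders and home.example is an assumed dynamic DNS name.
SAMPLE_PEER_CONF = """\
[Interface]
Address = 10.13.13.2
PrivateKey = <placeholder-private-key>
ListenPort = 51820
DNS = 10.13.13.1

[Peer]
PublicKey = <placeholder-server-public-key>
PresharedKey = <placeholder-preshared-key>
Endpoint = home.example:51820
AllowedIPs = 0.0.0.0/0
"""


def parse_wg_conf(text):
    """Parse a WireGuard .conf (INI-style) into {section: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case, e.g. AllowedIPs
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}


def review_peer_conf(text, forwarded_port, lan_subnet="10.13.13.0/24"):
    """Report how the phone-side config lines up with the port forward and tunnel scope."""
    peer = parse_wg_conf(text)["Peer"]
    _host, _, port = peer["Endpoint"].rpartition(":")
    allowed = [ipaddress.ip_network(n.strip()) for n in peer["AllowedIPs"].split(",")]
    lan = ipaddress.ip_network(lan_subnet)
    return {
        # The app entry must carry the externally open port, not necessarily 51820.
        "endpoint_port": int(port),
        "port_matches_forward": int(port) == forwarded_port,
        # 0.0.0.0/0 (or ::/0) sends all phone traffic through the home connection.
        "full_tunnel": any(n.prefixlen == 0 for n in allowed),
        # Whether the VPN/LAN subnet is routed into the tunnel at all.
        "lan_reachable": any(n.version == lan.version and lan.subnet_of(n) for n in allowed),
        # Behind NAT an idle tunnel can be dropped; 0 means no keepalive set.
        "keepalive": int(peer.get("PersistentKeepalive", 0)),
    }
```

Run review_peer_conf on the peer conf with the port you actually opened on the ATT router; a mismatch there is the usual reason the phone never completes a handshake.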


Using your iTunes xml file with Linux PlexMediaServer

My home network setup consists of a Linux box (running Linux Mint), a “Hackintosh” (an HP Compaq 6000 Pro small form factor PC running macOS Sierra), a Mac mini (macOS Sierra, also hacked to install on a 2009 Mac mini), and a laptop running RHEL6. I also have a 2-disk Buffalo NAS and a 2-disk Lenovo NAS with a 4-bay SATA enclosure with 2x2TB disks hanging off it.

My Linux server runs several different background services for my primary source of streaming video to my Roku; these consist of sabnzbd+, sonarr, and plexmediaserver. On my Buffalo NAS I have almost 18000 mp3s, which are mounted as /Volumes/Music and added to my iTunes library on the Mac mini. This same NAS share is mounted as /Music on the Linux Mint machine.

Here’s how I got them into the iTunes channel in plex.

  1. First you need to set the option in iTunes to share its library via an XML file.
  2. This will put a file called iTunes Music Library.xml in your “Music” folder.
  3. Via cron or similar, set up a process to copy this file over to the /Music share on the Linux server and post-process it to change the Location tag: /Volumes/Music/Music needs to become just /Music/Music:
    # scp mini2:Music/iTunes*.xml /Music/itunes_temp.xml
    # sed 's%/Volumes%%' /Music/itunes_temp.xml > /Music/iTunes\ Music\ Library.xml
  4. In the server settings for Plex Media Server, there is an option under Server -> Channels (click “Advanced”) to enable the iTunes channel. Enter /Music/iTunes Music Library.xml in the box.
  5. Restart plexmediaserver:
    # sudo systemctl restart plexmediaserver.service
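As an added Python version of step 3 (not the post’s own sed one-liner), this rewrites only the Music Folder and per-track Location URLs in the plist, so a track whose name happens to contain ‘/Volumes’ is not altered the way a whole-file substitution would alter it. The XML fragment is constructed; a real library carries many more keys.

```python
import plistlib

# Constructed fragment of an "iTunes Music Library.xml"; real files carry many more keys.
SAMPLE_LIBRARY_XML = b"""<plist version="1.0">
<dict>
  <key>Music Folder</key><string>file:///Volumes/Music/Music/</string>
  <key>Tracks</key>
  <dict>
    <key>1001</key>
    <dict>
      <key>Name</key><string>Live at /Volumes</string>
      <key>Location</key><string>file:///Volumes/Music/Music/Artist/01%20Song.mp3</string>
    </dict>
  </dict>
</dict>
</plist>
"""
OLD_PREFIX = "file:///Volumes/Music"  # the NAS share as the mac mini sees it
NEW_PREFIX = "file:///Music"          # the same share as mounted on Linux Mint


def rewrite_locations(xml_bytes, old_prefix=OLD_PREFIX, new_prefix=NEW_PREFIX):
    """Return (rewritten plist bytes, count of URLs changed).
    Only 'Music Folder' and per-track 'Location' are touched, so a track name
    containing '/Volumes' survives where the whole-file sed would clobber it."""
    lib = plistlib.loads(xml_bytes)
    changed = 0

    def fix(url):
        nonlocal changed
        if url.startswith(old_prefix):
            changed += 1
            return new_prefix + url[len(old_prefix):]
        return url  # already rewritten or on another volume: leave alone

    if "Music Folder" in lib:
        lib["Music Folder"] = fix(lib["Music Folder"])
    for track in lib.get("Tracks", {}).values():
        if "Location" in track:
            track["Location"] = fix(track["Location"])
    return plistlib.dumps(lib), changed


def path_urls(xml_bytes):
    """Music Folder URL followed by every track Location, for checking the result."""
    lib = plistlib.loads(xml_bytes)
    urls = [lib["Music Folder"]] if "Music Folder" in lib else []
    urls += [t["Location"] for t in lib.get("Tracks", {}).values() if "Location" in t]
    return urls
```

Running it a second time over its own output changes nothing, so it is safe to leave in the cron job that copies the file across.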

Enjoy your iTunes music in Plex. Now just to figure out how to get Alexa to play it back 🙂


Using gvfs to access remote servers via FTP/SFTP

Using the Gnome virtual file system (gvfs) packages allows us to access remote servers from the Linux userspace GUI environment via FTP/Obex/SSH/WebDAV/WebDAVS/Samba.

Linux Networking

Tips and tricks on how to enable network features on Linux, such as network bonding, VPN, firewall, IPv4 vs. IPv6

Configure a cPanel system to do Subject: tagging with SpamAssassin and Exim

By default, on a cPanel system, SpamAssassin doesn’t allow subject line rewriting. I find it a quick shortcut to be able to glance at the subject line and tell if the email is junk or not. Here is how to enable it. Requires root level access on the server.


Tweaking the Evolution Menu Bar

If you are like me, you have a ton of different email addresses, some for work, some for play, etc…

Most times, you don’t want to take a chance on mixing these and sending your personal signature on a business email, so if you do what I do, you set up a couple of different email clients.
