Friday, March 1, 2024

How to disable Debian 12 sleep on production servers

On a Debian 12 machine with the GNOME desktop installed, the GDM login screen (the greeter) applies GNOME's power-saving defaults, so a server that nobody is logged into is suspended after a while without mouse or keyboard activity. To fix this, as discussed here, edit /etc/gdm3/greeter.dconf-defaults, uncomment and set the following keys (they sit under the [org/gnome/settings-daemon/plugins/power] section), then reboot or restart the gdm3 service:

[org/gnome/settings-daemon/plugins/power]
sleep-inactive-ac-type='blank'
sleep-inactive-battery-type='blank'

'blank' only blanks the screen after the inactivity timeout instead of suspending the machine.
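The following is an added example, not code from the post: it applies the two greeter keys idempotently, so the change can be scripted across a fleet and rerun safely. It assumes Debian's stock layout of /etc/gdm3/greeter.dconf-defaults (the keys live, possibly commented out, under the [org/gnome/settings-daemon/plugins/power] section); SAMPLE is a constructed fragment, not a copy of the real file.

```python
"""Added example, not code from the post: apply the two greeter power keys
idempotently so the change can be scripted across servers and rerun safely.
Assumes Debian's stock /etc/gdm3/greeter.dconf-defaults layout (the keys
live, possibly commented out, under [org/gnome/settings-daemon/plugins/power]);
SAMPLE below is constructed, not a copy of the real file.
"""
import re
import sys

SECTION = "[org/gnome/settings-daemon/plugins/power]"
WANTED = {
    "sleep-inactive-ac-type": "'blank'",
    "sleep-inactive-battery-type": "'blank'",
}
# Matches "key=value" and commented-out "# key=value" lines.
KEY_RE = re.compile(r"^\s*#?\s*([\w-]+)\s*=\s*(.*)$")


def set_greeter_power(text, wanted=WANTED):
    """Return text with every key in `wanted` active and set inside SECTION.

    Correct keys are kept, commented-out or wrong-valued ones are rewritten in
    place, duplicates are dropped, and missing keys (or the whole section) are
    appended, so running this twice yields the same file.
    """
    out, seen = [], set()
    in_section = section_found = False
    for line in text.splitlines():
        if line.strip().startswith("["):
            if in_section:  # leaving our section: add keys that were never present
                out.extend("%s=%s" % (k, v) for k, v in wanted.items() if k not in seen)
            in_section = line.strip() == SECTION
            section_found = section_found or in_section
        elif in_section:
            m = KEY_RE.match(line)
            if m and m.group(1) in wanted:
                key = m.group(1)
                if key not in seen:
                    out.append("%s=%s" % (key, wanted[key]))
                    seen.add(key)
                continue  # drop the old (commented or duplicate) line
        out.append(line)
    if not section_found:
        out.append(SECTION)
    if in_section or not section_found:
        out.extend("%s=%s" % (k, v) for k, v in wanted.items() if k not in seen)
    return "\n".join(out) + "\n"


def apply_to_file(path):
    """Rewrite the real file in place; returns True if anything changed."""
    with open(path) as f:
        before = f.read()
    after = set_greeter_power(before)
    if after != before:
        with open(path, "w") as f:
            f.write(after)
    return after != before


# Constructed sample resembling the stock file: one key commented out,
# the other explicitly set to suspend.
SAMPLE = """\
[org/gnome/desktop/session]
idle-delay=uint32 0

[org/gnome/settings-daemon/plugins/power]
# sleep-inactive-ac-type='suspend'
sleep-inactive-battery-type='suspend'

[org/gnome/login-screen]
banner-message-enable=false
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print("changed" if apply_to_file(sys.argv[1]) else "already set")
    else:
        sys.stdout.write(set_greeter_power(SAMPLE))
```

Run it with the real path as root and reboot (or restart gdm3) afterwards. A server that needs no graphical login at all can also be kept awake independently of any desktop setting by masking the systemd sleep targets (sleep.target, suspend.target, hibernate.target, hybrid-sleep.target); the two are complementary.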

Wednesday, February 21, 2024

Setup tunneled hotspot on Bookworm Raspberrypi using Wireguard, Network Manager and DNSmasq plugin

This blog post is an update to the original post from 2019 for Debian buster and bullseye.

In this tutorial eth0 is the uplink to the internet. WireGuard uses eth0 to reach the server and builds a tunnel (wg0); only the hotspot clients on wlan0 are routed through that tunnel, while the Pi's own traffic keeps using eth0 directly.

The NetworkManager GUI makes this easy. There is no need to set up a separate DHCP server such as isc-dhcp-server: NetworkManager depends on the dnsmasq-base package and starts its own dnsmasq instance to serve DHCP and DNS on the hotspot.

To set up the hotspot, use the network icon on the Raspberry Pi desktop to create a wireless hotspot. For WireGuard, edit the hotspot connection and set its MTU to 1420, the tunnel's MTU, so client packets are not fragmented inside the tunnel. Also enable auto connect in the General tab. Disable IPv6 in the IPv6 tab if you are not using it; the tunnel configured below carries IPv4 only, so IPv6 traffic from clients could otherwise leave outside it. In the IPv4 tab (method "Shared to other computers") give the hotspot the address 10.0.1.1 with netmask 255.255.255.0 and gateway 10.0.1.1; clients then receive leases from 10.0.1.0/24.

Then create a separate routing table for the hotspot range 10.0.1.0/24 (run this once; every run appends another line):

echo 200 INET2 >> /etc/iproute2/rt_tables

and configure WireGuard to route that range through itself. Table = off stops wg-quick from installing the default route for AllowedIPs = 0.0.0.0/0 in the main table, so only the hotspot clients (via the INET2 rule) and the two Google DNS addresses use the tunnel; the Pi's own traffic stays on eth0. Note that PreDown removes the policy rule when the tunnel goes down, at which point client traffic falls through to the main table and NetworkManager's shared-mode NAT sends it out through eth0 unencrypted; if that is not acceptable, add a permanent FORWARD rule that only lets wlan0 traffic out via wg0.

[Interface]
PrivateKey = YOUR.PRIVATE.KEY
Address = 10.10.0.6/24
PostUp = iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE; ip rule add from 10.0.1.0/24 table INET2; ip route add default via 10.10.0.1 dev wg0 table INET2; ip route add 8.8.8.8/32 dev wg0; ip route add 8.8.4.4/32 dev wg0; ip route flush cache
PreDown = iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE; ip rule del from 10.0.1.0/24 table INET2; ip route del default via 10.10.0.1 dev wg0 table INET2; ip route del 8.8.8.8/32 dev wg0; ip route del 8.8.4.4/32 dev wg0; ip route flush cache
Table = off
MTU = 1420

[Peer]
PublicKey = SERVER.PUBKEY
AllowedIPs = 0.0.0.0/0
Endpoint = IP:Port
PersistentKeepalive = 25

Set net.ipv4.ip_forward=1 in /etc/sysctl.conf so the Pi forwards the clients' packets.

Edit your upstream network connections (eth0) and set their DNS servers to 8.8.8.8,1.1.1.1.

This way, after a reboot NetworkManager writes these name servers into /etc/resolv.conf. Note that only 8.8.8.8 and 8.8.4.4 get host routes through wg0 in the WireGuard config above, so the Pi's own queries to 1.1.1.1 leave via eth0 outside the tunnel.

NetworkManager runs its own dnsmasq (from dnsmasq-base) for the shared connection, and it has to be told which DNS servers to hand out to the DHCP clients; that instance reads drop-in files from /etc/NetworkManager/dnsmasq-shared.d/:

echo -e "dhcp-option=option:dns-server,8.8.8.8,8.8.4.4" > /etc/NetworkManager/dnsmasq-shared.d/dns.conf

Clients then send their DNS queries to those addresses directly, and since the queries come from 10.0.1.0/24 they travel through the tunnel like the rest of the client traffic.

Restart your raspberrypi to apply changes.
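The following is an added example, not code from the post: it checks from iproute2 output that the hotspot subnet is really steered into the tunnel, adds the INET2 entry to rt_tables without creating duplicates, and builds a kill-switch so hotspot clients cannot leak out through eth0 while wg0 is down. Names follow the post (10.0.1.0/24, table INET2 = 200, wlan0, wg0); SAMPLE_RULES and SAMPLE_INET2 are constructed to look like `ip rule show` and `ip route show table INET2` output after PostUp has run.

```python
"""Added example, not code from the post: verify that the hotspot subnet is
really steered into the tunnel, add the INET2 table entry without creating
duplicates, and build a kill-switch so hotspot clients cannot leak out via
eth0 while wg0 is down.  Names follow the post (10.0.1.0/24, table INET2 =
200, wlan0, wg0); SAMPLE_RULES and SAMPLE_INET2 are constructed to look like
iproute2 output after PostUp has run.
"""
import re
import subprocess

HOTSPOT_NET = "10.0.1.0/24"
TABLE, TABLE_ID = "INET2", 200
HOTSPOT_IF, TUNNEL_IF = "wlan0", "wg0"


def add_rt_table(text, table_id=TABLE_ID, name=TABLE):
    """Return /etc/iproute2/rt_tables content with 'id name' present exactly once.

    The post's `echo 200 INET2 >> /etc/iproute2/rt_tables` appends a duplicate
    on every rerun; this is idempotent and refuses a conflicting id or name.
    """
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(\S+)", line)
        if not m:
            continue  # comments and blank lines
        tid, tname = int(m.group(1)), m.group(2)
        if (tid, tname) == (table_id, name):
            return text
        if tid == table_id or tname == name:
            raise ValueError("rt_tables conflict: '%d %s' vs '%d %s'" % (tid, tname, table_id, name))
    if text and not text.endswith("\n"):
        text += "\n"
    return text + "%d\t%s\n" % (table_id, name)


def hotspot_uses_tunnel(rule_output, table_routes):
    """True iff `ip rule show` sends HOTSPOT_NET to TABLE and `ip route show
    table TABLE` has a default route leaving through TUNNEL_IF.  If either is
    missing, client traffic falls through to the main table and eth0."""
    rule = re.compile(r"\bfrom\s+%s\s+lookup\s+(%s|%d)\b"
                      % (re.escape(HOTSPOT_NET), TABLE, TABLE_ID))
    if not any(rule.search(line) for line in rule_output.splitlines()):
        return False
    default = re.compile(r"^default\b.*\bdev\s+%s\b" % TUNNEL_IF)
    return any(default.match(line.strip()) for line in table_routes.splitlines())


def killswitch_commands():
    """iptables commands: check for, then insert, a FORWARD rule rejecting
    anything from wlan0 that is not leaving via wg0.  Installed once and kept
    outside wg-quick's PostUp/PreDown so it also holds while the tunnel is down."""
    rule = ["-i", HOTSPOT_IF, "!", "-o", TUNNEL_IF, "-j", "REJECT"]
    return (["iptables", "-C", "FORWARD"] + rule,
            ["iptables", "-I", "FORWARD", "1"] + rule)


def check_live():
    """Run the routing check on this host (needs iproute2; no root required)."""
    run = lambda argv: subprocess.run(argv, capture_output=True, text=True).stdout
    return hotspot_uses_tunnel(run(["ip", "rule", "show"]),
                               run(["ip", "route", "show", "table", TABLE]))


def install_killswitch():
    """Insert the FORWARD rule if it is not there yet (root)."""
    check, insert = killswitch_commands()
    if subprocess.run(check, capture_output=True).returncode != 0:
        subprocess.run(insert, check=True)


# Constructed samples of iproute2 output with the tunnel up.
SAMPLE_RULES = """\
0:\tfrom all lookup local
32765:\tfrom 10.0.1.0/24 lookup INET2
32766:\tfrom all lookup main
32767:\tfrom all lookup default
"""
SAMPLE_INET2 = "default via 10.10.0.1 dev wg0\n"

if __name__ == "__main__":
    print("hotspot routed through tunnel (sample):", hotspot_uses_tunnel(SAMPLE_RULES, SAMPLE_INET2))
    print("kill-switch:", " ".join(killswitch_commands()[1]))
```

check_live() is the test to run on the Pi after the tunnel comes up and again after `wg-quick down wg0`: in the second case it must return False, which is exactly when the FORWARD rule from install_killswitch() is what keeps client traffic off eth0.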

You can see the list of connected clients in /var/lib/NetworkManager/dnsmasq-wlan0.leases, and

ps aux | grep dnsmasq

shows the dnsmasq instance started by NetworkManager together with its parameters, including the configuration directory used above.

How to resolve repeating keys issue on WayVNC bookworm

When you connect to the WayVNC server on Raspberry Pi OS Bookworm (Debian 12) from far away, keys may repeat if the connection loses packets. If the packet carrying a key-release event is dropped, it is retransmitted and therefore arrives late, possibly late enough for the compositor's auto-repeat to kick in.

To resolve this, set kb_repeat_rate to 0 in the Wayfire config, as explained here:

Edit /etc/wayfire/defaults.ini and add

kb_repeat_rate = 0

under the [input] section of the file, then restart Raspberry Pi OS to apply the new setting. Note that this disables key auto-repeat for the whole compositor, including a locally attached keyboard.

Saturday, February 10, 2024

How to take a screenshot using ssh on Wayland Desktop

On Debian 11 for Raspberry Pi and older versions, a screenshot of the active desktop can be taken from an SSH session with the scrot package by pointing the DISPLAY environment variable at the running X display, which is :0.0 by default:

        DISPLAY=:0.0 scrot -o screenshot.jpg

or in Python:

        import os
        picfile = "screenshot.jpg"
        os.environ["DISPLAY"] = ":0.0"
        os.system("scrot -o {}".format(picfile))

On Debian 12 for Raspberry Pi and later versions the desktop runs on Wayland (the Wayfire compositor) and scrot does not work there. The grim package, which is installed by default, can be used instead. The same approach works by pointing grim at the compositor's socket through the WAYLAND_DISPLAY and XDG_RUNTIME_DIR environment variables:

WAYLAND_DISPLAY=wayland-1 XDG_RUNTIME_DIR=/run/user/1000 grim screenshot.png

or in Python:

import os
pngfile = "screenshot.png"
os.environ["WAYLAND_DISPLAY"] = "wayland-1"
os.environ["XDG_RUNTIME_DIR"] = "/run/user/1000"
os.system("grim {}".format(pngfile))

To find the correct values, run env in a terminal on the desktop itself and look at WAYLAND_DISPLAY and XDG_RUNTIME_DIR. The socket is the file /run/user/<uid>/wayland-N: the number is not always 1, and the uid is that of the logged-in desktop user (1000 for the default account). The process also needs permission to open that socket, so run it as that user or as root. Without the right values grim cannot reach the compositor from a non-graphical session and fails with:

failed to create display
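The following is an added example, not code from the post: it discovers the compositor socket in the target user's runtime directory instead of hard-coding wayland-1, falls back to the Debian 11 scrot method when no Wayland session is found, and runs the tool without going through a shell. It assumes the desktop user is uid 1000, that grim and scrot are on PATH, and that it runs as that user or as root; demo_runtime_dir() builds a constructed fixture so the detection can be exercised without a desktop.

```python
"""Added example, not code from the post: take a screenshot from an SSH
session, choosing grim (Wayland) or scrot (X11) by inspecting the desktop
user's runtime dir instead of hard-coding WAYLAND_DISPLAY=wayland-1.
Assumed: the desktop user is uid 1000, grim and scrot are on PATH, and the
script runs as that user or as root.
"""
import os
import socket
import stat
import subprocess
import tempfile


def find_wayland_display(runtime_dir):
    """Return the compositor socket name in runtime_dir (e.g. 'wayland-1'),
    or None if no Wayland session is listening there.

    Only Unix sockets count: the compositor also leaves a regular file
    'wayland-N.lock' next to the socket, which must not be mistaken for it.
    """
    try:
        names = sorted(os.listdir(runtime_dir))
    except OSError:
        return None
    for name in names:
        if not name.startswith("wayland-") or name.endswith(".lock"):
            continue
        try:
            st = os.stat(os.path.join(runtime_dir, name))
        except OSError:
            continue
        if stat.S_ISSOCK(st.st_mode):
            return name
    return None


def screenshot_command(outfile, uid=1000, runtime_dir=None):
    """Build (argv, env) for the tool matching the running session."""
    runtime_dir = runtime_dir or "/run/user/%d" % uid
    display = find_wayland_display(runtime_dir)
    env = dict(os.environ)
    if display is not None:
        env["WAYLAND_DISPLAY"] = display
        env["XDG_RUNTIME_DIR"] = runtime_dir
        return ["grim", outfile], env
    # No compositor socket: fall back to the X11 method used on Debian 11.
    env["DISPLAY"] = ":0.0"
    return ["scrot", "-o", outfile], env


def take_screenshot(outfile, uid=1000):
    """Run the chosen tool as an argv list (no shell, so outfile cannot inject
    commands); raises CalledProcessError on 'failed to create display'."""
    argv, env = screenshot_command(outfile, uid)
    subprocess.run(argv, env=env, check=True)
    return outfile


def demo_runtime_dir():
    """Constructed fixture: a scratch runtime dir holding a fake 'wayland-1'
    Unix socket and its lock file, so detection can be tested offline."""
    d = tempfile.mkdtemp(prefix="xdg-")
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.bind(os.path.join(d, "wayland-1"))  # the socket file stays after close
    open(os.path.join(d, "wayland-1.lock"), "w").close()
    return d


if __name__ == "__main__":
    print(screenshot_command("screenshot.png", runtime_dir=demo_runtime_dir())[0])
    # take_screenshot("screenshot.png")  # on the Pi, from the SSH session
```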

Thursday, February 8, 2024

How to set the default route on Debian 12 bookworm

The /etc/dhcpcd.conf file no longer exists on Debian 12 Bookworm for Raspberry Pi: networking is managed by NetworkManager, so routes and their metrics are set per connection instead.

To see the current default routes and their metrics, use ip route show default (route -n from net-tools also works if it is installed).

To find the connection names, use nmcli connection show

Then take the connection you want to become the default route and give it a route metric lower than the others: the kernel prefers the default route with the lowest metric (NetworkManager's own defaults are 100 for wired and 600 for Wi-Fi connections):

nmcli connection edit "Wired connection 1"

set ipv4.route-metric 50

save

quit

The new metric only reaches the kernel routing table once the connection is activated again, for example with nmcli connection up "Wired connection 1".
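The following is an added example, not code from the post: it reads the kernel's default routes, says which one currently wins, computes a metric that beats the rest, and applies it with nmcli non-interactively (modify plus reactivate) instead of the interactive edit session. SAMPLE is constructed `ip -4 route show default` output; the connection name passed to prefer_connection() is an assumed example.

```python
"""Added example, not code from the post: read the kernel's default routes,
say which one wins, choose a metric that beats the rest, and apply it with
nmcli non-interactively (modify + reactivate) instead of the interactive
`nmcli connection edit` session.  SAMPLE is constructed `ip -4 route show
default` output; the connection name passed to prefer_connection is assumed.
"""
import subprocess


def parse_default_routes(text):
    """Parse `ip -4 route show default` lines into [(metric, dev, via)].
    A route printed without a metric field has metric 0."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] != "default":
            continue
        metric, dev, via = 0, None, None
        for i, tok in enumerate(fields[:-1]):
            if tok == "metric":
                metric = int(fields[i + 1])
            elif tok == "dev":
                dev = fields[i + 1]
            elif tok == "via":
                via = fields[i + 1]
        routes.append((metric, dev, via))
    return routes


def winning_default(text):
    """The default route the kernel actually uses: the LOWEST metric wins."""
    routes = parse_default_routes(text)
    return min(routes, key=lambda r: r[0]) if routes else None


def metric_to_win(text, dev):
    """A route metric for `dev` strictly below every other default route
    (never below 1); 100 if there is nothing to beat."""
    others = [m for m, d, _ in parse_default_routes(text) if d != dev]
    return max(1, min(others) - 1) if others else 100


def prefer_connection(name, metric):
    """Set ipv4.route-metric on a NetworkManager connection and bring it up
    again: editing the profile alone does not touch the kernel routing table.
    Returns the default route that wins afterwards."""
    subprocess.run(["nmcli", "connection", "modify", name,
                    "ipv4.route-metric", str(metric)], check=True)
    subprocess.run(["nmcli", "connection", "up", name], check=True, capture_output=True)
    out = subprocess.run(["ip", "-4", "route", "show", "default"],
                         capture_output=True, text=True, check=True).stdout
    return winning_default(out)


# Constructed sample: NetworkManager's usual DHCP defaults, wired 100 / Wi-Fi 600.
SAMPLE = """\
default via 192.168.1.1 dev eth0 proto dhcp src 192.168.1.20 metric 100
default via 192.168.2.1 dev wlan0 proto dhcp src 192.168.2.20 metric 600
"""

if __name__ == "__main__":
    print("current winner:", winning_default(SAMPLE))
    print("metric that makes wlan0 win:", metric_to_win(SAMPLE, "wlan0"))
    # prefer_connection("Wireless connection 1", metric_to_win(SAMPLE, "wlan0"))  # on the Pi, as root
```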


Wednesday, July 5, 2023

How to configure Eturnal TURN server with TLSv1.3 support on Debian 12

eturnal is a TURN server and an alternative to coturn. It can be installed on Debian using the instructions provided here.

By default eturnal hands out time-limited credentials derived from the shared secret (the secret option in its config) using the TURN REST API scheme: the username is an expiry time as a Unix timestamp and the password is the base64-encoded HMAC-SHA1 of that username keyed with the secret. To get a pair that behaves like a static username and password, generate one with a far-future expiry.

The following Python code performs that conversion:

import hmac
import hashlib
import base64

username = "1735686000"          # Expiry as a Unix timestamp: credentials valid until 2025-01-01.
secret = "1pIFIj70BPsgBI92j5ux"  # The 'secret' specified in your configuration file.

sha = hmac.new(secret.encode('utf-8'), username.encode('utf-8'), hashlib.sha1)
password = base64.b64encode(sha.digest()).decode('utf-8')

print(username)
print(password)
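The following is an added example, not the post's or eturnal's code: the same scheme wrapped in functions, with a TTL-based username and the checks a server performs on such credentials (constant-time MAC comparison, then rejection of expired usernames). SECRET is the value shown above; the TTLs and clock values passed as `now` are illustrative. The optional user_id suffix produces the `timestamp:userid` username that coturn's use-auth-secret mechanism expects, which uses the same MAC; that eturnal tolerates the suffix is an assumption.

```python
"""Added example, not the post's or eturnal's code: ephemeral TURN credentials
as functions plus the checks a server performs on them.  SECRET is the value
shown above; TTLs and the clock values passed as `now` are illustrative.
"""
import base64
import hashlib
import hmac
import time

SECRET = "1pIFIj70BPsgBI92j5ux"


def turn_password(secret, username):
    """password = base64(HMAC-SHA1(secret, username)), as in the script above."""
    mac = hmac.new(secret.encode("utf-8"), username.encode("utf-8"), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")


def turn_credentials(secret, ttl_seconds, now=None, user_id=None):
    """Credentials valid for ttl_seconds from `now` (default: the current time).

    The username is the expiry timestamp; with user_id it becomes
    'timestamp:user_id', the form coturn's use-auth-secret (TURN REST API)
    expects (assumption: eturnal also tolerates that suffix).
    """
    expiry = int(time.time() if now is None else now) + ttl_seconds
    username = str(expiry) if user_id is None else "%d:%s" % (expiry, user_id)
    return username, turn_password(secret, username)


def verify_credentials(secret, username, password, now=None):
    """Server-side check: constant-time MAC comparison, then the expiry.

    Anyone holding the secret can mint valid credentials, so the secret is
    the real key here; the timestamp only bounds how long a leaked pair works.
    """
    try:
        expiry = int(username.split(":", 1)[0])
    except ValueError:
        return False
    if not hmac.compare_digest(turn_password(secret, username), password):
        return False
    return expiry > int(time.time() if now is None else now)


if __name__ == "__main__":
    user, pw = turn_credentials(SECRET, 24 * 3600)
    print(user)
    print(pw)
    print("valid now:", verify_credentials(SECRET, user, pw))
```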


The following options disable the older TLS versions so that the TLS listener only accepts TLSv1.3:

  ## TLS certificate/key files (must be readable by 'eturnal' user!):
  tls_crt_file: /opt/fullchain.pem
  tls_key_file: /opt/privkey.pem
  tls_options:
    - no_tlsv1
    - no_tlsv1_1
    - no_tlsv1_2

It is also recommended to uncomment the - recommended item in the blacklist section. It stops clients from using the relay to reach private and local network address ranges, so an attacker with TURN credentials cannot pivot through the server into your LAN, and it avoids pointless relay attempts to unreachable local addresses.

Monday, July 3, 2023

How to Install coturn 4.6.2 with TLSv1.3 support on Debian 12

TLSv1.3 support was added in coturn 4.6.2. Debian 12 bookworm ships coturn 4.6.1, which does not support it, so either the Docker image of the latest coturn must be used or it has to be compiled from source.

When compiling from source, OpenSSL 1.1.1 or newer is needed for TLSv1.3 (Debian 12 ships OpenSSL 3.0).

To compile the latest coturn on Debian, follow these steps as root. Pin the release tag you build and check the downloaded archive against a checksum you trust before extracting it; the commands below do not do that for you:

apt-get install pkg-config build-essential libssl-dev libevent-dev libsystemd-dev -y
cd /usr/src
wget https://github.com/coturn/coturn/archive/refs/tags/4.6.2.tar.gz
tar -zxvf 4.6.2.tar.gz
cd coturn-4.6.2
./configure --prefix=/usr --confdir=/etc
make
make install
cp ./examples/etc/coturn.service /etc/systemd/system/
mv /etc/turnserver.conf.default /etc/turnserver.conf
useradd --system turnserver -s /bin/false
chown turnserver:turnserver /var/run/turnserver.pid
systemctl daemon-reload
systemctl enable coturn --now
systemctl status coturn

The user has to exist before the chown, and the chown only applies if a pid file already exists at that path; make sure it matches the PIDFile= line in coturn.service and the pidfile option in turnserver.conf.

Now, in the log file you should see:

INFO: TLS 1.3 supported

Jitsi provides a sample turnserver.conf for media streaming and TURNS; the syntax is documented here.

Add the following to /etc/turnserver.conf to disable the older versions of SSL/TLS, including TLSv1.2, and enforce TLSv1.3 connections:

no-sslv3

no-tlsv1

no-tlsv1_1

no-tlsv1_2

A static user and password for TURN can be defined with the long-term credential mechanism; lt-cred-mech also requires a realm:

lt-cred-mech

realm=YOUR.REALM

user=TURNUSER:TURNPASSWORD

The clear-text password in the config can be avoided: coturn also accepts user=TURNUSER:0x<key>, where the key is the hash that turnadmin -k -u TURNUSER -r YOUR.REALM -p TURNPASSWORD prints. Either way these credentials never expire; for clients that cannot keep a secret (browsers), the time-limited credentials of use-auth-secret with static-auth-secret are the safer choice, using the same HMAC scheme shown for eturnal above.
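The following is an added example, not coturn's or the post's code: a small linter for /etc/turnserver.conf that flags the weak settings discussed above (old TLS versions left enabled, clear-text user= passwords, lt-cred-mech without a realm, missing cert/key), plus a live check that the TURNS port negotiates TLS 1.3 and refuses TLS 1.2. WEAK and HARDENED are constructed config fragments; the certificate paths and the 0x key in HARDENED are placeholders, and the host and port passed to tls13_only() are assumptions.

```python
"""Added example, not coturn's or the post's code: a linter for
/etc/turnserver.conf flagging the weak settings discussed above, and a live
check that the TURNS port really refuses TLS 1.2.  WEAK and HARDENED are
constructed config fragments; paths and the 0x key in them are placeholders.
"""
import socket
import ssl

REQUIRED_TLS_FLAGS = ("no-tlsv1", "no-tlsv1_1", "no-tlsv1_2")


def parse_turnserver_conf(text):
    """coturn syntax: one option per line, either 'flag' or 'key=value';
    '#' starts a comment.  Returns [(key, value)] with value None for bare
    flags; repeated keys (several user= lines) are all kept."""
    opts = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        opts.append((key.strip(), value.strip() if sep else None))
    return opts


def lint_turnserver_conf(text):
    """Return [(code, message)] findings; an empty list means nothing flagged."""
    opts = parse_turnserver_conf(text)
    keys = {k for k, _ in opts}
    findings = []
    for flag in REQUIRED_TLS_FLAGS:
        if flag not in keys:
            findings.append(("tls-version", "%s missing: that TLS version is still accepted" % flag))
    for key, value in opts:
        if key == "user" and value and not value.partition(":")[2].startswith("0x"):
            findings.append(("clear-text-password",
                             "user=%s stores a clear-text password; use the 0x key from turnadmin -k"
                             % value.partition(":")[0]))
    if "lt-cred-mech" in keys and "realm" not in keys:
        findings.append(("no-realm", "lt-cred-mech needs a realm= setting"))
    if "cert" not in keys or "pkey" not in keys:
        findings.append(("no-tls-cert", "cert= and pkey= are both needed to serve TURNS"))
    return findings


def negotiated_tls_version(host, port, minimum, maximum, timeout=5.0):
    """Handshake with the TURNS port restricted to [minimum, maximum] and return
    the negotiated version, or None if the server refused (what we want for 1.2)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version, ctx.maximum_version = minimum, maximum
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version()
    except (ssl.SSLError, OSError):
        return None


def tls13_only(host, port):
    """True if TLS 1.3 is accepted and a TLS 1.2-only client is refused."""
    v13 = negotiated_tls_version(host, port, ssl.TLSVersion.TLSv1_3, ssl.TLSVersion.TLSv1_3)
    v12 = negotiated_tls_version(host, port, ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_2)
    return v13 == "TLSv1.3" and v12 is None


# Constructed fragments: the settings the post starts from, and the hardened form.
WEAK = """\
lt-cred-mech
user=TURNUSER:TURNPASSWORD
no-sslv3
no-tlsv1
"""
HARDENED = """\
lt-cred-mech
realm=YOUR.REALM
user=TURNUSER:0x1234567890abcdef1234567890abcdef
cert=/etc/coturn/fullchain.pem
pkey=/etc/coturn/privkey.pem
no-sslv3
no-tlsv1
no-tlsv1_1
no-tlsv1_2
"""

if __name__ == "__main__":
    for code, msg in lint_turnserver_conf(WEAK):
        print(code, "-", msg)
    print("hardened findings:", lint_turnserver_conf(HARDENED))
    # print(tls13_only("turn.example.org", 5349))  # against the live TURNS listener
```

Running lint_turnserver_conf on the real file is a quick regression check after edits; tls13_only() is the check from the outside, and it should be run against the public address, since the TLS settings only matter on the listener clients actually reach.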

