Adding BPF to my DHCP Server


Ages ago, i’ve written a small DHCP Server and Client in Go.

DHCP has a few (surprising to me, back then) complications which force one to use raw sockets:

A client needs to be able to perform an arp ping and receive replies of the server before its IP stack is configured.

Likewise, the server needs to be able to see requests which are not addressed to its IP or MAC (since the client doesn’t know this information yet!) and therefore needs to ‘sniff’ all IP traffic, which can be quite expensive if the machine is busy doing other things. Even if my server was written in assembly, things would be suboptimal since each received packet causes an (often unneeded) context switch. So how can we do better?

Read more ⟶


Void Linux on Oracle Cloud Free Tier


I’ve recently noticed that Oracle (yes, oracle) offers a pretty nice ‘Always Free Tier’ cloud offering.

Unfortunately, only Oracle Linux and Ubuntu are available, which is not really what i want.

So i went ahead and wrote a small script which ’takes over’ an existing ubuntu installation: takeover.sh.

Using the script is rather simple:

  • First, create a new ubuntu minimal instance
  • SCP the script to /tmp
  • Log in to the ubuntu host and (as root) execute sh /tmp/takeover.sh, then wait.

Note: You likely want to modify the script to use a different root password and create a different user (with different keys ;-) )

Read more ⟶


Wayland in 2023


I’ve been using Linux on the Desktop since probably around 1998. While i did try a few desktop environments (KDE, Gnome, GNUStep), i always came back to just using fvwm2 with a terminal (and netscape/mozilla/firefox).

However, Xorg is dying and so i’ve moved on to Wayland about 2 years ago, settling on swaywm with foot or/and Alacritty.

I never really liked the setup: While SwayWM felt quite okay on my laptop, i never liked it on my workstation and somehow ended up using wayfire which also always felt - ieks (just getting focus-follows-mouse working was a pain).

Read more ⟶


Yubikey 5 on Void linux


I recently (finally) got myself a yubikey which i plan to use with pass - and hence gpg.

In this article, we take a look into the basic setup required to make the yubikey work on void linux.

Install required packages

First, we need to install a couple of packages such as a pcsc daemon and the yubikey manager:

$ xbps-install -Su u2f-hidraw-policy gnupg2-scdaemon yubikey-manager pcsc-ccid pcsclite

Also make sure that your user is a member of the plugdev group to use the key via gnupg2 (more on that later).

Read more ⟶


Aliexpress LTE / 4G Stick hacking - Part 2


In my previous post, we started to play a little bit with a cheap LTE stick from Aliexpress.

We identified the APK responsible for serving the limited Web-UI and keen eyes might have spotted something unusual:

Certificate

So this APK claims to be signed by Google (well, ‘Android’) which seems odd. Well, not really:

$ adb shell getprop ro.build.description
msm8916_32_512-user 4.4.4 KTU84P eng.qwang.20220611 test-keys

Did you notice something? Yes: test-keys.

What are test-keys?

Android OTA packages are signed using a ‘platform key’ which should usually be kept secret.

Read more ⟶


Aliexpress LTE / 4G Stick hacking


I recently decided that i “need” an LTE USB stick to tinker around with, so i visited Aliexpress and bought one of the many available cheap devices.

Weeks later, i was the proud owner of this thing:

[Image: Stick from the back]

First impressions

After plugging the device in, it appears as an ‘Android’ device, which is - interesting.

$ lsusb |grep Android
Bus 001 Device 017: ID 05c6:9024 Qualcomm, Inc. Android

$ dmesg | grep usb
[20388.606115] usb 1-2.4: new high-speed USB device number 16 using xhci_hcd
[20388.684301] usb 1-2.4: New USB device found, idVendor=05c6, idProduct=9091, bcdDevice=ff.ff
[20388.684309] usb 1-2.4: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[20388.684311] usb 1-2.4: Product: Android
[20388.684313] usb 1-2.4: Manufacturer: Android
[20388.684314] usb 1-2.4: SerialNumber: 1234567890ABCDEF
[20425.758881] usb 1-2.4: USB disconnect, device number 16
[20425.935886] usb 1-2.4: new high-speed USB device number 17 using xhci_hcd
[20426.013250] usb 1-2.4: New USB device found, idVendor=05c6, idProduct=9024, bcdDevice=ff.ff
[20426.013264] usb 1-2.4: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[20426.013270] usb 1-2.4: Product: Android
[20426.013274] usb 1-2.4: Manufacturer: Android
[20426.013277] usb 1-2.4: SerialNumber: 1234567890ABCDEF
[20426.017802] rndis_host 1-2.4:1.0 usb0: register 'rndis_host' at usb-0000:00:14.0-2.4, RNDIS device, 02:0c:08:57:35:38
[20426.029337] rndis_host 1-2.4:1.0 enp0s20f0u2u4: renamed from usb0

As we can see in the dmesg output, the device also provides a ‘virtual’ ethernet interface, so let’s see if it likes us:

Read more ⟶


nsjail with netns


Nsjail and netns

I’ve been a long-time user of nsjail, which is a pretty handy tool to create linux namespaces. My common use case for nsjail is to put services into their own, well, jail - by only giving them access to specific folders in the filesystem.

As an example: The webserver which served you this page runs with the following configuration:

mode: ONCE
hostname: "nsjail-hostname"

clone_newnet: false
time_limit: 0

rlimit_cpu_type: INF
rlimit_nofile: 4096
rlimit_fsize: 320960

uidmap {
        inside_id: "1099"
        outside_id: "psa-www"
}
gidmap {
        inside_id: "1099"
        outside_id: "psa-www"
}
mount {
        src: "/tank/websites"
        dst: "/web"
        is_bind: true
}
mount {
        src: "/usr/local/bin/psa-www"
        dst: "/psa-www"
        is_bind: true
}
# standard paths.
mount {
        src: "/dev/urandom"
        dst: "/dev/urandom"
        is_bind: true
}

And this works fine: The process is neatly isolated and can only access resources it has to - it doesn’t even see any other processes given that it runs in its own pid namespace.

Read more ⟶


Source based routing with wireguard


What is this article about?

This article describes how to configure a linux router to send traffic from specific IPs to a non-default (wireguard) route. With such a setup, you will be able to use a VPN with ‘smart’ devices (A TV, Nintendo Switch, etc…) which do not have native wireguard support.

Configure wireguard interface

First, we configure a new wireguard interface which we will call sbr0. Note that we are not using wg-quick to bring the device up since we want to have full control over its configuration (and not use it as a default route anyway).

Read more ⟶