Blog

  • VyOS-1x build script on VyOS

    Put the vyos/vyos-1x source tree in /config/build/vyos-1x

    Save the script as /config/build/build.sh and run it as root

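    #!/bin/sh
    # Build the vyos-1x Debian package on a VyOS host inside the upstream
    # vyos-build container, then install the result and restart vyos-configd.
    #
    # Expects: the vyos/vyos-1x source tree at /config/build/vyos-1x.
    # Must run as root (writes apt sources, installs packages).
    # Abort on the first failing command and on unset variables.
    set -eu

    BUILD_DIR=/config/build

    # Replace the host's apt sources with a mirror. The Signed-By line keeps
    # verification against the stock Debian archive keyring, so only the
    # transport endpoint changes. This edits the host, not the build
    # container (the container only sees the -v bind mount below).
    cat << 'EOF' > /etc/apt/sources.list.d/debian.sources
    Types: deb deb-src
    URIs: https://mirrors.tuna.tsinghua.edu.cn/debian
    Suites: bookworm bookworm-updates
    Components: main contrib non-free non-free-firmware
    Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
    
    Types: deb deb-src
    URIs: https://mirrors.tuna.tsinghua.edu.cn/debian-security
    Suites: bookworm-security
    Components: main contrib non-free non-free-firmware
    Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
    EOF

    podman pull docker.io/vyos/vyos-build:current

    mkdir -p "$BUILD_DIR"
    cd "$BUILD_DIR" || exit 1

    # Drop artifacts of the previous build so the dpkg -i glob further down
    # cannot pick up a stale package.
    rm -f "$BUILD_DIR"/vyos-1x-* "$BUILD_DIR"/vyos-1x_*

    # Presumably the build inside the container runs under a uid other than
    # vyos, which is why the tree is made world-writable.
    # NOTE(review): 777 lets any local account tamper with the sources before
    # dpkg -i installs the result; a uid-mapped mount or 775 with a matching
    # group would be tighter — confirm the container's build uid first.
    chown -R vyos: "$BUILD_DIR"
    chmod 777 "$BUILD_DIR"

    # Flags are the author's invocation; -it needs a terminal, so run this
    # from an interactive shell (or drop -t for unattended use).
    # -uc -us: no signing; -tc: clean after build; -b: binary-only.
    podman run --rm -it --privileged --network host \
      -v "$BUILD_DIR":/vyos -w /vyos/vyos-1x \
      vyos/vyos-build:current dpkg-buildpackage -uc -us -tc -b

    # Install the freshly built package. After the rm -f above the glob
    # should match exactly one file; if it matches nothing the literal
    # pattern reaches dpkg, which fails and set -e stops the script.
    dpkg -i vyos-1x_1.5dev0-*_amd64.deb

    systemctl restart vyos-configd

    # Re-apply ownership/permissions: the build may have created files
    # owned by other uids.
    chown -R vyos: "$BUILD_DIR"
    chmod 777 "$BUILD_DIR"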
    
    
  • VyOS Debug PBR & NAT

    Run everything below as root.

    Keyword: nftrace

    Edit the nftables files VyOS generates under /run/nftables*.

    Enable nftrace on the whole chain

    # Full-chain trace: every packet entering VYOS_PBR_PREROUTING is traced,
    # because the nftrace rule is the first rule in the chain.
    table ip vyos_mangle {
        chain VYOS_PBR_PREROUTING {
            type filter hook prerouting priority -150; policy accept;
            # rules are evaluated in order: keep this above the jump so a
            # packet is marked for tracing before anything can divert it
            meta nftrace set 1
            iifname { eth2,eth0 } counter jump VYOS_PBR_UD_MY_PBR_RULES
        }
    }

    Make sure the nftrace rule comes before the other rules: rules are evaluated in order, so a packet diverted by an earlier rule would never be traced.

    Enable nftrace on a single rule.

    # Single-rule trace: nftrace is set only on the PBR rule that marks
    # traffic from the SRC_HIJACK_MITMPROXY set, so only packets matching it
    # appear in `nft monitor trace` (they keep being reported in the chains
    # they traverse afterwards, as the example output below shows).
    table ip vyos_mangle {
        chain VYOS_PBR_PREROUTING {
            type filter hook prerouting priority -150; policy accept;
            iifname { eth2,eth0 } counter jump VYOS_PBR_UD_MY_PBR_RULES
        }
    
        chain VYOS_PBR_UD_MY_PBR_RULES {
            # 'meta nftrace set 1' is inserted before the 'return'; the mark
            # value and the comment are VyOS-generated — presumably the
            # trailing 50 is the PBR rule number, check your own /run file
            ip saddr  @A_SRC_HIJACK_MITMPROXY counter meta mark set 2147483628 meta nftrace set 1 return comment "ipv4-route-ROUTE_CLASH_TUN-50"
        }
    }

    Test & Apply

    # Test: parse only, reports syntax errors without touching the live ruleset
    nft --check --file /run/nftables_policy.conf
    # Apply: loads the edited file over what VyOS generated. Presumably the
    # next VyOS commit regenerates this file and the nftrace edits are lost —
    # confirm, and redo the edit if needed.
    nft --file /run/nftables_policy.conf

    Monitor

    # One line per traced packet per chain; lines sharing a trace id are the
    # same packet walking through successive chains
    nft monitor trace 

    Example Result

    trace id 0abb78f9 ip vyos_mangle VYOS_PBR_PREROUTING packet: iif "eth2" ether saddr bc:24:11:27:72:1b ether daddr bc:24:11:35:1c:c5 ip saddr 192.168.27.100 ip daddr 192.168.27.1 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 64190 ip length 68 udp sport 58012 udp dport 53 udp length 48 @th,64,96 0x990701200001000000000001
    trace id 0abb78f9 ip vyos_static_nat PREROUTING packet: iif "eth2" ether saddr bc:24:11:27:72:1b ether daddr bc:24:11:35:1c:c5 ip saddr 192.168.27.100 ip daddr 192.168.27.1 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 64190 ip length 68 udp sport 58012 udp dport 53 udp length 48 @th,64,96 0x990701200001000000000001
    trace id 0abb78f9 ip vyos_nat PREROUTING packet: iif "eth2" ether saddr bc:24:11:27:72:1b ether daddr bc:24:11:35:1c:c5 ip saddr 192.168.27.100 ip daddr 192.168.27.1 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 64190 ip length 68 udp sport 58012 udp dport 53 udp length 48 @th,64,96 0x990701200001000000000001
    trace id 0abb78f9 ip vyos_conntrack PREROUTING_HELPER packet: iif "eth2" ether saddr bc:24:11:27:72:1b ether daddr bc:24:11:35:1c:c5 ip saddr 192.168.27.100 ip daddr 10.0.0.53 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 64190 ip length 68 udp sport 58012 udp dport 53 udp length 48 @th,64,96 0x990701200001000000000001
    trace id 0abb78f9 ip raw VYOS_TCP_MSS packet: iif "eth2" oif "pppoe0" ether saddr bc:24:11:27:72:1b ether daddr bc:24:11:35:1c:c5 ip saddr 192.168.27.100 ip daddr 10.0.0.53 ip dscp cs0 ip ecn not-ect ip ttl 63 ip id 64190 ip length 68 udp sport 58012 udp dport 53 udp length 48 @th,64,96 0x990701200001000000000001
    trace id 0abb78f9 ip vyos_mangle VYOS_PBR_FORWARD packet: iif "eth2" oif "pppoe0" ether saddr bc:24:11:27:72:1b ether daddr bc:24:11:35:1c:c5 ip saddr 192.168.27.100 ip daddr 10.0.0.53 ip dscp cs0 ip ecn not-ect ip ttl 63 ip id 64190 ip length 68 udp sport 58012 udp dport 53 udp length 48 @th,64,96 0x990701200001000000000001
    trace id 0abb78f9 inet mangle FORWARD packet: iif "eth2" oif "pppoe0" ether saddr bc:24:11:27:72:1b ether daddr bc:24:11:35:1c:c5 ip saddr 192.168.27.100 ip daddr 10.0.0.53 ip dscp cs0 ip ecn not-ect ip ttl 63 ip id 64190 ip protocol udp ip length 68 udp sport 58012 udp dport 53 udp length 48 @th,64,96 0x990701200001000000000001
    trace id 0abb78f9 ip vyos_filter VYOS_FORWARD_filter packet: iif "eth2" oif "pppoe0" ether saddr bc:24:11:27:72:1b ether daddr bc:24:11:35:1c:c5 ip saddr 192.168.27.100 ip daddr 10.0.0.53 ip dscp cs0 ip ecn not-ect ip ttl 63 ip id 64190 ip length 68 udp sport 58012 udp dport 53 udp length 48 @th,64,96 0x990701200001000000000001
    trace id 0abb78f9 ip vyos_filter VYOS_ZONE_FORWARD packet: iif "eth2" oif "pppoe0" ether saddr bc:24:11:27:72:1b ether daddr bc:24:11:35:1c:c5 ip saddr 192.168.27.100 ip daddr 10.0.0.53 ip dscp cs0 ip ecn not-ect ip ttl 63 ip id 64190 ip length 68 udp sport 58012 udp dport 53 udp length 48 @th,64,96 0x990701200001000000000001
    trace id 0abb78f9 ip vyos_mangle VYOS_PBR_POSTROUTING packet: iif "eth2" oif "pppoe0" ether saddr bc:24:11:27:72:1b ether daddr bc:24:11:35:1c:c5 ip saddr 192.168.27.100 ip daddr 10.0.0.53 ip dscp cs0 ip ecn not-ect ip ttl 63 ip id 64190 ip length 68 udp sport 58012 udp dport 53 udp length 48 @th,64,96 0x990701200001000000000001
    trace id 0abb78f9 ip nat VYOS_PRE_SNAT_HOOK packet: iif "eth2" oif "pppoe0" ether saddr bc:24:11:27:72:1b ether daddr bc:24:11:35:1c:c5 ip saddr 192.168.27.100 ip daddr 10.0.0.53 ip dscp cs0 ip ecn not-ect ip ttl 63 ip id 64190 ip length 68 udp sport 58012 udp dport 53 udp length 48 @th,64,96 0x990701200001000000000001
    trace id 0abb78f9 ip vyos_static_nat POSTROUTING packet: iif "eth2" oif "pppoe0" ether saddr bc:24:11:27:72:1b ether daddr bc:24:11:35:1c:c5 ip saddr 192.168.27.100 ip daddr 10.0.0.53 ip dscp cs0 ip ecn not-ect ip ttl 63 ip id 64190 ip length 68 udp sport 58012 udp dport 53 udp length 48 @th,64,96 0x990701200001000000000001
  • Protected: VyOS MiTMPROXY Using WireGuard


  • 海康威视 R1 安全迁移 Docker Root

    桌面App 直接迁移,会提示数据要重新下载和配置。

    # Stop the container runtime before moving its data directory.
    # NOTE(review): nothing checks that the mv succeeded before containerd is
    # started again; consider `mv ... || exit` when running this as a script.
    systemctl stop containerd
    mv /drives/raid_a1/.docker /drives/nvme_e1/
    
    # Persist the new location in the device's own config (see the note below)
    cd /tmp/nand_config
    cp docker.json docker.json.bak
    # Edit docker.json
    # See the explanation below
    
    
    # Edit /etc/docker/daemon.json as well; that change does not persist
    # Changing the path directly takes effect without a reboot, but be sure
    # to update the persistent config as described
    systemctl start containerd

    桌面客户端可以改配置(Docker设置 / 装载目录),建议顺手先改掉。

    固件里 /tmp/nand_config/docker.json 是自动生成的,里边定义了 disk_path 和 disk_uuid,前者的值是类似 /drives/raid_a1,后者是用 disk_get_uuid_byfilepath 的函数生成的,有重建逻辑,删掉即可。

  • VyOS 实现LAN 流量劫持

    以前 EdgeRouter 时代,使用的是 DNAT + redsocks + charles/mitmproxy 实现的流量劫持和分析,比较麻烦的点是,redsocks的配置文件需要维护,服务需要重启,每次系统升级(虽然好多年没升级了)都需要重装 redsock,所以当时搞了一套初始化脚本,脱离config tree自动安装deb,自动加载配置,自动symlink配置文件。

    换到 VyOS 之后,本来也想搞这一套,被研发打回来了,他们不接受过分灵活的config tree,让我用 container。

    新方案用 hev-socks5-tunnel,直接把流量转给另外一台主机上的mitmproxy。charles proxy也可以用同样的方法配置

    开 mitmweb,方便web看数据

    # NOTE(review): --web-host 0.0.0.0 binds the mitmweb UI on every
    # interface, and the socks5 listener on 8889 is likewise reachable from
    # anywhere the host routes; anyone who can connect sees the captured
    # traffic. Bind to a LAN-only address or firewall both ports.
    mitmweb --web-host 0.0.0.0 --mode socks5 --listen-port 8889

    下列命令创建container,配置PBR

    # Container: hev-socks5-tunnel on the host network stack. It owns the
    # tun9 device (TUN) and relays what is routed into it to the SOCKS5
    # proxy at SOCKS5_ADDR:SOCKS5_PORT — the mitmweb instance above.
    # CONFIG_ROUTES=0 presumably stops the image from installing its own
    # routes, since table 19 below handles routing — confirm against the
    # image's documentation. LOG_LEVEL debug is verbose; lower it once it works.
    set container name tun2socks allow-host-networks
    set container name tun2socks capability 'net-admin'
    set container name tun2socks device dev-net-tun destination '/dev/net/tun'
    set container name tun2socks device dev-net-tun source '/dev/net/tun'
    set container name tun2socks environment CONFIG_ROUTES value '0'
    set container name tun2socks environment IPV4 value '198.51.100.1'
    set container name tun2socks environment LOG_LEVEL value 'debug'
    set container name tun2socks environment MTU value '8500'
    set container name tun2socks environment SOCKS5_ADDR value '192.168.11.19'
    set container name tun2socks environment SOCKS5_PORT value '8889'
    set container name tun2socks environment SOCKS5_UDP_MODE value 'udp'
    set container name tun2socks environment TUN value 'tun9'
    set container name tun2socks image 'ghcr.io/heiher/hev-socks5-tunnel:latest'
    
    
    # Routing table 19 sends everything to tun9; PBR rule 50 puts traffic
    # arriving on eth2 from the SRC_HIJACK_MITMPROXY address group into it.
    set protocols static table 19 description 'route to mitmproxy'
    set protocols static table 19 route 0.0.0.0/0 interface tun9
    
    set policy route PBR   interface 'eth2'
    set policy route PBR rule 50 set table '19'
    set policy route PBR rule 50 source group address-group 'SRC_HIJACK_MITMPROXY'
    
    
    # firewall rules ...

    防火墙规则需要自己搞定,按需NAT。

    nftables 不支持 ipset 那样动态操作成员了,只能在config tree里维护。

    这个方法和以前一样,只能去分析 TCP 协议。如果有 UDP 的需求可以尝试 WireGuard 的方式。

  • VyOS Debug DHCP Server

    Add the following to /usr/share/vyos/templates/dhcp-server/kea-dhcp4.conf.j2, as a node under .Dhcp4

        "loggers": [
          {
            "name": "kea-dhcp4",
            "severity": "DEBUG",
            "debuglevel": 99,
            "output_options": [
              {
                "output": "/var/log/kea/dhcp4.log",
                "maxver": 10
              }
            ]
          },
          {
            "name": "kea-dhcp4.dhcpsrv",
            "severity": "DEBUG",
            "debuglevel": 99,
            "output_options": [
              {
                "output": "/var/log/kea/dhcp4-dhcpsrv.log",
                "maxver": 10
              }
            ]
          },
          {
            "name": "kea-dhcp4.leases",
            "severity": "DEBUG",
            "debuglevel": 99,
            "output_options": [
              {
                "output": "/var/log/kea/dhcp4-leases.log",
                "maxver": 10
              }
            ]
          }
        ],

    Restart VyOS configd

    systemctl restart vyos-configd

    Then change and commit the DHCP server config in configure mode so the edited template is applied.

    The logs are written under /var/log/kea.

  • Protected: IDA Pro 9.0 macOS arm patch


  • Proxmox VE + 海康威视 R1 共享 UPS

    买了个便宜的UPS,想把PVE主机和海康的R1都挂在下边,所以简单折腾一把。

    本来是担心有点麻烦,结果发现海康的UPS已经用了 NUT,那就简单粗暴来了。

    R1 上

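    # Make upsd reachable from the network (by default it only listens on
    # localhost). The grep guard keeps a re-run from appending the same
    # LISTEN line a second time.
    # NOTE(review): 0.0.0.0 accepts connections on every interface; listening
    # on the R1's LAN address instead limits exposure to the local segment.
    grep -qxF 'LISTEN 0.0.0.0 3493' /etc/nut/upsd.conf \
      || printf '%s\n' 'LISTEN 0.0.0.0 3493' >> /etc/nut/upsd.conf
    # upsd comes back on its own shortly after being killed (see below)
    killall upsd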

    过一会儿,upsd会自己重启

    cat /etc/nut/upsd.users 读账号密码

    PVE

    # On the PVE host only the client side is needed: it talks to the upsd
    # running on the R1
    apt install nut-client

    执行

    root@pve6:~# upsc -l 192.168.11.111
    Init SSL without certificate database
    HikUPS
    root@pve6:~# upsc HikUPS@192.168.11.111
    Init SSL without certificate database
    battery.charge: 100
    battery.voltage: 13.50
    battery.voltage.high: 13.00
    battery.voltage.low: 10.40
    battery.voltage.nominal: 12.0
    device.type: ups
    driver.name: nutdrv_qx
    driver.parameter.bus: 001
    driver.parameter.pollfreq: 30
    driver.parameter.pollinterval: 2
    driver.parameter.port: auto
    driver.parameter.product: USB to Serial
    driver.parameter.productid: 5161
    driver.parameter.synchronous: auto
    driver.parameter.vendor: INNO TECH
    driver.parameter.vendorid: 0665
    driver.version: 2.8.0
    driver.version.data: Voltronic-QS 0.07
    driver.version.internal: 0.32
    driver.version.usb: libusb-1.0.26 (API: 0x1000109)
    input.voltage: 224.4
    input.voltage.fault: 224.4
    output.current.nominal: 2.0
    output.frequency: 50.1
    output.frequency.nominal: 50
    output.voltage: 224.4
    output.voltage.nominal: 220
    ups.beeper.status: disabled
    ups.delay.shutdown: 30
    ups.delay.start: 180
    ups.firmware.aux: PM-V
    ups.load: 0
    ups.productid: 5161
    ups.status: OL
    ups.type: offline / line interactive
    ups.vendorid: 0665

    修改配置 /etc/nut/upsmon.conf

    # MONITOR <system> <powervalue> <username> <password> <type>. The
    # username/password pair is the one listed in /etc/nut/upsd.users on the
    # R1; it sits here in clear text, so keep upsmon.conf readable by root only
    MONITOR HikUPS@192.168.11.111 1 hikups Aa123456 master

    密码是写死的

    /etc/nut/nut.conf

    # netclient: this host only runs upsmon against the remote upsd, no local driver
    MODE=netclient

    重启

    # pick up the edited upsmon.conf and nut.conf
    systemctl restart nut-client

  • Protected: IDA Pro 9 Debug iOS Using Remote-iOS Debugger


  • macOS Find Unread Messages by Sender

    # sqlite3 ~/Library/Messages/chat.db

    -- Unread messages per sender, least first. fallback_hash presumably has
    -- the form "<sender>|<rest>"; SUBSTR/INSTR keeps the part before the first
    -- '|'. NOTE(review): when there is no '|', INSTR returns 0, the length
    -- becomes -1 and the row presumably lands in an empty-string sender bucket.
    select SUBSTR(fallback_hash, 1, INSTR(fallback_hash, '|') - 1) AS sender, count(*) as c from message where is_read=0 group by sender order by c;
    
    -- Total number of unread messages
    select count(*) from message where is_read=0;