ACME Systems Arietta G25 bootstrap

I’m using the ACME Systems Arietta G25 256MB model for a project I’m working on, but their website only provides a bootstrap for the 128MB version. Let’s build a bootstrap for the 256MB version.

The instructions on their website are for Ubuntu 13.10, but I run Debian so these instructions are for Debian 7.

As per their instructions you need to enable the emdebian repository:

user@debian7:~$ sudo -i
root@debian7:~# apt-get install emdebian-archive-keyring
root@debian7:~# echo "deb http://www.emdebian.org/debian/ squeeze main" > /etc/apt/sources.list.d/emdebian.list
root@debian7:~# echo "deb http://ftp.us.debian.org/debian/ squeeze main" >> /etc/apt/sources.list.d/emdebian.list

Even though I’m running Wheezy the repositories in /etc/apt/sources.list.d/emdebian.list are for squeeze. This is necessary due to unavailable packages on Wheezy which are present in squeeze. Please see the Emdebian page for an explanation.

user@debian7:~$ sudo apt-get install libc6-armel-cross libc6-dev-armel-cross binutils-arm-linux-gnueabi u-boot-tools libncurses5-dev gcc-4.4-arm-linux-gnueabi cpp-4.4-arm-linux-gnueabi g++-4.4-arm-linux-gnueabi

Clone the bootloader from ACME Systems:

user@debian7:~$ git clone git://github.com/linux4sam/at91bootstrap.git
user@debian7:~$ cd at91bootstrap
user@debian7:~/at91bootstrap$ git checkout origin/at91bootstrap-3.x -b at91bootstrap-3.x
user@debian7:~/at91bootstrap$ wget http://www.acmesystems.it/www/compile_at91bootstrap/acme.patch -O acme.patch
user@debian7:~/at91bootstrap$ patch -p1 < acme.patch
user@debian7:~/at91bootstrap$ make mrproper
user@debian7:~/at91bootstrap$ make acme_ariettasd_linux_zimage_dt_defconfig
user@debian7:~/at91bootstrap$ wget https://watchmysys.com/blog/wp-content/uploads/2014/07/256mb.patch_.txt -O 256mb.patch
user@debian7:~/at91bootstrap$ patch -p1 < 256mb.patch
user@debian7:~/at91bootstrap$ make CROSS_COMPILE=arm-linux-gnueabi-

Now copy the generated zimage to the boot partition on the sdcard (/dev/sdX1, mounted here at /tmp/arietta/boot):

user@debian7:~/at91bootstrap$ sudo cp binaries/acme_arietta-sdcardboot-linux-zimage-dt-3.6.2.bin /tmp/arietta/boot/boot.bin

Boot the Arietta G25. You should have 256MB of RAM available now.

The 256mb.patch does two things to the at91bootstrap:

  1. Changes the size of the memory initialized from 128MB (0x8000000) to 256MB (0x10000000)
  2. Changes the kernel command line to mem=256M so the additional memory is utilized by the Linux kernel

If you aren’t interested in setting up a build environment, you can find the 256MB boot.bin: here. WordPress does not allow .bin files, so you will need to rename boot.bin_.zip to “boot.bin” before copying it to the sdcard boot partition.

Additionally if you want to automate building the bootstrap with Jenkins, here is a shell script you can put into a new Jenkins project to automatically build the zimage. You will need to manually install the toolchain (described above).
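The patch-and-build sequence above as an added shell script, not from the original post or from ACME Systems, written the way you would drop it into the Jenkins job just mentioned: each patch downloaded from the web is checked against a SHA-256 digest you pinned after reviewing it, and is dry-run before it is applied. The digest values and the environment variable names are placeholders (assumptions), not values from the post.

```shell
#!/bin/sh
# Added example, not from the original post or ACME Systems: the build steps
# from the post with every downloaded patch verified before "patch -p1".
# Run from inside the at91bootstrap checkout:  sh build.sh build
# ACME_PATCH_SHA256 / MB256_PATCH_SHA256 are assumed environment variables
# holding digests you computed yourself; the defaults below are PLACEHOLDERS.
set -eu

# verify_sha256 FILE EXPECTED_HEX: 0 when the file's SHA-256 equals EXPECTED_HEX
verify_sha256() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# apply_patch_checked DIR PATCHFILE EXPECTED_HEX: refuse a patch whose digest
# does not match, then dry-run it before the real "patch -p1" so a rejected
# hunk never leaves the tree half patched (PATCHFILE is absolute or relative to DIR)
apply_patch_checked() {
    if ! verify_sha256 "$2" "$3"; then
        echo "refusing $2: SHA-256 does not match the pinned value" >&2
        return 1
    fi
    ( cd "$1" && patch -p1 -s --dry-run < "$2" && patch -p1 -s < "$2" )
}

# The post's sequence, with both patches gated on their pinned digests.
build_bootstrap() {
    apply_patch_checked . acme.patch  "${ACME_PATCH_SHA256:-PLACEHOLDER_DIGEST}"
    make mrproper
    make acme_ariettasd_linux_zimage_dt_defconfig
    apply_patch_checked . 256mb.patch "${MB256_PATCH_SHA256:-PLACEHOLDER_DIGEST}"
    make CROSS_COMPILE=arm-linux-gnueabi-
    ls binaries/acme_arietta-sdcardboot-linux-zimage-dt-*.bin
}

if [ "${1:-}" = "build" ]; then
    build_bootstrap
fi
```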

Your company is using Twitter wrong

It’s 2014; if your company sells users a service and doesn’t already have a social media presence then you should stop reading this and fix that. Right now.

Okay, now you have a social media team. However, I would bet that they aren’t helping your brand image when the sh*t hits the fan. I’m going to cite examples of bad and good responses from companies I follow on Twitter:

Recently WIND Mobile (@WINDmobile) suffered from a service interruption on their network. Here’s how they responded to annoyed customers:

WIND Mobile Twitter responses to annoyed users during the service disruption

I’m not sure if this was a Twitter bot posting replies to users, or a CSR who just really likes to copy and paste things. Either way, it provides users with no information whatsoever on the cause of the disruption (i.e., why they’re annoyed and tweeting at WIND Mobile) and it reeks of a form letter beginning with “Dear VALUED CUSTOMER,”

Users want information on a disruption; they don’t want to feel like a wallet that is forced to give your company money every month and only gets form letters in response. The more information you supply to users, the happier they will be. Selfnet e.V. (@Selfnet_eV) is an ISP at a German university. Their Twitter feed is perhaps a little more casual than that of a large corporation, but I think it still provides a good example of what kind of feedback a company should be providing users:

Selfnet eV Twitter response to a service disruption

Teksavvy (@TeksavvyCSR) suffered from a network disruption, and here’s how they dealt with it:

Teksavvy Twitter response to an outage

Notice the difference between the response from Teksavvy and Selfnet e.V., and the response from WINDmobile? Teksavvy made a limited number of replies to people, and posted a link to their website where users could see status updates on the outage. As another user noted, their customer service representatives were also posting updates to Reddit on the progress being made toward restoring service:

UPDATE. Looks like a MUX card issue at 151. Rogers just tried to re-seat it but no luck. They are currently working on alternatives.

My point here isn’t to bash WINDmobile. Service providers have a tough job; users expect the network to be available 100% of the time, and when things aren’t working they quickly become annoyed. But there is a huge difference between giving users canned responses with no details about an outage or the progress toward restoring service, and actively working to update users, even if doing so doesn’t shorten the time to resolution.

If you notice that your company is giving users canned responses, it’s time to re-think how you are approaching social media platforms. Users come to platforms like Twitter and Facebook to get answers; if they wanted canned responses they’d call your customer support line and listen to the phone menu and hold messages that endlessly repeat “Due to higher than normal call volume, all customer service representatives are currently busy. Your call is important to us, please continue to hold.”

I would like to clarify that I am not currently a customer of any of the companies mentioned above. I was formerly a customer of Teksavvy and WINDmobile. I am no longer a customer because I moved out of their service region.

Direct wifi traffic through a VPN with openwrt

I think we probably all know someone who’s received a copyright violation notice. Usually these notices list the user’s IP address, date, and copyrighted file that was shared while demanding some payment or the content owner will take the user to court.

Today we will explore how to set up a wireless access point that automatically tunnels traffic through a VPN, so that you don’t have to worry about the activities of your guests on your network.

Note: If your VPN provider does not push the “redirect-gateway” option then DNS queries from clients will still go through your normal internet connection. This means that activities on the guest wifi are not completely anonymous!

For this I will be using the following:

  • TP-Link WR703N running OpenWRT 12.09 (Attitude Adjustment)
  • 1GB USB key
  • a subscription-based VPN provider

I chose the WR703N mainly because I had one and it is small, has low power consumption, and is quite inexpensive.

There are many instructions for how to install OpenWRT on the WR703N, so I’m not going to discuss that here. Also the choice of VPN providers differs based on your needs and price range. I recommend reading the TorrentFreak articles on VPN providers to find out which one is best for you.

A 1GB USB key is required as the flash on the WR703N is not large enough to hold an OpenWRT installation with luci and openvpn installed. First we need to move the OpenWRT OS from the internal flash to the USB key; this will allow us to install the additional packages required, namely openvpn. I followed these instructions for how to transfer the OS from internal flash to USB. I’ll provide a tl;dr:

  • Partition the USB key with a DOS partition table, make at least one partition of type 82 (Linux)
  • Format this partition as ext4
  • Install block-mount, kmod-usb-core, kmod-usb-ohci, kmod-usb-storage, kmod-usb2, kmod-scsi-core, kmod-scsi-generic, kmod-fs-ext4, libblkid

Plug in the USB key. Check dmesg on the router and you should see that it recognizes the USB key as a block device. Create two temporary folders, one to mount the USB key at and the other to bind mount / at, then copy the root filesystem across:

mkdir -p /tmp/usb /tmp/flash
mount /dev/sda1 /tmp/usb
mount --bind / /tmp/flash
tar -C /tmp/flash -cvf - . | tar -C /tmp/usb -xf -
umount /tmp/flash
umount /tmp/usb

Now that we’ve moved the OpenWRT installation to the USB key we have to configure the router to boot from the USB key instead of internal flash. Edit /etc/config/fstab and change the following:

config mount
     option device /dev/sda1
     option target /home
     option enabled 0

to:

config mount
     option device /dev/sda1
     option target /
     option enabled 1

Now reboot the router; it should boot off the USB key.

Now there is lots of available space

I followed this post for most of the following openvpn configuration. Now go ahead and install the openvpn package:

opkg install openvpn

scp all the .crt, .ovpn and other openvpn configuration files to /etc/openvpn on the router.

You can test openvpn by ssh’ing into the router and running:

openvpn --config myconfig.ovpn

from /etc/openvpn. Assuming that works, now open the luci interface on the router to create a new interface:

  1. Go to the Network tab, click on Interfaces
  2. Create a new interface, I called mine “VPN” and set the protocol to “unmanaged”
  3. Specify tun0 as the network interface for the VPN interface
  4. Under “Advanced Settings” click the “Bring up on boot” checkbox

Now you have a choice, you can either:

  1. add the VPN interface we are in the process of creating above to the WAN zone, in which case a route with the prefix 0.0.0.0/1 will be added, which will supersede the WAN route of 0.0.0.0/0 through longest prefix matching, or
  2. create a firewall zone in luci to ensure that any traffic from LAN is automatically forwarded directly to the VPN, never going to the WAN. This is based on an OpenWrt wiki example.

If you choose the second, then you need to do some additional work in luci:

  1. Go to the Network tab, click on Firewall
  2. Add a new Zone; I called mine “vpn” and set it to Input:accept, Output:accept, Forward:accept
  3. Forward all traffic from the LAN to the vpn zone and vice versa, and remove the WAN zone from the forwarding from the LAN zone.

Your zones should look like this now:

Firewall Zones

Go back to the Interface page and edit the VPN interface. Under the “Firewall Settings” tab change the zone from “wan” to “vpn”. The interface should look like this now:

VPN Interface > Firewall Settings > Assign Firewall Zone “vpn”

There is an airvpn thread full of information on how to ensure that traffic goes from the LAN through the VPN. The above achieves something similar to the iptables rule mentioned in the airvpn thread.

Now that we have the routing all configured, you can go back to openvpn. If the ovpn file has “auth-user-pass” in it, you can create a text file which contains your VPN username on the first line, and your password on the second, and change the ovpn file to have “auth-user-pass credentials.txt” so openvpn will not prompt you for them when it connects.

Next we need to configure openvpn to start at boot:

  1. Go to the System tab, click on Startup
  2. At the bottom in the text box, add the following above “exit 0”
/usr/sbin/openvpn --cd /etc/openvpn --daemon --config /etc/openvpn/myvpn.ovpn &

Now we want to secure the router more. You might have some technically savvy guests who may try to break into the admin interface of your router to reconfigure it.

Before we block access to the management ports from the “bad” (guest-facing) side, we need to ensure that we don’t lock ourselves out of the router. Go to the Network tab, click on Firewall, click on “Port Forwards”, and add new rules to forward SSH (TCP 22), HTTP (TCP 80), and HTTPS (TCP 443) from WAN to the IP address of your router, in my case 192.168.1.1. Make absolutely sure you can access these ports from the WAN interface (your home LAN) before you do the following!

Now, go to the Network tab, click on Firewall, click on “Custom Rules” and add these rules in the space provided:

iptables -I zone_lan_ACCEPT 1 -p tcp -i wlan0 --dport 22 -j DROP
iptables -I zone_lan_ACCEPT 1 -p tcp -i wlan0 --dport 80 -j DROP
iptables -I zone_lan_ACCEPT 1 -p tcp -i wlan0 --dport 443 -j DROP

This blocks your wireless clients from accessing ports 22, 80, and 443 on the router, which means if they try to go to the luci interface or SSH into the router from the wireless side, they can’t! You need to restart the firewall for these changes to take effect.
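An added audit script, not from the original post, that checks a router's exported state for the two properties this setup relies on: the management-port DROP rules sitting ahead of any ACCEPT in zone_lan_ACCEPT (which is what inserting at position 1 gives you), and the 0.0.0.0/1 and 128.0.0.0/1 routes that redirect-gateway def1 installs via tun0. The chain and interface names are taken from the post; the sample rule and route lines inside the script are constructed, not captured from a real router.

```shell
#!/bin/sh
# Added audit example (not from the original post). On the router run:
#   iptables -S > /tmp/rules; ip route > /tmp/routes; sh audit.sh /tmp/rules /tmp/routes
# With no arguments it runs against the constructed sample lines at the bottom.
set -eu

# mgmt_blocked RULES IFACE PORT: true when a "-i IFACE ... --dport PORT -j DROP"
# rule sits in zone_lan_ACCEPT *before* any ACCEPT rule of that chain, which is
# what "iptables -I zone_lan_ACCEPT 1 ..." gives you and an appended rule would not.
mgmt_blocked() {
    awk -v iface="$2" -v port="$3" '
        $1 == "-A" && $2 == "zone_lan_ACCEPT" {
            if (index($0, "-j ACCEPT")) accept_seen = 1
            if (!accept_seen && index($0, "-i " iface " ") &&
                index($0, "--dport " port " ") && index($0, "-j DROP")) found = 1
        }
        END { exit found ? 0 : 1 }' "$1"
}

# all_mgmt_blocked RULES IFACE: the three management ports named in the post
all_mgmt_blocked() {
    for port in 22 80 443; do
        mgmt_blocked "$1" "$2" "$port" || { echo "port $port open from $2" >&2; return 1; }
    done
}

# vpn_routes_present ROUTES DEV: both half-routes that redirect-gateway def1
# installs must point at the tunnel device, otherwise half the internet leaks
vpn_routes_present() {
    grep -q "^0\.0\.0\.0/1 .*dev $2" "$1" && grep -q "^128\.0\.0\.0/1 .*dev $2" "$1"
}

# Constructed sample state (not captured from a real router) for a stand-alone run.
if [ $# -eq 0 ]; then
    tmp=$(mktemp -d)
    printf '%s\n' \
        '-A zone_lan_ACCEPT -i wlan0 -p tcp -m tcp --dport 443 -j DROP' \
        '-A zone_lan_ACCEPT -i wlan0 -p tcp -m tcp --dport 80 -j DROP' \
        '-A zone_lan_ACCEPT -i wlan0 -p tcp -m tcp --dport 22 -j DROP' \
        '-A zone_lan_ACCEPT -i br-lan -j ACCEPT' > "$tmp/rules"
    printf '%s\n' '0.0.0.0/1 via 10.8.0.5 dev tun0' \
        '128.0.0.0/1 via 10.8.0.5 dev tun0' \
        'default via 192.168.1.254 dev eth0' > "$tmp/routes"
    set -- "$tmp/rules" "$tmp/routes"
fi
all_mgmt_blocked "$1" wlan0 && echo "OK: ports 22/80/443 blocked from wlan0"
vpn_routes_present "$2" tun0 && echo "OK: VPN half-routes present on tun0"
```

Those two routes disappear together with tun0 when the tunnel drops, so the first option above (VPN interface in the WAN zone) silently falls back to the WAN route; only the separate “vpn” zone gives the fail-closed behaviour described in the summary.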

The performance appears to be quite good. I am not sure precisely what the speed of my internet connection here is, but I was able to get over 6MBit/s down using the VPN and the speedof.me speed testing service, which seems very good.

That’s it. I recommend rebooting the router to make sure everything you did will survive a power cycle. IANAL but this solution should allow you to avoid any legal ramifications for the activities of guests on your IP address since they’ll be using a VPN and have a different termination IP address.

So, in summary:

  1. All traffic from wireless clients will be directed through the VPN; if the VPN is down, wireless clients will not have internet, nor will they have access to your network
  2. Wireless clients are considered hostile, and as such are blocked from accessing ports 22, 80, and 443 on the router to prevent break-in attempts.