QWORQS – A blog by Yazeed Almadaeen
If you were on a linux machine, it would be as simple as
ssh -L 5901:localhost:5901 root@192.168.7.119
Just kidding, don’t login as root, it is all just for tunneling, replace root and the IP of my super top secret server with something suitable
On windows, the most popular SSH client is putty, and to do that in putty, follow the following steps
Open putty, then enter the IP address or hostname of the remote machine
For some reason still unknown to me, stack overflow was not opening on my machine !
Not sure if the issue is cloudflare which seems to relevant to stackoverflow
It started opening when i went into settings (about:config), then disabled network.http.http3.enable then opened the website, then re-enabled it, still waiting for it to stop working again for further investigation, but for now, it is working just fine
VNC and RDP are great and all, and for so many purposes, they are the goto solution for remoting into a machine.
Now, another solution which is great (And much better if you have the bandwidth) is to broadcast your screen video and do all the work on the server rather than the client
The solution used to be nvidia’s game stream, which was abandoned by nvidia, the new solution based on nvidia would be the sunshine (Server) and moonlight client
The sunshine+moonlight duo work on almost every platform I need, Windows, Mac, Android, iOS, Even LG TVs running web OS… in short, it is a more universal solution. You can even create a virtual non existent monitor under linux and stream that to a different device !
So, let us start with the server (Sunshine)
Installing sunshine on debian is very easy as a .deb installation file is provided, sunshine is not yet in the debian repositories, but if i understand the license correctly, it can be some time in the future
Now, go to the sunshine website, and download the deb file., in my case, I visit this webpage, and download the sunshine-debian-bookworm-amd64.deb file
Now, from the command prompt, su (to run as root), then cd to the directory where your deb file resides, then “sudo apt install ./sunshine-debian-bookworm-amd64.deb”, We should now have the server running and waiting to be opened in the web browser, Now, on the command line , type “sunshine”
Point a web browser to https://localhost:47990/, ignore the problem with self signed certificates, and set your username and password
Now, your debian computer is running a sunshine server, go to any other machine where you want to install the client (moonlight) from here , and connect to your server by its IP address.
You are done !
Download sunshine on windows from the latest release (As of today, you will fine it here)
Install it like you would any other application, once done, the official help page will show up (this)
once you click finish, a page at https://localhost:47990/welcome will open, asking you to create a password, create one, the default username is sunshine, but you can use whatever you want (In my case, it is my default RDP password)
you are done, you can now access the windows PC from any device with moonlight
you can download moonlight ether from github (Here) or from the official website (https://moonlight-stream.org/),
Hyper-v does not provide USB passthrough, some people use USB redirection from remote desktop RDP… A similar technology might be USB over network, but this does not always work, as many USB devices have very little tolerance for lag ! and this will introduce some lag !
My objective is to connect a MINI-VCI connected on a raspberry PI to a computer running other software to analyze the data, whether this works or not is yet to be seen.
There seems to be a few solutions online, some using generic hardware, and some using specialty hardware
The most diverse of those solutions that can work on everything from a raspberry pi to a windows computer and android phone is (https://www.virtualhere.com/), but I have not yet verified whether this software is USB/IP compatible or not
USB/IP has been built into the linux kernel for some time now, and a couple of solutions for both server and client are available on github, So here I will be investigating what I can do to bridge the Linux Raspberry PI to my windows PC,
USBIP is a protocol where the server is the machine connected to the USB device via wire, and the client is the machine that needs to use the USB device but is not connected to it via USB.
In linux, usbipd is the name of the server, and usbip being the client, In debian, both server and client are included in the usbip package, hence, on the raspberry PI and on the Linux server, we need to run the command
apt-get install usbip
The modules of USB/IP (usbip-core, usb-host, and vhci-hcd) are already included,
We will get to the Windows client after the Linux to Linux section
In the cases we are exploring here, the server is a Raspberry Pi (3), the client is a Windows machine, but there are a couple of things to try first, the Windows clients are KVM virtual machines, we will try
1- The client is the Linux Host machine hosting the windows virtual machines, and the USB port is passed to the virtual machine
OR
2- The Windows client has the USBIP driver directly connecting to the Raspberry PI server
Installing the USB/IP server on the raspberry pi “apt-get install usbip”
First of all, the choice depends on 3 things, or 4 but to me, the fourth is not very important
I personally use more than one registrar, for some TLDs, I use nameCheap, and for the more standard domain TLDs (Like .COM etc…) I used godaddy for a long time, then i switched to a godaddy reseller (PoloDomains), it has the same exact products (and phone support) as godaddy and in my experience this reseller has very persistent prices that are lower than those of godaddy themselves, not to mention that godaddy keeps surprising me with different pricing when the time comes to renew. Again, godaddy is a good registrar that checks all the boxes, but the reseller is more or less just cheaper. other good well known registrars include namesilo.com, google domains (Not recommended as google is selling it to another company), Name.com, domain.com and many others that you can research online…
Some web hosts offer free domain names for as long as you are paying for your hosting, this is not exactly a catch, but it might be, so what I do is decide on a web host through reviews and what have you, and if that web host offers free or cheap domains with their web hosting, then that is where I will get my domain, But mind you, when i make the choice, i subtract 1/12 of the normal domain price (that you would get if you used a separate registrar) from the monthly hosting fee, and then compare the web-hosts with the new discounted price tag, the last thing i want is to get stuck with a bad web host because they offer a free domain, that would be a very bad decision.
The main function of a registrar is to sell you domains and register them with a registry, after registering them, the registrar also informs the registry of what nameservers to use with the domain name. after that, the registrar in it’s strict form has no technical function, up until you either want to renew that domain, or change the nameservers attached to that domain, a web request (from a website visitor for example) does not pass through your registrar.
The above remains true, unless you opt to use one of those free DNS services that are provided by many registrars, in this scenario you are using the registrar’s DNS servers instead of your host’s or a third party, which is not a bad idea depending on the quality of your registrar, godaddy (and it’s resellers) provides a free DNS service that uses anycast ! anycast is a cool internet technology where the user will be using the closest DNS server to them without knowing, effectively cutting down the latency of the DNS request.
First of all, check what ports nginx is currently listening on, you can do that with any of the following commands
netstat -tlpn| grep nginx ss -tlpn| grep nginx
So, you probably found nginx listening to port 443 for SSL connections, and on port 80 for plain http….
On many occasions, you may want other application (Such as varnish or apache) to be listening on port 80, So nginx needs to move to another port, in this example, I am moving it to port 8080
Step 1: Go to sites available, there is the default site, and there are any other sites you added to nginX, open those config files that you will find in /etc/nginx/sites-available, search for 80, and replace it wherever it may occure with 8080 or any port of your choice, restrictions are the following, port numbers under 1024 will requier root privilages (So keep it above 1024), and the maximum port number is 65535, Also port 0 can not be used for http (Relevant to UDP though)
I will here assume you already have a remote Linux machine that you can SSH into with putty, the instructions are simple from this point on
1- Basic putty settings, assuming you have already downloaded putty from chiark.greenend.org.uk, now open putty, enter the IP of the server you wish to tunnel through, and save it with a name, the steps are…
– Open putty,
– enter the IP of your remote machine
– give it a name of your choice
– save (You don’t need to save now, you will save again in a bit, but you can do it anyway)
2- Go to Connection and expand it, then expand SSH, then select Tunnels, this will show a dialogue such as the below, fill in the data as follows
3- From the menu on the left, go back to Session, and click the save button again (So that the new tunnel settings are saved for next time)
4- You are almost done, Now double click the saved session name or select it and hit open, the remote machine should now prompt you to enter a username and a password, once you enter those, you have a tunnel ready on your localhost (127.0.0.1) on port 8081, next we will setup Firefox to use that tunnel
1- Go to firefox settings (Click the accordion menu to the right, and chose settings), once open, scroll down under general, until you find the Network Settings section, click the settings button in that section
Clicking settings above will show the following popup dialogue, setup your system as follows
Now, to verify that you are conencted to the remote machine, google the following
what is my ip
and google should tell you what your IP address is, at this stage, it should be the same as the remote machine’s IP (Not yours)
Let’s encrypt is a Certificate Authority (CA) run by Internet Security Research Group (ISRG), and is sponsored by some of the biggest name in the web industry
You are probably here to create a certificate, not get a history lesson ! so Let me cut the chase, for those who want to know more, there is always wikipedia (Let’s encrypt on Wikipedia)
So let’s encrypt provides certificates for domain names, including wildcard certificates (Which I will get to by the end of this article), What we are going through here is the manual process, which serves to give you a taste of how things work, in practice, you are encouraged to use on of the automated methods for multiple reasons, one compelling such reason is that Let’s encrypt issues certificates valid for three months only ! You don’t want to have to cater to your certificate every three months do you ?
To simplify things, I will create a step by step video to demonstrate the creation process ! and post it here, but for now, I will simply take you through the steps, in this tutorial, all you need is SSH access to any server including one you have at home ! or even maybe a virtual machine running Linux inside your windows computer, anything goes, once you have a certificate, you can move it to your production server, this allows me to keep this as general as possible, and this is done using the –manual option, So without further ado, let me get to it
1- login to a linux server and install certbot, the tool that allows you to get certificates from let’s encrypt, On the official website, they promote the use of SNAP, here, I will skip snap and use Debian’s repository ! simpler and there is no need to get into snap
apt install certbot
Now that you have certbot, let us create a certificate for the domain example.com (replace it with your own)
certbot certonly --manual --preferred-challenges http
The –preferred-challenges directive allows you to specify what challenge (http or dns) you would like to perform, the manual plugin is basically the same as webroot plugin but not automated, which is a hassle to keep up to date as this form of issuance needs to be renewed manually every 3 months, (You can take extra steps to automate this) which i will describe later on another post to keep things tidy
Now, as soon as you enter the above, you will enter an interactive dialogue with the following steps
Note: If you want to create a wildcard certificate for your domain name, let’s encrypt allows the use of the * wildcard, but only supports DNS challenge, so the command must reflect that, So when asked for a domain, simply enter *.example.com (or -d ‘*.example.com’), should work normally
As soon as you are in, you will be asked 1- An email for notifications 2- Do you agree to the terms of service ? 3- Would you like to subscribe to the newsletter ? 4- enter your domain names (you should enter both example.com and www.example.com separated by either a comma or a space) 5- Create a file containing just this data: Pg1xJ.........-88 And make it available on your web server at this URL: http://example.com/.well-known/acme-challenge/Pg1...........xuu_0 6- Now you need to create the 2 challenge files, one for exmaple.com and the other for WWW.example.com Create a file containing just this data: Ud4m81x..............zupbWEz-88 And make it available on your web server at this URL: http://www.example.com/.well-known/acme-challenge/Ud4........550 (This must be set up in addition to the previous challenges; do not remove, replace, or undo the previous challenge tasks yet.) -------------------------- IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/example.com/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/example.com/privkey.pem Your certificate will expire on 2023-03-11. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew *all* of your certificates, run "certbot renew" - If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le
At this stage, there are things you should remain aware of
1- DO NOT RENAME OR MOVE THE CERTIFICATES, they need to be in place for renewal if you decide to not automate and check on your certificates every 3 months.
2- Copy (Don’t move) them to the ssl directory, and add them to your config files, the only files you will need to include in your nginx or apache2 config are as follows
For apache 2, you need to use the following 2 lines, modify the path to the files to wherever you have placed them
SSLCertificateFile /etc/apache2/ssl/example.com/fullchain.pem
SSLCertificateKeyFile /etc/apache2/ssl/example.com/privkey.key
And for nginx
ssl_certificate /etc/nginx/ssl/allspots.com/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/allspots.com/privkey.pem;
So, restart apache or nginx, and you should be able to see the certificate in action, so this is the simplest way to use let’s encrypt, in my next post, I will
Now, after 3 months, the simplest way to renew the certificate is to issue the command
certbot certonly --force-renew -d example.com www.example.com
This tutorial is done on a debian 11 system… it should work for wildcard (For all subdomains under a domain), but also for subdomains or the primary domain, obviously, all you need to do is replace the * which denotes wildcard with the subdomain of your choice, so *.qworqs.com is wildcard, yazeed.qworqs.com is a subdomain 😉 so let us get started
Let’s encrypt has certainly revolutionized the world of SSL certificates (By making them free), but when it comes to wildcard certificates, let’s encrypt will require more than just generating the certificate, it will require a system that automatically alters DNS at your registrar, and differs from registrar to registrar.
So while I am developing, and need a wildcard SSL, I can simply generate a self signed wildcard security certificate, and teach my browser to accept it, and that is that, so here is how to generate that certificate !
So let us get started, first let us create a public and private key in one go, and a folder to store them !
cd /etc/ssl sudo mkdir qworqs.com sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/qworqs.com/wildcard-ss.key -out /etc/ssl/qworqs.com/wildcard-ss.crt
I will personally skip selecting a strong Diffie-Hellman group… this file though goes somewhere else in the nginx directory, and can be generated like the following, but again, I don’t need it atm.
sudo openssl dhparam -out /etc/nginx/dhparam.pem 4096
Now you are done with creating everything you need, the next step is to install them into your nginx configuration
So all you need is to add the following 2 lines into your server section within the website config file 😉
ssl_certificate /etc/ssl/qworqs.com/wildcard-ss.crt;
ssl_certificate_key /etc/ssl/qworqs.com/wildcard-ss.key;
Now all you need is to restart nginx, and you should get a warning in your browser, I accept the warning, then make it permanent in firefox from the settings
Settings -> Privacy & Security -> Security -> Certificates -> View Certificates... -> Servers Then switch it from temporary to permanent
And that’s that
What services are listening on what ports ?
netstat -tunlp
or the all new ss which shares the same command options
ss -tunlpfor a better view of the files ! (Depending on your setup, you might be able to know which php script is generating outgoing traffic)
lsof -nP -iTCP -sTCP:LISTEN