James' Tech Blog

Tag: Remote Admin

Shell and PHP script for dynamic IP address

by on Dec.05, 2009, under Remote Admin

This is the second post in the series “Remote admin your mama’s gentoo boxen”. In this post I will be going over how I am going to handle the “dynamic” IP address on the WAN of my router. I say “dynamic” because I’m not really sure how dynamic it is. It’s likely only dynamic in the way that Comcast could give it to someone else (like if they wanted to pay for it) and there’s nothing I could do about it (unless I told them I would pay more for it!).

You probably just said to yourself, “DyDNS! Don’t they have services for that already?” The answer is yeah, they do, if you want your router to have a URL and probably be poked at more. Oh and dydns has sent me emails before about my IP not being “dynamic enough” and that I should “use static registration!” Besides, this way I can encrypt my IP not only when I update it, but when the client retrieves it. Not to mention client authentication.

Here is the scheme:

Router runs ash script reporting IP to remote server

Server does its thing and records IP

Client runs bash script getting IP from remote server

From there the client knows the router IP and can connect with reverse SSH.

Here comes some code. I would have preferred to write this in PERL but my router doesn’t have PERL! Also, fewer dependencies on the client. Everyone has a shell. I decided to send the IP as hexadecimal without separators. As I’m not really proficient at shell scripts I looked up how to convert IPs to hex: http://blog.mecworks.com/articles/2007/07/05/bash-scripting-tip-convert-ip-address-to-hex/ I did some fun stuff for the client. It probably looks horrible, but it should work.

First up is the router script:


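#!/bin/sh
# Report the router's WAN IP to the remote PHP page; retry every 5 s until it answers "0".
SUCCESS=1
# Quoted string test: an empty reply (wget failed) also counts as "not yet successful".
while [ "$SUCCESS" != "0" ]
do
    # The second line of ifconfig output carries "inet addr:A.B.C.D"; field 4 is the address.
    RTR_IP=`ifconfig eth0.1 | awk -F "[: ]+" 'NR==2 {print $4}'`
    # Four octets -> 8 hex digits, no separators.
    UPDATE_IP=`printf '%02X' ${RTR_IP//./ }; echo`
    SUCCESS=`wget -q -O - "http://www.ultravstudios.com/myphpscript.php?update=$UPDATE_IP"`
    sleep 5
done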

I’ll break it down for y’all. It loops until it works. We use ifconfig to get the IP of the WAN interface (eth0.1), use printf to turn it into 8-character hexadecimal, and send it to the special secret PHP page. The PHP page will return 0 on success and 1 on error. Next is the client side:


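#!/bin/bash
# Fetch the stored 8-hex-digit IP from the PHP page.
GET_IP=`wget -q -O - "http://www.ultravstudios.com/myphpscript.php?get=0"`
# printf reuses the "%d." format for each hex byte, giving "A.B.C.D."
K=`printf "%d." "0x${GET_IP:0:2}" "0x${GET_IP:2:2}" "0x${GET_IP:4:2}" "0x${GET_IP:6:2}"`
# Chop the trailing period.
RTR_IP=${K%.}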

So this one’s really easy.  Get the value from the special secret PHP page. Turn it back to decimal with period separators. Chop the last period off. Okay, so that’s just the part to retrieve the IP. Next is my PHP code for the remote server. It seems like WordPress doesn’t like me adding php tags?!


$filename = "supersecretfilename";
//open file and get old ip
$file = fopen($filename, 'r');
$old_ip = fgets($file);
//isset() avoids undefined-index warnings when a parameter is absent
if (isset($_REQUEST['get']) && $_REQUEST['get'] == "0") {//the client does want the ip
    print $old_ip;
    fclose($file);
    return;
}
//so the rest means that the client does not want ip
if (!isset($_REQUEST['update']) || $_REQUEST['update'] == "") {//there is no data
    fclose($file);
    print "1"; //tell client there was error
}
elseif ($_REQUEST['update'] == $old_ip) {
    //there was no update close file and return
    fclose($file);
    print "0";
    return;
}
else {//ip is new
    fclose($file);
    $file2 = fopen($filename, 'w');
    fwrite($file2, $_REQUEST['update']);
    fclose($file2);
    print "0";
}

Apparently I comment my php code more than my bash! So it’s pretty dumb right now. There is no authentication, no encryption, very few fail-safes. If my router is somehow having problems updating the IP, like the script doesn’t work, it will try forever until it works. I assure you, this is just the beginning, a quick hack to get things rolling.
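One of the missing fail-safes, as an added example that is not part of the original post: the PHP page stores whatever arrives in `update`, and the client feeds whatever it fetches into printf and then treats the result as the router address, so both ends should accept only the exact 8-hex-digit format. The function names `ip_to_hex` and `hex_to_ip` are hypothetical, the sample replies are constructed, and 203.0.113.7 is a documentation address.

```shell
#!/bin/sh
# Added example (not the post's code): strict checks around the 8-hex-digit IP format.

# ip_to_hex A.B.C.D -> 8 uppercase hex digits; returns 1 on anything malformed.
ip_to_hex() {
    case "$1" in ''|*[!0-9.]*) return 1 ;; esac
    rest="$1."; hex=''
    for n in 1 2 3 4; do
        octet=${rest%%.*}; rest=${rest#*.}
        # Reject empty octets, leading zeros (printf would read them as octal), 4+ digits.
        case "$octet" in ''|0?*|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
        hex="$hex$(printf '%02X' "$octet")"
    done
    [ -z "$rest" ] || return 1        # more than four octets
    printf '%s\n' "$hex"
}

# hex_to_ip XXXXXXXX -> dotted quad; returns 1 unless input is exactly 8 hex digits,
# so an empty reply (failed wget) or an HTML error page never reaches ssh.
hex_to_ip() {
    case "$1" in *[!0-9A-Fa-f]*) return 1 ;; esac
    [ "${#1}" -eq 8 ] || return 1
    rest=$1; ip=''
    while [ -n "$rest" ]; do
        tail=${rest#??}; byte=${rest%"$tail"}; rest=$tail
        ip="$ip${ip:+.}$(printf '%d' "0x$byte")"
    done
    printf '%s\n' "$ip"
}

# Constructed sample replies: one valid, then empty, an error page, and a short value.
for sample in CB007107 '' '<html>error</html>' CB0071; do
    if addr=$(hex_to_ip "$sample"); then
        echo "accept '$sample' -> $addr"
    else
        echo "reject '$sample'"
    fi
done
```

Both functions use only POSIX parameter expansion, so the same file can be sourced by the router's ash script and the client's bash script.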

Remote admin for your mama’s Gentoo Boxen

by on Dec.02, 2009, under Remote Admin

So a couple years ago before I moved to NorCal I set up a computer for my mother. I did it with the intention that she would be able to use the webcam to communicate with my sister/nephew/niece in NorCal. I tried Ubuntu and got nowhere cause it just didn’t work. So I said screw it, I’ll throw Gentoo on it. It works great, but it’s hard to admin 2000 miles away. A year ago I did the big ‘emerge -avu world’; it took a couple days.

Long story short, my brother said the other day he’s going to set up a WinXP boxen for her! WinXP, are you kidding? So she can use Skype? You know Linux Skype does video, right? Well I can fix that! And my mama’s Gentoo box! I have a pretty good scheme for how to do it with _minimal_ help from anyone actually in front of the machine.

Here’s the scheme:

Mama boxen gets IP addy for my router

Mama boxen reverse ssh into my router

I ssh into Mama boxen through router. Point-to-point encryption! Secure tunnel through 2 NATs and at least 4 firewalls!

I start fixing stuff (I’m going to set up a change-root on my machine so that I can build packages for her and just send binaries instead of having Mama boxen compile everything, well maybe the kernel)

Get VPN to my router, Skype, TightVNC, etc running so that I can kick more ass with remote admin.

Tell my brothers not to worry about Mama boxen!

First I set up my router (an important aside: my WRT54GS is running OpenWrt Kamikaze 8.09) to accept keys for ssh connections, so that the shell script can run without password input. I added a user to /etc/passwd and /etc/groups and put my new key into its .ssh/authorized_keys. Next I need to open up the firewall to allow connection to dropbear over WAN. I’m going to wait till I actually need that though.

Moving forward: I am going to have a script to update a special PHP script (on this website) with my public IP every so often. Then make a script to get the public IP from special PHP script and open reverse ssh tunnel with router using new user.

Once that’s done I will be able to ssh into Mama boxen through router and it should be pretty straightforward from there. Kernel updates are worrying me, but GRUB can have if/then, file exists kinda stuff so I should be able to work something out for that. Stay tuned for more and a lot more specifics.
