Update FreeDNS with PowerShell and Task Scheduler

After my long-loved Raspberry Pi died I needed a new way to update my dynamic DNS. I recently discovered the Invoke-WebRequest cmdlet, which lets you send an HTTP(S) request and parse pretty much whatever you get in return. My use for this is to keep my site-to-site VPN up and running.

# Script to update FreeDNS and log the output.

# Change $LogPath to the desired log location and $Uri to your Direct or Token URL from FreeDNS.
# The URL contains your update token, so treat this file as a secret: restrict who can read it
# (for example with icacls) and, if FreeDNS offers your Direct URL over HTTPS, use that so the
# token is not sent in clear text.
$LogPath = "C:\Scripts\Update-FreeDNS.log"
$Uri = "http://sync.afraid.org/u/your_token/"

# No need to change these.
# -UseBasicParsing skips the Internet Explorer parsing engine, which is not available in a
# non-interactive scheduled task and otherwise makes Invoke-WebRequest fail there.
try {
    $Content = (Invoke-WebRequest -Uri $Uri -UseBasicParsing).Content.Trim()
} catch {
    $Content = "ERROR: $($_.Exception.Message)"
}

# One line per run: timestamp, a space, then the FreeDNS response (or the error).
Add-Content -Path $LogPath -Value "$(Get-Date) $Content"

Your log file will look something like this:

12.11.2019 16.03.44 No IP change detected for your.dyn.dns with IP 37.12.34.56, skipping update
12.11.2019 17.00.22 No IP change detected for your.dyn.dns with IP 37.12.34.56, skipping update
12.11.2019 18.00.18 No IP change detected for your.dyn.dns with IP 37.12.34.56, skipping update

Save the script (and let it write its log) somewhere that makes sense, for example C:\Scripts.

  • Open Task Scheduler, select Task Scheduler Library on the left and click Create Task on the right.
  • Name the task Update-FreeDNS or something else descriptive.
  • You have to check “Run whether user is logged on or not”. Task Scheduler then stores the credentials of the account the task runs as, so if you do not want your own credentials stored, create a dedicated standard (non-administrator) user and run the task as that user. Make sure that user can read the script, since it contains your FreeDNS token, and can write to the log file.
  • On the Triggers tab create a schedule that suits your needs. I use every hour, but this is entirely up to you.
  • Under Actions click New and enter the following (-File runs the script as a script rather than a command, and -ExecutionPolicy Bypass applies to this process only, in case your execution policy would otherwise block it):
Program/script: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Add arguments: -NoProfile -NonInteractive -ExecutionPolicy Bypass -File "C:\Scripts\Update-FreeDNS.ps1"
  • At this point the necessities are done, but feel free to click around to see if any of the other options are to your taste.
  • Click OK and you will be asked for the password of the account the task runs as.
  • Run the task on demand and check the result in the log file.
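The same procedure, done from an elevated PowerShell prompt instead of the Task Scheduler GUI, as an added example that is not part of the original post. It also locks down the script file that holds the FreeDNS token. The script path, log path and the dedicated local user svc-freedns are assumptions; the user must already exist.

```powershell
# Added example (not from the original post): register the hourly FreeDNS task from
# PowerShell and restrict access to the script that contains the update token.
# Assumptions: the script is C:\Scripts\Update-FreeDNS.ps1 and a dedicated standard
# (non-admin) local user named svc-freedns already exists. Run this elevated.

$ScriptPath = 'C:\Scripts\Update-FreeDNS.ps1'
$LogPath    = 'C:\Scripts\Update-FreeDNS.log'
$TaskName   = 'Update-FreeDNS'
$RunAs      = "$env:COMPUTERNAME\svc-freedns"   # assumed dedicated, least-privilege account

# The script holds the token: drop inherited ACEs and grant read access only to
# SYSTEM, Administrators and the task account.
icacls $ScriptPath /inheritance:r /grant:r 'SYSTEM:(R)' 'Administrators:(F)' "${RunAs}:(R)" | Out-Null

# The task account needs to append to the log, so create it and grant Modify on it.
if (-not (Test-Path $LogPath)) { New-Item -ItemType File -Path $LogPath | Out-Null }
icacls $LogPath /grant "${RunAs}:(M)" | Out-Null

# Action: the same program/arguments as in the GUI steps above. -NoProfile and
# -NonInteractive keep the task from hanging on prompts; -ExecutionPolicy Bypass is
# scoped to this one process.
$PowerShell = "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe"
$Action = New-ScheduledTaskAction -Execute $PowerShell `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$ScriptPath`""

# Trigger: start now and repeat every hour, indefinitely (the interval used in the post).
$Trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Hours 1)

# Kill a run that hangs on the HTTP request after five minutes, never stack instances,
# and catch up if a start was missed because the machine was off.
$Settings = New-ScheduledTaskSettingsSet -StartWhenAvailable `
    -ExecutionTimeLimit (New-TimeSpan -Minutes 5) -MultipleInstances IgnoreNew

# Registering with -User/-Password is the equivalent of "Run whether user is logged on
# or not": Task Scheduler stores this credential, which is why a dedicated low-privilege
# account is used instead of your own. -RunLevel Limited means no elevation.
$Cred = Get-Credential -UserName $RunAs -Message 'Password for the task account'
Register-ScheduledTask -TaskName $TaskName -Action $Action -Trigger $Trigger -Settings $Settings `
    -User $RunAs -Password $Cred.GetNetworkCredential().Password -RunLevel Limited | Out-Null

# Run it once on demand and show the newest log lines.
Start-ScheduledTask -TaskName $TaskName
Start-Sleep -Seconds 15
Get-Content -Path $LogPath -Tail 3
```

If the log shows an error instead of a FreeDNS response, the usual causes are the task account lacking read access to the script or the IE-engine problem the -UseBasicParsing switch in the script avoids.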

As always, ask if anything is unclear.

How to safely clean up WinSxS

Windows Update may on some occasions not clean up after itself. The fastest and safest way to do so is to run the following from an elevated command prompt.

C:\>Dism.exe /online /Cleanup-Image /StartComponentCleanup

Leave out the /ResetBase option unless you are sure you want it: it removes every superseded version of every component, after which installed updates can no longer be uninstalled. /StartComponentCleanup on its own keeps that possibility.

For more options and documentation you can read the source here:
https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/clean-up-the-winsxs-folder

Sophos UTM

Yes! I have been looking forward to this one. In the following weeks I intend to publish a series of informative guides on Sophos UTM. My experience with XG is limited, but I have over five years of day-to-day experience configuring the UTM.

My latest buy for the lab is a Sophos SG 330, which I plan to get working with a Home License. Let's see how it goes.

To be continued…

I have attached the brochures here for anyone to read; great reading.

Sophos SG Rev. 1

Sophos SG Rev. 2

Sophos SG Rev. 3

Sophos XG Rev. 3

Using the UniFi line as wlan controller part two

As I started to use the new setup, I realised more and more that I needed access to my lab (beyond plain RDP), especially from my laptop and phone. I tried several ways to solve this. Without any knowledge of the USG I had to trial-and-error for some time before I found a reasonable solution.

The best option would be a site-to-site IPsec tunnel so that all my old rules could be reused, but I could not get that working whatever I did. The USG still routed the traffic to the lab through the WAN and not through the tunnel. So next up was plain static routes, which is somewhat successful.

But, and this is a big one: since the UniFi Controller does not expose any NAT rules in the UI there is no way (yes there is) to disable masquerading when a packet leaves the WAN interface. I have read by now that there are ways to add rules manually, but I feel that is for next time.

I read up on this article about how the firewall in the USG works (IN/OUT/LOCAL), made all the necessary rules and finished with a deny rule for the rest. At the lab end there is simply an allow rule for the USG's address. I found posts from Ubnt officials back in 2017 saying NAT will be exposed in the Controller any time. We'll see. For now this is OK.

Please feel free to tell me if there is anything I should do differently about this setup (or anything else).

Install Nginx Proxy Manager (npm)

As I struggled with this myself, I shall help others.

Nginx Proxy Manager is a clever and powerful GUI for managing Nginx. It helps you create proxy hosts, redirects and certificates, and lets you control these options very smoothly.

I started with a plain install of Ubuntu Server 18.04 LTS and selected Docker during the install. The following commands will bring all the software up to date and clean up afterwards.

sudo -s
apt update
apt upgrade
reboot
sudo -s
apt autoremove

Then it is time for NPM.

sudo -s
mkdir npm
cd npm

At this point I know you can clone or pull the repository from Git, but I was eager to run this tool with the knowledge I had in the fastest possible way. So I used the example files and got going.

touch config.json
touch docker-compose.yml

Your npm-folder should look like this.

root@docker:~/npm# ls
config.json docker-compose.yml

Edit these settings to your liking (or don't) and paste them in accordingly. The database password in config.json must match MYSQL_PASSWORD in docker-compose.yml; pick something other than the sample value "npm" for both.

config.json

{
  "database": {
    "engine": "mysql",
    "host": "db",
    "name": "npm",
    "user": "npm",
    "password": "npm",
    "port": 3306
  }
}

docker-compose.yml

version: "3"
services:
  app:
    image: jc21/nginx-proxy-manager:latest   # consider pinning a version tag for predictable upgrades
    restart: always
    ports:
      - 80:80      # HTTP for the proxied sites
      - 81:81      # admin UI: keep this off the public Internet (host firewall or a trusted VLAN only)
      - 443:443    # HTTPS for the proxied sites
    volumes:
      - ./config.json:/app/config/production.json
      - ./data:/data
      - ./letsencrypt:/etc/letsencrypt
    depends_on:
      - db
    environment:
      # if you want pretty colors in your docker logs:
      - FORCE_COLOR=1
  db:
    image: mariadb:latest
    restart: always
    # No "ports:" entry, so the database is only reachable from the compose network.
    # Still replace these sample passwords; MYSQL_PASSWORD must match "password" in config.json.
    environment:
      MYSQL_ROOT_PASSWORD: "npm"
      MYSQL_DATABASE: "npm"
      MYSQL_USER: "npm"
      MYSQL_PASSWORD: "npm"
    volumes:
      - ./data/mysql:/var/lib/mysql

While still in the directory, run docker-compose to pull the images and start the containers.

docker-compose up -d

After a minute or two you should have a fully working manager for Nginx. Find your login at http://ip.or.name:81.

The default admin is
un: admin@example.com
pw: changeme

Change the admin e-mail and password the first time you log in, before you expose anything through the proxy, since port 81 is the management plane for everything behind it.

Please go read more at the developers site – https://github.com/jc21/nginx-proxy-manager – all credit goes to him.

Using the UniFi line as wlan controller

Ever since IoT started to be a thing it has eaten up my IPs from the free 50 of the Sophos UTM Home license. Since I am currently somewhat invested in its features, going away from the UTM is not an option at this time.

After some back and forth I decided to use an old trick: NAT. Simply put, a new firewall behind a dedicated NIC on the UTM. Very few, if any, of my devices actually need to talk to my lab, so all their traffic is routed to the WAN.

What I bought:

  • USG-PRO-4
  • UAP-NANOHD

The UniFi controller is deployed on an Ubuntu 16.04 VM with this install script. The reason for 16.04 LTS is that it is the last version SCVMM 2012 R2 will recognise. I have successfully deployed 18.04 too, but it is not known to the VMM.

To be continued.

Landscape 18.03 on Ubuntu 16.04 LTS

Install on-prem and add clients

install landscape-server

Before installing anything, check /etc/hosts and set your FQDN to whatever you want the server to answer to. Use only lower case, or Landscape may give errors.

sudo add-apt-repository ppa:landscape/18.03
sudo apt-get update
sudo apt-get install landscape-server-quickstart

install landscape-clients

sudo apt-get update
sudo apt-get install landscape-client

install cert

To register other computers, they need to trust the server. Copy the server's CA certificate to each client and point the client configuration at it:

sudo scp user@landscape:/etc/ssl/certs/landscape_server_ca.crt /etc/landscape/server.pem

Then open the client configuration (sudo nano /etc/landscape/client.conf) and set:
ssl_public_key = /etc/landscape/server.pem

register client

The following command will guide you through the registration (replace the computer title and URLs with your own):

sudo landscape-config --computer-title "webserver" --account-name standalone --url https://landscape.agurk.net/message-system --ping-url http://landscape.agurk.net/ping

The last step is to accept the registrations in https://landscape

https://help.landscape.canonical.com/
https://help.landscape.canonical.com/LDS/QuickstartDeployment18.03

Altibox – Using your own router

Update, autumn 2019: Thank you for visiting the page. This post gets a great many hits, so there is clearly a demand for using your own equipment. Feel free to get in touch if anything in the text is unclear, and I will help as best I can. See the bottom for a comment on the new UHD TV boxes.

Like many others with Altibox I was curious whether it is possible to bypass the home gateway (hjemmesentral). I was issued a Zyxel P2812ac home gateway and a HET-3012 media converter. To avoid sources of error I wanted to remove the home gateway, which was in bridge mode anyway.

Depending on where your media converter (fibre to Ethernet) is located, you need at least one switch with VLAN support. The idea is to create a trunk port that receives the Altibox VLANs and distributes them correctly indoors. I use a Netgear GS724T in the utility room and a GS716T in the living room, and the setup works very well.

Altibox uses the following VLANs:

  • IPTV – 101
  • Internet – 102

As firewall and router I use Sophos UTM. It is comparable to pfSense and other firewall distributions. The reason I chose Sophos UTM a few years back was that it handles objects the same way as, for example, Cisco ASA, which I find a very tidy and clear way of presenting access rules. Not least, you get a full-blown enterprise solution free of charge for up to 50 IP addresses. When I wrote this article in 2016, 50 addresses were plenty, but in 2019, with IoT growing, that is no longer the case.

Depending on whether you want IPTV or not, there are two different approaches. If you are only after Internet you can plug the cable straight into the firewall of your choice; otherwise a switch has to be placed in front of it.

Create a new VLAN port on your firewall and tag it with VLAN 102. Set the virtual MAC equal to the one on your home gateway. Altibox uses MER (MAC Encapsulated Routing) for its traffic, so this is a requirement. Set the IP to DHCP and connect the cable. At this point you should get Internet through your own firewall.

[Screenshot: altibox vlan 102]

If you also want IPTV you need a switch with VLAN support. Create a trunk port with VLANs 101 and 102. Create one port with VLAN 101 that you use for TV traffic and one port with VLAN 102 that you connect the firewall to.

The setup is thus as follows (T = tagged, U = untagged):
GS724T

  • Port 13 – T 101 and T 102 – from the media converter (the wall).
  • Port 15 – T 102 – to the firewall.
  • Port 24 – T 101 – to the living room.

GS716T

  • Port 16 – T 101 – from the utility room.
  • Port 15 – U 101 – to the TV.

This setup worked flawlessly with the older TV boxes. With the new Android (UHD) units it gets somewhat more complicated, as these require IGMP snooping. Configuring this differs from brand to brand, and you more or less have to google and experiment. I am curious what people want, so feel free to get in touch for tips.

Two-factor Authentication with Duo Security

Duo Security two-factor authentication is a breeze to set up and deserves a look from everyone who wants to make their appliances or other logins more secure, whether for Microsoft RDP, WordPress or something else. As an example, the image below shows how the two-factor authentication works for RDP.

[Image: two-factor RDP network diagram]

My search for a way to use two-factor authentication began when I decided to open my remote desktop sessions to any IP. As always, I used Google to come up with several options, but Duo seems to be the best and most flexible out there. It has tons of options, great documentation, and even a free plan for personal use. What I will miss most when the trial runs out is the option to whitelist IP addresses, so that when I am at home or at any of my site-to-site locations I can log straight in.

The account creation may be a bit more involved than you are used to from other sites. You are asked to set up the application on your phone and verify a few things before you are let in. After creating your account, the rest is mostly self-explanatory. I followed two guides, one to set up RDP and one for WordPress, just to get me started.

When signing in to those places now, you get a notification on your phone asking for access. If this is you, simply hit the green button and you are logged in. The process is painless and is literally over in a matter of seconds. If you are outside cellular data coverage, you also have the option to use the codes that are already available in the application on your phone.