Trikarus uses a router running Freifunk firmware to build a network that can be used remotely. The router can be accessed from outside by SSH, or from another Freifunk router, also by SSH. You can also reach the Freifunk router through the connected Raspberry Pi, which has an external connection via WireGuard. This allows building a long communication path (client computer → WireGuard server → WireGuard client on the Raspberry Pi → Freifunk router):

ssh <DEVICE-IPV6>

Reasons to access Trikarus devices from outside

  • Access to the web services (Raspberry Pi, Repetier Server, Duet Web Control, Grafana, InfluxDB, webcam, ...)
  • Access to the Freifunk node via SSH key

SSH Access

The Freifunk router can be accessed from the wider internet and from the local network over IPv6. Using IPv4 does not work (neither from the local network nor from outside). This was tested from different clients, with the result "permission denied". I guess it's a configuration setting in dropbear which I did not change and which I don't want or need to change.

Overview

Configuring device name

https://wiki.freifunk.net/Konsole#Routernamen_.C3.A4ndern

uci set system.@system[0].hostname='theHostName'
uci commit system
reboot

Setting datetime

(info) It can happen that the router is up and running fine but the time is not up to date. If the time is not set properly, cron jobs will fail.

date
# Tue Aug 7 19:44:38 CEST 2018

# Set the time manually to the current time. You could also sync with a time server.
date --set '2020-06-21 00:38:00'

GEO coordinates

We can get latitude and longitude from mapcoordinates.net, for example.

uci set gluon-node-info.@location[0]='location'
uci set gluon-node-info.@location[0].share_location='0'
uci set gluon-node-info.@location[0].latitude='someValue'
uci set gluon-node-info.@location[0].longitude='someValue'
uci commit
# Flush firewall rules temporarily or allow everything (only for testing)
iptables -F
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

# Some tests
ping -6 <DEVICE-IPV6>
telnet <DEVICE-IPV6> 22
telnet <DEVICE-IPV6> 80
swconfig dev switch0 show | grep 'link:'

# Read the global IPv6 address
ifconfig | grep Global

# Find the IP addresses of devices with a given MAC address
batctl dc | grep "<RASPI-MAC>" | awk -F ' ' '{print $2}' # hangdevice
batctl dc | grep "<DUET2-MAC>" | awk -F ' ' '{print $2}' # Duet 2 Ethernet - see config.g

vim /etc/config/uhttpd

Remove unneeded SSH keys from unknown admins

vim /etc/dropbear/authorized_keys
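Before editing the file by hand it helps to know which keys are actually in it. The following is an added example, not part of this page and not dropbear or Gluon code: it lists every key in a dropbear/OpenSSH-style authorized_keys file and flags the ones whose public key is not on an allowlist you maintain. The file content, key blobs and comments embedded in it are constructed dummies, and the allowlist format (type plus base64 blob per line) is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the Trikarus wiki): audit a dropbear authorized_keys
# file against an allowlist of known public keys. Keys with a leading options
# list (no-pty,command="...") are handled because the key type is located by
# pattern rather than by column number.

# Constructed authorized_keys content (base64 parts are invented filler, not real keys).
AUTH_KEYS_SAMPLE='# comment lines and blank lines are ignored
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDummyKeyOneXXXX hangdevice@trikarus

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDummyKeyTwoYYYY laptop@unknown
no-pty,command="/bin/false" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDummyKeyThreeZZZZ backup'

# Constructed allowlist: one known public key per line (type + base64 blob).
ALLOWED_KEYS='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDummyKeyOneXXXX
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDummyKeyThreeZZZZ'

# audit_keys FILE_CONTENT ALLOWLIST -> prints "KEEP type comment" or
# "REMOVE type comment" per key line. Returns 1 if any key should be removed.
audit_keys() {
    printf '%s\n' "$1" | awk -v allow="$2" '
        BEGIN {
            n = split(allow, lines, "\n")
            for (k = 1; k <= n; k++) {
                m = split(lines[k], p, " ")
                if (m >= 2) ok[p[1] " " p[2]] = 1
            }
        }
        /^[ \t]*#/ { next }      # comment line
        /^[ \t]*$/ { next }      # blank line
        {
            # Locate the key-type field; everything before it is an options list.
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp[0-9]+)$/) break
            if (i > NF) { print "REMOVE unparsable line " NR; bad = 1; next }
            type = $i; blob = $(i + 1); comment = ""
            for (j = i + 2; j <= NF; j++) comment = comment (comment == "" ? "" : " ") $j
            if (comment == "") comment = "(no comment)"
            if ((type " " blob) in ok) print "KEEP " type " " comment
            else { print "REMOVE " type " " comment; bad = 1 }
        }
        END { exit bad ? 1 : 0 }'
}

# On the router you would run: audit_keys "$(cat /etc/dropbear/authorized_keys)" "$ALLOWED_KEYS"
```

The exit status makes the check usable from a cron job or a monitoring script: a non-zero status means a key is present that is not on the allowlist, which is exactly the situation the heading above is about.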

Notes

  • (minus) It seems that Ed25519 key pairs on Freifunk Gluon with dropbear, generated with KiTTY Keygen and uploaded to server and client, cause undefinable bugs with the SSH connection. RSA key pairs work properly.
  • IPv6 sometimes fails, so the router is not always reachable from the regular internet. SSH access from outside sometimes fails, which makes maintenance harder.
  • Freifunk Chemnitz does not work in other cities; it cannot easily mesh with other Freifunk nodes then. A better approach to be fully mobile would be to use a router with a SIM card or to have some WAN access to plug an uplink cable into the router. Maybe another device could be utilized with IC-VPN.
  • Meshing is often unstable when the TQ (transfer quality) value is low. It results in dropped packets and lower bandwidth.

DNS / resolving of hostnames

Device names / host names are not announced in the Freifunk network, for better anonymity. Only IPv4 and IPv6 addresses are available for communication (e.g. "nslookup 10.149.11.71" returns "Server: UnKnown"). To list all devices in .ffcmesh you can run arp-scan from any Windows or Linux client. This way device availability can be monitored from outside by comparing the current IP addresses with the fixed MAC addresses.
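As an added example that is not part of this wiki page (nor batctl or arp-scan code), the following POSIX shell helper covers both the MAC-to-IP lookup from the "batctl dc" commands in the overview above and the availability check described here: it finds the IPv4 address next to a given MAC in either table format and reports which expected devices are missing. The batctl dc and arp-scan outputs embedded in it are constructed samples with invented MAC addresses and vendor strings, and the device names are assumptions.

```shell
#!/bin/sh
# Added example (not from the Trikarus wiki): look up a device's IPv4 address
# by MAC in a neighbour table and report which expected devices are missing.
# Works on "batctl dc" output (on the router) and on arp-scan output (from a
# client) because it finds the MAC and IPv4 columns by pattern, not by position,
# and compares the MAC as a whole field, case-insensitively.

# Constructed sample of "batctl dc" output (MACs are made up).
BATCTL_DC_SAMPLE='Distributed ARP Table (bat0):
          IPv4             MAC        VID   last-seen
 *      10.149.11.71  b8:27:eb:12:34:56   -1      0:01
 *      10.149.11.80  00:1e:c0:aa:bb:cc   -1      0:07'

# Constructed sample of arp-scan output (same made-up MACs, vendor text invented).
ARP_SCAN_SAMPLE='Interface: eth0, type: EN10MB, MAC: 11:22:33:44:55:66, IPv4: 10.149.11.5
Starting arp-scan with 256 hosts
10.149.11.71	b8:27:eb:12:34:56	Raspberry Pi Foundation
10.149.11.90	de:ad:be:ef:00:01	(Unknown)

2 packets received by filter, 0 packets dropped by kernel'

# ip_for_mac TABLE MAC -> prints the IPv4 address on the line that carries MAC,
# exit status 1 if the MAC is not in the table.
ip_for_mac() {
    printf '%s\n' "$1" | awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        {
            ip = ""; found = 0
            for (i = 1; i <= NF; i++) {
                f = tolower($i)
                if (f == want) found = 1
                else if (f ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) ip = f
            }
            if (found && ip != "") { print ip; hit = 1; exit }
        }
        END { exit hit ? 0 : 1 }'
}

# check_devices TABLE "NAME=MAC NAME=MAC ..." -> one line per device,
# "NAME present IP" or "NAME MISSING". Returns 1 if any device is missing.
check_devices() {
    table=$1; missing=0
    for entry in $2; do
        name=${entry%%=*}; mac=${entry#*=}
        if ip=$(ip_for_mac "$table" "$mac"); then
            printf '%s present %s\n' "$name" "$ip"
        else
            printf '%s MISSING\n' "$name"; missing=1
        fi
    done
    return $missing
}

# On the router:  check_devices "$(batctl dc)" "hangdevice=<RASPI-MAC> duet2=<DUET2-MAC>"
# From a client:  check_devices "$(arp-scan --localnet)" "hangdevice=<RASPI-MAC> duet2=<DUET2-MAC>"
```

The non-zero exit status of check_devices is what a monitoring cron job would act on; the printed lines are for reading by hand.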

Private SSID (second SSID next to chemnitz.freifunk.net)

SSID="SSID"
KEY="KEY"
uci set wireless.wan_radio0=wifi-iface
uci set wireless.wan_radio0.device=radio0
uci set wireless.wan_radio0.network=wan
uci set wireless.wan_radio0.mode=ap
uci set wireless.wan_radio0.encryption=psk2
uci set wireless.wan_radio0.ssid="$SSID"
uci set wireless.wan_radio0.key="$KEY"
uci set wireless.wan_radio0.disabled=0
#uci set wireless.wan_radio0.hidden=1 # do NOT hide the SSID, otherwise it won't be found
uci set wireless.wan_radio0.macaddr=$(lua -e "print(require('gluon.util').generate_mac(3))")
uci commit wireless
wifi

Switch mode vs mesh mode and over night security

In default mode the Freifunk router connects all WiFi and LAN clients to the layer 2 switch of the Freifunk network. Sometimes this is unstable, and even local clients cannot reach each other on the same local switch. Furthermore, all other Freifunk nodes can run port scans against the locally connected devices (exposed hosts). To prevent attacks and port scans over night, the idea is to take the Raspberry Pi and Duet devices out of the Freifunk network during a defined time slot. To do this we can move the eth0 interface from LAN to WAN. Then the devices only talk to each other like on a regular switch, and they have no access to the internet. In switch mode the locally connected devices (Raspberry Pi, Duet, client computer) fall back to the 169.254.XXX.XXX link-local range instead of 10.149.XXX.XXX.

Mode switching manually

Check the current state

uci get network.client.ifname
uci get network.wan.ifname

WAN at all LAN ports (change to local switch mode)

uci set network.client.ifname=bat0
uci set network.wan.ifname='eth0 eth1'
uci commit network
/etc/init.d/network restart

Client network on LAN ports (undo switch mode → restore defaults)

uci set network.client.ifname='bat0 eth0'
uci set network.wan.ifname=eth1
uci commit network
/etc/init.d/network restart

As all-in-one command from hangdevice

vim /opt/switchmode.sh
# content of /opt/switchmode.sh:
ssh -i /root/.ssh/theHostName <root@DEVICE-IPV6> "uci set network.client.ifname=bat0 && uci set network.wan.ifname='eth0 eth1' && uci commit network && /etc/init.d/network restart"
chmod +x /opt/switchmode.sh

This is configured as alias "swimo" in /root/.bash_aliases

(info) To switch back from switch mode to mesh mode you need to connect to the router from outside the local network! You should be able to do this by connecting to chemnitz.freifunk.net via WiFi instead of LAN.

Overnight change to switching mode

The scripts as crontab

In Gluon there is no /etc/cron.d directory; the jobs are added with crontab -e instead.

# Edit the crontab, and always do it this way: otherwise a file named "crontab.update" is left over and changes are not picked up. As long as the crontab.update file exists, the crontab is not updated.
crontab -e
# Disable LAN devices to be part of Freifunk network after 20:00
0 20 * * * uci set network.client.ifname=bat0 && uci set network.wan.ifname='eth0 eth1' && uci commit network && /etc/init.d/network restart

# Enable LAN devices to be part of Freifunk network after 7:00
0 7 * * * uci set network.client.ifname='bat0 eth0' && uci set network.wan.ifname=eth1 && uci commit network && /etc/init.d/network restart

# debugging crontab - use this if crontab is not triggered accordingly
#* * * * * env > /tmp/env.output
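As an added example (not the page's own script and not part of Gluon), the two cron commands above can be replaced by one hypothetical script /opt/ffmode.sh that reads the current state first and restarts the network only when the mode actually changes, so a repeated cron trigger or a manual re-run does not drop the mesh link for nothing. It assumes the uci option names and interface names used on this page (network.client.ifname, network.wan.ifname, eth0 = LAN ports, eth1 = WAN port, bat0 = mesh).

```shell
#!/bin/sh
# Added example (not from the Trikarus wiki): /opt/ffmode.sh
# Idempotent switch between "mesh" mode (LAN ports in the Freifunk client
# bridge) and "switch" mode (LAN ports moved to wan, local devices isolated).
# Assumes the uci options and interface names used on the wiki page.

# Wrapped so it can be replaced when testing without a Gluon router.
restart_network() {
    /etc/init.d/network restart
}

# current_mode -> "mesh" if eth0 is in the client bridge, "switch" if eth0
# hangs on wan, "unknown" otherwise.
current_mode() {
    client=$(uci get network.client.ifname 2>/dev/null) || client=""
    wan=$(uci get network.wan.ifname 2>/dev/null) || wan=""
    case " $client " in
        *" eth0 "*) echo mesh; return 0 ;;
    esac
    case " $wan " in
        *" eth0 "*) echo switch; return 0 ;;
    esac
    echo unknown
}

# set_mode switch|mesh -> applies the uci changes only if the mode differs.
set_mode() {
    want=$1
    now=$(current_mode)
    if [ "$now" = "$want" ]; then
        echo "already in $want mode, nothing to do"
        return 0
    fi
    case "$want" in
        switch)
            uci set network.client.ifname='bat0'
            uci set network.wan.ifname='eth0 eth1' ;;
        mesh)
            uci set network.client.ifname='bat0 eth0'
            uci set network.wan.ifname='eth1' ;;
        *)
            echo "usage: $0 switch|mesh" >&2
            return 2 ;;
    esac
    uci commit network
    restart_network
    echo "changed $now -> $want"
}

# Only act when called with an argument (cron passes one); sourcing the file
# just defines the functions. The crontab would then read:
#   0 20 * * * /opt/ffmode.sh switch
#   0 7  * * * /opt/ffmode.sh mesh
if [ $# -gt 0 ]; then
    set_mode "$1"
fi
```

Because the state check reads the live uci values, the script also tells you which mode the router is in when run manually, which is handy when an SSH session unexpectedly lands on a 169.254.x.x address.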

(info) For better debugging we can also grab the output by accessing the Freifunk router externally using ssh. Because dropbear ssh has no rsync, we cannot use rsync synchronization between hangdevice and the Freifunk router. But we can use a regular ssh command like this:

ssh -i /root/.ssh/theHostName <root@DEVICE-IPV6> 'cat /tmp/env.output'

USB slot / mount point

Note: USB devices on the Freifunk router do not work by default, but can be enabled later via workarounds. This requires a deeper reconfiguration.
