Today I updated my bananapi zero w running raspbian and the dump1090 flightaware software ADS-B monitor. Unfortunality the web server lighttp did not start any more after the update with an error about a line in 89-skyaware.conf. I did not accept the installer/update message to overwrite my custom files. But how can I get the maintainer versions of the conf files?

After some research I found them at https://github.com/flightaware/dump1090/tree/master/debian/lighttpd. So I used these files (89-skyaware.conf and 89-dump1090-fa.conf) instead and the web server started without error.

Finally I added my

server.use-ipv6 = "enable"

to the $SERVER[“socket”] of 89-skyaware.conf and my adsbox was reachable from internet again. I am at a FTTH network with global IPv6 only and use feste-ip.net to map ipv4 public IPs to my internal network.

I am running two openvpn servers in private network (192.168.0.0). Only in case one server stops working.

Network

default gateway internet router: 192.168.0.250
openvpn1: 192.168.0.137 10.8.0.0, debian, bananapi m2
openvpn2: 192.168.0.143 old=10.8.0.0 new=10.8.1.0, debian, bananapi B2
web server1:    192.168.0.40 (static ip), also running unbound dns and dnsmasq as DHCP server, debian
web server2:    192.168.0.50 (static ip), enigma2

Problem

First, both openvp servers where configured the same, using 10.8.0.0 for the remote clients. Do not forget to enable ip4 forwarding: sudo sysctl -w net.ipv4.ip_forward=1.

Unfortunately, some hosts did not respond, when connected to the second openvp server. Don’t know, why openvpn server1 works for remote connections connecting to private web servers. Internet browsing using default router worked with both opvpn connections.

When running a ssh session on .137 or .143, I was able to ping .40, but could not browse to the .40 web server from the remote connection. When connected to openvpn2, I could not open the web page of the 192.168.0.40 server.

How does a host know to use correct vpn network for sending back traffic and do not use the default router?

Solution

I changed the configuration to openvpn2 to use 10.8.1.0. Then I tested with static routes on 192.168.0.40:

For the static ip (/etc/network/interfaces):

  post-up route add -net 10.8.0.0/24 gw 192.168.0.137 dev eth1
  post-up route add -net 10.8.1.0/24 gw 192.168.0.143 dev eth1

After that temporary change on .40, I was able to to connect to openvpn2 and the web server on .40.

For dhcp clients in network (many esp8266, esp32 and esplink devices), I need to have an option for DHCP too.

On the dnsmasq dhcp server:

dhcp-option=option:classless-static-route,0.0.0.0/0,192.168.0.250,10.8.0.0/24,192.168.0.137,10.8.1.0/24,192.168.0.143

Note that the default router option (dhcp-option=option:router,192.168.0.250) may be ignored by dhcp clients

The dhcp options have been verified on a debian client:

aoa150:~$ ip r
default via 192.168.0.250 dev wlan2 proto static metric 600
10.8.0.0/24 via 192.168.0.143 dev wlan2 proto dhcp metric 600
10.8.1.0/24 via 192.168.0.137 dev wlan2 proto dhcp metric 600
192.168.0.0/24 dev wlan2 proto kernel scope link src 192.168.0.111 metric 600

Now I can connect from my mobile using OpenVPN to my network using openvpn1 and openvpn2 server.

Recently I switched by flight tracker Bananapi M2 Zero with RTLSDR from adsbox (port 7070) to dump1090 (port 8080). But then, the IPv6 official address does not open the web site any more, although I switched the port forarding from 7070 to 8080 on the router.

After some digging and tests, I found that lighttpd, that was used as web server by dump1090-fa (fligh-warae variant), does not default to use IPv6 too. I had to change the dump1090-fa extension for lighttpd to:

/etc/lighttpd/conf-enabled/89-dump1090-fa.conf

...# Listen on port 8080 and serve the map there, too.
$SERVER["socket"] == ":8080" {
  server.use-ipv6 = "enable"
  alias.url += (
    "/data/" => "/run/dump1090-fa/",
    "/" => "/usr/share/dump1090-fa/html/"
  )
}
...

Now,  netstat -tulpn did show that port 80 and 8080 are open for ipv4 and ipv6

...
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -                   
...
tcp6       0      0 :::8080                 :::*                    LISTEN      -

Just to remember.

OpenVPN auf BananaPi M2 Zero W mit Raspbian

Deutsche Glasfaser Genexis Router in Verbindung mit feste-ip.net zur Umsetzung ipv4 nach ipv6

Ich versuche hier meine Installation basierend auf den nachfolgenden Quellen zusammenzufassen.

Quellen: https://wiki.ubuntuusers.de/OpenVPN/ und https://blog.sengotta.net/openvpn-server-am-unitymedia-ds-lite-anschluss-betreiben/

Nachfolgend sind persönliche Angaben in < und > gesetzt. IP Addressen sind in der Form durch x ersetzt.

Feste-ip.net Universal Portmapper einrichten

Über https://test-ipv6.com/ die öffentliche IP6 Adresse des Servers (VPN Gateway) ermitteln.

Feste-IP.net Portmapper

Bei feste-ip.net habe ich eine Port Weiterleitung auf die öffentliche IPv6 Addresse des BananaPi (dem OpenVPN Server) und den Port 443 unter “Universelle Portmapper” angelegt.

Ich habe hier den Port 443 gewählt da dieser auch in vielen Fremdnetzen (zb Mobilfunk Netze) funktioniert. Der Standard VPN Port 1194 ist möglicherweise in dem einen oder anderen Netz gesperrt.

Ich habe einen Alias gewählt den ich mir leichter merken kann als den DNS-Namen. Ausserdem laufen auf demselben BananaPi M2 Zero W noch drei weitere Dienste. Diese sind über den gleichen Alias unter drei anderen Ports erreichbar.

In der Client.conf muss später der Alias Name und der gemapte Port angegeben werden, da die Verbindung nicht über IPv6 und Port 443 hergestellt wird. Siehe client.con Zeile:

remote <aliasname>.feste-ip.net <auf 443 umgeleiterter port>

Openvpn Server einrichten

Continue reading ‘Openvpn server an Deutsche Glasfaser IPv6 only Router und feste-ip.net’ »