2025-02-14
1. SETUP
1.1 Install
```sh
apt install wireguard
cd /etc/wireguard/
umask 077   # create the key files private from the start, not only after chmod
wg genkey | tee private.key | wg pubkey > public.key
touch wg-srv.conf
chmod 600 private.key wg-srv.conf

## turn on ip forward systemwide within /etc/sysctl.d
## OR do it later inside wg-srv.conf
#sysctl --write net.ipv4.ip_forward=1
#echo net.ipv4.ip_forward=1 >> /etc/sysctl.d/local.conf
```
1.2 Firewall
```sh
# open port and allow traffic from intranet
ufw allow 1053/udp comment 'VPN server'
ufw allow from 10.1.1.0/24 comment 'intranet VPN'
ufw route allow in on wg-srv comment 'VPN forward'
```
1.3 Network interface up/down
NB: wg-name = interface name = config filename without the extension .conf.

```sh
wg-quick up wg-name     # start
wg                      # info
wg-quick down wg-name   # stop

# enable service
systemctl start wg-quick@wg-name
systemctl enable wg-quick@wg-name
```
2. SERVER
```ini
# /etc/wireguard/wg-srv.conf

# server (with rules to allow routing all traffic)
[Interface]
PrivateKey = KFSjreufI8MJq5DD4c94EIuVOMBRGB0cL00uAmy9+2s= # server private key
ListenPort = 1053
Address = 10.1.1.1/24
PostUp = sysctl --write net.ipv4.ip_forward=1
PostUp = iptables -A FORWARD -i %i -j ACCEPT
PostUp = iptables -A FORWARD -o %i -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
#PostUp = iptables -t nat -A POSTROUTING -o wg-xxx -j MASQUERADE # can add other interfaces
PostDown = sysctl --write net.ipv4.ip_forward=0
PostDown = iptables -D FORWARD -i %i -j ACCEPT
PostDown = iptables -D FORWARD -o %i -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
#PostDown = iptables -t nat -D POSTROUTING -o wg-xxx -j MASQUERADE

# client A
[Peer]
PublicKey = SCkqASUWoNXzDW59pZglfbUHMBzBMJmoH5HH7zffY0c= # client public key
PresharedKey = tbAdUxK2T0uLIBk5IfSXXUYihPJUyGeFI0vP4MUPrUM= # wg genpsk
AllowedIPs = 10.1.1.2/32
PersistentKeepalive = 23
```
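A check for the server config above, as an added example that is not part of the original post: it flags a config file readable beyond its owner, a `[Peer]` whose `AllowedIPs` is wider than one host, and an address claimed by two peers. The function names, the finding labels and the sample config (placeholder keys) are assumptions of this example.

```shell
# Added example, not from the original post. Assumes the road-warrior layout
# above: every client peer owns exactly one host address (/32 or /128).
audit_wg_conf() {
    conf=$1
    # The file holds PrivateKey/PresharedKey: group and other need no access.
    if [ "$(ls -ld "$conf" | cut -c5-10)" != "------" ]; then
        echo "MODE: $conf is accessible to group/other (expected chmod 600)"
    fi
    awk '
        { sub(/#.*/, "") }                       # strip comments
        /^[ \t]*\[/ { peer = ($0 ~ /\[Peer\]/); if (peer) n++; next }
        peer && /^[ \t]*AllowedIPs[ \t]*=/ {
            sub(/^[^=]*=/, ""); gsub(/[ \t]/, "")
            k = split($0, ips, ",")
            for (i = 1; i <= k; i++) {
                ip = ips[i]; if (ip == "") continue
                host = (ip ~ /:/) ? "/128" : "/32"
                if (ip !~ /\//) ip = ip host     # bare address = host route
                # A wider prefix lets that peer send from any address in it.
                if (substr(ip, length(ip) - length(host) + 1) != host)
                    print "WIDE: peer " n " AllowedIPs " ip
                # An address listed on two peers ends up on only one of them.
                if (ip in owner) print "DUP: peer " n " AllowedIPs " ip " already on peer " owner[ip]
                else owner[ip] = n
            }
        }' "$conf"
}

# Constructed sample; the keys are placeholders, not real key material.
sample_conf() {
    cat <<'EOF'
[Interface]
PrivateKey = <server-private-key>
Address = 10.1.1.1/24
[Peer] # client A
PublicKey = <client-a-public-key>
AllowedIPs = 10.1.1.2/32
[Peer] # client B: whole subnet instead of one host
PublicKey = <client-b-public-key>
AllowedIPs = 10.1.1.0/24
[Peer] # client C: reuses the address of client A
PublicKey = <client-c-public-key>
AllowedIPs = 10.1.1.2/32, fd00::3/128
EOF
}

tmp=$(mktemp) && sample_conf > "$tmp" && chmod 644 "$tmp"
audit_wg_conf "$tmp"
rm -f "$tmp"
```

Site-to-site peers legitimately carry whole subnets in `AllowedIPs`, so treat `WIDE` as a prompt to review rather than an error in that layout.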
3. CLIENT
3.1 Standard client
```ini
# /etc/wireguard/wg-cli.conf

# client A
[Interface]
PrivateKey = oP6Zfi5ud9i4OL/COrL4FK0luSYpxvf3H7XRk8xfN0w= # client private key
ListenPort = 2053
Address = 10.1.1.2/24
DNS = 10.0.0.1,1.1.1.1

# server
[Peer]
PublicKey = ECxm9+6EAt/PPgIiVQEjzl0E8VZ7JBphZjWADUv/mVs= # server public key
PresharedKey = tbAdUxK2T0uLIBk5IfSXXUYihPJUyGeFI0vP4MUPrUM= # wg genpsk
AllowedIPs = 0.0.0.0/0 # route all traffic through the server
#AllowedIPs = 10.1.1.0/24 # OR route VPN subnet only
Endpoint = 185.193.254.157:1053
PersistentKeepalive = 5
```
3.2. NordVPN client (gist)
```sh
# create a linux access token
# => https://my.nordaccount.com/dashboard/nordvpn/manual-configuration/

# get my wg private key
curl -s -u token:XXXX https://api.nordvpn.com/v1/users/services/credentials | \
  jq -r .nordlynx_private_key

# get servers params (URL quoted so the shell does not treat "?" as a glob)
wget -qO - 'https://api.nordvpn.com/v1/servers?limit=15000' | gzip -9 > servers.json.gz

# get servers params (recommended)
curl -s "https://api.nordvpn.com/v1/servers/recommendations?&filters\[servers_technologies\]\[identifier\]=wireguard_udp&limit=1" | \
  jq -r '.[]|.hostname, .station, (.locations|.[]|.country|.city.name), (.locations|.[]|.country|.name), (.technologies|.[].metadata|.[].value), .load'

# create conf
[Interface]
PrivateKey = <PRIVATE_KEY> # my private key
Address = 10.5.0.2/32 # IP is always the same
DNS = 127.0.0.1, 10.5.0.2, 1.1.1.1
# local ip/subnet/gateway rules to allow access to eth0 from outside
#PostUp = ip rule add from 192.168.1.110 table 1000 ; ip route add to 192.168.1.0/24 table 1000 dev eth0; ip route add default via 192.168.1.1 table 1000 dev eth0
#PreDown = ip route del default via 192.168.1.1 table 1000 dev eth0; ip route del to 192.168.1.0/24 table 1000 dev eth0; ip rule del from 192.168.1.110 table 1000

[Peer]
PublicKey = <SRV_PUB_KEY>
AllowedIPs = 0.0.0.0/0, 192.168.1.110 # route everything, and allow binding to eth0
Endpoint = <SRV_IP>:51820 # port is always the same
```
Source Linux: Debian wiki 1 and 2, davidshomelab, deb10 wg server, dynamic IP reddit & script
Source NordVPN: myshittycode, gist, NordVPN-WireGuard-Config-Generator, NordVPN api
~~~ * ~~~
2025-02-14
apps/addons/plugins»
Stores: Google Play, NeoStore, F-Droid, Droid-ify, Aurora (src)
To check
- FP4 alt. camera
- Secure Camera
- Open Camera
- GCam: wichaya, nikita
- Games:
- lemuroid -- libretro emulator
- lightblocks -- tetris clone for any device
- Metal Slug: Awakening
- Librera Reader -- eBook and PDF reader
- MaterialFiles -- file manager
- Multi profiles:
- Phonograph -- material music player
- Image gallery:
- Goodwy apps / gh
- Audio Recorder
- FossifyOrg -- a SimpleMobileTools fork before acquisition
- Immich / hp / gh -- Self-hosted backup solution for photos and videos
- FV File Manager + Shizuku bridge -- workaround android 13 locking /Android/data
- Hermit lite apps browser -- hp
General
- Add Country Code -- fix contacts
- AfterShip -- post tracking
- AndrOpen Office -- libre office port
- BigSMS
- CalcTape
- Catima -- loyalty cards hp, fdroid
- Decathlon Coach -- home, 10/15-minute exercises per day
- DeepL Translate
- Etar -- OpenSource Calendar
- Event Flow Widget
- Firefox focus
- Free-OTP+ / Free-OTP -- free TOTP authenticator
- Google Drive -- copy to clipboard share option
- KeePassDroid
- Classic notes lite -- notepad on steroids
- Trireme -- gh, deluge thin client (torrent)
- Nova Launcher + TeslaUnread -- unread badges
- Lightning browser
- Off+ -- turn off screen hack
- OperaMini
- Parcels -- shipment tracking
- Pixeful icon pack -- inexpensive icon pack (usable with Nova launcher)
- Pl@ntNet -- plant recognition
- Power Toggles
- QR Droid -- bar/qrcode scanner
- Screen Off -- lock display widget
- Should I Answer? -- call spam blocker
- SMS Backup & Restore
- Sound Profile -- rich sound profile manager
- Sygic -- car navigator
- Telegram -- IM
- Textra -- customizable SMS app
- TouchPal -- very customizable multi-mode keyboard
- Vuze -- torrent downloader
- Wallabag -- save articles to read later
- WPS Office -- MSOffice compatible (use AndrOpen Office)
Media
- Boldbeast Recorder / hp -- audio & call recorder
- BookReader -- ebook reader (epub, etc.)
- Camera FV-5
- Flym feed reader
- iMediaShare -- media caster
- YouTube Vanced -- YT ad free + background play
- Perfect Viewer -- image viewer
- Piktures -- simple & powerful gallery
- Pulsar -- music player
- Radio alarm clock++
- Radio FM Italia
- Simple Last.fm Scrobbler
- Smart Recorder -- audio recorder
- Snapseed -- rich image editor
- Sound Hound -- song search by your own whistles and voice!
- Spreaker -- podcasts
- VLC -- rich video player + DLNA renderer
Games
- Alien Vs Space invaders
- Day Off
- Destiny Child -- dedicated post
- Deus Ex Go
- Dungeon cards
- GamePad Tester -- test controller
- GRIS
- Hearts Free
- Higgster Games -- 21 free offline games
- Jelly Splash
- Lara Croft Go
- Live2DViewerEX -- steam license
- Picross Luna I & Picross Luna II
- Pigeon Pop, alt
- Progressbar95
- Puzzle Fighter
- Shattered Pixel Dungeon foss -- github, f-droid
- Snes9x EX+
- --- to see ---
- Fist of the north star (Hokuto no Ken)
- Honkai Impact 3rd
- The King of Fighters ALLSTAR
System
- AccuBattery -- alert when reaching xx% charge level
- CPUz | Device Info HW
- DavX5 -- CalDAV, CardDav sync
- DiskUsage -- xdiskusage port
- Ghost Commander -- TotalC./MC/NC foss clone
- Hacker's Keyboard -- full PC keyboard
- Heliboard -- opensource keyboard, gh
- JuiceSSH
- Let's Print Droid -- CUPS client
- Let's Print PDF
- Open in browser
- OpenVPN
- Override DNS
- QuickEdit Pro -- fast text editor
- Quick Sync widget -- sync Google account
- Remote Ripple -- vnc viewer
- SANEDroid -- SANE client
- Simple Mobile Tools -- replacements for all fundamental apps
- sockstun -- create a VPN via a Socks5 service
- Tasker -- homepage
- Termux
- Thunderbird -- ex K9
- Titanium backup
- Total commander -- rich file manager MC style
- Turbo VPN -- AD supported free VPN
- Wi-Fi on/off widget
- ZArchiver -- supports many archive types (7zip)
Home automation
- ~mydlink Home~ -- socket D-Link DSP-W215
- SmartLife -- RGB lamp LOFTer 10W
- TP-Link Tapo -- socket Tapo P100
Leisure
Other lists: Retrial, Finalboss77
~~~ * ~~~
2025-01-28
- install the C version of smem (no multiple python dependency!):

```sh
apt install smemstat
```

- simple wrapper to show only the top lines, with regexp filtering support

```ruby
#!/usr/bin/env ruby

if ARGV.include?('-h')
  puts "USAGE: #{File.basename __FILE__} [-a] [regexp]"
  exit
end

h, w    = `stty size`.split(' ').map(&:to_i)
lines   = `sudo smemstat -d -m`.split("\n")
lines.pop             # Note: Memory reported in units of megabytes.
lines.pop             # empty lines
totals  = lines.pop   # Totals
header  = lines.shift
cmd_col = header.index('Command')

# -a: show all lines instead of one screenful
if ARGV.include?('-a')
  ARGV.delete '-a'
  h = 100_000
end

# replace Command with full cmdline
lines = lines.map{|l|
  pid = l.split(' ', 2).first.to_i
  next if pid == Process.pid

  cmd_src = l[cmd_col..]
  cmd_dst = File.read("/proc/#{pid}/cmdline") rescue cmd_src
  cmd_dst = cmd_src if cmd_dst.empty? # keep smemstat's name when cmdline is empty
  args    = cmd_dst.split(/[ \u0000]/)
  cmd_dst = [File.basename(args.shift)].concat(args).join(' ')

  "#{l[0...cmd_col]}#{cmd_dst}"
}.compact

lines = lines.grep Regexp.new(ARGV[0]) if ARGV[0]
lines = lines[0..(h-9)]
max_w = lines.map(&:size).max || 0 # 0 when the filter matches nothing
sep   = '-' * (max_w > w ? (w-2) : max_w)

puts header
puts sep
lines.each{|l| puts l[0..(w-2)] }
puts sep
puts totals
```
Source: golinuxcloud, smem (python), smemstat (C)
~~~ * ~~~
2025-01-26
A general tunnel command:
```
ssh myuser@mysrv
  -L 8080:localhost:80             # tunnel local_port:target:target_port
  -L *:8080:localhost:80           # tunnel open to everyone who can connect to this machine
  -R 3380:localhost:80             # reverse tunnel port_on_mysrv:target:target_port
  -R *:3322:localhost:22           # reverse tunnel open to everyone who can connect to mysrv
  -q                               # quiet mode
  -f                               # go to background
  -n                               # redirects stdin from /dev/null
  -N                               # do not execute a remote command
  -T                               # disable pseudo-terminal allocation
  -M -S /path/to/socket            # enable master mode via a shared socket
  -o UserKnownHostsFile=/dev/null  # do not update known_hosts file
  -o StrictHostKeyChecking=no      # do not check the empty known_hosts file (host key is not verified)
```
Note: to allow the creation of reverse tunnels opened to everyone (0.0.0.0) you have to set this option:
```
# server configuration: /etc/ssh/sshd_config
GatewayPorts clientspecified
```
Scriptable tunnels
You can look for process IDs via pgrep/pkill:
```sh
ssh -fnNT ... mysrv            # start
pkill -f -QUIT 'ssh.*mysrv'    # stop
```
or better use master mode to avoid both grepping and any timing issues:
```sh
ssh -fNM -S /path/to/socket ... mysrv     # start
ssh -S /path/to/socket -O check mysrv     # check (-O also needs the destination)
ssh -S /path/to/socket -O exit mysrv      # stop
```
Auto-closing tunnels
SSH runs the specified command and then exits only if no one is using the tunnel:
```sh
ssh -f myusr@mysrv sleep 10    # start auto-closing tunnel
vncviewer 127.0.0.1::25901     # use the tunnel
```
Keep alive your connection
Send a keep-alive probe every 60 seconds and drop the connection only after 1440 unanswered probes (= 24 hours):

```
# client configuration: /etc/ssh/ssh_config | ~/.ssh/config
Host *
    ServerAliveInterval 60
    ServerAliveCountMax 1440
```

```
# server configuration: /etc/ssh/sshd_config
ClientAliveInterval 60
ClientAliveCountMax 1440
```
Test connectivity
```sh
ssh -o BatchMode=yes -o ConnectTimeout=3 myusr@mysrv exit && echo ok || echo ko
```
List active tunnels and ports
```sh
sudo lsof -i -n | grep -E sshd
```
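A defender's reading of that listing together with the `GatewayPorts` note above, as an added example that is not part of the original post: it separates forwarded ports bound to loopback from those reachable from the network. The function names, the `-P` flag added so ports stay numeric, and the sample `lsof` lines are assumptions of this example.

```shell
# Added example, not from the original post. Live use (as root):
#   lsof -i -n -P | forwarded_listeners 22
#   sshd -T | gateway_ports

# Print sshd LISTEN sockets other than the daemon's own port ($1, default 22).
forwarded_listeners() {
    awk -v own="${1:-22}" '
        $1 ~ /^sshd/ && $NF == "(LISTEN)" {
            addr = $(NF - 1)              # *:3322, 127.0.0.1:3380, [::1]:3380
            port = addr; sub(/.*:/, "", port)
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (port == own) next         # the daemon itself, not a tunnel
            scope = (host ~ /^127\./ || host == "[::1]") ? "loopback" : "EXPOSED"
            print scope, port, "pid=" $2, "user=" $3
        }' | sort -u
}

# Effective GatewayPorts value from `sshd -T` output (keywords are lowercase).
gateway_ports() {
    awk '$1 == "gatewayports" { print $2 }'
}

# Constructed sample of `lsof -i -n -P` output.
sample_lsof() {
    cat <<'EOF'
COMMAND  PID  USER  FD  TYPE DEVICE SIZE/OFF NODE NAME
sshd     812  root  3u  IPv4 18233  0t0      TCP  *:22 (LISTEN)
sshd     812  root  4u  IPv6 18235  0t0      TCP  *:22 (LISTEN)
sshd     2301 alice 9u  IPv4 40211  0t0      TCP  127.0.0.1:3380 (LISTEN)
sshd     2301 alice 10u IPv6 40212  0t0      TCP  [::1]:3380 (LISTEN)
sshd     2417 bob   9u  IPv4 40390  0t0      TCP  *:3322 (LISTEN)
sshd     2417 bob   4u  IPv4 40301  0t0      TCP  10.0.0.5:22->203.0.113.7:51234 (ESTABLISHED)
EOF
}

sample_lsof | forwarded_listeners 22
printf 'gatewayports clientspecified\n' | gateway_ports
```

An `EXPOSED` line can only appear when `gateway_ports` reports something other than `no`; firewall rules still decide which sources can actually reach the port.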
Port knocking
```sh
# ip4, scan, UDP, verbose
nc -4znuv hostname_or_ip port1 port2 ...

# with wait interval (-u = UDP instead of TCP)
nc -4znuv hostname_or_ip port1 && sleep 1 && \
nc -4znuv hostname_or_ip port2 && sleep 1 && \
...
```
Source: Stackexchange - master mode, Patrickmn - keep alive, Stackoverflow - test, Superuser - list active tunnels
~~~ * ~~~
2024-12-30
commands
```sh
cp /usr/share/i18n/locales/en_US /usr/share/i18n/locales/en_US@iso8601
# integrate desired config from /usr/share/i18n/locales/it_IT

# add new entry to supported locales
mkdir -p /usr/local/share/i18n
echo "en_US@iso8601 UTF-8" >> /usr/local/share/i18n/SUPPORTED

# compile new entry
dpkg-reconfigure locales # add en_US@iso8601 and set it as default

# test after re-login
locale # LANG=en_US@iso8601
date   # 2024-12-30 15:32:51 CET
```
custom entry
```
comment_char %
escape_char /

% USA English locale +EUR +ISO8601 dates +A4 paper

LC_IDENTIFICATION
title      "English locale for the USA (+EUR +ISO8601 dates +A4 paper)"
source     "Free Software Foundation, Inc."
address    "https:////www.gnu.org//software//libc//"
contact    ""
email      "bug-glibc-locales@gnu.org"
tel        ""
fax        ""
language   "American English"
territory  "United States"
revision   "1.0"
date       "2024-12-30"

category "i18n:2012";LC_IDENTIFICATION
category "i18n:2012";LC_CTYPE
category "i18n:2012";LC_COLLATE
category "i18n:2012";LC_TIME
category "i18n:2012";LC_NUMERIC
category "i18n:2012";LC_MONETARY
category "i18n:2012";LC_MESSAGES
category "i18n:2012";LC_PAPER
category "i18n:2012";LC_NAME
category "i18n:2012";LC_ADDRESS
category "i18n:2012";LC_TELEPHONE
category "i18n:2012";LC_MEASUREMENT
END LC_IDENTIFICATION

LC_CTYPE
copy "en_GB"
END LC_CTYPE

LC_COLLATE
copy "iso14651_t1"
END LC_COLLATE

LC_MONETARY
int_curr_symbol     "EUR "
currency_symbol     "<U20AC>"
mon_decimal_point   "."
mon_thousands_sep   ","
mon_grouping        3;3
positive_sign       ""
negative_sign       "-"
int_frac_digits     2
frac_digits         2
p_cs_precedes       1
int_p_sep_by_space  1
p_sep_by_space      0
n_cs_precedes       1
int_n_sep_by_space  1
n_sep_by_space      0
p_sign_posn         1
n_sign_posn         1
END LC_MONETARY

LC_NUMERIC
decimal_point  "."
thousands_sep  ","
grouping       3;3
END LC_NUMERIC

LC_TIME
abday  "Sun";"Mon";"Tue";"Wed";"Thu";"Fri";"Sat"
day    "Sunday";"Monday";"Tuesday";"Wednesday";"Thursday";"Friday";"Saturday"
abmon  "Jan";"Feb";"Mar";"Apr";"May";"Jun";"Jul";"Aug";"Sep";"Oct";"Nov";"Dec"
mon    "January";"February";"March";"April";"May";"June";"July";"August";"September";"October";"November";"December"
week   7;19971130;4
first_weekday 2
first_workday 2

% date and time representation (%c)
d_t_fmt "%F %T"

% date representation (%x)
d_fmt "%Y-%m-%d"

% time representation (%X)
t_fmt "%T"

% Strings for AM/PM
am_pm "AM";"PM"

% AM/PM time representation (%r)
t_fmt_ampm "%I:%M:%S %p"

% Appropriate date and time representation for date(1). This is
% different from d_t_fmt for historical reasons and has been different
% since 2000 when date_fmt was added as a GNU extension. At the end
% of 2018 it was adjusted to use 12H time (bug 24046) instead of 24H.
date_fmt "%F %T %Z"
END LC_TIME

LC_PAPER
% show current: locale -k LC_PAPER # A4 = 297 x 210
copy "i18n"
END LC_PAPER

LC_MEASUREMENT
copy "i18n"
END LC_MEASUREMENT

LC_MESSAGES
yesexpr "^[+1yY]"
noexpr  "^[-0nN]"
yesstr  "yes"
nostr   "no"
END LC_MESSAGES

LC_NAME
name_fmt  "%d%t%g%t%m%t%f"
name_miss "Miss."
name_mr   "Mr."
name_mrs  "Mrs."
name_ms   "Ms."
END LC_NAME

LC_ADDRESS
postal_fmt   "%a%N%f%N%d%N%b%N%h %s %e %r%N%T, %S %z%N%c%N"
country_name "United States"
country_post "USA"
country_ab2  "US"
country_ab3  "USA"
country_num  840
country_car  "USA"
country_isbn 0
lang_name    "English"
lang_ab      "en"
lang_term    "eng"
lang_lib     "eng"
END LC_ADDRESS

LC_TELEPHONE
tel_int_fmt "+%c (%a) %l"
tel_dom_fmt "(%a) %l"
int_select  "11"
int_prefix  "1"
END LC_TELEPHONE
```
Source: serverfault, ccollins