Holiday time, home network improvement time :)

IPv6

Like most ISPs in Germany, Telefonica/O2 STILL does not provide IPv6 to their residential customers. During the past year I've been using the IPv6 tunnel broker offering from Hurricane Electric (HE). An alternative service would have been SixXS, but besides having multiple local PoPs, it lacks some functionality and I had a very bad experience with their support team. Being called a liar and getting insulted because of a typo or an overcautious fraud detection system is not nice, guys.

HE provides you with a /64 network and an optional /48 if 18446744073709551616 hosts simply don't cut it and you rather need 1208925819614629174706176. HE turned out to be super reliable, fast and of great value - well, it's free. The documentation is a bit scarce and the user interface obviously targets experienced users. However, I made my way through and also migrated my domains' DNS/rDNS services there. A real killer feature is the included DDNS (Dynamic-IP-to-DNS mapping) option, so you can update and assign a dynamic IP to a regular A or AAAA record without CNAMEing via one of those dyndns domains. Especially mail servers don't like CNAMEs for sender domains/servers. Thanks HE, you're awesome!

Now, having my router configured for DDNS and tunneling IPv6 is one thing, but I wanted to use native IPv6 for all clients within my home network. Turns out that dd-wrt, which powers my Asus RT-AC66U router, has solid support for RA (Router Advertisement) and DHCPv6. Certain features do not work reliably with specific dd-wrt beta (i.e. recent) builds, so I had to trial-and-error my way to "v3.0-r27858 giga" to find a "good" build. Configuring IPv6 is straightforward, but some components, especially wide-dhcpv6, are very picky about their syntax and not very verbose when it comes to errors. Therefore I'm sharing the configuration; I hope it will help others and spare some frustration.

A central thing to understand with IPv6 is that DHCP works a bit differently compared to IPv4. In good ol' IPv4, DHCP provided clients with information about DNS, Gateway/Router, Subnets and of course an IP address. With IPv6 those tasks are split between RA and DHCP. RA takes care of providing router information to the local network, while DHCP assigns everything except router information. RA can actually also provide prefix information, which lets clients generate their own IPv6 address from that prefix (SLAAC). Most small networks will just work fine with RA, but DHCPv6 is more powerful in terms of assigning ranges or even doing reservations for specific hosts. Therefore I chose to go with RA and DHCPv6 to learn some stuff in the process.

To configure DHCP for IPv6, enable "Dhcp6s" at the "Setup" -> "IPv6" tab of dd-wrt. Also enable "Dhcp6s custom" and provide a configuration like this:

option refreshtime 900;
#option domain-name-servers 2001:470:1f0a:d2a::2;
option domain-name "heiland.io";

interface br0 {
allow rapid-commit;
address-pool home 3600;
};

pool home {
range 2001:470:1111:aaaa:acab:c0ff:ee:1 to 2001:470:1111:aaaa:acab:c0ff:ee:ffff;
};

host vip {
duid 00:01:00:01:1d:9f:e9:8d:20:c9:aa:bb:cc:dd;
address 2001:470:1111:aaaa:acab:c0ff:ee:1337 infinity;
};

The domain-name-servers option is commented out since I chose to distribute DNS resolver information via radvd. Usually that would be a task handled by the DHCP server, but my efforts so far were not working out: for some reason the local address of the router was propagated as DNS server even though I'm not running a DNS cache or forwarder there. This could be some dd-wrt quirk.

I'm distributing the search domain and IPv6 client addresses via DHCP. As an example I added a specific host that shall get a reserved IPv6. Note that you can assign multiple IPv6 ranges to multiple interfaces if needed. Compared to IPv4 DHCP, hosts are specified via their DUID instead of just their MAC address. For the common DUID-LLT type (the "00:01" prefix in the example above), the MAC address of the network card is still part of the DUID, but it gets prefixed by a timestamp that is generated by software, usually when installing your OS.

Getting your client's DUID is a bit more complicated than just getting a MAC address. Johannes Ullrich posted a nice article about where to find it on various operating systems. Again, wide-dhcpv6 is very picky about syntax: duid 0:1:0:1:1d:9f:e9:8d:20:c9:aa:bb:cc:dd would not work properly, while duid 00:01:00:01:1d:9f:e9:8d:20:c9:aa:bb:cc:dd does.
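To take the guesswork out of that DUID syntax, here is a small Python helper (an added example, not part of the original post and not code from dd-wrt or wide-dhcpv6) that zero-pads a loosely written DUID into the two-digit form dhcp6s accepts and decodes the DUID-LLT fields (hardware type, generation timestamp, MAC). The DUID values are the constructed ones from the config above.

```python
from datetime import datetime, timedelta, timezone

# DUID-LLT (type 1) layout per RFC 8415, section 11.2:
#   2 bytes DUID type (0x0001), 2 bytes hardware type (1 = Ethernet),
#   4 bytes time (seconds since 2000-01-01 00:00:00 UTC, modulo 2**32),
#   followed by the link-layer address (6 bytes for Ethernet).
DUID_EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)


def normalize_duid(text):
    """Return a DUID as colon-separated, two-digit hex octets.

    Accepts loosely written octets such as '0:1:0:1:...' (as some tools
    print them) and rejects anything that is not a sequence of byte values.
    """
    octets = []
    for part in text.strip().replace("-", ":").split(":"):
        if not part or len(part) > 2:
            raise ValueError(f"bad DUID octet: {part!r}")
        value = int(part, 16)  # raises ValueError on non-hex input
        octets.append(f"{value:02x}")
    return ":".join(octets)


def parse_duid_llt(text):
    """Decode a DUID-LLT into its fields; raise ValueError for other types."""
    raw = bytes.fromhex(normalize_duid(text).replace(":", ""))
    if len(raw) < 8:
        raise ValueError("DUID too short for a DUID-LLT header")
    duid_type = int.from_bytes(raw[0:2], "big")
    if duid_type != 1:
        raise ValueError(f"not a DUID-LLT (type {duid_type})")
    hw_type = int.from_bytes(raw[2:4], "big")
    seconds = int.from_bytes(raw[4:8], "big")
    lladdr = raw[8:]
    if hw_type == 1 and len(lladdr) != 6:
        raise ValueError("Ethernet DUID-LLT needs a 6-byte MAC address")
    return {
        "hw_type": hw_type,
        "generated_at": DUID_EPOCH + timedelta(seconds=seconds),
        "mac": ":".join(f"{b:02x}" for b in lladdr),
    }


if __name__ == "__main__":
    # Constructed sample: the loosely written form from the text above.
    loose = "0:1:0:1:1d:9f:e9:8d:20:c9:aa:bb:cc:dd"
    print("duid", normalize_duid(loose) + ";")
    print(parse_duid_llt(loose))
```

The timestamp tells you when the client's DHCPv6 stack first generated its DUID, which is handy for spotting a reinstalled machine that no longer matches its reservation.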

RA is implemented by the radvd service, which is enabled on the same page. "Radvd config" allows you to specify some more details, like this:

interface br0
{
AdvManagedFlag on;
AdvSendAdvert on;
AdvOtherConfigFlag on;
MinRtrAdvInterval 3;
MaxRtrAdvInterval 10;
RDNSS 2001:470:20::2 2001:418:3ff::53
{
};
};

This is a very simple configuration; note that it does not advertise any prefix (so no SLAAC), since assigning addresses is done via DHCP. IPv6 DNS resolver configuration is performed via the RDNSS option.

Tada, 20/20 at ipv6-test.com

DNS

Next, I headed to my DNS setup. My colleague Bert recently gave a great presentation that outlined how important proper DNS is for a good online experience. Virtually any service nowadays depends on DNS, and websites trigger dozens of lookups that suffer from bad DNS performance. Google introduced their Public DNS as a cure-all solution, and almost 500M users re-configured their default DNS to point to Google or use it as the default with Android. That service is blazing fast and reliable, no discussion about that. However, Google already knows all your searches - using their DNS also exposes all your other online activity to them, even without using a Google account.

So I gave namebench a spin and tested several DNS servers close to my IPv4 and IPv6 exit points. The results were quite interesting, especially when it comes to speed: the gap between fast and slow services was about 40%. The default IPv4 DNS of my ISP was already good and I kept it as secondary DNS. I added the quickest one as primary and a backup DNS in a different state as tertiary. My local clients get the IPv4/IPv6 address of the router as DNS, which acts as a forwarder. I ended up with the following servers, which were quick, uncensored and reliable:

IPv4

  • 193.189.250.100 (Telefonica, Kassel)
  • 213.191.74.18 (Hansenet, Hamburg)
  • 213.73.91.35 (CCC, Berlin)

IPv6

  • 2001:470:20::2 (HE, Fremont)
  • 2001:418:3ff::53 (NTT, Denver)

During vacation I decided to give my blog a makeover. It was hosted at Blogger for a couple of years and hopelessly outdated. Over time I felt it was too limited for "tech stuff". Not that there was a lack of topics to cover; blogging just never felt "natural" to me. I also recognized that it's quite pointless to replicate content which has already been written a dozen times.

So, for the makeover I set up Nginx on a virtual server. It came as a great coincidence that the folks at Let's Encrypt chose me for their closed beta. A set of commonly trusted SSL certs certainly fueled my interest a bit more. In that process I optimized the site's SSL configuration. Remy van Elst has put out a great collection of Nginx/SSL related topics. While deploying all those settings and tune-ups it crossed my mind that back in 1998 "SSLEngine on" (Apache 1.3) was almost all someone needed to secure their HTTP traffic. Well, nowadays you have to be aware of a dozen potential attacks, cipher suites, special headers and whatnot. No wonder people are fleeing into the arms of content silos which provide all that as a service.

Evaluating the blog-o-sphere showed that most technically good solutions require you to hand your blog posts over to some media/advertising based company. Meh, I just got away from that when leaving Blogger. In the self-hosted area there still is the usual suspect: Wordpress.

Given the available system resources, the clunkiness and the security issues of dynamic sites, I went in another direction. Well, my decades-long dislike of PHP and current interest in NodeJS led me to Hexo. In a nutshell, this is a static site generator which transforms Markdown to HTML and adds some prettiness using CSS based on themes. It's nowhere near as "powerful" from a feature perspective, but that was exactly what I was looking for. Heck, it even lacks a rich-text editor - typing these posts in vim feels awkwardly "personal" and cool. It might just be the perfect fit, since I developed quite a minimalistic approach to IT over time.

So, what to expect on this blog? I definitely will get into daily life stuff more, share some experiences and awesome articles I stumbled upon, and review stuff. Tech will obviously always be a part, but not the primary reason to keep a blog. I'll keep English as the default for my postings but may occasionally switch to German for more regional topics.

Imagine the following task:

“Use a script to open https://www.example.com/ in Private Browsing mode.”

Well, this does not seem to be an overly sophisticated requirement and should be a rather easy task to implement. For most browsers, that's absolutely true.

Microsoft Internet Explorer

iexplore.exe -private https://www.example.com/

Google Chrome

chrome -incognito https://www.example.com/

Mozilla Firefox

firefox -private-window https://www.example.com/

Apple Safari

  1. Go to “System Preferences -> Security & Privacy -> Privacy -> Accessibility”
  2. Click “Add”, select “Applications -> Utilities -> Terminal”
  3. Just execute this simple command…
osascript -e 'tell application "Safari" to activate
tell application "Safari"
close window 1
end tell

tell application "System Events"
tell process "Safari"
tell menu bar 1
tell menu bar item "File"
tell menu "File"
click menu item "New Private Window"
end tell
end tell
end tell
end tell
end tell

tell application "Safari" to set the URL of the front document to "https://www.example.com/"'

In a nutshell, this AppleScript launches Safari and right away closes the first browser window, which is non-private. Then it uses the OS X accessibility features to click through the menu bar and open a Private Window. Finally it sets the address of the focused window to the desired URL.

Well… praise Apple for making intuitive software that just works. Magical. </rant>
