R.I.P. Wable: Fun While It Lasted

completetech · Jun 25, 2015

KUMARULLAL I did try the steps you mentioned above. however, upon performing them, and doing the reboot. I can no longer access the system. Although I will say part of my issues may have to do with my lack of sleep and 14+ hour days of working hard and not smart at my business.

One thing to note may be too that NetworkManager does appear to be installed. At least that is what the system is telling me after trying to stop the service.

I'm beginning to think that its time to jump ship and try out DigitalOcean or one of the other providers as this is way to much of a headache

completetech · Jun 26, 2015

ok...ok....ok..... so I am going to kick myself in my own @$s...... the issue is between the chair and the keyboard.....

I have forgot how locked down a new install is.

Once I connect back to my "home ip" and not the "office ip" and try and connect life is fine. if I switch IP's I can not connect........

So now it looks like I just need to get the rest of the server set up and working so I can have access to it.

completetech · Jun 30, 2015

wardmundy said:
To have a secure platform with IPtables, you either have to use Dynamic DNS updating on the client side or use a VPN on the client devices. PortKnocker will work, but it means there's an extra step before the phones will work, and then they only work until the IP address changes.

wardmundy can you explain this some? I am trying to get this working myself and having issues to some extent. Basically I do have to have a DynamicDNS setup for my phone and have the client on my cell running in the background in order for it to work. which then I guess sort of defeats the purpose of having or using knockd unless I'm missing something?????

wardmundy · Jun 30, 2015

PortKnocker isn't an option on Wable. Here's why.

completetech · Jul 3, 2015

wardmundy I know, I saw that as well. I was just curious if you had anymore insight into it.

I'm thinking that they would be a good place in general to "play around with" to slap together some machines or things you may want to check some functionality with. But not much more. I say this because now for the past few days after a little while (not sure exact amount of time) Asterisk from the status screen shows down and no remote clients can connect via SIP device / phone. Very strange behavior. Makes it very hard to test at the end of the day of working if I have to login via SSH and do an "amportal restart" in order to have my test SIP device "re-connect" back to it.

wardmundy · Jul 3, 2015

completetech: Thought for a while they might be a less costly alternative to the penny-an-hour Digital Ocean, but there are too many OpenVZ quirks to be a reliable sandbox for testing new features so we're headed back to DO. Also can't beat the DO $10 credit using the Nerd Vittles referral link. :clover:

TonyColorado · Jul 9, 2015

I suppose my original question has been answered - there are indeed some "quirks" running a PBX on an OpenVZ powered virtual server. I think that this is important info so I have updated the original post with a few words of caution to anyone considering Wable (or, any OpenVZ platform)

... This is just one example of the awesome collaboration and information sharing that I've seen since joining these forums. Super exciting to be part of this community! You guys rock.

krzykat · Aug 10, 2015

Anyone still using Wable? I've had a couple backup servers running there for a couple of months now with zero issues ???

wardmundy · Aug 10, 2015

If your applications can tolerate the OpenVZ platform, it works great. Things that require kernel hooks can be a deal-breaker.

completetech · Aug 12, 2015

I have not really had any issues.

P.S..... I also figured out that I can get port knocker working. Took some banging of my head to realize that I needed a bit simpler approach. But it seems to work flawlessly from my experience.

P.S.S.... I have not extensively tested it in a mock "production" type environment. But for 2 weeks on and off it worked via a crappy WiFi connect at a new Tanger mall we were working at.

wardmundy · Aug 12, 2015

completetech said:
I have not really had any issues.

P.S..... I also figured out that I can get port knocker working. Took some banging of my head to realize that I needed a bit simpler approach. But it seems to work flawlessly from my experience.

P.S.S.... I have not extensively tested it in a mock "production" type environment. But for 2 weeks on and off it worked via a crappy WiFi connect at a new Tanger mall we were working at.

Please share the Magic Trick. :drool5:

vic555 · Aug 12, 2015

wardmundy said:
Please share the Magic Trick.

http://shorewall.net/OpenVZ.html may apply, as some fairly recent discussion is aimed at establishing a rudimentary, port knocking scheme with iptable configurations. Shorewall is open source linux firewall/iptable configurator that apparently works with the OpenVz model. Magic?

I hope, .....but like most technology, it comes at a price.

completetech · Aug 12, 2015

ok... So I am going to have to make it quick and to the point as I am dealing with a bit much right now with work. But heres the "rough" steps I took to get it going.

Pre-Starting: Make sure you are doing this from the location (i.e. your IP address you started the container with)

1.) make sure to to get signed up for a DYNDNS type account. I used DuckDNS.org (you get 4 for free)
2.) add a DuckDNS, DYNDNS and put it on something, I used my Samsung Galaxy Note 4, and follow the prompts to add your token and get the device setup and verify it on DuckDns.org that it really is updating
3.) add your FQDN via SSH to box as root (./add-FQDN) e.x.

Code:

./add-fqdn note4 myphone.duckdns.org

3 a.) I choose all options under privileges to test with since I can delete this account later
4.) change the /root/ipchecker file via nano as describer in wardmundy guide to reflect your new FQDN under

Code:

account[0]=

5.) add the time limit that you desire to

Code:

/etc/crontab

as also described on NerdVittles.com (I chose 3 minutes, I'm impatient)
6.) configure a port knocker utility. I used PortKnocker as suggested by Ward on NerdVittles.com article for my Note 4. And added the 3 unique ports
7.) test out by running Port Knocker on your device (you dont have to use Port Knocker, just for my case it made things easier)
8.) you can if still SSH'd in to the box in question, look at the ipchecker.log file. The only thing that would hold up this process is possibly having to wait the amount of time you have allotted in crontab for the script to run & the DYNDNS client update time.

Hope this helps. This post as raw and unedited as it is has now taken me since about 3:15pm EDT until now which is 10:30PM EDT. Being busy is nice. Yet has it's downsides as well.

*** Knock on Wood......... Everything has worked fine with this setup for 2-3 weeks now using "public" WiFi which was of course not the greatest being at a mall, but hey, no cell coverage during that time and its what I had to work with. And it worked great during that time even as horrible as the WiFi was.

wardmundy · Aug 13, 2015

Thanks. Sounds like he fixed the missing piece in the kernel. Great news! Now if we could only get ipset working to block countries, it'd be perfect.

Dave Gray · Aug 13, 2015

I guess I would point out, that if you're using a known DNS address, via a DYNDNS, and setting that address via add-fqdn, then you are *not* using portknocker at all. (https://goo.gl/i2HpJY)

completetech · Aug 13, 2015

True Dave. However. Try using just port knocker. See if it works for you. So far this method is the only way I've found that allows access to the machine (using both on the method described ).

I could do something different I'm sure. But based on the responses by everyone here and in other topics I created by people a lot smarter then me. It wasn't possible. The method I used makes it possible for a remote "device/worker/etc" to connect back to the box.

If I only use port knocker to try and connect and monitor the logs. It doesn't make it passed the 2nd step (if I remember correctly ). This method allows it to succeed then. I guess I haven't tried elminating port knocker all together and see what happens. I guess I'll have to give that a shot and see.

wardmundy · Aug 13, 2015

completetech Take a look at this week's Nerd Vittles article and search for trick. That's an easy way to avoid the whole PortKnocker drill, but I'm not sure it works with OpenVZ platform.

completetech · Aug 13, 2015

I'll give it a try later on when I'm a bit more stationary. Currently I'm on the road

completetech · Aug 13, 2015

If I do remember correctly though. I could only get it to work by using port knocker.

I guess since I'm mobile I could try it without using port knocker

Dave Gray · Aug 13, 2015

Portknocker is never going to work on Wable. Wable is not using a 'true' virtual machine, it's a container. You can't actually get privileged access to the kernel. (Try running lsmod, for example. You cannot see the running kernel's modules. You cannot install a new kernel. You cannot run dmesg, the dmesg log file is empty.)

Take a look at the log (/var/log/portknockd if I remember right.) You should see each knock attempt, followed by an "open sesame". Do you see that?

What you have done, is the old, original Travelin' Man setup (forget if it's original or 2). You allow a domain name, then use dynamic DNS to keep the IP address (which is what the firewall cares about) current.And that's OK.

Knockd needs to see the packets off the wire, before the firewall gets them, which the Linux TAP device, or a BSD BPF (Berkeley Packet Filter) device allows. Both require direct access to the kernel, which you can't have.

R.I.P. Wable: Fun While It Lasted

Guru

Guru

Guru

Nerd Uno

Guru

Nerd Uno

Guru

Telecom Strategist

Nerd Uno

Guru

Nerd Uno

Member

Guru

Nerd Uno

Guru

Guru

Nerd Uno

Guru

Guru

Guru

Forum statistics