Upgrade-All Script for OpenWRT

In my experience, neither opkg’s command line interface nor LuCI’s web interface will let you perform all available upgrades in one go.

They make you do each one, one at a time. Maybe for safety reasons?

If you accept the risks involved and want to save some time like I did, make yourself a script:

#!/bin/sh

opkg update
upgradables=$(opkg list-upgradable | awk '{print $1}') || exit 0
[ -z "$upgradables" ] && echo "No packages to upgrade." && exit 0
echo "Upgrade: $upgradables"; read -p "Enter y/n: " r
[ "$r" = "y" ] && opkg upgrade $upgradables

This is genuinely quite useful, and it also is a very good bash scripting example that I wanted to share.

Save it, chmod +x, rock and roll.

Probably should keep a copy on your workstation too, because unless you put it somewhere on the router that’ll survive reboots it may get lost during one.

Network wide ad-blocking with dnsmasq

PiHole is a thing, and so is AdGuard Home. These are both excellent and work well. They’re easy: you don’t have to be a network administrator to get up and running.

I’ve been a satisfied PiHole user for about a year, but I wanted something a little cleaner. Here is what I don’t like about PiHole:

  1. It isn’t a “normal” package. Perhaps “conventional” would be a better word; you need to use their install script. This makes updating a pain, and personally I think it is a messy way of doing things.
  2. The web interface wants to install its own server, on port 80. You can change this, and I did. Things were working fine, then I updated and the web portion no longer worked because they’ve switched to Lua… so more configuration needed, or use the web server it comes with.
  3. It is essentially just a re-release of dnsmasq, with a web front end slapped on.

So, let’s talk about doing the exact same thing with the normal dnsmasq package that your distro comes with.

IMO, the special sauce of PiHole is Steven Black’s hosts list. This is what PH uses out of the box to block ads, trackers and other malicious sites. Available on GitHub here: https://github.com/StevenBlack/hosts

This file is laid out like a normal hosts file (0.0.0.0 somename.com) and we need to change that to something dnsmasq will understand. Dnsmasq needs it written like this, address=/somename.com/0.0.0.0

We can do that with a simple script. In my case, I wrote one which will grab the list for me, format it for dnsmasq and then put it in the dnsmasq.d config directory. Note, this does mean you’ll need to run with sudo, or do this in a way that you’re putting it in with the correct permission to do so.

#!/bin/bash

BLOCKLIST_URL="https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"
BLOCKLIST_FILE="/tmp/stephenblack_hosts"
OUTPUT_FILE="/etc/dnsmasq.d/100_stephenblack.conf"

# Download, process, and create dnsmasq config.
# Only "0.0.0.0 <name>" entries are converted, so the list's own
# localhost/broadcasthost lines are not turned into block rules.
wget -q -O "$BLOCKLIST_FILE" "$BLOCKLIST_URL" && \
awk '$1 == "0.0.0.0" && $2 != "0.0.0.0" {print "address=/" $2 "/0.0.0.0"}' "$BLOCKLIST_FILE" > "$OUTPUT_FILE" && \
systemctl restart dnsmasq && \
echo "Blocklist update and dnsmasq configuration complete!" || \
{ echo "Error occurred."; exit 1; }
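
A more defensive version of the same update, as an added example rather than the author's script: it accepts only well-formed 0.0.0.0 entries, works in a private temp directory instead of a fixed /tmp name, and syntax-checks the result with dnsmasq --test before touching the live config. MIN_ENTRIES and the function names are assumptions.

```sh
#!/bin/sh
# Added example, not the original post's script. URL and OUT are the values
# used in the post; MIN_ENTRIES and the function names are assumptions.
URL="https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"
OUT="/etc/dnsmasq.d/100_stephenblack.conf"
MIN_ENTRIES=1000    # assumed sanity floor: refuse an empty or truncated list

# hosts-format text on stdin -> dnsmasq address= lines on stdout.
# Keeps only "0.0.0.0 <name>" entries whose name is a plain hostname. That
# drops the localhost/broadcasthost lines and any field containing '/' or
# '#', which are syntax in address= ("/#/" matches every domain).
hosts_to_dnsmasq() {
    tr -d '\r' | awk '$1 == "0.0.0.0" {
        h = tolower($2)
        if (h != "0.0.0.0" && length(h) <= 253 && h ~ /\./ && h !~ /\.\./ &&
            h ~ /^[a-z0-9_]([a-z0-9_.-]*[a-z0-9_])?$/)
            print "address=/" h "/0.0.0.0"
    }' | sort -u
}

# Constructed sample input, only to show what the filter keeps and drops.
sample_hosts() {
    printf '%s\n' '# comment' '127.0.0.1 localhost' \
        '255.255.255.255 broadcasthost' '0.0.0.0 0.0.0.0' \
        '0.0.0.0 Ads.Example.com' '0.0.0.0 tracker.example.net # note' \
        '0.0.0.0 #' '0.0.0.0 bad.example/10.0.0.1'
}

# Download into a private temp dir, build and syntax-check the config, and
# only then replace the live file and restart. Run as root.
update_blocklist() (
    work=$(mktemp -d) || exit 1
    trap 'rm -rf "$work"' EXIT
    wget -q -O "$work/hosts" "$URL" || exit 1
    hosts_to_dnsmasq < "$work/hosts" > "$work/block.conf" || exit 1
    [ "$(wc -l < "$work/block.conf")" -ge "$MIN_ENTRIES" ] || exit 1
    dnsmasq --test --conf-file="$work/block.conf" || exit 1
    install -m 0644 "$work/block.conf" "$OUT" && systemctl restart dnsmasq
)

# "sh script.sh --update" performs the update; with no argument the script
# just prints the converted sample.
if [ "${1:-}" = "--update" ]; then update_blocklist; else sample_hosts | hosts_to_dnsmasq; fi
```

If any step fails, the existing blocklist stays in place and dnsmasq is not restarted.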

Now, to get this to work, you’ll have to edit /etc/dnsmasq.conf and uncomment (or add) the line conf-dir=/etc/dnsmasq.d. This is a massive file, so use search in your editor. Because the file is so large, make yourself a separate file in dnsmasq.d called 99_custom.conf and put DNS-related settings in there. Here is mine; it has most of what one might want to play with DNS-wise.

# Custom Configuration file for dnsmasq.
# ---------------------------------------
# These are the most relevant, DNS related options.
# All DHCP related options are in /etc/dnsmasq.conf

# To set upstream servers here; in case resolv.conf changes
no-resolv
server=1.1.1.1
server=9.9.9.9

# If you don't want dnsmasq to poll /etc/resolv.conf for changes
#no-poll

# Never forward plain names (without a dot or domain part)
domain-needed
# Never forward addresses in the non-routed address spaces.
bogus-priv

# Uncomment these to enable DNSSEC validation and caching:
# (Requires dnsmasq to be built with DNSSEC option.)
#conf-file=%%PREFIX%%/share/dnsmasq/trust-anchors.conf
#dnssec

# Replies not DNSSEC signed may be legitimate. Because the domain
# is unsigned, or may be forgeries. Dnsmasq can check unsigned replies.
#dnssec-check-unsigned

# Change this line if you want dns to get its upstream servers from
# somewhere other than /etc/resolv.conf
#resolv-file=

# Use upstream DNS server in order, or any available.
#strict-order

# Add other name servers here, (if non-public domains).
#server=/localnet/192.168.0.1

# Add local-only domains here, queries in these domains are answered
# from /etc/hosts or DHCP only.
local=/lan/

# Add domains which you want to force to an IP address here.
# This is also how ad-blocking works. (point @ 0.0.0.0)
#address=/double-click.net/127.0.0.1

# Run dnsmasq as...
#user=
#group=

# Use specific network interface, bind to LAN (only) if doing NAT.
# You don't want to make your DNS avail to the public internet.
#bind-interfaces

# Set the cache size here. Default is 100, max is 10000
cache-size=10000

# If you want to disable negative caching (non-working names)
#no-negcache

# May serve potentially stale data, you can set a custom time-to-live
local-ttl=900

# For debugging purposes, log all queries (will use many MB in a day)
#log-queries

# Good idea if you're passing out this DNS server directly to clients
addn-hosts=/etc/hosts

# Option to disable ipv6, shouldn't need to enable
#no-ipv6

I’ve got no-resolv set here, because if you tell your router to hand out this machine for DNS then it’ll get only itself as a source and well, you won’t have working DNS. So either keep no-resolv and set your upstream servers in this custom file, or make sure you’re not using anything which is going to overwrite your resolv.conf entries.

For those interested, here’s how you could deal with that:

Adding dns-nameservers 1.1.1.1 9.9.9.9 to /etc/network/interfaces (if you’re using ifupdown)

Putting supersede domain-name-servers 1.1.1.1, 9.9.9.9; into your /etc/dhcp/dhclient.conf file, should you be using dhclient for a dynamically assigned address. Good idea to do this, if you use any NICs with DHCP unless you told dnsmasq to ignore resolv.conf.

And well, I think that’s about it. The last step is going into your router, setting the machine /w dnsmasq as the DNS server… and of course, adding any names you want/need to resolve on your LAN to the DNS server’s /etc/hosts file.

Enjoy!

A fail-safe for changing network config on headless servers

I’ve been setting up a Lenovo tiny system, which came with an M.2 wifi card. I’m going to probably replace it with another Intel GB / 2.5 GB adapter at some point, but right now I don’t really have a reason to. It is always a little scary when you make major changes to your network configuration on a headless system. This box isn’t physically far away, but it is indeed tucked away in another part of the house and I have no desire to bring a monitor over to it.

I realized, the wifi could serve a purpose in case I bork the bridge config somehow, or something unexpected breaks my configuration. Because I used wifi for the Debian netinstall, ifupdown already connects to wifi on boot, so there’s my failsafe. However, I don’t want or need that to stay up after the wired network is up. So I came up with this:

@reboot sleep 60 && ping -c 3 -I br0 10.0.0.1 >/dev/null 2>&1 && ifdown wlp2s0

Put this in root’s crontab. 60 seconds after cron starts, it will try to ping something on the LAN over br0, trying three times. If it can ping successfully, we bring down our backup interface. Beautiful.

This would make even more sense with a cheap USB network adapter just to have a failsafe if you’re experimenting and don’t want to lock yourself out of a system without a monitor (or even a physical serial port, for that matter).

Fail-safe, for what? – long version, for those so-inclined

Well, I wanted to be able to easily network some VMs on this thing, so I set up bridged networking. For those who don’t know, this is how Proxmox lets your VMs basically all share a NIC and each get a DHCP lease from your main network, no double-NAT nonsense, and no need to configure static routes either. I briefly did try ProxMox on this thing, and not to talk down of it but there is a reason I don’t use it… has way too much going on out of the box that I’ll never use. It is a great product, and it definitely has its place but I like the minimal-manual style of setting things up. If I wanted to take advantage of the cluster / high availability features or ZFS snapshots then it is a great way to save you a ton of hassle manually setting up some pretty complicated stuff… But I’m not doing anything that fancy. Proxmox IMO is overkill if you just need to run a few VMs, jails or containers. It is convenient as a “poor man’s KVM” though.

Laptop Motherboard hacked into Minimal Web Server

I had an old Core 2 based “Pentium” laptop kicking around, battery long past dead, no charger either.  Only had 2 GB of RAM, wifi card was already missing… No HDD either! I really had no use for the laptop.

Old parts we won't be needing

So, what to get rid of? Well, as you’ll see further along, I wanted to make this a more compact and simple solution. For most people it probably would make the most sense to just leave your old laptop as, well… a laptop. This thing is nothing special though. Don’t get me wrong, it is 15 years old sure, but that isn’t why it’s considered by most to be nothing more than e-waste. This 15 year old laptop specifically was pretty poorly spec’d even when it was new. New, this PC was between $300 – $400, in 2009. So, that is why the battery is no longer in the mix; I have enough paperweights. This battery hasn’t held any charge in a long time. The hinges, webcam, USB ports? Save those for another project. If that’s your thing.

Also won't need these.
Underside

The furniture pads keep the board up and off my desk so it sits with (albeit a small amount of) dignity. Here we can see a dirty secret… White tape covering the blindingly bright white and orange LEDs. That little LED board also holds the power button. Kinda important. Some hot glue was used here; hot glue can make a project go south quickly, but in some cases it can be forgiven. In the lower left corner you may have spotted the solution to my lack of a hard drive.

Killer feature

Like I said, a big Raspberry Pi.  It even boots from an SD card!

    Putting an operating system on something like an SD card isn’t something I’d recommend.  However, as seen here it is quite convenient to test multiple configurations.

This is actually sort of a neat feature. It is, and it isn’t. Onboard SD card readers are usually less than stellar and this one is no exception. Bear in mind, this laptop doesn’t have any USB3 ports. Even if it was new enough to have USB3, the card reader would more than likely be USB 2.0.

Future plans include a SATA hard drive. Mechanical, SSD, who cares. But a proper hard disk will be incorporated when one falls into my lap. Till then, this website is brought to you via this FreeBSD powered franken-server. 128 GB of SanDisk goodness.

Technical Resources & Great Websites

Useful resources for geeks using BSD:

FreeBSD live boot images /w SSH enabled. Boot & use / remote installation.
Highly recommended: mfsBSD and mfslinux

FreeBSD WiFi Basic Setup / Configuration – Well put together here

Beginner BSD basics (10 page PDF)  – For people new to FreeBSD & UNIX

Installing & Configuring Graphics Drivers on FreeBSD  – Handbook Chapter 5

Installing Desktop Environments on FreeBSD – Handbook Chapter 8

NetBSD Performance and Power Management Tweaks  – Post on unitedbsd.com

Useful resources for geeks using GNU/Linux:

UC Berkeley Open Computing Facility Mirror – I can get 300 Mib/sec down!
Definitely a great place to download both BSD and Linux from. They mirror many popular projects.    HTTP   HTTPS

The Debian Administrator’s Handbook  – Very well organized HTML book

Building a Debian Kernel Package – Easier than you may think Debian Wiki
Detailed rundown of Linux’s init systems (sysv, systemd) a bit outdated but quite comprehensive yolinux.com Init Tutorial

The T2 System Development Environment  – aims to support all CPU architectures, including maintaining or bringing back architectures which have been dropped in the mainline kernel.  Intel Itanium support as well as fixing drivers and other things which didn’t need to be broken or removed simply because they were “old”.
Visit t2sde.org. The developer documents much of his progress in a series of videos.

Useful resources for hardware hacking & modifications:

OpenWRT Project Table of Hardware  – List of devices supported by OpenWRT
The OpenWRT project is a completely free and open source Linux system intended to replace the firmware on your router / wireless AP. It has tons of packages available and has a very active community and development scene.  I’ve used it for years, it is incredibly good firmware.  If you’ve never heard of it think DD-WRT but better, in my opinion.

Parkytowers.me.uk has a website dedicated to re-purposing “thin client” PCs into general purpose PCs, Linux boxes, servers, etc.  This guy has written up information on HUNDREDS of these things, and details hardware and software hacks to get more functionality out of them.  Check it out!  https://www.parkytowers.me.uk/thin/
(you click the DETAILS link and get to a page with all the OEMs down the left side)

© 2025 LostGeek.NET - All Rights Reserved. Powered by ClassicPress, NGINX, Debian GNU/Linux.