I’m using OpenVPN on my Synology DiskStation with certificates instead of Preshared Keys. A few days ago I’ve wanted to login to my VPN and it wasn’t working. After checking the log file I’ve seen that there were some issues with the used configuration file for OpenVPN.
Tue Nov 20 23:04:27 2018 Cipher algorithm 'TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CB' not found
Tue Nov 20 23:04:27 2018 Exiting due to fatal error
How can this be? The configuration worked for months without problems? I’ve started to remember that I’ve started to increase the security of my OpenVPN configuration using a few parameters. The Cipher algorithm is one of them. This page describes some of the changes I’ve made (unfortunately only in German).
I’ve added the tls-cipher and tls-auth options as last parameter lines to my configuration file. The synology web UI tried to parse those parameters as cipher and auth parameter when it shows those values as part of the DSM UI.
I’ve reorderded the tls-auth and tls-cipher parameter to be above the auth and cipher parameters and the DSM UI is now able to show those values correct. This will enable you to restart the OpenVPN service from the WebUI without the need to login via SSH.
How do you get supported values for auth, cipher and tls-cipher you might wonder? Just execute
to get the supported tls-cipher you might line up with a : separated.
shows you the allowed values for auth and
will show the allowed values for cipher. However, cipher and auth can also be preselected from the DSM UI.
Don’t forget to use the same values in your OpenVPN configuration on your VPN client as well, otherwise the connection won’t work.
Inspired by a friend I’ve decided to install InfluxDB and Grafana on my Raspberry Pi 3. InfluxDB is a database optimized for storing time related data like measurements of my recently installed particle sensor. Grafana is used to create beautiful graphs to display the stored data.
The InfluxDB installation can be done in a few simple steps:
This will install the InfluxDB without a user and any rights. You can read up further on that topic. Ideally you should setup an user for authentication but since some IoT devices do not support this I’m not going to explain it here.
The Grafana installation is similar simple:
Please make sure that you’ll get the most current version from github and replace it in the wget command:
If you use the AVM FritzBox you’ll now about this dreaded DNS suffix „fritz.box“ which every device will get in your network, if you decide to use the DNS server of the FritzBox. I wanted to have something different which doesn’t collide with domains on the internet, e.g. „stuff.local“. As I already use pihole as adblocker on DNS level I needed a solution to configure it in pihole. The following info is based on the pihole forum.
Create a file called lan.list in /etc/pihole and fill it with content in the following format:
<ip-address> <hostname>.stuff.local <hostname>
Create a second dnsmasq config file which references the file we’ve just created:
echo "addn-hosts=/etc/pihole/lan.list" | sudo tee /etc/dnsmasq.d/02-lan.conf
Restart the dns services in pihole:
sudo pihole restartdns
You should now be able to lookup your stuff.local hostnames on your pi with e.g.
I’ve tried to setup NFS on my old Raspberry Pi 1 with Raspbian Stretch. I assumed that I just need to add an entry to the /etc/fstab file and the NFS volume on my Synology NAS would be mounted automatically.
and thought I would be done. I’ve created the /mnt/databases folder with
and tried to mount everything with
and my volume showed up as mounted. After reboot the volume wasn’t mounted anymore and the service couldn’t find its data. So what shall we do? After some research I’ve found these options, which fixed the problem:
The NFS volume now shows up even after a reboot. I’ve also tried to change the configuration of Raspbian so that it waits for the network before any services start but that didn’t fix the problem. Interestingly the entry with only defaults seems to be working on a Raspberry Pi 3 B.
I own a Xiaomi Robot Vacuum. This robot can be controlled by the Xiaomi app, however, I don’t like it very much. The idea is to control this robot over HomeKit. To use HomeKit, I use an old Raspberry Pi 1B. The software will be HomeBridge.
Use Etcher to write the image to the SD card. Remount that SD card and add a file called „ssh“ in the root of the mounted partition. This will enable SSH from the beginning so that you can login directly to the Pi. I don’t want to attach a screen or keyboard to that machine so it will only be reachable over the network. Now boot your Pi from this SD card.
Identify the Pi’s IP (e.g. by looking at the network overview in your router). Now connect to that IP with user „pi“. The default password is „raspberry“. Please change the password now with passwd and assign a new user password.
According to Wojtek only this version works currently with HomeBridge. I did not test any other version so I’m just describing what I did on my machine:
Download nodejs for the PI into your users homefolder, e.g. with wget https://nodejs.org/dist/v8.9.4/node-v8.9.4-linux-armv6l.tar.xz
Unpack the file with tar -xvf node-v8.9.4-linux-armv6l.tar.xz
sudo cp -R * /usr/local/
add export PATH=$PATH:/usr/local/bin to e.g. ~/.bashrc
node should be now available
Install the necessary libraries: sudo apt-get install libavahi-compat-libdnssd-dev
Install HomeBridge with npm: sudo npm install -g --unsafe-perm homebridge
open /etc/default/homebridge and safe it with this content:
# Defaults / Configuration options for homebridge
# The following settings tells homebridge where to find the config.json file and where to persist the data (i.e. pairing and others)
# If you uncomment the following line, homebridge will log more
# You can display this via systemd's journalctl: journalctl -f -u homebridge
open /etc/systemd/system/homebridge.service and safe it with this content:
Generate a new MAC address separated by : using this website. You’ll need the IP address of your Xiaomi robot as well as the token. There are several ways to get the token. I’ve extracted mine from the iOS backup. Instead of uploading the token I’ve used this command on the token taken from the sqlite database:
Install the Home app, if you’ve removed it from your device. You can reinstall it from the App store.
Open the Home app and add a new device
If you’ve give the app access to your camera, you can scan the QR code you’ve seen earlier. However, HomeBridge is now running as a daemon in the background so you won’t see that QR code. You can add the bridge manually by using the PIN you’ve set in the config.