networking – Incoming traffic not forwarding to Wireguard gateway

I’m not sure if this is a general routing question or more to do with Wireguard or EasyTether but I think it’s general routing.

I have a Raspberry Pi 4 to enable an Android phone to act as the WAN port on a NAT router.

The Pi runs EasyTether via USB to the phone. This is working. It provides a tun-easytether interface on 192.168.117.0/31. The phone is 192.168.117.1.

I have defined a gateway resulting in the following:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.117.1   0.0.0.0         UG    0      0        0 tun-easytether
192.168.115.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.117.0   0.0.0.0         255.255.255.254 U     0      0        0 tun-easytether
192.168.118.0   0.0.0.0         255.255.255.0   U     0      0        0 wg0

eth0 is the Ethernet port at 192.168.115.1 which is connected to the router’s WAN. The router has a static IP of 192.168.115.2.

That works nicely. I can browse the web from my laptop connected to the LAN side of the router.

Now I’m trying to introduce Wireguard. I have Wireguard installed on a droplet at Digital Ocean and on the Pi. The server is at 192.168.118.1 and the Pi is 192.168.118.2.

I have changed the default route and set up one for the VPN, resulting in the following:

0.0.0.0         192.168.118.2   0.0.0.0         UG    0      0        0 wg0
68.xxx.xx.xxx   192.168.117.1   255.255.255.255 UGH   0      0        0 tun-easytether
192.168.115.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.117.0   0.0.0.0         255.255.255.254 U     0      0        0 tun-easytether
192.168.118.0   0.0.0.0         255.255.255.0   U     0      0        0 wg0

68.xxx is the public address of the server. That pretty much works because I can ping 192.168.118.1 and 8.8.8.8 from the command line on the Pi. A traceroute to 8.8.8.8 shows it going through Digital Ocean. That all looks great except that I can no longer get to the outside world from my laptop on the LAN side of the router. A traceroute stops at 192.168.115.1, i.e., eth0 on the Pi.

The Pi does not seem to be forwarding traffic coming into 192.168.115.1. I’ve reverted to the original non-VPN config several times to make sure that still works. net.ipv4.ip_forward=1 is set in sysctl.conf on the Pi.

I feel like I’m close but just missing something. I could give the Wireguard setup etc but it doesn’t seem relevant because that appears to be working.

Thanks for any help.

ssl – HAPROXY : Redirect incoming HTTPS request to HTTP backend

I’m a newbie with HAProxy, and I want to use it to redirect incoming HTTPS requests to my HTTP backend servers.

I know how to do it with Nginx, like this:

#SSL for all
server {
    listen 443 ssl ;
    server_name www.example.com;
    absolute_redirect off;
    proxy_redirect off;

    access_log /var/log/nginx/example.com-ssl-access.log;
    error_log /var/log/nginx/example.com-ssl-error.log;

    ssl_protocols TLSv1.2 TLSv1.1 TLSv1 ;
    ssl_certificate /etc/letsencrypt/live/www.example.com/fullchain.pem; 
    ssl_certificate_key /etc/letsencrypt/live/www.example.com/privkey.pem; 


    location / {
        proxy_pass http://bo.example.com;
    }
}

But I don’t know how I can do it with HAProxy.

I have already tried several things. But each time I only had HTTPS to HTTPS redirects.

Can you help me?

This is my current HAProxy configuration:

global
    log /dev/log    local0
    log /dev/log    local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 5s
    user haproxy
    group haproxy
    daemon

    tune.ssl.default-dh-param 2048

defaults

    log     global

    mode    http
    option  httplog
    option  dontlognull
    timeout connect 5000
    timeout client  50000
    timeout server  50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http
    stats enable
    stats hide-version
    stats refresh 30s
    stats uri /hastats

frontend www-http
        # Frontend listen port - 80
    bind *:80
    # Operating mode
    mode http

    reqadd X-Forwarded-Proto: http

    # Test URI to see if its a letsencrypt request
    acl letsencrypt-acl path_beg /.well-known/acme-challenge/
    use_backend letsencrypt-backend if letsencrypt-acl

    # Set the default backend
    default_backend www-backend
    # Enable send X-Forwarded-For header
    #option forwardfor
    #option httpchk GET /
    # log reqs http
    #option httplog

    # acl
    #acl prod_acl  hdr(host) prod.local

    #use_backend apache_backend_servers if prod acl


# Define frontend ssl
frontend www-ssl
        bind *:443 ssl crt /etc/haproxy/certs/example.com.pem
        reqadd X-Forwarded-Proto: https
        default_backend www-backend


# define backend

backend www-backend
    mode http
    option httpchk
    option forwardfor except 127.0.0.1

    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    
    redirect scheme http if { hdr(Host) -i example.com } { ssl_fc }
    balance roundrobin
    #Define the backend servers
    server  web1    XXX.XXX.XXX.101  check inter 3s port 80
    server  web2    XXX.XXX.XXX.102  check inter 3s port 80

backend letsencrypt-backend
    server letsencrypt 127.0.0.1:8080

UFW allow incoming to specific source IP

I am trying to allow connections from my ufw firewall to a specific source IP on my machine. I know it can be done with interfaces, but is it possible just for a source IP?

ubuntu – IPTABLES – Route all incoming IP requests through another IP on a different network

I need help with iptables to allow all requests to come from one single IP.

Server1 IP : 1.1.1.1 [Dedicated Server]

Server2 IP : 2.2.2.2 [VPS Server]

Both Servers are running Ubuntu, and are NOT on the same network.

I have a service running on Server1 on port 1234. I want all traffic to come to Server1 only from Server2. And, if a request is received by Server1 directly, instead of killing/dropping the request, is it possible for Server1 to forward the request to Server2, and have Server2 send it to Server1?

On Server2 I have:

echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward 
iptables -t nat -A PREROUTING -p tcp --dport 1234 -j DNAT --to-destination 1.1.1.1:1234
iptables -t nat -A POSTROUTING -j MASQUERADE

On Server1 where the service is running, I have:

echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward 
iptables -I INPUT -p tcp -s 2.2.2.2 --dport 1234 -j ACCEPT

Server2 is redirecting requests to Server1 fine. Can you help me with the iptables command for Server1, to route all other incoming requests through Server2?

Thank you.

transactions – Is 8 the maximum number of incoming peer connections?

The reference here for running the bitcoin daemon does not really clarify what maxconnections means.

maxconnections=  Maintain at most  connections to peers (default: 125)

Is this the max connection for all inbound and outbound peer connections? Or is it just to one or the other? If I understand correctly, inbound connections are others trying to connect to your node for information (e.g. transaction) propagation, while outbound connections are your bitcoin daemon node connecting to others for information.

Here’s another reference in one of the posted answers that stated 8 outbound peer connections is the max; it seems to imply that the number of outbound peer connections is not configurable, and furthermore that maxconnections only controls the number of inbound connections and not outbound. Is this true?

I don’t intend on being connected to by other peers (this decision is rather selfish, but that’s beside the point), so I’ve blocked port 8333. I believe, effectively, blocking port 8333 will only stop peers from connecting to me (stops inbound) and not me connecting to peers (does not stop outbound). Is this right?

What implications does blocking port 8333 have on my bitcoin daemon getting transactions? Does it get fewer transactions or get transactions slower? I’ve been noticing that for relatively long stretches of time (e.g. 20 seconds or so), sometimes I see no transactions come through.

The same outgoing and incoming degree in graph

I have an undirected graph with $n$ vertices and $m$ edges. How can one determine in $\mathrm{poly}(n, m)$ time whether it is possible (and if so, how) to orient all the edges so that each vertex has the same outgoing and incoming degree?

In what ways site administrators can detect incoming CSRF attacks?

You implement a CSRF token on every vulnerable form. When there is a CSRF error, it is logged, so you “detect” it (do note that it might be a false positive, such as the user having cleared their cookies). If you protect from CSRF attacks, I don’t think it would be worth preparing such an attack, as it won’t work.

You might do some checks based on the Referer header, which could allow you to detect certain CSRF attacks. That depends on the browser and its settings, though: if there’s no Referer header (which could be suppressed by the attacking page on modern browsers) you would receive no information.
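As an added example (not part of the answer above), the two checks it describes combined in one Python function: a constant-time token comparison whose failures are logged for detection, plus Origin/Referer validation that treats a missing header as no information rather than as a failure. TRUSTED_HOSTS is an assumed value.

```python
import hmac
import logging
from urllib.parse import urlsplit

log = logging.getLogger("csrf")

# Hostnames that may legitimately submit forms to this site (assumed value).
TRUSTED_HOSTS = {"www.example.com"}


def check_csrf(session_token, form_token, origin=None, referer=None):
    """Validate a state-changing request and return (allowed, reason).

    A token mismatch is logged as a possible CSRF attempt (it may also be a
    user who cleared cookies, so treat it as a signal, not proof). Origin and
    Referer are checked only when present: an absent header carries no
    information, but a present header naming a foreign host is a clear signal.
    """
    # 1. Synchronizer token: the form value must match the copy in the session.
    if not session_token or not form_token:
        log.warning("csrf: missing token (session=%s form=%s)",
                    bool(session_token), bool(form_token))
        return False, "missing-token"
    if not hmac.compare_digest(session_token, form_token):
        log.warning("csrf: token mismatch, possible CSRF or stale session")
        return False, "token-mismatch"

    # 2. Origin first (browsers send it on cross-site POSTs), then Referer.
    for name, value in (("origin", origin), ("referer", referer)):
        if not value:
            continue  # absent header: no information, not a failure
        host = urlsplit(value).hostname  # "null" origin yields None -> rejected
        if host not in TRUSTED_HOSTS:
            log.warning("csrf: %s header from untrusted host %r", name, host)
            return False, f"bad-{name}"
    return True, "ok"
```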

office 365 – Save the email attachments of incoming email in SharePoint List using Azure Logic Apps

As of now, I am able to perform the two steps below:

1. I am able to save the Office 365 email (the whole email itself) to a SharePoint (online) document library as a .eml file using Logic Apps and open it in Office Outlook. – I am using the Create File action

2. Also, I am able to save the metadata (To, From, Subject, CC) of the incoming email in a SharePoint List. – I am using the Create Item action

Now, I want to save the O365 incoming email attachments to a SharePoint (online) list along with the other email metadata. So, when the email metadata is getting added to the list (as per point 2 above), I want to save the incoming email attachments as list item attachments.
NOTE – I don’t want to save incoming email attachments as individual items in a Library.

Any thoughts?

What exactly does the scary option “Allow incoming connections” do in Bitcoin Core?

Software authors seem to enjoy consciously freaking me out by having vaguely or entirely uncommented options in their software with very ominous labels.

In Bitcoin Core’s settings, it says “(X) Allow incoming connections”, which has an entirely meaningless “elaborate description” on hover which just repeats what it already said with a couple more words: “Accept connections from outside.”

What does this actually do? My first thought is that this enabled-by-default option somehow allows people from all over the world to connect to my computer and freely grab Bitcoins from my wallet.dat and look through and download files from my computer. Naturally, it doesn’t mean that, but the way it’s so vaguely described does not make me feel good, to put it that way.

My serious guess is that it has some kind of hard-to-understand technical explanation, but why is it an option to begin with if it’s crucial for Bitcoin to function? Is there some privacy/security benefit to me unchecking it? Does leaving it on pose some sort of privacy/security threat*? Why is it an option?

(* Usually when you ask that kind of question, people will lie to you and claim that there is no security/privacy issue, when in fact there actually is. For example, PHP developers told me that there’s nothing lost by keeping the expose_php and other configuration options on, but to me, there definitely is as it sneakily lets the world know that you use PHP and even which version. It seems that, whenever something is bad for users, but good for the authors of something, they claim that it doesn’t pose a security/privacy threat.)

Would appreciate some clarification.


transactions – In Electrum, how does one watch/poll a wallet for an incoming payments to a certain address via API?

I want to create a simple way of accepting bitcoins on my own, using Electrum. I don’t expect big volume. I suppose I’d have at most a handful of incoming payments in the beginning.

That is, I generate an address, a new one for each checkout where Bitcoin is selected as a payment method. And then I’ll need to watch that address, via Electrum’s API, for an incoming payment of a certain amount. The 1st confirmation, at least, which will have to arrive within, I suppose, 1 hour.

How can it be implemented? I don’t need the code, but a high level explanation: what API to use, potential caveats and suggestions in general.

P.S.

I’m aware of this – https://electrum.readthedocs.io/en/latest/merchant.html , but it won’t work for me. I’m a developer, therefore I can create a simpler solution which I could also customise however I like.