💾 Archived View for omg.pebcak.club › ~freezr › gemlog › stealthbox-setup.gmi captured on 2024-05-12 at 15:13:57. Gemini links have been rewritten to link to archived content


Make a StealthBox with Devuan and Libre Computer Renegade

The Setup

ISSUED: 2023-12-06
EDITED: 2024-02-16


At this point there isn't much left to do, but you need access to the network properties of your Windows machine; if you don't have it, the FAQ provides a viable alternative.

Make a StealthBox with Devuan and Libre Computer Renegade: FAQ

Cross Cable Setup

The Stealthbox is connected to the Windows machine through a cross cable:

This is actually the same cable I use

💡 Be aware the color code for the ethernet cross cable is red 🔴

Changes on the Renegade board

I recommend changing the settings on the board first.

1. Changing the network interfaces:

sudo micro /etc/network/interfaces

The new settings:

auto lo
iface lo inet loopback

# eth0
auto eth0
allow-hotplug eth0
iface eth0 inet static
	address 10.0.10.2
	netmask 255.255.255.0
	gateway 10.0.10.254

And this is done…

2. Fixing the script `cryptroot-unlock`

A nasty systemd-related issue prevents unlocking the board over SSH at boot time. Spotting this took a lot of time, and as usual OP2 helped me with a solution.

Open the script file:

sudo micro /usr/share/cryptsetup/initramfs/bin/cryptroot-unlock

Check for this block:

if [ ! -f "$TABFILE" ] || [ "$TABFILE" -ot "/proc/1" ]; then
	# Too early, init-top/cryptroot hasn't finished yet
	echo "Try again later" >&2
	exit 1
fi

Modify it to:

if [ ! -f "$TABFILE" ] ; then
	# Too early, init-top/cryptroot hasn't finished yet
	echo "Try again later" >&2
	exit 1
fi

⚠️ You need to fix this script every time the package dropbear-initramfs gets any update.
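
Since the edit has to be redone after updates, it can be scripted. The following is an added example, not part of the original gemlog or of the cryptsetup/dropbear packages: it detects whether the `-ot "/proc/1"` clause shown above is back and removes only that clause, keeping a backup. The function names and the `--apply` switch are illustrative.

```shell
#!/bin/sh
# Added example: re-apply the cryptroot-unlock edit after a package update.
# Function names are illustrative, not part of cryptsetup or dropbear.
SCRIPT=/usr/share/cryptsetup/initramfs/bin/cryptroot-unlock
CLAUSE=' || [ "$TABFILE" -ot "/proc/1" ]'

# needs_patch FILE: succeeds while the stock age test is still in FILE
needs_patch() {
	grep -Fq -- "$CLAUSE" "$1"
}

# apply_patch FILE: drop only that clause, keep FILE.orig, safe to re-run
apply_patch() {
	[ -f "$1" ] || { echo "missing: $1" >&2; return 1; }
	needs_patch "$1" || return 0              # already patched, nothing to do
	cp -p "$1" "$1.orig" || return 1
	# Edit via a temp copy and write back in place so mode and owner are kept
	sed 's# || \[ "\$TABFILE" -ot "/proc/1" ]##' "$1.orig" > "$1.tmp" || return 1
	cat "$1.tmp" > "$1" && rm -f "$1.tmp" || return 1
	if needs_patch "$1"; then
		echo "clause still present in $1" >&2
		return 1
	fi
}

# Run as root with --apply to patch the real script and rebuild the initramfs
if [ "${1:-}" = "--apply" ]; then
	apply_patch "$SCRIPT" && update-initramfs -u
fi
```

Calling it with `--apply` from an APT `DPkg::Post-Invoke` hook is one way to have it run after every upgrade.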

3. Changing the INITRAMFS IP setting:

sudo micro /etc/initramfs-tools/conf.d/IP

The new settings…

# Field order: client-ip:server-ip:gateway:netmask:hostname:device:autoconf
DEVICE=eth0
IP=10.0.10.2::10.0.10.254:255.255.255.0::eth0:off
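
The `IP=` value uses the kernel's `ip=` syntax, whose field order is client-ip:server-ip:gateway:netmask:hostname:device:autoconf. The following is an added example, not from the original gemlog, that checks a value against that order before the initramfs is rebuilt, since a mistake here only shows up when the board fails to answer on port 222 at boot. The function names and sample strings are constructed for illustration.

```shell
#!/bin/sh
# Added example: sanity-check an initramfs IP= value before update-initramfs.
# Kernel ip= order: client:server:gateway:netmask:hostname:device:autoconf
# Function names are illustrative.

# ip2int A.B.C.D: print the address as an integer, fail if malformed
ip2int() {
	case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
	oifs=$IFS; IFS=.; set -- $1; IFS=$oifs
	[ $# -eq 4 ] || return 1
	for o in "$@"; do [ "$o" -le 255 ] || return 1; done
	echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# is_netmask INT: true when the 1-bits are contiguous from the top
is_netmask() {
	inv=$(( ~$1 & 0xFFFFFFFF ))
	[ "$1" -ne 0 ] && [ $(( inv & (inv + 1) )) -eq 0 ]
}

# check_ip_param STRING: print a verdict, return 0 only if the fields are sane
check_ip_param() {
	oifs=$IFS; IFS=:; set -f; set -- $1; set +f; IFS=$oifs
	client=${1:-} gw=${3:-} mask=${4:-} dev=${6:-}
	c=$(ip2int "$client") || { echo "bad client-ip '$client'"; return 1; }
	m=$(ip2int "$mask") && is_netmask "$m" ||
		{ echo "field 4 is not a netmask: '$mask'"; return 1; }
	if [ -n "$gw" ]; then
		g=$(ip2int "$gw") || { echo "bad gateway '$gw'"; return 1; }
		[ $(( c & m )) -eq $(( g & m )) ] ||
			{ echo "gateway $gw is outside $client/$mask"; return 1; }
	fi
	echo "ok: $client mask $mask gw ${gw:-none} dev ${dev:-unset}"
}

# Constructed sample values: correct order, then gateway and netmask swapped
check_ip_param '10.0.10.2::10.0.10.254:255.255.255.0::eth0:off'
check_ip_param '10.0.10.2::255.255.255.0:10.0.10.254::eth0:off' || true
```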

Next…

Update the INITRAMFS

sudo update-initramfs -u

Power off the board.

Poweroff the board

sudo shutdown -h now

💡 shutdown turns off the OS gracefully instead of `sudo poweroff`

Windows setup

On Windows it is easier to make the changes through the GUI; please follow the images:

media/2023/w10net01.png

media/2023/w10net02.png

media/2023/w10net03.png

media/2023/w10net04.png

media/2023/w10net05.png

Now a pause on Windows; I'll come back to it later.

Plug your stuff

Spies do their jobs without being noticed. Plug your USB ethernet adapter into a USB3 port on the back of the case (front case USB ports are known to be flaky), put the board where you have easy access to it and where nobody can notice its presence, plug the red cable into the USB ethernet adapter and into the board, then plug in the mini USB AC and the power supply.

If you haven't done so yet, you have to create a pair of keys; check the Windows instructions in this related gemlog:

⚠️ Only for the creation of the keys section: "Loading the public key into Dropbear"

Setup Dropbear to unlock Debian on the Libre Computer "Renegade" over your Local Network

Now, still from the Terminal, run this command to unlock the board:

ssh -i .\.ssh\unlock_luks -o "HostKeyAlgorithms ssh-rsa" -p 222 YOUR-USER@10.0.10.2 -v

Wait a few seconds and SSH into the board, typing your password:

ssh YOUR-USER@10.0.10.2

Now you are inside your Stealthbox, modify the network interfaces to use the tethering from your (Android) mobile:

⚠️ I don't use Apple devices; I used to, but I stopped more than twenty years ago. I am pretty sure that drivers for Linux do not exist, and Termux doesn't exist on iPhone either; sorry I can't help with this…

# usb0
allow-hotplug usb0
iface usb0 inet dhcp

To get internet working at full speed, follow this tutorial:

# The day I boosted my tethering connection

OpenRC should be able to bring the usb0 interface up even if you unplug and re-plug the cable because you need the mobile; in that case you must re-run the DHCLIENT command:

sudo dhclient usb0 -v

⚠️ Sometimes that command isn't enough and you need to perform other operations that are described in the section "Caveats" at the bottom of this page.

Setting a VNC Server

I already talked about it in another gemlog; as you might have figured out, each gemlog is the sum of the former experiences, this is the pebcak's way!

PICO-8 development with OpenBSD… Or how to VNC connecting a RPI2 to a Crapbook empowered by OpenBSD…

Install and setup the VNC server

sudo apt install tightvncserver

It will prompt you to type an 8 character password, and guess what?

R E N E G A D E
1 2 3 4 5 6 7 8

But you can use the one that you like the most.

It will also ask whether to create a "read-only" password; say no!

Lastly, it will show the command to run the VNC server, which will be:

vncserver :1

The next setting is to run the server any time the board boots; before the systemd era that stuff was as easy as:

crontab -e

And type:

@reboot USER="YOUR-USER" vncserver -geometry 1440x900 :1

❓ @reboot: a special macro that launches a command as soon as the boot stages are completed!
💡 On my 2K display I find this resolution very comfortable: 1440x900; perhaps a lower resolution such as 1366x768 should be fine.

Now you can reboot the board or test the VNC server using the aforementioned command:

vncserver :1

VNC Client for Windows

I found it convenient and practical to download and use TigerVNC:

TigerVNC: Home Page

Download for Windows is available here:

https://sourceforge.net/projects/tigervnc/files/stable/

You must look for the latest stable and download the "tigervnc64-[LATEST-VERSION].exe"; at the time I am writing this gemlog the latest version is 1.13.1, therefore you should look for "tigervnc64-1.13.1.exe".

As I mentioned in the F.A.Q. you can download and extract that binary on a USB pendrive.

The setup is very basic; I used the defaults without changes, just follow the images:

Tiger VNC: Tab option 1

Tiger VNC: Tab option 2

When ready click OK and it will ask the password:

Tiger VNC: Main window

Type in and there you go!

OMG what is this?

If you haven't set up a graphical environment, you are perhaps just looking at a big Xterm terminal. Choosing a lightweight graphical environment is essential for a good experience.

In the *nix world we usually divide graphical environments into two categories: Desktop Environments (DE) and Window Managers (WM).

❓ Window Managers have their own sub-categories: stacking and tiling.

The former are complete environments that offer a lot of functionality and ad-hoc tools and rely on specific libraries, for instance XFCE4 or KDE Plasma; the latter are generally lighter, with less functionality and a minimal footprint, perfect for a small single board computer like this one!

Debian Wiki: WindowManager

Wikipedia: Stacking window manager

Based on what is available in the Debian/Devuan repository, I recommend one of these three window managers:

IceWM

A WinXP-like stacking window manager with a single panel, menu button and tray. Very intuitive, fully customizable, easy to set up and feature rich!

Wikipedia: IceWM

A Debian screenshot of IceWM

sudo apt install icewm xorg

FluxBOX

It is an amazing stacking window manager with a totally different paradigm, but it is really complete and blazing fast. It allows a variety of window and tab combinations. This is not recommended for a standard desktop experience.

Fluxbox Homepage

A video of FluxBOX in action.

sudo apt install fluxbox xorg

Window Maker

This is my favorite and the one I am currently using. It was modeled after the NeXTSTEP user interface. It is a Window Manager but it is also as complete as a real Desktop Environment, with a lot of applets and extra settings. It does all the fancy stuff that modern DEs like Gnome 3/4 claim to have invented; its retro look fits very well the small windows I assigned to my VNC session:

WindowMaker: HomePage

Window Maker

sudo apt install wmaker xorg

If you are a power user, install the one you like the most, but I discourage the use of any DE.

List of the packages I've installed on my board

Here you have all the packages I've installed from the repository:

installed-package.txt

Tips & Tricks

This section is pretty juicy so read it carefully!

Launch the WM automatically

What is launched at the start of the VNC session is defined in .vnc/xstartup inside your home!

This is my setup:

#!/bin/sh

# Load X resources (if any)
if [ -e "$HOME/.Xresources" ]
then
        xrdb "$HOME/.Xresources"
fi

#
xsetroot -solid black
xmodmap -e "keysym Alt_L = Multi_key" &
x-terminal-emulator -geometry "80x24+10+10" -ls -title "$VNCDESKTOP Desktop" &
x-window-manager &
xautolock -time 1 -locker slock &

Disable IPV6 for eth0

I disabled IPv6 for the cable connection; this can be achieved with:

sudo sysctl -w net.ipv6.conf.eth0.disable_ipv6=1

To make the change effective:

sudo sysctl --system

Otherwise it will be applied next boot.

How to reload sysctl.conf variables in Linux

Install `NETPLUG`

Netplug automagically reconnects the network, even the SSH connection, if it drops, for instance because of an unplugged cable; in my tests it works very well with the `eth0` interface:

sudo apt install netplug

Then:

sudo micro /etc/netplug/netplugd.conf

Type in:

eth*

Now "allow-hotplug" must be commented out in /etc/network/interfaces

Below my full configuration:

# interfaces(5) file used by ifup(8) and ifdown(8)
# Include files from /etc/network/interfaces.d:
source /etc/network/interfaces.d/*

auto lo
iface lo inet loopback

## CROSS CABLE SETUP: eth0
auto eth0
#allow-hotplug eth0 # DISABLE THIS LINE
iface eth0 inet static
	address 10.0.10.2/24
	netmask 255.255.255.0
	gateway 10.0.10.254

# DHCP SETUP: usb0
## Won't be touched by netplug
auto usb0
allow-hotplug usb0
iface usb0 inet dhcp

The daemon is already started after the installation, otherwise you can reboot the board!

Using LibreWolf as default Browser

LibreWolf is a heavily hacked and hardened Firefox fork; on aarch64 it is available as an AppImage, which you can download from:

https://gitlab.com/librewolf-community/browser/appimage/-/releases

Create the directory and save the appimage file

sudo mkdir -p /opt/librewolf/
cd /opt/librewolf/
sudo wget https://gitlab.com/api/v4/projects/24386000/packages/generic/librewolf/120.0-2/LibreWolf.aarch64.AppImage

Or if you already boosted your tethering:

sudo curl --socks5-hostname 127.0.0.1:12000  https://gitlab.com/api/v4/projects/24386000/packages/generic/librewolf/120.0-2/LibreWolf.aarch64.AppImage -o LibreWolf.aarch64.AppImage

Create a symbolic link:

sudo ln -s /opt/librewolf/LibreWolf.aarch64.AppImage /opt/librewolf/librewolf

Update `www-browser` alternative:

sudo update-alternatives --install /usr/bin/www-browser www-browser /opt/librewolf/LibreWolf.aarch64.AppImage 50

Output:

update-alternatives: using /opt/librewolf/LibreWolf.aarch64.AppImage to provide /usr/bin/www-browser (www-browser) in auto mode

Update the `xdg-settings`; if you check which browser the OS is associated with, you'll see Firefox-esr:

xdg-settings get default-web-browser
firefox-esr.desktop

To change to LibreWolf:

xdg-settings set default-web-browser librewolf.desktop 

Checking again:

xdg-settings get default-web-browser
librewolf.desktop

Finally, create the .desktop file:

sudo micro /usr/share/applications/librewolf.desktop

And paste:

[Desktop Entry]
Name=LibreWolf
Exec=/opt/librewolf/librewolf %u
Icon=librewolf
Type=Application
MimeType=text/html;text/xml;application/xhtml+xml;x-scheme-handler/http;x-scheme-handler/https;application/x-xpinstall;application/pdf;application/json;
StartupWMClass=LibreWolf
Categories=Network;WebBrowser;
StartupNotify=true
Terminal=false
X-MultipleArgs=false
Keywords=Internet;WWW;Browser;Web;Explorer;
Actions=new-window;new-private-window;profilemanager;

[Desktop Action new-window]
Name=Open a New Window
Exec=/opt/librewolf/librewolf  %u

[Desktop Action new-private-window]
Name=Open a New Private Window
Exec=/opt/librewolf/librewolf  --private-window %u

[Desktop Action profilemanager]
Name=Open the Profile Manager
Exec=/opt/librewolf/librewolf  --ProfileManager %u

Now LibreWolf is officially the default browser anywhere!

Add a screenlocker to the VNC session

I was stuck at this step for an eternity; an annoying pebcak prevented me from using xscreensaver and many other lockers, all for the exact same reason:

xscreensaver --no-splash
xscreensaver: 12:09:54: XInput extension missing

xtrlock -f
xtrlock (version 2.15): No X Input extension

A suite of fantastic software called "Suckless Tools" came to my rescue; the name is totally programmatic and a guarantee! The locker shipped with the suckless tools, `SLOCK`, works without issues and without complaining!

Suckless Tools: Slock

However, it is unable to trigger itself; another package that monitors the activity is required, and to fill this gap I installed `XAUTOLOCK` as well.

sudo apt install suckless-tools xautolock

These packages are very light and do not require tons of dependencies to work!

As you may have noticed, the commands to launch them at every session are already in the "Launch the WM automatically" section.

Caveats

In my tests with Debian, systemd handled the usb0 connection better; with Devuan/OpenRC you sometimes have to go through a process to re-establish the tethering connection.

Things to check when the tethering drops

Sometimes the tethering drops even if it is running from TMUX; to check the status you must go into the current TMUX session:

tmux attach-session

If you notice a lot of calls in idle, e.g.:

debug1: Connection to port 12000 forwarding to socks port 0 requested.
debug1: channel 4: new dynamic-tcpip [dynamic-tcpip] (inactive timeout: 0)
debug1: Connection to port 12000 forwarding to socks port 0 requested.
debug1: channel 4: new dynamic-tcpip [dynamic-tcpip] (inactive timeout: 0)
debug1: Connection to port 12000 forwarding to socks port 0 requested.
debug1: channel 4: new dynamic-tcpip [dynamic-tcpip] (inactive timeout: 0)
[...]

The connection has dropped; to bring it back you may try, in order:

Internet connection won't work if eth0 is unplugged from the boot

If for some reason you connect the board to a monitor while still taking the internet connection from any interface but eth0, you need to deactivate eth0 in order to make the other connection the primary one, e.g.:

sudo ifdown eth0
sudo dhclient usb0
ping www.devuan.org

And if you want to use the internet connection from your ethernet, you must comment out (comments start with #) the current settings and enable the following one:

sudo micro /etc/network/interfaces

## DHCP eth0
allow-hotplug eth0
iface eth0 inet dhcp

Wrapping this up

I hope to have touched all the necessary points to convert your Libre Computer ROC-RK3328-CC with Devuan into a Stealthbox! Actually using Devuan is not required, besides preferring Devuan to Debian, I feel that any system without systemd is faster because systemd is essentially bloated, so my recommendation is to stick with Devuan.

As usual, should you find something wrong, please do not hesitate to contact me!

Thanks… 🙏
