Meltdown and Spectre are vulnerabilities in modern processors,
which allow a rogue process to read all memory which is currently processed on the computer, including passwords, documents, security credentials, and your photos. Your operating system and software may have included corresponding patches to mitigate those vulnerabilities if they are up to date.
However, those patches significantly slowdown your computer.
If you have offline computers that run only trusted software, you may want to disable those patches to regain performance lost. This article will show you how to disable those patches on Linux. There is also an instruction for Windows.
Currently this article only covers the instructions to disable the Meltdown patch.
Check if Meltdown and Spectre patches are applied
Run the following command:
grep. /sys/devices/system/cpu/vulnerabilities/*
The following output means that the patches are enabled for the Meltdown and Spectre vulnerability:
Then regenerate the grub config file.
If your OS is booted from legacy BIOS, run:
sudo grub2-mkconfig -o /etc/grub2.cfg
Otherwise if your OS is booted from UEFI, run:
sudo grub2-mkconfig -o /etc/grub2-efi.cfg
Lastly, reboot your computer.
Verify if the patches are disabled
Rerun the following command:
grep. /sys/devices/system/cpu/vulnerabilities/*
If successful, your output should be something like:
shspectre fedora
/sys/devices/system/cpu/vulnerabilities/meltdown:Vulnerable
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Vulnerable
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Vulnerable
Re-enable the patches
Just remove the nopti boot option from /etc/default/grub and regenerate the grub boot config file like what we did before.
My PS4 has trouble connecting to PSN service these days. I suspect my ISP has blocked all traffic to oversea PSN servers.
Fortunately there is an OpenWrt router in my room, so that I can get through this kind of block by setting up a VPN connection to forward all traffic from my PS4 to my oversea VPS. Here is the expected connection solution:
I have two VLANs behind my OpenWRT router.
VLAN1 brings my laptop, smart phone, and other devices together, while VLAN2 is for PS4.
VLAN1 has IP address range 192.168.0.0/24 and VLAN2 has 192.168.1.0/24. My aim is to forward all Internet traffic from 192.168.1.0/24 to the VPN tunnel but exclude all LAN traffic. Upon the successful establishment of my IPSec tunnel, devices in VLAN1 and VLAN2 can also get access to each other.
Install strongSwan
I use strongSwan, an open source IPsec-based VPN software, to set up my IPSec tunnel. The first step is to install strongSwan on both VPS and OpenWrt router.
Certificate Authority
For security reasons, I choose RSA authentication with X.509 certificates for my VPN tunnel.
Both peers of strongSwan instances will identify themselves by corresponding X.509 certificates.
Start by creating a self singed root CA. Create a private key on your PC:
Then generate a self singed root CA certificate:
You can view the details of your root CA certificate with the following command:
Example output:
Create an X.509 v3 extension file ext.cnf containing the following content
in order to issue X.509 v3 certificates instead of v1 ones to end clients:
Having the CA certificate, you are able to issue client certificates to your VPS and OpenWrt router later.
Issue a Certificate For VPS
On your VPS, create a private key:
Then create a certificate request file:
Copy your certificate request file vpsHost.csr from VPS to your PC.
On your PC, use the following command to issue a client certificate to your VPS:
You can view the certificate details with the following command:
Example output:
Copy your certificate files rootCA.crt and vpsHost.crt from your PC to your VPS.
Issue a Certificate For OpenWrt Router
On your OpenWrt Router, create a private key:
Then create a certificate request file:
Copy your certificate request file openwrtHost.csr from OpenWrt router to your PC.
On your PC, use the following command to issue a client certificate to your OpenWrt router:
You can view the certificate details with the following command:
Example output:
Copy your certificate files rootCA.crt and openwrtHost.crt from your PC to your OpenWrt router.
Configure VPS peer
On your VPS, copy rootCA.crt to /path_to_strongSwan/ipsec.d/cacerts:
Copy vpsHost.crt to /path_to_strongSwan/ipsec.d/certs:
Copy vpsHost.key to /path_to_strongSwan/ipsec.d/private:
Tell strongSwan where to find the private key by editing /path_to_strongSwan/ipsec.secrets:
Configure IPSec policy by editing /path_to_strongSwan/ipsec.conf. Here is an example:
To make your VPS as a software router, you should turn on the following kernel options:
Enable SNAT to allow forwarding packets from private IP addresses to the Internet, because your clients (PS4, etc) have no public IPv4 addresses. You should configure your Linux firewall:
Don’t forget to start your strongSwan service and enable it at startup:
Configure OpenWrt Router
On your OpenWrt Router, copy rootCA.crt to /etc/ipsec.d/cacerts:
Copy openwrtHost.crt to /etc/ipsec.d/certs:
Copy openwrtHost.key to /etc/ipsec.d/private:
Tell strongSwan where to find the private key. Edit /etc/ipsec.secrets:
Configure IPSec policy by editing /etc/ipsec.conf. Here is an example:
Make sure your OpenWrt router have SHA256 kernel module installed:
A very important step, don’t let strongSwan configure routes on your OpenWrt router.
Otherwise strongSwan will insert an additional policy-based default route that forwards all traffic from VLAN2 to your VPS, which blocks the communication from VLAN2 clients to your OpenWrt router, resulting in your clients cannot receive any traffic from your router.
Edit /etc/strongswan.conf on your OpenWrt router:
You should also disable the farp plugin for strongSwan.
The farp plugin will fake ARP responses for rightsubnet to an established tunnel.
In our VPN deployment our rightsubnet (0.0.0.0/0) covers leftsubnet (192.168.1.0/24).
If we don’t disable this plugin, it will fake ARP responses for 0.0.0.0/0, which will disturb the ARP traffic in VLAN2 unexpectedly.
To disable the plugin, edit /etc/strongswan.d/charon/farp.conf on your OpenWrt router:
The last step, add new firewall rules to allow VPN traffic on your OpenWrt router:
Reload your OpenWrt firewall:
Start and enable your strongSwan service:
Now all Internet traffic from VLAN2 should be forwarded to the VPS. Please enjoy it.
Docker is an awesome software which makes use of Linux container
to package dependencies for an application and isolate its runtime environment from the host machine.
By default, Docker will set up an isolated private network and adopt Network address translation (NAT) technology
for forwarding incoming traffic to corresponding container. But sometimes we want to set up our own Docker network.
A few days ago, I was going to run several separated Bind DNS services on a single host.
Some of them are recursive servers while others are authoritative servers.
Traditionally, we need to bind these services to different addresses on the same host,
or create virtual machines for every Bind instance.
I chose Docker for this kind of deployment. The difficulty is how to expose the whole network of these containers
to the outside network instead of using NAT technology, because it is very hard to maintain so many IP addresses on a single host machine.
We can use --net=none option when starting a container to tell Docker not to configure its network automatically, which leaves us free to configure our own network.
Considering I have a host machine and 4 Docker containers. The host machine’s physical interface connects to a router that connects to an intranet.
The host machine has 2 IP addresses. One is 10.3.0.2/24, which connects to a gateway interface eth3 with IP address 10.3.0.1/24 through its physical interface eth0.
The other is 10.3.16.1/20, which is assigned to the Docker Ethernet bridge interface docker0. The four Docker containers have addresses from 10.3.16.11/20 to 10.3.16.14/20.
By default, Docker configures bridge interface docker0 with IPv4 address 172.17.42.1/16. We need to change it to 10.3.16.1/20 in this deployment.
To supply a different IP address for docker0, We need to edit Docker upstart configuration file. This file is usually located at /etc/sysconfig/docker for Fedora/RHEL/CentOS or /etc/default/docker for Debian/Ubuntu.
Here is a resonable configuration:
In this file, the --bip=10.3.16.1/20 option tells Docker to set up bridge interface with IPv4 address 10.3.16.1/20, and --iptables=false to disallow Docker to insert iptables rules automatically.
Restart your Docker service, then start a container:
This will start a CentOS 7 container named my_container. Option --net=none tells Docker not to set up container network.
Issuing ip addr in this container will find that there are no Ethernet interfaces configured:
As Docker uses Linux container to isolate environment, we should set up a container network through the host machine.
These instructions are adapted from official Docker documentation.
Firstly, use docker inspect command to find out the container process ID:
Then, create a peer of virtual network interfaces A and B, then bind the A end to the bridge, and bring it up:
Next, place B inside the container’s network namespace, and rename to eth0, and activate it with IP 10.3.16.11/20.
Follow similar steps to configure networks for other containers by replacing IP addresses with 10.3.16.12/20 - 10.3.16.14/20.
Lastly, add a static route on your gateway to forward address range 10.3.16.0/24 to your host machine:
In addition, I wrote a script called Dockernet in order to finish these steps in a very simple way. You can check out my code if you like.
Hello, I’m Yuxiang Zhu, a programmer working on free software. From today, I will keep my technical experience and knowledge in this blog and share to everyone.
This blog is built by Jekyll, an open software that transforms plain text into static websites and blogs. It is awesome and free to use. If you want to build a blog like me, you can follow instructions on Jekyll’s homepage. The theme of this site is adapted from Freelancer.