worldpossible / rachelplus

RACHEL Configuration on Intel CAP

Weaved Support #33

Closed j-schwartz closed 8 years ago

j-schwartz commented 8 years ago

Team -

I talked with the team at Weaved and I believe that could be a game changer for our CAP. It allows us to easily remote in to any CAP that gets plugged in, without the need to configure firewalls and port forwarding.

http://weaved.com

@spatiald do you have any time to take a look at how we can include this as part of the set-up script?

Thanks all.

best, Jeremy

spatiald commented 8 years ago

Oh man...that is awesome and right where we need to be.

For everyone's knowledge, here is some information I gleaned about their security and processes. I will begin testing. sam

TECH OVERVIEW: "One way to think of Weaved is a secure replacement for port-forwarding.

Weaved is a "service-level VPN" for any TCP port (a.k.a "TCP-service") used to connect two devices that speak TCP. In other words, Weaved makes any TCP port (ex. SSH port22, HTTP port80) uniquely nameable, own-able, and addressable over the Internet from a browser, client software, or the Weaved mobile App.

For example, the WebIOPi application uses HTTP on port 8000 to control the GPIO on a Raspberry Pi. With Weaved installed on the Pi you can connect to your Pi directly over the Internet from our mobile app, or any browser, without having to use port forwarding. Port forwarding leaves open ports on your network, which is a well-known security vulnerability in IP networks.

Weaved is like a VPN except that as an additional layer of protection ..... Weaved is nailed down to an individual port, rather than exposing all ports. Moreover, multiple ports on a single device can be "Weaved-enabled" simultaneously and with different owners. Our technology works on top of TCP, so it works with any standard protocol, and if the client end can decode that, it's effectively a direct peer-to-peer connection."

MORE DETAIL:

"Question: With incoming connections blocked, how does Weaved work, if that's not a commercial secret? How does it bypass the blocked-incoming-request issue?

Answer: Weaved is like a port specific VPN, the connections look like they are coming from your device, your ISP never sees these connections since they are encrypted.

Question: When no-one is accessing my Pi through Weaved, is there any traffic passing between my Pi and Weaved's servers? I ask because I have noticed an increase in data usage since around the same time I installed Weaved, and wondered if part of this could be due to how Weaved works.

Answer: When idle, Weaved devices send/receive about 250 bytes every 5 min. 250 bytes per 5 mins works out to only 2MB per month when my Weaved/Pi is idle."

A WEAVED DEVELOPER TALKS ABOUT TRUST: "You don't need to trust weaved.

Yes, the default behaviour is that you send your "data" to the weave-proxy and the proxy sends it to your PI. Routing as usual. Instead of: A (you) --> B (your ISP) --> X --> C (your pi ISP) --> D (your pi), it could be with weaved: A --> B --> X --> W --> X --> C --> D. Normally you trust A and D, because they're yours. You don't know what your ISP or X really does. So, weaved or no weaved doesn't matter. You should not trust your "path" anyway.

So, what about my password? SSH is called ssh because it's a secure Shell. The protocol takes care of your password security. So, go to your pi "directly" with no "untrusted" router in the path (local LAN or old school with keyboard) and print your host-key fingerprints. For example:

find /etc/ssh/ -iname "ssh_host*_key" -exec ssh-keygen -lf {} \;

256 7f:9c:28:2a:55:b9:cf:e8:24:ee:c0:d8:01:e0:ec:c9 /etc/ssh/ssh_host_ecdsa_key.pub (ECDSA)
1024 8c:94:10:bd:eb:5b:c0:f0:07:f0:e2:93:53:a1:f2:12 /etc/ssh/ssh_host_dsa_key.pub (DSA)
2048 7e:cf:68:50:b0:d4:2f:c7:24:8d:c5:ef:c5:04:4b:15 /etc/ssh/ssh_host_rsa_key.pub (RSA)

The first time you connect to your pi over an "unknown" domain name (like the weaved address), ssh will show you the fingerprint. Just check it's on your list of fingerprints. If yes, it's secure, because weaved and all others just "see" encrypted data. If you missed the fingerprint check the first time, just take a look in the cache. On your local linux in "~/home/.ssh/known_hosts", for putty on windows in the registry: HKEY_CURRENT_USER\SOFTWARE\SimonTatham\PuTTY\SshHostKeys"

sam

On Tue, Oct 20, 2015 at 1:10 PM, Jeremy Schwartz notifications@github.com wrote:

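The fingerprint check quoted above (record the host-key fingerprints while on the LAN, then compare them to what the client cached after connecting through the relay) can be automated. The following is an added example and not code from the rachelplus project or from Weaved; it computes MD5 (old ssh-keygen format) and SHA256 (current format) fingerprints from an OpenSSH public-key line with only the standard library, and checks the plain entries of a known_hosts file for a given host against a set of fingerprints recorded out-of-band. The hostname, the key material and the known_hosts contents are constructed for the example; the key blob has a valid ssh-ed25519 layout but is not a real key.

```python
"""Verify a cached SSH host key against fingerprints recorded out-of-band.

Added example (not rachelplus or Weaved code). Mirrors the procedure in the
thread: print the host-key fingerprints on the LAN, then, after connecting
through a relay under an unfamiliar name, confirm that the key the client
cached in known_hosts is one of those fingerprints.
"""
import base64
import hashlib
import struct


def _key_blob(pubkey_line: str) -> bytes:
    """Return the raw key blob from an OpenSSH '<type> <base64> [comment]' line."""
    parts = pubkey_line.split()
    if len(parts) < 2:
        raise ValueError("expected '<keytype> <base64> [comment]'")
    return base64.b64decode(parts[1])


def fingerprint_md5(pubkey_line: str) -> str:
    """Colon-separated MD5 fingerprint, the format older ssh-keygen -l prints."""
    digest = hashlib.md5(_key_blob(pubkey_line)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_sha256(pubkey_line: str) -> str:
    """'SHA256:' plus unpadded base64, the format current ssh-keygen -l prints."""
    digest = hashlib.sha256(_key_blob(pubkey_line)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def known_hosts_keys(known_hosts_text: str, host: str):
    """Yield '<type> <base64>' for every plain entry that names `host`.

    Hashed entries ('|1|salt|hash ...') are skipped: they cannot be matched
    by name without the salt, so inspect those with ssh-keygen -F instead.
    """
    for line in known_hosts_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#") or fields[0].startswith("|1|"):
            continue
        if fields[0].startswith("@"):          # @cert-authority / @revoked marker
            fields = fields[1:]
        if len(fields) < 3:
            continue
        if host in fields[0].split(","):       # first field is a host list
            yield " ".join(fields[1:3])


def verify_cached_host_key(known_hosts_text: str, host: str,
                           trusted_fingerprints: set) -> bool:
    """True only if every key cached for `host` matches a recorded fingerprint.

    Returns False when nothing is cached yet: in that case the interactive
    prompt on first connect is the check, and this function cannot replace it.
    """
    keys = list(known_hosts_keys(known_hosts_text, host))
    if not keys:
        return False
    return all(fingerprint_md5(k) in trusted_fingerprints
               or fingerprint_sha256(k) in trusted_fingerprints
               for k in keys)


def _constructed_ed25519_line(seed: int) -> str:
    """Build a syntactically valid ssh-ed25519 public-key line from a
    constructed 32-byte value. NOT a real key; it only exercises the code."""
    raw = bytes((seed + i) % 256 for i in range(32))
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " root@cap"


# Constructed sample data: the key "seen on the LAN", a different key that an
# on-path relay would present, and two known_hosts files caching each of them.
LAN_KEY = _constructed_ed25519_line(0)
ROGUE_KEY = _constructed_ed25519_line(7)
TRUSTED_FINGERPRINTS = {fingerprint_md5(LAN_KEY)}   # what you wrote down on the LAN
RELAY_HOST = "cap-example.invalid"                 # placeholder relay hostname
KNOWN_HOSTS_OK = f"{RELAY_HOST} {LAN_KEY}\n"
KNOWN_HOSTS_BAD = f"# cached after a connection through an untrusted path\n" \
                  f"{RELAY_HOST},10.0.0.5 {ROGUE_KEY}\n"

if __name__ == "__main__":
    print("LAN fingerprint:", fingerprint_md5(LAN_KEY), fingerprint_sha256(LAN_KEY))
    print("cache matches LAN key:", verify_cached_host_key(KNOWN_HOSTS_OK, RELAY_HOST, TRUSTED_FINGERPRINTS))
    print("cache matches rogue key:", verify_cached_host_key(KNOWN_HOSTS_BAD, RELAY_HOST, TRUSTED_FINGERPRINTS))
```

In practice the trusted set is the output of the `ssh-keygen -lf` loop above, saved while connected over the LAN, and the known_hosts text is read from `~/.ssh/known_hosts` on the machine that later connects through the relay; either fingerprint format can be recorded, since both are checked.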

spatiald commented 8 years ago

Update...it works. Current installer.sh needed one line tweaked but, otherwise, it runs well. Tested with SSH and HTTP. I haven't tested VNC yet but believe it will work fine.

Working on incorporating it into the configure script.

Check the wiki for examples of my install/uninstall.

j-schwartz commented 8 years ago

Amazing. So any thoughts on how we enable effective use of this feature? I mean, it'd be great to have a web dashboard or something where we could group devices. For instance, we have 50 caps in prisons in Oregon (and it sounds like we'll have another large order in Kentucky also). The group in Oregon put together a content package and now needs to update it for 50 units. It'd be great if we could manage that for them, such that we know which CAPs are theirs, what content we need to push onto them, etc.

Just kind of beginning to brainstorm, but I know BRCK has something like this.

Excited to test it out.

On Wed, Oct 21, 2015 at 1:14 PM Sam Kinch notifications@github.com wrote:

Update...it works. Current installer.sh needed one line tweaked but, otherwise, it runs well. Tested with SSH and HTTP. I haven't tested VNC yet but believe it will work fine.

Working on incorporating it into the configure script.

— Reply to this email directly or view it on GitHub https://github.com/rachelproject/rachelplus/issues/33#issuecomment-150012128 .

spatiald commented 8 years ago

Added to the config script...please test and let me know. The installer is in the main menu. Just run it again to add additional services. The uninstaller is in the Utilities (since we prob won't need it that often).

Let me think on the management topic. Some quick thoughts: that could be a nightmare or maybe not. There is a cost to Weaved over the personal limit of 10 devices. Also, the connection is limited to 30 minutes. So an effective update mechanism is essential for large files (i.e. using linux tools to background update processes). I am also not sure the prison CAPs should be connected to the internet during operation. Was that their idea?

j-schwartz commented 8 years ago

The weaved guys actually love what we're doing. They certainly signaled they'd like to help as part of our nonprofit mission. They had mentioned $1 / year / device for 'enterprise' accounts, but really just seemed more excited about our concept than trying to make money off of us.

The prisons are incredibly geographically diverse. With this new Oregon law library package, the administrator in Eugene is planning to drive to each CAP (some a day away) to do the work. He would love to be able to have someone just plug them into internet at home and let us/him do the work of adding that package remotely. They won't be plugged into the internet at the facilities though. Local administrators generally have no linux experience, no internet, and no ability to install FTP or SSH services on their local Windows machines.

On Wed, Oct 21, 2015 at 2:12 PM Sam Kinch notifications@github.com wrote:

Added to the config script...please test and let me know. The installer is in the main menu. Just run it again to add additional services. The uninstaller is in the Utilities (since we prob won't need it that often).

Let me think on the management topic. Some quick thoughts: that could be a nightmare or maybe not. There is a cost to Weaved over the personal limit of 10 devices. Also, the connection is limited to 30 minutes. So an effective update mechanism is essential for large files (ie using linux tools to background update processes). I am also not sure the prisons CAPs should be connected to the internet during operation. Was that their idea?

— Reply to this email directly or view it on GitHub https://github.com/rachelproject/rachelplus/issues/33#issuecomment-150025750 .

bnordha commented 8 years ago

I think this is a great added functionality which opens up the door for some great opportunities. Besides updating content and getting diagnostic, I think it would be great to be able to collect usage information in order to determine what content/app is popular and what is not.

I have been managing the content for two remote schools (Zambia and Philippines) on the C3 solution from Critical Links. A few things to note regarding content

1) In a school setting, content actually is not updated very frequently. In the case of Zambia, they bring their device to an office with internet connection every 4 – 6 months.

2) Any content update should be automatic and resilient, like Dropbox or Google Drive. I never know when they actually connect the device, and I have pushed large amounts of content (>4GB) over very thin pipes, which can take days.

spatiald commented 8 years ago

I completely agree with both of your comments re management. I only raise concerns for the prisons and Jeremy somewhat alleviated those concerns.

Jeremy, question on the prisons. If the CAPs are not connected to the internet, wouldn't the administrator in Eugene still have to drive to each CAP to plug it into the internet for remote connect/management? Or would he just ask someone to "plug them in"?

Bernd, agree on your comments. Remote, automated updating is the next step in this process. I think we are working our way to that ability. Right now, we can manually update them when asked to support. That is a huge step in the right direction. Since Weaved knows when a CAP is online, we should be able to (1) send a text message (via email) to the administrator of a CAP to let them know and (2) automatically check the CAP for current content. Ultimately, a CAP admin should be able to request new content and have that content downloaded/installed the next time a CAP is online.

I also think usage data is important. How to collect that is another challenge (however, I am sure it has been done before). Maybe Google Analytics would work for us.

spatiald commented 8 years ago

Updated the install/uninstall code for Weaved in the configure script. Let me know how it works.

NOTE: You will need a Weaved account in order to use Weaved.

@j-schwartz my account username is sam@hackersforcharity.org (in case you need to let Weaved know)...I would like to test the "enterprise" level service if that's possible.

edresor commented 8 years ago

Sam and Jeremy,

Below are two thoughts from my current work. Once you guys have done a test, I would like to set up some tests with Bonface in Kenya.

One: Can Weaved work through multiple private networks?

From Weaved FAQ:

  "Does Weaved work over cellular connections?"

"Yes. Weaved is the only VPN solution that works universally over CGN (Carrier Grade NAT) without a public IP address. In fact your device doesn’t need a public IP address on a cell network and we can still get you connected."

Most VSAT ISPs (and possibly some cell phone network providers) do not provide public IP addresses without special monthly charges. In addition, RACHEL servers are often behind another router. If Weaved could get through these multiple address translations, that alone could make Weaved worth the cost.

Two: Adjustable timeouts to allow for satellite delay

I could not find any mention of this. I hope this feature will be available as Weaved seems to be serious about global coverage. It's better to be able to work slowly, than not at all. However, extra long timeouts could frustrate other users, so that is why adjustable timeouts would be nice.

If Weaved can help set up connections for various ports, we might be able to use alternatives to SSH such as Mosh that have been developed to deal with this delay problem. Mosh uses UDP packets instead of TCP connections.

Many types of VPN encryption work extra slowly over satellites, including HTTPS. Syncing with Learning Equality, for example, is often not possible. I have given up on this. RTT times from ping tests often average over 1,000 ms and run as high as 3,000 ms.

We might want to actually try doing some work without encryption. Many files do not need to be encrypted.

Most satellite ISPs have a system to spoof TCP to run faster by sending acknowledgements from the near end and getting TCP to ramp up its transmission speed and then checking that the true acknowledgements do arrive from the far end. However, with encryption these spoofing systems may not work.

I would be happy to email someone at Weaved about this if you have a support contact.

All for now, Ed

spatiald commented 8 years ago

Weaved's primary purpose will be to provide us with a remote help desk support capability that won't require any end user configuration.

As far as I know, all updates will be http or https, depending on the updates. 

We should be testing this in Uganda soon. Ed, if you have another test location, email me and we can work the details.  

j-schwartz commented 8 years ago

So on my cap I run:

wget https://raw.githubusercontent.com/rachelproject/rachelplus/master/cap-rachel-configure.sh -O /root/cap-rachel-configure.sh; bash /root/cap-rachel-configure.sh
1) online
5) install weaved

but the process seems to hang after: [*] Installing Weaved service.

[*] Downloading required files. [+] Command successful.

Anyone else having this issue?

spatiald commented 8 years ago

Could you do 2 things:

Thanks!

j-schwartz commented 8 years ago

I think this (perhaps unsurprisingly) was my bad. My cap was still running a 1.2.10, not a 1.2.15.

Once I re-imaged with your USB recovery and ran the script, weaved installed just fine. Thanks, Sam.

spatiald commented 8 years ago

No worries, thanks for the feedback

bnordha commented 8 years ago

Works beautifully.

I used your script to uninstall my previous installation, installed the weaved service on ports 22 and 88, and everything worked great.

spatiald commented 8 years ago

@edresor Do you have a CAP at a location over a sat hop that you could install Weaved onto for testing?

edresor commented 8 years ago

Sorry for the slow reply.

Yes. This is a priority for us, but it will take some time to set up. Bonface is in Tanzania and the woman up in South Sudan is overloaded.

I will do it first on my unit here so I can support them. Of course, I do not use a satellite link from NYC.

I will keep you posted on my progress.

Ed

j-schwartz commented 8 years ago

New Weaved installer available specifically for the CAP:

https://github.com/weaved/installer/blob/master/Intel_CAP/README.MD

spatiald commented 8 years ago

That's nice of them...I'll add that to our configure script as an option. Should be super clean.

spatiald commented 8 years ago

Weaved installer incorporated into configure script...opening new issue for merging their "new CAP install" script into ours.

spatiald commented 8 years ago

Added the installer option to our configure script - it's called "Install-Default-Weaved-Services"

There are a couple issues that I posted as a bug to our GitHub issues page; it should be fixed as of commit f59f82f https://github.com/rachelproject/rachelplus/commit/f59f82f80f4de51b4080727bf53beb38c0f4e55e