Backup fail

So a few weeks ago our trusty NAS’s hard drives decided to be unhappy. No worry, I thought, as I shut down the NAS and replaced the HD with a spare. Unfortunately, the HD enclosure decided that its time was over and never came online again.

No worries, I thought, I’ll just order a replacement. The replacement duly arrived and I transferred the hard disks to the replacement unit. All was well till the following Sunday when I woke up with I/O errors when I ssh’d to the machine. Checking MDADM showed that all 3 drives had detached from the enclosure. Luckily after a reboot everything came back and I decided to monitor it and make sure everything was backed up.

Backups were running and I thought that even if it all went down I would be able to restore from backups. I would be safe, or so I thought. Sure enough, the NAS did the same thing the following weekend. This time sadly the RAID5 array did not come back up. To compound matters, the backups of the machines’ home directories consisted entirely of symlinks. Luckily I had a single backup of my home directory. Siobhan was not so lucky. We also lost the contents of an old hard disk from the laptop from my pre-transition days.

We recovered what we could and rebuilt. This time I decided to try out using LVM to run the RAID rather than doing it at the disk level with MDADM, which wasn’t particularly successful. Each time I set up a test RAID1 volume it would complain about a bad superblock on reboot. At that point I decided enough was enough with using ARM SBCs with their older Linux kernels and just decided to replace the SBC with a second-hand desktop PC.

A new PC was acquired from eBay and arrived that week. It’s a lot bigger than the old SBC but it runs the latest Debian and doesn’t consume huge amounts of power. It’s a bit overkill but has been stable so far, which is the most important thing.

GRE tunneling for fun and profit.

I recently subscribed to Netflix and, being in the UK, I found that they have loads more available in the US to watch. To get around this in a way that would also allow me to stream programmes to my Chromecast is actually quite complicated. As I have a small Linux box on my network to provide IPv6 via a tunnel, I thought I would allow this to also allow access via a GRE tunnel to a VPS running in the US.

The first thing you need to do is set up the machine in the US so it can do NAT, just like your home router can, with the following:

# Enable IPv4 forwarding.
echo 1 > /proc/sys/net/ipv4/ip_forward

iptables -F FORWARD

# Allow replies to connections that are already established.
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# <SOURCE_NETWORK> is a placeholder: the source network is missing from the original post.
iptables -A FORWARD -s <SOURCE_NETWORK> -j ACCEPT
iptables -t nat -A POSTROUTING -s <SOURCE_NETWORK> -o eth0 -j MASQUERADE
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A INPUT -i tap+ -j ACCEPT
iptables -A FORWARD -i tap+ -j ACCEPT

iptables -A INPUT -i us-gre -j ACCEPT
iptables -A FORWARD -i us-gre -j ACCEPT

# The catch-all REJECT goes last: FORWARD rules appended after it are never reached.
iptables -A FORWARD -j REJECT

You then need to set up a GRE tunnel between your VM running in another country and your home network. One thing to be aware of is that GRE tunnels use a specific IP protocol number rather than TCP or UDP. This means that you need to either activate an option on your router which enables this or set up the machine doing the routing on your home network as the DMZ host.

I used the following to set up a GRE tunnel on the VPS which will forward all data to my home network over the tunnel (my home network has addresses in the 192.168.x.x range).

# Values in <ANGLE_BRACKETS> are placeholders for addresses missing from the original post.
ip tunnel del us-gre
ip tunnel add us-gre mode gre remote <REMOTE_IP> local <LOCAL_IP> ttl 255

ip link set us-gre up
ip addr add 192.168.X.1/24 dev us-gre

echo add routes

ip route add <DESTINATION> via 192.168.X.10 dev us-gre
#ip route add <DESTINATION> dev us-gre

Once you have everything set up on the VPS VM, you need to do the same on your home network with the following:

# Values in <ANGLE_BRACKETS> are placeholders for addresses missing from the original post.
# VPN hosts.
ip rule add from 192.168.0.x table vpn

# Add default routes for vpn table.
ip route add default via <GATEWAY_IP> dev tun0 table vpn

ip route flush cache

ip tunnel del us-gre
ip tunnel add us-gre mode gre remote <REMOTE_IP> local <LOCAL_IP> ttl 255

ip link set us-gre up
ip addr add <TUNNEL_ADDRESS> dev us-gre

echo add default route

ip route add <DESTINATION> via <GATEWAY_IP> dev us-gre table vpn

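You will also need to run the following to add a table so you can have different routing destinations for different hosts which route via this machine. Because the commands above refer to the table by the name vpn, this entry has to exist before they are run.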

echo 200 vpn >> /etc/iproute2/rt_tables

In order to make a machine use the tunnel, you need to adjust your DHCP settings so the machine you want uses the machine with the tunnel as its default route. Once this is done, you use:

# <HOST_IP> is a placeholder: the host address is missing from the original post.
ip rule add from <HOST_IP> table vpn
ip route flush cache

on the machine with the tunnel on it. This creates a rule which makes the requested machine use a different routing table to all other traffic.
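
How the kernel chooses a route once that rule exists, as an added Python model (not the author's code, and it does not touch the real routing tables): rules are tried in priority order, and a table with no matching route falls through to main, so a selected host quietly leaves by the normal uplink if the tunnel route disappears. The addresses, the egress helper and the unreachable guard route (ip route add unreachable default metric 1000 table vpn) are assumptions of this example, not steps from the post.

```python
import ipaddress


def lookup(table, dst):
    """Longest-prefix match, then lowest metric; None when nothing matches."""
    dst = ipaddress.ip_address(dst)
    hits = [(-ipaddress.ip_network(prefix).prefixlen, metric, target)
            for prefix, target, metric in table
            if dst in ipaddress.ip_network(prefix)]
    return min(hits)[2] if hits else None


def route(rules, tables, src, dst):
    """Try ip rule entries in priority order; the first table with a match wins."""
    src = ipaddress.ip_address(src)
    for _prio, selector, name in sorted(rules):
        if src in ipaddress.ip_network(selector):
            target = lookup(tables[name], dst)
            if target is not None:  # no route in this table: go on to the next rule
                return name, target
    return None, None


# Constructed sample state: every address here is an assumption for illustration.
MAIN = [("192.168.0.0/24", "eth0", 0), ("0.0.0.0/0", "eth0", 0)]
TUNNEL_DEFAULT = ("0.0.0.0/0", "us-gre", 0)
# Hypothetical guard: ip route add unreachable default metric 1000 table vpn
GUARD = ("0.0.0.0/0", "unreachable", 1000)
RULES = [
    (32765, "192.168.0.50/32", "vpn"),  # ip rule add from 192.168.0.50 table vpn
    (32766, "0.0.0.0/0", "main"),       # built-in rule: from all lookup main
]


def egress(vpn_routes, src, dst="198.51.100.7"):
    """Return (table, target) for a packet from src, given the vpn table contents."""
    return route(RULES, {"main": MAIN, "vpn": vpn_routes}, src, dst)


if __name__ == "__main__":
    print(egress([TUNNEL_DEFAULT], "192.168.0.50"))         # selected host uses the tunnel
    print(egress([TUNNEL_DEFAULT], "192.168.0.20"))         # other hosts use main
    print(egress([], "192.168.0.50"))                       # tunnel route gone: falls to main
    print(egress([TUNNEL_DEFAULT, GUARD], "192.168.0.50"))  # guard idle while tunnel is up
    print(egress([GUARD], "192.168.0.50"))                  # tunnel route gone: fails closed
```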