TiVo Community
Old 11-26-2005, 01:07 PM   #1
ptruman
Registered User
 
Join Date: Jan 2003
Posts: 190
Hurrah - away with OrenoSP!

Hi all,

I've been using OrenoSP to gain access to my TiVo externally.
For those who don't know OrenoSP, it's a reverse proxy you run on a PC on your LAN, and you connect to it from the internet, and it forwards connections to TiVo. Nice and secure etc etc.

However, due to my PC being somewhat irksome atm, I've got a nicer solution, which may be of interest to a few people.

I have acquired a Linksys WRT54GS (802.11G wireless broadband router). It's upgradable with 3rd party open source firmware.

I've now got said router running the Sveasoft f/w, and I can SSH into the router, and then tunnel into TiVo (or anything else on the LAN).

Much more secure than OrenoSP, and doesn't need my PC on!
And of course, there are mobile SSH clients too, so you can access it on the move...

The router costs about £50 to £80 and the SSH software is free. OrenoSP is now > £150 - although I have an old copy if anyone wants it!

Tutorials available on request if anyone wants them.
__________________
--
1TB TiVo Series 3 (VirginMedia)
--
250GB TiVo Series 1
Rev 2.2 Cachecard + WLAN > Ethernet > Internet
TiVoWeb, EndPad, TyStudio (currently being fixed!)
Old 11-26-2005, 03:42 PM   #2
mike0151
A Friend of Dot
 
Join Date: Dec 2001
Location: Liverpool, Merseyside, UK
Posts: 752
Why not just post the tutorial?

Mike
__________________
6020 since Feb 2001, 1 x 500Gb, Freeview, TurboNet and TiVoWeb
6022 since Feb 2003, 160Gb, Freeview, TurboNet and TiVoWeb;
Old 11-27-2005, 06:15 AM   #3
ncjok
Registered User
 
Join Date: Jun 2005
Posts: 27
Can your TiVo now securely serve TiVoWeb as well?
Old 11-27-2005, 08:40 PM   #4
beastman
Registered User
 
Join Date: May 2002
Posts: 141
ptruman - do you know if a wired Linksys router can do the same thing?
Old 11-28-2005, 02:24 AM   #5
tefster
Registered User
 
Join Date: Mar 2004
Location: London (NE), UK
Posts: 300
>Can your TiVo now securely serve TiVoWeb as well?

If you have an SSH tunnel to inside of your LAN then you can tunnel TivoWeb through it.

I do a similar thing, but instead of ssh/tunneling via the router I ssh directly into the TiVo instead and securely browse TivoWeb through the ssh tunnel. That does eat a tiny amount of the Tivo's CPU time when browsing TivoWeb, but I've not seen it cause any problems so far.
Old 11-28-2005, 09:24 AM   #6
Fozzie
Registered User
 
Join Date: Sep 2001
Location: Alton, Hants, UK
Posts: 837
Is there a quick guide to setting this up tefster? I'm currently using orenosp but having seen the figures people are posting for electricity usage when leaving a PC permanently on, I'm looking for a 'cheaper' solution!
Old 11-28-2005, 11:55 AM   #7
tefster
Registered User
 
Join Date: Mar 2004
Location: London (NE), UK
Posts: 300
There's an instruction guide within the README in the tarball here,
give it a whirl and let me know how you get on, a couple of
people have downloaded it but the only person so far whom I've
heard feedback from was one of the OzTivo guys who couldn't
get it working due to some weirdness in the C runtime library
version that they are using there.
Old 11-28-2005, 01:01 PM   #8
Fozzie
Registered User
 
Join Date: Sep 2001
Location: Alton, Hants, UK
Posts: 837
Cheers tefster. Will give it a crack tomorrow night when I've a bit more time.
Old 11-28-2005, 01:23 PM   #9
Fozzie
Registered User
 
Join Date: Sep 2001
Location: Alton, Hants, UK
Posts: 837
As an aside, can anyone compare/contrast opening up a port on the firewall and forwarding it to Orenosp running on a Windows box or forwarding it to an SSH server running on Tivo?

TIA.
Old 11-30-2005, 02:12 AM   #10
dimmyr
Registered User
 
Join Date: Nov 2005
Posts: 3
Any chance you could post or post a link to your old, pre 1.0 version of OrenoSP?
Old 11-30-2005, 04:21 AM   #11
tefster
Registered User
 
Join Date: Mar 2004
Location: London (NE), UK
Posts: 300
>As an aside, can anyone compare/contrast opening up a port on the firewall and forwarding
>it to Orenosp running on a Windows box or forwarding it to an SSH server running on Tivo?

The main difference is less reliance on an extra box being up and running.

Running a tunnel via Orenosp and opening a firewall port to it means that you need an extra PC running all the time in order to access TivoWeb, however you do have the benefit of not having to run SSH server software on your Tivo and what's exposed to the outside world (Orenosp) is fairly well tested and stable.

Running an ssh server on the Tivo means having extra software in place on it, but does also mean that you don't need an extra PC running all the time in order to access TivoWeb. However when you are logged into it then as with any software the ssh server will eat up some CPU time, providing you aren't doing massive amounts of data transfer then I doubt that would be a problem though, certainly I've sat in front of Tivoweb/ssh tunnelled sessions and had recordings/play running without a problem. However, the dropbear ssh server port for the Tivo hasn't been hugely stress tested, and the kernel version that the UK TiVos run on is quite old, and so I'm not sure how well they would stand up to say a sustained SYN packet attack.
Old 11-30-2005, 01:03 PM   #12
Fozzie
Registered User
 
Join Date: Sep 2001
Location: Alton, Hants, UK
Posts: 837
Am I right in saying that you need to have a specific client installed on the remote device, such as Putty? This would be a major drawback for me if it is, as I often access Tivoweb from my Smartphone.
Old 11-30-2005, 02:09 PM   #13
tefster
Registered User
 
Join Date: Mar 2004
Location: London (NE), UK
Posts: 300
Putty does SSH but there are SSH clients available for almost all platforms, I've SSH'd into my TiVo from my P900 phone, via the web (Java SSH client applet), etc.

For tunneling, it can be a bit more restrictive as not all clients will set up tunnels,
but there are certainly Java clients which do and so which should run on most
smartphones, and I've used native binary ports of PuTTY on Symbian smartphones
Old 11-30-2005, 02:43 PM   #14
Fozzie
Registered User
 
Join Date: Sep 2001
Location: Alton, Hants, UK
Posts: 837
Guess I'll have to do some digging to see if there's a client for the proper Smartphones (with a capital 'S') i.e. Windows Mobile 2003SE/5
Old 12-04-2005, 03:35 AM   #15
Fozzie
Registered User
 
Join Date: Sep 2001
Location: Alton, Hants, UK
Posts: 837
Quote:
Originally Posted by tefster
There's an instruction guide within the README in the tarball here,
give it a whirl and let me know how you get on, a couple of
people have downloaded it but the only person so far whom I've
heard feedback from was one of the OzTivo guys who couldn't
get it working due to some weirdness in the C runtime library
version that they are using there.
I've just given this a whirl but am getting:

Code:
./dropbearkey: error in loading shared libraries
libcrypt.so.1: cannot open shared object file: No such file or directory
Any ideas?
Old 12-04-2005, 02:24 PM   #16
tefster
Registered User
 
Join Date: Mar 2004
Location: London (NE), UK
Posts: 300
Hmm, it should have the crypt routines compiled into the static binary. Unfortunately my
aging Wireless Access Point seems to have finally and so I can't get into my TiVo remotely
at present to check, when I get home I'll telnet into it and see if I have libcrypt on there.
Old 12-05-2005, 05:43 PM   #17
Fozzie
Registered User
 
Join Date: Sep 2001
Location: Alton, Hants, UK
Posts: 837
Quote:
Originally Posted by tefster
Hmm, it should have the crypt routines compiled into the static binary. Unfortunately my
aging Wireless Access Point seems to have finally and so I can't get into my TiVo remotely
at present to check, when I get home I'll telnet into it and see if I have libcrypt on there.
Did you manage to find anything tefster?

Ta.
Old 12-06-2005, 02:26 PM   #18
tefster
Registered User
 
Join Date: Mar 2004
Location: London (NE), UK
Posts: 300
Odd, it seems that somewhere along the way I acquired a libcrypt in my /var/hack/lib, not
sure where it came from and I don't remember cross-compiling it but there you go. I need
to pull the drive tomorrow to re-do my network configuration with the new wireless bridge
and so I'll extract the libcrypt library and PM you it.
Old 12-06-2005, 06:47 PM   #19
Fozzie
Registered User
 
Join Date: Sep 2001
Location: Alton, Hants, UK
Posts: 837
Cheers
Old 12-07-2005, 04:31 AM   #20
tefster
Registered User
 
Join Date: Mar 2004
Location: London (NE), UK
Posts: 300
here you go
Old 12-07-2005, 01:00 PM   #21
Fozzie
Registered User
 
Join Date: Sep 2001
Location: Alton, Hants, UK
Posts: 837
Quote:
Originally Posted by tefster
Many thanks. But, I've still got the same error as before. I've created a /var/hack/lib and put the library in there and changed the permissions. I've also put a copy in /var/hack/bin and done the same but still the same error message.

What have I missed? Are there any paths or links that I need to set for /var/hack/lib, or anything like that?

Thanks.
Old 12-07-2005, 01:37 PM   #22
tefster
Registered User
 
Join Date: Mar 2004
Location: London (NE), UK
Posts: 300
If this is the first library that you've added into /var/hack/lib then you'll need to add
"export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/var/hack/lib" (without the quotes) to
your .profile (which might be in /var/hack/.profile or might be in /.profile)
Old 12-07-2005, 06:29 PM   #23
Fozzie
Registered User
 
Join Date: Sep 2001
Location: Alton, Hants, UK
Posts: 837
Thanks for that; another step forward.

Ok, Dropbear now running but unable to connect using PuTTY. Looking at the PuTTY log, it just seems to hang after "Connecting to a.b.c.d port 80". The PuTTY session window also appears to just hang.

Lo is Up on TiVo.

Any ideas? Thanks again.

Edit: Up and running now. It helps if you connect to the right port i.e. 22!

Last edited by Fozzie : 12-07-2005 at 07:46 PM.
Old 12-08-2005, 05:25 PM   #24
Fozzie
Registered User
 
Join Date: Sep 2001
Location: Alton, Hants, UK
Posts: 837
Got everything running perfectly with one exception. I can't get dropbear to start from rc.sysinit.author; I've tried most combinations of full paths in the shell script, .author and such like. The commands all work perfectly from a BASH prompt but reboot TiVo and everything but dropbear is started.

Any ideas/tips? Thanks again.

Last edited by Fozzie : 12-08-2005 at 05:39 PM.
Old 12-09-2005, 03:17 AM   #25
tefster
Registered User
 
Join Date: Mar 2004
Location: London (NE), UK
Posts: 300
You'll probably need to add the /var/hack/lib to your library path within the script, the
.profile is only called for login sessions. Try adding the LIBPATH statement above (the one
you added to your .profile) to the script before the dropbear invocation.
tefster is offline   Reply With Quote
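
The point made in the post above, that a boot script never reads .profile and so has to set the library path itself, as an added example (not tefster's script and not part of the dropbear port). Only `/var/hack/lib`, `libcrypt.so.1` and dropbear's `-p` option come from the thread; the binary's install path, the `PORT` variable and the `start_dropbear` name are assumptions.

```shell
#!/bin/sh
# Added example: boot-time start of dropbear with the library path set in
# the script itself. Assumed (not from the thread): the DROPBEAR install
# path, the PORT variable and the function name.
HACK_LIB="${HACK_LIB:-/var/hack/lib}"            # library directory from the thread
DROPBEAR="${DROPBEAR:-/var/hack/bin/dropbear}"   # assumed location of the binary
PORT="${PORT:-22}"                               # dropbear's default port

start_dropbear() {
    # Boot scripts are not login shells, so .profile is never read and
    # LD_LIBRARY_PATH has to be built here.
    case ":${LD_LIBRARY_PATH:-}:" in
        *":$HACK_LIB:"*) libpath=$LD_LIBRARY_PATH ;;          # already listed
        *) libpath="${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:}$HACK_LIB" ;;
    esac
    # The ${VAR:+...} form avoids a leading ":" when the variable is empty;
    # the glibc loader reads an empty entry as the current directory.

    # Report the failure that otherwise passes silently at boot.
    if [ ! -r "$HACK_LIB/libcrypt.so.1" ]; then
        echo "start_dropbear: $HACK_LIB/libcrypt.so.1 not found" >&2
        return 2
    fi
    if [ ! -x "$DROPBEAR" ]; then
        echo "start_dropbear: $DROPBEAR is not executable" >&2
        return 3
    fi
    case "$PORT" in
        ''|*[!0-9]*) echo "start_dropbear: bad port '$PORT'" >&2; return 4 ;;
    esac

    # Set the path for this one command only, leaving the rest of the
    # boot environment unchanged.
    LD_LIBRARY_PATH="$libpath" "$DROPBEAR" -p "$PORT"
}

# Called from the boot script as: <this file> start
if [ "${1:-}" = "start" ]; then
    start_dropbear
fi
```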
Old 12-09-2005, 03:37 AM   #26
Fozzie
Registered User
 
Join Date: Sep 2001
Location: Alton, Hants, UK
Posts: 837
Flippin' 'eck, you're clever I didn't think of that one! All working perfectly now. Thanks for all your help.

All I've got to get working now is the IP detection bit in Dailymail_jazz and I can keep the PC switched off (I don't have a static IP and my router doesn't support DynDNS updating and so I have to use DirectUpdate running on the PC).

One final question: Is there any way (or any point) in changing the SSH port number, perhaps to a higher, less likely to be probed number?

Thanks again.

Last edited by Fozzie : 12-09-2005 at 03:57 AM.
Old 12-09-2005, 04:15 AM   #27
tefster
Registered User
 
Join Date: Mar 2004
Location: London (NE), UK
Posts: 300
I don't use DynDNS any more as I have a static subnet coming into the house pipe, but
for a while I used this script to update a DynDNS account from a Linux box.

I haven't tried it on a TiVo, but in theory if you grab that, change the path of the shell, and
install the wget TiVo binary and OzTivo resolver library then you should be able to cron-enable the script and have it update your DynDNS account directly from the TiVo.

It wouldn't hurt to have it listening on a much higher port, I would also suggest
only opening up firewall access to it from known/trusted IP addresses and/or
subnets and not having it world-open.
Old 12-09-2005, 06:36 PM   #28
Fozzie
Registered User
 
Join Date: Sep 2001
Location: Alton, Hants, UK
Posts: 837
Excellent stuff. I've now got TiVo detecting my WAN IP address and updating my DynDNS account. PC can now formally be switched off!

One final question: I'm happy about changing the listening port on the non-TiVo/remote end of the tunnel. Is there any way though of changing the port that the SSH tunnel establishes with, or is it fixed at 22?

Many thanks again for all your help with this. My electric bill should be getting smaller from now!
Old 12-10-2005, 06:16 AM   #29
tefster
Registered User
 
Join Date: Mar 2004
Location: London (NE), UK
Posts: 300
No probs, glad I've helped the ozone layer a little

You can change the port which dropbear listens on by adding a -p <port> to its invocation
command. Or, rather than forward port 22 on your router to port 22 on the Tivo then if your
router allows it remap a higher port on the router's outside edge to port 22 on the TiVo.

You can also change the listening port for the tunnel (i.e. the port on your client machine
that you browse via) via the SSH command. E.g. if you have dropbear accessed via port 22
(the default) then you can do
    ssh -l tivo -L8080:127.0.0.1:80 <tivo_address>
to set up the client end of the tunnel to listen on localhost:8080
or
    ssh -l tivo -L1234:127.0.0.1:80 <tivo_address>
to make it listen on port 1234, i.e. change the first parameter on the -L command. If you
are using e.g. PuTTY then just change the "source port" parameter on the tunnel definition.

If you do change the dropbear access port to something other than 22 then for
command line ssh clients add "-p <port>", e.g.
    ssh -l tivo -p <dropbears_port> -L<localhost_port>:127.0.0.1:80 <tivo_address>
when you set the tunnel up.

Again though, I would definitely suggest that you restrict the IP addresses which can
access your dropbear port so that only known trusted IP addresses can access it.
Old 12-12-2005, 04:22 PM   #30
ptruman
Registered User
 
Join Date: Jan 2003
Posts: 190
Hmm, I go away for a while, and someone replies to my thread! :P

In answer to various questions :

1) The Linksys router won't serve HTTPS, it doesn't need to - SSH is the same as HTTPS, your traffic just goes through it (tunnelled) so it won't look secure, but it will be.

2) You need a Linksys WRT54G or WRT54GS to do this. Comet are knocking them out for about £49 for the G and £79 for the GS (54 and 125 Mbps versions respectively)

Make DAMN sure you get a V1, V2 or V3 router. V4s are problematic, and V5s are INCOMPATIBLE with the flash. The version is under the router, and the serial numbers on the box betray the versions. V5 serials start "CDFB".
Google, you'll find the lists (I've lost the link)

3) You do NOT REPEAT NOT need SSH running on TiVo, and DO NOT need anything on a PC. You just need the router!

4) I can post the 0.84 Oreno if needed, but seriously, just get the router
(it's SOOOO much nicer)

5) The Alchemy ROM runs WOL, so you can wake up your PC if you keep a note of the MAC address and have a WOL capable NIC. Highly useful.

6) The Alchemy ROM runs a DYNDNS client, so you don't have to remember your DNS IP etc....or run it on TiVo!

7) I have two WRT54GS routers running a Meshed WLAN via Alchemy (RAR!) and can get TiVo tystreams to run at 880 mbps via 802.11G. That's NOT bad...

THE INSTRUCTIONS!

You also need the Sveasoft Alchemy public ROM.
That's available here > http://www.sveasoft.com/modules/phpB...fo&file_id=146
Thats available here > http://www.sveasoft.com/modules/phpB...fo&file_id=146
HOWEVER you need to register

Flash your router in the normal Linksys way (read the manual!)

Go to the admin page, enable SSHD, DISABLE password login, and set the SSHD to 443 (compatible with most firewalls)

Make VERY sure you follow the bit which reads :

nvram set rc_firewall="/usr/sbin/iptables -I INPUT 1 -p tcp --dport 7490 -j logaccept"
nvram commit

But change 7490 to 443 (or whatever port you're using!)

Follow the instructions at http://hetos.de/sshtut.html
You'll need Putty and PuttyGen (available at http://www.chiark.greenend.org.uk/~s.../download.html)

This step is in conjunction with the HETOS info above.

Then, from wherever you are, with an SSH client and a copy of your private key, you can connect to your public IP, and get a shell on your router.

From there, you can telnet to Tivo. Or, if you use Putty and the instructions on tunnelling from the HETOS site above, you can tunnel web connections into TiVo via your router.

All traffic encrypted, all via 443, "legally" via most firewalls - the snag being you MAY be in breach of work policies as you are opening a secured connection outside/through firewalls....

Either way, it's secure, and allows TiVo or more (Terminal Services anyone?) services to be opened up.....
__________________
--
1TB TiVo Series 3 (VirginMedia)
--
250GB TiVo Series 1
Rev 2.2 Cachecard + WLAN > Ethernet > Internet
TiVoWeb, EndPad, TyStudio (currently being fixed!)

Last edited by ptruman : 12-12-2005 at 04:33 PM.
ptruman is offline   Reply With Quote
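
tefster's advice earlier in the thread, to open the SSH port only to known or trusted addresses, applied to the firewall rule quoted in the post above, which accepts the port from any source. This is an added example, not ptruman's or Sveasoft's code: the function names are hypothetical, the sample addresses are constructed (documentation ranges), and how several rules are stored in `rc_firewall` on that firmware is left to its own instructions.

```shell
#!/bin/sh
# Added example: source-restricted variants of the rule quoted in the thread.
# Hypothetical names: valid_cidr, build_rules. Sample addresses are constructed.

valid_cidr() {
    # Accept a.b.c.d or a.b.c.d/n with octets 0-255 and n 0-32.
    addr=${1%%/*}
    case "$1" in */*) bits=${1#*/} ;; *) bits=32 ;; esac
    case "$bits" in ''|*[!0-9]*|???*) return 1 ;; esac
    [ "$bits" -le 32 ] || return 1
    case "$addr" in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $addr            # split the address into octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

build_rules() {
    # $1 = port sshd listens on; remaining arguments = trusted sources.
    port=$1; shift
    case "$port" in
        ''|*[!0-9]*|??????*) echo "bad port: $port" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || {
        echo "bad port: $port" >&2; return 1; }
    # With no source list the rule would be world-open again, so refuse.
    [ $# -gt 0 ] || { echo "no trusted sources given" >&2; return 1; }
    # Validate every source first so a typo never yields a partial rule set.
    for src in "$@"; do
        valid_cidr "$src" || { echo "bad source: $src" >&2; return 1; }
    done
    # Same rule as in the thread, with -s limiting who may reach the port.
    for src in "$@"; do
        echo "/usr/sbin/iptables -I INPUT 1 -p tcp -s $src --dport $port -j logaccept"
    done
}

# Constructed sample: one trusted subnet and one single trusted host.
build_rules 443 192.0.2.0/24 198.51.100.7
```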