Installing and updating pihole on your Synology NAS Container Manager (docker)

Putting this here to help anyone else who needs it. I see lots of talk about running containers on your Synology, but not a lot of help in understanding how to operate the Container Manager to install and update pihole. 

To install pihole on Synology NAS

1. Find and install Container Manager through Package Center
2. Start Container Manager and go to  Registry on left nav
1. go to the search bar and type pihole
2. highlight pihole, click on the download button...wait for it to finish
3. create a new Project
4. use the newly downloaded pihole:pihole/latest image
5.  update details/settings
1. set gateway
2. set IP address
3. check ports include 53 UDP, 53 TCP,  67 UDP, 8080 or 8081 TCP for web interface
6. Click on the Actions menu, and click Build

Update:

1. Stop the container
2. go to the Registry
1. go to the Search bar and type pihole. pihole will show up in the search results
2. click on the Download button...wait for it to finish
3. Go to the Project, 
1. click on the pihole project
2. click on Actions, click on Build

Synergy, restarting the service from the PowerShell command line because you need to...

I ran into a technical issue recently, and the solution wasn't available via simple Googling, so time for another post! 

I use Symless's Synergy application to work between a few machines at home, so I only need to use one keyboard and mouse across multiple screens and systems. Very handy, I recommend you check it out here: (non-sponsored link) Synergy - Share one mouse & keyboard across computers

It's been working fairly well between multiple systems. One of those systems is a laptop, with a docking station, and an external monitor. That one system has caused me issues, and here's how/when I rant into problems.

The scenario:

1) Use laptop, away from the laptop dock. Screen size is 1300x768 (whatever the screen size is). Works great. Synergy isn't really in play, but all good. No issues.

2) Put laptop to sleep, plug back into dock. Synergy links back up, and I can log back into the system using the keyboard plugged into the other machine...and the WQHD monitor connected to the laptop.

This is where the issue rears its head. Synergy thinks the screen is still the laptop-sized screen, instead of the external monitor that's being used. Illustrative example below. The laptop was operating at 1920x1280 (for example) but the external monitor is operating at 4k UHD...and Synergy hasn't adjusted from 1080p worth of real estate to the 4k resolution.

The net result is that you can't move the mouse to the lower right corner of the screen to get access to the Synergy app. You also can't restart the app inside the app itself, that I can tell.

What I have figured out is that I can restart the Synergy daemon from the command line and it will reconnect to the main Synergy-equipped computer, and will reassess the screen size. Here's how to do it:

1. On the affected computer (my laptop in my example) Hit the Windows key
2. Type [power...], find Powershell in the search result, and then choose Run As Administrator.
3. Wait for the powershell window to open.
4. Type [Restart-S][tab] [Syn][tab] will result in: Restart-Service 'Synergy 3 Daemon' [hit enter] (see below)
5. Wait for the restart, and then the Synergy should sync back up and you're good to go!

Let me know if this is useful!

Chris

Modern Problems Require Modern Solutions: Split-Tunnel Client VPNs

Spent some time lately thinking about the approaches to corporate client VPNs, during a time of a pandemic, which has changed how a number of companies are operating. Namely, organizations are relying on their ability to remotely enable their workforce. To do this efficiently, there are modern strategies and tactics built into products engineers and management should be familiar with in order to achieve the best end user experience, and most efficient use of remote access to the company's information assets. Turns out, good end user experiences will also create both network performance increases, and potential cost savings.

Chris

VPNs as an Enabler

Virtual Private Networks, or VPNs, by their nature, are designed to protect network traffic from a network or individual machine, to another remote machine, or network.  VPNs have been around for a long time, supporting and securing corporate network communications from laptops, desktops, and remote offices back to the main office or data center. 

In the case of a client VPN, you're connecting your desktop/laptop to the corporate network, so you and your machine can work just like it did in the office.

Yes, desktops can VPN too, especially in the days of 100% WFH because of Covid quarantining and "safe distancing". Companies are just as likely to ship a desktop to a person's home to establish a home office when people are WFH.

So let's walk through the progression of remote access solutions, and what's possible today, selective split tunneling.

Remote Access Solution #1: Decentralized Broad Internet Access Creates Problems

Back in the day...companies didn't have high bandwidth connections, to the home office, or to the Internet. Given that, Network Admins wanted to only Corporate traffic to come back to Corporate networks, allowing users to use the local Internet connections for general Internet access. This is called "split tunneling" because you're splitting the VPN tunnel to allow network traffic outside the VPN, to access local or Internet resources. This saved on Corporate expenses around Internet bandwidth, and other overhead in managing people's Internet traffic.

There are potential problems with deciding routing for Internet traffic at the client level. Say you only route "company" traffic back to the company over a VPN. Or, in the case of a remote office, say you access the Internet using the local office connection, and you only route "corporate" traffic back to the "home office". Something like this:

The problem with this configuration is primarily that there may not be the same Internet controls, like URL filtering or other network security monitoring controls in place in each remote office, or on each client, to protect the company's assets from compromise.

Short-sighted companies without cybersecurity guidance frequently chose this configuration to save on costs and "create network efficiencies". 

Companies with information security expertise would tend to gravitate to solution #2...

Remote Access Solution #2: Centralizing Network Security Monitoring is Popular

This is the model we've been using since 1995, at least. Here's a basic example of what a traditional corporate VPN looks like because of the aforementioned issues with decentralized Internet access.  

In this example, the VPN Gateway is typically at your Corporate HQ/Data Center, and you get access to both local resources and the Internet, including all your SaaS providers like Office365, or Service Now, or Zoom, or WebEx, etc. 

The advantage to this is primarily network controls and visibility, since all traffic from the client comes back to the centrally managed, on-premise corporate information security controls. This includes things like

• Network traffic monitoring through IDS/IPS
• Basic firewalling, blocking general network access to both local networks and the Internet, since you won't know whether or not the laptop is in a hostile airport or hotel network or an unmaintained home network. 
• Category-based and specific URL blocking/permissions/reporting
• "next gen" firewall application security capabilities, monitoring application layer traffic
• network monitoring for data loss prevention (DLP) capabilities

Remote Access Solution #3: Selective Split Tunneling

As corporate software solutions have evolved to more Software-as-a-Service (SaaS) models, more of what we use in the day-to-day has moved to web-based, Internet-based service and software portals, companies have been moving to add more Internet bandwidth, adding SAML-based authentication, and providing more scrutiny and assessment of SaaS providers who provide business essential services.

Cyber-mature organizations will see a new way forward, to move beyond the Standard Corporate VPN, to enable both efficient use of network and Internet traffic, as well as maintaining expected and required cybersecurity controls.

This is still called VPN Split Tunneling, but is more appropriately called, Selective Split Tunneling. Here's what this looks like, from a Cisco WebEx perspective:

 

From: https://woland.com/2020/03/30/dynamic-split-tunneling-a-covid-19-best-practice/

And, from a SaaS industry perspective, *ALL* of the high bandwidth SaaS application providers are going to recommend split tunneling Corporate VPNs for their services. I've seen this from Zoom and O365, as well.  Here's the O365 guidance.

From: https://docs.microsoft.com/en-us/microsoft-365/enterprise/microsoft-365-vpn-split-tunnel?view=o365-worldwide

The controversy; dogma, NIST and current realities

If anyone has a rub with this design, its typically because dogma would have you believe split tunneling is risky behavior. May older information security frameworks, based on a compliance regimen, still prescribe that spilt-tunneling opens organizations up to additional risk. Traditional guidance on this topic is probably 10-15 years old. 

"Thou shalt not split tunnel VPNs!" 

That guidance was fine when VPNs only had two settings: no split tunneling, and only split the tunnel for specific networks you want to run through the VPN. But times have changed.

Modern problems require modern solutions

These days VPN capabilities are more robust and more capable, allowing for split tunneling for Zoom or Office 365, or other SaaS solutions. Companies should do this *if, and only if* a company is assessing their SaaS solutions for cybersecurity controls prior to their use. "Trust but Verify".

Allowing SaaS traffic to operate outside of the Corporate VPN should only minimally increase risk. The top SaaS solutions should care about and are taking actions to protect their traffic (Zoom was challenged on this point for a while in 2020, though, to be transparent). As a part of your own Vendor Risk Assessment, you should validate that a vendor is encrypting traffic between your clients and the SaaS provider.

But, but, but, you can't see or stop "bad" traffic!

Sure, you may not have network monitoring. You have to check your assumptions and ask yourself if you really have that visibility today. Do you intercept SSL? Would you intercept Zoom calls? Would you intercept WebEx? My bet is no.

Conclusion

I'd argue there's less reason, and little risk, to push full SSL-enabled web traffic through a VPN to partner organizations where the controls have been evaluated and understood, with contracts to enforce them. Yes, partner compromises happen (ahem Target), so it's highly dependent on the situation, but it seems like we should be taking a risk-based approach and not be just repeating dated dogma.

What points did I skip over, or miss? Or do you interpret differently? Comment below. Let me know what you think.

Chris

More info:

How to configure Cisco gear for split tunneling for O365, WebEx and Zoom: https://community.cisco.com/t5/vpn/split-tunnel-webex-outlook365-zoom/td-p/4049533

Fixing Steam 0 bytes available disk space issue when removing a drive from the system

 Ran into an issue this weekend, so I'm memorializing it here. 

I had two drives in my system, one SSD for the OS and one high capacity spinning drive for secondary, slower storage. The second drive is where I put my Steam Library.

I pulled the drive this weekend to put into another machine I'm using for temporary file storage while I migrate Synology servers (longer story). This 1TB drive was holding my Steam Library.

I went into Steam, and Steam recognized that the SteamLibrary folder was no longer present and set the default back to the C:\ drive. I thought I was all good.

Fast forward a week and I have picked up a used NVidia card, and wanted to test it out. Went to download/reinstall the game and Steam says there's "0 bytes available" even though there's no other Steam folder, and the DEFAULT is set to the C:\ drive.

Here's what I did, that wasn't covered by other posts and threads I found: 

1) Go to Steam Settings

2) then Downloads

3) then click Steam Library Folders

4) then right-click on the directory shown and click on Make Default Folder. (yes, yes, even though it says it's already the default)

5) then right-click on the directory again and click on Repair Library Folder. Steam will restart.

You're done. Try installing games again.

Synology, Mac OS X, OpenVPN and Tunnelblick

I'm putting this here so it shows up in your chosen search engine more easily.

If you have a Synology NAS, have the VPN Server installed, configured OpenVPN and use an Apple Macbook with OSX with Tunnelblick as your VPN client, you've probably seen this message:

Warning: This VPN may not connect in the future. The OpenVPN configuration file for 'Undercity OpenVPN' contains these OpenVPN options: 'comp-lzo' was deprecated in OpenVPN 2.4 and removed in OpenVPN 2.5 You should update the configuration so it can be used with modern versions of OpenVPN. Tunnelblick will use OpenVPN 2.4.4 - OpenSSL v1.0.2n to connect this configuration. However, you will not be able to connect to this VPN with future versions of Tunnelblick that do not include a version of OpenVPN that accepts the options.

All you have to do to ensure compression is enabled, through the config file is to replace one line in the ovpn config file you're using. Replace the line with

comp-lzo

with 

compress lzo

You won't have the warning message show up in the Log window after that.

Chris

LABRAT graffiti up and down Puget Sound

Rail bridge over I-5 South with
LABRAT KNATS graffiti.

Living in Puget Sound over the last decade, I've noticed tagging and graffiti with LABRAT or LABRAT KNATS across bridges downtown, by Lacey (picture below, the site of the recent train derailment) and down to Olympia, Washington (State).

To be clear, this graffiti is not mine, or is it associated with me. Just in case there was any question... (ha ha, lol)

(photo credit: Wikipedia)

Synology Let's Encrypt SSL certificate failure and ASUS AC68U

So...I was running my own SSL cert from a free SSL certificate provider SSLForFree.com but thought I'd try the built in capability of my Synology DS413J to provision one from Let's Encrypt for free.

I walked through the menus to find the Control Panel, Security, and Certificates tab. Once I walked through adding/replacing a cert, I receive this error:

For clarity, this is what it says:
     Get a Certificate from Let's Encrypt
   
     Failed to connect to Let's Encrypt. Please make sure your DiskStation and router have port 80
     open to Let's Encrypt domain validation from the Internet. All the other communications with
     Let's Encrypt go over HTTPS to keep your DiskStation secure.

I originally was thinking my router, an Asus AC68U, wasn't capable of forwarding port 80 because it uses that port for the web interface. Turns out that later software updates fixed this issue and is now able to pass the traffic from outside:80->Synology:80. All good.

I made sure Web Station was running. And it still failed.

Turns out, I think the biggest issue was that even though the screen suggests you should just use your top TLD, you really need to put in your full FQDN in both the domain name and the alternative subject name fields.

Then the wizard worked like a charm.

Good luck!
Chris