Korhonen.cc Blog

OpenWRT firewall rules with dynamic IPv6 prefix

2024-06-10T00:00:00-05:00

I recently got IPv6 connectivity at my house, so naturally I wanted to add IPv6 support for my server. I ran into some difficulties that I didn’t find documented in a single place so here is the solution I came up with.

The problem

I quickly discovered that my ISP is not doing the IPv6 support "right", they are not giving me a /56 prefix with prefix delegation but instead a /64 prefix that cannot be further divided into subnets. This is true for all mobile operators in Finland and I cannot get anything else in my current address so this will have to do.

The lack of prefix delegation means that I have to set RA and NDP to relay mode in OpenWRT and I have no control over the IPv6 addresses that are assigned to my devices. That in turn means I cannot create static firewall rules based on those addresses because they can change any time.

For a few weeks I got by with manually changing the firewall rules every time the prefix changed but that was not sustainable because I have a lot of firewall rules.

Turning off IPv6 SLAAC Privacy Extensions

While I couldn’t have a predictable prefix, I can have a predicatble suffix by turning off the IPv6 SLAAC Privacy Extensions on my server. This way the suffix (the host part) is derived from the MAC address of the device and it will always stay the same.

Privacy Extensions exist for a reason. It increases privacy by generating the host part of the IP randomly and changing the address from time to time. I don’t think that is a problem for my server because it is open to the public anyway. The main reason for Privacy Extensions is so that mobile devices can’t be tracked across networks and my server obviously stays in the same network all the time. It’s good to acknowledge that this effectively makes your MAC address public, but I don’t personally see an obvious risk in that.

I’m using NetworkManager on my server. You can turn off Privacy Extensions by locating your interface configuration under /etc/NetworkManager/system-connections/. On my server it was in the file Wired connection 1.nmconnection. Add/change the following lines in the [ipv6] section:

[ipv6]
addr-gen-mode=eui64
method=auto
ip6-privacy=0

After this, you can either restart NetworkManager or reboot the whole computer. Then your computer should have a new IPv6 address.

The logic by which the IPv6 address is calculated now is called EUI-64. I found a great tool to test and better understand it: the EUI-64 Calculator.

Dynamic prefix forwarding

I discovered that in OpenWRT firewall rules, part of the target address can be dynamic. This technique is called dynamic prefix forwarding. As I understand it, it is specific to OpenWRT, so this syntax doesn’t probably work in other firewalls. With this technique we can use the static host part we set for the server in the previous part as the firewall rule’s target IP address.

Server IPv6 address

2001:14bb:8ad:6b:f279:59ff:fe65:f9e4

Firewall rule target address

::f279:59ff:fe65:f9e4/-64

Here you can see the current IPv6 address of my server and the resulting firewall rule target address. The /-64 tells the firewall to ignore the first 64 bits of the address and only look at the 64 bits at the end, which is the host part.

For more information about the firewall configuration, you can refer to the OpenWRT wiki

Migrate Misskey root account

2023-12-10T11:41:08+02:00

I recently migrated my single user Fediverse server from Misskey to Firefish. During the migration I encountered an issue that I did not find documented elsewhere. I thought I’d write down the solution I found, in case anyone would benefit from it and save some time in the future.

I decided to migrate to a new domain at the same time, so the easiest way was just to create a new server and migrate my account and not fuss about migrating the Misskey instance itself.

Being a single user instance, my account was also the "root" account of Misskey. Misskey does not allow migrating the root account, if trying to do so, you will just get an error along the lines of "root cannot migrate".

Solution

I took to the database to find out what I can do bypassing the UI, and lo and behold, I found an isRoot column in the user table. I didn’t want to end up without a root account on my old instance however, so I went to the Misskey control panel and created a new account, simply called "root".

Misskey seems to save all of it’s known users to the user table, not only the actual local accounts. To find the local accounts only, you can use the following query

misskey=# SELECT id, username, "isRoot" from "user" WHERE host IS NULL;
     id     |  username   | isRoot 
------------+-------------+--------
 98wzsyrur6 | relay.actor | f
 9n1njqolcd | root        | f
 9n342nasd3 | marko       | t

Now you can simply make your new root account’s isRoot column true and your actual user account false. After that, the migration will work.

misskey=# BEGIN;
UPDATE "user" SET "isRoot" = true WHERE id = '9n1njqolcd';
UPDATE "user" SET "isRoot" = false WHERE id = '9n342nasd3';
COMMIT;

You should probably check that you only modified 2 rows before committing the transaction.

I would imagine that this solution should work for the numerous Misskey forks around, but I have not tested it so your results may vary.

If you found this post useful, make sure to share, tweet, toot, bleep and bloop this on your social media service of choice. If you have any issues with this process, you can leave a comment below and I will try to help you out.

Creating this site

2022-09-14T00:00:00-05:00

As seems to be customary on technology related blogs, the first post is about creating the blog itself. So here we are, this is the first post in my blog, detailing the steps I took to arrive here.

Assessing the options

I first got interested in static site generators years ago when my friend Fatih built his site with Jekyll. It felt very refreshing at the time since I was hosting my homepage on WordPress, which always seemed a little too bloated and overkill for my needs.

Jekyll

I tried setting up Jekyll multiple times during 2021 but got discouraged by the build process which involved specifying all sorts of bundles and gems for just for building the site (I never was very into Ruby to begin with). I also got to debug all sorts of build problems which were a result of my very specific requirements for the blog. I added multiple plugins which didn’t work together very well. The biggest hurdle to overcome was the fact that I wanted to use AsciiDoc as the mark-up language. Jekyll doesn’t natively support this so I had to use a plugin to bring in the functionality. This plugin specifically didn’t seem to work very well with the other plugins I required and the theme I had selected.

Anyways, I never got further with setting up the site so I put the project on the backburner. From the inception of the my current domain korhonen.cc in late 2020 until summer 2022 the main domain just showed a 404 error. I had a lot of self-hosted applications only on subdomains.

Hugo

After discovering Hugo I got very exited immediately. It seemed to be an answer to all of my problems. The main benefits were

Single binary
Support for AsciiDoc out of the box

Because of this, I got a basic site setup within a matter of minutes. No more fiddling with bundles and gems. I also didn’t require any other plugins since Hugo seemed to support everything I wanted natively.

Configuration

I opted to use the Hugo Toha theme for my site since it seemed to do well all of the things I wanted to accomplish with this site

A website where I can add any number of static pages (not blog posts)
- Information page about my PGP key
- Information page about my Arch Linux repository
Introduction and portfolio
A blog

The configuration of Hugo and the theme took quite a while but was well worth it. I now have a beautiful multipurpose site which is easy to maintain and expand.

Commenting system

I wanted to add support for users to add comments on the blog. While I usually self-host everything I can, this time I landed with Giscus. It’s built upon the GitHub discussions platform so all I needed to do was to create a repository in GitHub with the discussions feature enabled and configure it in Toha (the Hugo theme I selected).

I went through all of the options that Toha supported but none of them were self-hostable and I didn’t feel like implementing support for a different platform myself. This might be a cool future project at some point though.

Automating the build process

Update 2022-12-17: I have switched from Drone CI to Woodpecker CI. Woodpecker is a FOSS fork of Drone as Drone has moved to a proprietary license.

Update 2022-12-17 part 2: I have switched from Gitea to Forgejo. Forgejo is a FOSS fork of Gitea as Gitea seems to be moving towards a closed business model.

Update 2025-08-15: I have switched Woodpecker CI to Forgejo Actions. I actually switched a lot earlier but only now thought to update this site.

Over the years I have moved to different CI systems. The current system is Forgejo Actions. It’s basically the open source equivalent of GitHub actions and I really enjoy using it.

Relevant configuration files

Future plans

I don’t plan to become a regular blogger any time soon but if I find something that I think would be of value to other people, I will write about it here if I find the time and energy.

I really enjoy tinkering with Linux and self-hosting applications on my server so I might write some tutorials about these topics in the future. I’m also a passionate NeoVim user so I might write a post about my configuration sometime soon.

Just for fun, here is a screenshot of me writing this blog post. How meta of me 😃

Figure 1. A screenshot of me writing a blog post about this blog