Posts by infinity85

    Hi there,


    first of all I want to provide the solution to this Issue in form of a feature request:


    Please add those VPN tun0 rules as default into your iptables (for the non-considered regular user like me and others):

    Code
    iptables -F                                                              # flush every existing rule in the filter table
    iptables -A INPUT -i tun0 -m state --state ESTABLISHED,RELATED -j ACCEPT # replies to connections we opened over the tunnel
    iptables -A INPUT -i tun0 -j DROP                                        # everything else arriving on the tunnel


    These rules will filter only the tun0 interface in case an OpenVPN connection is established to a VPN provider (remote Server, which is not in your control) for overcoming geo-blocking or for IP anonymization etc. So only requested data will get to you (IPTV and scraping media coverarts will all work with that). All local connections (lcdproc, yatse, webserver, samba) will remain untouched by this.

    Now here's the long shot of the story as explanation why this is a concern of massive consequences:


    As nowadays many LibreELEC users consume not only local content, but also streaming content, they might use one of a lot of VPN Providers on the market to overcome geo-blocking or simply to mask their own IP Address to be anonymous during media scraping like Coverarts etc.


    Because of the demand to use VPN connections on LibreELEC, LibreELEC team reincluded OpenVPN and the user zomboided developed a mighty and very awesome addon VPN Manager for OpenVPN as well as lrusak provided his own one before. So the demand got heard :)


    The Problem with LibreELEC is that it was not meant to be used outside of the own LAN, thus no iptables rules are set as default and there is also no GUI for that or any addon that could provide you this. But fortunately iptables is integrated, so anybody can add his own rules, if he knows that they are mandatory on his setup. So this issue potentially exposes your entire local area network to the internet.


    BUT here's the massive security issue with some VPN Providers in combination with LibreELECs default setup:
    I can speak for my VPN Provider "PureVPN": PureVPN and probably many other VPN services assign an external IP to my/your LibreELEC device whenever you connect to one of their servers. The shocking point here is:
    Knowing this IP, everybody is able to access your LibreELEC system, bypassing the router's firewall as well as all its closed ports. This is an unbelievably massive security issue, because all ports are open (including SSH 22)!


    Obviously this is exactly how a VPN connection is working and why it was invented originally: People wanted an encrypted connection from workplaces or from vacation to their Network at home. So far so good, but the use case of overcoming geo-blocking or using VPNs to anonymize your own IP is different here: You are paying for a tunnel, of which you have only control on your own side (LAN), but not of the other side (the VPN Provider's remote servers). That means that a mean employee at your VPN Provider sees the IP assigned to you upon establishing the connection and gets access to your LibreELEC machine, and in an extreme situation to your whole LAN, although you have set up a quite secure Router-Firewall and NAT (everything gets bypassed).


    I was naive and didn't ever consider that a big VPN-Provider like PureVPN (and some others are doing the same) does not assign shared IPs upon an established VPN connection, but real 1:1 ones for every single VPN tunnel. I thought that it would be like NAT: Every unrequested connection coming from outside will be simply rejected. But that's not the case. PureVPN and some other providers simply route every single connection from outside to your client. So whenever you are surfing or streaming or so through their tunnel, every content provider or website logs your PureVPN IP, which points directly to your machine bypassing your router. They can simply type this IP into a browser and access your Webserver at Port 8080, or access through SSH.
    Comparison: If using a private VPN connection for connecting the home network to the working place network (vice versa), then you know the other side and have probably control of the server at the other end, also there might be a software firewall which does its part to security (Windows firewall doesn't help you, if established an OpenVPN tunnel). But here you don't know what is on the other side and you certainly don't want to be accessed without asking while you simply use netflix USA from Europe or so.


    And this is the frightening result of it:

    • Establish an OpenVPN connection with PureVPN
    • determine your external VPN IP: curl ifconfig.co --> Let's say you get this IP: 136.0.5.198
    • Everybody can SSH into your system now, just knowing your IP: 136.0.5.198:22 with root/libreelec (provided you have SSH activated with password)
    • Everybody can access your webserver at 136.0.5.198:8080, if you haven't set a password for it (default: not set). Even with password, it won't be hard for an attacker to breach it, I think.
    • You can be pinged with ping 136.0.5.198
    • This way everybody could also access your Samba shares and simply everything that is connected to your local network. Even if the router's firewall secures everything, the VPN tunnels from some of those VPN services are really dangerous for not so well informed people like me and many others. Anybody on the other side simply needs to guess or to read the IP and then they can get directly into your network no matter what router security configuration you have.
    • As this is a VPN tunnel IP, it passes through my WAN router and bypasses also all the closed ports of it


    The worst thing in case of LibreELEC is that the SSH user/pass are hardcoded: root/libreelec, so anybody who has SSH activated and did not deactivate the password, is accessible due to this shit of some VPN providers from all over the world with root/libreelec.


    The thing is that I was concerned about security before using VPNs for this purpose. And whenever you search for "VPN+security", it tells you that it is kind of safe. Even if I search now for keywords with the current knowledge, it is nowhere mentioned, that those services don't close all ports in your direction by default. So a normal user like I am, would simply assume that only connections established by me will cause inbound traffic. Just like it is if you are using a Windows computer with a browser: The Firewall or routers NAT will block everything that I did not request by typing it in into the URL bar.
    And anyways... I can't even think of any use case where somebody would like to have opened ports in his direction from remote servers, where he is not sitting (if the other side is not his own LAN).


    So.. What I want to say is: VPN Providers like PureVPN, IPVanish, PIA are nowadays (especially on MediaCenters like LibreELEC) not to be seen as a regular VPN tunnel, which is commonly known for secure connections between workplaces and your home network. After discovering this issue, I had the explanation why I had suddenly about 15000 infected files (by an ancient trojan) on my external hard drive some months ago, which is always connected to my Odroid C2, and no other system at home had this infection.


    Using another VPN Provider named PIA is also kind of strange: Mostly you land on a foreign computer (noticed because ssh user/pass didn't work). So it is also similar to PureVPN, except the IP is kind of random to many computers (real NAT would reject those access attempts).


    Quick workaround for those who encounter the same or who can successfully access their webserver via External-VPN-IP:8080 :

    • create an autostart.sh in: storage/.config/autostart.sh
    • with this content:
      Shell-Script
      #!/bin/sh
      iptables -F                                                              # flush every existing rule in the filter table
      iptables -A INPUT -i tun0 -m state --state ESTABLISHED,RELATED -j ACCEPT # replies to connections we opened over the tunnel
      iptables -A INPUT -i tun0 -j DROP                                        # everything else arriving on the tunnel


    • make it executable: chmod +x storage/.config/autostart.sh
    • Reboot the system and check whether the new rules are set in SSH: iptables -L
    • Then try again to ping your computer or access ssh via port 22. It should time out.


    Sorry for the long post :/. But I already brought this topic up in the german kodinerds forum and many users tried to explain to me that this is what VPN is for... but they didn't want to understand that this geo-unblocking usecase is a different matter in terms of VPN usage. And then some other users tested it and found out that they have the same issue with their VPN Providers and didn't notice that their network was exposed the whole time because of this.
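    The tun0 filter from the feature request and from the autostart.sh workaround above, generalized, as an added example that is not code from this post or from the LibreELEC project: a POSIX shell script that builds the tunnel-only inbound filter without flushing unrelated chains and checks the text of `iptables -S INPUT` to confirm the accept-established rule sits in front of the drop rule. The interface name tun0 (overridable via IFACE), the availability of the conntrack match, and the three sample rule listings are assumptions or constructed values; by default the script only prints the commands (DRY_RUN=1) and applies them only when run as root with DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not code from the forum post or from LibreELEC.
# Builds inbound-drop rules for a VPN tunnel interface and verifies them
# against the text of `iptables -S INPUT`. Assumptions: the tunnel is tun0
# (override with IFACE=...), iptables has the conntrack match, and the rule
# listings at the bottom are constructed samples, not captured from a real box.

IFACE="${IFACE:-tun0}"

# Print the commands that let only replies to our own connections in on the
# tunnel interface. The forum post's `iptables -F` wipes every chain; here
# only the two tunnel rules are removed and re-inserted, so LAN rules survive.
vpn_inbound_rules() {
    iface="$1"
    cat <<EOF
iptables -D INPUT -i $iface -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT 2>/dev/null || true
iptables -D INPUT -i $iface -j DROP 2>/dev/null || true
iptables -I INPUT 1 -i $iface -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -I INPUT 2 -i $iface -j DROP
EOF
}

# Check a rule listing (the text of `iptables -S INPUT`) for interface $1:
# returns 0 only when an ESTABLISHED/RELATED accept for the interface comes
# before an unconditional DROP for it and no blanket accept for the
# interface precedes that DROP; returns 1 otherwise.
vpn_rules_present() {
    iface="$1"
    listing="$2"
    accept_at=$(printf '%s\n' "$listing" | grep -n -- "-i $iface .*ESTABLISHED.*-j ACCEPT" | head -n 1 | cut -d: -f1)
    drop_at=$(printf '%s\n' "$listing" | grep -n -- "-i $iface -j DROP" | head -n 1 | cut -d: -f1)
    blanket_at=$(printf '%s\n' "$listing" | grep -n -- "-i $iface -j ACCEPT" | head -n 1 | cut -d: -f1)
    if [ -z "$accept_at" ] || [ -z "$drop_at" ]; then
        return 1
    fi
    if [ "$accept_at" -gt "$drop_at" ]; then
        return 1
    fi
    if [ -n "$blanket_at" ] && [ "$blanket_at" -lt "$drop_at" ]; then
        return 1
    fi
    return 0
}

# Apply the rules when run as root with DRY_RUN=0; otherwise only show them.
apply_vpn_rules() {
    if [ "${DRY_RUN:-1}" = 1 ] || [ "$(id -u)" -ne 0 ]; then
        vpn_inbound_rules "$IFACE"
        return 0
    fi
    vpn_inbound_rules "$IFACE" | sh
    vpn_rules_present "$IFACE" "$(iptables -S INPUT)"
}

# Constructed sample listings (what `iptables -S INPUT` might print).
SAMPLE_PROTECTED='-P INPUT ACCEPT
-A INPUT -i tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i tun0 -j DROP'
SAMPLE_OPEN='-P INPUT ACCEPT'
SAMPLE_LEAKY='-P INPUT ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A INPUT -i tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i tun0 -j DROP'

apply_vpn_rules
```

    Run from an autostart.sh with `DRY_RUN=0` to apply the rules at boot; afterwards `vpn_rules_present tun0 "$(iptables -S INPUT)"` returns 0 only if the tunnel really is closed to unsolicited inbound traffic, which is the same check the post does by hand with ping and ssh against the external VPN IP.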

    After seeing this thread, I was curious whether my OLED 20x4 would run on LibreELEC (Krypton) v7.90.008 ALPHA for Odroid C2.


    Well.. it doesn't... it starts already with the missing i2c-2 address :D :

    Code
    HD44780: I2C: open i2c device '/dev/i2c-2' failed: No such file or directory


    On wrxtasys 7.0.x / 7.1 builds it works for i2c-2 and i2c-1. Unfortunately it is wired for i2c-2 right now, so I cannot check i2c-1 easily.


    Besides the question why i2c-2 is not present, I still have two more questions:

    • I have to use a custom compiled HD44780 because my controller (SSD1311 is not fully compatible to HD44780). On my Raspberry Pi's and on my Odroid C2 with 7.0.x builds I simply had to put the modified driver and config files (hd44780.so, LCDd.conf) into .config directory and LCD.xml into userdata directory. The display worked then right away after enabling HD44780 displaydriver in LibreELEC Configuration / Services. LCDd.conf contained the path to my custom hd44780.so: "/storage/.config/"
      Where do I have to put those files now. LCD.conf in .config seems to be ignored?
    • There are no settings left in lcdproc (no dimming, no scroll speed, no alternative character choice). Is it coming back, or did you dig those configuration options somewhere else?


    Sweet! The wireshark info is nice to see. Didn't know that wireshark also lists this info, thanks for this hint!


    Well yeah, then it's indeed solved. I'd say allocation = 0 is a good setting as future default.


    Already marked it as solved ;)


    Regarding the passwords issue with special characters like ! and * that I mentioned in my Post #15: If somebody has a clue, feel free to share it :)


    cheers

    thanks vpeter :)


    Then it's more of a bug in Windows 7 and a rather bad linux default setting of 1MB.


    I'd say the actual Issue is solved then ;)



    EDIT
    @vpeter
    I guess your VM has a filesystem Blocksize of 1024 bytes, right?
    Just asking, because my Windows 10 Laptop has 4096 bytes (If I believe the "size on disk" propertiestab of a <1KB file).

    Here we are...


    Tried allocation roundup size = 4096
    Windows explorer showed me then 4KB instead of 1MB (for files below 4KB size)


    Then tried allocation roundup size = 0
    Windows explorer showed me then 1KB instead of 1MB (for files below 1KB size)


    So I guess for a default smb.conf in the future allocation roundup size = 0 would be the best.



    After reading your links and googling, my conclusion is that the actual "issue" is Linux default allocation roundup size = 1048576, whereas Windows 7 simply ignores it (I would call this a bug) and Windows >8.1 respects it (unfortunately).

    Perhaps you have the time to test allocation roundup size = 0 and allocation roundup size = 4096 with your Windows 7 machine? Who knows... may be the value =0 always results in 1KB (as a bug) or may be your system will simply ignore either setting. Just asking because I would like to know whether allocation roundup size = 0 corresponds to the filesystem (which is on my Odroid 1024 Byte as you stated) and on your Raspberry 4096 bytes then. If allocation roundup size = 0 shows 4096 on your raspberry (instead of 1024 like on my C2), then this setting is confirmed to be the best default solution :)


    And while we're talking about samba... noticed that setting samba-passwords containing special characters like ! or * in LibreELEC are somehow not working if trying to connect with windows explorer. Don't know whether this might be a windows bug, or a LibreELEC bug.


    Thanks milhouse, simpsons have always been one of the best out there :)

    @milhouse
    Thanks a lot for pointing to these facts! I feel reassured again somehow ;). Weird... then this might really be some new weird bug in Windows 10. I know that it is showing these big blocksizes since at least May, when I discovered it because I wanted to know how large a backup of my library could get. And I almost couldn't believe this discrepancy.


    Is the SMB.conf of v7.90.008 ALPHA for C2 the same as on your RPi and NUC then?



    EDIT


    have a look at this: Linux Performance - SambaWiki
    The third paragraph (from this URLs position) says that 1MB is default.

    Quote


    ...if the allocation size is set to 1MB (the default in Samba) then...


    I don't really understand that. Do the other systems use a different samba version then, so that your systems show the correct size?

    @trogggy
    thanks a lot for the mini guide :)


    Good question and point!
    Here's the output: NcXX
    It shows 1024, so this means it is bytes then?


    I was seeing it via SMB. Whenever I tried to make a manual backup of some folders I noticed that the size of, let's say, the thumbnails folder on my main installation is like this:

    Quote


    \\libreelec\Userdata\Thumbnails
    Contents: 3.212 Dateien, 18 Ordner
    Actual size: 212 MB (222.312.844 Bytes)
    Size on disk: 3,13 GB (3.369.074.688 Bytes)


    That's like 14 times the filesize on the disk.


    Here's a screenshot of the new v7.90.008 ALPHA installation you suggested, on my C2:

    It implies that Blocksize is 1MB for every file. If I display those properties for one file, it will show 1MB respectively a multiple of 1MB.


    So does that mean that samba makes also some kind of abstraction for displaying and calculating filesizes (I know that it abstracts the actual filesystem)? That'd mean that I got fooled by samba :D :rolleyes: Is there any explanation for this?


    It's not a recommendation, rather an observation, but I've been using mini-toolPW for years to format for openelec and libreelec with no issues.


    Thanks! I've tried it, but I don't get it working. LibreELEC can't boot as soon as I reformat the second partition.


    I tried these two scenarios:


    1. Flashed the current v7.90.008 ALPHA and booted it the first time. LibreELEC expanded the second partition as expected. Then I reformatted this partition with MiniTool Partition Wizard Free to ext4 with 4kb blocksize. Put the card into my odroid c2 again and it refused to boot (I expected it, because .config etc. was also on this second "storage" partition before reformatting)


    2. I flashed the sd card from scratch with v7.90.008 ALPHA and then I reformatted the (now) unallocated space for the second partition (which is to be expanded during first boot) with ext4 4kb blocksize. It refuses to boot again.


    What is the correct way to get a new installation of LibreELEC onto a manually formatted disk? Or how do you reformat only the second partition as suggested by escalade in the first reply?


    Probably no thought behind it at all, as they just go with the default:


    LibreELEC.tv/installer at master · LibreELEC/LibreELEC.tv · GitHub


    You can simply backup your /storage, overwrite the filesystem with the block size you want and then restore.


    Thank you for your reply :)


    Do you happen to know whether this will be changed somewhen as default?


    If I understand it correctly, you suggest I put the card into my Laptop (Windows machine), use e.g. MiniTool Partition Wizard or similar to reformat the second partition with some other blocksize, yes?


    Any recommendation which blocksize / filesystem would be best?


    Thank you very much escalade!

    Hi,
    I've noticed, that the blocksize on the storage partition is 1MB.


    I'm aware that this is not a bug, but on the other hand it would also not be a feature request, as this big blocksize is a drawback, which I'd strongly suggest to get changed. Kodi mediascraping stores a lot of tiny <1KB files to the storage partition, which is good so far, but every single file consumes 1MB of storage. So even a 16GB SD card, which is only there for the Library files (Coverart, MetaData, etc.), can get full if the movie library is a bit bigger. And if you start having a music library as well, then every single one of those small 4MB mp3's consumes the same amount as the actually 1KB small coverarts getting inflated to many MegaBytes.


    I can understand that some SD-Cards (Raspberry, Odroid C2) don't like writing a lot of small files from performance point of view. But 1MB per file for a 1byte file (it's blown up by the crazy factor of 1.000.000) is not necessary at all I think. I can't believe that the performance can benefit from this blocksize.


    Also making a backup of the library or restoring the backup takes disproportionately long because of the pure filesizes which get generated here without a reason I could get behind :/


    Could you please change the blocksize to something like 128KB or even less? Or if not, could you explain then why it is as it is? Perhaps there is a way to change this default behavior?


    Thanks a lot in advance for some statements about this :)

    Just tried this addon on my RPi2. Absolutely great :) Thank you very much!


    Do you happen to know whether it will be possible somehow to integrate this addon as some kind of music player? I mean.. that it displays the cover and the controls (which I can see in Webinterface IP:4000) in LibreELEC GUI? So that perhaps even music visualization would be possible, just like as if it is with the kodi music player?


    Also I tested it with Yatse remote, and here it's the same: Media controls are not visible, so Yatse and Kodi don't seem to notice that music is actually running.


    This is not some kind of demand ;). Just want to know if it is/will be possible in the future :).


    Also... On my Odroid C2 it is not working, although the Odroid C2 has similar hardware as the Wetek Core/Play. I tried it with this preview release: LibreELEC


    Anyways, thank you very much for bringing spotify finally to kodi :)

    I didn't know that filenames are different between separate and single file export.


    Your Airwolf example confirms it. The filename "Airwolf:_The_Movie_1984-fanart.jpg" is generated out of the scrapers database (in this case apparently you aren't using thetvdb.com) movie name. It is understandable that it takes this name, but it should not do it for exporting the library backup.


    Well, I've written about this some weeks ago in the kodi.tv forum. But nobody paid attention and there's also no bug/issues section at forum.kodi.tv and none at their github either. How can I submit this issue to them?

    Thank you both for your quick replies :)


    But hmm... I'm not sure about this... I think we misunderstand each other.


    The actual video files (e.g. mkv) are in directories which do not have colons in their names.


    After the scraping, the scraper adds all my movies and tvshows to the database/library. As I cannot find those directories in any folder of kodi after the scraping process, I guess that they are written directly into this file:
    /storage/.kodi/userdata/Database/MyVideos99.db


    So the issue might occur whenever I export my library to file (for backup reasons). Then those names (containing colons) are written out of this MyVideos99.db to file, thus also strictly overtaking the colons into file names. So if my assumptions are correct, there is nothing I could "rename" to follow your suggestion.
    If it is like I described, then LibreELEC should simply exchange all colons with dashes or "%3A" before writing to disk. And then it should obviously also support those dashes / %3A when importing the library again on another machine, thus exchanging them into colons before writing/importing in the new MyVideos99.db.
    Or simply always use dashes/%3A after scraping and simply exchange the output/displaying in GUI to colons (would be the safest and cleanest solution).


    So it is not about the actual directories containing the video files, which I always transfer myself from windows to the external drive connected to my odroid/raspberry (obviously not containing any colons in names).

    How do you get these links on the SD card then back to Raspberry Pi? Or do you do it from the Pi? Please help, I'm about to fly this thing against the wall. It's been so hard trying to get a VPN on Libreelec.


    There you go, if still necessary
    OpenELEC Mediacenter - OpenELEC Forum - VPN Manager for OpenVPN (46/63)


    But be aware of this possible security issue if using vpn services on LibreELEC and if you aren't familiar with VPN and Iptables: OpenELEC Mediacenter - OpenELEC Forum - Massive security issue:certain VPN providers on OE (1/1)