This will copy the backups into ./uisp-backups directory.
On an Ubuntu system, docker needs sudo permissions. If you copy the backups with the above command, the backup files will be assigned to the root user and you will not be able to use your normal user to manipulate the files.
Note that there are a couple of limitations of using the Cloud Hosted Router (CHR). The main issue is that the default license doesn’t allow for more than 1Mbps on each interface.
The testing methodology was practically the same as our LineageOS test.
Testing methodology.
A Computer was used as a Hotspot running both Network Miner 2.8 and Wireshark to log all network request
Pixel 5 was installed with the latest version of GrapheneOS (August 2023)
Setup was completed without connecting to WiFi or a cellular network
There was no SIM card in while installing, setting up, or testing
After setup was complete, WiFi was connected to the computer running the Hotspot
After a base line was logged, we turned on GPS
Screenshot of Wireshark with DNS filter.
connectivitycheck.grapheneos.network
time.grapheneos.org
apps.grapheneos.org
releases.grapheneos.org
Total bandwidth sent and received for each IP
Some of the IP’s are used for different services. For instance the apps and releases sub domains use the same IP address.
connectivitycheck.grapheneos.network and time.grapheneos.org – 25.794 KiB
apps.grapheneos.org and releases.grapheneos.org – 39.468 KiB
Total – 65.262 KiB
Turning on GPS
After turning on the GPS toggle, there was a DNS query for
qualcomm.psds.grapheneos.org
This will download the files needed to speed up the GPS speed and accuracy. You can turn this off in the Settings -> Location -> Predicted Satellite Data Service (PSDS)
You can also enable/disable the Secure User Plan Location (SUPL)
This was a fairly simple test to see what network connections a fresh LineageOS install on a Google Pixel 5 makes. During the initial setup, GPS was disabled. After we set it up and got a base line, we turned GPS on to see what DNS requests it made.
Testing methodology.
A Computer was used as a Hotspot running both Network Miner 2.8 and Wireshark to log all network request
Pixel 5 was installed with the latest version of LineageOS 20 (August 2023)
Setup was completed without connecting to WiFi or a cellular network
There was no SIM card in while installing, setting up, or testing
After setup was complete, WiFi was connected to the computer running the Hotspot
After a base line was logged, we turned on GPS
GApps were not installed.
Fresh Install Network Requests
After setup was complete, we connected the Pixel 5 to the PC running NetworkMiner and Wireshark. It immediately made a handful of requests to the following 5 domain names
www.google.com
connectivitycheck.gstatic.com
time.android.com
g.co
firebaseinstallations.googleapis.com
connectivitycheck.gstatic.com is used to detect if the current network has internet and also to detect if there is a captive portal that you need to log into.
time.android.com would be to check the time and make sure it is correct.
Not sure what the extra 3 are used for. It is possible that firebaseinstallations.googleapis.com is used for the Android System Intelligence, or some other app that comes by default on LineageOS.
The following NetworkMiner screenshot shows all the IP addresses that were returned for the DNS queries. Note that a DNS query can return multiple IP addresses for a domain name, and then the device only use one of those IP addresses to transmit traffic.
A couple of normal network broadcast, multicast, and gateway addresses are blurred out as they are normal for devices on a local network.
Here is a Wireshark screenshot for all the DNS requests.
Total bandwidth sent and received for each IP
Using Wireshark, we were able to get a total amount of data sent and received for each of the domains.
www.google.com – 12.976 KiB
connectivitycheck.gstatic.com – 1.497 KiB
time.android.com 270 bytes
g.co – 21.883 KiB,
firebaseinstallations.googleapis.com – 16.225 KiB
Total for Pixel 5 – 52.851 KiB
Turning on GPS
Turning on GPS immediately led to a connection to xtrapath5.xboxprod.izatcloud.net.
The four lines are just different IP’s for the same domain.
From the Location settings, we can toggle on or off the “Use assisted GPS”.
The settings say the following about Assisted GPS “Download satellite assistance data from the internet which can greatly improve the GPS startup performance. For emergency calls, assisted GPS is always allowed”
Essentially, it will download some files that help your phone find satellites faster which will get you a faster GPS lock. Without it, it can take awhile to find your position.
During the initial setup (First screenshot below), you can toggle on/off Assisted GPS. By default, Android System Intelligence and the Browser are allowed to use Location.
Hopefully that is a helpful overview of the default LineageOS network connections and what some of them are used for.
Ubiquiti’s or UI’s GPONs do not have a SSH client by default. Or do they?
If you type “ssh” and hit return, you’ll receive a “not found” error.
Typically on devices like home routers, GPONs, UniFi AP’s etc, ssh is handled by Dropbear. Dropbear provides a Secure Shell compatible server and client and is typically used in embedded systems.
To SSH from a GPON to another device, use dbclient
We’ll create a tunnel between two Mikrotik RouterOS routers. Once we have the tunnel connected, we can then route traffic between them.
Note: You can add Preshared keys, but we don’t cover that in this post, just to keep things simple. Check out the following post if you want to add Preshared keys.
Here is how we will want our routers set up. The WireGuard PtP IP is the IP addresses used on both ends of the tunnel. The WAN IP is the IP of each Router. Local IP on Host B is setup to distribute DHCP.
Host A
WAN IP: 172.16.0.1 WireGuard PtP IP: 10.1.1.1/30
Host B
WAN IP: 10.0.0.2 WireGuard PtP IP: 10.1.1.2/30 Local IP: 192.168.0.1/24
We need Host A to be able to access Private IP’s (192.168.0.0/24) behind Host B.
We’ll pretend that the 172.16.0.1 address is a public IP, and Host B, is behind some sort of NAT network.
To create the Point-to-point, or PtP, we will create a WireGuard VPN tunnel, and then add routes from Host A to Host B.
For each Mikrotik we need to create a WireGuard interface, and then a peer. One of the peers needs a keep alive if we are behind a NAT.
Wireguard Setup Overview
Here is an overview screenshot of what our WireGuard settings will look like. Host A is on top, and Host B on the bottom. On the left are the WireGuard interfaces, and the right contains the Peers.
We copy the Public Key from the remote WireGuard interface, to the Public Key on the local Peer. I.e. The Host_B Peer contains Host_A’s Interface Public Key and vice verse
Host A
If you want to, you can use the WinBox GUI to setup and configure the router.
In the Allowed Addresses, put 10.1.1.0/30 and 192.168.0.0/24*.
Finally, put in the Public Key from Host B. Note that we can’t do this until we create the WireGuard Interface on Host B, so you’ll need to come back for this step.
*The Allowed Address sets which addresses work on the other side of the tunnel. If we don’t specify 192.168.0.0/24, then we won’t be able to route to those addresses. If we don’t add 10.1.1.0/30, then our tunnel won’t work at all. Since we only need to route to the 192.168.0.0/24 network from the Host A side, we don’t need this IP range on Host B.
That should be it. Verify that there is a connection. From Host A, ping 192.168.0.1 or any other remote device.
Troubleshooting
Unfortunately, there appear to be some wonky bugs with WireGuard on RouterOS. It does appear to be getting better, but here are a couple things to check if the tunnel is not connecting.
Verify that the Firewall is not blocking WireGuard. You can allow the WireGuard port in the Firewall.
Try disabling and re-enabling the Interfaces and/or Peers
Verify that all the routes for the PtP are in /ip/routes. If not, try manually adding the route (10.1.1.0/30) on the WireGuard interface on both routers.
Add a keep alive if a router is behind a firewall/NAT.
Reboot and or Upgrade the RouterOS version and firmware.
