Video To Watch


Subpage about Rust

Postfix with Let’s encrypt certificates

Use this documentation for installation and afterwards configure your reverse DNS to point back to your domain. Together with the TLS communication between postfix and the Gmail server this was sufficient for emails not landing in the SPAM folder of the recipients.

Cross compiling with Rust/rustc/cargo

When you encountered the following error while trying to cross compile:

error[E0463]: can't find crate for `std`
  = note: the `armv7-unknown-linux-gnueabihf` target may not be installed

Then install missing files with

rustup target add armv7-unknown-linux-gnueabihf
rustup target add armv7-unknown-linux-gnueabi
# To also install arm-* files:
rustup target add arm-unknown-linux-gnueabihf
rustup target add arm-unknown-linux-gnueabi

Then you can cross compile with

CC=arm-linux-gnueabihf-gcc  rustc src/ --target arm-unknown-linux-gnueabihf -C linker=arm-linux-gnueabihf-gcc

Please note that using cargo failed for me by using:

CC=arm-linux-gnueabihf-gcc  cargo build  --target arm-unknown-linux-gnueabihf

ODOH clients in Go and Rust from Cloudflare

vim format text length to 80

vim IDE support



SSL Configuration Generator

SSL Configuration Generator

Capture Network Traffic on Remote Host

Imagine you want to capture traffic from your Raspberry Pi and want to see it in Wireshark in realtime.

user@pc $ mkfifo capture
user@pc $ ssh rpi sudo tcpdump -U -n -w - -i eth0 tcp port 53 > capture
# Or more specific DNS traffic: 
user@pc $ ssh rpi sudo tcpdump -U -n -w - -i eth0 tcp port 53 > capture

Then open Wireshark and under Manage interfaces open tab Pipes and create a new pipe which points on the file you created with mkfifo above. Then start to capture and you see the traffic.

Next step I try is to use dumpcap instead of tcpdump.

Using dumpcap instead of tcpdump

mkfifo /tmp/capture
# Set /tmp/capture as capture device under "Manage interfaces" in Wireshark
ssh rpi sudo dumpcap -n -w - -i eth0  -f \'not tcp port 22\'  > /tmp/capture

The above captures all traffic but not the SSH traffic in particular not the traffic you are producing with this ssh command. Probably, you could further restrict this capture filter by using not host and not tcp port 22 if your host has this IP.

Hardware Memory Models


Create a Microk8s Node

The following is based on this blog post.

sudo snap install microk8s --classic
alias kubectl='microk8s.kubectl'
kubectl get nodes
kubectl get po,svc --namespace kube-system

# Enable/disable dashboard
microk8s.enable dns dashboard
microk8s.diable dns dashboard

# Turn off k8s for a while
snap disable microk8s
# Turn it on again
snap enable microk8s

# Remove it completly
sudo snap remove microk8s

c’t References

c’t References


apt install wireguard wireguard-tools

Add interface in /etc/network/interfaces:

auto eth0
iface eth0 inet dhcp
iface eth0 inet6 auto

auto wg0
iface wg0 inet static
  pre-up ip link add wg0 type wireguard
  pre-up wg setconf wg0 /etc/wireguard/wg0.conf
  up ip link set wg0 up
  down ip link delete wg0 
iface wg0 inet6 static
  address fd00:42::1
  netmask 64

Enable router functionality by adding `/etc/sysctl.d/wireguard.conf:


Then enable this settings by

sysctl -p /etc/sysctl.d/wireguard.conf

Restart system now to see if everything work until here.

Enable NAT:

iptables -A FORWARD -i wg0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

ip6tables -A FORWARD -i wg0 -j ACCEPT
ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

To make these rules persistent:

apt install iptables-persistent

Wireguard Server

On the host which forwards packages between peers we use the configuration file /etc/wireguard/wg0.conf.

Create private key:

umask 077
wg genkey > /etc/wireguard/server.key
# /etc/wireguard/wg0.conf

Alternative Configuration

Generate keys:

wg genkey | tee privatekey | wg pubkey > publickey

config file:

PrivateKey = <contents-of-server-privatekey>
Address =
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 51820

PublicKey = <contents-of-client-publickey>
AllowedIPs =


wg-quick up wg0


wg show

Enable SystemD service:

systemctl enable wg-quick@wg0

Alternative 2

Check configuration:

ifup wg0

You should see Waiting for DAD... Done.

Public Key

cat /etc/wireguard/server.key | wg pubkey

Client Site

Create private/public keypair for client:

wg genkey | tee /etc/wireguard/client1.key | wg pubkey
cat /etc/wireguard/client1.key

Set peer as allowed client in /etc/wireguard/wg0.conf:


Enable changed configuration

wg setconf wg0 /etc/wireguard/wg0.conf

Each client gets its own configuration file under /etc/wireguard/clients/ e.g. client1.conf:



Alterantive configuration

Address =
PrivateKey = <contents-of-client-privatekey>

PublicKey = <contents-of-server-publickey>
Endpoint = <server-public-ip>:51820
AllowedIPs =, ::/0

Note that setting AllowedIPs to, ::/0 will forward all traffic over the WireGuard VPN connection. If you want to only use WireGuard for specific destinations, set their IP address ranges in the list separated by a comma.


sudo wg-quick up wg0
# or
sudo systemctl start wg-quick@wg0


sudo wg-quick down wg0
# or
sudo systemctl stop wg-quick@wg0

Get Configuration to the Clients

For mobile clients

apt install qrencode
cat /etc/wireguard/clients/client1.conf | qrencode -t ansiutf8

For further clients add [Peer] sections.

Formating/Reading output (JSON,XML)

curl ... | jq .
# XML: 
curl ... | xmllint --format -
# Read node value with Xpath
curl ... | xmllint --xpath "/mainnode/subnode/text()" -


Service Types

Dependency to other service

# service that depends on important.service say A.service

Requires only defines a dependency but not an ordering. If you use only Requires in A.service, both services will be start together. Only if you use Requires and After then service A will be startet after the important service and will be only startet if the important service is available.

Webengine Notes

Web Engines


Linux Performance Analysis

Rust / Go

12 factor apps

See here for details.

Yocto notes

Yocto notes

ssh with certain Keyfile

Do you know the message about too many login tries when trying to ssh to an remote host? Use this to pin the one and only correct key or also multiple keys:

ssh -o IdentitiesOnly=yes \
    -o IdentityFile=id1.key \
    -o IdentityFile=id2.key \
    -i id3.key \
    -i id4.key \

Linux Command Line Tools for Network Traffic

git SSL certificate verification error

Situation: You are working to build an Yocto image and one recipe fails with

git -c core.fsyncobjectfiles=0 ls-remote  failed with exit code 128, output:
fatal: unable to access '': server certificate verification failed. CAfile: none CRLfile: none

Quick hack is to disable the verification temporary. Don’t forget to enable it again!

git config --global http.sslverify false


Mount partition inside an image

Assume you have an big image sda.img that contains multiple partitions and you want to mount only one of these partitions.

losetup /dev/loop101 sda.img
sfdisk -d /dev/loop101
/dev/loop101p10 : start=      229376, size=      786432, ...
losetup --detach /dev/loop101

The you take the value 229376 and calculate the offset by multiplying 512 (sector size).

>>> 512*229376

This value you take into account in the next losetup command:

losetup -o 117440512 /dev/loop101 sda.img
mkdir /tmp/partition
mount /dev/loop101 /tmp/partition

That’s it!

libvirt kvm qemu

Enable serial console on Ubuntu virtual machine

Frequent Problems

Debian Mirror Server for sources.lst

No USB devices under Linux Virtualbox


Cross Compiling


Reverse Engineering Tools

Example - Raspberry Pi as network capture device

Enable forwarding and NAT

$IPTABLES -F -t nat
echo 1 > /proc/sys/net/ipv4/ip_forward

Install DHCP server

Use apt-get install isc-dhcp-server and configure /etc/dhcp/dhcpd.conf and /etc/default/isc-dhcp-server.conf.

You have to provide the dns server and the default gateway inside the subnet definition:

subnet {
    option routers;
    option domain-name-servers,;

Further details can be found here

Search for DHCP server with NMAP

nmap -sU -p 67 --script=dhcp-discover <target>


Load archive

# Edit /etc/unbound/unbound.conf: enable include: ...*.conf
cp 01_CacheForwarder.con /etc/unbound/unbound.conf.d/
service unbound restart
dig @localhost
cp 02_Validate.conf /etc/unbound/unbound.conf.d/
curl -o /etc/unbound/root.hints
# Enable root-hints: "/etc/unbound/root.hints"
unbound-anchor -v
dig @localhost
# If it works answer is ;;flags: qr rd ra ad;
# Update root.hints:
cp /etc/cron.weekly
chmod 0755

BASH scripting


declare -a list=("a 2" "b 3" "c 5")

for e in ""; do

  echo $list[0]
  echo $list[1]


How to set text mode as default mode

systemctl set-default


CAN Interface Modules

See python-can project here.

CAN bus virtualization

Useful from above site are e.g. how to use virtualization for socket can:

$ sudo modprobe vcan
$ sudo ip link add dev virtcan0 type vcan
$ sudo ip link set up virtcan0 

Remote Debugging

start target binary on remote

arm-linux-gnu-gdbserver localhost:4711 ./targetbinary --help

on your host start gdb for target and connect to target system

arm-linux-gnu-gdb build/src/targetbinary
gdb>target remote
gdb>b main

Qemu Serial Device

original setting:

-serial mon:stdio -serial /dev/ttyS1 

this works fine:

-serial telnet:localhost:4321,server,nowait

does not work:

-chardev tty,path=/dev/ttyS2,id=hostserial -device pci-serial,chardev=hostserial

git hooks

# Edit file .git/hooks/pre-commit and set it to executable:
cargo fmt
# '-D warnings' turns warning to errors and leads to the hook to fail
exec cargo clippy -- -D warnings