
Opened 5 years ago

Closed 5 years ago

Last modified 2 years ago

#10019 closed defect (fixed)

he.net was changed updating tunnel ip API

Reported by: alexey.bondarchuk@…
Owned by: jow
Priority: normal
Milestone: Barrier Breaker 14.07
Component: packages
Version: Trunk
Keywords: 6in4
Cc:

Description

The old update URL returns the following message:

-ERROR: Invalid API key or password

The page https://ipv4.tunnelbroker.net/ipv4_end.php explains the new API:

Usage: https://ipv4.tunnelbroker.net/ipv4_end.php?ip=IPV4ADDR&pass=MD5PASS&apikey=USERID&tid=TUNNELID
 -or-: https://USERNAME:PASSWORD@ipv4.tunnelbroker.net/ipv4_end.php?tid=TUNNELID (auto-detect IP)
       https://USERNAME:PASSWORD@ipv4.tunnelbroker.net/ipv4_end.php?tid=TUNNELID&ip=IPV4ADDR

IPV4ADDR: Your IPv4 endpoint.  Set to AUTO to determine your IP based on the IP you requested this page from.  Previously passed as ipv4b.
MD5PASS : The MD5 hash of your password.  You may be able to 'echo -n YOURPASSWORD | md5sum' to produce the MD5 hash of your password.
USERID  : The UserID shown on the main page of tunnelbroker.net when you log in.  Previously referred to as user_id.
TUNNELID: The ID of the tunnel you're updating the endpoint on.  This can be found on the tunnel information page.  Previously referred to as the Global Tunnel ID / tunnel_id.

The following parameters are only usable when accessing this script over https.
USERNAME: Your tunnelbroker.net username.
PASSWORD: Your tunnelbroker.net password.

The legacy parameter names will continue to work for the forseable future.  Naming of them changed to be more in line with industry convention and their roles.

First.
Using https instead of http in the new API requires a downloader that supports it.

Second.
I tried the new update URLs, and only the second one (with USERNAME:PASSWORD) worked fine:

/tmp $ wget https://ipv4.tunnelbroker.net/ipv4_end.php\?ip\=AUTO\&pass\=MD5_My_Passwd\&apikey\=My_Userid\&tid\=12345 -qO res --no-check-certificate
/tmp $ cat res
-ERROR: Invalid API key or password%
/tmp $ wget https://My_Userid:My_Passwd@ipv4.tunnelbroker.net/ipv4_end.php\?tid\=12345 -qO res --no-check-certificate
/tmp $ cat res
+OK: Tunnel endpoint updated to: 111.22.33.3


Change History (12)

comment:1 Changed 5 years ago by hannu.nyman@…

Did you already try to edit the 6in4 hotplug file, where that URL is set?

Line 45 is the URL definition in the hotplug file:
https://dev.openwrt.org/browser/trunk/package/6in4/files/6in4.hotplug

In a running OpenWrt system that file can be found as '/etc/hotplug.d/iface/90-6in4'

Based on your test example, the URL string at line 45 might possibly need to be:
"https://$username:$password@ipv4.tunnelbroker.net/ipv4_end.php?tid=$tunnelid"
You might test that.

comment:2 Changed 5 years ago by alexey.bondarchuk@…

It was the first thing I wanted to do, but first I decided to test manually, and I got this result:

root@router:~# cd /tmp
root@router:/tmp# wget https://My_Login:My_Passwd@ipv4.tunnelbroker.net/ipv4_end.php?tid=12345 -qO res
wget: not an http or ftp url: https://My_Login:My_Passwd@ipv4.tunnelbroker.net/ipv4_end.php?tid=12345

I also tried http, but:

root@router:/tmp# wget http://My_Login:My_Passwd@ipv4.tunnelbroker.net/ipv4_end.php?tid=12345 -qO res
root@router:/tmp# cat res
-ERROR: Missing parameter(s).
Usage: https://ipv4.tunnelbroker.net/ipv4_end.php?ip=IPV4ADDR&pass=MD5PASS&apikey=USERID&tid=TUNNELID
 -or-: https://USERNAME:PASSWORD@ipv4.tunnelbroker.net/ipv4_end.php?tid=TUNNELID (auto-detect IP)
       https://USERNAME:PASSWORD@ipv4.tunnelbroker.net/ipv4_end.php?tid=TUNNELID&ip=IPV4ADDR

IPV4ADDR: Your IPv4 endpoint.  Set to AUTO to determine your IP based on the IP you requested this page from.  Previously passed as ipv4b.
MD5PASS : The MD5 hash of your password.  You may be able to 'echo -n YOURPASSWORD | md5sum' to produce the MD5 hash of your password.
USERID  : The UserID shown on the main page of tunnelbroker.net when you log in.  Previously referred to as user_id.
TUNNELID: The ID of the tunnel you're updating the endpoint on.  This can be found on the tunnel information page.  Previously referred to as the Global Tunnel ID / tunnel_id.

The following parameters are only usable when accessing this script over https.
USERNAME: Your tunnelbroker.net username.
PASSWORD: Your tunnelbroker.net password.

The legacy parameter names will continue to work for the forseable future.  Naming of them changed to be more in line with industry convention and their roles.

root@router:/tmp# 

So, we need a downloader with SSL support.

comment:3 follow-up: Changed 5 years ago by hnyman

There is also an HTTPS enabled GNU wget available.
See https://dev.openwrt.org/browser/packages/net/wget/Makefile

However, the default is to use the built-in Busybox wget, which probably does not enable HTTPS by default.

Grep from my build .config file:

CONFIG_BUSYBOX_CONFIG_WGET=y
CONFIG_BUSYBOX_CONFIG_FEATURE_WGET_STATUSBAR=y
CONFIG_BUSYBOX_CONFIG_FEATURE_WGET_AUTHENTICATION=y
CONFIG_BUSYBOX_CONFIG_FEATURE_WGET_LONG_OPTIONS=y
# CONFIG_BUSYBOX_CONFIG_FEATURE_WGET_TIMEOUT is not set
# CONFIG_PACKAGE_wget is not set
# CONFIG_PACKAGE_wget-nossl is not set

I installed the GNU wget 1.12 package, and wget https works now nicely:

root@OpenWrt:~# opkg install wget
Package wget (1.12-3) installed in root is up to date.
root@OpenWrt:~# wget https://dev.openwrt.org/ticket/10019 --no-check-certificate
--2011-08-29 17:31:19--  https://dev.openwrt.org/ticket/10019
Resolving dev.openwrt.org... 78.24.191.177
Connecting to dev.openwrt.org|78.24.191.177|:443... connected.
WARNING: cannot verify dev.openwrt.org's certificate, issued by `/C=US/ST=A...:
Self-signed certificate encountered.
WARNING: certificate common name `www.openwrt.org' doesn't match requested host name `dev.openwrt.org'.
HTTP request sent, awaiting response... 200 OK
Length: 17175 (17K) [text/html]
...
2011-08-29 17:31:20 (423 KB/s) - `10019.1' saved [17175/17175]

root@OpenWrt:~#

So, using the 6in4 package with Hurricane Electric tunnelbroker.net tunnel seems to require installing the GNU wget package and then modifying the URL string.

You might install the GNU wget, and then test the correct URL again.

comment:4 in reply to: ↑ 3 Changed 5 years ago by Alexey Bondarchuk <alexey.bondarchuk@…>

The client IP update started working after installing GNU wget, saving the userid and password as plain text, and modifying 6in4.hotplug:

--- 6in4.hotplug	2011-08-29 21:17:31.000000000 +0300
+++ 6in4.hotplug.new	2011-08-29 21:17:27.000000000 +0300
@@ -37,17 +37,14 @@
 			uci_set_state network "$cfg" ipaddr "$wanip"
 
 			[ -n "$tunnelid" ] && [ -n "$username" ] && [ -n "$password" ] && {
-				[ "${#password}" == 32 -a -z "${password//[a-f0-9]/}" ] || {
-					password="$(echo -n "$password" | md5sum)"; password="${password%% *}"
-				}
 
 				(
-					local url="http://ipv4.tunnelbroker.net/ipv4_end.php?ipv4b=AUTO&user_id=$username&pass=$password&tunnel_id=$tunnelid"
+					local url="https://$username:$password@ipv4.tunnelbroker.net/ipv4_end.php?tid=$tunnelid"
 					local try=0
 					local max=3
 
 					while [ $((++try)) -le $max ]; do
-						wget -qO/dev/null "$url" 2>/dev/null && {
+						wget --no-check-certificate -qO/dev/null "$url" 2>/dev/null && {
 							logger -t 6in4-update "Updated tunnel #$tunnelid endpoint to $wanip"
 							ifup "$cfg"
 							break
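
Review bot: `--no-check-certificate` on the wget line turns off server certificate verification, so the plaintext `$username:$password` now embedded in `url` is sent to whichever host answers for ipv4.tunnelbroker.net. With the MD5 step removed, that value is the account password itself rather than a hash of it. Suggest keeping verification on (GNU wget accepts `--ca-certificate` or `--ca-directory` to point at a trusted CA), and percent-encoding the password before it goes into the URL, since a value containing `@`, `/` or `:` would otherwise change how the URL is parsed. Because `2>/dev/null` discards wget's errors, a logger call for the failure case would make a rejected certificate or login visible.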

comment:5 Changed 5 years ago by hnyman

I was just writing my own version, but you got there first ;-)

I registered with HE and did my own testing. I noticed the same, that the MD5 conversion needs to be removed from the 6in4 script.

Otherwise I agree with your patch, but one additional parameter should be added to the wget command line:

"--auth-no-challenge"

wget --no-check-certificate --auth-no-challenge


That will force the GNU wget to pass the username & password on the first try, otherwise there will be first a "401 unauthorized" error on the first try and then an automatic retry by wget.

This hint was got from: http://www.tunnelbroker.net/forums/index.php?topic=1926.msg11608#msg11608

comment:6 follow-up: Changed 5 years ago by hnyman

Alternative patch:

"http://ipv4.tunnelbroker.net/ipv4_end.php?ip=AUTO&apikey=$username&pass=$password&tid=$tunnelid"

If the "UserID" (something like 't8ddddd2343f4e04.9ddd389' found in the HE account info on the main screen) is used instead of the plaintext username in the tunnel configuration, the first version of the commands works with this patch. And that version seems to work also with plain http, so that the need for GNU wget might be skipped. GNU wget is a rather large package, so avoiding it would be good.
(My current firmware has that GNU wget now in the flash, so I can't test without it, but I see no reason why this wouldn't work with Busybox wget.)

The parameter names have changed slightly and userID replaces username in tunnel config info, but otherwise just one line in 6in4.hotplug needs changing:

Index: 6in4.hotplug
===================================================================
--- 6in4.hotplug	(revision 28121)
+++ 6in4.hotplug	(working copy)
@@ -42,7 +42,7 @@
 				}
 
 				(
-					local url="http://ipv4.tunnelbroker.net/ipv4_end.php?ipv4b=AUTO&user_id=$username&pass=$password&tunnel_id=$tunnelid"
+					local url="http://ipv4.tunnelbroker.net/ipv4_end.php?ip=AUTO&apikey=$username&pass=$password&tid=$tunnelid"
 					local try=0
 					local max=3
 
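
Review bot: the new `url` still starts with `http://`, so `apikey=$username` and `pass=$password` travel in cleartext in the query string, and the MD5 value in `pass` is what the endpoint accepts as the credential. Suggest using the `https://` form of the same URL when an SSL-capable wget is installed and keeping plain http only as the fallback for Busybox wget. `$username` now has to hold the UserID rather than the login name, so a comment next to the `url` line saying so would help the next reader.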

Parameters were: ip=automatic, apikey=UserID, pass=MD5password, tid=TunnelID

Hopefully somebody else can also test this.

comment:7 in reply to: ↑ 6 Changed 5 years ago by Alexey Bondarchuk <alexey.bondarchuk@…>

I forgot that USERID is not the user login for tunnelbroker.net.
I tested the first URL with the correct USERID and MD5-hashed password, and the http protocol works correctly.
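
The parameter form confirmed in comments 6 and 7 and the `+OK` / `-ERROR` replies shown in the description, as an added shell example that is not part of the ticket or of the 6in4 package: it builds the update URL, hashes the password the way 6in4.hotplug does, and decides success from the reply body. The function names and the rule that rejects unencoded URL metacharacters are assumptions of this example.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of 6in4.hotplug.

# Return the MD5PASS form of a password. A value that is already 32
# lowercase hex digits is passed through, as the original script does.
he_md5pass() {
	case "$1" in
		*[!a-f0-9]*) ;;
		*) if [ "${#1}" -eq 32 ]; then printf '%s\n' "$1"; return 0; fi ;;
	esac
	printf '%s' "$1" | md5sum | cut -d' ' -f1
}

# Build the update URL with the new names (ip, apikey, pass, tid).
# usage: he_update_url USERID PASSWORD TUNNELID [SCHEME]
# Assumption: values with URL metacharacters are rejected, not encoded.
he_update_url() {
	[ -n "$1" ] && [ -n "$3" ] || return 1
	case "$1$3" in *[!A-Za-z0-9._-]*) return 1 ;; esac
	printf '%s://ipv4.tunnelbroker.net/ipv4_end.php?ip=AUTO&apikey=%s&pass=%s&tid=%s\n' \
		"${4:-https}" "$1" "$(he_md5pass "$2")" "$3"
}

# Classify a reply body: 0 for "+OK", 1 for "-ERROR", 2 for anything else.
he_reply_status() {
	case "$1" in
		"+OK"*)    return 0 ;;
		"-ERROR"*) return 1 ;;
		*)         return 2 ;;
	esac
}

# Constructed sample values (not real credentials); no network access.
url=$(he_update_url 't8ddddd2343f4e04.9ddd389' 'password' 12345 http)
echo "would fetch: $url"
reply='-ERROR: Invalid API key or password'
if he_reply_status "$reply"; then
	echo "endpoint updated"
else
	echo "update failed: $reply"
fi
```

A caller would save the reply with `wget -qO-` instead of `-qO/dev/null` and pass it to `he_reply_status` before logging success.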

comment:8 Changed 5 years ago by jow

  • Owner changed from developers to jow
  • Status changed from new to accepted

comment:9 Changed 5 years ago by hnyman

@jow:

If you patch the HE.net login process with the simple http version in my comment 7 above, please consider also adding an explanatory text about the "UserID" instead of "username" to Luci.

One suggestion below:

Index: /luci/trunk/modules/admin-full/luasrc/model/cbi/admin_network/ifaces.lua
===================================================================
--- /luci/trunk/modules/admin-full/luasrc/model/cbi/admin_network/ifaces.lua	(revision 7385)
+++ /luci/trunk/modules/admin-full/luasrc/model/cbi/admin_network/ifaces.lua	(working copy)
@@ -360,7 +360,7 @@
 end
 
 if has_pppd or has_pppoe or has_pppoa or has_3g or has_pptp or has_6in4 then
-	user = s:taboption("general", Value, "username", translate("Username"))
+	user = s:taboption("general", Value, "username", translate("Username"), translate("For HE.net 6in4 tunnels, use UserID instead of username"))
 	user.rmempty = true
 	user:depends("proto", "pptp")
 	user:depends("proto", "pppoe")
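
Review bot: the new description is attached to the shared `username` option, which the enclosing `if has_pppd or has_pppoe or has_pppoa or has_3g or has_pptp or has_6in4` shows for PPP, 3G and PPTP interfaces as well, so the HE.net hint will appear on protocols it does not apply to. Suggest giving 6in4 its own field with its own label and description, or attaching the hint only when the selected protocol is 6in4.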

I re-compiled my firmware with the simple http version, and it seems to work ok.

comment:10 Changed 5 years ago by anonymous

bump

comment:11 Changed 5 years ago by jow

  • Resolution set to fixed
  • Status changed from accepted to closed

comment:12 Changed 2 years ago by jow

  • Milestone changed from Attitude Adjustment 12.09 to Barrier Breaker 14.07

Milestone Attitude Adjustment 12.09 deleted
