The Ethereum Proof of Stake Shift

Ethereum began to shift to Proof of Stake (PoS) in 2020. Moving away from Proof of Work (PoW) mining allowed Ethereum users to earn yields on their ETH by setting up a small server for staking. However, while staking was possible, withdrawals were initially not possible, with no clear timeline for when this would be supported. Driven by my desire to learn, I decided to set up a validator knowing it would be years before I could withdraw.

Setting up an Ethereum validator is daunting, even for the tech-savvy. It involves open-source code, Linux hardening, generating a cryptographic seed phrase, and sending 32 ETH per validator to a smart contract. The process is now well-documented and understood, but I made several mistakes along the way.

Mistakes and Compromises

Catastrophes often result from multiple failures, and a lack of appropriate risk management. My first mistake was not informing my wife about my grand staking experiment using a material portion of our Ethereum. My second mistake was copying the newly created Ethereum validator seed phrase into my electronic notes during setup. I normally would never make this mistake with a private key material as I always inscribe my seed phrases on metal and store them in offline secure locations with a hardware wallet, but I am human and this validator setup process was new. These validator setup notes were backed up on a USB key, which were then backed up on a NAS that was compromised. Needless to say, there were many failures in this chain of events that will never happen again.

In December 2021, I received a suspicious email from an unknown contact. As I read their email, my worst fears were confirmed: my validator seed phrase was compromised, and the sender demanded a “reward.” I told my wife about the situation.

Navigating the Reward

Together, we decided to pay the “reward” to the greyhat, hoping they would honor the agreement to delete the validator seed phrase. While many experts advise against paying ransoms, I was grateful for the early notification, as it gave me a chance to fight back. A year later, as predicted, the greyhat returned, demanding even more “reward”. This time, I ignored their messages as I already had a plan in mind for my unique situation.

A Unique Situation

At that time in 2021, Ethereum did not allow withdrawals. This meant that neither I, the greyhat, nor any other potential attackers who had compromised my validator seed phrase could access the funds. This was an unusual situation. Typically, once a seed phrase is compromised, assets are quickly drained from the wallet by the attacker. On the blockchain, ownership is psuedo-anonymous. Despite knowing my seed phrase was compromised, no one could act on it.

I realized I could prove my validator ownership by signing a message with my deposit address, which was still securely inscribed on metal in a safe and certain that my attacker had no access to. However, the Proof of Stake consensus on the blockchain could not consider this evidence. To outpace the attacker, I needed more people to help broadcast my message before an attacker could.

The Birth of Consensus Layer Withdrawal Protection (CLWP)

I researched the Ethereum Proof of Stake network and discovered others who had their validator seed phrases compromised. I collaborated with researchers, like Jim McDonald, who were intrigued by using the deposit address to prove validator ownership. Unfortunately, the Ethereum withdrawal specifications in draft did not accommodate this method.

We found another way: social consensus. By convincing a broader community of the evidence and incentivizing their behavior, we developed the Consensus Layer Withdrawal Protection (CLWP). Documented in EIP-4736, CLWP proposed creating a list of verifiable messages to broadcast via Ethereum consensus nodes at the Shanghai Capella hard fork. The goal was to propagate CLWP messages faster than an attacker, leveraging a volunteer network “sneakernet” using submissions via a GitHub repository and low latency bots, with social arbitration moderation using Kleros curated lists. None of this social consensus changed Ethereum on-chain consensus, nor could guarantee success against an attacker. Volunteers were incentivized through altruism or self preservation of their own compromised validator by statistically shifting success in favor of legitimate validator owners.

The Outcome

With the help of many brilliant engineers and volunteers, we prepared for this sprint, documenting the evolving withdrawal specifications and convincing Ethereum client teams and users to adopt our ideas. The result? On 4/12/2023 at the Ethereum Shanghai Capella “Shapella” hardfork, the CLWP project helped 2,133 validators protect more than 68,256 ETH in principal and additional rewards, valued over $120 million USD (and worth much more now). Every single validator, including mine, was successfully protected.

In a twist, my validators were not protected by CLWP. Instead, due to a race condition timing attack bug discovered in the last days by an Ethereum Researcher, my validators were rescued by a secret sniping bot that was designed to outperform the CLWP protocol. Even the Ethereum consensus layer is a dark forest.

This journey taught me invaluable lessons, allowed me to assist others, and introduced me to some of the most brilliant minds in the cryptocurrency community. I hope my story inspires others to keep their seed phrases secure offline and view mistakes as opportunities for growth and learning.

Thank you

I cannot thank enough all the people who helped me. Special thanks to Tobes for running @EthCLWP and website, @jgm for his expert knowledge in ethdo and Ethereum withdrawals, @offchainglobal for organizing volunteers, @superphiz for getting the word out in the community, @ethStaker, ETH Magicians, Ethereum Foundation R&D for helping us connect to the best minds in the industry, @KlerosCurate for assisting us with moderating social consensus, @Allnodes and @LidoFinance for broadcasting CLWP, @poojaranjan19 at Eth Cat Herders for helping get the EIP through the process, Flashbots, all of the Consensus client teams @sigp_io @lodestar_eth @prylabs @Teku_ConsenSys for supporting CLWP, and the hundreds of people who volunteered to submit their validators withdrawal address and broadcast the messages.

To the greyhat who notified me that I was compromised: thank you. I hope one day to get a drink together. The world is more friendly than it seems when good people work together.

The post Ethereum CLWP Success: Protecting over $120 Million USD in Validator Assets appeared first on benchodroff.com.

What is it?

Unlike a USA Permanent Residence (PR) “Green Card” (GC) which is seen as a step towards citizenship through naturalization, China has no immigration process and this document instead provides a permissive form of a visa and a form of identification while inside China. However, you are and will forever still be a citizen of your existing country. As such, obtaining China PR status may provide additional benefits, visa simplification, and convenient proof of identity. Foreigners normally have a choice of “tax residency in China” depending on how long they stay each year in China. Obtaining a PR will force you to be declared a tax resident, but if you already stay in China at least 183 days/year, you already have this obligation.

Similar to other countires, a China PR card is not truly permanent as the name suggests. It expires after a maximum of ten years (can be reissued), or five years if a child, and can be rescinded if you are deported or do not spend at least 3/12 months and 1/5 years in China without prior permission. It does not provide residence registration. You will still need to register a temporary address with the local police with your passport regardless if you purchase a house or rent a home. You still sometimes need to use your passport for identification.

So why on earth would any person bother getting a “Foreign” (Sorry HK/TW/MO) “Permanent” (Nope) “Resident” (AI cameras not working?) “Identification” (No State ID?) when none of the words provide the full registration and capabilities they suggest. Maybe you just enjoy a challenge, but there are some benefits.

Why get one?

China PR provides many upside abilities such as:

• Work and change jobs without an employer sponsoring a visa. A spousal visa does not provide this ability.
• Multiple entry into China for up to 10 years. A normal work visa is limited to your employment contracts which often are capped at 3 years and are tied to your employer.
• Entry into China even if a crisis often cancels other visa types. (COVID-19…. WW3-22, Zombies-23)
• Automated checkin at many airport, train, hotel and other terminals/IT systems (not all do)
• Open accounts (Bank, Cellphone, Wechat, Alipay, others)  (not all do)
• Travel around China without a passport (police registration may still require a passport for ID number)
• Open to pay into housing and social security benefits 

For myself personally, it made sense to apply because I needed to ensure I could stay with my family if I ever lost my job, a crisis canceling visas, peace of mind of traveling in China with a Chinese issued ID to avoid a passport loss/theft/ or a requested seizure in Xinjiang (yes, that happens). It would be great if the Chinese IT systems also start allowing to do microloan payments for vending machines, bikes and cellphone battery rentals, or Taobao/JD for handling purchase from abroad, but I think those use cases are still not fully supported.

For my son, it made sense to have a China PR because it will allow him to remain in China without requiring a multiple entry visa. Even during the COVID19 pandemic, he technically was required to do visa runs to another country, even though he is a child of a Chinese citizen. This caused a lot of hassle in having to go to deal with the unfriendly Exit Entry Build officers to obtain visas, sometimes for only a 30 day extension. Having a PR ID avoids this situation.

How to apply?

Each province has its own exact rules, paperwork, and process. There are multiple categories in which you can attempt to apply. I applied in Guangzhou in 2022.

Here is the 2022 form you will have to fill out, but you should go to the Exit Entry Building and obtain the latest version as it will likely update periodically.

You must provide three identically completed applications in original form, as copies are not accepted of the application form itself. You must show the officer the original of the supporting evidence, and three photocopies for the submission – one for each application. I believe one application goes to the city (Guangzhou), another to the province (Guangdong), and another to the central government. Each is approved in order, and will take up to six months to complete from time of successful submission. The submission and all evidence is not provided online, so expect to have a mountain of printed paperwork.

The exact documents required will depend on the type of category you choose. Certain categories, such as the High Talent category, will have their own applications and approvals at company, local, province, and central government levels. As such, you can expect even the pre-conditions to take considerable time and cost to complete. I tried to ask the PSB for a digital copy of a book they gave me on the application process, but they said they did not have one because of “maybe national security concerns.” Here is a copy of the book I took with my cellphone (apologies) as there appears to be no restrictions on the material. There is an exact Chinese version of the book at the end, which should be used in case the English is confusing, as the Chinese provides the exact regulations.

End to end, from time of starting the process to completion it took me about 10 months. I already had many of the documents fully ready previously due to other visa applications. My China PR ID approval process took nearly exactly six months, as they advertised. Once you apply successfully, you will receive a submission confirmation paper with the application number. They assigned me a very courteous officer to handle the process, and was able to keep in touch via WeChat to check on the status.

Once ready, my case officer notified me to come to the office with my original passport used during the application and the confirmation piece of paper. You must personally physically show up at the office to pick up the PR ID Card, unless it is for a child, in which case one of the parents can pick it up without them present as long as they have the child’s original passport used and original submission confirmation paper. They won’t mail it under any circumstance, even if involuntarily locked down in another province for an undetermined amount of time.

How much does it cost?

As of 2022, the submission is 1500 RMB non-refundable payment that must be paid at a local bank. If you are approved, you will also have to pay 300 RMB at the counter using WeChat once they issue the card.

Gathering the supporting evidence is the real cost and complexity. If the document is from a foreign country, it must be apostille for use outside of the country by first the state of issuance’s Department of State (Examples: If a birth certificate is from Illinois, it must be apostille by Illinois. If the FBI Background Check report, it must be apostille at the federal level – US Department of State).

Once apostille allows the document to be used abroad, you then submit the document to the China Consulate in your country for approval for use in China, and then mailed back to yourself. Always use a mail service that can provide a tracking number and never rely on any domestic postal service anywhere. If the document is not in Chinese, you must then use an official Chinese notary to translate and notarize this document. As you can imagine, this can add up to a lot of cost – easily a few hundred to thousand RMB per document due to apostille, consulate, shipping, translation, notary, and copying costs. Each document only needs one original which you must show to the officer and then can retain, but you should have three copies made to be submit with each of the three original applications.

I personally completed the process by myself (some help from my wife, thank you), while residing in China, with limited ability to speak and write Chinese. While it is possible to hire an agency to ensure all the steps are completed, I hope the documents and advice I have provided may help others complete the work themselves. Best of luck.

The post Foreign Permanent Resident Identification in Mainland China appeared first on benchodroff.com.

NFC, or Near-Field Communication, tags are low cost, low bandwidth, small range, and are already supported by both iPhone and Android phones. Your phone likely already has this feature, but many are unaware of using it with these tags. The tags themselves come in multiple formats, but the ntag213 is a 25mm circle no thicker than a normal sticker that can store a small amount of data – such as a URL. Programming these tags can be done with any standard iPhone or Android phones using free software. Reading the tag requires no software to be installed on the phone, and the tag requires no battery as it uses the radio signals from your cellphone to power the incredibly tiny chips in the sticker.

Normally, to claim a POAP NFT, you are given a claim code or QR code to scan or type into the POAP app. However, we can take the list of claim URLs and write them to NFC ntag213 stickers to make a cost effective and very unique digital twin experience. Simply tapping the iPhone or Android against a regular looking sticker magically loads the URL to mint the NFT to the user’s web3 wallet. 

I ordered 1000 ntag213 25mm stickers from Taobao for only 0.35 RMB each. I then ordered 1000 vinyl 25mm stickers for 108RMB. In total, that is only $0.07 USD per sticker in material costs. Sadly, I have yet to find a vendor that “does it all” to print a vinyl sticker, attach it on the NFC tag, and program it with the unique URL. As such, I had to manually peel 1000 stickers and attach them to the tags. After attaching each sticker, you will then need to write the URL contents. I found a free application “NXP TagWriter” which claims to have CSV support, but in reality it doesn’t work on iPhone (but perhaps csv imports work on Android?). Luckily, they did have a dataset export/import feature which can import a json-like file. I made a small python POAP URL to json file converter by using the ndef python library to hex encode and format the tag data contents.

Upload the resulting json file to your iPhone or Android, import it with NXP TagWriter, and then multi-write the tags one by one. Now, hand the tags out at your next event. Most people were… amazed. They couldn’t believe that a sticker could be scanned by a phone, or that NFTs can be free. I hope this guide helps others recreate the POAP NFT via NFC sticker experience. 

The post NFT Stickers using NFC and POAP appeared first on benchodroff.com.

For this project, I used the “thinkst/opencanary” docker container on my Synology NAS. It creates a variety of psuedo-real services that log to a central file that can be easily monitored. Any bot, script kiddie, or even advanced persistent threat scanning the network may get curious, access this honeypot, and trigger the canary to issue an early warning alert. Thinkst also has an enterprise version and I’m willing to bet it’s worth the money because the free version is amazing for a self-hosted enthusiast, but their paid version looks turnkey.

The Synology NAS makes hosting docker containers easy. This particular container is going to require a bit more setup because it will be attempting to run services on ports that conflict with Synology’s own internal service ports, such as a tcp/80 webserver. We can use a docker “macvlan” network driver to create a special network interface that creates a unique IP address separate from your Synology NAS IP address.

The full instructions on how to set up Macvlan in Synology can be found here and I suggest reading these first.

However, the commands I used are specific to my Synology setup (I use bond0 instead of eth0 because I have bonded my ethernet ports together, and I picked 192.168.50.200/32 as an unused ip address that my router DHCP will not assign). You must SSH to the Synology NAS to issue this command because it is currently not possible to create a macvlan network through the GUI:

docker network create -d macvlan -o parent=bond0 --subnet=192.168.50.0/24 --gateway=192.168.50.1 --ip-range=192.168.50.200/32 canary_network

I next created a docker bridge “canary_bridge” network through the Synology GUI. This allows my Synology to communicate with the OpenCanary container using 192.168.10.2/32 IP address.

Finally, I downloaded the image “neomediatech/opencanary:latest” (it appears to be the best supported version of thinkst/opencanary in dockerhub), and launched it on both the “canary_network” and “canary_bridge” networks using the advanced settings during the launch. This ensures both my NAS and rest of the network can see this container. As the container is using macvlan, you do not need to map any ports in docker — everything on the container is magically directly visible to the network. Leave the “port settings” page blank. Never expose this container directly to the public internet “for fun”, as the canary services it runs are not secure and don’t trust a docker container to isolate from a hacker.

In the volume settings, you can specify a /data directory for the log file, and optionally provide a custom opencanary.conf file mapped to /root/.opencanary.conf. The example opencanary.conf template file can be found on the github repository – enable more of the services.

Once launched, you could port scan the IP address of the OpenCanary from another machine and see the services running (or use 192.168.10.1 if running the scan from the Synology):

nmap -F 192.168.50.200

When you access port 80 webserver, you will get a very convincing fake Synology NAS login page:

When a hacker attempts to login against these fake services, each attempt is logged. As nobody should ever need to login to these fake services, you can now use any log file alerting tool. You can also use the built in PyLogger SMTP service to relay these log messages to your email. Sadly, the SMTP log service has issues with TLS connections so you may need to fiddle with the settings… it took me a bit to get it all working.

Now you all know my secrets but hopefully this idea helps protect someone else.

The post OpenCanary honeypot on Synology NAS appeared first on benchodroff.com.

The Helium relies on libp2p. China’s Great Firewall (GFW) has very effective mechanisms that recognize libp2p domestically and inject connection resets during the SSL handshake. While you could put a commercial VPN in front of your Helium device, most of these solutions won’t allow opening a port. Helium is supposed to work around this problem by providing a relay service, but this relay mechanism is also being disrupted inside China. This will cause your node to remain fully synchronized but never participate in Proof of Coverage (witness/beacons). If you want to decentralize in China, you need to build your own bridge out of China to participate. I implemented a bridge to a Virtual Private Server (VPS) in the cloud outside of China by using a self hosted Wireguard VPN and client. Each Helium device would require its own VPS (or more specifically, its own unique external to China IP address with port 44158 opened, because relays are broken). Here are the steps to take to reproduce my setup.

The Panther X1 is internally a Raspberry Pi 4B with a LoRaWAN adapter. The Raspberry Pi is locked down but allows SSH connections. In order to install a VPN client on this device and troubleshoot it effectively, we will need to break into the device. Luckily, the Panther X1 isn’t that secure (note: the Panther X2 implements additional security).

Open the device up, remove the four rubber pads from the device, remove the four screws in the case, remove all the screws holding down the LoRaWAN adapter, and gently pull up on the adapter towards the antennas. You will find it separates from the pins on the Raspberry Pi board.

Once the LoRaWAN adapter is disconnected (you may keep the antennas connected, just move the board aside), remove all the screws for the Raspberry Pi. On the underside you will find a micro SD Card. Remove this card, and install it into a USB micro SD card reader on a Linux computer (on older MacOS you can use exFuse, and there may be a similar program for Windows – let me know in the comments). Find the device such as “/dev/sdb2”. The letter may be different on your computer, but it is the second partition which is formatted ext4 that we want. 

# Mount the device to a mountpoint that is available
sudo mount /dev/sdb2 /mnt
vim /root/.ssh/authorized_keys
# Append your SSH public key to the list (if you don't know what a SSH public key is, you will need to google it to learn more)
# Once completed, unmount the device
sudo umount /mnt

Once we have modified this file, we can now reinstall the micro SD card back into the Raspberry Pi. Now is a great time to install heatsinks on the Raspberry Pi CPU, RAM, and bridge — as the device gets to 80C otherwise. Finally, reattach the LoRaWAN adapter – pay attention to ensure the pins line up correctly. Reinstall the screws for the case and rubber feet. You can boot your Panther X1 back up and find that your SSH root account now accepts logins using your private key.

To install wireguard server and client, I followed this guide with some modifications below:

Wireguard VPN Server on VPS

sudo apt update
sudo apt upgrade
reboot
sudo apt install wireguard vim fail2ban
sudo -i
cd /etc/wireguard/
umask 077; wg genkey | tee privatekey | wg pubkey > publickey
cat privatekey
cat publickey
sudo vim /etc/wireguard/wg0.conf
# Replace PrivateKey with the server private key
# We will generate the Peer client PublicKey later... leave the section commented out for now

[Interface] 
## My VPN server private IP address (Don't change this unless required) 
Address = 192.168.12.1/24  
 
## My VPN server port ## 
ListenPort = 41194   

## VPN server's private key i.e. /etc/wireguard/privatekey 
PrivateKey = REPLACE ME

PostUp = /etc/wireguard/helper/add-nat-routing.sh
PostDown = /etc/wireguard/helper/remove-nat-routing.sh

# (come back and uncomment this once you set up the client!)
#[Peer]
## Client public key 
# PublicKey = REPLACE ME
#
## client VPN IP address (note the /32 subnet) - (Don't change this unless required) ##
#AllowedIPs = 192.168.12.2/32

sudo mkdir /etc/wireguard/helper
sudo vim /etc/wireguard/helper/add-nat-routing.sh

#!/bin/bash
# https://www.cyberciti.biz/faq/ubuntu-20-04-set-up-wireguard-vpn-server/
IPT="/sbin/iptables"
#IPT6="/sbin/ip6tables"          
IN_FACE="eth0"                   # NIC connected to the internet
WG_FACE="wg0"                    # WG NIC
SUB_NET="192.168.12.0/24"        # WG IPv4 sub/net aka CIDR
WG_PORT="41194"                  # WG udp port
HELIUM_PORT="44158"              # Helium tcp port
HELIUM_IP="192.168.12.2"         # Helium VPN client IP address
#SUB_NET_6="fd42:42:42:42::/112" # WG IPv6 sub/net

## IPv4 ##
$IPT -t nat -I POSTROUTING 1 -s $SUB_NET -o $IN_FACE -j MASQUERADE
$IPT -I INPUT 1 -i $WG_FACE -j ACCEPT
$IPT -I FORWARD 1 -i $IN_FACE -o $WG_FACE -j ACCEPT
$IPT -I FORWARD 1 -i $WG_FACE -o $IN_FACE -j ACCEPT
$IPT -I INPUT 1 -i $IN_FACE -p udp --dport $WG_PORT -j ACCEPT

# outside the wall you can achieve anything
$IPT -t nat -A PREROUTING -i $IN_FACE -p tcp --dport $HELIUM_PORT -j DNAT --to-destination $HELIUM_IP:$HELIUM_PORT

## IPv6 (Uncomment if ipv6 is required) ##
## $IPT6 -t nat -I POSTROUTING 1 -s $SUB_NET_6 -o $IN_FACE -j MASQUERADE
## $IPT6 -I INPUT 1 -i $WG_FACE -j ACCEPT
## $IPT6 -I FORWARD 1 -i $IN_FACE -o $WG_FACE -j ACCEPT
## $IPT6 -I FORWARD 1 -i $WG_FACE -o $IN_FACE -j ACCEPT

sudo vim /etc/wireguard/helper/remove-nat-routing.sh

#!/bin/bash
IPT="/sbin/iptables"
#IPT6="/sbin/ip6tables"          
IN_FACE="eth0"                   # NIC connected to the internet
WG_FACE="wg0"                    # WG NIC 
SUB_NET="192.168.12.0/24"        # WG IPv4 sub/net aka CIDR
WG_PORT="41194"                  # WG udp port
HELIUM_PORT="44158"
HELIUM_IP="192.168.12.2"
#SUB_NET_6="fd42:42:42:42::/112" # WG IPv6 sub/net

# IPv4 rules #
$IPT -t nat -D POSTROUTING -s $SUB_NET -o $IN_FACE -j MASQUERADE
$IPT -D INPUT -i $WG_FACE -j ACCEPT
$IPT -D FORWARD -i $IN_FACE -o $WG_FACE -j ACCEPT
$IPT -D FORWARD -i $WG_FACE -o $IN_FACE -j ACCEPT
$IPT -D INPUT -i $IN_FACE -p udp --dport $WG_PORT -j ACCEPT
$IPT -t nat -D PREROUTING -i $IN_FACE -p tcp --dport $HELIUM_PORT -j DNAT --to-destination $HELIUM_IP:$HELIUM_PORT

# IPv6 rules (uncomment if ipv6 is required) #
## $IPT6 -t nat -D POSTROUTING -s $SUB_NET_6 -o $IN_FACE -j MASQUERADE
## $IPT6 -D INPUT -i $WG_FACE -j ACCEPT
## $IPT6 -D FORWARD -i $IN_FACE -o $WG_FACE -j ACCEPT
## $IPT6 -D FORWARD -i $WG_FACE -o $IN_FACE -j ACCEPT

sudo chmod +x /etc/wireguard/helper/*.sh
sudo ufw allow 41194/udp
# Allow the helium port to route traffic to wireguard client IP
sudo ufw route allow proto tcp to 192.168.12.2 port 44158
sudo ufw allow ssh
sudo ufw enable
sudo ufw status
sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0
sudo systemctl status wg-quick@wg0
sudo wg
# Make sure you have opened 41194/udp in your cloud provider security group! 
# Now, we need to update the server to allow relaying traffic
sudo vim /etc/sysctl.conf
# append the following to the end of that file:

# Wireguard
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding=1

# reload the /etc/sysctl.conf file:
sysctl -p

Wireguard Client on Panther X1

sudo apt update
sudo apt upgrade
reboot
sudo apt install wireguard vim fail2ban
sudo -i
cd /etc/wireguard/
umask 077; wg genkey | tee privatekey | wg pubkey > publickey
cat privatekey
cat publickey
# Go back to server /etc/wireguard/wg0.conf, fill in the public key into the [Peer] section
# Uncomment peer section, and then run on server: sudo systemctl restart wg-quick@wg0

# Set up client on Panther 
# Replace PrivateKey and PublicKey - pay attention to server vs client
# Replace Endpoint with your server's public IP address or DNS
sudo vim /etc/wireguard/wg0.conf

[Interface]
## This Desktop/client's private key ##
PrivateKey = REPLACE ME

## Client ip address ##
Address = 192.168.12.2/24

[Peer]
## Ubuntu 20.04 server public key ##
PublicKey = REPLACE ME

## set ACL ##
AllowedIPs = 0.0.0.0/0
## Your Ubuntu 20.04 LTS server's external address and port "156.283.123.9:41194" ##
Endpoint = REPLACEME:41194

## Key connection alive ##
PersistentKeepalive = 15
sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0
sudo systemctl status wg-quick@wg0
sudo wg
sudo vim /lib/systemd/system/wg-quick@.service

Modify the following lines to include network.target:

After=network-online.target nss-lookup.target network.target 
Wants=network-online.target nss-lookup.target network.target

Double check everything is working. I also experience occasional drops, so I have a watch script on the client which restarts the wireguard client if we lose connectivity, or starts it upon reboots. Don’t enable this until you are certain everything is working first. 

sudo vim /root/wireguard_watch.sh

#!/bin/bash
/usr/bin/ping -c 1 192.168.12.1 &> /dev/null && (/usr/bin/logger "INFO: Wireguard alive") || (/usr/bin/logger "ERROR: Wireguard dead, restarting wg-quick@wg0" ; /usr/bin/systemctl restart wg-quick@wg0)

sudo chmod +x /root/wireguard_watch.sh
sudo crontab -e

You will see an existing line in this file. Ignore it, and leave it alone. Add a new line which contains: 
* * * * * /root/wireguard_watch.sh > /dev/null

I also installed the Panther X1 Dashboard:

sudo -i
cd /root
git clone https://github.com/Panther-X/PantherDashboard.git
cd PantherDashboard
sudo sh install.sh

You can now access the dashboard at https://YourInternalPantherIPAddress using admin/admin as the login. 

From SSH, you can also explore the setup and troubleshoot the logs:

tail -f /opt/miner_data/logs/console.log

sudo docker exec helium-miner miner info height
sudo docker exec helium-miner miner peer listen

We can see the miner info height returns the epoch and block height which you can compare with https://explorer.helium.com. You can use the miner peer listen to see what your IP address is – it should show your Wireguard external server IP address if successful. You can safely ignore the 172.xxx IP address, as it is just the docker container. 

Outside the wall, we can achieve anything. Have fun!

The post Helium blockchain in China using a Panther X1 and Wireguard VPN appeared first on benchodroff.com.

Unlike Ethereum 1.0 which required very expensive and power hungry graphics cards, Ethereum 2.0 uses relatively little hardware and energy. Even a modest modern computer with a reliable internet connection can do the job. The only significant requirement is a NVME SSD if you plan to run an Ethereum 1.0 client, as the I/O requirements are high. I can run the entire Ethereum 1.0 and 2.0 stack on an incredibly efficient Intel NUC 10 i7 computer which consumes only 50 watts, runs silent, and is incredibly tiny. The total build cost was under $1600 in early 2021. This is higher in cost than normal because of the global microchip shortage. I also use a consumer grade UPS battery backup on my router, modem, and computer to ensure reliable operation. While many choose to run their setups on cloud computing, I prefer to keep my validator at home for the fun of it and lower total cost of ownership. As my home is in mainland China, I did check to see whether running any type of cryptocurrency mining (which validating would still qualify as) at home for personal purposes was still allowed – and they claim there are no laws against it: http://www.12348.gov.cn/english.html#/english/englishDetail?info_id=cdc1985e-e0cf-4df7-8602-65161f940532.

Assembling an Intel NUC takes only perhaps 30 minutes and is about the simplest computer you could build. I opted for an i7 to hopefully future proof some of the processing requirements. I included 32GB of RAM such that I could reliably run both a mainnet and testnet client simultaneously on the same hardware for testing purposes. You will only need less than 1TB of storage for the geth client, but I opted for 2TB to future proof the growth. My second computer is my old mining rig, but using two machines is not strictly required and arguably creates more complexity than benefits since you can only run a single validator.

I run a high availability configuration involving two physical servers for resiliency. As a validator node, you can only be active on a single machine, or your stake will get penalized severely by the network by being “slashed”. However, by using multiple servers, I am able to create redundancy on the Ethereum 1.0 geth client as well as the Ethereum 2.0 Lighthouse beacon node to help my single validator stay online. In addition, I have a third resiliency layer using a free account at https://infura.io which has both Ethereum 1.0 and 2.0 beacon node clients configured as a final fallback option for my validator. Monitoring is performed using https://beaconcha.in as well as a using Telegraf, Influxdb, and Grafana for alerting. While there is a Prometheus monitoring option, I have not yet configured it or found it necessary.

• The Ethereum launchpad has all the resources you need to get started: https://launchpad.ethereum.org/en/overview
• The Lighthouse documentation explains many of the parameters I am using: https://lighthouse-book.sigmaprime.io/
• I highly recommend joining the Ethstaker discord for questions: https://discord.gg/uN2wyUYutM
• Lighthouse also has their own discord too for technical help: https://discord.gg/RPS8GZyx3c

This is the gist of my setup. Of course, follow the documentation and more steps should be taken to harden your configuration.

# Set up UFW firewall to allow traffic between all servers/docker involved
ufw allow from 192.168.50.13
ufw allow from 192.168.50.16
ufw allow from 172.17.0.0/24
ufw allow 22/tcp
ufw enable

# Install Docker on Ubuntu 20.04
apt update
apt install -y docker-ce

# Pull Lighthouse for Ethereum 2.0
docker pull sigp/lighthouse:latest

# Pull geth for Ethereum 1.0 geth client stable
docker pull ethereum/client-go:stable

# Dockupdater is a great way to automatically update docker 
docker pull dockupdater/dockupdater:latest

Below are the docker scripts I use with [VARIABLES] redacted to protect my exact configuration. I have set up each docker container to auto restart so that if the computer reboots, it will come back online. Of course, be very careful with your validator. You can only run one validator at a time or you will get slashed. NEVER store your validator keys on more than one host, or it is inevitable you will make a mistake and get slashed. Always keep an encrypted backup of your validator keys offsite. It’s a lot of ETH to stake. Make sure you test thoroughly all possible scenarios like computer reboots, power outages, geth or beacon node failures, and harden your Linux security.

My docker containers are running as root as I could not find an easy way with docker-compose to run as an underprivileged user while automatically updating containers when new releases are made available. As a result, I have sacrificed some security for convenience by using dockupdater to automatically update the docker containers each time a new release is made available. Perhaps someone has a simple and better approach – please tell me.

I would love to learn how to run a slasher. Perhaps that will be a future article!

# Set up an Ethereum 1.0 Geth client
docker run --restart=always -d --stop-timeout 300 --name ethereum-node-mainnet -h ethereum-node-mainnet -v /opt/ethereum/mainnet/ethereum-mainnet:/root/.ethereum -p 28545:28545 ethereum/client-go:stable --http --http.addr 0.0.0.0 --http.port 28545 --http.api eth,net --http.corsdomain '*' --ipcdisable --gcmode full --syncmode snap --cache 2048 --metrics --metrics.influxdb --metrics.influxdb.endpoint "https://[INFLUXDBHOST]:8443" --metrics.influxdb.username "[USER]" --metrics.influxdb.password "[INFLUX_PASSWORD]" --metrics.influxdb.database geth --metrics.influxdb.tags host="[INFLUX_HOSTNAME]-mainnet" --txpool.accountslots 32 --txpool.globalslots 8192 --txpool.accountqueue 128 --txpool.globalqueue 2048 --txpool.journal ""

# Create an Ethereum 2.0 Lighthouse Beaconnode
docker run -d --restart=always --stop-timeout 300 --name lighthouse-bn-mainnet -h lighthouse-bn-mainnet -p 29000:9000 -p 25052:5052 -v /opt/ethereum/mainnet/lighthouse:/root/.lighthouse sigp/lighthouse lighthouse --network mainnet bn --target-peers 120 --staking --http --http-address 0.0.0.0 --metrics --eth1-endpoints http://[HOSTIP_1]:28545,http://[HOSTIP_2]:28545,https://mainnet.infura.io/v3/[INFURA_AUTH] --monitoring-endpoint https://beaconcha.in/api/v1/client/metrics?apikey=[BEACONCHAIN_KEY]&machine=[HOSTNAME]

# Create an Ethereum 2.0 Validator 
# Be careful to only run this on ONE host or you will get slashed
docker run -d --restart=always --stop-timeout 300 --name lighthouse-vc-mainnet -h lighthouse-vc-mainnet -p 25062:5062 -p 25064:5064 -v /opt/ethereum/mainnet/lighthouse:/root/.lighthouse -v /opt/ethereum/mainnet/validator_keys:/root/validator_keys sigp/lighthouse lighthouse --network mainnet vc --enable-doppelganger-protection --metrics --beacon-nodes http://[HOSTIP_1]:25052,http://[HOSTIP_2]:25052,https://[INFURA_AUTH]@eth2-beacon-mainnet.infura.io --http --monitoring-endpoint https://beaconcha.in/api/v1/client/metrics?apikey=[BEACONCHAIN_KEY]&machine=[HOSTNAME]

I welcome any suggestions, questions, or please leave a comment if this helped you. 

The post Validating Ethereum2 with Lighthouse in Docker appeared first on benchodroff.com.

Translation

Google Translate

The best for text translation. It supports an offline translation mode if you download the speech files. The key to getting a good English to Chinese translation is to use extremely short but complete sentences, avoid idioms, avoid jokes/sarcasm, and avoid any shorthand sentences. For example, do not translate “See you soon” (this common American shorthand incorrectly gets translated to “Zaijian” which means “Goodbye” ) but instead you should translate “I will see you soon.” (translates correctly as it is a correct sentence). The APP does not require a VPN to work, however, you should know that https://translate.google.com is blocked in China, but https://translate.google.cn is allowed. 

Microsoft Translator

The best for image translation. The Microsoft Translator app does an amazing job on taking a picture or screenshot, recognizing Chinese characters, and overlaying the original image with an English translation. While Google Translate can also do this, Microsoft wins hands down on this feature. This is especially useful when using Chinese language only applications, such as Taobao, which often do not support copy and pasting the Chinese content or options. You can take a screenshot of the Chinese app on an iPhone by clicking the left and right buttons of your phone simultaneously, then going into Microsoft Translator, and loading the screenshot. While this is a very tedious process, it is extremely useful when you have no better option.

Life

WeChat

WeChat is effectively your entire social life in China. This app supports a very good interface in English. Whether you chat with your friends, pay for a meal out, using local built in WeChat apps, or catching up on friend “moments”, you simply cannot survive in China without using WeChat. However, in order to enable WeChat with payments, you must do “Real Name Verification” which means you must have a mainland China bank card. Foreign and domestic credit cards can be linked to WeChat but are not capable of performing the Real Name Verification. Sadly, if you are a tourist it is (now) typically not possible to enable WeChat payments because nearly all banks will refuse to open an account for a foreigner without China employment.

Alipay

This APP is essential for many business payments and services. I find myself using WeChat more often than Alipay, but some places such as Taobao require Alipay. Overall, I don’t like Alipay with its sprawling and poorly designed capabilities that rarely support foreigners, but it’s an essential app.

Shopping

JingDong “JD”

If you are an Amazon-aholic, this is a very similar Chinese only experience. The quality of the items are very high with exceptional service and shipping speeds. You will need to find items that are sold directly by JD or JD logistics to ensure the highest quality and overnight delivery, but even small sellers tend to be more reputable than Taobao sellers. I am big fan and recommend the JD VIP club. I buy everything from 10kg bags of rice, shampoo, clothing, and electronics on here. 

Taobao

If it isn’t sold on Taobao, it probably isn’t available in China. While I prefer JD over Taobao due to quality and speed, I often shop Taobao if I want the best deal or a hard to find item. They key to being a smart shopper on Taobao is to look at who is selling the item. If it is a T-Mall item (which has its own app also owned by Alibaba), it is likely going to be very high quality. However, there are many individual shops that sell on Taobao. I would recommend checking to see how many items they have sold in the past. If it isn’t in the thousands, “buyer beware”. You want to buy from stores that have one or multiple “Diamond” pictures next to their store name which indicates they are a professional store with many previous sales. There are plenty of fakes and poor quality items, but using Taobao is still essential. I tend to buy odd items like a bottle of bourbon, cheap electronics, or even bulk purchases of aged Italian parmesan cheese. 

Travel

Baidu Maps

Baidu search is probably the worse search engine I’ve had to use but their maps are quite good for finding locations in China for driving, walking, and public transit routes. However, take all their navigation time estimates as flat out wrong in most circumstances.

Didi

There is rarely a need to actually drive yourself given how easy and affordable Didi makes it. This is a similar application to Uber, but I’m very impressed that they their APP has native English support with a built in translations for chats done with the driver. Top tip: if you use the Chinese language, you can enable extra Chinese only features such as “Sharing a ride” (saves money when you ride with others) and “Change the destination”. Yeah, that’s right – if you accidentally need to change the destination while in the English language, you will need to reload the application in Chinese to do so. Good luck. 

Fliggy

My favorite travel logistics service for mainland China. While the interface is slightly more complex than its competitor, Trip.com/CTrip, the benefits are that the prices tends to be cheaper and the integration to booking train tickets does not charge any 20RMB convenience charge – nice!

Food

Meituan

Nearly every restaurant imaginable has food delivery in China. Yes, even a gourmet Beijing Duck or an impressive boiling hotpot dinner can be boxed up and delivered pipping hot within a short amount of time. The application interface is exclusively in English, so I often resort to using a combination of Google Translate and Microsoft Translator with screenshots to navigate this essential application.

DianPing

While related to Meituan, this app focuses on just reviews. This Chinese only app is the best way to search local restaurants, shops, and experience for finding the best of any city. I would compare it as very similar to “Yelp” with a hint of “Trip Advisor”. As you find your favorite restaurants, you can star the restaurant in the app to build a list of favorite places to recommend to your friends.

JD Food Delivery

From foreigner supermarkets stocked with french Cheese, to your local wetmarket with 0.1RMB eggs, JD Delivery is the best grocery store delivery app. Each store charges a small (usually 6RMB) delivery fee, so it’s best to think of what you need to buy and group your order into a single stores purchase. As a foreigner, this makes purchasing groceries from wetmarkets so much easier because you can easily compare prices and search for exactly what you want. Deliveries are often done in less than an hour.

VPN

Shadowrocket

If you a foreigner it’s quite likely you are going to need a VPN to survive in China. Using a VPN inside China is perfectly legal (but you can’t sell VPN without the right licenses). Shadowrocket supports both Shadowsocks (SSR) and v2Ray — two of the most effective VPN technologies for jumping the Great Firewall. While this application does cost money, I view the features over the free alternatives as “worth it.” If you require a pretty good free version, check out Potatso2. This application does not provide the VPN service. For that, you can see my other blog post on how to pick a good commercial VPN provider for China. 

The post iPhone Apps for Foreigners Living in China appeared first on benchodroff.com.

While I could say what I use today (nexitallysafe.com, wannaflix.com, and two backup v2ray servers in Aliyun and AWS using CloudFlare relaying websockets) these will likely all be dead soon enough. I’m going to teach you to fish and point you to the self proclaimed non-experts at duyaoss.com which regularly review the best providers and provide detailed technical analysis. Use Google Chrome to translate the site if you can’t read Chinese.

Commercial Review

Not all internet service providers (ISP) will have the same performance with each VPN provider. The first way to getting reliable VPN speed is to use the right ISP where possible. For the best performance and least restrictions, I recommend China Unicom (few users) or China Telecom (very good). China Mobile should be avoided as their IPLC connection is terrible and they have too many users, but with the right VPN you can make the most of it. Let’s cut to the chase and see the reviews:

VPN Testing Results using China Unicom (and intro – read this first!)

VPN Testing Results using China Telecom

VPN Testing Results using China Mobile

Run Your Own v2Ray

Running your own v2ray server outside China for use in China will never be as fast as the best commercial providers because you cannot buy a relay node unless you happen to be mainland Chinese citizen, have a legitimate Commercial Business license (hard), and can obtain an Internet Data Center license (IDC) in China (impossible).

However, if you require a VPN which works even during a crackdown or want to have online privacy, I recommend running your own private v2ray servers and only using them in an emergency. How to setup a v2ray VPN is quite an advanced topic and you should use Google for better guides. However, you can see my v2ray configuration script here if it helps you: https://github.com/benjaminchodroff/v2ray-connect/

I highly recommend setting up v2ray with WebSockets and relaying it through CloudFlare for free. This ensures that even if your server gets banned, you can still access it via a CloudFlare relay which, while capped to <50Mbps, it is impossible for China to ban without China blocking much of the web. I recommend reading this for analysis of cloud providers that are commonly used for hosting VPN nodes for use with users in China.

The post Selecting a VPN for China appeared first on benchodroff.com.

My build was determined based on the lack of availability of GPU’s. I did not want to mix and match AMD and NVIDIA cards, but sadly this was the only available option. It would be much easier if I had six of the same GPU’s. If you are struggling to find a GPU I would recommend using the website nowinstock.com and sign up to their google group.

I used Ubuntu 16 LTS as the operating system. I started by using Etcher on my Mac to load the Ubuntu installation media on a USB stick. Once booted up, I installed Ubuntu on the SSD hard drive with no GPU’s running. While I could have used a USB stick as the main storage, I planned on needing the extra hard drive space for some other blockchain projects.

The biggest challenge was the motherboard. The MSI Z170A is notoriously a pain to work with and mine was no exception. Unfortunately, it was the only motherboard in stock that could support six GPUs. I updated the firmware on the motherboard bios because the included bios would not support six GPUs. I would strongly recommend using the integrated graphics and avoid connecting any GPUs or PCIe risers until your operating system is fully installed and ready to go. After the OS was loaded, I began the process of setting up the Ethereum mining software with a single GPU connected directly in the primary PCIe slot with no riser. I tried many versions of ethereum for mining but ultimately have settled on using Genfoil’s dual ethereum miner. You can find the download link and more discussion than you can ever read over here:
https://bitcointalk.org/index.php?topic=1433925.0

Once you have a basic single GPU mining rig working, keep adding one card and riser at a time. It is important to monitor the performance of the mining speeds each time you add a GPU to ensure it is running correctly. After four GPUs, I had to adjust the settings of my motherboard to set an advanced settings “Above 4G Decoding – Enabled”. I did not end up using Gen1 for PEG0 or PEG1 – I left these set at auto. Setting it to Gen1, as other guides recommended worked, but would result in a ~50% loss in mining performance. Here is an example of the other guide:
https://forum.z.cash/t/msi-z170-7-gpu-bios-setting-step-by-step/14473

You will want to join a mining pool because ethereum is not profitable to solo mine. My personal favorite has been using nanopool.com, although I tried many others too. You will need to create an ethereum wallet, save the private key in a safe place, and use the public key as your wallet address. I highly recommend using myetherwallet.com for storing your ETH safely.

I have dual mined SIACoin in the past but currently am dual mining Decred. You may want to check out the website whattomine.com to decide what coins you wish to mine based on the expected profitability.

It is very easy to spend a lot of time tuning and it is far too time consuming to explain all the options available, but I am happy to share my current settings:

My claymore startup script looks like this:

export GPU_MAX_HEAP_SIZE=100
export GPU_USE_SYNC_OBJECTS=1
export GPU_MAX_ALLOC_PERCENT=100
export GPU_SINGLE_ALLOC_PERCENT=100
/opt/claymore10.6/ethdcrminer64 -tstop 90 -allpools 1 -mode 0 -r 1 -mpsw dummydummy -epool eth-us-east1.nanopool.org:9999 -ewal $ETH/$NAME/$EMAIL -epsw x -dpool dcr.suprnova.cc:3252 -dwal $NAME -dpsw $PASSWORD -ftime 10 > /dev/null 2>&1 &


I use the following script to tune my AMD and NVIDIA cards prior to launching:

#!/bin/bash
sudo su -c 'nvidia-smi -pm 1'
# Set power limit to 200 watts per card
sudo su -c 'nvidia-smi -pl 200'
# Unrestrict all GPUs
sudo su -c 'nvidia-smi -acp UNRESTRICTED'
timeout 10 sudo su -c '/usr/sbin/gpucontrol 100 0 1210 0 >> /var/log/gpucontrol.log 2>&1'
timeout 10 sudo su -c '/usr/sbin/gpucontrol 100 0 100 1 >> /var/log/gpucontrol.log 2>&1'
timeout 10 sudo su -c '/usr/sbin/gpucontrol 100 0 100 2 >> /var/log/gpucontrol.log 2>&1'
timeout 10 sudo su -c '/usr/sbin/gpucontrol 100 0 1210 3 >> /var/log/gpucontrol.log 2>&1'
for i in `ls /sys/class/drm/card*/device/hwmon/hwmon*/pwm1`;do
timeout 10 sudo su -c "echo 255 > $i";
done
for i in `ls /sys/class/drm/card*/device/power_dpm_force_performance_level`; do
timeout 10 sudo su -c "echo high > $i";
done

As you can see, this script is calling a “gpucontrol script”:
#!/bin/bash
PERCENT=$1
GRAPHICS=$2
MEMORY=$3
CARD=$4
cp -f /home/benjaminchodroff/.Xauthority /root/
if [ -z "$CARD" ];
then
NUMGPU="$(nvidia-smi -L | wc -l)";
echo "Setting up ${NUMGPU} GPU(s)";
n=0;
while [ $n -lt $NUMGPU ];
do
DISPLAY=:0 nvidia-settings -a [gpu:${n}]/GPUFanControlState=1 -a [fan:${n}]/GPUTargetFanSpeed=$1 -a [gpu:${n}]/GPUPowerMizerMode=1 -a [gpu:${n}]/GPUMemoryTransferRateOffset[3]=$3 -a [gpu:${n}]/GPUGraphicsClockOffset[3]=$2;
let n=n+1;
done
else
n=$CARD;
DISPLAY=:0 nvidia-settings -a [gpu:${n}]/GPUFanControlState=1 -a [fan:${n}]/GPUTargetFanSpeed=$1 -a [gpu:${n}]/GPUPowerMizerMode=1 -a [gpu:${n}]/GPUMemoryTransferRateOffset[3]=$3 -a [gpu:${n}]/GPUGraphicsClockOffset[3]=$2
fi

There are so many helpful guides that I read – more than I can ever remember. The following links may help so I’m providing them here:

https://gist.github.com/wangruohui/df039f0dc434d6486f5d4d098aa52d07
https://www.meebey.net/posts/ethereum_gpu_mining_on_linux_howto/
https://askubuntu.com/questions/902636/nvidia-smi-command-not-found-ubuntu-16-04
https://askubuntu.com/questions/761136/ubuntu-16-04-nvidia-drivers-dont-work
http://support.amd.com/en-us/kb-articles/Pages/AMDGPU-PRO-Install.aspx

My rig is nothing fancy and certainly not bulletproof, but it allowed me to better understand blockchain mining for proof of work while making a few extra dollars.

The post Building a six GPU Ethereum Mining Rig appeared first on benchodroff.com.

You could rent a cloud server from Digital Ocean or AWS, but because I already own a Synology NAS at home I decided to use it instead. If you own a Synology NAS, you may not be aware that it can run docker containers. Docker will allow you to tap into a repository community of images that have already been prebuilt for a wide variety of applications including Shadowsocks. I already loved my Synology NAS, but once I started using docker it became indispensable.

Synology NAS Configuration

If you have not installed Docker on your Synology NAS before you simply need to go into the Synology Package Center on the device, search for “Docker”, and click to install it.

Now you can open the Docker service on the Synology NAS and go to “Registry” to search for “shadowsocks.” The first result will be “mritd/shadowsocks.” Select this image, click Download, and when prompted download the latest.

Once downloaded, you can deploy this image by going into the “Image” section, selecting the shadowsocks image, and clicking “Launch.” Set the following options in “Advanced Properties”:

• Enable auto-restart
• Under “port settings”, create a port mapping the local port 6500 to the docker port 6500 for UDP traffic
• Under “port settings”, create a port mapping the local port 6443 to the docker port 6443 for TCP traffic
• Under “environment”, create or modify the following environment variables:
  • SS_MODULE: ss-server
  • KCP_FLAG: true
  • KCP_CONFIG: -t 127.0.0.1:6443 -l :6500
  • KCP_MODULE: kcpserver
  • SS_CONFIG: -s 0.0.0.0 -p 6443 -m aes-256-cfb -k test123

These properties specify that we want to run shadowsocks in server mode “ss-server”. We are enabling the optional KCP tuning for UDP relay support running on TCP port 6443 and UDP port 6500 using the kcpserver module. We are starting shadowsocks to listen on all available ip addresses 0.0.0.0 for 6443/TCP with aes-256-cfb encryption and a password of “test123” (pick a better password). It is important to know that a single shadowsocks tcp/udp port combination can support as many simultaneous devices as you wish, but everyone who knows the password can connect to your home internet. Be careful who you share your password with!

Save, and start the image.

You will need to ensure your home router allows port forwarding for both the 6500/UDP and 6443/TCP port to the local IP address of your Synology NAS. If you have enabled a firewall on your Synology NAS under the Control Panel Security, you may also need to open these ports on the Synology too. Additionally, you will likely want to set up a dynamic DNS hostname service either on your home router or, better yet, use the built in dynamic DNS hostname mapping feature of the Synology NAS found in Control Panel, “External Access – DDNS”.

Now you need to configure your browser clients. I will provide examples for iOS and macOS, but clients for Linux and Windows also exist.

iOS Configuration

I use the “Potatso Lite” application for my iPhone iOS which you can find for free in the App Store. Once installed, add a server with the following information:

• Type: shadowsocks
• Host: [the dynamic DNS hostname of your NAS]
• Port: 6443
• Password: test123 (or the password you set)
• Encryption: aes-256-cfb
• Remark: (leave blank)

In advanced, enable “Forward UDP” – it turbocharges the performance using kcpserver.
In the general settings, I recommend using the “smart routing” feature because it significantly improves performance (although at a tradeoff of allowing China to see local country traffic).

macOS Configuration

For my Mac laptop I use shadowsocksR which you can download for free here:
https://github.com/qinyuhang/ShadowsocksX-NG-R/releases

This is a special China version of ShadowsocksR which is enhanced specifically for the great firewall. Once installed and running, it will automatically set up your Mac to have a proxy server which you can populate with your Synology NAS shadowsocks server. Add a server by navigating to “Server Preferences” and add the following details:

• Address: [the dynamic DNS hostname of your NAS]
• Port: 6443
• Password: test123 (or the password you set)
• Encryption: aes-256-cfb
• Remark: (leave blank)
• Leave the rest of the settings unchanged

Then add the following properties in the ShadowsocksR menu:

• “Auto Mode by PAC”
• In “Advanced Preferences”, check the “Enable the Udp relay” feature for enhanced performance using kcpserver.

How does this all work? Your browser is now configured to connect to a local proxy server (your shadowsocks client) which then connects to the shadowsocks server running in the docker container, which then relays the traffic to the destination. The shadowsocks server then sends the response back to your shadowsocks client using UDP and TCP, which your browser then receives via a standard proxy connection.

The solution is quite magical. The performance is vastly superior all the commercial VPN solutions I used. I can stream YouTube, post large photos to Instagram, and do just about anything as if I was at home.

The post Shadowsocks in Docker for bypassing China’s Great Firewall appeared first on benchodroff.com.