sigmoid


I installed a custom LEDE ROM on my TP-Link TL-WA901ND since the default one built upstream had features that I wasn’t using, and they consumed the free space of the device unnecessarily.

Namely, I removed support for IPv6, USB and telephony, as well as some associated packages and kernel modules (including ppp). I also included in the custom ROM dropbear (sshd), nano (text editor), and LuCI over SSL. You can download:

You can upgrade via LuCI, or from the command line with sysupgrade -v lede-ar71xx-generic-tl-wa901nd-v3-squashfs-sysupgrade-20170615.bin. I have not tested the factory ROM.

Customizing the custom ROM :)

If you want to build, or customize, the ROM using my kernel config, read on.

You first need the LEDE (or OpenWRT) source code:

git clone https://git.lede-project.org/source.git lede

Read the instructions on how to “Use the build system to compile a firmware image”. This assumes you have set up your system with the tools needed to build the code. My Gentoo system didn’t require anything to be installed, but if yours does, you can get some info here.

Once you have your system ready and have updated your feeds, copy the config-tl-wa901nd-v3 kernel config into the root of the source tree. If you want to customize it, run make menuconfig, then make -j1 (or make -j5 if you have 4 cores, and so on).

You may have to wait for quite a while for this to complete. Once done, the images will be created in bin/targets/ar71xx/generic/. Note that if there are no errors but you don’t see the lede-ar71xx-generic-tl-wa901nd-v3-squashfs-factory.bin and lede-ar71xx-generic-tl-wa901nd-v3-squashfs-sysupgrade.bin files, the packages and features you included in the ROM have probably exceeded the amount of flash space the device has. You have to remove some features via the kernel configuration and recompile.
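As an added example (not part of the original post, and not a LEDE tool), here is a small shell helper for the post-build check described above: it confirms that both images are present in the output directory, compares each image's size against a flash budget you pass in (the device's flash size is not stated in the post, so the budget value in the usage line is a placeholder), and prints a SHA-256 you can record before flashing. The directory and image-name prefix are the ones from the post; the function names and the budget argument are my own.

```shell
#!/bin/sh
# Added example: post-build sanity check for the TL-WA901ND v3 images.
# Not part of LEDE; the names check_images/image_sha256 are this script's own.

IMAGE_PREFIX=lede-ar71xx-generic-tl-wa901nd-v3-squashfs

# check_images <dir> <max_bytes>
# Returns 0 if both the factory and sysupgrade images exist in <dir> and each
# is at most <max_bytes>; otherwise prints what is wrong and returns 1.
check_images() {
    dir=$1; max=$2; rc=0
    for kind in factory sysupgrade; do
        img="$dir/$IMAGE_PREFIX-$kind.bin"
        if [ ! -f "$img" ]; then
            # A missing image after a clean build is the symptom the post describes:
            # the selected packages no longer fit the flash; trim the config and rebuild.
            echo "MISSING: $img (image too large for the flash? trim the config and rebuild)" >&2
            rc=1
            continue
        fi
        size=$(wc -c < "$img" | tr -d ' ')
        if [ "$size" -gt "$max" ]; then
            echo "TOO LARGE: $img is $size bytes, budget is $max" >&2
            rc=1
        else
            echo "OK: $img ($size bytes)"
        fi
    done
    return $rc
}

# image_sha256 <file>: print the SHA-256 of an image so it can be recorded and
# compared again on the device before flashing.
image_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Usage (budget is a placeholder; substitute your device's flash size in bytes):
#   ./check-images.sh bin/targets/ar71xx/generic 4194304
if [ $# -ge 2 ]; then
    check_images "$1" "$2" || exit 1
    for kind in factory sysupgrade; do
        echo "$(image_sha256 "$1/$IMAGE_PREFIX-$kind.bin")  $IMAGE_PREFIX-$kind.bin"
    done
fi
```

Run it from the LEDE source root after make finishes; a non-zero exit means at least one image is missing or over budget.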

Precompiled static and shared OpenSSL v1.0.2l and v1.1.0f for MSVC 2008-2017 are now available on the Precompiled OpenSSL page. Build scripts and patches are also available for anyone who wants to customize their builds.

Library names have changed upstream for v1.1.0f, but I follow the older pattern for my builds (i.e. libname[MT/MD][d]), as with the other branches.

Older versions of OpenSSL have been moved to the Precompiled OpenSSL (Past Builds) page; they are kept there only for archival purposes, so do not use these builds on any production systems. Actually, if you are doing any serious work, you ought to build your own OpenSSL anyway.

This is a guide useful for anyone using Plex Media Server on Gentoo and seeking to encrypt/secure their connections with TLS for the Plex Web UI. The instructions can be easily adapted to other distros and should work with minor modifications. I have written these notes using media-tv/plex-media-server-1.5.5 and app-crypt/certbot-apache-0.13.0.
You’ll need root in order to perform most of these steps.

Installing Plex Media Server and Letsencrypt client

Installing Plex Media Server on Gentoo is straightforward:

emerge -Dtva media-tv/plex-media-server

The post-installation instructions of the package will tell you:

Plex Media Server is now installed. Please check the configuration file in /etc/plex/plexmediaserver to verify the default settings.
To start the Plex Server, run 'rc-config start plex-media-server', you will then be able to access your library at http://:32400/web/

This may be good enough if you’re just running a home server to watch from the LAN, but if you will be accessing your Plex Media Server from a non-secure network (e.g. over the Internet or via your mobile data provider), this is clearly not the most secure setup. The instructions tell you to use a plaintext HTTP connection (http://:32400/web/), and, just like with any other plaintext connection, your Plex username and password can be sniffed trivially.

To make the connection secure you can obtain and install a free TLS certificate from Let’s Encrypt. If you already know how to obtain and install a Letsencrypt certificate, skip these instructions. On Gentoo you can use the certbot command-line tool, so go ahead and install its package:

emerge -Dtva app-crypt/certbot

You may end up with emerge complaining that a series of required dependencies cannot be installed. Make sure you keyword all those packages in /etc/portage/package.keywords. For example, you may have to append to your package.keywords:

=app-crypt/certbot-apache-0.13.0 ~amd64

Obtaining and installing a Let’s Encrypt certificate for Plex

Once certbot is installed and provided your server’s hostname is home-plex.mydomain.com, obtain the respective Letsencrypt free certificate:

certbot certonly --standalone --config-dir /etc/letsencrypt --preferred-challenges tls-sni-01 -d home-plex.mydomain.com

If everything has worked out correctly, your certificate will be installed in /etc/letsencrypt/live/home-plex.mydomain.com/.

Converting a Let’s Encrypt cert for use with Plex Media Server (format PKCS #12)

Assuming you have OpenSSL already installed (if not, emerge -Dtva dev-libs/openssl), you can create a PKCS #12 file containing the Let’s Encrypt certificate and private key to enable TLS support for home-plex.mydomain.com, using the following script (store it in /etc/plex/plex-renew-cert.sh; we’ll need the script again later):

#!/bin/bash
#
# store this script in /etc/plex/plex-renew-cert.sh
#
# Abort on the first failing command, so a broken conversion is never silently
# followed by the chmod/chown (and the renew hook reports the failure).
set -euo pipefail

PLEX_HOSTNAME=home-plex.mydomain.com
PLEX_CERT_ENCKEY=your-randomly-generated-password
# openssl reads the password from the environment (-passout env:), so it does
# not appear in the command line and is not visible to other users via ps.
export PLEX_CERT_ENCKEY

LIVE_DIR=/etc/letsencrypt/live/${PLEX_HOSTNAME}
PFX_FILE=/etc/plex/${PLEX_HOSTNAME}.pfx

# Create the container owner-only from the start, so there is no window in
# which the file (which holds the private key) is readable by others.
umask 077

openssl pkcs12 -export \
               -out "${PFX_FILE}" \
               -inkey "${LIVE_DIR}/privkey.pem" \
               -in "${LIVE_DIR}/cert.pem" \
               -certfile "${LIVE_DIR}/chain.pem" \
               -name "${PLEX_HOSTNAME}" \
               -passout env:PLEX_CERT_ENCKEY

# Set the right ownership and permissions on the generated PKCS #12 container file:
chmod 600 "${PFX_FILE}"
chown plex:plex "${PFX_FILE}"


Make sure you replace home-plex.mydomain.com with your server’s hostname and your-randomly-generated-password with a good password. You can quickly generate one here, but any will work.

Set good permissions and execute it:

chmod 700 /etc/plex/plex-renew-cert.sh
/etc/plex/plex-renew-cert.sh

Check the cert container has been generated:

ls -l /etc/plex/home-plex.mydomain.com.pfx

You can even verify the container, entering the PLEX_CERT_ENCKEY value when prompted; if everything is correct you’ll see something like:

openssl pkcs12 -in /etc/plex/home-plex.mydomain.com.pfx -noout
Enter Import Password:
MAC verified OK

Using the Letsencrypt PKCS #12 cert with Plex Media Server

To use the generated certificate in Plex, first start the Plex server (/etc/init.d/plex-media-server start) and visit the plaintext web interface at http://home-plex.mydomain.com:32400/web. Log in with your Plex.tv account, go to “Settings > Network”, fill in the following and “Save Changes”:

        Custom certificate location: /etc/plex/home-plex.mydomain.com.pfx
  Custom certificate encryption key: your-randomly-generated-password
          Custom certificate domain: home-plex.mydomain.com

(Screenshot: Plex Media Server Let’s Encrypt certificate config)

Restart the Plex Media Server and visit the web interface over encrypted HTTPS now, https://home-plex.mydomain.com:32400/web/. You should see in your web browser’s address bar the green lock indicating a secure connection to the Plex Media Server.

You’re done! … Well, almost done!

Renewing the Let’s Encrypt certificates

Let’s Encrypt certificates expire after a few months and the proper way to utilize them with any server/application is to schedule a frequent renewal check. On top of that, we want to ensure that once our certificate has been renewed, it is also converted to the PKCS #12 container format and the Plex Media Server is restarted to reload the new PKCS #12 certificate.

This is fairly easy, with certbot’s option --renew-hook (check what it does with certbot --help renew) and a cronjob like the following:

#Mins  Hours  Days   Months  Day of the week
# Attempt a renewal once a day at 5:30am; the --renew-hook command(s) run only when a certificate was actually renewed.
# A crontab entry cannot be continued with a backslash, so the whole command must stay on one line.
# The hook uses "restart" (not "start"): Plex is already running when it fires, and only a restart makes it reload the new PKCS #12 file.
30 5 * * * certbot certonly --standalone --quiet --config-dir /etc/letsencrypt --preferred-challenges tls-sni-01 -d home-plex.mydomain.com --renew-hook "/etc/plex/plex-renew-cert.sh && /etc/init.d/plex-media-server restart"

I have built ICU v59.1 with MSVC 2015 & 2017 which are available at the Precompiled ICU page.
In the respective archives you will find, as always, the dynamic and statically linked libraries.

Note that ICU cannot be built with any of the older MSVC compilers, as support has been dropped upstream. Thus only MSVC 2015 and 2017 are available from now on.

I am now compiling all libraries with the recently released MSVC 2017 compiler. You can find OpenSSL v1.1.0e and v1.0.2k, along with the batch build scripts, in the Precompiled OpenSSL page.