Saturday, September 23, 2023

ThousandEyes Pi4 Wireless Deployment at Black Hat USA


A deployment guide for wireless ThousandEyes agents deployed to monitor the Black Hat 2023 conference, by Adam Kilgore & Ryan MacLennan

ThousandEyes (TE) Black Hat 2023 Deployment Guide

This guide documents the setup and installation procedures used to deploy ThousandEyes at Black Hat 2023. It covers configuration of the TE agent on Raspberry Pi 4, including both wired and wireless configurations. Hardware needed for the various setup tasks is also listed.

Limitations of Deploying ThousandEyes Enterprise Agents on Raspberry Pi

Please note that TE Enterprise Agents only show data for layer 3 hops and do not show wireless access point data. This applies to deploying the TE Enterprise Agent on the Raspberry Pi and configuring it for wireless. The only TE agent that can provide wireless AP data is the TE Endpoint Agent, which is intended to be installed on laptops and personal devices.

Hardware Checklist for the Conference

There are several hardware contingencies that must be accounted for before conference setup can take place.

  1. A keyboard that can connect to the USB port on the Raspberry Pi
  2. Laptops that can connect to the Pi Micro SD for TE agent provisioning. We used several different solutions for this:
    • An SD card to Micro SD adapter, which connected to the SD reader on a Mac laptop (the SD reader is not available on all models)
    • A Vivitar Micro SD to USB-C adapter, which connected to the USB-C port on a Mac laptop
    • A Micro SD to USB adapter that came with the Raspberry Pi 4 CanaKit. This was connected to a USB to USB-C Mac adapter
  3. Monitors that can connect to the Raspberry Pi Micro HDMI port. This can be as simple as a standard HDMI monitor that connects to the Pi via HDMI to Micro HDMI, but those were not available during the setup days of the conference. We used two solutions:
    • A portable monitor that connected to the Pi via an HDMI to Micro HDMI cable
    • An adapter that connected to the Pi via Micro HDMI, connected to a Mac HDMI adapter, with the Mac HDMI adapter connected to a USB-C port on the Mac laptop

Pi Hardware Assembly

Black Hat 2023 Pi 4 Kits

10x Raspberry Pi 4 CanaKits, each with the following:

  • 32GB Micro SD card
  • Micro SD to USB adapter
  • Case
  • Heatsink
  • Fan

Example of assembled Pi with heatsinks and fan attached:

Note that we had overheating issues with the fan set to pull air out of the case. Orienting the fan to blow into the Pi case was more effective for our deployment.

Provision the ThousandEyes Image onto the Pi Micro SD

The Raspberry Pi reads Micro SD cards. The installation procedure is to download the TE Pi installer from the TE GUI, connect the Micro SDs to the provisioning laptops, and then use balenaEtcher to install the TE image to the Micro SD.

Retrieving the TE Agent Image & Documentation

From the ThousandEyes GUI, navigate to Cloud & Enterprise Agents > Agent Settings.

Click on Add New Enterprise Agent.

Locate the entry for Raspberry Pi 4 and click the Download – IMG button. The Installation Guide for the Pi installation is also available from this page.

Connect the Micro SD(s) to Provisioning Laptops

If the provisioning laptops do not have a Micro SD card reader, adapter solutions will be needed to install the TE image to the Micro SD. For Black Hat 2023, we used a combination of the following hardware with Mac laptops.

2x Vivitar Mac USB-C to Micro SD adapter

1x Mac USB-C to USB adapter + 1x USB Micro SD Card Reader (included with some Pi bundles; the USB reader has an additional slot for the Micro SD card and then plugs into a USB port, in this case the Mac adapter shown).

1x Micro SD to SD adapter

Install the TE Image to Micro SDs

We used balenaEtcher to write the TE images to Micro SD, as covered in the TE Pi deployment guide.

Note that Etcher can write multiple images to multiple Micro SDs at once; the only limit is the number of Micro SD cards that can be connected to the provisioning laptops (USB-C, Micro SD card reader, USB port, etc.) at once.

Optional: Use Scripts to Provision Wireless that will Persist Across Reboots

Creating the wireless configuration for the Pi can take place either before or after booting the Pi for the first time with the Micro SD image that was configured in the prior section. If you want to create the wireless configuration before booting the Pi, please follow the steps in this section. However, if wireless is not being used or wireless configuration can take place after booting the Pi, this section can safely be skipped. Please note that configuring wireless after booting the Pi will require enabling SSH on the TE agent, along with any requisite firewall rules to reach the Pi over port 22.

Also note that this section requires specific hardware and software, as covered in the next paragraphs. If the needed hardware and software are not available, the wireless configuration can still be accomplished using the manual procedures given in later sections.

Before beginning the configuration, note that the SSID and SSID password will be hard coded. If the TE agent cannot connect to the hardcoded SSID after reboot, the wireless connection will fail. If the hardcoded SSID and password need to be changed after the initial setup, it will be necessary to (re)enable SSH on the TE agent.

Also note that the TE agent file system must be mounted onto a computer to perform these steps. At Black Hat 2023, we were only able to accomplish this step using a Linux OS. Attempts to mount the Micro SD on Mac did not correctly mount the TE agent partitions.

  • Log in to a Linux system and attach a Micro SD with the TE agent installed (this procedure was covered in the prior section). Use the Micro SD connection method provided at the beginning of the guide.
  • Run the df command to verify the mounted partitions. The below screenshot shows the df output before and after connecting the Micro SD card, with the two mounted partitions visible after running the second df command. Note the partition paths highlighted in red, as they will be needed to create the doit.sh script in Step 5.

  • Create a file named rc.local in a designated directory. The specific name ‘rc.local’ is necessary for the script to run during the TE agent bootup process.
  • Create the script file:

# vim rc.local

  • Type ‘i’ to edit, and type or paste the following:

#!/bin/bash
/configure_te_pi.sh
exit 0

  • Type ‘:’ then ‘wq!’ to save the changes and exit the file.
  • Create the configure_te_pi.sh script in the same directory as the rc.local file. Replace the <SSID> and <SSID password> fields in the below script with the SSID and PSK that the Pi will connect to. The SSID and PSK can also be changed later, but this will require enabling SSH on the TE agent and then connecting to it.
  • Create the script file:

# vim configure_te_pi.sh

  • Type ‘i’ to edit, and type or paste the following:

#!/bin/bash
apt-get update -y
apt-get install te-va-unlock -y
apt-get install net-tools ifmetric wireless-tools -y
ifconfig wlan0 up
wpa_passphrase "<SSID>" "<SSID password>" > /etc/wpa_supplicant.conf
wpa_supplicant -B -i wlan0 -c /etc/wpa_supplicant.conf -D wext
ifmetric eth0 200
sed -i '1iauto wlan0\niface wlan0 inet dhcp' /etc/network/interfaces
dhclient wlan0
systemctl mask apt-news.service
systemctl mask esm-cache.service

  • Type ‘:’ then ‘wq!’ to save the changes and exit the file.
  • Create the doit.sh script in the same directory as the prior two scripts. Note that the paths to the /writable and /system-boot mounts will need to be filled in with the paths gathered in Step 1.
  • Create the script file:

# vim doit.sh

  • Type ‘i’ to edit, and type or paste the following, editing the paths to match the output in Step 1:

#!/bin/bash
# rc.local goes in /etc on the mounted agent partition
cp rc.local /media/<username>/writable/etc
# configure_te_pi.sh goes in the partition root, where rc.local calls it
cp configure_te_pi.sh /media/<username>/writable
chmod +x /media/<username>/writable/configure_te_pi.sh
chmod +x /media/<username>/writable/etc/rc.local
umount /media/<username>/system-boot
umount /media/<username>/writable

  • Type ‘:’ then ‘wq!’ to save the changes and exit the file.

An example of the script created for the output in Step 1 is provided below.

#!/bin/bash
cp ~iredden/rc.local /media/iredden/writable/etc
cp ~iredden/configure_te_pi.sh /media/iredden/writable
chmod +x /media/iredden/writable/configure_te_pi.sh
chmod +x /media/iredden/writable/etc/rc.local
umount /media/iredden/system-boot
umount /media/iredden/writable

  • Run the doit.sh script. The doit.sh script will perform the configuration and then unmount the partitions, as shown below.

With the above steps complete, the Micro SD card can be removed from the computer and connected to the Raspberry Pi. The Pi will execute the scripts during bootup and connect to wireless, if the configured SSID is reachable and the PSK is correct. Please see the next section for setup instructions and other considerations.

Also note that a wired connection to the Pi is still recommended for initial setup. Although the Pi TE agent can successfully pull a wireless IP address during initial bootup, the TE agent will not display a wireless IP address on a connected monitor, only a wired one.

Initial Setup of TE Agent

The Provision the ThousandEyes (TE) Image onto the Pi Micro SD section of this guide covered how to provision TE agents onto Micro SD cards. An optional section covering how to script wireless capability onto the TE agent image was also provided in the Use Scripts to Configure Wireless that will Persist Across Reboots section. This section will cover how to use the TE agent on the Micro SD card to perform initial setup.

Connect Micro SD to Raspberry Pi

Once the TE image has been installed on the Micro SD, connect the Micro SD to the Raspberry Pi.

Connect an Ethernet Cable to the Pi

It is important to know the IP address assigned to a TE agent after initial boot in order to complete initial registration. While a Pi with a wireless-configured TE agent can pull a wireless IP during its initial bootup, it will not display the wireless IP on a connected monitor, only a wired IP address. For this reason, it is still recommended to connect an ethernet cable to a wireless Pi before initial power on and use the assigned eth0 IP to perform initial setup. The only alternative to a wired connection on initial boot is to identify the wireless IP address of the TE agent by means other than a connected monitor, such as via direct access to the wireless AP that the TE agent connects to.

Connect Keyboard and Monitor to Raspberry Pi

Two pieces of hardware are used to perform the initial setup of the Raspberry Pi TE agent: (1) a keyboard that can connect to the Pi via USB, and (2) a screen that can connect to the Pi via Micro HDMI. Initial setup can be performed without the keyboard if (a) an IP address is assigned to the TE agent via DHCP, and (b) the DHCP address can be identified via the connected screen or by other means. Similarly, initial setup can be completed without the screen if there is another way to identify the DHCP IP address assigned to the TE agent, such as admin access to the switch connected to the TE agent.

Despite the above alternatives, a connected keyboard and monitor are recommended for ease of deployment and any needed troubleshooting.

For the keyboard, we used a Bluetooth keyboard with a detached USB fob, but any keyboard that can connect to the Pi via USB will work.

For the screen, we used two separate hardware solutions.

The first solution is a Kenowa portable monitor with an HDMI to Micro HDMI cable. The HDMI side of the cable connects to the Kenowa, and the Micro HDMI side of the cable connects to the Raspberry Pi.

The second solution we used is an Elgato adapter that sits between the Raspberry Pi and a Mac laptop. The Pi connects to the Elgato via a Micro HDMI to HDMI cable. The Elgato uses a standard HDMI cable to connect to the HDMI side of a Mac HDMI to USB-C adapter, with the USB-C side of the Mac adapter connecting directly to a Mac laptop.

Confirm Pi Hardware Connections

With the hardware configurations in the prior sections complete (i.e. the Pi is connected to an ethernet port, monitor, and keyboard), connect the Pi power adapter to start initial boot.

Connect to the TE Agent GUI

Once the Pi is powered on, the TE agent installation will take a few minutes to run (more if internet access is not available). Once the bootup is complete, the Pi will display a message if an IP address was assigned to the ethernet port via DHCP.

If no IP address was assigned to the ethernet port via DHCP, the TE agent will display a different message stating no IP address is configured. If so, it will be necessary to either manually assign an IP address to the ethernet port using a keyboard, or identify the IP address of the wireless interface using admin access to the connected wireless AP.

  • Once the IP address of the TE agent is known, connect to the IP via HTTPS and log in with username admin and password welcome.

  • Change the default password to something more secure and click Change Password.

  • The GUI should automatically take you to Agent in the left menu.

  • Keeping the ThousandEyes Physical Appliance GUI open, create a new tab in your browser and connect to the ThousandEyes web GUI, then click on Cloud & Enterprise Agents > Agent Settings.

  • Click on Add New Enterprise Agent.

  • Copy the Account Group Token. Note: the Copy button may not work, in which case click the eye icon to show the token and copy it manually.

  • Return to the TE agent GUI and paste the Account Group Token into the Agent. Click Continue.

  • The GUI will automatically load the Review page; the Appliance Status and Diagnostics fields should change to green as the registration completes. Click the Complete button.

  • Click on the Network tab.

  • Configure the hostname for the agent.

  • Scroll down to the DNS configuration and enter the internal and external DNS servers. By default, the agent will use the 208.67.222.222 and 208.67.222.220 external Umbrella DNS servers. These can be moved to DNS server 3 and 4 if internal DNS servers are preferred.

Manual Wireless Config Track

The Raspberry Pi TE agent can only connect via a wired connection using the default installation. If wireless is needed for the deployment but the necessary hardware/software was not available for the Optional: Use Scripts to Configure Wireless that will Persist Across Reboots section, or if the TE agent has already been deployed, the series of manual configuration steps starting in this section can be used to configure persistent wireless on a Pi TE agent.

Manual Wireless Config Track: Connect to the TE Agent via SSH

Documentation for connecting to a Pi TE agent via SSH can be found in this guide.

Manual Wireless Config Track: Jailbreak the TE Agent (to allow Wireless config)

Jailbreaking the TE agent is necessary for escalating to root and performing the commands needed to build the scripts for the wireless configuration.

We should update the Ubuntu OS before running the jailbreak command. Connect to the TE agent via SSH, then run the following two commands to first update the OS and then jailbreak the installation:

$ sudo apt-get update
$ sudo apt-get install te-va-unlock

With the TE agent successfully jailbroken, we can now escalate to root and perform the rest of the configuration.

Manual Wireless Config Track: Configure Wireless that will Persist Across Reboots using only the Pi

Before beginning this section, note that the SSID and SSID password will be hard coded. If the TE agent cannot connect to the hardcoded SSID after reboot, the wireless connection will fail. If the hardcoded SSID and password need to be changed after the initial setup, it will be necessary to (re)enable SSH on the TE agent and connect to it over SSH.

  • Escalate to root and create a file named rc.local in the /etc directory. The name is necessary for the script to run during the TE agent bootup process.

Create the script file:

$ sudo su
# cd /etc
# vim rc.local

  • Type ‘i’ to edit, and type or paste the following:

#!/bin/bash
/configure_te_pi.sh
exit 0

  • Type ‘:’ then ‘wq!’ to save the changes and exit the file.
  • Run the following to set the script permissions:

# chmod +x /etc/rc.local

  • Create the configure_te_pi.sh script in the top level / directory. Replace the <SSID> and <SSID password> fields in the below script with the correct values. The SSID and password can also be changed later, but this will require a later SSH connection to the agent.
  • Create the script file:

# cd /
# vim configure_te_pi.sh

  • Type ‘i’ to edit, and type or paste the following, replacing the <SSID> and <SSID password> fields with the correct values:

#!/bin/bash
apt-get update -y
apt-get install te-va-unlock -y
apt-get install net-tools ifmetric wireless-tools -y
ifconfig wlan0 up
wpa_passphrase "<SSID>" "<SSID password>" > /etc/wpa_supplicant.conf
wpa_supplicant -B -i wlan0 -c /etc/wpa_supplicant.conf -D wext
ifmetric eth0 200
sed -i '1iauto wlan0\niface wlan0 inet dhcp' /etc/network/interfaces
dhclient wlan0
systemctl mask apt-news.service
systemctl mask esm-cache.service

  • Type ‘:’ then ‘wq!’ to save the changes and exit the file.
  • Run the following to set the script permissions:

# chmod +x /configure_te_pi.sh

Reboot the Pi and test to confirm that the wireless NIC can connect to the ThousandEyes web account.

Validate Wireless Interface in the ThousandEyes Web GUI

Confirm Wired and Wireless IPs

  • From the ThousandEyes web GUI, navigate to Cloud & Enterprise Agents > Agent Settings.

  • Identify a registered TE agent with a wireless interface, then click on it.

  • Locate the General Information section. The private IP address of the TE agent will be displayed, which is the IP address that the TE agent used to connect to the ThousandEyes web manager. If the TE agent has both an ethernet and wireless port, you can click the System Information link to confirm which IP address is assigned to each interface.

Confirm Wired and Wireless Interfaces for Tests

  • Navigate to Cloud & Enterprise Agents > Test Settings.

  • Expand one of the tests and then expand Agents.

  • Click on the Enterprise button and expand the dropdown next to an agent with wireless enabled. If the agent has both a wired and a wireless interface enabled, they will both be displayed as in the screenshot below.

About Black Hat

For 26 years, Black Hat has provided attendees with the very latest in information security research, development, and trends. These high-profile global events and trainings are driven by the needs of the security community, striving to bring together the best minds in the industry. Black Hat inspires professionals at all career levels, encouraging growth and collaboration among academia, world-class researchers, and leaders in the public and private sectors. Black Hat Briefings and Trainings are held annually in the United States, Europe and USA. More information is available at: BlackHat.com. Black Hat is brought to you by Informa Tech.

Appendix

GitHub with scripts

ThousandEyes Wireless Setup GitHub

ThousandEyes Ports and Protocols

For TE agents to operate correctly, they will need to both connect to ThousandEyes over the internet and have firewall ACL access to perform any configured tests. Refer to the following document for lists of ports and protocols by region.

https://docs.thousandeyes.com/product-documentation/global-vantage-points/enterprise-agents/configuring/firewall-configuration-for-enterprise-agents

Script Functions Explained

Scripts to enable wireless functionality of the Raspberry Pi TE agent on startup are included in the Optional: Use Scripts to Provision Wireless that will Persist Across Reboots and Manual Wireless Config Track sections of this guide. This appendix section explains the script functionality line by line.

rc.local – this script will run as part of the TE agent startup process.

#!/bin/bash – initialize the script to run using bash
/configure_te_pi.sh – run the configure_te_pi.sh script
exit 0 – exit

configure_te_pi.sh – this script will configure the TE agent for wireless functionality

#!/bin/bash – initialize the script
apt-get update -y – update the underlying Ubuntu OS
apt-get install te-va-unlock -y – jailbreak the TE agent to allow additional sudo access
apt-get install net-tools ifmetric wireless-tools -y – install tools to allow wireless functionality
ifconfig wlan0 up – bring up a wireless LAN interface
wpa_passphrase "<SSID>" "<SSID password>" > /etc/wpa_supplicant.conf – configure SSID and PSK values for the wireless connection and write them to the wpa_supplicant.conf file
wpa_supplicant -B -i wlan0 -c /etc/wpa_supplicant.conf -D wext – imports the wpa_supplicant file and configures the wireless LAN interface to use the wext driver
ifmetric eth0 200 – set the wired interface to have a lower priority than the wireless interface
sed -i '1iauto wlan0\niface wlan0 inet dhcp' /etc/network/interfaces – configure DHCP for the wireless interface
dhclient wlan0 – enable DHCP for the wireless interface
systemctl mask apt-news.service – prevent apt-news.service from running. See the Wireless TE Agent Update Failure section for more information
systemctl mask esm-cache.service – prevent the esm-cache.service from running. See the Wireless TE Agent Update Failure section for more information
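
Two details of the wpa_passphrase and sed lines explained above are worth tightening: wpa_passphrase echoes the cleartext passphrase into its output as a #psk= comment, and because rc.local runs on every boot, the sed insert prepends another wlan0 stanza each time. The following is an added example, not part of the original guide or the ThousandEyes scripts; the function names, scratch paths and sample wpa_passphrase output are constructed for illustration, and configure_wifi assumes the real wpa_passphrase tool is installed.

```shell
#!/bin/bash
# Added example (not from the original guide). Function names, file paths
# and the sample text are constructed for this illustration.

# Constructed sample of wpa_passphrase output: the tool echoes the cleartext
# passphrase as a "#psk=" comment above the derived 64-hex-digit key.
sample_wpa_output() {
    cat <<'EOF'
network={
    ssid="ExampleSSID"
    #psk="example-passphrase"
    psk=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
}
EOF
}

# Remove the cleartext "#psk=" comment; the derived psk= line is kept.
strip_plaintext_psk() {
    grep -v '^[[:space:]]*#psk='
}

# Write stdin to file $1 so that only its owner (root on the agent) can read it.
write_private() {
    ( umask 077 && cat > "$1" ) && chmod 600 "$1"
}

# Prepend the wlan0 DHCP stanza to interfaces file $1 unless it is already there.
ensure_wlan_stanza() {
    [ -f "$1" ] || : > "$1"
    if grep -q '^iface wlan0 inet dhcp' "$1"; then
        return 0
    fi
    { printf 'auto wlan0\niface wlan0 inet dhcp\n'; cat "$1"; } > "$1.new" &&
        mv "$1.new" "$1"
}

# Hardened form of the wpa_passphrase and sed steps.
# usage: configure_wifi <ssid> <passphrase> <wpa conf path> <interfaces path>
configure_wifi() {
    local out
    out=$(wpa_passphrase "$1" "$2") || { echo "wpa_passphrase failed: $out" >&2; return 1; }
    printf '%s\n' "$out" | strip_plaintext_psk | write_private "$3" &&
        ensure_wlan_stanza "$4"
}

# Offline demonstration on scratch files, using the constructed sample in
# place of a real wpa_passphrase run.
demo() {
    local dir
    dir=$(mktemp -d) || return 1
    sample_wpa_output | strip_plaintext_psk | write_private "$dir/wpa_supplicant.conf"
    ensure_wlan_stanza "$dir/interfaces"
    ensure_wlan_stanza "$dir/interfaces"   # second "boot": no duplicate stanza
    ls -l "$dir/wpa_supplicant.conf"
    cat "$dir/wpa_supplicant.conf" "$dir/interfaces"
    rm -rf "$dir"
}
demo
```

On the agent, the call would be configure_wifi "<SSID>" "<SSID password>" /etc/wpa_supplicant.conf /etc/network/interfaces in place of the original wpa_passphrase and sed lines.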

Wireless TE Agent Update Failure

During testing of the wireless TE agent for Raspberry Pi, it was noticed that the agents lost connectivity with the ThousandEyes web manager after a variable amount of time. Troubleshooting multiple failed agents identified logs associated with updates to the apt-news.service and esm-cache.service processes immediately before failure of the wlan:

syslog

Aug  6 02:17:04 registration-wireless systemd[1]: Started PackageKit Daemon.
Aug  6 02:17:20 registration-wireless systemd[1]: Starting Update APT News
Aug  6 02:17:20 registration-wireless systemd[1]: Starting Update the local ESM caches
Aug  6 02:17:21 registration-wireless systemd[1]: apt-news.service: Succeeded.
Aug  6 02:17:21 registration-wireless systemd[1]: Finished Update APT News.
Aug  6 02:17:22 registration-wireless systemd[1]: esm-cache.service: Succeeded.
Aug  6 02:17:22 registration-wireless systemd[1]: Finished Update the local ESM caches.
Aug  6 02:18:38 registration-wireless systemd-networkd[667]: wlan0: Lost carrier

More information on the two services can be found here:

https://askubuntu.com/questions/1452519/what-are-the-services-apt-news-and-esm-cache-and-how-do-i-disable-them

Masking the services so they are not run by systemd resolved the failure of wlan0:

$ sudo systemctl mask apt-news.service
$ sudo systemctl mask esm-cache.service

The above commands were then added to the startup scripts.
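
To check other agents for the same pattern, the following added example (not from the original guide) scans syslog text for wlan0 "Lost carrier" events and lists the systemd services that logged success in the preceding window. The function name and the 120-second default window are assumptions; the sample input is the excerpt above plus one constructed line.

```shell
#!/bin/bash
# Added example (not from the original guide). The function name and the
# default 120-second window are assumptions made for this illustration.

# Sample input: the syslog excerpt above plus one constructed line (the last)
# showing a carrier loss with no service activity near it.
sample_syslog() {
    cat <<'EOF'
Aug  6 02:17:04 registration-wireless systemd[1]: Started PackageKit Daemon.
Aug  6 02:17:20 registration-wireless systemd[1]: Starting Update APT News
Aug  6 02:17:20 registration-wireless systemd[1]: Starting Update the local ESM caches
Aug  6 02:17:21 registration-wireless systemd[1]: apt-news.service: Succeeded.
Aug  6 02:17:21 registration-wireless systemd[1]: Finished Update APT News.
Aug  6 02:17:22 registration-wireless systemd[1]: esm-cache.service: Succeeded.
Aug  6 02:17:22 registration-wireless systemd[1]: Finished Update the local ESM caches.
Aug  6 02:18:38 registration-wireless systemd-networkd[667]: wlan0: Lost carrier
Aug  6 09:40:10 registration-wireless systemd-networkd[667]: wlan0: Lost carrier
EOF
}

# Read syslog text on stdin. For every "wlan0: Lost carrier" event print its
# timestamp and each service that logged "Succeeded." in the previous
# $1 seconds (default 120), or "none". Timestamps are compared by day of
# month and time only, so a window that spans a month boundary is missed.
units_before_carrier_loss() {
    awk -v win="${1:-120}" '
    function secs(day, hms,    p) {
        split(hms, p, ":")
        return day * 86400 + p[1] * 3600 + p[2] * 60 + p[3]
    }
    $5 == "systemd[1]:" && $6 ~ /\.service:$/ && $7 == "Succeeded." {
        n++
        unit[n] = substr($6, 1, length($6) - 1)   # drop the trailing colon
        at[n] = secs($2, $3)
        next
    }
    $5 ~ /^systemd-networkd\[/ && $6 == "wlan0:" && $7 == "Lost" && $8 == "carrier" {
        now = secs($2, $3)
        hits = ""
        for (i = 1; i <= n; i++) {
            d = now - at[i]
            if (d >= 0 && d <= win)
                hits = hits " " unit[i] "(" d "s)"
        }
        if (hits == "")
            hits = " none"
        print $1, $2, $3 ":" hits
    }'
}

sample_syslog | units_before_carrier_loss 120
```

On an agent, feed it the live log instead of the sample, for example units_before_carrier_loss 120 < /var/log/syslog.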

