Downloads
You can download complete images here:
Releases
- Valibox for the GL-Inet AR-150
  SHA256: f8eb8c4320ea2cf86d58035344c6a300f103e31a453e2e5f4cefb83be7490103
- Valibox for the GL-Inet MT300A
  SHA256: 188cea7dacafe29ee9b9bf6cc49ed1b335f0db3433b8eacc7249e72cd67aeae0
- Valibox for the VirtualBox (ova file)
  SHA256: e1e264cf92bf4dd59a845438f00509b767df70ad248939b9fa6479300e5b619f
- Valibox for the Raspberry Pi 4
  SHA256: 46d8ec57d7ee50ba0e93e69dab3077eaaf11e0715003607ce5d5ccb9077b32fe
Beta version
There is no beta version at this moment.
SPIN Source code
Older versions
Changelog
1.11
- Updated OpenWRT to 21.02.0
- Valibox firmware upgrade functionality has been ported to Luci
- Added a Luci configuration screen for SPIN
- Added an initial version of the Bridge mode on the gl-ar150 version
- Replace image for Raspberry Pi 3 by image for Raspberry Pi 4
- Updated SPIN to 1.0:
* Added support for bridge mode, where SPIN is not running on an access point,
but as a bump in the wire
* Spinweb now shows some suggestions on what could be wrong when it is
unable to connect to the MQTT server
* Added support for TLS (and wss) in spinweb
* Added option to enable HTTP authentication in spinweb
* Added support for mosquitto user authentication in spinweb
* Updated the vis library in the bubble app
* Improved logging options, spind can now log to syslog, file, and standard out,
and log to multiple targets simultaneously
* Reduced traffic exchanged between PCAP reader and spind by aggregating
information before sending it
* Added support for network communication between PCAP reader and spind
* Bugfixes
- Fixed issue in call to mkstemp() (https://github.com/SIDN/spin/issues/77)
- Fixed several small issues in the PCAP reader connection code core2ext
- Fixed issue with spinweb query parameter mqtt_port
(https://github.com/SIDN/spin/issues/79)
- Fixed a number of issues with the generated mosquitto configuration when
spind runs its own instance of mosquitto
- Fixed the issue where tcpdump could fail until router was rebooted
- Improved cleanup routines when SPIN fails to start
1.10
- Updated Unbound to 1.13
- Updated OpenWRT to 19.07.5
- Updated SPIN to 0.12
* SPIN is now, by default, directly reachable on port 13026, rather than
needing a reverse proxy for handling web traffic. It is still advisable
to set one up yourself, to add TLS support and other security.
* Added the SPIN Pcap Reader functionality
* Added a 'passive mode', where SPIN does not modify firewall rules
* The 'bubble app' now labels edges with the services or destination
ports of the traffic, such as 'ntp' or 'https'. This is based on the
destination port number, and SPIN does not inspect whether the traffic
actually matches the service. For instance, all traffic on port 443 is
shown as 'https'.
* Replaced the lua-based web API to control the SPIN daemon with an
internal libmicrohttpd-based implementation. This eases initial
configuration and reduces the dependencies of the package, while
still allowing optional additional security features through a
(manually configured) http frontend such as nginx or apache
* Improved the pcap upload screen. It now shows more data fields, as well
as suggested entries.
* SPIN can now automatically start mosquitto if necessary
* SPIN can now automatically load conntrack kernel modules and enable
IP Accounting
* Fixed a compilation issue when using Clang
1.9
- Updated OpenWRT to 19.07.0
- Small improvement of valibox page CSS
- Updated SPIN to 0.11:
* Added '-c' option to spind for specifying a configuration file
* Added '-e' option to spind for specifying an external traffic data input socket
* Added experimental DOTS signal message processing (disabled by default)
* Added small command-line tool to send DOTS signal messages
* Device flow data now includes port numbers and ICMP types
* Fixed an issue where spind would crash if the logfile can't be opened
* Fixed an issue where clicking on empty space in the Web UI showed an error
* Fixed an issue where traffic captures would time out
1.8
- Added time.nl to the list of NTP servers
- Updated OpenWRT to 18.06.4
- Updated SPIN to 0.10:
* The MQTT Traffic channel protocol has changed; node information is now sent in a separate subchannel,
and flow information uses node id's instead of the full node data
* Added RPC functionality: some information and functionality can now directly be accessed. If UBUS is
available, SPIN uses that. Otherwise, it will listen for JSON-RPC commands on /var/run/spin_rpc.sock.
An overview of the RPC methods can be requested by the RPC method 'list_rpc_methods'
* The web API now provides an endpoint for all RPC methods as JSON-RPC
* The SPIN/commands channel is no longer used for interactive commands, and all functionality in spind
handling commands here has been replaced by the RPC mechanism
* The bubble app now uses the web API rpc endpoint for commands and direct information retrieval (except
traffic data). This improves performance and reliability, but it does mean that both spind and
spin_webui must be running.
* 'Most recent flows' information can now be retrieved for devices on the network
* SPIN (and the bubble app) now provide functionality to block traffic between two specific nodes (in
addition to the existing 'all traffic from and to one node').
* Added an 'extsrc' source, where pcap data can be sent to SPIN directly
* The 'mqtt_host' on the bubble app now defaults to the host of the app itself
* Bugfixes and refactoring: see the git repository for details
1.7
- Added VirtualBox (innotek-gmbh-virtualbox) to the list of supported builds (experimental)
- Added Raspberry Pi 3 (raspberry,3-model-b) to the list of supported builds (experimental)
- Removed GL-Inet 6416 from the list of supported builds
- Updated OpenWRT to v18.06.2
- Updated SPIN to 0.9:
* Removed kernel module and replaced with conntrack/nflog/nfqueue implementation
* Added internal module registration and callback architecture
* Made (mqtt) commands more consistent (removed 'filter' and 'except')
* Internal node cache is now regularly cleaned
* Added SPIN configuration support (direct and with UCI)
* Added operational statistics (published in mqtt SPIN/stat channel)
* Added initial version of responsive SPA front-end (http://valibox./spin)
* Added very early profile concept
* Added PoC-tool 'pcap-reader'
* Added PoC-tool 'peak-detction'
* Fixed a memory leak
* Small updates and bugfixes in visualiser
1.6
IMPORTANT: Version 1.6 contains configuration changes that require 'Remember current configuration settings' to be DISABLED for this update.
- Change base system from LEDE to OpenWRT (18.06.1)
- Check for Wifi password length during initial setup
- Better check for referer in Autonta
- Separation of nginx configuration snippets
- Updated SPIN prototype to 0.7:
* Web UI now uses lua-minittp
* Added 'Download PCAP traffic' option to the bubble app, you can directly run tcpdump from the web interface now.
* Added 'protocol' field to mqtt traffic format
* Added a web API for configuration and control, see https://github.com/SIDN/spin/blob/master/doc/web_api.md
* From the WEB API, there is a very rudimentary option to control firewall rules through profiles (as a stepping stone to MUD which is planned for the next release)
1.5
- Updated LEDE to 17.01.4 (commit afca23558a2fbfb2cb044ec69bfb9a7447121927)
- Valibox update screen now also shows changelog if there are no updates
- nginx no longer logs to the file system (issue #4)
- Updated SPIN prototype to 0.6:
* Added DNS query logging / visualisation
* Big efficiency update in kmod/spind communication, which should result in far fewer 'missed' packets
* The location of the MQTT server is now flexible in all tools and daemons
* Fixed color of bubbles and arrows (#27, #29, #31)
* Fixed block and interface buttons (#28, #35)
* Fixed valibox interface when using the IP address in the browser (#32)
* Added command-line option to set/unset features of spin_enforcer
* Updated Vis library
* Added early MUD prototype
* Added early prototype of Provider API (in spin_enforcer and incident_report_listener)
* Improved node merging
1.4
- Changed base system from OpenWRT to LEDE due to support for newer GL-Inet devices
- Updated base system (including patches for krack)
- Assorted cleanups in data logging
- Fixed issue with updater not recognizing X.509 certificate
- Fixed issue where wifi password was not always updated when set by user
- Updated SPIN prototype to 0.5:
* Renamed main spin daemon spin_mqtt to spind
* Added 'block' and 'allow' functionality to SPIN graph front-end
* Added experimental 'auto block' tool spin_enforcer
* Added verbosity option to capture module
* Added 'local' mode option to capture module (use IN/OUT chains only, not FORWARD)
* Improvements in capture module
* Fixed issue where ignoring a node did not always remove all relevant other nodes from view
* Fixed issue where user-set name was not shown until restart
* Fixed issue where ARP table was not always read completely
1.3.0
- Updated to latest OpenWRT trunk and packages
- Updated SPIN prototype to 0.4
- Replaced direct websockets with central MQTT server
- Collection, filtering and blocking is now done through a kernel module for efficiency and to solve compatibility issues with other iptables tools
- Added visualisation of blocked traffic
- Fixed issue where user-set names were not remembered
- Fixed issue with spaces and other chars in password screen
1.2.0
- Added prototype version of the SPIN network traffic visualiser
- Ported AutoNTA to lua
- Massively increased speed of main pages
- Removed python dependencies
- Fixed a number of issues with the default configuration of the gl-mt300a image
1.1.3
- Updated Unbound to 1.6.0
- Improved initial password screen
- Remove listen on ULA in unbound
1.1.2
- Update to latest OpenWRT version
- Change defaults to match GL-inet values
1.1.1
- Enable NTA management by default
1.1.0
- Added initial wifi name and password settings page
- Added double-cookie protection of the 'Set NTA' and 'Update install' pages
- 'Ask NTA' page now shows the actual DNSSEC error
- The NTA management can now be turned off, so that you only see the DNSSEC error but cannot override it
- Update system now allows switching between release and beta
- Added 'keep settings' option to update system
- Various other improvements in update system
- Made all texts multilingual (currently the options are en_US and nl_NL)
- Added logging options (to syslog of OpenWRT)
- Added Valibox configuration tab in LuCI (to set language, logging, and disable NTA)
1.0.3
- Stop caching of dynamic internal pages
- HTML cleanup
1.0.2
- Use fixed local addresses instead of derived ones
1.0.1
- Fixed issue with setting the wrong internal IPv6 address
- Fixed issue where unbound would sometimes not start
- Improved layout of NTA pages
1.0.0
- Initial release
Device-specific notes and instructions
Raspberry Pi
To run the Valibox software on a Raspberry Pi, download the uncompressed image and copy it to a clean SD card. On Linux machines this can be done with the following command:
dd if=sidn_valibox_raspberrypi,4-model-b_1.11.bin of=/dev/sdX bs=2M conv=fsync
(where sdX is the appropriate device name for your SD card)
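Because dd writes whatever it is given, the image can first be checked against the SHA256 value listed under Releases. The function below is an added example, not part of the Valibox project; the name verify_image is hypothetical, and it assumes the published digest applies to the exact file being written.

```sh
# Added example: compare a downloaded image with a published SHA256 digest.
# verify_image FILE EXPECTED_SHA256
#   returns 0 on match, 1 on mismatch, 2 on unusable input
verify_image() {
    file=$1
    # Accept upper- or lower-case hex as pasted from a web page.
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')

    # A SHA256 digest is exactly 64 hex characters; reject truncated pastes.
    case $expected in
        ''|*[!0-9a-f]*)
            echo "expected value is not a hex digest" >&2
            return 2 ;;
    esac
    if [ "${#expected}" -ne 64 ]; then
        echo "expected value is not 64 hex characters" >&2
        return 2
    fi
    if [ ! -f "$file" ]; then
        echo "no such file: $file" >&2
        return 2
    fi

    # Read via stdin so unusual file names cannot alter the output format.
    actual=$(sha256sum < "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Usage with the Raspberry Pi 4 values from this page; dd runs only on a match.
# Assumption: the published digest applies to this exact file.
# verify_image 'sidn_valibox_raspberrypi,4-model-b_1.11.bin' \
#     46d8ec57d7ee50ba0e93e69dab3077eaaf11e0715003607ce5d5ccb9077b32fe \
#   && dd if='sidn_valibox_raspberrypi,4-model-b_1.11.bin' of=/dev/sdX bs=2M conv=fsync
```

A mismatch means the file should be downloaded again rather than written to the card.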
The default setup uses the wired connection of the Raspberry Pi as the ‘WAN’ interface, and offers a wireless access point on its built-in wifi adapter.
For more, and more general, information on running OpenWRT on a Raspberry Pi, see here
The default password for both the wireless network and the root user is ‘goodlife’; users are prompted to change this password before internet access is given.
VirtualBox
The VirtualBox image uses an ‘internal’ and an ‘external’ network; depending on how you would like the Valibox to work for other machines (virtual or not), configuration may differ.
It expects 2 network interfaces that need to be set up in the VirtualBox management interface; the first one will be the ‘WAN’ interface, and the second one the ‘LAN’ interface.
The first interface will be the ‘external’ interface; set this to ‘bridged adapter’.
The second interface will be the ‘internal’ interface (i.e. acting as a router for its connected devices). Depending on how you would like to use the VM, you’ll need to set up the second interface differently, so client devices (or other virtual machines) can use it as the router. For more information, see for instance here
Note that if your ‘internal’ interface uses a different subnet than 192.168.8.0/24, you may need to edit some configuration files on the device (such as unbound.conf and mosquitto.conf).
We have not (yet?) thought of a good general way to use this version with IoT-devices. If you have ideas or wishes for that, please let us know.
Installation guide for GL-Inet devices
Normal update
Standard installation:
- Connect a GL-inet to a computer or laptop
- Open a browser window and enter the URL http://192.168.8.1
- On the left-side menu, click ‘Upload Firmware’
- Then click ‘Upload Firmware’ in the upper right
- Select the valibox image file
Important! Disable the ‘keep settings’ checkbox!
- When the image has been verified, the Valibox software will be installed. This can take a number of minutes.
Boot override
Most devices have a second way of updating; this is worth a shot if the device does not start normally or you cannot access the administrator panels anymore.
This is the method for the GL-inet AR-150; for other versions or systems, the process may differ.
More information can be found at http://www.gl-inet.com/how-to-enter-the-uboot-web-ui/
- Make sure the GL-inet is powered off
- Connect a UTP cable from your computer to the WAN port of the GL-inet.
- While holding the reset button, power on the device. Keep holding the reset button for 5 seconds.
- Configure your computer to have the IP address 192.168.1.2
- Open a browser and go to http://192.168.1.1
- Upload the image file to install the Valibox software