Recently we published a webinar on our Facebook page about the use of Data Diodes. We thought it would be illustrative and instructive to run the webinar from behind the protection of our AROW Data Diode.
Creating the webinar content was straightforward: a standard PowerPoint presentation with live audio narration, and we used Open Broadcast Studio to create the streaming version of the display. We ran the whole thing on a standard Windows laptop, connected to the protected side of our Data Diode. Connection to the diode is a simple matter of cabling the GBE Ethernet port to the laptop Ethernet port. We use mpegts as our container, utilising the native TCP properties of the data diode.
So far so good: we can stream the display across the diode, and to check, we can connect another PC running VLC directly to the diode output. VLC decodes and displays the screen capture from our laptop.
The next problem is connecting to Facebook Live. This has recently (Nov 2019) changed to require a more secure protocol, RTMPS: Real Time Messaging Protocol with SSL security.
If our laptop was not behind a diode, this would be simple. OBS can be configured to accept the unique key, and the streaming protocol is built in. However, one of the problems of using a diode is that there can be no handshake, exchange of keys or any part of a protocol that requires communication with the host.
So to overcome this, we need to insert a proxy server on the unprotected side of the diode. We need to take the streamed output of the diode and transcode it to provide the protocol, and the secure key that Facebook Live demands. Step up ffmpeg. The latest version (>4.2) includes support for RTMPS, and it will accept our mpegts stream and carry out all of the transcoding necessary.
Of course this needs a platform to run on. Normally our test and development setup uses some hefty servers, for network stress-testing, fault simulation and so on. This time, for fun, we thought we would try a Raspberry Pi!
Version 4 of this single board computer is a well-appointed offering. A full-spec GBE Ethernet port, and a substantial amount of RAM, together with a 4-core processor is worth investigating. For this experiment we stuck with Raspbian as the OS, but for a permanent situation, nothing less than SELinux would be required. We also needed to add in the missing software components – ffmpeg, some dependency libraries and some handy networking tools for debugging.
At the time of writing, ffmpeg needs to be built from sources to incorporate all we need to support the RTMPS protocol on Raspbian. This is quite straightforward.
First, grab those dependencies. From the RPI terminal,
sudo apt-get install libssl-dev libomxil-bellagio-dev
The first of these is the headers and library for OpenSSL; the second is optional and allows the RPI to use its GPU for hardware acceleration when converting H.264.
Now get the ffmpeg source, clone it to a simple directory, and build from inside that directory:
sudo git clone https://git.ffmpeg.org/ffmpeg.git ffmpeg
cd ffmpeg
sudo ./configure --arch=armel --target-os=linux --enable-gpl --enable-libx264 --enable-nonfree --enable-openssl --enable-omx --enable-omx-rpi
sudo make -j4
sudo make install
Now we have ffmpeg installed.
Facebook Live has a syntax requirement of [path_to_url][secret_key]
You obviously need a Facebook account to get the path and key, and there are Facebook instructions on streaming a live broadcast.
We also need to dive into the ffmpeg command line syntax.
We need an input, some rate modifier, some codec conversion and an output. This for our purposes is:
ffmpeg -re -i tcp://10.0.1.11:9876 -c:v libx264 -f flv "rtmps://live-api-s.facebook.com:443/rtmp/[KEY]"
where tcp://10.0.1.11:9876 is the AROW IP address and port for tcp, and KEY is our secret key.
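An added example, not part of the original article: a launcher for the proxy on the RPI that reads the secret key from a file only its owner can access, so the key stays out of the script and the shell history, and that confirms the ffmpeg build lists rtmps before starting. The key file path /etc/fb-stream.key and the function names are assumptions; the addresses and ffmpeg options are the ones given above.

```shell
#!/bin/sh
# Added example: launcher for the ffmpeg proxy on the unprotected side.
# KEY_FILE and all function names are assumptions, not from the article.
DIODE_SRC="tcp://10.0.1.11:9876"                     # AROW output (from the article)
INGEST="rtmps://live-api-s.facebook.com:443/rtmp/"   # ingest URL (from the article)
KEY_FILE="${KEY_FILE:-/etc/fb-stream.key}"           # hypothetical key location

# True only for a regular file with no group/other permission bits set.
key_file_is_private() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Print the key from the first line of the file; fail if the file is
# accessible to others, or the key is empty or contains whitespace.
read_stream_key() {
    key_file_is_private "$1" || {
        echo "refusing $1: remove group/other access (chmod 600)" >&2; return 1; }
    key=""
    IFS= read -r key < "$1" || true          # tolerate a missing final newline
    key=$(printf '%s' "$key" | tr -d '\r')   # tolerate CRLF line endings
    stripped=$(printf '%s' "$key" | tr -d '[:space:]')
    if [ -z "$key" ] || [ "$key" != "$stripped" ]; then
        echo "key in $1 is empty or contains whitespace" >&2; return 1
    fi
    printf '%s' "$key"
}

# True if this ffmpeg build lists rtmps among its protocols.
ffmpeg_has_rtmps() {
    ffmpeg -hide_banner -protocols 2>/dev/null | grep -qw rtmps
}

# Check prerequisites, then replace this shell with ffmpeg.
run_proxy() {
    ffmpeg_has_rtmps || { echo "ffmpeg has no rtmps support" >&2; return 1; }
    key=$(read_stream_key "$KEY_FILE") || return 1
    exec ffmpeg -re -i "$DIODE_SRC" -c:v libx264 -f flv "${INGEST}${key}"
}

if [ "${1:-}" = "run" ]; then
    run_proxy
fi
```

Invoke the script with the single argument run to start streaming. The key still appears in ffmpeg's argument list, which other local users can read with ps, so the permission check protects the key at rest rather than while the stream is running.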
We need two IP addresses on our RPI. We could use the WiFi port to connect to our business network and the outside world, or we can add a second IP address to the RPI and keep everything wired. (The RPI has only one physical GBE port.)
For completeness and as a demo we choose the second.
To add a second IP address, simply create a DHCPCD hook.
In a file named /etc/dhcpcd.exit-hook add the line
ip address add 10.0.1.12/24 dev eth0
This address won’t be routed to the outside world, and is only used to connect to AROW.
Now the details for OBS on our laptop. OBS can transcode to mpegts, but only via its Record output setup (in V24.03).
To get to this, go to File/Settings/Output, set the Output mode to 'Advanced', open the Recording tab and select the type as 'Custom Output (ffmpeg)'. Set the ffmpeg Output type to 'Output to URL', then type in the AROW IP address, viz. tcp://10.0.0.9:9876, and set the container format to 'mpegts'.
So now we are all set. Log in to your Facebook page and navigate to the Live control window. Fire up the RPI, set the ffmpeg converter going, then start the OBS capture for your window, using the Start Record button (not Start Streaming). After a few seconds, depending on your network speed, the Facebook preview window should start showing the contents of your laptop window. Hit Go Live and the world will see your laptop display window, plus any audio, so you can begin your narration.
Happy safe streaming!
Note: Of course, the instructions here are more about setting up the OBS and RPI systems. The AROW Data Diode just needs connections and IP addresses, since it needs no other software to support streaming.
And the principles apply to any streaming situation where you need to protect your network, but communicate using protocols that require key exchange or other bi-directional handshaking.