personal blog

commit 26bb1a822c06e21f01bee838e71a1c4e5e2a09ce
parent fcd9dbde6041bcee416146abda11f2828c8c3799
Author: pyratebeard <>
Date:   Thu, 14 Jan 2021 10:56:14 +0000

all posts from 2017

Acontent/ | 164+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Acontent/ | 147+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Acontent/ | 19+++++++++++++++++++
Acontent/ | 64++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Acontent/ | 122+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Acontent/ | 241+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Acontent/ | 25+++++++++++++++++++++++++
Acontent/ | 29+++++++++++++++++++++++++++++
Acontent/ | 65+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
9 files changed, 876 insertions(+), 0 deletions(-)

diff --git a/content/ b/content/ 
@@ -0,0 +1,164 @@ +## degoogle part 1 + +Having always been concious of privacy I was surprised to realise how deep down the Google hole I had fallen. Ease of use is probably why it happened. It dawned on me that almost every app I was using on a daily basis had Google before it, all logged in from one account, and all syncing my data so that everything was seamless. I didn't like it. Having everything synced did make my life easier switching from laptop, to PC, to my phone, and back again; however, there was this little voice in the back of my head complaining about how much information one company knew about me. + +At the time I had 35GB of Google Drive storage, due to an offer when purchasing a SIM card. This offer was due to run out and drop me back down to the default amount of 15GB. As a fairly heavy user I needed the extra space, so I figured it was a good time to start looking around at new cloud backup providers. While I was looking for alternative storage I decided to see how easy it would be to replace all the Google applications currently used. + +So, in July 2016, the experiment began. + +### Part One + +Over a couple of days (which turned into weeks) I started investigating some alternatives to my most used Google applications. I'm not going to list all the alternatives I found and tested, I may do some posts regarding my testing if anybody is interested. + +In no particular order here is the list of Google applications I used on a regular basis: + +* Search +* Authenticator App +* Mail +* Contacts +* Drive +* Chrome +* Calendar +* Maps +* Keep +* Chromecast +* Photos +* Translate +* Hangouts +* Android +* Youtube + +The following are the replacements I have settled on (in the same order as the list above): + +* [DuckDuckGo](#duckduckgo) +* [Authy](#authy) +* [Protonmail](#protonmail) +* [? - contacts](#contacts) +* [Mega](#mega) +* [Firefox](#firefox) +* [? - calendar](#calendar) +* [Waze](#waze) +* [Evernote](#evernote) +* [? 
- chromecast](#cast) +* [Nothing](#photos) +* [WorldLingo](#translator) +* [Whatsapp/Telegram](#whatsapp) +* [CyanogenMod](#cyanogenmod) +* [Youtube](#youtube) + + +<br /> +#### DuckDuckGo +[Website]( + +This search engine had replaced Google for me a long time before attempting the switch. I can't remember when I first heard of DuckDuckGo, but after I had got use to their [!bangs]( I have not looked back. If I do ever want to use Google Search I will go through [StartPage]( + +<br /> +#### Authy +[Website]( + +Two-factor authentication is very important (security is NOT a dirty word!) and so I replaced the Google Authenticator app with Authy. I didn't have an issue moving all the accounts across, and you can enable multi-devices if you require the same authentication across more than one device. I haven't used this feature yet but it is handy to have. + +<br /> +#### Protonmail +[Website]( + +My replacement to Gmail split in two. I have my own email server (upcoming log!) and use my own domain, I had a second Gmail account for more professional places such as LinkedIn so I opted for Protonmail as the replacement. This was primarily because it is free, and encrypted. The free tier offers 500MB of storage and 150 messages a day. This suited my needs as I wouldn't be using it often. + +<br /> +#### Contacts + +One of the most useful features with Gmail is having all your contacts stored. When I moved to a new phone I only had to sign in to Google and instantly all my contacts are available. I never saved to the phone or the SIM, and that meant I could access them online if my phone was ever out of reach. + +I am yet to find an alternative to this. Currently I am performing my own sync between my phone and Mega, but it is not the same. + +<br /> +#### Mega +[Website]( + +You may have heard of Mega already, developed by the (in)famous [Kim Dotcom]( after his original venture, MegaUpload, was shutdown. 
Mega however strives to do things by the book while focusing on security. Their web based app is clean and easy to use. There is a desktop sync client, as well as mobile device apps. There is also a Firefox Extension to "reduce loading times, improve download performance and strengthen security". + +Apart from their security one of the other big selling points was the storage capacity. A standard free tier account recieves 50GB of storage! That is well over what I needed to replace Drive. + +<br /> +#### Firefox +[Website]( + +Switching to Firefox wasn't such a big deal for me. I had been an avid Firefox user prior to Chrome. At the time I wasn't keen on the fact that when you opened Firefox it loaded all tabs straight away, in Chrome it only loaded the focused tab. For me this was almost a deal breaker as I tend to leave a lot of tabs open. This feature seems to have been added at time of writing... so happy me! There is also the ability to create an account so you can sync your tabs and settings across multiple devices. This is useful as I use Firefox on a number of devices. + +<br /> +#### Calendar + +This is one application I haven't decided on a replacement for yet. Google Calendar was very useful for my girlfriend and I as we would share our calendars and be able to see what both of us were up to. If anybody has recommendations then let me know! + +<br /> +#### Waze +[Website]( + +Google Maps wasn't used too much as my truck had built in SatNav. It was handy on the odd occassion when the built in maps weren't up to date. As a replacement I switched to Waze. The interface is a bit more 'childish' but it links to other Wazers nearby for up to date information. Their website also has a Live Map. + +One thing Waze doesn't do is pedestrian directions. Prior to moving to Ireland I was living in London so [Citymapper]( was a life saver. An incredible app with up to date transport information and even a list of routes to take. 
Very handy when one of the tube lines was busy. Unfortunately Dublin isn't on Citymapper yet, but I'm making do. + +<br /> +#### Evernote +[Website]( + +Keep and Evernote aren't directly comparable. I was already using Evernote so it made sense to keep my notes on there as well. A pretty decent app which can be used in your browser or through a mobile app. + +<br /> +#### Cast + +This is another one I haven't found a replacement for. My Chromecast was used quite a lot for streaming Youtube and from my media server. I haven't tried any alternatives but couldn't decide on anything based on reviews. In the end I gave my Chromecast to my girlfriend... so I still get to use it. Win. + +<br /> +#### Photos + +A replacement wasn't needed for this as it was only used as the backdrop on the Chromecast. + +<br /> +#### Translator +[Website]( + +The translator wasn't used too often, occassionaly in Belgium when ordering beer. World Lingo is suitable enough for my uses, but it's only available through a browser. I can't say I spent too much time looking for a replacement app, I will probably start looking next time I'm in Belgium and need it urgently. + +One of the features I liked with Translator was the ability to point the camera at written text and see it translated. If there is another app which can do this then I would love to check it out. + +<br /> +#### Whatsapp +[Website]( + +Whatsapp isn't a replacement as such, it was already being used to keeping in touch with all my friends. Hangouts was only used between myself and a colleague, but they have moved to Whatsapp now so I don't need to worry about it. + +Another messenging application I use quite a bit is [Telegram]( Unfortunately a messenging app is only as useful as the number of people on it. As most people use Whatsapp I have to list that as my primary. + +<br /> +#### CyanogenMod +[Website]( - archive link as website is now defunct. + +When I started this expriment I was using and Android mobile. 
During the first phase I continued to use Android and the Google Play Store, which meant I was logged in with my Gmail account. The plan was to move away from stock Android on to CyanogenMod and use alternatives to Play Store. + +There will be more on this in Part Two so stay tuned! + +<br /> +#### Youtube +[Website]( + +Everybody knows youtube, it's the site with the [piano playing cat](! This hasn't been left to last on purpose, but it was the most annoying. There isn't really any alternative to Youtube, and the only reason I included it was because since Google took it over you can not create a non-Google account! I was going to create an account with my new email address, but logging into Youtube is logging into Google. I really didn't like that. + +As it stands I still use Youtube although I don't log in, which means I find it harder to track my favourite channels. Not the end of the world but it is a bit of a pain in the ass. [Vimeo]( has been getting better in terms of content but it's not on par yet. + + +<br /> + + +As you can see an alternative was found for most of the Google equivalents. Switching away from Google didn't cause any majors in my day to day life, the hardest part was changing my email address over on all my logins, and getting people to update their contact details. + +Certain things that I miss from Google are being able to save email attachments straight into Drive. There is also the Contacts which [was mentioned](#contacts), and not being able to log in to Youtube. Aside from them I enjoyed phase one of my No Google life. As I write this I am now a month into phase two, which I will write up and post soon. + +The most interesting part for me was finding all the alternatives. There are so many great developers and companies doing incredible work which is being overshadowed by the Google giant. 
Every day more and more people are being interested in their online security, and so these alternative applications are slowly being more widely used. + +If anybody would like to discuss my No Google life experiment, or anything about online privacy and security then get in touch on [twitter]( or email me: root [at] pyratebeard [dot] net. Be sure to encrypt and sign your email for bonus geek points :) + +Until next time... + + diff --git a/content/ b/content/ 
@@ -0,0 +1,147 @@ +## raspberry pi setup + +#### Mmmm Pi +By now everybody has at least of the [Raspberry Pi]( It's an affordable (~£30) little computer designed to enable anybody to learn to code and build projects. It has become a great hit in education and there have been some incredible uses from drones to (mini)supercomputers. Most people however seem to use it as a media server (based on people I know). + +I actually won my first Pi. My team was voted the regional winner in our category for the 2016 NASA Space Apps Challenge. The prize was a Raspberry Pi 3, which has some advantages over previous versions - namely a more powerful CPU, wireless LAN (Wifi) and bluetooth. + +There were some good intentions to build a drone, and I spent a long time looking at other people's projects. In the end my Pi sat on my desk collecting dust. Finally I decided I was going to do two things with it, first I was going to use it to run my own VPN, and second I wanted to set up my mail server on it. I have decided to use [Raspbian]( + +*Raspbian?!* Yes, as some of you may know I am not a fan of the Debian based distros. I tend to choose Arch Linux or Fedora. As a Linux engineer my work is saturated with Red Hat so it's good for me to know Fedora. +So Rasbian was not my first choice, but it is the choice that worked out of the box. I had some issues installing Arch Linux ARM, and post installation issues with Fedora ARM. +As you'll see later Raspbian installs quickly and with no issues. This meant I could move on to the fun bit instead of fault finding. + +#### VPwhat? +A VPN is a Virtual Private Network. It allows you to connect to your own 'private' network through any other 'public' network securely. If you imagine you home network is your private network, if you go to a friends house you can connect to their wifi (public network). If you then connect to you VPN everything you do is being tunneled through your own private network. 
+ +The reasons for this are primarily security. By tunnelling your network activity through your VPN then you can be safe from any monitoring on the public network and even the ISP. Another advantage is that the VPN is basically an extension of your home network, which means you can access all the devices and files you have at home. + +VPNs are used extensively by corporations so their employees can access the company network from anywhere in the world. They are also used by people who travel alot and are therefore connecting to many different public networks. + +#### Mail electronically +Some of you may have read my first post about [DeGooglefying](/log/2017/04/degoogle-part-1) (yes it's a word) my life. As part of this transition I moved to using my own domain for emails, and I though the Pi would be a great little mail server. + +#### # Raspbian install +Before we can set up our VPN we need to put an OS on the Pi. As mentioned above I have opted for Raspbian. At the time of writing the stable release is 'Jessie', I chose the Lite version as I don't need a desktop for my uses. + +After downloading the zip archive extract the [image file]( If you're using Windows you will need to use an application such as [Etcher]( to write the image file to an SD card, which will be used in the Pi. For this guide I'm using Linux, so I can use the `dd` utility. + +A quick side note on SD cards. One thing that catches a lot of people out is the read and write speeds. Most cards will show you the read speed, which can be quite high. If you pay close attention to the small print the write speeds aren't always very high. I went for a card which had pretty high read AND write speeds so that I get the best I/O for my OS. The card I am using is a [PNY 32GB Elite-X microSDHC U3]( (from around £20), which has read speed of ~90Mbps and benchmarked write speeds between 70 -> 85Mbps. These speeds vary depending on the devices but for it will be suitable for the Pi. 
+ +Run the `lsblk` command to see the current devices, plug your SD card into your Linux machine the run again to get the device name of the SD card +``` +lsblk +NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT +sdd 8:48 1 29.9G 0 disk +``` + +If your machine automatically mounts the device you will need to unmount it +``` +umount /dev/sdd +``` + +Copy the image file to our SD card. We are using a bytesize of 4M as recommended on the Raspbian site, if this doesn't work you can try 1M +``` +dd bs=4M if=2017-04-10-raspbian-jessie-lite.img of=/dev/sdd +``` + +You can now see that the partitions have been created on the card (a 32GB card may seem like a waste of space but we will come back to that later) +``` +lsblk +NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT +sdd 8:48 1 29.9G 0 disk +├─sdd2 8:50 1 1.2G 0 part +└─sdd1 8:49 1 41M 0 part +``` + +As of November 2016 Raspbian does not enable ssh by default. This can be an issue if you don't have a monitor or TV with a HDMI port, or a HDMI cable! We can get around that by mounting the newly created boot partition and adding a file called "ssh". +``` +mount /dev/sdd1 /mnt +touch /mnt/ssh +umount /mnt +``` +If you are able to plug your Pi into a monitor or TV it is worth watching it boot, always nice to have "eyes on" in case of any errors. + +Once this has finished remove the SD card from your machine and plug into the slot on Pi. I will always use ethernet with my Pi, so plug it in and power it up. The first time you boot it is best to leave it for a few minutes. The system does some checks and then boots up. You should have a solid red light and a flashing green light. + +There are a couple of ways to find what the IP address is of your Pi. If you have it plugged in to a monitor the IP address will be showing in the boot messages. If, however, you're attempting a headless setup then you can use `nmap` or `arp`. Both are straight forward. + +``` +nmap -sn +``` + +``` +arp -n +``` + +Connect using `ssh`. 
The default user is `pi` and the default password is `raspberry` +``` +ssh pi@ +``` + +These next few steps depend on your own personal preferences, so feel free to skip/adjust them as necessary. + +Create a new privileged user +``` +sudo useradd -g users -G sudo -m -d /home/pyratebeard pyratebeard +sudo passwd pyratebeard +exit +``` + +Log back in as your new user and remove the default user `pi` +``` +sudo userdel -r pi +```` + +Change the hostname +``` +sudo hostnamectl set-hostname phishpi +``` + +Open up the hosts file and change the last line from +``` + raspberrypi +``` +to whatever you changed your hostname to +``` + phishpi +``` + +Open up the ssh config file +``` +sudo vi /etc/ssh/sshd_config +``` + +We're going to change the following lines (they aren't listed together) +``` +Port 22 +PermitRootLogin without-password +X11Forwarding yes +``` +to +``` +Port 2222 +PermitRootLogin no +X11Forwarding no +``` +*you can change the port to whichever one you prefer. + +Now restart the ssh daemon +``` +sudo systemctl restart ssh +``` + +Keep in mind that when you want to ssh in to the Pi from now on you will need to specify the port, for example +``` +ssh -p 2222 pyratebeard@phishpi +``` + +Finally we want to perform an upgrade +``` +sudo apt-get update && sudo apt-get upgrade +sudo reboot +``` + +After this you can start installing your favourite terminal apps, and any applications you want to run off your Pi. There are plenty of other system settings you can configure based on your personal preference, I would certainly set up SELinux and do some system hardening relevant to my needs, but that could take up a whole post by itself! + +As mentioned at the start, the purpose of my Pi is to run a VPN and a mail server. The upcoming log posts will cover these steps. diff --git a/content/ b/content/ 
@@ -0,0 +1,19 @@ +## html emails in mutt + +I love minimal terminal based applications where ever I can use them. This means that I use [mutt]( for viewing emails on my Linux system. One thing that is becoming more common is the use of HTML emails, which don't display very well in the terminal. Instead of seeing the content as the sender would like you to, all you see is the HTML code. + +By adding the following lines to your ".muttrc" config file +``` +alternative_order text/plain text/html +auto_view text/html +``` + +and creating a new ".mailcap" file in your home directory with the following (change browsers Firefox and Lynx to your preferred applications) +``` +text/html; /usr/bin/firefox %s >/dev/null 2>&1; needsterminal +text/html; lynx -dump %s; nametemplate=%s.html; copiousoutput +``` + +next time you open HTML emails in mutt the content is displayed in your browser. + +Thanks to []( for the tip. diff --git a/content/ b/content/ 
@@ -0,0 +1,64 @@ +## termux on android + +Do you prefer working in the terminal than with horriblely flash GUIs? I prefer it so much I even do away with typical icon based launchers on my Android phone and use a [terminal]( + +Sometime I need more than just a launcher, and this is where [termux]( comes in. Termux is an "Android terminal emulator and Linux environment app". You can download it from [Play]( or [F-Droid]( and install without rooting your device. It comes with a number of shells to choose from and install packages using `apt`. + +Once installed there is no setup required, however there are a few things that you can do to improve the environment. These steps are personal preference, and as always use the commands at your own risk! + +First make sure everything is up to date +``` +apt update && apt upgrade +``` + +If you look in the current directory you will see there is nothing there +``` +pwd + /data/data/com.termux/files/home +ls -l +``` + +You can set up links to the shared internal storage by running +``` +termux-setup-storage +``` + +This creates symlinks to a number of directories in your phone's storage +``` +pwd + /data/data/com.termux/files/home +ls -1 + storage +ls -1 storage/ + dcim + downloads + movies + music + pictures + shared +``` + +Use the command `ls -l` to see the links. + +A number of packages are provided +``` +busybox --help +``` + +I tend to install a number of others (in no particular order) +``` +apt install openssh vim zsh less irssi tmux git stow htop +``` + +Then we can pull down our dotfiles! +``` +git clone +cd dotfiles +stow {vim,zsh,irssi,tmux} +chsh -s zsh +``` + +Now exit termux using `exit` or Ctrl-D and when you restart you should be in a more comfortable environment. + +There we go. A rather quick and simple run through of termux. All this information can be found on their [help page]( For more help or information contact me in the usual ways, or join the #termux IRC channel on freenode. + 
diff --git a/content/ b/content/ 
@@ -0,0 +1,122 @@ +## setting up arch + +_Note_ This guide assumes you have a working Arch Linux installation. See my [previous post](/log/2016/11/arch-linux-install) for how to get started. + +If you followed my Arch Linux install guide you should have rebooted your system and have a login prompt. If you enter the username and password you set you will log in to the system, but it's looking a bit plain. Now some people do work in the [TTY]() ([nixers]( has an annual "Week in the TTY") but most of us prefer a graphical environment... even a minimal one. + +To get started we need to install some packages. We will be installing the [X Window System](, a window manager, and a terminal emulator. +``` +sudo pacman -S xorg xorg-xinit awesome rxvt-unicode +``` + +I have chosen to install the [awesome]( window manager and the [urxvt]( terminal emulator. There are so many combinations of software, which is one of the reasons I enjoy the Linux community, so don't worry if you prefer other tools. Install and use whatever works for you and don't be ashamed of your choices. Although I would say to try out other tools, you never know when you'll come across something better. + +Now we need to get the window manager running. Copy some template configuration files and make some changes. The filenames begin with a dot '.' which in Linux indicates a hidden file. Most configuration files in your home directory will be hidden, and are known as 'dotfiles'. More on this later. +``` +cp /etc/X11/xinit/xserverrc ~/.xserverrc +cp /etc/X11/xinit/xinitrc ~/.xinitrc +vi ~/.xinitrc +``` + +Comment out the following lines by entering a # at the start of the line +``` +twm & +xclock -geometry 50x50-1+1 & +xterm -geometry 80x50+494+51 & +xterm -geometry 80x20+494-0 & +exec xterm -geometry 80x66_0_0 -name login +``` + +Write the following at the end of the file +``` +exec awesome +``` + +Save and quit. + +Now run the command +``` +startx +``` + +And you should see the window manager start up. 
If you press the keys Win-r and type in _urxvt_ then a terminal will appear. If you ever need to drop out of the graphical environment for press the keys Win-Shift-Q to exit to the TTY. + +The default awesome environment is nice enough, but I am what is known as a ricer. This means that I spend far too much time altering my dotfiles to customise my environment so that it works for me, and looks however I want it to. I store all my dotfiles in a git repository and use a tool called 'stow' to easily enable and disable them as required. A lot of this is personal preference, so as mentioned before don't feel compelled to copy exactly. + +To set up my dotfiles I need a few more packages. I need git, so I can pull my repository down, and stow. +``` +sudo pacman -S git stow +git clone "" +cd dotfiles +``` + +If you take a look at the README file it will quickly explain the tools I have files for and how to use stow to enable them. Let's install some more packages so we can get comfortable +``` +sudo pacman -S vicious zsh vim tmux qutebrowser ranger irssi mutt mpd ncmpcpp +``` + +Here is a quick run down of the applications that have just been installed +``` + vicious > plugins used by my awesome config + zsh > z shell + vim > text editor + tmux > terminal multiplexer + qutebrowser > web browser + ranger > file manager + irssi > irc client + mutt > email client + mpd > audio player daemon + ncmpcpp > audio player interface +``` + +Most of the applications I use are based in the terminal. If you're not use to working in the terminal it may be a big learning curve, but once you get the hang of it you may find it improves your workflow. + +We're ready to enable our dotfiles. +``` +stow {awesome,urxvt,zsh,vim,tmux,qutebrowser,ranger,irssi,mutt,mpd,ncmpcpp} +cd ~ +ls -la +``` + +You should now see lots of hidden files which are pointing to the dotfiles. These are known as symbolic links or symlinks and are basically pointers to the file you want to use. 
+ +Before I restart awesome I need to install the font that I prefer, and is in the configs. +``` +git clone "" +cd tamzen-font-git/ +makepkg +``` + +Set the default shell to zsh +``` +chsh -s /usr/bin/zsh +``` + +Now restart awesome by pressing Win-Ctrl-r, and open a new terminal with Win-Return. I'm not going to go through using all the applications in this post, maybe I'll write some guides if people are intested. Read the all important man pages for information on how to use the tools. + +So that's it pretty much. You should now be able to get online, write some code, and listen to some music. What more do you need? Oh yeah, coffee... +``` +curl -Ls | sh +``` + +Happy now? + +Here is a list of other software I use on a regular basis + +``` + openssh > ssh connection tool + keychain > ssh-agent manager + hub > git enhancement + mpv > video player + calcurse > calendar & todo list + freerdp > remote desktop protocol client + docker > container platform + bind-tools > dns tools + htop > interactive process viewer + sxiv > image viewer + snownews > rss newsreader + scrot > screen capturing application + keybase > client +``` + +If you have any other recommendations for software let me know! diff --git a/content/ b/content/ 
@@ -0,0 +1,241 @@ +## raspberry pi vpn + +As mentioned in my previous [post](log/2017/05/raspberry-pi-setup), I want to use my Raspberry Pi as a VPN server. If you followed along with the install guide you should have a basic Raspbian OS running on your Pi. You may have installed other software, or configured the Pi however you prefer. If you have made any changes it _may_ alter the following VPN setup. + +For this guide I will be continuing on with the basic install as it was after the previous post. + +**Note** - Using a VPN from outside your home network will require port forwarding on your router. Through the router admin console you should be able to forward all traffic to your Pi's 'tun0' device, which is created later. You will also need your external IP address. Use a site such as []( + +#### Open(VPN) your world +There are a number of VPN server options out there, but the most popular is [OpenVPN]( It is incredibly easy to install, and works with the default configuration. There is a web based management console which enables you to adjust the settings quickly. + +First things first, let's make sure our Pi is up to date then we can install OpenVPN. We will also install `easy-rsa`, OpenVPN's CA utility +``` +sudo apt update +sudo apt upgrade +sudo apt install openvpn easy-rsa +``` + +As root copy config file from OpenVPN's example files. If the command doesn't work with sudo, run as root as shown below (needs root password) +``` +cd /usr/share/doc/openvpn/examples/sample-config-files/ +su -c "gunzip -c server.conf.gz > /etc/openvpn/server.conf" +``` + +Open the config file for editing +``` +sudo vi /etc/openvpn/server.conf +``` + +Change the Diffie hellman parameter from 1024 to 2048 +Before +``` +dh dh1024.pem +``` +After +``` +dh dh2048.pem +``` + +Remove comment (';') from the DHCP redirect line +``` +push "redirect-gateway def1 bypass-dhcp" +``` + +Remove comment (';') from the two DNS lines. 
If you want to change the DNS servers edit the IP addresses on these lines. I have opted to stick with the defaults which are OpenDNS +``` +push "dhcp-option DNS" +push "dhcp-option DNS" +``` + +Finally reduce privileges by running as nobody, remove the comment (';') from the following lines +``` +user nobody +group nogroup +``` +Save and exit your text editor. + +Now we need to set up the firewall. Firewall configuration on Linux is a sore subject for a lot of people, especially when trying to use the `iptables` commands. To make life easier you can opt to use a tool such as `ufw` which makes configuring the rules really easy. My guide will use the `iptables` commands because the only way to learn is by doing! + +Forward IPv4 traffic +``` +echo 1 > /proc/sys/net/ipv4/ip_forward +``` + +Make persistant. In /etc/sysctl.conf, uncomment line +``` +net.ipv4.ip_forward=1 +``` + +Show iptables rules (should be blank) +``` +sudo iptables -L +``` + +We are going to set up a number of rules. First we need to allow established outgoing connections. This makes life easier as we don't always know which port will be used for an outgoing connection, such as HTTP. If you prefer you can set this rule seperately for each port you open, but for ease we will set it globally. +The second rule is to allow incoming SSH connections. If you changed the port number used for SSH (see my Raspbian Install Guide) then you need to specify the port number. +The third rule we need to set if to allow OpenVPN traffic. This port number can also be changed in the OpenVPN config file, the default is 1194. +Then we need to allow TUN interface connections. We will also allow TUN connections to be forwarded through our other interface. +Finally we need to NAT the OpenVPN traffic using our TUN interface. 
+``` +sudo iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT +sudo iptables -A INPUT -p tcp --dport 2222 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT +sudo iptables -A INPUT -i eth0 -p udp --dport 1194 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT +sudo iptables -A INPUT -i tun+ -j ACCEPT +sudo iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE +sudo iptables -I FORWARD -i tun0 -o eth0 -s -d -m conntrack --ctstate NEW -j ACCEPT +sudo iptables -A FORWARD -i tun+ -j ACCEPT +sudo iptables -A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT +sudo iptables -A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT +``` + +Save the firewall changes in a backup file, then make the rules persistent after a reboot. +``` +sudo iptables-save > 20170527_iptables_rules.bak +sudo invoke-rc.d iptables-persistent save +``` + +If you ever need to apply the saved rules, if iptables is flushed for example, run the following +``` +sudo iptables-apply 20170527_iptables_rules.bak +``` + +You can now run `sudo iptables -L` again to see all the rules you have entered +``` +Chain INPUT (policy ACCEPT) +target prot opt source destination +ACCEPT tcp -- anywhere anywhere tcp dpt:2222 ctstate NEW,ESTABLISHED +ACCEPT udp -- anywhere anywhere udp dpt:openvpn ctstate NEW,ESTABLISHED +ACCEPT all -- anywhere anywhere + +Chain FORWARD (policy ACCEPT) +target prot opt source destination +ACCEPT all -- ctstate NEW +ACCEPT all -- anywhere anywhere +ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED +ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED + +Chain OUTPUT (policy ACCEPT) +target prot opt source destination +ACCEPT all -- anywhere anywhere ctstate ESTABLISHED +``` + +The next step is to generate the keys using `easy-rsa`. 
Copy the "easy-rsa" directory into our OpenVPN config directory, then create a new "keys" directory +``` +sudo cp -r /usr/share/easy-rsa/ /etc/openvpn/ +sudo mkdir /etc/openvpn/easy-rsa/keys +``` + +Before we generate the keys we need to change the following fields in "/etc/openvpn/easy-rsa/vars" +``` +export KEY_COUNTRY="US" +export KEY_PROVINCE="CA" +export KEY_CITY="SanFrancisco" +export KEY_ORG="Fort-Funston" +export KEY_EMAIL="me@myhost.mydomain" +export KEY_OU="MyOrganizationalUnit" +export KEY_NAME="EasyRSA" +``` +Change the values to reflect your location and details. Also choose a name for your key (i.e. "server"), we will need this later. Save and quit your text editor + +Generate the Diffie-Hellman pem file, this will take a while +``` +sudo openssl dhparam -out /etc/openvpn/dh2048.pem 2048 +``` + +When that has finished we can generate the certificates. It is easier to do this as root as we need to source the variables. When running `build-key-server` change the server name to the one you specified in the "vars" config file +``` +sudo -i +cd /etc/openvpn/easy-rsa +source ./vars +./clean-all +./build-ca +./build-key-server server +exit +``` + +Copy the newly generated keys to your OpenVPN directory +``` +sudo cp /etc/openvpn/easy-rsa/keys/{server.crt,server.key,ca.crt} /etc/openvpn +``` + +Now we can start our OpenVPN server +``` +sudo systemctl start openvpn +sudo systemctl status openvpn +``` + +We then have to generate keys for the clients we want on our VPN. It is good practice to have individual key pairs for each client, and not to share one key pair. This makes life easier if a device is lost or stolen, we only have to revoke one device's key pair. 
+ +Generate the keys for the first client, changing the name to the device you will be using (run as root again) +``` +sudo -i +cd /etc/openvpn/easy-rsa +source ./vars +./build-key client +exit +``` + +Create a new directory to keep things tidy then copy an example client configuration file, and the keys we have just created +``` +mkdir ~/client +sudo cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client/client.ovpn +sudo cp /etc/openvpn/easy-rsa/keys/{client.crt,client.key,ca.crt} ~/client +``` + +Next open up the config file "client.ovpn". Uncomment the "nobody" and "nogroup" lines as before, also comment out the certificate and key lines +``` +user nobody +group nogroup +;ca ca.crt +;cert client.crt +;key client.key +``` + +Also change the line specifying the IP address of your OpenVPN server. +From +``` +remote my-server-1 1194 +``` +To +``` +remote 1194 +``` + +Replace the IP address with your network's _external_ IP address. + +Save and quit your text editor. + +Instead of copying the .ovpn file the two certs and the key across to our client, we can echo the contents of our certs into our .ovpn file and only copy the one file across to our client. + +The syntax for this is in XML, for example +``` +<tag_name> +contents +</tag_name> +``` + +So we can run the following commands (as root) +``` +sudo -i +cd /home/pyratebeard/client +echo "<ca>" >> client.ovpn +cat ca.crt >> client.ovpn +echo "</ca>" >> client.ovpn +echo "<cert>" >> client.ovpn +cat client.crt >> client.ovpn +echo "</cert>" >> client.ovpn +echo "<key>" >> client.ovpn +cat client.key >> client.ovpn +echo "</key>" >> client.ovpn +exit +``` + +Securely copy the "client.ovpn" file across to your device. + +For the purposes of this demonstration we are going to use a mobile phone as our device. + +Install and open the OpenVPN Connect app on your mobile. Import the profile file we copied across and hit connect. After a couple of seconds you should be connected to your VPN. 
Congrats! + +As mentioned at the start you will have to enable port forwarding on your router to allow traffic from outside your network into the Pi. + diff --git a/content/ b/content/ @@ -0,0 +1,25 @@ +## firefox desktop dir + +This is probably really picky, but I'm not a fan of the Desktop directory that Firefox defaults to for downloads. As soon as I install Firefox I change the default download dir, but I had noticed that Firefox still created the dir when it started, and it would be the default location when an upload window was opened. + +This had been one of those things that I had lived with, never really looking in to a fix. For some reason today I decided to have a look to see if this behaviour could be fixed, and thankfully I found an answer straight away. + +The file `$HOME/.config/user-dirs.dirs` sets a number of default directories, one of which is the Desktop directory. At first I attempted to change the value in the file, and this worked until I rebooted my system. After a reboot the file was regenerated and the Desktop value was back. + +If you have the `xdg-users-dirs` package installed you can run the following +``` +xdg-user-dirs-update --set DESKTOP $HOME/ +``` + +If you don't have the package installed you can stop XDG from regenerating the directory by doing the following +``` +cat >> $HOME/.config/user-dirs.conf << EOF +enabled=False +EOF +``` + +Solutions found at the following links +- [Arch Linux forums]( +- [AskUbuntu]( +- [UNIX StackExchange]( + diff --git a/content/ b/content/ 
@@ -0,0 +1,29 @@ +## simple python webserver + +Sometimes it can be handy to run a webserver on your local machine for testing purposes. It is not, however, always possible to install a webserver such as Apache. Never fear! Python has you covered. + +With one python command you can run a local webserver in which ever directory you're in. First we need to install python +``` +pacman -S python +``` + +Next check the version +``` +python -V +``` + +If you have `Python 2.x` then run the command +``` +python -m SimpleHTTPServer <port> +``` + +If you have `Python 3.x` then run the command +``` +python -m http.server <port> +``` + +If you don't specify the port then the default is `8000` for both commands. + +Use `Ctrl-c` to stop the webserver. + +That's it, simple! diff --git a/content/ b/content/ 
@@ -0,0 +1,65 @@ +## ssh into android + +In a [previous post](/log/2017/06/termux-on-android) I talked about installing [termux]( on an Android device. This tool makes it easy to ssh into our other Linux systems, but what if we want to ssh into our Android device? + +Unfortunately password login doesn't work on Android and if you haven't rooted your device you have limited permissions. Instead we can use ssh keys. + +If you don't already have an ssh key pair then on you Linux system run +``` +ssh-keygen -t rsa +``` + +If you accepted the defaults this will create two files under your user's .ssh directory, `id_rsa` and ``. + +Make sure `sshd` is running on your Linux machine (requires the OpenSSH package) +``` +systemctl status sshd +``` + +If it's not installed run the following (if it's just not running omit the first command) +``` +sudo pacman -S openssh +sudo systemctl start sshd +``` + +Also make a note of the IP address +``` +ip a +``` + +Next, from termux on your Android device copy down the public key you just created +``` +scp pyratebeard@ ./ +``` + +Now add the public key to the `authorized_keys` list +``` +cat >> .ssh/authorized_keys +``` + +Almost there. Finally we need to install OpenSSH on termux and start the daemon +``` +apt install openssh +sshd +``` + +Make a note of the IP address of your Android device +``` +ip a +``` + +That's it! You can now ssh from your Linux machine onto your Android device using port 8022 +``` +ssh -p 8022 +``` + +If you need to specify a user for the above command then from termux run +``` +whoami +``` +and add the user to the ssh command +``` +ssh -p 8022 -l u0_a161 +``` + +
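Review bot: in the OpenVPN post's iptables block (after "Finally we need to NAT the OpenVPN traffic") every rule is an ACCEPT while all three chains keep their default `policy ACCEPT` (visible in the `sudo iptables -L` output), so the rules restrict nothing: SSH on 2222, OpenVPN on 1194 and any other port on eth0 are accepted with or without them. To make this a firewall, add `sudo iptables -A INPUT -i lo -j ACCEPT` plus an INPUT rule for `-m conntrack --ctstate RELATED,ESTABLISHED`, then set `sudo iptables -P INPUT DROP` (and likewise for FORWARD) after the allow rules; unifying the mixed `-m state --state` and `-m conntrack --ctstate` matches on conntrack would also read cleaner. Two smaller points in the client section: once the `echo`/`cat` loop has inlined `client.key`, `client.ovpn` holds a clear-text private key, so a `chmod 600 client.ovpn` before it leaves the Pi is worth a line, and `./build-key client` produces a key with no passphrase, so `./build-key-pass client` is the safer choice for a phone that can be lost. Finally, `systemctl start openvpn` is never followed by `enable`, so the server will not come back after a reboot.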
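Review bot: in the firefox desktop dir post the package name in the prose is wrong: it is `xdg-user-dirs` (the command `xdg-user-dirs-update` is correct), not `xdg-users-dirs`. The `enabled=False` fallback also needs a caveat: `user-dirs.conf` applies to xdg-user-dirs as a whole, so that setting stops it regenerating every XDG directory entry on login (Downloads, Documents and so on), not only Desktop; if that is intended, say so, otherwise point readers at the `--set DESKTOP` route first.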
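Review bot: in the simple python webserver post both `python -m SimpleHTTPServer <port>` and `python -m http.server <port>` bind to all interfaces by default, so a "webserver on your local machine for testing" actually serves the current directory to every host on the network. For Python 3.4 and later suggest `python -m http.server --bind 127.0.0.1 <port>`; `SimpleHTTPServer` has no bind option, so on Python 2 the fallback is a trusted network or a host firewall rule, and in either case the command should be run from a directory containing only files you mean to expose. Two small things: `pacman -S python` needs root, so `sudo` is missing, and on Arch `python` is already Python 3, so the version check mainly matters for other distributions.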
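Review bot: in the ssh into android post the line `cat >> .ssh/authorized_keys` as rendered has no input file, so a reader copying it literally gets a `cat` waiting on stdin; spell out the public key file (the `.pub` half, never `id_rsa` itself) as the argument. Key auth on termux also silently fails unless permissions are right, so add `chmod 700 ~/.ssh` and `chmod 600 ~/.ssh/authorized_keys` before starting `sshd`. Worth stating too that the `sshd` started from termux listens on port 8022 and is reachable from any host on the same network, so start it only on a trusted network and stop it (`pkill sshd`) when done; `ssh-keygen -t ed25519` is the better default over `-t rsa` today.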