First off, you need to obtain the Pulse Secure client as a deb file from your network administrator. I have version 8.2R5.

For some reason the client does not list any dependencies when installing, so you must install the needed (32-bit) libraries by hand (PulseClient.sh does not work without changes):

$ sudo apt install libwebkitgtk-1.0-0:i386 libdconf1:i386 dconf-gsettings-backend:i386

It is also necessary to add Pulse’s library directory to the dynamic linker’s search path (the same effect as setting LD_LIBRARY_PATH). This is done by running:

$ echo "/usr/local/pulse" | sudo tee /etc/ld.so.conf.d/pulse.conf
$ sudo ldconfig

The above instructions work for Ubuntu 16.04, 16.10, 17.04 and 17.10. In 17.04 and 17.10 you also need to install net-tools to get ifconfig:

$ sudo apt install net-tools

After using Linux Mint with Cinnamon for a long time I am now back with Ubuntu with GNOME (reluctantly, I may add).

One thing I have noticed is there does not seem to be an option in the settings to change your preferred terminal emulator.

(This guide applies to any Debian/Ubuntu based distribution)

For some reason (complexity perhaps) it is not possible to configure full-disk encryption and LVM from the graphical installer in the desktop edition. It is possible to select full-disk encryption but this only creates one filesystem (root).

I want to use LVM to allow me to have more than one filesystem without having to enter more than one password during boot-up. It is not impossible to install Ubuntu desktop (or Linux Mint as in this guide) with encryption and LVM but it does require a little more work.


I’ve been running KVM for quite a while on my lab server. It’s been running without issue but with the release of vSphere/ESXi 6.0 I felt it was time to move back to VMware.

I wanted to preserve the virtual machines already running so I set out to move these to ESXi. I ran into some issues which I’m not sure are a generic problem or specific to ESXi 6.0, but I’ll describe what I have done.

In order to convert the existing disk images to VMware’s vmdk format you should use the program qemu-img from the package qemu-utils (in Ubuntu).

The process is straightforward:

  • $ sudo qemu-img convert -p DiskImage.img -O vmdk DiskImage.vmdk
  • Transfer the disk image to ESXi using scp (enable SSH in ESXi) or NFS (as I did)
  • Create a new virtual machine with custom options and add the converted disk
  • Boot

Unfortunately this did not work as expected: when booting the converted images, the Linux instances inside all crashed during boot with this error message (or something similar):

lib6.so: unsupported version 0 of verneed record

It turns out two steps were missing. After transferring the converted disk image to ESXi, do this from the ESXi CLI (via SSH):

# vmkfstools -i /vmfs/volumes/nfs1/DiskImage.vmdk -d thin /vmfs/volumes/datastore1/MyServer/DiskImage.vmdk

-d selects the output disk format, which can be zeroedthick, eagerzeroedthick or thin.

Now open the newly created vmdk descriptor file in vi and change the ddb.adapterType line from ide to lsilogic.

After doing this, add the image(s) to a newly created VM and boot.

(This was done in Ubuntu and will work with any Linux variant with qemu-img. If you want to do this in Windows, StarWind’s V2V Converter is said to be able to do the job.)

As mentioned in my previous post, I synchronize my wallpaper folder between my desktop computers.

While there are various ways of setting a random desktop background (XFCE, which I use, has this built in), I’ve had to conclude it’s just easier from the command line.

In XFCE it does not seem possible to do this from cron, so I made a script which is run at start-up:

#!/bin/bash
# Pick a random picture from DIR and set it as the wallpaper every two minutes.

DIR="$HOME/etc/wallpaper"

while true; do
    # find + shuf -z keep filenames with spaces intact (parsing ls output does not)
    PIC=$(find "$DIR" -maxdepth 1 -type f -print0 | shuf -z -n1 | tr -d '\0')
    if [ -z "$PIC" ]; then
        # Empty wallpaper directory: nothing to set, try again later
        sleep 120
        continue
    fi
    # Uncomment based on desktop environment
    # XFCE:
    #/usr/bin/xfconf-query -c xfce4-desktop -p /backdrop/screen0/monitor0/image-path -s "$PIC"
    #/usr/bin/xfconf-query -c xfce4-desktop -p /backdrop/screen0/monitor0/image-style -s 5
    # GNOME2:
    #gconftool-2 --type=string --set /desktop/gnome/background/picture_filename "$PIC"
    #gconftool-2 --type=string --set /desktop/gnome/background/picture_options zoom
    # GNOME/Unity/Cinnamon:
    #gsettings set org.gnome.desktop.background picture-uri "file://$PIC"
    #gsettings set org.gnome.desktop.background picture-options zoom
    # Generic - uses feh:
    #feh --bg-fill "$PIC"
    sleep 120
done

In order to make the script run at start-up, create the file $HOME/.config/autostart/wallpaper.desktop:

[Desktop Entry]
Encoding=UTF-8
Version=0.9.4
Type=Application
Name=Rotate bg
Comment=
Exec=/home/alj/bin/setwallpaper.sh
StartupNotify=false
Terminal=false
Hidden=false

If you are not using a desktop environment like GNOME or XFCE, add the script to .xsession.

If you need to wake up machines on your local LAN from the outside, there are a few steps you need to take to get it working with OpenWRT (12.09):

  1. Select an unused IP address (which you are certain will never, ever be used). I will be using 192.168.1.254 in the following.
  2. Log into OpenWRT and go to System → Startup → Local Startup (the text input at the bottom of the page) and add this line above exit 0:
    ip neigh add 192.168.1.254 lladdr ff:ff:ff:ff:ff:ff nud permanent dev br-lan
  3. Save (or Submit, depending on the theme used).
  4. Go to System → Software and verify the package ip is installed. If not, install it.
  5. Go to Network → Firewall → Port forwards and add a new rule forwarding the chosen external port to 192.168.1.254 (select custom to enter the internal IP address).
  6. Save and apply.
  7. Reboot the router.

That’s it. Now wake on lan should work from the WAN (Internet) as well.

This is what it looks like in the WoL Wake On Lan Wan Android app:

wake-on-wan


I’ve started to use copy.com instead of services like Dropbox, SpiderOak and similar.

Why? Because it’s fast (unlike Dropbox), it’s simple (unlike SpiderOak) and it runs on all major platforms (Windows, OSX, Android, iOS and Linux, with both a graphical and a console client; both are native Linux applications).

This article explains how to install the agent on Linux, more specifically how to run the console agent on an Ubuntu-derived distribution.


I have recently moved my hosting to a couple of VPSes at ChicagoVPS and wanted to use IPv6 (via tunnelbroker.net).

ChicagoVPS uses OpenVZ, which presents a couple of problems:

$ ifconfig sit0
sit0: error fetching interface information: Device not found
$ sudo modprobe ipv6
FATAL: Module ipv6 not found.

It turns out this is a fairly common problem, even though OpenVZ is supposed to support IPv6. Luckily, someone made a small userland program (tb-tun) which “tunnels” IPv6 tunnels through a TUN/TAP device.

First, it requires TUN/TAP device support to be enabled in the VPS; this is done in the control panel under settings.

Control panel

Note! – Changing this setting will reboot your VPS without warning!

Next, make sure the build-essential package is installed (it’s included in the Ubuntu template at ChicagoVPS):

$ sudo apt-get install build-essential

Now, download and install the tb-tun program:

$ mkdir tb-tun
$ cd tb-tun
$ wget https://tb-tun.googlecode.com/files/tb-tun_r18.tar.gz
$ tar zxvf tb-tun_r18.tar.gz
$ gcc tb_userspace.c -l pthread -o tb_userspace
$ sudo mv tb_userspace /usr/local/sbin

Before continuing, I recommend looking up the following information:

Server IPv4 Address - This is the IPv4 address of the Tunnelbroker gateway
Client IPv4 Address - This is the IPv4 address of your server
Client IPv6 Address - This is the IPv6 address of your server (for the tunnel end-point)
Routed /64 - This is your network

Next, you need to ensure your iptables configuration allows incoming encapsulated IPv6 traffic (IP protocol 41) from the tunnel server. Since ufw is a PITA to get to work on OpenVZ, I’m using iptables-persistent, which simply means adding one line to /etc/iptables-persistent/rules.v4:

# IPv6 tunnel
-A INPUT -p 41 -s <Server IPv4 Address> -j ACCEPT
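To see what the protocol 41 rule above actually matches on, here is an added example (not part of the original post) that builds a 6in4 packet, an IPv6 header carried inside an IPv4 header with protocol 41, and applies the same accept-only-from-the-tunnel-server logic to it. The IPv4 addresses are constructed placeholders from the documentation ranges, standing in for <Server IPv4 Address> and <Client IPv4 Address>.

```python
import struct
import ipaddress

# Constructed placeholders (documentation ranges), not a real deployment.
TUNNEL_SERVER_V4 = "203.0.113.1"   # stands in for <Server IPv4 Address>
CLIENT_V4 = "198.51.100.20"        # stands in for <Client IPv4 Address>
IPPROTO_IPV6 = 41                  # the protocol number in "-A INPUT -p 41"

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum; 0 for a header whose checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv6(src_v6: str, dst_v6: str, payload: bytes = b"") -> bytes:
    """Minimal IPv6 header; next header 59 means 'no next header'."""
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), 59, 64,
                       ipaddress.IPv6Address(src_v6).packed,
                       ipaddress.IPv6Address(dst_v6).packed) + payload

def build_6in4(src_v4: str, dst_v4: str, inner_v6: bytes) -> bytes:
    """Encapsulate an IPv6 packet in IPv4 with protocol 41 (6in4, RFC 4213)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner_v6), 0, 0x4000,
                      64, IPPROTO_IPV6, 0, ipaddress.IPv4Address(src_v4).packed,
                      ipaddress.IPv4Address(dst_v4).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + inner_v6

def tunnel_filter(pkt: bytes):
    """Apply the rules.v4 line: protocol 41 is accepted only from the tunnel
    server; protocol 41 from anyone else falls through to the final DROP.
    Returns (verdict, inner_src_v6, inner_dst_v6)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return ("DROP", None, None)           # not an IPv4 packet
    ihl = (pkt[0] & 0x0F) * 4
    if len(pkt) < ihl or ipv4_checksum(pkt[:ihl]) != 0:
        return ("DROP", None, None)           # truncated or corrupted header
    if pkt[9] != IPPROTO_IPV6:
        return ("OTHER", None, None)          # not tunnel traffic; other rules decide
    if str(ipaddress.IPv4Address(pkt[12:16])) != TUNNEL_SERVER_V4:
        return ("DROP", None, None)           # protocol 41 from an unexpected source
    inner = pkt[ihl:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return ("DROP", None, None)           # no valid IPv6 header inside
    return ("ACCEPT", str(ipaddress.IPv6Address(inner[8:24])),
            str(ipaddress.IPv6Address(inner[24:40])))
```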

You also need to secure your server on IPv6; a minimal /etc/iptables-persistent/rules.v6 looks like this:

*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow ping
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -j DROP
COMMIT

Apply the new rules:

$ sudo service iptables-persistent reload

Finally, you are ready to set up your tunnel in /etc/network/interfaces:

auto tb
iface tb inet6 manual
        pre-up  setsid /usr/local/sbin/tb_userspace tb <Server IPv4 address> <Client IPv4 address> sit > /dev/null &
        up      ifconfig tb up
        post-up ifconfig tb inet6 add <Client IPv6 address>/64
        post-up ifconfig tb inet6 add <Routed /64>:1/64
        post-up ifconfig tb mtu 1480
        post-up route -A inet6 add ::/0 dev tb
        post-up netstat -rn6 | grep -q venet0 && route -A inet6 del ::/0 dev venet0
        down    ifconfig tb down
        post-down       route -A inet6 del ::/0 dev tb
        post-down       killall tb_userspace

In my setup it looks like this:

auto tb
iface tb inet6 manual
        pre-up  setsid /usr/local/sbin/tb_userspace tb 209.51.181.2 192.210.137.214 sit > /dev/null &
        up      ifconfig tb up
        post-up ifconfig tb inet6 add 2001:470:1f10:74b::2/64
        post-up ifconfig tb inet6 add 2001:470:1f11:74b::1:1/64
        post-up ifconfig tb mtu 1480
        post-up route -A inet6 add ::/0 dev tb
        post-up netstat -rn6 | grep -q venet0 && route -A inet6 del ::/0 dev venet0
        down    ifconfig tb down
        post-down       route -A inet6 del ::/0 dev tb
        post-down       killall tb_userspace

Now, I just have one question

Y U NO

(Actually I know, and understand, why. It’s still annoying though)

iptables is not always easy to deal with so I prefer to use Uncomplicated firewall (ufw) in Ubuntu, because it simplifies configuring and maintaining my firewall rules.

Unfortunately, ufw does not play nice with OpenVZ containers so I decided to find something else. In the end (after testing various things) I decided to install the package iptables-persistent which is not as sexy as ufw but gets the job done.

iptables-persistent uses two configuration files:

/etc/iptables-persistent/rules.v4
/etc/iptables-persistent/rules.v6

Both files can be generated during installation.

A simple version of /etc/iptables-persistent/rules.v4 may look like this:

*filter
#  Allows all loopback (lo) traffic and drops all traffic to 127/8 that doesn't use lo
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j DROP

# Allow all traffic from tun-devices (VPN)
-A INPUT -i tun+ -j ACCEPT

#  Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#  Allows all outbound traffic
#  You could modify this to only allow certain traffic
#  This is in addition to allowing established and related traffic as listed above
-A OUTPUT -j ACCEPT

# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

#  Allows SSH connections from trusted-host only - drop the rest
-A INPUT -p tcp --dport 22 -s 1.2.3.4 -j ACCEPT

# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

# Drop all other inbound - default deny unless explicitly allowed (change to REJECT if you wish to reject packets instead of dropping them)
-A INPUT -j DROP
-A FORWARD -j DROP

COMMIT

After making changes to your rules files, apply them by running:

$ sudo service iptables-persistent reload

If you have a computer on your local network you want to wake from the Internet and you have a TP-Link router (in this case a TL-WDR4300), you are in luck.

First, create a “virtual server” (port forwarding) rule that forwards an arbitrary external port to port 9 at the IP address of the machine you wish to turn on (go to Forwarding → Add New):

Add virtual server

If you test at this point, it will work. But at a later point it will not. This is because the MAC address of the machine you wish to wake will be flushed from the router’s ARP table.

The way to fix this is a bit illogical but it works. With the machine in question turned on, go to IP & MAC binding → ARP List, find the entry you need and click “Load”.

Add ARP bind

Now, go to IP & MAC binding → Binding settings and tick “Bind” for the entry of your machine (also make sure ARP binding is enabled), then press Save.

Create binding

You should now be able to wake your machine from anywhere in the world, using an online service or a client on your smartphone.

Wake on LAN from phone

I am aware of the potential problems of allowing this kind of traffic into my local network but since a malicious person would need to know both the external port and MAC address of the internal machine and is only able to start up my machine, I’m not too worried. If you worry, add a password to your wake on lan configuration.
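Both the OpenWRT and the TP-Link setups above forward a UDP port to the magic packet’s usual destination, port 9, and the last paragraph argues that this is acceptable because only the right MAC (optionally with a password) wakes anything. As an added example (not from the original posts), this builds and parses the magic packet, with the optional SecureOn password that "add a password" refers to, and shows the check a sleeping NIC applies before it wakes; all MAC addresses used in the test are constructed.

```python
from typing import Optional

def mac_to_bytes(mac: str) -> bytes:
    """Parse 'aa:bb:cc:dd:ee:ff' (or '-' separated) into six bytes."""
    parts = mac.replace("-", ":").split(":")
    if len(parts) != 6:
        raise ValueError("MAC must have six octets: %r" % mac)
    return bytes(int(p, 16) for p in parts)

def bytes_to_mac(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)

def build_magic_packet(mac: str, secureon: Optional[str] = None) -> bytes:
    """Magic packet as sent to the forwarded port (UDP 9 on both routers above):
    six 0xFF sync bytes, the target MAC repeated 16 times, and an optional
    6-byte SecureOn password (written like a MAC) appended at the end."""
    pkt = b"\xff" * 6 + mac_to_bytes(mac) * 16
    if secureon is not None:
        pkt += mac_to_bytes(secureon)
    return pkt

def parse_magic_packet(data: bytes):
    """Return (mac, secureon_or_None) for a well-formed payload, else raise."""
    if len(data) not in (102, 108):
        raise ValueError("unexpected length %d" % len(data))
    if data[:6] != b"\xff" * 6:
        raise ValueError("missing sync stream")
    mac = data[6:12]
    if data[6:102] != mac * 16:
        raise ValueError("MAC repetitions differ")
    pw = bytes_to_mac(data[102:108]) if len(data) == 108 else None
    return bytes_to_mac(mac), pw

def nic_accepts(nic_mac: str, nic_password: Optional[str], data: bytes) -> bool:
    """What the sleeping NIC checks: the MAC must be its own and, if a SecureOn
    password is configured, the trailing six bytes must match it. A packet with
    an unknown MAC arriving on the forwarded port therefore does nothing."""
    try:
        mac, pw = parse_magic_packet(data)
    except ValueError:
        return False
    if mac != bytes_to_mac(mac_to_bytes(nic_mac)):
        return False
    if nic_password is None:
        return True
    return pw == bytes_to_mac(mac_to_bytes(nic_password))
```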