First off, you need to obtain the Pulse Secure client as a deb file from your network administrator. I have version 8.2R5.

For some reason the client does not list any dependencies when installing so you must install the needed (32 bit) libraries by hand (PulseClient.sh does not work without changes):

$ sudo apt install libwebkitgtk-1.0-0:i386 libdconf1:i386 dconf-gsettings-backend:i386

It is also necessary to add Pulse’s libraries to the dynamic linker’s search path (the system-wide equivalent of setting LD_LIBRARY_PATH). This is done by running:

$ echo "/usr/local/pulse" | sudo tee /etc/ld.so.conf.d/pulse.conf
$ sudo ldconfig

The above instructions work for Ubuntu 16.04, 16.10, 17.04 and 17.10. In 17.04 and 17.10 you also need to install net-tools to get ifconfig:

$ sudo apt install net-tools

After using Linux Mint with Cinnamon for a long time I am now back with Ubuntu with GNOME (reluctantly, I may add).

One thing I have noticed is there does not seem to be an option in the settings to change your preferred terminal emulator.

(This guide applies to any Debian/Ubuntu based distribution)

For some reason (complexity perhaps) it is not possible to configure full-disk encryption and LVM from the graphical installer in the desktop edition. It is possible to select full-disk encryption but this only creates one filesystem (root).

I want to use LVM to allow me to have more than one filesystem without having to enter more than one password during boot-up. It is not impossible to install Ubuntu desktop (or Linux Mint as in this guide) with encryption and LVM but it does require a little more work.


I’ve started to use copy.com instead of services like Dropbox, SpiderOak and similar.

Why? Because it’s fast (unlike Dropbox), it’s simple (unlike SpiderOak) and it runs on all major platforms (Windows, OSX, Android, iOS and Linux, with both a graphical and a console client, each a native Linux application).

This article explains how to install the agent on Linux – more specifically how to run the console agent on a Ubuntu-derived distribution.


I have recently moved my hosting to a couple of VPSes at ChicagoVPS and wanted to use IPv6 (via tunnelbroker.net).

ChicagoVPS uses OpenVZ, which presents a couple of problems:

$ ifconfig sit0
sit0: error fetching interface information: Device not found
$ sudo modprobe ipv6
FATAL: Module ipv6 not found.

It turns out this is a fairly common problem, though OpenVZ is supposed to support IPv6. Luckily, someone made a small userland program (tb-tun) which “tunnels” IPv6 tunnels through a TUN/TAP device.

First, it requires TUN/TAP device support to be enabled in the VPS. This is done in the control panel under settings.


Note! – Changing this setting will reboot your VPS without warning!

Next, make sure the build-essential package is installed (it’s included in the Ubuntu template at ChicagoVPS)

$ sudo apt-get install build-essential

Now, download and install the tb-tun program

$ mkdir tb-tun
$ cd tb-tun
$ wget https://tb-tun.googlecode.com/files/tb-tun_r18.tar.gz
$ tar zxvf tb-tun_r18.tar.gz
$ gcc tb_userspace.c -l pthread -o tb_userspace
$ sudo mv tb_userspace /usr/local/sbin

Before continuing, I recommend looking up the following information:

Server IPv4 Address - This is the IPv4 address of the Tunnelbroker gateway
Client IPv4 Address - This is the IPv4 address of your server
Client IPv6 Address - This is the IPv6 address of your server (for the tunnel end-point)
Routed /64 - This is your network

Next, you need to ensure your iptables configuration allows incoming encapsulated IPv6 traffic (protocol 41). Since ufw is a PITA to get to work on OpenVZ, I’m using iptables-persistent, which simply means adding one line to /etc/iptables-persistent/rules.v4:

# IPv6 tunnel
-A INPUT -p 41 -s <Server IPv4 Address> -j ACCEPT

You also need to secure your server on IPv6, in /etc/iptables-persistent/rules.v6:

*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow ping
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -j DROP
COMMIT

Apply the new rules

$ sudo service iptables-persistent reload

Finally, you are ready to set up your tunnel in /etc/network/interfaces

auto tb
iface tb inet6 manual
        pre-up  setsid /usr/local/sbin/tb_userspace tb <Server IPv4 address> <Client IPv4 address> sit > /dev/null &
        up      ifconfig tb up
        post-up ifconfig tb inet6 add <Client IPv6 address>/64
        post-up ifconfig tb inet6 add <Routed /64>:1/64
        post-up ifconfig tb mtu 1480
        post-up route -A inet6 add ::/0 dev tb
        post-up netstat -rn6 | grep -q venet0 && route -A inet6 del ::/0 dev venet0
        down    ifconfig tb down
        post-down       route -A inet6 del ::/0 dev tb
        post-down       killall tb_userspace

In my setup it looks like this:

auto tb
iface tb inet6 manual
        pre-up  setsid /usr/local/sbin/tb_userspace tb 209.51.181.2 192.210.137.214 sit > /dev/null &
        up      ifconfig tb up
        post-up ifconfig tb inet6 add 2001:470:1f10:74b::2/64
        post-up ifconfig tb inet6 add 2001:470:1f11:74b::1:1/64
        post-up ifconfig tb mtu 1480
        post-up route -A inet6 add ::/0 dev tb
        post-up netstat -rn6 | grep -q venet0 && route -A inet6 del ::/0 dev venet0
        down    ifconfig tb down
        post-down       route -A inet6 del ::/0 dev tb
        post-down       killall tb_userspace

Now, I just have one question

Y U NO

(Actually I know, and understand, why. It’s still annoying though)

iptables is not always easy to deal with so I prefer to use Uncomplicated firewall (ufw) in Ubuntu, because it simplifies configuring and maintaining my firewall rules.

Unfortunately, ufw does not play nice with OpenVZ containers so I decided to find something else. In the end (after testing various things) I decided to install the package iptables-persistent which is not as sexy as ufw but gets the job done.

iptables-persistent uses two configuration files

/etc/iptables-persistent/rules.v4
/etc/iptables-persistent/rules.v6

Both files can be generated during installation.

A simple version of /etc/iptables-persistent/rules.v4 may look like this:

*filter
#  Allows all loopback (lo) traffic and drops all traffic to 127/8 that doesn't use lo
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j DROP

# Allow all traffic from tun-devices (VPN)
-A INPUT -i tun+ -j ACCEPT

#  Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#  Allows all outbound traffic
#  You could modify this to only allow certain traffic
#  This is in addition to allowing established and related traffic as listed above
-A OUTPUT -j ACCEPT

# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

#  Allows SSH connections from trusted-host only - drop the rest
-A INPUT -p tcp --dport 22 -s 1.2.3.4 -j ACCEPT

# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

# Drop all other inbound - default deny unless explicitly allowed policy (change to REJECT if you wish to reject packets instead of dropping them)
-A INPUT -j DROP
-A FORWARD -j DROP

COMMIT

After making changes to your rules files, apply them by running

$ sudo service iptables-persistent reload
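
Both rules files above depend on first-match ordering with a catch-all DROP as the last INPUT rule. As an added example (not part of the original post), this shell function lints a rules.v4 or rules.v6 file offline before you reload it; the finding labels and the sample rules are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): offline lint for a rules file in
# iptables-restore format. It only reads text; the live firewall is untouched.
# Finding labels (UNREACHABLE, OLD_NEGATION, ...) are names chosen for this example.

lint_rules() {
    awk '
    function report(msg) { print msg; bad = 1 }
    /^[ \t]*#/ || /^[ \t]*$/ { next }       # comments and blank lines
    /^\*/     { pending = 1; next }          # table header such as *filter
    /^COMMIT/ { pending = 0; next }
    $1 == "-A" {
        chain = $2
        # Rules are evaluated top-down, first match wins: anything appended
        # after a match-everything rule can never be reached.
        if (closed[chain]) report("UNREACHABLE line " NR ": " $0)
        if (NF == 4 && $3 == "-j" && $4 ~ /^(ACCEPT|DROP|REJECT)$/) {
            closed[chain] = 1
            final[chain] = $4
        }
        # "-i ! lo" style negation is deprecated; "! -i lo" is the current form.
        for (i = 3; i < NF; i++)
            if ($i ~ /^-/ && $(i + 1) == "!")
                report("OLD_NEGATION line " NR ": " $0)
    }
    END {
        if (pending) report("NO_COMMIT: table is never committed")
        if (final["INPUT"] !~ /^(DROP|REJECT)$/)
            report("NO_DEFAULT_DENY: INPUT has no final DROP/REJECT")
        exit (bad ? 1 : 0)
    }' "${1:--}"
}

# Constructed sample: the SSH allow rule was appended after the catch-all DROP.
sample='*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -j DROP
-A INPUT -p tcp --dport 22 -s 1.2.3.4 -j ACCEPT
COMMIT'
printf '%s\n' "$sample" | lint_rules || echo "fix the findings before reloading"
```

Run it as `lint_rules /etc/iptables-persistent/rules.v4` (or pipe a file in); it exits non-zero when it reports anything. It checks ordering only, so `iptables-restore --test` remains the way to validate syntax without committing.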

As always with a new Ubuntu release comes the problem of getting Cisco’s VPN client to install (and no, using vpnc instead is not really an option since the VPN concentrator doesn’t play nice and drops the connection from time to time)

The problem this time is the kernel version of Ubuntu 11.10 – The new 3.0 series kernel.

I’ve made a patch which will make the kernel module compile and install on the 3.0 kernel.

If you have the vanilla Linux client, you still need the patches here. If the installation/compile fails, make sure you have installed all relevant patches as well as the packages needed to install (ia32-libs build-essential linux-headers-`uname -r`).

At some point Veritas released the Cluster Manager (Java Console) for Linux. Of course, Linux means Red Hat (and other RPM based flavours). Luckily it isn’t too hard to make it work on Ubuntu (and friends).

First, get the software – This requires a SymAccount. And no, I will not send you the software

Now, prepare your Ubuntu box

$ sudo apt-get install alien fakeroot

And finally convert and install the package

$ fakeroot alien -c VCS_Cluster_Manager_Java_Console_5.1_for_Linux.rpm
$ sudo dpkg -i vrtscscm_5.1.00.20-1_all.deb

Now, from a terminal or otherwise (ALT-F2 in various Ubuntus) run

$ /opt/VRTSvcs/bin/hagui

Or create a desktop entry for the Cluster Manager to put it in the menu

Create the file ~/.local/share/applications/hagui.desktop

[Desktop Entry]
Version=1.0
Name=Veritas Cluster Manager
GenericName=Veritas Cluster Manager
Comment=Manage Veritas clusters
Exec=/opt/VRTSvcs/bin/hagui
Terminal=false
Icon=ClusterManager
Type=Application
Categories=System

Copy ClusterManager.png to ~/.icons

The fix itself is the same as for Python 2.5 – only the line numbers have changed.

Open the file /usr/lib/python2.7/locale.py and find the line containing en_gb (line 921) and add these lines (this works for Danish locales):

    'en_dk':                                'en_DK.ISO8859-1',
    'en_dk.iso88591':                       'en_DK.ISO8859-1',
    'en_dk@euro':                           'en_DK.ISO8859-15',

In order to avoid this change getting overwritten by package updates, I use dpkg-divert:

$ sudo dpkg-divert --add --rename --divert /usr/lib/python2.7/locale.py.real /usr/lib/python2.7/locale.py
$ sudo cp /usr/lib/python2.7/locale.py.real /usr/lib/python2.7/locale.py

If you wish to remove the diversion (if the package is fixed to support your locale at some point) simply run

$ sudo dpkg-divert --rename --remove /usr/lib/python2.7/locale.py

When I switched from Apache2 to nginx, the software used to run my pastebin needed to be changed (I used Perl NoPaste, which is CGI based and I didn’t feel like messing with FastCGI wrappers). Instead I chose LodgeIt.

LodgeIt is not just another pastebin: it features a clean user interface, different color schemes for source code, replies to pastes, support for all languages Pygments supports, and XMLRPC support.

LodgeIt spawns its own webserver, which I placed behind nginx.

  1. Install required packages
    sudo apt-get install python-imaging python-sqlalchemy python-jinja2 python-pybabel python-werkzeug python-simplejson mercurial python-pygments
  2. Go to the directory where you want LodgeIt to live and check out the Mercurial repository
    hg clone http://dev.pocoo.org/hg/lodgeit-main
  3. cd into lodgeit-main, open manage.py and change the lines
    dburi
    SECRET_KEY
  4. Download the init script and place it in /etc/init.d and change the lines
    APP_PATH
    DAEMON_OPTS
    RUN_AS
  5. Configure autostart
    sudo update-rc.d lodgeit defaults
  6. Start the program
    sudo service lodgeit start

The init-script is also available for viewing

The nginx configuration is pretty easy – the only caveat is the fact that nginx does not support IPv6 for upstream servers, which is why lodgeit is configured to explicitly listen on 127.0.0.1 (and not localhost, which on an IPv6-enabled host is ::1).

server {
        listen [::]:80;
        server_name my.server;

        access_log /var/log/nginx/my.server-access.log;
        error_log /var/log/nginx/my.server-error.log;

        location / {
                # LodgeIt listens on 127.0.0.1 only, so address it by IPv4 literal
                proxy_pass http://127.0.0.1:20000/;
        }
}