Category Archives: Linux

Create .ovpn file from openVPN configuration files

The .ovpn file format is a single-file version of the usual three- or four-file OpenVPN setup (config, CA certificate, client certificate and client key) with the PEM blocks embedded inline. It is very handy for mobile setups such as Android or iOS, or for Mac applications like Tunnelblick. Following my recent OpenVPN post, you only need a file like this:

client
remote example.com
comp-lzo yes
dev tun
proto udp
nobind
auth-nocache
script-security 2
persist-key
persist-tun
user nobody
group nogroup

<ca>
-----BEGIN CERTIFICATE-----
# insert content of your ca.crt
-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----
# insert only the PEM part of your user.crt (from BEGIN to END; leave out the text dump easy-rsa prints above it)
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN PRIVATE KEY-----
# insert content of your user.key
-----END PRIVATE KEY-----
</key>

Remember to transfer that file securely: it contains your private key, so do NOT send it via unencrypted email to your external device 🙂
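The assembly step above is easy to get wrong by hand (copying the "Certificate:" text dump along with the PEM, or forgetting the server's tls-auth key), so here is a small script that builds the .ovpn from an easy-rsa keys directory. This is an added example, not code from the original post; the keys directory, client name and server host are arguments, and ta.key is assumed to exist only if the server was set up with tls-auth:

```shell
#!/bin/sh
# Added example: assemble an inline .ovpn from the files easy-rsa leaves in its
# keys directory. Assumption: ca.crt, <client>.crt and <client>.key are in
# <keys_dir>; an optional ta.key there means the server uses tls-auth.
set -eu

# pem_only <file>: print only the "-----BEGIN ...-----"/"-----END ...-----" block.
# easy-rsa .crt files start with a human-readable "Certificate:" dump that
# OpenVPN rejects inside <cert>, so that part must not be copied.
pem_only() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# build_ovpn <keys_dir> <client> <server_host> [port]  -> .ovpn on stdout
build_ovpn() {
    keys_dir=$1; client=$2; server=$3; port=${4:-1194}
    for f in ca.crt "$client.crt" "$client.key"; do
        [ -r "$keys_dir/$f" ] || { echo "missing $keys_dir/$f" >&2; return 1; }
    done
    cat <<EOF
client
dev tun
proto udp
remote $server $port
nobind
persist-key
persist-tun
auth-nocache
remote-cert-tls server
comp-lzo yes
verb 3
<ca>
$(pem_only "$keys_dir/ca.crt")
</ca>
<cert>
$(pem_only "$keys_dir/$client.crt")
</cert>
<key>
$(pem_only "$keys_dir/$client.key")
</key>
EOF
    # tls-auth only if the server has one; the client side is key direction 1
    if [ -r "$keys_dir/ta.key" ]; then
        printf 'key-direction 1\n<tls-auth>\n%s\n</tls-auth>\n' "$(pem_only "$keys_dir/ta.key")"
    fi
}

# Usage (the output embeds the private key, so create it with a tight umask
# and move it over an encrypted channel only):
#   umask 077
#   build_ovpn /etc/openvpn/easy-rsa2/keys client1 vpn.example.com > client1.ovpn
```

`remote-cert-tls server` makes the client refuse a certificate that was not issued with the server extended key usage, which easy-rsa's build-key-server sets; any `cipher` or `auth` line the server pins must be repeated in the .ovpn, since OpenVPN 2.3 does not negotiate them.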

 

OpenVPN Server with easy-rsa on Ubuntu 14.04 easy setup

In case you want to run a simple OpenVPN server on your own host, but like me think most tutorials do not focus enough on plain commands, feel free to follow this little instruction set:

# install openvpn and easy-rsa
sudo apt-get install openvpn easy-rsa
# copy the sample server config
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
# unzip it in place
sudo gunzip /etc/openvpn/server.conf.gz
# copy the easy-rsa scripts (they do the key generation)
sudo cp -r /usr/share/easy-rsa /etc/openvpn/easy-rsa2
# the keys folder is sometimes missing, so create it to be sure
sudo mkdir -p /etc/openvpn/easy-rsa2/keys
# since 14.04 easy-rsa's build-key-server fails unless KEY_ALTNAMES is set in vars
# (the value is arbitrary; "Irgendwas" is German for "anything")
sudo sh -c 'echo "export KEY_ALTNAMES=\"Irgendwas\"" >> /etc/openvpn/easy-rsa2/vars'
# the scripts expect openssl.cnf: copy the config matching the installed OpenSSL version
sudo cp /etc/openvpn/easy-rsa2/openssl-1.0.0.cnf /etc/openvpn/easy-rsa2/openssl.cnf
# customize the vars file with the best editor in the world (vi, nano, ... work too)
sudo vim /etc/openvpn/easy-rsa2/vars

Set your /etc/openvpn/server.conf to:

port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa2/keys/ca.crt
cert /etc/openvpn/easy-rsa2/keys/server.crt
key /etc/openvpn/easy-rsa2/keys/server.key
dh /etc/openvpn/easy-rsa2/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3

Back in the terminal we will now start the crypto-foo:

# get root to simplify following commands
sudo -i
# change dir to the easy-rsa scripts folder
cd /etc/openvpn/easy-rsa2/
# set variables into current bash session
source ./vars
# clean existing dir (attention! deletes everything in keys folder)
./clean-all
# generate certificate authority key
./build-ca
# generate server key
./build-key-server server
# generate Diffie-Hellman parameters (can take some time)
./build-dh

And now you are basically done. If a firewall is in the way, remember to open the OpenVPN port (set in /etc/openvpn/server.conf, default 1194).
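The server.conf above is the sample config trimmed down, and it runs the daemon as root, accepts any certificate the CA ever issued, and lets every client see every other client. The following is an added example, not part of the original post: a hardened variant of that server.conf for OpenVPN 2.3 as shipped with Ubuntu 14.04, plus a small audit function that reports which hardening directives a given server.conf is missing. The keys path is the post's; ta.key and crl.pem are assumed to be created next to the other keys as the comments describe.

```shell
#!/bin/sh
# Added example: hardened variant of the post's server.conf and an audit of the
# directives it adds. Assumes OpenVPN 2.3 directive names and that ta.key and
# crl.pem live in the same keys directory as ca.crt.
set -eu

# explain <directive>: why the audit cares about it
explain() {
    case $1 in
        user|group)      echo "drop root once the tunnel is up (user nobody / group nogroup)" ;;
        tls-auth)        echo "HMAC-sign control packets so unauthenticated traffic is dropped before TLS" ;;
        remote-cert-tls) echo "reject a client that presents a server certificate (remote-cert-tls client)" ;;
        cipher|auth)     echo "pin the data-channel cipher/HMAC instead of the BF-CBC/SHA1 defaults" ;;
        crl-verify)      echo "honour certificates revoked with easy-rsa revoke-full" ;;
    esac
}

# audit_server_conf <server.conf>: print each missing directive, return 1 if any
audit_server_conf() {
    conf=$1; missing=0
    for directive in user group tls-auth remote-cert-tls cipher auth crl-verify; do
        if ! grep -Eq "^[[:space:]]*$directive([[:space:]]|\$)" "$conf"; then
            echo "missing: $directive -- $(explain "$directive")"
            missing=1
        fi
    done
    return $missing
}

# hardened_server_conf <keys_dir>: emit the post's server.conf with the
# directives above added and client-to-client removed
hardened_server_conf() {
    k=$1
    cat <<EOF
port 1194
proto udp
dev tun
ca $k/ca.crt
cert $k/server.crt
key $k/server.key
dh $k/dh2048.pem
# generate once: openvpn --genkey --secret $k/ta.key ; clients embed it with key-direction 1
tls-auth $k/ta.key 0
# a client must present a client certificate, never a copy of the server's
remote-cert-tls client
# must match the client config exactly: 2.3 does not negotiate these
cipher AES-256-CBC
auth SHA256
# crl.pem: from the easy-rsa dir run ". ./vars && openssl ca -gencrl -out keys/crl.pem -config openssl.cnf"
# openvpn refuses to start while the file is missing
crl-verify $k/crl.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
# client-to-client omitted: VPN clients should not reach each other unless they must
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
EOF
}

# Usage:
#   audit_server_conf /etc/openvpn/server.conf
#   hardened_server_conf /etc/openvpn/easy-rsa2/keys > /etc/openvpn/server.conf
```

`persist-key` and `persist-tun` are what make the privilege drop workable: after `user nobody` the daemon can no longer re-read the key or reopen the tun device on a restart, so both are kept from the original config.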

To add clients, each with its own key pair, use distinct key names:

sudo -E ./build-key client1
sudo -E ./build-key client2
sudo -E ./build-key client3

or, in case you want the key password protected (which means entering the password every time you connect):

sudo -E ./build-key-pass client1
sudo -E ./build-key-pass client2
sudo -E ./build-key-pass client3

Now safely(!) distribute the keys to your client machines, using PGP, secure USB sticks or printed paper 🙂, according to the following scheme:

[key distribution diagram: original by yed, licensed under CC BY-SA 4.0]

You might

Do not forget to start your server:

/etc/init.d/openvpn start server

If you want to use these files on a client with NetworkManager, install the required plugin:

sudo apt-get install network-manager-openvpn

and set the following options:

[screenshot: OpenVPN connection settings in NetworkManager]

It is also possible to generate a .conf or .ovpn file, which is required by some apps, e.g. on Android and iOS, but that will be handled in a separate post soon.

my first Thinkpad T450s experiences

tl;dr: probably my device was the laptop version of a lemon car, which drove me nuts, but I still want to have a (properly working) T450s again


I recently got a brand new Thinkpad T450s, which I had been waiting for since December, and yet I am writing this post from my old sloppy Asus F3JA. You might ask yourself why; well, the reasons are manifold, but in the end they led to sending it back to the manufacturer. First the positive things: the 14" FullHD display is amazing, the magnesium case very stable and nice, and the backlit keyboard really impressed me and improved my coding experience. Both the integrated and the external battery lasted longer than on any device I have had, but still…

iwlwifi drove me mad, unable to hold a connection for longer than a few minutes, which interrupted my workflow significantly. Furthermore several things like brightness and power-saving settings didn't work properly and blinded me at night while burning power. Last but not least, the squeak of doom:

[YouTube video]

Every time you put your hand on the laptop it groaned as if it didn't like to be used. After two days I shredded the 320 GB SSD by overwriting it with random data and sent it back as a warranty case. Hopefully this device will be replaced, as none of the errors I had occurred on my colleague's T450s, which came from the same order at the same time.

But still, in conclusion: I really like the T450s; it is very light, feels right, and is really powerful and mobile. Its 14" fits perfectly into a usual European A4 (default paper size) bag and its case keeps it intact. Overall I really look forward to getting a properly working version of this little fellow soon.

Defending the planet using docker and ssl

In the recent days I moved this blog to a new server, mainly to fix the latest SSL issues such as POODLE, Heartbleed and SSL downgrade attacks. To save money I used the free StartSSL.com-signed certificate, which signs privately generated certificate signing requests for your main site and one subdomain. This not only keeps the little padlock next to the address bar green but also gives a higher rank in Google searches in future.

But moving a blog from a physical server usually means a lot of pain: files have to be moved, databases exported and imported again, configuration files adjusted, and so on. To avoid this work in future I researched possible solutions. None of this is new: virtualization and containerization are technologies several years old. The most remarkable approach in my opinion is Docker. It is more lightweight than VMware or VirtualBox while supporting most of the features they offer, and with it you can run multiple Linux instances on a single physical host. It also has an isolation benefit: every service runs inside its own container, so a compromise of one does not directly hand over the others. Containers share the host kernel, though, so that isolation is weaker than a VM's and no substitute for keeping the host and the images patched.

It is also possible to version a dockerized application and share it via GitHub. For WordPress several images are available: docker-wordpress by jbfink and docker-wordpress-nginx by eugeneware. Both lack Docker VOLUME support, but after adding that they still saved a lot of work.

In conclusion, this blog now runs in its own container with its own nginx, MySQL and PHP instances. The container is exposed by an nginx SSL reverse proxy, which can be fronted by Varnish caching if that is ever required.

Howto flash an image to Raspberry Pi or Banana Pi using dd and a progressbar

Most tools don't show reliable progress information when flashing an operating system image to an SD card. If you use dd to copy, this can be solved with the nice pv tool:

pv -tpreb /path/to/image.img | dd of=/dev/yourUSBorSDSlotTarget bs=1M

which results in:

[screenshot of pv output, 21.01.2015]

and really lightens up the wait when flashing Pi devices like the Raspberry Pi or Banana Pi. Double-check the target device name (lsblk) before running it: dd writes to whatever you name, and a wrong of= overwrites the disk you are working from.
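The pipeline above does exactly what it is told, which is the problem when the wrong device is named. As an added example, not code from the original post, here is the same pv | dd pipeline wrapped in the checks that catch the common mistakes: a partition named instead of the whole card, a target that is still mounted, and a missing image. Device names are illustrative; the mount table defaults to /proc/mounts and can be overridden for testing:

```shell
#!/bin/sh
# Added example: pv | dd with guards against flashing the wrong target.
# Assumptions: Linux device naming (/dev/sdX, /dev/mmcblkN, /dev/nvmeXnY),
# GNU dd (conv=fsync) and pv installed.
set -eu

# is_partition <dev>: 0 if the name looks like a partition rather than a whole disk
is_partition() {
    case $1 in
        /dev/sd?[0-9]*|/dev/mmcblk[0-9]*p[0-9]*|/dev/nvme[0-9]*n[0-9]*p[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# target_mounted <dev> [mounts_file]: 0 if dev or any of its partitions is mounted
target_mounted() {
    dev=$1; mounts=${2:-/proc/mounts}
    grep -Eq "^$dev(p?[0-9]+)?[[:space:]]" "$mounts"
}

# flash_image <image> <dev>: refuse partitions and mounted targets, show what is
# about to be overwritten, then stream the image with a progress bar
flash_image() {
    img=$1; dev=$2
    [ -r "$img" ] || { echo "cannot read image $img" >&2; return 1; }
    [ -b "$dev" ] || { echo "$dev is not a block device" >&2; return 1; }
    if is_partition "$dev"; then
        echo "$dev is a partition; the image carries its own partition table, name the whole device" >&2
        return 1
    fi
    if target_mounted "$dev"; then
        echo "$dev has mounted filesystems; umount them first" >&2
        return 1
    fi
    lsblk -o NAME,SIZE,MODEL,MOUNTPOINT "$dev" >&2   # last look before writing
    pv -tpreb "$img" | dd of="$dev" bs=4M conv=fsync
    sync
}

# Usage:
#   sudo sh -c '. ./flash.sh; flash_image /path/to/image.img /dev/mmcblk0'
```

The mounted-target check also refuses the disk the running system lives on, because its root filesystem appears in /proc/mounts; `conv=fsync` makes dd wait for the card to acknowledge the data before reporting success, so pv's 100% is not reached while megabytes are still in the page cache.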

 

Synchronize the time in ROS offline environments without chrony

As our CubieTruck is faced with strange issues when using chrony, and internet access is not a general prerequisite on ROS setups, I needed to figure out a new way to synchronize the time with no internet NTP server available. For some reason even my local ntp was broken, which is why I set the time according to the ROS master on all clients with this simple bash command:

ntpdate $(echo "$ROS_MASTER_URI" | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b")

It simply extracts the IPv4 part of the $ROS_MASTER_URI environment variable and uses ntpdate to set the time on the executing client system. This requires an NTP server (e.g. ntpd) running on the master, and it only works if the master is given as an IPv4 address rather than a hostname.

In case you only want to know the exact time deviation, use the ntpdate parameter -q, which only queries the offset without setting the clock.
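The regex above only works when ROS_MASTER_URI carries an IPv4 address. As an added example, not from the original post, here is the same idea done with shell parameter expansion so that a master given as a hostname or an IPv6 literal is handled too, with the query-only mode as an option:

```shell
#!/bin/sh
# Added example: take the host out of ROS_MASTER_URI (http://host:11311/)
# and hand it to ntpdate. Assumes the master runs an NTP server (ntpd);
# ntpdate -u and -q are the standard ntpdate options.
set -eu

# ros_master_host [uri]: print the host part of a ROS master URI
# (default: $ROS_MASTER_URI); handles host, host:port and [ipv6]:port
ros_master_host() {
    uri=${1:-${ROS_MASTER_URI:-}}
    [ -n "$uri" ] || { echo "ROS_MASTER_URI is not set" >&2; return 1; }
    h=${uri#*://}              # drop scheme
    h=${h%%/*}                 # drop path
    case $h in
        \[*\]*) h=${h#\[}; h=${h%%\]*} ;;   # [ipv6]:port
        *)      h=${h%%:*} ;;               # host:port
    esac
    [ -n "$h" ] || { echo "no host in $uri" >&2; return 1; }
    printf '%s\n' "$h"
}

# sync_to_master [--check]: set the clock from the master, or only report the offset
sync_to_master() {
    host=$(ros_master_host) || return 1
    if [ "${1:-}" = "--check" ]; then
        ntpdate -q "$host"            # query only, clock untouched
    else
        sudo ntpdate -u "$host"       # -u: unprivileged source port, passes stricter firewalls
    fi
}

# Usage:
#   sync_to_master --check   # show offset
#   sync_to_master           # step the clock
```

Stepping the clock with ntpdate is a one-shot correction; on a node that keeps drifting it has to be repeated (a cron entry is the usual answer), and a large step can confuse running ROS nodes that compare timestamps, so prefer `--check` first and synchronize before starting the nodes.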

Using Chrony on CubieTruck

Don’t.

Unless you really know what you are doing.

To synchronize the clock and fix a minimal time shift I was detecting, I followed the idea of the TurtleBot2 and used chrony to fix that. Chrony is a little daemon that connects to your Linux clock or hwclock and detects shifts. For some reason this led to total chaos on the amosero.
I suppose chrony hasn't been built for multicore, dynamically clocked processors like the A20, which is why the shift has been erratic and up to 2 seconds per minute.

sudo apt-get remove chrony

fixed all timing errors on the CubieTruck. It is also a bit disturbing how little changes can affect complex setups.

 

 

ROS – [rosout-1] process has died, exit code -11

Some days ago I started roscore and got faced with an error message like that:

process[rosout-1]: started with pid [16089]
[rosout-1] process has died [pid 16089, exit code -11, cmd /opt/ros/indigo/lib/rosout/rosout __name:=rosout __log:=/home/rosuser/.ros/log/9b3b3980-0b60-11e4-80f9-0015afdb2ab9/rosout-1.log].
log file: /home/rosuser/.ros/log/9b3b3980-0b60-11e4-80f9-0015afdb2ab9/rosout-1*.log

Okay, so roscore seemed to have crashed and created a log file at the given path. But the log file was empty *please imagine dramatic sound effects here*. But what do you do if a program (rosout?) crashes without a log file and with an error message like the above?

You restore your well-made system-wide backups (ZFS or Btrfs snapshots, virtual machines, LVM or anything else). If you forgot to make them… *fail sound here* you may need to check manually what changed since it last worked.

And so I did. For several days.

I soon figured out that this error applied to all roscpp-related ROS programs but left all rospy parts alive, which finally put me on track: there had been a kernel update of my Ubuntu 14.04, which I unfortunately installed in a moment of weak decision-making.
So reverting that would have been an option; furthermore my libboost version seemed to have changed, and since ROS is very sensitive to that, this might have been the problem. Therefore I tried everything: manually reverting updates, reinstalling packages, recompiling everything from source, searching system logs, and soon seriously considered resetting my system by installing good old 13.04 with ROS Hydro…

But wait! Sometimes you strike it lucky and time solves all issues. Today I just upgraded my ROS from their repos and tadaaa, everything works again.

But why do I write this in a post? Because it's easy to avoid situations like that, and I want to share my hard-learned lessons with you the easy way:

  1. Get your ROS version straight: do you really need the latest ROS on the latest kernel?
    The answer for your system is probably no. I am currently running stable ROS Hydro and 'unstable' ROS Indigo on Ubuntu 14.04 on the latest kernel. It works, but it would have been way easier to stick with Hydro all the way.
  2. Avoid apt-get dist-upgrade on critical ROS machines.
  3. Use backups and/or virtual machines.
  4. rospy hasn't caused any problems so far; in case performance isn't the most important thing, think about using Python.
  5. Avoid putting all your catkin_ws code into one git repository if it runs on multiple architectures (x86, x64, arm6, arm7); the openni2_driver alone took nearly all my sanity while learning that lesson….

That is enough for today, but after this list I am really thinking about tracking all hard-learned lessons in a more public and better organised location. ROS best practices? We'll see.

 

 

show apt-get history in Ubuntu / Debian

Sometimes you need information about your apt-get install / upgrade / remove history (for example if you destroyed the ROS install on your laptop).

By adding a little snippet to your .bashrc you get a very useful tool. It reads /var/log/dpkg.log, which logrotate rotates weekly, so older history is in dpkg.log.1 and dpkg.log.*.gz.

# apt-history [install|upgrade|remove|rollback FROM TO]
# dpkg.log lines look like: "<date> <time> <action> <pkg:arch> <old-version> <new-version>"
function apt-history(){
      case "$1" in
        install)
              grep ' install ' /var/log/dpkg.log
              ;;
        upgrade|remove)
              grep " $1 " /var/log/dpkg.log
              ;;
        rollback)
              # upgrade lines from the first line matching $2 to the next line matching $3,
              # printed as pkg=old-version, i.e. what "apt-get install pkg=old-version" wants
              grep ' upgrade ' /var/log/dpkg.log |
                  sed -n "/$2/,/$3/p" |
                  awk '{print $4"="$5}'
              ;;
        *)
              cat /var/log/dpkg.log
              ;;
      esac
}

Now running

apt-history install
[...]
2014-07-14 19:08:13 install ros-indigo-desktop-full:i386 <none> 1.1.3-0trusty-20140711-1919-+0000

brings you all install entries with timestamp and version information. Note: 'upgrade' and 'remove' work too instead of 'install'. 'rollback' brings you the version information you might need for what I now call a downgrade.
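The rollback output is only useful once it is turned into an actual apt-get command, and a package upgraded twice inside the window must be taken back to its oldest version, not the middle one. As an added example, not code from the original post, here is that step as a function over any dpkg.log (the log format is the one shown above; the sample log in the test is constructed):

```shell
#!/bin/sh
# Added example: build an apt-get downgrade command from dpkg.log upgrade records.
# dpkg.log format: "<date> <time> upgrade <pkg:arch> <old-version> <new-version>"
set -eu

# rollback_plan <dpkg.log> <from> <to>: print "pkg:arch=old-version" for every package
# upgraded between the first line matching <from> and the next line matching <to>
# (to end of file if <to> never matches); a package upgraded twice in that window
# is listed once, with its oldest version, so the downgrade lands before the window
rollback_plan() {
    log=$1; from=$2; to=$3
    sed -n "/$from/,/$to/p" "$log" |
    awk '$3 == "upgrade" && !seen[$4]++ { print $4 "=" $5 }'
}

# downgrade_cmd <dpkg.log> <from> <to>: the same as one apt-get line, for review
# before running it (newer apt additionally needs --allow-downgrades; trusty does not)
downgrade_cmd() {
    plan=$(rollback_plan "$@") || return 1
    [ -n "$plan" ] || { echo "no upgrades between '$2' and '$3'" >&2; return 1; }
    printf 'sudo apt-get install %s\n' "$(printf '%s' "$plan" | tr '\n' ' ')"
}

# Usage:
#   downgrade_cmd /var/log/dpkg.log '2014-07-20 10:00' '2014-07-21 09:00'
```

The old versions must still be in a reachable repository or in /var/cache/apt/archives for the downgrade to succeed; apt-get will say so per package if they are not, which is another reason to look at the generated line before executing it.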

Using TU-BAF VPN on Ubuntu with NetworkManager and VPNC

Using the VPN of the Technical University Bergakademie Freiberg on Ubuntu 14.04 and earlier versions can be really easy. Please check that you are running NetworkManager, as you should by default.

Now install the network-manager-vpnc extension by:

sudo apt-get update && sudo apt-get install -y network-manager-vpnc

Using System Settings > Network Connections, or the nm-applet (the small network icon in your task bar) > Edit Connections, you should be able to follow these screenshots:

[screenshot: nm-applet menu]

[screenshots: Add VPN connection, steps 1 and 2]

Now set the empty fields to the values below; for the user name, use your default credentials:

[screenshot: Add VPN connection, step 3, connection values]

Click the Advanced button:

[screenshot: Add VPN connection, step 4, advanced settings]

Now the VPN should start by clicking inside the nm-applet:

[screenshot: Add VPN connection, step 5, connecting via nm-applet]

Please also see the official pages (in German):

http://tu-freiberg.de/urz-21
http://urz.tu-freiberg.de/urz/netze/vpn/index.html