5 April 2020

Setup PiVPN Endpoint Device



So PiVPN is setup. We’ve added the user/client into PiVPN. Now we need to setup the endpoint so they can connect back to PiVPN.

When we set up PiVPN we had to make a choice. We had to choose whether we wanted to use WireGuard or OpenVPN for the “magic” behind our VPN. In my article, we set up PiVPN using WireGuard, which was the PiVPN default.

So… we are going to want to download and install the WireGuard client on our endpoint device(s). Go ahead and get the latest/greatest version of the WireGuard client for your Operating System directly from WireGuard.

https://www.wireguard.com/install/

I’ll go over how to add it via QR code on your mobile iOS device. As well as how to add it from a config file onto a Desktop PC.

Note: If you created both a full and split-tunnel VPN client/user, then you will need to repeat the steps below to add the second profile.


Mobile Devices

Using a mobile OS like Apple’s iOS or Google’s Android, or other system that can read a QR code is probably going to be the easiest way to setup the endpoint device with it’s PiVPN configuration and encryption keys.

On the RPi, it’s possible to use PiVPN to generate a QR code for each client/device that you setup. That QR code will hold all the info that WireGuard needs on the endpoint to properly configure it. Just remember to guard that QR code and keep it safe… as it is literally the keys to your Castle/Home Network.

On the RPi, enter the following command below:

pivpn -qr

PiVPN will then list the users you have created, and you can choose which user you want a QR code to be generated for.

In my example, I get the QR code for the user “P-W-W-F”

On your mobile iOS device, open the WireGuard app.
Tap “+” to add a new tunnel.
Then tap “Create from QR code”.

Your phone’s camera will open and allow you to scan the QR code.

Give the VPN connection a name when prompted. I used the name “PiVPN”.

Click “Allow” when prompted to allow WireGuard to “Add VPN Confiurations” to your device.

It will then proceed to auto-magically set everything up for you.
You’ll have a simple toggle available in the WireGuard app that you can use to enable/disable your VPN.


Desktop Devices

Setting up the WireGuard app on a desktop is not hard, but it’s not as easy as simply scanning a QR code. PiVPN will automatically generate a file that will contain the configuration and encryption keys for each user/client, as you create each of your users/clients. We just have to copy that file from the RPi on to our desktop.

When we create the user/client in PiVPN, it generated a file named “User/Client.conf” and placed in the RPi’s users’ home folder.

In my example below, when I created the user “P-W-W-F” it generated the file “P-W-W-F.conf” and placed in the folder “/home/pi/configs”.

From your Desktop, open WinSCP, and connect to your RPi.
On the RPi side, navigate to the folder that was listed when you created your user/client in PiVPN.
Copy that “User/Client.conf” file over to your desktop.

On your Desktop, open the WireGuard app.
Click on button to “Import tunnels(s) from file”.

Browse to the file you copied off of your RPi, and click ‘Open’.
It will load all of your settings. Click the ‘Activate’ button to turn on your VPN.

Your PiVPN VPN using Wiregaurd is now active. You are now connected to it and can access all of your resources safely and securely.
To disconnect, just click the “Deactivate” button.


Next Article in this series: Remove PiVPN user/client

5 April 2020

Installing Pi-Hole



Installing Pi-Hole is really simple. In fact it only takes entering one line to setup.

curl -sSL https://install.pi-hole.net | bash

By running the above command essentially piping the curl command to bash, the RPi will automatically download and run PiVPN.

A cautionary note about piping curl to bash – Basically, be sure you trust the source, because you’re essentially letting them run whatever they want on your device!

You’ll see it start to load

Then you’ll have a few informational screens to click “Ok” through.

Note: Consider donating to Pi-Hole to keep the Pi-Hole project going – https://pi-hole.net/donate/

https://pi-hole.net/donate/

On this screen you choose the upstream DNS provider we want to use.
I’m going with Cisco’s OpenDNS, but can choose which ever you want.

Any of them are better then using your default ISP’s DNS. Regardless of what anyone tells you, none of them on this list are really that much better than any other. Yes, they each have a few different features that you’ll need to look into. But, let me be truthful with you, whichever one you do decide to choose it really just boils down to your personal preference. And… the best part is that you can easily change it anytime you want to use a different upstream DNS provider in the admin console, post-install.

Come back revisit this after you’ve gotten Pi-Hole up and running:
When you are ready to dive deeper down into the DNS hole, take a look at Steve Gibson’s DNS benchmark. Apparently one of the biggest considerations to take into account when choosing “the best” DNS is speed, and that is a metric which IS totally location dependent. He has an interesting tool that can help you run benchmarks against multiple DNS providers to see whom is “the best” for you.

Select the block lists you want to use.
I’m just leaving it default with all of the lists selected. These can all be changed (enabled/disable) later in the web admin interface.

Select which protocols (IPv4 and/or IPv6) that you wish to block ads on.
I’m leaving them both selected, which is the defaulted selection. These values can be changes later.

The next screen shows the RPi’s current IP address.
Mine is currently using a DHCP IP address, but we want set it to a static address. So I am going to click “No” here.

This screen is where the desired static IP address, and subnet mask (in CIDR format) gets set.
Your network will likely be different than mine, I’m setting mine to use the IP address 192.168.1.254.
As for the subnet mask, in most scenarios you can just use “/24”. That is CIDR shorthand for 255.255.255.0 and is basically saying that this subnet has 256 addresses in it; 192.168.1.0 to 192.168.1.255.

On this screen we enter the gateway.
This will most likely be your router’s IP address.
Mine is 192.168.1.1.

This screen shows us our updated settings.
Click “Yes” to accept the values you have entered.

Yes, we wish to install the web admin interface.

Yes, we wish for the web server to be installed and enabled.

Yes, we wish to log queries.

I want to see EVERYTHING!
You can change this to what you prefer. These will be the statistics you can see on the web admin interface. This value can get changed later from the web admin interface.
More info about this at: https://docs.pi-hole.net/ftldns/privacylevels

Pi-Hole will finish applying all of the settings it’s collected…

And then you are done. You did it!

The last screen of the Pi-Hole setup will show you the IP address and the URL for the web admin interface, as well as the admin password.

Press “Enter” to exit the installer and return to the command line.


Make your Pi-Hole the DNS of your network

Log into your router.

Navigate to it’s settings and clear any values that are currently set as it’s DNS.

Now enter the IP address of your Pi-Hole.

That’s it. Your network is now using Pi-Hole for all of it’s DNS queries.


Viewing your Network DNS Queries

Open a web browser and go to either the IP address of your RPi, or enter “pi.hole” as the URL.
In my example, I am either going to enter either “192.168.1.254/admin” or “pi.hole/admin”

That will load the Pi-Hole Web Admin Interface. Go ahead and click that login button. You’ll get even more details about what devices are doing on your network.

Pi-Hole does have some more advances features available in it that can allow it to act as your network’s DHCP server, on top of already serving up DNS. However I’ll save that for another time though…. For now, just sit back and enjoy fewer ads.


If you happened to this post by following my series about PiVPN, then click the following link to go to the next step: Part 3: Installing PiVPN

5 April 2020

Enabling SSH on Raspberry Pi

Raspbian ships with the SSH server disabled by default. Which is an excellent security baseline. However if you want to be able to remotely connect to your RPi, you’re going to need to enable it. Thankfully, it can be manually enabled from the desktop very easily.

Note: When enabling SSH on a Pi, or any device, you should change its default password to ensure that it remains secure. Especially if you are connecting that device to the internet.

These instructions are straight from the RPi documentation (which can be found here).

Launch “Raspberry Pi Configuration” from the “Preferences” menu
Navigate to the “Interfaces” tab
Select “Enabled” next to “SSH”
Click “Ok”

Alternatively, raspi-config can be used in the terminal:

Enter “sudo raspi-config” in a terminal window
Select “Interfacing Options”
Navigate to and select “SSH”
Choose “Yes”
Select “Ok”
Choose “Finish”

Alternatively, use systemctl to start the service

sudo systemctl enable ssh
sudo systemctl start ssh

The one special use case regarding enabling SSH that is not covered above is running your RPi “headless”. Which simply means that you are using the RPi without a display plugged into it.

For headless setup, SSH can be enabled by placing a file named “ssh”, without any extension, onto the boot partition of the SD card from another computer. When the Pi boots, it looks for the “ssh” file. If it is found, SSH is enabled and the file is deleted. The content of the file does not matter; it could contain text, or nothing at all.

If you have loaded Raspbian onto a blank SD card, you will have two partitions. The first one, which is the smaller one, is the boot partition. Place the file into this one.


Now you can use your favorite SSH tool to console into your Raspberry Pi device remotely.

I mostly work on Windows machines, and my go to SSH tool is called “Putty“. However, there’s LOTS of different SSH programs out there.
So… do some googling, try a few, and use whichever one you like best.


Going headless? See my article on setting up WiFi on a headless RPi


If you happened to this post by following my either of my series about Pi-Hole or PiVPN, then click the following link to go to the next step: Part 2: Installing Pi-Hole

26 March 2020

Howto: Folding@Home – VMware Fling


VMware is doing their part to help make it easy for folks to contribute to the Folding@Home (F@H) project. They have packaged together an appliance as an OVA file on VMware Flings that you can deploy on any of their virtualization products either on your hardware or in a cloud, using Workstation or Fusion, or ESXi hosts. That means that with just a few clicks you can download and deploy a VM running on the super light-weight PhotonOS that has the F@H client pre-installed and is ready-to-go.

You might be asking why this is so great, I mean the client isn’t exactly difficult to setup on other operating systems. Well you are correct. This fling is geared towards VMware virtualization enthusiasts and professionals that already have homelabs or datacenters, with idle compute power they want to contribute. By using those idle resources and dedicating an VM appliance towards contributing, it basically becomes a set-it-and-forget-it deal that will always be chugging along in the background.

If you are new to virtualization, then deploying this appliance can serve as a great way to learn about flings, appliances, and deploying a VM in general while contributing to a cause.

Note: If you intent to deploy this in your company’s data center, or your work pc/laptop, you should make sure to have permission to allow for it from the appropriate people in your organization before deploying, just to cover your ass.

Step 1: Create your Passkey

If you don’t already have a username and passkey, then the first thing you’ll need to do is create your user and get your passkey. You’ll use this later as you deploy the appliance. If you already have yours, then proceed to the next step.

https://apps.foldingathome.org/getpasskey

Just to let you know, when I signed up earlier this week, it took a few hours for me to receive my passkey from F@H. So don’t get upset if you don’t hear from them immediately after clicking “Get Passkey”.

Step 2: Download the Fling

The first thing we need to do is download the OVA from the WMware Flings website.
https://flings.vmware.com/vmware-appliance-for-folding-home

Step 3: Deploy

Workstation

1. Double-click on the OVA file you download to launch VMware Workstation. It will present you a wizard to “Import Virtual Machine”.
Enter a name and file path for your F@H appliance, then click ‘Next’.

2. Now to work down the options from the left pane…

-Enter a hostname
-Enter an IP address (leave blank if DHCP)
-Gateway
-DNS

-Enter password for the appliance; VMware1!
*This is the root password for the appliance

-Enter you F@H username
-Enter your F@H team (Leave as 52737 to contribute as part of VMware’s team)
-Enter your Passkey
-GPU (If using a GPU change to TRUE, if you are using a virtual machine with a GPU, this must be in passthrough mode)
-Enter F@H management networks info (can probably leave alone)
-F@H password defaults to the OS password (VMware1!)

Then click ‘Import’.

Go ahead and use my F@H username & passkey if you really want to fold as me… It just means my F@H user will get credit for any folding you do.

3. Once the import is complete, it should automatically power on. Go ahead and power it off. The first thing I recommend to do is upgrade the VM.

Click on “Upgrade this virtual machine” and follow the wizard to upgrade it to the highest version that is compatible in your environment. For me, it is Workstation 14.x.

Because this is an OVA file and so easy to re-deploy if I screw something up, I choose to just alter the VM, and not make a clone.

4. Next step is to edit the VM and add more CPUs, if desired. Click on “Edit virtual machine settings”.

Click on ‘Processors’. From the “Number of processors” dropdown you can choose how many processors you want to dedicate to this appliance. Then click ‘Ok’.

5. Go ahead and power on your F@H appliance.

ESXi / vCenter

1. In vCenter or on your ESXi host, right click on your Datacenter/Cluster/Host and select “Deploy OVF Template”.

2. Select the OVA file you downloaded earlier, and click ‘Next’.

3. Give your VM appliance a name, and click ‘Next’.

4. Walk thru the rest of the wizard. Choose your computer resource you wish to deploy it on to. Review the details. Select your storage. Select your network.

5. Customize the F@H template setting for your environment.
-Hostname
-IP address
-Gateway
-DNS
-OS ‘root’ password
-F@H username
-F@H passkey
-GPU
-F@H remote management password

Then click ‘Next’ and ‘Finish’ to deploy your new appliance.

6. Once deployed, make sure the vm is powered off. Right click on the vm and select ‘Edit Settings…”. Select CPU and from the dropdown adjust the CPU to the desired number you wish to dedicate to your appliance, and click ‘Ok’.

7. Power on your F@H vm and you are ready to start contributing.

Step 4: Troubleshooting

Once your appliance is up and running, there are a few command that you will find helpful.

Start and Stop
/etc/init.d/FAHClient start
/etc/init.d/FAHClient stop

Restart
/etc/init.d/FAHClient restart
Status
/etc/init.d/FAHClient status
Check the Logs
/etc/init.d/FAHClient log -v
Check CPU stats
top

With the huge growth of contributors to F@H, it has made getting work units more difficult. If you check your logs and see messages similar the what is in my screenshot below, then your appliance IS working, it is just waiting for work.

Leave it running and you’ll eventually see it start chugging along when it gets a work unit.

Also, on the F@H fling website you can also find two PDFs, one about deployment and another with FAQs. Give those a look if you run into any other issues.

26 March 2020

Howto: Folding@Home – Linux


The Folding@Home (F@H) team has released v7 (currently v7.5.1) of their F@H software. It has a newer simpler graphical interface aimed at making it easier for people to install and contribute to the project. Here is how to make it run on your Linux computer. Linux has been growing in popularity as a desktop OS, so it’s great to see projects like this include it as a viable platform for contributing to F@H.

You can find F@H’s official documentation for Linux here – https://foldingathome.org/support/faq/installation-guides/linux/

Install F@H

I’m going to use a 64-bit Ubuntu v19.10 desktop to show you how to install F@H. You can download the latest Ubuntu Desktop versions here.

1. Download the installer from here: https://foldingathome.org/alternative-downloads/ (link opens in new tab)

2. Click on the “fahclient_7.5.1_amd64.deb” installer.

2. Allow the file to open with the default software installer.

3. Click the ‘Install’ button.

4. Enter your password, if asked, to allow the F@H client to get installed.

5. Enter your F@H user and passkey, then click ‘Next’.
*Make sure to check the box to automatically start the FAHClient.

6. The install itself should be really quick.

7. Open a browser on your Linux machine and in the address bar go to: 127.0.0.1:7396

It will open the F@H webgui where you can watch your work progress or adjust settings.

8. Just like that you are contributing to F@H! The client will be running as a service in the background.

I know that I left my F@H username and passkey in my post. Go ahead and use my F@H username & passkey if you really want to… It just means my F@H user will get credit for any folding you do.

Category: Linux | LEAVE A COMMENT
25 March 2020

Bitnami – Set timezone

Having the correct timezone configured on your machine can save you a lot of “math headaches” when you try to comb through the machine’s event logs. It’s a pretty easy thing to configure in the overall scope of all things, yet it is one that is often over looked, even by veteran users. Never fear though… I will show you how you too can update your Bitnami instance to your preferred timezone.

Lets begin by logging in with ‘root’ priviledges to your Bitnami instance.
Once logged in, use the following command to see what timezone you are currently set to use.

date

As you can see in my example, I am currently set to the UTC timezone, also known as Universal Time.

To find our desired timezone and reconfigure this, we need to enter the following command.

sudo dpkg-reconfigure tzdata

Once you’ve entered the command above and hit ‘Enter’ it will launch a menu were we can find and select your desired timezone. I will changing my Bitnami instance to use the ‘Pacific\Honolulu’ timezone, also known as HST.

Once you click ‘OK’, the machine will show you that it has updated it’s clock to use your desired timezone.

You can further verify that your clock is set correctly by running the ‘date’ command again, just as we had at the beginning of this post.

date

Just like that, we have updated the timezone preference in Bitnami. It was simple to do just as i promised. No more “math headaches” for us when we read log timestamps!!!

NOTE: If you are just trying to update your timezone for WordPress that is running on Bitnami, then check out this post of mine: WordPress – Set Timezone

Category: AWS, Bitnami | LEAVE A COMMENT
25 March 2020

PhotonOS – Set timezone

PhotonOS is VMware’s minimalist Linux based OS that has been heavily optimized for vSphere environments. Many of VMware’s appliance and OVAs are based on this super light weight platform. The problem with appliances and OVAs, is that I have yet to find or launch one that is set to MY timezone by default. I guess that is the price I have to pay for living in Hawaii.

While having the timezone mis-configured probably won’t hurt the VM itself most of the time, it definitely makes reading timestamps and logs more difficult. I mean come on, we’ve all been there before, add or subtracting your timezone offset to figure out what time an event actually happened since we probably don’t live in the GMT or UTC timezones. Much to our luck, setting the timezone PhotonOS using SSH (or the console’s CLI) is pretty easy after you log in as ‘root’.

Enter the command below to get a list of all available timezones.

ls -lsa /usr/share/zoneinfo | more

If you live in a region that is divided into subregions, such as the ‘Pacific’, we can use the following command instead to list those zones.

ls -lsa /usr/share/zoneinfo/Pacific | more

Once you have found the name of your desired timezone you can use the following command to set it. I’m using “Pacific/Honolulu” as my desired timezone.

set Pacific/Honolulu timezone

Then make a symbolic link from localtime to “Pacific/Honolulu”, or your desired timezone…

ln -sf /usr/share/zoneinfo/Pacific/Honolulu /etc/localtime

The final step is to check and visually confirm that the timezone is correct. To do this, we simply run the following command.

date

Now we can finally make some sense out of our logs!!!

13 December 2019

dracut-initqueue

I was updating the firmware on some Dell FC630 servers when I came across this. I really thought that the server hung during the update and I was in for a long night of trying to fix it. Wait and see what the fix was…

So using the DellEMC Repository Manager tool, I created a linux based SmartBootableISO that included the desired updates for my hardware. I then connected to the server’s iDrac virtual console, mounted the iso, and booted the server to the iso image. Everything appeared fine as I watched the server boot up. Then I saw it throw the following message:

dracut-initqueue[686]: mount /dev/sr0/ is write-protected, mounting read-only

Then after waiting and staring for about 5 minutes I started to worry. What’s going on? Did it just freeze?

Well… No, thankfully it had not froze.

It was just mounting a file as read-only, which apparently took longer than you would think it would. After waiting even longer felt right, it finally got past this step, and the server proceeded along with it’s boot-up process. The wait time varied slightly between servers, ranging from about 7 to 10 minutes.

So if you happen to see the “dracut-initqueue” message, don’t panic, your server did not hang. Just wait it out… Grab a coffee or go have a restroom break. Use those few minutes to stretch. Your server will continue chugging along shortly.

30 November 2019

Bitnami – Disabling TLS v1.0 & v1.1

I was surprised when I ran the Qualys SSL Labs scan against my website that I got a lower score than I expected. The SSL Labs scan is a FREE deep analysis of the SSL configuration of your public facing website, that returns a score and grade of your server. It also provides some suggestions as to what you can do to improve your server’s score.

Well, it turns out there are two things that were hindering my score. One is easy to fix via a configuration change in Bitnamo, I’ll cover that in this article. The other isn’t necessarily hard, but it involves a DNS record known as a CAA, which I’m not going to cover in this article.

The quick easy fix was to change the versions of TLS that I allowed my server to use, by disabling the older versions of the TLS protocol, v1.0 and v1.1.

I used WinSCP to connect to my server, and went to the file. /opt/bitnami/apache2/conf/bitnami/bitnami.conf

Within the file you can set/remove the “SSL Protocol” directive. In my case, I set it to SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

Once that change has been saved, all that’s left is to restart Apache. You can restart connecting over SSH to your server and issuing the following command sudo /opt/bitnami/ctlscript.sh restart apache

After you see Apache restart, go ahead and re-scan your website. I found that for my website, my score increased and thus my grade was better after disabling the older versions of TLS. Success!

30 November 2019

Stop the Ads @ Home – Pi-Hole

Advertising, love it or hate it, truly drives the internet. It is scary the amount of data companies skim about you from the ads that get served to and what you click onto. But with the right tools, you can do a lot to protect your privacy. One of the best thing you can do at home to protect your privacy and those stop unwanted ads, is to deploy Pi-hole.

As described on their homepage Pi-hole is “A black hole for Internet ads”, that is “Easy-to-install”, and “is a DNS sinkhole that protects your devices from unwanted content”. All of which can be done in a one-time setup, usually on a RaspberryPi, without installing any software on your devices.

Pi-hole acts upon your network. It takes on the role of serving as the DNS on your network, and optionally role of a DHCP server.

In most homes today, both of these roles are usually preform by your router/wifi access point. DNS, in its’ most simplistic terms, acts as the whitepages that helps your devices translate a URL to an IP addresses. DHCP allows your device to get a ‘dynamically’ assigned address on the network so that it can communicate with everythign else. So by utilizing some whitelists and blacklists, the PiHole can simply not serve the address to known advertising URLs. Cutting the ads off before the request ever leaves your house.

I’ve been using it at home for about 3 years now and absolutely love it. There are some ads that still come thru, and sometimes if I click on an ad, I’ll get a “page can’t be reached” message. It was different at first to get used to, but now… I would trade it for the world!



Another great piece of software to install on you RPi is PiVPN. It’s an easy and secure way to create a VPN (a private tunnel) to your home when you are out and about. The best part about it is that it can allow you to use Pi-Hole when your not at home. Check out my article here.