Wednesday, April 2, 2014

howto - openvpn on gentoo

Today I'm going to show you how to set up OpenVPN with self-signed certificates and its clients via the CLI or NetworkManager (both using OpenVPN). I made such a setup a few days ago and thought I'd share my experience.

Server configuration:

Software:

I assume you have Gentoo installed and running, and that the network works. Next we are going to install the needed packages. Depending on the OpenVPN version you also have to install easy-rsa: OpenVPN prior to 2.3 has the easy-rsa scripts included. I installed the latest unstable version and thus had to install easy-rsa as well.
root # emerge -av openvpn
root # emerge -av easy-rsa

Since OpenVPN needs tun devices, you also have to make sure that tun support is enabled in the kernel config (this is also needed on the clients):
root # cat /usr/src/linux/.config | grep CONFIG_TUN  
CONFIG_TUN=m


Certificates:

The scripts for generating the certificates are usually stored under /usr/share/easy-rsa/. Now edit the following variables in the vars file: KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG and KEY_EMAIL. Make sure these parameters are not left blank.

Edit vars file:
root # cd /usr/share/easy-rsa/
root # vim vars

Generate the ca file:
root # . ./vars  
root # ./clean-all  
root # ./build-ca  

The above sequence takes most parameters from the vars file as defaults. Only the Common Name has to be entered explicitly.

Generate the server certificate:
root # ./build-key-server server

Like in the previous step, most parameters are defaulted. When the Common Name is queried, enter "server". The last two queries require a positive response:
Sign the certificate? [y/n]  
1 out of 1 certificate requests certified, commit? [y/n]

Generate client certificates:
root # ./build-key client1
root # ./build-key client2

Make sure to use a unique Common Name for each client. If you want password-protected certificates use ./build-key-pass, or if you want PKCS#12 key files use ./build-key-pkcs12 instead. Again, the last two queries require a positive response.

Generate the Diffie-Hellman parameters (needed by the server):
root # ./build-dh

Now we have generated lots of files in the keys sub-directory. For the server we need the following files: ca.crt, server.crt, server.key and dh1024.pem.

Now create a new folder in the OpenVPN configuration directory and copy those files into it:
root # mkdir -p /etc/openvpn/vpn  
root # cd keys  
root # cp ca.crt dh1024.pem server.crt server.key /etc/openvpn/vpn  


Configuration:

First open the server config:
root # vim /etc/openvpn/openvpn.conf

Below is my example configuration. An overview of all server configuration options can be found at [1].
port 11194
proto tcp
dev tun
ca vpn/ca.crt
cert vpn/server.crt
key vpn/server.key
dh vpn/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 20 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
verb 3
client-to-client
Some descriptions:
ca, cert, key, dh - options which should point to the certificate files we copied before. As seen in my example configuration, you don't have to set the full path, just the path relative to /etc/openvpn/.
server - supplies the subnet range for the clients
client-to-client - VPN clients can "see" each other


Client configuration:

First you have to copy, separately for every client, the following files from the keys directory (/usr/share/easy-rsa/keys) to the client (e.g. via USB stick): ca.crt, client1.crt and client1.key. Save them somewhere secure, ideally under /etc/openvpn/vpn.
root # mkdir -p /etc/openvpn/vpn
root # cp ca.crt client1.crt client1.key /etc/openvpn/vpn/


KDE-Networkmanager:

Make sure you have both networkmanagement and networkmanager-openvpn installed:
root # emerge -av networkmanagement networkmanager-openvpn

Next, Networkmanager:

Open Network Settings, switch to the VPN tab and add a new OpenVPN Connection.

Here you can give your connection a unique name. You also have to enter the Gateway, which is the public IP address of your OpenVPN server. Also point to the right location of your CA, client certificate and client key file.

Under Optional Settings you have to add the correct port of your server. Since OpenVPN runs on TCP with support for LZO compression, you also have to check "Use LZO compression" and "Use TCP connection".


In the IPv4 Address tab you can add an additional DNS server. This is useful if you have a local DNS server which is used to resolve local computer names.

If you don't want to have all traffic routed over the VPN tunnel, check "Use only for resources on this connection" under Routes.


That's all - now you can simply connect to your VPN by clicking on your VPN connection.


Openvpn init-Script:

Like on any client, you need to install OpenVPN first:
root # emerge -av openvpn

On Gentoo it's possible to create more tunnels by replacing VPN with other names. Each connection has its own configuration and can be stopped and started individually. The default is simply to use openvpn.conf and not to symlink the service. You can of course use both methods. I'm going to show it with a separate OpenVPN configuration. First link the new connection to the OpenVPN init script:
root # ln -s /etc/init.d/openvpn /etc/init.d/openvpn.VPN

Now create your config as /etc/openvpn/VPN.conf. An overview of all client configuration options can be found at [2].
client  
dev tun  
proto tcp  
remote 1.2.3.4 11194
resolv-retry infinite
nobind  
user nobody  
group nobody  
persist-key  
persist-tun  
ca vpn/ca.crt  
cert vpn/client1.crt  
key vpn/client1.key  
comp-lzo  
remote-cert-tls server
Again, the ca, cert and key options are paths relative to /etc/openvpn.

After finishing the configuration you can start your openvpn connection with:
root # /etc/init.d/openvpn.VPN start

Done!


For the future it might also be interesting to know how to revoke someone's key. Below is a short howto for revoking certificates:

Revoking client certificates:

First switch to the easy-rsa directory:
root # cd /usr/share/easy-rsa/

The following command generates a CRL file (crl.pem - certificate revocation list) and adds the client's certificate to the revocation list.
root # . vars
root # ./revoke-full client

After doing so, your output should look similar to:
Using configuration from /root/openvpn/20/openvpn/tmp/easy-rsa/openssl.cnf
DEBUG[load_index]: unique_subject = "yes"
Revoking Certificate 04.
Data Base Updated
Using configuration from /root/openvpn/20/openvpn/tmp/easy-rsa/openssl.cnf
DEBUG[load_index]: unique_subject = "yes"
client.crt: /C=KG/ST=NA/O=OpenVPN-TEST/CN=client/emailAddress=me@myhost.mydomain
error 23 at 0 depth lookup:certificate revoked

In order for OpenVPN to actually drop connections from revoked certificates, you have to add the following to the server configuration:
crl-verify crl.pem

Make sure OpenVPN has access to this file. I suggest copying it directly to the OpenVPN configuration directory (/etc/openvpn).
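As an added example (not part of the original post), here is a small POSIX shell checker that covers the server configuration above, the client configuration shown earlier and the crl-verify step of this revocation section. It resolves the relative ca/cert/key/dh/crl-verify paths against /etc/openvpn the way the post describes, flags a private key that is readable by other users, warns when a server config has no crl-verify line (without it revoked certificates are still accepted) and warns when a client config lacks "remote-cert-tls server", which is what keeps a certificate the CA issued to a client from being accepted as the server. The function and file names are my own; the optional second argument points it at another configuration directory.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check an OpenVPN config
# (server or client) like the ones above before (re)starting the service.
#
# For every ca/cert/key/dh/crl-verify directive it checks that the referenced
# file exists (relative paths are resolved against the OpenVPN configuration
# directory, /etc/openvpn by default, the same way the post's "vpn/..." paths
# work) and that the private key is not group- or world-readable. It also
# warns when a server config has no crl-verify line (revoked certificates are
# then still accepted) and when a client config lacks "remote-cert-tls server"
# (any certificate signed by the CA, including a client one, would then be
# accepted as the server). Returns the number of problems found; 0 means the
# config looks sane.

# Group and other permission bits of a file as a 6-character string,
# e.g. "------" for mode 0600 or "r--r--" for 0644. ls -l output is
# portable across Linux and BSD, the stat command's flags are not.
other_perms() {
    ls -ldL "$1" | cut -c5-10
}

check_openvpn_conf() {
    conf=$1
    base=${2:-/etc/openvpn}
    problems=0
    is_client=0
    have_crl=0
    have_rcts=0

    if [ ! -r "$conf" ]; then
        echo "ERROR: cannot read config $conf"
        return 1
    fi

    # One "directive arg..." per line. Comment lines start with '#' or ';'
    # and simply never match a pattern below.
    while read -r directive arg rest; do
        case "$directive" in
            client)
                is_client=1
                ;;
            remote-cert-tls)
                if [ "$arg" = server ]; then have_rcts=1; fi
                ;;
            ca|cert|key|dh|crl-verify)
                case "$arg" in
                    /*) path=$arg ;;
                    *)  path=$base/$arg ;;
                esac
                if [ ! -f "$path" ]; then
                    echo "ERROR: $directive $arg -> $path does not exist"
                    problems=$((problems + 1))
                    continue
                fi
                if [ "$directive" = key ] && [ "$(other_perms "$path")" != "------" ]; then
                    echo "ERROR: private key $path is readable by group/others (chmod 600 it)"
                    problems=$((problems + 1))
                fi
                if [ "$directive" = crl-verify ]; then have_crl=1; fi
                ;;
        esac
    done < "$conf"

    if [ "$is_client" -eq 0 ] && [ "$have_crl" -eq 0 ]; then
        echo "WARNING: server config has no crl-verify line, revoked client certificates are still accepted"
        problems=$((problems + 1))
    fi
    if [ "$is_client" -eq 1 ] && [ "$have_rcts" -eq 0 ]; then
        echo "WARNING: client config lacks 'remote-cert-tls server', a client certificate could pose as the server"
        problems=$((problems + 1))
    fi

    return "$problems"
}

# Usage: sh check_openvpn_conf.sh /etc/openvpn/openvpn.conf [/etc/openvpn]
if [ $# -gt 0 ]; then
    check_openvpn_conf "$@"
    exit $?
fi
```

Run it as sh check_openvpn_conf.sh /etc/openvpn/openvpn.conf (or against /etc/openvpn/VPN.conf on a client) before starting the service; the exit status is the number of problems found, so it drops straight into a deployment script.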



Further help can be found here:
Official OpenVPN howto: https://openvpn.net/index.php/open-source/documentation/howto.html
Gentoo wiki OpenVPN guide: http://wiki.gentoo.org/wiki/OpenVPN
Revoking certificates: http://openvpn.net/index.php/open-source/documentation/howto.html#revoke
[1] https://openvpn.net/index.php/open-source/documentation/howto.html#server
[2] https://openvpn.net/index.php/open-source/documentation/howto.html#client

Tuesday, March 18, 2014

tor and chromium

Caution: I know using Tor with Chromium isn't actually a good idea - see [1]. Hopefully that changes in the near future.

Since the Snowden revelations we know that basically everything on the internet is being monitored by the NSA and probably other security agencies. Many times I was thinking about what I could do to improve my privacy, and I guess Tor over Chromium is a small step in the right direction.


Tor [2] wasn't something new to me, but I never felt like playing with it. However, now I had a good reason to look at it and make it as easy as possible to use. Tor isn't actually difficult to use - just install it, start it and set up the proxy in your favorite browser.
However, I don't want to use it all the time, since quite often you have to enter captchas in order to enter some sites (I know it's not Tor's fault - shame on you, Google). Furthermore, disabling the proxy every time I wanted to surf without Tor wasn't something which I would call simple. So I created a special shortcut, which not just starts Chromium with the Tor proxy enabled, but also starts it in incognito mode and as another user.

First install and start tor:
 emerge -av tor  
 rc-update add tor default  
 /etc/init.d/tor start  

Next, set up a new user:
 useradd -m anonymous  

Set the password for the user (I chose to use an extra password, as this means the bookmarks in my "tor-browser" are extra secured from others):
 passwd anonymous  

Now create a new shortcut (mine was done via KDE System Settings - Shortcuts and Gestures - Custom Shortcut):
 kdesu -u anonymous chromium --incognito --proxy-server="socks://localhost:9050"  

This starts Chromium in incognito mode, as user "anonymous", with Tor! Bookmarks are stored under the user anonymous and are only available if you start the "tor-browser" or log in as user anonymous.


[1] https://www.torproject.org/docs/faq#TBBOtherBrowser
[2] https://www.torproject.org/

Wednesday, February 19, 2014

turn off monitor when locking the screen

Recently I was looking for a convenient way to lock and turn off my screens. The reason behind it was that sometimes I only want to listen to music while doing something else which doesn't involve the PC. Usually I could wait for the screen to turn off by itself, which usually happens after around 10 minutes. However, since I don't even use a screensaver, I just wanted it to turn off immediately.
Now I found a nice way to do that...

I've created a new shortcut with the following command:
 xset dpms force off; qdbus org.kde.ksmserver /ScreenSaver Lock  

Bound to META+L, it does exactly what it should do: it turns off the screen and locks it.

Tuesday, February 11, 2014

simplescreenrecorder - awesome screen capturing software

Some time ago I was looking for good screen capturing software for Linux. The only ones I was aware of were recordmydesktop and ffmpeg. However, since my experiences with those were rather bad, I was looking for something else. Luckily I found simplescreenrecorder [1].



Simplescreenrecorder, or SSR for short, is a quite powerful screen recorder. Especially the possibility of capturing games via its glinject library is, I think, something unique. Even capturing 32-bit games on a 64-bit system is possible, since you can build the glinject library for 32-bit too. On the official homepage there is a good howto on capturing Steam games [2].


Gentoo:
For those who want to test SSR, there is also a good overlay from Anders Larsson which provides an ebuild for simplescreenrecorder [3].


Issues - not really ;)
Unfortunately I also came across two limitations, which however aren't SSR's fault but are simply sane restrictions - not everyone has a triple-monitor setup. Fortunately the author was really helpful with my "issues" and helped me to get around those restrictions.


Issue 1 - triple monitor:
My first issue [4] was that I couldn't capture all screens on my triple-monitor setup. The reason was that I was hitting the size limit of shared memory segments, as set by:
 /proc/sys/kernel/shmmax  
Simply increasing the size via:
 echo 67108864 | sudo tee /proc/sys/kernel/shmmax  
fixed this issue for me. However, MaartenBaert (the author of SSR) said I could hit other limitations as well, so this might not work everywhere.


Issue 2 - high resolution (2560x1600):
My second issue [5] was rather a silly one. I simply couldn't capture any game with glinject, which just printed the following error:
 [SSR-GLInject] GLFrameGrabber for [0x13cde30-0x180000f-0x180000f] frame is too large to capture!  
Fortunately I only had to increase "Maximum image size (megapixels):" to 4 (the default was 2).



Thanks again to MaartenBaert for explaining the issue to me!


Videos:
I also created 3 videos showing the possibilities of SSR. Even though the quality of the videos is quite bad, they show three games on my triple-monitor setup. You can find those videos on YouTube:

Amnesia: https://www.youtube.com/watch?v=1ZmplYgezGg
Anomaly warzone earth: https://www.youtube.com/watch?v=vlbMB6n6VSU
Defcon: https://www.youtube.com/watch?v=QSOcXYGL8L0 (I don't know why, but on YouTube the video had the wrong resolution for me - I had to download it to get the correct one)



[1] http://www.maartenbaert.be/simplescreenrecorder/
[2] http://www.maartenbaert.be/simplescreenrecorder/recording-steam-games/
[3] https://github.com/anders-larsson/gentoo-overlay
[4] https://github.com/MaartenBaert/ssr/issues/63
[5] https://github.com/MaartenBaert/ssr/issues/66

Wednesday, December 18, 2013

steam on gentoo

For over one year now we have had Steam for Linux, and even though I have a really great working Xen machine, I played around with Steam on Linux. I was quite happy to get beta access, and so I started testing nearly from the beginning of the beta tests.

Steam:
In the beginning the client had some graphical glitches and minor issues, but overall it was stable. After a year the client seems to be in really good shape now. I haven't had any issues for a long time, and since the open source drivers (r600g) also got huge improvements, I have played mainly on Linux recently.


So far I have 53 games on Steam which support Linux; that's about half of what I own. I didn't test all of them, but most of them work out of the box (with steamruntime - more on that later). Especially Valve's Linux support is excellent. Portal, the Half-Life series and Left 4 Dead 2 are perfectly playable with the open source drivers. Others like Serious Sam 3 or Painkiller work too, but they're not as enjoyable as Valve's games.


Gentoo and Steam:
Gentoo's support for Steam is rather bad actually. There is an open bug but not yet an ebuild in the tree. However, on Gentoo's wiki there is a nice article about Steam. I did my own research about Steam and found out that it's actually pretty simple to get it running.

Basically there are two possibilities for how to run Steam, which are with or without "steamruntime". steamruntime is a switch which tells Steam to use internal libraries or system libraries. However, steamruntime not only comes with libraries which are needed for Steam itself, but also ones needed by many games. While most Gentoo users would immediately choose to use system libraries (myself too), there are really good reasons not to do it for Steam. I'm going to explain them here in detail.


Steamruntime:
Steam is a 32-bit program and thus you need either an x86 system or an amd64 multilib system. Many users (including me) are already on 64-bit and thus would need a multilib system or emul packages. Steam with steamruntime comes with all its dependencies (even on amd64), which means there are actually no other dependencies needed for Steam.
But those so-called "bundled libs" are usually bad because they are often old and outdated, vulnerable and shouldn't be used anymore. True! - so far. However:
  • Steam's bundled libraries reside in ~, making them only available for Steam itself (not for the whole system)
  • Steam has many huge dependencies like cups, pulseaudio and networkmanager which you would need to install even if you don't need them (Steam works without a running pulseaudio, cups or networkmanager)
  • you need 32-bit versions of those libraries/programs, which means you need emul packages, which means installing even more old, vulnerable software - but in this case for the whole system.
  • steamruntime not only installs Steam's dependencies but also many game dependencies. So if a game doesn't work you have to manually check which dependencies are missing.
  • Valve only supports "steamruntime".
However, many will now think that using system libraries would mean using the latest and greatest software, but that's not completely true. In fact, you would need many emul packages, which are outdated by design. And with the opengl emul package (not the multilib version) you would even use outdated graphics drivers - and this makes, especially in games, a huge difference.
Please note this is mainly only true on amd64. Steam on x86 looks a bit different.


Conclusion:
What I think is the best solution so far is the following:
Use Steam with steamruntime and make sure to use only the multilib versions of the needed dependencies [e.g. abi_x86_32]. Steam basically has only one dependency which must be available on any system, which is mesa, or in our case 32-bit mesa. (I didn't count 32-bit glibc/gcc since they come with a multilib system anyway.) Anything else comes with steamruntime.
I highly recommend using the new multilib versions of mesa instead of the emul package, since you won't get the latest drivers with the emul package and you would also install other useless dependencies.

If you're using the steam-overlay it's pretty easy by setting the "steamruntime" USE flag (which should be set as default anyway). However, you might need to mask other emul packages since they are still the default on stable systems.

Friday, March 22, 2013

gentoo/xen awesomeness

...or the possibilities of Linux as a gaming platform...



+Gentoo +Linux is incredible, really! :D

Recently I made a blog post about gaming via Xen. I showed a picture of playing 2 games at the same time: one game on Windows, one game on Linux over 3 screens.
Since there are not that many games which support multi-monitor on Linux - at least not correctly - I searched for other games and came across +0 A.D., which is a strategy game like Age of Empires.
While it's still in alpha state, it's already really playable. However, most importantly, it supports multiple monitors really well.
Today I'm going to show a video about this setup...


Setup:

So, what is shown in this video? The host system is - surprise, surprise - Gentoo unstable 64-bit with a Xen-enabled kernel 3.8. The guest system is Windows 7. On Linux runs KDE 4.10.1 on VT7, awesome on VT8 (where I'm going to start 0 A.D.) and on VT11 is running cmus - my favorite music player. That's actually nothing really new; really new is: Synergy!

Caution: Playing over 3 screens isn't bug-free at all! Especially when having different resolutions.
For example, the left and the right screen are cut off at the bottom (see above). While that doesn't make much difference in playing 0 A.D., I couldn't actually start a game because the "Start game" button is in the bottom right (but I could load a game). While this seems to be a hardware limitation (looks like I need two other 30" screens ;) ), two other games which I've tried (Amnesia and Defcon) suffer from a bug where I can't move the mouse beyond even half of the screen (I can move it from the left side to about 30% of the middle screen). However, this might already be fixed with the recent mesa-9.1, since this works in 0 A.D. while +Steam games are running with the old emul mesa-9.0.1 libs.


Synergy:

On my first post about Xen I got a comment from a user who asked me if I had ever tried Synergy on my setup to fix my input "problem". Until now my usual solution was a USB switch, where I could switch my input devices (keyboard & mouse) between my host and guest system. This actually worked - but never that well. The reason I never tried out Synergy was because I was quite comfortable with my current solution and I always thought with Synergy I'd have much worse input lag - well, I was wrong.
Recently I tested Synergy and I was quite impressed. There is nearly no input lag and I think it fits perfectly well for casual gamers like me.
However, there are a few settings to make, otherwise games wouldn't be playable with Synergy.


How synergy works:

Synergy is software which shares input from one system (input server) with multiple other systems (input clients). The really good thing is, it's available on Linux, Windows and Mac and it's even open source. First I installed Synergy on the system where the input (keyboard and mouse) is directly connected and set it up as the Synergy server. All the other systems which should be accessible over Synergy are clients. On my computer it means my host system (Linux) is the server, while my guest system (Windows) is a client which tries to connect to the server directly after boot-up.


Setting up synergy:

1.) Start the Synergy server on the host and click on "Server Configuration". Set up a new client which should have access to the host. In my case I put the client above the host, so that if I cross the top border of my host, my mouse appears in the guest system.

2.) Change the setting "Use relative mouse moves" in the "Advanced server settings" tab. This is important. While the mouse would work in Windows without problems, in games you couldn't play anything. I don't know what exactly happens, but it looks like the mouse speed is incredibly increased.

3.) I also made a keyboard shortcut which toggles switching between the systems. That's also important, because it keeps the mouse on the current system (you don't want to accidentally switch to Linux while you're gaming).

4.) Start the server.
5.) Install Synergy on the client, add the server IP address and click start. Synergy should immediately connect to the server. Now you should be able to use mouse & keyboard from the host system. Also check the option to start Synergy directly after boot so that you don't have to start it every time.


The video:

For those who are interested, the latest Synergy is also in Portage (even stable) and the Windows version can be downloaded from their website. Below is the video showing all the stuff that's possible :D


Thursday, March 21, 2013

qemu control script


Since I've played with +QEMU I have always searched for an easy way to create or modify my guests. Starting or stopping them was easy with my init script, but creating a new one always involved many steps. Even though it isn't complicated, I wanted something simpler.


So I started to write a new script and called it qemu control, or simply qc. Over time it got more and more features, and now I thought maybe someone else could be interested, especially in case someone uses my init script.
In the last days I've cleaned up the init script to make it more readable. Now it shouldn't be too difficult to get into the code; however, I'm going to show how it's used.



Usage:

First of all, what can you do with it? Since my VMs are all on LVM partitions, qc works only with LVM partitions. It can create new VMs, copy existing ones, delete them, modify configs, convert to qcow2 and compress VMs. More on every single feature below.
For every new guest it also creates default init scripts (based on my own one), and it also removes them when deleting a VM.
Everything (except deleting) can be done even when a VM is running, because the script always creates snapshots of the given VM.


Features:

 ./qc copy  
Copies an existing VM (even when running) including its init script config, but changes its settings to suit the new VM. It also changes the VM host name (if possible) to the given name.

 ./qc new  
Creates a new empty LVM partition for a VM, including a changed default config which suits the VM. This doesn't install the guest OS.

 ./qc edit   
Edits an existing configuration file (based on my own init script) of a QEMU guest.

 ./qc del  
Deletes a VM, including its init script config.

 ./qc convert [path]  
Converts an existing LVM partition to a qcow2 file. It's also possible to directly compress it afterwards. You can also add a default path.

 ./qc compress [path]  
Only compresses an LVM partition into a gz file (e.g. for backups). You can also add a default path.

The default init script and config can be set in the script. Also things like the default logical volume name, snapshot size and image size can be set in the script. Logical volume name and path must be set anyway.

Note: I usually use pigz to compress the VMs since it's much faster on multi-core systems. If you don't have it you can either change it to gzip or simply install pigz (it's in Portage).


Download:

The script is a work in progress and it's probably still in bad shape; however, for those who are interested, you can download the script on GitHub. The link is: https://github.com/mm1ke/qc