In order to easily authenticate with IRC networks such as OFTC and Freenode, it is possible to use client TLS certificates (also known as SSL certificates). In fact, it turns out that it's very easy to setup both on irssi and on znc.
Generate your TLS certificate
On a machine with good entropy, run the following command to create a keypair that will last for 10 years:
openssl req -nodes -newkey rsa:2048 -keyout user.pem -x509 -days 3650 -out user.pem -subj "/CN=<your nick>"
Then extract your key fingerprint using this command:
openssl x509 -sha1 -noout -fingerprint -in user.pem | sed -e 's/^.*=//;s/://g'
Share your fingerprints with NickServ
On each IRC network, do this:
/msg NickServ IDENTIFY Password1!
/msg NickServ CERT ADD <your fingerprint>
in order to add your fingerprint to the access control list.
Configure ZNC
To configure znc, start by putting the key in the right place:
cp user.pem ~/.znc/users/<your nick>/networks/oftc/moddata/cert/
and then enable the built-in cert plugin for
each network in ~/.znc/configs/znc.conf:
<Network oftc>
...
LoadModule = cert
...
</Network>
<Network freenode>
...
LoadModule = cert
...
</Network>
Configure irssi
For irssi, do the same thing but put the cert in ~/.irssi/user.pem and
then change the OFTC entry in ~/.irssi/config to look like this:
{
address = "irc.oftc.net";
chatnet = "OFTC";
port = "6697";
use_tls = "yes";
tls_cert = "~/.irssi/user.pem";
tls_verify = "yes";
autoconnect = "yes";
}
and the Freenode one to look like this:
{
address = "chat.freenode.net";
chatnet = "Freenode";
port = "7000";
use_tls = "yes";
tls_cert = "~/.irssi/user.pem";
tls_verify = "yes";
autoconnect = "yes";
}
That's it. That's all you need to replace password authentication with a much stronger alternative.
I recently ran into problems trying to package the latest version of my planetfilter tool.
This is how I was able to temporarily work-around bugs in my tools and still produce a package that can be built reproducibly from source and that contains a verifiable upstream signature.
pristine-tar being is unable to reproduce a tarball
After importing the
latest upstream tarball
using gbp import-orig, I tried to build the package but ran into this
pristine-tar error:
$ gbp buildpackage
gbp:error: Pristine-tar couldn't checkout "planetfilter_0.7.4.orig.tar.gz": xdelta3: target window checksum mismatch: XD3_INVALID_INPUT
xdelta3: normally this indicates that the source file is incorrect
xdelta3: please verify the source file with sha1sum or equivalent
xdelta3 decode failed! at /usr/share/perl5/Pristine/Tar/DeltaTools.pm line 56.
pristine-tar: command failed: pristine-gz --no-verbose --no-debug --no-keep gengz /tmp/user/1000/pristine-tar.mgnaMjnwlk/wrapper /tmp/user/1000/pristine-tar.EV5aXIPWfn/planetfilter_0.7.4.orig.tar.gz.tmp
pristine-tar: failed to generate tarball
So I decided to throw away what I had, re-import the tarball and try again.
This time, I got a different pristine-tar error:
$ gbp buildpackage
gbp:error: Pristine-tar couldn't checkout "planetfilter_0.7.4.orig.tar.gz": xdelta3: target window checksum mismatch: XD3_INVALID_INPUT
xdelta3: normally this indicates that the source file is incorrect
xdelta3: please verify the source file with sha1sum or equivalent
xdelta3 decode failed! at /usr/share/perl5/Pristine/Tar/DeltaTools.pm line 56.
pristine-tar: command failed: pristine-gz --no-verbose --no-debug --no-keep gengz /tmp/user/1000/pristine-tar.mgnaMjnwlk/wrapper /tmp/user/1000/pristine-tar.EV5aXIPWfn/planetfilter_0.7.4.orig.tar.gz.tmp
pristine-tar: failed to generate tarball
I filed bug 871938 for this.
As a work-around, I simply symlinked the upstream tarball I already had
and then built the package using the tarball directly instead of the
upstream git branch:
ln -s ~/deve/remote/planetfilter/dist/planetfilter-0.7.4.tar.gz ../planetfilter_0.7.4.orig.tar.gz
gbp buildpackage --git-tarball-dir=..
Given that only the upstream and master branches are signed, the
.delta file
on the
pristine-tar branch
could be fixed at any time in the future by committing a new .delta file
once pristine-tar gets fixed. This therefore seems like a reasonable
work-around.
git-buildpackage doesn't import the upstream tarball signature
The second problem I ran into was a missing upstream signature after
building the package with
git-buildpackage:
$ lintian -i planetfilter_0.7.4-1_amd64.changes
E: planetfilter changes: orig-tarball-missing-upstream-signature planetfilter_0.7.4.orig.tar.gz
N:
N: The packaging includes an upstream signing key but the corresponding
N: .asc signature for one or more source tarballs are not included in your
N: .changes file.
N:
N: Severity: important, Certainty: certain
N:
N: Check: changes-file, Type: changes
N:
This problem (and the lintian error I suspect) is fairly new and hasn't been solved yet.
So until gbp import-orig gets proper support for upstream signatures, my
work-around was to copy the upstream signature in the export-dir output
directory (which I set in ~/.gbp.conf) so that it can be picked up by the
final stages of gbp buildpackage:
ln -s ~/deve/remote/planetfilter/dist/planetfilter-0.7.4.tar.gz.asc ../build-area/planetfilter_0.7.4.orig.tar.gz.asc
If there's a better way to do this, please feel free to leave a comment (authentication not required)!
I recently ran into problems with generating TOTP 2-factor codes on my laptop. The fact that some of the codes would work and some wouldn't suggested a problem with time keeping on my laptop.
This was surprising since I've been running NTP for a
many years and have therefore never had to think about time synchronization.
After realizing that ntpd had stopped working on my machine for some reason,
I found that systemd
provides an easier way to keep time synchronized.
The new systemd time synchronization daemon
On a machine running systemd, there is no need to run the full-fledged
ntpd daemon anymore. The built-in systemd-timesyncd can do the basic
time synchronization job just fine.
However, I noticed that the daemon wasn't actually running:
$ systemctl status systemd-timesyncd.service
● systemd-timesyncd.service - Network Time Synchronization
Loaded: loaded (/lib/systemd/system/systemd-timesyncd.service; enabled; vendor preset: enabled)
Drop-In: /lib/systemd/system/systemd-timesyncd.service.d
└─disable-with-time-daemon.conf
Active: inactive (dead)
Condition: start condition failed at Thu 2017-08-03 21:48:13 PDT; 1 day 20h ago
Docs: man:systemd-timesyncd.service(8)
referring instead to a mysterious "failed condition". Attempting to restart the service did provide more details though:
$ systemctl restart systemd-timesyncd.service
$ systemctl status systemd-timesyncd.service
● systemd-timesyncd.service - Network Time Synchronization
Loaded: loaded (/lib/systemd/system/systemd-timesyncd.service; enabled; vendor preset: enabled)
Drop-In: /lib/systemd/system/systemd-timesyncd.service.d
└─disable-with-time-daemon.conf
Active: inactive (dead)
Condition: start condition failed at Sat 2017-08-05 18:19:12 PDT; 1s ago
└─ ConditionFileIsExecutable=!/usr/sbin/ntpd was not met
Docs: man:systemd-timesyncd.service(8)
The above check for the presence of /usr/sbin/ntpd points to a conflict
between ntpd and systemd-timesyncd. The solution of course is to remove
the former before enabling the latter:
apt purge ntp
Enabling time synchronization with NTP
Once the ntp package has been removed, it is time to enable NTP support in
timesyncd.
Start by choosing the NTP server pool nearest
you and put it in /etc/systemd/timesyncd.conf. For example, mine reads
like this:
[Time]
NTP=ca.pool.ntp.org
before restarting the daemon:
systemctl restart systemd-timesyncd.service
That may not be enough on your machine though. To check whether or not the time has been synchronized with NTP servers, run the following:
$ timedatectl status
...
Network time on: yes
NTP synchronized: no
RTC in local TZ: no
If NTP is not enabled, then you can enable it by running this command:
timedatectl set-ntp true
Once that's done, everything should be in place and time should be kept correctly:
$ timedatectl status
...
Network time on: yes
NTP synchronized: yes
RTC in local TZ: no
In addition to selecting the right monitor after docking my ThinkPad, I wanted to set the correct sound output since I have headphones connected to my Ultra Dock. This can be done fairly easily using Pulseaudio.
Switching to a different pulseaudio output
To find the device name and the output name I need to provide to pacmd, I
ran pacmd list-sinks:
2 sink(s) available.
...
* index: 1
name: <alsa_output.pci-0000_00_1b.0.analog-stereo>
driver: <module-alsa-card.c>
...
ports:
analog-output: Analog Output (priority 9900, latency offset 0 usec, available: unknown)
properties:
analog-output-speaker: Speakers (priority 10000, latency offset 0 usec, available: unknown)
properties:
device.icon_name = "audio-speakers"
From there, I extracted the soundcard name
(alsa_output.pci-0000_00_1b.0.analog-stereo) and the names of the two
output ports (analog-output and analog-output-speaker).
To switch between the headphones and the speakers, I can therefore run the following commands:
pacmd set-sink-port alsa_output.pci-0000_00_1b.0.analog-stereo analog-output
pacmd set-sink-port alsa_output.pci-0000_00_1b.0.analog-stereo analog-output-speaker
Listening for headphone events
Then I looked for the ACPI event triggered when my headphones are detected by the laptop after docking.
After looking at the output of acpi_listen, I found jack/headphone HEADPHONE plug.
Combining this with the above pulseaudio names, I put the following in
/etc/acpi/events/thinkpad-dock-headphones:
event=jack/headphone HEADPHONE plug
action=su francois -c "pacmd set-sink-port alsa_output.pci-0000_00_1b.0.analog-stereo analog-output"
to automatically switch to the headphones when I dock my laptop.
Finding out whether or not the laptop is docked
While it is possible to hook into the docking and undocking ACPI events and run scripts, there doesn't seem to be an easy way from a shell script to tell whether or not the laptop is docked.
In the end, I settled on detecting the presence of USB devices.
I ran lsusb twice (once docked and once undocked) and then compared the
output:
lsusb > docked
lsusb > undocked
colordiff -u docked undocked
This gave me a number of differences since I have a bunch of peripherals attached to the dock:
--- docked 2017-07-07 19:10:51.875405241 -0700
+++ undocked 2017-07-07 19:11:00.511336071 -0700
@@ -1,15 +1,6 @@
Bus 001 Device 002: ID 8087:8000 Intel Corp.
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
-Bus 003 Device 081: ID 0424:5534 Standard Microsystems Corp. Hub
-Bus 003 Device 080: ID 17ef:1010 Lenovo
Bus 003 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
-Bus 002 Device 041: ID xxxx:xxxx ...
-Bus 002 Device 040: ID xxxx:xxxx ...
-Bus 002 Device 039: ID xxxx:xxxx ...
-Bus 002 Device 038: ID 17ef:100f Lenovo
-Bus 002 Device 037: ID xxxx:xxxx ...
-Bus 002 Device 042: ID 0424:2134 Standard Microsystems Corp. Hub
-Bus 002 Device 036: ID 17ef:1010 Lenovo
Bus 002 Device 002: ID xxxx:xxxx ...
Bus 002 Device 004: ID xxxx:xxxx ...
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
I picked 17ef:1010 as it appeared to be some internal bus on the Ultra
Dock (none of my USB devices were connected to Bus 003) and then ended up
with the following
port toggling script:
#!/bin/bash
if /usr/bin/lsusb | grep 17ef:1010 > /dev/null ; then
# docked
pacmd set-sink-port alsa_output.pci-0000_00_1b.0.analog-stereo analog-output
else
# undocked
pacmd set-sink-port alsa_output.pci-0000_00_1b.0.analog-stereo analog-output-speaker
fi
While upgrading Libravatar to a more recent version of Django, I ran into a mysterious 400 error.
In debug mode, my site was working fine, but with DEBUG = False, I would
only a page containing this error:
Bad Request (400)
with no extra details in the web server logs.
Turning on extra error logging
To see the full error message, I configured logging to a
file by
adding this to settings.py:
LOGGING = {
'version': 1,
'disable_existing_loggers': False,
'handlers': {
'file': {
'level': 'DEBUG',
'class': 'logging.FileHandler',
'filename': '/tmp/debug.log',
},
},
'loggers': {
'django': {
'handlers': ['file'],
'level': 'DEBUG',
'propagate': True,
},
},
}
Then I got the following error message:
Invalid HTTP_HOST header: 'www.example.com'. You may need to add u'www.example.com' to ALLOWED_HOSTS.
Temporary hack
Sure enough, putting this in settings.py would make it work outside of debug mode:
ALLOWED_HOSTS = ['*']
which means that there's a mismatch between the HTTP_HOST from Apache and the one that Django expects.
Root cause
The underlying problem was that the
Libravatar config file was missing the square brackets
around the
ALLOWED_HOSTS setting.
I had this:
ALLOWED_HOSTS = 'www.example.com'
instead of:
ALLOWED_HOSTS = ['www.example.com']
A laptop that was installed using the default Ubuntu 16.10 (xenial) full-disk encryption option stopped booting after receiving a kernel update somewhere on the way to Ubuntu 17.04 (zesty).
After showing the boot screen for about 30 seconds, a busybox shell pops up:
BusyBox v.1.21.1 (Ubuntu 1:1.21.1-1ubuntu1) built-in shell (ash)
Enter 'help' for list of built-in commands.
(initramfs)
Typing exit will display more information about the failure before
bringing us back to the same busybox shell:
Gave up waiting for root device. Common problems:
- Boot args (cat /proc/cmdline)
- Check rootdelay= (did the system wait long enough?)
- Check root= (did the system wait for the right device?)
- Missing modules (cat /proc/modules; ls /dev)
ALERT! /dev/mapper/ubuntu--vg-root does not exist. Dropping to a shell!
BusyBox v.1.21.1 (Ubuntu 1:1.21.1-1ubuntu1) built-in shell (ash)
Enter 'help' for list of built-in commands.
(initramfs)
which now complains that the /dev/mapper/ubuntu--vg-root root partition
(which uses
LUKS and
LVM) cannot be found.
There is some comprehensive advice out there but it didn't quite work for me. This is how I ended up resolving the problem.
Boot using a USB installation disk
First, create bootable USB disk using the latest Ubuntu installer:
- Download an desktop image.
Copy the ISO directly on the USB stick (overwriting it in the process):
dd if=ubuntu.iso of=/dev/sdc1
and boot the system using that USB stick (hold the option key during boot on Apple hardware).
Mount the encrypted partition
Assuming a drive which is partitioned this way:
/dev/sda1: EFI partition/dev/sda2: unencrypted boot partition/dev/sda3: encrypted LVM partition
Open a terminal and mount the required partitions:
cryptsetup luksOpen /dev/sda3 sda3_crypt
vgchange -ay
mount /dev/mapper/ubuntu--vg-root /mnt
mount /dev/sda2 /mnt/boot
mount -t proc proc /mnt/proc
mount -o bind /dev /mnt/dev
Note:
When running
cryptsetup luksOpen, you must use the same name as the one that is in/etc/crypttabon the root parition (sda3_cryptin this example).All of these partitions must be present (including
/procand/dev) for the initramfs scripts to do all of their work. If you see errors or warnings, you must resolve them.
Regenerate the initramfs on the boot partition
Then "enter" the root partition using:
chroot /mnt
and make sure that the lvm2 package is installed:
apt install lvm2
before regenerating the initramfs for all of the installed kernels:
update-initramfs -c -k all
I use Let's Encrypt TLS certificates on my Debian servers along with the Certbot tool. Since I use the "temporary webserver" method of proving domain ownership via the ACME protocol, I cannot use the cert renewal cronjob built into Certbot.
To disable the built-in cronjob, I ran the following:
systemctl disable certbot.service
systemctl disable certbot.timer
Then I put my own renewal script in /etc/cron.daily/certbot-renew:
#!/bin/bash
/usr/bin/certbot renew --quiet --pre-hook "/bin/systemctl stop apache2.service" --post-hook "/bin/systemctl start apache2.service"
pushd /etc/ > /dev/null
/usr/bin/git add letsencrypt ejabberd
DIFFSTAT="$(/usr/bin/git diff --cached --stat)"
if [ -n "$DIFFSTAT" ] ; then
/usr/bin/git commit --quiet -m "Renewed letsencrypt certs"
echo "$DIFFSTAT"
fi
popd > /dev/null
# Generate the right certs for ejabberd and znc
if test /etc/letsencrypt/live/jabber-gw.fmarier.org/privkey.pem -nt /etc/ejabberd/ejabberd.pem ; then
cat /etc/letsencrypt/live/jabber-gw.fmarier.org/privkey.pem /etc/letsencrypt/live/jabber-gw.fmarier.org/fullchain.pem > /etc/ejabberd/ejabberd.pem
fi
cat /etc/letsencrypt/live/irc.fmarier.org/privkey.pem /etc/letsencrypt/live/irc.fmarier.org/fullchain.pem > /home/francois/.znc/znc.pem
It temporarily disables my Apache webserver while it renews the certificates and then only outputs something to STDOUT (since my cronjob will email me any output) if certs have been renewed.
Since I'm using etckeeper to keep track of config changes on my servers, my renewal script also commits to the repository if any certs have changed.
Finally, since my
XMPP server
and
IRC bouncer
need the private key and the full certificate chain to be in the same file,
so I regenerate these files at the end of the script. In the case of
ejabberd, I only do so if the certificates have actually changed since
overwriting ejabberd.pem changes its timestamp and triggers an
fcheck notification (since it
watches all files under /etc).
External Monitoring
In order to catch mistakes or oversights, I use ssl-cert-check to monitor my domains once a day:
ssl-cert-check -s fmarier.org -p 443 -q -a -e francois@fmarier.org
I also signed up with Cert Spotter which watches the Certificate Transparency log and notifies me of any newly-issued certificates for my domains.
In other words, I get notified:
- if my cronjob fails and a cert is about to expire, or
- as soon as a new cert is issued.
The whole thing seems to work well, but if there's anything I could be doing better, feel free to leave a comment!
Here are the notes I took while manually expanding an non-LVM encrypted RAID1 array on an Ubuntu machine.
My original setup consisted of a 1 TB drive along with a 2 TB drive, which meant that the RAID1 array was 1 TB in size and the second drive had 1 TB of unused capacity. This is how I replaced the old 1 TB drive with a new 3 TB drive and expanded the RAID1 array to 2 TB (leaving 1 TB unused on the new 3 TB drive).
Partition the new drive
In order to partition the new 3 TB drive, I started by creating a
temporary partition on the old 2 TB drive (/dev/sdc) to use up all of
the capacity on that drive:
$ parted /dev/sdc
unit s
print
mkpart
print
Then I initialized the partition table and creating the EFI partition
partition on the new drive (/dev/sdd):
$ parted /dev/sdd
unit s
mktable gpt
mkpart
Since I want to have the RAID1 array be as large as the smaller of the two
drives, I made sure that the second partition (/home) on the
new 3 TB drive had:
- the same start position as the second partition on the old drive
- the end position of the third partition (the temporary one I just created) on the old drive
I created the partition and flagged it as a RAID one:
mkpart
toggle 2 raid
and then deleted the temporary partition on the old 2 TB drive:
$ parted /dev/sdc
print
rm 3
print
Create a temporary RAID1 array on the new drive
With the new drive properly partitioned, I created a new RAID array for it:
mdadm /dev/md10 --create --level=1 --raid-devices=2 /dev/sdd1 missing
and added it to /etc/mdadm/mdadm.conf:
mdadm --detail --scan >> /etc/mdadm/mdadm.conf
which required manual editing of that file to remove duplicate entries.
Create the encrypted partition
With the new RAID device in place, I created the encrypted LUKS partition:
cryptsetup -h sha256 -c aes-xts-plain64 -s 512 luksFormat /dev/md10
cryptsetup luksOpen /dev/md10 chome2
I took the UUID for the temporary RAID partition:
blkid /dev/md10
and put it in /etc/crypttab as chome2.
Then, I formatted the new LUKS partition and mounted it:
mkfs.ext4 -m 0 /dev/mapper/chome2
mkdir /home2
mount /dev/mapper/chome2 /home2
Copy the data from the old drive
With the home paritions of both drives mounted, I copied the files over to the new drive:
eatmydata nice ionice -c3 rsync -axHAX --progress /home/* /home2/
making use of wrappers that preserve system reponsiveness during I/O-intensive operations.
Switch over to the new drive
After the copy, I switched over to the new drive in a step-by-step way:
- Changed the UUID of
chomein/etc/crypttab. - Changed the UUID and name of
/dev/md1in/etc/mdadm/mdadm.conf. - Rebooted with both drives.
- Checked that the new drive was the one used in the encrypted
/homemount using:df -h.
Add the old drive to the new RAID array
With all of this working, it was time to clear the mdadm superblock from the old drive:
mdadm --zero-superblock /dev/sdc1
and then change the second partition of the old drive to make it the same size as the one on the new drive:
$ parted /dev/sdc
rm 2
mkpart
toggle 2 raid
print
before adding it to the new array:
mdadm /dev/md1 -a /dev/sdc1
Rename the new array
To change the name of the new RAID array back to what it was on the old drive, I first had to stop both the old and the new RAID arrays:
umount /home
cryptsetup luksClose chome
mdadm --stop /dev/md10
mdadm --stop /dev/md1
before running this command:
mdadm --assemble /dev/md1 --name=mymachinename:1 --update=name /dev/sdd2
and updating the name in /etc/mdadm/mdadm.conf.
The last step was to regenerate the initramfs:
update-initramfs -u
before rebooting into something that looks exactly like the original RAID1 array but with twice the size.
Here is how I managed to extend my OpenVPN setup on my Linode VPS to include IPv6 traffic. This ensures that clients can route all of their traffic through the VPN and avoid leaking IPv6 traffic, for example. It also enables clients on IPv4-only networks to receive a routable IPv6 address and connect to IPv6-only servers (i.e. running your own IPv6 broker).
Request an additional IPv6 block
The first thing you need to do is get a new IPv6 address block (or "pool" as Linode calls it) from which you can allocate a single address to each VPN client that connects to the server.
If you are using a
Linode VPS,
there are
instructions on how to request a new IPv6 pool.
Note that you need to get an address block between /64 and /112. A
/116 like Linode offers won't work in OpenVPN. Thankfully, Linode
is happy to allocate you an extra /64 for free.
Setup the new IPv6 address
If your server only has an single IPv4 address and a single IPv6 address,
then a simple DHCP-backed network configuration will work fine.
To add the second IPv6 block on the other hand, I had to change my network
configuration (/etc/network/interfaces) to this:
auto lo
iface lo inet loopback
allow-hotplug eth0
iface eth0 inet dhcp
pre-up iptables-restore /etc/network/iptables.up.rules
iface eth0 inet6 static
address 2600:3c01::xxxx:xxxx:xxxx:939f/64
gateway fe80::1
pre-up ip6tables-restore /etc/network/ip6tables.up.rules
iface tun0 inet6 static
address 2600:3c01:xxxx:xxxx::/64
pre-up ip6tables-restore /etc/network/ip6tables.up.rules
where 2600:3c01::xxxx:xxxx:xxxx:939f/64 (bound to eth0) is your main
IPv6 address and
2600:3c01:xxxx:xxxx::/64 (bound to tun0) is the new block you
requested.
Once you've setup the new IPv6 block, test it from another IPv6-enabled host using:
ping6 2600:3c01:xxxx:xxxx::1
OpenVPN configuration
The only thing I had to change in my
OpenVPN configuration
(/etc/openvpn/server.conf) was to change:
proto udp
to:
proto udp6
in order to make the VPN server available over both IPv4 and IPv6, and to add the following lines:
server-ipv6 2600:3c01:xxxx:xxxx::/64
push "route-ipv6 2000::/3"
to bind to the right V6 address and to tell clients to tunnel all V6 Internet traffic through the VPN.
In addition to updating the OpenVPN config, you will need to add the
following line to /etc/sysctl.d/openvpn.conf:
net.ipv6.conf.all.forwarding=1
and the following to your firewall (e.g. /etc/network/ip6tables.up.rules):
# openvpn
-A INPUT -p udp --dport 1194 -j ACCEPT
-A FORWARD -m state --state NEW -i tun0 -o eth0 -s 2600:3c01:xxxx:xxxx::/64 -j ACCEPT
-A FORWARD -m state --state NEW -i eth0 -o tun0 -d 2600:3c01:xxxx:xxxx::/64 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
in order to ensure that
IPv6 packets are forwarded from the eth0 network interface to tun0
on the VPN server.
With all of this done, apply the settings by running:
sysctl -p /etc/sysctl.d/openvpn.conf
ip6tables-apply
systemctl restart openvpn.service
Testing the connection
Now connect to the VPN using your desktop client and check that the default
IPv6 route is set correctly using ip -6 route.
Then you can ping the server's new IP address:
ping6 2600:3c01:xxxx:xxxx::1
and from the server, you can ping the client's IP (which you can see in the network settings):
ping6 2600:3c01:xxxx:xxxx::1002
Once both ends of the tunnel can talk to each other, you can try pinging an IPv6-only server from your client:
ping6 ipv6.google.com
and then pinging your client from an IPv6-enabled host somewhere:
ping6 2600:3c01:xxxx:xxxx::1002
I recently setup a music server on my home server using the Music Player Daemon, a cross-platform free software project which has been around for a long time.
Basic setup
Start by installing the server and the client package:
apt install mpd mpc
then open /etc/mpd.conf and set these:
music_directory "/path/to/music/"
bind_to_address "192.168.1.2"
bind_to_address "/run/mpd/socket"
zeroconf_enabled "yes"
password "Password1"
before replacing the alsa output:
audio_output {
type "alsa"
name "My ALSA Device"
}
with a pulseaudio one:
audio_output {
type "pulse"
name "Pulseaudio Output"
}
In order for the automatic detection (zeroconf) of your music server to work, you need to prevent systemd from creating the network socket:
systemctl stop mpd.service
systemctl stop mpd.socket
systemctl disable mpd.socket
otherwise you'll see this in /var/log/mpd/mpd.log:
zeroconf: No global port, disabling zeroconf
Once all of that is in place, start the mpd daemon:
systemctl start mpd.service
and create an index of your music files:
MPD_HOST=Password1@/run/mpd/socket mpc update
while watching the logs to notice any files that the mpd user doesn't have access to:
tail -f /var/log/mpd/mpd.log
Enhancements
I also added the following in /etc/logcheck/ignore.server.d/local-mpd to
silence unnecessary log messages in
logcheck emails:
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ systemd\[1\]: Started Music Player Daemon.$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ systemd\[1\]: Stopped Music Player Daemon.$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ systemd\[1\]: Stopping Music Player Daemon...$
and created a cronjob in /etc/cron.d/mpd-francois to update the database
daily and stop the music automatically in the evening:
# Refresh DB once an hour
5 * * * * mpd test -r /run/mpd/socket && MPD_HOST=Password1@/run/mpd/socket /usr/bin/mpc --quiet update
# Think of the neighbours
0 22 * * 0-4 mpd test -r /run/mpd/socket && MPD_HOST=Password1@/run/mpd/socket /usr/bin/mpc --quiet stop
0 23 * * 5-6 mpd test -r /run/mpd/socket && MPD_HOST=Password1@/run/mpd/socket /usr/bin/mpc --quiet stop
Clients
To let anybody on the local network connect, I opened port 6600 on the
firewall (/etc/network/iptables.up.rules since I'm using Debian's
iptables-apply):
-A INPUT -s 192.168.1.0/24 -p tcp --dport 6600 -j ACCEPT
Then I looked at the long list of clients on the mpd wiki.
Desktop
The official website suggests two clients which are available in Debian and Ubuntu:
- Ario (
apt install ario) - GNOME Music Player Client (
apt install gmpc gmpc-plugins)
Both of them work well, but haven't had a release since 2011, even though there is some activity in 2013 and 2015 in their respective source control repositories.
Ario has a simpler user interface but gmpc has cover art download working out of the box, which is why I might stick with it.
In both cases, it is possible to configure a polipo proxy so that any external resources are fetched via Tor.
Android
On Android, I got these two to work:
I picked M.A.L.P. since it includes a nice widget for the homescreen.
iOS
On iOS, these are the most promising clients I found:
since MPoD and MPaD don't appear to be available on the AppStore anymore.