All posts by nicholas

Install Cinnamon on a Chromebook with Crouton

I really love using Crouton on my Chromebook Pixel LS 2015. I was sad to see that there is no cinnamon desktop environment target with the latest versions of crouton. Below is what I did to get Cinnamon on my chromebook. Much of what I did was taken from https://gist.github.com/sohjsolwin/5939948

  1. Create a base chroot
  2. Enter your chroot
sudo apt-get update
sudo apt-get install software-properties-common python-software-properties
sudo add-apt-repository ppa:tsvetko.tsvetkov/cinnamon
sudo apt-get update
sudo apt-get install cinnamon

Once Cinnamon was installed I needed to know how to start it manually. Thanks to the Arch Linux forums for explaining it. You have to create a .xinitrc file in your home directory within your chroot.

echo "exec cinnamon-session" > ~/.xinitrc

Trying to manually start cinnamon by typing startx didn’t work – I got a blank screen and had to hard reset to get anything to come back. Thanks to github I learned you need to use xinit instead of startx.

Lastly, we need to create a suitable startcinnamon script.

wget https://gist.github.com/sohjsolwin/5934362/raw/f68fc0942798902a0bd48f40c17dc0cd5cf585ea/startcinnamon

Modify the file to remove the startx command with xinit. Also remove everything after xinit. My file is as follows:

APPLICATION="${0##*/}"

USAGE="$APPLICATION [options]

Wraps enter-chroot to start a Mint session.
By default, it will log into the primary user on the first chroot found.

Options are directly passed to enter-chroot; run enter-chroot to list them."

exec sh -e "`dirname "$0"`/enter-chroot" "$@" xinit

Make this file executable (chmod +x startcinnamon) and move it to the /usr/local/bin directory of your chromebook (not your chroot.) Now all you need to do is enter

sudo startcinnamon

and your cinnamon desktop should come up!


 

Update 2016-01-04

These two scripts seem to work a little bit better. Place this one within your chroot under /usr/local/bin/startcinnamon:

#!/bin/sh -e
# Copyright (c) 2015 The crouton Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

# Launches GNOME; automatically falls back to gnome-panel

exec crouton-noroot gnome-session-wrapper cinnamon

Place this one in /usr/local/bin outside your chroot (on your chromebook itself.)

#!/bin/sh -e
# Copyright (c) 2015 The crouton Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

set -e

APPLICATION="${0##*/}"

USAGE="$APPLICATION [options]

Wraps enter-chroot to start a GNOME session.
By default, it will log into the primary user on the first chroot found.

Options are directly passed to enter-chroot; run enter-chroot to list them."

exec sh -e "`dirname "\`readlink -f "$0"\`"`/enter-chroot" -t cinnamon "$@" "" \
    exec startcinnamon

Install Ubuntu chroot on your Chromebook

I recently got a Chromebook Pixel 2015 LS. It is a very nice device. Chromium OS is great but a power user like myself wants a little more functionality out of this beautiful machine.

Fortunately it’s not too difficult to get an Ubuntu chroot running side by side with chromium. The Google developers have made a script to automate the process.

Below is my experience installing an Ubuntu Trusty chroot on my chromebook 2015 LS.

Prepwork

  • Enter developer mode:
    Press ESC, Refresh, power simultaneously (when the chromebook is on)

    • Every time you power on the chromebook from now on you’ll get a scary screen. Press CTRL-D to bypass it (or wait 30 seconds)
    • If you hit space on this screen instead of CTRL+D it will powerwash (nuke) your data
      A scary screen will pop up saying the OS is missing or damaged. Press CTRL D, then press Enter when the OS verification screen comes up.
  • Wait several minutes for developer mode to be installed. Note it will wipe your device to do this.

Install Crouton

Now that we’re in developer mode we will use a script called crouton to install an Ubuntu chroot (thanks to lifehacker for the guidance.)

  1. Download Crouton:  https://github.com/dnschneid/crouton
  2. Press CTRL ALT T to open terminal
  3. Type ‘shell’ (without quotes) and hit enter
  4. sudo sh ~/Downloads/crouton -r trusty -t touch,extension,unity-desktop,keyboard,cli-extra -e -n unity
    1. Note the arguments are suited to my needs. You will want to read up on the documentation to decide which options you want, i.e. desktop environment
  5. Install this crouton extension to integrate clipboard (in conjuction with the ‘extension’ parameter above)

General points of interest / lessons learned

  • Don’t enter the chroot and type startx. It will hard freeze your chromebook.
  • You don’t need to blow your chroot away if you want a different desktop environment, simply install desired environment on your existing chroot
  • To switch between chroots pres Ctrl + Alt + Shift + F2 or F3 (back or forward arrows on top row, not to be confused with the arrows on the bottom right of the keyboard)

High DPI

High DPI screens are a pain to deal with. Here are my tweaks:

  • Go to System settings / Displays / Scale for menu and title bars. I like 1.75
  • Alternatively you can change your resolution. If you mess up and X won’t start properly, delete ~/.config/monitors.xml (thanks to askubuntu)
  • Use the setres script to enable other resolutions in the display manager
    • setres 1440 960
  • Firefox fix tiny text:
    • go to about:config and modify layout.css.devPixelsPerPx, set to 2

Other tweaks:

  • Make trackpad match Chrome:
    • System settings / mouse and trackpad / Check “Natural Scrolling”
  • Remove lens suggestions:
    • Install unity-tweak-tool, notify-osd, overlay-scrollbar, unity-webapps-service
    • Run unity-tweak-tool and uncheck “search online sources” from the search tab
  • Move docky bar to the left:
    • sudo apt-get install gconf-editor
    • Press Alt+F2, enter: gconf-editor and in this configuration editor, navigate to “apps -> docky-2 -> Docky -> Interface -> DockPreferences -> Dock1″
    • On the right side there are some properties with their corresponding values, including the position of the dock which you can change from “Bottom” to “Top/Left/Right” to move Docky to the upper part of the desktop.
  • Install Mac OSX theme
  • Install elementary OS chroot

Garbled mouse cursor when switching between chroots

Sometimes the mouse cursor would get all weird when switching between my chroots. The fix is to install the latest Intel drivers within your chroot.

sudo apt-get install software-properties-common python-software-properties
sudo add-apt-repository https://download.01.org/gfx/ubuntu/14.04/main
wget --no-check-certificate https://download.01.org/gfx/RPM-GPG-KEY-ilg -O - | sudo apt-key add -
wget --no-check-certificate https://download.01.org/gfx/RPM-GPG-KEY-ilg-2 -O - | sudo apt-key add -
sudo apt-get update
sudo apt-get upgrade

That’s it.. for now 🙂


 

Update 07/27/2015

I discovered that creating chroots was taking a very long time due to the mirror being chosen. I discovered the -m parameter of crouton which allows you to specify a mirror of your choosing. My updated setting is thus:

sudo sh ~/Downloads/crouton -r trusty -t touch,extension,kde-desktop,keyboard,cli-extra -e -n unitykde -m http://mirrors.xmission.com/ubuntu

If you happened to do a CTRL + C to cancel an existing chroot install that was going slowly, you can simply append the -m parameter above along with -u -u to resume with the updated mirror:

sudo sh ~/Downloads/crouton -r trusty -t touch,extension,kde-desktop,keyboard,cli-extra -e -n unitykde -m http://mirrors.xmission.com/ubuntu -u -u

Install OpenWRT on ASUS RT-16N

My parents’ ASUS RT-16N has been running dd-wrt for years now. I recently enhanced it with optware but something went horribly wrong after a few days. A drive out to their house revealed that the whole unit had spontaneously reset itself to factory defaults.

OpenWRT has come a long way since I last investigated it. I decided to give it another try as it’s till actively being developed whereas dd-wrt is not.

The wiki article on this device is a little bit out of date. I had to update it a little bit to get it to work.

To install OpenWRT on this device, SSH into it and run the following commands:

cd /tmp
wget http://downloads.openwrt.org/barrier_breaker/14.07/brcm47xx/generic/openwrt-brcm47xx-generic-squashfs.trx mtd -r write openwrt-brcm47xx-generic-squashfs.trx linux

That part went smoothly. The last part to configure was wireless N. After some searching I came across this post on the OpenWRT forums which worked nicely for me.  SSH into the router and do the following to enable full wireless N functionality:

opkg update
opkg install kmod-brcmsmac
opkg install kmod-brcmutil
rmmod b43
rmmod b43legacy
rmmod wl
rmmod brcmsmac
rmmod brcmutil
modprobe brcmsmac

# make sure to delete the old config files ... you have to ...
rm -f /etc/config/wireless 
wifi detect > /etc/config/wireless
vi /etc/config/wireless

Now comment out # "option disabled 1"

I had to take navid’s steps a little bit further by tweaking /etc/config/wireless a bit to add some features. My working wireless configuration is below:

config wifi-device 'radio0'
 option type 'mac80211'
 option channel '11'
 option hwmode '11ng'
 option path 'bcma0:0'
 list ht_capab 'GF'
 list ht_capab 'SHORT-GI-20'
 list ht_capab 'SHORT-GI-40'
 option txpower '19'
 option country '00'

config wifi-iface
 option device 'radio0'
 option network 'lan'
 option mode 'ap'
 option ssid 'SSID'
 option encryption 'psk2'
 option key 'SSIDKEY'

Success! Fully functional OpenWRT on my parents’ Asus RT-16N.

Owncloud server did not acknowledge the last chunk error

I experienced an issue with Owncloud today where small files wouldn’t synchronize properly. The error message was

The server did not acknowledge the last chunk. (No e-tag were present)

I could not find a way around this issue. Some googling revealed this page on github. It appears I’m not the only one with this issue.

Deep in the thread, asinteg-daehn provided a workaround for the issue. It’s not ideal, but it works. Rename the file to something else, wait for it to sync, then rename it back.

Update:
Currently only found a WORKAROUND: Renaming of all affected files.

  • open activity dialog of OC Client
  • go to each affected file by double clicking on it’s error message
  • rename it by e.g. a prefix “_” -> “_myfile.txt”
  • resync succeeds
  • now rename it back
  • resync should succeed, too

This is very annoying, but a simple workaround.

It worked for me. Hopefully it will work for you too.

Install OTRW2 on DD-WRT

Optware done the right way 2 is a set of scripts designed to enhance the functionality of your DD-WRT router. I’ve recently installed it on my parents’ router so I can more or less have a full Linux box running in their house (it makes my life easier.)

The tutorial for install it is pretty comprehensive. These are my notes on the experience.

  • USB devices needs to be ext2 formatted (fat won’t do.) This is because the script makes a bunch of symlinks to that device.
  • Mount ext2 formatted drive as /opt (Services / USB / Disk Mount Point)
  • Reboot router if you made any changes to mountpoints.

SSH into the router and run the following:

wget -O /tmp/prep_optware http://dd-ware.googlecode.com/svn/otrw2/prep_optware
sh /tmp/prep_optware

Installation takes some time. Wait one minute after installation complete message and reboot router.

Once rebooted, use the service command to see which services are available. Green means the service is enabled.

service mypage on

Enables the mypage service, but you still have to reboot. Reboot router after any changes to services to enable / disable them.

Small overview of services as taken from dd-wrt forums:

rotate_log = move the log file to /opt/var/log/
pixelserv = addblocking on you network.
unfsd = nfs server
zabbix = zabbix client (useless since its included in kong build)
pound = reverse proxy which you can use since you host multiple sites
sshhack = block ips hammering ssh with incorrect credentials.
stophack = BLock ips which are trying to hack server (only combined with pound or vlighttpd)
stophammer = block ips which are hammering ports
nzbget & transmission for downloading.
fixtables rearranges the firewall entries

A full explanation on how otrw2 enhances your router and what each package does is located here.

All in all, pretty straightforward once you get the right filesystem on your media and have it mounted on the right mountpoint. OTRW2 gives your router a whole lot more usefulness and the ability to install a wide range of packages on it.

 

 

Manually configure D-Link DCS-930L wireless camera

I recently acquired a pair of D-Link DCS-930L wireless cameras for cheap. I got them to supplement my iSpy home security setup. These cameras come with all sorts of cloud management software that I’m not interested in. I just want to configure them to be wireless cameras for my iSpy system to handle.

There is a trick to configuring these cameras for wi-fi without installing any software or buying a D-Link cloud router. You simply have to plug the camera into an enternet connection, configure your computer to be on the same network as the camera, navigate to the camera’s management webpage, and make a few changes. Let’s begin. (I got my information from the manual for this device, located here.)

  1. Use the supplied ethernet cable to plug the camera’s ethernet port into your computer’s ethernet port. You will have to manually configure your computer’s IP address to be on the 192.168.0.0/24 subnet (something like 192.168.0.2.)
  2. The default IP address for this camera is 192.168.0.20. Go there in a browser.
  3. Default username: admin, blank password
  4. Navigate to the Setup tab (at the top), then click Wireless setup (on the left)
  5. Join your AP by doing a site survey and connecting to your wireless network. Enter your security key (if any) in the passphrase box.
  6. Reboot to have settings take effect (Maintenance (top) System (left) reboot the device)
  7. Un-plug ethernet cable (it doesn’t appear to connect wirelessly if ethernet is plugged in)

Now that we’re up and running we need to tell iSpy (or any other camera software) to connect to the camera. A very helpful guide to URLs these cameras use is located on iSpy’s webpage.

 

The URL for MJPEG capture is:

http://<IP ADDRESS>/MJPEG.CGI

The URL for JPEG capture is:

 http://<IP ADDRESS>/image.jpg

Be sure to fill in <IP ADDRESS> with the IP your camera gets from Wi-Fi, of course.

Success!

I read you can install openwrt on these devices.. but that’s a post for another day.

Install fresh Windows 8.1 on Lenovo G50-S70

Inspired by Lenovo’s bone headed move to install the superfish malware on its machines, I decided to wipe my mother’s Lenovo G50-S70 laptop and start anew. It was supposed to be easy but I ended up running into some issues with this new fangled hardware.

Microsoft has released a very easy tool to create boot ISO images and / or USB media to install Windows 8.1. For Windows 8.1 certified devices like the Lenovo G50 this is extra nice because the key is embedded in the UEFI BIOS – no need to write down or memorize a key.

After creating a USB drive, however, I was greeted with a lovely error message:

Select the driver to install.

It seemed that the install media didn’t see the G50’s hard drive. I could not get past this error message. All drivers on Lenovo’s website are .EXE files which don’t extract well – even when extracted, the installer didn’t like them.

The solution is to boot into a Windows PE environment and run the Windows installer from there. I chose this PE image, which worked quite nicely. Once booted from this PE disk, I was able to mount the install media and run setup.exe manually. This time the installer saw the hard drives and installed Windows 8.1 as you would expect. Success.

Make Notepad++ open files in separate windows

I love Notepad++. When working in Windows it’s my go-to text editor. One thing I don’t like about it, though, is that it seems to only work in one window by default.

It turns out there is a way to change Notepad++ to work more like Notepad – that is, each file you open opens up in a new window instead of a tab in the same window. There doesn’t appear to be a menu option to enable this functionality; however it is still possible to get Notepad++ to behave more like Notepad that way, thanks to this post.

The trick is to create an empty file named asNotepad.xml and to place that file in the directory where Notepad++ is installed (C:\Program Files (x86)\Notepad++ in my case.)

That’s it! once the empty asNotepad.xml file is in the Notepad++ program directory, it acts more like notepad in the sense that each file is opened in a new window. Handy.

Migrate from Sophos UTM to pfSense part 1

I’ve been using a Sophos UTM virtual appliance as my main firewall / threat manager appliance for about two years now. I’ve had some strange issues with this solution off and on but for the most part it worked. The number of odd issues has begun to build, though.

Recently it decided to randomly drop some connections even though logs showed no dropped packets. The partial connections spanned across various networks and devices. I never did figure out what was wrong. After two days of furiously investigating (including disconnecting all devices from the network), the problem went away completely on its own with no action on my part. It was maddening – enough to drive me to pfSense.

As of version 2.2 pfSense can be fully virtualized in Xen, thanks to FreeBSD 10.1. This allowed me the option to migrate. Below are the initial steps I’ve taken to move to pfSense.

Features checklist

I am currently using the following functions in Sophos UTM. My goal is to move these functions to equivalents in pfSense:

  • Network firewall
  • Web Application Firewall, also known as a reverse proxy.
  • NTP server
  • PPPOE client
  • DHCP server
  • DNS server
  • Transparent proxy for content filtering and reporting
  • E-mail server / SPAM protection
  • Intrusion Detection system
  • Anti-virus
  • SOCKS proxy
  • Remote access portal (for downloading VPN configurations, etc)
  • Citrix Xenserver support (for live migration etc)
  • Log all events to a syslog server
  • VPN server
  • Daily / weekly / monthly e-mail reports on bandwidth usage, CPU, most visited sites, etc.

I haven’t migrated all of these function over to pfSense which is why this article is only Part 1. Here is what I have done so far.

Xenserver support

Installing xen tools is fairly straightforward thanks to this article. It’s simply a matter of dropping to a shell on your pfSense VM to install and enable xen tools

pkg install xe-guest-utilities
echo "xenguest_enable=\"YES\"" >> /etc/rc.conf.local
ln -s /usr/local/etc/rc.d/xenguest /usr/local/etc/rc.d/xenguest.sh 
service xenguest start

PPPoE client

The wizard works fine for configuring PPPOE, however I experienced some very strange issues with internet speed. Downstream would be fine but upstream would be incredibly slow. Another symptom was NAT / port forwarding appearing not to work at all.

It turns out the issue was pfSense’s virtualized status. There is a bug in the virtio driver that handles virtualized networking. You have to disable all hardware offloading on both the xenserver hypervisor and the pfSense VM to work around the bug. Details on how to do this can be found here. After that fix was implemented, speed and performance went back to normal.

DNS server

To get this working like it did in Sophos you have to disable the default DNS resolver service and enable the DNS forwarder service instead. Once DNS forwarder is enabled, check the box “register DHCP leases in DNS” so that DHCP hostnames come through to clients.

Syslog

Navigate to Status / system logs / settings tab and  tick “Send log messages to remote syslog server” and fill out the appropriate settings.

Note for Splunk users: the Technology Add-on for parsing pfsense logs expects the sourcetype to equal pfsense (not syslog). Create a manual input for logs coming from pfsense so it’s tagged as pfsense and not syslog (thanks to this post for the solution on how to get the TA to work properly.)

VPN

OpenVPN – wizard ran fine. Install OpenVPN Client Export utility package for easy exporting to clients. Once package is installed go to VPN / OpenVPN and you will see a new tab – Client Export.

Note you will need to create a user and check the “create certificate” checkbox or add a user certificate to existing user by going to System / User manager, Editing the user and clicking the plus next to User Certificates. The export utility will only show users that have valid certificates attached to them. If no users have valid certificates the Client Export tab will be blank.

Firewall

One useful setting to note is to enable NAT reflection. This allows you to access NATed resources as if you were outside the network, even though you are inside it. Do this by going to System / Advanced and clicking on the Firewall / NAT tab. Scroll halfway down to find the Network Address Translation section. Change NAT reflection mode for port forwards to Enable (Pure NAT)

It’s also very helpful to configure host and port aliases by going to Firewall / Aliases. This is roughly equivalent to creating Network and Host definitions in Sophos. When you write firewall rules you can simply use the alias instead of writing out hosts IPs and ports.

So far so good

This is the end of part 1. I’ve successfully moved the following services from Sophos UTM to pfSense:

  • Network firewall
  • PPPOE client
  • Log all events to a syslog server
  • VPN server
  • NTP server
  • DHCP server
  • DNS server
  • Xenserver support

I’m still working on moving the other services over. I’ve yet to find a viable alternative to the web application firewall but I haven’t given up yet.

Fix NAT not working with pfSense in Xenserver

After a few very frustrating experiences I’ve decided I want to migrate away from Sophos UTM for my home firewall. I enjoy Sophos’ features but do not enjoy the sporadic issues it’s been giving me.

My colleagues all rave about pfSense and how awesome it is so I thought I would give it a try. I have a completely virtualized setup using Citrix Xenserver 6.5 which has prevented me from trying pfSense in the past. The latest release, version 2.2.2, is based on FreeBSD 10.1, which includes native Xen device support. Now we’re talking.

Installation was quick and painless. After some configuration, the basic internet connection function was working swimmingly. As soon as I tried to forward some ports from my WAN interface to hosts on my network, though, things did not go well at all. I began to doubt my ability to configure basic NAT.

It looks simple enough – go to Firewall / NAT, specify the necessary source and destination IPs and Ports, and click apply. Firewall rules were added automatically. Except it didn’t work. I enabled logging on everything and there were no dropped packets to be found, but they were clearly being dropped. I thought it might be something weird with Sophos being upstream so I built my own private VM network but the issue was the same. NAT simply didn’t work. Silently dropped packets. I am not a fan of them.

I was about to give up on pfSense but something told me it had to be a problem with my virtualization setup. I ran a packet capture via Diagnostics / Packet capture and after much sifting I found this gem:

checksumAll of my packets sent to the WAN interface returned [Bad CheckSum] that I was only able to discover via packet capture – they weren’t in the logs anywhere.

Armed with this information I stumbled on this forum post and discovered I am not alone in this. There apparently is a bug with FreeBSD 10.1 and the virtIO network drivers used by Xen, KVM, and others that causes it to miscalculate checksums, resulting in either dropped or very slow packets (I experienced both.)

The solution is to disable tx checksum offloading on both the PFsense side and the hypervisor side. In pfSense this is done by going to System / Advanced / Networking and checking “Disable hardware checksum offload”

To accomplish this on the xenserver side, follow tdslot’s instructions from the forum post linked above, replacing vm-name-label with the name of your pfSense VM:

Find your PFsense VM network VIF UUID’s:

[root@xen ~]# xe vif-list vm-name-label="RT-OPN-01"
uuid ( RO)            : 08fa59ac-14e5-f087-39bc-5cc2888cd5f8
...
...
...
uuid ( RO)            : 799fa8f4-561d-1b66-4359-18000c1c179f

Then modify those VIF UUID’s captured above with the following settings (discovered thanks to this post)

  • other-config:ethtool-gso=”off”
  • other-config:ethtool-ufo=”off”
  • other-config:ethtool-tso=”off”
  • other-config:ethtool-sg=”off”
  • other-config:ethtool-tx=”off”
  • other-config:ethtool-rx=”off”
xe vif-param-set uuid=08fa59ac-14e5-f087-39bc-5cc2888cd5f8 other-config:ethtool-tx="off"
xe vif-param-set uuid=799fa8f4-561d-1b66-4359-18000c1c179f other-config:ethtool-tx="off"

Lastly, shutdown the VM and start it again (not reboot, must be a full shutdown and power on.)

It worked! NAT worked as expected and a little bit of my sanity was restored. I can now make the switch to pfSense.