* Smart as in clever, not as in grooming. Hell no!
LXF June 2012 Issue 158
1 for Free Software
y ! D ivac ore DV -pr m Y er ns IN sup + to SH le os R -sty car PE ian u, I SUDeb Haik : , ils SD Ta -B PC
LXF158
The world’s smartest* and best Linux mag
Refresh your OS Five of the best non-Linux operating systems p30
#
Beat the CIA
Beat the
Design a CPU Oil Rush Android vs iOS Arduino
Browse securely
Crush cookies
Cloak your IP address
Stay anonymous
End Software Patents
10 pages top-class hacof kery
Build a virtual CPU
PHP Work with MySQL Python Talkin g tasks
Alternative operating systems
Learn how computers work by making one p58
Arduino
It’s better to activate a Blinkenlight than curse the darkness p90
Code Concept s
IS YOUR FREE DVD MISSING?
Speak to your newsagent now!
Vim
Ciarán O’Riordan
Winter is coming
It’s a completely absurd situation… we can’t rely on the courts to fix this
Patent madness at the heart of Europe p50
Printed in the UK
Text editing
Advanced Vim
Write code faster and save the world
Online chatter
Learn to love IRC
Because FYI AAMOF ATM LXF PPL need some help
Also inside . . . Make a map
Help government spies by tracking yourself p52
It’s all about oil!
Why panic-buy petrol when it’s more fun to bomb oil fields? p22
Android vs iOS
Test phones, meet girls p56 Character building
Create a font
Not to be used for baptising babies
www.TuxRadar.com LXF158 JUNE 2012
£6.49
Printed in the UK
IRC
Keep everyone out with our ultimate privacy guide
Welcome 1 for Free Software
#
What we do
We support the open source community by providing a resource of information, and a forum for debate. We help all readers get more from Linux with our tutorials section – we’ve something for everyone! We license all the source code we print in our tutorials section under the GNU GPLv3. We give you the most accurate, unbiased and up-to-date information on all things Linux.
Who we are
This month’s cover feature looks at keeping your data safe from the prying authorities. So, what do you want to keep safe from The Man?
Gary Walker
Shush! The thought police are onto me. Freedom is slavery. Ignorance is strength. WE ARE THE DEAD.
Ben Everard
Nothing. Definitely nothing. I’m clean, you understand me? Wait, was that a knock at the door? Quick, the red pill…
Mike Saunders
My project to hack into the computers of the world’s leading financial institutions and make them all run MikeOS.
Andrew Gregory
I don’t want anyone to get their hands on my Frontier: Elite 2 saved games. I earned those combat points!
Mayank Sharma
Efrain HernandezMendoza
My secret subscription to the illegal streaming site www.live Mexicansegunda divisionfootball.com
Jonathan Roberts
My Lovefilm password. The Return of The King has been on my rental list for eight years. They’re going to send it soon, I can sense it.
My plans to lead the Cornish invasion of Devon. Today Ilfracombe, tomorrow the world my friends.
David Cartwright
Nick Veitch
The penguin breeding programme I’m running in my bathroom. I have the air conditioning set permanently to -12˚C.
You are your data It’s not about a lack of trust. It’s about control. Many of us now spend so much of our lives online, generating huge quantities of data, that this data has become as individual and personal as our DNA. And like our DNA, it can infer information about us that we don’t want other people to know. Controlling your data, and ensuring your privacy, is the only way of knowing your online DNA won’t become trivialised, exploited or shared without your consent. This is vitally important, not just because there are many places in the world where people can’t speak freely, but because in the future personal data is only going to increase. We need to set a limit and state what’s acceptable and what’s unacceptable. If we don’t, I think future generations will inherit too loose an attitude towards their data and, in doing so, relinquish too much control to the agencies that collect it. That bit sounds a little paranoid, but I feel the commercial use of data, in particular, will always submit to the lowest common denominator. And no one wants a search for cancer treatment to result in higher personal insurance premiums. When we asked our readers on TuxRadar.com whether privacy is only for those with something to hide, the vast majority of respondents said no, so I don’t think we’re alone. This is the motivation for our feature. Not just to help you protect what’s yours, but to build a general awareness of how much is collected. The only person you can really trust to do the right thing with your data is yourself, and that’s only if you’re aware of how this data is generated and how it might be used.
My vast collection of illegally downloaded Christina Aguilera MP3s, not least her cruelly underrated Christmas album.
Graham Morrison Editor graham.morrison@futurenet.com Susan Linton
The spacecraft I’m secretly constructing in the garage. I plan to abandon this doomed earth and discover Planet Linton by 2020.
Shashank Sharma
The large hadron collider I’ve spent the past 30 years building under the rosemary bush in my garden. It’s mine, all mine!
Neil Bothwick
The offshore millions I’ve accrued from writing Answers for Linux Format over the past 85 years. It’s not taxable, right?
Subscribe today And get an LXF binder!
www.tuxradar.com
June 2012 LXF158 3
Contents There’s nothing wrong with having something to hide.
Reviews
Oil Rush ............................. 22 Part strategy, part shoot-em-up, part terrifying warning from the future.
Kill people for oil, then retire to a lucrative after-dinner speaking job.
XBMC 11 Eden .................. 24
Turn your Linux box (or Raspberry Pi) into a fully-fledged media centre.
Gnome 3.4......................... 26
Beat the
And tell Theresa May and GCHQ where to get off, too p42
The desktop to bring them all and in the darkness, bind them gets a better browser.
New applications abound in the latest Gnome 3 release.
Audacity 2.0.......................27
Audio editing the free software way, now with added VAMP and other acronyms.
Renoise 2.8........................ 28 This digital audio workstation hits all the right notes (geddit?) for our reviewer.
Roundup: Alternative operating systems p30
What on Earth is… The Journal? p62
Talking heads To get software excluded [from patentability] we had to argue that software isn’t technology
Renoise is brilliant. Buy it now.
4 LXF158 June 2012
Ciarán O’Riordan explains the madness p50 www.linuxformat.com
On your free DVD Tails
Take the pain out of configuring Tor
Alternative OSes
Try something a little bit different
PLUS: HotPicks and tutorial code
p112
Treat yourself or a loved one to an LXF subscription! p40
Don’t miss...
Map your walks...................52 Share your adventures with the world.
Android vs iOS................... 56 A clash of the mobile titans.
Design a CPU...................... 58
You too can be as cool as Alan Turing.
Coding Academy
Tutorials Typography Build your own font ..........76
Python...................................................... 94 Get your Python scripts talking to each other and feel like the coding equivalent of a Parselmouth.
Shashank Sharma shows you how to turn your handwritten scrawl into a usable font.
Coding Concepts ....................................98
The best coder is the laziest coder. Loops save you time and effort, so it’s essential to understand them.
PHP..........................................................100
Make your PHP applications play nicely with a MySQL database and understand the fuel that powers the interwebs.
Regulars at a glance
Helvetica has its advocates, but you really can’t beat Comic Sans.
News............................. 6 Subscriptions ...........40 Answers ...................106 It’s bizarre, but Microsoft loves us –
Celebrate the springing of Spring
YOUR PROBLEMS SOLVED
maybe a bit more than Ubuntu does.
with an LXF subscription.
Mobile broadband, slowing down
User groups................14 What on Earth is? ....62 From Kingston town, home of the
Introducing The Journal – a new way
mighty Maureen Lipman.
to record system logs.
booting, mass transfers and more.
Next month ..............110 The wait is almost unbearable, but
Mailserver...................16 Sysadmin...................64 We’re sorry, but we had to cut the
Featuring SELinux and a lesson from
reference to castrated monarchy.
the crazy world of quilting.
LXF159 will be with you soon.
Hotter than April in the UK – and
operating system? Look no further.
that’s at least 11˚C.
A blast from the pst in the form of
Because life is too short to regret missing an issue of LXF.
Security OpenVPN........................... 84
Use a VPN to grant users access to your network, while keeping the scum out.
It might well be good to talk, but it’s even better to chat online with strangers.
Electronics Arduino ..............................90
Build a multiplexed light output and create your own tiny bit of light pollution.
Distrowatch...............38 Back issues ............. 105 MINIX, plus Sabayon and more.
Get to grips with the advanced features of this popular text editing tool.
Online chat IRC...................................... 86
Roundup ....................30 HotPicks ....................68 Looking for an alternative free
Text editing Vim .....................................80
Our subscriptions team is waiting for your call.
www.tuxradar.com
June 2012 LXF158 5
Reviews Entertainment hub
XBMC 11 Eden
Ben Everard discovers Eden, XBMC 11 Eden to be precise, and finds out that it looks very pleasant indeed. In brief... XBMC is a media player and entertainment hub. Also consider: VLC, Mythbox and Totem.
T
he latest version of XBMC comes in flavours for Windows, Mac OS X, iOS, Apple TV and Linux. According to the changelog, there are 106 new or updated features, from tweaking the user interface to improving support for different CPU architectures. So there should be a reason for everyone to upgrade. We tested the XBMCbuntu live DVD put together by the team to showcase the technology. It’s built on Lubuntu, and boots straight into the XBMC application. This gives a full XBMC experience out of the box. Or at least it should – we found that the volume was turned down too low to enjoy videos. The Audio menu in the video provided a Volume Amplification option, and while this increased the volume, it
“We almost forgot to mention it runs on the Raspberry Pi.” noticeably decreased the audio quality. The Audio Output screen in System Settings also couldn’t help us. In the end, we found the solution in the Master Volume slider in Programs > XBMC Audio Mixer. Why the sound controls need to be spread around three separate locations, we don’t know. On the home screen, there are seven options: Weather, Pictures, Videos, Music, Programs, Play Disk and System. We imagine most people will spend
Features at a glance
Positive outlook
You can now get a weather forecast tailored to your location (based on IP lookup).
24 LXF158 June 2012
Take your pick
Add-ons enable you to browse many online video repositories.
XBMC replaces a traditional desktop with an interface that’s more suited to use with modern media devices.
most of their time in Videos and Music. Both give users the option to view appropriate files stored on the computer, and to download plugins to view content in various online stores. Generally, this worked well, although it leaves some applications stuck between the two – for example Facebook Media, which can take videos and pictures from the popular social network and display them in XBMC. Since it fits in neither medium, it gets dumped under the Programs menu. Several of the add-ons in the Video menu failed to play on our system. We suspect that this is because the hosts were filtering out IP addresses from some countries. Fortunately, there are a number of third-party add-ons that enable playing of British TV, such as BBC iPlayer and 4OD. Installing them couldn’t be easier; simply download the ZIP file and then go to System > Addons > Install from Zip file and select the newly-downloaded ZIP. It isn’t the XBMC developers’ fault that some addons are limited by country – this restriction is put in place by the organisations hosting the streams. If you can’t find what you’re looking for in the official add-on repositories, check out wiki.xbmc.org/index. php?title=3rd_party_add-on_
www.linuxformat.com
repositories for a wider selection. Perhaps the fact that our biggest gripe is with the layout tells you how good this software is. It looks gorgeous, and the screen is well set up for controlling from a distance – there are no fiddly little buttons to click, and you can enter text using just a pointing device (but why have they used an alphabetic layout rather than QWERTY for the on-screen keyboard?). Oh, we almost forgot to mention it runs on the Raspberry Pi. So, if you can get your hands on one of these little devices, you can turn any TV into a smart TV for a paltry $35. LXF
Verdict XBMC 11 Eden Developer: Team XBMC Web: www.xbmc.org Price: Free
Features Performance Ease of use
9/10 9/10 7/10
Great for browsing video streams and home-made smart TVs… once you find your way around the menu structure, that is.
Rating 8/10
Ciarán O’Riordan While we merrily use our Linux boxes there’s a secret army at work, fighting to protect our freedom. Ciarán O’Riordan is one of their number: as a member of End Software Patents and former contributor to the Free Software Foundation’s work on reforming patent laws, he’s one of the clever and dedicated people fighting for the freedom we take for granted. We sought him out at FOSDEM, in Brussels.
Interview
Linux Format: Most of our readers in the UK or EU will probably think that we don’t have software patents. But something you said earlier implied that they can still be enforced even though they aren’t on the legislature. How does that work? Ciarán O’Riordan: Governance of patents in general is split between patent office, the legislation and the courts, and so normally the way it happens is that each body should be the checks and balances for the other bodies. What’s happening now is that the legislation says that programs for computers are excluded from patentability. But the patent office have developed a very strange interpretation of this. What they’ve essentially done is read the text as saying programs for computers are excluded as such, and this means programs for computers as programs for computers. But if you want to patent a program for a computer as a memory device containing something… if you name it something other than a program for a computer, then all of a sudden it’s no longer a program for a computer as a program for a computer. It’s not a plain English reading of the text, but it’s what they’ve been doing for a long time, and we have the courts looking at the
50 LXF158 June 2012
So, there are no software patents in the EU hey? That’s what we thought until we met End Software Patents. patentability question, and the UK courts are saying: “well, it’s so hard to interpret this law and the EPO (European Patent Office) has already interpreted it this way, so let’s be uncontroversial and we’ll use their interpretation.” One judge even mentioned that he was doing that for consistency, which is a funny way to put it because the patent office always do their evaluation before the court. The only way a court can be consistent is to follow exactly what the patent office has already decided. It’s a very strange situation, where you have the European patent office, which is not part of the European Union; it’s not part of the UK; it’s answerable to nobody, yet they’re making the decisions that are being followed by the UK’s highest court. We have to get new legislation in, but there’s a massive amount of work. In 2002, when we were working on the EU Software Patents Directive – people left their jobs to work on this sort of thing. I moved country to work on this, and that was the amount of lobbying it took just to get the proposal stopped, so to actually get a victory would be even more work. The problem is that whenever it looks like we’re going to get a victory, the people on the other side will try to stop the process. LXF: Is the problem getting hold of people who know enough about software patents, and European law, who speak enough Slovenian or Maltese, or any of the other languages of the EU? CO’R: The language barrier isn’t so much of an issue. People mostly use English. The bigger problem is getting the software developers to understand how law works. What you have to remember is
www.linuxformat.com
that if the word ‘technology’ is in the text, ‘technology’ doesn’t mean what the dictionary says it means; ‘technology’ means what some judge 10 years ago said technology means. So we have issues such as fields of technology, and the TRIPs (Trade Related aspects of Intellectual Property rights) agreement says innovations in all fields of technology are patentable. The result is that to get software excluded we had to argue that software isn’t technology. Obviously, for software developers this is a bit weird, but when you look at copyright convention, the Berne Convention for the Protection of Literary and Artistic Works says that software is to be protected as literary work. So software is a work of authorship, and works of authorship don’t have to be technologies. LXF: Is the situation the same all over the EU? CO’R: The current proposal is that they want to have an EU patent. Now, the EU has 23 languages. The problem is that if you want to have a patent for the EU then you have to register it at each patent office, and in each language that the patent office accepts, so you end up having to translate your patent into 23 languages. So to make software patents cheaper, the European Union wants to create this single patent. Sometimes they propose that they will only publish it in English, with machine translations in every other language. Sometimes they propose English, French and German, and then Spain gets annoyed, and then Italy gets annoyed – and if Spain and Italy get their way then Poland wants its way as well. To avoid that, the EU wants to publish everything in just English, or just English, French and German, and have these patents valid in the whole EU; and they’ll
Ciarán O’Riordan
translate the patent only if there is litigation. But, of course, by then it will be too late, because that means that somebody will presumably already have violated the patent; so if there are 20,000 patents and you don’t speak English, French or German, you don’t know what those patents are. LXF: That’s Kafkaesque… CO’R: But for us, this is actually one of the good aspects, because this is one of the reasons that the proposal has taken so long. It’s been delayed over and over again. It isn’t actually part of the problem for free software developers, it’s a democratic problem for us in general. For free software developers, the main problem is that if you’re going to have these central patents the next logical step is which court will interpret them, because if each national court is going to interpret them then you’re going back to the old oN situation, where the UK said no and France said yes and Germany said no, etc. So the logical next step is that we need to have a centralised court. That gives you a specialised
court that can be reviewed by the European Court of Justice, or maybe by national courts, but those courts will see this court as a court of experts, so they end up being afraid to disagree with it, as we’ve already seen in the UK. So this court of patent lawyers will basically replace the national courts. We’re going to see the patent office granting patents, the legislation being ignored and the courts approving these granted patents. LXF: Are there any politicians who you think get it? CO’R: The European Parliament – the politicians there are actually pretty good. That’s the body the Free Software Foundation managed to convince in 2003 and 2005 to accept our amendments to exclude software from patentability. In 2003
SoftwaRE PatENtS
they adopted all our amendments, and that was basically a complete victory. If the text was adopted as is, Europe would be completely safe today. However, then the European Council, and then the Council of Ministers, discarded all these amendments. So, in 2005 when the European parliament got to look at it a second time, they were going to adopt all our amendments again, but then they said: “What’s the point if the council is just going to discard them all again? There’s no point in us doing our work of amending.” So they just rejected the directive outright. That was kind of a victory for us because we avoided the worst-case scenario, but it’s also what Microsoft and IBM and SAP wanted, because they saw they were losing so they pulled the plug on the whole project; so they were also happy to not have lost. For us, legislation is the best way to fix the problem, but we have to be in a strong position in terms of knowing we’re going to win, and we’ve got to make sure the process reaches the end phase and the legislation gets adopted. LXF
“To get software excluded, we had to argue that software isn’t technology.”
June 2012 LXF158 51
What on Earth The Journal
What on Earth is
The Journal? Jonathan Roberts discovers a new tool for recording system logs. Haven’t we talked about journals on a Q previous occasion?
we have, when we were talking about A Yes Zeitgeist. But that was a piece of desktop
software, designed to record which files you access in order to help you find them again.
Q
And this new Journal, that’s different how? This time, The Journal is a system logger. It doesn’t aim to make it easier to find files, but to record information about how the system is performing: resource usage, security information and error messages are all stored in the system logs.
A
62 LXF158 June 2012
Linux already records this it writes some of the logs. Some other Q But A Well, information. There are all those .log files applications have their own logging
in /var/log/messages, right? That’s right. When system processes have some information that ought to be recorded, they send a message to a piece of software that runs in the background. This message is sent via a protocol known as syslog, and the background application that receives and handles this message is the syslog daemon.
A
Ah, yes, many background processes are Q known as daemons. So this syslog
daemon, it writes the logs?
www.linuxformat.com
systems, and their own log file formats too. The log files dealt with by syslog are usually written in plain, human text readable files.
however many there are, why do we Q OK, need a new logging system? Linux is doing really well these days, in lots of important places; surely the current logging system can’t be bad? It’s not bad. In fact, it has many impressive features, but it’s also 30 years old. In that time, weaknesses have been found, inconsistencies have developed in the different
A
The Journal What on Earth implementations, and new programs have come along that want to use log data in ways that syslog’s original creators could never have imagined. That all sounds a bit vague; have you got Q any specific examples?
I have. In fact, the developers of A Sure The Journal managed to come up with 14
different examples.
I thought you said syslog wasn’t Q 14! that bad.
A
It’s not, and developers who are working on popular syslog implementations have questioned whether all of these examples are fair criticisms. They have conceded that some of the criticisms are legitimate, however. These include the lack of rules governing what format the logs should be recorded in, and the lack of indexing as a result of log files being nothing more than plain text files. They don’t sound so bad. There are so Q many different applications on Linux that they must have wildly different logging requirements. A fixed logging format might inhibit their freedom. Having few rules about the format of a message does make the system flexible and powerful, but it makes analysing the logs unnecessarily complex. Imagine that you wanted to write a program that examines the kernel’s logs, the X server’s logs and the mail server’s logs; you may find yourself having to deal with three different formats. It’ll take longer, you’ll have to write more code and there’s a much greater chance of making a mistake.
A
OK, so there are real problems here. Q I’m guessing The Journal deals with these problems, then? Exactly. The first issue is dealt with by establishing a fixed format for log messages. Each entry in a log file is made up of a number of key/value fields. This way, any program analysing logs will know that all it has to do is look for the correct key in any particular entry, and it will find the value it’s looking for.
A
So, the file format is like a dictionary? Q The key is the word you’re looking up,
A
Q A linear search? What’s that?
That sounds like Q Authenticate? a security thing.
information it likes, and syslog does nothing to ensure that it’s true. This can be used by malicious programs to emulate legitimate ones, manipulate logs and hide their activities. There are lots of other features, too. You can learn more about them by reading the detailed document that first announced The Journal (http://tinyurl.com/853f73n).
interesting. But does this Q Hmm... address the speed of looking
check that out. Another thing: what Q I’ll chance does this have of being
up information? No, not directly. But one of the other important features of The Journal should help. In The Journal, every log message should have a long number associated with it – called a UUID. The number wouldn’t be unique for every message, but unique for every kind of message. This means that tools could be written that would quickly identify all logs of
adopted? Nobody likes change, especially when there’s a working alternative. That’s a really good question. Since it’s integrated in to systemd, which is already adopted by a lot of distributions, there’s a good chance many will also start to take advantage of The Journal. But there’s quite a bit of resistance to the whole idea of The Journal. Some people question whether its security
A
A
As it stands, any service can send A Yes. a message to syslog and record whatever
A
“The Journal is a component of systemd, the new service manager and boot system.” a particular type, and then they could look through the fields of just those messages and find the information they were looking for. sounds promising, but for Q aThat completely new system it doesn’t sound like there are that many new features. There are plenty of other new features in The Journal, too. One thing we haven’t talked about so far is that The Journal is actually a component of systemd, the brand new service manager and boot system that has been adopted by lots of Linux distributions.
A
imagine that you’ve got a string A Basically, of Christmas tree lights. One bulb isn’t Oh yeah, we talked about that before. Q When working, so they’ve all stopped working. To find you start your computer, all kinds the offending bulb, you’re going to have to try every single bulb! Now imagine that situation, but with tens of thousands of bits of data.
A
and the value the definition? Yes, that’s right. Compare that with syslog’s plain text files, where the data type, the data and all kinds of other information were all mixed in together – and mixed in a different way in almost every log! Not only does this make access easier, but it also retains a lot of flexibility. An entry can contain any number of different fields, but they’ll always be recorded in a predictable, easy-to-access way.
Q
Right, that does sound like it’s a real problem. However, I’m not at all convinced by your argument that plain text files are a problem – surely that just means they can be read using the humble text editor, and knowledge of how the file format works is never likely to be lost. It’s the Unix way! Well, yes and no. Plain text does have the benefits that you described, but it also means that they can’t be indexed and are slow to access. If you wanted to search through the logs to find, for example, all HTTP requests from a particular IP address, you’d have to do a linear search – in computing terms, this is very slow.
them start quicker and providing ways to restart and stop them. Well done! I’m glad to see you listen when we talk. Because systemd manages the services, many of which are programs that want to log data, it knows a lot about them. Since The Journal is integrated with systemd, it can take advantage of all this information. For instance, it can collect, and more importantly authenticate, a lot of contextual information which is useful for debugging: process IDs, executable locations, etc.
of ‘processes’ start up – background programs that make your computer work. Systemd organises these services, making
www.tuxradar.com
features are as good as claimed, others complain about it abandoning plain text files, and still others think it would have been better to improve syslog, rather than re-inventing the wheel. And that’s not even taking in to account the need for developers from many other projects to rework their programs to take advantage of The Journal’s new features.
Q An uphill battle, then? You could say that. We shouldn’t forget, Ahowever, that the developers behind
The Journal are also responsible for some other controversial additions to the Linux stack, including PulseAudio. These were eventually adopted by the vast majority of Linux distributions, for whatever reasons, so it seems they know what they’re doing. LXF
June 2012 LXF158 63
Tutorial Security Open up your LAN safely Security
with a Virtual Private Network
Using a VPN
Want to give authorised users access to your network, while keeping the internet’s riff-raff out? Neil Bothwick shows you how with OpenVPN.
A
Our expert Neil Bothwick Neil has a computer in every room, but won’t disclose the location of his central server for security reasons.
common complaint for Linux users goes along the lines of: “I want to make service XYZ available over the internet but only to authorised users. How do I do this securely?” where XYZ could be VNC, NFS, Samba or a local web server. The solution to this problem depends on the exact service you want to forward and what methods it has for authentication and security. Some are better than others, but it still means potentially having to take care of several services and making sure all are secure. You don’t have the same problem on your local network because, unless anyone can use your computers, you have only authenticated users. An alternative to exposing individual parts of your network to the web at large is to allow authorised users to join the network from outside, as if they were connected to the local network directly. This is what a Virtual Private Network (VPN) does – it sets up a secure, encrypted tunnel between a computer and the network. While the tunnel goes over the public internet, all traffic between your computer and the network stays inside the tunnel, encrypted and secure. The are a few different VPN implementations, but we will use OpenVPN here. This, as the name implies, is a completely open system that uses the well established OpenSSL for connections. Before you do anything else, set up your router to forward port 1154 to the computer that will be acting as the OpenVPN server on your LAN, or you won’t be able to connect. At its simplest, you can connect a computer to a network by running the first command on a computer on the network, the OpenVPN server, and the second command on the remote computer you want to connect to the network, the client: sudo openvpn --remote clientaddress --dev tun 1 --ifconfig 10.0.1.1 10.0.1.2 sudo openvpn --remote serveraddress --dev tun 1 --ifconfig 10.0.1.2 10.0.1.1 The --remote option gives the name or IP address of the computer to connect to, while the two addresses given to --ifconfig are allocated to the local and remote computers
Create your certificates, for the server and clients, using the build scripts provided with OpenVPN.
84 LXF158 June 2012
www.linuxformat.com
Don’t foreget to set your router to forward incoming requests to port 1194 to the same port number on the computer running the OpenVPN server.
respectively, which is why they’re reversed in the second command. These addresses should be in one of the reserved private ranges, but on a different subnet to your LAN or horrible things will happen. The VPN is a separate network, with the server acting as a gateway between it and your LAN. If you get an unknown device error about tun on either computer, load the tun module with sudo modprobe tun While this works, in so far as it connects to one computer on your network, it’s hardly convenient, as you need someone to run the command at each end of the link, and you need to know IP addresses in advance, which isn’t much help when connecting from a mobile broadband dongle or using wireless hotspots at various caffeine suppliers.
The answer
The solution is to run the server permanently (or at least when it’s likely to be needed) on your LAN, to allow connections from any IP address and use certificates to authenticate any computers that try to connect. Most of the set-up is done on the server, in a terminal as the root user (Ubuntu users prefix everything with sudo). Your OpenVPN installation should include scripts to manage this in /usr/ share/openvpn/easy-rsa. We need to edit these, so copy the easy-rsa directory to /etc/openvpn to stop your settings being clobbered by an update. Edit the vars file to set the KEY_* variables – do not leave any of them blank. The next step is to create a master Certificate Authority (CA) certificate with: source ./vars/ ./clean-all ./build-ca You will be asked a number of questions, but you can normally press Enter at each one, as the answers are preset
Security Tutorial in the vars file. This creates a certificate in the keys directory, which is used to sign any server and client certificates we are about to create. Make the server certificate with: ./build-key-server servername As before, accept the defaults, but set the Common Name to the name of the server, then respond with y when asked if you want to sign and commit the certificate. Now run this command for each client that you want to connect, using the same client name on the command line and in response to the Common Name question. ./build-key clientname This script builds a key that is enough to connect to the VPN, so anyone with access to the computer can do so. If this is a laptop and you have no other form of protection against a thief doing this, use build-key-pass instead of build-key to create a key locked with a password. There is one more file to build, with: ./build-dh Copy ca.crt and that computer’s .crt and .key files to the /etc/openvpn directory of each computer. On the server, you also need to copy ca.key and the dh1024.pem file that the build-dh command created. Do this securely, using either a physical medium or SSH – don’t email them, as anyone with these files can connect to your network. Make sure the permissions on the secret .key file are set to rw-------, copying via a FAT formatted USB key will set them to something more permissive, and unacceptable. The server and client each need a configuration file in /etc/openvpn. The sample files, usually installed in /usr/ share/doc/openvpn/examples/sample-config-files, are the best starting point. Copy server.conf to /etc/openvpn/ openvpn.conf, and on the server edit it. Most of the file is comments, and the default settings are good, but make sure the ca, cert, key and dh settings correspond to the files you created, preferably using full paths. Copy the client.conf file to /etc/openvpn/openvpn.conf on the client and edit it. Change the remote line to point to the IP address (or hostname) of your server and the port it will listen on (the default is 1194). You can have more than one remote line, in which case they will be tried in turn until a connection is made. remote gateway.example.com 1194 remote 123.124.125.126 1194 Use the public IP address of your internet connection. If your gateway is behind a router, forward port 1194 to the gateway server in your router’s configuration. Edit the cert and key lines to contain the names of the client’s certificate and key files. If you changed any of the defaults in the server
Start the server and client from a terminal when testing. It will let you know exactly what it is doing.
config, make sure that you change any corresponding settings here. Now you can see how things work by running: /etc/init.d/openvpn start on the server and then on the client. Running ifconfig on each computer should show a tun interface with an address in the 10.8.0.* range (unless you changed this in the configs), and you should be able to ping between them. Once you have verified it’s working, you can use your distro’s services manager to have OpenVPN start at boot on your server.
Reaching the whole network
So far, we’ve connected two computers, but we want the client to be able to access the whole of the local network, not just the server. OpenVPN has altered the routing table on the client to pass all traffic for the 10.8.0.0 network over the VPN. To have the server route traffic for the LAN to the correct destination, add this to its configuration file: push “route 192.168.1.0 255.255.255.0” using the appropriate address and netmask for your LAN. This not only sets up routing on the server, but the server uses this to send the correct routing settings to a client when it connects. If you give the route -n command after opening the VPN on the client, it will show something like: Destination Gateway Genmask Flags Metric Ref Use Iface 192.168.1.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0 This will work well, providing your OpenVPN server is also the gateway for the network, which means that the other computers on the LAN will send all non-LAN traffic to it anyway. If this is not the case, you have two choices. You can alter the routing tables of any computers on the network that you want to be accessible from the VPN by running this command on them: route add -net 10.8.0.0 netmask 255.255.255.0 gw 192.168.1.1 or you can alter your router’s configuration to route all traffic to the 10.8.0.0 network via your server – 192.168.1.1 in this example. Some routers support OpenVPN directly, particularly those using the DD-WRT or OpenWrt operating systems. If you have such a router, you can transfer the responsibility to it using the web interface. The details vary according to the firmware it is running, but it’s basically a case of pasting the contents of your certificate, key and configuration files into text boxes in the router’s web interface. LXF
www.tuxradar.com
If you use a router that supports OpenVPN, such as this DD-WRT based device, you can run the server on your router and avoid the need to have one particular computer running all the time.
June 2012 LXF158 85
June 2012
1 for Free Software
#
Back page
Merriment and off-topicness from the Linux Format team (and you)
From the podcast... Jon: We've been told we're a bit too down on Ubuntu, but Mark Shuttleworth has said that Ubuntu adoption has overtaken Red Hat Enterprise Linux's adoption.
Andrew: So does that mean Canonical are also on their way to making a billion dollars this year, like Red Hat are?
Jon: It is good news that Ubuntu is growing and the work and effort they put in is starting to pay off.
Graham: And if people want to become sysadmins and have Ubuntu experience, a lot of those will be transferable to jobs.
Graham: Don't spoil it Andrew!
TuxRadar
Andrew: Sorry, it's because I hate them… I don't really!
Jon: Whatever dodgy statistics might have been quoted, growth in Linux, whatever form it takes, is good.
This snippet taken from Season 4 Episode 4 of the TuxRadar podcast – get the latest episodes on your LXFDVD in the Podcast folder, or go to www.tuxradar.com/podcast
Anatomy of a geek desktop
Billy info (for the animal behaviour experts): The notepad in the foregound is slightly crumpled because yesterday that daft bugger Billy knocked over a glass of Old Speckled Hen and turned my notepad into corrugated paper. Sue and I think that Billy is slightly effeminate. We have formed this opinion because of his adoration for the Alpha male in the household hierarchy, and
On the left, you can see an HP printer/ copier/scanner F2480, and underneath the printer is my home-built Mini-ITX PC, using an Intel Board DQ45EK with E5400 Pentium Dual Core CPU and 4GB ram, and a 64GB Crucial SSD. The case is a Jou-Jye Nu 568i with integrated card reader.
This month's lair of geekdom comes from Mark and Sue…
114 LXF158 June 2012
In the centre is a Dell 20-inch VGA widescreen 1600x900 monitor reference IN201ON case, RAM and motherboard from www.mini-itx.com. Monitor, SSD and CPU from www.novatech.co.uk/ novatech. On the monitor, there's an image of Audacity within Ubuntu 10.04. I recorded the Paul Jones Blues programme on my digital radio, imported it into Audacity and am currently separating a track from the rest of the recording. I then export it as an MP3, identify it using tagtool and pop it in my Music folder.
www.linuxformat.com
the way that he sprints around the garden. The best way to describe his running style is to imagine you are driving peacefully in the countryside in the south of England and you see a pheasant on the road. The bird is spooked by the car and runs haphazardly left and right, zig-zagging hither and thither like one of the characters in Little Britain. I'm sure you now have the mental image…