Sunday, 3 November 2013

How to Set Up Secure Remote Networking with OpenVPN on Linux, Part 1

It's always been prudent to wrap a warm comfy layer of encryption over your Internet travels to foil snoops of all kinds, and with our own government slurping up every bit wholesale it's more crucial than ever. OpenVPN is the top choice for protecting networking over untrusted networks. Today we'll learn a quick way to set up OpenVPN so you can securely access your home server when you're on the road.
A quick note on VPNs: there are many commercial VPNs that aren't worth the bits they're printed on. They're little better than SSL-protected Web sites, because they trust all clients. A true VPN (virtual private network) connects two trusted endpoints over untrusted networks. You can't just log in from whatever random PC you find, and this is good because (presumably) you understand that logging in to your private network from an infected host is a bad thing to do, no matter how secure the connection is. So you have to configure both your server and client.

OpenVPN Quickstart

You need two computers on different subnets, like a wired and wireless PC on the same network (or a couple of Linux guests in Virtualbox), and you need to know the IP addresses of both PCs. Let's call our example computers Studio and Shop. Install OpenVPN on both of them. OpenVPN is included in most Linux distributions, so you can install it with your favorite package manager. This example is for Debian, Ubuntu, and their myriad descendants:
$ sudo apt-get install openvpn openvpn-blacklist 
That installs OpenVPN and a small tool, openvpn-vulnkey, that checks a key against the blacklist of known-compromised keys. You must install the blacklist checker! Once upon a time Debian distributed a broken version of OpenSSL whose random number generator was not really random but predictable, so keys created with it are assumed to be too weak to trust. This happened back in 2008, and everyone who used the defective OpenSSL was supposed to hunt down and replace their weak keys. Even though it's been over five years, it's cheap insurance to run the blacklist checker, especially against any key you did not generate yourself.
Now let's test it by creating an unencrypted tunnel between our two PCs. First ping each machine to make sure they're talking to each other. Then make sure that OpenVPN is not running, because we're going to start it manually:
$ ps ax|grep openvpn
If it is, kill it. Let's say that Studio's IP address is 192.168.1.125, and Shop's is 192.168.2.125. Open an unencrypted tunnel from Studio to Shop:
$ sudo openvpn --remote 192.168.2.125 --dev tun0 --ifconfig 10.0.0.1 10.0.0.2
Then from Shop to Studio:
$ sudo openvpn --remote 192.168.1.125 --dev tun0 --ifconfig 10.0.0.2 10.0.0.1
When you make a successful connection you'll see something like this:
Wed Oct 16 2013 ******* WARNING *******: all encryption and authentication 
features disabled -- all data will be tunnelled as cleartext
Wed Oct 16 2013 TUN/TAP device tun0 opened
Wed Oct 16 2013 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Wed Oct 16 2013 /sbin/ifconfig tun0 10.0.0.1 pointopoint 10.0.0.2 mtu 1500
Wed Oct 16 2013 UDPv4 link local (bound): [undef]
Wed Oct 16 2013 UDPv4 link remote: [AF_INET]192.168.2.125:1194
Wed Oct 16 2013 Peer Connection Initiated with [AF_INET]192.168.2.125:1194
Wed Oct 16 2013 Initialization Sequence Completed
"Initialization Sequence Completed" are the magic words that confirm you did it right. You should be able to ping back and forth with the tunnel addresses, ping 10.0.0.1 and ping 10.0.0.2. When you build your tunnel you may use whatever IP addresses you want that don't overlap with your existing network. To close your tunnel press Ctrl+c.
Just for fun open an SSH session over your tunnel. Figure 1 shows a successful SSH login over a VPN tunnel, and it also demonstrates the fancy Message of the Day from Put a Talking Cow in Your Linux Message of the Day:
$ ssh carla@10.0.0.2
Figure 1: A successful SSH session over a VPN tunnel, and a fancy MOTD.
Hurrah, it works!

Encrypted VPN Tunnel

This is all fun and exciting, but pointless without encryption, so we'll set up a simple static key configuration. It's not as strong as a proper public key infrastructure (PKI) with root certificates and revocations and all that good stuff: one shared key authenticates both ends, so anyone who copies it can connect as either peer, and because the same key protects every session there is no forward secrecy, meaning a key that leaks later also exposes any traffic that was captured earlier. It's still a good-enough solution for the lone nerd needing to call home from the road. OpenVPN helpfully includes a command to create the static key, so create a directory to store the key in, create the key, and make it read-only for the file owner:
$ sudo mkdir /etc/openvpn/keys/
$ sudo openvpn --genkey --secret /etc/openvpn/keys/static.key
$ sudo chmod 0400 /etc/openvpn/keys/static.key
This is a plain-text key that you can open in a text editor and look at if you're curious, and you can name it anything you want; you don't have to call it "static.key". Copy this key to both computers-- yes, the same key. It's not a private-public key pair, but just one single shared key, so treat it like a password: move it with scp over SSH (or on a USB stick you keep hold of), never by email or over a plain-text channel, and keep the 0400 permissions on the copy too.
Now we'll create some simple barebones configuration files for each computer. (On Debuntu etc. there are no default configuration files, but rather a wealth of example files in /usr/share/doc/openvpn/.) In my little test lab Studio is the server, and Shop is the wandering laptop that will log into the server. My server configuration file is /etc/openvpn/studio.conf, and this is all it has:
# config for Studio
dev tun
ifconfig 10.0.0.1 10.0.0.2
secret /etc/openvpn/keys/static.key
Make this file readable and writable only to the file owner:
$ sudo chmod 0600 /etc/openvpn/studio.conf
The configuration file on the client is similar, with the addition of the IP address of the server:
# config for Shop
dev tun
ifconfig 10.0.0.2 10.0.0.1
secret /etc/openvpn/keys/static.key
remote 192.168.1.125
Mind the order of your IP addresses on the ifconfig line: the local tunnel address comes first, then the remote one, so the two files mirror each other. Now fire up OpenVPN on the server, specifying the server configuration file, and do the same on your client:
$ sudo openvpn /etc/openvpn/studio.conf
$ sudo openvpn /etc/openvpn/shop.conf
You'll see the same "Initialization Sequence Completed" message for a successful connection, and you must also look for the absence of this message, which should have appeared when you created your un-encrypted tunnel:
******* WARNING *******: all encryption and authentication features disabled
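Before trusting the tunnel, it is worth checking the three things that go wrong most often with this setup: the two config files not mirroring each other, a key file that is not what openvpn --genkey writes (or is readable by everyone), and a tunnel that came up but in cleartext. The script below is an added example, not code from the article or from the OpenVPN project. It checks exactly the static key layout openvpn --genkey --secret produces (a 2048-bit key as 16 lines of 32 hex characters between BEGIN/END markers) and scans startup output for the two messages quoted above. The sample configs, the key and the log lines are constructed for the example; the key body is dummy hex, not a real key.

```python
import os
import re
import stat

# --- constructed sample inputs: dummy key material, not a real key ---------
SERVER_CONF = """# config for Studio
dev tun
ifconfig 10.0.0.1 10.0.0.2
secret /etc/openvpn/keys/static.key
"""
CLIENT_CONF = """# config for Shop
dev tun
ifconfig 10.0.0.2 10.0.0.1
secret /etc/openvpn/keys/static.key
remote 192.168.1.125
"""
SAMPLE_KEY = ("#\n# 2048 bit OpenVPN static key\n#\n"
              "-----BEGIN OpenVPN Static key V1-----\n"
              + "00112233445566778899aabbccddeeff\n" * 16   # 16 x 16 bytes = 2048 bits
              + "-----END OpenVPN Static key V1-----\n")
CLEARTEXT_LOG = [
    "******* WARNING *******: all encryption and authentication features disabled"
    " -- all data will be tunnelled as cleartext",
    "TUN/TAP device tun0 opened",
    "Initialization Sequence Completed",
]
ENCRYPTED_LOG = ["TUN/TAP device tun0 opened", "Initialization Sequence Completed"]

KEY_BEGIN = "-----BEGIN OpenVPN Static key V1-----"
KEY_END = "-----END OpenVPN Static key V1-----"
CLEARTEXT_WARNING = "all encryption and authentication features disabled"
TUNNEL_UP = "Initialization Sequence Completed"


def parse_config(text):
    """Turn an OpenVPN config into {option: [args]}; '#' and ';' lines are comments."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        opts.setdefault(name, args)          # keep the first occurrence
    return opts


def check_pair(server_text, client_text):
    """Compare the two config files; return a list of problems (empty = consistent)."""
    s, c = parse_config(server_text), parse_config(client_text)
    problems = []
    for name, cfg in (("server", s), ("client", c)):
        if "secret" not in cfg:
            problems.append(f"{name}: no 'secret' line, tunnel would run in cleartext")
        if len(cfg.get("ifconfig", [])) != 2:
            problems.append(f"{name}: 'ifconfig' needs exactly two addresses")
    if "remote" not in c:
        problems.append("client: no 'remote' line, it cannot find the server")
    if len(s.get("ifconfig", [])) == 2 and len(c.get("ifconfig", [])) == 2:
        if s["ifconfig"] != c["ifconfig"][::-1]:
            problems.append("ifconfig addresses are not mirrored (order is local then remote)")
    return problems


def check_static_key(text, bits=2048):
    """Check a key file has the layout 'openvpn --genkey --secret' writes."""
    lines = [l.strip() for l in text.splitlines()
             if l.strip() and not l.strip().startswith("#")]
    if len(lines) < 3 or lines[0] != KEY_BEGIN or lines[-1] != KEY_END:
        return ["missing BEGIN/END static key markers"]
    body = "".join(lines[1:-1])
    if not re.fullmatch(r"[0-9a-fA-F]+", body):
        return ["key body is not hexadecimal"]
    if len(body) * 4 != bits:
        return [f"key is {len(body) * 4} bits, expected {bits}"]
    return []


def key_mode_problems(mode):
    """Return problems for a key file's permission bits (want 0400 or 0600)."""
    problems = []
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"key readable by group/other (mode {oct(mode & 0o777)})")
    if mode & stat.S_IXUSR:
        problems.append("key is executable, which it never needs to be")
    return problems


def check_key_file(path):
    """Run both key checks against a real file on disk."""
    with open(path) as f:
        problems = check_static_key(f.read())
    return problems + key_mode_problems(os.stat(path).st_mode)


def tunnel_state(log_lines):
    """Classify openvpn startup output as 'encrypted', 'cleartext' or 'not-up'."""
    text = " ".join(" ".join(log_lines).split())   # collapse wrapped lines
    if TUNNEL_UP not in text:
        return "not-up"
    return "cleartext" if CLEARTEXT_WARNING in text else "encrypted"


if __name__ == "__main__":
    bad_client = CLIENT_CONF.replace("ifconfig 10.0.0.2 10.0.0.1", "ifconfig 10.0.0.1 10.0.0.2")
    print("good pair:", check_pair(SERVER_CONF, CLIENT_CONF) or "ok")
    print("swapped ifconfig:", check_pair(SERVER_CONF, bad_client))
    print("sample key:", check_static_key(SAMPLE_KEY) or "ok")
    print("mode 0644:", key_mode_problems(0o644))
    print("cleartext log:", tunnel_state(CLEARTEXT_LOG))
    print("encrypted log:", tunnel_state(ENCRYPTED_LOG))
```

On a real box, call check_key_file("/etc/openvpn/keys/static.key") and feed the output of sudo openvpn /etc/openvpn/studio.conf to tunnel_state; anything other than "encrypted" means stop and fix the config before carrying the laptop out the door.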

Firewalls and Dynamic IP Addresses

OpenVPN itself is simple to configure. The biggest hassles are dealing with firewalls and dynamic IP addresses. There are a skillion different firewalls in the world, so I shall leave it as your homework to figure out how to get through yours safely. OpenVPN uses UDP port 1194 by default, so open only that port, and on a home router add a forwarding rule for it that points to the computer you want to access.
Dynamic IP addresses are another hassle. Dyn.com is an inexpensive way to manage dynamic IP assignment from your ISP. Or you might be able to pay your ISP a few bucks to get a static address.
At this point you could stop and call it good, because you can manually start OpenVPN on your server and leave it waiting for you, take your laptop out into the world, and connect to your server whenever you want. However, there are some refinements we can add such as daemonizing OpenVPN on the server, using Network Manager to make the connection automatically, and the biggest missing piece in OpenVPN howtos: how to access your remote resources. So come back next week for the rest of the story.

 http://www.linux.com/learn/tutorials/743590-secure-remote-networking-with-openvpn-on-linux

How to set up web-based network traffic monitoring system on Linux

When you are tasked with monitoring network traffic on the local network, you can consider many different options to do it, depending on the scale/traffic of the local network, monitoring platforms/interface, types of backend database, etc.
ntopng is an open-source (GPLv3) network traffic analyzer which provides a web interface for real-time network traffic monitoring. It runs on multiple platforms including Linux and MacOS X. ntopng comes with a simple RMON-like agent with built-in web server capability, and uses Redis as a key-value store for time series statistics. You can install ntopng on any designated monitoring server connected to your network, and use a web browser to access the real-time traffic reports available on the server.
In this tutorial, I will describe how to set up a web-based network traffic monitoring system on Linux by using ntopng.

Features of ntopng

  • Flow-level, protocol-level real-time analysis of local network traffic.
  • Domain, AS (Autonomous System), VLAN level statistics.
  • Geolocation of IP addresses.
  • Deep packet inspection (DPI) based service discovery (e.g., Google, Facebook).
  • Historical traffic analysis (e.g., hourly, daily, weekly, monthly, yearly).
  • Support for sFlow, NetFlow (v5/v9) and IPFIX through nProbe.
  • Network traffic matrix (who’s talking to who?).
  • IPv6 support.

Install ntopng on Linux

The official website offers binary packages for Ubuntu and CentOS. So if you use either platform, you can install these packages.
If you want to build the latest ntopng from its source, follow the instructions below.
To build ntopng on Debian, Ubuntu or Linux Mint, first download the ntopng-1.0 source tarball (ntopng-1.0.tar.gz) from the ntop project's download page into your current directory, then:
$ sudo apt-get install libpcap-dev libglib2.0-dev libgeoip-dev redis-server wget
$ tar xzf ntopng-1.0.tar.gz -C ~
$ cd ~/ntopng-1.0/
$ ./configure
$ make geoip
$ make
In the above steps, “make geoip” will automatically download a free version of GeoIP databases with wget from maxmind.com. So make sure that your system is connected to the network.
To build ntopng on Fedora (again with ntopng-1.0.tar.gz already downloaded):
$ sudo yum install libpcap-devel glib2-devel GeoIP-devel libxml2-devel redis wget
$ tar xzf ntopng-1.0.tar.gz -C ~
$ cd ~/ntopng-1.0/
$ ./configure
$ make geoip
$ make
To install ntopng on CentOS or RHEL, first set up EPEL repository, and then follow the same instructions as in Fedora above.

Configure ntopng on Linux

After building ntopng, create a configuration directory for ntopng, and prepare the default configuration files as follows. I assume that “192.168.1.0/24” is the CIDR address prefix of your local network. First the startup options file:
$ sudo mkdir -p /etc/ntopng
$ sudo -e /etc/ntopng/ntopng.start
with these contents:
--local-networks "192.168.1.0/24"
--interface 1
then the configuration file, which names the PID file:
$ sudo -e /etc/ntopng/ntopng.conf
with this content:
-G=/var/run/ntopng.pid
Before running ntopng, make sure to first start redis, which is a key-value store for ntopng.
To start ntopng on Debian, Ubuntu or Linux Mint:
$ sudo /etc/init.d/redis-server restart
$ cd ~/ntopng-1.0/
$ sudo ./ntopng
To start ntopng on Fedora, CentOS or RHEL:
$ sudo service redis restart
$ cd ~/ntopng-1.0/
$ sudo ./ntopng
By default, ntopng listens on TCP/3000 port. Verify this is the case using the command below.
$ sudo netstat -nap|grep ntopng
tcp        0      0 0.0.0.0:3000            0.0.0.0:*      LISTEN     29566/ntopng

Monitor Network Traffic in Web-Based Interface

Once ntopng is successfully running, go to http://<ip-address-of-host>:3000 on your web browser to access the web interface of ntopng.
You will see the login screen of ntopng. Use the default username and password “admin/admin” to log in, and change that password immediately: as the netstat output above shows, ntopng listens on 0.0.0.0, i.e. on every interface, and serves the interface over plain HTTP, so also restrict port 3000 with your firewall to the hosts that need it (or put it behind an HTTPS reverse proxy).
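A monitoring box tends to accumulate services like this one, bound to every interface with a default password. The script below is an added example, not part of the article or of ntopng: it parses the kind of output "sudo netstat -nap" produces, keeps only listening sockets, and reports the ones bound to all interfaces (0.0.0.0 or ::) that are not on your list of deliberately exposed ports. The sample output is constructed for the example; only the ntopng line mirrors the article, the other PIDs and addresses are made up.

```python
# Constructed sample in the shape of 'sudo netstat -nap' output. Only the
# ntopng line mirrors the article; the other rows are invented for the example.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:3000            0.0.0.0:*               LISTEN      29566/ntopng
tcp        0      0 127.0.0.1:6379          0.0.0.0:*               LISTEN      29501/redis-server
tcp        0      0 192.168.1.10:22         192.168.1.33:51002      ESTABLISHED 1201/sshd
tcp6       0      0 :::22                   :::*                    LISTEN      1201/sshd
udp        0      0 0.0.0.0:1194            0.0.0.0:*                           2011/openvpn
"""

WILDCARD = {"0.0.0.0", "::"}   # bound to every interface, IPv4 and IPv6


def parse_listeners(netstat_output):
    """Yield (proto, addr, port, program) for each listening socket in the output."""
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith(("tcp", "udp")):
            continue                      # headers and blank lines
        proto, local = parts[0], parts[3]
        # TCP rows carry a State column; an unconnected UDP socket has none
        # and is effectively listening, so treat a 6-field row as LISTEN.
        state = parts[5] if len(parts) >= 7 else "LISTEN"
        if state != "LISTEN":
            continue
        addr, port = local.rsplit(":", 1)  # ':::22' -> ('::', '22')
        prog = parts[-1].partition("/")[2] or parts[-1]   # '29566/ntopng' -> 'ntopng'
        yield proto, addr, int(port), prog


def exposed_services(netstat_output, allowed_ports=()):
    """Listeners bound to all interfaces, minus the ports you deliberately expose."""
    return [(proto, port, prog)
            for proto, addr, port, prog in parse_listeners(netstat_output)
            if addr in WILDCARD and port not in allowed_ports]


if __name__ == "__main__":
    # SSH and the OpenVPN port are meant to be reachable; anything else is a finding.
    for proto, port, prog in exposed_services(SAMPLE_NETSTAT, allowed_ports={22, 1194}):
        print(f"{prog} listens on all interfaces ({proto}/{port}); firewall it or bind it locally")
```

Pipe real output in with something like "sudo netstat -nap | python3 audit.py" after swapping SAMPLE_NETSTAT for sys.stdin.read(); redis on 127.0.0.1 is correctly ignored, while ntopng on 0.0.0.0:3000 is flagged.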

Here are a few screenshots of ntopng in action.
Real-time visualization of top flows.

Live statistics of top hosts, top protocols and top AS numbers.

Real time report of active flows with DPI-based automatic application/service discovery.

Historic traffic analysis.
 



 http://xmodulo.com/2013/10/set-web-based-network-traffic-monitoring-linux.html

How to speed up slow apt-get install on Debian or Ubuntu

If you feel that package installation by apt-get or aptitude is often too slow on your Debian or Ubuntu system, there are several ways to improve the situation. Have you considered switching the default mirror sites being used? Have you checked the bandwidth of your Internet connection to see if that is the bottleneck?
If neither helps, you can try a third option: the apt-fast tool. apt-fast is a shell script wrapper around apt-get and aptitude which can accelerate package downloads. Internally, apt-fast uses the aria2 download utility, which can fetch a file in “chunks” from multiple mirrors simultaneously (as in a BitTorrent download).

Install apt-fast on Debian-based Linux

To install apt-fast on Debian, fetch the script from GitHub. Note that master.zip is the unpinned development branch with no signature to verify, so read apt-fast before you copy it into /usr/bin (it will run as root under sudo) and prefer a tagged release if one exists:
$ sudo apt-get install aria2
$ wget https://github.com/ilikenwf/apt-fast/archive/master.zip
$ unzip master.zip
$ cd apt-fast-master
$ sudo cp apt-fast /usr/bin
$ sudo cp apt-fast.conf /etc
$ sudo cp ./man/apt-fast.8 /usr/share/man/man8
$ sudo gzip /usr/share/man/man8/apt-fast.8
$ sudo cp ./man/apt-fast.conf.5 /usr/share/man/man5
$ sudo gzip /usr/share/man/man5/apt-fast.conf.5
To install apt-fast on Ubuntu or Linux Mint:
$ sudo add-apt-repository ppa:apt-fast/stable
$ sudo apt-get update
$ sudo apt-get install apt-fast
During installation on Ubuntu/Mint, you will be asked to choose a default package manager (e.g., apt-get, aptitude), and other settings. You can change the settings later by editing a configuration file.

Configure apt-fast

After installation, you need to configure a list of mirrors used by apt-fast in /etc/apt-fast.conf.
Debian and Ubuntu each publish an official list of their mirrors.
Choose mirrors which are geographically close to your location, and add chosen mirrors to /etc/apt-fast.conf in the following format.
$ sudo vi /etc/apt-fast.conf
Debian:
MIRRORS=('http://ftp.us.debian.org/debian/,http://carroll.aset.psu.edu/pub/linux/distributions/debian/,http://debian.gtisc.gatech.edu/debian/,http://debian.lcs.mit.edu/debian/,http://mirror.cc.columbia.edu/debian/')
Ubuntu/Mint:
MIRRORS=('http://us.archive.ubuntu.com/ubuntu,http://mirror.cc.columbia.edu/pub/linux/ubuntu/archive/,http://mirror.cc.vt.edu/pub2/ubuntu/,http://mirror.umd.edu/ubuntu/,http://mirrors.mit.edu/ubuntu/')
Individual mirrors for a given archive should be separated by commas as above, and the MIRRORS string should include the default mirror site specified in /etc/apt/sources.list. Plain http mirrors are only as safe as the hash check that follows them: every .deb must be compared with the hash from the GPG-signed package index before it is installed, so check that the apt-fast version you run passes that hash on to aria2 (or that your apt verifies files already sitting in its cache) rather than assuming it.
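To make the mechanism concrete, here is the core of what a wrapper like apt-fast has to do, as an added example (not apt-fast's own code): take the records "apt-get --print-uris" prints for a pending install, rewrite each archive URI so every mirror in MIRRORS serves the same path, emit an aria2c input file with the expected digest attached to each download, and verify a fetched file against that digest independently. The MIRRORS list and the --print-uris lines are constructed for the example and the digests in them are dummies; the label names (MD5Sum: on older apt, SHA256: on newer) and the aria2 input-file layout are real.

```python
import hashlib
import shlex

# Same shape as the MIRRORS line in /etc/apt-fast.conf. The first entry must be
# the mirror named in /etc/apt/sources.list, since that is the prefix rewritten.
MIRRORS = [
    "http://us.archive.ubuntu.com/ubuntu",
    "http://mirror.cc.columbia.edu/pub/linux/ubuntu/archive",
    "http://mirrors.mit.edu/ubuntu",
]

# Constructed records in the shape 'apt-get --print-uris install <pkg>' prints:
# 'uri' filename size LABEL:hexdigest. The digests are dummies, not real hashes.
PRINT_URIS = (
    "'http://us.archive.ubuntu.com/ubuntu/pool/main/t/texlive-base/texlive-base_2013_all.deb'"
    " texlive-base_2013_all.deb 17749032 SHA256:" + "0" * 64 + "\n"
    "'http://us.archive.ubuntu.com/ubuntu/pool/main/a/aria2/aria2_1.16.1-1_amd64.deb'"
    " aria2_1.16.1-1_amd64.deb 1078060 MD5Sum:" + "0" * 32 + "\n"
)

# apt's hash label -> (aria2 checksum type, hashlib algorithm name)
HASH_NAMES = {"SHA256": ("sha-256", "sha256"), "SHA1": ("sha-1", "sha1"), "MD5Sum": ("md5", "md5")}


def parse_print_uris(text):
    """Parse --print-uris output into dicts; skip chatter that is not a download record."""
    records = []
    for line in text.splitlines():
        try:
            parts = shlex.split(line)
        except ValueError:                  # stray apostrophe in an apt message
            continue
        if len(parts) != 4 or not parts[0].startswith("http"):
            continue
        label, _, digest = parts[3].partition(":")
        if label not in HASH_NAMES:
            continue
        records.append({"uri": parts[0], "filename": parts[1],
                        "size": int(parts[2]), "label": label, "digest": digest.lower()})
    return records


def mirror_uris(uri, mirrors):
    """Rewrite one archive URI so every mirror in the list serves the same path."""
    base = mirrors[0].rstrip("/")
    if not uri.startswith(base + "/"):
        return [uri]                        # not from the primary archive (e.g. a PPA)
    path = uri[len(base):]
    return [m.rstrip("/") + path for m in mirrors]


def aria2_input_file(records, mirrors):
    """Build 'aria2c -i' input: one line of tab-separated URIs per file, followed
    by indented per-file options (output name and the checksum aria2 enforces)."""
    chunks = []
    for r in records:
        aria2_type = HASH_NAMES[r["label"]][0]
        chunks.append("\t".join(mirror_uris(r["uri"], mirrors))
                      + f"\n  out={r['filename']}"
                      + f"\n  checksum={aria2_type}={r['digest']}")
    return "\n".join(chunks) + "\n"


def verify_bytes(data, label, digest):
    """Independent post-download check: does the payload hash to apt's expected digest?"""
    algo = HASH_NAMES[label][1]
    return hashlib.new(algo, data).hexdigest() == digest.lower()


def verify_file(path, label, digest):
    with open(path, "rb") as f:
        return verify_bytes(f.read(), label, digest)


if __name__ == "__main__":
    recs = parse_print_uris(PRINT_URIS)
    print(aria2_input_file(recs, MIRRORS))
    print("empty payload verifies:", verify_bytes(b"", "SHA256", hashlib.sha256(b"").hexdigest()))
```

Feed the generated file to aria2c -i list.txt -x 4 -s 4 -c -d /some/dir: -s splits each file into chunks, -x allows several connections per mirror, and the checksum option makes aria2 reject a file whose digest does not match the one apt got from the signed index, which is the property the plain http mirrors depend on.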

Install a Package with apt-fast

You can use apt-fast in the following format.
apt-fast [apt-get options and arguments]
apt-fast [aptitude options and arguments]
apt-fast { { install | upgrade | dist-upgrade | build-dep | download  | source  } [ -y | --yes | --assume-yes | --assume-no ]   ... | clean }
To install a package with apt-fast:
$ sudo apt-fast install texlive-full
To download a package in the current directory:
$ sudo apt-fast download texlive-full

You can verify parallel downloads from multiple mirrors as follows.

Note that apt-fast does not make “apt-get update” faster. Parallel download gets triggered only for “install”, “upgrade”, “dist-upgrade” and “build-dep” operations. For other operations, apt-fast simply falls back to the default package manager (apt-get or aptitude).

How Fast is apt-fast?

To compare apt-fast and apt-get, I tried installing several packages using two methods on two identical Ubuntu instances. The following graph shows total package installation time (in seconds).

As you can see, apt-fast is substantially faster (e.g., 3–4 times faster) than apt-get, especially when a bulky package is installed.


http://xmodulo.com/2013/10/speed-slow-apt-get-install-debian-ubuntu.html

How to Make a YouTube Instructional Screencast Video on Linux

A picture is worth a thousand words, and a well-crafted how-to video is darned near priceless. Linux has all the tools you need to make high-quality and useful instructional videos. We shall make a simple screencast with the wonderful Kdenlive video editor and the Audacity audio recorder and editor, and learn how to share this splendid screencast on YouTube.
All you need is your nice Linux PC with Kdenlive and Audacity installed, a good-quality microphone or headset, and a YouTube account. (Yes, there are many other free video-sharing services, and you are welcome to explore them.) YouTube is owned by Google, so Google tries to entice you into rampant sharing with everything and everyone in the world. Just say no if this is not what you want to do.
Our workflow goes like this:
  • Capture screencast with Kdenlive
  • Record soundtrack with Audacity
  • Add soundtrack to Kdenlive
  • Upload to YouTube
  • The world views your video and is happy.
Kdenlive supports most popular digital video formats, including AVI, MP4, H.264, and MOV. It supports image files such as GIF, PNG, SVG, and TIFF, and audio file formats including uncompressed PCM, Vorbis, WAV, MP3 and AC3. You can even read and edit Flash files. In short, it should handle pretty much anything you throw at it.
Your soundtrack is just as important as your video track. Please, I beg you, pay attention to your audio. Keep it clean and simple, and keep the rambling digressions, verbal tics, and distracting background noises to a minimum. I prefer a good-quality headset for making narrations because you don't have to worry about microphone placement, and you can listen to yourself over and over without driving bystanders insane.
The Kdenlive documentation is outdated and tells you that you need RecordMyDesktop to make screencasts. I have Kdenlive 0.9.4, and it does not need RecordMyDesktop.
Figure 1: Default profile settings.

Making the Screencast

If you're installing Kdenlive for the first time you'll get a configuration wizard at first run. Don't worry too much about the default settings because you can change them anytime. These are the settings I use for my screencasts: HD 720p 30 fps, 1280x720 screen size. How do you know what settings to use? YouTube tells you. To set these values go to Settings > Configure Kdenlive > Project Defaults > Default Profile > HD 720p 30fps (figure 1), and set the size of your screen capture in Settings > Configure Kdenlive > Capture > Screen Grab (figure 2). You may also choose a Full Screen Capture, though it's better to stick with the dimensions specified by YouTube, because if they're different YouTube adds pillarboxes to make them fit. Your eager viewers want to see a screen filled with glorious content, not pillarboxes.
Figure 2: Screencast screen size.
The default YouTube video player size is 640x360 at 320p, which is small and blurry. The player has controls for small, larger, and full-screen, plus multiple quality levels. These are for your viewers only, and you can't change the defaults, which is sad because nothing looks good at 640x360 at 320p. But you still want to make videos with the higher quality settings, and you can always add some text to remind your viewers to try the better settings.

Save Your Project

Before you do anything else go to File > Save as to save your project, and remember to save it periodically.

Screen Grab

Making your screen capture is easy as pie. Go to the Record Monitor, select Screen Grab, and then hit the Record button. This opens a box with dotted borders on your screen, and everything inside this box is recorded. So all you have to do is move and size the window you want recorded inside the box. Do your thing, then when you're finished click the stop button (figure 3).
Figure 3: Making the screen grab.
Clicking Stop automatically opens the Clip Monitor so you can preview your new clip. If you like it, drag it from the Project Tree to the Video 1 track. Now you can edit your new video. There are always bits you'll want to trim; a fast way to do this is to play your clip in the Project Monitor until you get to the end of the part you want to remove. Then Pause, then press Shift+r. This cuts your clip at the point on the timeline that you stopped, so now you have two clips. Click on the one you want to delete and press the Delete key, and poof! It is gone.
You'll want to drag your remaining clip to whatever point on the timeline you want it to start, and you might want to add some nice transitions. Some simple fades are good; simply right-click on your clip and click Add Effect > Fade > Fade from black and Fade to black, and Kdenlive will automatically place them at the beginning and end.

Adding a Soundtrack

Please see Whirlwind Intro to Audacity on Linux: From Recording to CD in One Lesson to learn the basics of recording with Audacity. Export your recording as a 16-bit WAV file and then import it into Kdenlive via Project > Add Clip. Drag your new audio clip down to one of the Audio tracks. An easy way to make your narration is to play your video track and talk as it plays. With a little luck you won't have to do a lot of cleanup, and your commentary will be in sync with the video.
Fig 4: Cut your track with Shift+r and drag one of the clips away from the cut to create a silent gap.
If you're a fast talker and get ahead of your video, you can easily add a space in the audio track. Simply cut your track with Shift+r, and drag one of the clips away from the cut to create a silent gap (figure 4).

Rendering Your Project

When you're happy with your edits and ready to export to your final format, click the Render button. This takes a few minutes depending on the speed of your computer and size of your project. There are presets for Web, and if you choose File Rendering you can tweak your settings (figure 5). I've gotten good results with File Rendering > H.264, Video bitrate 12000, and audio 384. H.264 is a super-compressed MPEG-4 format that delivers small file sizes and good quality.
Fig. 5: Choose File Rendering to tweak your Web settings.

YouTube Bound

Play your new video in VLC or MPlayer or whatever you like, and if it looks good then you're ready to upload to your YouTube account. In typical Google fashion your dashboard and video manager are disorganized and complicated, but keep poking around and you'll figure it out. Before you can do anything you'll have to put your account in good standing, which means getting a code number from Google via text or email. When you prove you're not a bot by entering the code number you'll be able to upload videos.
You can upload your videos and mark them as either private or public. Google has some editing tools you might like, such as auto-fix and music soundtracks, though in my nearly-humble opinion hardly anyone does background music correctly so it's just annoying. But you might be the first to do it right!
The most useful editing tool is automatic closed-captioning. I recommend using this on all of your videos, not only for people who can't hear very well but for anyone who has to keep the volume low, and to make sure everyone understands what you're saying. The captioning tool also creates a transcript.
Another useful tool is the annotations tool, which supports speech bubbles, titles, spotlights, and labels. Of course you can do all this in Kdenlive, so you can try both.
Well, here we are at the end and it seems we've barely begun. Please share your videos and YouTube tips and tricks in the comments. And while you're at it, please share your new video tutorial with us on video.linux.com and join the 100 Linux Tutorials Campaign.


http://www.linux.com/learn/tutorials/745745-how-to-make-a-youtube-instructional-screencast-video-on-linux

Saturday, 2 November 2013

Play Store sells Nexus 5 bumpers, QuickCovers too

The new Nexus 5 is official – finally! – and as part of the Devices section of the Play Store, Google has added some accessories on the virtual shelves. This includes bumper cases in several colors and a QuickCover, similar to those on LG phones.

The Nexus 5 comes in Black or White only, but you can spice it up a bit with a bumper. There are 4 color options at the moment – Bright Red, Bright Yellow, Gray and Black.

They all cost $35 and all but the Black one are listed as “coming soon”. Presumably they’ll be available tomorrow, November 1, when the Nexus 5 goes on sale.
The LG QuickCover offers protection for the front and back. It comes in Black or White and will set you back $50. There’s no LG Quick Window though – an aperture to show part of the screen for notifications and basic control.

The QuickCovers are compatible with wireless charging and will automatically unlock the phone when you flip them open.
Google also showcased wireless charging pads for the Nexus 5 phone and Nexus 7 tablet. These ones are square rather than the round chargers that came out with the Nexus 4. The new chargers should go up on the Play Store soon.


 http://blog.gsmarena.com/play-store-sells-nexus-5-bumpers-quickcovers-too/

Android in October 2013: Jelly Bean crosses the 50% mark

Google detailed the state of Android OS versions in October, and it shows that Jelly Bean has passed the 50% adoption mark. The three JB releases have all gained ground at the expense of the outdated versions.
2.3 Gingerbread still powers 26.3% of all droids, having fallen more than two percentage points since last month. It's still the second most popular single version after 4.1 Jelly Bean, though.


Android 4.0 Ice Cream Sandwich has lost 0.8 percentage points of its share and has fallen below 20%. Honeycomb (3.2) is still at the 0.1% threshold.
As far as Jelly Bean is concerned - all three releases have improved their shares. 4.1 rose by 0.8 points, 4.2 gained 1.9 points, while 4.3 added another 0.8 points. We expect to see some of the share of the first two Jelly Bean releases transfer to 4.3 in the next few months as more updates come in.
Android 4.4 KitKat was announced at the very last moment of the survey, so it didn't make it to the charts. It probably won't have a significant market share next month either as it will only power Nexus devices by that point.


http://www.gsmarena.com/android_in_october_2013_jelly_bean_crosses_the_50_mark-news-7115.php