Easily create a VPN Gateway with a Raspberry Pi (or similar board)

I don't have an OpenVPN-capable router, but I needed to create an always-on openvpn CLIENT that would connect to my VPN service, so that it could be used as a gateway for other devices in my LAN. Using this gateway to access the internet, the internet traffic of those devices would be protected by the secure VPN connection.

I've looked around and I have found a great tutorial to achieve this: it was written by Superjamie for the Raspberry Pi and you can find it here.

Unfortunately I didn't have a Raspberry Pi available at the time, so I thought it would be interesting to do the same for what board I had available, which was an Orange Pi Zero.

I used DietPi as the base operating system for this project, and tried following Superjamie's tutorial, but since it didn't work on my Orange Pi / DietPi combo, I made a few adjustments, which I share with you here.
All credits for this still go to Superjamie, because that's where all the huge work comes from.

Please follow Superjamie's tutorial (again, you can find it here) with the following exceptions:

1. Install DietPi instead of Raspbian Jessie
2. Since DietPi's user already has root capabilities, you should write any commands from Superjamie's tutorial without typing the 'sudo' at the beginning of the command.
3. I've found out that the section of the tutorial called "Enable VPN at boot" was useless and harmful, as it would prevent OpenVPN to be launched correctly, therefore it must be skipped.
4. The VPN Kill Switch section of the tutorial didn't work for me. I have found out that it had to be modified a little bit to make it work, so I'm re-writing it below, in a version that makes it work:

VPN KILL SWITCH 

This will block outbound traffic from the Pi so that only the VPN and related services are allowed.
Once this is done, the only way the Pi can get to the internet is over the VPN.
This means if the VPN goes down, your traffic will just stop working, rather than end up routing over your regular internet connection where it could become visible.

[Note by Tech Delirium: please adjust IP addresses by using the correct ones for your network and the port numbers by checking the ports used by your VPN service]

iptables -A OUTPUT -o tun0 -m comment --comment "vpn" -j ACCEPT
iptables -A OUTPUT -o eth0 -p icmp -m comment --comment "icmp" -j ACCEPT
iptables -A OUTPUT -d 192.168.1.0/24 -o eth0 -m comment --comment "lan" -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp -m udp --dport 1198 -m comment --comment "openvpn" -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m tcp --sport 22 -m comment --comment "ssh" -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp -m udp --dport 123 -m comment --comment "ntp" -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp -m udp --dport 53 -m comment --comment "dns" -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m tcp --dport 53 -m comment --comment "dns" -j ACCEPT
iptables -A OUTPUT -o eth0 -j DROP
iptables -I FORWARD -i eth0 ! -o tun0 -j DROP

[Note by Tech Delirium: Superjamie's tutorial didn't work for me, but adding the last line above does the trick and makes the kill-switch work]

And save so they apply at reboot:

sudo netfilter-persistent save

If you find traffic on your other systems stops, then look on the Pi to see if the VPN is up or not.

You can check the status and logs of the VPN client with:

sudo systemctl status openvpn@Japan
sudo journalctl -u openvpn@Japan

That's it! Now the board will connect to your VPN service at startup and if you set up you devices to use the Pi's as their gateway, that device's internet traffic will be tunneled via the VPN and will be protected. If the connection to the VPN service goes down, NO TRAFFIC will be allowed through, so you will have no leaks.

Easily install Logitech Media Server (Squeezebox Server) and Squeezelite on your Pi with Armbian Jessie

Do you have any spare Pi?
I am talking about the Raspberry Pi, Orange Pi, Banana Pi, Cubieboard, pcDuino, Odroid, NanoPi and the likes...

Why not transform it into a Sonos-like multimedia server and player?
It's soooo easy!

All we need is two nice pieces of software: the Logitech Media Server (aka Squeezebox server) and a player to connect to it, which is going to be Squeezelite.

First of all, download the right image of Armbian for your board HERE. 
Please choose "Jessie server" image, if available. This is the version for server usage, with no desktop environments.
Follow the instructions and setup the operating system (we have faith you can manage this on your own, since you have a spare development board...)

How to install the Logitech Media Server / Squeezebox Server

Now, we have to install the Logitech Media Server, but we have to download it first. From the command line give the following command:

wget http://downloads.slimdevices.com/nightly/7.9/sc/ffd0b97/logitechmediaserver_7.9.0~1480398011_arm.deb -O lms.deb

(Please notice that from http...to..._arm.deb there are no spaces)
And let's wait for the file to be downloaded.  If you get a file not found error, you'll have to visit this website with a browser:

http://downloads.slimdevices.com/nightly/?ver=7.9

Find the most recent version of the _arm.deb version available, right click on it to copy it's link, and substitute this link in the above command.

Once the Logitech Media Server installation package has been downloaded, proceed with its installation:

sudo dpkg -i lms.deb

That's it! The Logitech Media Server is now installed, and you can go to:

http://ip-address-of-the-board:9000

 from any browser to set it up.

How to install the Squeezelite player

To actually play/stream your music collection or listen to online radios, you'll also need a player. This can be installed on the same board as the Logitech Media Server (so you will have a Server and a Player on the same machine), or on different boards which will work as players that connect to the Server (you can have as many players as you want!)

So, let's install Squeezelite, the Player "side" of this combo.
First we need to refresh the packages list of our installation:

sudo apt-get update

 Then we can install squeezelite:

sudo apt-get install squeezelite

That's basically it! Squeezelite will be installed and will automatically be launched at startup.

If you are using an external usb soundcard you might need to tweak with the squeezelite configuration file, which is /etc/default/squeezelite

First you will need to find out the name of the soundcard, and to do this you have to issue the following command:

sudo /usr/bin/squeezelite -l

Check the output and identify the name of your sound card. Copy it, then open the configuration file:

sudo nano /etc/default/squeezelite

Find the following line:

SL_SOUNDCARD="sysdefault:CARD=ALSA"

and substitute sysdefault:CARD=ALSA with the name of the card you have copied before.

If you want to give your player a different name than your hostname, just edit this line:

SL_NAME="$(hostname -s)"

and change the string within the quotes to the name you want to give this player.

The other options usually don't need to be touched.
That was easy, wasn't it?

Enjoy your music on your Pi!

The OrangePI PC, a low cost alternative to the Raspberry PI.A short review.

A few months ago I was browsing AliExpress, when I stumbled upon a product called OrangePi.
I searched the internet for information about it, and I immediately discovered its official website, which is www.orangepi.org (there also exists www.orangepi.com but it looks to be the website of a UK vendor of the same boards).

Well, what is an OrangePi? Of course, the name recalls the most famous SBC (single board computer) ever, the RaspberryPi, and this is not a coincidence, as the OrangePi is a chinese SBC, clearly inspired by the Raspberry.

As of now, there are 7 different Orange Pi models (ranging from "Mini" to "Plus 2"). The most interesting in my opinion is the "OrangePi PC". Why? For its aggressive price of only $15 plus shipping!

The hardware of this board is interesting:

CPU:
H3 Quad-core Cortex-A7 H.265/HEVC 4K

GPU:
·Mali400MP2 GPU @600MHz
·Supports OpenGL ES 2.0

Memory (SDRAM): 1GB DDR3 (shared with GPU)

Onboard Storage: TF card (Max. 64GB) / MMC card slot

Onboard Network: 10/100M Ethernet RJ45

Video Input:
A CSI input connector Camera:
·Supports 8-bit YUV422 CMOS sensor interface
·Supports CCIR656 protocol for NTSC and PAL
·Supports SM pixel camera sensor
·Supports video capture solution up to 1080p@30fps

Audio Input: MIC

Video Outputs:
·Supports HDMI output with HDCP
·Supports HDMI CEC
·Supports HDMI 30 function
·Integrated CVBS
Supports simultaneous output of HDMI and CVBS

Audio Output: 3.5 mm Jack and HDMI

Power Source: DC input

USB 2.0 Ports: Three USB 2.0 HOST, one USB 2.0 OTG

Low-level peripherals:
·40 Pins Header,compatible with Raspberry Pi B+
·GPIO(1x3) pin
·UART, ground.

So, as you can see, we basically have a quad core ARM CPU, with 1GB of RAM, 3 USB ports, and a fair graphics card.
What it lacks (other Orange Pi models have this and/or that) are onboard wifi, a gigabit ethernet port and eMMC, but of course we can't have everything at this price.

I've ordered the Orange Pi PC on Aliexpress, from the official manufacturer, and 3 weeks later I received a neat package containing the board, a usb power cable and a not-too-sturdy transparent plastic case. All this for less than $25 including shipping!

I've been using it for a couple of weeks and... what can I say?
The board could be very interesting if only the community behind it was bigger and more active. It definitely can't compare to the Raspberry Pi community as of yet.
The support from the manufacturer could be better, as the images of operating systems they provide are old and faulty, and the claim that Raspberry Pi images can be used for this board(s) is absolutely misleading since RasPi images are not compatible at all.
Luckily there is a member of the community, called loboris, who is very active and has released many OSes to be used on these boards, among which Debian, Fedora, Slackware, Arch Linux and others.

I'm currently running his build of Ubuntu MATE 14.04 and I have to say he has done a great work: it's easy to install, and apart from a few glitches here and there, it works very well.

My original intention was to use this board as a very low cost syncthing server/node, and that's exactly what I did.
After installing the aforementioned Ubuntu MATE, I've downloaded the latest ARM version of syncthing and installed it on the OrangePi PC.
(For those who don't know what it is, syncthing is an open source alternative to BTSync or -basically- a completely self-hosted Dropbox alternative).
It works great, it's very fast, and for the money I've spent I'm very satisfied, considering that I was also able to "redirect" the Raspberry Pi 1 model B I was using for this task to something more useful (a squeezebox player, actually).

Unfortunately, Linux does not have the proper drivers to take advantage of the GPU hardware acceleration, therefore using this board as an XBMC/Kodi mini HTPC is not a good idea (yet). Some people are working on it, and I really hope they succeed, because a $15 Kodi machine with the ability to render HD video would be HUGE!

At the moment, the only way to take advantage of the GPU is by installing Android, although the image provided is buggy and not very reliable.
Still, if you like to fiddle with new hardware and explore new possibilities, you might want to give it a chance.

In my opinion the OrangePi PC is a nice product, which lacks the necessary support from the manufacturer, who looks too busy releasing new boards instead of developing a good OS for the boards they have already sold.

The community is growing, but the official forum must be hosted on a very old server, since it's so sloooooow. I hope they will at least upgrade this.

Still, for $15 this board is a steal. I would definitely buy it again, although I would still limit its use to simple tasks. If you have complex projects in mind, you can't beat the Raspberry Pi world and community, and the price difference is not that big.

How to install Syncthing on your Raspberry Pi

First of all, what is Syncthing? As the official website says:

Syncthing replaces proprietary sync and cloud services with something open, trustworthy and decentralized. Your data is your data alone and you deserve to choose where it is stored, if it is shared with some third party and how it's transmitted over the Internet.

In just a few words: it's an open source alternative to BTSync (formerly known as BittorrentSync)!
Since we like open source solutions, why don't we install it?

HOW TO INSTALL:

1) Let's check the latest release of syncthing on the official website:

https://github.com/syncthing/syncthing/releases


2) Now, connect via ssh to your Rapsberry Pi and download the latest armv5 version of syncthing:

For example:

wget https://github.com/syncthing/syncthing/releases/download/vx.yy.zz/syncthing-linux-armv5-vx.yy.zz.tar.gz

(IMPORTANT NOTE: x.yy.zz stands for the latest version number that you want to download, therefore if the latest version is, say, 0.10.23, the command will be:

wget https://github.com/syncthing/syncthing/releases/download/v0.10.23/syncthing-linux-armv5-v0.10.23.tar.gz

3) Untar it:

tar xvzf syncthing-linux-armv5-vx.yy.zz.tar.gz 

and rename the untarred folder:

mv syncthing-linux-armv5-vx.yy.zz syncthing


4) Now move to the syncthing directory:

cd syncthing

and start syncthing:

./syncthing

We are going to need to wait for the RSA key to be generated (have patience, it needs time!!):

pi@raspi ~/syncthing $ ./syncthing
13:07:22 INFO: Generating RSA certificate and key...
13:11:32 OK: Created RSA certificate file
13:11:32 OK: Created RSA key file
[FVCFD] 13:11:34 INFO: syncthing v0.10.22 (go1.2.2 linux-arm) jb@jborg-mbp 2015-02-26 15:48:25 UTC
[FVCFD] 13:11:34 INFO: My ID: HDUR8EHCIL3SJCHPA8UGMXIWKH8FHRTNCX6HBCOLOQ8FHSET7BV
[FVCFD] 13:11:34 INFO: No config file; starting with empty defaults
[FVCFD] 13:11:34 INFO: Edit /home/pi/.config/syncthing/config.xml to taste or use the GUI
[FVCFD] 13:11:34 INFO: Starting web GUI on http://127.0.0.1:8080/


5) Take note of the ID of your machine (in the example above it's the line that says: "[FVCFD] 13:11:34 INFO: My ID: HDUR8EHCIL3SJCHPA8UGMXIWKH8FHRTNCX6HBCOLOQ8FHSET7BV")


6) Since we are running a headless Raspberry Pi, we now need to enable the web GUI to be accessable from other machines:

nano /home/<user>/.config/syncthing/config.xml

To do this, just edit the line that says: <address>127.0.0.1:8080</address>
to: <address>0.0.0.0:8080</address>


7) Now we can connect to the Syncthing GUI from any computer in the network, just inserting the ip:port of the RasPi in any browser:

http://IP-of-RasPi:8080


8) Here we will be able to add other machines and the folders that need to be synced.

That's it!

Well, not entirely. If you want to make syncthing start at boot, just do as follows:

9) Let's create an init.d script for syncthing:

sudo nano /etc/init.d/syncthing

10) Copy the following lines and paste them inside it. Please don't forget to edit the two highlighted lines as per inline instructions)

===== BEGIN /etc/init.d/syncthing (do not copy this line) =====

#!/bin/sh
### BEGIN INIT INFO
# Provides: syncthing
# Required-Start: $local_fs $remote_fs
# Required-Stop: $local_fs $remote_fs
# Should-Start: $network
# Should-Stop: $network
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Multi-user daemonized version of syncthing.
# Description: Starts the syncthing daemon for all registered users.
### END INIT INFO

# Replace with users you want to run syncthing clients for
# syncthing_USERS="<your name here>"
syncthing_USERS="pi"  #Replace with your user
DAEMON=/home/user/syncthing/syncthing   #Replace with the path to syncthing

startd() {
  for stuser in $syncthing_USERS; do
    HOMEDIR=$(getent passwd $stuser | awk -F: '{print $6}')
    if [ -f $config ]; then
      echo "Starting syncthing for $stuser"
      start-stop-daemon -b -o -c $stuser -S -u $stuser -x $DAEMON
    else
      echo "Couldn't start syncthing for $stuser (no $config found)"
    fi
  done
}

stopd() {
  for stuser in $syncthing_USERS; do
    dbpid=$(pgrep -fu $stuser $DAEMON)
    if [ ! -z "$dbpid" ]; then
      echo "Stopping syncthing for $stuser"
      start-stop-daemon -o -c $stuser -K -u $stuser -x $DAEMON
    fi
  done
}

status() {
  for stuser in $syncthing_USERS; do
    dbpid=$(pgrep -fu $stuser $DAEMON)
    if [ -z "$dbpid" ]; then
      echo "syncthing for USER $stuser: not running."
    else
      echo "syncthing for USER $stuser: running (pid $dbpid)"
    fi
  done
}

case "$1" in
  start) startd
    ;;
  stop) stopd
    ;;
  restart|reload|force-reload) stopd && startd
    ;;
  status) status
    ;;
  *) echo "Usage: /etc/init.d/syncthing {start|stop|reload|force-reload|restart|status}"
     exit 1
   ;;
esac

exit 0

===== END /etc/init.d/syncthing (do not copy this line) =====

11) save and exit nano ('Ctrl-X' and then 'Y' to save)


12) Let's make the script executable:

sudo chmod +x /etc/init.d/syncthing


13) Let's update the init.d sequence:

sudo update-rc.d syncthing defaults


14) Let's start the daemon (just the first time, it will autostart from now on):

/etc/init.d/syncthing start

Now it's really done! :)

Credits:

• http://www.dnacoil.com/tools/setting-up-syncthing-for-raspberry-pi/
• https://gist.github.com/arudmin/5a13e9105814c3f568ec

How to mount a Windows/NAS share on your Raspberry Pi

If you have a Raspberry Pi and a Windows machine (or maybe a NAS), you might want to share folders from the Windows machine/NAS to the RasPi.
One reason to do this (apart from sharing content between the two machines) would be to use the NAS as Mass Storage for the Pi.

This tutorial presumes you have already set up a shared folder on your NAS/Windows machine (we will call this \\Machine\SharedFolder), and that you have Raspbian installed on your RasPi's SD card.

These are the steps:

1. Create a mount point on the Raspberry Pi:

sudo mkdir /mnt/folder 

(obviously you can give it the name you prefer)

2. Open /etc/fstab to edit it:

sudo nano /etc/fstab

3. Add the following line at the end of the file:

//Machine/SharedFolder /mnt/folder cifs defaults,rw,credentials=/home/username/.cifscredentials 0 0 

where:
//Machine/SharedFolder stands for your Windows/NAS share
/mnt/folder stands for the folder you created in step 1
/home/username stands for your pi's username (default is "pi")

4. Now we have to create a file for storing Windows credentials:

nano /home/username/.cifscredentials

and insert your Windows credentials in it:

username=winuser
password=winpassword
domain=WORKGROUP 

5. Change the permissions to this file, in order to avoid undesired access to your credentials:

sudo chmod 600 /home/username/.cifscredentials

6. Let's see if it works:

sudo mount -a

If it worked, the following command will list the contents of the shared folder:

ls /mnt/folder

Is it all ok? Good!

7. Now reboot your Raspberry Pi (command is: sudo reboot) and when it comes back on, try again with:

ls /mnt/folder

The shared folder should have been mounted automatically.
Enjoy!