Showing posts with label Tutorial. Show all posts

Monday, January 15, 2018

Easily create a VPN Gateway with a Raspberry Pi (or similar board)

I don't have an OpenVPN-capable router, but I needed to create an always-on openvpn CLIENT that would connect to my VPN service, so that it could be used as a gateway for other devices in my LAN. Using this gateway to access the internet, the internet traffic of those devices would be protected by the secure VPN connection.

I've looked around and I have found a great tutorial to achieve this: it was written by Superjamie for the Raspberry Pi and you can find it here.

Unfortunately I didn't have a Raspberry Pi available at the time, so I thought it would be interesting to do the same for the board I had available, which was an Orange Pi Zero.

I used DietPi as the base operating system for this project, and tried following Superjamie's tutorial, but since it didn't work on my Orange Pi / DietPi combo, I made a few adjustments, which I share with you here.
All credits for this still go to Superjamie, because that's where all the huge work comes from.

Please follow Superjamie's tutorial (again, you can find it here) with the following exceptions:

  1. Install DietPi instead of Raspbian Jessie
  2. Since DietPi's user already has root capabilities, you should write any commands from Superjamie's tutorial without typing the 'sudo' at the beginning of the command.
  3. I've found out that the section of the tutorial called "Enable VPN at boot" was useless and harmful, as it would prevent OpenVPN from being launched correctly, therefore it must be skipped.
  4. The VPN Kill Switch section of the tutorial didn't work for me. I have found out that it had to be modified a little bit to make it work, so I'm re-writing it below, in a version that makes it work:

VPN KILL SWITCH 

This will block outbound traffic from the Pi so that only the VPN and related services are allowed.
Once this is done, the only way the Pi can get to the internet is over the VPN.
This means if the VPN goes down, your traffic will just stop working, rather than end up routing over your regular internet connection where it could become visible.

[Note by Tech Delirium: please adjust IP addresses by using the correct ones for your network and the port numbers by checking the ports used by your VPN service]

iptables -A OUTPUT -o tun0 -m comment --comment "vpn" -j ACCEPT
iptables -A OUTPUT -o eth0 -p icmp -m comment --comment "icmp" -j ACCEPT
iptables -A OUTPUT -d 192.168.1.0/24 -o eth0 -m comment --comment "lan" -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp -m udp --dport 1198 -m comment --comment "openvpn" -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m tcp --sport 22 -m comment --comment "ssh" -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp -m udp --dport 123 -m comment --comment "ntp" -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp -m udp --dport 53 -m comment --comment "dns" -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m tcp --dport 53 -m comment --comment "dns" -j ACCEPT
iptables -A OUTPUT -o eth0 -j DROP
iptables -I FORWARD -i eth0 ! -o tun0 -j DROP
  
[Note by Tech Delirium: Superjamie's tutorial didn't work for me, but adding the last line above does the trick and makes the kill-switch work]

And save so they apply at reboot:

sudo netfilter-persistent save

If you find traffic on your other systems stops, then look on the Pi to see if the VPN is up or not.

You can check the status and logs of the VPN client with:

sudo systemctl status openvpn@Japan
sudo journalctl -u openvpn@Japan

That's it! Now the board will connect to your VPN service at startup, and if you set up your devices to use the Pi as their gateway, those devices' internet traffic will be tunneled via the VPN and will be protected. If the connection to the VPN service goes down, NO TRAFFIC will be allowed through, so you will have no leaks.
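One way to confirm that the kill-switch rules above are actually loaded, and in an order that still fails closed, is to audit the output of `iptables -S`. This is an added example, not part of the original post or of Superjamie's tutorial; the function names and the sample rule dump are constructed, and eth0/tun0 are the interface names used on this page.

```shell
#!/bin/sh
# Added example: audit `iptables -S` output for the kill-switch rules above.
# eth0/tun0 come from the page; override them with arguments 1 and 2.
check_killswitch() {   # usage: iptables -S | check_killswitch [lan_if] [vpn_if]
  awk -v lan="${1:-eth0}" -v vpn="${2:-tun0}" '
    $1 == "-A" && $2 == "OUTPUT" {
      on_lan = index($0, " -o " lan " ")
      if (index($0, " -o " vpn " ") && $NF == "ACCEPT") vpn_ok = 1
      if ($0 == "-A OUTPUT -o " lan " -j DROP") dropped = 1
      # An ACCEPT on the LAN side with no protocol or destination match,
      # placed before the DROP, lets everything out and defeats the switch.
      if (on_lan && !dropped && $NF == "ACCEPT" &&
          !index($0, " -p ") && !index($0, " -d ")) open_accept = 1
    }
    $1 == "-A" && $2 == "FORWARD" {
      # First match wins: an earlier ACCEPT that sends LAN input somewhere
      # other than the tunnel bypasses the DROP.
      if ($0 == "-A FORWARD -i " lan " ! -o " vpn " -j DROP") fwd_drop = 1
      else if (!fwd_drop && $NF == "ACCEPT" && index($0, " -i " lan " ") &&
               !index($0, " -o " vpn " ")) fwd_early = 1
    }
    END {
      if (!vpn_ok)     { print "FAIL: nothing accepts traffic leaving via " vpn; bad = 1 }
      if (!dropped)    { print "FAIL: no final DROP for OUTPUT on " lan; bad = 1 }
      if (open_accept) { print "FAIL: unrestricted ACCEPT on " lan " before the DROP"; bad = 1 }
      if (!fwd_drop)   { print "FAIL: forwarded traffic may leave without " vpn; bad = 1 }
      if (fwd_early)   { print "FAIL: FORWARD ACCEPT for " lan " precedes the DROP"; bad = 1 }
      if (!bad) print "OK: kill switch rules in place"
      exit bad + 0
    }'
}

# Constructed sample in `iptables -S` format (not captured from a real host).
sample_rules() {   # $1 = "with" or "without" the FORWARD drop
  cat <<EOF
-P OUTPUT ACCEPT
-A OUTPUT -o tun0 -m comment --comment "vpn" -j ACCEPT
-A OUTPUT -d 192.168.1.0/24 -o eth0 -m comment --comment "lan" -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 1198 -m comment --comment "openvpn" -j ACCEPT
-A OUTPUT -o eth0 -j DROP
EOF
  [ "$1" = with ] && echo "-A FORWARD -i eth0 ! -o tun0 -j DROP"
  echo "-A FORWARD -i eth0 -o tun0 -j ACCEPT"
}
```

On the gateway itself, run it as `iptables -S | check_killswitch` after a reboot to confirm that the saved rules were restored.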

Wednesday, November 30, 2016

Easily install Logitech Media Server (Squeezebox Server) and Squeezelite on your Pi with Armbian Jessie

Do you have any spare Pi?
I am talking about the Raspberry Pi, Orange Pi, Banana Pi, Cubieboard, pcDuino, Odroid, NanoPi and the likes...

Why not transform it into a Sonos-like multimedia server and player?
It's soooo easy!

All we need is two nice pieces of software: the Logitech Media Server (aka Squeezebox server) and a player to connect to it, which is going to be Squeezelite.

First of all, download the right image of Armbian for your board HERE
Please choose "Jessie server" image, if available. This is the version for server usage, with no desktop environments.
Follow the instructions and set up the operating system (we have faith you can manage this on your own, since you have a spare development board...)

How to install the Logitech Media Server / Squeezebox Server

Now, we have to install the Logitech Media Server, but we have to download it first. From the command line give the following command:
wget http://downloads.slimdevices.com/nightly/7.9/sc/ffd0b97/logitechmediaserver_7.9.0~1480398011_arm.deb -O lms.deb
(Please notice that from http...to..._arm.deb there are no spaces)
And let's wait for the file to be downloaded. If you get a file not found error, you'll have to visit this website with a browser:
http://downloads.slimdevices.com/nightly/?ver=7.9
Find the most recent _arm.deb version available, right click on it to copy its link, and substitute this link in the above command.

Once the Logitech Media Server installation package has been downloaded, proceed with its installation:
sudo dpkg -i lms.deb
That's it! The Logitech Media Server is now installed, and you can go to:
http://ip-address-of-the-board:9000
from any browser to set it up.

How to install the Squeezelite player

To actually play/stream your music collection or listen to online radios, you'll also need a player. This can be installed on the same board as the Logitech Media Server (so you will have a Server and a Player on the same machine), or on different boards which will work as players that connect to the Server (you can have as many players as you want!)

So, let's install Squeezelite, the Player "side" of this combo.
First we need to refresh the packages list of our installation:
sudo apt-get update
Then we can install squeezelite:
sudo apt-get install squeezelite
That's basically it! Squeezelite will be installed and will automatically be launched at startup.

If you are using an external USB soundcard you might need to tweak the squeezelite configuration file, which is /etc/default/squeezelite

First you will need to find out the name of the soundcard, and to do this you have to issue the following command:
sudo /usr/bin/squeezelite -l
Check the output and identify the name of your sound card. Copy it, then open the configuration file:
sudo nano /etc/default/squeezelite
Find the following line:
SL_SOUNDCARD="sysdefault:CARD=ALSA"
and substitute sysdefault:CARD=ALSA with the name of the card you have copied before.

If you want to give your player a different name than your hostname, just edit this line:
SL_NAME="$(hostname -s)"
and change the string within the quotes to the name you want to give this player.

The other options usually don't need to be touched.
That was easy, wasn't it?

Enjoy your music on your Pi!

Tuesday, March 10, 2015

How to install Huion graphic tablets on Linux


The graphic tablet market is basically dominated by Wacom, which makes very good tablets, but at a high price.

Enter Huion, a Chinese company that manufactures cheap graphic tablets that are a good alternative to Wacom, especially for people who never used a graphic tablet before, or for those on a tight budget.

These graphic tablets all work on Windows and Mac OSX with the provided drivers (or -better- by downloading the latest version from Huion's website).

Linux users have to work a little in order to see their Huion tablet work under their beloved operating system. So here is a little how-to to solve this issue.

First of all, most Huion tablets are natively supported via kernel, starting from kernel version 3.17, therefore if you are using a kernel >=3.17, you shouldn't have any problem.

If you are using a kernel <3.17 you are going to need to follow these simple steps (instructions are valid for Debian-based distros, like Ubuntu and its derivatives):

1. Go to project DIGImend on GitHub;
2. Download the latest release of digimend-kernel-drivers
3. unzip/untar the downloaded package in a new directory (for example: ~/digimend )
4. open a terminal
5. make sure you have the appropriate linux-headers installed
sudo apt-get install linux-headers-`uname -r`
6. move to the directory where you have unzipped/untarred the drivers package:
cd ~/digimend
7. in the terminal give the command:
make
8. when it finishes give the command:
sudo make install

Ignore any "Can't read private key" messages that might show up. This won't be a problem unless you set up kernel module signature verification. But most people won't, so don't worry.

Now you can plug your Huion graphic tablet and enjoy using it under Linux.




Thursday, February 26, 2015

How to install Syncthing on your Raspberry Pi

First of all, what is Syncthing? As the official website says:

Syncthing replaces proprietary sync and cloud services with something open, trustworthy and decentralized. Your data is your data alone and you deserve to choose where it is stored, if it is shared with some third party and how it's transmitted over the Internet.

In just a few words: it's an open source alternative to BTSync (formerly known as BittorrentSync)!
Since we like open source solutions, why don't we install it?

HOW TO INSTALL:

1) Let's check the latest release of syncthing on the official website:

https://github.com/syncthing/syncthing/releases


2) Now, connect via ssh to your Raspberry Pi and download the latest armv5 version of syncthing:

For example:

wget https://github.com/syncthing/syncthing/releases/download/vx.yy.zz/syncthing-linux-armv5-vx.yy.zz.tar.gz

IMPORTANT NOTE: x.yy.zz stands for the latest version number that you want to download, therefore if the latest version is, say, 0.10.23, the command will be:

wget https://github.com/syncthing/syncthing/releases/download/v0.10.23/syncthing-linux-armv5-v0.10.23.tar.gz


3) Untar it:

tar xvzf syncthing-linux-armv5-vx.yy.zz.tar.gz 

and rename the untarred folder:

mv syncthing-linux-armv5-vx.yy.zz syncthing


4) Now move to the syncthing directory:

cd syncthing

and start syncthing:

./syncthing

We are going to need to wait for the RSA key to be generated (have patience, it needs time!!):

pi@raspi ~/syncthing $ ./syncthing
13:07:22 INFO: Generating RSA certificate and key...
13:11:32 OK: Created RSA certificate file
13:11:32 OK: Created RSA key file
[FVCFD] 13:11:34 INFO: syncthing v0.10.22 (go1.2.2 linux-arm) jb@jborg-mbp 2015-02-26 15:48:25 UTC
[FVCFD] 13:11:34 INFO: My ID: HDUR8EHCIL3SJCHPA8UGMXIWKH8FHRTNCX6HBCOLOQ8FHSET7BV
[FVCFD] 13:11:34 INFO: No config file; starting with empty defaults
[FVCFD] 13:11:34 INFO: Edit /home/pi/.config/syncthing/config.xml to taste or use the GUI
[FVCFD] 13:11:34 INFO: Starting web GUI on http://127.0.0.1:8080/


5) Take note of the ID of your machine (in the example above it's the line that says: "[FVCFD] 13:11:34 INFO: My ID: HDUR8EHCIL3SJCHPA8UGMXIWKH8FHRTNCX6HBCOLOQ8FHSET7BV")


6) Since we are running a headless Raspberry Pi, we now need to make the web GUI accessible from other machines:

nano /home/<user>/.config/syncthing/config.xml

To do this, just edit the line that says: <address>127.0.0.1:8080</address>
to: <address>0.0.0.0:8080</address>


7) Now we can connect to the Syncthing GUI from any computer in the network, just inserting the ip:port of the RasPi in any browser:

http://IP-of-RasPi:8080


8) Here we will be able to add other machines and the folders that need to be synced.

That's it!
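Changing the GUI address to 0.0.0.0 in step 6 makes the web GUI reachable from every host that can route to the Pi, so it is worth checking that a GUI user and password are set once that edit is made. The check below is an added example, not part of the original post or of the Syncthing project; it assumes the `<gui>` element holds `<address>`, `<user>` and `<password>` children and a `tls` attribute, and the sample config is constructed.

```shell
#!/bin/sh
# Added example: classify how a Syncthing config.xml exposes the web GUI.
# Assumes the <gui> element layout (address, user, password, tls attribute).
gui_exposure() {   # usage: gui_exposure /path/to/config.xml
  # Only look inside <gui>...</gui>: device entries carry <address> too.
  gui=$(sed -n '/<gui[ >]/,/<\/gui>/p' "$1")
  field() { printf '%s\n' "$gui" | sed -n "s:.*<$1>\(.*\)</$1>.*:\1:p" | head -n 1; }
  addr=$(field address); user=$(field user); pass=$(field password)
  tls=$(printf '%s\n' "$gui" | sed -n 's:.*<gui[^>]* tls="\([a-z]*\)".*:\1:p')
  case "$addr" in
    '') echo unknown; return 2 ;;
    127.*|localhost:*|'[::1]:'*) echo loopback ;;
    *) if [ -z "$user" ] || [ -z "$pass" ]; then echo exposed-no-auth; return 1
       elif [ "$tls" != true ]; then echo exposed-auth-no-tls; return 1
       else echo exposed-auth-tls; fi ;;
  esac
}

# Constructed config; $1 = GUI address, $2 = user, $3 = password value, $4 = tls
sample_config() {
  cat <<EOF
<configuration>
    <device id="CONSTRUCTED-DEVICE-ID" name="laptop">
        <address>dynamic</address>
    </device>
    <gui enabled="true" tls="${4:-false}">
        <address>$1</address>
        <user>$2</user>
        <password>$3</password>
    </gui>
</configuration>
EOF
}
```

A result of `exposed-no-auth` means anyone on the network can open the GUI and change what is synced; `exposed-auth-no-tls` means the GUI login crosses the LAN unencrypted.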

Well, not entirely. If you want to make syncthing start at boot, just do as follows:

9) Let's create an init.d script for syncthing:

sudo nano /etc/init.d/syncthing

10) Copy the following lines and paste them inside it. Please don't forget to edit the two lines marked with a "#Replace" comment, as per the inline instructions.

===== BEGIN /etc/init.d/syncthing (do not copy this line) =====

#!/bin/sh
### BEGIN INIT INFO
# Provides: syncthing
# Required-Start: $local_fs $remote_fs
# Required-Stop: $local_fs $remote_fs
# Should-Start: $network
# Should-Stop: $network
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Multi-user daemonized version of syncthing.
# Description: Starts the syncthing daemon for all registered users.
### END INIT INFO

# Replace with users you want to run syncthing clients for
# syncthing_USERS="<your name here>"
syncthing_USERS="pi"  #Replace with your user
DAEMON=/home/user/syncthing/syncthing   #Replace with the path to syncthing

startd() {
  for stuser in $syncthing_USERS; do
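    HOMEDIR=$(getent passwd "$stuser" | awk -F: '{print $6}')
    # Per-user config file; syncthing creates it on first run (see step 4)
    config="$HOMEDIR/.config/syncthing/config.xml"
    if [ -f "$config" ]; then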
      echo "Starting syncthing for $stuser"
      start-stop-daemon -b -o -c $stuser -S -u $stuser -x $DAEMON
    else
      echo "Couldn't start syncthing for $stuser (no $config found)"
    fi
  done
}

stopd() {
  for stuser in $syncthing_USERS; do
    dbpid=$(pgrep -fu $stuser $DAEMON)
    if [ ! -z "$dbpid" ]; then
      echo "Stopping syncthing for $stuser"
      start-stop-daemon -o -c $stuser -K -u $stuser -x $DAEMON
    fi
  done
}

status() {
  for stuser in $syncthing_USERS; do
    dbpid=$(pgrep -fu $stuser $DAEMON)
    if [ -z "$dbpid" ]; then
      echo "syncthing for USER $stuser: not running."
    else
      echo "syncthing for USER $stuser: running (pid $dbpid)"
    fi
  done
}

case "$1" in
  start) startd
    ;;
  stop) stopd
    ;;
  restart|reload|force-reload) stopd && startd
    ;;
  status) status
    ;;
  *) echo "Usage: /etc/init.d/syncthing {start|stop|reload|force-reload|restart|status}"
     exit 1
   ;;
esac

exit 0

===== END /etc/init.d/syncthing (do not copy this line) =====

11) save and exit nano ('Ctrl-X' and then 'Y' to save)


12) Let's make the script executable:

sudo chmod +x /etc/init.d/syncthing


13) Let's update the init.d sequence:

sudo update-rc.d syncthing defaults


14) Let's start the daemon (just the first time, it will autostart from now on):

/etc/init.d/syncthing start

Now it's really done! :)



Credits:

Tuesday, February 18, 2014

How to mount a Windows/NAS share on your Raspberry Pi

If you have a Raspberry Pi and a Windows machine (or maybe a NAS), you might want to share folders from the Windows machine/NAS to the RasPi.
One reason to do this (apart from sharing content between the two machines) would be to use the NAS as Mass Storage for the Pi.

This tutorial presumes you have already set up a shared folder on your NAS/Windows machine (we will call this \\Machine\SharedFolder), and that you have Raspbian installed on your RasPi's SD card.

These are the steps:

1. Create a mount point on the Raspberry Pi:

sudo mkdir /mnt/folder 

(obviously you can give it the name you prefer)

2. Open /etc/fstab to edit it:

sudo nano /etc/fstab

3. Add the following line at the end of the file:

//Machine/SharedFolder /mnt/folder cifs defaults,rw,credentials=/home/username/.cifscredentials 0 0 

where:
//Machine/SharedFolder stands for your Windows/NAS share
/mnt/folder stands for the folder you created in step 1
username in /home/username stands for your Pi's user name (default is "pi")

4. Now we have to create a file for storing Windows credentials:

nano /home/username/.cifscredentials

and insert your Windows credentials in it:

username=winuser
password=winpassword
domain=WORKGROUP 

5. Change the permissions of this file, in order to avoid undesired access to your credentials:

sudo chmod 600 /home/username/.cifscredentials

6. Let's see if it works:

sudo mount -a

If it worked, the following command will list the contents of the shared folder:

ls /mnt/folder

Is it all ok? Good!

7. Now reboot your Raspberry Pi (command is: sudo reboot) and when it comes back on, try again with:

ls /mnt/folder

The shared folder should have been mounted automatically.
Enjoy!
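Steps 3 to 5 keep the Windows password out of /etc/fstab (which every local user can read) and in a file that only its owner can read. The script below is an added example, not part of the original post: `write_cifs_credentials` creates the file with mode 600 from the start, so it is never briefly world-readable between steps 4 and 5, and `audit_cifs_fstab` checks every cifs entry for an inline password or a loosely protected credentials file. Both function names are hypothetical.

```shell
#!/bin/sh
# Added example: create and audit the CIFS credentials file from steps 3-5.
write_cifs_credentials() {   # $1 = path, $2 = user, $3 = password, $4 = domain
  rm -f -- "$1"
  ( umask 077   # the file is created as 0600, no chmod window afterwards
    printf 'username=%s\npassword=%s\ndomain=%s\n' "$2" "$3" "$4" > "$1" )
}

audit_cifs_fstab() {   # usage: audit_cifs_fstab /etc/fstab ; returns 1 on findings
  rc=0
  while read -r dev mnt type opts rest; do
    case "$dev" in ''|'#'*) continue ;; esac
    [ "$type" = cifs ] || continue
    cred=""
    old_ifs=$IFS; IFS=,
    for o in $opts; do           # mount options are comma-separated
      case "$o" in
        password=*|pass=*) echo "$mnt: password stored in fstab itself"; rc=1 ;;
        credentials=*|cred=*) cred=${o#*=} ;;
      esac
    done
    IFS=$old_ifs
    if [ -z "$cred" ]; then
      continue
    elif [ ! -f "$cred" ]; then
      echo "$mnt: credentials file $cred is missing"; rc=1
    elif [ "$(ls -ld "$cred" | cut -c5-10)" != "------" ]; then
      # characters 5-10 of the mode string are the group and other bits
      echo "$mnt: $cred is accessible to group/other, run chmod 600"; rc=1
    fi
  done < "$1"
  return $rc
}
```

Run `audit_cifs_fstab /etc/fstab` after editing; no output and exit status 0 mean every cifs entry uses a credentials file that only its owner can read.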