Set up a Wireguard VPN in 15 minutes

Wireguard is the new kid on the block when it comes to VPNs. It offers significant advantages compared to the traditional choices of OpenVPN and IPSec. It is very lean with about 5,000 lines of code. Thanks to that, the codebase has already gone through a security. More importantly, it is extremely easy to set up (especially compared to IPSec). On top of that, it is also much faster (mainly in comparison to OpenVPN). Currently, Wireguard is in the process of being implemented in the Linux kernel. However, it is already available as a Linux kernel module.

In this post, you will learn how to set up a simple VPN consisting of a server with a public IP address and two other machines running behind a NAT.

First, some theory. Wireguard uses a peer-to-peer architecture, where each peer has its own private and public key pair. The peers authenticate each other by exchanging public keys, and this creates a bidirectional tunnel. As you can see, the key exchange is almost as easy as with SSH. The communication itself uses a standard Linux network interface.

Configure a Debian server

Above, I have said that Wireguard is peer to peer. So, where does a server suddenly come from? Well, since directly connecting machines behind a NAT is not an easy affair (you would need to use Dynamic DNS or a similar technique), you will need a peer with a public IP address that the peers behind NAT will connect to. For the sake of clarity, I am just going to go ahead and call this peer a server and the rest clients.

Before you start, enable packet forwarding on the server. In order to do that, you need to edit /etc/sysctl.conf and uncomment this line:

net.ipv4.ip_forward=1

Then run:

$ sysctl -p

In Debian, Wireguard is available in the unstable repository. You enable it this way:

$ echo "deb https://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable.list
$ printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' > /etc/apt/preferences.d/limit-unstable

After that, you can install the wireguard package. To build the module, you also need to install kernel headers:

$ apt update
$ apt install linux-headers-amd64 wireguard

Afterwards, enable the kernel module:

$ modprobe wireguard

Next, you need to generate the private and public keys:

$ cd /etc/wireguard
$ umask 077
$ wg genkey | tee privkey | wg pubkey > pubkey

The above commands create two files - /etc/wireguard/privkey and /etc/wireguard/pubkey. Now you just need to add configuration for the interface in /etc/wireguard/wg0.conf. It should look similar to this:

[Interface]
PrivateKey = PrivkeyOfServer
Address = 10.10.10.1/24

Later on, you will need to add peers. But for now, we are done. The default port for Wireguard is 51820, so make sure it’s open.
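
As an added example (not part of the original post), the following shell helpers check the result of the steps above before the interface is brought up: that wg0.conf is not accessible to group or others, that PrivateKey is a real 44-character base64 key rather than the PrivkeyOfServer placeholder, that an Address line is present, and that packet forwarding is on. The function names file_mode, forwarding_enabled and check_wg_conf are hypothetical and are not part of wireguard-tools.

```shell
#!/bin/sh
# Added example; file_mode, forwarding_enabled and check_wg_conf are
# hypothetical helper names, not part of wireguard-tools.

# Octal permission bits of a file (GNU stat, BSD stat as fallback).
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# forwarding_enabled [FILE]: true if the ip_forward flag reads 1.
# FILE defaults to the live kernel value; override it for testing.
forwarding_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

# check_wg_conf FILE: print findings, return the number of problems found.
check_wg_conf() {
    conf=$1
    problems=0
    [ -r "$conf" ] || { echo "FAIL: cannot read $conf"; return 1; }

    # 1. The file holds the private key, so group and others must have no
    #    access at all (what 'umask 077' gives newly created files).
    mode=$(file_mode "$conf")
    case $mode in
        0|*00) ;;
        *) echo "FAIL: mode $mode exposes the private key to group/others"
           problems=$((problems + 1)) ;;
    esac

    # 2. A WireGuard key is 32 bytes: 43 base64 characters plus one '='.
    key=$(sed -n 's/^[[:space:]]*PrivateKey[[:space:]]*=[[:space:]]*//p' "$conf" | head -n 1)
    if ! printf '%s\n' "$key" | grep -Eq '^[A-Za-z0-9+/]{43}=$'; then
        echo "FAIL: PrivateKey is missing or still a placeholder"
        problems=$((problems + 1))
    fi

    # 3. Address must be IPv4 with a prefix length, e.g. 10.10.10.1/24.
    if ! grep -Eq '^[[:space:]]*Address[[:space:]]*=[[:space:]]*([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}' "$conf"; then
        echo "FAIL: no 'Address = a.b.c.d/len' line found"
        problems=$((problems + 1))
    fi

    [ "$problems" -eq 0 ] && echo "OK: $conf"
    return "$problems"
}
```

Run it as check_wg_conf /etc/wireguard/wg0.conf followed by forwarding_enabled; a non-zero exit status from either means one of the earlier steps was skipped.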


Use passphrases instead of passwords

The other day I wanted to buy a concert ticket from a website I hadn’t visited before. That meant creating a new account (even though that shouldn’t really be necessary). I went through the ordeal of filling in my details, clicked “Confirm” and bam… the password was not good enough. As is usual, the password needed to contain an uppercase letter, a numeral, a symbol, a Chinese character and 10 emojis (couldn’t you have told me earlier?). At this point, most people would just say screw it and use a variation of one of their few passwords. Perhaps adding their birthdate or something along those lines. I draw that conclusion from publicly available lists of breached passwords. To be honest, I don’t blame them. Remembering tens of passwords is hard, even without all the weird characters. But even if you don’t feel like setting up a password manager, there is a better and safer alternative. Passphrases.

What are passphrases?

As you might have guessed, passphrases use several words, or a sentence, instead of a single word. Nowadays, you can readily use spaces in passwords. That’s why I would recommend using whole sentences. That typically makes your password much longer. And as a bonus, using commas etc., you will easily fulfill the special character criteria. However, it is important to choose a unique phrase, not something you would easily find on the Internet. While it might be tempting to just use “Winter is coming to Winterfell”, that’s about as good as “12345”. I recommend using something based on a memory.


Red Meat Is Not the Culprit

Nowadays, eating red meat is more and more stigmatized. Not only do the media portray it as unhealthy, but lately even as the biggest factor behind environmental issues. The EAT-Lancet paper is just the latest in the series of such alarmist articles. As you can see from the outline, it recommends a diet based on highly processed plant-based foods. No surprise, considering that processed food giants, such as Nestle and Kellogg’s, sponsored it. But fortunately, numerous people have already rebuked the misconceptions that the paper mentions. Personally, I have liked this Revolution Health Radio interview with Diana Rodgers. You can find it here:

What the EAT-Lancet Paper Gets Wrong, with Diana Rodgers

If you find it intriguing, I recommend Impacts and Ethics of Eating Meat as well.

Install MiniDLNA to Stream Media

DLNA is a standard for sharing digital media. It is supported by most modern TVs, phones and other devices. So, if you have a Raspberry Pi file server, you can easily use it to stream media. To achieve that, we will install MiniDLNA. This guide assumes you are using Raspbian 9, but the commands should be similar on different flavors of Linux.


How to Connect External Hard Drive to Raspberry Pi


I have already explained how to do a basic Raspberry Pi server install. But if you want to do something more exciting with it, perhaps running a Nextcloud instance or setting up a torrent box, you will need more space than just an SD card. That’s why in this post I will show you how to connect an external hard drive to a Raspberry Pi.


Automatic ClamAV Scans With Email Notifications

You might consider antivirus software unnecessary on a Linux box. But if you are running a public-facing server, it might be a good idea to run it regardless. Why is that? Even though malware probably can’t affect your server much, it can still use it to infect users. To prevent that, we will learn how to install and set up automatic ClamAV scans with email notifications. In the examples below, I am using Debian 9, but the commands should be the same for any Linux distribution.

Install and configure ClamAV

You can easily install the antivirus by running the following command:

$ apt install clamav

ClamAV is pretty well configured out of the box. Usually, I only change the frequency of virus signature database updates. You can do that in /etc/clamav/freshclam.conf by changing the Checks line. Since I run the scan once a day, I lower the frequency of updates to that as well.

Checks 1


Use EditorConfig For Your Project

This might be the first time you’re hearing about EditorConfig. But don’t worry, I was in the same boat just a couple of months ago. So, what is it? It is a simple file format that helps keep coding styles consistent across different editors. And more importantly, across different team members.

How does it work?

EditorConfig consists of two components. Firstly, an .editorconfig file that you put in the root of your project. Secondly, a plugin for the editor of your choice. The .editorconfig file is written in .ini format. You can define things such as the number of spaces to indent or whether to use tabs or spaces. Moreover, you can use different settings for different file formats. For a complete explanation, head over to the official site. In order to enforce the settings from .editorconfig, you need a plugin for your editor. For the most popular ones, such as Vim, Emacs, Atom, Sublime Text or Brackets, there are plugins readily available. The Jetbrains IDEs even include EditorConfig support in their core.


Darkest Dungeon: The Color of Madness Is out

Red Hook Studios have just released Darkest Dungeon: The Color of Madness. It’s the latest DLC for the critically acclaimed gothic roguelike. In case you haven’t heard about it, this RPG is set in a Lovecraftian world. So, it is not for the faint of heart. Your heroes will starve, despair, get sick and die. And they will stay dead.

Features

The expansion brings several new features:

  • Wave-Based Survival in a New Environment: The Farmstead! Nonstop action! Fight through endless groups of monsters in an effort to reach the comet’s crash.
  • Resupply! Bolster your party with consumables obtained from mysterious new curios between waves of combat.
  • An All-New Enemy Faction. The Miller and his loyal workmen have become lifeless husks, consumed by the ever-growing crystalline influence that has spread from the comet across the farm…
  • 2 New Bosses
    • The Miller
    • Thing From the Stars (mini-boss)
  • Twisted New Trinkets. Available for purchase from the Jeweler, a new vendor in the Nomad Wagon. Put your gold away—he trades only in Comet Shards!
  • New tunes! The Farmstead boasts the longest, most involved combat score to date!

I have taken part in the beta testing and I can definitely say you should grab this one. And while you are at it, why don’t you get yourself a copy of Crimson Court as well? If you still need convincing, check the launch trailer:

Improve Your Privacy with DNS Over TLS

HTTPS is quickly becoming standard, in no small part thanks to Let’s Encrypt. HTTPS helps keep ISPs and other third parties from spying on users. But there is one more gaping hole, the DNS protocol. And DNS over TLS aims to plug it.

What is DNS?

“Wait a sec, what’s this DNS stuff?” might be your reaction. DNS, or domain name system, is the Internet’s yellow pages. It translates URLs into IP addresses. So, whenever you type an address into your browser, the computer sends a request to a DNS server. In turn, the DNS server tells it which server to connect to. Most DNS servers use DNSSEC to sign their answers. Thanks to that you can be sure the answer you got is not bogus. Unfortunately, the whole communication is in plain text and therefore visible to anyone en route. This is where DNS over TLS comes into the picture.


Improve Wordpress Load Speed with WP Super Cache

Wordpress is the most popular CMS in the world, powering over 30% of all websites. It owes its popularity to ease of use and a huge number of plugins. The plugins make it possible to turn Wordpress into anything from a personal blog to an e-shop. Like others of its kind, Wordpress generates the pages dynamically. In other words, every time it is accessed, it loads data from the database and uses PHP to create the page it serves the visitor. As a result, Wordpress load speed is slower and it requires more resources. That is an important point to keep in mind, since over 40% of users leave a page if it does not load within 3 seconds.

Caching

This is where caching comes into the picture. It combines the speed of static sites with the robustness of Wordpress. Instead of generating a page on every load, Wordpress saves the resulting page. Other visitors just see this pregenerated static page. This significantly improves Wordpress load speed and saves server resources. And when you post a new article or a comment, the cache is automatically invalidated. So, you don’t have to be afraid that a visitor will see an outdated version.
