uncomplicated firewall (ufw)

I run a Roon Server or “Core” on my Ubuntu box to supply music to various endpoints on my local subnet. Because the computer also has a window to the outside world, I run a firewall, ufw. Like its namesake, it’s easy to configure, you can get the basics here. Anyway, I need to open a few ports so Roon Server can be discovered on my subnet, by creating an application profile and then adding a rule to the firewall.

First, we’ll create a file “roon” in the following location:
$ cd /etc/ufw/applications.d/
$ sudo touch roon
$ sudo nano roon

Here’s what’s in the file:
[Roon]
title=Roon Server
description=Roon Labs Core Music Server
ports=9003/udp|9100:9200/tcp

Note the context of the ports entry: The pipe separates udp from tcp, and ranges are set with a colon (and individual ports with a comma). Once you create the file, you can quickly check syntax by running ufw status, and it will let you know if you made any errors, which is handy. Once that’s created, it’s easy enough to add the rule to ufw, and check status again to see it working:

$ sudo ufw allow from 192.168.1.0/24 to any app roon
$ sudo ufw status
Status: active
To Action From
— —— —-
Roon ALLOW 192.168.1.0/24

I should note that the reason I’m doing this is because Roon doesn’t document what ports need to be open, and I’m having an issue with one piece of hardware being recognized on reboot. There’s probably another series of ports that I need to open up, so having a profile is an easy way to trouble shoot; once I make changes, I can edit the profile then update ufw with the following command:

$ sudo ufw app update Roon

Since Roon uses randomized ports, my interim fix is to allow access to the server from the endpoint in question:

$ sudo ufw allow from [endpoint ip]

Nothing scary here folks, just some computer and network basics.

wireguard vpn

On my to-do list for my newly christened Ubuntu box was to install a VPN. I had previously used OpenVPN-AS (Access Server), which is a lite version (two user) of OpenVPN that uses a web interface for most configuration. I also considered using “regular” OpenVPN but to be honest, there’s a fair amount of work in setting up keys, and I didn’t want to use scripts downloaded from github. Enter WireGuard.

Here’s the pitch. “WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec (and OpenVPN), while avoiding the massive headache. It intends to be considerably more performant than OpenVPN.” In short, it’s easy to configure, lightweight to use, and it’s already in the Ubuntu 20.04LTS repo.

To install WireGuard, we install the program, create keys, configure the virtual network device (wg0), and then configure the client (Android).

#install WireGuard
$ sudo -i
$ apt update && install wireguard
#generate server keys (these are stored in /etc/wireguard/)
$ umask 077; wg genkey | tee privatekey | wg pubkey > publickey
cat publickey

#configure the WireGuard interface wg0 (leaving peer empty for now)
$ cd /etc/wireguard
$ nano wg0.conf

[Interface]
Address = 192.168.6.1/24
SaveConfig = true
ListenPort = [port]
PrivateKey = [server privatekey]

[Peer]
PublicKey = [client publickey]
Allowed IPs = 192.168.6.2/32

#open port on firewall for WireGuard to listen
$ ufw allow [port]/udp

#enable and start Wireguard server
$ sudo systemctl enable wg-quick@wg0
$ sudo systemctl start wg-quick@wg0
$ sudo systemctl status wg-quick@wg0

#now that the service is started, let’s stop it, and configure our client.
#first we create client (keys we’re not going to save them)
$ sudo systemctl stop wg-quick@wg0
$ wg genkey | (
read privk
echo "android-private-key: $privk"
echo "android-public-key: $(echo "$privk" | wg pubkey)"
)

#edit wg0.conf and enter the publickey for your client, then restart WireGuard
$ sudo systemctl start wg-quick@wg0
$ sudo systemctl start wg-quick@wg0

#now let’s create a config_file for the client.
$ exit
$ cd ~/Desktop
$ nano config_file

[Interface]
#client
PrivateKey = [client privatekey]
Address = 192.168.6.2/24

[Peer]
#server
PublicKey = [server publickey]
AllowedIPs = 192.168.6.0/24
Endpoint = [ip or host name]:[port]
PersistentKeepalive = 15

#save the file and generate a qrcode to scan with your phone
$ qrencode -t utf8 < config_file

That’s it! I installed the WireGuard app on my Pixel phone, selected QR code for the connection and scanned the image, then the app asked me to name my new connection. All set, I connected and viola, I have my own VPN server.

Couple of notes. Pay attention to the IP addresses and masks; they must be exact. You can use whatever port you want for WireGuard to listen, and it works well with DuckDNS dynamic hostname. Multiple peers can be configured as well. The Android app could do a better job “hiding” both keys, but there you are.

On the web:
WireGuard

duplicate files

Finding duplicate files is big part of my Ubuntu data cleanup plan. Here’s some tips: Fdupes finds duplicate files via checksum; the first command will summarize what it finds in a recursive search, while the latter will delete the files (N means NO CONFIRMATION!). Warning: there’s no going back! The third command will change the date of pictures to what’s in the jpegs header, for easier sorting.

fdupes -rSm .
fdupes -rdN .
jhead -ft *

Finally, if you want to pipe them into a file to see what is found:

fdupes -r ./stuff > dupes.txt