the itjerk

my adventures with technology

Category Archives: Linux

dnscrypt-proxy

Time to setup dnscrypt-proxy on my new Ubuntu 22.04 LTS box. I found the best way to do this was to also install resolvconf and use that to ensure that /etc/resolv.conf always get the dnscrypt port of 127.0.2.1. Previously I’ve used a bunch of different methods, but for this distro, I’m happy with my results.

sudo apt udpate
sudo apt install dnscrypt-proxy resolvconf
sudo nano /etc/dnscrypt-proxy/dnscrypt-proxy.toml

Here you can change the settings for dnscrypt, by altering the server_names line (e.g. [‘cisco’], [‘cloudflare’]). Also ensure that the listen_addresses is empty. Restart the service if you make changes.

sudo systemctl restart dnscrypt-proxy

Next, open your Network Manager and go to the IPv4 settings. Turn off Automatic DHCP and set the address to 127.0.2.1. Restart the NetworkManager service.

sudo systemctl restart NetworkManager

Finally, edit the following resolvconf file to use the dnscrypt’s address in /etc/resolv.conf by adding the following line: nameserver 127.0.2.1

sudo nano /etc/resolvconf/resolv.conf.d/head

Now restart your computer.

You can test a number of ways. If you used [‘cisco’] you can do the following. Note in the ANSWER section “dnscrypt enabled”.

dig txt debug.opendns.com
; <<>> DiG 9.18.1-1ubuntu1-Ubuntu <<>> txt debug.opendns.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28688
;; flags: qr rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;debug.opendns.com.		IN	TXT

;; ANSWER SECTION:
debug.opendns.com.	59	IN	TXT	"server m45.chi"
debug.opendns.com.	59	IN	TXT	"flags 20040022 0 50 180000000000000000003950000000000000000"
debug.opendns.com.	59	IN	TXT	"originid 585506578"
debug.opendns.com.	59	IN	TXT	"actype 2"
debug.opendns.com.	59	IN	TXT	"bundle 13458843"
debug.opendns.com.	59	IN	TXT	"source 76.229.202.213:57968"
debug.opendns.com.	59	IN	TXT	"dnscrypt enabled (7158645166363443)"

;; Query time: 4 msec
;; SERVER: 127.0.2.1#53(127.0.2.1) (UDP)
;; WHEN: Fri May 06 10:48:39 CDT 2022
;; MSG SIZE  rcvd: 313

Another way of checking is to visit https://www.dnsleaktest.com/ which will tell you your DNS resolver.

The only thing I don’t get is this: Why does this use the old address? For another day.

dnscrypt-proxy -resolve google.com -config /etc/dnscrypt-proxy/dnscrypt-proxy.toml 
Resolving [google.com] using 127.0.0.1 port 53

Unable to resolve: [read udp 127.0.0.1:35375->127.0.0.1:53: read: connection refused]

ubuntu 22.04lts jammy jellyfish

Now that the new box is built, it’s off to make it work. As previously stated, I downloaded Ubuntu 22.04 LTS on DVD, but it had issues loading. I quickly made a bootable USB drive and was off to the races. I chose a minimal install without encryption and with updates. I can’t be bothered entering a password after every reboot, let alone remotely; but foremost, there’s nothing on the computer that needs to be encrypted.

Once completed, I first got the RAID1 with my music configured by creating a mount point, adding it to /etc/fstab and made an alias for it in my home folder. I then downloaded Roon, made it executable, installed its dependencies (curl, ffmpeg, cifs-utils) and then ran the installation script. On my Windows computer, I signed into Roon Desktop (btw, remember to sign out of any previous installations), added my music libraries and – most importantly – restored the latest backup of my previous Roon Core!

Next up was getting Duckdns so I can login remotely, UFW because it’s open for remote access, and configuring SSH for my website’s production host. Most of this was simple, though I did have to temporarily enable PasswordAuthentication on the production host for keys, and I also needed to reconfigure my router with the MAC address for the new motherboard to access the computer via port forwarding.

I then set to install the applications I need. Some are little tweaks like numlockx, while others were from that list I made – Audacious, Brasero, MOC, Easytag, etc, while fre:ac was a snap. I have issues with dt14-tmeter, which has always been prickly (fixed 04/26/22), and Totem which crashes and doesn’t play correctly under Wayland. I also imported bookmarks into Firefox and did quick run through of my top sites to get their passwords remembered.

I’m on the fence about tweaking out the UI, as the older I get the less I care about having it my way: Ubuntu and Gnome are good enough out of the box. I’m sure at some point I’ll get bored and add Gnome Extensions, Tweaks, get the Snap-free Firefox, change the colors etc, but for now, the computer is fine as it is. In the meantime, I will continue to use Xorg as everything seems to run best under it, including Totem, Audacious, etc.

One the web:
https://ubuntu.com/download/desktop

byopc 2022

With the arrival of Ubuntu 22.04 LTS, aka Jammy Jellyfish, it’s time to build a new Linux box. Hard to believe that another four years has already passed. I’m still happy with the old one, but the fans are a bit noisy, and I’d like to up performance. Note that this computer is an “always-on” dedicated music server for Roon software, containing a 4TB RAID1 with my music collection. And that’s just about all I use it for: ripping CDs to the library, running Roon server, the occasional DVD or CD burn, and of course, having the Linux environment at home to keep my itjerk skills up.

Over the years, I’ve found myself gravitate almost exclusively to the Windows environment for “day to day” computing. Why? It’s just fine for me. Other than running a few applications (mostly InDesign), the vast majority of my desktop experience is inside a web browser. Yours too, probably. And as someone that’s spent the past 20+ years in desktop support, I’m completely agnostic about Mac vs Windows vs Linux. Whatever costs less should be one’s top choice, not some brand fetish. Whether it’s a Dell or any Apple, Windows or macOS or Ubuntu, a properly maintained computer is both safe and secure. “Better” is subjective.

I’ve chose an Intel i3-10105 processor for the computer because a) it’s the cheapest I could find ($89) and b) it gives me plenty of “boost” from the current G4400 Pentium; more cores/threads/cache, faster clock, and only mildly less power efficiency (65w vs 54w). For the motherboard, I’ll need an LGA 1200 socket and a quick look at the Microcenter website yields the ASUS H510M-E Prime Intel microATX for $85. I’ll throw in a very fast 256GB NVMe M.2 drive for $32 for the boot drive and that’s about all I need. I have 8GB of DDR4 2133 RAM from the previous build that to reuse (along with case, power supply, etc). That’s a total bill of $202 for new computer “guts”.

The very first thing to do is ensure I have a backup of the RAID1. I’m going to transfer the RAID card and drives to the new mobo, which should go without a hitch (it did), but having a fresh backup gives me 100% peace of mind. I’m getting a new M.2 boot drive, so I’ll have the previous SSD to copy things over. Then, I’ll be sure to get a list of programs I’ll need to reinstall along with bookmarks, config files and my bash history (a wealth of knowledge!). With an initial minimum install of Ubuntu, I’ll need a few things, but mostly they and their dependencies relate to Roon, CD ripping and playback (notably Fre:AC and it’s config files!), plus a few DVD programs like Handbrake, DeeVeeDee and DVDAE. No need to bring extra software baggage to a clean install; if I forgot something, I can always install later.

One thing about the installation: maybe I’m getting old or maybe the lighting was just bad, but I did have to recheck some of my connections inside the case. RAM wasn’t clipped completely, USB header was off and I didn’t push the audio plug in all the way! The old SPDIF card I had doesn’t have the right pin config, so I’ll splurge $17 for a new one.

After downloading Ubuntu 22.04 LTS, I burned a DVD of the iso but it didn’t work. So I quickly made a USB drive and installation was fine. I did a minimal install, no encryption (PITA to enter a password and no way to do it remotely). I did get a couple boot warnings, but after I updated the mobo’s BIOS and the ACPI warning went away, while enabling VMX in the BIOS advanced settings corrected that. Still have “SGX disabled in BIOS” to deal with. One other thing, when the computer boots, it doesn’t display the RAID card’s screen. Hmmm.

Now on to Jammy Jellyfish!

roon firewall update

For some reason which I now forget, I signed up for the beta channel for Roon’s Linux server software. It updates maybe once a month, and very recently (with 1.8.x) everything stopped working right. A quick jump to the community boards and I found out that Roon Labs had changed the ports required for the software. Even more astonishingly, it’s undocumented. Here’s what I’m using.

22/tcp                     ALLOW       Anywhere                  
9003/udp                   ALLOW       192.168.0.0/24       # roon
9330:9339/tcp              ALLOW       192.168.0.0/24       # roon
8008:8009/tcp              ALLOW       192.168.0.0/24       # roon
30000:30010/tcp            ALLOW       192.168.0.0/24       # roon
8010                       ALLOW       Anywhere             # chromecast
1194/udp                   ALLOW       192.168.0.0/24       # roon
22/tcp (v6)                ALLOW       Anywhere (v6)        
8010 (v6)                  ALLOW       Anywhere (v6)        # chromecast


new raid1

The linux computer crashed. Upon restart, it wanted a disk check. Fair enough. But then when it rebooted, it went to the recovery console. Uh, oh, something is up. I went to Advanced Options and did a dpkg check, which found a few things to correct before I could reboot back into the GUI. At first I thought the OS drive was bad, but it ends up that the data drive was the one that had the error.

Upon the next reboot, my RAID card gave me a warning, “HDD may be not available. Please contact…” but when I went into the RAID menu, all drives were good. Hmmm. Does the ASMedia really read the disks’ SMART status? Once inside Ubuntu I then checked the SMART status of my drives using smartctl:

sudo smartctl -d sat --all /dev/sdx -H

The OS drive was fine, but the RAID said DISK IS LIKELY TO FAIL SOON, even though the RAID menu reported both disks as fine. While smarctl is very useful, it cannot look inside the ASMedia controller to let me know which disk was failing. Card said fine, OS said not fine. Who do I trust? Ubuntu. Bottom line: SMART is not to be ignored.

First, I immediately did a backup. Success. I then popped down to my local Microcenter and purchased two new (price matched!) 4TB Seagate IronWolf drives and setup a new RAID1. Why? Foremost, all the drives were still working, no data had been lost. So why not start fresh, reset the clock on the drives to Late 2021 and gain an extra TB of space?

It’s just a lot of time to complete a restore, but everything is safe again.

dr14.tmeter

Wow, figured out how to install this nifty python program that calculates dynamic range on flac files. Ubuntu 20.04 ships with Python3. There’s some drama between python versions 2 and 3 (e.g. latter merely a release candidate), so the best way is to first get pip and use it to install the program DR14-T.meter:

sudo apt update
sudo apt install python3-pip

Now we can use pip3 to install the dependencies, and then dr14.tmeter

sudo -H pip3 install numpy scipy
sudo -H pip3 install DR14-T.meter

Alternatively, you can use pip3 to install just for a specific user (in ~/):
pip3 install DR14-T.meter --user

Edit 04/2022:
To install on 22.04 LTS, I had to copy source code from github to local computer and install:
pip3 install -e dr14-t.meter-1.0.16

to calculate the dynamic range of an album, switch to the directory and run
dr14_tmeter ./

Scan Dir: /Music/Yes/1971_The_Yes_Album

02_Clap.flac: DR 15
01_Yours_Is_No_Disgrace.flac: DR 11
03_Starship_Trooper-_a._Life_Seeker_-_b._Disillusion_-_c._W├╝rm.flac: DR 12
04_I’ve_Seen_All_Good_People-_a._Your_Move_-_b._All_Good_People.flac: DR 10
05_A_Venture.flac: DR 11
06_Perpetual_Change.flac: DR 11
DR = 12

– The full result has been written in the files: dr14.txt
– located in the directory:
/Music/Yes/1971_The_Yes_Album

Success!
Elapsed time: 5.60 sec

On the web:
DR14_T.meter

uncomplicated firewall (ufw)

RoonUFW
I run a Roon Server or “Core” on my Ubuntu box to supply music to various endpoints on my local subnet. Because the computer also has a window to the outside world, I run a firewall, ufw. Like its namesake, it’s easy to configure, you can get the basics here. Anyway, I need to open a few ports so Roon Server can be discovered on my subnet, by creating an application profile and then adding a rule to the firewall.

First, we’ll create a file “roon” in the following location:
$ cd /etc/ufw/applications.d/
$ sudo touch roon
$ sudo nano roon

Here’s what’s in the file:
[Roon]
title=Roon Server
description=Roon Labs Core Music Server
ports=9003/udp|9100:9200/tcp

Note the context of the ports entry: The pipe separates udp from tcp, and ranges are set with a colon (and individual ports with a comma). Once you create the file, you can quickly check syntax by running ufw status, and it will let you know if you made any errors, which is handy. Once that’s created, it’s easy enough to add the rule to ufw, and check status again to see it working:

$ sudo ufw allow from 192.168.1.0/24 to any app roon
$ sudo ufw status

Status: active
To Action From
— —— —-
Roon ALLOW 192.168.1.0/24

I should note that the reason I’m doing this is because Roon doesn’t document what ports need to be open, and I’m having an issue with one piece of hardware being recognized on reboot. There’s probably another series of ports that I need to open up, so having a profile is an easy way to trouble shoot; once I make changes, I can edit the profile then update ufw with the following command:

$ sudo ufw app update Roon

Since Roon uses randomized ports, my interim fix is to allow access to the server from the endpoint in question:

$ sudo ufw allow from [endpoint ip]

Nothing scary here folks, just some computer and network basics.

wireguard vpn

On my to-do list for my newly christened Ubuntu box was to install a VPN. I had previously used OpenVPN-AS (Access Server), which is a lite version (two user) of OpenVPN that uses a web interface for most configuration. I also considered using “regular” OpenVPN but to be honest, there’s a fair amount of work in setting up keys, and I didn’t want to use scripts downloaded from github. Enter WireGuard.

Here’s the pitch. “WireGuard┬« is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec (and OpenVPN), while avoiding the massive headache. It intends to be considerably more performant than OpenVPN.” In short, it’s easy to configure, lightweight to use, and it’s already in the Ubuntu 20.04LTS repo.

To install WireGuard, we install the program, create keys, configure the virtual network device (wg0), and then configure the client (Android).

#install WireGuard
$ sudo -i
$ apt update && install wireguard

#generate server keys (these are stored in /etc/wireguard/)
$ umask 077; wg genkey | tee privatekey | wg pubkey > publickey
cat publickey

#configure the WireGuard interface wg0 (leaving peer empty for now)
$ cd /etc/wireguard
$ nano wg0.conf

[Interface]
Address = 192.168.6.1/24
SaveConfig = true
ListenPort = [port]
PrivateKey = [server privatekey]

[Peer]
PublicKey = [client publickey]
Allowed IPs = 192.168.6.2/32

#open port on firewall for WireGuard to listen
$ ufw allow [port]/udp

#enable and start Wireguard server
$ sudo systemctl enable wg-quick@wg0
$ sudo systemctl start wg-quick@wg0
$ sudo systemctl status wg-quick@wg0

#now that the service is started, let’s stop it, and configure our client.
#first we create client (keys we’re not going to save them)
$ sudo systemctl stop wg-quick@wg0
$ wg genkey | (
read privk
echo "android-private-key: $privk"
echo "android-public-key: $(echo "$privk" | wg pubkey)"
)

#edit wg0.conf and enter the publickey for your client, then restart WireGuard
$ sudo systemctl start wg-quick@wg0
$ sudo systemctl start wg-quick@wg0

#now let’s create a config_file for the client.
$ exit
$ cd ~/Desktop
$ nano config_file

[Interface]
#client
PrivateKey = [client privatekey]
Address = 192.168.6.2/24

[Peer]
#server
PublicKey = [server publickey]
AllowedIPs = 192.168.6.0/24
Endpoint = [ip or host name]:[port]
PersistentKeepalive = 15

#save the file and generate a qrcode to scan with your phone
$ qrencode -t utf8 < config_file

That’s it! I installed the WireGuard app on my Pixel phone, selected QR code for the connection and scanned the image, then the app asked me to name my new connection. All set, I connected and viola, I have my own VPN server.

Couple of notes. Pay attention to the IP addresses and masks; they must be exact. You can use whatever port you want for WireGuard to listen, and it works well with DuckDNS dynamic hostname. Multiple peers can be configured as well. The Android app could do a better job “hiding” both keys, but there you are.

On the web:
WireGuard

duplicate files

Finding duplicate files is big part of my Ubuntu data cleanup plan. Here’s some tips: Fdupes finds duplicate files via checksum; the first command will summarize what it finds in a recursive search, while the latter will delete the files (N means NO CONFIRMATION!). Warning: there’s no going back! The third command will change the date of pictures to what’s in the jpegs header, for easier sorting.

fdupes -rSm .
fdupes -rdN .
jhead -ft *

ubuntu 20.04 lts

Yes, the latest LTS distribution of Ubuntu, 20.04 aka Focal Fossa, has been released. I’m raring to upgrade my desktop but there’s always a bit of work involved. Of course, with the COVID-19 pandemic in full swing, I’ve got plenty of time on my hands. But a few other things first. Watch this space.

Here’s my thoughts:
1. I need my Ubuntu server to be dedicated to music (and video); that’s why I got into the Linux game in the first place, and I’m all-in with Roon. I’ll do a clean install of 20.04, get 99% of it setup in no time at all.
2. The local copy of my production website(s) needs to go to a virtual machine. Great solution to a small problem.
3. Backup for photos and documents. Why not pay for a cloud service? I don’t like the idea of having a few hard drives laying around, I’m too OCD for that. Get it organized, put it in the cloud.

Now that’s a plan.