Grab it here.

I decided to dump Ubuntu as my primary desktop for a couple of reasons. I think Ubuntu is a more polished desktop, and provides a better user experience over-all, especially for a regular user, and I like its Debian heritage and package system. But I do not like Unity. I am not going to debate it’s pros/cons here it has been done all over the interwebs. I simply don’t like it, and do not think it should be built the way it is. Unity should be built upstream, as an alternative shell to Gnome, not inside Ubuntu’s closed walls, and then customized for Ubuntu later on. Canonical could learn from red-hats previous mistakes and successes in this regard.

I was also very disappointed with the way Ubuntu handled the inclusion of Banshee and with the outcomes from that debacle.

I’ve always had a soft spot for Fedora and I like the community built around it, but I was also skeptical of the Fedora choice to ship Gnome-Shell. So I gave the Alpha a spin.

And I like it. It took a little getting used to, but I moved back to the old gnome-panel interface and I missed the changes now present in gnome-shell. So much that I decided months out from release to stick with Fedora 15 as my primary installation.

I am using this as a desktop, so my comments are really only relevant in that space, but a couple of thoughts.

SE Linux.

Technically SELinux is brilliant. But on a desktop it gets in the way, and the alerts will make no sense to a regular user. After an update I had to set my policy to permissive to simply be able to login again (Not a real complaint, it is Alpha). But until work is done to make the whole thing a lot clearer to non-technical users every howto is still going to start with, “Turn off selinux”. If I build a live respin, I will probably disable selinux on install.

GNOME Shell

The preferences are sparse, and this is by design, but I think most users, after getting used to the interface, are going to won’t more customization option. For the technically minded people install “dconf-editor”. If you want things a little simpler check out “gnome-tweak-tool“.

But personally, after getting comfortable with the shell, I think it is a better way to work. I like managing my work-flow with dynamic workspaces. A few extra keyboard shortcuts would come in handy.

I also have a usability problem with the notification tray. When there are multiple icons, you hover over the icon, which then moves to display the name of the application. If you need to click on an icon for options it has moved some arbitrary number of pixels away. It is only a little thing, but it annoys me no end. I think rather than shuffling icons, the title could simply be displayed as a pop-op, hint style.

Adding things and customization

Getting things to work with Fedora is just a little bit tricky. 32 bit flash on 64 bit system requires a visit to the wiki. Yum doesn’t process architecture dependencies properly, so whenever an app was only available 32 bit, like Skype, it would take a bit of a forum search to find a solution for installation. And I think that has always hindered Fedora adoption. The learning curve is just a bit steeper than Ubuntu. Sure a visit to a  Fedora FAQ will normally fix you up. but it takes a bit of investigation.

But all that said. I am back on very familiar Fedora soil, and I couldn’t be happier. I will try when writing blog posts to include instructions for Fedora/RHEL/CentOS and Ubuntu/Debian. I work with all of them. But I am a little lazy, so instead there will probably be a mash of howto’s each one on whatever distro the problem I was fixing was based.

I have been running Fedora 15. It is kinda buggy, (expected it’s alpha,) but I am actually finding gnome-shell growing on me.

Firefox 4 in included, but I still find I prefer Google Chrome, trouble is, it looks out of place on the desktop. I used this site and threw together a quick theme. It’s not perfect, but feel free to download it.

Turns out it is not an uncommon complaint: http://ubuntuforums.org/showthread.php?t=1013344

There are a heap more threads like this online.

Basically the option is hidden away in the Keyboard preferences.

See: https://wiki.archlinux.org/index.php/GNOME_2.28_Changes#Universal_Accessibility_Icon_Stuck_in_Panel



# aptitude install ushare

And run it:

# ushare -x -c /directory/containing/media

-x: Xbox compliant profile
-c dir: Location of media

This works straight away, the problem is that even though the xbox can decode and play .avi files, it will not attempt to play them when streamed from ushare because of the mime type they are presented as. But we can recompile ushare to make it work

Preparing your ubuntu install for building packages:


# aptitude install build-essential devscripts
# aptitude build-dep ushare
# apt-get source ushare


Now that you have the required software and the source code, enter the package source directory and build it.


# cd ushare-1.1a/


Edit src/mime.c. Replace the line

{ "avi",   UPNP_VIDEO, "http-get:*:video/avi:"},

with:

{ "avi",   UPNP_VIDEO, "http-get:*:video/x-ms-wmv:"},

Run debchange and add a comment for you new version:
# debchange -i

Build the package
# debuild

If you don’t have a gpg key setup for the email address used in the debchange, debsign will fail and the build will report an error, but it still should have built a deb package.

Move to the parent directory and install this package:

# dpkg -i ushare_1.1a-0ubuntu6_i386.deb

Now you can stream .avi files and the xbox will play them.

I am not using network-manager in the following examples. And honestly network-manager only makes life easier on a laptop, or desktop when operating wirelessly.

Make sure your network interface is set to dhcp, as network-manager is installed by default the relevant line may be commented out (also if your not using it, purge network-manager from your system). The relevant entries from my /etc/network/interfaces:


# The primary network interface
auto eth0
iface eth0 inet dhcp


Add an script in /etc/dhcp3/dhclient-exit-hooks.d. It should check if GDM is running, as after it has started up you should not change the hostname. My script read as follows:
/etc/dhcp3/dhclient-exit-hooks.d/set_hostname

# If you want to enable this script, change SETHOSTNAME to "yes"

SETHOSTNAME="yes"

if [ "$SETHOSTNAME" = "yes" ]; then
	if test -r /var/run/gdm.pid && ps -ef | grep $(cat /var/run/gdm.pid) | g
rep -q /usr/sbin/gdm ; then
	echo "$(date): GDM running, not changing host name"
	else
		hostname $new_host_name;
	fi
fi

That should be it. Though you may need to remove some incorrect entries from /etc/hosts, and remove /etc/hostname if the file contents are wrong.

Network Manager

The easiest openvpn client is network-manager. If you are using Ubuntu run:

# aptitude install network-manager-openvpn
# restart network-manager

• Now click on the network-manager applet, select configure VPN, and setup a new open-vpn connection.
• Set the gateway to you server
• Set the type to Password
• Point your CA to a copy of your server’s ca.crt and everything should just work

Everything Else

Linux, Windows and OSX all have ports of OpenVPN, and I have setup the client on each of them. Unless you want to pay for Viscosity on the mac, the chances are you will need a client configuration file.

Attached is a simple client configuration file that will work. Edit it to match your server’s settings where appropriate. You will need this and your ca.crt in the same directory. On Windows the file extenion is “.ovpn”. On linux my file is called /etc/openvpn/client.conf

##############################################
# Sample client-side OpenVPN 2.0 config file.
# for connecting to multi-client server.
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

dev tun
proto udp

# The hostname/IP and port of the server.
remote my-server-2.domain 1194

# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Try to preserve some state across restarts.
persist-key
persist-tun

# Certificate Authority
ca ca.crt

# Username/Password authentication is used on the server
auth-user-pass

# Verify server certificate by checking
# that the certicate has the nsCertType
# field set to "server".  This is an
# important precaution to protect against
# a potential attack discussed here:
#  http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server".  The build-key-server
# script in the easy-rsa folder will do this.
ns-cert-type server

# Set log file verbosity.
verb 3

On linux to start the openvpn client simply type:
# openvpn -config /etc/openvpn/client.conf

To manage the connection on Windows I would suggest using OpenVPN GUI. And either tunnelblick, or Viscosity (non-free) on OSX.

Setup IP Forwarding/Masquerading/Firewall

To turn on IP Forwarding:
# echo 1 > /proc/sys/net/ipv4/ip_forward

Set the change permanantly in /etc/sysctl.conf by uncommenting the line:
net.ipv4.ip_forward=1

To turn on IP Masquerading add the following IP Tables rule:

# iptables --table nat --append POSTROUTING \
--out-interface eth0 --jump MASQUERADE

Firewall
If you are running a firewall, and I strongly recommend you do on a public facing box you need to allow UDP on port 1194 into you box.
# iptables -A INPUT -udp -m udp --dport 1194 -j ACCEPT

But these rules need be persistant so we need to create a script to run when the interface starts up

# iptables-save > /etc/iptables.conf

Create a new file: /etc/network/if-up.d/iptables and paste in the following:

#!/bin/sh
/sbin/iptables-restore < /etc/iptables.conf

Set it to executable:
# chmod 755 /etc/network/if-up.d/iptables

Now when networking starts the firewall is brought up. If all you have done is what is above, your box is not really firewalled, as no traffic is dropped or blocked. For a basic firewall the following config, forwards everything, allows bind internally and only allows SSH and OpenVPN on the external interface.

/etc/iptables.conf (example):

#
*nat
:PREROUTING ACCEPT [36:18250]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [12:806]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
#
*filter
:INPUT ACCEPT [19:1037]
:FORWARD ACCEPT [420:191307]
:OUTPUT ACCEPT [314:39042]
# Allow everything on loopback
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Allow already established connections
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Allow SSH
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
# Allow DNS to this machine fron the private network
# (If you plan to run you own DNS, I run dns_masq)
-A INPUT -p tcp --dport 53 -s 10.8.0.0/16 -j ACCEPT
# Allow OpenVPN
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
# DROP the rest
-A INPUT -i eth0 -j DROP
COMMIT
#

Setup Open VPN

Installation

Install OpenVPN:

# aptitude install openvpn openssl


Edit /etc/default/openvpn. Comment all lines, and add:

AUTOSTART="openvpn"

Create Certificates and Keys

On you server as root:

# cd /etc/openvpn

Copy the the following directory

# cp -r /usr/share/doc/openvpn/examples/easy-rsa .
# cd easy-rsa/2.0/

Edit the file “vars”. Change the default values at the bottom of the file to match your details.

Import you ssl settings:
# . ./vars

run: # ./cleann-all. Do not run this every time as it will remove all existing certificates.

Create your Certificate Authority

# ./build-ca

Give it a sensible common-name, something like: “OpenVPN CA”

Now build the key and certificate for you server

# ./build-key-server server

Set the common name to “server”

Answer yes to signing the certificate and commiting it.

Now let’s create Diffie Hellman parameters:

# ./build-dh

Most other guides now get you to generate client certs, but we are using  username and password authentication so we do not need to do this.

Configure OpenVPN

Edit the file /etc/openvpn/openvpn.conf and add the following (the comments are unnecessary they are just there for explanation):

    dev tun
    ## udp is recommended, avoid TCP over TCP
    proto udp
    ## any port will do, this is the standard
    port 1194 

    ## certs we created earlier
    ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
    cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
    key /etc/openvpn/easy-rsa/2.0/keys/server.key
    dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem

    user nobody
    group nogroup
    ## You can make this any private subnet you like
    server 10.8.0.0 255.255.255.0

    persist-key
    persist-tun

    #status openvpn-status.log
    #verb 3
    client-to-client

    ## make this connection the default gateway for network traffic
    push "redirect-gateway def1"
    ## I am running dns_masq, you may want to put your server's DNS here
    ## or even google: 8.8.8.8
    push "dhcp-option DNS 10.8.0.1"

    log-append /var/log/openvpn

    ## User authentication settings. Usernames must be able to authenticate with PAM
    ## To use radius or another auth mechanism create /etc/pam.d/openvpn
    ## by default it is doing common-auth (a user must have a local accout and pasword)
    plugin /usr/lib/openvpn/openvpn-auth-pam.so login
    client-cert-not-required
    username-as-common-name

    ## A management interface allows you to telnet from local host to use
    ## telnet localhost 7505
    management localhost 7505

Restart OpenVPN: # /etc/init.d/openvpn restart

So this is the server done. We haven’t configured anything to connect to it yet.
Client how-to comming up next time.

Update. Client how-to is available

For an easy to install Ubuntu package use this PPA, from pmcenery.