mintCast 349.5 – Just Some Linux ISOs

1:27 Innards
40:50 Feedback
48:51 Security
55:15 Outro

In our Innards section, we talk Docker, OpenVPN and Transmission

And finally, the feedback and a couple of suggestions

LINUX INNARDS:

  • My Docker Transmission/Chrome setup stopped working, but I think this time it was because of the changes in OpenVPN. I tested the ovpn file outside Docker and it worked just fine. But when I logged in to the Docker session and ran the same file, it threw an error and did not work.
  • I had to go through several different iterations of installing VirtualBox in order to get it to work. I started with the base install from the Mint repos, but it did not work. I did a purge and added the repo for VirtualBox and tried both 6.0 and 6.1, but neither seemed to work, and would throw an error in regards to drivers.
  • Even after I remembered that this was a new motherboard and went in and turned on virtualization, it still did not work. Then I did another purge and installed the main version of VirtualBox, and everything worked.
  • Then I installed the MATE version of Mint with 2 GB of RAM and 32 GB of starting HDD space, to be allocated dynamically.
  • Then I set up a shared folder between the host and the VM, which has some issues that I will get to shortly.
  • After that I made sure that the applications I needed were installed. These applications are transmission-daemon, transmission-rss, openvpn and iptables.
  • I had to make transmission-daemon run as my user, which was as easy as modifying the systemd setup and telling it to run as me.
  • Transmission-rss is an application for which you run a simple command that checks a config file and then checks the RSS feeds that I have given it, grabs the torrent files and then feeds them into Transmission, which downloads the files.
    • But because I installed the newest version of Ruby, it is having trouble reading everything from the config files. This should be easily fixed by reverting to an older version of Ruby, but what it amounts to is that Ruby sees the config file differently.
    • I set up transmission-rss to run as a cron job that goes off every ten minutes. This can also be set up as a service that runs continually, although I think that eats some resources for no reason.
  • The next thing that I set up was OpenVPN as a system service.
  • Then I needed to limit the traffic so that it would only go through the OpenVPN connection. That was why I changed the user earlier on Transmission to the main user instead of root, so that the traffic is always limited.
  • This requires the use of iptables. I generated a script based off some commands that I found on the interwebs; I would include the link here but I cannot find it again.
#!/bin/bash

# Set our rules so the debian-transmission user group can only route through the vpn
NET=10.0.0.0/8
GROUP=USER
IFACE_INTERNAL=eth0
IFACE_VPN=tun0
ALLOW_PORT_FROM_LOCAL=9091

# Let the group answer LAN clients on the Transmission web UI port over the LAN interface
iptables -A OUTPUT -d $NET -p tcp --sport $ALLOW_PORT_FROM_LOCAL -m owner --gid-owner $GROUP -o $IFACE_INTERNAL -j ACCEPT
iptables -A OUTPUT -d $NET -p udp --sport $ALLOW_PORT_FROM_LOCAL -m owner --gid-owner $GROUP -o $IFACE_INTERNAL -j ACCEPT
# Everything else from the group may only leave via the VPN tunnel or loopback
iptables -A OUTPUT -m owner --gid-owner $GROUP -o $IFACE_VPN -j ACCEPT
iptables -A OUTPUT -m owner --gid-owner $GROUP -o lo -j ACCEPT
# ...and anything from the group that did not match above is rejected (the kill switch)
iptables -A OUTPUT -m owner --gid-owner $GROUP -j REJECT

# not needed - but added these to properly track data to these interfaces....when using iptables -L -v
iptables -A INPUT -i $IFACE_VPN -j ACCEPT
iptables -A INPUT -i $IFACE_INTERNAL -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT

# track any forward (NAT) data for completeness - don't care about interfaces
iptables -A FORWARD
  • I have included the script here, but what it does is limit all traffic from the USER group to go through tun0, which is the VPN. It also limits local traffic to eth0, but since there is no eth0 it blocks local traffic for that user.
  • The next thing to do is restart the VM to test that everything is working as it should.
  • After the restart, the first thing to do is check your IP address, either from the command line with something like curl ipinfo.io or with your web browser.
  • If the IP address is different from the one outside of the VM, then you know that most everything is working. The next thing is to kill the OpenVPN service with sudo systemctl stop openvpn, check again, and then try to load a web page. Nothing should come up.
  • Restart the VPN with sudo systemctl start openvpn. Check your Transmission page. Check that you can download a torrent and that it will start.
  • Things that need to be fixed:
    • Transmission starts before the location is mounted, which throws some errors that are easily fixed by restarting Transmission.
      • This may be fixable by forcing Transmission to start later, or by converting to an sshfs mount that goes through my DNS service and having that set up as a systemd service that runs before Transmission.
    • The RSS feature for some reason (Ruby; I need to install an older version) doesn’t automatically move finished files to the proper location so that they can be moved to another location and picked up by Plex. It also no longer uses the regex I have set up so that it will only download the versions that I want of whatever I am downloading; it gets everything from the feed.
    • Also need to set the VM to start up automatically at reboot.
    • Even though I limited the amount of RAM to 2 GB, I am now maxing out 16 GB of RAM, so I am going to order more, but I think this is more a recent issue with Chrome eating memory again, as I have seen the issue on another machine without this setup.
  • There are other ways that I could set this up instead of inside a virtual machine that would probably be easier:
    • Instead of a VM I could use a dedicated machine. This would get rid of the mount timing issues that I have, but would make the later transfer of files possibly problematic. Pretty sure I could even do this with a Pi, and that may be my next project, although space may be an issue and I will still need to work out the kinks with Ruby.
    • I could set up a router with a dedicated VPN and then have a machine that is only connected through that, but that requires two dedicated devices, and while it is probably a much easier setup I would worry about IP leaks. Also, that would mean that when I wanted to use a VPN version of Chrome I would either need an extension or a different setup on all my boxes.
    • Last but not least, and one that I will be visiting in the near future: I could knuckle down and learn docker compose and fix these Docker images myself.
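As an added example (not from the show notes or the script's original source), the following shell audit helper checks an `iptables -S OUTPUT` dump for the properties the kill-switch script above depends on: an ACCEPT for the group on the VPN interface, a catch-all REJECT that is the group's last rule, and no port-less ACCEPT on the physical interface. The numeric gid, interface names and sample dump are constructed for the example; iptables -S prints gids as numbers.

```bash
#!/bin/bash
# Added audit helper, not part of the show notes: checks an OUTPUT chain
# dump (as printed by `iptables -S OUTPUT`) for the properties the VPN-only
# script relies on. Group id, interface names and the sample dump are
# constructed for this example; iptables -S prints gids numerically.
GROUP_ID=1000
IFACE_VPN=tun0
IFACE_INTERNAL=eth0

# Constructed sample of `iptables -S OUTPUT` after the kill-switch script ran.
SAMPLE_RULES='-P OUTPUT ACCEPT
-A OUTPUT -d 10.0.0.0/8 -o eth0 -p tcp -m tcp --sport 9091 -m owner --gid-owner 1000 -j ACCEPT
-A OUTPUT -d 10.0.0.0/8 -o eth0 -p udp -m udp --sport 9091 -m owner --gid-owner 1000 -j ACCEPT
-A OUTPUT -o tun0 -m owner --gid-owner 1000 -j ACCEPT
-A OUTPUT -o lo -m owner --gid-owner 1000 -j ACCEPT
-A OUTPUT -m owner --gid-owner 1000 -j REJECT --reject-with icmp-port-unreachable'

# check_killswitch RULES: prints one line per finding; returns 0 only when
# the group is confined to the VPN, i.e.
#   1. an ACCEPT for the group on $IFACE_VPN exists,
#   2. a catch-all REJECT for the group (no -o) exists,
#   3. that REJECT is the group's last rule, so no later rule can ACCEPT,
#   4. no port-less ACCEPT lets the group out on $IFACE_INTERNAL.
check_killswitch() {
    rules=$(printf '%s\n' "$1" | grep -- "--gid-owner $GROUP_ID ") || true
    rc=0
    printf '%s\n' "$rules" | grep -q -- "-o $IFACE_VPN .*-j ACCEPT" \
        || { echo "missing: ACCEPT for gid $GROUP_ID on $IFACE_VPN"; rc=1; }
    printf '%s\n' "$rules" | grep -v -- ' -o ' | grep -q -- '-j REJECT' \
        || { echo "missing: catch-all REJECT for gid $GROUP_ID"; rc=1; }
    last=$(printf '%s\n' "$rules" | tail -n 1)
    case "$last" in
        *'-j REJECT'*) ;;
        *) echo "order: last rule for gid $GROUP_ID is not REJECT: $last"; rc=1 ;;
    esac
    printf '%s\n' "$rules" | grep -- "-o $IFACE_INTERNAL " | grep -v -- '--sport' \
        | grep -q -- '-j ACCEPT' \
        && { echo "leak: port-less ACCEPT for gid $GROUP_ID on $IFACE_INTERNAL"; rc=1; }
    return $rc
}

# Stand-alone run against the constructed sample (for a live system use
# check_killswitch "$(iptables -S OUTPUT)" as root).
check_killswitch "$SAMPLE_RULES" && echo "OK: gid $GROUP_ID is confined to $IFACE_VPN"
```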

VIBRATIONS FROM THE ETHER:

  • Jim Daldry
  • Nick
  • LinuxLuva114

CHECK THIS OUT! 

Announcements:

Our next episode will be Sunday, November 29, 2020, at 2 pm Central Time; check for your local time!

https://everytimezone.com/s/1506acff

Wrap-up:

Before we leave, we want to make sure to acknowledge some of the people who make mintCast possible …

  • Owen Peery for our audio editing, Josh Lowe for all his work on the website, Hobstar for our logo, and Londoner for our time sync
  • Bytemark Hosting for hosting mintcast.org and our Mumble server
  • Archive.org for hosting our audio files
  • HPR for our backup Mumble room
  • The Linux Mint development team for the fine distro we love to talk about <Thanks, Clem!>

One Reply to “mintCast 349.5 – Just Some Linux ISOs”

  1. Clay Stone

    Forgive my iptables ignorance, but if I’d like to poke a hole for VNC access on 5901, what would I need to tweak/add to the above script to get that to work? Everything works just as I need it, save VNC. Many thanks. Love the show.
