Useful Resources

Reference material or other items like datasheets, articles, or whitepapers. Useful for consideration in projects or general technical reference.

Background

A “terminal server” or centralized shared desktop server has obvious benefits. Here are just a few:

  • Central application management
  • Securely access home automation or BMS systems remotely
  • Use cheap thin clients or even older machines that are now too slow
  • Cross platform – this works with Windows, Mac, and Linux machines
  • Remotely accessible from anywhere
  • Reduced support requirements
  • Privately use another desktop from work or home
  • Save on the expense of premium hardware on every desktop
  • More secure application deployment within trusted network zones
  • License Free! – this type of terminal server requires no expensive licensing

Solution

I built a terminal server running Xubuntu 22.04 with local users. To enable the use of RDP protocol clients (because Windows, Linux, and Mac machines already have RDP clients) I installed the xrdp package. You can perform the following steps to turn any Xubuntu desktop instance into a full terminal server:

sudo apt install xrdp
sudo systemctl enable --now xrdp
sudo ufw allow from any to any port 3389 proto tcp

When adding new users to the box, simply add any desktop user the usual way in Ubuntu:

Once the user is added, give them whatever permissions are desired. If you have various applications and a printer already set up on this box, the user will have access to them and can print from within their session. Once set up, give the user their credentials and have them log in for the first time.

From another Linux desktop, they can use the “Remmina” app to open a session, or from Windows use Remote Desktop, etc:

Hit “Save and Connect”

Upon logging in, they will see the login greeter:

Once logged in, the terminal server desktop appears:

From within this session, the desktop experience is perfect for running centralized applications, or browsing the internet from the terminal server’s location.

Background

I had a need to create a shared desktop Ubuntu machine that would be used by more than one person, but I wanted it to function more like an internet kiosk, and not be changeable by the end user. After playing with Raspbian OS for other projects, I knew about the overlayfs method of making the SD card read only. This is often done to protect the SD card from being prematurely worn by constant writing. In this application, I wanted to do something similar using the Ubuntu OS on more powerful J4125 hardware. After some initial googling, I learned about the overlayroot package. Installing and setting it up is fairly easy and can be done in mere minutes. Read on…

Solution

First thing we will want to do is install the Ubuntu operating system and all the software applications we might want. We want to set up the machine exactly how we will want it BEFORE we enable the overlayroot read only FS. Set all preferred desktop settings, packages, themes, browser settings, backgrounds, desired user accounts, adding printers, etc FIRST!

After we have the desktop provisioned the way we want it, the next step is to “freeze” this configuration by installing and enabling overlayroot:

sudo apt install overlayroot

Once you have it installed, you will need to modify a configuration file to enable it. Edit the following file – the only variable you need to change is overlayroot="", which should read:

sudo nano /etc/overlayroot.conf

overlayroot="tmpfs"

Save and close the file. There are other options for this config, but they are out of the scope of this article. For more information, please consult the config file, it is loaded with documentation in the comments.

Last step, reboot the machine. Your machine will come up in a read only state. Any changes made to the system will be eliminated after reboot! This is perfect for a shared computer where you don’t want multiple people mucking up the machine, and cleanup is as easy as rebooting.

Undo The Overlayroot

If you should wish to undo the overlayroot to update the system, or add/change something, you can do so by passing the following argument on the grub boot line:

overlayroot=disabled

Here’s how:

Reboot the machine, and at the grub menu hit “e” to edit the chosen boot entry and put the above option on the linux line like so:

menuentry 'Ubuntu, with Linux 3.5.0-54-generic (Writable)' --class ubuntu --class gnu-linux --class gnu --class os {
	recordfail
	gfxmode $linux_gfx_mode
	insmod gzio
	insmod part_msdos
	insmod ext2
	set root='(hd0,msdos1)'
	search --no-floppy --fs-uuid --set=root 28adfe9d-c122-479a-ab81-de57d16516dc
	linux	/vmlinuz-3.5.0-54-generic root=/dev/mapper/faramir-root ro overlayroot=disabled
	initrd	/initrd.img-3.5.0-54-generic
}

Keep in mind this is a ONE TIME modification to the boot line: once booted, make all your changes and then reboot again, and the system will be restored to the overlayroot read only state. If you wish to permanently undo the overlayroot, then clear the overlayroot="tmpfs" variable in /etc/overlayroot.conf BEFORE rebooting.
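The two steps above (setting overlayroot="tmpfs" in /etc/overlayroot.conf, and checking afterwards whether a boot is the one-time writable one or the normal read only one) are easy to get wrong by hand on a shared box. The following shell helpers are an added example, not code from the original post; they default to the real /etc/overlayroot.conf, /proc/cmdline and /proc/mounts but accept a file argument so they can be tried against copies first. The /proc/mounts line format used in the status check is a constructed sample of what an overlayroot boot shows.

```sh
#!/bin/sh
# Added example, not from the original post: helpers around the two steps the
# post describes (setting overlayroot="tmpfs" in /etc/overlayroot.conf, and the
# one-time overlayroot=disabled boot). File paths default to the real ones but
# can be passed in, so the functions can be exercised against copies.

# Set the overlayroot= assignment, e.g. set_overlayroot_mode /etc/overlayroot.conf tmpfs
# Pass "" as the mode to turn overlayroot off permanently (the post's last paragraph).
# Only the uncommented assignment changes; the documentation comments stay intact.
set_overlayroot_mode() {
    conf="$1"
    mode="$2"
    if grep -q '^overlayroot=' "$conf"; then
        sed -i "s|^overlayroot=.*|overlayroot=\"$mode\"|" "$conf"
    else
        printf 'overlayroot="%s"\n' "$mode" >> "$conf"
    fi
}

# Print the configured mode ("" when overlayroot is disabled in the file).
get_overlayroot_mode() {
    sed -n 's|^overlayroot="\(.*\)"|\1|p' "$1" | tail -n 1
}

# True when the current boot carried overlayroot=disabled on the kernel line,
# i.e. the writable maintenance boot made through the grub editor.
# Usage: booted_writable [cmdline-file]   (default /proc/cmdline)
booted_writable() {
    grep -Eq '(^| )overlayroot=disabled( |$)' "${1:-/proc/cmdline}"
}

# True when / is an overlay mount, i.e. the read-only state is in effect.
# Reads /proc/mounts by default; a file with the same format can be passed in
# (assumed line shape: "overlayroot / overlay rw,... 0 0").
root_is_overlay() {
    awk '$2 == "/" && $3 == "overlay" { found = 1 } END { exit !found }' "${1:-/proc/mounts}"
}

# Short status line for a login banner or a cron check.
overlayroot_status() {
    if root_is_overlay "$@"; then
        echo "read-only overlay active: changes are discarded at reboot"
    else
        echo "root is writable: remember to reboot to restore the overlay"
    fi
}
```

A one-line `overlayroot_status` in /etc/profile.d is a cheap way to make sure nobody spends an hour configuring a kiosk that is about to forget everything at the next reboot.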

I bought a used Dell R430 server from Ebay. It still had the old hostname showing in the system details on the iDRAC. Without the OMSA tool installed on the server, it is hard to change the displayed name. The OMSA tool also enables a lot of other admin functionality as well. I read many guides on how to install the tool for my system, so I’m posting it here in hopes this will help someone.

Step 1

Install the repository. Dell maintains a complete repo for Ubuntu/Debian users at:
https://linux.dell.com/repo/community/openmanage

You need to review the support matrix on that repo for your server model, generation, and supported OS. In my case, for my R430 (13th generation) I installed version 10.0.3.0.0. Here’s how I added the repo:

sudo gpg --keyserver keyserver.ubuntu.com --recv-key 1285491434D8786F
sudo gpg -a --export 1285491434D8786F | sudo apt-key add -
echo 'deb http://linux.dell.com/repo/community/openmanage/10300/focal focal main' | sudo tee -a /etc/apt/sources.list.d/linux.dell.com.sources.list
sudo apt update
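The commands above use apt-key, which is deprecated on current Ubuntu releases; a key added that way is trusted for every repository on the machine, not just Dell's. The script below is an added example (not the post's commands, and not Dell's own instructions) that does the same Step 1 with the key kept in its own keyring and bound to the repo with signed-by, then carries on with the Step 2 install. The key ID and repo URL are the ones from the post; the keyring and sources file paths are my choice.

```sh
#!/bin/sh
# Added example, not from the original post: the same repo set-up with the Dell
# key kept in its own keyring and bound to this repo via signed-by, because
# apt-key (used in the post) is deprecated on current Ubuntu releases and keys
# added with it are trusted for every repository. Key ID and repo URL are the
# post's; the keyring and sources file paths are my choice.

DELL_KEY_ID="1285491434D8786F"
DELL_REPO="http://linux.dell.com/repo/community/openmanage/10300/focal"
KEYRING="${KEYRING:-/etc/apt/keyrings/dell-openmanage.gpg}"
SOURCES="${SOURCES:-/etc/apt/sources.list.d/dell-openmanage.list}"

# Fetch the key straight into the dedicated keyring (not into root's own
# keyring) and show its fingerprint so it can be compared with Dell's
# published one before apt is allowed to trust it.
import_dell_key() {
    mkdir -p "$(dirname "$KEYRING")"
    gpg --no-default-keyring --keyring "$KEYRING" \
        --keyserver keyserver.ubuntu.com --recv-keys "$DELL_KEY_ID"
    gpg --no-default-keyring --keyring "$KEYRING" --fingerprint "$DELL_KEY_ID"
}

# The apt source line; signed-by limits this key to this one repository.
# Usage: dell_source_line [keyring-path]
dell_source_line() {
    printf 'deb [signed-by=%s] %s focal main' "${1:-$KEYRING}" "$DELL_REPO"
}

# Write the line once; running the script twice does not duplicate it.
# Usage: write_dell_source [sources-file] [keyring-path]
write_dell_source() {
    target="${1:-$SOURCES}"
    line="$(dell_source_line "${2:-$KEYRING}")"
    if [ -f "$target" ] && grep -qxF "$line" "$target"; then
        return 0
    fi
    printf '%s\n' "$line" >> "$target"
}

# Step 1 and Step 2 of the post, run as root: sh dell-omsa.sh run
main() {
    import_dell_key
    write_dell_source
    apt update
    apt install -y srvadmin-all
}

case "${1:-}" in run) main ;; esac
```

After `apt update`, `apt policy srvadmin-all` should show the Dell repo as the candidate source; if apt complains about a missing public key, the signed-by path in the .list file does not match where the keyring was written.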

Step 2

Once apt was updated to include the repo, all that is left to do is install the tool:

sudo apt install srvadmin-all

After installation, reboot the server (the installation makes many changes) and then start the OMSA service:

sudo /opt/dell/srvadmin/sbin/srvadmin-services.sh start

After starting the service, you should then be able to access the admin page using a local account at:

https://<server.ip>:1311

Once logged in, you will then see the dashboard:

If you have an Amazon device, like Alexa, Ring, etc, you will soon be sharing your internet connection publicly (at least a small portion of it). Amazon is quietly opting device owners in to create a new public network called Sidewalk. This new feature will be turned on by default. You can turn it off fairly easily. Should you choose to opt out of Amazon Sidewalk, here’s how:

Open the Alexa app on your iPhone or Android
Tap More
Tap Settings
Tap Account Settings
Tap Amazon Sidewalk
Toggle the switch to Off to disable your participation

You can always change your mind later and join back in.

Abstract

You may be one of those people (like me) who prefers web content rendered in dark mode.  Often the preference for the choice is due to less eye strain and glare.  Light text on dark background is much easier on the eyes.  There’s also another thing to consider: for those who use AMOLED screens, darker pixels means using less energy for displays.  My preference is for the first reason – it’s a lot easier on my eyes when I spend hours in front of a computer as both a staple in my profession and for my hobby – that’s a LOT of screen time! (and assault on my eyes).

Solution

Fortunately, the solution is a simple one (if you’re a Chrome user).  You can enter this string in the URL field: chrome://flags/#enable-force-dark and choose Enable.  The result is pretty darned sweet!

ABSTRACT

We have an electronic Z-Wave lock on our back door. This lock works great with our Domoticz home automation system over the Z-Wave interface. The lock allows each user to have their own code, but an epic fail is that you have to take the lock apart to create/change/delete codes. I hate the way codes are managed on this lock and the task is quite onerous. There HAS to be a better way! My needs require:

  • family members must be able to unlock the door
  • access must be grantable to hired house help (babysitters, contractors)
  • some kind of physical token (other than a key) must be easy to create and distribute, and easy to revoke/change if lost
  • the solution has to operate reliably with our existing home automation infrastructure

Of course ESP8266 and MFRC522 to the rescue!

SOLUTION

First, the shopping list (bring your own 5 volt power source):

You can build just about ANYTHING with the ESP8266 so long as you have a problem to solve, and couple imagination to the problem – you can do magic!  That’s just what I did here.  I had an RFID chip reader antenna module (MFRC522) and proceeded to see how others have implemented an RFID badge reader.   I found one project that implemented a basic reader with a relay switch to activate a solenoid.  Since I don’t have a solenoid on my lock, I had to make modifications to the code from Luis’ project:

  • use MQTT to signal to Domoticz to unlock the door over my own MQTT broker like the rest of my sensors
  • log when invalid tags are scanned
  • enter a unique client and topic name to uniquely identify the reader on the system

Here’s my fork of Luis’ code which adds improvements that include server-side MQTT support and an example for Domoticz home automation. To connect the reader to the door lock, I had to get the Domoticz IDX address of the lock and build a statement into the code that would be sent when the database returned a match. The statement looks like this, where 123 stands in for the IDX of the locking device:

// 123 is the Domoticz IDX of the lock; escapeshellarg() keeps the JSON (and the credentials) intact for the shell
echo shell_exec("mosquitto_pub -h " . escapeshellarg($pubHost) . " -u " . escapeshellarg($pubUser) . " -P " . escapeshellarg($pubPass) . " -t " . escapeshellarg($topic) . " -m " . escapeshellarg('{"command":"switchlight","idx":123,"switchcmd":"Off"}'));

The project workflow is as follows:

  • User scans their tag
  • The ESP8266 calls out over WiFi to a local server to check a database of RFID tags using an HTTP POST
  • The fobcheck.php script receives the POST value containing the tag ID and checks the database
  • If the database returns a match, fobcheck.php runs a shell command to the server-side MQTT client to instruct the door to unlock

The completed reader is simply powered from a 5V power source outside and placed in a convenient location near the door. Here’s what I used to build the reader in a weatherproof case:

The fobs can be attached to any keychain for easy use and are relatively cheap so if they are lost or stolen, can be easily deactivated.

To manage users, I use a database back end where each tag has a record which contains the assigned user, tag ID, and enablement value (1 for active, 0 for inactive):

To allow the ESP8266 to read the database, I wrote a PHP connector script. It connects to the database when the ESP8266 sends an HTTP POST request:
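The server side of the workflow above, as an added example and not the post’s fobcheck.php (that screenshot did not survive): it is written in shell rather than PHP, and a constructed comma-separated file stands in for the post’s database, so the three decisions the connector has to make are visible end to end. It checks the tag ID’s shape before it reaches the lookup or the shell, honours the 1/0 enablement value, appends every rejected scan to a log (the “log when invalid tags are scanned” item above), and only then builds the Domoticz switchlight command. The domoticz/in topic, the IDX 123, the file paths and the DRY_RUN switch are my assumptions.

```sh
#!/bin/sh
# Added example, not the post's fobcheck.php: a shell stand-in for the server-side
# check, so the validation and logging steps can be seen end to end. The tag list
# is a constructed file standing in for the post's database (lines: user,tagid,enabled);
# the Domoticz topic/IDX, the log path and DRY_RUN are assumptions.

TAG_DB="${TAG_DB:-/etc/fobcheck/tags.txt}"
INVALID_LOG="${INVALID_LOG:-/var/log/fobcheck-invalid.log}"
MQTT_TOPIC="${MQTT_TOPIC:-domoticz/in}"
LOCK_IDX="${LOCK_IDX:-123}"

# Accept only hex tag IDs of a sane length (MFRC522 UIDs are 4 or 7 bytes)
# before anything touches the database or the shell. This is the step that
# stops a crafted POST value from being spliced into the mosquitto_pub command.
valid_tag_format() {
    printf '%s' "$1" | grep -Eq '^[0-9A-Fa-f]{8,20}$'
}

# Look up a tag; print the user name and return 0 only when the tag exists
# and its enabled flag is 1 (the post's 1 = active, 0 = inactive convention).
lookup_tag() {
    awk -F, -v tag="$1" \
        'toupper($2) == toupper(tag) && $3 == "1" { print $1; ok = 1 } END { exit !ok }' "$TAG_DB"
}

# Append a timestamped line for every rejected scan, as the post's fork does.
log_invalid() {
    printf '%s invalid tag scanned: %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" >> "$INVALID_LOG"
}

# Build the Domoticz switchlight payload; "Off" unlocks a Domoticz door-lock switch.
domoticz_unlock_payload() {
    printf '{"command":"switchlight","idx":%s,"switchcmd":"Off"}' "$1"
}

# Main check: returns 0 and publishes the unlock when the tag is active.
# With DRY_RUN=1 the mosquitto_pub command is printed instead of executed.
fobcheck() {
    tag="$1"
    if ! valid_tag_format "$tag"; then
        # log a sanitised copy so a malformed value cannot inject lines into the log
        log_invalid "$(printf '%s' "$tag" | tr -cd '[:alnum:]' | cut -c1-20)"
        return 1
    fi
    if ! user=$(lookup_tag "$tag"); then
        log_invalid "$tag"
        return 1
    fi
    payload=$(domoticz_unlock_payload "$LOCK_IDX")
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'unlock for %s: mosquitto_pub -h %s -t %s -m %s\n' \
            "$user" "${MQTT_HOST:-localhost}" "$MQTT_TOPIC" "$payload"
    else
        mosquitto_pub -h "${MQTT_HOST:-localhost}" -t "$MQTT_TOPIC" -m "$payload"
    fi
}
```

Run it as `DRY_RUN=1 sh -c '. ./fobcheck.sh; fobcheck 04A1B2C3'` to see the command that would be published; the invalid-scan log is also the place to watch for a lost fob being tried at the door after it has been set to 0.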

BACKGROUND

There are a number of products out there which use different methods for filtering content.  Because my home network is very customized, many of the consumer products out there don’t offer the flexibility I need as a parent without “dumbifying” my network.  I have invested a great deal of time and some money on setting up and using second hand enterprise network gear from Cisco and Ubiquiti and I did not want to sacrifice all that.  My requirements for a solution were:

  • had to be impossible to circumvent
  • had to be effective at blocking undesirable traffic, yet be flexible enough for “adult” needs
  • had to fit my network topology and environment
  • had to be secure
  • had to be easy to manage

THE SOLUTION

Because my network is built using mostly Cisco enterprise gear (router and switches), I had a lot of flexibility. I created something I like to call “Jailed DNS”. Jailed DNS is where you prevent local network devices from using any DNS resolver other than the one inside the network. For those who don’t know what DNS is, I will refer you to this resource which gives a basic understanding of what DNS is, and how it is used as part of the fundamental internet machinery. In my implementation here, the intent was to provide a local DNS server on my network that would be responsible for all internet lookups. Here is a basic diagram of my home network. You will see that the network is broken up into several zones (known as vlans). These vlans operate as discrete internal networks that have their own subnets and host groupings. There are many advantages to partitioning a network in this way:

  • Limit broadcast traffic within a physical switch
  • Apply different network policies to different groups of devices
  • Isolate sensitive devices from the rest of the network (control & automation)

In this example, you can see restricted and unrestricted areas of the network. When devices on the unrestricted network talk to the local DNS server (DNS Jail), their query is forwarded to a public DNS server like 1.1.1.1. This DNS server does not discriminate between any queries sent to it and will refer devices to the requested resources. Devices on the restricted areas of the network also query the local DNS Jail, but the DNS Jail knows to forward their lookup requests to OpenDNS. OpenDNS is configured to block a few things:

  • Undesired content categories (e.g. porn, BitTorrent, etc)
  • Security scam related sites (phishing, scam, hacking, etc)
  • Blacklisted domains (e.g. YouTube, Roblox, etc)
  • Anything else I would rather my kids or guests not visit

In order for a DNS Jail to work effectively, you must be able to prevent local devices from using external DNS servers; otherwise it won’t work. I achieved this in my Cisco Router’s IOS settings by creating the following in my internet ACL (Access Control List):

This setting does two things: 1) it prevents DNS requests from leaving the network and going out onto the internet, and 2) it allows ONLY the DNS Jail server (10.0.1.10 in this case) to send queries outside the network (DNS recursion and forwarding). This is one of the most important steps. Many routers have settings to do this – consult your router’s docs.
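Since the screenshot of the ACL did not survive, here is an added example of an IOS named ACL that does the two things just described; it is my reconstruction, not the post’s own configuration. The only address taken from the post is the DNS Jail at 10.0.1.10; the VLAN interface names and descriptions are placeholders. It is applied inbound on each inside VLAN interface rather than outbound on the internet interface, because on IOS an outbound ACL on the WAN side evaluates after NAT and would no longer see 10.0.1.10 as the source.

```cisco
! Added example; not the post's own ACL (that screenshot did not survive).
! Applied inbound on each inside VLAN interface, so the addresses are the
! pre-NAT ones: every inside device may talk DNS to the Jail, only the Jail
! (10.0.1.10, from the post) may send DNS to the internet, and any other DNS
! trying to leave is dropped and logged.
ip access-list extended DNS-JAIL
 remark 1. every inside device may query the Jail itself
 permit udp any host 10.0.1.10 eq domain
 permit tcp any host 10.0.1.10 eq domain
 remark 2. only the Jail may recurse/forward to the outside world
 permit udp host 10.0.1.10 any eq domain
 permit tcp host 10.0.1.10 any eq domain
 remark 3. any other DNS leaving the network is dropped and logged
 deny   udp any any eq domain log
 deny   tcp any any eq domain log
 remark 4. everything else follows the normal rules (merge with your existing inter-VLAN rules here)
 permit ip any any
!
interface Vlan30
 description Kids network (placeholder name)
 ip access-group DNS-JAIL in
!
interface Vlan40
 description Guest network (placeholder name)
 ip access-group DNS-JAIL in
```

Repeat the `ip access-group DNS-JAIL in` line on every inside VLAN interface, including the one the Jail lives on, and check with `show access-lists DNS-JAIL` that the deny counters stay at zero once every client has been pointed at the Jail via DHCP; a rising counter is a device with a hard-coded resolver. The rule only covers classic DNS on port 53: DNS over TLS uses port 853 and can be denied the same way, while DNS over HTTPS shares port 443 with ordinary web traffic and has to be disabled in the browser or OS settings instead.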

Once this was completed, I had to create two “views” on the DNS Jail server. The views define how the server responds based on the source network subnet of the requesting device. This is how the DNS Jail is able to decide whether to forward requests to 1.1.1.1 or to OpenDNS for content restriction. Here, you can see how I configured my DNS Jail, which is a copy of BIND9 (DNS Server) running on my network. You can see all the subnets of the “Area51” view that are for unrestricted devices, and the “Majic12” view that contains the restricted subnets. Oh! and look at that magic statement in there: forwarders {} where I declare the IP addresses of the OpenDNS servers which will receive forwarded requests and do the content filtering magic.

Once this is all done, I start BIND on my network and it starts processing DNS requests for my networks immediately. If we try to go to a “bad” destination from a restricted endpoint, we will see the page denying the request! If we are on the unrestricted part of the network, we are allowed through! YAY! Of course no filtering solution is perfect, but if there is a false positive, then the denial page gives the user the opportunity to have the page unblocked with the network owner’s approval.
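The named.conf screenshot did not survive either, so the following is an added example of what the two views look like in BIND9 syntax; it is my reconstruction using the post’s “Area51” and “Majic12” view names, not the author’s file. The subnets are illustrative placeholders, and 1.1.1.1/1.0.0.1 and 208.67.222.222/208.67.220.220 are the public Cloudflare and OpenDNS resolver addresses (the category and domain blocking itself is configured in the OpenDNS dashboard, as the post describes). A third catch-all view is added so that a client from an unlisted subnet gets refused rather than silently falling through to an unfiltered path.

```bind
// Added example, not the post's own named.conf (that screenshot did not
// survive): two views using the post's "Area51" (unrestricted) and "Majic12"
// (restricted) names. The subnets are illustrative placeholders, not the
// post's real ones; the resolver addresses are the public Cloudflare and
// OpenDNS ones (the filtering itself is set up in the OpenDNS dashboard).

acl "area51-nets" { 10.0.1.0/24; 10.0.2.0/24; 10.0.5.0/24; };   // e.g. home office, lab, management
acl "majic12-nets" { 10.0.3.0/24; 10.0.4.0/24; 10.0.6.0/24; };  // e.g. kids, multimedia, guest

view "Area51" {
    match-clients { "area51-nets"; localhost; };
    recursion yes;
    forward only;                          // never resolve directly, always use the forwarders
    forwarders { 1.1.1.1; 1.0.0.1; };      // unfiltered public resolver
};

view "Majic12" {
    match-clients { "majic12-nets"; };
    recursion yes;
    forward only;
    forwarders { 208.67.222.222; 208.67.220.220; };   // OpenDNS: category and domain blocking applied there
};

// Anything not in either list (an unknown subnet, a misconfigured host)
// gets REFUSED rather than falling through to an unfiltered path.
view "catch-all" {
    match-clients { any; };
    recursion no;
    allow-query { none; };
};
```

This goes in /etc/bind/named.conf.local. Two things bite on Ubuntu: once any view exists, every zone must live inside a view, so the `include "/etc/bind/named.conf.default-zones";` line in /etc/bind/named.conf has to be moved into the views (or commented out), and views are matched top to bottom, so the catch-all must stay last. Run `named-checkconf` before restarting, then confirm from a host in each subnet with `dig @10.0.1.10 example.com` that the restricted view really is the one answering.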

If we head on over to OpenDNS, you’ll see a nice dashboard which also lets you set up many content filtering categories & websites. The dashboard will also have tools for you to review settings and most visited and blocked traffic. It’s FREE and it’s pure magic! This parental control solution is quite effective and can be set up with a small investment of time. Over the long run of usage, it will pay you back by making it easy to manage internet content for your family or small business.

BACKGROUND

Most people don’t have this problem on a Home or Small Office network. Being a Cisco fan (Cisco networking), I eat my own dog food when it comes to networking at my house. We live in a two story Victorian home, circa 1886; with all its charm, it has 21st century smarts. When we moved into our home, one of my first projects was to put in an “enterprise” type of network, using all Cisco network equipment. This meant, amongst other things, installing wired ethernet drops in every room. Each room has a CAT5 drop for phones, security cameras, and access points. Each room has a Cisco 7960 VoIP phone/intercom and we enjoy having room to room intercom, whole house paging, and a land line (for free) using Google Voice for PSTN termination. Sure, WiFi is great, but it is best used for laptops and mobile devices. Non-mobile devices like phones, cameras, DVR, and multimedia (TVs, set top boxes, etc) are all ethernet connected for maximum reliability and performance. As you can imagine, fishing wired network drops through old horsehair plaster & lath walls is NOT a fun undertaking! The older construction of our home and the options for installing jacks in older 20th century construction require a great deal of patience and finesse to ensure a good outcome. That all being said, I was determined to complete this project.

When I ran all the cables to a central point in a closet upstairs, which became the server/controls closet, I setup my core switch (a Catalyst 3750 stacked with a 12 port Cisco SFP gigabit switch) and router (a Cisco 3825).  I provisioned different vlans for differing uses:

  • Kids network
  • Multimedia
  • Home Lab
  • Automation & Control
  • Home Office
  • Guest Network
  • Network Management
  • Voice

Each vlan was established with its own 10.x.x.x/24 subnet. Building the network in this way allowed me to ensure separation of traffic and to use ACLs to provide additional security by application. With the great flexibility in how I could build this came a level of complexity not seen in most home networking, but it also allowed for some really cool features. I had to be sure to build a backup and recovery scheme that could back up all the route, ACL, DHCP pool, NAT, VLAN, and interface configuration! What if I lost a switch, or made a mistake and needed to recover? Given the cost of Cisco equipment, I wasn’t buying my gear new, but rather used from Ebay for pennies on the dollar. I had to be prepared in case a switch let go.

THE SOLUTION

I had a few Raspberry Pi boards laying around, and decided to cook up a quick and cheap solution. I killed two birds with one stone. I had planned to use the Pi for building a GPS time source (for accurate stratum 0 NTP time on my network). I decided to set up a folder on the Pi served by a TFTP server, as well as a cron job to automate a bash/expect script that logs in to each Cisco device and TFTPs its configuration to the folder on the Pi every week. The script creates time stamped backup configs for each switch should I ever need to restore. In addition, each network switch is set to be an NTP peer with the GPS clock on the Pi – BONUS!

An example of the expect script: 

Showing the TFTP folder with all the Cisco backups: 

This quick and dirty “get out of jail free” card has already saved my bacon at least once.  Restoring the config to a switch via TFTP is a well documented procedure that is in Cisco’s documentation.
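The expect script and the TFTP folder listing are missing from the page, so here is an added example of the kind of weekly job described above; it is my reconstruction, not the author’s script. It drives the interactive `copy running-config tftp:` dialogue on each device over SSH, names each copy with a timestamp and prunes old ones. The device names, the Pi’s TFTP address 10.0.1.20, the backup directory and the CISCO_USER/CISCO_PASS environment variables are my assumptions, as is that the devices have their SSH host keys already in known_hosts and give the backup user a privilege-15 (#) prompt.

```sh
#!/bin/sh
# Added example, not the post's own script (that screenshot did not survive):
# the weekly job on the Pi that drives "copy running-config tftp:" on each Cisco
# device and keeps timestamped copies. Hostnames, the TFTP address, the backup
# directory and the CISCO_USER/CISCO_PASS variables are my assumptions; the
# devices are assumed to give the user a privilege-15 (#) prompt over SSH and
# to have their host keys in known_hosts already.

TFTP_HOST="${TFTP_HOST:-10.0.1.20}"           # the Pi's TFTP server address
BACKUP_DIR="${BACKUP_DIR:-/srv/tftp/cisco}"   # directory the TFTP server writes into
KEEP_DAYS="${KEEP_DAYS:-90}"                  # how long to keep old copies
DEVICES="${DEVICES:-core-switch.lan edge-router.lan}"

# Timestamped name for one device's backup, e.g. core-switch.lan-20240107-0300.cfg.
# The timestamp can be passed explicitly so the naming is deterministic to check.
backup_filename() {
    printf '%s-%s.cfg' "$1" "${2:-$(date +%Y%m%d-%H%M)}"
}

# Answer the interactive copy dialogue on one device. The password is read by
# expect from the environment, so it never appears in argv or in ps output.
pull_config() {
    HOST="$1" TFTP="$TFTP_HOST" FILE="$(backup_filename "$1")" expect <<'EOF'
set timeout 30
spawn ssh -o StrictHostKeyChecking=yes "$env(CISCO_USER)@$env(HOST)"
expect "assword:"    { send "$env(CISCO_PASS)\r" }
expect "#"           { send "copy running-config tftp:\r" }
expect "remote host" { send "$env(TFTP)\r" }
expect "filename"    { send "$env(FILE)\r" }
expect "#"           { send "exit\r" }
expect eof
EOF
}

# Remove backups older than KEEP_DAYS so the SD card does not fill up.
# Usage: prune_old_backups [dir] [days]
prune_old_backups() {
    find "${1:-$BACKUP_DIR}" -maxdepth 1 -type f -name '*.cfg' -mtime "+${2:-$KEEP_DAYS}" -delete
}

# Cron line on the Pi (Sunday 03:00), with the credentials in a root-only file:
#   0 3 * * 0 . /root/.cisco-backup.env && /usr/local/bin/cisco-backup.sh run
main() {
    for dev in $DEVICES; do
        pull_config "$dev"
    done
    prune_old_backups
}

case "${1:-}" in run) main ;; esac
```

The saved configs contain type 7 passwords, SNMP communities and pre-shared keys, and TFTP itself is unauthenticated and cleartext, so the TFTP directory belongs on the management VLAN with the files readable only by the backup user. Newer IOS also has the `archive` feature (`path tftp://…` plus `time-period`), which pushes the config on a schedule from the device side and needs no credentials stored on the Pi at all.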

BACKGROUND

Raspberry Pi computers… they are used for many DIY projects and are even used in production environments for various roles from IoT (Internet of Things) to network servers of all kinds. They’re great for small industrial uses as well as IoT applications, and the reason why is that they have a small power footprint and no moving parts, making them extremely robust. The Achilles heel, however, is the SD card that is used in them! There are many accounts that tell tales of card corruption bringing down an RPi based application.

Being a seasoned Linux user, I noticed one thing that may be to blame: growing logs & swap file usage in /var/swap & /var/log. SD cards have a limited number of write cycles and when they’re used up, the card will likely need to be binned and a new one written and swapped in. It seems clear that most of the read/write activity is done in the /var directory, so I figure that a better solution to this problem is to set up a USB drive (SSD or thumbdrive), format it as EXT4, and mount it permanently as /var in /etc/fstab. This article will explain how to do just that, and by doing so, you will significantly prolong the life of your SD card! Read on:

SOLUTION

The first thing you will notice when you plug a USB drive into your Pi is that it will most likely be formatted as FAT (we want to change this).  You can see the details of your USB drive by running fdisk -l and viewing the output below:

As you can see, in my example, the USB drive is an 8GB size and is already formatted as a “linux” filesystem, but in many cases you would see FAT or NTFS here.  Our goal is to delete any partitions on the USB and create a new one that looks like this example.   You can use any size drive you want, I recommend 8GB or larger – and larger is always better!

After you have created a single Linux partition on your USB device, you then want to write the changes to the USB and then format it.  In this example, the drive is /dev/sda.  We want to format the first partition so that partition will be /dev/sda1 and so we will issue the following command once we write the partition and close fdisk:

mkfs.ext4 -L var /dev/sda1

NOTE: be SURE you know which device you are about to format!!! We assume your device will be /dev/sda but it could be different, so check when you run fdisk -l. The format can take anywhere from a few minutes to a while depending on the size of your USB device, so be patient and wait until you are returned to a prompt. Once back at the prompt, you will have a formatted EXT4 partition on your USB device, and you will be ready for the next step: copying your /var directory to the USB.

To copy the contents of /var to your USB, become root or use sudo and then mount the USB to a mountpoint. I suggest creating /mnt/usb and mounting to that to keep things simple. Execute:

sudo mount /dev/sda1 /mnt/usb

You will then be ready to move your /var contents to the USB.

To move your /var contents to the USB execute:

mv /var/* /mnt/usb/

NOTE: you may get an error on moving the swapfile; this is OK, do not worry about it. We then need to check /mnt/usb and verify that all our /var contents are in there by running:

ls /mnt/usb

You should see the same directories and files in there as you did in /var. You are now ready to set up your USB device as the permanent home for the /var location. To do this, you need to modify /etc/fstab and add an entry to the file showing the USB device mounted as /var as follows (use your favorite text editor – carefully!):

Once you have the fstab file looking similar to this example, you can save the file and reboot your Raspberry Pi. When the Pi reboots, it will mount /var from the USB drive and no longer use the SD card for swap or for logs and log rotation. This saves a huge number of write cycles on your SD card! After you make this change you can also ensure swapping is turned off by running these commands:

sudo dphys-swapfile swapoff
sudo dphys-swapfile uninstall
sudo update-rc.d dphys-swapfile remove
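The fstab example above is missing from the page, and two details of the procedure deserve a helper: mounting by the label that `mkfs.ext4 -L var` set (rather than /dev/sda1, which becomes /dev/sdb1 as soon as a second USB device is plugged in, leaving the Pi without a usable /var at boot), and checking that the copy is complete before rebooting, because `mv /var/*` silently skips dotfiles and stops partway on the swapfile error. The functions below are an added example, not the post’s commands; the mount options and the fsck pass number are my choices.

```sh
#!/bin/sh
# Added example, not from the original post: helpers for the /var-to-USB move.
# Mounting by LABEL (the label the post's mkfs.ext4 -L var sets) instead of
# /dev/sda1 keeps the boot working if the USB device enumerates as /dev/sdb.
# Mount options and the fsck pass number (2) are my choices.

# Print the fstab line for the new /var. Usage: var_fstab_line [label]
var_fstab_line() {
    printf 'LABEL=%s  /var  ext4  defaults,noatime  0  2\n' "${1:-var}"
}

# Append the line to an fstab file once (idempotent). Usage: add_var_mount FSTAB [label]
add_var_mount() {
    fstab="$1"
    label="${2:-var}"
    if ! grep -Eq '^[^#]*[[:space:]]/var[[:space:]]' "$fstab"; then
        var_fstab_line "$label" >> "$fstab"
    fi
}

# Copy /var preserving ownership, permissions, symlinks and dotfiles
# (mv /var/* skips dotfiles and leaves the tree half-moved on the swapfile error).
# Usage: copy_var SRC DST     e.g. copy_var /var /mnt/usb
copy_var() {
    cp -a "${1%/}/." "${2%/}/"
}

# Compare the two trees entry by entry; returns 0 when DST has everything SRC has
# and lists what is missing on stderr otherwise. Usage: verify_copy SRC DST
verify_copy() {
    src="${1%/}"
    dst="${2%/}"
    missing=$( (cd "$src" && find . -print | sort) | while IFS= read -r p; do
        [ -e "$dst/$p" ] || [ -L "$dst/$p" ] || printf '%s\n' "$p"
    done)
    [ -z "$missing" ] && return 0
    printf 'missing on destination:\n%s\n' "$missing" >&2
    return 1
}
```

Typical order, as root: `copy_var /var /mnt/usb`, then `verify_copy /var /mnt/usb`, then `add_var_mount /etc/fstab`, and only after `mount -a` succeeds reboot and empty the old /var on the SD card (it must stay as an empty directory, since it is the mount point). Doing the copy from a rescue shell, or at least with the services that write to /var stopped, avoids copying a log that is still being appended to.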

I hope you find this info useful!

Because I am an active Ham Radio enthusiast, it is hard to pass up the chance to try new things that come out, especially new radios! My first experience with digital Ham Radio was D-Star, and while D-Star is great and a lot of fun, I *had* to try DMR eventually. Unlike D-star, in the beginning, it was hard to come by dual band DMR radios, but a lot has changed since the DMR mode has matured in the Ham Radio community. DMR has its roots in commercial land mobile communications, typically business, municipal, and public safety services. The system was initially developed by Motorola and released as MOTOTRBO (TRBO for short). TRBO allowed the interlinking (via IP networks) of various repeaters and radio systems in the commercial world. Each system was often referred to as a zone and a zone consisted of one or more channels and/or talk groups.

Enter 2017, and DMR (compatible with TRBO) is now available by many 3rd party OEMs and even in dual band flavors!  My first DMR radio was the TYT MD-390 (A great radio!) but when I first purchased mine, I paid $179 for a UHF only version without GPS!  Definitely cheaper than your average D-Star radio (most D-Star radios average $350).  It is no wonder a lot of Hams flocked to DMR, you could get TWO DMR radios for the price of ONE D-Star radio!  That simple economic fact allowed DMR to explode and now DMR radios are everywhere, and significantly less expensive.

Recently, I purchased a pair of Radioddity GD-77 Dual Band DMR radios from a trusted vendor on Ebay for $169/pair shipped.  The radios are a bit thinner than the ubiquitous MD-390, and upon unboxing them, I soon realized they were decently made and came with the following items in each box (though I ordered a pair, each radio ships individually):

  • Radio
  • 2200mAH battery
  • Programming Software (Windows)
  • Programming Cable (USB)
  • Belt Clip
  • Antenna
  • Manual
  • Drop-in charger
  • Power cord

Everything you need to operate is in the box!  You just need to install the software and figure out how to program the radio, which is not difficult if you are used to doing this sort of thing.  You basically create channels, then zones, add contacts, add channels to zones, and put your DMR ID in the proper field.  For advanced users, you can enable “expert mode” in the programming software by holding down CTRL ALT SHIFT + F11, and then entering this password: DMR961510.

STERN WARNING: It should be noted that the radio does ship with apparently random frequencies programmed by the factory, and using these frequencies would put you in serious trouble!!! If you are a Ham, you are advised to program your radio with the proper frequencies before use. If you are not a licensed Ham, I recommend you use the radio on the MURS frequencies, or (dare I say it) on the FRS frequencies (the ones often used by the popular bubble pack radios frequently available in stores). DO NOT TRANSMIT ON THE RADIO UNTIL YOU PROGRAM IT TO PROPER FREQUENCIES, OR YOU COULD BE IN SERIOUS TROUBLE!!!!

The radio has a simple display (I actually like it more than the MD-390 display, as you can read it without the backlight, unlike the display on the MD-3X0). I had my radios programmed in 5 minutes, and was on the air in no time, without reading the manual. Who needs a manual anyway? I have two uses for my GD-77 (I am buying 3 more handsets): 1) Ham Radio, 2) FRS/MURS for family communications (keeping tabs on my kids as they play in the neighborhood). In the latter use (kiddie comms), some of the great features of these radios are that:

  • They can use traditional FM mode – makes them compatible with other non-digital (analog) radios commonly available in stores.
  • TWO WAY TEXT MESSAGING! (across a talk group or 1-on-1) – digital mode only.
  • In digital mode, range is slightly increased and there is NO noise or static.
  • In digital mode, eavesdropping is largely eliminated since most MURS/FRS radios use analog FM – BONUS!
  • In digital mode, these radios can make use of optional encryption just by turning it on – eliminating any eavesdropping opportunity – just as private as a cellphone!
  • In digital mode, you can have one or several “Talk Groups” or privately message 1-to-1 – not possible with traditional FM radios.
  • These radios can enable “remote monitor” which lets you command another radio to start transmitting for a preset time interval so that you can listen to nearby sounds, or conversation that is happening near the far unit.  This is FANTASTIC for keeping tabs on your kids!  There’s no visible indication when you “open their mic” and listen in on what’s going on around them!  This allows parents to proactively check-in on their kids!
  • Programmable buttons for quick sending of alerts or activating functions.

Amazon has the GD-77 with prime shipping for $89/radio.  This is perfect if you are an experienced radio user and quite convenient.

PARENTS & SCHOOLS:  I am willing to offer parents a value added service:  you can buy the radios through me, and I can pre-program them to proper frequencies & with some “secure” channels if you wish to buy several as part of a group.  With this option, you can simply unbox and use them.  If interested in this offer, please call 617-651-1492 and ask for John & I’ll be happy to help.  This offer is available to non-commercial & family end users only.   For commercial users, please look up your nearest radio shop/dealer.