Block all traffic from a Geo-located country with UFW firewall on Ubuntu

I was noticing some really strange requests in my web server’s log files on a VPS that I manage. Requests that seem to be focused on finding vulnerabilities or exploits. Turns out most of the originating IP addresses are from China. Since the VPS is not behind a router or otherwise managed firewall device, I decided to investigate if I could just block all traffic from China to my VPS. Turns out the software “Uncomplicated Firewall”, better known as UFW, that I already had running can do this easily. If you’re new to UFW, have a look at this very comprehensive page showing how to set it up.

Here are two examples showing how to set up your UFW firewall to block IP addresses or ports based on geolocation. This should work on any system running UFW, but in this case I did it on a headless Ubuntu 18.04 system.
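The following script is an added example for this article, not code from the original post. It takes a file of IPv4 prefixes for one country (an assumption: one CIDR per line, the format the regional registries and most GeoIP providers export) and turns every valid entry into a UFW deny rule. The file name /root/cn.zone is a placeholder.

```bash
#!/bin/sh
# Added example (not from the original post): turn a per-country list of IPv4
# prefixes into UFW deny rules. Assumes a list file with one CIDR per line;
# where that list comes from, and how fresh it is, is your responsibility.
set -eu

# Accept only a syntactically valid IPv4 CIDR: a.b.c.d/0-32 with octets 0-255.
valid_ipv4_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' || return 1
    addr=${1%/*}
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# ufw_geo_rules <cidr-file>: print one "ufw insert 1 deny" command per prefix.
# "insert 1" matters: UFW, like iptables, stops at the first matching rule, so
# a deny appended after an existing "allow 80/tcp" would never be reached for
# port 80. The "comment" keyword needs ufw 0.35 or newer (18.04 ships 0.36).
ufw_geo_rules() {
    while IFS= read -r raw || [ -n "$raw" ]; do
        cidr=$(printf '%s' "$raw" | sed 's/#.*//; s/[[:space:]]//g')
        [ -z "$cidr" ] && continue
        case "$cidr" in */*) ;; *) cidr="$cidr/32" ;; esac   # bare address: host rule
        if valid_ipv4_cidr "$cidr"; then
            printf 'ufw insert 1 deny from %s to any comment geo-block\n' "$cidr"
        else
            printf 'skipping malformed entry: %s\n' "$raw" >&2
        fi
    done < "$1"
}

# Typical use (as root): generate, read through, then apply.
#   ufw_geo_rules /root/cn.zone > /root/geo-block.sh && less /root/geo-block.sh
#   sh /root/geo-block.sh
# Undo: "ufw status numbered | grep geo-block", then "ufw delete <n>" per rule.
```

Two caveats before running it on a live box. `ufw insert 1` fails with "Invalid position" when the rule set is still empty, so add your normal allow rules first. And a whole country is thousands of prefixes; UFW turns each one into its own iptables rule, which makes `ufw status` and rule changes slow. For lists that size an ipset or nftables set is the better tool, and the list covers IPv4 only, so repeat the exercise for IPv6 if your VPS has it. Treat geo-blocking as noise reduction, not as access control: the same scanners can rent a VPS in any other country.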


Configuring DNS-Over-HTTPS on RaspberryPi running Pi-Hole

In this article I will show you all the steps you need to set up DNS-over-HTTPS from Pi-Hole to Cloudflare on a Raspberry Pi running Pi-Hole on Raspbian Stretch. The DNS-over-HTTPS proxy runs inside cloudflared, the same daemon Cloudflare ships for its Argo Tunnel product, but in this role it is only a local DNS forwarder that talks HTTPS upstream, not a tunnel into Cloudflare’s network. Now you might think to yourself: what does all this even mean? Let me explain…

A Raspberry Pi is a really cheap tiny computer with very low power consumption. These tiny computers cost between 30 and 50 euros/dollars and are ideal for people who often mess around with computers and everything related to them, like me for example. But they’re also interesting for people who want to keep their power consumption at home as low as possible but still want certain services to run 24/7. I’m one of those people too, especially since I saw my most recent electricity bill from the energy provider. It showed that I use more power than a family of five does on average. I live alone…

One of the reasons I want certain devices to run 24/7 is because they are hosting some services that I want to be available at all times. Like a DNS server, for example. Pi-Hole is basically a DNS server that also blocks ads, for all the devices in your home network. Technically it’s not a full DNS server but a local forwarding resolver, but that’s not important right now. I started using Pi-Hole about two years ago and nowadays my network feels incomplete without a Pi-Hole running in it. It also keeps statistics that you can view in a simple web interface, as shown below. Read more about it here.

(screenshot: pretty-stats, the Pi-Hole statistics web interface)

Pi-Hole will resolve all DNS queries for every device in your home network. To resolve queries and send the answers back to the clients, Pi-Hole uses one or more upstream DNS servers like 1.1.1.1 or 8.8.8.8. DNS queries from my Pi-Hole to the upstream DNS servers are not encrypted in any way. This means that my internet provider can monitor all these queries that I send out to the internet. In other words, they know what websites I visit, and they monitor this and keep the log files for a certain amount of time. I’ve never really cared much about this, and I use a VPN when I don’t want them to see what I’m doing. But with all the things that are going on right now in the realm of the world wide web, and with all the changes that have happened that I disagree with, I have become more aware of the benefits of securing as much as you can against prying eyes. Having said this just now, I started to nostalgically think back to the early days when the internet still felt like a playground for people like me, in anarchy, and it was completely free and it opened so many possibilities that we couldn’t even predict back then. Good days, good days. I miss those.

Recently I stumbled upon an article that explained the benefits of using HTTPS to secure DNS queries. This caught my interest so I did all the things the article suggested and within a couple of minutes a functional Pi-Hole with DNS-over-HTTPS was up and running. I figured that I might want to build this setup again at some point in the future, so I documented what I did, and since I was doing that, it was little effort to also post it here.

The upstream DNS servers we will be using are hosted by Cloudflare. They changed the way many of us think about public DNS when 1.1.1.1 went live on April Fools’ Day 2018, and their resolvers are noticeably faster than the public Google DNS servers. I wrote something about this earlier that you might want to read as well.

I’m assuming that you have already set up Raspbian on your Raspberry Pi and that it is connected to the internet. I used Raspbian Lite, but this works exactly the same on the full desktop version of Raspbian. Since I use the root account there’s no need for me to enter ‘sudo’ before the commands, so forgive me if I have forgotten to include sudo in some of the command-line instructions below. You should never work as root but with a regular account that has sudo rights. So if you see that a command is not working for you, try it again with sudo in front of it.

We’re going to begin with the installation of Pi-Hole on a freshly installed system. When this is running we install a small daemon from Cloudflare, cloudflared, which accepts Pi-Hole’s upstream queries on localhost and forwards them over HTTPS. I chose to use Cloudflare’s really fast servers 1.1.1.1 and 1.0.0.1, but you can use any of these servers that support DNS over HTTPS. Eventually we will configure Pi-Hole and cloudflared to work together hand in hand, so that no query leaves the Pi in the clear.

Enough chatter that barely anybody will read anyway, so let’s get started!
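Before the installation steps, here is what cloudflared actually does with a query from Pi-Hole, as an added example written for this article (illustration code, not Pi-Hole’s or cloudflared’s own source). It builds the wire-format query that a plain resolver would send in clear text over UDP port 53, shows the HTTP request that a DNS-over-HTTPS client POSTs to https://1.1.1.1/dns-query inside TLS instead, and parses a reply. The reply bytes are constructed by hand (192.0.2.1 is documentation address space) so the script runs offline and sends nothing anywhere.

```python
"""Added example for this article: what a DNS-over-HTTPS forwarder such as
cloudflared does with a query from Pi-Hole. Illustration code, not Pi-Hole's or
cloudflared's own source. The sample response is constructed by hand so the
script runs offline; nothing is sent to the network."""
from __future__ import annotations

import struct

DOH_ENDPOINT = "https://1.1.1.1/dns-query"  # Cloudflare's RFC 8484 endpoint


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """RFC 1035 wire-format query (qtype 1 = A). These exact bytes are what a
    plain resolver sends in clear over UDP/53, which is what an ISP can log."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    )
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def doh_request(query: bytes, host: str = "1.1.1.1") -> bytes:
    """The HTTP request a DoH client POSTs inside TLS to port 443. RFC 8484
    expects HTTP/2 on the wire; HTTP/1.1 framing is shown because it is
    readable. txid 0 keeps identical queries cacheable by the HTTP layer."""
    head = (
        "POST /dns-query HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Content-Type: application/dns-message\r\n"
        "Accept: application/dns-message\r\n"
        f"Content-Length: {len(query)}\r\n\r\n"
    )
    return head.encode("ascii") + query


def _read_name(msg: bytes, off: int) -> tuple[str, int]:
    """Decode a domain name at `off`, following RFC 1035 compression pointers.
    Returns the name and the offset just past it in the original byte stream."""
    labels: list[str] = []
    end = None
    hops = 0
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:  # two-byte pointer into an earlier name
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:  # refuse pointer loops in a malicious response
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end if end is not None else off


def parse_answers(msg: bytes) -> list[tuple[str, int, str]]:
    """Return (owner, ttl, rdata) per answer record; A records are rendered as
    dotted quads, anything else as hex. Rejects non-responses and error rcodes."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    if flags & 0x000F:
        raise ValueError(f"server returned rcode {flags & 0x000F}")
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4  # qtype + qclass
    answers = []
    for _ in range(an):
        owner, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        text = ".".join(map(str, rdata)) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append((owner, ttl, text))
    return answers


# Constructed reply to build_query("example.com"): flags 0x8180 (QR, RD, RA),
# one question, one A record whose owner is a pointer (0xC00C) back to the
# question name. 192.0.2.1 is documentation address space, not a real answer.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    q = build_query("example.com")
    print(doh_request(q).decode("ascii", "replace"))
    print(parse_answers(SAMPLE_RESPONSE))  # [('example.com', 300, '192.0.2.1')]
```

The thing to notice is that the DNS message itself is identical in both cases; DoH only changes the envelope. With plain DNS the query is the UDP payload and every hop between the Pi and 1.1.1.1 can read it; with DoH the same bytes are the body of a POST inside a TLS session to port 443, so an on-path observer sees a connection to Cloudflare and nothing about the names being asked. Cloudflare still sees every query, of course; the setup moves trust from your ISP to Cloudflare, it does not remove it.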


Elon Musk speaks with Joe Rogan podcast

Joe Rogan’s podcast from last Thursday where he speaks with Elon Musk has gotten a lot of attention the last couple of days. Mostly because Elon smokes a joint with Joe. I personally don’t think that’s a big deal and I know that this happens regularly on Joe’s podcasts so I don’t see what all the fuss is about.

What I find far more interesting is the talk itself, because in two and a half hours it’s possible to talk about many things, and they do talk about a lot of interesting subjects. Mainly the subject of A.I. and Elon’s view on it is very noteworthy. So just press play and listen to the whole podcast while you do something else in the meantime, like clean your house or do the dishes or whatever 🙂

Gutenberg is coming to WordPress! Soon!

Gutenberg, a feature that has been under development for a while now, will be released with version 5 of WordPress in the very near future. Until then, it can be installed as a WP plugin if you want to try it out. I’m pretty excited about this because it looks pretty awesome to me. The designers are already thinking ahead, and here is how they see the future of the internet and what Gutenberg’s role will be in it.

https://www.youtube.com/watch?v=08Cav2SkUO4

Google Assistant for Android

If you are an Android user, you have probably found a new app called Google Assistant on your mobile recently. It took them long enough! I read an article that said all Android users living in the Netherlands would receive the app in the next couple of days. I waited for a while, and then a bit longer, and in the end I waited well over a week, when I sort of gave up hope. I figured that my version of Android was probably too old or something.

But today I was looking for a specific app and that’s when I found my recently installed Google Assistant. Of course I introduced myself to her first. She knows my name now. I’ve been messing around a lot with it since then, to see where it can go and where it won’t go. Anyway, it’s fun for the whole family to speak with the Google Assistant. If you’re not sure whether you have it on your mobile, you can always install it from here: Google Assistant – Apps on Google Play. For those who don’t know this… you interact with her by using your voice. She understands Dutch perfectly and will answer you in Dutch. I find this very useful when setting my alarm or adding things to my to-do list, for example. It’s fun, check it out!

Digital LSD

Have you ever used a hallucinogenic drug in your life? If so, then the following video might put a smile on your face, because this “digital LSD” really works. See for yourself. But this experiment is perhaps even more fun for people who have never used any hallucinogenics but are a bit curious to find out what the effects are like. No worries, you won’t have to take any drugs. The only thing you need to do is watch the following video, and once you hear the voice say that you can look away, look around at the environment you are in. What you see then only lasts a couple of seconds, so make sure you look around. The effect is the result of tricking your eyesight with the technique used in the video.

Client setup for OpenVPN on Raspbian

In my previous post I explained how to set up an OpenVPN server on Raspbian (April 2018 release) on any model Raspberry Pi. Here’s how to create the client certificate and configuration that you can import into your OpenVPN client app on your desktop or mobile. All these commands are to be entered in the console as root user on the Pi.

cd /etc/openvpn/certs
# easy-rsa 2 variables from the server post (KEY_DIR is ./keys)
source ./vars
# creates keys/client.crt and keys/client.key; the key is unencrypted,
# use ./build-key-pass client instead if you want a passphrase on it
./build-key client
mkdir /etc/openvpn/client
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/client/client.ovpn

Edit the client configuration file client.ovpn and make sure the options shown below are set. Lines starting with ; or # are comments to OpenVPN.

nano /etc/openvpn/client/client.ovpn

client
# the sample file ships with this placeholder; replace it with your server's
# public name or IP and the port it listens on
remote my-server-1 1194
proto udp
dev tun
persist-key
persist-tun
nobind
# dropping privileges after start only works if that account exists on the
# client, so these stay commented out until you have created it
;user openvpn
;group openvpn
# refuse to connect to a peer whose certificate was not issued for server use
remote-cert-tls server
auth SHA512
verb 3
# these four files are looked up next to client.ovpn; the names must match
# what build-key produced above (client.crt/client.key)
ca ca.crt
cert client.crt
key client.key
tls-crypt ta.key
# must match the server; compression is deprecated and exposes tunnel traffic
# to VORACLE-style oracle attacks, so remove it on both ends when you can
comp-lzo
# must be a subset of the server's list; the GCM suites are the ones you want
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA

# bundle the certificate material and the config; each -C changes directory for the names that follow it
tar cJf /etc/openvpn/client/client.tar.xz -C /etc/openvpn/certs/keys ca.crt client.crt client.key ta.key -C /etc/openvpn/client/ client.ovpn

You should now have an xz-compressed archive called client.tar.xz in the directory /etc/openvpn/client. It contains the client’s private key, so move it with scp or a USB drive rather than anything that leaves copies behind, import it on the device that has the OpenVPN app and from which you want to connect, and delete the archive from the server afterwards. Unpack all four files next to client.ovpn, because the ca, cert, key and tls-crypt lines refer to them by bare file name.
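Most mobile OpenVPN apps import a single .ovpn far more reliably than a config plus four loose files. As an added example that is not part of the original post, this function folds the four files from the archive above into the config as inline blocks. The file names are the ones this post uses; the directory arguments and the output name bundle.ovpn are assumptions.

```bash
#!/bin/sh
# Added example, not from the original post: fold ca.crt, client.crt,
# client.key and ta.key into the .ovpn as inline <ca>/<cert>/<key>/<tls-crypt>
# blocks, so a single file can be imported on the phone or laptop.
set -eu

# build_inline_ovpn <client.ovpn> <directory holding the certs and keys> <output file>
build_inline_ovpn() {
    conf="$1"; keys="$2"; out="$3"
    # Copy every directive except the ones that point at files on disk
    # (tls-auth is listed too, in case the server was set up with it instead).
    grep -Ev '^[[:space:]]*(ca|cert|key|tls-crypt|tls-auth)[[:space:]]' "$conf" > "$out"
    for pair in ca:ca.crt cert:client.crt key:client.key tls-crypt:ta.key; do
        tag=${pair%%:*}
        file="$keys/${pair#*:}"
        if [ ! -r "$file" ]; then
            printf 'missing %s\n' "$file" >&2
            rm -f "$out"
            return 1
        fi
        printf '<%s>\n' "$tag" >> "$out"
        cat "$file" >> "$out"
        printf '</%s>\n' "$tag" >> "$out"
    done
    chmod 600 "$out"   # the bundle now carries the client's private key
}

# Typical use on the Pi, then copy only bundle.ovpn to the device:
#   build_inline_ovpn /etc/openvpn/client/client.ovpn /etc/openvpn/certs/keys /etc/openvpn/client/bundle.ovpn
```

OpenVPN does not care where in the file the inline blocks sit, and it tolerates the human-readable certificate dump that easy-rsa 2 writes above the PEM block in client.crt. The same handling advice applies as for the archive: the bundle is a credential, so copy it over a channel you trust and remove it from the server once it is on the client.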

OpenVPN on Raspbian (Raspberry Pi)

This weekend I heard a friend say that he wants to turn his Raspberry Pi into a VPN server. Since I still had an old Raspberry Pi lying around, I decided to install the latest version of Raspbian on it (April 2018 release), install OpenVPN on it, record how I did this, and show my friend how he can easily do the same on his Raspberry Pi. All the commands I use in the video are listed on this page below.


Public DNS servers 1.1.1.1 and 1.0.0.1

I’ve been using the public Google DNS servers 8.8.8.8 and 8.8.4.4 for several years now. It was once said that using these DNS servers would result in a noticeable speed increase compared with the DNS servers that your internet provider makes you use. I started using the Google servers and the addresses immediately got stuck in my head, so I haven’t stopped using them since. Until today, that is…
I’ve always really liked the easy-to-remember, and simply awesome, addresses 8.8.8.8 and 8.8.4.4. I was happy with the response times and I never had any issues or complaints either. So why change? I’d better have a damn good reason for making this choice! Well, obviously I do!

Yesterday somebody told me that he switched to 1.1.1.1 as primary DNS server and 1.0.0.1 as secondary. He also mentioned that the response times are fast af! That info immediately drew my attention, so I decided to investigate further as soon as I got home. Turns out that these servers are indeed fast and have good test results. I also learned that the good people at Cloudflare are behind it (Wiki). I’m pretty sure that remembering these new server addresses will not be a problem either.

I’m looking for speed when it comes to DNS servers. I want to use the fastest DNS servers in existence. The more speed, the better. Naturally I also want them to be reliable, safe, and respectful of my privacy. It turns out that 1.1.1.1 & 1.0.0.1 are all these things and more. So I will be saying my goodbyes to 8.8.8.8 & 8.8.4.4, and at the same time I will be welcoming 1.1.1.1 & 1.0.0.1 with open arms. Would you like to learn more? Or do you need a step-by-step guide on how to change which DNS servers you use? Just visit the website.