New Home Infrastructure, including NextCloud: a network build

Hello!
I’ve upgraded my ‘home infrastructure’. Earlier I talked about the need to upgrade and about being stuck with a 100Mb/s network. Now I have managed to spend some of my summer earnings on this upgrade, and this is how it looks as of now.

My hardware setup (shipping included in price):
-4G dongle: 75€
-TW-LTE 4G/3G router: 41€
-I3-2120 based server bought second-hand from Huuto.net: 128€
-Fortigate FG-20C, the firewall: 47€
-Mobevo 4G antenna: 18,20€

-Total cost: 309,20€

In my last post on this subject I stated that I wanted a budget of 330-360€, which still leaves some room to upgrade this list if needed. Plus my brother decided to join the project, sharing the cost of the server and firewall, thus lowering my stake significantly. We are also planning a backup server solution for later.

My software setup:
Utilizing open-source software like Ubuntu Server, SSL/TLS, LUKS et al., which were all 0€. Which is really good; I’m not going to deploy any proprietary solution like Windows Server.

-Total cost: 0€

So what did I do to set it up? (NOTE: This is not an absolute guide/tutorial on how to do this, just how I did it; it might not work for you.)

1. Install Ubuntu Server 16.04. I followed basically all the steps here, except for only selecting “standard system utilities” in the software selection step. In this step I did set up disk encryption by selecting “guided – use entire disk and set up encrypted LVM” instead of the non-encrypted option in this guide.

2. After logging into the server locally I ran:
sudo apt install xubuntu-desktop gedit lamp-server^

3. Because I have a separate drive for my NextCloud install I had to edit the 000-default.conf file, which is the default apache2 HTTP configuration file. NOTE that you have to do the same to the default-ssl.conf file if you plan on running HTTPS; just substitute default-ssl.conf for 000-default.conf below.
sudo gedit /etc/apache2/sites-available/000-default.conf
There I changed the DocumentRoot to point to my secondary hard drive instead of the default /var/www/ location.
Then I changed the owner of that drive by
sudo chown -R www-data:www-data /media/mydrive/

Then I manually downloaded NextCloud and extracted the files into my downloads folder. Because I’m lazy and I like to have a UI, I ran sudo thunar, which opens the file manager as root.
I navigated to my secondary drive, right-clicked the folder in question, selected properties, clicked the permissions tab and changed access of www-data to “Read & Write”. Then I simply copied the files over from my downloads folder to the new location on the secondary drive.

However, I ran into a 403 error; after some googling I found a solution here.

A useful link I used in learning how to configure a web server.

4. Then I went on to install the PHP stuff that NextCloud needs. I base these instructions on linux.com’s NextCloud tutorial found here.
sudo apt-get install libxml2-dev php-zip php-dom php-xmlwriter php-xmlreader php-gd php-curl php-mbstring
sudo a2enmod rewrite
sudo service apache2 reload

Now you should see your website if you navigate to 127.0.0.1.

5. Then I went on to create an SSL certificate.
I basically followed this guide to the letter

6. Web-server hardening
I also more or less followed Odd Random Thought’s guide on server hardening. The exceptions I made were that I used custom iptables rules and ignored all the WordPress-specific stuff.

There has been a recent server weakness reported, so I decided to follow this article’s guide to protecting my apache2 install: look here.

I also decided to change the SSL port to a custom port.

7. Employing a hardware firewall. This is important: if you are going to host a server on the open Internet you should do this. Every firewall config UI is different, but basically I told it to block everything except for a few TCP/UDP ports. Remember, if you set a custom SSL port as I did, also configure your firewall to allow traffic through it.

I basically configured my router to DMZ my public-facing network to the firewall, and from there I re-route the traffic to the server.

After this you should be good to go.
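As an added example that is not the author’s own configuration, the script below writes the kind of Apache 2.4 virtual host that step 3 describes (DocumentRoot on a secondary drive) together with the `<Directory>` block that Apache 2.4 needs before it will serve files outside /var/www, the usual cause of the 403 mentioned above. The paths and port are placeholders; the drive path /media/mydrive is the one used in step 3.

```shell
#!/bin/sh
# Added example (not the author's config): write an Apache 2.4 vhost that serves
# NextCloud from a secondary drive. Paths and port are placeholders.
# Apache 2.4 refuses to serve any directory that no <Directory> block grants
# access to, which is what produces a 403 right after moving DocumentRoot away
# from /var/www. AllowOverride All lets NextCloud's own .htaccess take effect.
write_vhost() {
    out="$1"      # target file, e.g. /etc/apache2/sites-available/000-default.conf
    docroot="$2"  # e.g. /media/mydrive/nextcloud
    port="$3"     # 80 for plain HTTP, or the custom port chosen for HTTPS
    cat > "$out" <<EOF
<VirtualHost *:${port}>
    ServerAdmin webmaster@localhost
    DocumentRoot ${docroot}

    <Directory ${docroot}/>
        Options +FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>

    ErrorLog \${APACHE_LOG_DIR}/error.log
    CustomLog \${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
EOF
}

# Check to run before "sudo service apache2 reload": returns 1 if the vhost's
# DocumentRoot has no matching <Directory> block with "Require all granted",
# the combination that leaves Apache answering 403 for every request.
vhost_ok() {
    f="$1"
    docroot=$(sed -n 's/^[[:space:]]*DocumentRoot[[:space:]]*//p' "$f" | head -n 1)
    [ -n "$docroot" ] || return 1
    grep -q "^[[:space:]]*<Directory ${docroot}/*>" "$f" || return 1
    grep -q '^[[:space:]]*Require all granted' "$f" || return 1
    return 0
}

# Demo on a temp file; the real one lives under /etc/apache2/sites-available.
tmp=$(mktemp)
write_vhost "$tmp" /media/mydrive/nextcloud 80
vhost_ok "$tmp" && echo "vhost grants access to its DocumentRoot"
rm -f "$tmp"
```

For the HTTPS vhost in default-ssl.conf the SSL directives from step 5 still sit alongside this; the block only covers the DocumentRoot/Directory pair.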

My Cloud Setup
NextCloud: since February there has been a split within OwnCloud and said project has been forked, which now results in us having both OwnCloud and NextCloud. I like the NextCloud ideology of being more open-source and community-based, in contrast to the more commercialized OwnCloud, so I went with NextCloud. Both of these platforms are still open-source, though OwnCloud has certain features locked for their commercial customers, while NextCloud has declared their intention to open-source these features. Some argue that OwnCloud’s business model is key for running a company based on open-source technology. Only the future will tell who will succeed, hopefully both!
You can read more about it here.


So the I3-based server will be utilized to host these services. The idea is for this setup to give me a Google Docs, Dropbox and Spotify-like service, so I can abandon them. Because I’m too stubborn to use Spotify (which I subscribed to when it still was new), I have bought, for example, all the music I listen to, so I want to have a centralized place from where I can stream it, wherever in the world I am. I mean, what would be the point of spending *cough* hundreds of Euros on purchasing your favorite songs and supporting the artists, if you can’t stream or sync them to your devices?

I set up some of the default apps.

Even though I set up the default music app, there is a beta version of Ampache integrated with NextCloud. You can use this by going to Personal, by clicking on your profile name up in the right corner. Then set it up and configure your music client to connect to your NextCloud. Unfortunately it only seems to support .mp3 files for now, since it is still in beta. It also seems to have difficulty working under HTTP. NextCloud has also got an integrated video streamer, which allows you to stream .mp4 files, though nothing else. All of these features are still in the early stages; I’m utilizing NextCloud 9 and this will most likely change in future releases of NextCloud.

New network performance
The goal is to eventually reach a real speed of 65/35Mbps, though I doubt I’ll reach it where I live. When I tested the speed at my parents’ place, I got between 70-95/34-39Mbps. Though back home in Turku I only get 29-47/15-28Mbps on speedtest.net. This means that outside the network the real client download speeds are around ~1.8-3.5MBps, compared to a stable well over 4MBps from my parents’ place. The speeds at my parents’ place were similar to those taken at my home in Turku without the Mobevo antenna. The antenna had no effect in boosting the performance in Turku.

The future
I’m already planning a bunch of upgrades, though I don’t know which to go for. I want to build a custom router/firewall at some point.
Collabora Office is also something I’m looking into integrating into my NextCloud in the near future. The current word editing software is not good enough and Collabora is based on the powerful LibreOffice suite.

Sonera
So, in pursuit of building my ‘home infrastructure’, I wanted to open up some ports and DMZ my Internet connection from the MF910 router to my Mikrotik router.

Their website does not explain in a good way why they insist on using locked firmware. I have a ZTE MF910 LTE wireless router, so I wanted to unlock this firmware to gain access to certain settings, like changing my APN to “opengate” and making it DMZ my internal network (thus sharing my WAN IP with my main router).

My experience
I stroll into the shop and wait ~30-45min before I get some service, and the place is not even full of customers. I explain my case to them and why I want to unlock it; the Sonera person is very kind, but is unable to help me because he doesn’t know how. He redirects me to their “Vikapalvelu”, which is the place that is supposed to contain the experts at Sonera. I call them and get a sales person; I can tell because she does not seem to be proficient enough to understand me fully on a technical level. Imagine my reaction when I find out they have blocked certain ports on the ISP side, making it impossible for me to host my web servers online. I admittedly get pissed by this and move to end the call. You need to buy Sonera’s “opengate” service to get truly open internet. I however decide to swallow my hurt pride and go ahead and buy this service, which costs me 3€ extra a month. The reason is that I have a discount on my 150/50 LTE account which makes it less than 17€ a month, while the same account costs 20-25€ from other ISPs. When I get the opengate service I notice that I can’t change the APN settings to “opengate” to get the unblocked service.

So I call the ISP again, being bounced between a few sales persons and waiting in queues until I finally get to the technical line. The technician explains to me that he understands my needs and what I’m after, which is a big relief, because most of the time my technical problems and know-how are above the customer service persons’ know-how. Though the caveat is that he doesn’t know how to fix it, because he does not have access to the systems that can fix my problem. He kindly escalates the issue to their higher-ups. It takes them 3-4 business days to open up the firmware so I can change the available settings. Then I go and lock myself out of the MF910 router, which happens from time to time when I fiddle with new routers. I figure hitting the reset button will fix it and I’ll just start from scratch with my router configuring… BUT no, it of course loaded the old locked firmware, meaning I had to go through 1-2H worth of phoning and bouncing between customer service persons, sales people etc., then wait 3-4 days for their higher-up technicians to re-unlock my MF910. AND if I went and locked myself out again I would have to do this process a third time! Did I mention that these calls, waiting in line to be picked up by a customer service person etc., cost money per minute? Yes they do!

This process increases my phone bill and takes time out of my day, when I could be doing something else. Overall I maybe spent 4-5H in this mess without concrete results and with an increased phone bill, so I just snapped and thought “F*** it!”. So I went and bought an unlocked USB LTE dongle for ~75€. Considering the cost of this process to me in terms of money, it was worth it! Calculating (4-5H*salary per hour)+(added euros on my phone bill for the received customer service)+(added hours of struggling with their customer service)+(business days waiting for Sonera to unlock their already stripped firmware, plus days of not having access to a cloud service) = much more than 75€. Oh, and don’t forget the opengate service. This is not the first time I’ve had a bad customer experience with Sonera, and all the Sonera people that I talked to were nice and polite. I have worked previously as a customer support agent and can appreciate the difficult customers these people have to deal with on a daily basis; it is not as easy as it might sound.

Sonera Open Gate costs just under 3€/month and their premium version just under 12€/month. I do speed tests frequently, and my download speed went from 27.56 to 46.81 Mbps; in other words Sonera is nerfing my Internet speeds. I tested my DNA equivalent phone SIM, with no such issues and no opengate added service, so I can recommend them.
Speed test screenshot: http://mattfolk.eu/kennet/wp-content/uploads/2016/06/speed-1.png

My latest impulse buy, the GMX-5 gaming mouse

Hello!

I decided to impulse buy myself a new mouse, the Exibel GMX 5. It has 6400 dpi and with the software drivers you get an [interpolated] 12800 dpi. Unfortunately for me as a Linux user there doesn’t seem to be any drivers, besides the plug-and-play ones. Though I’m still happy with the 6400 dpi, which is a significant upgrade from my old A4Tech OD-35D, which I estimate had a dpi of around 800. This mouse goes under the Clas Ohlson brand and is around 33€ from said place. The mouse is fairly heavy and sturdy compared to my old one, which doesn’t bother me or hinder my user experience.

With the OD-35D mouse, I started noticing that my aim in Insurgency was jumping slightly when I turned up the mouse sensitivity in the game settings. This mouse obviously doesn’t have that issue and is rather oversensitive while aiming and looking around in FPS games, though I’m still getting used to it. I haven’t tried other more expensive gaming mice and thus can’t compare it to those, but looking at this mouse’s specs it should be competitive. I do sometimes feel the need to crank down the sensitivity, which is easily done by two buttons above the scroll wheel; obviously one is for added sensitivity and the other for decreased. The color on the mouse indicates a certain sensitivity setting: red being 400 dpi, orange 800, green 1600, blue 3200, purple 6400 dpi.

In short, I can definitively recommend this mouse; it gets the job done!

Tha box!

Tha mouse!

Links:
Finland
http://www.clasohlson.com/fi/Optinen-pelihiiri-Exibel-GMX-5/38-5533-1
The UK
http://www.clasohlson.com/uk/Exibel-GMX-5-Optical-Gaming-Mouse/Pr385533001

My home infrastructure

Hello!

Haven’t updated the site since November 2015, so I thought I’d post an update. I have since set up a cloud service from home intended for my own use. It has been a learning curve having to set up all the software to host this, although I had significant prior knowledge of similar things, so it was easier than I thought. I want to keep these kinds of services under my control, services like the cloud or music streaming. After all, I spent lots of money buying the songs I listened to from Spotify back when you still could buy songs from Spotify. It is also a hassle to always back up or sync your playlists between your different devices.

From a security perspective I find it creepy to know that cloud services like OneDrive etc. actually utilize your data for marketing purposes and who knows what else. Even Spotify on Android wants access to much of your phone that isn’t necessarily related to the core service they provide. This means that your data is in one way or the other spread out over the Internet under different companies located in different countries and operating under different legislation. It could be as simple as your e-mail information being sold to third-party advertisers and you receiving lots of spam due to it, or, if it has fallen into the wrong hands, such as criminals, it could be used to do all kinds of nefarious stuff. Well, hosting everything yourself arguably isn’t more safe either, considering corporations may have better resources to encrypt data and so forth, while you need to have a lot of knowledge to effectively protect yourself.

Current Network
Anyway, the network that I employ at home includes a Mikrotik hAP router, an Odroid C1 server and a ZTE 4G ‘modem’. The hAP has 5 100Mb/s Ethernet ports; this has however proven to have become a limitation. It only offers me 9-12MB/s (~70-95Mb/s) and is the current bottleneck in my home-based cloud infrastructure. For those that don’t know the difference between “MB/s” and “Mb/s”: they measure the same thing, data transfer speed, but in different units. 1MB aka megabyte is the same as 8Mb or megabits; it can be confusing to get your head around.

The server hosts OwnCloud and Ampache. OwnCloud is a Google Docs + Dropbox type of service. My Odroid C1 suffers from the same issue as my router, a 100Mb Ethernet port. It is however surprisingly powerful; I used to use an old Pentium T4400 dual-core server, which struggled with the same task and was much larger than the Odroid C1.

Due to the router not supporting the kind of 4G router I’m using, I’m forced to connect the router to my 4G router via WiFi, providing me with much worse speeds than if I would connect it directly to my PC.
internet speed before

The Future
Well, there are problems with my current setup, which I started as an experiment into how to build a working LAN-based cloud network. However, I soon realized the limitations of the current network setup and have now started planning for an upgrade. My current thinking is to upgrade my server to the Odroid XU4, my router to the RB951G-2HnD and my 4G router to a ‘dumb’ router, namely the Huawei E3372, with a MIMO antenna. This would effectively bring my LAN network capacity to the Gigabit standard and should eliminate the router-via-wifi-to-4G problem. The estimated cost of this upgrade will be around 330-360€, which is a big investment considering I’m a financially poor Finnish student. The cost is the one factor holding me back since I need to secure the funds, so it remains a near-future project for now. I would also like to integrate a proper office suite into my OwnCloud install, thus hopefully rendering Google Docs completely obsolete in my case.