New Home Infrastructure, including NextCloud: a network build

Hello!
I’ve upgraded my ‘home infrastructure‘. I talked earlier about the need to upgrade and being stuck with a 100Mb/s network. Now I have managed to spend some of my summer earnings on this upgrade, and this is what it looks like as of now.

My hardware setup (shipping included in the prices):
- 4G dongle, price: 75€
- TW-LTE 4G/3G router, price: 41€
- i3-2120 based server, bought second-hand from Huuto.net, price: 128€
- Fortigate FG-20C, the firewall, price: 47€
- Mobevo 4G antenna, price: 18,20€

- Total cost: 309,20€

In my last post on this subject I stated that I wanted a budget of 330-360€, which still leaves some room to upgrade this list if needed. Plus my brother decided to join the project, sharing the cost of the server and firewall, which lowers my stake significantly. We are also planning a backup server solution for later.

My software setup:
I am utilizing open-source software like Ubuntu Server, SSL/TLS, LUKS et al., which all cost 0€. This is really good; I’m not going to deploy any proprietary solution like Windows Server.

- Total cost: 0€

So what did I do to set it up? (NOTE: this is not a definitive guide or tutorial on how to do this, just how I did it; it might not work for you.)

1. Install Ubuntu Server 16.04. I followed basically all the steps here, except for only selecting “standard system utilities” in the software selection step. In this step I did set up disk encryption by selecting “guided – use entire disk and set up encrypted LVM” instead of the non-encrypted option in this guide.

2. After logging into the server locally I ran sudo apt install xubuntu-desktop gedit lamp-server^

3. Because I have a separate drive for my NextCloud install I had to edit the 000-default.conf file, which is the default apache2 http configuration file. NOTE that you have to do the same to the default-ssl.conf file if you plan on running https; just substitute default-ssl.conf for 000-default.conf below.
sudo gedit /etc/apache2/sites-available/000-default.conf
I changed the DocumentRoot to point to my secondary hard drive instead of the default /var/www/ location.
Then I changed the owner of that drive by running
sudo chown -R www-data:www-data /media/mydrive/

Then I manually downloaded NextCloud and extracted the files into my downloads folder. Because I’m lazy and I like to have a UI, I ran sudo thunar, which opens the file manager as root.
I navigated to my secondary drive, right-clicked the folder in question, selected properties, clicked the permissions tab and changed the access of www-data to “Read & Write”. Then I simply copied the files over from my downloads folder to the new location on the secondary drive.

However, I ran into a 403 error; after some googling I found a solution here.

A useful link I used in learning how to configure a web server.
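As an added example that is not part of the original post: a shell function that emits the vhost for step 3, including the <Directory> block that a DocumentRoot outside /var/www needs on Apache 2.4 (without it, the global "Require all denied" in apache2.conf answers with exactly a 403). The path /media/mydrive/nextcloud and the hostname are assumptions, since the post does not name them.

```shell
#!/bin/sh
# Added example, not from the post: generate the Apache 2.4 vhost for a
# NextCloud tree that lives on a secondary drive instead of /var/www.
# Assumed (not stated in the post): the files sit in /media/mydrive/nextcloud
# and the site is reached as cloud.example.invalid.
NC_ROOT="${NC_ROOT:-/media/mydrive/nextcloud}"
NC_HOST="${NC_HOST:-cloud.example.invalid}"

# Prints the vhost. Ubuntu's apache2.conf has "<Directory /> Require all denied"
# and only grants /var/www/, so a DocumentRoot on another drive returns 403 until
# it gets its own <Directory> block. AllowOverride All lets NextCloud's own
# .htaccess (rewrite rules, its own deny rules) take effect; -Indexes stops
# directory listings if an index file is ever missing.
nextcloud_vhost() {
    cat <<EOF
<VirtualHost *:80>
    ServerName $NC_HOST
    DocumentRoot $NC_ROOT

    <Directory $NC_ROOT>
        Options -Indexes +FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>

    # User files and config.php live here; never let Apache serve them directly.
    <Directory $NC_ROOT/data>
        Require all denied
    </Directory>
    <Directory $NC_ROOT/config>
        Require all denied
    </Directory>

    ErrorLog \${APACHE_LOG_DIR}/nextcloud-error.log
    CustomLog \${APACHE_LOG_DIR}/nextcloud-access.log combined
</VirtualHost>
EOF
}

# Usage (as root), same file the post edits; repeat for default-ssl.conf on 443:
#   nextcloud_vhost > /etc/apache2/sites-available/000-default.conf
#   apache2ctl configtest && systemctl reload apache2
#   chown -R www-data:www-data "$NC_ROOT"   # the chown from the post
```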

4. Then I went on to install the PHP stuff that NextCloud needs. I base these instructions on linux.com’s NextCloud tutorial, found here.
sudo apt-get install libxml2-dev php-zip php-dom php-xmlwriter php-xmlreader php-gd php-curl php-mbstring
sudo a2enmod rewrite
sudo service apache2 reload

Now you should see your website if you navigate to 127.0.0.1

5. Then I went on to create an SSL certificate.
I basically followed this guide to the letter.

6. Web-server hardening
I also more or less followed Odd Random Thought’s guide on server hardening. The exceptions I made were that I used custom iptables rules and ignored all the WordPress-specific stuff.

There has been a recent server weakness reported, so I decided to follow this article’s guide to protecting my apache2 install:
look here

I also decided to change the SSL port to a custom port.

7. Employing a hardware firewall. This is important: if you are going to host a server on the open internet you should do this. Every firewall config UI is different, but basically I told it to block everything except for a few tcp/udp ports. Remember, if you set a custom SSL port as I did, also configure your firewall to allow traffic through it.

I basically configured my router to DMZ my public facing network to the Firewall and then from there I re-route the traffic to the server.
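As an added example that is not part of the original post: a default-deny iptables rule set of the kind steps 6 and 7 describe (block everything except a few ports, including the custom SSL port), written for the server itself behind the hardware firewall. The custom port 8443, the LAN range and the use of SSH as the admin path are assumptions, since the post does not name them.

```shell
#!/bin/sh
# Added example, not from the post: a default-deny iptables rule set for the
# NextCloud host. Placeholders (the post does not give them): SSL_PORT=8443,
# LAN_NET=192.168.1.0/24, SSH on 22 reachable only from the LAN.
SSL_PORT="${SSL_PORT:-8443}"
SSH_PORT="${SSH_PORT:-22}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Emit the rules as text so they can be reviewed before anything is applied.
firewall_rules() {
    cat <<EOF
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -p tcp --dport $SSH_PORT -s $LAN_NET -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p tcp --dport $SSL_PORT -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
EOF
}

# Number of ports the rule set opens to everyone (not restricted to the LAN);
# a quick check that nothing extra has crept into the list.
public_ports() {
    firewall_rules | grep -- '--dport' | grep -v -- "-s $LAN_NET" | grep -c ACCEPT
}

# Apply as root. Persist across reboots with the iptables-persistent package
# or a boot script; without that, a reboot is back to an open host.
apply_rules() {
    firewall_rules | sh -e
}

if [ "${1:-}" = "--apply" ]; then apply_rules; fi
```

Run the file without arguments to print the rules for review, and with --apply (as root) to load them; the INPUT chain's last rule logs dropped packets at a bounded rate so the firewall log stays readable.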

After this you should be good to go.

My Cloud Setup
NextCloud: since February there has been a split within OwnCloud and that project has been forked, which now results in us having both OwnCloud and NextCloud. I like the NextCloud ideology of being more open-source and community based, in contrast to the more commercialized OwnCloud, so I went with NextCloud. Both of these platforms are still open-source, though OwnCloud has certain features locked to their commercial customers, while NextCloud has declared its intention to open-source those features. Some argue that OwnCloud’s business model is key to running a company based on open-source technology. Only the future will tell who will succeed, hopefully both!
You can read more about it here.


So the i3-based server will be used to host these services. The idea is for this setup to give me a Google Docs, Dropbox and Spotify-like service, so I can abandon them. I’m too stubborn to use Spotify (which I subscribed to when it was still new), so I have, for example, bought all the music I listen to, and I want a centralized place from which I can stream it, wherever in the world I am. I mean, what would be the point of spending *cough* hundreds of Euros on purchasing your favorite songs and supporting the artists, if you can’t stream or sync them to your devices?

I set up some of the default apps:

Even though I set up the default music app, there is a beta version of Ampache integrated with NextCloud. You can use it by going to Personal, which you reach by clicking on your profile name in the top right corner. Then set it up and configure your music client to connect to your NextCloud. Unfortunately it only seems to support .mp3 files for now, since it is still in beta. It also seems to have difficulty working under http. NextCloud has also got an integrated video streamer, which allows you to stream .mp4 files, but nothing else. All of these features are still in the early stages; I’m using NextCloud 9 and this will most likely change in future releases of NextCloud.

New network performance
The goal is to eventually reach a real speed of 65/35Mbps, though I doubt I’ll reach it where I live. When I tested the speed at my parents’ place, I got between 70-95/34-39Mbps. Back home in Turku I only get 29-47/15-28Mbps on speedtest.net. This means that outside the network the real client download speeds are around ~1.8-3.5MBps, compared to a stable speed of well over 4MBps from my parents’ place. The speeds measured at my parents’ place were similar to those taken at my home in Turku without the Mobevo antenna. The antenna had no effect in boosting the performance in Turku.

The future
I’m already planning a bunch of upgrades, though I don’t know which to go for. I want to build a custom router/firewall at some point.
Collabora Office is also something I’m looking into integrating into my NextCloud in the near future. The current word editing software is not good enough and Collabora is based on the powerful LibreOffice suite.

Sonera

So, in pursuit of building my ‘home infrastructure‘, I wanted to open up some ports and DMZ my Internet connection from the MF910 router to my Mikrotik router.

Sonera’s website does not explain in a good way why they insist on using locked firmware. I have a ZTE MF910 LTE wireless router. So I wanted to unlock its firmware to gain access to certain settings, like changing my APN to “opengate” and making it DMZ my internal network (thus sharing my WAN IP with my main router).

My experience
I stroll into the shop and wait ~30-45min before I get some service, and the place is not even full of customers. I explain my case to them and why I want to unlock it; the Sonera person is very kind, but is unable to help me because he doesn’t know how. He redirects me to their “Vikapalvelu”, which is supposed to be the place where the experts at Sonera are. I call them and get a sales person; I can tell because she does not seem proficient enough to understand me fully on a technical level. Imagine my reaction when I find out they have blocked certain ports on the ISP side, making it impossible for me to host my web servers online. I admittedly get pissed by this and move to end the call. You need to buy Sonera’s “opengate” service to get truly open internet. I however decide to swallow my hurt pride and go ahead and buy this service, which costs me 3€ extra a month. The reason is that I have a discount on my 150/50 LTE account which makes it less than 17€ a month, while the same account costs 20-25€ from other ISPs. When I get the opengate service I notice that I can’t change the APN settings to “opengate” to get the unblocked service.

So I call the ISP again, getting bounced between a few sales persons and waiting in queues until I finally get to the technical line. The technician explains to me that he understands my needs and what I’m after, which is a big relief, because most of the time my technical problems and know-how are above the customer service person’s know-how. The caveat is that he doesn’t know how to fix it, because he does not have access to the systems that can fix my problem. He kindly escalates the issue to their higher-ups. It takes them 3-4 business days to open up the firmware so I can change the available settings. Then I go and lock myself out of the MF910 router, which happens from time to time when I fiddle with new routers. I figure hitting the reset button will fix it and I’ll just start from scratch with my router configuration… BUT no, of course it loaded the old locked firmware, meaning I had to go through 1-2H worth of phoning and bouncing between customer service persons, sales people etc., then wait 3-4 days for their higher-up technicians to re-unlock my MF910. AND if I went and locked myself out again I would have to do this process a third time! Did I mention that these calls, waiting in line to be picked up by a customer service person etc., cost money per minute? Yes they do!

This process increases my phone bill and takes time out of my day, when I could be doing something else. Overall I maybe spent 4-5H in this mess without concrete results, plus an increased phone bill, so I just snapped and thought “F*** it!”. So I went and bought an unlocked USB LTE dongle for ~75€. Considering the cost of this process to me in terms of money, it was worth it! Calculating (4-5H*salary per hour)+(added euros on my phone bill for the received customer service)+(added hours of struggling with their customer service)+(business days waiting for Sonera to unlock their already stripped firmware, plus days of not having access to a cloud service) = much more than 75€. Oh, and don’t forget the opengate service. This is not the first time I’ve had a bad customer experience with Sonera, and all the Sonera people that I talked to were nice and polite. I have worked previously as a customer support agent and can appreciate the difficult customers these people have to deal with on a daily basis; it is not as easy as it might sound.

Sonera Open Gate costs just under 3€/month and their premium version just under 12€/month. I do speed tests frequently, and my download speed went from 27.56 to 46.81 Mbps; in other words, Sonera is nerfing my Internet speeds. I tested my equivalent DNA phone SIM, with no such issues and no opengate add-on service, so I can recommend them.