LINUX Unplugged - 322: Just Enough VPN
Episode Date: October 9, 2019
We reveal our secrets for bridging networks with WireGuard and Linux-powered networking. Plus the future of OpenPGP in Thunderbird, a disappointing update for the Atari VCS, and a shiny new Spotify client for your terminal. Special Guest: Martin Wimpress.
Transcript
Are you all packed up for our trip?
No, not at all.
But that's going to happen tonight.
Oh, yeah.
So I keep saying to...
Well, I got to do laundry first.
That's right.
I am totally going to do it after the show.
Wes and I tomorrow fly out to San Antonio, San Antonio, Texas for the Texas Cyber Summit.
Before the show, we were both checking in and realizing neither of us is prepared for those.
What about you, Cheesy?
Are you packed?
Yeah, I'm pretty much packed up.
I've got a few things to add, some swag to throw into the back of the vehicle, but other than that, yeah, I'm ready to go.
Looking forward to hanging out with you guys, obviously. I know that is going to be a lot of fun.
We got... well, Elle set us all up with an Airbnb, so we'll be, uh, hanging out at the Airbnb doing stuff. That'll be really good.
I feel like it's going to be kind of like Red Hat Summit was, where we all get to decompress at the end of the day and kind of wrap out for a few. And, like last time, we always get geeky sitting around talking about Linux when we get an Airbnb.
That's the greatest thing, to get to geek out in person.
Oh, hey.
Welcome into Linux Unplugged, your weekly Linux talk show.
My name is Chris.
My name is Wes.
Hello, Wes.
This is one of those episodes where we got together last week and we thought,
well, let's chat about next week's episode.
And about 10 hours later, we've got something really cool,
but we went down a few rabbit holes.
So hopefully we'll save you some time when you're trying to set up an ultimate LAN mesh.
Powered by WireGuard. WireGuard. WireGuard.
In fact, we'll talk a little bit about that because I think soon you'll be hearing much more about WireGuard. Let's hope so. Yeah, it seems like there's some pieces that are moving
that are going to kick things into high gear. And it turns out things are a bit more complex
than maybe you might appreciate, but some things are a little easier. So we'll get into how I bridged a mobile network with a LAN network using WireGuard
and making all the devices on each end of the LAN accessible to each other.
It's really neat, and it's essentially enterprise-grade networking tech,
like stuff that you used to have to pay Cisco tens of thousands of dollars to do,
and now it's baked right into Linux. And I don't know, maybe people haven't seen your RV,
but you don't have room for a network rack in there. So we'll talk so much more about that
in a little bit. Of course, we've got the community news. There's some good stuff in
there to get to, as well as our virtual lug. Time of appropriate greetings, Mumble Room.
Hello. Hello.
Hi, good to see you, Wimpy and Mini Mech and Bitten and Carl and Bruce, and I'm gonna say Act Nomad... can't quite see from across the room. What is it there? Read it for me there, Wes. Wes is closer.
Ace Nomad.
There you go, that's it. Hey, you got it. You got it. Nice. Ace Nomad, well, welcome in, glad to have you here. And of course Mr. Bacon's there too.
Hey, Cheesy.
Hey, hey, hey. What's up, everybody?
Oh, you know, getting ready to fly down to San Antonio.
Looking forward to seeing you.
Hell yeah.
Yeah, I think it's going to be nice to get a little shift in weather too from the Pacific Northwest.
More than a little shift.
Well, let's talk about some community news. And Linus kicks it off this week after, well, some not-so-surprising comments about Microsoft, I suppose.
I was going to say somewhat surprising, but if you know Linus, he's very pragmatic about these kinds of things.
So SJVN from ZDNet was at the Linux Plumbers Conference and put the question to Linus, how he feels about Microsoft.
Linus is then quoted as saying,
the whole anti-Microsoft thing was sometimes funny as a joke, but not really.
Today, they're actually much friendlier.
I talked to Microsoft engineers at various conferences,
and I feel like, yes, they have changed.
And the engineers are happy.
They're, like, really happy working on Linux.
So I completely dismiss all this anti-Microsoft stuff. Hmm. If you want more context, you can read the full article over at OMG Ubuntu. We'll
have that linked in the show notes. This to me sounds like an individual, Linus, that has to
interact with other individuals, Microsoft developers, on an ongoing basis and has formed
what is pretty much considered
a cordial working relationship.
I mean, I think it's very different from our perspective, watching development happen and
different parties interested.
Linus is right there in the mix of it all.
And yeah, he probably thinks about kernel development in terms of people less so than
as an abstraction far away.
You recall he had a very pragmatic stance about Android and the use of the Linux kernel,
and having really zero issue that people don't know
they're using Linux.
He's fine with that. That's not what we created Linux for.
So the whole
anti-Microsoft thing was sometimes funny
as a joke, but not really.
That's the line that stuck out to me
the most. Because he's kind
of like saying, the whole MS
dollar sign thing, it never really was all that funny. And it feels like in a couple of big ways, the community is being told, move on,
move on with the Microsoft stuff, move on with Richard Stallman, just let's just move on. And
it's a big ask, both of those things, and they both represent a massive sea change. And I think
that's why it's taking so much processing by everyone.
It kind of makes me think we need to be more nimble in general, right?
Like, it's not to say that Microsoft's going to be a great Linux ally forever.
We just need to judge it based on what's happening now.
And I don't mean to say forget the past, but also remember the present.
By the time we get it figured out, things will have changed.
Exactly.
Well then, moving on from that, let's talk about the future of OpenPGP in Thunderbird.
I love Enigmail.
It's my go-to first thing I install
when I have a new Thunderbird installation,
and it makes using GPG encryption really straightforward.
I can sign my messages really simply.
I can decrypt and encrypt them.
It's a great piece of software.
Yeah, something tells me if you had to go do this in the command line, you just wouldn't do it.
I mean, maybe like make my keys and stuff.
It's actually not so bad.
Like I suppose if you're just going to encrypt a text file and then attach a text file to an email, it's not that bad to do it from the command line.
But a whole email, it's really crazy, that workflow.
That's why I was a little surprised to see that Enigmail is essentially, for Thunderbird,
going away with the new releases of Thunderbird.
This is interesting, right?
Because people use it a lot.
It's kind of being depended on.
It has a pretty substantial feature set.
It is a really full-featured,
and sometimes maybe overly complicated,
piece of software.
But it appears that the Mozilla developers are actively working on not just improving the old code base of Thunderbird,
but integrating encryption support for OpenPGP directly into Thunderbird as a core feature.
Yeah, this is kind of huge.
I'm excited about it.
Yeah, I am too.
I think it's good. I think it's
good. I think it means more people have access to encryption. And having it built in means that
perhaps more people will use it. So using encryption becomes more of a norm, which I
think is tremendously important. But the Mozilla developers, the Thunderbird developers, and the
Enigmail developer are very upfront about the fact that the stuff that's going to be built into Thunderbird
will be nowhere near feature complete
as to what Enigmail could do.
Yeah, although Patrick Brunschwig,
the maintainer of Enigmail,
makes a good point here.
But in my eyes,
this is by far outweighed by the fact
that OpenPGP will be part of Thunderbird
and no add-on and no third-party tool
will be required.
And that's probably worth it, right?
If you need more features, I'm sure new add-ons will, you know, spring into existence and
well, go make a PR against future Thunderbird.
Yeah, Enigmail itself won't be moving forward.
They write that the new API is just nowhere near as feature-rich as the old web extensions
API that they could use to create extensions.
And there's just less stuff they can do now.
But overall, it makes Thunderbird a more secure product.
Yeah.
Patrick's going to continue to support and maintain Enigmail for Thunderbird 68
until six months after Thunderbird 78 comes out,
and will also continue to support Enigmail for Postbox,
which is running on a different release schedule.
What do you think, Wimpy?
Could the team pull it off?
Could they get you to switch back to Thunderbird? No. Never?
Interestingly, there was a period at which I had Thunderbird and Evolution installed on my machine
whilst I was evaluating Evolution. And I had a need to send a signed and also an encrypted email.
And I chose to do it with Evolution because that encryption integration is just better.
It's simpler too.
Yeah, it's simpler to use.
Yeah.
So I chose to use Evolution
to send my signed and encrypted emails.
So consequently, no.
You know, Thunderbird has served me very well for a very, very long time.
And it, you know, has been for me and is for many people a staple of the Linux desktop.
But I've found a new place to manage my email and I'm very happy with where I've landed.
Yeah, it is particularly straightforward and easy to use in evolution.
I say good on the
Thunderbird project,
though, for baking
this feature in.
I think your points
are well taken, Wes.
You know, we should
probably just step away
from the old show
here for a second.
Come here.
The cone of silence.
Let's not,
don't tell anybody this.
It's so cozy in here.
I love the cone.
Okay, I think
we got a problem.
Uh-oh. I don't know if this Atari VCS is gonna work out.
Do we have a problem, or do you have a problem?
Well, I mean, as the royal we, as a show, because I backed this thing for the show.
Oh, yeah, right.
I mean, not for myself. I backed it for the show, Wes.
Oh, here we go.
Oh, Wimpy's in the cone of silence. Yeah, so this is bad.
It looks like a designer who was contracted to work with Atari on the VCS has told the register that they haven't been paid going back over six months.
The consultancy has not been paid by Atari.
Yeah.
And he says as a small company, they're lucky to have survived this long.
Because it's been rough, Wes.
Yeah, I mean, if you don't have dollars coming in, how are you supposed to keep working?
Here's the concern I have.
This launch of this retro console that looks like the old Atari, running Linux,
that's supposedly going to have the ability to run other operating systems on it as well,
it's already late at this point. And it's also listed as one of the three operational goals for Atari in 2019, 20, and 2020, along, you know, adding more games to their portfolio. But
like, it's not here, and they're not paying their bills, and it's running super late. And the more
delayed it gets, the more a Raspberry Pi can do. And it's just getting more and more embarrassing in all of the ways.
So what's your bet?
Am I getting my Atari VCS ever?
No.
You think?
I don't think so.
No, never.
No, never.
You think never?
Never.
Yeah, I agree with Wes.
Now, the next question is, will you be refunded?
No.
You don't think I'm even going to get like a piece of crap hardware?
No, I didn't think this three years ago.
I thought it would be delayed.
I mean, I thought I'm like, well, of course it'll be delayed.
One of the reasons I backed it is I'm like, well, this is going to be a story.
So that part has been working out.
Yeah, it's definitely become a story.
That's for sure.
But I think it's interesting, too, where, you know, some people that have worked on the project that have chosen to remain anonymous
have basically said that the executives have no clue what's going on,
that they wanted to build a Linux-based OS, but it may not be,
that they were trying to sign a deal with Walmart,
but Walmart wanted them to be under the $250 price point,
so they just pull four gigs of RAM out of the machine, that they show up to a game conference with empty
shelves with no hardware in them. I don't know. I mean, it's all adding up to be pretty sketchy.
Yeah, that is sketch. Well, I congratulate them. Congratulations, Atari. You are continuing on in a long tradition of hardware fundraisers,
and we appreciate you keeping that culture alive, keeping it strong.
I would love to be proved wrong.
I would also love to be proved wrong.
I would love at least a little piece of hardware, a little something,
a little retro-looking piece of hardware that I could play video games on.
Godspeed.
Godspeed to you.
I hope you guys are wrong.
Jeez.
All right, let's change gears.
A little housekeeping here.
We just released a, I don't know, I wouldn't call it a breakdown so much, but maybe like
a guide to reverse proxy.
I was going to say just like a nerd out because we were all pretty excited to talk about it.
Yeah, that's true.
Yeah.
Thank you for joining us.
So Wes, Alex, and myself got together for a Jupiter Extras on how we do reverse proxy,
when we use Nginx, when we use Traefik, and how it all works with containers.
Yeah, why you might need a reverse proxy at all.
Plus, we talk about a bunch of really great applications and little tricks and tools
for like updating your Let's Encrypt certificates and your dynamic domain,
or your IP if you've got a domain name, and all these little tools that we use
to do our own sort of fundamental hosting
and reverse proxy.
So go check out extras.show slash 19 for that.
It's 28 minutes long, and hopefully you kind of will walk away with a pretty good concept
of how it all works.
And something we use quite a bit in production, we have Traefik now on two different systems
in production, and Wes Payne's making me a convert.
I was an NGINX man.
Yeah, I mean, I'm looking forward to playing with version 2 a little bit more,
so I'm sure we'll be talking about it again.
Hmm.
I should mention as well, with that extras.show release we did of reverse proxies,
we have another one coming out that is all about the basics of containers,
what it is at a fundamental level, and some things you need to know about them.
No hype, no sales. It's just Alex and I doing a breakdown of how containers work.
That'll be coming out in the extras feed as well. And then later this week, self-hosted.show
my home network for under $200. How I set up my whole home network for under $200.
That's in there. That's coming out in self-hosted this week. And then of course,
I should mention we're going to be in Texas tomorrow.
Tomorrow.
And this weekend as this show comes out.
So if you're in San Antonio, going to make it to Texas Cyber Summit or just in that area.
Come say hi to us.
Come say hi.
There will be a barbecue Thursday night or Wednesday night?
Wednesday night.
Wednesday night.
6 p.m. local time, I believe.
Yeah, you and I will just be landing around then.
So we may not make it to the very end if we make it.
But there will be a barbecue going, cheesy.
You'll probably try to make it to most of that, I would imagine.
Oh, yeah, I'll be there for sure.
I hear that the cake is not a lie.
It will, in fact, be there.
So come help us celebrate the unbirthday for Elle and Allie
and just kind of get together and hang out.
I think we have something like 30,
33 people so far signed up for that meetup.
People don't say no to barbecue.
Never do.
You don't say no to barbecue.
And Carl has vetted the barbecue for us.
So we know it's good.
I love that.
All right.
There you have it.
That's what you need to know about.
Moving right along now.
We, well, really me,
had a situation that was particularly challenging to solve.
In my home network, I am afflicted by double NAT.
We all have it from time to time, every now and then.
Maybe you're in a hotel.
Maybe you're going somewhere that's off of your regular beaten path, and you wind up, even though you tried your best, in a double NAT situation.
And you've got kind of a complicated setup.
I mean, you've got a mobile home, right?
Right.
So I frequently find myself in the double NAT.
Now, just a brief explanation of what I mean there.
By double NAT, I mean that my internet connection is getting a 192.168.1.something address, as if it were on a LAN. That is the quote-unquote public address that my router is getting.
So you've got NAT from your ISP regardless.
Yeah. So I'm on a 192 and then my LAN's also on a 172.16.0.0, whatever. So I have a NAT just for a day.
It's NAT all the way down.
This makes accepting inbound connections essentially impossible.
I can't SSH into my LAN.
I can't VPN into my LAN because of this double NAT situation.
It's the worst.
Yeah, no just easy "open up a port on your firewall and call it a day," right?
You don't have access to that.
Right.
But I demand, I demand full remote access, Wes.
The goal I wanted was to connect the studio network and my home network together.
So when sitting on either LAN, I could access systems from the other LAN.
Right.
I mean, you've been, as people following self-hosted, well, no.
You're doing all kinds of fun stuff.
Hosting things on all manner of gadgets. You've got your RV just automated and wired up
to the nines.
Yeah, this upcoming self-hosted
episode goes into some of that.
There's a lot of ways
you can solve this. Tinc VPN
is something we've talked about.
OpenVPN is very popular.
I suppose at the end of the day,
you could really just do it
with a SSH tunnel.
Sure.
There's also a lot of services
out there that'll, you know,
sort of forward those ports
along for you
and give you a port
on their public IP address.
But that's not really the spirit
of what we wanted to do.
Right, right.
I wanted to solve this
using some open source software.
Built-in stuff to Linux.
Oh, we could have used OpenVPN too,
but we wanted to mess around
with WireGuard
because it was a great opportunity
to learn what it's capable of
and what it's not capable of.
And there's some things that you,
there's some infrastructure
that you have to build yourself
when you're using WireGuard
that you might not with other solutions.
So a quick recap.
WireGuard is a new type of VPN connection available for Linux
that right now uses some very clever crypto called Zinc,
but sounds like possibly in the future we'll use the standard crypto
that's in the Linux kernel.
It creates a new interface on your box, a new network interface.
It shows up like any old interface.
Like eth0, now you've got wg0.
Yep, like just another interface, and you can up and down that interface.
When it's up, your VPN is established.
And you can interact with it like you would any other interface on your system.
It's so great that way.
Another nice thing about it is it's just minimal and clean and fast.
And unlike some other options
like OpenVPN say,
there's not as much
complicated stateful tracking
of like connection status
because all the cryptography
handles it
and you just basically
are shoving encrypted packets
at a host.
That host that's receiving it
knows that if it can read that,
it's got a big map
of allowed IPs
and which keys can send
from those IPs
and it just handles it.
So instead of having to make sure that your VPN's restarted correctly, if you've got your interface up and you have an internet connection, WireGuard's going to figure it out.
Now, the other thing that it does really well is it bounces back.
You know, WireGuard can get knocked down, but it gets back up every single time.
And this is particularly useful in an RV that's going down the road that sometimes will
have connectivity and sometimes will not. Sometimes I'll be parked in a national park that has
no wireless signal for miles. And then when I get back into civilization, I just want things to kind
of pick back up and start working again. No futzing. WireGuard's really good at that. To a
fault, it even bit Wes today as we were setting some of this up.
Yeah, we'd been testing things out.
So last night I was working on some of this, and I VPNed into the studio from home
and, of course, forgot to down that interface.
And then we're doing some troubleshooting, and I'm realizing, like, I can't ping that host.
What's happening? It's working on your machine.
And, of course, I was routing through WireGuard because it had just magically bounced back.
It reconnected, and it just, it does that. And that's one of the aspects that I really want
in this particular kind of setup. The idea being that when I do have connectivity, I can traverse
both LANs with ease as if there is a connection persistently through them. Right. I mean, you
might be doing a show, let's say remotely from the rig, and you want to come in and be able to mess with the mixer like you're on the local network.
The other reason why I really want to do this is I'm trying to
not expose any public ports on my home LAN.
So there's no inbound connections other than an outbound WireGuard connection.
So I have an outbound WireGuard connection on a Raspberry Pi in my RV
that runs Raspbian.
And then on there is
Docker, which is running Pi-hole.
So this is essentially my network
services Pi.
And on there, I have a
persistent WireGuard connection back
to the studio.
The neat thing about it
is WireGuard is pretty clever
on how it routes traffic.
It's pretty intelligent about that.
Yeah, you have all kinds of options,
especially if you're using
some of the nice,
like the wg-quick script
that comes with the WireGuard tool set.
As long as you've given it
the right information about,
you know, what IP ranges are in play,
it's going to run a lot of the right
iptables commands for you.
So you don't have to worry
so much about that. Yeah, that is really nice. I really appreciate that. And with a little
bit of extra clever DNS trickery, we've got this thing working pretty well. So let's talk about a
couple of the things we had to do to actually make this work. So we have an outbound connection
from my RV coming into the studio that from a box
here in the studio, just any one of these computers, I can now access the systems in my RV.
How did we make that possible? We had to do a bit of routing trickery, a little bit of DHCP trickery,
and a little bit of DNS. But at the end of the day, once you know what to do, it's only about
maybe a half hour's worth of work. Yeah. I mean, so once we've got the, you know,
our WireGuard VPN network, it's got its own IP space, right? And then there's an
IP space for the studio and there's a different IP space for your network at the RV. So basically,
we just had to make sure that both sides knew about the other one, right? So somewhere you
need to add a route entry that says, oh, if you want to get to space A, here's the machine to do
it, whether that's the Pi or whatever gateway box we've got here. For the most part, depending on
how you set it up, WireGuard will handle that, or you may need to add a routing entry somewhere
if you don't have that pushed from your gateway. So in your RV, we're using dnsmasq on the Pi-hole,
which is kind of great, and added a little bit of extra config that basically tells anyone who's pulling a DHCP lease
that, oh, hey, there's this additional network,
and to get to it, well, use me as a gateway.
We didn't quite have that option here at the studio
for really some boring reasons,
so we've just added some manual routes for the moment
to machines that need access back to your RV,
and that works just the same.
Yeah, and so every device at the RV
knows how to route back here,
but only select systems in the studio
can route to the RV,
which I kind of prefer anyways.
Yeah, I mean, my laptop doesn't need access.
No, and you know how to do it
if for some reason I needed your help with something,
so it's not like it's not a possibility.
And then we also used dnsmasq
to put some nice names
to all these different IP addresses.
Yeah, I mean, since we were already using Pi-hole,
and then took the opportunity to deploy another Pi-hole here at the studio,
and it's using dnsmasq under the hood, it's just so easy to add that stuff, right?
So we just added an extra file where we defined some new host entries
and statically add them for any of the ones we care about.
And that file, it just looks like a host file,
so you just put the machine and the IP in there and done.
Done. It's really easy.
And now all the machines that get that from the DHCP server can query that.
Now they can talk to each other by machine name.
And we have created, essentially, a little two-way tunnel using WireGuard
that involves no inbound connections to my home LAN.
Right. It's nice that way,
so that as long as you've got internet connection,
well, WireGuard's just going to go build up a tether
right here to the studio.
Yeah.
And, of course, you know,
what we may want to do down the line
is add a few other redundant connections.
We've got some, you know, VPSs out there in the cloud,
and we could add some there, too,
so that as long as your RV's got connection
and not all of our machines are down,
you're going to have a backdoor in.
Wes Payne, you're always watching my backdoor.
Now, we also decided to play around,
and really this is how this all got kicked off,
to tell you the truth,
with a tool called Subspace.
Not only does it have a badass name,
but it is a very elegant,
simple-to-use WireGuard VPN server, GUI.
Yes, friends, it's a graphical front-end
to WireGuard. It's called Subspace,
and it has
a couple of catches.
It really wants to own the box it's on.
Yeah, so this is coming from Portal.Cloud.
It's open-source, it's MIT-licensed,
and mostly based in Go.
And if you're just running this as
a machine, you want to have some VPS that you're going to connect
a whole bunch of other devices to
when you want to sort of form a VPN that way,
it is great,
especially if you don't want to customize any of your configs.
Subspace works very well.
Yes, I'll also just add a little side note here.
When I was messing around with Subspace,
I noted that Linode has a community image
that's ready to go with WireGuard all pre-installed.
WireGuard is not hard to set up
on pretty much all major distros
because it's all just, there's so many great guides.
But there are now some VPS images
that are one-click deployments with WireGuard ready to go,
and then you could just throw Subspace on top of it,
and you're done.
Yeah, I mean, we've been just running it from a container,
but since it's Go, I'm sure you could find
all manner of ways of running it.
Yeah, it's going to give you a UI to manage devices,
to manage keys, and while
we didn't test this aspect of it very much,
because we didn't require this,
it may also do some easy
name resolution for devices that are on
the VPN IP space.
Yeah, it turns out it's also running dnsmasq
and then adding host entries
as you add them, you know, configure them
and giving access to your VPN.
And that's really where Subspace shines is
the kind of trickiest part about WireGuard often
is managing all the keys that you have to keep
track of, especially once you've got, say,
5, 6, 10, 20 machines.
With Subspace, you've got them all
there as a list and you as the
administrator can go download those configs, modify them, mess with them if you need to.
Now, unfortunately, you're going to have to do that manually, and this is where some of the limitations of Subspace come in.
It seems to me like a project ripe for some community involvement, because right now it hasn't been updated in a couple months, and it sort of seems like it's probably just tossed over as an open source contribution, which is great.
I don't mean that as a bad thing. It just means it doesn't have a lot
of customization built in. Yeah. It's made by a VPS provider to just create something that's easy
for their customers to use. And I think it is very much sort of like, here's the open source
version of it. However, it's so fantastic, a little bit of love, and it could be perfect.
In our testing, I can't remember how long. I want to say 10 seconds
is how long it took me to get a WireGuard VPN created and connected on an iPhone.
Yeah, it just sent you the URL and the password and you were in.
It's so good because Subspace will create a QR code that contains all the config info
you need for the WireGuard VPN on the client. So as fast as my phone could read the QR code,
my VPN configuration was set up.
I tap in my iPhone PIN code once to add it to the network stack.
And at the network level, I can now WireGuard VPN from my freaking iPhone.
That's what's so great about WireGuard.
I mean, one of the many things that's so great, really,
is that the mobile clients have really come a long way, right?
Even on iOS, which feels like it should be a pretty foreign platform to WireGuard, those
apps are rock solid.
So Subspace is killer when you're just trying to create something that's really easy for
end users to consume as well.
Family members that you want to give remote VPN access to your LAN, maybe you have, like
for me, my notes now are on my LAN. They're offline and I use
WireGuard. Just I leave that persistently connected when I'm not home and I just access everything as
if I were there. And so it's such a great tool. Cheesy, I think you happen to be playing with
WireGuard over the weekend too. Yeah, so my use case is a little different. I wasn't necessarily
trying to connect to LANs. I just wanted something that whenever I was traveling,
I could easily connect through a VPN and kind of tunnel my traffic through and stuff.
And I connected to a private VPN provider. In my case, I'm trying out VPN.AC. There are a ton of
different ones out there, though I will say that WireGuard seems to be the least supported option
compared to OpenVPN. So you might
end up paying a little bit more for it. But I found that it was less expensive for me to buy
a yearly subscription than what it would cost me to run the cheapest Linode. Yeah, it is kind of
expensive if you're only using a VPS for WireGuard, you could do something like this and get just a hosted service. Were you
worried, though, about, you know, the like privacy or security implications of connecting to a third
party VPN versus one that you have a little more direct control over? Well, absolutely. I mean,
you know, that's always a concern. But I felt that given the use case, I think it's going to
work fine for me. I'm not overly paranoid about it. You're more thinking
like in the hotel scenario and you want to protect your traffic and you're not so worried about the
other end. Exactly. I wouldn't necessarily be opposed to using a hosted WireGuard service
provider. I think I heard NordVPN does it? Yeah, more and more are. Actually, I had an existing
account with one of the providers and I saw the other day they have WireGuard support.
Let's go around the horn in the Mumble Room.
Does anybody in the Mumble Room want to volunteer a rough overview of how they do a VPN solution if they have one?
I'm sure not everybody does,
but someone in there must be using a VPN for something.
Well, in fact, I have one.
I have a little dacha,
so I mean a little apartment in the Alps, in the Swiss Alps.
So I have direct access to this router, but it's using internal router software.
It's a Fritzbox.
I don't know if you know these in the United States.
They have good VPN solutions.
Cool.
So you can directly access this router, and from there you can
access whatever you want.
I wouldn't be surprised if
for a lot of people the answer is
don't use a VPN but just use SSH
because you'd be surprised what you can get away
with with port 40 and whatnot with just
SSH. What about you Wimpy? Do you have any
remote login
solutions? I mean you travel a
lot these days. You must every now and then
wish you could get back to your LAN. Yes, I do have VPN running. I've got VPN running on a
Raspberry Pi that is NATed through my router when I need to get to my home network.
Very nice. And also you're using the Pi, and do you find it to be sufficiently fast enough, even with the network limitations and whatnot of the Pis?
Yeah, once the key negotiation is out of the way, it's perfectly fast enough.
Because I'm usually just wanting to SSH in. I'm not wanting to stream video or anything like that.
Sure. Right. Yeah, yeah. Fair enough.
What about you, Carl? Do you have any remote access solutions when you're on the go?
Yes, sir. I'll use SSH tunnels pretty regularly.
I just got used to it for my day job, and it's just my go-to now.
Yeah.
I think that's probably, if somebody wanted like a hot take, I'd say don't use a VPN.
Use an SSH tunnel.
You know, one nice thing about doing it, the way you're doing it now too,
is sort of the dynamic DNS stuff, well, it doesn't really matter as much because you're not going that direction.
Right. The connections are all, they all start from the RV.
And so, which is great because that's where the connectivity is going to be the most hit and miss.
There could be days where there's no connectivity.
It's funny, as we were sort of testing this out both on the RV and here at the studio,
setting up those SSH tunnels just as back doors in case we messed something up.
That was handy more than once.
Yeah, yeah. One time we couldn't get into the WireGuard server,
so it was nice to be able to get into another machine on the LAN.
And then until the WireGuard tunnel was up from the RV,
we had really no way into the RV other than an SSH tunnel.
So I just was able to connect out in that case to a machine that we share,
and then we came back in over that machine. But there are a lot of different ways you can pull these tricks off. Even if you, like me,
suffer the plague of double NAT, there is a solution out there for you. And WireGuard may
be it, and SSH Tunnel may be it. And the other options out there like OpenVPN and others are
still perfectly viable. Wes and I just, we think you're going to be hearing a lot more about WireGuard
over the remainder of this year and early next year.
I think it's going to be a pretty big story as it gets merged into Linux kernel.
Yeah, there's already so much support, right?
I mean, we were able to get it working on a Raspberry Pi.
It took a little bit of doing here and there, but we got it to work.
There's already devices out there that have WireGuard support, routers that you can find. So there's all kinds of gadgets. And once it's
mainline, I'm sure there'll be more. We had a really brief but great opportunity to just have
a quick email exchange with the developer of WireGuard as we were doing some of the
preparation for this project. And, you know, it's hard to read much into just a quick couple of emails. But Jason seemed really accommodating to our questions, really clear-spoken, and really engaged.
Like he was right on answering the stuff.
He gave us really clear, concise answers to our questions.
And I just sat there for a moment thinking, how awesome is this?
At the end of it, I just said, you know, thank you for WireGuard.
Just thank you because it's such a great project.
And then to also have them answer our questions, you know, we're just a couple of local podcasters.
Yeah, he's very active in, you know, presentations.
And if you're more curious, too, there's a WireGuard mailing list that you can follow.
Stay tuned for updates.
Yeah, there will be updates coming.
He said to us that there will be some more significant developments over the next week or two.
And to keep an eye out for that.
Oh, boy.
Yeah, I think you will be hearing a lot more about it.
And I am elated with the setup now.
It's so slick to be sitting on either LAN and be able to get access to everything on either side from any machine.
And I think it's kind of just enough.
You know, WireGuard integrates so nicely with the rest of Linux.
It plays nicely with iptables and the iproute2 package
and all the modern Linux networking stuff.
Plus, since you don't have some daemon running somewhere,
if you're not touching it all the time, it's just simpler to administer,
and I think that's something that will give it staying power.
So I'm glad you said that, because I think that maybe was the unspoken piece that we haven't really made clear is what makes it so great is it's just enough VPN and then it works with all of the other things on Linux that you're used to working with.
So even an old blockhead sysadmin like me is able to work with something relatively brand new because I understand default routes, DNS, iptables,
like I get that stuff and all of that is applicable here. That's so great. And that, you're right,
it's just enough VPN and it's that perfect Unix philosophy where it's, you know, the right tool
for the right job and it doesn't do too much more than that. And we love it. Anyways, enough
fawning, I suppose, because we have an app pick this week
that Wes Payne built just for us.
He set up a container even for it.
It is truly something that the Internet's been demanding.
Spotify on the command line.
Finally, ladies and gentlemen,
you can have a Spotify UI written in Rust
on your command line.
Oh my, let's just come on now.
I know, you've been laying awake at night thinking to yourself,
life is great, except I can't run Spotify on the command line.
So why did you have to create an entire build environment?
Well, right now the release binaries they've got
over on GitHub
are only supported on macOS.
What?
And since this is Linux Unplugged,
that wasn't going to fly.
I know you're shocked to hear this,
but on the current setup on this laptop,
I didn't have the Rust build chain
already installed.
So what do I do but pull down a container?
So there's a Rust build
environment container? Yeah, of course.
An official one, even.
I love it. Yeah, so then you just use Cargo,
the excellent build tool,
install the package, and again, since it's Rust,
I just copied the built binary out of the
container onto my local system. Yeah, once it's built,
right, you're done. Good
to go. Why don't they just do that then?
Well, if you're developing on a Mac,
you have to set up a Linux build server.
You know what they have to do
is they could download this container.
Oh, that's a great idea.
Now, one little catch here.
It has a great little introduction
to help you go through the, like,
create an app,
and you have to get the token and the secret
so you can auth to it.
And apparently, somehow,
I actually signed into your account.
That's amazing.
I'm also not clear in that I'm just trying this now.
It seems like it's actually used to control another device.
Oh, yeah.
So when I loaded it up, it gave me like.
You were controlling the soundboard machine.
Yeah, the soundboard machine or I can control it running on an Echo, say.
Right, that's Spotify Connect right there.
Yeah.
So I don't know how that happens, since that's on your own machine, but it's,
it's great. And yeah, so the thing is, we were thinking, wouldn't it be fun just to have, again,
like some sort of device, like a Raspberry Pi or something, that's just sitting around with this
always going, and then you just could turn, turn on the speakers when you want to listen or not.
And I love a nice terminal user interface like this. It feels so clean. I don't have to
mess with anything else and it's right there in a terminal which I
always have open. Can I admit
something? Yeah, oh please do.
To me, that terminal
UI, this ncurses-style
layout, is easier
for my brain to process and understand
than the actual Spotify UI. That is
clean and simple
and well delineated.
I can understand all of that just by glancing at the screen.
You know what's also great?
You can use the arrow keys,
or it's got vi-style movements too, right?
It's fantastic.
Okay.
All right, there you go.
There you go.
I'm glad you got that in there.
We'll have a link to that in the show notes. Linuxunplugged.com slash 322 if you want to build it, if you have a Rust build environment
and want to build it. I want to make it clear, it's not ready to go out of the box, unless you're
on a freaking Mac, and then apparently it's just a brew away. What kind of? I'll tell you what.
Next week on macOS Unplugged.
All right, well, we're going to wrap up here, so Mr. Payne and I can go pack.
If you're going to be in the San Antonio area,
do come say hi to us.
Otherwise, we're back next week.
We're just down there for the weekend,
so it doesn't really impact the show production at all,
other than Wes won't be doing headlines.
No, we've got some fill-in, so...
And I'm not doing headlines.
No.
Neither one of us are doing headlines for the rest of the week.
We're done for the week. Woo-hoo!
If you haven't checked out the new daily podcast,
linuxheadlines.show,
it is a breakdown of the day's news events in Linux and open source in under three minutes.
Yeah, you know, if you don't want to go troll Hacker News and find out all the things that are happening in the world, we'll do it for you.
There is a really fair amount of research analysis that goes into that.
We have a team member, and that is their job.
Yeah, we're tracking trends, making sure we follow up on things.
It's not one of our on-air people. It's just somebody who's dedicated to that task
and puts a lot of work and research into the headline show.
Our staff in the newsroom.
That's right. We have a newsroom now.
All right. So we do this show live like next week over at jblive.tv.
We do it on a Tuesday.
We'd love to have you here.
Oh, please join us.
Yeah, we've got the virtual lug you can hang out in.
We've got the chat room.
Or you can just sit back and watch.
But there's a lot more show.
There's probably about an hour more show if you join us live at the beginning and at the end.
jblive.tv, Tuesday, 2 p.m. Pacific.
Or get it converted at jupiterbroadcasting.com.
Or if you want audio only, jblive.stream.
That's right. Gotta mention too, that's also a really nice low latency way to listen.
jblive.stream. Go check out
Wes: techsnap.systems.
I'm @ChrisLAS, the network @JupiterSignal.
Go find the Ubuntu podcast
too. Ubuntu podcast
dot org. Yeah, do that.
And go get Mr. Cheesy at Cheese Bacon.
That's right. All right, everybody.
See you next Tuesday!
Minimac, you're pointing out that that Spotify app
looks a lot like another famous command line music app.
Well, it was Cheese Bacon that pointed that out,
but I'm using cmus.
Ah, yeah, okay.
It is much easier for my muscle memory to look for songs
because just slash and then you do some letters
and then you get the songs you want.
That's so nice.
It's so easy.
It is so easy and it's so fast, you know?
Have we mentioned cmus before on the show? I don't know
that we have. I guess you did.
I'm going to put a bonus link in.
Now you even have GTK
3 integration when it comes
to notification and everything.
You can just launch
cmus in a terminal
and then you get
notifications for song change
and everything. I'm putting a link to that in the show notes.
That looks great.
By the way, I have a question about that Spotify tree.
Do you have to be registered for that
or can you just use it like that?
And do you have all the ads still?
You got to have a token, so you have to have an account.
Yeah, I had to go create like a new client.
Yeah, yeah.
And I think the ads are added in line to the audio stream itself.
Oh, okay, I see. Mm-hmm, mm-hmm, that's how they get you.
cmus is definitely an app pick you have to
look at if you just have one, because cmus is really great. I didn't
mention this in the show, but I've kind of, in the last three
weeks, four weeks, kind of started
re-evaluating how I'm doing my music, and I think I'm going to do more local music. What, more, all,
or... I'm going to try to just do all FLAC local music. All FLAC, even if I'm going to go
local, right. I've got a couple of different areas where I have speakers where I can really
tell the difference. And I'm like, well, if I've got two areas that I spend, one of them is my car, and I spend a lot of time in my car,
I can really hear the difference in the car speaker system.
So why not? Why not, right?
And I'm not going to rush. I'm just going to take my time.
You know, just do the right music.
Not waste a bunch of disk space.
Because really, you have a hybrid approach.
You have a streaming playing account.
You have access to all this cloud music.
So you just start collecting the things that really matter to you.
I blame Alex.
You know, all the self-hosted stuff he's really got me going
there. And now I'm loving it in the RV
because I can take all this stuff with me
offline wherever I go. You're no longer hooked
on the cloud. I am
so jazzed about self-hosting right now.
This is the perfect time to launch a self-hosted show.
Tell you what. On speakers,
have you guys noticed that the
Alexa device's favorite distribution is
Ubuntu? Did you guys see that this week? Yeah, what was that? I saw the headline go by,
but what does that mean? Well, just ask Alexa what its favorite operating system is. All right,
hold on. Okay, you're getting a trigger. You keep saying it. You want me to do it? I'll do it right
now. Do it right now. Alexa, what's your favorite operating system? I'm glad you asked. It's all about Windows.
What?
What?
She said it's all about Windows, dude.
I just asked her and she said it's all about Windows.
How dare she?
Did they change it already?
Did they already change it?
That's too funny.
I'll screw again.
All right.
Okay.
I'm going to ask her again.
You ready?
I'm sorry for everybody at home if I'm triggering your Echo devices here.
Alexa, what's your favorite operating system?
Definitely Windows.
Oh, man.
She's picking up all the Windows you're running on your network there.
That's what's going on.
You know what's interesting?
She shortened the answer, too.
It was a tighter answer this time.
I don't want to answer this again.
Holy crap.
What is going on there?
Alexa, what's your favorite operating system?
Definitely Ubuntu.
What the hell? Interesting.
That'll be on account of all the Ubuntu I'm
running on my network and all the Windows you're running
on yours. There's probably never been
a Windows box on this network in
the lifetime of that Echo device.
No, no, it's React OS. It's just getting
confused.
It's the country you live
in. You're in the Windows country.
Oh, it's because we're in Washington and it knows. That's what I thought. Yeah, we're in Redmond town.
I don't know if all those previous tweets were UK-based. Do we have any Cupertino-based friends
here to check in? Yeah, is anybody else, uh, anybody else got a lady tube near them that isn't in
Washington that could ask? Because, uh, somebody in the chat room asked or something. Because
what's not only weird about it to me, it's weird that she changes the answer. Like, that's something I've noticed they're
doing more and more, is she'll, like, give you a long answer and then she'll give you a short answer, and
then, with, like, somehow, like, if she thinks you're not very busy, she'll be like, by the way... Sometimes
she does it at the wrong time. By the way, did you know that? And then she'll tell you about something
else that they can do now that they've added. Like, yeah, it's very clever. It's very clever. I noticed that, you know, our family was
barking orders at, um, the Echo. And, um, I felt a bit bad about that because it felt rude.
So I started being polite and occasionally it acknowledges your politeness,
which is also a little bit creepy, but quite clever.
Like a little, you're welcome.
Yeah.
Oh, it's no problem.
Isn't that something?
It's kind of nice, though.
I mean, I suppose it's all trying to increase engagement.
And the more human it feels, the easier it is to talk to, and the more you'll talk to it.
Ding.
Yep, absolutely.
They're aggressive.
The Echo team is aggressive with these features.
Google is a little bit slower, and Apple is glacial.
Like, I am flabbergasted that the other lady tubes haven't ripped off whisper mode.
If you have an Echo, you've got to turn on whisper mode.
It's the best thing for night times.
Because if you whisper to it, she automatically recognizes that you're whispering and whispers the responses back to you.
That's so smart.
Super clever.
And there's a lot of little things like that.
Like now they have celebrity voices like Samuel Jackson
and they have like you can play with Jimmy Fallon.
I assume there's a Chris Fisher voice in the works.
Nobody's making a wiretap device
more appealing than Amazon these days.
I tell you what.
And it can order you packages
oh yeah that too
oh man
I wish my craft
would have been a thing