Tag Archives: HowTo

Using an HTTP proxy when a VPN is used

Background: When I connect to my University’s VPN service I need to use an HTTP proxy in order to access the WWW. I use GNOME and NetworkManager. The Openconnect plugin manages to establish the VPN connection nicely, but previously I had to enable the proxy in Firefox manually afterwards. This is my solution for setting GNOME’s HTTP proxy settings automatically when a VPN connection with the name “UniHH” is established; it works by using a script in /etc/NetworkManager/dispatcher.d.

This is my 10_enablevpnproxy (needs permission 755; NetworkManager only runs dispatcher scripts that are owned by root and not writable by group or others):

#!/bin/sh -e
# Script to set up the University of Hamburg web proxy when the Openconnect VPN is connected
# credits to https://wiki.ubuntuusers.de/NetworkManager/Dispatcher/

VPN_CONNECTION_NAME="UniHH"
USER="spaetz"

# VPN connection started or stopped?
case "$2" in
    vpn-up)
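    # Test grep's exit status directly: with -q it prints nothing, so its
    # output cannot be stored in a variable and tested afterwards.
    if ! nmcli -t --fields NAME con show --active | grep -q "${VPN_CONNECTION_NAME}"; then
        # Irrelevant VPN started, do nothing
        exit 0
    fi
    # VPN to UNI HH was started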
    # gsettings will fail if dbus is not launched with:
    # "dconf-WARNING **: failed to commit changes to dconf: Cannot autolaunch D-Bus without X11 $DISPLAY
    sudo -u "$USER" dbus-launch gsettings set org.gnome.system.proxy mode 'manual' 
    sudo -u "$USER" dbus-launch gsettings set org.gnome.system.proxy.http host 'proxy.uni-hamburg.de'
    sudo -u "$USER" dbus-launch gsettings set org.gnome.system.proxy.http port 3128
    ##gsettings set org.gnome.system.proxy.ftp host 'proxy.localdomain.com'
    ##gsettings set org.gnome.system.proxy.ftp port 3128
    sudo -u "$USER" dbus-launch gsettings set org.gnome.system.proxy.https host 'proxy.uni-hamburg.de'
    sudo -u "$USER" dbus-launch gsettings set org.gnome.system.proxy.https port 3128
    sudo -u "$USER" dbus-launch gsettings set org.gnome.system.proxy ignore-hosts "['localhost', '127.0.0.0/8', '10.0.0.0/8', '192.168.0.0/16', '172.16.0.0/12' , 'fc00::/8' , '*.fritz.box' ]"
        ;;
    vpn-down)
    # Disable all proxies on VPN shutdown, this might be too simple
    # for your case, it works for me.
    echo "VPN connection was stopped"
    sudo -u "$USER" dbus-launch gsettings set org.gnome.system.proxy mode 'none'
        ;;
esac
exit 0;

The script is run as root by NetworkManager, so I needed to hardcode the user whose proxy settings I want to modify in the script. And admittedly the part about calling sudo -u $USER dbus-launch multiple times is quite clumsy and should be solved more elegantly. The problem is that gsettings a) needs to run as the user whose values we want to change and b) needs access to a running D-Bus session, or it will spit out:

Cannot autolaunch D-Bus without X11 $DISPLAY
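
A tidier variant of the dispatcher script, as an added example that is not the author's code: it matches the connection name exactly and applies all settings through one sudo call on the user's existing session bus. The bus path /run/user/<uid>/bus, the PROXY_* and IGNORE variable names and the helper function names are assumptions.

```shell
#!/bin/sh
# Added example (not the author's script). Assumption: the user has a
# session bus at /run/user/<uid>/bus (systemd user session).
VPN_CONNECTION_NAME="UniHH"
PROXY_USER="spaetz"            # avoids clobbering the shell's own $USER
PROXY_HOST="proxy.uni-hamburg.de"
PROXY_PORT=3128
IGNORE="['localhost', '127.0.0.0/8', '10.0.0.0/8', '192.168.0.0/16', '172.16.0.0/12', 'fc00::/8', '*.fritz.box']"

# Read connection names (one per line) on stdin; succeed only on an exact,
# literal match, so "UniHH-guest" or a regex metacharacter cannot match.
is_target_vpn() {
    grep -Fxq -- "$VPN_CONNECTION_NAME"
}

# Print one "schema key value" line per setting for a dispatcher action.
# The mode is switched last, once host and port are in place.
proxy_settings() {
    case "$1" in
        vpn-up)
            for scheme in http https; do
                echo "org.gnome.system.proxy.$scheme host '$PROXY_HOST'"
                echo "org.gnome.system.proxy.$scheme port $PROXY_PORT"
            done
            echo "org.gnome.system.proxy ignore-hosts $IGNORE"
            echo "org.gnome.system.proxy mode 'manual'"
            ;;
        vpn-down)
            echo "org.gnome.system.proxy mode 'none'"
            ;;
    esac
}

# One sudo call: feed all settings to a loop running as the user, attached
# to the user's existing session bus instead of a fresh dbus-launch each time.
apply_settings() {
    uid=$(id -u "$PROXY_USER") || return 1
    proxy_settings "$1" | sudo -u "$PROXY_USER" \
        env "DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/$uid/bus" \
        sh -c 'while read -r schema key value; do gsettings set "$schema" "$key" "$value"; done'
}

# NetworkManager calls dispatcher scripts as: <script> <interface> <action>
case "${2:-}" in
    vpn-up)
        nmcli -t --fields NAME con show --active | is_target_vpn || exit 0
        apply_settings vpn-up ;;
    vpn-down) apply_settings vpn-down ;;
esac
```
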

Helpful links were:

  • https://wiki.archlinux.org/index.php/proxy_settings
  • https://wiki.ubuntuusers.de/NetworkManager/Dispatcher/
  • http://askubuntu.com/questions/645968/error-cannot-autolaunch-d-bus-without-x11-display

P.S. Of course, sudo needs to be installed for this script.

Getting WiFi rtl8723be to work in Debian

After crashing my previous laptop, I bought an HP 15-ba055ng that contains an rtl8723be WiFi card. However, under Linux the connection would become unstable after a short while and refuse to reconnect. I needed to do a series of things to fix this:

  1. Apparently only one antenna is connected to the card while the card is configured to use a different antenna slot, leading to an abysmal signal. A new parameter was introduced in kernel 4.0.7 (or so) that lets one select the antenna in the kernel module.
    Create a file /etc/modprobe.d/rtl8723be.conf and enter

    options rtl8723be ant_sel=1

    (the default is 0). This led to a much better signal reception (as visible by doing iwlist scanning). But it still did not help; the connection got refused after a while.

  2. Some other options need to be changed to make it work. Most people say that disabling the sleep parameter fwlps (FW control power save, default 1) helped. So, that would be adding fwlps=0 to the above line. I did that. In addition, some claim that setting ips=0 or msi=1 has helped them to get better reception. Try it; I use ips=0, but msi=1 did not seem necessary, so my current options look like this:

    options rtl8723be ant_sel=1 ips=0 fwlps=0

  3. Some claim that Windows fastboot mode needs to be disabled in order to make WiFi work reliably (in case you dual-boot). However, I have not tried that yet, nor found it necessary.

All this is on a Debian Jessie system. On a final note: I find it pretty sad that a laptop sold in 2016 has no 5 GHz capabilities. I did not even fact-check that before my purchase as it did not occur to me that this could be an issue.

Relevant links I used for trouble-spotting (plus a ton of other links I forgot about):

  • https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1461174/comments/35
  • https://unix.stackexchange.com/questions/229221/rtlwifi-rtl8723befw-bin-wireless-stop-working-then-laptop-needs-to-reboot-to
  • http://askubuntu.com/questions/635625/how-do-i-get-a-realtek-8723be-wireless-card-to-work
  • https://ubuntuforums.org/showthread.php?t=2304607&page=4
  • https://bugzilla.kernel.org/show_bug.cgi?id=83641#c1

Howto extract PDF pages on Windows and Linux

mutool is great. You can install it as a portable program as a regular user on Windows, for instance. If you need to extract a few pages from a long PDF you can use mutool clean. However, by default this will create a PDF that is as big as the original input file. To compact the resulting file, make use of the -g options. So this works great to extract pages 19-20:

mutool clean -ggg input.pdf output.pdf 19,20

Invalid signature in Windows

I use a few portable programs (such as emacs) on my Windows work computer. Unfortunately, I get this ugly error message there at every start: “Diese Datei verfügt über keine gültige Signatur…” (“This file does not have a valid signature…”). Damn, I thought. However, Windows is not actually that strict: it merely wants all programs downloaded from the Internet to be signed. If the program is “created” locally, it runs without a signature as well (which is daft, really). The instructions for getting rid of the error at startup are here. (Thanks)

UPDATE (Mar 2016): The instructions in brief: with “cat putty.exe > putty2.exe” the executable is suddenly created “locally” and no longer counts as an unsafe downloaded file. Then things work out with the neighbours, too.

VPN at the University of Hamburg with Linux

Like so many other organisations, the University of Hamburg offers a VPN based on Cisco AnyConnect. Until some time ago the built-in “vpnc” VPN service worked (group name “vpnusers”), but it now seems to have been mothballed for good :-(. The only option offered is to download and use the proprietary Cisco AnyConnect client. So: download a Cisco binary blob and let it run as administrator (root) on your machine. HAHA, most certainly … not.

Fortunately, it also works with the tools that Linux distributions ship. For my own reference, here are the steps with GNOME under Debian (Jessie):

  1. The secret is called “Openconnect”, and it is installable as a package of that name in, e.g., Debian (it does not need to be installed if you want to use the GUI variant). For all hardcore terminal users: connecting (as root) with “openconnect https://vpn.rrz.uni-hamburg.de” worked. So that would be the minimum.
  2. For everyone who appreciates the comfort of a graphical interface, install:
    network-manager-openconnect-gnome or network-manager-openconnect (KDE users, what is the right one for you???)
    Afterwards, at least log out and back in, or even reboot; otherwise connecting did not work for me!!!
  3. To set it up: start the network settings, set up a new VPN, and select “Cisco Anyconnect kompatible Verbindung (OpenConnect)” (the Cisco AnyConnect compatible connection).
    As gateway: vpn.rrz.uni-hamburg.de
    As CA certificate: In Debian I selected the preinstalled Telekom certificate (/etc/ssl/certs/Deutsche_Telekom_Root_CA_2.pem). This is the same certificate that is offered on the RRZ download page under the name “Deutsche Telekom Root CA 2 Zertifikat”. However, I do not know whether it was necessary to specify a certificate here at all (please let me know).
    The remaining settings can be left at “deaktiviert” (token mode) and “(keine)” (certificates, …), i.e. disabled and none.
  4. Connect; you are then asked for user/password, where you enter your university ID (not the STINE user name).
  5. Over a VPN connection the university only allows HTTP traffic via its own proxy, so you additionally have to set as system proxy: Server: proxy.uni-hamburg.de Port: 3128. There is also a plugin for Firefox that lets you quickly switch web proxies in the browser.
  6. Profit.

P.S. Anyone who has found a solution for Android, please get in touch or leave a comment.

Making Logitech Bluetooth keyboard work on GNOME

Bought a Bluetooth keyboard (Logitech K480), so I can use my tablet during travels. However, it would not connect to my Debian desktop computer. Turns out the formidable Archlinux page on Bluetooth has the solution. You just want to turn off Secure Simple Pairing on the adapter by typing:

hciconfig hci0 sspmode 0

and suddenly the PIN dialog will pop up that makes everything work… Easy…

By the way, the keyboard is nice and can connect to three different devices. It is just heavier than I would have expected (800 grams or so).

Konnte nicht mit Gruppenrichtlinienklient verbinden… (“Could not connect to the Group Policy Client…”)

…Fragen Sie Ihren Systemadministrator.” (“…Ask your system administrator.”) This appears when logging in to a perfectly ordinary Windows 8.1 Home computer on which only the normal system updates are enabled. The only option then is to shut down the computer. Oh yes, you can also log in as administrator; then you even get a black screen and are allowed to start the Task Manager. Apparently Windows Update (or an automatic update of some other program) has trashed the Windows registry. Google finds a few pages with these error messages.

Here is the website describing the steps that actually helped (it was a long search). The steps look scary, but they can be followed quite well. It really did solve the problem here. Thanks for wrecking the system, Microsoft.

Get the Brother MFC-8860DN to scan under Ubuntu 12.04

I have a Brother MFC-8860DN Printer/Scanner/Fax on my LAN which I tried to get to scan under Ubuntu 12.04. It was quite a journey, but I succeeded in the end.
This documents what I have done, as others might suffer the same problem.

  • Download the brscan2 and brscan-skey deb packages for 64 bit. Install.

  • brsaneconfig2 -a name=MFC-8860DN model=MFC-8860DN ip=xx.xx.xx.xx

    (Replace the ip with your static IP address of the scanner. The name
    argument can be any user friendly term you want, really)

    Theoretically, this is all you are supposed to do. But, alas, no luck yet.

  • Check the output of brsaneconfig2 -q. Does it show your scanner? Good.

  • Check the output of brscan-skey -l. Does it show your scanner as
    "Active"? Mine showed "Not responded", and it turned out I must have
    fudged something in the scanner options on the printer web interface
    earlier that made it non-work. I had to factory-reset my scanner
    before it worked, i.e. it showed up here as "Active". This cost me a few
    hours to find out.

    The most common error here is that people configure the wrong IP
    address. Do avoid that :).

  • The next hurdle was that it still would not recognize the scanner with
    xsane, simple-scan, etc..

    sane-find-scanner already reported a possible usb scanner though.

    It turned out that brscan2 installs libraries into /usr/lib64 and they
    are now supposed to be in /usr/lib/. So, they were not found at all.

    (SANE_DEBUG_DLL=255 scanimage -L can help to find out weird things
    like this, although it is very verbose)

    Solution: copy or link: /usr/lib64/sane/* to
    /usr/lib/sane and /usr/lib64/libbr* to /usr/lib/. (credits go to: https://wiki.archlinux.org/index.php/Brother_DCP-7020)

  • I was nearly there. scanimage -L started showing:

    device ‘brother2:net1;dev0’ is a Brother MFC-8860DN MFC-8860DN

    but trying to actually scan using scanimage, xsane, etc. led to:

    open of device brother2:net1 failed: Invalid argument

    It turned out that my copying of the libraries was not done well, as
    the symlinked files were still pointing to /usr/lib64 locations. Check
    ls -la /usr/lib/libbr* to see which ones need fixing. Of course, had
    I left the libraries where dpkg installed them, and simply symlinked
    them to /usr/lib/, everything would have worked now.

  • I did not have to add entries to
    /lib/udev/rules.d/40-libsane.rules as you will find in many web
    sites. a) This file is 60-libsane.rules under current Ubuntu now
    and b) this is only if you connect it directly via USB. Mine is on
    the LAN.

  • I did not have to create a /etc/sane.d/brother.conf with an entry
    starting "usb …." as you will see in many howtos. Again, this is
    required for connecting the scanner directly via USB.

Good luck to all you poor souls out there with similar problems. This was horrible to debug, thanks to lacking documentation and obscure error messages. I wish Brother open sourced that crap.