Back from a weekend at the family cottage. Barbecue in front of the lake, good weather, my brother’s birthday party.

The family cottage is outside cell phone range. Normally, the cottage has wifi from a rural wireless provider, a satellite TV link, and a landline.
The rural data wireless was out. Using a us robotics usb 56K modem, I was able to make a 24Kbps connection, which is a low speed, even by dialup standards. This poor performance is due to the analog exchange and noise on a rural line: in the city one would expect 50Kbps. There are “light” versions of sites like gmail that load faster on slower connections, but even the simplest requests would often time out and require a reload.

It was fortuitous that i had left a us robotics usb modem in the cottage 10 years ago.

I was able make a dialup connection with my windows 10 laptop, but the experience was not as good as with previous versions: sharing the connection via mobile hotspot did not work, and using connection sharing via the wifi did not trigger a wizard with ad-hoc networking set up on the wifi adapter, things that worked well in prior versions of windows, as recently as windows 8.1.

At the community center 7KM away, near the dépanneur, there is free wifi and a picnic table. On my Linux laptop, I was able to apt install wvdial on the free wifi. wvdialconf autodetected the modem and the man page made it easy to create a dialup file /etc/wvdial.conf (even to find the option for pulse dialing: “ATDP”):

[Dialer Defaults]
Init1 = ATZ
Init2 = ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0
Modem Type = USB Modem
Phone = xxxxxxxxxx
ISDN = 0
Password = xxxxxxxx
New PPPD = yes
Username = xxxxxxxx
Modem = /dev/ttyACM0
Baud = 33600
Dial command = ATDP

wvdial was able to make a 24Kbps ppp connection. I gained some insights, and learned enough to complete a dialup wifi server, based on wvdial, hostapd and dnsmasq. Given the limited speed, there is little point in deploying a dialup server. I will, however, continue to maintain the ability to connect as a dialup workstation, from both my windows and linux laptops.

Modern websites and i/o make dialup almost useless. there may be edge cases especially involving security or remote telemetry, but for consumer use, I suggest driving to the free wifi at the community center.

One of the systems I maintain requires access to a Checkpoint VPN. Until recently, this has meant that I needed a Windows laptop or vm when I traveled. The recipe to connect to the vpn using a command line client called “snx” seems obvious, but is not. Here is how I was able to connect a Fedora 29 Linux machine with version 800007075 of the snx command line client.

Install the Oracle Java JRE

Download Linux x64 RPM:

https://www.java.com/en/download/linux_manual.jsp

Use rpm at the command line instead of using the software installer gui.

(change version number as needed)

rpm -ivh jre-8u191-linux-x64.rpm

dnf install pkgconf-pkg-config

dnf install libcanberra-gtk2.i686

dnf install /lib/ld-linux.so.2 libX11.so.6 libpam.so.0 libstdc++.so.5 libnsl.so.1

According to this link:

https://unix.stackexchange.com/questions/450229/getting-checkpoint-vpn-ssl-network-extender-working-in-the-command-line

versions of the snx command line client > 800007075 are not compatible with recent Linux kernels. So we will obtain a copy of that specific version of the SNX command line client:

[root@server etc]# cd ~desktop/tmp/
[root@server tmp]# wget https://www.fc.up.pt/ci/servicos/acesso/vpn/software/CheckPointVPN_SNX_Linux_800007075.sh -O snx_install.sh
–2018-12-30 07:34:08– https://www.fc.up.pt/ci/servicos/acesso/vpn/software/CheckPointVPN_SNX_Linux_800007075.sh
Resolving www.fc.up.pt (www.fc.up.pt)… 193.137.24.4
Connecting to www.fc.up.pt (www.fc.up.pt)|193.137.24.4|:443… connected.
HTTP request sent, awaiting response… 200 OK
Length: 973618 (951K) [application/x-sh]
Saving to: ‘snx_install.sh’

snx_install.sh 100%[====================>] 950.80K 378KB/s in 2.5s

2018-12-30 07:34:26 (378 KB/s) – ‘snx_install.sh’ saved [973618/973618]

and now we make the script executable:

[root@server tmp]# chmod 755 snx_install.sh

run the installation script:

[root@server tmp]# ./snx_install.sh
Installation successful

test a command line connection (use values appropriate for your username and vpnservername)

[root@server tmp]# snx -s vpnservername -u username@domain.com
Check Point’s Linux SNX
build 800007075
Please enter your password:
SNX authentication:
Please confirm the connection to gateway: *.domain.com
Root CA fingerprint: XXX XXX XXXX XXX XXX XXXX XXXX XXX XXX XXXX
Do you accept? [y]es/[N]o:
y
SNX – connected.

Session parameters:
===================
Office Mode IP : x.x.x.x
DNS Server : x.x.x.x
Secondary DNS Server: x.x.x.x
DNS Suffix : domain.com
Timeout : 12 hours

Some useful links:

https://www.java.com/en/download/linux_manual.jsp

https://kenfallon.com/checkpoint-snx-install-instructions-for-major-linux-distributions/

https://kenfallon.com/installing-snx-on-fedora-28/

https://unix.stackexchange.com/questions/450229/getting-checkpoint-vpn-ssl-network-extender-working-in-the-command-line

https://www.fc.up.pt/ci/servicos/acesso/vpn/software/CheckPointVPN_SNX_Linux_800007075.sh -O snx_install.sh

TL;DR

The recent release of Fedora 29 for the Raspberry Pi means that the hobbyist hardware platform can finally be considered as a viable alternative to Windows-on-Intel (“Wintel”) hardware to host Linux server applications. Although too slow to operate as a useful Graphical User Interface (“GUI”) desktop, the Pi does a good job running a text-only web, file, and vpn server. This makes Fedora on Pi perfect for serving video files at home, or as a vpn server for a small home office or satellite office.

Actual practical HOWTO section

This section contains actual procedural information. After the practical information, there is a “Rant section.”

Choosing the version you will install

For now, I suggest you avoid the GUI desktop altogether and stick with a text-only web, file, and vpn server based on Fedora 29 Minimal.

Downloading the Fedora 29 image file

Download the file for Fedora Minimal:

https://alt.fedoraproject.org/alt

How this is different from a Wintel install

A Wintel build consists of boot media, either a usb drive or a dvd drive, which contains a bootable image that includes an installer used to format another device, typically a hard drive, with boot and other partitions.

The Raspberry Pi Fedora installer consists of an ISO image you will image to a micro-SD card. In the Pi world, everything boots from a FAT32 UEFI partition on a micro-SD card.

Understanding the Fedora 29 image file

The Fedora 29 image contains a FAT32 partition with an implementation of UEFI, and several ext4 partitions.

Decompressing the file containing the Fedora 29 image file

In Windows, use WinRAR to decompress the image file.

In Linux:

from: https://fedoraproject.org/wiki/Architectures/ARM/Raspberry_Pi

xzcat Fedora-IMAGE-NAME.raw.xz | sudo dd status=progress bs=4M of=/dev/XXX # Location of your media (will be sdX or mmcblkX depending on hardware)

Formatting the micro-SD card with the image

Windows:

https://sourceforge.net/projects/win32diskimager/

Linux:

(Decompression and image write to media part of the same operation above under “Decompressing the Fedora image file”)

Using a partition tool to expand the / partition on the micro-SD card

Windows:

https://www.easeus.com/partition-manager/epm-free.html

Linux:

gparted /dev/XXX

Following the text setup wizard

On first boot, at the bottom of the screen, you will see a set of questions regarding initial system username, password, and other settings. Follow the wizard – make sure you create a root password, The system will boot.

Rebooting into a standard machine

You will boot into a standard Linux login screen. Login as root.

Doing standard housekeeping and a standard build

From this point on in the build, the machine feels like a “normal” Linux box.

Using nmcli to set a static ip address

https://unix.stackexchange.com/questions/290938/assigning-static-ip-address-using-nmcli

Using dnf to install nano, rsync, and net-tools

A lot of things that you take for granted, like nano, rsync, and ifconfig (part of net-tools), do not exist until you add them with dnf.

Editing the selinux config file

https://www.centos.org/docs/5/html/5.1/Deployment_Guide/sec-sel-enable-disable.html

Modifying or disabling firewalld

systemctl stop firewalld; systemctl disable firewalld

(some people like firewalls, I think they are lazy – just turn off unneeded ports!)

Enabling an SSHD server

systemctl start sshd; systemctl enable sshd

Adding the rpmfusion repos

https://rpmfusion.org/Configuration

dnf clean all; dnf update

reboot

Doing a standard LAMP build

https://www.digitalocean.com/community/tutorials/how-to-install-lamp-linux-apache-mysql-php-on-fedora

(notes: dnf install mariadb mariadb-server instead of dnf install mysql mysql-server, dnf install php-mysqlnd instead of dnf install php-mysql)

Installing a free cert with Let’s Encrypt

https://letsencrypt.org/

Installing Nextcloud

Normally, I would just say, dnf install nextcloud and watch yum dependencies in action. Unfortunately, there is a missing dependency for php-composer(ircmaxell/password-compat) which breaks nextcloud in yum/dnf. This is not a good thing, however it is not specific to the Pi, it is a Fedora 29/Nextcloud thing (and it would appear that Owncloud and Nextcloud do not get a lot of maintainer love in the yum repos).

As it happens, I was able to deploy nextcloud 2 weeks ago on a cloud server using this script, and it worked just as well on this installation of Nextcloud on Fedora on the Pi:

https://help.nextcloud.com/t/fully-automated-nextcloud-on-fedora-installation-script/27276

Doing a standard Samba build

https://www.digitalocean.com/community/questions/installing-configuring-samba-on-centos-7-droplet

Optimizing Samba file shares, especially for MacOS Finder clients:

http://blog.gordonbuchan.com/blog/index.php/2018/10/21/fixing-slow-macos-finder-on-samba-file-share-optimizing-for-windows-clients/

Doing a standard OpenVPN build

http://blog.gordonbuchan.com/blog/index.php/2018/01/28/a-corrected-procedure-for-the-installation-of-openvpn-on-fedora-27/

Enabling the rc-local service in system

https://www.linuxbabe.com/linux-server/how-to-enable-etcrc-local-with-systemd

Rant section

Although some people like the rant, others just want a HOWTO. So the rant goes here, after the practical.

It is a big deal that Fedora treats the Pi’s aarch64 as equal to Wintel’s x64

The ability to use standard Red Hat software tools and procedures means that aside from differences in the installation process, the Pi feels like a normal, if slightly slow, Red Hat machine. Because Fedora on Pi has full standard repositories, you can use standard howtos and procedures to do a build.

Until now, Linux was effectively relegated to dumpster-diving Wintel boxen

Intel hardware originally designed for Windows is the commodity computing platform on which Linux was born. It is comforting to know that Linux now has a second viable hardware platform, which will grow in capability over time.

A motorcycle engine trying to power a car

I remember a TV show where a team of mechanics scoured a junkyard and found a motorcycle engine powerful enough to drive a car-sized frame, chassis, and wheels. The motorcycle engine was large by motorcycle standards – and was able to power the car form factor, but it struggled with the task. Like the motorcycle engine in the TV show, the Pi is now powerful enough to run a full Red Hat Linux (Fedora) server, but it struggles with a full GUI desktop like Gnome 3 or XFCE.

Vision and leadership and big decisions by Fedora and rpmfusion yum repo maintainers

The big decision by Fedora to provide full support for the Pi’s aarch64 ARM cpu gives Linux its own hardware platform, for the first time. The Fedora project maintainers and the rpmfusion repo maintainers did an excellent job of ensuring that the yum repositories contained aarch64 binary rpm packages for everything that had an x64 package. Let me just say it is inspiring to see people with vision actually execute and do something like this.

Using standard procedures and software libraries

What is impressive is that the main yum repositories for fc29, as well as the rpmfusion free and non-free repositories, fully support aarch64. That means you can dnf install vlc filezilla, and it will work. Some repositories are not there yet, such as the remi rpm repo for php56 support on modern fedora, so I will be limited to php72 for the moment. Some third-party repos, like google-chrome, do not yet support aarch64, however I was able to install Chromium.

What the Pi is not so good at: GUI desktop

When I first installed Fedora 29 Workstation on the Pi, the GUI was virtually unusable. It became better over time, but would sometimes freeze. I turned off the Gnome 3 desktop, did all the dnf updates, then turned on Gnome 3. After a few tweaks with the Gnome tweaks took I was able to run LibreOffice Writer, Chromium, and FileZilla, but only very slowly. XFCE was slightly faster but not enough to make a difference. Although rpmfusion allowed me to dnf install vlc, VLC was virtually unusable – but props to everyone in that value chain for vision – a hardware rev or 2 from now the VLC will be usable.

The Pi is fast as a text server

I decided to go the other way and install a text-only server from the ground up. There are some Raspberry Pi-specifics to the build I will address in the Install procedure section. However, the rest was identical to the way one would build a wintel linux box. On my brother’s advice, I decided to use Fedora 29 Minimal. It really is minimal: I had to use dnf to install nano and rsync. However, I was able to do a dnf update including the rpmfusion free and non-free repositories. Because I had full standard repositories, I could use standard howtos and procedures to do my build.

I then built a standard LAMP web server, an SSL cert with let’s encrypt, an installation of nextcloud media server, samba file share server, openvpn vpn server. The server performed well – so well that I am already planning to deploy a few in the field as openvpn servers and rsync backup data dumps.

A random reference to a satirical book about home servers

https://gizmodo.com/342499/microsofts-brainwashing-childrens-book-mommy-where-do-servers-come-from

 

My mother has a great cottage on a lake. There is no cell phone service for a few kilometers around. There is a landline. There is a form of rural data wireless that is often down. Thus the need for a dialup wifi server as a backup, for when rural data wireless service is unavailable. Too slow for web surfing, but enough for email and texting. This seems like a perfect task for Linux. After all, Linux is usually a good foundation for web servers, email servers, vpn servers, file share servers, voip servers, and more.

I started this project last year, and found that although Windows could drive the built-in 56K modem on a circa 2009 laptop, Linux could not. Fortunately, I have a US Robotics USB 56K modem, which is recognized by Linux.  I got as far as a dialup connection without DNS.

This year I learned how to override some settings in wvdial to enable dns. So i was able to surf on fedora 28 via dialup. However, I was unable to share the connection via the GUI networkmanager.

To explain why, let me tell you a few stories:

I should point out that sharing a connection like this is something that Windows can do without breaking a sweat. I first installed such a gateway, albeit dialup shared as a NAT over wired Ethernet, on a Windows 98 box in 1999.

Last year (2017), while on vacation at a hotel with a 2 device limit, I confronted the dilemma: how does one choose between a laptop, an iPad, and 2 cell phones? Answer: use a laptop with a second wifi adapter to provide a repeated hotspot under my control.

NetworkManager on Gnome 3 on Fedora offered to share a wired Ethernet connection as a local WIFI hotspot, but was unable to do other permutations — like a second wifi on usb sharing a first wifi connection to hotel wifi. Fortunately, the machine was able to dual-boot into Windows and share the  hotel wifi via a second wifi usb adapter.

Back to the Linux dialup wifi server project.

It would seem that I must configure hostapd, in order to create a hotspot that can share the dialup connection. I have followed the instructions, but have not succeeded so far — there are some things i can try. I find myself consulting blog posts from 2002-2011. I suppose that is the kind of deep time audience that reads these blog posts, a few at a time, in the future.

More to follow at the beginning of October when I return to the cottage to take another run at the problem. for now i will simulate the hostapd problem with a test machine here, then bring that solution to the cottage and test the integrated solution with the already-working dialup connection.

I suppose I could try to test the dialup connection via a voip analog telephone adapter device, but that seems wrong.

[edit 20180924] My brother had a somewhat similar but more successful experience in 2015: http://www.malak.ca/blog/index.php/2015/03/05/having-to-find-multiple-levels-of-internet-access-oh-fun/

Although it is still possible to run a small hobby web server, it has become impractical to run a private email server. The challenges of dealing with spam and viruses go back to the beginning of the web hosting industry, in the late 1990s. During that era and until recently, a person or small team with minimal resources were able to deploy a web and email server with a combination of anti-spam and anti-virus countermeasures, using the same tools available to larger companies. That is no longer the case due to collateral damage from the spam wars.

Since the late 1990s, anyone with a Windows-compatible computer could reformat that computer with Linux, an operating system similar to UNIX. A person or small team could host web sites and email accounts with DNS, web, database, and email hosting on a single computer (hopefully with a second server as a backup).

Reputation management and blacklisting services minimize spam arriving in inboxes, but can also result in mistaken blacklisting or collateral damage such as innocent firms hosted by a provider that has one bad client using their infrastructure and causing a block for all. Until recently, this could be managed. However, since about 2016 the email threat environment has escalated even further.

This new email threat environment has resulted in increased resource use to process inbound mail (the majority of which is spam and some with viruses). Worse still, it has become almost impossible to ensure that one’s email will be likely accepted by the remote party. Even following all protocols, smaller email providers are no longer equals with larger ones.

The blocking of email from small servers is not due to any commercial conspiracy, it is simply that some activities require scale, and email has become one of those activities. It may be that the bad actors still exist, and are now hosted on the big providers, but no one will blacklist Gmail or Hotmail, no one will blacklist a company’s mail if it is hosted on one of those systems. There may be 10 or 20 hosting companies of scale that can be described as being in this category.

Of course, there are still thousands of hobby servers exchanging email, and small 1-10 person hosting operations still offering email services to small companies. There are people who have found a successful recipe, for now, to stay on the air. For now. Good luck to them.

To newcomers considering the vocation: try for the challenge and the knowledge, build your own email server for fun, but do not try to host email for anything remotely important, like a paying customer.

Some will say, sure, but a big company can host its own email. To which I would say they can, but they shouldn’t. We have seen telcos and even governments outsource their email. They saw this coming, and got out of the business. So should we all. Gmail for Business is good. Microsoft 365 is good. Others might be good.

Not all is lost. For the web, we are still in a golden age. Linux servers big and small, some virtual, allow people and companies to have unprecedented degrees of control over the most minute aspects of their web computing. An old laptop can become a Linux web server. A virtual server can be deployed for US$6/month. Those willing to work and learn can still have a web server that is the equal of any other web server.