Add Linux wireless drivers to Debian Install ISOs

TL;DR:

This HowTo shows you the process to find, download, and add linux wireless drivers, network drivers, or other drivers (missing firmware) to a Debian installation ISO, and then remaster it for install from a USB stick.

Background

I recently bought a Lenovo X1 Carbon ultrabook. It’s a slim, lightweight machine with no CD / DVD drive, and a couple of USB ports.  That means I needed to wipe the Windows install that was on there, and install Debian 8. Of course, getting the Debian ISOs was no problem. And creating a bootable USB is easy because they are hybridized. But, I was quickly greeted with a screen that complained it could not find my wifi – i.e., it couldn’t detect my wireless card – because it didn’t have the drivers.

Install or load firmware for missing network drivers on Debian

The problem stems from the way Debian is packaged. They do not include “non-free” drivers in the distribution ISOs. It’s a philosophical choice, and it’s not going to change, so there’s no point in tilting at that windmill.

Normally, you can select the option that says: “Install drivers from a USB stick”, but, on an ultrabook, there’s a twist: since you don’t have a CDROM / DVDROM drive, adding those drivers from a secondary USB stick doesn’t work! The anaconda installer does not notice that a secondary USB stick has been inserted, and flat-out does not scan it! So, even though you’ve put the needed drivers on that USB stick, it’s still useless.

The answer is to slipstream (Windows lingo) the drivers into the installation media. Debian offers some relatively simple ways to remaster an installation CD, which we will cover in depth here in a moment. First, let’s talk about how to get the drivers in the first place.

Getting Debian Linux Wireless Drivers

In my case, the Intel network card caused Debian to complain that it was missing iwlwifi-6000g2a-6.ucode. A quick DuckDuckGo search reveals that this is part of the firmware-iwlwifi package in Debian. Specifically, 0.43 or higher.

So, if we scroll to the bottom of that page, we can download the .deb file.

Downloading the Debian Installable ISO

Next, we need to get an ISO that we’ll use to create the installable media from which we’ll install Debian. My preferred choice is to use BitTorrent to download the ISO files. It lessens the load on the servers hosting the ISOs, and helps the community give back to the rest of us by using a peer-to-peer connection. For this tutorial, we’re going to be dealing with the CD image, not the DVD image. So, download the CD image from here.

Setting up our working folder

We need a place to work. So, create the folder /home/youruser/custom, and copy the downloaded ISO there.

Prepare the helper scripts

Now, Debian’s Modify CD page has some technical information about this process, but this article is an attempt to make the instructions a little more palatable. That being said, we are going to be using the helper scripts at the bottom, so, copy / paste those scripts, and put them in the /home/youruser/custom directory as well.

Now, open each one, and do a find / replace to find sudo and replace with nothing (we’re removing the sudo commands because it’s easier to operate as root for the duration of this tutorial).

Become root

Because we need access to “root only” system utilities, su to root for the rest of this tutorial. (Alternatively, you could constantly use sudo for everything, but being root for the duration of this operation is probably easier).

The starting point

Right now, your custom directory should look like this:

Starting point

Now, run this command:

./diunpk debian-8.2.0-amd64-CD-1.iso src dest

This will unpack the ISO file into a timestamped directory. Rename this directory to “CD” for ease of use, then copy ./dipk into that directory:

Resulting output of the diunpk commands

The script has created a src and dest directory under the CD directory. “Src” is a readonly version of the ISO image you downloaded, and dest is where we are going to be making changes to add our firmware.

Add the non-free firmware to the image.

Create a directory named firmware-nonfree using this command:

mkdir ./pool/main/f/firmware-nonfree/

Now, copy our downloaded deb file to this directory:
cp /home/youruser/Downloads/firmware-iwlwifi_0.43_all.deb ./pool/main/f/firmware-nonfree/

Lastly, we need to make a symbolic link from the firmware directory just below the root of the ISO to this file so that the installer can find it during the natural installation process. Change directory to the firmware directory (/home/youruser/custom/dest/firmware), and then create the symbolic link:
cd firmware
ln -s ../pool/main/f/firmware-nonfree/firmware-iwlwifi_0.43_all.deb

Here’s what my whole process looked like:


  1. I used the find command to find existing firmware just to confirm its location. As I expected, it was in ./pool/main/f/firmware-free.
  2. I created ./pool/main/f/firmware-nonfree to store the non-free drivers.
  3. I used tab completion (in the red box) to create the correct command to copy the firmware from my Downloads directory to the nonfree directory I just created.
  4. I changed directory to the firmware directory that is just below dest/.
  5. I did a directory listing to ensure I was seeing what I was expecting to see, and to look at the symlink for the existing firmware.
  6. I created a symbolic link to the new, non-free firmware I just added.
  7. I did a directory listing to make sure it was done correctly.
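
The copy-and-link steps above, wrapped into a function together with a check that every link under firmware/ is relative and resolves, as an added example that is not part of the original post or of Debian's helper scripts. The function names are hypothetical and the demo runs against a constructed temporary tree with a dummy .deb, not a real unpacked ISO.

```bash
#!/bin/sh
# Added example: put a firmware .deb into an unpacked installer tree and verify
# the links in firmware/. Function names are hypothetical, not Debian tooling.

# add_firmware TREE DEB: copy DEB into TREE/pool/main/f/firmware-nonfree/ and
# link it from TREE/firmware/ with a relative symlink, as in the steps above.
add_firmware() {
    tree=$1 deb=$2
    name=$(basename "$deb")
    mkdir -p "$tree/pool/main/f/firmware-nonfree" "$tree/firmware" || return 1
    cp "$deb" "$tree/pool/main/f/firmware-nonfree/$name" || return 1
    # The target is written relative to firmware/, so the link does not depend
    # on where the tree sits on the build machine.
    ln -sf "../pool/main/f/firmware-nonfree/$name" "$tree/firmware/$name"
}

# check_firmware_links TREE: print every link in TREE/firmware that is dangling
# or does not point into ../pool/; return non-zero if anything was printed.
check_firmware_links() {
    tree=$1 bad=0
    for link in "$tree"/firmware/*; do
        [ -L "$link" ] || continue
        target=$(readlink "$link")
        case $target in
            ../pool/*)
                # -e follows the link, so it is false for a dangling one.
                [ -e "$link" ] || { echo "dangling: $link -> $target"; bad=1; }
                ;;
            *)
                echo "not relative to pool: $link -> $target"; bad=1
                ;;
        esac
    done
    return "$bad"
}

# --- constructed demo: a stand-in for dest/ and a dummy package file ---
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf 'constructed placeholder, not a real package\n' \
    > "$demo/firmware-iwlwifi_0.43_all.deb"
add_firmware "$demo/dest" "$demo/firmware-iwlwifi_0.43_all.deb"
check_firmware_links "$demo/dest" && echo "firmware links OK"
```

An absolute link such as /home/youruser/Downloads/... looks fine on the build machine and is exactly what the second function reports, because that path will not exist when the installer runs.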

Run dipk to generate the ISO.

Change directories back to CD (the parent directory of dest), and run the following command:

./dipk ../custom.iso src dest

This will create a file called custom.iso in the custom directory  (the parent directory of the CD directory) using the src and dest files that we have been working with.

Preparing the ISO for use with a USB Drive.

In order to use a USB stick to boot this ISO file and install Linux, we need to use the utility isohybrid, so run the following command from the custom directory:

isohybrid custom.iso

This changes the ISO file to allow modern BIOSes to recognize its structure as a bootable disk.

Prepare your USB Stick

Lastly, put your USB stick in the computer, and run dmesg to figure out which device it is. (It’s usually the last /dev/sdX to show up in dmesg). In my case, it was /dev/sdm. Now, just copy the ISO file to that device:

cp custom.iso /dev/sdX

(Note: be sure to replace the “X” with the proper letter that represents your USB drive!).

Enjoy.

OpenSSL Generate: Certificates, CSRs, and Self-Signed CA Certificates

If you’re a computer novice, start reading this at the top. If you know what you’re doing (even somewhat), click here to skip to the section on using OpenSSL to generate Certificates, CSRs, and Self-Signed Certs OR click here to learn how to become your own CA.

Introduction (Crash Course for Beginners)

SSL Certificates are all about trust. It’s how a website tells a user: “Hey, I’m trustworthy because other people trust me, so you should too.” The primary tool of that trust? OpenSSL. Depending on your needs, you might use OpenSSL to:

  1. Generate a self signed certificate
  2. Generate a CSR (Certificate Signing Request)
  3. Become your own CA (Certificate Authority), and if you do that:
  4. Sign CSRs that have been created by others.


Setting Up a VPN with Tinc VPN Software

Setting up a VPN can seem like a daunting task. There are some high-priced options out there, but most of those are closed source, and therefore not to be trusted. Instead, the internet has a variety of open source and free VPN server solutions. OpenVPN is a good one, but does not offer a distributed style “mesh network”. It requires a dedicated server, which may or may not be in your budget or scope. But, tinc-vpn offers “point to point” VPN as well as server style and everything in between.

As stated on the project homepage, tinc is a Virtual Private Network (VPN) daemon that uses tunnelling and encryption to create a secure private network between hosts on the Internet. It is an excellent way to create connections to servers and workstations over the internet. In particular, I came across it while looking for free alternatives to logmein.com. While tinc does not provide any sort of interface, it can be used to solve the problem of “permanent” remote access.

There are not a lot of great tutorials on the internet for tinc. So, we are going to take an in-depth look at exactly how to set-up a “server” and a client.

For starters, let’s build out our network on paper before we attempt to get it working in real life. In order to get around firewalls on remote networks, we have to “punch through” by initiating a connection from within those remote networks. Routers assume that connections made by computers on the “inside” of their networks have permission to do so, and let those connections be made. Additionally, those same routers allow the return traffic through the firewall because: “what good is a request if we don’t allow the response back through to the requester?”

Thus, we need a centralized VPN “server” that all our remote nodes can connect to. Once we have that set-up, we can connect other computers (like a management workstation and a remote file server that we need to manage) to the VPN via the central node.

Setting up a VPN: the tinc VPN Basics

Up until now, I have been referring to a “server” for the central node. tinc does not have a “server” mode because all nodes are configured the same. For our purposes, the “server” we are configuring is a regular node that doesn’t connect to anyone else (pro-actively). Instead, it’s the place where “everyone else” connects to the network.

With that piece of information out of the way, let’s get back to the basics.

Order of Operations: How tinc reads configuration files (and in what order).

When tincd is started, the first thing it does is check /etc/tinc/nets.boot. Each line in that configuration file can contain the name of a network to join. For this tutorial, we are just going to use a single network, but you could set-up as many networks for your server as you wanted to.

After reading /etc/tinc/nets.boot, tinc goes to each network folder looking for a tinc.conf file. So, if your nets.boot file has a single entry: myvpn, tincd will look in /etc/tinc/myvpn/ for a tinc.conf file. (It will look for /etc/tinc/myvpn/tinc.conf).

Once it finds the tinc.conf file for this network, it will read it, and access information under the hosts directory for that network. So, if we use the “ConnectTo” directive to tell tincd that it should connect to a given server, it will look in /etc/tinc/myvpn/hosts/ for the value of that directive.

So, for example, if we are configuring a client (node) to ConnectTo a server that we have nicknamed “MainServer”, we’d use a directive like this:

ConnectTo=MainServer

Once tincd sees the value of that ConnectTo directive is “MainServer” it will immediately look in /etc/tinc/myvpn/hosts for the MainServer file. (It will want /etc/tinc/myvpn/hosts/MainServer). Once it finds that file, it will load configuration information about that host (node) from that file.

But, tinc also looks in the hosts/ directory to find information about itself! So, to get two computers to connect to one another, you must (at minimum) have two files in the hosts/ directory for your connections: one for the “server” and one for the “client”. As you’ll see in our example, we will create a file in hosts/ for the machines each node will connect to as well as for the node itself.

Authentication: How Each Node Knows It’s OK To Grant Access to the VPN Network.

tinc uses RSA authentication to authenticate nodes. If you’re not sure how RSA works, take a look at our RSA authentication primer. But for now, let’s suffice it to say that this is a key exchange. Each end of the node has to provide a key to be accepted by the other nodes.

This means that each node has to have its own public / private RSA key pair. But don’t let that intimidate you, we’ll show you how to make these without having a Ph.D. in mathematics.

Preparing Your Computer

Whether you are running a server or a workstation, you have to make sure you have fulfilled the system requirements for tinc. They are:

  • A kernel that supports tun/tap. If you are using a modern version of any Debian based system, you’re already set here. (This includes Debian, Ubuntu, Mint, and other flavors). Most other modern Linux systems support this right out of the box. Except those distros that require you compile the kernel in order to install… but then again, if you’re using one of those experts-only distros, you won’t need much help installing this feature.
  • Make sure you have the following packages installed and available:
  1. OpenSSL
  2. zlib
  3. lzo

How to Install tinc-VPN

In Debian based systems, this is easy. Just use:

apt-get install tinc

Do this for all the machines that will be participating in the VPN.

Setting up the Network

Do it on Paper First! Write down:

  1. Public IP of the “server”.
  2. VPN IP of the “server”.
  3. VPN IP of the “client(s)”

In our case, we are going to assume:

  • Public IP of the “server”: 12.345.67.89.
  • VPN IP of the “server”: 192.168.100.1
  • VPN IP of the client: 192.168.100.2

How To: Setting up the tincd “Server”

Setting up the “server” simply means we need to setup the files tinc uses in the order that it uses them:

  1. nets.boot
  2. the network directory
  3. tinc.conf in the network directory
  4. the hosts directory for the network
  5. the individual host files for hosts on the network.
  6. tinc-up
  7. tinc-down

First, change to the /etc/tinc/ directory, and edit the nets.boot file. We are going to add a single line to the end of the file: myvpn.

echo 'myvpn' >> nets.boot

Next, create the myvpn folder under /etc/tinc because tincd is going to look in that folder after it discovers that nets.boot has “myvpn” as one of the entries.

mkdir /etc/tinc/myvpn
cd /etc/tinc/myvpn

Next, create the tinc.conf file, which tells tincd how to setup its own node. Using your favorite Linux text editor (vim!), create tinc.conf with these two lines in the file:

Name=vpnserver
Device=/dev/net/tun

Save the file.

This, of course, assumes you are running a Debian based system that has a device at /dev/net/tun. Most do. But, if your distro doesn’t, you can change this to something like /dev/tap0 if you have tunctl installed. But for our example, we’re going to leave it like this.

Now, if you remember from our order of operations above, as soon as tincd finds this file, it’s going to look for myvpn in the hosts directory. So, we need to create that directory so we can create the file.

mkdir /etc/tinc/myvpn/hosts

But we don’t create the myvpn file that goes in hosts/! That will be created for us when we generate the RSA keys for this system. So, let’s generate the keys:

tincd -n myvpn -K

If you haven’t set-up the tinc.conf file correctly (or yet), this command will generate two keys: rsa_key.priv and rsa_key.pub. Both of these will appear in your /etc/tinc/myvpn/ directory (because we specified -n myvpn in the command above). These two keys represent the keys to THIS system. So, we’ll keep the private key where it is, but let’s move the public key into hosts:

mv /etc/tinc/myvpn/rsa_key.pub /etc/tinc/myvpn/hosts/vpnserver

If you DID correctly set-up your tinc.conf file, tincd will read that file, and find the name of this computer and use it to put the public key in the correct spot. So, instead of creating the public key as /etc/tinc/myvpn/rsa_key.pub, it should read Name=vpnserver, and put the public key in /etc/tinc/myvpn/hosts/vpnserver.

Right now, that file (/etc/tinc/myvpn/hosts/vpnserver) only contains the RSA public key, but we need to add some more information about this node to that file. So, let’s edit that file:

vim /etc/tinc/myvpn/hosts/vpnserver

and add some lines to it to identify the node both to itself, and later, to the other nodes on the network. We’ll add two lines: Subnet and Address.

Subnet identifies the IP address this node will have on the VPN network. Address identifies (to other nodes) what IP address they should use to connect to this server.

Subnet=192.168.100.1
Address=12.345.67.89
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAoEgxyY5DANAlKSP3pkHJvX5Co1uihxcCwFGW7G3bXUsKTkg6TE1P
qs7Fae9HQIYPzu0uHhjR0jFNP0rAEWl3VoQnpe3E6uIBs+8PWlIpB6OvLXjaYbo7
FhCje3OYTQMDwbhGaeZ/TdoOvAhHlu8giHZFc4SZ/Bd4z58UmLC5ShAtHKhMJr6K
dYsZjBWnz341Q/dY+NRW5RXpH8akt8yW7xw/9So8CM3Lyf9Vvtn1RyY0IJcIq1kV
UXYOmx/j5Ef48GrbziF5DhEhYCqVSYzqfeIS0PKesNyTWvqr0/n2owSH3q5a2mNI
b+DuppRFSWxzkymrvrGfxVRuhi1Hj5lQPwIDAQAC
-----END RSA PUBLIC KEY-----

Lastly, we need to set-up the tinc-up and tinc-down scripts. These scripts execute automatically when the VPN network comes up and when the VPN network goes down (respectively).

Essentially, we need these scripts to create the interface that the computer will use to talk to the VPN network when the VPN comes up, and then remove it when the VPN service stops.

Create a file called /etc/tinc/myvpn/tinc-up, and put the following lines of code in it:

#!/bin/bash
ifconfig $INTERFACE 192.168.100.1 netmask 255.255.255.0

Because tincd runs in router mode by default, we do not need to put any other configurations (or routes) in this file because tincd will build and maintain routing tables for us.

Now for tinc-down, which will execute when we shut down tinc and disconnect from the VPN. Create a file: /etc/tinc/myvpn/tinc-down, and add this content.

#!/bin/bash
ifconfig $INTERFACE down

This removes the vpn adapter from the system when the vpn service is shut down.

Once you have created those two files, you have to grant them permission to execute:

chmod +x /etc/tinc/myvpn/tinc-*

Now, you’re ready to start the tinc vpn server:

/etc/init.d/tinc start

If all goes well, you should see the following in syslog:

tincd 1.0.19 (Apr 22 2013 21:45:36) starting, debug level 9
/dev/net/tun is a Linux tun/tap device (tun mode)
Executing script tinc-up
Listening on 0.0.0.0 port 655
Listening on :: port 655
Ready

If you see any errors, google them, fix them, and then restart tinc until the errors resolve.

Setting up the VPN Clients

Because a “server” and a “client” have just ONE difference (the server doesn’t use a ConnectTo directive in tinc.conf), the basic setup is exactly the same. So, follow the steps above to setup your client(s), but note these differences in /etc/tinc/myvpn/tinc.conf:

  • Clients will use a “ConnectTo” directive.
  • Clients need to be uniquely named. The server uses Name=vpnserver, but the clients should have their own individual (unique) network names. Name=Client01 would work, so would Name=George.

There are two major differences for clients in the public rsa key, which is stored in hosts/ for the network:

  • The Name directive must be unique
  • The subnet must be a different IP for the client than the server has.

Here is an example tinc.conf for a client:

Device=/dev/net/tun
ConnectTo=vpnserver
Name=George01

Notice the Name is unique (this is for “George’s computer”) and it also uses the ConnectTo directive to tell this client node to connect to the main vpn server node.

Here is an example /etc/tinc/myvpn/hosts/George01 file:

Name=George01
Subnet=192.168.100.2
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAzkkYpNIWSrm1kNX49PXYZR4SALGUtDY/iKHVGF2oqvsoKhl5hENi
iNw9QqUtKUSDuJxP8w2AbeHBYaqr9kVyw3c/2Vzp1oGIxpbtMRcSEDJUcgJlpNeJ
8iEvjEPUiliLNrfnpu7dEk8gT6Fu+b94R1n/5JnLueny3i0p8+qbA5/z4KUqVQCH
nQqcDQ+8DY2Otrljae6YwEMgtShtUNA6nkUfJ61Y/2UITL6RQP7rAXbn3kJYozm/
gjJPQ4W0oUlTSFwM2qziGIj68KrUXBj6V3VjInuVdAgFii6B2aXI+qUst705B/Bw
+BZIsQxiKNruU+gi/+aQx2mtP2YPiTYk1QIDAQAB
-----END RSA PUBLIC KEY-----

Notice:

  • the file name matches the Name directive in the /etc/tinc/myvpn/tinc.conf file.
  • The Subnet is different than the server. In this case, it is the next available address, but it doesn’t have to be. It could be any address on the 192.168.100.0/24 network.

Now, your client is setup! Start the tincd service and watch /var/log/syslog for errors that need correcting:

/etc/init.d/tinc start

The Last Step: Exchanging Keys

As mentioned in the introduction as well as in our RSA Authentication Primer, both sides of the VPN need to exchange public keys so that the “conversation” can actually take place.

So, let’s use secure copy to copy the vpnserver public key to the client. From the client:

cd /etc/tinc/myvpn/hosts
scp root@12.345.67.89:/etc/tinc/myvpn/hosts/vpnserver .

If (when) prompted to enter your password, enter the password for the VPN server’s root account.

Now, let’s send the client public key to the vpn server:

cd /etc/tinc/myvpn/hosts
scp George01 root@12.345.67.89:/etc/tinc/myvpn/hosts
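
A pre-flight check for the file lookups described under “Order of Operations”, added here as an example that is not part of tinc or of the original post. The function names are hypothetical, the parser handles only the Key=Value form used on this page, and the demo runs against a constructed sample directory rather than a real /etc/tinc.

```bash
#!/bin/sh
# Added example: audit one tinc network directory before starting tincd.
# Function names are hypothetical; the sample tree below is constructed.

# conf_values KEY FILE: print each value given for KEY in FILE (Key=Value only).
conf_values() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" |
        sed 's/[[:space:]]*$//'
}

# audit_tinc_net DIR: print one line per problem; return non-zero if any.
audit_tinc_net() {
    net=$1 problems=0
    note() { echo "PROBLEM: $1"; problems=$((problems + 1)); }

    [ -f "$net/tinc.conf" ] || { echo "PROBLEM: no tinc.conf in $net"; return 1; }

    name=$(conf_values Name "$net/tinc.conf")
    [ -n "$name" ] || note "tinc.conf has no Name"

    # tincd needs a hosts/ file for this node and for every ConnectTo target.
    for host in $name $(conf_values ConnectTo "$net/tinc.conf"); do
        if [ ! -f "$net/hosts/$host" ]; then
            note "hosts/$host is missing"
        elif ! grep -q 'BEGIN RSA PUBLIC KEY' "$net/hosts/$host"; then
            note "hosts/$host has no RSA public key"
        fi
    done

    # The private key stays on this node and must not be readable by others.
    key="$net/rsa_key.priv"
    if [ ! -f "$key" ]; then
        note "rsa_key.priv is missing"
    elif [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
        note "rsa_key.priv is accessible to group or other"
    fi

    # tinc-up and tinc-down only run if they are executable.
    for script in tinc-up tinc-down; do
        [ -x "$net/$script" ] || note "$script is missing or not executable"
    done

    [ "$problems" -eq 0 ]
}

# --- constructed sample: a client directory with three deliberate mistakes ---
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
mkdir -p "$demo/myvpn/hosts"
printf 'Device=/dev/net/tun\nConnectTo=vpnserver\nName=George01\n' \
    > "$demo/myvpn/tinc.conf"
printf 'Subnet=192.168.100.2\n-----BEGIN RSA PUBLIC KEY-----\n(constructed)\n-----END RSA PUBLIC KEY-----\n' \
    > "$demo/myvpn/hosts/George01"
# Mistake 1: hosts/vpnserver has not been copied over yet.
# Mistake 2: the private key is world-readable.
: > "$demo/myvpn/rsa_key.priv"; chmod 644 "$demo/myvpn/rsa_key.priv"
# Mistake 3: tinc-down was created but never made executable.
printf '#!/bin/sh\n' > "$demo/myvpn/tinc-up";   chmod 755 "$demo/myvpn/tinc-up"
printf '#!/bin/sh\n' > "$demo/myvpn/tinc-down"; chmod 644 "$demo/myvpn/tinc-down"

audit_tinc_net "$demo/myvpn" || true
```

Run it on both nodes after the scp steps: a missing hosts/ file is the usual reason a ConnectTo never establishes.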

Testing Your Connection

If all has gone well, you’ll now be able to ping the machines over the vpn network. From the “client” node:

ping -c4 192.168.100.1

should give you:


PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_req=1 ttl=64 time=1.15 ms
64 bytes from 192.168.100.1: icmp_req=2 ttl=64 time=0.905 ms
64 bytes from 192.168.100.1: icmp_req=3 ttl=64 time=0.979 ms
64 bytes from 192.168.100.1: icmp_req=4 ttl=64 time=0.943 ms

From the server node, you should be able to execute:

ping -c4 192.168.100.2

and get:

PING 192.168.100.2 (192.168.100.2) 56(84) bytes of data.
64 bytes from 192.168.100.2: icmp_req=1 ttl=64 time=1.15 ms
64 bytes from 192.168.100.2: icmp_req=2 ttl=64 time=0.905 ms
64 bytes from 192.168.100.2: icmp_req=3 ttl=64 time=0.979 ms
64 bytes from 192.168.100.2: icmp_req=4 ttl=64 time=0.943 ms

Special Thanks

Special thanks to Guus Sliepen, who not only developed tinc-vpn, but also generously provides support via his tinc-vpn mailing list.

RSA Encryption and Authentication Primer

RSA Encryption is a cryptographic system that uses public and private keys to exchange messages. It was first published in 1977 by Ron Rivest, Adi Shamir, and Leonard Adleman. RSA stands for Rivest, Shamir, and Adleman.

The system works by generating two RSA encryption keys: one public and one private. The key generation itself requires a good random number generator and the ability to resolve very large prime numbers. (Wikipedia has a more precise explanation of how the keys are generated, but this is sufficient for our purposes).

The public key can:

  • Encrypt messages destined for the person who has the corresponding private key.

The private key can:

  • Encrypt messages for anyone who has the public key (not used often)
  • Decrypt messages encrypted with the public key (99.9% of all usage)
  • Sign messages to authenticate “I am who I say I am”

The public key can be used to encrypt messages, but only the private key can decrypt messages.

Because a public key can encrypt, but only the corresponding private key can decrypt, this means:

  • I have to keep my private key a secret. I can’t share it, email it, or let anyone see / touch it.
  • I can give my public key to anyone without regard. I can publish it on the internet if I like.
  • This public / private key set can only be used to send me messages. If I want to send someone else a message, my keys won’t work.

This last point is very crucial. In order to have a conversation, you and your friend both have to have a public and private key set. You will keep your private key a secret, and your friend will keep theirs a secret. But, you have to email your public key to your friend and your friend has to email you their public key.

Once the exchange of public keys is complete, you can have a conversation.

How a Conversation Works

There are two parties to the conversation: You and your friend (who we will call “Friend” for simplicity’s sake).

  1. You send friend your public key.
  2. Friend sends you their public key.
  3. You use Friend’s public key to encrypt a message to them.
  4. You send the encrypted message to Friend.
  5. Friend receives the message.
  6. Friend uses his private key to decrypt the message.
  7. Friend reads the message.
  8. Friend uses your public key to encrypt his response.
  9. Friend sends you the message encrypted with your public key.
  10. You receive the message from your friend.
  11. You decrypt the message using your private key.
  12. You read the message.

At this point, if you want to respond, you’ll return to step 3 and repeat steps 3-12 until the conversation ends.

How RSA Authentication Works

RSA Authentication works similarly to how a conversation between two friends works above. Both sides have to have private keys, and both sides must exchange their public keys so the other side has them. Then, a system known as challenge-response is used to prove to both sides that each is the entity it claims to be.

Typically, a server administrator will setup an application, system service, or daemon to use RSA keys for authentication. When they do this, they:

  1. Generate a public / private key pair for server A
  2. Generate a public / private key pair for server B.
  3. Give server A server B’s public key so that Server A can validate server B when it tries to sign in.
  4. Give server B server A’s public key so that it can validate Server A when it tries to sign in.
  5. Start the relevant system services or daemons.

Now, when server A attempts to authenticate with server B, the conversation goes something like this:

Server A: “Hello. I am Server A. I would like access please.”

Server B looks at the request, and doesn’t trust this “computer” who claims to be server A. So, Server B looks up the public key for Server A, and generates a random “challenge”, which it encrypts with server A’s public key. It then sends the encrypted challenge to the computer claiming to be server A.

Server A receives the encrypted challenge. Since Server A really is who it claims to be, this server has the private key needed to decrypt the challenge from Server B. So, it uses the private key to decrypt the message and finds out that the challenge phrase is “I love world peace and fluffy bunnies”. But, at this point, Server A still needs to convince Server B that they really are the computer they say they are. At the same time, we can’t send the challenge message back to server B in plain text. So, Server A uses Server B’s public key to re-encrypt the message, and then sends it back to server B. This is called the response.

Server B receives the response, decrypts it using its private key, and then checks to make sure the response message is identical to the challenge message. If it is, Server B will grant access. If it’s not, no access will be granted.

Note: In reality, the challenge string will not be human readable. It is much more likely to be a series of randomly generated values like: sxCz3yQ0jj94TNBHCavAK43jiIkOVOTBkSA4oQGClXw=
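
The challenge-response exchange described above, played out with the openssl command line as an added example that is not part of the original post. It follows this primer's description and is not taken from tinc or any other daemon; the function names, the file names in the temporary directory and the choice of OAEP padding are assumptions of the example.

```bash
#!/bin/sh
# Added example: Server B authenticates a peer that claims to be Server A.
# Helper names and key file names are constructed for this illustration.

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# gen_keypair NAME: write NAME.priv and NAME.pub (2048-bit RSA) into $work.
gen_keypair() {
    openssl genrsa -out "$work/$1.priv" 2048 2>/dev/null &&
        openssl rsa -in "$work/$1.priv" -pubout -out "$work/$1.pub" 2>/dev/null
}

# encrypt_for PUBKEY: stdin -> ciphertext only the matching private key opens.
encrypt_for() {
    openssl pkeyutl -encrypt -pubin -inkey "$1" -pkeyopt rsa_padding_mode:oaep
}

# decrypt_with PRIVKEY: ciphertext on stdin -> plaintext; fails on a wrong key.
decrypt_with() {
    openssl pkeyutl -decrypt -inkey "$1" -pkeyopt rsa_padding_mode:oaep 2>/dev/null
}

# authenticate_as_A CLAIMANT_PRIVKEY
# Returns 0 only if the claimant holds the private key that matches the public
# key Server B has on file for Server A.
authenticate_as_A() {
    claimant_priv=$1

    # Server B: random challenge, encrypted with A's public key.
    challenge=$(openssl rand -base64 32)
    printf '%s' "$challenge" | encrypt_for "$work/A.pub" > "$work/challenge.bin"

    # Claimant: decrypt the challenge. Without A's private key this step fails.
    recovered=$(decrypt_with "$claimant_priv" < "$work/challenge.bin") || return 1

    # Claimant: re-encrypt with B's public key so the value is never sent in
    # plain text. This is the response.
    printf '%s' "$recovered" | encrypt_for "$work/B.pub" > "$work/response.bin"

    # Server B: decrypt the response and compare it with the challenge issued.
    response=$(decrypt_with "$work/B.priv" < "$work/response.bin") || return 1
    [ "$response" = "$challenge" ]
}

# Steps 1-4 of the administrator's list: both sides get a key pair and each
# other's public key. The impostor has a key pair of its own, but not A's.
gen_keypair A
gen_keypair B
gen_keypair impostor

if authenticate_as_A "$work/A.priv"; then
    echo "real Server A: access granted"
fi
if ! authenticate_as_A "$work/impostor.priv"; then
    echo "impostor: access denied"
fi
```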

Linux Mint Install – The Step by Step Guide

The Linux Mint Install is an easy setup operation. Linux Mint is a good operating system to learn Linux on because it is an Ubuntu based distribution with lots of community support. The desktop interface is easy to use, and will be a great starter operating system for you.

Step 1: Get Linux Mint on a USB Stick.

If you haven’t done so already, read my article  How to Install Linux from USB to see how to get Linux Mint, how to put it on a USB stick for installation and how to configure your computer to read the USB Stick for installing Linux.

Step 2: Start the Linux Mint Install

When you first boot up, you’ll see a series of screens flash as the system starts up, but eventually, you’ll get to the live screen, which has three icons: Computer, Home, and Install Linux Mint. Click the last one.

The Linux Mint Installation Live Screen

Select Your Language

Pretty self-explanatory here.

Select your language

Check Your Installation Requirements.

Linux Mint will check to make sure that your system meets the basic requirements before installing. They are pretty easy to meet: 6.1 GB of space and an internet connection.

Linux Mint will check your system to see if it meets the (basic) requirements

Select Your Installation Type

You have four options here:

  • Erase disk and install Linux Mint (preferred)
  • Encrypt the new Linux Mint installation for security. (Cool, but requires you put in a password every time you boot, and then you will have to log in as a user once it is done booting. Secure, but requires an extra step).
  • Use LVM with the new Linux Mint Installation. (Not recommended, I’ll explain why below).
  • Something else.

My recommended settings are shown below: just install Linux Mint. The encryption is not really necessary unless you’re a security nut. LVM (logical volume manager) is a great technology, but requires many extra steps if you ever have to do recovery. For that reason, I recommend that you not use LVM unless you have a specific reason to do so.

If you’re learning, just choose the defaults. Encryption is inconvenient, and LVM is complicated to recover if you ever have a problem.

Choose Your Timezone

I’m in EST / EDT. You choose the time zone that applies to you.

Choose your timezone

Select Your Keyboard Layout

Leave this as the defaults (pictured below) unless you have a special keyboard or language requirement.

Leave as defaults unless you have a reason not to.

Complete Your Personal Information

Enter your full name, and let it pick your computer’s name (default). It will also give you a username, which I always leave as my first name because my password is very strong.

For security reasons, you never want to allow the computer to log in automatically. Always leave it as the default: Require my password to log in. You can optionally encrypt your home folder.

Fill out your personal information

Allow the Installation Process to Complete

Once you complete these screens, Linux Mint will begin the installation process. Just sit back, relax, and let it do its thing. Be sure to read all the banners that float by: they will give you some hints of everything you can do with Linux Mint!

Read the banners during the install to find out what you can do with Linux!

Reboot Your System

Once your Linux Mint Install has completed, you’ll be prompted to reboot. Be sure to click the restart now button, then, once your screen goes black you’ll be prompted to remove the USB drive from your system (or else you might be prompted to start the install process all over again!)

Reboot your system, then remove the USB stick!

How to Install Linux from USB

I have had enough of the Unity garbage for the newest version of Ubuntu. My Unity desktop has become unstable on my office machine, so I started looking for another distribution for my office desktop. It’s a work computer, so it has to be a stable, well supported OS. According to distrowatch, Linux Mint has overtaken Ubuntu and become the number one desktop installation worldwide. That’s good news because that means there is a lot of community support. Moreover, Linux Mint is essentially a pre-unity fork of Ubuntu, so it should make for a great operating system. So, I am making the switch. Here’s how to install Linux from USB using Linux Mint 15 as a source distro.

Step 1: Get Linux Mint

Unlike other versions of Linux, there is no torrent download for this distribution that I could find. Torrents are my preferred method of downloading open source operating systems because it saves the developers money on bandwidth, and is usually a great deal faster than a regular download. But, there’s not a torrent (yet) for Linux Mint 15.

Download it from their download page, and select a mirror close to you. My preferred mirror is University of Maryland, College Park because it’s the fastest here in the US.

Step 2: Don’t Bother Burning it to a Disc: Install Linux from USB Instead!

The default download is a .iso file, which should be burned to a DVD. However, I don’t like optical media. I waste DVDs and CDs with these iso’s, and then they get thrown away. I prefer to install from a USB stick. It’s faster, it saves optical disks, there is MUCH less chance that you’ll get a defective disk and therefore a blown / broken installation. It’s an all-round better choice.

I prefer to use the UNetbootin Installer, which you can get from sourceforge.net.

Using the UNetbootin Installer (on Windows)

1. Download the Unetbootin Installer, run the program, and click “I Agree” to the terms and conditions.

2. Select Linux Mint from the Linux Distribution list.

 

Select Linux Mint as Your Distribution

3. Select 10_Live or 10_Live_x64 (if you have a 64-bit system). These templates are more of a set of guidelines than hard and fast rules to follow. The template for 10 works for versions 10-15. If you’re not sure if you have a 64-bit system or not, choose 10_Live (the 32-bit version).

Select Linux Mint 10 to Install Linux Mint 15 from USB

3. When you click browse for step 3, it won’t find your Linux Mint 15 iso because it’s looking for 10. So, browse to wherever you saved the download, and then type *linux* in the file name box, and press open. Your Linux Mint 15 .iso file will magically appear. Select it, and click open.

When searching for your downloaded ISO file, change the file mask to *linux* to reveal it.

4. Select your USB drive (in my case, it was drive Q:). Be sure that you select the correct drive here! You could accidentally erase your hard drive if you select the wrong one!

4. Click OK. It will immediately scare you with a warning message (pictured below). Just verify that you have the right drive letter for your USB drive. As long as you have that correct and there is nothing on that stick that is important, click “Yes to All.”

Install Linux from USB Step 5 – Click Yes to All to Erase your USB Stick and put Linux On it.

5. Click Exit when you get the completed message. You don’t want to reboot here, unless you are removing Windows from the computer you’re using to set up the USB stick. Typically, you’re going to be installing Linux on a different computer than the one you are using to complete this procedure.

Once it has completed the file transfer process, click Exit

When it completes, you’ll finally have a working USB stick from which you can install Linux. But this wouldn’t be a complete article on how to install linux from USB unless I covered the all-important BIOS settings.

Set Your BIOS to Boot from the USB Drive

Every BIOS is different. So, you have to get the concept in order to be successful. When your computer boots up, the BIOS (Basic Input Output System) has a list of devices that it will look at in order to determine which one it should boot from. You want to configure the BIOS to boot from removable disks FIRST and the hard drive second. That way, if a USB drive is plugged into your computer, it will see that drive, check it to see if it is bootable, and if it is, boot from it. If it’s not bootable or not plugged in, it will go on to the hard drives and boot from those.

Here is an example BIOS screen to help you see what you’re looking for. Most BIOS screens have a boot section. And, in that section, you can select the boot order of the devices. Make sure:

  • Booting from USB is enabled
  • Removable devices / USB devices are first, and your hard drives are second.

To Setup Your BIOS to Install Linux from USB:

1. Reboot your computer.

2. At the POST screen (the very first screen you see), press whatever key it tells you to “enter setup.” Typically, this is either del, F2, F8, F9, or F10.

3. Find the Boot section, and re-order the boot devices as detailed above.

Setup the boot order so that removable devices boot first when present in the system.

Once you have properly configured your BIOS, press F10 to save and exit. Your system will now reboot, and (if you have the USB drive plugged in) it will boot and install Linux!

Continue On to the next step and read Linux Mint Install – The Step by Step Guide

How to Fix the vsftpd GnuTLS Error 15 with FileZilla on Ubuntu 12

Like many of you around the interwebs, you have been upgrading your Ubuntu 10.04 LTS boxes to 12 because 10 is getting end-of-life’d. And, of course, it is not without headache. You upgrade your server, re-install vsftpd from apt, copy over your config files, and it starts up just fine. Then you try to connect to vsftpd with your FileZilla FTP client, and the vsftpd GnuTLS Error 15 shows up in the FileZilla log. It worked before, but now it doesn’t. Here’s how I fixed it.

Creating a Network Lab for Server Pre-Deployment

Wouldn’t it be wonderful if you could prepare a network lab that would allow you to build a server and fully test it (including the production network configuration) before deploying it to a client’s office? As an IT consultant, you will reap many benefits by fully testing a server or a system in a network lab before it ever hits the client’s office. For starters, if something breaks, is mis-configured, doesn’t work, or is just plain wrong, you can fix it at your leisure and without the client ever knowing you made a mistake. If you try to build out servers and systems at the client’s office, however, they are going to see every hiccup and every mistake, which damages your credibility with them.

In this article, I will teach you how to build a network lab that you can use to completely re-create your client’s network inside your own lab, so that not only can you build the server before you give it to the client, but you can fully test it (including its network configuration) before deploying it.

Understanding the Concept

Essentially, we are going to create two concentric networks inside your existing LAN. (This makes a grand total of three concentric networks with an internet connection.)

In order to create each of these concentric networks, we’ll need to configure a router to route traffic appropriately between them. For the sake of simplicity, just know that with every router, a new circle is created. And, the router doesn’t care that the circle you are creating is a private or public network. It just routes traffic.

By definition, a router is a device that joins two networks together. The secret is: it doesn’t care what the networks are. While IP address calculation and subnetting are outside the scope of this article, I will tell you that you can create a small network inside your network that will mimic the public internet at your client’s place.

Terms Used in this Article

PseudoWAN: The emulated WAN or public internet connection we create inside your LAN, which serves to mimic your client’s internet connection.

PseudoLAN: The emulated local area network that is inside your LAN, which serves to emulate your client’s LAN.

AlphaRouter: The router that connects your LAN to the PseudoWAN (and by virtue of its existence and configuration, creates the PseudoWAN inside your LAN.)

AlphaSwitch: The switch that lives in the PseudoWAN.

BetaRouter: The router that connects the PseudoLAN to the PseudoWAN (and by virtue of its existence and configuration, creates the PseudoLAN).

BetaSwitch: The switch that lives inside the PseudoLAN.

Network Universe: The entirety of the three concentric networks, which include your LAN, the PseudoWAN, and PseudoLAN.

What Hardware You’ll Need

Routers

To do this, we are going to need two routers in addition to the one you are already using, some cables, and the computers you are going to hook up to test in configuration. For the purposes of this article, we are going to use a Linksys WRT54G, but most any router that allows you to fully configure both the WAN address and the LAN address will do. (If you’re lucky enough to have a WRT54GL and can put either the Tomato firmware or DD-WRT on it, that’s even better!).

Your Client’s Network Topology

You’ll need to know what IP addresses your client uses. Smaller offices use a 192.168.x.x/24 network. You’ll need to figure out what they are using so you can properly configure your pseudo network.

Your Client’s ISP Configuration

You’ll need to get your client’s IP address block information so you can successfully create the pseudo public internet. For the purposes of this tutorial, we are going to use a 6 host block, which gives us 5 usable IP addresses. The IP addresses we have available are:

  • 1.2.3.1
  • 1.2.3.2
  • 1.2.3.3
  • 1.2.3.4
  • 1.2.3.5

Our gateway is 1.2.3.6, and the network is 1.2.3.0/29 (this is the same as 1.2.3.0 with a subnet mask of 255.255.255.248).

So, our IP configuration for our first usable IP is going to be:

Address: 1.2.3.1
Netmask: 255.255.255.248
Gateway: 1.2.3.6

We will make this the firewall address.

Our second usable address will be configured to be a server. Its network configuration will be:

Address: 1.2.3.2
Netmask: 255.255.255.248
Gateway: 1.2.3.6
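
A way to sanity-check this addressing plan before configuring any router, as an added example that is not part of the original article. The function names (ip_to_int, classify, check_plan) are hypothetical; the addresses are the article's example block.

```shell
#!/bin/sh
# Added example: validate the PseudoWAN addressing plan before configuring
# any router. Function names are hypothetical; the addresses are the
# article's example block (1.2.3.0 with netmask 255.255.255.248).

# ip_to_int ADDR: print a dotted-quad IPv4 address as a 32-bit integer.
# Fails on anything that is not four decimal octets in 0..255.
ip_to_int() (
    set -f          # no globbing while the address is split on dots
    IFS=.
    set -- $1
    [ $# -eq 4 ] || exit 1
    for o in "$@"; do
        case $o in
            ''|0?*|????*|*[!0-9]*) exit 1 ;;  # empty, leading zero, too long, non-digit
        esac
        [ "$o" -le 255 ] || exit 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# classify ADDR NETWORK NETMASK
# Prints one word: host, network, broadcast, outside, or invalid.
classify() (
    ip=$(ip_to_int "$1") && net=$(ip_to_int "$2") && mask=$(ip_to_int "$3") ||
        { echo invalid; exit 0; }
    base=$(( net & mask ))
    bcast=$(( base | (~mask & 0xFFFFFFFF) ))
    if [ $(( ip & mask )) -ne "$base" ]; then echo outside
    elif [ "$ip" -eq "$base" ]; then echo network
    elif [ "$ip" -eq "$bcast" ]; then echo broadcast
    else echo host
    fi
)

# check_plan NETWORK NETMASK GATEWAY ADDR...
# Prints one line per problem; exit status is 0 only when the plan is clean.
check_plan() (
    net=$1 mask=$2 gw=$3
    shift 3
    rc=0
    seen=" "
    [ "$(classify "$gw" "$net" "$mask")" = host ] ||
        { echo "gateway $gw: not a usable host address"; rc=1; }
    for a in "$@"; do
        kind=$(classify "$a" "$net" "$mask")
        if [ "$kind" != host ]; then
            echo "$a: $kind"; rc=1
        elif [ "$a" = "$gw" ]; then
            echo "$a: collides with gateway"; rc=1
        fi
        case $seen in
            *" $a "*) echo "$a: assigned twice"; rc=1 ;;
        esac
        seen="$seen$a "
    done
    exit $rc
)

# The article's plan: firewall on .1, public server on .2, gateway on .6.
check_plan 1.2.3.0 255.255.255.248 1.2.3.6 1.2.3.1 1.2.3.2 && echo "plan OK"
```
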

Map Out Your Network Lab

I highly advise that you draw out what you’re about to make and put in the relevant IP addresses for all the equipment. It will make it a lot easier to understand and a lot more efficient to build. Below, you will find the network map of the example Network Universe we are building. You can see that it flows from top to bottom, from the internet, to the LAN, to the pseudo public network for the client, to the client’s pseudo network. Be sure to come back to this diagram and reference it as you read the rest of this tutorial and even as you build your own network universe.

Mimicking the Public Internet

To create our own, personal, version of our client’s internet connection, we’ll need to configure the first router to create the same network conditions that exist at our client’s office. Thus, we need to create a gateway for their block of public IP addresses. So, let’s grab our Linksys router, and configure the WAN and LAN sides of the router so it will act like our client’s ISP’s gateway.

WAN is LAN and LAN is WAN!

The WAN port of the Linksys router will need to be configured as an address on your local LAN. This allows the router to pass information into your LAN from our pseudo networks. So, let’s configure it to be 192.168.1.15/24.

Now, let’s configure the LAN side to be the gateway of the WAN for the client. Enter your client’s public gateway IP address in for the LAN IP address of the router, configure the gateway, and disable the DHCP server, then click save.

Now, plug the WAN port from this router into the switch on your network, and plug the LAN port into a switch. Your public network is now operational.

Installing Your Public Server in the PseudoWAN

  1. Connect your server’s LAN card to the switch, which is connected to the router we just setup.
  2. Configure the network card of your server with the following:

Address: 1.2.3.2
Netmask: 255.255.255.248
Gateway: 1.2.3.6

Restart the networking services if necessary, and use ping to verify you can ping the gateway 1.2.3.6. Next, use ping to verify that traffic from the PseudoWAN is traversing the router properly and entering your LAN: ping your gateway (192.168.1.1). Lastly, confirm that network traffic can get from your PseudoWAN, through your network, and out on to the public internet by pinging Google’s DNS Servers: 8.8.8.8.

Assuming that all three of these ping tests receive replies, you are clear to move to the next step. If you get packet losses at any of the steps above, go back, and reconfirm your settings.

Setting Up the PseudoLAN

This process is done with a second router. You can use the same make and model router as you used before. They do not have to be different. Again, we are using a WRT54G in the examples.

1. Plug the WAN port of the BetaRouter into the AlphaSwitch.

2. Configure the WAN port of the BetaRouter with the following:

Address: 1.2.3.1
Netmask: 255.255.255.248
Gateway: 1.2.3.6

3. Configure the LAN

First, you’ll need to change the LAN IP address, and click Save / Update because until you do that, the DHCP server range will be inaccurate. Once you have done that, you can configure the DHCP server range, and click save / update again. Configure the LAN IP of this router to be the gateway of the PseudoLAN, which mimics the LAN in your client’s office.

Add Client Computers to the PseudoLAN

At this point, you can add a computer to the PseudoLAN, and give it an IP address that is identical to what it would have while in production at your client’s office. Once you have a computer setup, use ping to verify connectivity from that computer to the PseudoLAN gateway (192.168.10.1), the PseudoWAN gateway (1.2.3.6), your LAN gateway (192.168.1.1), and finally the public internet (Google’s DNS at 8.8.8.8). When all those tests come back positive with good replies, you have successfully built your network universe to parrot your client’s network so you can build and install!
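
The ping sequence described above (and in the earlier PseudoWAN test), as an added script that is not part of the original article. It probes the hops from the inside out and names the first one that does not answer; the function names are hypothetical, and the ping options assume the Linux iputils ping.

```shell
#!/bin/sh
# Added example: walk the lab's gateways from the inside out and report the
# first hop that does not answer. Function names are hypothetical; the
# addresses are the ones used in the article.

# probe ADDR: succeed when ADDR answers. Assumes Linux iputils ping
# (-c count, -W per-reply timeout in seconds). Redefine to test offline.
probe() {
    ping -c 3 -W 2 "$1" >/dev/null 2>&1
}

# walk_hops "label=address"...
# Probes each hop in order. Prints "ok" for every hop that replies and
# stops at the first failure, naming the segment to re-check.
walk_hops() {
    prev="this machine"
    for hop in "$@"; do
        label=${hop%%=*}
        addr=${hop#*=}
        if probe "$addr"; then
            echo "ok   $label ($addr)"
            prev=$label
        else
            echo "FAIL $label ($addr): check the link or router between $prev and $label"
            return 1
        fi
    done
}

# The four hops a PseudoLAN client crosses, in the article's order.
lab_check() {
    walk_hops \
        "PseudoLAN gateway=192.168.10.1" \
        "PseudoWAN gateway=1.2.3.6" \
        "LAN gateway=192.168.1.1" \
        "public internet=8.8.8.8"
}

# Run the check only when asked: sh labcheck.sh run
case "${1:-}" in
    run) lab_check ;;
esac
```

From a server in the PseudoWAN, call walk_hops with only the last three hops, since that machine does not sit behind the PseudoLAN gateway.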

 

How to Install Software on Linux

If you want to install software on Linux computers, the software manager (called a package manager) makes it very easy. But first, there are a couple of terms and concepts you should know. Nothing complicated, just slightly different from the Windows world. Software applications are called “packages” in the Linux world. So, when we mention a Linux package, we are talking about a software program or application. The terms are used interchangeably.

Debian based systems (Debian, Ubuntu, Mint) use a package manager (software manager) called apt to install and uninstall programs. Most of the time, you’ll use the apt manager to install and remove packages from your system. There are, however, a few instances when you will manually setup some packages. We’ll go over those shortly.

Software (packages) are installed from the internet, so you have to have a working internet connection to get new and updated versions of packages. There are five commands you need to know to successfully manage your system:

  1. apt-cache search [search term] (helps you find programs you want or need)
  2. apt-get install [package name]
  3. apt-get remove [package name]
  4. apt-get update
  5. apt-get upgrade

Always Update First

To ensure you have the newest, latest, and greatest information about the repositories that contain the packages you want or use, always use the apt-get update command before performing any management tasks. This command tells the system to go on to the internet and download the latest list of packages that are available including information about updates, patches, and new versions that have been released.

It doesn’t matter if you just did this yesterday or even a couple of hours ago. It’s always best to do it again and again right before you manage your packages or do updates.

To update your apt package manager, use the following command:

apt-get update

Searching for a Package

The syntax to search for a package is:

apt-cache search [package name]

For example, let’s say I want to find the firefox package. I would use this command:
apt-cache search firefox

This returns a list of all the packages that contain the word firefox. In this case, there are about a page and a half of listings. When choosing a package, Occam’s razor is usually the best thought process to apply: the simpler the better. Among the two pages of solutions, is a simple listing: firefox – Safe and easy web browser from Mozilla. This is the right listing.

Here’s a big hint: don’t be afraid to use Google to figure out which package you really want. Search for something like “ubuntu 10 apt-get” and the name of the software you want to install. (Don’t forget to put the version of the operating system you have in the search!)

How to Install Software on Linux

We now know that firefox is the package name for the Firefox web browser, so we can install it with this command:

apt-get install firefox

Removing Software

If, at any time, we want to uninstall the Firefox browser from our system, we can remove the package with this command:

apt-get remove firefox

Getting Upgrades

Upgrades under Linux are extremely easy. At any time you want to check for, download, and install updates, simply use this command:

apt-get upgrade

As stated before, you want to run the apt-get update command before doing maintenance on the system. This is especially important when you do upgrades. You can even combine the commands into a single line by executing:
apt-get update && apt-get upgrade

vim: Your Linux Editor of Choice

The most important thing you need in any Linux system is a text editor. All configurations are controlled by text files in Linux, and so without a text editor, you cannot get anything to work.

While there is a lot of opinion out there on what editor you should choose, I recommend vim. While many people say that vim is only for hard-core administrators, I recommend it because it is universally available on all systems. Its predecessor (vi) even comes installed with all versions of Linux.

Many people object to vim because it is difficult to learn. There are no menus or gui hints, and all the commands are hotkey based. For many people (like me) that makes it incredibly attractive, but for new users or people migrating from the hand-holding world of Windows, this can be a challenge. Fortunately, you only have to know a couple of commands to put vim (or vi) to work for you.

Installing vim

By default, only vi comes with your Linux operating system. So, you’ll need to install vim with the following command:

sudo apt-get install vim

Starting vim

To start vim, you need only type vim followed by the file you want to edit. In this example, we are going to create a new file called helloworld.txt:

The Interface

The interface has several key parts, which are shown below. One important difference between vim and other editors is the tilde ( ~ ) that shows you where the file ends. In our example, this file is empty, and so you see a series of ~ characters beneath the cursor, which visually indicate where the file ends. Also, the file’s various status indicators are shown at the bottom of the window. They are (from left to right) the file name, a new file indicator, the cursor position (row, column) and the percentage of the file that is currently viewable.

File Editing Basics

There are really only three commands you need to edit files in vim: i, w, and q.

The ‘i’ command sets the editor into “Insert Mode,” which allows you to insert text into the file. Use this command to change files or add information to files. Note: it will only insert text, and will not overwrite text. So, to delete text while in insert mode, you’ll need to use the backspace or delete key.

Once you are done adding / editing text, press the escape key (ESC) to exit insert mode.

Saving the File and Exiting Vim

File operations are done in the command console, which you can access by typing a colon ( : ). Saving a file (writing a file to disk) is accomplished by typing :w and pressing enter. This opens the file console, and issues the write command.

Quitting the file is done much the same way. Use the :q command to quit the program and exit to the shell.

As a shortcut to write changes and exit vim, you can combine the commands into :wq.

Editor Configurations

Vim is unbelievably powerful. Most users only use a fraction of what it is capable of doing. It has a built in macro recording feature, code and syntax highlighting among other powerful features.

There are two features that I highly recommend you use when working with vim, and one that should be turned off.

Turn on:

  • Color scheme. Changing the color scheme makes files easy to see and work with.
  • Auto Indent. This automatically indents files to make them easier to format and read. For example, if you make one line indented for formatting reasons, autoindent will automatically set the next line at the same indent depth, which relieves you from having to tab over for each line.
  • Syntax highlighting. This changes the color of reserved words for various programming languages and system files so that you can easily see what words the system recognizes.

You can manually turn these on using the following commands:

:colorscheme blue
:set autoindent
:syntax on

Turn Off:

  • Word Wrap.

Configuration files frequently get longer than the screen can display. When dealing with human readable text, like a letter, word wrap moves the line of text down to the next line and neatly formats it. However, in the computer world (especially when dealing with programming, scripting, or configuration files) word wrap can make those files difficult to read and decipher. Consequently, I recommend you turn word wrap off to leave commands intact and on a single line when they are supposed to be on a single line. Use this command to turn word wrap off:

:set nowrap

Setting up Auto Configuration with the .vimrc File.

No one wants to type 5 commands to setup vim every time they start the program. Fortunately, there is a simple way that you can configure vim to set itself up every time you start the program. The .vimrc file is like the autoexec.bat file in Windows, except instead of running whenever the system is started, it is run whenever the vim program is started. Simply create this file in your home directory, and put the commands we listed above in it, save the file, and vim will configure itself just the way you want it whenever it is started up:

  1. At the command prompt, type: vim ~/.vimrc, and press enter to edit the .vimrc file in your home directory.
  2. Add in the commands we listed above.
  3. Save the file, and exit vim (use the :wq command).

Here is what my .vimrc file looks like: