ZeroNet Blogs

Static ZeroNet blogs mirror

Jita

Information wants to be free, let's free it together !

Shadowsocks, on Windows this time

- Posted in Jita by with comments

Following my article about shadowsocks on Linux, I was asked if I could do the same on Windows since it is still by far the dominant OS in China, ask and you shall receive indeed !

First, let's grab the latest shadowsocks-win client which is version 4.0.4 as the time of writing, it consist of a single exe in a zip file, unpack and run and you should see it's UI :

image.png (482x380)

Next, fill it with your shadowsocks credentials, this was again the tricky part for me since I'm not aware of good, reliable shadowsocks servers.

The haoboji.com server which worked yesterday didn't worked today for some reasons, perhaps too much load since it's the middle of the afternoon in Singapore ? All in all, the Windows vs Linux configuration is pretty much the same if you abstract the UI, as expected.

After this step, configure Firefox like we did on the Linux article :

Alt -> Edit -> Preferences -> Advanced -> Network -> Settings -> tick "Manual Proxy configuration"

and fill 127.0.0.1 on the SOCKS host field and 1080 on the port field, tick SOCKS v5 and tick Proxy DNS when using SOCKS v5

Restart Firefox

So it's quite easy to get started with shadowsocks as a program, really nothing too technical and according to the few reports I read, it still better than a VPN when connecting from China since the GFW use machine learning algorithm to recognize VPN connections and throttle them (clearnet ! [link] [link2]) but the devil is in finding a proper server that you can trust or building a shadowsocks server yourself, something I want to try now :)

Also worth mentioning that if you're on such a country which spies on it's citizen with such high stakes if you get caught doing something deemed illegal, it's well worth investing some time installing/configuring a proper Linux / BSD instead of using Windows.

Safe surfing !

寻找这篇文章的中文翻译 // Looking for Chinese translation of this article !

Living in Europe, I never really had to worry about bypassing any firewall to browse Internet, merely using a VPN to somehow gain a bit more of anonymity.

Here in Zeronet I discovered that many Chinese users are in need of a solution to bypass the Great Firewall, one of the usually mentioned one is shadowsocks, I thought I would give a look at it and try to make it work.

First, I installed the shadowsocks-libev-3.0.6 since I'm using Linux and that's the one available on the repository of my distro.

The configuration file on my system is located at /etc/shadowsocks-libev/shadowsocks.json and looks like this by default :

{
    "server":"my_server_ip",
    "server_port":8388,
    "local_port":1080,
    "password":"barfoo!",
    "timeout":600,
    "method":"aes-256-cfb"
}

Next, you'll have the difficult task to find a Public Shadowsocks proxy server that you can trust or you can build yours on a VPS, for the sake of this test, I choose the 1st option and tried with the one from https://streisand.haoboji.com/shadowsocks/

**/!\ Big disclaimer /!** I do not vouch for this shadowsocks proxy security/trustworthyness ! This is a PoC, I'm sure experienced shadowsocks users might have a better overview of the public proxy landscape or other solutions. I will update this article if I can gather more info.

After configuring the JSON file we mentioned earlier with the information on this page, the program itself can be started like a regular unix service :

service shadowsocks.client start

Next, configure Firefox to browse through the proxy :

Alt -> Edit -> Preferences -> Advanced -> Network -> Settings -> tick "Manual Proxy configuration"

and fill 127.0.0.1 on the SOCKS host field and 1080 on the port field, tick SOCKS v5 and tick Proxy DNS when using SOCKS v5

Restart Firefox, If you check your IP before/after starting Shadowsocks on https://www.iplocation.net/ you should see the difference, in my case, my HTTP connection were routed from my VPN provider through Singapore.

before-after.png (640x180)

I'm still discovering this software so I cannot guarantee the security is top notch but hey, it works !

I'm open to ALL criticism, I know having difficulties/risk accessing a non-controlled internet is a real deal for many persons.

寻找这篇文章的中文翻译 // Looking for Chinese translation of this article !

Depending on your computer OS/setup you man not have the Chinese characters displayed properly out of the box on your browser, leading an incomprehensible stream of the standard Unicode block character.

Fortunately, this can easily be fixed by installing a font which support Chinese, in this case, noto-cjk did the trick perfectly.

It's should be available on most Linux distros repos, it's also available there : https://www.google.com/get/noto/help/cjk/

If for some reasons it doesn't work, take a look at about:preferences#content -> Advanced -> Fonts for Simplified Chinese and select Noto Sans CJK SC for Sans & Sans-Serif

image.png (601x508)

Happy reading ! 快乐阅读 !

hertzme.jpg (625x299)

There's a lot of interesting Youtube channels around, here's some I really like, mainly about science, applied science, philosophy and vulgarization, the list will hopefully grow over time, feel free to suggest some !

English-speaking

Kurzgesagt : Various topics in a nutshell, well presented and documented : https://www.youtube.com/user/Kurzgesagt

Crashcourse : Computer science, Sociology, History and much more in crash course format : https://www.youtube.com/user/crashcourse

Computerphile : Computer history and computer engineering deep dive, a must for any computer lover ! : https://www.youtube.com/user/Computerphile

French Speaking

E-penser : Réflexions et explications sur progression de la science à travers l'histoire, mécanique quantique : https://www.youtube.com/user/epenser1

Dany caligula : Philosophie, question de société actuelles, travail, tout y passe ! : https://www.youtube.com/user/DanyCaligula

Science Etonnante : Topics scientifiques variés exposés avec brio et beaucoup de mesure :

https://www.youtube.com/user/ScienceEtonnante

Paf le geek : Informatique, sécurité et vie privée, chiffrement et réseaux décentralisés : https://www.youtube.com/channel/UCCSHWqosFfYJY5v2WqbTLhg

Feedback welcome, please share these channels around you if you like them, they need our support :)

vfio2.jpg (1200x675)

This post is not a tutorial, merely some notes sharing about a working setup I've made in 2016 and maintain since. Feel free to let me know if something needs to be added/corrected :)

Windows has been the PC gaming platform for more than two decades and while Linux games are on the rise, including AAA titles like Shadow of Mordor, Tomb Raider, the XCOM series, Rocket League or Total War, many titles remains Windows-only.

Maintaining a dual-boot system is often still the go-to solution to play Windows games, you may have some luck with Wine but not all games are supported.

There's however a third option to play Windows games from Linux : VFIO which stands for Virtual Function I/O and allows you to give a piece of hardware like a GPU or a NIC to a Windows Virtual Machine.

Assuming you met the prerequisites, you can with a bit of work get an extremely good performance out of such a setup, around 95% of a comparable bare-metal Windows install.

For that, you'll need :

  • An Intel processor with VT-x and VT-d instructions or AMD-Vi

  • A compatible motherboard

  • 2 GPUs (one discrete for the VM and one integrated for the host for instance)

  • enough spare RAM anc CPU juice to run both a Linux host and the Windows VM

In this blog post, I'll document some of the steps I've taken to get a working setup.

These notes focus on Intel CPU and Nvidia GPU as I don't own another type of hardware, that being said, some parts are hardware agnostic.

These notes use the most "recent" KVM VGA passthrough method which is OVMF + vfio-pci (compared to Seabios + pci-stub) and requires a GPU with EFI ROM

Software :

Gentoo amd64, Linux kernel >= 4.6.x
QEMU >= 2.5.1 + KVM
virt-manager >= 1.3.2 & libvirt >= 1.3.5
OVMF
Windows 10 Pro VM

Hardware :

Intel Core i5-3470
ASRock B75 Pro3
Intel HD (IGP)
Nvidia GTX 750 Ti (Discrete GPU)
16 GB RAM

Part 1 : Host system setup

Kernel configuration

CONFIG_VFIO_IOMMU_TYPE1=m
CONFIG_VFIO_VIRQFD=m
CONFIG_VFIO=m
CONFIG_VFIO_PCI=m
CONFIG_VFIO_PCI_VGA=y
CONFIG_VFIO_PCI_MMAP=y
CONFIG_VFIO_PCI_INTX=y
CONFIG_VFIO_PCI_IGD=y
CONFIG_KVM_VFIO=y
CONFIG_IOMMU_HELPER=y
CONFIG_VFIO_IOMMU_TYPE1=m
CONFIG_IOMMU_API=y
CONFIG_IOMMU_SUPPORT=y
CONFIG_INTEL_IOMMU=y
CONFIG_INTEL_IOMMU_SVM=y
CONFIG_INTEL_IOMMU_DEFAULT_ON=y
CONFIG_INTEL_IOMMU_FLOPPY_WA=y

For easier sound handling, I've found than compiling snd_hda_intel in kernel rather than as a module works perfectly (no need to unload/reload the kernel module)

Kernel boot options

edit /etc/default/grub and add to GRUB_CMDLINE_LINUX

intel_iommu=on

Then regenerate grub2 menu with

grub-mkconfig -o /boot/grub/grub.cfg

Check IOMMU groups

This command should report the various IOMMU groups from your machine (An IOMMU group is the smallest set of physical devices that can be passed to a virtual machine.)

if there's nothing it means IOMMU is not properly enabled.

#!/bin/bash

for iommu_group in $(find /sys/kernel/iommu_groups/ -maxdepth 1 -mindepth 1 -type d);
        do echo "IOMMU group $(basename "$iommu_group")";
    for device in $(ls -1 "$iommu_group"/devices/);
        do echo -n $'\t'; lspci -nns "$device";
    done;
done

Isolating the GPU with vfio-pci

Get your vendor-id :

lspci | grep -i vga

note down the first number, it is the slot number i.e 01:00.0

lspci -nns 01:00.0

Note down the last number between "[]", this is the vendor-id, i.e 10de:1380

lspci -nnk -d vendor-id

Edit /etc/modprobe.d/vfio.conf with the vendor-id from your GPU you want to isolate gathered from the previous command, in this example, the vendor-id is 10de:13c2 for the GPU and 10de:0fbb for the audio

options vfio-pci ids=10de:13c2,10de:0fbb

Add these modules to /etc/conf.d/modules (Gentoo/OpenRC specific)

modules="vfio vfio-pci vfio_iommu_type1 vfio_virqfd"

module loading at boot is enabled by

rc-update add modules boot

If you were using the nvidia proprietary Unix driver before, you need to blacklist module loading at boot time by settings up the blacklist in /etc/modprobe.d/blacklist.conf

blacklist nvidia

blacklist nvidia_drm

Reboot, your computer need to be able to run Xorg on top of the Intel IGP to be able to proceed for the rest of the setup.

Check that your GPU is correctly isolated

$ dmesg | grep -i vfio
[    0.329224] VFIO - User Level meta-driver version: 0.3
[    0.341372] vfio_pci: add [10de:13c2[ffff:ffff]] class 0x000000/00000000 <-- Good

$ lspci -nnk -d <VENDOR_ID>
Kernel driver in use: vfio-pci <-- Good

Same check for your sound card

If lspci -nnk -d reports a "Kernel driver in use" which is not vfio-pci, there's something wrong.

Make sure these modules are present when you run lsmod

$ lsmod
vfio
kvm
kvm_intel
vfio-pci

QEMU/KVM/libvirt

Below example is for Gentoo & OpenRC, adjust for your distro.

# emerge --ask qemu virt-manager libvirt git
# rc-update add libvirt-guests
# rc-update add libvirtd# service libvirt-guests start
# service libvirtd start

If you plan to user virt-manager, make sure your user is part of the libvirt group so that you don't need to type the root password each time your start it.

usermod your_username -a -G libvirt

OVMF setup

Get OVMF firmware via https://www.kraxel.org/repos/jenkins/edk2/ and choose the

edk2.git-ovmf-x64-[_some_date_] RPM.

Unpack it and copy OVMF-pure-efi.fd and OVMF_VARS-pure-efi.fd to /usr/share/ovmf/x64/, creating the directory if needed.

Add this line to /etc/libvirt/qemu.conf :

nvram = [
        "/usr/share/ovmf/x64/ovmf_x64.bin:/usr/share/ovmf/x64/ovmf_vars_x64.bin"
]

Create a new machine with virt-manager and check "edit settings" before finishing the setup, change firmware from BIOS to UEFI (or to "Custom: /usr/share/ovmf/x64/ovmf_x64.bin").

At this point you should be able to install Windows through the VGA console.

If you're dropped to an EFI shell, make sure the ISO you wish to boot is correct, try with a recent Ubuntu release for instance.

Part 2 : Guest VM setup

The XML configuration of the VM is located at /etc/libvirt/qemu, should you edit it, do it with virsh edit , do NOT edit with your editor directly since XML validation is done by virsh (and you want it)

When the Windows install is done, shutdown the VM and give it the GPU through the virt-manager GUI.

Boot the VM with standard virtualized VGA adapter and install the nvidia drivers (tested with Nvidia Geforce driver 368.81 WHQL)

Networking

One effortless way is to get an USB WiFi adapter and passing-through the USB device to Windows directly using virt-manager, otherwise, best to look at bridging.

Bugs

  • nvidia code 43

Recent nvidia drivers block the driver if it runs on top of an hypervisor, the workaround is to hide KVM and enable some hyper-v-related tweaks :

Qemu 2.5+ supports the hv_vendor_id flag that lets you change the vendor ID. It was discovered that this is whats used by the nvidia drivers to detect hyper-v, so changing the vendor ID allows you to use all the enlightenments without upsetting nvidia

via libvirt :

edit your VM XML definition with virsh edit your_vm_name

<domain type='kvm'>
...
  <features>    <acpi/>    <apic/>    <hyperv>      <relaxed state='on'/>      <vapic state='on'/>      <spinlocks state='on' retries='8191'/>      <vendor_id state='on' value='whatever'/>    </hyperv>    <kvm>      <hidden state='on'/>    </kvm>  </features>...
</domain>
  • Prevent Windows to install nvidia drivers

You might need to set this up so that Windows doesn't try to update your nvidia driver unattended, as newer drivers are sometimes more locked down or require workaround to work on a VM, we prefer to update them manually (with a VM snapshot as a safety net !)

prevent_driver.PNG (1080x697)

Resources

The best resource I know is the VFIO subreddit at https://www.reddit.com/r/vfio and this Arch Wiki page https://wiki.archlinux.org/index.php/PCI_passthrough_via_OVMF

Footnotes

VFIO is not a silver bullet ! When it works, it's pretty great but it can be kind of a pain (bugs/regression, slow I/O if you don't use the VM often or on an HDD rather than an SSD, maintaining Windows, ...)

I believe we must strive to vote with our wallet when buying games, Linux as an open gaming platform is still a work in progress, let's make sure we support it !

The video which started it all for me :

https://www.youtube.com/watch?v=37D2bRsthfI

Inspired by a post on ZeroMe, I thought I would write an overview of some Linux backups methods I personally use (meaning I can talk a bit about it without bullshitting you, dear reader), it's thus not meant to be exhaustive by any means (there'll be links at the bottom for that) but can hopefully give you some easy to implement ways to saveguard the data you care about

  1. File-level

1.1 tar

The good old tar was born in 1979 when Unix was still a Bell Labs project. It has become the defacto archive format on *nix ever since.

tar can create archives of files scattered around on your system easily if you feed it a list of the files/folders you wish to backup :

tar -T files_list.txt -czf /backups/archive-20170520.tar.gz

Where files_list.txt needs to be on this format, one line per folder/file :

/home/user/Documents

/home/user/file1

For proper security, you may encrypt your archive at a later stage with gpg such as

gpg -o /backups/archive-20170520.tar.gz.gpg -c /backups/archive-20170520.tar.gz

Beware that the encryption doesn't remove your original file, you wave to remove it yourself if you wish to.

1.2 rsync

rsync is a smarter cp, it can understand which files are already on the destination location and process delta between them.

It has a huge list of options which will be too much to cover in this overview and can be used over SSH.

One simple invocation could be :

rsync -av /home/user/Documents /backups/Documents

2. Block/inode/filesystem-level

2.1 xfsdump

XFS is a high performance filesystem which originates from the 80's/90's IRIX operating system, the same company (SGI) created the open-source 2D/3D API OpenGL which powers many games and software. Kudos !

If you're using it, xfsdump is a no-brainer for very fast live (with filesystem mounted !) backups, two years or so ago, I moved my system from ext4 to XFS just to get this feature and it has been good to me, including 2 full systems restore since I'm good at breaking stuff apparently :)

xfsdump -F -M myFSlabel -L sessionLabel -l 0 - / | pigz --fast > $destination.gz

This create a gzip2 compressed xfsdump archive in a bunch of minutes of your XFS filesystem. The compression ratio is usually pretty good at -310% on a random archive I made recently.

If you want to encrypt the backups, you may pipe the stream to gpg it's usually preferable to do it at backup time due to the size of the backup and the length it takes to do it.

Restoring it is just a matter of

  • booting a liveCD/USB

  • mounting the partition where you want your backup to be restored (has to be an XFS filesystem of course, can be a recently formatted one)

mount /dev/sda1 /restore_destination

  • Unpack the xfsdump file from the gz archive

gzip -d Gentoo-root-20052017.xfsdump

and then run

xfsrestore -f Gentoo-root-20052017.xfsdump /restore_destination

tl;dr : Do backups and make sure you can restore them, there's plenty of options and when run frequently, they are very worth the initial effort.

3. Links

The Arch Wiki has en extensive list of backup and sync programs at https://wiki.archlinux.org/index.php/Synchronization_and_backup_programs

Also worth taking a look is https://wiki.archlinux.org/index.php/disk_cloning

If you've ever used a Unix-like system like Linux or *BSD, you may know that most of the system is represented as files, allowing you to easily read and (if you know what you're doing !) tweak your system configuration using only your trusty text editor.

But you do you maintain and keep track of these configuration changes over time ? Or across different machines ? Possibly with different operating systems ? On 1, 3, 10, 100 or 1000 machines ?

Enter configuration management tools such as Ansible, Chef, Puppet or Saltstack which will be the focus of this blog post.

Saltstack (or Salt) allows you to represent your computer configuration as ... code or pseudo-code to be exact, referring a particular system configuration as a state.

As a simple example, let's say you have a specific firewall configuration with port 15441 open to use ZeroNet that you may want to handle.

It involve making sure you have the proper software installed, configuring it via a specific file, and restarting the service.

Doing so in Salt could be represented with this pseudo-code (NB : sorry for the image but the multi-lines code editor looks horribly broken on ZeroBlog)

image.png (298x200)

This basically says :

  1. Make sure iptables is installed (Gentoo format here)

  2. Make sure the contents of /var/lib/iptables/rules-save are the one I defined on the salt://files/iptables_rules file (salt:// being a "shortcut" for a specific folder on your system from where Salt operates)

  3. Reload the iptables service and make sure it's enabled at boot time

Once you've applied your state (more on that later), saving it on a remote location like a Git repository allows you to keep track of your current system configuration and to re-apply/change in a reliable manner it along the lifetime of your system(s)

This post is just an introduction on a subject I like to babble about, feel free to give me your feedback and keep seeding ! :)