Vyos first impression

So I've just started playing with Vyos, a community fork of Vyatta. Vyatta, now owned by Brocade, is a Debian-based Linux firewall/router distro running on x86 hardware. Renamed to "Vyatta, a Brocade company", Brocade sells subscriptions and appliances built around the system. Vyatta has a web GUI, but the command-line structure is, I gather, based on Juniper Networks' Junos, a popular rival to Cisco's IOS.

Vyos is freely available and, like its commercial cousin, runs on x86 hardware and a variety of virtualisation platforms. For my purposes I've just installed it to a VM under VMware Workstation. It is apparently possible to install it to a compact flash card for use in single-board PCs such as the PC Engines Alix; however, the usual problem of limiting writes to that media applies, so logs need to be redirected.

At the time of writing I'm using Vyos Helium, the second major release, v1.1.0. There is no web GUI implemented yet, which personally suits me fine. Command-line tools have a higher learning curve but are so much faster once you know them. The on-board CLI help, like Cisco IOS's, is very useful, with the usual "?" offering the options for the given mode. Yes, like Privileged Exec and Global Configure, the familiar dropping into modes to perform sets of tasks applies here. The "configure" command gets you to global config. Changes are only applied once the "commit" command is given, and "save" stores them to disk.

One of my reasons for wanting to try Vyos, aside curiosity, is that I’ll be working on some Ubiquiti routers shortly. Their Edge OS is another fork of Vyatta and shares the same command syntax, at least thus far.

I'd say I like Vyos a lot at this point, except for one major nag: I'm not currently able to get my Vyos VM working with VMware virtual network adapters in Workstation, so I can't connect this VM to the rest of my internal virtual networks. This may be a misunderstanding on my part, some setting I've missed, or it may only work on VMware vSphere, the bare-metal hypervisor. This is a great shame. I've posted to the Vyos forums but not had a reply. Anyway, I will continue nosing around this issue.

Raspberry Pi as Wifi Access Point

Have your own Linux router / access point, provide guests with wireless network access.

Obviously this uses a Pi model with an RJ45 LAN port and a USB wifi adapter. When sourcing the latter, make sure it is compatible and won't require a powered USB hub. I purchased one from.

Your Pi will need to be connected to the wired LAN, with internet access. It will NAT to its Ethernet address and use a lightweight DHCP server to give wireless clients IP addresses.

This assumes the Pi is already running Raspbian, the SD card image has been expanded, the default password has been changed, and networking with internet access is working. Sudo to root to run the following commands.

Install software.
sudo apt-get install hostapd isc-dhcp-server

Configure DHCP server information for our new wifi subnet.

Using an example network, with the first 10 addresses reserved for static assignment.

nano /etc/dhcp/dhcpd.conf

Comment out the following lines, thus.

#option domain-name "example.org";
#option domain-name-servers ns1.example.org, ns2.example.org;

Uncomment the authoritative directive, which sits below these lines.

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.

Add the following lines at the bottom.

subnet netmask {
option broadcast-address;
option routers;
default-lease-time 600;
max-lease-time 7200;
option domain-name "local";
option domain-name-servers,;
}

Save and exit.

The wifi adapter will likely show up as wlan0. To check, do:


You can use the below command to see if your USB adapter is recognised.


Shut it down whilst we configure DHCP.

ifdown wlan0

Now edit the main configuration file for DHCP server.
Add our wifi interface in.

interfaces="wlan0"

Save and exit.

Configure wlan0.

nano /etc/network/interfaces

Comment out any config lines already present for wlan0 by prepending a #.

Then add

iface wlan0 inet static

Save and exit.

Configuring the hostapd access point daemon.
In order to get the RTL8187CUS driver working, it was necessary to use this replacement for hostapd below.
wget http://www.daveconroy.com/wp3/wp-content/uploads/2013/07/hostapd.zip

Replace the name of the wifi adapter driver listed in the config with yours if different. Check with.


Create the config file and add the below lines.

nano /etc/hostapd/hostapd.conf


Save and exit. Then edit the main hostapd config file to point it to the above setup config.

nano /etc/default/hostapd

Save and exit.

Because our pi will be acting as a router, forwarding from wlan0 to eth0, we need to enable IP forwarding in the kernel. To enable this at boot edit.

nano /etc/sysctl.conf

Scroll to the bottom and add

on a new line. Save and exit.

To enable IP forwarding immediately do.

sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"

Now configure NAT so our wifi users get access to the rest of the network using the pi’s eth0 address.

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT
To enable this at boot, you can save the rules to a file called nat-rules, for example, and have them read back in. iptables-save writes to standard output, so redirect it into the file:

iptables-save > nat-rules

In the file /etc/network/interfaces, under the wlan0 config, add the line below (give nat-rules its full path, since post-up will not necessarily run from the directory you saved it in):

post-up iptables-restore < nat-rules

Bring up wlan0 with.

ifup wlan0

To test the access point run it with.

/usr/sbin/hostapd /etc/hostapd/hostapd.conf

Assuming the AP is working, to have hostapd and the DHCP server run at boot, do:

update-rc.d hostapd enable
update-rc.d isc-dhcp-server enable

Check status with:

service hostapd status
service isc-dhcp-server status

Depending on your distro, you may need to remove WPASupplicant. Do so by running this command:

sudo mv /usr/share/dbus-1/system-services/fi.epitest.hostap.WPASupplicant.service ~/

And then rebooting.
That’s it. :)
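A check for the NAT and forwarding rules above, added here as an example and not part of the original post. It parses iptables-save output (constructed samples: the three rules from the post as iptables-save would print them, and a hardened variant) and reports two things the post's rules leave open: the FORWARD chain still has an ACCEPT policy, and guests on wlan0 are forwarded to anything on the wired side, including the private LAN, not just the internet.

```python
"""Audit an iptables-save dump for the guest AP's NAT and forwarding rules (added example)."""

# Constructed sample: the three rules from this post, as iptables-save would print them.
POST_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -j ACCEPT
COMMIT
"""

# Constructed hardened variant: default-deny FORWARD, and guests kept off the wired LAN.
HARDENED_RULES = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -d 10.0.0.0/8 -j DROP
-A FORWARD -i wlan0 -o eth0 -d 172.16.0.0/12 -j DROP
-A FORWARD -i wlan0 -o eth0 -d 192.168.0.0/16 -j DROP
-A FORWARD -i wlan0 -o eth0 -j ACCEPT
COMMIT
"""

RFC1918 = {"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"}

def parse_save(text):
    """Return ({table: {chain: policy}}, [(table, chain, argv), ...]) from iptables-save output."""
    policies, rules, table = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):                   # table header, e.g. *nat
            table = line[1:]
            policies.setdefault(table, {})
        elif line.startswith(":"):                 # built-in chain policy, e.g. :FORWARD DROP [0:0]
            chain, policy = line[1:].split()[:2]
            policies[table][chain] = policy
        elif line.startswith("-A "):               # appended rule: -A CHAIN args...
            argv = line.split()
            rules.append((table, argv[1], argv[2:]))
    return policies, rules

def _opt(argv, flag):
    """Value following a flag such as -i/-o/-d/-j, or None if the flag is absent."""
    return argv[argv.index(flag) + 1] if flag in argv else None

def audit_guest_nat(text, guest="wlan0", uplink="eth0"):
    """Findings for a guest-AP ruleset; an empty list means every check passed."""
    policies, rules = parse_save(text)
    findings = []
    if not any(t == "nat" and c == "POSTROUTING" and _opt(r, "-o") == uplink
               and _opt(r, "-j") == "MASQUERADE" for t, c, r in rules):
        findings.append(f"no MASQUERADE out of {uplink}: guests get no NAT")
    if policies.get("filter", {}).get("FORWARD") != "DROP":
        findings.append("FORWARD policy is not DROP: anything no rule matches is forwarded")
    blocked = set()  # private ranges dropped so far, walking the chain in order
    for t, c, r in rules:
        if (t, c) != ("filter", "FORWARD") or _opt(r, "-i") != guest or _opt(r, "-o") != uplink:
            continue
        if _opt(r, "-j") == "DROP" and _opt(r, "-d"):
            blocked.add(_opt(r, "-d"))
        elif _opt(r, "-j") == "ACCEPT" and not _opt(r, "-d"):
            if RFC1918 - blocked:
                findings.append(f"{guest}->{uplink} ACCEPT comes before dropping "
                                f"{sorted(RFC1918 - blocked)}: guests can reach the wired LAN")
            break
    return findings
```

If the DNS servers you hand out in dhcpd.conf live on the wired LAN, put an ACCEPT for them ahead of the DROP rules, otherwise guests will lose name resolution.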

Apple iOS VoiceOver Gestures

A list of gestures for VoiceOver on Apple's iOS operating system. At the time of writing I'm using iOS 7.

1 finger Gestures

Touching or dragging one finger around the screen: Speaks and selects the item under your finger.

Double tap: Activate item, button, link etc / open app.

Double tap and hold: Activate drag mode, whereby you can drag icons around to rearrange them and delete apps. Whilst in this mode, if you lift your finger off the screen and double tap an app icon, you will be prompted to ask if you want to delete it. To exit this mode, press the home button.

Triple tap: Fast presses a button.

Swipe left or right: Select the previous or next item.

Swipe up or down: Perform or move to the selected rotor option.


Tap 2 times on the clock in the status bar to scroll to the top in any app.

2 finger Gestures

Hold one finger on the screen and tap with another: Activates split tapping. This is an alternative to the 1 finger double tap to activate a button / open an app.

Tap once: Pause/resume speech.

Tap 2 times: Performs a special action dependent on context, e.g. pause/resume music playback.

Tap 2 times and hold: Add a label to the selected item.

Tap 3 times: Open Item Chooser for current area.

Swipe up: Read all from the first object in the selected area, i.e. move focus to and read from the top of the screen.

Swipe down: Read all from focus or selected item.

Scrub back and forth: Go back, cancel, close pop-up.

Pinch out/in: Select/deselect.

Hold and twist left or right: Select the next or previous rotor item.
On the iPad, you can use the scrub gesture to split/merge the keyboard when it's selected.

3 finger Gestures

Tap once: Speaks the current page number and position.

Tap 2 times: Toggle speech on/off.

Tap 3 times: Toggle screen curtain on/off.
Swipe left or right: Move to previous / next horizontal screen/page.

Swipe up or down: Scroll down or up, like moving a sheet of paper.

Notification centre.

Note: To open Notification Centre, select the status bar and swipe 3 fingers down. 3 fingers up/down also works for pull-to-refresh in many apps (but can be a problem in some, like the Facebook side bar).

Control centre.

Touch the status area and do a 3 fingered swipe upwards to open the control centre.

4 and 5 Finger Gestures

Four finger double tap: Turn VoiceOver help on/off. Enters a mode where you can practise a gesture and hear its function.

Tap the upper half of the screen with 4 fingers: Select the first item in the area.

Tap the lower half of screen with 4 fingers: Select the last item in the area.

Apple Bluetooth keyboard, iOS and VoiceOver: Quick notes.

You can get a lot done pairing, pun intended, a Bluetooth keyboard with your phone/tablet.

Here are some quick notes. I'm using an iPhone 5, iOS 7 and a Logitech K760 keyboard.

The Logitech K760 is a solar-powered Bluetooth keyboard that can be paired with up to 3 devices simultaneously. It has the requisite keys to use VoiceOver effectively. The F1, F2 and F3 keys switch between the three paired devices.

Comparing Apple keyboard layout to Windows

Apple keyboard | Windows keyboard
Function | N/A
Ctrl | Ctrl
Option | Windows
Command | Alt

General navigation

The VoiceOver modifier (VO) is the Control key plus Option. Therefore VO + down arrow is Ctrl + Option + down arrow.

Toggle quick nav on/off.
Left + right arrow.

VO + h

Start/stop current action.
VO + -

Previous rotor setting.
Up + left arrow.

Next rotor setting.
Up + right arrow.

Activate selected element.
Up + down arrow.

Read from cursor.
VO + a

Read from top.
VO + b

Double tap.
VO + space bar.

Move to status bar.
VO + m

VoiceOver Settings

Previous setting.
VO + command + left.

Next setting.
VO + command + right.

Increment setting.
VO + command + up or down.

Screen curtain.
VO + shift + s.

VO help.
VO + k

Router Distro Headaches

I mentioned Voyage Linux as the OS on my virtual routers. Recently I've also been trying to get a couple of others working, namely ZeroShell and PFSense.

ZeroShell is working as a VM but I haven't got it doing that much. I mainly want to test it as a wireless AP and possible RADIUS server. It only supports Atheros wireless chipsets, of which I have none. The Atheros USB adapter I found may not be entirely straightforward in use, it seems. I plan at some point to try this on a borrowed PC Engines WRAP or Alix. as

The appeal of the Debian based ZeroShell to me is that it can be configured through a web based gui. It has a lot of features and the ability to unlock other packages by making a contribution. The 3G failover capability is particularly intriguing but alas I’ve not had much luck with a Huawei E303 dongle.


PFSense is a FreeBSD-based router/firewall, again with a web-based GUI. I have been trying to get this booting on the aforementioned Alix, as it's set up as a DHCP server out of the box. This hasn't worked as yet despite following their instructions, updating the Alix BIOS and so on.

More hopefully when I make progress.

VMWare Virtual Network Lab Setup

An example virtual lab using VMware. I'll refer to this as Vlab 1 in case I mention it in later posts.

The general objective is to set up a small virtual network on which I can build. The virtual machines on the network will access the real network and thus the internet through one of them acting as a gateway.

I’m using 4 headless VMs, all running the Debian based Voyage Linux distro, which is tailored for router applications.

One of these VMs will be bridged to my real LAN, the one simulating an internet gateway. It will perform NAT for the networks behind it on the virtual side.

As an aside, these are running single area OSPF with the Quagga router software but I’ll just talk about the basic interface setup in this post.

Let’s call the 4 Voyage routers alpha, beta, gamma, delta. For what it’s worth, they are all installed in 2GB virtual disks, have one processor core each and 256MB RAM.

Alpha will be the gateway, i.e. the one with a bridged interface to the real network. The 4 VMs are connected in a simple line: alpha – beta – gamma – delta.

In VMware's Virtual Network Editor, I've configured 3 Vnets for these links. For some reason, it seems you can't use a /30 subnet for Vnets, which would be the usual point-to-point link; the Virtual Network Editor just won't allow it. So I'm using /29s.

In my case, Vnets 11, 12, 13.

Vnet 11.
Link between alpha and beta.

Vnet 12.
Link between beta and gamma.

Vnet 13.
Link between gamma and delta.

Alpha has 2 interfaces, one on the real LAN.

And the Host Only Custom link to beta.

The rest are all Host Only Custom links in their respective Vnets.

Beta – alpha:

Beta – gamma:

Gamma – beta:

Gamma – delta:

Delta – gamma:


I have to be organised in how I set these up, more so than perhaps most people. As they’re running headless, no desktop, they have no screenreader running. It may be possible to recompile Voyage with Speakup but that’s beyond me at the moment.

Normally when I'm experimenting with, say, a single virtual server, I'll have one interface bridged to my real LAN so I can use my screenreader on the host and SSH in. In this case, I want to force all traffic through the virtual gateway and only have that machine appearing on the LAN. So to reach the others, I need to make sure the routing is set up, as I'll be SSHing to the gateway and hopping from there. As there's no screenreader on the VMs, I can't just type at the console.

How I’ve done this is initially set up all VMs with one bridged interface so I can connect and configure the other Host Only connections by editing /etc/network/interfaces. Once I know these are up and reachable from the other VMs, I shut down the bridged interface and comment it out.

As mentioned, I am using OSPF and having alpha redistribute the default route that leads out onto the LAN. Were this not the case, I could have used a line in interfaces to set a static default route pointing to the Host Only interface, i.e. through the virtual network towards alpha and the real world:
post-up route add default gw x.x.x.x

Whilst setting these up it might be worth noting that I did manage to mess up my SSH config file on one of the VMs after I'd already shut down the bridged interface, effectively locking myself out due to having no screenreader access on the console. I fixed it by SSHing into another Voyage VM and counting down how many lines in the errant line was, then doing this blind on the misconfigured machine. Cleverer people than I might have used sed and grep in some fancy way to fix it…



Voyage Linux

Intro to VMware’s Virtual Networks

I’m using the popular VMware Workstation 10 on Windows Seven. VMware have a number of products. You can download the free VMware Player if you want to run a compatible virtual machine but you can do more with Workstation. Of course there are a number of other virtualisation platforms for Windows, Mac and Linux but I’m with this one.

The Virtual Network Editor that comes with Workstation is where you can set up to 19 virtual networks. Before going on to look at that, note that under VMware there are 3 types of network connection: NAT, Bridged and Host Only.

NAT. Network Address Translation. The NAT option creates a virtual network behind your host machine on which your guest resides. It has access to the real network resources through your host but doesn’t appear on the network to other devices on your LAN.

Bridged. This takes your virtual machine’s network adapter and bridges it through the host so the guest will appear on the LAN with its own IP address. Either a static one you configure on the guest or if you’re using DHCP, it will get one from your real DHCP server.

Host only. This configuration provides a virtual connection to another virtual machine. So you can have a network of completely isolated VMs if you choose.

Using the Virtual Network Editor, as an example we'll add a virtual network for a host-only connection. This will act as a private network between 2 or more guests. The VMware Virtual Network Editor, found in the program group in the Start menu (or just use the search), is where you initially set up virtual networks, or Vnets. Some of these Vnets are configured by default: Vnet 0 provides the bridged connection and Vnet 8 is for NAT. Of this latter type you can have only one anyway.

To add a custom Vnet, click Add and choose the Vnet you want to use. You can think of these like virtual switches: when configuring guests' network interfaces, you effectively connect them to these virtual switches.

Choose Host Only.

To have this network available only to your guests, not your host, untick Connect a Host Virtual Adapter to This Network.

VMware has its own DHCP server for these Vnets. In my case I untick this box as I want to either configure static addresses or set up a DHCP server on one of the guests themselves.

Next choose the IP and subnet you want for this network. Click OK, you’re done.

Now from within VMware, VM Menu, Settings, you can add or change the network adapter settings for the selected guest. For example from the Hardware tab, go to add and choose Network Adapter.

Choose the Host Only setting and click OK.

Highlight this new interface in the list view and select the Custom radio button. You can now choose the Vnet you configured earlier to which this virtual network interface will be connected.

Later I’ll give an overview of how I set up a small virtual network lab using these custom networks, with a guest acting as a router, linking them to my real network and thus internet access.

Send email via telnet

A quick way to test your SMTP server is to use telnet. The default well known port for SMTP is 25.

telnet mail.example.com 25
220 mail.example.com ESMTP Postfix (Ubuntu)
helo me.test.com
250 mail.example.com
mail from:me@here.com
250 2.1.0 Ok
rcpt to:you@there.com
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
subject:a test

blah blah.
.
250 2.0.0 Ok: Queued as ABC123
quit
221 2.0.0 Bye

To use the labels, such as From, To and Subject, add them after the data command, i.e.

subject:testing again.

There are other commands you can issue, such as ehlo (extended helo) instead of helo, which will have the server list its capabilities. Other commands such as vrfy (verify an address) may have been disabled by the system administrator.

One of the inherent problems with email is that it allows the sender to use arbitrary information in the headers, fake domain addresses and so on. The mail administrator may use a variety of techniques to block spam and other unwanted mail from entering their systems, but it's an ongoing battle.
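The same dialogue as the telnet session, scripted, to show what the server actually sees. This is an added example, not code from the original post: a fake Postfix-style responder and a client talk over an in-process socketpair (so it runs offline), using the reply codes from the session above. The envelope sender given in MAIL FROM and the From: header inside the DATA block are recorded separately, which is the gap the last paragraph describes. The addresses and the "ceo@bank.example" header are constructed.

```python
"""Envelope sender vs. header From, scripted as the telnet session above (added example)."""
import socket
import threading

def fake_smtp_server(conn, seen):
    """Reply with the codes from the session above; record envelope and message separately."""
    rd = conn.makefile("rb")
    seen["rcpt"], body, in_data = [], [], False
    conn.sendall(b"220 mail.example.com ESMTP Postfix (Ubuntu)\r\n")
    for raw in rd:
        line = raw.decode().rstrip("\r\n")
        if in_data:                                   # message body until a lone "."
            if line == ".":
                in_data, seen["message"] = False, "\n".join(body)
                conn.sendall(b"250 2.0.0 Ok: queued as ABC123\r\n")
            else:
                body.append(line[1:] if line.startswith("..") else line)  # undo dot-stuffing
            continue
        verb = line.upper()
        if verb.startswith(("HELO", "EHLO")):
            conn.sendall(b"250 mail.example.com\r\n")
        elif verb.startswith("MAIL FROM:"):           # the envelope sender
            seen["mail_from"] = line.split(":", 1)[1].strip(" <>")
            conn.sendall(b"250 2.1.0 Ok\r\n")
        elif verb.startswith("RCPT TO:"):
            seen["rcpt"].append(line.split(":", 1)[1].strip(" <>"))
            conn.sendall(b"250 2.1.5 Ok\r\n")
        elif verb == "DATA":
            in_data = True
            conn.sendall(b"354 End data with <CR><LF>.<CR><LF>\r\n")
        elif verb == "QUIT":
            conn.sendall(b"221 2.0.0 Bye\r\n")
            break
        else:
            conn.sendall(b"502 5.5.2 Error: command not recognized\r\n")
    conn.close()

def send_message(conn, envelope_from, envelope_to, headers, body):
    """Client side of the same dialogue; returns [(sent, reply), ...]."""
    rd = conn.makefile("rb")
    transcript = [("<connect>", rd.readline().decode().strip())]
    def cmd(text):
        conn.sendall(text.encode() + b"\r\n")
        reply = rd.readline().decode().strip()
        transcript.append((text, reply))
        return reply
    cmd("helo me.test.com")
    cmd(f"mail from:<{envelope_from}>")
    cmd(f"rcpt to:<{envelope_to}>")
    if cmd("data").startswith("354"):
        head = "".join(f"{k}: {v}\r\n" for k, v in headers.items())
        stuffed = "\r\n".join("." + l if l.startswith(".") else l for l in body.split("\n"))
        conn.sendall((head + "\r\n" + stuffed + "\r\n.\r\n").encode())
        transcript.append(("<message>", rd.readline().decode().strip()))
    cmd("quit")
    conn.close()
    return transcript

def run_demo(envelope_from="me@here.com", header_from="ceo@bank.example"):
    """Send one message whose header From: differs from the envelope; return (transcript, seen)."""
    client_end, server_end = socket.socketpair()
    seen = {}
    t = threading.Thread(target=fake_smtp_server, args=(server_end, seen))
    t.start()
    transcript = send_message(client_end, envelope_from, "you@there.com",
                              {"From": header_from, "To": "you@there.com", "Subject": "a test"},
                              "blah blah.\n.a line starting with a dot")
    t.join()
    return transcript, seen

if __name__ == "__main__":
    for sent, reply in run_demo()[0]:
        print(f"C: {sent}\nS: {reply}")
```

The reject_sender_login_mismatch check configured in the Postfix post further down acts on the MAIL FROM envelope address the server records here, not on the From: header, so a forged header needs a separate control.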

Setting up Postfix and Mutt. 01

Install and configure Postfix

This is a basic setup of Postfix. The mail users have system accounts on the mail server so in this instance, will log into the server to read and send mail. The example client is Mutt, shown at the end.

I’ve included the configuration for the SASL (Simple Authentication and Security Layer) daemon here. We do not need it now but for sending mail from remote systems we will. I wanted to keep the blog posts short so the next will follow on, adding to this config.

At time of writing, I’m using Postfix 2.10.0 on Ubuntu Server 13.04 in a virtual machine in VMWare Workstation 10, on Windows Seven Professional.

Instructions below assume you’re running as root.

Install the application and documentation:

apt-get install postfix postfix-doc

The initial configuration screen is somewhat tricky to use with a screenreader. If possible choose no configuration; we'll edit main.cf by hand.
There are 2 main configuration files in Postfix: /etc/postfix/main.cf and /etc/postfix/master.cf.

We will only be making changes in main.cf at this time.

If you have an admin account on the system, edit /etc/aliases accordingly, so that account receives mail for postmaster via root.

# see man 5 aliases for format
postmaster: root
root: admin

Run the newaliases command to rebuild the alias database:


Edit main.cf with the basic server details. Spaces around the "=" are optional.

mydestination=$myhostname, localhost.$mydomain, $mydomain, localhost

Authenticating SMTP with SASL

For clients to authenticate we will use the SASL libraries.

With the below setup, SASL will authenticate email users against the system password file, i.e. the email users have system accounts on the machine running Postfix.

apt-get install sasl2-bin

We want the saslauthd authentication daemon to start at boot.

Edit /etc/default/saslauthd

START=yes

Create /etc/postfix/sasl/smtpd.conf and add.

pwcheck_method: saslauthd
mech_list: PLAIN LOGIN

If we wanted to use an external method of checking passwords, we’d change the above line to.

pwcheck_method: auxprop

For example to use the sasl password file instead, which is at.

If using sasldb to authenticate users, for example where users do not have system accounts, you need to choose the sasldb mechanism in /etc/default/saslauthd:
MECHANISMS="sasldb"

If using the sasldb2 file, you add users with the saslpasswd2 command.

saslpasswd2 -c -u example.com newuser
For reference:

-c = create.
-u = realm.

Back to our example using the system password file, i.e. we're assuming our email users also have system accounts.

Add the user postfix, to the sasl group. This isn’t always necessary.

adduser postfix sasl

Edit main.cf

The parameters for working with sasl start with smtpd_sasl for the postfix server and smtp_sasl for postfix acting as a client. i.e. if sending
mail to a relay that requires a login.

Switch on smtpd authentication.
smtpd_sasl_auth_enable = yes

For some older clients that didn't implement the SMTP authentication protocol correctly, you can add the following line, although it may not now be necessary:
broken_sasl_auth_clients = yes

To help prevent senders spoofing their from address, you can map each email address to a system user in a map file (here /etc/postfix/sasl_senders). Create it, then run postmap against it.
newuser@mydomain.com newuser

postmap /etc/postfix/sasl_senders

And add the below line to main.cf
smtpd_sender_login_maps = hash:/etc/postfix/sasl_senders

The next lines for main.cf are to permit legitimate users.

smtpd_recipient_restrictions = permit_mynetworks,
permit_sasl_authenticated, reject_unauth_destination, reject_sender_login_mismatch
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination

By default, postfix will block anonymous logins from outside your network. If you’re using some other method for checking passwords, such as md5,
you will need to list it in main.cf. However, if you do that, you also need to explicitly list noanonymous, as you’ve changed the default.

smtpd_sasl_security_options = noanonymous, plaintext

The below is my main.cf file. I have moved some of the lines around simply for layout purposes. It doesn’t matter which order they’re in as far as postfix is concerned.

cat /etc/postfix/main.cf
# See /usr/share/postfix/main.cf.dist for a commented, more complete version

# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
mydestination=$myhostname, localhost.$mydomain, $mydomain, localhost
mynetworks = [::ffff:]/104 [::1]/128

smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated, reject_unauth_destination, reject_sender_login_mismatch
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = /usr/share/doc/postfix

# TLS parameters
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
relayhost =

mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
html_directory = /usr/share/doc/postfix/html

Restart postfix

postfix reload

Restart the saslauthd daemon:

service saslauthd restart

Remember we're using system accounts at this point. To test your login with saslauthd, use the command:

testsaslauthd -u username -p password

Also at this point, the only host that can send mail without authenticating is the server itself. This is the default. You can add your local private subnet to the mynetworks parameter if desired, by adding it to the end of the existing value:
mynetworks = [::ffff:]/104 [::1]/128

Be careful, if you change the default, which networks you add to this parameter. You *do not* want to make your mail server an open relay.

The home_mailbox=Maildir/ parameter selects the Maildir format as an alternative to the Unix-style mbox format. We need Maildir for later, when it comes to adding an IMAP server to our setup. Other IMAP servers are available (Dovecot, Cyrus), but I'll be using Courier.
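A small audit of the relay and SASL settings from this post, added here as an example and not part of the original post. It reads main.cf syntax, including the indented continuation line used for smtpd_recipient_restrictions above, then checks for the open-relay and anonymous-login mistakes the text warns about. Both inputs are constructed samples: one modelled on the main.cf shown above (with the stock Ubuntu loopback networks filled in), the other deliberately weak.

```python
"""Audit a Postfix main.cf for the relay and SASL settings covered in this post (added example)."""
import re

# Constructed sample modelled on the main.cf above, with the stock Ubuntu loopback networks.
SAFE_MAIN_CF = """\
mydestination = $myhostname, localhost.$mydomain, $mydomain, localhost
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sender_login_maps = hash:/etc/postfix/sasl_senders
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated, reject_unauth_destination, reject_sender_login_mismatch
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
"""

# Constructed weak variant: the mistakes the post warns about (open relay, anonymous SASL).
WEAK_MAIN_CF = """\
mynetworks = 0.0.0.0/0
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = plaintext
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
"""

def parse_main_cf(text):
    """Minimal main.cf reader: 'name = value', '#' comments, and indented continuation lines."""
    params, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and current:           # leading whitespace continues the previous value
            params[current] += " " + line.strip()
            continue
        name, sep, value = line.partition("=")
        if sep:
            current = name.strip()
            params[current] = value.strip()
    return params

def _tokens(value):
    """Split a comma- or space-separated Postfix list."""
    return [t for t in re.split(r"[\s,]+", value) if t]

def audit_relay(params):
    """Return findings for the relay/SASL settings; an empty list means they passed."""
    findings = []
    for net in _tokens(params.get("mynetworks", "")):
        if net.endswith("/0"):                        # 0.0.0.0/0 or [::]/0 trusts every client
            findings.append(f"mynetworks contains {net}: every client may relay, this is an open relay")
    rcpt = set(_tokens(params.get("smtpd_recipient_restrictions", "")))
    relay = set(_tokens(params.get("smtpd_relay_restrictions", "")))
    stops = {"reject_unauth_destination", "defer_unauth_destination"}
    if not (stops & rcpt) and not (stops & relay):
        findings.append("no reject_unauth_destination/defer_unauth_destination in either list: open relay")
    if params.get("smtpd_sasl_auth_enable", "no").lower() == "yes":
        opts = _tokens(params.get("smtpd_sasl_security_options", "noanonymous"))
        if "noanonymous" not in opts:
            findings.append("smtpd_sasl_security_options set without noanonymous: anonymous SASL logins allowed")
        if "reject_sender_login_mismatch" in rcpt and "smtpd_sender_login_maps" not in params:
            findings.append("reject_sender_login_mismatch is listed but smtpd_sender_login_maps is not set")
    return findings
```

Feed it the output of postconf with no arguments rather than the raw file to audit effective values, since a parameter missing from main.cf still has a built-in default.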

Install and configure the Mutt mail client

Mutt is a text based mail client that the users can access from the terminal

apt-get install mutt

Alas I can’t recall where, otherwise I’d link to them. But I found the following configuration for the Mutt mail client online and it’s worked for me. Just add the following lines at the end of the /etc/Muttrc configuration file. Note: Muttrc starts with a capital M.

set mbox_type=Maildir
set folder="~/Maildir"
set mask="!^\\.[^.]"
set mbox="~/Maildir"
set record="+.sent"
set postponed="+.postponed"
set spoolfile="~/Maildir"


You can view and edit parameters in main.cf with the postconf command.

postconf parameter-name   Display the current value (postconf -d shows the compiled-in default).
postconf -e parameter-name=value   Edit.

Always restart the postfix service after making changes so the main configuration file is reread.

postfix reload

When editing the /etc/aliases file use the newaliases command to rebuild the database. You can move this file where you want but if you do so, you then need to use the postfix command, postalias.

postalias path-to-aliases

When troubleshooting, view the log, which by default is at /var/log/mail.log.

To check the syntax of your configuration, try the command:

postfix check

There are various other commands for administration in Postfix. Consult the documentation.

Although published a while ago, a useful book is Postfix: The Definitive Guide by Kyle D. Dent, published by O'Reilly.

Setting up a mailserver: Intro

Following will be a few step by step posts on setting up a mailserver on Linux.

I make no guarantees and you’d obviously be wise to do this on a test machine in a private network before setting up a live system.

I'm using an Ubuntu Server for the examples. The MTA (Mail Transport Agent) I'll be using is Postfix, certainly initially. Later I may look at Exim. I'll not be touching Qmail or Sendmail because, frankly, life's too short.

Postfix’ home page is.