Howto: Remote SSH tunnelling on Ubuntu

On the server, install openssh-server

sudo apt-get install openssh-server

if you have firewall on the server, open port 22

if you want to access the server outside the router, port forward port 22 to the server's ip address also.

From the client,

ssh -Y remotemachine -l

commands issued will be started in the remote machines

eg.

nautilus

Setting up network printer in ubuntu 11.10

Oddly, the usual simple gnome printer setup application is missing from Ubuntu 11.10's interface.

One can still go to terminal, type

system-config-printer

My printer is connected to the Asus RT-N16 router & the configuration to enter is as follow, where 192.168.0.1 is the router's ip address.

ATI linux drivers, room for improvement still...

Discovered another bug on ATI graphic chip linux driver.

Some of you may have noticed, if you install 32bits ubuntu 10.10 with 4G ram, it will automatically use the PAE kernel, which is a patch to the 32bits kernel to address all of the 4G ram. Sweet you may say.

Things took for a downward spin for my ATI chipset pc. After the ubuntu 10.10 install with 2 sticks of 2G ram, naturally the PAE kernel is in placed. My 2D desktop started giving lots of artifacts which made me ran to the shop couple times to change the board & ram thinking it's either the Biostar A880G+ board or the Kingston ram are having compatibility issue. 2 sticks of 2G ram with onboard graphic showing artifact, that is nothing new, so I thought. Unfortunately, new board & rams did not solve the problem. So I lived with the problem by using the 3D desktop, which miraculously has no artifact problem. Weird. And that was with the open source ati driver.

Lately, I tried to enable hardware accelerated HD video playback with the proprietary ATI driver & now the 'hardware accelerated' full HD playback is displayed in an even bigger mess... dropped frames, artifacts, messed up colors, tearing... I tried ATI driver version 11-1, 11-2 & 11-3 & no matter what I do, the problem persisted.

Then it daunts on me that the PAE kernel was at work. So, I reinstall ubuntu with 2G of ram alone & sure enough it installed the non-PAE kernel. What do you know, all the artifact, discoloration are gone... other problems like non-optimized hardware accelerated HD playback & high cpu utilization persisted. But those are, again nothing new for the poorly written ATI linux drivers.

So, could it be linux PAE kernel's problem, one ask? Not at all. I checked my other pc with 4G ram running the same version of PAE kernel, the 2D desktop, 3D desktop, hardware accelerated HD playback are all silky smooth, cpu utilization is low & stable. I even finished most of the Starcraft2 campaigns( except the final one ) on the onboard graphic chip, an it did all that flawlessly in linux with the PAE kernel & with 2 sticks of 2G ram.

It's nvidia 8300 onboard graphic chip. Kudos to nVidia.

Most people already knew ATI's windows drivers are a pain to install/remove compared to nVidia. I just have to say, ATI's linux drivers are even more buggy & much room for improvement.

A lesson to learn for the linux community. nVidia chipset is more linux friendly, always.

Bad news though, nvidia has since dropped out of the onboard graphic chipset race for DIY motherboard business. Intel won't let them in on their motherboard chipset business from i3, i5 & i7 series onward, except the OEM laptop & netbook segment. ATI won't let them in on their motherboard chipset business for obvious reason.

So, now the linux community is left with the buggy ATI graphic chips. Let's hope ATI will improve their linux support & give a better linux experience with their their graphic chips.

Let's also hope, Intel delivers the graphic drivers for their shinny & new Sandy Bridge chips soon. Words has it that, graphic support is only available from ubuntu 11.04 onwards. Which is another set back for the linux community.

Hardware Accelerated HD Video playback with ATI graphic card - Part 2

To install mplayer

1 cd /usr/src
2 wget http://www.splitted-desktop.com/~gbeauchesne/mplayer-vaapi/mplayer-vaapi-latest.tar.bz2
3 tar xvfj mplayer-vaapi-latest.tar.bz2
4 cd mplayer-vaapi-20091106
5 aptitude build-dep mplayer
6 ./checkout-patch-build.sh
7 cd mplayer-vaapi
8 make install
9 ldconfig

To install smplayer

1 cd /usr/src
2 wget http://downloads.sourceforge.net/smplayer/smplayer-0.6.8.tar.bz2
3 tar xvfj smplayer-0.6.8.tar.bz2
4 cd smplayer-0.6.8
5 aptitude install qt4-qmake ibqt4-dev
6 make
7 sudo make install
8 ldconfig

Configure smplayer following this link

http://www.loggn.de/ubuntu-mplayer-inkl-smplayer-mit-vaapi-unterstutzung/

Here is the playback of a HD video snippet using ATI HD 4250 onboard graphic & a Phenom II 3.2GHz unlocked Quadcore. Notice the high cpu speed scaled to full 3.2GHz often & the relatively higher cpu utilization % in the 30~42% max on the system monitor tab.

Here is the playback of the same video snippet using nVidia onboard 9300 graphic chip & Core 2 Duo 2.8GHz. Notice the cpu never really need to scale up to full 2.8GHz, mostly stayed low at a mere 1.6GHz & the cpu utilization is always in the low 20~30% & stable.

While you cannot see the video playback because video overlay is not captured by screen recording, playback were smooth in both cases.

This serve to demonstrate how nVidia's vdpau hardware acceleration is much matured, well implemented & superior in linux than ATI's vaapi. Nevertheless, it is a big step forward for ATI's to have hardware accelerated HD video playback in Ubuntu 10.10. Things should get better in future.

Hardware Accelerated HD Video playback with ATI graphic card

Hardware accelerated HD Video playback has been around for a long time in Windows OS. Previously, PC & laptop with slow processors were too slow to playback 1080P Full HD videos just by the slow processors in them. With graphic card accelerated HD decoding, all the PC & laptops with slow processors are suddenly empowered to playback 1080P Full HD Video. This is especially helpful in laptops with slow processors to extend battery life, while the onboard ATI/nVidia graphic chip are powerful enough to decode Full HD video with ease.

nVidia has to be commented for it's collaboration with the linux community & enabled hardware accelerated HD video playback with their integrated graphic chip or discrete graphic card. This is done through VDPAU & can be enabled by installing vdpau plugin for mplayer.

ATI however, has only recently enabled hardware accelerated playback via VAAPI support. And implementation in Ubuntu 10.10 Maverick still requires some tinkering with libraries and etc.

Here is how to enable VAAPI in XBMC media player for ATI graphic card/chips in Ubuntu 10.10.

ATI proprietary driver flgrx must be installed & activated via 'Additional Hardware drivers' under System tab in Ubuntu 10.10

Obtain latest libva files from

http://www.splitted-desktop.com/~gbeauchesne/libva/pkgs/i386/

libva1_0.31.1-1+sds4_i386.deb
libva1-dbg_0.31.1-1+sds4_i386.deb
libva1-dev_0.31.1-1+sds4_i386.deb

sudo dpkg -i *.deb

Add xbmc development ppa from

sudo add-apt-repository ppa:team-xbmc-svn/ppa lucid

(lucid is used here because the corresponding maverick xbmc ppa is not ready)

sudo apt-get update
sudo apt-get build-essential
sudo apt-get build-dep xbmc

sudo apt-get install -f
svn co https://xbmc.svn.sourceforge.net/svnroot/xbmc/trunk/ xbmc
cd xbmc
./bootstrap
./configure
make
sudo make install

sudo mv /usr/bin/xbmc /usr/bin/xbmc.bak
sudo mv /usr/bin/xbmc-standalone /usr/bin/xbmc-standalone.bak
sudo ln -s /usr/local/bin/xbmc /usr/bin/xbmc
sudo ln -s /usr/local/bin/xbmc-standalone /usr/bin/xbmc-standalone
sudo reboot


Now when you reboot xbmc should have VAAPI option under video playback.

On my AMD test rig running a PhenomII X2 555 unlocked to quad core 3.2GHz with integrated ATI 4250 graphic chip onboard, a snippet of 1080P Avatar was playback at 40~60% cpu utilisation without hardware acceleration in VLC & MPlayer. Cpu utilisation drops all the way below 20% when the same video clip was playback with Vaapi enabled XMBC.

( implementation of vaapi in mplayer & vlc to be further explored ... )

Buy two & get two free!

Buy two & get two free! Sounds too good to be true? Read on.

Wafer manufacturing process in microprocessor production is never perfect. While manufacturers prints a 4 cores cpu chip on to the silicon, some of the cpu cores can sometimes ended up malfunction or dead at the end of the manufacturing process. Instead of throwing away the chip with the remaining 2~3 cpu cores functioning perfectly well, manufacturer can disabled the malfunctioned cores & 'marked' the chip as a dual-cores or tri-cores cpu & sell them as it is. With such practice, it makes sense for cpu manufacturers to print more of the chips in 4 cores & test to 'bin-out' the chip into dual-cores, tri-cores or quad-cores chip, depending how well the silicon is yielding.

There were possibility also, in a situation when the yield is exceedingly good, a lot of the chips had all 4 cores fully functioning but the demand/order for dual-cores chip outstripped that of the quad-cores chip, manufacturers 'marked' some of the chips with 4-cores fully functioning as a 2 cores chips & sell as it is.

One of the chip I bought last week, an AMD dual-core PhenomII X2 555, may well fall into such category. It is a 4-cores chip that may well have 2 of the cores not meeting the stringent functional testing specification of AMD, and had two of the cores 'disabled' & being sold as a dual-core chip. Special motherboards like the BioStar A880G+ I bought, came with an 'ACC' option to unlock the disabled cpu cores. And viola! I have a chip with all 4 cpu cores fully unlocked at a flip of a switch on the motherboard bios. More extensive stress testing is definitely needed to know the 4 cpu cores are really fully functioning well. A simple test run of a HD video playback without gpu acceleration however, showed the 4 cores taking turn, 'speed-stepping' between 800Mhz to 3.2Ghz decoding & playing back the HD video. There were also no noticeable increase in temperature of the chip, hovering around 41 degree Celsius, same as when it was running with just 2 cores activated.

The chip I have is labelled 'Black edition' reflecting probably a die from a good yielding wafer that can either scale high gigaherz in speed or meeting the stringent testing specifications well. Of course, there is no guarantee that any chip, whether 'Black edition' or not, can successfully have the hidden cpu cores unlocked. Also, I cannot vouch for the reliability & functional aspects of such unlocked cpu cores. While there were many cases of successful stories of folks unlocking the cores & running it well without problems, it is equally not uncommon to hear folks have unlocked the hidden cores & found the system became unstable or not functional at all, most just flip the switch back & run it as dual-cores chip as it was originally intended.

The chip manufacturers definitely marked the chip as dual-core for a good reason. We may never know why. And if you don't try, you'll never know why.

So, here we have, a too good to be true, 'Buy two get two free' case, depending on how lucky you are.

Here, you see the chip I have, with 4 cpu cores in action, running on Ubuntu linux.



Here is a shot of the Black edition, AMD Phenom II X2 555 cpu chip, that had the 4 cores unlocked successfully.


Here is a shot of the BioStar A880G+ motherboard that made the unlocking trick possible.


Disclaimer: The writer shall not be liable to any damage to your computers by following the guide above. Try at your own risk.

VPN Server Implementation & Illustration in ubuntu 10.04 LTS

Been managing a remote ubuntu server for a long time using VNC. To further enhance security measures, I have ventured into VPN implementation.

VPN Server implementation:

sudo apt-get install openssh-server pptpd

pptpd is Microsoft Point to point Tunneling Protocol, chosen as such to maintain compatibility with both linux & Microsoft windows clients.

Reboot server.

sudo gedit /etc/pptpd.conf

add the following two lines to end of pptdp.conf

localip 192.168.0.234-238,192.168.0.245
remoteip 192.168.1.234-238,192.168.1.245

Above specify corresponding local & remote ip for the VPN connection.

sudo gedit /etc/ppp/pptpd-options

change the host name if you wish, default is pptpd.

sudo gedit /etc/ppp/chap-secrets

specify the user name, server, password & ip addresses allowed for connection, * for no ip address restriction.

eg.
# client server secret IP addresses
username pptpd password *

To enable ip-masquerading

sudo gedit /etc/rc.local

add the followings above 'exit 0'

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

To secure SSH server against brute force attack.
add the followings above 'exit 0' also.

iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP

Do check which ethernet adapter you are using for connection

ifconfig

Mine uses eth1 & I have to change all entries of eth0 to eth1 in /etc/rc.local

sudo gedit /etc/sysctl.conf

uncomment the line "net.ipv4.ip_forward=1"

Reboot server.

Router configuration:

To enable VPN pass-through on your router, do the followings

forward 1723 TCP port to your VPN server's ip address,
on some router, it is simply enabling 'pptp',
on some Dlink router, protocol is TCP & set to 6, with 1723 TCP port.

forward GRE to your VPN server's ip address,
on some Dlink router, protocol is Other & set to 4, with port field greyed out.

enable 'PPTP' & 'IPsec'.

VPN Client implementation:

On ubuntu 10.04 LTS, network-manager-pptp is needed & installed by default.

if it is not install, type in terminal:

sudo apt-get install network-manager-pptp



Left click on network-manager, VPN connections & select configure VPN


Enter connection name, gateway, username, password

Gateway can be local ip address of your server if you are connecting within same subnet.

Gateway can be your dynamic dns hostname like myvpnserver.dyndns.org, assuming you are using dyndns's service to track your dynamic ip(not covered in this article).


Select 'Advanced', check 'Use Point-to-Point Encryption (MPPE)'


Once setup correctly. Select network manager & your vpn connection name to connect to the server.

If everything is setup correctly, you will see the connection established.

ifconfig should give result as follow:

ppp0 Link encap:Point-to-Point Protocol
inet addr:192.168.1.234 P-t-P:192.168.0.234 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1400 Metric:1
RX packets:20 errors:0 dropped:0 overruns:0 frame:0
TX packets:32 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:1251 (1.2 KB) TX bytes:1778 (1.7 KB)

Note: 192.168.0.234 will be the server ip address used in subsequent client connections examples.

On Windows XP client, open network connections & select 'make new connection', 'connect to work place' & 'VPN connection'. Enter details as above & you should be connected to the server in no time.

Testing the VPN connection:

Assuming you have setup NFS server, VNC server(remote desktop) & Samba(windows share in linux) in the ubuntu server correctly(again, not covered in this article). See examples as follow:

1. VNC:

On ubuntu client pc, open 'Application', 'Internet', 'Terminal Server Client', enter the ip address of the server, select VNC protocol & click 'connect'.

In-secured connections =

ip address = 192.168.0.8

(assuming my VNC server is on 192.168.0.8 in the same subnet)

Secured connections =

ip address = 192.168.0.234

2. Windows File Sharing

On Windows client pc

Open 'My Computer', 'Tools' & select map network drive:

Similarly,
In-secured connection =

\\192.168.0.8\250g hdd or
\\callisto550\250g hdd

Secured connection =

\\192.168.0.234\250g hdd


On Ubuntu client pc using Samba

Open 'Places', 'Connect to server' & select 'Windows Share'

In-secured connection =

Server = 192.168.0.8

Secured connection =

Server = 192.168.0.234


3. NFS:

In-secured connections =

Open 'terminal', type:

sudo mount 192.168.0.8:/vpnserver/sharedfolder /clientpc/localmountpoint

(assuming my NFS server is on 192.168.0.8 in the same subnet)

(replace appropriate shared folders in your server & mount point in your client pc accordingly.)

Secured connections =

Open 'terminal', type:

sudo mount 192.168.0.234:/vpnserver/sharedfolder /clientpc/localmountpoint

One common mistake in nfs implementation is in the /etc/exports configuration

To allow access of share folder to clients within the same subnet, entry in /etc/exports should be

/tmp/sharedfolder 192.168.0.1/24 (ro,async)

To allow access of share folder to remote clients via VPN, the client pc's ip address
should be 192.168.1.234, as per example above. So, one need to modify the entry to allow access by clients in 192.168.1.1 subnet as follow

/tmp/sharedfolder 192.168.1.1/24 (ro,async)

To illustrate the encryption taking place, same files were transfered from NFS server to the Client PC using both the 'Secured VPN connection' & the 'In-secured connection' over my gigabit network.

In-secured file transfer = ~55MByte/s
Secured VPN file transfers = ~9MByte/s

So, the encryption process reduced the throughput to slightly less than one fifth of the In-secured file transfer. Of course, there is little motivation to have encrypted file transfer within a home or small office. Above example is just to illustrate encryption is actually taking place.

VPN is to be deployed for remote users to be connected to the home network as if he is locally connected. Under such implementation, the bottleneck is more likely the internet bandwidth & ping at both end of the server & client. I transferred a file from my VNC server in Singapore with a 3Mbps cable network to a client PC 550km away in Malaysia with a 1Mbps ADSL network & net a 56KByte/s throughput.

Have fun with VPN.