Category Archives: Software

Sandbox and torify Signal messenger on Linux

Most of the popular Linux distributions don’t offer any sandboxing or anonymization capabilities, and it can be quite difficult to find a good solution. In this post I’m going to describe how I managed to sandbox the messenger app Signal and tunnel all its traffic through the anonymization network Tor.

All the tools you need are already in the Archlinux repositories:

pacaur -S firejail tor signal
Firejail is a kind of wrapper around the sandboxing capabilities of the Linux kernel. It ships with profiles for various applications, including one for Signal.

To launch Signal in a sandboxed environment, just prepend the command with firejail like this:
firejail signal-desktop
If you try to share files with someone, you’ll notice that your local files aren’t available to Signal anymore. One of the few “shared” real directories left is the Signal configuration directory in ~/.config/signal. All files in there will be preserved, even after you close the sandbox. As a lazy workaround I temporarily move files into this directory if I want to share them via Signal.

Isolating the sandbox from your local network and tunnelling all its traffic through Tor is a bit more difficult. First of all, we have to create a virtual network bridge with its own subnet:

Somehow assigning the IP address with the systemd-networkd profile was not successful, so I used this additional service file to set the address manually:

Now start and enable the services to make these changes persistent:
systemctl start systemd-networkd bridge-set-addr
systemctl enable systemd-networkd bridge-set-addr

We also need to enable IP forwarding for the tornet network bridge:

In the Tor configuration, we have to enable a local port to which we can route our internet traffic:

It is then useful to autostart Tor at boot time:
systemctl start tor
systemctl enable tor

Run the following iptables rules as root:
inet_interface=wlp3s0
iptables -P FORWARD DROP
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i tornet -o ${inet_interface} -p tcp -j ACCEPT
iptables -A FORWARD -i tornet -o ${inet_interface} -p udp --dport=53 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.100.100.0/24 -o ${inet_interface} -j MASQUERADE
iptables -t nat -A PREROUTING -i tornet -p udp -m udp --dport 53 -j DNAT --to-destination 127.0.0.1:5353
iptables -t nat -A PREROUTING -i tornet -p tcp -j DNAT --to-destination 127.0.0.1:9040
iptables -A INPUT -i tornet -p tcp --dport 9040 -j ACCEPT
iptables -A INPUT -i tornet -p udp --dport 5353 -j ACCEPT

And save the firewall rules to the main configuration file so they are loaded again at boot:
iptables-save > /etc/iptables/iptables.rules
systemctl start iptables
systemctl enable iptables

I also had to use the program ifplugd to prevent firejail from removing the IP address after closing the sandbox:
pacaur -S ifplugd
This way ifplugd will always reassign the IP address to the network bridge when you start the sandbox again:

Enable and start ifplugd:
systemctl start ifplugd@tornet
systemctl enable ifplugd@tornet

You can now run Signal sandboxed and in an isolated network where all traffic is going through Tor:
firejail --net=tornet signal-desktop
Signal won’t have any connection if the Tor daemon isn’t running or if Tor is blocked in your network. You can also use the program arm to check that all traffic is going through Tor.
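As an added example (not part of the original post), here is a small POSIX shell check that reads a saved ruleset such as /etc/iptables/iptables.rules and reports which of the leak-preventing rules from above are missing, so you notice when a rule gets lost before trusting the sandbox. The interface name wlp3s0 and the subnet 10.100.100.0/24 are taken from the rules above; the sample ruleset it writes is constructed for offline testing.

```shell
# Added example, not code from the original post: checks that a saved
# iptables ruleset (output of "iptables-save") still contains the rules
# from the post that keep the tornet sandbox from bypassing Tor.
INET_IF=wlp3s0            # values taken from the post's rules
TORNET_SUBNET=10.100.100.0/24

# Rules that must be present, written the way iptables-save prints them.
required_rules() {
  cat <<EOF
:FORWARD DROP
-A PREROUTING -i tornet -p udp -m udp --dport 53 -j DNAT --to-destination 127.0.0.1:5353
-A PREROUTING -i tornet -p tcp -j DNAT --to-destination 127.0.0.1:9040
-A POSTROUTING -s $TORNET_SUBNET -o $INET_IF -j MASQUERADE
EOF
}

# check_tornet_rules FILE: returns the number of required rules missing
# from FILE (0 = all present); each missing rule is reported on stderr.
check_tornet_rules() {
  missing=0
  # heredoc rather than a pipe, so the loop runs in this shell and
  # "missing" survives it
  while IFS= read -r rule; do
    if ! grep -qF -- "$rule" "$1"; then
      echo "missing: $rule" >&2
      missing=$((missing + 1))
    fi
  done <<EOF
$(required_rules)
EOF
  return "$missing"
}

# Writes a constructed sample dump to FILE for offline testing; on a real
# host run: check_tornet_rules /etc/iptables/iptables.rules
write_sample_ruleset() {
  cat >"$1" <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
-A INPUT -i tornet -p tcp -m tcp --dport 9040 -j ACCEPT
COMMIT
*nat
-A PREROUTING -i tornet -p udp -m udp --dport 53 -j DNAT --to-destination 127.0.0.1:5353
-A PREROUTING -i tornet -p tcp -j DNAT --to-destination 127.0.0.1:9040
-A POSTROUTING -s $TORNET_SUBNET -o $INET_IF -j MASQUERADE
COMMIT
EOF
}
```

The exit status is the number of missing rules, so it can be used directly in a condition before starting the sandbox.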

I’m not entirely sure whether DNS queries are also anonymized in this setup, but according to the original how-to by kargig this should be the case.

It is important to note that this setup just adds an extra layer of security and anonymity when using Signal. If you strongly rely on anonymity, you should consider using Tails or SubgraphOS, as pointed out by the security researcher x0rz. His blog post also explains how to register Signal with a fake mobile number to use it pseudonymously.

Download an installation medium directly to your flash drive


For a long time I was looking for a more direct and faster way to set up a Linux installation medium on a USB flash drive. Usually one would download an ISO image and wait for it to finish before copying it to the drive. Both tasks can take some time, depending on your internet connection and USB speed.
If you do both at the same time, downloading and writing the image, you could save half the time. It took me a while to figure out that one of my favorite command-line download tools, Aria2, can do exactly this job. It downloads your file, supporting different protocols (sftp, https, bittorrent), and writes it directly to any block device.
Of course, not every installation image can be written directly without any modifications and still be bootable, but my favorite Linux distributions support this (e.g. ArchLinux, Ubuntu).
In this example, we’re going to download the most recent Archlinux ISO using a BitTorrent magnet link (get the newest magnet link from here). Furthermore, we select only the ISO file in the torrent and write it to our flash drive at /dev/sdc:
aria2c "magnet:?xt=urn:btih:2d3b3d65b369ba519292dd8ce420afe95120df1e&dn=archlinux-2018.01.01-x86_64.iso&tr=udp://tracker.archlinux.org:6969&tr=http://tracker.archlinux.org:6969/announce" --select-file=1 --index-out=1=sdc --dir /dev --allow-overwrite=true --file-allocation=none --save-session=/tmp/tmp.aria2
Caution: Running this command as root is dangerous if you’re unsure about the path of your block device. You could easily overwrite, for example, your system partition, brick your system or lose important data!

Aria2 will start downloading the installation image and write it directly to your installation medium :) The nice thing is that, as long as you keep Aria2 open and your flash drive inserted, the ISO will still be seeded from your device.

Stopwatch module for py3status

Whenever you use a tiling window manager like Dwm, Awesome or i3 on your Linux desktop, you might also want to replace or modify the default behaviour of the status bar. Usually you’ll display some common information like the date, battery level or information about your network connection.

Compared to the quasi-standard program i3status, you can also use py3status as an external program to generate the status bar text. It has even more modules you can use to display additional statistics or functions. One thing I was missing was the ability to easily track time, so I modified the included timer module and transformed it into a stopwatch.

You can run or pause the stopwatch with a left click and reset it with a right click. That’s all … very easy but also very useful ;) You can check out the source code here or just wait until the module gets upstream.

Open source powered GNU Casino slot machine

For our private party some weeks ago we prepared a fun slot machine in the spirit of GNU open source software (I’m aware that this might sound contradictory). We already had an old internet cafe terminal but had to replace the internal hardware with more recent components. Then we were ready to install a most basic ArchLinux system and configured it to launch X and our PyGame application at startup.

A real slot machine needs some fancy colored buzzers for an authentic gambling feeling. So we designed some in Blender and 3D printed them. They are wired to a tiny USB Arduino and, on key press, trigger generic key press events on the system.

Since we weren’t able to get the “coin entry” machine working, we checked the credit with a barcode scanner, which was in turn connected to our party payment system :)

Here’s a demo video:

And here you can get our unpolished, hacky source code. Note that we removed all original sounds and graphics to avoid copyright infringement.

Update (December 2017): We are proud to note that our project was featured on the front page of Heise Online, one of the leading technology news sites in Germany. In addition to the online publication, an even longer article was printed in the C’t Make magazine, issue 6/2017 (pages 104-105).

Easily setup a native instance of Onlyoffice documentserver on ArchLinux

For quite some time I was looking into an online office solution, especially as an integration into my existing Nextcloud service. At first, there was a lot of publicity for the team-up of Collabora Online with Nextcloud. It’s a more complex solution, which includes a LibreOffice backend and a LeafletJS frontend. On the one hand, I was impressed by how feature-rich and stable this first experimental version was, but on the other hand, the demo instance was also a bit slow and laggy. Furthermore, I was unable to get the Docker image up and running on my own server. I always had connection and routing issues, which of course could be caused by my own custom server setup, but Docker made debugging quite difficult for me.

Onlyoffice documentserver Nextcloud integration

Onlyoffice documentserver was a real performance boost in online office editing compared to Collabora Online. I was able to create complex “PowerPoint” presentations and larger documents for my studies much faster, nearly as well as in Google Docs. I only had to install the Onlyoffice app for Nextcloud and find a publicly available Documentserver instance (the domain doc.onlyoffice.com worked for a while, but with a little work you can also find other instances via Google). After that I could easily open any office document directly in Nextcloud.

Create power point presentations directly in Nextcloud

Collaborative editing of publicly shared documents is also a planned feature.

Setup an own Documentserver instance

Since I also had no luck with the Docker image provided by Onlyoffice, I decided to compile it from source and deploy it manually. Publicly available documentation on how to do this was sparse, but a good start was the official documentation. After some weeks of tweaking and patching the sources, I was able to create a working PKGBUILD for the ArchLinux AUR. This means everything you need to do is a simple:

pacaur -S onlyoffice-documentserver

and the Documentserver is ready to go! You can find more detailed setup instructions in the ArchLinux Wiki. Installing and configuring Redis, PostgreSQL, RabbitMQ and Nginx, which are all required dependencies, is easy and straightforward. Assuming you also have a working domain and SSL setup, you can start using the document server in Nextcloud by providing its URL in the application’s preferences.

Onlyoffice Nextcloud app configuration

Alternative and extensive use cases

There are code examples available for all kinds of popular programming languages in which you can embed and include the Onlyoffice document editor. If you just want to see the document editor in action, visit this demo page.