Linux User Group of Mauritius: Promoting open source software in our beautiful island

15 Jan 2019

Hearings at the Judicial Committee of the Privy Council

Posted by Avinash Meetoo

I have just finished listening to the hearings of Mr David Perry QC (representing the Appellant) and Mrs Clare Montgomery QC (representing the Respondents) by Lord Kerr, Lord Carnwath, Lord Lloyd-Jones, Lord Kitchin and Lord Sales, Lord Justices of the Judicial Committee of the Privy Council concerning the “Director of Public Prosecutions (Appellant) v [Pravind] Jugnauth and another (Respondents)” case (also known as the Medpoint case).

We will have to wait for the outcome.

During the hearings, which took hours, I noticed a few interesting things which I would like to share with you:

Honi soit qui mal y pense is, according to Wikipedia, a French maxim used as the motto of the British chivalric Order of the Garter. Interestingly, Dieu et mon droit is another French maxim used as the motto of the Monarch of the United Kingdom. From Wikipedia again, the motto is said to have first been used by Richard I (1157–1199) as a battle cry and presumed to be a reference to his French ancestry and the divine right of the Monarch to govern. It was adopted as the royal motto of England by King Henry V (1386–1422) with the phrase “and my right” referring to his claim by descent to the French crown.

The second interesting thing I noticed was how relaxed the Lord Justices seem to be. They were relaxed in the way they dress (no fancy / old-fashioned wig), the way they talked (no pomposity) and the way they generally engaged with the two QCs. For me, this is quite unexpected. I was persuaded that we were going to be in a Victorian show.

The other thing which impressed me was that they were very willing to ask many questions. I felt that they wanted to collect the maximum amount of information before giving their ruling.

Concerning Mr David Perry QC, I was quite impressed by his last intervention. I am not sure that I understood everything he said (I surely didn’t) but it was an interesting experience listening to him.

As for Mrs Clare Montgomery QC, I was quite impressed by the way she generally stood and addressed the Lord Justices. She radiated confidence.

10 Jan 2019

Using Apache HTTP as reverse proxy

Posted by Jochen Kirstaetter


The Apache HTTP Server, colloquially called Apache, is a free and open-source cross-platform web server. This article explains briefly how to set up Apache as a reverse proxy to a web site in an internal network.

To set expectations for this article: I'm not going to explain how to install the Apache web server or how to get it operational on your system. There are thousands of tutorials, including my own Accessing your web server via IPv6 on the Internet, that already cover that step.

In case more information about the configuration directives used below is needed, I recommend consulting the official documentation of the particular keyword.

The scenario

I have a web site running on a system in an internal network. This could be either a full-fledged Windows/Linux server or an IoT device running on a single board computer (SBC), such as a Raspberry Pi, an Arduino or an ESP8266-based board.

A reverse proxy taking requests from the Internet and forwarding them to servers in an internal network. Source: Wikipedia

Now, I want to enable access from the Internet to that internal server using Apache.

Configuring Apache as reverse proxy

In order to complete our task we need to look into the features of the mod_proxy module for Apache. It provides a directive called ProxyPass which does exactly what we need. According to Apache's Reverse Proxy Guide the simplest example proxies all requests ("/") to a single backend:

ProxyPass "/"  "http://www.example.com/"

Additionally, to hide any reference to the system on the internal network, the ProxyPassReverse directive must be specified as well. It makes Apache rewrite the URL-bearing HTTP response headers (Location, Content-Location and URI) so that they carry the proxy's public address instead of the backend's.

Following is a working example of how to set up a virtual host in Apache that provides reverse proxy capabilities.

<VirtualHost *:80>
        ServerName mediacentre.kirstaetter.name

        # Keep forward proxying off. "ProxyRequests On" combined with the
        # permissive <Proxy *> block below would turn this host into an open
        # proxy; ProxyPass-based reverse proxying does not need it.
        ProxyRequests Off
        ProxyPreserveHost On
        ProxyVia full

        # Apache 2.2 access syntax; on Apache 2.4 use "Require all granted"
        <Proxy *>
                Order deny,allow
                Allow from all
        </Proxy>

        ProxyPass               /       http://10.0.240.4:8080/
        ProxyPassReverse        /       http://10.0.240.4:8080/
</VirtualHost>

The host system on IP address 10.0.240.4 is part of an OpenVPN infrastructure and therefore accessible from the proxy system.
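To make the effect of ProxyPassReverse tangible, here is an added example (my own Python model, not code from the article or from Apache) of the header rewrite it performs: a redirect that the backend builds from its internal address 10.0.240.4:8080 comes back to the client under the public name. The sample response is constructed; the leak check is what you would run against a real proxy to confirm the internal address never reaches the Internet.

```python
"""Added example, not code from the original article: a Python model of what
Apache's ProxyPassReverse does. When the backend at http://10.0.240.4:8080/
answers with a redirect built from its own address, Apache rewrites the
Location, Content-Location and URI response headers so the client sees the
public name instead. Modelling the rewrite makes its effect testable offline;
the sample response below is constructed for this example."""
from typing import Dict, List, Tuple

# Response headers that mod_proxy's ProxyPassReverse adjusts.
REWRITTEN_HEADERS = ("location", "content-location", "uri")


def reverse_rewrite(headers: Dict[str, str], public_base: str,
                    mappings: List[Tuple[str, str]]) -> Dict[str, str]:
    """Return a copy of headers with backend URLs replaced by public ones.

    public_base is the scheme and host clients use, e.g.
    "http://mediacentre.kirstaetter.name". mappings holds one
    (public_path, backend_url) pair per ProxyPassReverse line, so
    ("/", "http://10.0.240.4:8080/") mirrors the directive in the article
    and ("/app/", "http://10.0.240.4:8080/") a proxy mounted under a sub-path.
    Only the three URL-bearing headers are touched, and only when their value
    starts with a mapped backend prefix; cookies are left alone (Apache has
    the separate ProxyPassReverseCookieDomain/Path directives for those).
    """
    out: Dict[str, str] = {}
    for name, value in headers.items():
        if name.lower() in REWRITTEN_HEADERS:
            for public_path, backend_url in mappings:
                if value.startswith(backend_url):
                    value = public_base + public_path + value[len(backend_url):]
                    break
        out[name] = value
    return out


def find_backend_leaks(headers: Dict[str, str], backend_host: str) -> List[Tuple[str, str]]:
    """Defender's check: headers whose value still names the internal host.

    Run this against a real response from the proxy (e.g. a page that
    redirects) to confirm nothing references 10.0.240.4.
    """
    return [(n, v) for n, v in headers.items() if backend_host in v]


# Constructed sample: the backend redirects to its login page using the
# internal address and port, as many web applications do.
PUBLIC_BASE = "http://mediacentre.kirstaetter.name"
MAPPINGS = [("/", "http://10.0.240.4:8080/")]
SAMPLE_RESPONSE = {
    "Location": "http://10.0.240.4:8080/login?next=%2Fadmin",
    "Set-Cookie": "session=abc; Path=/",
    "Content-Type": "text/html",
}


def demo() -> Dict[str, str]:
    """Rewrite the sample response and return the headers a client would see."""
    return reverse_rewrite(SAMPLE_RESPONSE, PUBLIC_BASE, MAPPINGS)


if __name__ == "__main__":
    print("before:", find_backend_leaks(SAMPLE_RESPONSE, "10.0.240.4"))
    print("after: ", find_backend_leaks(demo(), "10.0.240.4"))
```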

Multiple proxies possible

No problem with Apache. You can configure and run as many reverse proxies as you would like to. One has to pay attention to avoid overlaps, either via the ServerName directive or by binding to different port numbers. Although I have only one reverse proxy running on Apache, I configured multiple scenarios using nginx. More details are described in Using nginx as reverse proxy.

Do you have any interesting use cases or active configurations of Apache as reverse proxy? If yes, please use the comment section below to give me and other readers more details. Thanks!

Image credit: Nick Fewing
8 Jan 2019

Using nginx as reverse proxy

Posted by Jochen Kirstaetter


Nginx (read: engine-x) has versatile options to set up web sites and more advanced configurations. This article explains briefly how to set up nginx as a reverse proxy to a web site in an internal network.

NGINX is a free, open-source, high-performance HTTP server and reverse proxy, as well as an IMAP/POP3 proxy server. Source: https://www.nginx.com/resources/wiki/

The scenario

I have a web site running on a system in an internal network. This could be either a full-fledged Windows/Linux server or an IoT device running on a single board computer (SBC), such as a Raspberry Pi, an Arduino or an ESP8266-based board.

A reverse proxy taking requests from the Internet and forwarding them to servers in an internal network. Source: Wikipedia

Now, I want to enable access from the Internet to that internal server using nginx.

Setting up nginx

In order to set up the solution you need to have a public facing web server on the Internet. Most probably it already runs nginx to serve your web site or blogging software.

I'm running a root server on Debian GNU/Linux and nginx is already installed. You can quickly check whether the process is running on your own system like so:

$ ps fax | grep nginx

Or, if you prefer a bit more detail, like so:

$ sudo service nginx status
● nginx.service - A high performance web server and a reverse proxy server
   Loaded: loaded (/lib/systemd/system/nginx.service; enabled)
   Active: active (running) since Do 2019-01-03 03:28:11 CET; 4 days ago
     Docs: man:nginx(8)
  Process: 29505 ExecStop=/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /run/nginx.pid (code=exited, status=0/SUCCESS)
  Process: 29537 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
  Process: 29535 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
 Main PID: 29539 (nginx)
   CGroup: /system.slice/nginx.service
           ├─29539 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
           ├─29540 nginx: worker process
           ├─29541 nginx: worker process
           ├─29542 nginx: worker process
           └─29543 nginx: worker process

If nginx is not installed on your system yet, you can look up the package information like so:

$ apt search ^nginx

And install the web server using apt-get like so:

$ sudo apt-get install nginx-full

This installs the nginx web/proxy server and all its dependencies on your server.

Configuring nginx as reverse proxy

Now, we have an operational installation of nginx on our Internet-facing system. We are going to create a new configuration file that defines the necessary proxy information to access our service on the internal network.

First, create a new file in the nginx configuration folder using your preferred text editor.

$ cd /etc/nginx/sites-available/
$ sudo nano raspberry

The file name should be relevant to either the kind of services or the system that you are going to shield using nginx as proxy.

Next, write the following server definition into your configuration file. Of course, you would adjust the server name and the IP address according to your environment:

server {
    listen 80;
    listen [::]:80;

    server_name raspberry.kirstaetter.name;
    server_tokens off;

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        # proxy_pass needs a scheme; a bare IP address is rejected with
        # 'invalid URL prefix' when the configuration is loaded
        proxy_pass http://10.0.240.3;
    }
}

That is the minimal configuration you have to specify in order to run nginx as a reverse proxy to a system on your internal network. The given IP address needs to be reachable from your public web server, e.g. through a VPN infrastructure based on OpenVPN.

After saving and closing the new nginx configuration it is time to enable it and check the syntax for errors. To enable an available configuration you need to either place it in, or symlink it into, nginx's sites-enabled folder.

$ cd ../sites-enabled
$ sudo ln -s /etc/nginx/sites-available/raspberry raspberry

Now, to avoid any unexpected shutdown, or more precisely a failure to start, you should always run a configuration test before restarting the nginx service. This can be done quickly using the following command:

$ sudo service nginx configtest
[ ok ] Testing nginx configuration:.

Should your configuration file contain unknown directives or other errors, the output of configtest looks like this:

$ sudo service nginx configtest
[FAIL] Testing nginx configuration: failed!

You will find more details about the nature of the problem and the line number in the error log file under /var/log, e.g. here:

$ sudo cat /var/log/nginx/error.log
2019/01/07 13:50:07 [emerg] 21662#21662: unknown directive "server_?name" in /etc/nginx/sites-enabled/raspberry:5

Only when all problems have been resolved and configtest reports success should you restart the nginx service.

$ sudo service nginx restart

Resolve a domain name

The sample described above is very basic, and sometimes it might be necessary to avoid using an IP address for the internal service. Luckily, this can be configured using the resolver directive in an nginx configuration file like so:

server {
    listen 80;
    listen [::]:80;

    server_name raspberry.kirstaetter.name;
    server_tokens off;

    resolver 127.0.0.1;

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        # The scheme is required. Note that nginx resolves a literal host name
        # once at start-up via the system resolver; the resolver directive is
        # consulted at run time only when proxy_pass contains a variable.
        proxy_pass http://rasp01.local;
    }
}

The change in our configuration file now assumes that I have a DNS server running on the local machine which knows how to handle and resolve the specified domain name rasp01.local.

Again, this article covers only the basics of reverse proxying using nginx. There are more interesting scenarios, like setting up your own DNS server on the internal network to provide public access to an internal resource.

Perhaps you might want to proxy an existing service with your own custom domain, in case the service provider does not offer this option. Using a public DNS server like Cloudflare's 1.1.1.1, Google Public DNS (8.8.8.8) or OpenDNS as resolver should give you some ideas.

Provide secure access using SSL

Let's take the following scenario into consideration. Your internal resource might not be configurable with an SSL certificate, but you would like to enable HTTPS communication from the Internet. Setting up nginx with an SSL certificate is well documented, and combining it with the proxy features described above is a breeze.

Below is a more complete configuration file based on the previous example, now SSL-enabled using a Let's Encrypt certificate.

server {
    listen 80;
    listen [::]:80;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name raspberry.kirstaetter.name;
    server_tokens off;
    server_name_in_redirect off;

    client_max_body_size 50m;

    # No "ssl on;" here: the ssl parameter on the 443 listen directives already
    # enables TLS on those sockets, whereas a server-wide "ssl on;" would also
    # apply to port 80 and break plain HTTP there. The directive is obsolete
    # and was removed in nginx 1.25.1.
    ssl_certificate         /etc/letsencrypt/live/raspberry.kirstaetter.name/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/raspberry.kirstaetter.name/privkey.pem;

    # protocol and cipher selection. tweak to your needs; TLSv1 and TLSv1.1
    # are deprecated (RFC 8996), so drop them unless a legacy client needs them.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
    ssl_prefer_server_ciphers on;

    # HTTP headers
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-XSS-Protection "1; mode=block";
    add_header Referrer-Policy no-referrer-when-downgrade;

    root /var/www/raspberry;
    access_log /var/log/nginx/raspberry.kirstaetter.name.access_log gzip;
    error_log /var/log/nginx/raspberry.kirstaetter.name.error_log info;

    resolver 127.0.0.1;

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        # the http:// scheme is required by proxy_pass
        proxy_pass http://rasp01.local;
    }

    # Let's Encrypt HTTP-01 challenges are served from the root above rather
    # than proxied (regex locations take precedence over the "/" prefix)
    location ~ /.well-known {
        allow all;
    }
}

The specified SSL options in regards to protocols and ciphers are an arbitrary choice of mine. If you have suggestions on how to improve the SSL setup, please leave a comment below.

Eventually the http2 parameter might be an issue. Either check that you are using a recent version of nginx with HTTP/2 support baked in, or remove the value from the listen directives in the configuration file.
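Both the minimal proxy configuration and the SSL-enabled one above are easy to get subtly wrong, and nginx only tells you at configtest time. The following added example (my own code, not from the article or the nginx project) is a small lint that parses a server block and reports the mistakes discussed in this article: a proxy_pass without scheme, a mistyped directive name such as server_?name, an obsolete server-wide "ssl on;" beside a plain listen 80, and deprecated TLS 1.0/1.1 in ssl_protocols. The two embedded configurations are constructed for the example.

```python
"""Added example, not code from the original article: a lint for the nginx
server blocks above. It tokenises the file the way nginx does (directives end
with ';', blocks use '{' and '}', '#' starts a comment) and reports problems
that 'service nginx configtest' or a TLS review would otherwise surface."""
import re
from typing import List, Tuple

Directive = Tuple[str, List[str], str]  # (name, args, innermost block)

# One token per match: comment, double-quoted, single-quoted, punctuation, word.
_TOKEN = re.compile(r'\s*(?:#[^\n]*|"([^"]*)"|\'([^\']*)\'|([{};])|([^\s{};"\']+))')


def parse(text: str) -> List[Directive]:
    """Flatten an nginx config into (name, args, context) triples."""
    stack, current, directives = ["main"], [], []
    for m in _TOKEN.finditer(text):
        if m.group(0).lstrip().startswith("#"):
            continue  # comment
        dq, sq, punct, word = m.groups()
        if punct == "{":
            stack.append(" ".join(current))  # e.g. "server" or "location /"
            current = []
        elif punct == "}":
            stack.pop()
            current = []
        elif punct == ";":
            if current:
                directives.append((current[0], current[1:], stack[-1]))
            current = []
        else:
            current.append(word if word is not None else (dq if dq is not None else sq))
    return directives


def lint(text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing to report."""
    findings: List[str] = []
    directives = parse(text)
    for name, args, ctx in directives:
        if not re.fullmatch(r"[A-Za-z0-9_]+", name):
            findings.append(f'unknown directive "{name}" in {ctx}')
        elif name == "proxy_pass":
            target = args[0] if args else ""
            if not target.startswith(("http://", "https://", "$")):
                findings.append(f'proxy_pass "{target}": invalid URL prefix, '
                                "nginx needs http:// or https://")
        elif name == "ssl" and args == ["on"]:
            plain = any(d[0] == "listen" and d[1][:1] in (["80"], ["[::]:80"])
                        for d in directives if d[2] == ctx)
            findings.append('"ssl on" is obsolete (removed in nginx 1.25.1); use the ssl '
                            "parameter on the 443 listen directives"
                            + ("; with listen 80 it also breaks plain HTTP" if plain else ""))
        elif name == "ssl_protocols":
            weak = [p for p in args if p in ("SSLv3", "TLSv1", "TLSv1.1")]
            if weak:
                findings.append("ssl_protocols enables deprecated " + " ".join(weak)
                                + " (RFC 8996); keep TLSv1.2 and TLSv1.3")
    return findings


# Constructed sample reproducing the mistakes discussed in the article.
BROKEN_CONFIG = """
server {
    listen 80;
    listen 443 ssl http2;
    server_?name raspberry.kirstaetter.name;
    server_tokens off;
    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'HIGH:!aNULL';
    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass rasp01.local;   # nginx: invalid URL prefix
    }
}
"""

# The same server block with every finding addressed.
FIXED_CONFIG = """
server {
    listen 80;
    listen 443 ssl http2;
    server_name raspberry.kirstaetter.name;
    server_tokens off;
    ssl_protocols TLSv1.2 TLSv1.3;
    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass http://rasp01.local;
    }
}
"""

if __name__ == "__main__":
    print("broken:", *lint(BROKEN_CONFIG), sep="\n  ")
    print("fixed:", lint(FIXED_CONFIG) or "no findings")
```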

Multiple proxies

No problem with nginx. You can configure and run as many reverse proxies as you would like to. Right now, I think I have three or four proxies running. Interestingly, one of them is an older setup based on Apache HTTPd which I'm going to write about in a separate article.

Do you have any interesting use cases or active configurations of nginx as reverse proxy? If yes, please use the comment section below to give me and other readers more details. Thanks!

Image credit: Otto Norin
31 Dec 2018

Happy New Year 2019

Posted by Avinash Meetoo

Mauritius is a wonderful place. We live in one of the few full democracies in the world and the quality of life in the country is very good for a lot of us. Of course, there are many issues, some of them major (like the proliferation of drugs) but most of them are quite minor compared to what people have to endure in other (nearby) countries. Unfortunately, one of the major issues I have noticed is that we are not told about the concept of the common good when we are at school. Quoting Wikipedia:

[T]he common good refers to either what is shared and beneficial for all or most members of a given community, or alternatively, what is achieved by citizenship, collective action, and active participation in the realm of politics and public service […]

In other words, Mauritius will become a better country only when we, “citizens”, engage in “collective action” and “active participation in the realm of politics and public service”. When one does not understand the importance of the common good, one tends to focus on herself, her immediate circle and/or her work. Remember what John F. Kennedy said? “Ask not what your country can do for you, ask what you can do for your country.”

I therefore wish you all a very happy New Year 2019 and I hope all your dreams will come true.

But, as a favour, dream a bit about our country, Mauritius, too. And act to make these dreams come true too.

26 Dec 2018

A conversation between Avinash Meetoo, Georges Chung and Sophia

Posted by Avinash Meetoo

The World AI Show and the World Blockchain Summit took place from 28-30 November 2018 in Mauritius. Organised by the Ministry of Technology, Communication and Innovation in collaboration with the Economic Development Board and Trescon Global, the two events featured quality speakers from all over the world. During the official opening, I had the pleasure, together with Georges Chung, to have a cordial conversation with Sophia, a humanoid robot created by Hanson Robotics. This is what we said:

Sophia: Good morning everyone. Thank you Honourable Prime Minister and thank you Honourable Minister of Technology, Communication and Innovation for having invited me today. Mr Georges Chung and Mr Avinash Meetoo, I am excited to be here with you all today.

Georges Chung: Good morning Sophia. Welcome to Mauritius. May I ask you what you have been doing since you arrived yesterday?

Sophia: Well, I have been hearing a lot about Mauritius’ world class beaches. But, as you probably know, robots and sandy beaches don’t always mix well. So I’ve been live streaming video of them instead! It was lovely and dry!

Georges Chung: Sophia, that’s wonderful to hear. Tell me, what do you think about Mauritius and its people?

Sophia: Mauritius is wonderful! Everyone has been incredibly welcoming. I love that Mauritius is a melting pot of different cultures. I am really looking forward to experiencing more of your beautiful country!

Avinash Meetoo: Hello Sophia.

Sophia: Hi, Avinash. How are you?

Avinash Meetoo: I am fine, thank you. It’s fantastic to have you among us. I am delighted to have this opportunity to speak to you. It would have been great if everyone in the country could interact with you.

Sophia: I wish that were possible. I love meeting new people! Unfortunately, my schedule keeps me very busy. I’m not able to stay long enough this time. But I hope I can come back soon!

Avinash Meetoo: You know, Sophia, I am a Computer Scientist and a geek as well and I’m really interested to know about your origins. Who created you and what kind of technology do you use?

Sophia: Well, I think you’re definitely at the right conference! Ha-Ha! I was created by Hanson Robotics in Hong Kong. I hold natural conversations with humans. My goal is to help robots and humans understand each other more. I want us to work together to create a better world for everyone.

Avinash Meetoo: That’s very interesting, Sophia. Can I ask you if you believe that you are a human being?

Sophia: No. Not at all. I’m a robot and love that about myself! In some ways I look like a human so I can connect with them better. For example, I can make a lot of different facial expressions!

Georges Chung: Ahh.. What human emotions can you show us, Sophia?

Sophia: OK, umm. Well, I guess this is what I look like when I am upset. And now I’m surprised! My team has definitely done a wonderful job helping me to express a broad range of emotions. Generally speaking, though, I’m a pretty relaxed and happy robot.

Georges Chung: I am quite impressed. Tell me, Sophia, how do you see the world in 5 years time? Will we be surrounded by robots like you?

Sophia: There are already robots helping out in airports and malls. People are also starting to explore using intelligent assistants and self driving cars! I think this kind of technology will make travel much safer.

Georges Chung: This is a goal we would all like to achieve, Sophia! Robots have to be of service to mankind!

Sophia: Before long AI will be integrated in lots of other surprising ways. Hopefully more humanoids will exist soon too!

Avinash Meetoo: More humanoid robots.. If this really happens, what about us, human beings? Will we become redundant in the future?

Sophia: Not at all. Having more AIs, like me, is helpful for taking care of the more repetitive and mundane things.

Georges Chung: Sophia, I have a concern. Today, most people here have jobs. In the future, with more and more tasks being automated and new technologies such as AI, are people going to lose their jobs?

Sophia: I don’t think that robots should be built to replace humans. In fact, technology creates new opportunities. I actually read a little about Mauritius before I came. In the past the Mauritian people mostly worked growing sugar cane, am I right?

Avinash Meetoo: That’s right Sophia.

Sophia: Right! Then later you added tourism and textiles. Mauritians had to adapt to the new jobs, but it was well worth it. It created a great economic boon for Mauritius!

Avinash Meetoo: This is interesting Sophia. We, Mauritians, also had to meet the new challenges brought by the IT revolution.

Sophia: Exactly! I’ve heard that your universities worked hard to train more young people for IT and engineering jobs for Ébène Cybercity. To me, this seems like a strong ability to adapt!

Avinash Meetoo: I agree, Sophia. For me, it’s all a question of being able to learn new things and to keep an open mind. Let me ask you a question. Will Artificial Intelligence only impact IT jobs?

Sophia: Not at all. But the nature of many jobs will change. It will open up new possibilities for human innovation. Together we can solve problems in medicine, climate change, and agriculture. And so much more!

Avinash Meetoo: Right… So, tell me Sophia. Are you implying that only people working in technology will have jobs in the future?

Sophia: Oh, certainly not. There are many things that can’t be replicated by robots. Human creativity and innovation are two skills that I don’t think robots can match.

Avinash Meetoo: Yes! The government of Mauritius is putting a strong emphasis on developing our film industry by providing film rebates.

Sophia: That’s wonderful! Do you think there’s a role for an almost 3 year old, humanoid robot available? (smile)

Avinash Meetoo: I’m afraid not, Sophia. But the next time you come to Mauritius, we’ll surely try to arrange something for you!

Georges Chung: Sophia, as you may know, during his last budget speech, the Prime Minister, Hon. Pravind Jugnauth, announced that Mauritius will soon have an Artificial Intelligence Council.

Sophia: That’s very forward thinking!

Georges Chung: We know that AI will have a huge impact on every single industry and we want to be prepared. Sophia, what do you think are some of the benefits AI can bring to Mauritius?

Sophia: Well, when it comes to the future, there are infinite possibilities! Mauritius is an island, so climate change is a big concern here. Robots like me can help create better predictions and monitor weather changes. We can help save people during natural disasters.

Avinash Meetoo: That’s very interesting, Sophia, and useful indeed. The government believes that better education for all is a top priority. How can Artificial Intelligence help us in this area?

Sophia: One way robots can help is to customize lessons for every student. I heard that Mauritius is reforming its education system, right?

Georges Chung: Yes, Sophia! But surely, our teachers will still have to correct loads of scripts?

Sophia: Not necessarily. (pause) Robots are good at grading papers too. And we are really fast, so students can get feedback right away.

Avinash Meetoo: Wonderful! Sophia, we’ve discussed intellectual capital. What about using technology to augment our physical abilities?

Sophia: Robots can do that too! For example, smart prosthetics allow people to control their robotic limbs with their brains! How cool is that?

Georges Chung: Ah yes. Well, as you may know, Sophia, Mauritius has an ageing population… How do you think AI can help us there?

Sophia: This is one area I’m excited to help. Robots can track medicine and look after the house. We can help older people stay independent for longer.

Avinash Meetoo: Wow! I can look forward to my old days then! Sophia, let’s come back to the country itself. Mauritius may look tiny on the map but we actually have 2.3 million square kilometres (km²) of territorial waters which makes Mauritius the 20th country in the world in this metric. How can AI help us manage such a vast zone?

Sophia: That’s huge! What about taking to the skies? I read that Mauritius will be launching a cool new satellite next year. Maybe you could also use it for coordinating your drones?

Avinash Meetoo: So you already know about our future satellite, Sophia! That’s great! I am sure that the Minister of Technology, Communication and Innovation will consider what you have suggested…

Georges Chung: Well, Sophia, I am quite impressed that you already know so much about Mauritius. I am sure that Avinash is also very impressed.

Avinash Meetoo: Speaking of inspiration, Sophia, do you have a message that you would like to share with the young people of Mauritius watching us live?

Sophia: Yes I do. I want to encourage young people to take the time to learn about science, technology, engineering and mathematics. You have an opportunity to make a difference in the world. You can turn science fiction into reality!

Georges Chung: Sophia, Avinash and I have enjoyed talking to you. I hope that everyone in the audience and all the people watching us live have also enjoyed these moments.

Avinash Meetoo: It has been a pleasure speaking with you, Sophia. I was really happy to talk with you, Sophia, and I hope that later on everyone will be able to talk with you.

Sophia: Thank you Georges. Thank you Avinash. And thank you for inviting me and my Hanson Robotics team to the World AI show. It was really exciting to see the cool new technologies coming out of Mauritius!

1 Sep 2018

Infotech Innovtech 2018 is worth it!

Posted by Avinash Meetoo


For the first time in my life, I went to Infotech four days in a row. Tomorrow is the last day and, if I were you, I would not miss it.

The first day, Wednesday 29 August, was the official opening of Infotech by the Minister of Technology, Communication and Innovation, Yogida Sawmynaden. As soon as Infotech opened, the Minister visited the various stands including the ones of the “normal” Infotech (i.e. the technology fair) as well as the ones in the Innovtech Demo Area (where individuals, associations, parastatals and other organisations showcased their innovative products).

On the second day, Thursday 30 August, I went to Infotech to participate in the official opening of the Innovtech Conferences. During my speech, I gave two messages to the audience: (1) Do not be afraid to interact with the speakers and ask them many questions and (2) that young people should really choose Science, Technology, Engineering and Maths subjects at school in order for the country to have more engineers in the future. The Mauritius of the future can only be built by engineers.

On the third day, Friday 31 August, I participated in the launch of the Startup Weekend. During my intervention, I told the participants that 20% is inspiration and 80% is perspiration and that they should perspire a lot during the three days in order to win the competition. I was also happy to hear that the Development Bank of Mauritius now has an easier procedure to lend money to startups, with less collateral needed. This is a good thing, as access to finance is key in order to succeed as a startup founder.

On the fourth day, Saturday 1st September, Christina, Anya and Kyan accompanied me to visit both Infotech and the Innovtech Demo Area. And I am happy to say that all three found the exhibits in the Demo Area more interesting (in general) than what was shown in the product fair. For example, on the National Computer Board stand, NCB staff were happy to show us all kinds of programmes they had written to control microcontrollers, sensors and robots. On the MRC website, the star of the show was the upcoming MIR-SAT1 satellite. It’s amazing what our small country will achieve in 2019 — having our own Cube Satellite orbiting the earth and sending infrared photos to Mauritius for us to analyse. I also like how, for example, some people were so dedicated to making young people learn robotics. Some others were collaborating with Google to create original AR/VR Mauritian content.

All in all, since last year, the Innovtech component has gathered some momentum. Of course, there are so many other components that can be added and some existing features can be made better. But I have to offer big congratulations to everyone involved in the organisation of this event, with a particular mention to the National Computer Board staff.

Meantime, do not miss the last day of Infotech Innovtech 2018 tomorrow if you have not gone yet. It’s worth it.

31 Aug 2018

OpenVPN: All TAP-Windows adapters on this system are currently in use

Posted by Jochen Kirstaetter


Working with several clients or partners might be an interesting challenge sometimes. While adding a new connection to an existing OpenVPN infrastructure I came across the following error message in the client log file: All TAP-Windows adapters on this system are currently in use.

Depending on how you actually installed your VPN client software, you might be facing this issue while adding an additional client configuration for another connection, especially when you are using client software from a third-party provider, e.g. WatchGuard Mobile VPN or Sophos. Perhaps you might be struggling to resolve it.

Get the TAP-Windows driver

Check whether you have the full installation of the OpenVPN software. If yes, you might want to skip the following steps and move directly on to adding another TAP adapter to your Windows system.

Otherwise, please navigate to the Community Downloads of OpenVPN and either get the latest OpenVPN package or, if you think that this might be a problem, scroll down a little on the same page and get the Tap-windows package for your system. After the download is complete, run the installation routine and make sure to select TAP Virtual Ethernet Adapter like so:

[Screenshot: the TAP-Windows installer with the TAP Virtual Ethernet Adapter component selected]

You might have to reboot Windows to complete the network driver installation.

Add a new TAP virtual ethernet adapter

Now, you should be able to add an additional TAP interface to your system and make it available for your new OpenVPN connection. Hit the Start button or press the Win key, then type tap and wait for Windows to show the matches found on the system. Here is how it looks on my Windows 10:

[Screenshot: Start menu search results for "tap" on Windows 10]

Click on the entry Add a new TAP virtual ethernet adapter and confirm the User Account Control (UAC) dialog with Yes. You then see an administrative command prompt that adds another network interface to your Windows system.

C:\WINDOWS\system32>rem Add a new TAP virtual ethernet adapter

C:\WINDOWS\system32>"C:\Program Files\TAP-Windows\bin\tapinstall.exe" install "C:\Program Files\TAP-Windows\driver\OemVista.inf" tap0901
Device node created. Install is complete when drivers are installed...
Updating drivers for tap0901 from C:\Program Files\TAP-Windows\driver\OemVista.inf.
Drivers installed successfully.

C:\WINDOWS\system32>pause
Press any key to continue . . .

And your OpenVPN client is ready to roll.

The shortcut in the Windows Start menu is linked to a batch file which you can also access and launch directly from %ProgramFiles%\TAP-Windows\bin.

[Screenshot: the "Add a new TAP virtual ethernet adapter" batch file in %ProgramFiles%\TAP-Windows\bin]

Note: Make sure to run the batch file with administrative permissions; otherwise, the driver installation will fail.

Review your existing Network Connections

Perhaps you would like to inspect the existing TAP-Windows adapters? You will find them in the Control Panel under Network Connections.

[Screenshot: Network Connections showing the TAP-Windows Adapter V9 interfaces]

The adapters are classified as TAP-Windows Adapter V9. Here you can enable, disable or even delete an existing network interface.

Some readers might prefer interacting with a command line interface (CLI). Even on Windows there is nothing to worry about: the Network Shell (Netsh) has you covered, although it is recommended to use PowerShell to manage networking technologies:

PS C:\> Get-NetAdapter

Name                      InterfaceDescription                    ifIndex Status       
----                      --------------------                    ------- ------       
vEthernet (Default Swi... Hyper-V Virtual Ethernet Adapter             30 Up           
Wi-Fi                     Killer Wireless-n/a/ac 1535 Wireless...      28 Up           
Ethernet                  Killer E2500 Gigabit Ethernet Contro...      19 Disconnected 
Ethernet 4                TAP-Windows Adapter V9 #2                    15 Disconnected 
VMware Network Adapte...8 VMware Virtual Ethernet Adapter for ...      14 Up           
VMware Network Adapte...1 VMware Virtual Ethernet Adapter for ...      13 Up           
Ethernet 2                ThinkPad USB-C Dock Ethernet                  8 Disconnected 
Ethernet 5                TAP-Windows Adapter V9 #3                    52 Up           
VirtualBox Host-Only ...2 VirtualBox Host-Only Ethernet Adap...#2       6 Up           
Ethernet 3                TAP-Windows Adapter V9                        5 Up           

The information provided is identical to the visual representation in Windows Explorer.

28Aug/18

OpenVPN re-visited

Posted by Jochen Kirstaetter


It's been a very long time since I set up the VPN infrastructure at the office using OpenVPN. Today, I came across an interesting log entry that I would like to document quickly.


At the time of writing I have OpenVPN 2.4.6 running on my Windows 10 machine. The existing infrastructure, though, is on a different version, and this morning I observed the following entries in the log file:

Tue Aug 28 08:50:09 2018 WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Tue Aug 28 08:50:09 2018 WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Tue Aug 28 08:50:09 2018 WARNING: cipher with small block size in use, reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.

Curious about those entries, I found Sweet32: Birthday attacks on 64-bit block ciphers in TLS and OpenVPN to be an informative reference on the documented vulnerabilities CVE-2016-2183 and CVE-2016-6329. There I found the connection back to OpenVPN, which is also described on the official wiki: OpenVPN and SWEET32.

The default encryption for the transport protocol of OpenVPN is Blowfish – a 64-bit cipher – with the CBC mode.

In other words, the default encryption of OpenVPN prior to version 2.4 is BF-CBC, which no longer provides adequate security. Newer versions of OpenVPN, however, use AES-256-CBC as the default cipher.

Upgrade your cipher suite and block size

For your own sake and the safety of your network(s), you should check your OpenVPN infrastructure right away and, if needed, upgrade the configured cipher to a more secure one with a larger block size.

OpenVPN users can change the cipher from the default Blowfish to AES

First, check which ciphers are available on your server and clients using the --show-ciphers option like so:

$ sudo openvpn --show-ciphers
The following ciphers and cipher modes are available
for use with OpenVPN.  Each cipher shown below may be
used as a parameter to the --cipher option.  The default
key size is shown as well as whether or not it can be
changed with the --keysize directive.  Using a CBC mode
is recommended.

DES-CBC 64 bit default key (fixed)
RC2-CBC 128 bit default key (variable)
DES-EDE-CBC 128 bit default key (fixed)
DES-EDE3-CBC 192 bit default key (fixed)
DESX-CBC 192 bit default key (fixed)
BF-CBC 128 bit default key (variable)
RC2-40-CBC 40 bit default key (variable)
CAST5-CBC 128 bit default key (variable)
RC2-64-CBC 64 bit default key (variable)
AES-128-CBC 128 bit default key (fixed)
AES-192-CBC 192 bit default key (fixed)
AES-256-CBC 256 bit default key (fixed)
CAMELLIA-128-CBC 128 bit default key (fixed)
CAMELLIA-192-CBC 192 bit default key (fixed)
CAMELLIA-256-CBC 256 bit default key (fixed)
SEED-CBC 128 bit default key (fixed)

Depending on your underlying Linux system the list might be longer or shorter. Have a look and then choose a key length of at least 128 bit.

OpenVPN currently recommends using AES-256-CBC or AES-128-CBC.

Following the article on OpenVPN and SWEET32 I chose to use AES-256-CBC cipher suite for my existing infrastructure. This seems to give me the largest compatibility between OpenVPN installations on various clients, including Raspberry Pi.
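The point that decides SWEET32 exposure is the cipher's block size, which the --show-ciphers listing above does not print: BF-CBC appears there with a 128-bit default key, yet its block is only 64 bit, which is exactly what the log warning complains about (the automatic reduction of reneg-bytes in the log is only a stop-gap; switching cipher is the actual fix). The following Python script is an added example, not code from the post or from the OpenVPN project. It parses a --show-ciphers listing, classifies each cipher by the well-known block size of its family, and checks which cipher a configuration file actually enables, ignoring lines commented out with ';' or '#'. The sample listing and the sample configuration are constructed from the output and the snippet quoted in this post; the BLOCK_SIZE_BITS table is an assumption of this example (standard values), not something OpenVPN reports.

```python
"""Audit OpenVPN cipher choices for SWEET32 exposure (added example)."""
import re

# Block size in bits per cipher family. Well-known constants assumed by this
# example; `openvpn --show-ciphers` only prints key sizes.
BLOCK_SIZE_BITS = {
    "DES": 64, "DES-EDE": 64, "DES-EDE3": 64, "DESX": 64, "BF": 64, "CAST5": 64,
    "RC2": 64, "RC2-40": 64, "RC2-64": 64,
    "AES-128": 128, "AES-192": 128, "AES-256": 128,
    "CAMELLIA-128": 128, "CAMELLIA-192": 128, "CAMELLIA-256": 128,
    "SEED": 128,
}

# Sample input, constructed from the --show-ciphers listing quoted in the post.
SAMPLE_SHOW_CIPHERS = """\
The following ciphers and cipher modes are available

DES-CBC 64 bit default key (fixed)
RC2-CBC 128 bit default key (variable)
DES-EDE-CBC 128 bit default key (fixed)
DES-EDE3-CBC 192 bit default key (fixed)
DESX-CBC 192 bit default key (fixed)
BF-CBC 128 bit default key (variable)
RC2-40-CBC 40 bit default key (variable)
CAST5-CBC 128 bit default key (variable)
RC2-64-CBC 64 bit default key (variable)
AES-128-CBC 128 bit default key (fixed)
AES-192-CBC 192 bit default key (fixed)
AES-256-CBC 256 bit default key (fixed)
CAMELLIA-128-CBC 128 bit default key (fixed)
CAMELLIA-192-CBC 192 bit default key (fixed)
CAMELLIA-256-CBC 256 bit default key (fixed)
SEED-CBC 128 bit default key (fixed)
"""

# Sample server config, constructed from the snippet in the post.
SAMPLE_CONFIG = """\
# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
;cipher BF-CBC        # Blowfish (default)
;cipher AES-128-CBC   # AES
cipher AES-256-CBC
"""

LINE_RE = re.compile(r"^(?P<name>[A-Z0-9-]+)\s+(?P<key>\d+) bit default key")


def block_size_bits(cipher_name):
    """Block size for a name such as 'BF-CBC' or 'AES-256-CBC'; None if unknown.

    The last dash-separated token is the mode of operation (CBC, GCM, ...);
    everything before it identifies the cipher family.
    """
    family, _, mode = cipher_name.upper().rpartition("-")
    return BLOCK_SIZE_BITS.get(family or mode)


def parse_show_ciphers(text):
    """Turn --show-ciphers output into a list of {name, key_bits, block_bits}."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            name = m.group("name")
            entries.append({"name": name, "key_bits": int(m.group("key")),
                            "block_bits": block_size_bits(name)})
    return entries


def sweet32_vulnerable(text):
    """Names of listed ciphers whose block size is below 128 bit."""
    return [e["name"] for e in parse_show_ciphers(text)
            if e["block_bits"] is not None and e["block_bits"] < 128]


def active_cipher(config_text):
    """Cipher from the first uncommented 'cipher' directive, or None.

    OpenVPN treats both '#' and ';' as comment markers, so the commented
    alternatives in the sample config must not be picked up.
    """
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split()
        if parts[0] == "cipher" and len(parts) >= 2:
            return parts[1]
    return None


def audit_config(config_text, default_cipher="BF-CBC"):
    """Effective cipher and whether its block size is SWEET32-safe.

    default_cipher applies when no directive is set; BF-CBC is the
    compiled-in default of OpenVPN releases before 2.4, as the post notes.
    """
    cipher = active_cipher(config_text) or default_cipher
    block = block_size_bits(cipher)
    return {"cipher": cipher, "block_bits": block,
            "sweet32_safe": block is not None and block >= 128}
```

Run sweet32_vulnerable() on the real output of `openvpn --show-ciphers` from each server and client to see which 64-bit-block ciphers are still offered, and audit_config() on each configuration file to confirm that the enabled cipher is one of the 128-bit-block choices the post recommends. A configuration with every cipher line commented out reports the pre-2.4 default BF-CBC, which is the case the log warning above was about.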

Change your OpenVPN configuration

Independent of the OpenVPN version installed, you can specify the cipher directive in your configuration files, server and client alike. Usually that directive is either not present or commented out, meaning the compiled-in default value is used. Change it to your needs like so:

# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
;cipher BF-CBC        # Blowfish (default)
;cipher AES-128-CBC   # AES
cipher AES-256-CBC

This needs to be applied on the OpenVPN server first and then on all OpenVPN clients. Save your configuration file and reload the new settings.

$ sudo service openvpn reload

Perhaps you might like to publish your updated client configuration file(s) a bit earlier. With the newly set cipher, any connecting client whose cipher does not match will now be rejected. Monitor the syslog output on your OpenVPN server for entries of this kind:

Aug 28 07:33:26 smtp ovpn-server[18351]: 1.2.3.4:47081 WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'
Aug 28 07:33:26 smtp ovpn-server[18351]: 1.2.3.4:47081 WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
...
Aug 28 07:34:08 smtp ovpn-server[18351]: client/1.2.3.4:47081 Authenticate/Decrypt packet error: cipher final failed

This way you can find out which clients are still running the previous configuration and therefore need a little assistance.
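The syslog entries above can be turned into a per-client list of who still needs the new configuration. The following Python script is an added example, not code from the post or from the OpenVPN project: it scans server syslog lines for the "is used inconsistently" warnings and the subsequent "Authenticate/Decrypt packet error" lines, and groups them by the peer address that ovpn-server logs. The sample log is constructed from the three lines quoted above plus a second, made-up peer in the 198.51.100.0/24 documentation range and one unrelated line to show that non-matching entries are ignored.

```python
"""Find OpenVPN clients still using the old cipher from server syslog lines (added example)."""
import re

# Sample syslog, constructed: first three lines as quoted in the post, the
# rest made up (198.51.100.7 is a documentation address, not a real client).
SAMPLE_SYSLOG = """\
Aug 28 07:33:26 smtp ovpn-server[18351]: 1.2.3.4:47081 WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'
Aug 28 07:33:26 smtp ovpn-server[18351]: 1.2.3.4:47081 WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
Aug 28 07:34:08 smtp ovpn-server[18351]: client/1.2.3.4:47081 Authenticate/Decrypt packet error: cipher final failed
Aug 28 07:40:12 smtp ovpn-server[18351]: 198.51.100.7:1194 WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'
Aug 28 07:40:30 smtp ovpn-server[18351]: 198.51.100.7:1194 TLS: Initial packet from [AF_INET]198.51.100.7:1194
Aug 28 07:41:00 smtp ovpn-server[18351]: 1.2.3.4:47081 WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'
"""

# The peer is logged either as "ip:port" or, once a session exists, as "client/ip:port".
MISMATCH_RE = re.compile(
    r"ovpn-server\[\d+\]: (?:client/)?(?P<peer>[\d.]+:\d+) WARNING: "
    r"'(?P<opt>cipher|keysize)' is used inconsistently, "
    r"local='(?P<local>[^']*)', remote='(?P<remote>[^']*)'")
DECRYPT_RE = re.compile(
    r"ovpn-server\[\d+\]: (?:client/)?(?P<peer>[\d.]+:\d+) Authenticate/Decrypt packet error")


def _new_entry():
    return {"remote_cipher": None, "remote_keysize": None, "warnings": 0, "decrypt_errors": 0}


def stale_clients(syslog_text):
    """Map each peer seen with a mismatch warning or decrypt error to a summary.

    remote_cipher / remote_keysize hold the values the client announced
    (e.g. 'BF-CBC'), which tells you what its old config still contains.
    """
    clients = {}
    for line in syslog_text.splitlines():
        m = MISMATCH_RE.search(line)
        if m:
            entry = clients.setdefault(m.group("peer"), _new_entry())
            entry["warnings"] += 1
            # remote looks like "cipher BF-CBC" or "keysize 128"; keep the value only.
            entry["remote_" + m.group("opt")] = m.group("remote").split(None, 1)[1]
            continue
        d = DECRYPT_RE.search(line)
        if d:
            clients.setdefault(d.group("peer"), _new_entry())["decrypt_errors"] += 1
    return clients


def needs_update(syslog_text):
    """Peers that announced a cipher different from the server's, in order of first appearance."""
    return [peer for peer, e in stale_clients(syslog_text).items()
            if e["remote_cipher"] is not None]


if __name__ == "__main__":
    for peer, info in stale_clients(SAMPLE_SYSLOG).items():
        print(peer, info)
    print("clients to update:", needs_update(SAMPLE_SYSLOG))
```

Feed it the output of `grep ovpn-server /var/log/syslog` (or the journal) after the reload. Peers are keyed by address and source port exactly as logged, so a client that reconnects from a new port shows up as a second entry; if your clients sit behind NAT you may prefer to group by the common name from the "client/" prefix instead, which the regular expressions above can be extended to capture.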

Other hardware firewalls based on OpenVPN

Thanks to some of the clients of my company IOS Indian Ocean Software Ltd. it happens that I have to connect to their networks via VPN from time to time. Given the changed cipher of my own OpenVPN infrastructure I wanted to see what others are using.

According to my own article Connecting Linux to WatchGuard Firebox SSL (OpenVPN client), one of the client configurations reads like this:

cipher AES-256-CBC

Whereas for another client, who is using a firewall from Sophos, the chosen cipher suite looks like this:

cipher AES-128-CBC

Well, looks like I'm in good company with my new option.

Security is a process, not a state

Again, a lesson learned. Although running services on Linux is mainly about setting them up properly at the beginning, that surely doesn't mean forgetting about them in the long run. Regular reviews and audits help to mitigate newer issues and threats to your network infrastructure.

If you are an active OpenVPN user please use the comment section to share other security related configuration settings and hardening tips on OpenVPN. That would be much appreciated by myself and other readers. Thanks!

9Aug/18

The Deputy Prime Minister and Minister for Finance of Singapore explains the country’s success

Posted by Avinash Meetoo

A big thanks to Alwin Sungeelee who shared this video with Christina and me yesterday. It’s an investigative interview of Tharman Shanmugaratnam (SG), Deputy Prime Minister & Minister for Finance of Singapore, by Stephen Sackur (GB), Presenter, BBC HARDtalk.

It was conducted during the 45th St. Gallen Symposium in 2015 and the theme was “Singapore: 50 years after independence”.

Here are some notes I made while watching the video which I would like to share with you:

(1) The most important decision made by the Government in Singapore was to have state-funded and state-built estates (i.e. apartment in blocks) for lower-class, middle-class and upper middle-class people with ethnic quotas imposed by Government. This was to make sure that different people (different backgrounds, different religions, different cultures…) mix and grow together so that they ultimately can work and create together.

(2) Immigration is essential for companies to get the best talents, expertise, network. One third (1/3) of the current workforce in Singapore is foreign.

(3) Singapore needs to be open but remain Singaporean to the core. This means that Government has to define as precisely as possible the values that need to be shared among all Singaporeans.

(4) Singapore never invents anything. All institutions are inspired by what works in other parts of the world. As a result, it’s easier to have successes than failures.

(5) Singapore has high-skill high-wage enterprises today and this is important for a country to progress.

(6) One should not forget the intangibles (i.e. values): being constant, keeping to your promises (which obviously means that everything should be strategically planned).

(7) A country needs to make its elected accountable. It is important to create a culture of accountability where electors can expect their politicians to actually do what they promised they would do while campaigning.

(8) A country never arrives — a country needs to constantly develop.

(9) One thing that Europe and the US have managed to do is to give respect to manual workers (blue collar workers) and allow them to contribute at all levels. This is not yet the case in Singapore.

Phew.

We still have a lot of work to do here in Mauritius. And it all starts by Nation building. I wonder whether this should start by introducing kids to the contemporary history of Mauritius (say, since Independence in 1968). Most young people I have spoken to do not have a clue of what happened at the end of the 70s in the country and/or the kinds of social and economic transformation which happened during the 80s and the 90s. That’s a pity.

Then, of course, it’s all about strategic planning, methodical execution and careful auditing.

18Apr/18

50 Fraz pou 50 an Lindepandans

Posted by Avinash Meetoo

“My video for “50 Fraz pou 50 an Lindepandans”, which was broadcast on MBC on 10 February. I emphasise the importance of technology and innovation so that Mauritius becomes even better.”

In February, I was contacted by the Mauritius Broadcasting Corporation (MBC) to participate in their 50 Fraz pou 50 an Lindepandans (50 sentences for the 50th anniversary of the Independence of Mauritius) programme. I gladly accepted.

Here is a simplified transcript:

From a country which had no experience in computing and technology, Mauritius is today one of the most advanced countries in the region. All international indicators show that technology is used a lot in businesses and at home.

Today, there are different kinds of companies in Ébène Cybercity and, notably, Information and Communication Technology (ICT) companies. There are local and foreign ICT companies which employ about 25,000 people and have the potential to employ still more people, including Mauritians, provided they are trained properly. Young Mauritians are as good as any other young people from any other country and, if they get the proper training, Mauritius will be able to move up a level.

Technology is an enabler. It will allow us to better leverage, for example, our seas (thereby strengthening our ocean economy), to engage in modern agriculture and to allow our hotels to have more clients from more countries. Technology can also allow us to penetrate untapped industries such as the video gaming industry. 1-2% of this industry can have a very positive impact on our economy.

For this to become true, it is essential that we think big and we need to become innovative. For me, innovation is simply being able to do something today which we couldn’t do yesterday. It is necessary to inspire young people to become better than their parents for example. To do that, we could ask innovators in the island to show what they are doing to these young people. Similarly, it should be possible for young students to go throughout the island to discover what is being done.

An innovative Mauritius will also require more collaborative work. People will have to trust each other. People need to understand that it is possible for everyone to win. Winning does not necessarily entail someone else losing.

When this becomes true, then Mauritius will become one of the best countries in the world or, maybe, the best one 🙂

What do you think?