Firewall throughput measurements: OPNsense on APU4d4, OPNsense in a Proxmox VM, and OpenWRT on Turris Omnia

Getting OPNsense to perform well on a low-powered CPU, e.g. the APU4d4 board, can be tricky. As there are some open questions, this post summarizes some measurements taken in a home lab setup.

A highly personal take on KDE vs. Gnome over two decades

I have been using KDE since 1998 and keep coming back to it even though I have tried Gnome in many versions and variants. A highly personal report on why configurability is good for an expert work tool.

Settings for Flatpak sandboxing for the Zoom Linux client

The Flatpak package of the Zoom Linux client is better than a native installation because of Flatpak's sandboxing capabilities. This short post summarizes the settings I use to make it work.

Enabling per-device traffic analysis with separate VLANs, 802.1x MAC based authentication, and OpenWRT

Why: For analysing what devices do on a network - specifically the shared medium of a wireless LAN - just packet tracing based on IP address is often not sufficient. There are multicasts, the initial DHCP requests, and potentially other types of traffic not captured by that. Even MAC address based packet tracing is problematic given recent defaults of MAC address randomization e.g. on Android (default since Android 10, optional before).

Transparent Tor-ifying VLAN (separated WLAN SSID) with OpenWRT

Why: Tor allows anonymizing Internet traffic through onion routing, typically via 3 separate hops. At INS, we run one of the fastest Tor exit nodes in Austria, and provide statistical data on its usage. For more details, please check those project websites. On my personal home network, I use Tor - among other reasons - to test various devices such as mobile phones, tablets, etc. with apps I do not necessarily trust, “smart home” / IoT style devices, or wearables.

Gibraltar firewall

[Finished/closed] A Linux firewall/UTM distribution with read-only root file system.

Using the Austrian 'Buergerkarte' under Linux

Disclaimer: This web page is written primarily in English, but uses German words originating from the Austrian law. There seems to be little point in artificially translating these terms when they are special definitions of a law written in German. I have tried to explain the terms when I first use them - if something is unclear, feel free to send me an email. Introduction: Since the beginning of 2000, the Austrian government has begun introducing its digital signature scheme in the form of the so-called “Bürgerkarte”.


[Finished/stopped] A personal Dropbox replacement based on Git

IPsec/L2TP gateway for Android and iPhone clients on OpenWRT

How to set up an OpenWRT router/gateway as an IPsec/L2TP gateway for Android and iPhone clients. The only “reasonable” (that is, not counting PPTP due to its known security issues) VPN protocol supported by default on non-rooted / non-jailbroken Android / iPhone phones as clients is the combination of IPsec and L2TP. Most probably, this was chosen due to its out-of-the-box support by newer Windows clients and MacOS/X as well.

SSD Linux benchmarking: Comparing filesystems and encryption methods

Introduction: After (again) suffering under KMail’s recent sluggishness when dealing with my email spool and general Eclipse slowness when run with many plugins (such as the excellent Android ADT or the still-to-mature Scala plugin), I decided that the best update for my Lenovo Thinkpad X201s laptop would be a solid state disk (SSD). Some preliminary web article research yielded the Crucial C300 256GB as one candidate with near top-level performance and reasonable pricing.

Howto use an encrypted container under Windows XP/7 and Linux

USB sticks are becoming increasingly common to carry around. When one keeps confidential data on such a USB medium, it should be protected against loss (and it should also be possible to use it for transferring files to and from an untrusted machine, just for convenience). An encrypted container that is usable under Windows XP, (Vista,) Windows 7, and Linux as a virtual drive is a good way to do that.

Howto use Aladdin eToken under Linux

Introduction: After some work on getting the Austrian Bürgerkarte to work under Linux, I have now decided to acquire some know-how about using more general smart cards under Linux. After some quick research, the Aladdin smart cards seem to be supported fairly well, so I ordered a bunch of different types. This page details how to make them work (my principal systems are running Debian or Ubuntu, but most should be applicable to any Linux distribution).

Howto create a Debian chroot on an Android phone

Howto create a Debian chroot on an Android phone (HTC Desire and Motorola Milestone) This page will grow once I have everything running, but this is a starting point:… [HTC Desire, unbranded, European version]: Flashed (pre-rooted and with busybox included) firmware from…, taking file On a Debian squeeze (amd64, but with i386 it will be similar) box: sudo apt-get install debchroot qemu-user Download qemu-arm-static from (and its dependency) to get the build-arm-chroot script dd if=/dev/zero of=debian.

Running (K)Ubuntu Linux on a Dell Latitude XT

With Kubuntu Intrepid 8.10, I can delightedly say that installing Linux in the form of a Debian variant - my kernel/operating system of choice for most tasks - on a new Dell Latitude XT went flawlessly and got most of its hardware to work out-of-the-box. The remaining adaptations that I did on my system are mentioned here. Note: I couldn’t get Kubuntu Hardy 8.04 in its AMD64 version to install: the kernel wouldn’t find its installation CD with the Latitude XT attached to its Mediabase.

Howto configure encrypted home directories under Linux

To get an encrypted home directory under Debian Linux, only a few steps are necessary. The performance hit for the encryption is, at least for current processors and normal (i.e. slow compared to all other PC components) hard disks, negligible. This howto describes the necessary configuration options for automatically mounting the encrypted volume at login and unmounting it again afterwards. First of all, you need the following packages to be installed on your Debian system (or on other distributions, but I don’t know the package names for them):

Howto auto-mount devices under Linux with hotplug

Here is another small thing to make working with Linux more convenient: auto-mounting of hotplug-able devices. This is again specific to Debian GNU/Linux, but might be applicable to other distributions with only slight changes. Quite a few of the following steps have been taken from Ubuntu - well done folks! The whole auto-mounting described here is based upon hald, a daemon that monitors the system’s hardware. Update: As of 2010, none of this is typically required.

Howto combine Chillispot with OpenSwan on one machine

Imagine the following setting: there is some (possibly 802.11a/b/g wireless) network, which can range from a single access point to a complete backbone network of access points working together via WDS, or even a wired network infrastructure. This (W)LAN should serve two purposes: (1) act as an open “hotspot” type network where users do not need any special client configuration to use it (other than maybe a username/password combination or some prepaid account); (2) simultaneously allow registered/special users to use it for purposes that are not open to the first public group. These are usually seen as two different use cases, and both are already in extensive use.

Howto fix emails for Cyrus LMTP and IMAP

I, as many others, have been bitten by Cyrus’ strictness when it comes to RFC-compliant email headers. Although it cost me about a full day, I still appreciate that Cyrus interprets the RFC strictly and thus forces email to be syntactically correct. It may not strictly adhere to the “be liberal in what you accept” approach, but this way is less likely to cause problems later (with IMAP clients, indexing, searching, etc.

Howto make a USB stick bootable

USB sticks are really useful. Not only for transferring files between computers, but also as rescue media, or more generally, to boot from. However, making a USB stick bootable can turn out to be tricky. This small howto describes the tricks that I discovered over the last years. The following commands assume the necessary package to be installed under Linux. It has been tested with Debian GNU/Linux sid (unstable as of 2006-06-26) with packages mbr (1.

Howto setup SyncEvolution on a Nokia N900 with Egroupware

I’ve documented my current selection of smart phones and their respective features, advantages, and disadvantages elsewhere. The Nokia N900 does many things right (in my point of view), but is missing one crucial component by default: SyncML synchronization to HTTP servers. Fortunately, being largely open source, other developers have already taken care of this issue by porting the SyncEvolution package over to Maemo (the Debian-based Linux distribution running on the Nokia N900).