Don’t even try to repeat this in the GUI

There is such a thing as a user-friendly Linux. The idea appeared a very long time ago, perhaps a few minutes after Linus Torvalds announced his project on the comp.os.minix list. It is hard to say whether this concept and its various incarnations on the workstation have been beneficial. One thing is clear: progress along this path does not noticeably coincide with the expectations of that very user.

Perhaps this is because commercial Linux distributions and PC manufacturers are trying to show that it is realistic to use Linux on a workstation without the console as the main management tool. Perhaps in the future it will be so, but today the console on a home computer is as indispensable as on a server, and there are good reasons for this.

We propose to consider several scenarios from real life where, like it or not, everything has to be done in the CLI. There are very, very many such examples; these are just a couple of cases out of a huge variety of similar ones.

Case 1 – setting up a custom environment

Most Linux distributions allow a graphical installation of the OS, which is easy for an advanced Windows or macOS user. There is evidence that Ubuntu works out of the box for a first-time Linux user.

However, right after that it becomes necessary to edit /etc/sudoers by hand so that the user has the right to run sudo commands. You will not be able to log into the desktop environment as root; by default, most display managers disable this option. These restrictions have to be removed manually in console mode, and here is the catch-22. What remains is visudo, or as a last resort vim /etc/sudoers as the superuser.

This is how my edit of the file looks.

|18:42:09|admin@srv:[~]> sudo diff /etc/sudoers /etc/sudoers.orig
85c85
< %wheel ALL=(ALL) NOPASSWD: ALL
---
> # %wheel ALL=(ALL) NOPASSWD: ALL

You just need to uncomment the corresponding line, after which it is enough to add the user to the wheel group. It would be strange to do this in a GUI when you can simply run gpasswd -a admin wheel as root.

But once we have sudo rights, we need to be able to use them. The very first thing these rights are needed for is installing and updating programs. You can of course use a graphical front end to the package repository; after all, even Gentoo has a GUI for its portage. However, the limitations and shortcomings of these tools stick out so much that they literally push the user towards the CLI.

Instead of a simple sudo aptitude update or sudo dnf update, you are hardly going to launch a graphical front end and helplessly scroll up and down the list of packages. If you are going to stay on Linux for a long time, you need to master the necessary minimum of console commands for your package manager.

Font customization is a somewhat less common task. Installing the Liberation, Noto, DejaVu and Droid font families is not the end of the matter. We still need to get rid of the ancient Microsoft fonts from the corefonts package. The easiest way is not to install them at all, but they often get into the system as a dependency of Wine or other packages. In that case, you will have to create or edit the ~/.fonts.conf file. Here is a directive to get rid of Arial.

<?xml version="1.0"?>
<!DOCTYPE fontconfig SYSTEM "fonts.dtd">
<fontconfig>
  <!-- whenever an application asks for Arial, hand it Noto Sans instead -->
  <match target="pattern">
    <test name="family" qual="any">
      <string>Arial</string>
    </test>
    <edit name="family" binding="same" mode="assign">
      <string>Noto Sans</string>
    </edit>
  </match>
</fontconfig>

I want to emphasize that the problem is not that Microsoft fonts are used, but that these are very old versions of them. Accordingly, they look, to put it mildly, not very good on screen. They are the only versions permitted for use in Linux distributions. You can do this in a graphical editor, but a file whose name starts with a dot has to be opened through some trick in the built-in file manager every time, and this is inconvenient.

In addition, you may have to fiddle with symlinks in /usr/share/fonts or in /etc/fonts in order to get rid of them. So it is better to do everything at once on the command line. In fact, this is where many go astray, trying to do everything with graphical applications for as long as possible; after a while updates break, drivers crash and everything goes to hell.

This cannot be allowed, so we immediately proceed to the next stage: mastering a console text editor, vim, emacs, or one of their clones. Believe me, you should not get attached to the unpretentious nano or mcedit, which do not even have undo yet. Having mastered these editors, you can safely edit configuration files in /etc and $HOME and gain reliable control over the system.

Case 2 – setting up a network environment in the office

With NetworkManager, configuring networks has become much easier; previously it was necessary to edit the wpa_supplicant.conf file to set up a wireless connection. However, even today the functionality of NetworkManager is still limited in many respects. For example, it cannot connect to a VPN using the Juniper Pulse protocol with two-factor authentication; only the CLI can.

|18:29:57|admin@srv:[~]> sudo openconnect --protocol=pulse --authgroup TOTP -u jsmith https://my.company-gateway.com

In the office it may well happen that many ports are blocked for outgoing and incoming traffic on the main network but unblocked on the secondary one. If you connect to the secondary network, many important resources of the main network become unavailable. On the other hand, you do not want to run into the firewall either. What is the way out?

We take the important subnets of the main network and register them with a static route.

sudo ip route add 110.10.0.0/8 via 110.10.10.1;

Then we connect to the secondary network and send the rest of the traffic through it. Since the metric of the main network's route is smaller, it has the higher priority, and with two parallel default routes traffic stubbornly keeps going through it. Since the route metric cannot be changed, it is easier to delete the unnecessary default route.

sudo ip route delete default dev eth0;

For a one-off it is enough to run these two commands, but connecting like this every day is inconvenient; it needs to be automated. To do this, create a script in the /etc/NetworkManager/dispatcher.d/ folder.

|17:43:17|admin@srv:[~]> ls /etc/NetworkManager/dispatcher.d/
10-openrc-status  no-wait.d  pre-down.d  pre-up.d
|17:43:22|admin@srv:[~]> cd /etc/NetworkManager/dispatcher.d/pre-up.d
|17:43:27|admin@srv:[~]> sudo chmod +x 10-office-netw.sh

Scripts to be executed before a network connection is activated belong in pre-up.d; accordingly, scripts for when the connection is brought down go in pre-down.d. The names are arbitrary; if there are several scripts, they are executed in alphabetical order.

#!/bin/bash
# NetworkManager dispatcher script: $1 is the interface, $2 the action.
# Scripts placed in pre-up.d are called with the action "pre-up" (scripts in
# the top-level dispatcher.d directory get "up"), so accept both.
if [ "$1" == "eth0" ] && { [ "$2" == "up" ] || [ "$2" == "pre-up" ]; }; then
    ip route add 110.10.0.0/8 via 110.10.10.1
    ip route delete default dev eth0
    # a higher metric, so that it sits below the main gateway in ip route
    ip route add default dev eth0 metric 700
fi

For the sake of objectivity, I must say that the ip route add directives can also be entered from the NetworkManager interface, in the connection properties under the IPv4 => Routes tab.

Case 3 – Raise Wireguard VPN

Literally every day we receive new evidence that it would be nice to have your own VPN solution. Today torrents and foreign bookmaker sites are banned, tomorrow they will decide to restrict social networks and online libraries, and then someone will not like news resources. Fortunately, technology does not stand still either, and with the appropriate skills you can set up a Wireguard VPN in 15 minutes and bypass all the ridiculous restrictions. The most important thing is to have a Linux server with an external, i.e. non-Russian, IP address.

All configuration is done exclusively through the CLI and text configuration files. This is not a complete setup guide, but the whole process consists of the following steps.

  1. Install the Wireguard utility package.
    aptitude install wireguard-tools
  2. Install kernel headers for older kernels.
    aptitude install linux-headers
  3. Open the UDP port used for the connection (51820 in our example) to the outside from the virtual server provider's control console.
  4. Create the public and private keys for Wireguard on the client and the server.
    umask 077; wg genkey | tee privatekey | wg pubkey > publickey
  5. Create a config file in /etc/wireguard.
  6. Check for an L2 connection.
    wg show; if it prints something like transfer: 4.80 MiB received, 1833.04 KiB sent, that is a good sign.
  7. Enable IP forwarding with sysctl -w net.ipv4.ip_forward=1 and add it to /etc/sysctl.conf if you have not already.
  8. Configure traffic routing and NAT masquerade.

In fact, in Wireguard terminology the participants in a network connection are not called client and server but peers, that is, equals. However, in reality one of the nodes still performs the function of a server, so for this case it is more logical to name them that way.

The VPN server configuration file contains the server's own private key and the client's public key. The reverse holds too: in the VPN client configuration file we write the client's own private key and the server's public key.

# client config
[Interface]
PrivateKey = uJPzgCQ6WNlAUp3s5rabE/EVt1qYh3Ym01sx6oJI0V4=
Address = 192.168.10.2/24

[Peer]
PublicKey = qdjdqh2pN3DEMDUDRob8K3bp9BZFJbT59fprBrl99zM=
AllowedIPs = 0.0.0.0/0
Endpoint = 172.105.211.120:51820
PersistentKeepalive = 20

Any inaccuracy in any of the listed items, except for checking the OSI L2 connection, will lead to a failure of the VPN tunnel, but with the necessary skill everything can be done quickly and accurately.

# server config
[Interface]
Address = 192.168.10.1/24
ListenPort = 51820
PrivateKey = eEvqkSJVw/7cGUEcJXmeHiNFDLBGOz8GpScshecvNHU=
SaveConfig = true

[Peer]
PublicKey = 2H8vRWKCrddLf8vPwwTLMfZcRhOj10UBdc0j8W7yQAk=
AllowedIPs = 192.168.10.2/32

In some examples, the client's AllowedIPs is for some reason set to the server's internal tunnel IP address. Then only requests to that IP address will go through the tunnel, but if you set 0.0.0.0/0, all traffic will go through the Wireguard VPN. Also, the client's Endpoint must point to the external IP address of the server.
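A check for exactly these cross-over mistakes (a public key on the wrong side, an Endpoint port that does not match ListenPort), added here as an example; it is not part of the original post and not WireGuard's own tooling. It derives each side's public key from its PrivateKey with a pure-Python X25519, which is what wg pubkey computes, parses both configs and reports every mismatch. It is in Python so it runs without the wg binary; the sample keys are the RFC 7748 test vectors, the config text is constructed to match the post's layout, and the function names are my own.

```python
import base64
P = 2**255 - 19  # the X25519 field prime

def wg_pubkey(priv_b64: str) -> str:
    """Same output as 'wg pubkey': X25519(private, 9) per RFC 7748, base64 in and out."""
    k = bytearray(base64.b64decode(priv_b64))
    k[0] &= 248; k[31] &= 127; k[31] |= 64  # clamp the scalar
    k = int.from_bytes(k, "little")
    x1, x2, z2, x3, z3, swap = 9, 1, 0, 9, 1, 0  # Montgomery ladder on u = 9
    for t in range(254, -1, -1):
        bit = (k >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb, c, d = a * a % P, b * b % P, (x3 + z3) % P, (x3 - z3) % P
        da, cb, e = d * a % P, c * b % P, (aa - bb) % P
        x3, z3 = pow(da + cb, 2, P), x1 * pow(da - cb, 2, P) % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    x2, z2 = (x3, z3) if swap else (x2, z2)
    return base64.b64encode((x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")).decode()

def parse_wg(text: str) -> dict:
    """Minimal wg-quick INI parser; each [Peer] section becomes one dict in a list."""
    conf, cur = {"Interface": {}, "Peer": []}, {}
    for line in (raw.split("#", 1)[0].strip() for raw in text.splitlines()):
        if line == "[Interface]":
            cur = conf["Interface"]
        elif line == "[Peer]":
            cur = {}; conf["Peer"].append(cur)
        elif "=" in line:  # split on the first '=' only; base64 padding '=' comes later
            key, val = line.split("=", 1); cur[key.strip()] = val.strip()
    return conf

def check_pair(client_text: str, server_text: str) -> list:
    """Mismatches between a client and a server config (empty list = they pair up)."""
    c, s = parse_wg(client_text), parse_wg(server_text)
    c_pub, s_pub = wg_pubkey(c["Interface"]["PrivateKey"]), wg_pubkey(s["Interface"]["PrivateKey"])
    checks = [
        (c["Peer"][0]["PublicKey"] == s_pub, "client [Peer] PublicKey is not derived from the server PrivateKey"),
        (any(p["PublicKey"] == c_pub for p in s["Peer"]), "no server [Peer] carries the client's public key"),
        (c["Peer"][0]["Endpoint"].rsplit(":", 1)[-1] == s["Interface"].get("ListenPort"), "client Endpoint port != server ListenPort"),
    ]
    return [msg for ok, msg in checks if not ok]

# Constructed sample: RFC 7748 test-vector keys (Alice = client, Bob = server), configs shaped like the post's.
def b64_of_hex(h: str) -> str: return base64.b64encode(bytes.fromhex(h)).decode()
CLIENT_PRIV = b64_of_hex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
SERVER_PRIV = b64_of_hex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
CLIENT_CONF = f"[Interface]\nPrivateKey = {CLIENT_PRIV}\nAddress = 192.168.10.2/24\n[Peer]\nPublicKey = {wg_pubkey(SERVER_PRIV)}\nAllowedIPs = 0.0.0.0/0\nEndpoint = 172.105.211.120:51820\n"
SERVER_CONF = f"[Interface]\nAddress = 192.168.10.1/24\nListenPort = 51820\nPrivateKey = {SERVER_PRIV}\n[Peer]\nPublicKey = {wg_pubkey(CLIENT_PRIV)}\nAllowedIPs = 192.168.10.2/32\n"
```

Run check_pair on the two real files (their contents read with open()) before bringing the tunnel up; an empty list means the keys and the port are consistent on both sides.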

It remains to configure NAT masquerade so that the Wireguard server can route traffic in a NAT environment.

# IPv4
[root@wgsrv ~]$ iptables -A FORWARD -i wg0 -j ACCEPT
[root@wgsrv ~]$ iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# IPv6
[root@wgsrv ~]$ ip6tables -A FORWARD -i wg0 -j ACCEPT
[root@wgsrv ~]$ ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# NAT
[root@wgsrv ~]$ iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -o eth0 -j MASQUERADE

Then you need to save the iptables (netfilter) rules so that they persist. Also, the wg-quick service, which manages the Wireguard VPN tunnel, needs to be added to startup.

[root@wgsrv ~]$ systemctl enable wg-quick@wg0
[root@wgsrv ~]$ netfilter-persistent save
[root@wgsrv ~]$ systemctl enable netfilter-persistent

Conclusion

I hope the examples given are enough to show how necessary CLI skills are and how much easier they make basic system administration, even on a home workstation running Linux.
