For those seeking a flexible and lightweight VPN solution that works seamlessly within Docker, Gluetun has emerged as a popular choice. Developed by Quentin McGaw (@qdm12), Gluetun describes itself as a “swiss-army-knife-like” VPN client that integrates multiple providers, protocols, and additional privacy tools in one compact container.

What is Gluetun?

Gluetun is a VPN client designed to run in Docker containers, offering support for a wide variety of VPN service providers. Unlike most single-provider setups, Gluetun acts as a universal client that can connect to dozens of major VPN services through OpenVPN or WireGuard.

It’s written in Go, based on Alpine Linux for a small footprint, and includes built-in DNS over TLS, firewall features, and proxy servers. This makes it a versatile option for individuals or self-hosters who want both privacy and control over how their traffic is routed.

Key Features

• Wide VPN Provider Support
  Works with many providers including AirVPN, Mullvad, NordVPN, ProtonVPN, Surfshark, Private Internet Access, Cyberghost, Windscribe, and more.
• Protocol Flexibility
  • OpenVPN support for all listed providers.
  • WireGuard support for many providers, with both kernelspace and userspace options.
  • Ability to use custom WireGuard configurations.
• Privacy & Security Tools
  • DNS over TLS with the provider of your choice.
  • Fine-grained blocking of malicious, ad-related, or surveillance domains, updated daily.
  • Built-in firewall kill switch to prevent leaks outside the VPN tunnel.
• Proxies Included
  • A Shadowsocks proxy server (with UDP + TCP tunneling).
  • An HTTP proxy for web traffic.
• Container-Friendly
  • Other Docker containers can connect to Gluetun as their network gateway.
  • LAN devices can also be routed through it.
  • Works across multiple CPU architectures: amd64, i686, ARM (32/64-bit), and even ppc64le.
• Advanced Features
  • Custom VPN server-side port forwarding (for supported providers).
  • Split-horizon DNS (using multiple DNS over TLS providers).
  • Usable as a Kubernetes sidecar container.

Setup and Usage

The project maintains a detailed Wiki with provider-specific instructions, ensuring a smoother setup experience for newcomers. A minimal docker-compose.yml example is provided for those who want a quick start:

services:
  gluetun:
    image: qmcgaw/gluetun
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    ports:
      - 8888:8888/tcp # HTTP proxy
      - 8388:8388/tcp # Shadowsocks
      - 8388:8388/udp # Shadowsocks
    volumes:
      - /yourpath:/gluetun
    environment:
      - VPN_SERVICE_PROVIDER=ivpn
      - VPN_TYPE=openvpn
      - OPENVPN_USER=
      - OPENVPN_PASSWORD=
      - TZ=

With this configuration, Gluetun can function as the backbone of a secure, private networking stack inside Docker.

Project Activity and Community

Gluetun is under active development with regular updates, bug fixes, and new features. It has:

• 11,000+ stars on GitHub.
• 71 releases to date (latest in December 2024).
• Contributions from over 50 developers.

The community often engages via GitHub Issues and Discussions, while the Wiki and documentation provide troubleshooting resources and setup guides.

Licensing

The project is released under the MIT License, allowing free use, modification, and distribution.

Conclusion

Gluetun has become a go-to tool for self-hosters and developers looking for a reliable VPN client in Docker. Its wide provider support, compact footprint, and built-in privacy tools make it an attractive solution for both simple setups and more advanced containerized environments.

Whether you’re running a small homelab or deploying Kubernetes clusters, Gluetun offers a flexible way to integrate VPN connectivity into your workflow without being locked to a single provider.

Explore the project here: Gluetun on GitHub

The post Gluetun: A Lightweight, All-in-One VPN Client for Docker appeared on Hamradio.my - Amateur Radio, Tech Insights and Product Reviews by 9M2PJU.

Exposing private services to the internet is traditionally a messy affair — it usually involves port forwarding, firewalls, VPNs, or jumping through hoops with third-party tunnels and ingress controllers.

But what if there was a secure, self-hosted way to do it all — using just WireGuard and NGINX — without giving up control?

Meet Wiredoor.

What Is Wiredoor?

Wiredoor is an open-source ingress-as-a-service platform designed for securely exposing services from private networks to the internet. It uses a reverse VPN tunnel (powered by WireGuard) and a built-in NGINX reverse proxy to forward requests to your local services — no matter where they are.

Whether you’re a developer, sysadmin, or just privacy-conscious, Wiredoor gives you complete control of how your internal services become externally available — without relying on a public cloud provider.

Why Wiredoor?

Here’s what makes Wiredoor stand out:

• Reverse VPN with WireGuard: Secure, high-performance tunneling from internal nodes to the internet-facing gateway.
• NGINX Reverse Proxy: Routes traffic efficiently and supports HTTPS, WebSockets, and subdomain mapping.
• OAuth2 Authentication: Restrict access with Google, GitHub, or any OIDC provider using OAuth2-Proxy.
• Automatic SSL: Built-in Let’s Encrypt integration for public domains, or use self-signed certs for internal use.
• Web UI: Manage nodes, services, and domains from a sleek, browser-based interface.
• Flexible Deployments: Works in Docker, Kubernetes, bare-metal servers, IoT devices — anything with Linux.
• CLI Client: Register and expose services easily from the terminal with wiredoor-cli.

And of course, it’s fully open source and 100% self-hosted.

Quickstart: Get Wiredoor Running in Minutes

You’ll need:

• A Linux VPS with Docker
• Open ports: 80, 443, and 51820/UDP (VPN)
• A domain (optional but recommended)

Step 1: Deploy the Wiredoor Server

git clone https://github.com/wiredoor/docker-setup.git
cd docker-setup
cp .env.example .env
nano .env   # Edit admin email, password, hostname/IP, and ports
docker compose up -d

Step 2: Log in to the Web UI

Go to https://your-server-domain-or-ip in your browser, and log in with the credentials you set in .env.

Now you’ve got the control panel to manage everything — nodes, domains, and services.

Expose Your First Private Service

Now, install the Wiredoor CLI on your local device (or any internal machine):

curl -s https://www.wiredoor.net/install-wiredoor-cli.sh | sh

Then connect it to your server:

wiredoor login --url=https://your-server-domain-or-ip

And expose a service running on port 3000:

wiredoor http myapp --domain app.yourdomain.com --port 3000

Make sure app.yourdomain.com points to your Wiredoor server’s public IP. Wiredoor will handle SSL, tunneling, and routing for you.

Advanced Use Cases

Wiredoor works great in more complex environments too:

• Docker Gateway: Drop-in sidecar container to expose services in Compose stacks.
• Kubernetes: Use the Helm chart to expose services from inside your cluster.
• IoT Networks: Expose dashboards, logs, or remote device control panels from isolated networks.
• Site-to-Site VPN: Use gateway nodes to bridge entire networks, not just individual services.

Designed with Security in Mind

Wiredoor doesn’t compromise on security. You get:

• Encrypted VPN connections (WireGuard)
• Fine-grained OAuth2 access controls
• Secure session handling
• Automatic certificate renewal
• Brute-force resistant login with admin PIN/password

You control your ingress — not some third-party SaaS provider.

Ideal Use Cases

• Share a dev or staging app with your client — securely
• Access internal dashboards (like Prometheus, Grafana, etc.) from anywhere
• Replace complex OpenVPN/ZeroTier setups with a simple alternative
• Expose IoT devices, edge services, or legacy systems with minimal configuration

100% Open Source, Self-Hosted

Wiredoor is maintained by developers who care about privacy, control, and simplicity. You can inspect, modify, or host it yourself — no vendor lock-in.

Check out the source code, contribute, or just star the repo to support the project:

GitHub: wiredoor/docker-setup

Final Thoughts

Wiredoor offers a refreshing take on secure service exposure. If you’re tired of fragile SSH tunnels, overpriced third-party solutions, or clunky VPN setups — give Wiredoor a try.

It’s simple, self-hosted, and made for people who want to control their own infrastructure.

The post Wiredoor: Securely Expose Private Services with Reverse VPN Magic appeared on Hamradio.my - Amateur Radio, Tech Insights and Product Reviews by 9M2PJU.

In today’s digitally connected world, amateur radio isn’t just about radios and antennas — it’s also about the secure, smart use of modern networking tools. One tool that’s gaining popularity among hams is WireGuard, a next-generation VPN protocol. While VPNs are often associated with corporate IT or privacy tools, they have practical and exciting use cases for amateur radio operators too.

Let’s explore what WireGuard is and how it can empower your ham radio setup — from remote control to repeater networking.

What is WireGuard?

WireGuard is an open-source, modern VPN (Virtual Private Network) that’s fast, lightweight, and secure. Think of it as a secure tunnel between two or more devices, no matter where they are in the world. It uses cutting-edge cryptography like ChaCha20 and Curve25519 and is designed to be extremely simple to set up and manage.

Some key features:

• Blazing fast performance, even on low-powered devices like Raspberry Pi.
• Built into the Linux kernel (also works on Windows, macOS, iOS, Android).
• Minimal configuration with easy-to-read config files.
• Highly secure with modern encryption standards.

Why Should Hams Care?

You might be wondering — “What does a VPN have to do with amateur radio?”

Well, WireGuard isn’t just for IT professionals. It can be incredibly useful for amateur radio in a variety of modern applications:

1. Remote Station Access

Operate your station remotely — securely. Use WireGuard to connect to:

• Your home radio via web interface (e.g., Hamlib, WebSDR, OpenWebRX).
• Digital modes like FT8, even when you’re away from home.
• Control rotators, power switches, and more — all over a private network.

No need to open public ports or worry about hacking attempts.

2. Linking Repeaters or Nodes

Running AllStarLink, EchoLink, or DMR nodes? WireGuard is perfect for:

• Securely linking multiple nodes.
• Simplifying firewall and NAT traversal.
• Avoiding reliance on port forwarding or dynamic DNS.

With WireGuard, repeaters in different locations can talk to each other over encrypted tunnels.

3. Emergency Communications (EMCOMM)

In emergency situations, you may deploy AREDN mesh networks, Raspberry Pis, and LTE routers. WireGuard lets you:

• Quickly set up a secure, private network between team members.
• Share sensitive data, maps, or status pages — safely.
• Connect mobile and fixed stations over WiFi, LTE, or satellite links.

WireGuard is lightweight enough to run on solar-powered mesh nodes and Pi devices in the field.

Legal Note for Hams

It’s important to point out:

Encryption is NOT allowed over amateur radio frequencies in most countries (including Malaysia and the U.S.).

This means you cannot run WireGuard over RF links on ham bands. But here’s where you can:

• Private home or field networks using WiFi, cellular, or fiber.
• Between club servers or repeaters connected via the internet.

Always follow your country’s amateur radio regulations.

Easy Setup with WG-Easy

Want to get started without headaches? The easiest way to install and manage WireGuard is with WG-Easy — a simple web interface for WireGuard.

Install WG-Easy (Docker)

If you’re familiar with Docker, just run:

docker run -d \
  --name=wg-easy \
  -e WG_HOST=your.domain.com \
  -e PASSWORD=your_password \
  -v ~/.wg-easy:/etc/wireguard \
  -p 51820:51820/udp \
  -p 51821:51821/tcp \
  --cap-add=NET_ADMIN \
  --cap-add=SYS_MODULE \
  --sysctl="net.ipv4.ip_forward=1" \
  --sysctl="net.ipv4.conf.all.src_valid_mark=1" \
  --restart unless-stopped \
  weejewel/wg-easy

Then visit http://your-server-ip:51821 to manage your VPN through a friendly web UI. Generate keys, scan QR codes for your phone or field devices, and connect in minutes.

Works beautifully with Android/iOS WireGuard apps — great for mobile operators.

Summary: Why Hams Should Use WireGuard

Final Thoughts

WireGuard is more than just a tool for techies — it’s a game-changer for the modern amateur radio operator. Whether you’re running a club repeater, experimenting with remote stations, or preparing for field communications, adding a secure layer like WireGuard is smart, responsible, and powerful.

The post How Amateur Radio Operators Can Use WireGuard for Secure Networking appeared on Hamradio.my - Amateur Radio, Tech Insights and Product Reviews by 9M2PJU.

OpenWrt is not just firmware—it’s a complete Linux-based operating system purpose-built for routers and embedded devices. To understand how OpenWrt works, it helps to look at how it integrates with router hardware, manages networking tasks, and provides flexibility well beyond stock firmware.

In this post, we’ll explore how OpenWrt operates internally, from bootloader to network stack, and why it’s so much more powerful than vendor firmware.

1. The Boot Process: How OpenWrt Starts

OpenWrt uses the standard embedded Linux boot sequence:

1. Bootloader (e.g., U-Boot or CFE)
   • Executes first when the router powers on.
   • Initializes the CPU, memory, and peripherals.
   • Loads the OpenWrt kernel and passes control.
2. Linux Kernel
   • A highly customized and lightweight kernel compiled for the router’s architecture (e.g., MIPS, ARM, x86).
   • Initializes hardware drivers, network interfaces, file systems, and system services.
3. Init System (procd)
   • OpenWrt uses a custom init system called procd to manage services, boot order, hotplug events, and more.
   • It replaces classic sysvinit or systemd to keep things lightweight and fast.

2. Filesystem and Overlay

OpenWrt’s filesystem is built around SquashFS + OverlayFS:

• SquashFS is a compressed, read-only root filesystem containing the core OS.
• OverlayFS provides a writable layer on top of it, enabling persistent configuration and package installation without altering the base image.

This design allows:

• Fast boot times
• System resets (factory reset = wipe overlay)
• Minimal storage use (great for routers with low flash memory)

3. Networking Stack

OpenWrt’s real power lies in its networking flexibility. Here’s how it manages key components:

a. Interface Management (netifd)

Handles creation of logical interfaces (LAN, WAN, VLANs, bridges, tunnels).
Interfaces are defined in /etc/config/network and handled by netifd.

b. Firewall (nftables or iptables)

OpenWrt uses nftables (or iptables in older versions) for packet filtering, NAT, and port forwarding.
Firewall zones (e.g., LAN, WAN) are defined for easy rule management.

c. DHCP/DNS (dnsmasq)

A lightweight DNS and DHCP server (dnsmasq) serves local IP addresses and hostname resolution.

d. Wireless Stack (hostapd / wpad)

Wireless radios are configured using hostapd or wpad, managing SSID, encryption (WPA2/WPA3), and multiple interfaces.

e. Routing

Routing is handled by the Linux kernel’s routing table and can be extended with:

• Static routes
• Dynamic routing protocols (e.g., OSPF via quagga or bird)
• VPN routes (e.g., WireGuard or OpenVPN)

4. Package Management: How OpenWrt Is Modular

OpenWrt includes a package manager called opkg (Open Package Manager).

Users can install packages for:

• VPNs: wireguard, openvpn
• Ad-blocking: adblock, banIP
• Monitoring: collectd, luci-app-statistics
• Web servers, proxy servers, NAS functions, mesh routing (B.A.T.M.A.N., 802.11s)

Each package is a compressed archive with its own dependencies and can be installed with:

opkg update
opkg install luci-app-wireguard

5. Configuration System (UCI)

OpenWrt uses its own Unified Configuration Interface (UCI) for managing system settings. All configs are stored in:

/etc/config/

Examples:

• /etc/config/network – interfaces, VLANs, bridges
• /etc/config/wireless – radios, SSIDs
• /etc/config/firewall – zone policies, rules
• /etc/config/system – hostname, timezone

You can edit these directly or use UCI commands:

uci set wireless.@wifi-iface[0].ssid='OpenWrt'
uci commit wireless
wifi reload

6. Web Interface (LuCI)

LuCI is OpenWrt’s lightweight, modular web GUI:

• Runs on an embedded uhttpd or lighttpd web server
• Dynamic rendering via Lua + JavaScript
• Exposes all config options in a user-friendly form
• Extendable with modules (e.g., luci-app-sqm, luci-app-ddns)

You can install LuCI separately or use CLI-only setups for advanced users.

7. Remote Access & Automation

OpenWrt supports:

• SSH access out of the box
• Public key authentication
• Cron jobs for automation
• Remote syslog
• SNMP, Prometheus exporters
• MQTT for IoT applications

You can remotely manage it using APIs, CLI, or custom scripts.

8. System Resources and Performance

Because OpenWrt runs on devices with as little as 8MB flash and 64MB RAM, it is optimized for:

• Minimal memory usage
• Background service trimming
• Efficient caching and logging
• Graceful failure on low disk/memory

That said, OpenWrt can scale well to more powerful hardware (x86, ARM64), supporting multi-core load balancing, gigabit routing, and even containerization (via lxc or docker on x86 builds).

Final Thoughts

OpenWrt works by replacing the limited firmware on your router with a full-featured Linux OS, designed for performance, customization, and stability. It gives you access to capabilities usually reserved for enterprise-grade routers—at zero cost.

If you’re the kind of person who likes to control every part of your network, OpenWrt is the ultimate toolkit: flexible, modular, transparent, and endlessly powerful.

The post How OpenWrt Works: Inside the World’s Most Powerful Router Operating System appeared on Hamradio.my - Amateur Radio, Tech Insights and Product Reviews by 9M2PJU.

Are you looking to learn more about servers but don’t know where to start? Ubuntu Server provides the perfect foundation for beginners and experienced users alike. With its reliability, security features, and extensive community support, Ubuntu Server makes it easy to create useful projects that enhance your home network or provide valuable skills for your career.

In this guide, I’ll walk you through 10 practical projects that anyone can set up using Ubuntu Server. Each project requires minimal hardware and provides real-world benefits. Let’s get started!

1. Network-Attached Storage (NAS) Server

What it is: A centralized location to store and access your files from any device on your network.

Why Ubuntu Server is perfect: Ubuntu’s stability ensures your data remains safe, while its lightweight nature means even older hardware can serve as a reliable NAS.

Setup overview:

1. Install Ubuntu Server on your hardware
2. Install and configure Samba for file sharing:

sudo apt update
sudo apt install samba -y

3. Create a directory for your shared files:

sudo mkdir -p /media/nas
sudo chmod 777 /media/nas

4. Configure Samba by editing its configuration file:

sudo nano /etc/samba/smb.conf

5. Add the following at the end of the file:

[NASShare]
path = /media/nas
browseable = yes
read only = no
force create mode = 0660
force directory mode = 2770
valid users = @users

6. Set a Samba password for your user:

sudo smbpasswd -a yourusername

7. Restart Samba:

sudo systemctl restart smbd

Benefits: Access your files from any device, centralize your backups, and stream media throughout your home.

2. Personal Cloud Storage (NextCloud)

What it is: Your own personal cloud storage solution similar to Dropbox or Google Drive but hosted on your own hardware.

Why Ubuntu Server is perfect: Ubuntu’s package management makes installing dependencies straightforward, while LTS releases ensure long-term stability.

Setup overview:

1. Install LAMP stack:

sudo apt update
sudo apt install apache2 mariadb-server libapache2-mod-php php-gd php-json php-mysql php-curl php-mbstring php-intl php-imagick php-xml php-zip -y

2. Secure your MariaDB installation:

sudo mysql_secure_installation

3. Create a database:

sudo mysql -u root -p
CREATE DATABASE nextcloud;
CREATE USER 'nextclouduser'@'localhost' IDENTIFIED BY 'your_password';
GRANT ALL PRIVILEGES ON nextcloud.* TO 'nextclouduser'@'localhost';
FLUSH PRIVILEGES;
EXIT;

4. Download and install NextCloud:

cd /tmp
wget https://download.nextcloud.com/server/releases/latest.zip
unzip latest.zip
sudo mv nextcloud /var/www/html/
sudo chown -R www-data:www-data /var/www/html/nextcloud/

5. Configure Apache:

sudo nano /etc/apache2/sites-available/nextcloud.conf

6. Add the following configuration:

<VirtualHost *:80>
    DocumentRoot /var/www/html/nextcloud/
    ServerName your_domain_or_IP

    <Directory /var/www/html/nextcloud/>
        Options +FollowSymlinks
        AllowOverride All
        Require all granted
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

7. Enable the site and required modules:

sudo a2ensite nextcloud.conf
sudo a2enmod rewrite headers env dir mime
sudo systemctl restart apache2

8. Access NextCloud through your browser at http://your_server_IP_or_domain and complete the setup wizard.

Benefits: Maintain control over your data, avoid subscription fees, and get unlimited storage based on your hardware.

3. Media Server with Plex

What it is: A powerful media server that organizes your movies, TV shows, music, and photos, making them accessible from anywhere.

Why Ubuntu Server is perfect: Ubuntu’s efficiency means more resources are available for transcoding media, and its compatibility with Plex is excellent.

Setup overview:

1. Add the Plex repository:

sudo apt update
sudo apt install apt-transport-https curl -y
curl https://downloads.plex.tv/plex-keys/PlexSign.key | sudo apt-key add -
echo deb https://downloads.plex.tv/repo/deb public main | sudo tee /etc/apt/sources.list.d/plexmediaserver.list

2. Install Plex Media Server:

sudo apt update
sudo apt install plexmediaserver -y

3. Create directories for your media:

sudo mkdir -p /opt/plexmedia/{movies,tv,music,photos}
sudo chown -R plex:plex /opt/plexmedia

4. Access the Plex web interface at http://your_server_IP:32400/web and follow the setup wizard
5. Add your media libraries pointing to the directories you created

Benefits: Stream your media collection to any device, automatic metadata fetching, and smart organization of your content.

4. Home Automation Server with Home Assistant

What it is: A central hub to control and automate your smart home devices.

Why Ubuntu Server is perfect: Ubuntu’s reliability ensures your home automation stays running, while its hardware compatibility supports various IoT devices.

Setup overview:

1. Install Docker (the easiest way to run Home Assistant):

sudo apt update
sudo apt install apt-transport-https ca-certificates curl software-properties-common -y
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
sudo apt update
sudo apt install docker-ce -y

2. Install Docker Compose:

sudo curl -L "https://github.com/docker/compose/releases/download/1.29.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose

3. Create a Docker Compose file:

mkdir ~/homeassistant
cd ~/homeassistant
nano docker-compose.yml

4. Add the following content:

version: '3'
services:
  homeassistant:
    container_name: homeassistant
    image: ghcr.io/home-assistant/home-assistant:stable
    volumes:
      - ./config:/config
    environment:
      - TZ=YOUR_TIME_ZONE
    restart: always
    network_mode: host

5. Start Home Assistant:

sudo docker-compose up -d

6. Access Home Assistant through your browser at http://your_server_IP:8123

Benefits: Centralized control of all smart devices, powerful automation capabilities, and reduced dependence on cloud services.

5. Personal VPN Server with WireGuard

What it is: Your own VPN server that allows secure remote access to your home network and protects your privacy when using public Wi-Fi.

Why Ubuntu Server is perfect: Ubuntu’s security focus makes it ideal for VPN services, and recent kernels include built-in WireGuard support.

Setup overview:

1. Install WireGuard:

sudo apt update
sudo apt install wireguard -y

2. Generate private and public keys:

wg genkey | sudo tee /etc/wireguard/private.key
sudo chmod 600 /etc/wireguard/private.key
sudo cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key

3. Create a WireGuard configuration:

sudo nano /etc/wireguard/wg0.conf

4. Add the following (substituting your own values):

[Interface]
PrivateKey = YOUR_SERVER_PRIVATE_KEY
Address = 10.0.0.1/24
ListenPort = 51820
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

# Client configuration example
[Peer]
PublicKey = CLIENT_PUBLIC_KEY
AllowedIPs = 10.0.0.2/32

5. Enable IP forwarding:

echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

6. Start and enable the WireGuard service:

sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0

7. Generate configurations for your clients and distribute them securely

Benefits: Secure remote access to your home network, enhanced privacy on public networks, and better control over your internet connection.

6. Web Server for Hosting Your Own Website

What it is: A server to host your personal website, blog, or web application.

Why Ubuntu Server is perfect: Ubuntu’s robust LAMP stack support makes it the go-to choice for web hosting environments.

Setup overview:

1. Install LAMP stack:

sudo apt update
sudo apt install apache2 mariadb-server php libapache2-mod-php php-mysql -y

2. Secure MariaDB:

sudo mysql_secure_installation

3. Create a website directory:

sudo mkdir -p /var/www/yourwebsite
sudo chown -R $USER:$USER /var/www/yourwebsite

4. Create a simple index.php file:

echo '<?php phpinfo(); ?>' > /var/www/yourwebsite/index.php

5. Configure Apache virtual host:

sudo nano /etc/apache2/sites-available/yourwebsite.conf

6. Add the following configuration:

<VirtualHost *:80>
    ServerName yourwebsite.local
    ServerAlias www.yourwebsite.local
    DocumentRoot /var/www/yourwebsite
    ErrorLog ${APACHE_LOG_DIR}/yourwebsite_error.log
    CustomLog ${APACHE_LOG_DIR}/yourwebsite_access.log combined
</VirtualHost>

7. Enable the site and restart Apache:

sudo a2ensite yourwebsite.conf
sudo systemctl restart apache2

Benefits: Full control over your web presence, no monthly hosting fees, and valuable skills for web development.

7. Pi-hole Ad Blocker

What it is: A network-wide ad blocker that improves browsing speed and privacy by blocking ads at the DNS level.

Why Ubuntu Server is perfect: Ubuntu’s efficiency means Pi-hole can run alongside other services without issues, making it a perfect addition to any home server.

Setup overview:

1. Install required packages:

sudo apt update
sudo apt install curl -y

2. Run the Pi-hole installer:

curl -sSL https://install.pi-hole.net | bash

3. Follow the on-screen instructions (accept most defaults)
4. Note your admin password at the end of installation
5. Configure your router to use your Ubuntu Server as the DNS server, or configure individual devices
6. Access the Pi-hole admin interface at http://your_server_IP/admin

Benefits: Faster browsing, reduced bandwidth usage, enhanced privacy, and protection from malicious domains.

8. Git Server with Gitea

What it is: A lightweight, self-hosted Git service similar to GitHub but running on your own hardware.

Why Ubuntu Server is perfect: Ubuntu’s package management and system resource efficiency make it ideal for hosting developer tools like Git services.

Setup overview:

1. Install required packages:

sudo apt update
sudo apt install git curl sqlite3 -y

2. Create a user for Gitea:

sudo adduser --system --group --disabled-password --shell /bin/bash --home /home/git git

3. Download and install Gitea:

VERSION=$(curl -s https://api.github.com/repos/go-gitea/gitea/releases/latest | grep tag_name | cut -d '"' -f 4)
sudo wget -O /tmp/gitea https://dl.gitea.io/gitea/${VERSION}/gitea-${VERSION}-linux-amd64
sudo chmod +x /tmp/gitea
sudo mv /tmp/gitea /usr/local/bin/gitea

4. Create required directories:

sudo mkdir -p /var/lib/gitea/{custom,data,log}
sudo chown -R git:git /var/lib/gitea
sudo chmod -R 750 /var/lib/gitea
sudo mkdir /etc/gitea
sudo chown root:git /etc/gitea
sudo chmod 770 /etc/gitea

5. Create a systemd service:

sudo nano /etc/systemd/system/gitea.service

6. Add the following content:

[Unit]
Description=Gitea (Git with a cup of tea)
After=syslog.target
After=network.target

[Service]
RestartSec=2s
Type=simple
User=git
Group=git
WorkingDirectory=/var/lib/gitea
ExecStart=/usr/local/bin/gitea web --config /etc/gitea/app.ini
Restart=always
Environment=USER=git HOME=/home/git GITEA_WORK_DIR=/var/lib/gitea

[Install]
WantedBy=multi-user.target

7. Start and enable Gitea:

sudo systemctl daemon-reload
sudo systemctl enable --now gitea

8. Access Gitea through your browser at http://your_server_IP:3000 and complete the initial setup

Benefits: Full control over your code repositories, no limitations on private repositories, and integrated issue tracking.

9. Game Server Host

What it is: A dedicated server for hosting multiplayer games like Minecraft, Terraria, or Counter-Strike.

Why Ubuntu Server is perfect: Ubuntu’s stability and resource efficiency allow game servers to run smoothly and consistently, even on modest hardware.

Setup overview for Minecraft Server:

1. Install required packages:

sudo apt update
sudo apt install openjdk-17-jre-headless screen -y

2. Create a minecraft user:

sudo adduser --system --home /opt/minecraft-server minecraft
sudo addgroup --system minecraft
sudo adduser minecraft minecraft

3. Switch to the minecraft user:

sudo su - minecraft

4. Download the Minecraft server:

mkdir -p ~/server
cd ~/server
wget https://piston-data.mojang.com/v1/objects/8f3112a1049751cc472ec13e397eade5336ca7ae/server.jar -O minecraft_server.jar

5. Accept the EULA:

echo "eula=true" > eula.txt

6. Create a start script:

echo '#!/bin/sh
cd /opt/minecraft-server/server
java -Xmx2G -Xms1G -jar minecraft_server.jar nogui' > start.sh
chmod +x start.sh

7. Exit the minecraft user and create a systemd service:

exit
sudo nano /etc/systemd/system/minecraft.service

8. Add the following content:

[Unit]
Description=Minecraft Server
After=network.target

[Service]
User=minecraft
Nice=5
KillMode=none
SuccessExitStatus=0 1
InaccessibleDirectories=/root /sys /srv /media -/lost+found
NoNewPrivileges=true
WorkingDirectory=/opt/minecraft-server/server
ReadWriteDirectories=/opt/minecraft-server/server
ExecStart=/opt/minecraft-server/server/start.sh
ExecStop=/usr/bin/screen -p 0 -S minecraft -X eval 'stuff "say SERVER SHUTTING DOWN IN 10 SECONDS. SAVING ALL MAPS..."\015'
ExecStop=/bin/sleep 10
ExecStop=/usr/bin/screen -p 0 -S minecraft -X eval 'stuff "save-all"\015'
ExecStop=/usr/bin/screen -p 0 -S minecraft -X eval 'stuff "stop"\015'

[Install]
WantedBy=multi-user.target

9. Enable and start the service:

sudo systemctl enable minecraft.service
sudo systemctl start minecraft.service

Benefits: Host your favorite games with friends without subscription fees, customize server settings, and install mods freely.

10. Docker Host for Containerized Applications

What it is: A platform for running containerized applications, making it easy to deploy and manage various services.

Why Ubuntu Server is perfect: Ubuntu has excellent Docker support, regular updates, and a well-maintained Docker repository.

Setup overview:

1. Install Docker:

sudo apt update
sudo apt install apt-transport-https ca-certificates curl software-properties-common -y
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
sudo apt update
sudo apt install docker-ce -y

2. Install Docker Compose:

sudo curl -L "https://github.com/docker/compose/releases/download/1.29.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose

3. Add your user to the Docker group (to avoid using sudo with Docker commands):

sudo usermod -aG docker $USER

4. Log out and back in for the changes to take effect
5. Test Docker:

docker run hello-world

6. Create a sample Docker Compose project:

mkdir ~/docker-test
cd ~/docker-test
nano docker-compose.yml

7. Add the following content for a simple web server:

version: '3'
services:
  web:
    image: nginx:latest
    ports:
      - "8080:80"
    volumes:
      - ./html:/usr/share/nginx/html
    restart: always

8. Create a test HTML file:

mkdir -p html
echo "<html><body><h1>My Docker Container is Working!</h1></body></html>" > html/index.html

9. Start the container:

docker-compose up -d

10. Access your test site at http://your_server_IP:8080

Benefits: Easily deploy complex applications, maintain isolated environments, and simplify updates and maintenance.

Why Ubuntu Server is the Perfect Choice

Throughout these projects, Ubuntu Server demonstrates its incredible versatility and power. Here’s why Ubuntu Server stands out from other options:

1. Stability: Ubuntu Server LTS releases are supported for 5 years, ensuring long-term reliability
2. Security: Regular security updates keep your server and data protected
3. Huge Community: Extensive documentation and community support make troubleshooting easy
4. Package Management: The APT package system simplifies software installation and updates
5. Resource Efficiency: Works well even on older or limited hardware
6. No License Fees: Completely free to use, even in commercial environments
7. Regular Updates: Stay current with the latest technologies and improvements

Getting Started with Ubuntu Server

Ready to begin? Here’s how to get started:

1. Download Ubuntu Server from ubuntu.com/download/server
2. Install it on your preferred hardware (old PC, Raspberry Pi, or virtual machine)
3. Choose one of the projects above and follow the step-by-step instructions
4. Join the Ubuntu community for support and to share your experiences

Remember, these projects are just the beginning. As you become more comfortable with Ubuntu Server, you’ll discover countless more possibilities for creating valuable services for your home or small business.

Have you built any interesting projects with Ubuntu Server? Share your experiences in the comments below!

This guide was created to help newcomers explore the capabilities of Ubuntu Server. For enterprise environments, consider Ubuntu’s commercial support options.

The post 10 Simple and Useful Projects Anyone Can Build with Ubuntu Server appeared on Hamradio.my - Amateur Radio, Tech Insights and Product Reviews by 9M2PJU.

In today’s digital landscape, the traditional network security model is increasingly insufficient to protect against sophisticated cyber threats. As businesses adapt to remote work and cloud-based infrastructures, the need for a more robust and adaptive security framework has never been greater. Enter Zero Trust Network Access (ZTNA), a revolutionary approach that’s reshaping the way we think about network security.

What is Zero Trust Network Access (ZTNA)?

Zero Trust Network Access (ZTNA) is a security model based on the principle of “never trust, always verify.” Unlike traditional security models that rely on perimeter defenses to keep threats out, ZTNA assumes that threats can exist both inside and outside the network. Therefore, it enforces strict identity verification and access controls, regardless of where the user or device is located.

ZTNA operates on the assumption that no user or device, whether inside or outside the network, should be trusted by default. Every access request is verified as though it originates from an open, untrusted network. This model aims to minimize the risk of internal and external threats by continuously validating user identity and device integrity.

Core Principles of ZTNA

1. Least Privilege Access: Users and devices are granted the minimum level of access required to perform their functions. This minimizes the potential damage from compromised accounts or devices. For instance, an employee in the finance department would only have access to financial systems and not to the HR or IT systems, thus reducing the potential impact of any security breach.
2. Continuous Verification: Authentication and authorization are not one-time events but continuous processes. Every access request is verified in real-time based on the user’s identity, location, device health, and other contextual factors. For example, if a user’s behavior deviates from their usual patterns, additional authentication steps might be triggered.
3. Micro-Segmentation: The network is divided into small, isolated segments to limit lateral movement of threats. Each segment enforces its own access controls and security policies. This means that even if an attacker breaches one segment, they cannot easily move to another part of the network.
4. End-to-End Encryption: Data is encrypted at all stages of its journey, ensuring that it remains secure from eavesdropping or tampering. This encryption covers data in transit between devices and applications, as well as data at rest within storage systems.

How ZTNA Works

ZTNA operates by creating secure, encrypted tunnels between users and the resources they need to access. Here’s a detailed overview of the process:

1. User Authentication: When a user attempts to access a resource, they must first authenticate their identity through multi-factor authentication (MFA). This could include something they know (password), something they have (security token), and something they are (biometric verification).
2. Device Posture Check: The system evaluates the security posture of the user’s device, checking for compliance with security policies (e.g., up-to-date antivirus software, device encryption). Devices failing to meet these criteria are either denied access or placed in a restricted mode where they can only access resources necessary to remediate their posture.
3. Policy Enforcement: Based on the user’s identity and device posture, the ZTNA solution enforces access policies. These policies determine whether the user can access the requested resource and what level of access they have. Policies can be very granular, specifying access based on the user’s role, location, the sensitivity of the data, and other factors.
4. Access Granted via Secure Tunnel: If the user meets all the criteria, access is granted through a secure, encrypted tunnel. This tunnel ensures that data remains protected during transmission, preventing unauthorized interception and tampering.

Benefits of ZTNA

1. Enhanced Security: By continuously verifying users and devices, ZTNA significantly reduces the risk of unauthorized access and data breaches. Continuous verification means that even if an attacker obtains valid credentials, additional security measures will be triggered if the system detects suspicious activity.
2. Improved User Experience: ZTNA solutions often integrate seamlessly with existing IT infrastructure, providing users with secure, frictionless access to resources. Instead of dealing with cumbersome VPN connections, users can access resources through a single sign-on (SSO) interface.
3. Scalability: As organizations grow and adopt new technologies, ZTNA can easily scale to accommodate additional users, devices, and resources without compromising security. This scalability is particularly beneficial for businesses with fluctuating workforces or extensive remote work policies.
4. Reduced Attack Surface: Micro-segmentation and least privilege access limit the potential damage from compromised accounts or devices, reducing the overall attack surface. By isolating resources and strictly controlling access, ZTNA makes it more difficult for attackers to move laterally within the network.

Comparison with Virtual Private Networks (VPNs)

While ZTNA and VPNs both aim to provide secure remote access to network resources, they differ fundamentally in their approach and capabilities.

1. Security Model:

• VPNs: Traditional VPNs create a secure tunnel between the user’s device and the corporate network. Once connected, users often have broad access to the network, relying on perimeter defenses to keep threats out.
• ZTNA: In contrast, ZTNA assumes no user or device is trusted by default. It continuously verifies every access request, regardless of the user’s location, and provides access on a need-to-know basis.

1. Access Control:

• VPNs: VPNs typically grant broad access to the network once a user is authenticated. This can be risky if an account is compromised, as attackers can potentially access a wide range of resources.
• ZTNA: ZTNA enforces strict access controls, granting users access only to specific resources required for their role. This minimizes the potential damage from compromised accounts.

1. User Experience:

• VPNs: VPNs can be cumbersome for users, requiring manual connection and often slowing down network performance due to the overhead of tunneling.
• ZTNA: ZTNA offers a more seamless experience, often integrating with single sign-on (SSO) solutions and providing fast, direct access to resources without the need for a full network connection.

1. Scalability:

• VPNs: Scaling VPNs can be challenging, as each new user increases the load on the VPN gateway, potentially impacting performance and requiring additional infrastructure.
• ZTNA: ZTNA solutions are designed to scale easily, accommodating growing numbers of users, devices, and resources without significant performance degradation.

ZTNA in Action: Real-World Use Cases

• Remote Workforce Security: With the rise of remote work, ZTNA ensures that employees can securely access corporate resources from any location without relying on traditional VPNs. For example, a sales representative can securely access customer relationship management (CRM) tools and company email from a home office, with access policies ensuring that sensitive financial data remains protected.
• Third-Party Access: Organizations can securely grant access to external partners, contractors, and vendors without exposing their entire network. Each third-party user is granted access only to the resources they need, based on strict verification policies. For instance, a freelance developer might access specific development environments without gaining access to HR or finance systems.
• Cloud Migration: As businesses migrate to the cloud, ZTNA provides secure access to cloud-based applications and services, ensuring that data remains protected in transit and at rest. This is particularly useful for companies using hybrid cloud environments, where seamless and secure access to both on-premises and cloud resources is essential.

Challenges and Considerations

While ZTNA offers numerous advantages, it’s not without challenges. Implementing a zero-trust model requires a shift in mindset and potentially significant changes to existing infrastructure. Organizations must carefully plan their transition to ensure that security policies are properly enforced without disrupting business operations.

1. Complex Implementation: Moving to a zero-trust model can be complex, requiring a thorough understanding of the organization’s current infrastructure, applications, and access patterns.
2. Performance Management: ZTNA solutions can generate a high volume of authentication and access requests, which may require robust performance management to prevent bottlenecks and ensure a smooth user experience.
3. Cost Considerations: While ZTNA can reduce long-term security risks and costs, the initial investment in new technologies and training can be significant. Organizations must weigh these costs against the potential benefits.
4. Cultural Change: Adopting a zero-trust approach often requires a cultural shift within the organization, as employees and management must understand and embrace new security practices.

Conclusion

Zero Trust Network Access represents a paradigm shift in network security, offering a more dynamic and resilient approach to protecting digital assets. As cyber threats continue to evolve, adopting a zero-trust model will be essential for organizations looking to safeguard their data and maintain a secure, agile IT environment. By embracing ZTNA, businesses can stay ahead of threats and ensure that their networks are secure, no matter where their users or resources are located.

The post Unveiling Zero Trust Network Access (ZTNA): The Future of Secure Networking appeared on Hamradio.my - Amateur Radio, Tech Insights and Product Reviews by 9M2PJU.