Monday, February 10, 2014

nvidia-settings don't load on reboot

Problem: 
You are using Ubuntu/Mint/Debian with an Nvidia driver (or perhaps another proprietary GPU driver), and your custom resolutions are lost at each restart even though you applied them and saved to xorg.conf. This frustrates you to no end, and even if you script a live modeline change, putting your box to sleep or rebooting means it doesn't get reapplied automatically. Also, your settings don't get reloaded into the settings GUI after a reboot, and you are mystified.

Explanation: 
The built-in Mint Preferences > Displays tool doesn't give a crap about your custom configuration, and it will reload whatever it had set previously just to torture you. You can kill it with fire though. To see if it has a settings file look for a ~/.config/monitors.xml file.

Solution:
You may not need the first four steps, or you may have already performed them.

  1. sudo nvidia-xconfig    # create a fresh xorg.conf
  2. gksudo nvidia-settings # set it up like you wanted it; my overscan fix example
  3. Click "apply"
  4. Click "save to x-config file"
  5. rm ~/.config/monitors.xml  # get rid of the non-xorg Displays configuration
  6. restart
I have seen this problem again and again on forums where nobody knew that deleting that file would fix the problems. Spread the word my friends.

Wednesday, December 18, 2013

Apt-get behind a corporate proxy: A tale of Ironport, 401 errors, and NTLM

Problem:
I was trying to fetch packages via aptitude and apt-get, but I would get "ign" or "401 Authorization Required" when attempting it.  I knew we had a proxy set up and figured out where it was. I tried all the advice to use user:pass@domain as the http_proxy value directly to no avail, but NTLM was the way to get out in our Windows oriented shop. Oddly, wget would work to download the package indexes, but apt-get could not.


Solution:
A tool called cntlm creates a little proxy at a specified port on your box which handles authentication with the real proxy. I found a good guide here* for how to set it up, but see my notes and added clarification about the config parameters below. Keep in mind that there will be trial and error if you have an uncooperative network security team in your organization. I had to figure out where the proxy was, the port to use, and masquerade the server as my desktop workstation to get it all going. Good luck, and don't give up. Once you get the settings right, this works flawlessly.

Parameters in /etc/cntlm.conf:
    1. username - Active Directory username
    2. domain - Active Directory domain
    3. workstation - Name of the workstation (feel free to spoof this to that of another machine, NTLM can't stop you)
    4. proxy - the ip:port of the proxy
    5. listen - the local port to use for relaying your traffic 
* Note that the value of the -M parameter in "cntlm -H -M" had to be something other than the proxy itself (e.g. http://test.com) in order to work for me.

* Note that the guide I linked shows two separate hashes for the password (PassNT and PassLM), but you may only get one with NTLMv2 (PassNTLMv2) as shown at the bottom of the cntlm page. This is fine, and just paste that one line into your /etc/cntlm.conf.
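The configuration described above, as an added example that is not part of the original post: it renders a cntlm.conf from the five parameters plus the hash lines printed by `cntlm -H`, taking the single PassNTLMv2 line when that is all you get and the PassNT/PassLM pair otherwise. The function names, user, domain, workstation, addresses and hash value are constructed placeholders; `Auth` and `Acquire::http::Proxy` are the cntlm and apt settings assumed for the final wiring.

```shell
#!/bin/sh
# Added example: build /etc/cntlm.conf from the five parameters listed above
# plus the hash lines printed by `cntlm -H`. Every value here is constructed.

# render_cntlm_conf USER DOMAIN WORKSTATION PROXY LISTEN  < output of cntlm -H
# Uses the single PassNTLMv2 line when present, else the PassNT + PassLM pair.
render_cntlm_conf() (
    hashes=$(cat)
    # Keep only "Key Value"; this drops the trailing "# Only for user ..." note.
    pick() { printf '%s\n' "$hashes" | awk -v k="$1" '$1 == k { print $1, $2; exit }'; }
    v2=$(pick PassNTLMv2); nt=$(pick PassNT); lm=$(pick PassLM)
    if [ -z "$v2" ] && { [ -z "$nt" ] || [ -z "$lm" ]; }; then
        echo "render_cntlm_conf: no usable hash lines on stdin" >&2
        exit 1
    fi
    printf '%-12s%s\n' Username "$1" Domain "$2" Workstation "$3" Proxy "$4" Listen "$5"
    if [ -n "$v2" ]; then
        printf '%-12s%s\n' Auth NTLMv2
        printf '%s\n' "$v2"
    else
        printf '%s\n%s\n' "$nt" "$lm"
    fi
)

# install_cntlm_conf DEST  < rendered config
# The stored hash authenticates as the user, so the file is created 0600.
install_cntlm_conf() (
    umask 077
    tmp=$(mktemp "$1.XXXXXX") || exit 1
    cat > "$tmp" && mv "$tmp" "$1"
)

# apt_proxy_line LISTEN: line for a file under /etc/apt/apt.conf.d/ that
# points apt at the local cntlm listener instead of the real proxy.
apt_proxy_line() { printf 'Acquire::http::Proxy "http://127.0.0.1:%s/";\n' "$1"; }

# Constructed sample of `cntlm -H` output on an NTLMv2-only setup.
SAMPLE_HASHES='Password:
PassNTLMv2      00112233445566778899AABBCCDDEEFF    # Only for user jdoe, domain CORP'

# Demo: print the result instead of touching /etc.
render_cntlm_conf jdoe CORP WS-EXAMPLE 192.0.2.10:8080 3128 <<EOF
$SAMPLE_HASHES
EOF
apt_proxy_line 3128
```

On a real box, pipe the rendered output through `install_cntlm_conf /etc/cntlm.conf` as root and restart cntlm before testing apt-get.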

Sunday, July 7, 2013

Linux Mint Overscan Woes

I fired up Linux Mint 15 because my Ubuntu distribution was looking a bit dated, and it had developed an overscan problem where the edges of the screen went off the monitor. I am using an nvidia graphics card with nvidia drivers.

Problem: 
The overscan was all screwed up on my 23 inch Hannspree monitor. It was listed as device DFP-1, and no resolution I could use in the nvidia-settings GUI menu would resolve the problem.

Solution: 
I needed to set a metamode to fix the overscan. I headed over to this page, and the metamode suggested worked perfectly with "DFP-0" altered to "DFP-1."

DFP-0: 1920x1080 { ViewPortOut=1820x1020+50+30, ViewPortIn=1920x1080 } 



  1. sudo nvidia-xconfig
  2. gksudo nvidia-settings

Then plug your custom resolution configuration into nvidia-settings like so. Note that I had to manually select the 1920x1080 resolution or the settings below it wouldn't work right:



After that, hit apply. Then click save to X configuration file.

If you lose your settings after a restart, then you may be experiencing a problem that plagued me for a long time. My solution is HERE.

Thursday, December 20, 2012

Simple KVM Server Virtualization

I want to virtualize a server from scratch. I have a server in mind already, but I don't want to bother with virtualizing it directly since it is running on a dated OS.  I figure I will build a new VM in parallel on some spare hardware and then migrate the image over to my beast server. Some key benefits of this are that I can use some of the spare capacity of that beast server to test out other server operating systems and software in parallel with my main server.  Also, I can install crashplan on the host itself and have it backup my server images for painless offsite backup whereas now I really don't have a backup of the physical server configs.

This guide will be divided into three stages as follows because this is the order I carried out the steps in.

  1. Set up a host CENTOS 6.3 server
  2. Set up a guest MINT 14 server (with MATE desktop)
  3. Set up a static bridged network and configure our VM to use it

1. Setting up host server

First thing, you should make sure your processor supports kvm virtualization. Install CENTOS 6.3 or later. I am not a redhat/centos guy for most of my home Linux systems, but it seems ideal for a VM host where I don't really need the latest and greatest packages and stability and concise configuration are key. I am assuming you can install this on your own with the graphical installer or however.

Now, we will need some special tools to get virtualization running.  As root, do the following on your fresh CENTOS box:

# I recommend you update your box first, this may take a while
yum update

# get the core virtualization pieces
yum groupinstall Virtualization "Virtualization Client" "Virtualization Platform" "Virtualization Tools"

# install and turn on the avahi daemon
yum install avahi
service avahi-daemon start
chkconfig avahi-daemon on

# I ran into this not being on.  The virt-manager just sat there trying to connect before I did this.
service libvirtd start
chkconfig libvirtd on

That's it, you are ready to virtualize!  Some people say you need to deactivate SELINUX, but some say it isn't needed.  You can do so by editing /etc/selinux/config if you think it is causing you troubles.

2. Setting up a guest server

This is pretty straight forward (except for the last little bit where we correct some video settings). Download  an ISO and/or burn it to a CD for the OS you want to install. In this example, I am using Linux Mint 14 with MATE desktop.

Open up the KVM manager tool you installed in step 1.


In the top left click play button on a monitor that says "Create a new virtual machine" when you hover over it.  Then, on the step 1 window name your server and pick ISO/CDROM.



On the step 2 window, tell it where the ISO/CD is.  For OS type, just use Linux.  For version, go to "see all" and select the latest kernel available as shown.  The OS being installed has a kernel so far ahead (3.x) that there is no more up-to-date choice that I can tell.


On the step 3 window, set up your memory (give Mint 14 at least a gig) and select how many cores to set. There are ways to alter this later if you need to, so don't get too hung up on getting this just right now.  In my case, the host has too few cores and too little memory to set it up like I will after I migrate it to something more powerful.  


On the step 4 window, set up your storage. The default 8GB is probably a bit tight, 20GB+ may be better. After taking this screenshot, I chose 40GB. You don't have to "allocate entire disk now." I say let it grow dynamically.


On the step 5 window, review your selections and then hit finish.  If you carried out the final section of this guide before doing the VM setup, you could expand the Advanced options and choose your network now. However, I am trying to break this into quick chunks for time-crunched people like myself and getting your VM up feels like progress ;-).


Now launch your VM and install the OS as you would on a physical machine (except maybe more slowly and less responsively) in the window that pops up.  The blue "i" icon on the VM popup window (next to the terminal icon) will show you system stats and you can change things here.

I had an issue where every time I logged in, I got bounced back out.  To fix it, I had to do two things.  I did these out of order, so I don't know if they were both necessary.  I will share them in the opposite order I did them. If the first step works for you, don't bother with the second.

First, switch the virtual video adapter from cirrus to vga.


If you still can't login to the VM gui, then carry out this second part. At the login screen to your guest OS:
use the send menu to send ctrl alt f2           # to drop to virtual terminal on VM
login as root
apt-get install nvidia-current
reboot

After it reboots, it should work like a charm. Also, if you want to shut off the GUI later, you can always edit the /etc/inittab to prevent loading the GUI. I like having the option of the GUI on my servers since it really doesn't take up that much disk space and can be disabled as needed.

Your network should be set up fine for using this guest VM like a desktop to go on the internet, get updates, etc. as long as your host's network is working right. Out of the box it gives you a virtual network using NAT which is fine for these purposes.  I could reach out to other boxes on my network just fine. The show-stopper for virtualizing a server is that nothing else on my network can reach out to the VM except its own host.  In the next step, we fix that nonsense.

3. Setting up a bridged network

Okay, this was a bit foreign to me. I have used a wireless network bridge, but I never built a virtual bridge on a box off of a physical NIC before. I am doing something odd here in using a static IP for the bridge itself which nobody seemed to do in their guides, but it is easy enough.

I have to give some credit here as I got started with bridging using information from this site.  I also found a good reference on killing NetworkManager which doesn't play nice with your bridge.  Anyway, here is my condensed version.

As root on the host:

service NetworkManager stop
chkconfig NetworkManager off
chkconfig network on

Clear out any crappy config files you have like /etc/sysconfig/network-scripts/ifcfg-Auto_eth0 that were made by NetworkManager. 

vi /etc/sysconfig/network-scripts/ifcfg-eth0   #(this may be different on your system if eth0 isn't your NIC)

DEVICE=eth0
BOOTPROTO=none
ONBOOT=yes
BRIDGE=br0
------------------------
vi /etc/sysconfig/network-scripts/ifcfg-br0  # set up your static IP and DNS entries

DEVICE=br0
TYPE=Bridge
BOOTPROTO=static
DNS1=192.168.0.1
DNS2=8.8.8.8
GATEWAY=192.168.0.1
IPADDR=192.168.0.205
NETMASK=255.255.255.0
ONBOOT=yes
DELAY=0
------------------------

Make sure you have DELAY=0 and ONBOOT=yes.  Usually DNS points to your router (gateway) and/or a service like google (8.8.8.8).


vi /etc/sysconfig/iptables  # edit the firewall definitions by adding a line
.....
# existing line:
-A INPUT -i lo -j ACCEPT
# add a line like the one above, but with lo changed to br0:
-A INPUT -i br0 -j ACCEPT
.........

service network start  # should give all OK's
service iptables restart  # restart the firewall

Now you need to edit your VM settings. While the VM is off, open it and hit the blue "i" like we did to alter the video adapter. I used device model virtio because it was the default, but there may be merit in some of the other options. Anyway, go to the NIC device and set it up as shown:


Then click apply. Now you can boot up the guest OS and configure its network settings with a normal static IP or even DHCP. It will work just like it is on the network directly using its own NIC.

I hope this guide has been helpful for you. Feel free to offer any tips or improvements or ask questions. Now go forth and virtualize!

Sunday, August 12, 2012

Linux Apache2 Reverse Proxy With SSL Termination and Basic Auth For Sickbeard, Sab, Couchpotato, etc.

I just finished completing one of the hardest home server administration tasks I have ever embarked on, and I thought I would share my efforts since I had to pore over a boatload of sources to get all the information needed to do it.  If anyone has suggestions on how to improve this, I am all ears so leave a comment.  I used Linux Mint which is very close to Ubuntu so the commands ought to work on it too.

I wanted to get this.  We'll call it option A:

[User]-----HTTPS over Internet----->[Single Login Proxy]----HTTP------>[Web Applications At Home]

It is also trivial then to set up this (Option B) since it only requires the removal of some configuration (comment out the A-only sections labeled in the config files) and then configuring each individual application with a password:

[User]-----HTTPS over Internet----->[No Login Proxy]----HTTP------>[Web Applications At Home]

Ensure you have your applications (Sab, Sickbeard, Couchpotato, etc) running already on their own port and record those port numbers.  Don't bother enabling SSL on any of those individual apps since we are going to handle it on Apache directly and tunnel the LAN HTTP traffic through HTTPS across the net.

Get a domain pointing towards your home IP and an SSL cert (OpenSSL type when the CA asks).  I used NameCheap and got everything (ssl and domain) for under 6 bucks before tax for a .info domain for one year, and they have free dynamic dns service.  You will need to generate a cert signing request on your Linux box to send off to the CA to get your cert, and there are a million guides for this.  You will also need dynamic DNS configured so your domain points to your home IP if it is dynamic and it probably is.  I will document the Dynamic DNS step in more detail in the future for my particular provider but it will be different if you use another service.

Install apache2 with apt-get install apache2. Configure a new site called proxy in /etc/apache2/sites-available with the following contents:

    <VirtualHost *:80>
      ServerName www.mywwwdomain.com
      Redirect permanent / https://www.mywwwdomain.com/
    </VirtualHost>
    <VirtualHost _default_:443>
    ServerName www.mywwwdomain.com
    SSLEngine on
    SSLProxyEngine On
    RequestHeader set Front-End-Https "On"
    ProxyPreserveHost On
    RewriteEngine on
    CacheDisable *
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /local/path/to/certfile.cert
    SSLCertificateKeyFile /local/path/to/certkey.key
    
    ProxyRequests Off
    ProxyPreserveHost off
    
    DocumentRoot /var/www
    <Directory />
    ############ OPTION A ONLY##################
    AuthType Basic
    AuthName "My Homebrew Gateway"
    AuthUserFile /etc/apache2/passwords
    Require user your_login(s)_go_here
    ############# END OPTION A ONLY#############
    SSLRequireSSL
    SSLRequire  %{HTTP_HOST} eq "www.mywwwdomain.com"
    SSLOptions           +FakeBasicAuth +StrictRequire
    SSLRequire           %{SSL_CIPHER_USEKEYSIZE} >= 128
    ErrorDocument 403 https://www.mywwwdomain.com
      Options FollowSymLinks
      AllowOverride None
    </Directory>
    <Directory /var/www/>
    ############ OPTION A ONLY##################
    AuthType Basic
    AuthName "My Homebrew Gateway"
    AuthUserFile /etc/apache2/passwords
    Require user your_login(s)_go_here
    ############# END OPTION A ONLY#############
    SSLRequireSSL
    SSLRequire  %{HTTP_HOST} eq "www.mywwwdomain.com"
    SSLOptions           +FakeBasicAuth +StrictRequire
    SSLRequire           %{SSL_CIPHER_USEKEYSIZE} >= 128
    ErrorDocument 403 https://www.mywwwdomain.com
      Options Indexes FollowSymLinks MultiViews
      AllowOverride All
      Order allow,deny
      allow from all
    </Directory>
    
    <Location /sab>
       ProxyPass http://localhost:8080
       ProxyPassReverse http://localhost:8080
    </Location>
    <Location /couchpotato/>
       ProxyPass http://localhost:8084/couchpotato/
       ProxyPassReverse http://localhost:8084/couchpotato/
    </Location>
    <Location /subsonic>
       ProxyPass http://localhost:4040/subsonic
       ProxyPassReverse http://localhost:4040/subsonic
    </Location>
    <Location /sickbeard/>
       ProxyPass http://localhost:8081/sickbeard/
       ProxyPassReverse http://localhost:8081/sickbeard/
    </Location>
    <Location /manage>
       ProxyPass http://localhost:32400/manage/
       ProxyPassReverse http://localhost:32400/manage/
    </Location>
      RewriteEngine on
      RewriteOptions inherit
    </VirtualHost>
    
Then set your /etc/apache2/httpd.conf file up like the following:

    ServerName www.mywwwdomain.com
    <Proxy *>
    Order deny,allow
    Allow from all
    ############ Option A Only ###################
    AuthType Basic
    AuthName "My Homebrew Gateway"
    AuthUserFile /etc/apache2/passwords
    Require user your_login(s)_go_here
    ############ End Option A Only #################
    SSLRequireSSL
    SSLRequire  %{HTTP_HOST} eq "www.mywwwdomain.com"
    SSLOptions           +FakeBasicAuth +StrictRequire
    SSLRequire           %{SSL_CIPHER_USEKEYSIZE} >= 128
    ErrorDocument 403 https://www.mywwwdomain.com
    </Proxy>
    

After you have these files in place remove /etc/apache2/sites-enabled/000-default and from within  /etc/apache2/sites-enabled run ln -s ../sites-available/proxy to make a softlink to the proxy site configuration file we just made.
To review the files we just made:

The "option A only" sections deal with basic auth using passwords.  In order to have passwords you will also need to create a password file containing your login/password info using the htpasswd command.  In the example provided, the passwords are stored in /etc/apache2/passwords and you could set this up with htpasswd -c /etc/apache2/passwords your_login.  It will then prompt you for the password.  If you want to enforce the use of hashed passwords, there is an htpasswd option for that.  Basic auth is perfectly secure when used behind SSL encryption as is anything tunneled through an encrypted protocol.  So if anyone tells you different, punch them in the groin and scream like a rabid hyena.

The SSL options ensure https is enforced at specific locations and in general.  The httpd.conf file generally applies these settings, but I wanted to be super-sure that we are getting SSL on the auth in a few places where it didn't happen with the httpd.conf alone.
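An added example, not part of the original post, that works out which cipher strength grades the SSLCipherSuite string in the proxy site file leaves enabled, beside a stricter string constructed for comparison. It assumes OpenSSL 1.0+ cipher-list rules and models only the grade keywords; the function names are made up for this sketch.

```shell
#!/bin/sh
# Added example: which strength grades does an SSLCipherSuite string enable?
# Models OpenSSL 1.0+ cipher-list rules for the grade keywords only:
#   ALL  adds HIGH, MEDIUM, LOW and EXP (eNULL has to be named explicitly)
#   X    adds grade X            +X  only reorders and adds nothing
#   -X   removes X               !X  removes X and blocks re-adding it
# Tokens that select by algorithm or protocol (RC4+RSA, ADH, EXPORT56,
# SSLv2, ...) are skipped; that simplification is an assumption of this sketch.

# drop LIST ITEM: print the space-delimited LIST without ITEM
drop() {
    case $1 in
        *" $2 "*) printf '%s' "${1%% $2 *} ${1#* $2 }" ;;
        *)        printf '%s' "$1" ;;
    esac
}

# enabled_grades CIPHERSTRING: print the grades left enabled, in list order
enabled_grades() (
    set -f
    on=" "; killed=" "
    for tok in $(printf '%s' "$1" | tr ':,' '  '); do
        case $tok in
            \!*|+*|-*) op=${tok%"${tok#?}"}; name=${tok#?} ;;
            *)         op=; name=$tok ;;
        esac
        case $name in
            ALL)                   grades="HIGH MEDIUM LOW EXP" ;;
            HIGH|MEDIUM|LOW|eNULL) grades=$name ;;
            EXP|EXPORT)            grades=EXP ;;
            NULL)                  grades=eNULL ;;
            *)                     continue ;;   # not a grade keyword
        esac
        for g in $grades; do
            case "$op" in
                +)  ;;                                     # reorder only
                -)  on=$(drop "$on" "$g") ;;
                \!) on=$(drop "$on" "$g"); killed="$killed$g " ;;
                *)  case "$killed$on" in
                        *" $g "*) ;;                       # blocked or already on
                        *) on="$on$g " ;;
                    esac ;;
            esac
        done
    done
    set -- $on
    echo "$*"
)

# weak_grades CIPHERSTRING: the enabled grades below 128-bit strength
weak_grades() (
    out=
    for g in $(enabled_grades "$1"); do
        case $g in LOW|EXP|eNULL) out="$out${out:+ }$g" ;; esac
    done
    echo "$out"
)

# The string from the proxy site file, and a stricter one constructed here.
PAGE_SUITE='ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL'
STRICT_SUITE='HIGH:!aNULL:!MD5'

printf 'page string leaves weak grades:   %s\n' "$(weak_grades "$PAGE_SUITE")"
printf 'strict string leaves weak grades: %s\n' "$(weak_grades "$STRICT_SUITE")"
```

With the page's string, LOW and EXP stay negotiable through ALL, so it is the `SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128` lines that refuse them, per request and after the handshake. Excluding those grades in SSLCipherSuite itself stops them from being negotiated at all.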

You should replace www.mywwwdomain.com with your actual internet-accessible domain.  Also, you should replace the your_login(s)_go_here with your actual login names as set up in your htpasswd created file.  There is a "Require group" directive if you want to use that instead.

In the location sections, the references to localhost are because these different applications are all hosted on various ports of the same machine that is acting as the reverse proxy.  If you have your apps on a different machine in your local network, replace localhost with the local static ip address (e.g. 192.168.0.x) for that server.

The location sections set domain subdirectories that proxy to the port numbers transparently.  The reason for doing this instead of something like sickbeard.mywwwdomain.com is because the cheap SSL certs are only licensed to www.mywwwdomain.com and can't do wildcards to match each subdomain.  If you want to drop hundreds of dollars a year on a wildcard cert, knock yourself out.  The method I used lets one cert work for unlimited applications.  Check that your own port numbers are used in the configuration.  Most of mine are probably not the defaults for these apps.

Lastly, we also set up a redirect here so that traffic coming to mywwwdomain.com will get sent to https://www.mywwwdomain.com.  From there they may be asked to login (if using option A) and then sent to the landing page.  Also, it is important to know that each subdirectory also requires authentication on the proxy if you go straight to them instead of the main landing page which we will make later, but once you are logged in it will not ask again until your browser is restarted.  This Option A authentication is really neat if you are only accessing things on the web, but it can hinder any third party applications you might want to use.  If using webapp-specific phone apps for instance, they will not understand the auth popup.  In those cases, omit or comment out the Option A authentication and just turn on passwords on each individual app.  The proxy will still handle SSL for everything so you don't need it on each individual webapp.

None of this is going to work yet.  And we don't want it to yet.  First we need to do some app configuration. Here is the rundown:

Sickbeard will need extra configuration.  Stop sickbeard from running.  If you have a service setup for it this is as easy as service sickbeard stop. Then edit sickbeard's config.ini file and set web_root = /sickbeard with no quotes.  Then start sickbeard back up again.

Sab is already ready.

Couchpotato (V2) needs extra configuration.  If you are not using V2, you are on your own.  It is what I used and I am not going to muck with an older version for your benefit.  Go to settings, check advanced, in general enter "couchpotato" in the Url Base field.  Then restart it.

Subsonic requires additional configuration as well.  Turn subsonic off with service subsonic stop.  Open up /usr/bin/subsonic (it is a script not a bin file) and set "SUBSONIC_CONTEXT_PATH=/subsonic".  Turn subsonic back on with service subsonic start.  Note that you can't get rid of the login on subsonic.

You might not care about these last two since the above are the big four, but in case you do they are in there.  Of course, comment out any of the location sections in your proxy configuration file for apps you aren't using. 

Plex will work out of the box with the configuration I gave you and it using its default port.

EXtplorer is a web-based file manager.  If you have it configured, it will work with a proxy out of the box.  As far as deploying it though, if you don't already have it setup, DO NOT USE THE DEBIAN PACKAGE FOR IT!!!!  Don't do it!!  It will mess up apache and steal port 80 from it, and there is no documentation on how to configure or use the packaged form of it at this point.  Download the normal zip file for it, and follow this guy's guide.  Chmod the whole extplorer unzipped directory with 777 recursively chmod -R 777 extplorer and then chmod the .htusers.php file with the devil's number (666) like he said.  Also ensure you jack up the upload size and post size to something you can live with.  When you are done with his guide, go and softlink your /extplorer directory from within /var/www using ln -s /path/to/extplorer extplorer.  When you log into it with admin/admin the first time (after we fire up apache) you will also want to change the root directory to something more useful like /mnt or /media (or / if you are bold) depending on what you want to see.  

You need to port forward your server using your router so the outside world can get to it.  Forward 80->80 and 443->443 on your proxy IP.  You should not be doing this without a static IP on your proxy box. 

Finally, you need to fire apache up with service apache2 restart.  When you do this, you will see some errors about modules or something telling you to go to the error log /var/logs/apache/error.log.  You will need to use a2enmod to load the modules you need enabled.  When you run it, it will give you a list of what you can turn on.  Turn on the ones it is bitching about and then try to restart apache again.  Eventually it will stop bitching and everything will work if you get the right modules turned on.  You will also probably need to configure the apache init script to restart on reboot with update-rc.d apache2 enable.

Finishing Touches:
We already set up a webroot so you can alter the html files in there and make your own custom landing page at /var/www/index.html.  I highly recommend this instead of having to remember all your subdirectories as your setup grows.  My landing page looks like this:

It is just a bunch of logos (stored in /var/www) linked with relative paths to the various apps.  So use an href="/sickbeard/" as the link for example.

Final thoughts:
If Jerry Springer can have them, so can I.  A nice improvement would be to allow you to access this on your local network without having your traffic redirected to the authentication/ssl domain when you type your.local.proxy.ip/appname/.  It really shouldn't be hard to configure, but I sunk so much time into this I really don't want to mess with it at the moment.  My simple workaround is to add local links to your landing page that use your.local.proxy.ip:app_specific_portnum to access each thing and you will need to append the directory in addition to the port number for some of them.  Here are the ones I needed for my specific port setup 8081/sickbeard, 4040/subsonic, 32400/manage (plex).  The rest worked already.  You won't have to authenticate when using these local addresses, but they aren't accessible to the outside world this way since you are only forwarding ports 80 and 443.  Extplorer is running in apache, so it cannot be worked around like this.  That is fine for me at home since my server serves up files with NFS/SMB locally and that is a much more integrated solution for your local systems anyway.   

Also, I spared you the hassle of setting up SSL on each individual app.  Not that it is difficult for most of those that can do it, but couchpotato (for example) cannot and it is nice to get zero-configuration SSL on each app you add down the road especially when the app didn't even offer it.  

Subsonic is very painful to setup with SSL directly because it uses utterly retarded java keystores that require converting your ssl cert into a pkcs12 type and then running it through some retarded java keystore importer app with a load of retarded flags and retarded options to generate a retarded file that retarded java can retardedly accept.  Then you have to stick options in /usr/bin/subsonic to tell it about that file and how to access it.  

Lastly, I expect some smart ass to say, "Hey, Mr. Sheez.  I noticed that the auth pops up before my browser says it is encrypted https."  Really punk?  Does it?  No, not really.  Your browser might make it look like the authentication is going to happen in plain text.  However, intercept your traffic like a grown-ass man and you'll see that nothing is being sent in non-encrypted http.  If it is, I'll eat my hat.  If not, you'll eat my hat.

Do let me know if anything legitimately needs correction or updating.  If you need clarification on anything I covered, then let me know in the comments.  Don't ask me some random apache question about an unrelated setup because you are too lazy to look it up.  I am not an apache guru in general.  I figured all this out through sheer force of will and shared it out of some twisted sense of altruism toward the reddit usenet community.  Anyway, have fun with this info mateys.  

Monday, August 1, 2011

The Android-based Car Stereos You Can Buy NOW

Move over Parrot Asteroid, there are several android-based dual din car stereos shipping now from Asia.

1. The Easy Rising ES666 is available direct here for under $400 USD.  This device features a fully removable android tablet which can operate all stereo functions and low profile hard controls for when the tablet is undocked.  It has TV tuning, bluetooth, RDS, wifi, 3g, GPS, and DVD.  The included tablet is a nice bonus prize. 


2. If you paid too much for your car, you can snag a Dynavin. It looks like you can get the DVN-E46 for your BMW, but they don't make generic DIN units.  This unit runs android 2.2. 

3. Another Chinese manufacturer is trying to sell a pretty sleek model.  However, I couldn't find anyone reselling this in the US yet, and a 1000 unit minimum order is too rich for my blood.  That said, it is obtainable in bulk so it should be for sale somewhere.


If you don't mind buying from a no-name Chinese company, you can be one of the first to grab one of these bad boys.  In contrast, the Parrot device is rumored to run a locked-down app store and an older version of android, and God knows when/if it is actually coming out.  I find it odd that major manufacturers are not producing these types of units when the after market is threatened by Ford Sync and the upcoming GM Intellilink systems.

Tuesday, March 15, 2011

HOWTO: Use Google and Asterisk For Free Home Telephone Service

Recently I have been playing around with free VOIP solutions on my cellphone, and they were pretty neat.  However, they had a lot of jitter, dropped calls, and the occasional connection problem.  I wanted something truly stable with excellent call quality for work besides my cellphone.  Well, I have seen the light and found the answer, and it is a system that uses google talk (what you use to make phone calls from gchat) and google voice.  When it is done, you won't know the difference from your old telco, and it will be free.


BEFORE YOU START:

INGREDIENTS:
1 Linux server (it can be old and not-so powerful)
1 ATA (analog telephone adapter)*
1 or more phone handsets**
1 router with 2 free ports (for your Asterisk server and your analog telephone adapter)
1 google voice account that you don't typically log into for gmail or chatting

*For purposes of this guide, I suggest using the Grandstream HandyTone HT286

**I didn't have a home phone before I did this so I snagged a 3-handset answering system which connect through only one unit (as many these days do) and thus avoid any extra work inherent in connecting multiple phones through your existing home phone wiring.

WHAT YOU WILL GET:
When you are done, you will have a phone that acts like a phone and can call any number in the US and Canada for free or international numbers for pocket change.  You will receive calls to your google voice number on your phone.  You will get incoming phone numbers in your caller id, but you won't get names without a little extra work.  This is because the phone company provides this to you by querying their database.

You can take some extra steps so your Asterisk server has its own caller id database built from your google contacts, but that is outside the scope of this guide.  Many modern handsets (like mine) can check your stored contacts and show the associated names when those people call, so this wasn't a big enough deal to warrant the extra work for me.

WHAT YOU WON'T GET:
911 service!  Also, there is no guarantee Google will keep this free forever.  You also don't get some kludged-together solution where you have to use NAT-traversal or punch holes in your firewall with open ports since this uses native capabilities of Asterisk.  Because this method uses Asterisk by itself, you don't need FreePBX, PIAF (PBX In A Flash), or any other unnecessary extra software.


THE BIG PICTURE (literally):


HOWTO:

1. Set up Asterisk (AKA, the bulk of the work):

Make sure you have a Debian or Ubuntu computer with a static IP address.  You can set up a static IP in /etc/network/interfaces.  I would guess you can use Red Hat-like distros, but some of the locations, required packages, and commands may be a bit different so only go this route if you know what you are doing.   Also, stick to the darn guide.  If you try to get clever and just use the Asterisk package for your distro, it will be horribly outdated and not contain the functionality to do what you want.  You really need to compile it yourself until Asterisk 1.8+ is included in your Linux distribution.

1A. On your Linux box, follow the guide here but don't do step 5 or 6 since those are changes for devices with ARM processors, and I assume you are just using a standard non-ARM computer here.  Also, you don't have to install the second list of packages for FreePBX since you won't need it.  Note that your packages may be slightly different versions than those listed.  For example, on my Debian Squeeze system I found that the package libmysqlclient15-dev was now version 16.  Also, the forum thread in the next step (1B) talks about configuring only the minimum modules needed to run Asterisk, so you may want to reference it later if you need to tune Asterisk for very crappy hardware, but don't worry about that until you get it working.

1B. Next, go to this post and do steps 2-5 since you already did step 1. If you have a different ATA (analog telephone adapter) from what I suggested, then you will need to enter the configuration information as shown in step 6 and configure it on your own.

If you don't see a listing in Google Voice's Settings->Phones for your Google Chat account, then you need to first fire up Gmail and dial a call with Google Chat.  It should show up then.

1C. After you finish up that guide, you will need to make some quick additional changes to conquer two issues I encountered.  As root, open /etc/asterisk/extensions.conf and add the following lines just after "exten => you@gmail.com, n,Set(CALLERID(name)=${DB(cidname/${CALLERID(num)})})".

Add these lines just after that line (with "you" replaced with your username):


Then restart your Asterisk server as root by executing /etc/init.d/asterisk restart.

The first new line rips the + sign off of incoming numbers so your phone's caller ID will be able to handle them properly.  For example, my handset would show the number, but I couldn't return a call to a missed incoming call from my call log menu on the handset because it didn't recognize the +1-555-5555 format as a valid phone number.  This fixes such issues.

The other three lines make Asterisk pick up the phone while it is ringing, wait a very brief period, and then send a "1" tone to Google.  If you don't do something like this, incoming calls will be preceded by a message saying "Please press 1 to accept the call..." even if all such options are disabled on Google Voice.  Worse, pressing 1 didn't work for answering these calls.  If you don't want your phone to pick up calls when you don't answer, then you will need to do something a little different by having Asterisk send 1 when you pick up a line based on the other method described here.

2. ATA Setup
2A. Grab your shiny new Handytone box, and connect it to power, ethernet, and your phone.  The manual for it is found here.

Pick up your handset and dial ***.  Then dial "01" to hear your IP address mode and 9 to toggle between dynamic and static.  I highly recommend a static IP.  After toggling to static, hit * to hear a readout of the Handytone's current IP address.   You can enter in a new one by typing 12 digits on the keypad (including any zero values).  You may need to reboot it after that.  You can do so by typing #, then 99, then 9.  After that, you can use a web browser on a computer connected to your router to access the web interface at the IP address you specified.

2B. On the web interface, type the default password "admin".

Click "basic settings" and enter an end-user password other than the default "123".  Then set the static configuration options, making sure that the IP is set to what you requested, that the subnet mask matches your router's (usually 255.255.255.0), and that the default router and DNS settings match your router's IP address (this applies to most users).  Also, set up your time info, and US folks in areas with DST should replace the Optional Rule with "3,2,7,2,0;11,1,7,2,0;60" so it follows the newer DST rules instead of the old ones preloaded on the device.  This will matter if you have a handset that resets its display time from the incoming line when you receive a call (as mine does).  Click "Update" when finished.



Click "advanced settings 1" and enter a new admin password in the first box (which you will use to log in to the web interface in the future), your Asterisk server's IP in the second and third boxes, and "101" in boxes 4 and 5.  If any STUN server options are turned on, deactivate them.  You can also fool around with the codec choices if you like.  I believe that the highest numbered G### options are the better ones.  Then click update (leaving all other settings alone on this page), and then click reboot.


No changes are needed on Advanced Settings 2.  If all goes well, after the reboot you can click status and see "Registered: Yes", and your Handytone won't intermittently flash red through the button on top.  Now make some calls and get some calls to try it out.  For me it is rock-solid stable even for 1-hour+ teleconferences, and my Handytone is even plugged into a wireless network bridge since I was out of router ports.

After writing this, I figured out how to set your home area code as described here so you can dial local numbers with only seven digits.  Feel free to leave some comments praising me or asking for help.