Welcome to the one-hour workshop. The topic is decentralization: setting up your own personal cloud, mail server, etc. in your own home.

About myself: I'm Sven Neuhaus. I'm a software developer. I joined the Sovereign project two or three years ago. I had been running my own mail server for, I don't know, a decade or so, and was struggling with all the manual work, and I came across this project, and it had some really cool features and secure defaults and so on, and I started contributing and using it myself. That's how I got into that. I hope you do the same.

Okay, let's get started. So, this being officially a workshop, let me tell you it will take a lot more than one hour to go through all the steps if you try to follow it. So I will just speed through it, and then the idea is that you can look it up later on the slides. I just uploaded them to the conference website. Or you can just watch the stream and pause whenever you want to look something up. Also, while deploying it, the software sometimes compiles stuff from source, and it's also supposed to run on really slow hardware like a Raspberry Pi or something, so it will take almost an hour just to go through it.

Regarding the agenda: most of the slides will be talking about one aspect of the project, which is running it at home. The Sovereign aspect is fairly automated, and I will be talking about that in the later half, but the first part is kind of manual at the moment. The idea is, if there is enough interest, we can try to automate it as well and make it a smoother experience. And if you have questions that are urgent, feel free to ask right away, but I will also take questions at the end.

Okay, so I have this slide: why do you want to decentralize? I guess you guys all know why, but I'll gladly repeat all the arguments, of course. If you use a centralized service like, I don't know, Gmail or one of the many other things, it's super convenient, right?
You get all these great anti-spam features. You get high availability. But on the other hand, you are the product, because your data is making this service possible by being analyzed and sold. Also, you don't know if they're going to shut down the service, which is something that Google likes to do with some of their products on short notice. And you don't know who's looking at it. All the companies are required by law to hand over your data if they get a subpoena, and they're not even allowed to tell you sometimes. We know that we have old laws that protect our mail, like physical mail, letters and so on, but there isn't as strong a protection for the digital media. So the only way to make sure that no one accessed it without you noticing is taking control of your data yourself.

Finally, distributed denial-of-service attacks are real and they're not going away. Sure, it's easier to run a denial-of-service attack on a small home server, but then again, the impact is also much smaller.
That's only a few users that are affected, and hopefully that's not even a juicy target for the attackers. Also, if you get a denial-of-service attack, you can talk to your ISP. And the guys running the attacks, they don't scale so easily: if everyone has his own server, they would have to run a lot of attacks against all the people instead of huge attacks against a few juicy targets.

Okay, so who should run his own personal cloud? Before I prepared this talk, I was under the impression that it was actually fairly easy, but I realized that you should have some basic knowledge about the command line and networking. So in case something goes wrong, it's great if you can troubleshoot it yourself. The Sovereign project uses GitHub, and you can always open an issue there if you have a problem; maybe the documentation is not great enough, or maybe it's an actual bug. But once it's installed, it's actually fairly low maintenance. You just update the packages to get the security updates, and that's pretty much it. So it's halfway between a turnkey solution and a total manual setup.

The Sovereign project was initiated by a guy called Alex Payne in 2013. He was also fed up with Google and put up some scripts with a tool called Ansible (I'll talk about that later) to automate the setup instead of having to write some instructions that you have to follow manually. And so the project has a lot of services, and they have some really nice defaults with strong encryption and automatically generated Let's Encrypt certificates. We have email, we have calendar, contacts, file sync, IRC bouncers, VPN service and some more stuff that I probably forgot.

It uses Ansible. Ansible is an open source project currently maintained by Red Hat. The scripts for Ansible are called playbooks, and they're written in YAML. It's actually really easy to understand. Just have a look at it. It's human readable.
It uses indentation. It's very straightforward and easy to pick up. I didn't know it at all before I joined this project, so just have a look at the file. It should be fairly self-explanatory.

So the next question is: where do you want to run your personal server? My advice would be: don't use a virtual private server. Those are the cheapest. You can rent them from the ISP, but they're only virtual, so actually you're sharing a part of a bigger server, and you can't really tell if someone is looking over your shoulder, copying your files, modifying them, running tasks. It's totally unnoticeable for you. So virtual private servers are not good.

So a dedicated server is the way to go: physical hardware. But those are kind of expensive. And also, let's say you rent a dedicated server at an ISP, and you can do full disk encryption, so even if it gets, you know, examined, they can't get your data. But what if it suddenly reboots? You don't know why it did a reboot. Did they clone the hard drive? Did they put a back door in, so next time I log in to unlock the full disk encryption you could be compromised and all your data is done anyway? So ideally you would have the dedicated server at home.

Let's talk about that in more detail. If it's at home, you will usually notice if there's unauthorized access. You know, if someone breaks into your home, you tend to notice that. You can still use encryption. Sovereign uses encryption for the data, stuff like emails and so on. You can use that, or you can turn it off and instead use full disk encryption, or you just, I don't know, put it in a safe and don't use encryption. Maybe because you need to say for something the speed.

Backups are easy when it's at home. You can just say, okay, I'm going to shut down my personal cloud now and do a full backup or sync to your own NAS at home.
Maybe you have one. Or you can also use the standard solution provided by Sovereign, which is Tarsnap, but it's a commercial product, so maybe you want to build your own stuff.

Okay, it should be a low-power device, so it doesn't get you a big phone bill, I mean electricity bill, and doesn't make a lot of noise and so on. I recommend to get something with one megabyte of RAM, but it will probably work with half a megabyte also. In my example, I'm using a Raspberry Pi 3.

And then the problem is: hosting at home means you have a dial-up IP. If you have DSL or maybe you have cable internet, you are considered a dial-up user in terms of real-time blackhole lists. I don't know if you guys are familiar with this, but spammers, when they hack home users, they abuse their machines to send a lot of spam, and that means those types of IP addresses from home users are usually put on these blacklists, which Sovereign also uses to protect your mail server from spam. So if you have a home IP, it will not be a good experience to run a mail server, because if you send mail it will be rejected a lot. So you want a real IP address.

The way to get that is to use a dedicated-IP VPN. A VPN, a virtual private network, I guess you guys all know that. The difference here is that you're the only guy with this IP, and you always get the same IP when you connect to the VPN. I mean, in this case it will be a permanent connection anyway. These types of VPNs are expensive, like 10 years a month or more, maybe even 20. So instead of using an expensive service, I would recommend that you just use a VPS. You don't really have to trust it that much. You can consider it part of the hostile internet. And VPSs are really cheap. I looked around for some super cheap options, and, this is not an endorsement or anything, but you can get them for like less than six dollars a year or something.
Yeah, so there's a nice forum, LowEndTalk, where you can always find offers for super cheap VPS services. And you just need, you know, like 64 megabytes of RAM, and you don't need a lot of disk space. Ideally it will have a faster connection than your home internet, but for email it's probably not that critical anyway. So use it for both outbound and inbound.

Let me talk you through the network setup. In the lower half we have the home network, which is behind the home router, which has private IP addresses, and this thing called homebox. That's where the private cloud will run. The green arrow, the dotted line, is the VPN. And the VPS running on the evil internet is providing its IP address to your homebox. Is it clear so far? Okay.

Now let's talk about the VPN configuration. Most VPSs these days, you can choose Debian or Ubuntu or some other distributions, but Ubuntu is nice, it has five years of updates, so I used that for the VPS. I used the OpenVPN repository, so I get a nice recent version of OpenVPN, which has all the latest security enhancements and ciphers and so on. You can install it like that, and then there are quite a few steps. I will go through them. I have to speed up a bit.
I noticed. So you don't have to look at everything in detail, because it will be too much detail anyway, but you can look it up later.

For OpenVPN, we become our own certificate authority, which sounds complicated, but there's a set of scripts that makes it super easy. Basically you just run those commands, and that means you created your own certificate authority and created a certificate for the server running on the VPS and for the client, which runs on the homebox, which will be running the Sovereign stuff.

And then we create the server configuration. It uses the files we generated on the previous slide using the scripts, and you copy those to the /etc/openvpn directory. This is the first part of the configuration, and this is the second part. It uses some nice strong crypto. You can also switch to elliptic curve if you prefer that. The latest version of OpenVPN has this new option, ncp-ciphers, which provides a fallback, so it will try to use the latest and greatest, and if it can't, then it goes back to ciphers.

And this is the client configuration. It uses this inline format, so basically where it says "contents of", you insert the file you generated earlier. You have to put in your real IP address there. I guess I left mine in there. This is the second half.

We also generate our own Diffie-Hellman parameters. There were some attacks being suggested. There was the idea that the NSA did a prime factor analysis on the 1024-bit Diffie-Hellman. Going back a few slides: this build-dh can take several minutes, maybe 10 minutes or so on a small machine like a Raspberry Pi, so just leave it running for a while.

Okay, then we have the configuration file for the server and the client. We need to do some more steps to get it started. There's a file, /etc/default/openvpn, where you configure which VPNs you want to start,
and then once you do that you can try to start it and check that it's working all right. Enable IP forwarding. And then on the client side, the file we just generated with all the inline stuff, you copy it to your Raspberry Pi or whatever homebox via SSH.

I used Raspbian on the homebox, which is pretty much Debian. With Sovereign you can use either Debian or Ubuntu. So I did basically the same thing for the client. I also used the latest repository. I had to add the signing keys for that and install the 2.4 version of OpenVPN on the client. I think maybe there's something missing there, how to start the service, but maybe it comes later. If not, I can tell you later. But it's using systemctl.

Okay, so before we can go through the Sovereign installation, we do need to make sure that we have all the DNS records for all the services you want to run. If you have turned on everything, it will be this list of services. But as I said, you can also disable whatever you want.
Maybe you just want email; then you just don't need the rest, basically. But usually, if the machine is running anyway, it's nice to have some other stuff on it.

So you need a domain of your own, and you need to create A records. This is also described in detail in the Sovereign documentation. For email you also need an MX record. Usually if you have a domain, most registrars offer the ability to use their DNS service and edit the records there. That's probably the best idea. But if you have two machines, you can also run your own DNS service. That's probably not so good if you have never done that before.

Sovereign uses Postfix as the mail transfer agent, Dovecot as the IMAP server and Roundcube as the webmail, which is like what we have here. That's all reachable under mail dot your domain name.

Okay, so remember the diagram I showed earlier. We want to provide the IP address of the VPS to the homebox. So the idea is: forward everything that hits the VPS to the homebox, except of course SSH, so we can still configure the VPS. To understand this, you need to know that on the particular VPS I was using, the Ethernet interface was called eno1. OpenVPN creates a status file called openvpn-status.log, and we grab the IP address of the other side from that, and then we use that to set up the firewall.

Any questions about this? Because it's not done yet. This is not the typical setup, but the idea is to create a separate playbook to do this automatically also.

Okay, regarding the actual Sovereign installation, there's this nice README. You should really check it out. Sovereign also provides a VPN server, but in this case there's a potential conflict with it being a VPN client also, so I would recommend to comment it out for now.
Also, if you want to use a VPN service, maybe it's a good idea that you use the VPS for that, because it will usually have a faster internet connection. So if you're just in an internet cafe, and you don't know if there are any people messing with your traffic, or maybe in a hotel or something, you can use your VPN to get your traffic to the VPS and then go into the internet from there.

One point: you should comment out all the unwanted roles, one of them being VPN in this case. Tarsnap, I mentioned that it's optional, so also comment that out. And then you basically run ansible-playbook, and then you have the hosts file, where you put the IP address of the VPS in there, and then the site.yml file. And if you run into some errors, or you want to do some changes later on, you can always run it again and again. In fact, that's the standard method also if you want to add a user, like another email user: you put it into the configuration and run it again.

You can also use some web frontend to administrate the user accounts and so on, but it's currently not part of Sovereign. Sovereign uses the standard database layout for virtual domains and virtual users and so on, so of the available tools, there are tons of them, they usually work.

And then there's also a wiki on GitHub as part of the Sovereign project, which has some nice instructions on how to configure mobile apps, if you want push email, stuff like that.

I can show you what it looks like when it's running. One second. This will be faster than in real time because it already ran before. You can tell: if it found any changes then it will be yellow, otherwise it will be green. I have a Raspberry Pi in the tent over there.
I hope it's still running. Looks okay. As I mentioned, this will run for a while, and hopefully you get no errors. If you get an error, just look at it, maybe make some changes, maybe file a bug report, and then run it again.

Okay, so maintenance. Maintenance is actually quite nice. You get some nightly reports via email: logwatch. You also get notified if your server appears on a blackhole list. For me personally, I use it for my family also, so maybe one of my family members got hacked and someone is using their account to send spam, and then usually one or two days later you end up on a blackhole list, and then you can find out what went wrong and then contact the blackhole list to get removed again. That way your email is still deliverable.

You should definitely do a backup. I personally created my own solution for that. If you have a NAS, it's probably a good idea to do it that way, or in the case of a Raspberry Pi, if you just have a big SD card, you can probably do a snapshot of it every now and then.

User management tools, I mentioned those. The one I use is called vea. It's super simple. It has only like one master user, and you should definitely put it in a password-protected area, but it's nice and easy to use.

Any questions so far?
Yeah. No, but, I mean, last time I changed internet providers I had a server that was already on a blackhole list. So before I even started, I checked it, and then I contacted them and had it removed. Especially if you have ISPs which have really cheap servers, they often get abused also, so maybe even their whole subnet is on a blacklist. But in my case I was able to get an exception for a single IP. Sometimes the ISP can also help you with getting removed from a blackhole list.

Pardon? I don't have the URL handy, but you can google for that. You know, "check RBL". The abbreviation is RBL: "check RBL". Also, you will find out really quickly, because you will send an email and then it will be rejected. So you will get a bounce, and it will say in the reason for the bounce, "No, I don't like you, you're on an RBL." And it usually contains a link where you can fix it and where you can get yourself removed.

Yes, so the question is: why did I use the inline format for the client? Well, the reason is just that I also use it for other clients, and it's easy if you have, I don't know, a mobile phone. Then you just have to give people one single file with everything in it. So also in this case, you just have one file copied to the /etc/openvpn directory. You could also do it the same way as the server configuration, with the individual files; that also works. So it's just a convenience thing, but you don't have to do it that way.

Okay, I'm kind of... yeah. I mean, nowadays I would probably switch to Nextcloud, but we haven't had a volunteer to do that change.
So if you have a Raspberry Pi 3, it's okay. It depends on what your requirements are, but if you just want to sync your calendar and your contacts, it's perfectly fine.

Why do you... It's just my personal impression that Nextcloud is... so, it's a fork of ownCloud, and I've been to some conferences, and it seems that there's more development going on, more support right now. But maybe they will merge again also. I don't know.

Okay, so yes, I will take more questions. Sorry. So Sovereign is always low on volunteers. We need some more people to take care of bug reports, patches and documentation. I mean, there is a lot of documentation already, but you can never have enough documentation, right? So please consider it if it's useful for you, and maybe you find some bugs or whatever. You will notice how easy it is to make some changes and hand in a pull request, and then once you've done that a few times, maybe become a team member or whatever. I would love to see that.

Okay. No, we had the official questions part. You had one.

Okay, the question is searching Microsoft documents from the mail client, and PDFs. We have some full-text search support for mail, but I don't know if it actually searches attachments also, so you would have to check. I can't answer that.

Sorry? Yeah, so the question is how easy it is to integrate with other devices. In the case of email, you have Let's Encrypt certificates, so everything will just work, basically. You can use push email on Android and on iOS, and for ownCloud you have the ownCloud app. Does that answer your question? Yeah, so ownCloud offers contacts and calendar and file sharing, and probably a lot of other stuff, like an image gallery if you want to do photo sharing. But you can use the built-in contact sync and calendar sync in your phone, in your Android phone or iPhone, to sync your contacts and your calendars, exactly.
So, yeah, I think so. Yes. I haven't used it myself with automatic sync, but maybe someone can answer that. Yeah, also for the desktop.

Okay, so yes, definitely, especially with Dropbox being a U.S. company, you don't expect any data protection there. Yeah, that's a good point.

Yeah, I've looked at it. But BitTorrent Sync isn't open source, I think, right? It's pretty cool tech, but unfortunately kind of proprietary.

Okay, one more question. I mean, could you... what was it, after Debian? So the officially supported distributions are Debian and Ubuntu. If you have anything else, it will probably take some effort to get it adapted, but if you're willing to support it for a while, please send pull requests. So we support Debian Jessie right now, and Stretch, I read that it only requires some minor changes. There is an open issue for that, so it's not yet merged, but it's like three packages that changed their name, as far as I'm aware. So it runs also.

Yeah, so the question is how easy it is to change components. We've had quite a few situations where people, instead of running ownCloud, want to use, I don't know, Radicale or something to sync their contacts. You can do that. You can disable the service you don't want and then manually configure the stuff you want instead, and ideally create an Ansible configuration for it, so other people can use it also. There's no ideology. I mean, the discussion is usually in GitHub issues. Of course, we are already low on volunteers, so having more variants that do the same thing, unless there are people who are committed to supporting it, we may have second thoughts about that. But if you say, "Okay, I'm running this myself, this works well, please merge this," we'll surely do it.

In the back. Yeah, the question is: does it support multiple domains and virtual users? Yes, it does.
Yeah, so it has this normal Postfix database-backed service with PostgreSQL.

The question is how Sovereign compares to the Debian FreedomBox project. I don't really know. I haven't used anything else lately. Maybe someone else has some experience and can say something about that. Okay, sorry, I don't know. Please let me know if you...

This guy's first. Sorry. Yeah, so the official way is to use Tarsnap, which is open source encrypted cloud backup, basically, but it's also a commercial service. So I just created some script that runs every night and encrypts the stuff and pushes it to some cloud space I have, but it doesn't like encryption before it pushes it. But if you have it in your home and you have a NAS, network attached storage, they usually always have a backup solution. You can use that, since they run Linux themselves. That's true, and as long as it's all in your own home, you may want to have a solution to do, I don't know, a weekly backup or decentralized backup.

Okay, the next question. Yeah, go ahead. Okay, so the question is about availability at home. You may not have a UPS, or it's not server-grade hardware, not that available. So maybe there's an idea for a distributed cloud solution with some friends or something like that. Sounds cool. Bring it on. There's nothing that I'm aware of. There is, however, some other talk I want to mention, about running stuff in the cloud even if you don't trust the cloud, like searching encrypted cloud stuff. I don't know the title of the talk, but I thought I had it somewhere in my notes. So I can leave this on; this is the URL of the site. Yes, by erica. Yeah, can you repeat the title?
Yeah, "My Safe In Your House". I think it's today in two hours or so, so check that out also.

Yes, it runs Apache. It does not run MySQL right now, because we try to have only one database, with the memory requirement. But you can definitely put your own stuff on it, put your own web pages there. Also, if you have a nice upstream connection at home, you can go wild here.

No, it's a Raspberry Pi 3. It has 1 gigabyte of RAM. Yeah. So the question was if it's a Raspberry Pi.

Okay, so the question is automatic updates. You can use the mechanism provided by your distribution. For Debian and for Ubuntu you can use automatic upgrades for security updates and do the rest manually. I tend to log in manually and do it by myself, but you can automate that also.

Okay, any more questions? Ah, there in the back.

Okay, so the question is: if you store your data in the cloud, you may not notice it being accessed by the government or anything. Can this also happen when you're at home? So there are several things here. Your server could get hacked by the government. You know, they're entitled to do that now. So we try to make it secure. Also, with the VPS solution, you can, um, make it slightly more secure by only forwarding those ports that you actually have open. Right now it forwards all the ports, so maybe you want to consider that. Also, they can physically break into your house and try to do it in a stealthy manner. Is this what you're getting at? I don't know. I mean, it's a server running in your own house. If they can get in via the internet, then of course your data could be copied or even modified, whatever.

Yeah, so the question is: can they force you to decrypt your own data? It depends on the country. I mean, there's a guy in jail in the U.S. right now because he doesn't reveal his encryption key. But that's only in the U.S. I haven't heard of that in Europe.
I think in the UK they are also going that way. So some people have been... I think the technical thing is, like, disrespect of the judge or something. Contempt of court, thank you. But this is actually something that we should fight against. As I said, there are strong protections for written letters, and I don't see any reason whatsoever that it doesn't extend to digital data. There shouldn't be any difference, right? And also, there are laws in theory protecting data while it's in transit, but there are so many exceptions. In Germany, there's the G10, and, you know, everything's pretty bad.

Yes, so the VPS server could be, you know, backdoored or whatever. It doesn't really matter that much. We consider the internet to be hostile anyway, so the VPS is part of that. And of course, if they get right to the VPS, that means they can capture all your traffic. But ideally all of it is encrypted anyway. If you retrieve your email using an email client, it will be encrypted. If you send email using SMTP, it will at least be transport encrypted. And also Sovereign has some nice defaults, so if it talks to other mail servers, it will use opportunistic encryption whenever available. And if you don't know if opportunistic encryption will be used, or maybe you're afraid of some SSL stripping, then you can always use end-to-end encryption also.

Okay, one more question. Yeah, it's probably a good idea. You can go two different routes, basically. You can either go the performance route, which means you choose a VPS that has a good network connection to your physical server, so there's not a lot of extra round-trip time for the requests. Or you say, "I want to have it in different countries." But given the fact that there's a low amount of trust in the VPS, it's not that critical really. You can also go for the cheapest one.