Investigating an OpenVPN connection problem in Gentoo Linux and Lubuntu 22.04 but not in Android 13

Back in 2020 I successfully used OpenVPN to access a remote server from my laptop and from my smartphone. Fast forward to 2023 and I needed to use OpenVPN again to access the same remote server. I could again access the remote server when connecting from my smartphone, now running Android 13, using the OpenVPN client app. However, when I tried to use OpenVPN from my laptop running Gentoo Linux, and from my desktop machine running Lubuntu 22.04, VPN connection attempts always timed out. The OpenVPN client configuration file (referred to generically as ‘client.ovpn‘ in some articles, named ‘bsf1.ovpn‘ in my case) and the OpenVPN password were both correct, so I did not understand why a connection could not be established from the laptop and desktop machine to the remote server, especially as there was not a problem connecting from my smartphone running Android 13.

I use KDE in Gentoo Linux, and Lubuntu 22.04 uses LXQt. In both those Desktop Environments I used the relevant GUI front-end to NetworkManager to import the client.ovpn file and to try to connect to the VPN server. As these connection attempts had failed, I launched the OpenVPN client from the command line in Gentoo Linux to see if there were any error messages, and the output is shown below. (For privacy reasons I have annonimised my public IP address, domain, e-mail address, country, location and organisation in all the command line output shown in this post.)

root # openvpn --config bsf1.ovpn
2023-09-30 01:07:02 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2023-09-30 01:07:02 DEPRECATED OPTION: --cipher set to 'AES-128-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations. 
2023-09-30 01:07:02 OpenVPN 2.6.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
2023-09-30 01:07:02 library versions: OpenSSL 3.0.10 1 Aug 2023, LZO 2.10
2023-09-30 01:07:02 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Enter Private Key Password:
2023-09-30 01:08:57 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2023-09-30 01:08:58 TCP/UDP: Preserving recently used remote address: [AF_INET]111.222.333.444:1194
2023-09-30 01:08:58 Socket Buffers: R=[131072->131072] S=[16384->16384]
2023-09-30 01:08:58 Attempting to establish TCP connection with [AF_INET]111.222.333.444:1194
2023-09-30 01:08:58 TCP connection established with [AF_INET]111.222.333.444:1194
2023-09-30 01:08:58 TCPv4_CLIENT link local: (not bound)
2023-09-30 01:08:58 TCPv4_CLIENT link remote: [AF_INET]111.222.333.444:1194
2023-09-30 01:08:58 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
2023-09-30 01:08:58 TLS: Initial packet from [AF_INET]111.222.333.444:1194, sid=fc150984 3a9d3b4f
2023-09-30 01:08:58 TLS error: Unsupported protocol. This typically indicates that client and server have no common TLS version enabled. This can be caused by mismatched tls-version-min and tls-version-max options on client and server. If your OpenVPN client is between v2.3.6 and v2.3.2 try adding tls-version-min 1.0 to the client configuration to use TLS 1.0+ instead of TLS 1.0 only
2023-09-30 01:08:58 OpenSSL: error:0A000102:SSL routines::unsupported protocol
2023-09-30 01:08:58 TLS_ERROR: BIO read tls_read_plaintext error
2023-09-30 01:08:58 TLS Error: TLS object -> incoming plaintext read error
2023-09-30 01:08:58 TLS Error: TLS handshake failed
2023-09-30 01:08:58 Fatal TLS error (check_tls_errors_co), restarting
2023-09-30 01:08:58 SIGUSR1[soft,tls-error] received, process restarting
2023-09-30 01:08:58 Restart pause, 1 second(s)
2023-09-30 01:08:59 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2023-09-30 01:08:59 TCP/UDP: Preserving recently used remote address: [AF_INET]111.222.333.444:1194
2023-09-30 01:08:59 Socket Buffers: R=[131072->131072] S=[16384->16384]
2023-09-30 01:08:59 Attempting to establish TCP connection with [AF_INET]111.222.333.444:1194
2023-09-30 01:08:59 TCP connection established with [AF_INET]111.222.333.444:1194
2023-09-30 01:08:59 TCPv4_CLIENT link local: (not bound)
2023-09-30 01:08:59 TCPv4_CLIENT link remote: [AF_INET]111.222.333.444:1194
2023-09-30 01:08:59 TLS: Initial packet from [AF_INET]111.222.333.444:1194, sid=00c193e4 f375c3df
2023-09-30 01:08:59 TLS error: Unsupported protocol. This typically indicates that client and server have no common TLS version enabled. This can be caused by mismatched tls-version-min and tls-version-max options on client and server. If your OpenVPN client is between v2.3.6 and v2.3.2 try adding tls-version-min 1.0 to the client configuration to use TLS 1.0+ instead of TLS 1.0 only
2023-09-30 01:08:59 OpenSSL: error:0A000102:SSL routines::unsupported protocol
2023-09-30 01:08:59 TLS_ERROR: BIO read tls_read_plaintext error
2023-09-30 01:08:59 TLS Error: TLS object -> incoming plaintext read error
2023-09-30 01:08:59 TLS Error: TLS handshake failed
2023-09-30 01:08:59 Fatal TLS error (check_tls_errors_co), restarting
2023-09-30 01:08:59 SIGUSR1[soft,tls-error] received, process restarting
2023-09-30 01:08:59 Restart pause, 1 second(s)
2023-09-30 01:09:00 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2023-09-30 01:09:00 TCP/UDP: Preserving recently used remote address: [AF_INET]111.222.333.444:1194
2023-09-30 01:09:00 Socket Buffers: R=[131072->131072] S=[16384->16384]
2023-09-30 01:09:00 Attempting to establish TCP connection with [AF_INET]111.222.333.444:1194
2023-09-30 01:09:00 TCP connection established with [AF_INET]111.222.333.444:1194
2023-09-30 01:09:00 TCPv4_CLIENT link local: (not bound)
2023-09-30 01:09:00 TCPv4_CLIENT link remote: [AF_INET]111.222.333.444:1194
2023-09-30 01:09:00 TLS: Initial packet from [AF_INET]111.222.333.444:1194, sid=415fddcd dc5faf65
2023-09-30 01:09:01 TLS error: Unsupported protocol. This typically indicates that client and server have no common TLS version enabled. This can be caused by mismatched tls-version-min and tls-version-max options on client and server. If your OpenVPN client is between v2.3.6 and v2.3.2 try adding tls-version-min 1.0 to the client configuration to use TLS 1.0+ instead of TLS 1.0 only
2023-09-30 01:09:01 OpenSSL: error:0A000102:SSL routines::unsupported protocol
2023-09-30 01:09:01 TLS_ERROR: BIO read tls_read_plaintext error
2023-09-30 01:09:01 TLS Error: TLS object -> incoming plaintext read error
2023-09-30 01:09:01 TLS Error: TLS handshake failed
2023-09-30 01:09:01 Fatal TLS error (check_tls_errors_co), restarting
2023-09-30 01:09:01 SIGUSR1[soft,tls-error] received, process restarting
2023-09-30 01:09:01 Restart pause, 1 second(s)
2023-09-30 01:09:02 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2023-09-30 01:09:02 TCP/UDP: Preserving recently used remote address: [AF_INET]111.222.333.444:1194
2023-09-30 01:09:02 Socket Buffers: R=[131072->131072] S=[16384->16384]
2023-09-30 01:09:02 Attempting to establish TCP connection with [AF_INET]111.222.333.444:1194
2023-09-30 01:09:02 TCP connection established with [AF_INET]111.222.333.444:1194
2023-09-30 01:09:02 TCPv4_CLIENT link local: (not bound)
2023-09-30 01:09:02 TCPv4_CLIENT link remote: [AF_INET]111.222.333.444:1194
2023-09-30 01:09:02 TLS: Initial packet from [AF_INET]111.222.333.444:1194, sid=1458e510 821d0c37
2023-09-30 01:09:02 TLS error: Unsupported protocol. This typically indicates that client and server have no common TLS version enabled. This can be caused by mismatched tls-version-min and tls-version-max options on client and server. If your OpenVPN client is between v2.3.6 and v2.3.2 try adding tls-version-min 1.0 to the client configuration to use TLS 1.0+ instead of TLS 1.0 only
2023-09-30 01:09:02 OpenSSL: error:0A000102:SSL routines::unsupported protocol
2023-09-30 01:09:02 TLS_ERROR: BIO read tls_read_plaintext error
2023-09-30 01:09:02 TLS Error: TLS object -> incoming plaintext read error
2023-09-30 01:09:02 TLS Error: TLS handshake failed
2023-09-30 01:09:02 Fatal TLS error (check_tls_errors_co), restarting
2023-09-30 01:09:02 SIGUSR1[soft,tls-error] received, process restarting
2023-09-30 01:09:02 Restart pause, 1 second(s)
2023-09-30 01:09:03 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2023-09-30 01:09:03 TCP/UDP: Preserving recently used remote address: [AF_INET]111.222.333.444:1194
2023-09-30 01:09:03 Socket Buffers: R=[131072->131072] S=[16384->16384]
2023-09-30 01:09:03 Attempting to establish TCP connection with [AF_INET]111.222.333.444:1194
2023-09-30 01:09:03 TCP connection established with [AF_INET]111.222.333.444:1194
2023-09-30 01:09:03 TCPv4_CLIENT link local: (not bound)
2023-09-30 01:09:03 TCPv4_CLIENT link remote: [AF_INET]111.222.333.444:1194
2023-09-30 01:09:03 TLS: Initial packet from [AF_INET]111.222.333.444:1194, sid=9ab3df76 86d3e81d
2023-09-30 01:09:03 TLS error: Unsupported protocol. This typically indicates that client and server have no common TLS version enabled. This can be caused by mismatched tls-version-min and tls-version-max options on client and server. If your OpenVPN client is between v2.3.6 and v2.3.2 try adding tls-version-min 1.0 to the client configuration to use TLS 1.0+ instead of TLS 1.0 only
2023-09-30 01:09:03 OpenSSL: error:0A000102:SSL routines::unsupported protocol
2023-09-30 01:09:03 TLS_ERROR: BIO read tls_read_plaintext error
2023-09-30 01:09:03 TLS Error: TLS object -> incoming plaintext read error
2023-09-30 01:09:03 TLS Error: TLS handshake failed
2023-09-30 01:09:03 Fatal TLS error (check_tls_errors_co), restarting
2023-09-30 01:09:03 SIGUSR1[soft,tls-error] received, process restarting
2023-09-30 01:09:03 Restart pause, 2 second(s)
2023-09-30 01:09:05 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2023-09-30 01:09:05 TCP/UDP: Preserving recently used remote address: [AF_INET]111.222.333.444:1194
2023-09-30 01:09:05 Socket Buffers: R=[131072->131072] S=[16384->16384]
2023-09-30 01:09:05 Attempting to establish TCP connection with [AF_INET]111.222.333.444:1194
2023-09-30 01:09:05 TCP connection established with [AF_INET]111.222.333.444:1194
2023-09-30 01:09:05 TCPv4_CLIENT link local: (not bound)
2023-09-30 01:09:05 TCPv4_CLIENT link remote: [AF_INET]111.222.333.444:1194
2023-09-30 01:09:05 TLS: Initial packet from [AF_INET]111.222.333.444:1194, sid=9f21e4f5 a4d9fecb
2023-09-30 01:09:05 TLS error: Unsupported protocol. This typically indicates that client and server have no common TLS version enabled. This can be caused by mismatched tls-version-min and tls-version-max options on client and server. If your OpenVPN client is between v2.3.6 and v2.3.2 try adding tls-version-min 1.0 to the client configuration to use TLS 1.0+ instead of TLS 1.0 only
2023-09-30 01:09:05 OpenSSL: error:0A000102:SSL routines::unsupported protocol
2023-09-30 01:09:05 TLS_ERROR: BIO read tls_read_plaintext error
2023-09-30 01:09:05 TLS Error: TLS object -> incoming plaintext read error
2023-09-30 01:09:05 TLS Error: TLS handshake failed
2023-09-30 01:09:05 Fatal TLS error (check_tls_errors_co), restarting
2023-09-30 01:09:05 SIGUSR1[soft,tls-error] received, process restarting
2023-09-30 01:09:05 Restart pause, 4 second(s)
2023-09-30 01:09:09 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2023-09-30 01:09:10 TCP/UDP: Preserving recently used remote address: [AF_INET]111.222.333.444:1194
2023-09-30 01:09:10 Socket Buffers: R=[131072->131072] S=[16384->16384]
2023-09-30 01:09:10 Attempting to establish TCP connection with [AF_INET]111.222.333.444:1194
2023-09-30 01:09:10 TCP connection established with [AF_INET]111.222.333.444:1194
2023-09-30 01:09:10 TCPv4_CLIENT link local: (not bound)
2023-09-30 01:09:10 TCPv4_CLIENT link remote: [AF_INET]111.222.333.444:1194
2023-09-30 01:09:10 TLS: Initial packet from [AF_INET]111.222.333.444:1194, sid=bb6d7166 52844953
2023-09-30 01:09:10 TLS error: Unsupported protocol. This typically indicates that client and server have no common TLS version enabled. This can be caused by mismatched tls-version-min and tls-version-max options on client and server. If your OpenVPN client is between v2.3.6 and v2.3.2 try adding tls-version-min 1.0 to the client configuration to use TLS 1.0+ instead of TLS 1.0 only
2023-09-30 01:09:10 OpenSSL: error:0A000102:SSL routines::unsupported protocol
2023-09-30 01:09:10 TLS_ERROR: BIO read tls_read_plaintext error
2023-09-30 01:09:10 TLS Error: TLS object -> incoming plaintext read error
2023-09-30 01:09:10 TLS Error: TLS handshake failed
2023-09-30 01:09:10 Fatal TLS error (check_tls_errors_co), restarting
2023-09-30 01:09:10 SIGUSR1[soft,tls-error] received, process restarting
2023-09-30 01:09:10 Restart pause, 8 second(s)
2023-09-30 01:09:18 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2023-09-30 01:09:18 TCP/UDP: Preserving recently used remote address: [AF_INET]111.222.333.444:1194
2023-09-30 01:09:18 Socket Buffers: R=[131072->131072] S=[16384->16384]
2023-09-30 01:09:18 Attempting to establish TCP connection with [AF_INET]111.222.333.444:1194
2023-09-30 01:09:19 TCP connection established with [AF_INET]111.222.333.444:1194
2023-09-30 01:09:19 TCPv4_CLIENT link local: (not bound)
2023-09-30 01:09:19 TCPv4_CLIENT link remote: [AF_INET]111.222.333.444:1194
2023-09-30 01:09:19 TLS: Initial packet from [AF_INET]111.222.333.444:1194, sid=099e3b11 8ddc87c1
2023-09-30 01:09:19 TLS error: Unsupported protocol. This typically indicates that client and server have no common TLS version enabled. This can be caused by mismatched tls-version-min and tls-version-max options on client and server. If your OpenVPN client is between v2.3.6 and v2.3.2 try adding tls-version-min 1.0 to the client configuration to use TLS 1.0+ instead of TLS 1.0 only
2023-09-30 01:09:19 OpenSSL: error:0A000102:SSL routines::unsupported protocol
2023-09-30 01:09:19 TLS_ERROR: BIO read tls_read_plaintext error
2023-09-30 01:09:19 TLS Error: TLS object -> incoming plaintext read error
2023-09-30 01:09:19 TLS Error: TLS handshake failed
2023-09-30 01:09:19 Fatal TLS error (check_tls_errors_co), restarting
2023-09-30 01:09:19 SIGUSR1[soft,tls-error] received, process restarting
2023-09-30 01:09:19 Restart pause, 16 second(s)
2023-09-30 01:09:35 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2023-09-30 01:09:35 TCP/UDP: Preserving recently used remote address: [AF_INET]111.222.333.444:1194
2023-09-30 01:09:35 Socket Buffers: R=[131072->131072] S=[16384->16384]
2023-09-30 01:09:35 Attempting to establish TCP connection with [AF_INET]111.222.333.444:1194
2023-09-30 01:09:35 TCP connection established with [AF_INET]111.222.333.444:1194
2023-09-30 01:09:35 TCPv4_CLIENT link local: (not bound)
2023-09-30 01:09:35 TCPv4_CLIENT link remote: [AF_INET]111.222.333.444:1194
2023-09-30 01:09:35 TLS: Initial packet from [AF_INET]111.222.333.444:1194, sid=38ffac21 50e59cc4
2023-09-30 01:09:35 TLS error: Unsupported protocol. This typically indicates that client and server have no common TLS version enabled. This can be caused by mismatched tls-version-min and tls-version-max options on client and server. If your OpenVPN client is between v2.3.6 and v2.3.2 try adding tls-version-min 1.0 to the client configuration to use TLS 1.0+ instead of TLS 1.0 only
2023-09-30 01:09:35 OpenSSL: error:0A000102:SSL routines::unsupported protocol
2023-09-30 01:09:35 TLS_ERROR: BIO read tls_read_plaintext error
2023-09-30 01:09:35 TLS Error: TLS object -> incoming plaintext read error
2023-09-30 01:09:35 TLS Error: TLS handshake failed
2023-09-30 01:09:35 Fatal TLS error (check_tls_errors_co), restarting
2023-09-30 01:09:35 SIGUSR1[soft,tls-error] received, process restarting
2023-09-30 01:09:35 Restart pause, 32 second(s)
^C

The error message ‘TLS error: Unsupported protocol. This typically indicates that client and server have no common TLS version enabled.‘ made me suspect that the version of the OpenSSL package (which also provides TLS) in Gentoo Linux on my laptop is incompatible with the version of the OpenSSL package on the remote server.

The command line output in Lubuntu 22.04 on the desktop machine also showed there was a problem with TLS when I tried to launch the VPN client:

user $ sudo openvpn --config bsf1.ovpn
[sudo] password for fitzcarraldo: 
2023-10-03 14:00:43 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2023-10-03 14:00:43 DEPRECATED OPTION: --cipher set to 'AES-128-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-128-CBC' to --data-ciphers or change --cipher 'AES-128-CBC' to --data-ciphers-fallback 'AES-128-CBC' to silence this warning.
2023-10-03 14:00:43 OpenVPN 2.5.5 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 14 2022
2023-10-03 14:00:43 library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10
2023-10-03 14:00:43 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
🔐 Enter Private Key Password: ************            
2023-10-03 14:00:48 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2023-10-03 14:00:48 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2023-10-03 14:00:48 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2023-10-03 14:00:48 RESOLVE: Cannot resolve host address: bsfitzgerald.ddns.net:1194 (Temporary failure in name resolution)
2023-10-03 14:00:48 RESOLVE: Cannot resolve host address: bsfitzgerald.ddns.net:1194 (Temporary failure in name resolution)
2023-10-03 14:00:48 Could not determine IPv4/IPv6 protocol
2023-10-03 14:00:48 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
2023-10-03 14:00:48 SIGUSR1[soft,init_instance] received, process restarting
2023-10-03 14:00:48 Restart pause, 5 second(s)
2023-10-03 14:00:53 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2023-10-03 14:00:53 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2023-10-03 14:00:53 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2023-10-03 14:00:55 TCP/UDP: Preserving recently used remote address: [AF_INET]111.222.333.444:1194
2023-10-03 14:00:55 Socket Buffers: R=[131072->131072] S=[16384->16384]
2023-10-03 14:00:55 Attempting to establish TCP connection with [AF_INET]111.222.333.444:1194 [nonblock]
2023-10-03 14:00:55 TCP connection established with [AF_INET]111.222.333.444:1194
2023-10-03 14:00:55 TCP_CLIENT link local: (not bound)
2023-10-03 14:00:55 TCP_CLIENT link remote: [AF_INET]111.222.333.444:1194
2023-10-03 14:00:56 TLS: Initial packet from [AF_INET]111.222.333.444:1194, sid=c3ec9433 c4139af0
2023-10-03 14:00:57 VERIFY OK: depth=1, C=PE, ST=Loreto, L=Iquitos, O=Work, OU=vpn, CN=server, name=server, emailAddress=brian@bsfitzgerald.com
2023-10-03 14:00:57 VERIFY OK: depth=0, C=PE, ST=Loreto, L=Iquitos, O=Work, OU=vpn, CN=server, name=server, emailAddress=brian@bsfitzgerald.com
2023-10-03 14:00:58 OpenSSL: error:0A0C0103:SSL routines::internal error
2023-10-03 14:00:58 TLS_ERROR: BIO read tls_read_plaintext error
2023-10-03 14:00:58 TLS Error: TLS object -> incoming plaintext read error
2023-10-03 14:00:58 TLS Error: TLS handshake failed
2023-10-03 14:00:58 Fatal TLS error (check_tls_errors_co), restarting
2023-10-03 14:00:58 SIGUSR1[soft,tls-error] received, process restarting
2023-10-03 14:00:58 Restart pause, 5 second(s)
2023-10-03 14:01:03 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2023-10-03 14:01:03 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2023-10-03 14:01:03 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2023-10-03 14:01:03 TCP/UDP: Preserving recently used remote address: [AF_INET]111.222.333.444:1194
2023-10-03 14:01:03 Socket Buffers: R=[131072->131072] S=[16384->16384]
2023-10-03 14:01:03 Attempting to establish TCP connection with [AF_INET]111.222.333.444:1194 [nonblock]
2023-10-03 14:01:03 TCP connection established with [AF_INET]111.222.333.444:1194
2023-10-03 14:01:03 TCP_CLIENT link local: (not bound)
2023-10-03 14:01:03 TCP_CLIENT link remote: [AF_INET]111.222.333.444:1194
2023-10-03 14:01:03 TLS: Initial packet from [AF_INET]111.222.333.444:1194, sid=486e45aa bbf5d0b0
2023-10-03 14:01:05 VERIFY OK: depth=1, C=GB, ST=Loreto, L=Iquitos, O=Work, OU=vpn, CN=server, name=server, emailAddress=brian@bsfitzgerald.com
2023-10-03 14:01:05 VERIFY OK: depth=0, C=GB, ST=Loreto, L=Iquitos, O=Work, OU=vpn, CN=server, name=server, emailAddress=brian@bsfitzgerald.com
2023-10-03 14:01:05 OpenSSL: error:0A0C0103:SSL routines::internal error
2023-10-03 14:01:05 TLS_ERROR: BIO read tls_read_plaintext error
2023-10-03 14:01:05 TLS Error: TLS object -> incoming plaintext read error
2023-10-03 14:01:05 TLS Error: TLS handshake failed
2023-10-03 14:01:05 Fatal TLS error (check_tls_errors_co), restarting
2023-10-03 14:01:05 SIGUSR1[soft,tls-error] received, process restarting
2023-10-03 14:01:05 Restart pause, 5 second(s)
2023-10-03 14:01:10 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2023-10-03 14:01:10 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2023-10-03 14:01:10 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2023-10-03 14:01:10 TCP/UDP: Preserving recently used remote address: [AF_INET]111.222.333.444:1194
2023-10-03 14:01:10 Socket Buffers: R=[131072->131072] S=[16384->16384]
2023-10-03 14:01:10 Attempting to establish TCP connection with [AF_INET]111.222.333.444:1194 [nonblock]
2023-10-03 14:01:10 TCP connection established with [AF_INET]111.222.333.444:1194
2023-10-03 14:01:10 TCP_CLIENT link local: (not bound)
2023-10-03 14:01:10 TCP_CLIENT link remote: [AF_INET]111.222.333.444:1194
2023-10-03 14:01:11 TLS: Initial packet from [AF_INET]111.222.333.444:1194, sid=2523066e a7169e23
2023-10-03 14:01:12 VERIFY OK: depth=1, C=GB, ST=Loreto, L=Iquitos, O=Work, OU=vpn, CN=server, name=server, emailAddress=brian@bsfitzgerald.com
2023-10-03 14:01:12 VERIFY OK: depth=0, C=GB, ST=Loreto, L=Iquitos, O=Work, OU=vpn, CN=server, name=server, emailAddress=brian@bsfitzgerald.com
2023-10-03 14:01:13 OpenSSL: error:0A0C0103:SSL routines::internal error
2023-10-03 14:01:13 TLS_ERROR: BIO read tls_read_plaintext error
2023-10-03 14:01:13 TLS Error: TLS object -> incoming plaintext read error
2023-10-03 14:01:13 TLS Error: TLS handshake failed
2023-10-03 14:01:13 Fatal TLS error (check_tls_errors_co), restarting
2023-10-03 14:01:13 SIGUSR1[soft,tls-error] received, process restarting
2023-10-03 14:01:13 Restart pause, 5 second(s)
^C

The version of OpenSSL currently running on the remote server is as follows:

user $ openssl version
OpenSSL 1.0.2l  25 May 2017

whereas the version of OpenSSL currently running in Gentoo Linux on the laptop is:

user $ openssl version
OpenSSL 3.0.10 1 Aug 2023 (Library: OpenSSL 3.0.10 1 Aug 2023)

and the version of OpenSSL currently running in Lubuntu 22.04 on the desktop machine is:

user $ openssl version
OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)

The last time I successfully used the OpenVPN client on the laptop was in 2020, when the version of OpenSSL on the laptop was 1.1.1g, so my suspicion grew that the root cause of the problem is a version difference in OpenSSL between the client machine and the remote server.

I searched the Web and found OpenVPN bug report #348: ‘2.6 client cannot connect to old 2.2 and 2.1 server‘. Therefore I tried adding the following three lines to the client.ovpn file (bsf1.ovpn) in Gentoo Linux:

tls-cert-profile insecure
providers legacy default
compat-mode 1.1.1

Now the laptop can connect to the remote VPN server via the command line in a terminal window, as shown in the output below:

root # openvpn --config bsf1.ovpn
2023-09-30 03:13:26 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2023-09-30 03:13:26 OpenVPN 2.6.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
2023-09-30 03:13:26 library versions: OpenSSL 3.0.10 1 Aug 2023, LZO 2.10
2023-09-30 03:13:26 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Enter Private Key Password:
2023-09-30 03:13:33 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2023-09-30 03:13:33 TCP/UDP: Preserving recently used remote address: [AF_INET]111.222.333.444:1194
2023-09-30 03:13:33 Socket Buffers: R=[131072->131072] S=[16384->16384]
2023-09-30 03:13:33 Attempting to establish TCP connection with [AF_INET]111.222.333.444:1194
2023-09-30 03:13:33 TCP connection established with [AF_INET]111.222.333.444:1194
2023-09-30 03:13:33 TCPv4_CLIENT link local: (not bound)
2023-09-30 03:13:33 TCPv4_CLIENT link remote: [AF_INET]111.222.333.444:1194
2023-09-30 03:13:33 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
2023-09-30 03:13:33 TLS: Initial packet from [AF_INET]111.222.333.444:1194, sid=4103e161 8493e221
2023-09-30 03:13:34 VERIFY OK: depth=1, C=PE, ST=Loreto, L=Iquitos, O=Work, OU=vpn, CN=server, name=server, emailAddress=brian@bsfitzgerald.com
2023-09-30 03:13:34 VERIFY OK: depth=0, C=PE, ST=Loreto, L=Iquitos, O=Work, OU=vpn, CN=server, name=server, emailAddress=brian@bsfitzgerald.com
2023-09-30 03:13:35 Control Channel: TLSv1, cipher SSLv3 DHE-RSA-AES256-SHA, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2023-09-30 03:13:35 [server] Peer Connection Initiated with [AF_INET]111.222.333.444:1194
2023-09-30 03:13:35 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2023-09-30 03:13:35 TLS: tls_multi_process: initial untrusted session promoted to trusted
2023-09-30 03:13:36 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
2023-09-30 03:13:36 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-options DNS 8.8.8.8,route-gateway 10.10.1.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.10.1.4 255.255.255.0'
2023-09-30 03:13:36 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:2: dhcp-options (2.6.4)
2023-09-30 03:13:36 OPTIONS IMPORT: --ifconfig/up options modified
2023-09-30 03:13:36 OPTIONS IMPORT: route options modified
2023-09-30 03:13:36 OPTIONS IMPORT: route-related options modified
2023-09-30 03:13:36 Using peer cipher 'AES-128-CBC'
2023-09-30 03:13:36 net_route_v4_best_gw query: dst 0.0.0.0
2023-09-30 03:13:36 net_route_v4_best_gw result: via 192.168.96.245 dev wlp3s0
2023-09-30 03:13:36 ROUTE_GATEWAY 192.168.96.245/255.255.255.0 IFACE=wlp3s0 HWADDR=d8:fc:93:c5:f4:6d
2023-09-30 03:13:36 TUN/TAP device tun0 opened
2023-09-30 03:13:36 net_iface_mtu_set: mtu 1500 for tun0
2023-09-30 03:13:36 net_iface_up: set tun0 up
2023-09-30 03:13:36 net_addr_v4_add: 10.10.1.4/24 dev tun0
2023-09-30 03:13:36 net_route_v4_add: 111.222.333.444/32 via 192.168.96.245 dev [NULL] table 0 metric -1
2023-09-30 03:13:36 net_route_v4_add: 0.0.0.0/1 via 10.10.1.1 dev [NULL] table 0 metric -1
2023-09-30 03:13:36 net_route_v4_add: 128.0.0.0/1 via 10.10.1.1 dev [NULL] table 0 metric -1
2023-09-30 03:13:36 UID set to nobody
2023-09-30 03:13:36 GID set to nogroup
2023-09-30 03:13:36 Capabilities retained: CAP_NET_ADMIN
2023-09-30 03:13:36 Initialization Sequence Completed
2023-09-30 03:13:36 Data Channel: cipher 'AES-128-CBC', auth 'SHA256', compression: 'lzo'
2023-09-30 03:13:36 Timers: ping 10, ping-restart 12
[...]

and I can access the SMB shares on the remote server by entering ‘smb://192.168.0.10‘ in the Dolphin file manager’s window in KDE on the laptop.

However, if I terminate the openvpn client on the command line and then import the modified bsf1.ovpn file into NetworkManager using plasma-nm (the KDE GUI front-end to NetworkManager), connection attempts to the VPN still time out. The created NetworkManager connection file /etc/NetworkManager/system-connections/bsf1.nmconnection does not contain the settings in the additional three lines that I added to the client.ovpn file, as apparently they are meaningless to NetworkManager. When I use the plasma-nm GUI to import the client.ovpn file I assume plasma-nm or NetworkManager simply ignore the additional three lines when they parse the configuration file.

In Lubuntu 22.04 I edited bsf1.ovpn to add the three lines:

tls-cert-profile insecure
providers legacy default
compat-mode 1.1.1

and launched the openvpn client from the command line, but OpenVPN objected to the compat-mode line:

user $ sudo openvpn --config wjh1.ovpn
Options error: Unrecognized option or missing or extra parameter(s) in bsf1.ovpn:93: compat-mode (2.5.5)
Use --help for more information.

For the openvpn client command to execute successfully in Lubuntu 22.04 I had to omit the line ‘compat-mode 1.1.1‘, i.e. the two manually-added lines to bsf1.ovpn in Lubuntu 22.04 are:

tls-cert-profile insecure
providers legacy default

In my situation (i.e. the client is using OpenSSL 3.x.x in Lubuntu 22.04 and the remote server is using OpenSSL 1.x.x) the VPN connection still times out when attempting to connect using the GUI front-end (nm-tray or nm-applet) to NetworkManager in LXQt, so the work-around is still to launch the OpenVPN client from the command line as already explained:

user $ openvpn --conf bsf1.ovpn

and I can access the SMB shares on the remote server by entering ‘smb://192.168.0.10‘ in the PCManFM-Qt file manager’s window in LXQt on the desktop machine.

The remaining question I had was why my Samsung Galaxy Note 20 Ultra 5G running Android 13 can connect to the remote server via OpenVPN. I suspected that Android 13 uses an earlier version of OpenSSL that is compatible with the version on the remote server. A little research online showed me that Android 13 (and a couple of previous versions of Android) uses a Google fork of OpenSSL called BoringSSL. So, to find the version of OpenSSL/BoringSSL in Android 13, I cloned the BoringSSL repository on my laptop:

user $ git clone https://android.googlesource.com/platform/external/boringssl

and then I searched for the environment variable OPENSSL_VERSION_TEXT:

user $ grep -r OPENSSL_VERSION_TEXT boringssl/*
boringssl/include/openssl/crypto.h:// OPENSSL_VERSION_TEXT contains a string the identifies the version of
boringssl/include/openssl/crypto.h:#define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1 (compatible; BoringSSL)"
boringssl/src/include/openssl/crypto.h:// OPENSSL_VERSION_TEXT contains a string the identifies the version of
boringssl/src/include/openssl/crypto.h:#define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1 (compatible; BoringSSL)"
boringssl/src/crypto/crypto_test.cc:// Test that OPENSSL_VERSION_NUMBER and OPENSSL_VERSION_TEXT are consistent.
boringssl/src/crypto/crypto_test.cc:// Node.js parses the version out of OPENSSL_VERSION_TEXT instead of using
boringssl/src/crypto/crypto_test.cc:            std::string(OPENSSL_VERSION_TEXT).substr(0, strlen(expected)));

As I had surmised, OpenSSL (well, the fork BoringSSL) in Android 13 is Version 1.1.1. That is why the original bsf1.ovpn still works with the OpenVPN client on my phone to access the OpenVPN server running on the remote server.

By the way, in order to use OpenVPN in Lubuntu 22.04, you need to install the following three Ubuntu packages:

openvpn
network-manager-openvpn
network-manager-openvpn-gnome (despite Lubuntu using LXQt rather than GNOME)

The NetworkManager GUI front-end nm-tray does not support password asking, so you need to use the NetworkManager GUI front-end nm-applet to connect to the VPN (assuming both client and server have compatible versions of OpenSSL, that is). You can either type ‘nm-applet‘ on the command line or you can switch to using nm-applet instead of nm-tray by deselecting nm-tray in LXQt ‘Application Menu’ > ‘Preferences’ > ‘LXQt Settings’ > ‘Session Settings’ > ‘Autostart’ and adding nm-applet to the Autostart list. See Lubuntu Manual Appendix G Advanced Networking for further details. As already mentioned, in my situation the client is using OpenSSL 3.x.x and the server is using OpenSSL 1.x.x so the VPN connection still times out, therefore the work-around is still to launch openvpn from the command line:

user $ openvpn --conf bsf1.ovpn

To summarise my situation:

On my smartphone running Android 13 I simply use the OpenVPN client app for Android with the original client.ovpn configuration file (named ‘bsf1.ovpn‘ in my case) in order to connect to the VPN server on the remote server running OpenSSL 1.0.2l.

In Gentoo Linux currently running OpenSSL 3.0.10, I have to edit the original client.ovpn configuration file and add three lines, then launch the openvpn client from the command line in a terminal window in order to connect to the VPN server on the remote server running OpenSSL 1.0.2l.

In Lubuntu 22.04 currently running OpenSSL 3.0.2, I have to edit the original client.ovpn configuration file and add two lines, then launch the openvpn client from the command line in a terminal window in order to connect to the VPN server on the remote server running OpenSSL 1.0.2l.

The bottom line is: To avoid problems, check you have the same version of OpenSSL installed in the client and server devices when using OpenVPN.

Disabling the DebugLoggerUI service app in Android

The following notification appeared every time I switched on my Blackview Tab 10 tablet (Android 11):

DebugLoggerUI

DebugLoggerUI service is running

I cannot remember if this notification started appearing after I upgraded the tablet’s firmware last year to remove a bug in the original firmware (I had contacted Blackview and they supplied me with the updated firmware file plus a Windows 10 tool to update the tablet’s firmware). Anyway, the DebugLoggerUI notification was annoying and the log files it created were not needed either.

I enabled ‘Developer options‘ in Android and selected the settings page for DebugLoggerUI. I tapped the DebugLoggerUI’s wastebin icon to delete the existing log files, then unticked all the listed log files in order to prevent further logging.

The following notification now appeared every time I switched on the tablet, confirming that logging had ceased:

DebugLoggerUI

DebugLoggerUI service is running
Warning: All logs are stopped!!!

However the service was still running and there was no way to permanently disable or uninstall the DebugLoggerUI app from the tablet’s menus. I therefore decided to try to disable the application by using adb (Android Debug Bridge). The procedure I used is listed below.

1. Installed adb tools on the computer

In Lubuntu:

user $ sudo apt install android-tools-adb

In Gentoo Linux:

root # emerge android-tools

2. Enabled ‘Developer Options’ on the tablet

‘Settings’ > ‘About tablet’ and quickly tapped seven times on ‘Build number’.

3. Enabled ‘USB Debugging’ on the tablet

‘Settings’ > ‘System’ > Developer options’, scroll down and tap on ‘USB debugging’. Tapped ‘OK’ when prompted ‘Allow USB debugging?’.

4. Launched adb on the computer

user $ adb start-server

5. Connected the tablet to the computer with a USB cable

user $ adb devices
List of devices attached
DKTAB10EEA007074        unauthorized

A few prompts on the tablet asked whether or not to allow USB debugging. Tapped ‘Always allow from this computer’ and tapped ‘OK’.

6. Checked for a DebugLoggerUI service

user $ adb shell service list | grep -i logger

Nothing was returned.

7. Checked for a DebugLoggerUI app

user $ adb shell pm list packages | grep -i debug
package:com.debug.loggerui
package:com.mediatek.gnssdebugreport

8. Disabled the DebugLoggerUI app

user $ adb shell pm disable-user --user 0 com.debug.loggerui
Package com.debug.loggerui new state: disabled-user

9. Checked if the app is now disabled (enabled=3)

user $ adb shell dumpsys package com.debug.loggerui | grep enabled
    User 0: ceDataInode=467223 installed=true hidden=false suspended=false distractionFlags=0 stopped=false notLaunched=false enabled=3 instant=false virtual=false

N.B. If I want to re-enable the app in future, I would use the following command:

user $ adb shell pm enable --user 0 com.debug.loggerui

10. Stopped the adb server on the computer

user $ adb kill-server

11. Unplugged the phone from the computer.

12. Restarted the tablet.

Great! No more notification message about DebugLoggerUI.

Blackview Tab 11, a good budget tablet

Blackview Tab 11 tablet with optional wireless keyboard.

Last year a family member told me that her compact mobile phone’s screen is too small to show family photos properly to her friends. She said her friends use tablets to show their family’s photos, and she asked me if it would be possible to access her existing WhatsApp account via a tablet. I explained that, without guaranteed access to Wi-Fi in public areas, it would not be feasible to use WhatsApp Web on a tablet, so a tablet would need to have a SIM card. As the tablet’s SIM card would have a different phone number she would need a different WhatsApp account on the tablet but that account could be a member of the existing WhatsApp chat groups of which she is a member on her mobile phone. Additionally, she could forward to her tablet’s WhatsApp account any photos she receives in her mobile phone WhatsApp’s account.

Coincidentally, a few weeks later we changed our home Broadband provider (the previous provider’s service was terrible), and the new package included a mobile phone SIM card with 5 GB data monthly at a very cheap price. We already have good SIM-only packages for our mobile phones, so the new SIM card was available to be used in a tablet. Therefore I decided to buy a budget tablet, and plumped for a Blackview Tab 10, which had a good specification for a budget tablet. It came in September 2021 with Blackview firmware version Tab10_EEA_TP717_V1.0.0_20210429V07 containing some bugs: the System Manager app did not work after I inserted a 128 GB microSD card and the tablet’s microphone did not work in WhatsApp, Signal and Skype. I was able to fix the bugs by upgrading the tablet’s firmware to version Tab10_EEA_TP717_V1.0_20210824V09 with the help of Blackview’s customer support department. I assume a Tab 10 purchased since September 2021 would already have the newer firmware. Anyway, after upgrading the firmware everything works well. The tablet’s camera performance is not stellar, but who buys a tablet for its cameras? I would summarise the Blackview Tab 10’s features as follows:

• It has 4 GB RAM and 64 GB storage.
• It was supplied with a charger, USB C earphones (including microphone), OTG (on-the-go) adapter (USB C plug on one end, USB A socket on the other end), and a protective case which can be folded to make a kickstand.
• It does not have a 3.5 mm jack socket for earphones, so you have to use earphones that have a USB C plug.
• In the UK it works well to make and receive phone calls (4G), send and receive SMS messages (4G), and send and receive mobile data (4G). The SIM card for a mobile network that also supports 5G works with 4G too. I had to enter the APN (Access Point Name) parameters of my mobile service provider, which I found by googling.
• According to Blackview the Tab 10’s mobile phone functionality does not work in the USA. only Europe and Asia.
• It comes with Blackview’s Doke OS_P 1.0 using Android 11.
• It has a bright, crisp screen, albeit without automatic brightness adjustment.
• It can be connected to a magnetic keyboard designed for the Tab 10 (see Blackview’s online shop).
• Wi-Fi and Bluetooth work well.
• It is fine for browsing the Web, viewing photos, watching YouTube videos and other videos, reading documents, chatting via WhatsApp, Signal and Skype.
• The tap detection is a little slow, but fine for normal use.

There is a very comprehensive review of the Tab 10 on the NOTEBOOKCHECK Web site.

By the way, since I bought the Tab 10 Blackview has released a Tab 10 Pro with 8 GB RAM and 128 GB storage, with handwriting support. The additional memory, storage and handwriting support make the Tab 10 Pro a better choice than the Tab 10 for an extra GBP 30 or so.

Anyway, the Tab 10 filled the brief I had been given.

This post would have ended here except that, last week, I noticed that the Tab 10’s screen had partially popped out of its plastic housing. I suspect one of my family had either dropped the tablet or sat on it on the sofa. When I tried to push the screen back into its housing a crack formed in a corner of the screen. The crack appears to be in the LCD screen under the touch screen. I asked a local repair shop how much they would charge to repair it and they quoted me nearly half what I paid for the tablet, so I decided to buy the latest Blackview tablet model instead, the Tab 11. The Tab 11 has a higher specification than the Tab 10 and I paid less for it than I paid for the Tab 10 (although the Tab 10 is now being discounted by Blackview and some online stores and can be purchased for less than the Tab 11).

Apart from the higher specification CPU and GPU than the Tab 10, the Tab 11 has double the RAM and double the storage. The Tab 11 housing is aluminium alloy rather than the plastic housing of the Tab 10, and it weighs less than the Tab 10. The NOTEBOOKCHECK Web site does not yet have a comprehensive review of the Tab 11, but the TECHXREVIEWS Web site has a fairly comprehensive review. The Tab 11 is noticeably snappier and responsive than the Tab 10 and I like it a lot so far. Unlike the Tab 10, the Tab 11 has a 3.5 mm socket for earphones with a 3.5 mm jack plug, which I prefer.

The Tab 11’s mobile phone functionality does not work in the USA, only Europe and Asia according to Blackview. I can confirm a UK SIM card works perfectly in the Tab 11 in the UK. The SIM card I am using supports the mobile provider’s 5G network but the Tab 11 supports up to 4G LTE, which works fine with the SIM card.

There is significant commonality between the Tab 11 and Tab 10 as they both use Android 11. The Tab 10 has Blackview’s Doke OS_P 1.0 on top of Android 11, whereas the Tab 11 has Doke OS_P 2.0 which has several additional features (split screen functionality, for example).

I have seen a YouTube video review that claims the Tab 11 does not support Widevine L1, despite Blackview’s specification for the Tab 11. I have not tested that feature as it is not something I am particularly interested in. However, I read Blackview’s blog post ‘How to enable or check out Widevine L1 Certification on Blackview Tab 11?‘ and I installed the third-party Android app ‘DRM Info‘ which indicated the Tab 11 supports Widevine L1, although that is as far as I have checked. I installed the BBC iPlayer app on the Tab 11, and programmes play perfectly; video looks great to my eyes, and audio is also excellent. YouTube videos also play well and sound great. I’m not interested in playing games, so cannot comment on that aspect, although the reviews of the Tab 11 I have watched on YouTube claim games performance is good.

I would summarise the Blackview Tab 11’s features as follows:

• It has 8 GB RAM and 128 GB storage.
• The housing is made of aluminium alloy and is strong and rigid.
• The tablet weighs less than the Tab 10.
• It was supplied with a charger, OTG (on-the-go) adapter (USB C plug on one end, USB A socket on the other end), and a protective case which can be folded to make a kickstand.
• It has a 3.5 mm jack socket for earphones.
• In the UK it works well to make and receive phone calls (4G), send and receive SMS messages (4G), and send and receive mobile data (4G). The SIM card for a mobile network that also supports 5G works with 4G too.
• According to Blackview the Tab 11’s mobile phone functionality does not work in the USA. only Europe and Asia.
• It comes with Blackview’s Doke OS_P 2.0 using Android 11.
• It has a bright, crisp screen with automatic brightness adjustment (‘adaptive brightness’).
• It can be connected to a wireless keyboard designed to work with the Tab 11 (see Blackview’s online shop).
• Wi-Fi and Bluetooth work well.
• It is good for browsing the Web, viewing photos, watching YouTube videos and other videos, reading documents, chatting via WhatsApp, Signal and Skype.
• The tap detection is good, and response is snappy.
• Audio is good.

In summary, if you’re in the market for a budget tablet, in my opinion the Blackview Tab 11 would be a good choice; I am very pleased with it. At the time of writing, Blackview’s online shop lists the Tab 11 at GBP 168.44 and the Tab 10 at GBP 145.47. Unless your budget is tight, I would forget the Tab 10; the Tab 11 is the way to go. If you want a tablet that supports a UK SIM card as well as Wi-Fi and Bluetooth, the Blackview Tab 10 and Tab 11 are good budget choices in the UK, although the Tab 11 is a much better choice if you can afford the extra GBP 25 or so. However, US residents should note that the tablets do not support mobile networks in the USA (Wi-Fi and Bluetooth work fine in any case). Blackview’s Web site states “This tablet’s 4G [mobile] network connection can only work in Europe and Asia area, please pay attention before purchasing or consult us.”

croc – another file transfer method

I have lost count of the number of times I have had to send a large file to someone at work, usually in a hurry. I’ve used Dropbox, ownCloud, Firefox Send (no longer available) etc. Transferring large files became a bit easier when e-mail service providers increased the size limit for attachments, but that is still not a solution for very large files. The xkcd cartoon FILE TRANSFER sums up the situation nicely.

I recently discovered the command line utility croc, which the author claims is a way to ‘easily and securely transfer stuff from one computer to another.’ I thought I’d give it a try, if only to have another tool to fall back on in an emergency. It does rely on both ends having croc installed, but hopefully that should not be a show-stopper as croc is available for Linux, Windows, macOS and BSD. To quote the author:

croc differs from a utility like scp because it doesn’t require any two computers to have enabled port-forwarding. Instead, croc will uses a relay – a temporary server setup locally (if both computers are on lan) or publicly (default is at croc4.schollz.com). Any two computers can connect to the relay, and after securing their channel with PAKE [password authenticated key exchange], they can transfer encrypted metadata and data through the relay. The relay works by first having the computers communicate the PAKE protocol via websockets, and then exchanging encrypted metadata, and then stapling the TCP connections directly so that they can transfer directly.

So, to use croc you will be dependent on the public relay provided by the author unless you set up your own relay (instructions are provided in the author’s original 2018 blog post introducing croc – see link above – and in various third-party articles about croc, such as ‘Securely Transfer Files and Folders Between Computers Using Croc‘ and ‘Transfer Files And Folders Between Computers With Croc‘).

Anyway, I installed croc in Lubuntu and Gentoo Linux from the author’s GitHub repository and indeed it is easy to use and works fine. The binary releases for the various OSs and Linux distributions can be found on the Releases page of the GitHub repository or via the OS package manager.

Lubuntu 20.10:

user $ wget https://github.com/schollz/croc/releases/download/v9.1.6/croc_9.1.6_Linux-64bit.deb
user $ sudo dpkg -i croc_9.1.6_Linux-64bit.deb

Gentoo Linux:

root # emerge net-misc/croc

(Note that croc ebuilds are not currently marked as Stable in the Gentoo Linux Portage tree, so you’ll have to unmask them by keyword if you are using the Stable branch.)

Termux:

I even installed croc in Termux on my Samsung Galaxy Note 20 Ultra 5G, and it works in Android too:

$ pkg install croc

Other OSs and other Linux distributions:

See the instructions in the README file online.

Using croc

Using croc is as simple as entering a command on one computer, informing (via e-mail, telephone, SMS, Signal or other social media) the person using the other computer of the command to use, and entering that command on the other computer. For example:

Sender

user $ croc send Documents/flight-times.ods
Sending 'flight-times.ods' (16.6 kB)
Code is: 8878-salary-courage-roger
On the other computer run

croc 8878-salary-courage-roger

Receiver

user $ croc 8878-salary-courage-roger
Accept 'flight-times.ods' (16.6 kB)? (Y/n) 

If the receiving user then enters ‘Y’, the sending user sees something similar to this:

user $ croc send Documents/flight-times.ods
Sending 'flight-times.ods' (16.6 kB)
Code is: 8878-salary-courage-roger
On the other computer run

croc 8878-salary-courage-roger

Sending (->192.168.1.74:60740)
 100% |████████████████████| (17/17 kB, 10.918 MB/s)
user $ 

and the receiving user sees something similar to this:

user $ croc 8878-salary-courage-roger
Accept 'flight-times.ods' (16.6 kB)? (Y/n) Y

Receiving (<-[::1]:39442)
 100% |████████████████████| (17/17 kB, 3.989 MB/s)
user $ 

The observant reader will notice that the above example shows a file being transferred on the same computer. When transferred between different computers the IP addresses of each computer will be displayed instead. I have used croc to transfer files between different computers on my home network (I would normally just use my NAS for this, though), between remote computers on the Internet, and between my computers and my phone via mobile broadband, and croc works in all cases.

I have not mentioned all croc’s features. I’ll leave you to read up on croc in more detail in the links I’ve given above. It looks like it might be a useful tool to have installed.

Using adb tools in Linux to remove bloatware from my Samsung Galaxy Note 20 Ultra

Samsung included a lot of bloatware on my Galaxy Note 20 Ultra 5G, and it is not possible to uninstall it using Play Store. However, it is possible to remove this stuff using adb tools. I got rid of the bloatware I don’t want very easily using the Linux version of the adb tools.

I have never had a Facebook account and never will, so I decided to remove all trace of it as follows:

1. Installed adb tools

In Lubuntu 20.10:

user $ sudo apt install android-tools-adb

In Gentoo Linux:

root # emerge dev-util/android-tools

2. Enabled ‘Developer Options’ on the phone

‘Settings’ > ‘About Phone’ > ‘Software Information’ and quickly tapped 7 times on ‘Build number’.

3. Enabled USB Debugging on the phone

‘Settings’ > ‘Developer options’, scrolled down and tapped on ‘USB debugging’.

4. Launched adb

user $ adb start-server
* daemon not running; starting now at tcp:5037
* daemon started successfully

5. Connected the phone to the computer using the USB cable

A few prompts on the phone asked whether or not I wanted to allow USB debugging. Tapped ‘Always allow from this computer’ and tapped ‘OK’.

6. Uninstalled Facebook

The packages I needed to uninstall were:

com.facebook.appmanager
com.facebook.katana
com.facebook.services
com.facebook.system

First I tried to uninstall with the ‘-k‘ option:

user $ adb uninstall -k --user 0 com.facebook.appmanager
The -k option uninstalls the application while retaining the data/cache.
At the moment, there is no way to remove the remaining data.
You will have to reinstall the application with the same signature, and fully uninstall it.
If you truly wish to continue, execute 'adb shell cmd package uninstall -k'.

See ‘Difference between pm clear and pm uninstall -k on Android‘

I have never been a member of Facebook and never will, so I dispensed with the ‘-k‘ option and entered the following commands:

user $ adb uninstall --user 0 com.facebook.appmanager
Success
user $ adb uninstall --user 0 com.facebook.katana
Success
user $ adb uninstall --user 0 com.facebook.services
Success
user $ adb uninstall --user 0 com.facebook.system
Success

I didn’t want the LinkedIn, Samsung Global Goals and Spotify apps either, so I uninstalled those too:

user $ adb uninstall --user 0 com.linkedin.android
Success
user $ adb uninstall --user 0 com.samsung.sree
Success
user $ adb uninstall --user 0 com.spotify.music
Success

7. Stopped the adb server on the computer

user $ adb kill-server

8. Unplugged the phone from the computer.

That’s it.

In order to disable the apps using this method, you will need to know the exact package name of the app you want to get rid of. For this, use Play Store and install App Inspector (there are several apps with this name in Play Store; I installed the app by Projectoria Ltd but the others look OK too). Launch App Inspector and you can find the package name under the name of the app. This starts with a ‘com‘ or ‘net‘ followed by words separated by dots.

For example, App Inspector shows the package name for LinkedIn as ‘com.linkedin.android‘.

Some useful links:

• How to install and setup ADB tools on Linux
• How To Remove Bloatware on Samsung Galaxy Note 20 and Improve Performance
• WARNING: Do *NOT* delete all the apps in this list
• Disable Bloatware on Your Galaxy Note 20 for Free Without Root
• How to Remove Samsung Bloatware without Root (ADB)

To get a list of all the packages installed on my phone:

user $ adb shell pm list packages

To get a list of system apps only:

user $ adb shell pm list packages -s

To get a list of only Samsung packages:

user $ adb shell pm list packages | grep samsung

To search for e.g. facebook packages:

user $ adb shell pm list packages | grep facebook

(Returns nothing now, as I already deleted all the Facebook packages. Yay!)

To search for other packages, e.g.:

user $ adb shell pm list packages | grep kids
package:com.samsung.android.kidsinstaller
package:com.sec.android.app.kidshome

Installing Linux on an old Motorola Xoom tablet

Back in March 2012 I bought a Motorola Xoom Android tablet (Model MZ604 UK), when tablets were going to be the next big thing. It was available in two versions: 3G and Wi-Fi, and it was the latter version I purchased. When it was released in early 2011 the Xoom was state-of-the-art with its NVIDIA Tegra 2 chip, 1 GB RAM, 32 GB internal storage memory, microSD Card slot (up to 32 GB), Wi-Fi, Bluetooth, GPS, gyroscope, magnetometer, accelerometer, barometer and Android 3.0, trumping the first Apple iPad and Samsung’s Galaxy Tab. It has a 2 MP front-facing camera and 5 MP rear-facing camera that records 720p video, supports 720p video playback, has a 10.1-inch display (1280×800 pixels) and 3D graphics acceleration, and a micro HDMI port.

Apple launched the iPad 2 almost immediately after Motorola launched the Xoom, and the Xoom looked outclassed. By the time I bought my Xoom in March 2012 Motorola was already discounting it. Motorola issued a couple of Android updates for the UK Xoom before the company stopped supporting it, although I think mine lost its second update (Android 4.1.1, if I recall correctly) after I factory-reset it several years later when it became very sluggish. Anyway, ‘Settings’ > ‘About tablet’ tells me it currently has Android 4.0.4 installed.

It had been gathering dust on a shelf for several years until I decided to dust it off yesterday to see if there was anything useful I could still do with it (the answer is: not much). None of the apps on it can be upgraded. The version of the Play Store app can no longer access the Google app store. Even if it could, most of the apps in the app store cannot run in Android 4.0.4. The YouTube app cannot access YouTube. The Web browser cannot browse many modern Web sites and can no longer download files either, displaying a message that the browser is no longer supported and must be updated — except that it cannot be. The Google Talk app no longer works since Google pulled the plug on its Talk service (not that I ever used Google Talk anyway). The Gmail app still works, but I don’t use Gmail either. The Maps app still works, as do the Music and Gallery apps.

I connected the Xoom to my desktop machine using a USB cable (Type-A to Micro-USB) and was able to copy files quickly and easily to and from the Xoom. I systematically set about finding versions of Android APK files on the Web that the Xoom would be able to install. APKPure for Android is one of several Web sites to find older versions of APK files. The latest versions I found that the Xoom could install are as follows:

Google Chrome browser

com.android.chrome-42.0.2311.111-2311111-minAPI14.apk

This old version of the Google Chrome browser works better than the browser supplied with Android 4.0.4 on the Xoom but is still not much use, as it cannot browse many sites and cannot download files either. It can access YouTube and play some of the videos, which is some consolation given that neither the browser nor the YouTube apps supplied with Android 4.0.4 can access YouTube any more.

File Manager + (an excellent Android app, by the way)

File Manager_v2.6.0_apkpure.com.apk

This older version of File Manager + works well in Android 4.0.4 on the Xoom, and even enables me to browse files on my Cloud server via WebDAV, although the Xoom cannot open hi-res photos (4032×3024 etc.) via WebDAV. This version of File Manager + supports SMBv1 but not later versions of the protocol, so I cannot browse SMB shares on my home network, as all my machines use either SMBv2 or SMBv3. Pity.

Total Commander

Total Commander file manager_v3.20_apkpure.com.apk
WebDAV plugin Total Commander_v3.01_apkpure.com.apk
LAN plugin for Total Commander_v3.20_apkpure.com.apk

Although I find Total Commander’s UI rather old-fashioned, with the WebDAV and LAN plugins installed I can browse files on my Cloud server via WebDAV, and browse files on my NAS via SMBv2/v3. So Total Commander works well, and the Xoom can open hi-res photos (4032×3024 etc.) via either protocol.

NewPipe legacy (forked by sh000gun to work with Android 4.0+)

NewpipeLegacy-armeabi-v7a-API-14.apk

This open-source YouTube app works in Android 4.0.4 on the Xoom and allows me to view some YouTube videos, although the app tends to crash quite often. Still, it is better than the YouTube app supplied with Android 4.0.4 on the Xoom, as that does not work at all and cannot be upgraded.

Linux

The following Android apps enabled me to root the Xoom and install and run an old version of Linux in a chroot:

BusyBox_v64_apkpure.com.apk

Linux Deploy_v2.5.0_apkpure.com.apk

VNC Viewer Remote Desktop_v2.1.1.019679_apkpure.com.apk

Those were the most-recent versions of the BusyBox, Linux Deploy and VNC Viewer apps for Android that the Xoom could manage to install.

I downloaded the tarball LAIOT.tar.gz from the following Web page and extracted the file TiamatCWM.img from it:

https://sourceforge.net/projects/laiot/files/LAIOT.tar.gz/download?use_mirror=phoenixnap&r=&use_mirror=master

Note: Do NOT try to run the shell scripts in LAIOT, because they are out of date and will mess up the ADB and Fastboot tools in Linux on the desktop machine.

To be able to install Linux it was first necessary to root Android 4.0.4 on the Xoom. I used a modified version of the procedure given in the 2014 blog post Motorola Xoom Root on Linux:

• I installed ADB and Fastboot on a desktop machine running Lubuntu 20.10:

user $ sudo apt install adb
user $ sudo apt install fastboot

• I enabled the USB Debugging mode on the Xoom (‘Settings’ > ‘Developer options’).
• I downloaded the file Xoom-Universal-Root.zip from XDA Developers Forums thread [Root] Universal Xoom Root – ANY XOOM ANY UPDATE. The main link in that thread no longer works but a link in Post #411 in the thread still downloads the file.
• I inserted a 32 GB microSD card in the Xoom microSD Card slot.
• I connected the Xoom to the desktop machine via a USB cable.
• I copied the file Xoom-Universal-Root.zip to the microSD card.
• I checked connectivity:

user $ adb devices
* daemon not running. starting it now on port 5037 *
* daemon started successfully *
List of devices attached 
0299918743aad023        device

• I reboot the Xoom:

user $ adb reboot bootloader

• ‘Starting Fastboot protocol support’ was displayed on the Xoom’s boot screen. I typed the following commands on the desktop machine:

user $ fastboot oem unlock

• In response to a question on the text screen on the Xoom I pressed Volume Down (accept) then Volume Up (confirm).
• I repeated the process to confirm, i.e. I pressed Volume Down (accept) then Volume Up (confirm).
• ‘Device unlock operation in progress’ appeared on the Xoom screen and the Xoom rebooted.
• The bootloader was now unlocked.
• I typed the following commands on the desktop machine:

user $ adb reboot bootloader
user $ fastboot flash recovery TiamatCWM.img

• When flashing was complete I rebooted the Xoom by pressing Volume Up + the ON/OFF button.
• Upon booting, when the Motorola logo appeared I pressed Volume Down.
• ‘Android Recovery’ appeared in the top left corner of the screen.
• I pressed Volume Up to enter recovery mode.
• This mode is called ‘ClockworkMod recovery’. I selected ‘Install zip from sdcard’ > ‘Choose zip from sdcard’, then selected the zip file I had downloaded earlier to the microSD card (Use Volume Up/Down to navigate and ON/OFF to select).
• I rebooted, and root access was enabled. I verified this by downloading the Android app ‘Root Checker_v6.5.0_apkpure.com.apk’, copying it to the Xoom via USB, installing it and launching the app.

Now that the Xoom had been rooted, I could proceed with installing Linux in a chroot. To do this I followed the procedure given in the 2017 Android Authority article How to install a Linux desktop on your Android device. In the Linux Deploy app I selected ‘Ubuntu’ as the distribution, ‘Precise [Pangolin]’ as the distribution suite, and LXDE as the desktop environment. I installed the three apps BusyBox, Linux Deploy and VNC Viewer, launched the BusyBox app and tapped ‘Install’. Then I launched Linux Deploy, tapped the configuration icon next to the STOP button in the top right of the screen and configured Linux Deploy as follows:

BOOTSTRAP

	Distribution
	Ubuntu

	Architecture
	armhf

	Distribution suite
	precise

	Source path
	http://ports.ubuntu.com/

	Installation type
	File

	Installation path
	${EXTERNAL_STORAGE}/linux.img

	Image size (MB)
	Automatic calculation

	File system
	ext4

	User name
	root

	User password
	android

	Privileged users
	root

	Localization
	C

	DNS
	Automatic detection

	Network trigger

	Power trigger

INIT

	Enable
	Allow to use a initialization system  <--- NOT TICKED

	Init system
	run-parts

	Init settings
	Change settings for the initialization system

MOUNTS

	Enable
	Allow to mount the Android resources  <--- NOT TICKED

	Mount points
	Edit the mount points list

SSH

	Enable
	Allow to use a SSH server  <--- NOT TICKED

	SSH settings
	Change settings for SSH server

PULSEAUDIO

	Enable
	Allow to use an audio output  <--- NOT TICKED

GUI

	Enable
	Allow to use a graphical environment  <--- TICKED

	Graphics subsystem
	VNC

	GUI settings
	Change settings for the graphics subsystem

	Desktop environment
	LXDE

Then I tapped the three-dot icon in the top right of the screen, tapped ‘Install’ then ‘OK’. Once the messages on the screen stopped scrolling and a final message ‘<<< deploy’ was displayed, I tapped the START arrow and ‘OK’.

I launched VNC Viewer, tapped the ‘+’ icon to add a new connection, entered ‘localhost:5900’ for the address and ‘Linux’ for the name, tapped ‘CREATE’ then ‘CONNECT’. From there I was prompted to enter the password I had specified previously under ‘User password’ (see above), and the LXDE Desktop was displayed.

After following the procedure in the above-mentioned article to configure and install the Linux image, subsequently I use the following steps to start and stop Linux on the Xoom:

To start Linux on the Xoom, use Linux Deploy.
Press the ‘START’ arrow at the top right of the Linux Deploy screen.
Then open VNC and press ‘Connect’.

To exit Linux on the Xoom, use Linux Deploy.
Tap the square ‘STOP’ button at the top right of the Linux Deploy screen.
Tap ‘OK’ to ‘Stop services & unmount the container’.
Then tap the menu button (three horizontal bars) at the top left of the Linux Deploy screen.
Tap ‘Exit’.

To exit VNC Viewer:
Press the ‘Recent Apps’ icon (two overlapping rectangles) at the bottom left of the Xoom’s Android screen.
Swipe to the left to close the app.

The phone name assigned automatically by Android on my new phone prevented Bluetooth pairing and connecting in Linux

I recently installed Lubuntu 20.10 on a desktop machine, but Bluetooth did not work with my new phone (Samsung Galaxy Note 20 Ultra with Android 11). Bluetooth had worked fine in Lubuntu 18.04 on the same desktop machine with my previous Android phone (Samsung Galaxy Note 8 with Android 9).

The first thing I discovered was that, although the Lubuntu 20.10 Installer had installed Bluez, it had not installed a Bluetooth manager, so I installed Blueman:

$ sudo apt install blueman

Then, I re-installed Bluez just to be sure:

$ sudo apt install --reinstall bluez

The Bluetooth device was detected but Lubuntu 20.10 would not pair with my new phone.

The Bluetooth device was definitely unblocked:

$ rfkill --output-all
ID TYPE      DEVICE TYPE-DESC         SOFT      HARD
 1 wlan      phy0   Wireless LAN unblocked unblocked
 2 bluetooth hci0   Bluetooth    unblocked unblocked

Now, the phone name Android 11 had assigned automatically to my new phone was Fitzcarraldo’s Galaxy Note20 Ultra 5G. After trying many things, I began to wonder if the apostrophe in the phone name was causing the problem, so I changed the name in the phone (Settings > About phone > Edit) to Fitzcarraldo Galaxy Note20 Ultra 5G. Blueman/Bluez were then able to pair with, and connect to, the phone. Problem solved, but what a silly cause.

Why I switched from WhatsApp to Signal

I had avoided WhatsApp until late 2017 when one of my family installed it on my phone with the promise I would find it useful to keep in touch during a two-month work trip. Actually, it turned out to be more useful for work, as WhatsApp is the preferred method of communication at the company I visited on that trip.

Now, I was aware that Facebook acquired WhatsApp in 2014 for US$19 billion. I do not have a Facebook account and have no intention of getting one, and the fact Facebook owns WhatsApp was one of the reasons I had been reluctant to install WhatsApp in the first place. However, it didn’t take me long to like WhatsApp. The UI is very well designed, the functionality excellent and WhatsApp Web is easy and convenient to use. WhatsApp is a polished product, no doubt about that. The end-to-end encryption of WhatsApp messages is comforting, although that was not my main reason for using it. Offhand I can only think of one function I find annoying in the WhatsApp UI: when you forward a message containing an image, there is no automatic way to include the text accompanying the original message.

Recently I have read several articles stating that Facebook intends to display advertising in WhatsApp from 2020 onwards. I am sick and tired of ‘surveillance capitalism‘ tracking me and bombarding me with advertising on the Web, and this news prompted me to search for a replacement for WhatsApp. A newspaper article mentioned Signal, which I learned happens to be the source of the encryption protocol used by WhatsApp. I also learned that WhatsApp co-founder Brian Acton, who left Facebook in 2017, is Executive Chairman of the Signal Foundation, which he co-founded with the creator of Signal in 2018. So I decided to give Signal a try, and was pleasantly surprised as the UI is very similar to WhatsApp. OK, it’s not quite as polished aesthetically, but it was easy to use from the get-go.

I initially found Signal’s security-related functionality confusing. I was not sure what the so-called ‘Safety Number‘ per contact does. It turns out that you can ensure your connection with a given contact is secure by ‘verifying the Safety Number’ with that contact. From then onwards ‘✓Verified‘ will appear next to the contact’s name and phone number at the top of the conversation window. Verifying the Safety Number is optional, which was not clear to me initially. Each contact’s Safety Number is actually a 3 x 4 table of 5-digit numbers. You should compare the Safety Number in your app with the Safety Number in your contact’s app in a way that prevents someone intercepting you both; you can either scan a QR Code or make a visual or audible comparison of the Safety Number in your app with the Safety Number in your contact’s app. If both Safety Number tables match, you can both click on ‘Mark as verified’ in your app. The app will then warn you if a safety number has been changed because someone is intercepting your conversation (a so-called ‘man-in-the-middle’ attack).

The other security-related function I found confusing initially is resetting a session (‘Settings’ > ‘Reset session’). It is normally not necessary for you to touch this, but, if for some reason the encryption keys between two contacts no longer match (the Signal app would notify you if that occurs), either party can reset their session and force Signal to negotiate a new session.

Unlike WhatsApp, Signal does not have a Web browser UI to use on desktop machines. It used to have such an interface (using Google’s Chrome browser) but now there is a Signal desktop app instead, with versions available for Windows, Mac OS and Linux. I have Gentoo Linux on my laptops and Lubuntu Linux on the family desktop, so I have installed the Linux desktop Signal app on those machines.

Unlike WhatsApp, the phone app and the desktop app do not sync earlier messages. By this I mean that, if you install the desktop app and launch it, you will not see any earlier messages that are visible in the phone app. Similarly, if you delete a message in the phone app it will not be deleted in the desktop app, and vice versa. This is a bit of a nuisance, but is OK once you get used to it. Perhaps this has been done with security as well as storage capacity in mind; Signal stores as little of your data as possible on its servers.

Below are a few aspects of Signal functionality that I prefer over WhatsApp:

• In the phone app it is possible to set the colour of the background (‘wallpaper’) for contacts, not just the top-level page. Thus I have made the background black for contacts to help a little to conserve the phone’s battery charge.
• When I forward a message that includes an image, Signal includes the original text as well as the image. Further more, it gives me the opportunity to edit the message text before actually forwarding the message.
• When I forward a message containing an image, the whole image is displayed. For example, recently someone sent me a WhatsApp message containing a cartoon which I did not understand; I did not realise there was a caption until I tapped on the image to expand it. When I forwarded the message to a Signal contact (by selecting the message in WhatsApp and tapping the Share icon), the caption at the bottom of the cartoon was visible in the resulting Signal message without needing to tap on the image.
• The Signal phone app lets you disable link previews (a.k.a. ‘URL previews’) easily in Settings, whereas you cannot disable link previews in WhatsApp (see Should WhatsApp let you disable URL previews?).
• Signal allows you to specify a message lifetime (‘Disappearing messages’). You can specify that messages will never be deleted automatically, or will be deleted after a certain time has elapsed (user-selectable from 5 seconds up to 1 week).
• Although WhatsApp uses Signal’s encryption technology, unlike Signal it does not encrypt backups.
• Unlike WhatsApp, Signal does not store message metadata.
• Signal is fully open-source (and free of charge, with a promise of no advertising). WhatsApp is closed-source.
• The icons of contacts are obtained from your phone’s contact list, not specified within the app itself. Some of my WhatsApp contacts have not bothered to create an icon in WhatsApp, but I had set up an icon for them in my phone’s contact list, and that icon is used in Signal.

Below are a few aspects of WhatsApp functionality that I prefer over Signal:

• Signal has the ability to show link previews for a few Web sites (currently for Imgur, Instagram, Reddit, and YouTube only), whereas WhatsApp shows them for all sites. (From a security perspective some people might regard this as a disadvantage of WhatsApp.)
• I prefer the white/green ticks in WhatsApp to the unfilled/filled circles with ticks in Signal, but that is purely an aesthetic opinion.
• WhatsApp syncs all messages between the phone app and the Web UI, not just new messages, whereas Signal just syncs the messages sent and received since you installed the desktop app. (From a Security perspective some people might regard this as an advantage of Signal over WhatsApp.)

Conclusion

In general I find Signal as good as WhatsApp, if not better. I had been worried I would not find an alternative to WhatsApp that is as easy to use and as intuitive. In fact Signal is very good, and, once you understand the security features I mentioned above, it is essentially the same as WhatsApp, which was a relief to me as I like the general concept of the WhatsApp UI.

At the moment I am having to use both WhatsApp and Signal because some of my contacts only use WhatsApp, but I have already persuaded some contacts to switch to Signal and I anticipate more will migrate to Signal once WhatsApp begins displaying adverts next year.

A correct method of configuring Samba for browsing SMB shares in a home network

SMB
SMB (Server Message Block) is the underlying protocol that Microsoft Windows computers use to connect to resources, such as file shares and printers, and to transfer information when the connections are established. Samba is the Linux implementation of SMB that allows file and printer information to be transferred between Windows and Linux computers. An early variant of the SMB protocol is known as ‘CIFS’ (Common Internet File System). CIFS is actually obsolete, so the correct term to use these days is ‘SMB’ (see the blog post Why You Should Never Again Utter The Word, "CIFS"), although ‘CIFS’ is still used sometimes when referring to SMB.

Terminology
You are likely to come across several terms when reading about Samba, such as NetBIOS, Active Directory (AD), Lightweight Directory Access Protocol (LDAP), Kerberos, Windows Internet Name Service (WINS) and Winbind, to name but a few. Most are used in larger corporate or enterprise networks but you can ignore most of them – only broadcast NetBIOS name resolution or WINS are necessary to configure Samba in small home networks. For example, my home network uses broadcast NetBIOS name resolution and sometimes has up to 15 devices connected (Linux, Windows 7/10, macOS, Android and iOS), all of which can browse file shares using SMB/Samba.

Note: You should not use Broadcast NetBIOS Name Resolution and WINS at the same time.

To explain the terminology – Active Directory is a central database of user accounts and passwords used primarily in Windows networks to authenticate users, and LDAP is the protocol that clients and servers use to access the Active Directory database. Kerberos is a separate encrypted authentication mechanism used for client-server applications, such as computers that access a specific file or web server, or SQL database. WINS is a mechanism for storing Windows computer name to IP address mappings on a central server – the WINS Server. Computers in a LAN interrogate the WINS server to obtain the IP addresses of other computers. It’s a bit like DNS except that the WINS Server stores Windows computer names rather than URLs or domain names. Winbind is a Unix/Linux mechanism that allows Windows NT accounts to look like a Unix service to Unix/Linux machines.

NetBIOS
How is NetBIOS relevant to Samba? Samba uses NetBIOS in three different ways:

1. NetBIOS over UDP Port 137 to advertise Windows computer names for name to IP address resolution;
   

2. NetBIOS over UDP Port 138 to advertise services that the computer offers and to elect a ‘Master Browser’ (explained below);
   

3. SMB over NetBIOS over TCP/IP Port 139 to connect to file shares or printers. Once connected, the computers may negotiate using SMB direct over TCP/IP Port 445 to improve efficiency of the connection.

NetBIOS over UDP (Port 137) is a connectionless broadcast protocol that Windows machines use to advertise over the LAN their names and corresponding IP addresses. Other computers receive the broadcasts and cache the names and IP addresses in a name to IP address mapping table.

NetBIOS over UDP (Port 138) is a connectionless broadcast protocol that Windows machines use to advertise their eligibility to become the Master Browser or Backup Browser for a Windows Workgroup in the LAN. An automatic election process elects only one machine in a Workgroup to become the Master Browser for that workgroup, and elects one or more ‘Backup Browsers’ in the Workgroup. The Master Browser and Backup Browser(s) collate a list of all the computers in the Workgroup and the services that they offer. It is more efficient for a single computer to assume the master role and to collate the information than it is for the information to remain distributed. When you click on ‘Network’† in File Explorer’s ‘Network Neighbourhood’‡ window, your computer interrogates the Master Browser(s) to obtain a list of the Windows Workgroups in the LAN, the members of the Workgroup(s) and the file and printer services that each Workgroup member offers. If the Master Browser fails or is disconnected, a re-election takes place and a new Master Browser is elected from the list of Backup Browsers in that Workgroup. The same process occurs if you are using a Linux file manager (Dolphin in KDE, Nautilus in GNOME, etc.) with Samba. You can configure the ‘priority’ of the Samba server in each machine in the Workgroup so that it is either more likely or less likely to be elected the Master Browser for the Workgroup. You could even configure Samba on a Linux machine so that it will never be a Master Browser. (It is also possible to configure a Windows machine so that it will never be a Master Browser.)

    † Renamed ‘Entire Network’ in some versions of Windows.
    ‡ Renamed ‘My Network Places’ or simply ‘Network’ in some versions of Windows.

SMB over NetBIOS over TCP/IP (Port 139) is a connection orientated protocol that Windows computers use to connect to file shares and printers, to retrieve directory listings and to transfer files. Having obtained a list of computers and file shares from the Master Browser, if you click on a particular file share to connect to it, your computer looks up the name of the target computer in the local name table, obtains the target computer’s IP address and initiates a SMB over NetBIOS over TCP/IP connection to it. The target computer then issues a username and password prompt for you to complete the connection. If authentication is successful, the SMB protocol is used to transfer a directory listing of the contents of the share. If you drag and drop a file from the share to your local machine, or vice-versa, SMB is used to transfer the file. Behind the scenes, during the initial connection set-up, your computer and the target carry out a negotiation. If both machines support SMB direct over TCP/IP, the directory listing and subsequent file transfer are transported using SMB over TCP/IP Port 445. This is much more efficient because it eliminates completely the NetBIOS overhead.

When you install and configure Samba on a Linux computer, the ‘smbd‘ and ‘nmbd‘ daemons enable all of the functionality above. In a small network you do not need to enable or use AD, LDAP, Kerberos, WINS, Winbind or anything else for that matter. Samba and its built-in NetBIOS mechanisms will allow you to participate in a Windows Workgroup environment to share and use folders, files and printers.

Workgroups
The majority of Windows computers running in home networks are configured, by default, in a single Workgroup. A Workgroup is a simple way for computers in small networks to advertise and share resources, such as folders and printers, with other members of the same group. You can configure multiple Workgroups in the same LAN but each computer can belong to only one Workgroup. The theory is that different computers can share different resources within their group.

Please Note: A Windows Workgroup is not the same thing as a Windows HomeGroup. The latter concept was introduced in Windows 7 and is an ‘evolution’ of the Workgroup concept, in which you share folders and files but specify a pre-determined group password. All computers wishing to join the HomeGroup specify the same password to connect to the resources in that group. Samba does not participate in Windows HomeGroups because the latter is a Windows-only feature.

Configuring Samba
Firstly, install Samba on the Linux computer. Use Samba 4 and avoid Samba 3, which is obsolete. I have several laptops and a Network Addressable Storage (NAS) server, all running Linux with various releases of Samba 4. I also have a desktop computer running Windows 10 for family use. In addition, family and friends connect various laptops running Windows 7 and Windows 10 to my home network, as well as tablets and smartphones (see How to Access Shared Windows Folders on Android, iPad, and iPhone). This NAS runs 24/7 so I could have configured Samba to always make it the Master Browser but this is not necessary as the remaining computers in the network will elect a new Master Browser should the NAS fail.

Below is a summary of the steps to configure Samba in a Windows Workgroup:

1. Configure the same Workgroup name on all of the Windows computers (for example, How to Change Workgroup in Windows 10). The default Windows 10 Workgroup is called ‘WORKGROUP‘. In the example further down I used the Windows GUI to change the Workgroup name to ‘GREENGABLES‘. There is plenty of information on the Internet about how to configure Windows file sharing so I won’t repeat any of it here (for example, How to Enable Network Discovery and Configure Sharing Options in Windows 10 and How to set up file sharing on Windows 10 (Share files using File Explorer)).
   

2. Configure Samba on the Linux machines by editing the file ‘/etc/samba/smb.conf‘ on each. The contents of the file ‘smb.conf‘ are shown below for a Linux NAS and two Linux laptops. The NetBIOS name of the NAS is ‘akhanaten‘ and the laptops are ‘tutankhamun‘ and ‘smenkhkare‘. You can use either of the smb.conf files of the two laptops as a template for the smb.conf file of any Linux computer in your own home network. You can ignore the smb.conf file of the NAS if you simply want to be able to browse SMB/Samba shares on other computers in your home network.
   

3. Use the command ‘pdbedit‘ on each Linux machine to define and configure the Samba users on that machine. The command ‘smbpasswd‘ is an alternative to ‘pdbedit‘ but I recommend you use the latter, as ‘smbpasswd‘ is deprecated. Each Samba user must exist as a Linux user because it is the Linux users who own the shares and are used for authentication.
   

4. The NAS has Linux users ‘anne‘, ‘marilla‘, ‘matthew‘ and ‘guest‘, whereas each of the laptops has a Linux user ‘anne‘. The user name does not have to be the same on different computers.
   

5. The purpose of each variable in ‘smb.conf‘ is explained on the applicable Samba manual page (enter the command ‘man smb.conf‘ in a terminal window) and the Samba documentation page for smb.conf on the Web.

Furthermore, make sure the Winbind daemon is not running. If Winbind is installed, make sure the service is not running and is disabled.

smb.conf of NAS running Ubuntu Server Edition:

[global]
# SMB uses ports 139 & 445, as explained in this blog post
smb ports = 139 445
netbios name = akhanaten
workgroup = greengables

# Use either NetBIOS broadcast for name resolution or entries in the /etc/hosts file
name resolve order = bcast host

# Don't care if the workgroup name is upper or lower case
case sensitive = no

# User authentication is used to access the shares
security = user
map to guest = bad user
guest account = guest

# Don't allow the use of root for network shares
invalid users = root

# Domain master only applies to LANs that are inter-connected across a WAN
domain master = no

# This machine is eligible to be a Master Browser and its priority is 4
# (the higher the os level, the more preferred to be Master Browser)
# (the maximum allowable value for os level is 255)
preferred master = yes
os level = 4
dns proxy = no

# Always advertise the shares automatically
auto services = global

# Interfaces on which to listen for NetBIOS broadcasts and to allow SMB connections
# Include "lo" because it is the internal interface
# em1 is the name of the Ethernet interface, found using the ifconfig command
interfaces = lo em1
bind interfaces only = yes
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0

panic action = /usr/share/samba/panic-action %d
server role = standalone server
passdb backend = tdbsam
obey pam restrictions = yes

# Don't synchronise the Linux and Samba user passwords - they can be different
unix password sync = no
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes

# This Samba configuration does not advertise any printers
load printers = no

# File to map long usernames to shorter Unix usernames, if necessary
username map = /etc/samba/smbusers

# Allow guest user access if specified in the shares
guest ok = yes

# First user share is called "anne" - only user "anne" specified below can connect to the share
[anne]
comment = "anne share"
path = /nas/shares/anne
writeable = yes
valid users = anne

# Second user share is called "marilla" - only user "marilla" specified below can connect to the share
[marilla]
comment = "marilla share"
path = /nas/shares/marilla
writeable = yes
valid users = marilla

# Third user share is called "matthew" - only user "matthew" specified below can connect to the share
[matthew]
comment = "matthew share"
path = /nas/shares/matthew
writeable = yes
valid users = matthew

# Fourth user share is called "guest" - any user can connect to the share
[guest]
comment = "guest account"
path = /nas/shares/guest
writeable = yes
guest ok = yes
valid users = guest anne marilla matthew

smb.conf of laptop #1 running Gentoo Linux:

[global]
;no need to specify 'smb ports' as ports 139 & 445 used by default
workgroup = GREENGABLES
netbios name = tutankhamun
case sensitive = no
browseable = yes

;If this machine becomes a Master Browser, the following parameter allows it to hold the browse list
browse list = yes

printcap name = cups
printing = cups

log file = /var/log/samba/log.%m
max log size = 50

security = user
map to guest = bad user

encrypt passwords = yes
passdb backend = tdbsam

domain master = no
local master = yes
preferred master = yes
; os level = 6 on the other laptop, so I have made it 5 on this laptop.
os level = 5
name resolve order = bcast
wins support = no
dns proxy = no

;Listen for NetBIOS on Ethernet and Wireless interfaces
;Names of the interfaces found using ifconfig command
interfaces = enp4s0f1 wlp3s0

[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
guest ok = yes

[printers]
comment = All Printers
path = /var/spool/samba
guest ok = yes
printable = yes
create mask = 0700

[print$]
path = /var/lib/samba/printers
write list = @adm root
guest ok = yes

[anne-share]
path = /home/anne/anne-share/
guest ok = yes
;read only = no
writeable = yes
browseable = yes
valid users = anne

[Public]
path = /home/anne/Public/
guest ok = yes
;read only = no
writeable = yes
browseable = yes

smb.conf of laptop #2 running Gentoo Linux:

[global]
;no need to specify 'smb ports' as ports 139 & 445 used by default
workgroup = GREENGABLES
netbios name = smenkhkare
case sensitive = no
browseable = yes

;If this machine becomes a Master Browser, the following parameter allows it to hold the browse list
browse list = yes

printcap name = cups
printing = cups

log file = /var/log/samba/log.%m
max log size = 50

security = user
map to guest = bad user

encrypt passwords = yes
passdb backend = tdbsam

domain master = no
local master = yes
preferred master = yes
; os level = 5 on the other laptop so I have made it 6 on this laptop
os level = 6
name resolve order = bcast
wins support = no
dns proxy = no

;Listen for NetBIOS on Ethernet and Wireless interfaces
;Names of the interfaces found using ifconfig command
interfaces = eth0 wlan0

[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
guest ok = yes

[printers]
comment = All Printers
path = /var/spool/samba
guest ok = yes
printable = yes
create mask = 0700

[print$]
path = /var/lib/samba/printers
write list = @adm root
guest ok = yes

[anne-share]
path = /home/anne/share-share/
guest ok = yes
;read only = no
writeable = yes
browseable = yes
valid users = anne

[Public]
path = /home/anne/Public/
guest ok = yes
;read only = no
writeable = yes
browseable = yes

Samba Commands
The following are Samba commands you can use on any of the Linux computers to find information on the Samba shares.

The ‘smbtree‘ command lists the computers currently using SMB in the local network:

user $ smbtree
GREENGABLES
        \\AKHANATEN                     Samba 4.3.11-Ubuntu
                \\AKHANATEN\IPC$                IPC Service (Samba 4.3.11-Ubuntu)
                \\AKHANATEN\guest               guest account
                \\AKHANATEN\matthew             matthew share
                \\AKHANATEN\marilla             marilla share
                \\AKHANATEN\anne                anne share
        \\SMENKHKARE                    Samba 4.2.14
                \\SMENKHKARE\Samsung_CLX-8385ND Samsung CLX-8385ND
                \\SMENKHKARE\Canon_MP510_Printer        Canon MP510 Printer
                \\SMENKHKARE\Virtual_PDF_Printer        Virtual PDF Printer
                \\SMENKHKARE\Canon_MP560_WiFi   Canon MP560 WiFi
                \\SMENKHKARE\IPC$               IPC Service (Samba 4.2.14)
                \\SMENKHKARE\Public         
                \\SMENKHKARE\anne-share     
                \\SMENKHKARE\print$         
                \\SMENKHKARE\netlogon           Network Logon Service
        \\TUTANKHAMUN                   Samba 4.2.11
                \\TUTANKHAMUN\Samsung_Xpress_C460FW     Samsung Xpress C460FW
                \\TUTANKHAMUN\Canon_MP560_Printer       Canon PIXMA MP560
                \\TUTANKHAMUN\Canon_MP510_Printer       Canon PIXMA MP510
                \\TUTANKHAMUN\Virtual_PDF_Printer       Virtual PDF Printer
                \\TUTANKHAMUN\IPC$              IPC Service (Samba 4.2.11)
                \\TUTANKHAMUN\Public
                \\TUTANKHAMUN\anne-share
                \\TUTANKHAMUN\print$
                \\TUTANKHAMUN\netlogon          Network Logon Service
HOME
        \\BTHUB5                        BT Home Hub 5.0A File Server
                \\BTHUB5\IPC$                   IPC Service (BT Home Hub 5.0A File Server)

‘BTHUB5‘ is a BT Home Hub 5 (a network router and broadband modem). Notice that it is configured by default to be in a Windows Workgroup named ‘HOME‘. The BT Home Hub 5 has a USB port to which an external USB HDD could be attached, so I assume computers in the home network could have been configured to use the HOME Workgroup instead of GREENGABLES and hence access that USB HDD, i.e. use it as a NAS. However, no HDD is attached to the BT Home Hub 5, so just ignore the BTHUB5 device and the HOME Workgroup.

The ‘nmblookup‘ command is used to see which services each computer offers. The strings ‘..__MSBROWSE__.‘ and ‘<1d>‘ in the output indicate that the computer is currently the Master Browser (see the Microsoft TechNet article NetBIOS Over TCP/IP for details):

user $ nmblookup akhanaten
192.168.1.70 akhanaten<00>

user $ nmblookup -A 192.168.1.70
Looking up status of 192.168.1.70
        AKHANATEN       <00> -         B <ACTIVE>
        AKHANATEN       <03> -         B <ACTIVE>
        AKHANATEN       <20> -         B <ACTIVE>
        GREENGABLES     <00> - <GROUP> B <ACTIVE>
        GREENGABLES     <1e> - <GROUP> B <ACTIVE>

        MAC Address = 00-00-00-00-00-00

user $ nmblookup tutankhamun
192.168.1.79 tutankhamun<00>

user $ nmblookup -A 192.168.1.79
Looking up status of 192.168.1.79
        TUTANKHAMUN     <00> -         B <ACTIVE>
        TUTANKHAMUN     <03> -         B <ACTIVE>
        TUTANKHAMUN     <20> -         B <ACTIVE>
        GREENGABLES     <00> - <GROUP> B <ACTIVE>
        GREENGABLES     <1e> - <GROUP> B <ACTIVE>

        MAC Address = 00-00-00-00-00-00

user $ nmblookup smenkhkare
192.168.1.90 smenkhkare<00>

user $ nmblookup -A 192.168.1.90
Looking up status of 192.168.1.90
        SMENKHKARE      <00> -         B <ACTIVE>
        SMENKHKARE      <03> -         B <ACTIVE>
        SMENKHKARE      <20> -         B <ACTIVE>
        ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE> 
        GREENGABLES     <00> - <GROUP> B <ACTIVE>
        GREENGABLES     <1d> -         B <ACTIVE>
        GREENGABLES     <1e> - <GROUP> B <ACTIVE>

        MAC Address = 00-00-00-00-00-00

‘..__MSBROWSE__.‘ and ‘<1d>‘ in the above output indicates that the laptop named smenkhkare is currently the Master Browser of the Workgroup named GREENGABLES. See the Microsoft TechNet article NetBIOS Over TCP/IP to interpret the output.

Now let’s look at what happens when thutmoseiii, the Windows 10 desktop connected to this home network, is powered up:

user $ smbtree
GREENGABLES
        \\AKHANATEN                     Samba 4.3.11-Ubuntu
                \\AKHANATEN\IPC$                IPC Service (Samba 4.3.11-Ubuntu)
                \\AKHANATEN\guest               guest account
                \\AKHANATEN\matthew             matthew share
                \\AKHANATEN\marilla             marilla share
                \\AKHANATEN\anne                anne share
        \\SMENKHKARE                    Samba 4.2.14
                \\SMENKHKARE\Samsung_CLX-8385ND Samsung CLX-8385ND
                \\SMENKHKARE\Canon_MP510_Printer        Canon MP510 Printer
                \\SMENKHKARE\Virtual_PDF_Printer        Virtual PDF Printer
                \\SMENKHKARE\Canon_MP560_WiFi   Canon MP560 WiFi
                \\SMENKHKARE\IPC$               IPC Service (Samba 4.2.14)
                \\SMENKHKARE\Public
                \\SMENKHKARE\anne-share
                \\SMENKHKARE\print$
                \\SMENKHKARE\netlogon           Network Logon Service
        \\TUTANKHAMUN                   Samba 4.2.11
                \\TUTANKHAMUN\Samsung_Xpress_C460FW     Samsung Xpress C460FW
                \\TUTANKHAMUN\Canon_MP560_Printer       Canon PIXMA MP560
                \\TUTANKHAMUN\Canon_MP510_Printer       Canon PIXMA MP510
                \\TUTANKHAMUN\Virtual_PDF_Printer       Virtual PDF Printer
                \\TUTANKHAMUN\IPC$              IPC Service (Samba 4.2.11)
                \\TUTANKHAMUN\Public
                \\TUTANKHAMUN\anne-share
                \\TUTANKHAMUN\print$
                \\TUTANKHAMUN\netlogon          Network Logon Service
        \\THUTMOSEIII                   Lounge Computer
HOME
        \\BTHUB5                        BT Home Hub 5.0A File Server
                \\BTHUB5\IPC$                   IPC Service (BT Home Hub 5.0A File Server)

user $ nmblookup thutmoseiii
192.168.1.74 thutmoseiii<00>
192.168.56.1 thutmoseiii<00>

user $ nmblookup -A 192.168.1.74
Looking up status of 192.168.1.74
        THUTMOSEIII     <20> -         B <ACTIVE> 
        THUTMOSEIII     <00> -         B <ACTIVE> 
        GREENGABLES     <00> - <GROUP> B <ACTIVE> 
        GREENGABLES     <1e> - <GROUP> B <ACTIVE> 

        MAC Address = AA-BB-CC-DD-EE-FF (anonymised by me)

So Linux computer smenkhkare remained the Master Browser. This is because the Windows 10 computer has its Registry subkey HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters\MaintainServerList set to ‘Auto‘, and also there is no subkey \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters\IsDomainMaster so implicitly its value is False (i.e. the computer is not a Preferred Master Browser). See Microsoft TechNet article Specifying Browser Computers for details.

By the way, notice that two IP addresses are listed for thutmoseiii. This is because thutmoseiii is connected to two network adapters: 192.168.1.74 is the IP address of thutmoseiii in the home network, and 192.168.56.1 is the IP address of the virtual network interface for the virtual computers in VirtualBox installed on thutmoseiii.

If the Samba service on smenkhkare is now stopped from the command line, Windows 10 computer thutmoseiii is elected Master Browser after more than a minute has elapsed:

user $ nmblookup -A 192.168.1.74
Looking up status of 192.168.1.74
        THUTMOSEIII     <20> -         B <ACTIVE> 
        THUTMOSEIII     <00> -         B <ACTIVE> 
        GREENGABLES     <00> - <GROUP> B <ACTIVE> 
        GREENGABLES     <1e> - <GROUP> B <ACTIVE> 
        GREENGABLES     <1d> -         B <ACTIVE> 
        ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>

        MAC Address = AA-BB-CC-DD-EE-FF (anonymised by me)

If the Samba service on smenkhkare is then restarted from the command line and the Windows 10 computer is allowed to go to sleep, the laptop named smenkhkare becomes the Master Brower again as expected.

NetBIOS Commands in Windows
Now let’s look at some NetBIOS equivalent commands on the Windows 10 computer (Windows computer name: thutmoseiii).

First let’s see which remote computers thutmoseiii detects:

C:\WINDOWS\system32>nbtstat -c

VirtualBox Host-Only Network 2:
Node IpAddress: [192.168.56.1] Scope Id: []

    No names in cache

Ethernet:
Node IpAddress: [192.168.1.74] Scope Id: []

                  NetBIOS Remote Cache Name Table

        Name              Type       Host Address    Life [sec]
    ------------------------------------------------------------
    AKHANATEN      <20>  UNIQUE          192.168.1.70        381
    TUTANKHAMUN    <20>  UNIQUE          192.168.1.79        407
    SMENKHKARE     <20>  UNIQUE          192.168.1.90        416

WiFi:
Node IpAddress: [0.0.0.0] Scope Id: []

    No names in cache

Local Area Connection* 11:
Node IpAddress: [0.0.0.0] Scope Id: []

    No names in cache

Four adapters are listed in the above output: ‘VirtualBox Host-Only Network 2‘, ‘Ethernet‘, ‘WiFi‘ and ‘Local Area Connection* 11‘. Let’s look at why they are listed:

• The first adapter listed exists because VirtualBox is installed on thutmoseiii and has a virtual network adapter to enable virtual computers to be networked together (see What Is A Oracle VM VirtualBox Host-Only Network Adapter? if you don’t know what is a VirtualBox Host-Only Network Adapter).
  

• The second adapter listed is the computer’s Ethernet adapter. thutmoseiii is connected to the home network via this interface, and the above output shows that thutmoseiii has correctly detected the three other computers connected to the home network.
  

• The third adapter listed is the computer’s wireless adapter. thutmoseiii also has a Wi-Fi interface, currently disabled in Windows, hence no active wireless connection is listed.
  

• The fourth adapter is a ‘Microsoft Wi-Fi Direct Virtual Adapter’ according to the output of the ipconfig/all command. As the Wi-Fi interface is currently disabled in Windows, no active connection is listed here either.

Now let’s see what thutmoseiii reports about itself:

C:\WINDOWS\system32>nbtstat -n

VirtualBox Host-Only Network 2:
Node IpAddress: [192.168.56.1] Scope Id: []

                NetBIOS Local Name Table

       Name               Type         Status
    ---------------------------------------------
    THUTMOSEIII    <20>  UNIQUE      Registered
    THUTMOSEIII    <00>  UNIQUE      Registered
    GREENGABLES    <00>  GROUP       Registered
    GREENGABLES    <1E>  GROUP       Registered
    GREENGABLES    <1D>  UNIQUE      Registered
    ☺☻__MSBROWSE__☻<01>  GROUP       Registered

Ethernet:
Node IpAddress: [192.168.1.74] Scope Id: []

                NetBIOS Local Name Table

       Name               Type         Status
    ---------------------------------------------
    THUTMOSEIII    <20>  UNIQUE      Registered
    THUTMOSEIII    <00>  UNIQUE      Registered
    GREENGABLES    <00>  GROUP       Registered
    GREENGABLES    <1E>  GROUP       Registered

WiFi:
Node IpAddress: [0.0.0.0] Scope Id: []

    No names in cache

Local Area Connection* 11:
Node IpAddress: [0.0.0.0] Scope Id: []

    No names in cache

The above is correct: thutmoseiii is the Master Browser in the Windows Workgroup of VirtualBox Host-Only Network 2, but not a Master Browser in the GREENGABLES Workgroup to which thutmoseiii is connected by Ethernet cable. As the Wi-Fi interface in thutmoseiii is currently disabled, no active wireless connection is listed.

Now let’s take a look at what thutmoseiii reports about akhanaten:

C:\WINDOWS\system32>nbtstat -a akhanaten

VirtualBox Host-Only Network 2:
Node IpAddress: [192.168.56.1] Scope Id: []

    Host not found.

Ethernet:
Node IpAddress: [192.168.1.74] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    AKHANATEN      <00>  UNIQUE      Registered
    AKHANATEN      <03>  UNIQUE      Registered
    AKHANATEN      <20>  UNIQUE      Registered
    GREENGABLES    <00>  GROUP       Registered
    GREENGABLES    <1E>  GROUP       Registered

    MAC Address = 00-00-00-00-00-00


WiFi:
Node IpAddress: [0.0.0.0] Scope Id: []

    Host not found.

Local Area Connection* 11:
Node IpAddress: [0.0.0.0] Scope Id: []

    Host not found.

The above is also correct, as akhanaten is indeed not a Master Browser.

Now let’s have a look at what thutmoseiii reports about tutankhamun:

C:\WINDOWS\system32>nbtstat -a tutankhamun

VirtualBox Host-Only Network 2:
Node IpAddress: [192.168.56.1] Scope Id: []

    Host not found.

Ethernet:
Node IpAddress: [192.168.1.74] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    TUTANKHAMUN    <00>  UNIQUE      Registered
    TUTANKHAMUN    <03>  UNIQUE      Registered
    TUTANKHAMUN    <20>  UNIQUE      Registered
    GREENGABLES    <00>  GROUP       Registered
    GREENGABLES    <1E>  GROUP       Registered

    MAC Address = 00-00-00-00-00-00


WiFi:
Node IpAddress: [0.0.0.0] Scope Id: []

    Host not found.

Local Area Connection* 11:
Node IpAddress: [0.0.0.0] Scope Id: []

    Host not found.

The above is also correct, as tutankhamun is indeed not a Master Browser.

Now let’s have a look at what thutmoseiii reports about smenkhkare:

C:\WINDOWS\system32>nbtstat -a smenkhkare

VirtualBox Host-Only Network 2:
Node IpAddress: [192.168.56.1] Scope Id: []

    Host not found.

Ethernet:
Node IpAddress: [192.168.1.74] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    SMENKHKARE     <00>  UNIQUE      Registered
    SMENKHKARE     <03>  UNIQUE      Registered
    SMENKHKARE     <20>  UNIQUE      Registered
    ☺☻__MSBROWSE__☻<01>  GROUP       Registered
    GREENGABLES    <00>  GROUP       Registered
    GREENGABLES    <1D>  UNIQUE      Registered
    GREENGABLES    <1E>  GROUP       Registered

    MAC Address = 00-00-00-00-00-00


WiFi:
Node IpAddress: [0.0.0.0] Scope Id: []

    Host not found.

Local Area Connection* 11:
Node IpAddress: [0.0.0.0] Scope Id: []

    Host not found.

The above is also correct, as smenkhkare is indeed the Master Browser (notice the ‘☺☻__MSBROWSE__☻‘ and ‘<1D>‘).

Q.E.D.
So there you have it; Browser Elections take place and the Master Browser is any one of the Linux or Windows computers in the home network, thus enabling SMB browsing to take place. No WINS, no LDAP, no AD, no Kerberos. All SMB communication is carried out using NetBIOS over TCP/IP and Broadcast NetBIOS Name Resolution, as shown by the output of the command ‘nbtstat -r‘ on thutmoseiii:

C:\WINDOWS\system32>nbtstat -r

    NetBIOS Names Resolution and Registration Statistics
    ----------------------------------------------------

    Resolved By Broadcast     = 65
    Resolved By Name Server   = 0

    Registered By Broadcast   = 233
    Registered By Name Server = 0

    NetBIOS Names Resolved By Broadcast
---------------------------------------------
           BTHUB5         <00>
           呂啈㕂†††††䱃噅坏㌲匰⁓†
           TUTANKHAMUN    <00>
           AKHANATEN      <00>
           SMENKHKARE     <00>

I assume the line of Chinese and other characters is because of some deficiency in NBTSTAT.EXE, CMD.EXE or Windows 10 generally — despite having entered ‘CHCP 65001‘ and chosen a Unicode TrueType font in CMD.EXE — but the important point is that the statistics listed by the ‘nbtstat -r‘ command clearly show that only broadcasts are used for NetBIOS Name resolution, as promised. NetBIOS name resolution works fine in the home network and all the sharing-enabled computers in the home network can browse SMB shares on other sharing-enabled computers, whether they are running Windows, Linux, macOS, Android or iOS. I reiterate that this is for a typical home network.

Command to find Master Browsers
In Linux you can use the ‘nmblookup‘ command as follows to find out which machine in the home network is currently the Master Browser in each Workgroup:

user $ nmblookup -M -- -
192.168.1.254 __MSBROWSE__
192.168.1.90 __MSBROWSE__
192.168.56.1 __MSBROWSE__

You can see above that there are currently three Master Browsers in this home network. Let’s check the details for these three Master Browsers:

user $ nmblookup -A 192.168.1.254
Looking up status of 192.168.1.254
        BTHUB5          <00> -         B <ACTIVE>
        BTHUB5          <03> -         B <ACTIVE>
        BTHUB5          <20> -         B <ACTIVE>
        ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>
        HOME            <1d> -         B <ACTIVE>
        HOME            <1e> - <GROUP> B <ACTIVE>
        HOME            <00> - <GROUP> B <ACTIVE>

        MAC Address = 00-00-00-00-00-00

You can see above that the machine BTHUB5 (which is actually the home network’s router) is the Master Browser in the Workgroup named HOME (see earlier).

user $ nmblookup -A 192.168.1.90
Looking up status of 192.168.1.90
        SMENKHKARE      <00> -         B <ACTIVE>
        SMENKHKARE      <03> -         B <ACTIVE>
        SMENKHKARE      <20> -         B <ACTIVE>
        ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>
        GREENGABLES     <00> - <GROUP> B <ACTIVE>
        GREENGABLES     <1d> -         B <ACTIVE>
        GREENGABLES     <1e> - <GROUP> B <ACTIVE>

        MAC Address = 00-00-00-00-00-00

You can see above that computer SMENKHKARE is currently the Master Browser in the Workgroup named GREENGABLES.

user $ nmblookup -A 192.168.56.1
Looking up status of 192.168.56.1
No reply from 192.168.56.1

You can see above that the network node 192.168.56.1 is inactive, which is not surprising considering that it is a node on a VirtualBox virtual subnet on the Windows 10 computer thutmoseiii (see earlier) and VirtualBox is not running at the moment on that computer.

On a Windows machine it is not quite so easy to find out which machines are currently Master Browsers. However, on the face of it the third-party utility lanscan.exe can do it (see How to Determine the Master Browser in a Windows Workgroup):

C:\WINDOWS\system32>lanscan

LANscanner v1.67 - ScottiesTech.Info

Scanning LAN...

Scanning workgroup: HOME...

Scanning workgroup: GREENGABLES...

BTHUB5            192.168.1.254    11-11-11-11-11-11  HOME         MASTER
THUTMOSEIII       192.168.56.1     22-22-22-22-22-22  GREENGABLES  MASTER
SMENKHKARE        192.168.1.90     aa-bb-cc-dd-ee-ff  GREENGABLES  MASTER
TUTANKHAMUN       192.168.1.79     33-33-33-33-33-33  GREENGABLES
AKHANATEN         192.168.1.70     55-55-55-55-55-55  GREENGABLES

Press any key to exit...

(MAC addresses anonymised by me.)

Notice above that lanscan.exe listed the VirtualBox virtual subnet node 192.168.56.1 in Windows 10 computer thutmoseiii (see earlier) but omitted to list the node 192.168.1.74 (also thutmoseiii) in the real network. Now, in this particular case thutmoseiii on 192.168.1.74 is not a Master Browser. Nevertheless, as lanscan.exe is supposed to list all nodes, its failure to list the node 192.168.1.74 is a shortcoming.

And what happens if thutmoseiii on node 192.168.1.74 becomes a Master Browser? In that case lanscan.exe still omits the node from the list and, in addition, wrongly shows tutankhamun as a Master Browser:

C:\WINDOWS\system32>nbtstat -n

VirtualBox Host-Only Network 2:
Node IpAddress: [192.168.56.1] Scope Id: []

                NetBIOS Local Name Table

       Name               Type         Status
    ---------------------------------------------
    THUTMOSEIII    <20>  UNIQUE      Registered
    THUTMOSEIII    <00>  UNIQUE      Registered
    GREENGABLES    <00>  GROUP       Registered
    GREENGABLES    <1E>  GROUP       Registered
    GREENGABLES    <1D>  UNIQUE      Registered
    ☺☻__MSBROWSE__☻<01>  GROUP       Registered

Ethernet:
Node IpAddress: [192.168.1.74] Scope Id: []

                NetBIOS Local Name Table

       Name               Type         Status
    ---------------------------------------------
    THUTMOSEIII    <20>  UNIQUE      Registered
    THUTMOSEIII    <00>  UNIQUE      Registered
    GREENGABLES    <00>  GROUP       Registered
    GREENGABLES    <1E>  GROUP       Registered
    GREENGABLES    <1D>  UNIQUE      Registered
    ☺☻__MSBROWSE__☻<01>  GROUP       Registered

WiFi:
Node IpAddress: [0.0.0.0] Scope Id: []

    No names in cache

Local Area Connection* 11:
Node IpAddress: [0.0.0.0] Scope Id: []

    No names in cache

C:\WINDOWS\system32>nbtstat -A 192.168.1.79

VirtualBox Host-Only Network 2:
Node IpAddress: [192.168.56.1] Scope Id: []

    Host not found.

Ethernet:
Node IpAddress: [192.168.1.74] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    TUTANKHAMUN    <00>  UNIQUE      Registered
    TUTANKHAMUN    <03>  UNIQUE      Registered
    TUTANKHAMUN    <20>  UNIQUE      Registered
    GREENGABLES    <00>  GROUP       Registered
    GREENGABLES    <1E>  GROUP       Registered

    MAC Address = 00-00-00-00-00-00


WiFi:
Node IpAddress: [0.0.0.0] Scope Id: []

    Host not found.

Local Area Connection* 11:
Node IpAddress: [0.0.0.0] Scope Id: []

    Host not found.

C:\WINDOWS\system32>lanscan

LANscanner v1.67 - ScottiesTech.Info

Scanning LAN...

Scanning workgroup: HOME...

Scanning workgroup: GREENGABLES...

BTHUB5            192.168.1.254    11-11-11-11-11-11  HOME         MASTER
THUTMOSEIII       192.168.56.1     22-22-22-22-22-22  GREENGABLES  MASTER
TUTANKHAMUN       192.168.1.79     33-33-33-33-33-33  GREENGABLES  MASTER
SMENKHKARE        192.168.1.90     aa-bb-cc-dd-ee-ff  GREENGABLES
AKHANATEN         192.168.1.70     55-55-55-55-55-55  GREENGABLES

Press any key to exit...

(MAC addresses anonymised by me.)

Linux appears to have the edge on Windows in this respect, as the Samba command ‘nmblookup -M -- -‘ detects all the Master Browsers correctly in the above situation:

user $ nmblookup -M -- -
192.168.1.254 __MSBROWSE__
192.168.1.74 __MSBROWSE__
192.168.56.1 __MSBROWSE__

So it appears that, from a Windows computer, the only sure way to find all Master Browsers is to use the command ‘nbtstat -a <computer name>‘ to check each remote machine in the home network, plus the command ‘nbtstat -n‘ to check the Windows computer you are using.

Footnote
The ebuild of the current Gentoo Stable Branch package net-fs/samba-4.2.11 (and probably the ebuild of the Testing Branch package net-fs/samba-4.2.14 as well) is not entirely correct, as it pulls in unnecessary dependencies (see Gentoo Bug Report No. 579088 – net-fs/samba-4.x has many hard dependencies, make some optional). For example, Kerberos is not required at all if you are not using LDAP, AD, etc. and are just using NETBIOS Name Resolution by Broadcast in a Windows Workgroup (like most home users). However, the Gentoo samba ebuild forces the user to install Kerberos (either the MIT implementation app-crypt/mit-krb5 or the Heimdal implementation app-crypt/heimdal) even if you specify that Samba should be built without support for LDAP, AD, etc. This does not cause any harm, but it is unnecessary.

user $ eix -I samba
[I] net-fs/samba
     Available versions:  3.6.25^t 4.2.11 ~4.2.14 [M]~4.3.11 [M]~4.4.5 [M]~4.4.6 [M]~4.5.0 {acl addc addns ads (+)aio avahi caps (+)client cluster cups debug dmapi doc examples fam gnutls iprint ldap ldb +netapi pam quota +readline selinux +server +smbclient smbsharemodes swat syslog +system-mitkrb5 systemd test (+)winbind zeroconf ABI_MIPS="n32 n64 o32" ABI_PPC="32 64" ABI_S390="32 64" ABI_X86="32 64 x32" PYTHON_TARGETS="python2_7"}
     Installed versions:  4.2.11(19:40:03 16/09/16)(avahi client cups fam gnutls pam -acl -addc -addns -ads -aio -cluster -dmapi -iprint -ldap -quota -selinux -syslog -system-mitkrb5 -systemd -test -winbind ABI_MIPS="-n32 -n64 -o32" ABI_PPC="-32 -64" ABI_S390="-32 -64" ABI_X86="64 -32 -x32" PYTHON_TARGETS="python2_7")
     Homepage:            http://www.samba.org/
     Description:         Samba Suite Version 4

If you are a Gentoo Linux user, you can merge the package net-fs/samba with the same USE flags shown above (obviously change “-systemd” to “systemd” if you use systemd instead of OpenRC), and use the laptops’ smb.conf files shown in this post as templates, and you will be able to share files and printers using Samba and NetBIOS name resolution. Don’t forget to use pdbedit to define the Samba users, and don’t forget to stop and disable winbindd if it is already installed.

Further reading

• How NetBIOS name resolution really works
• Name Resolution and Browsing (See the section Browser Elections)
• How Computer Browser Service Works
• NetBIOS Over TCP/IP
• Nbtstat
• Windows Networking

ADDENDUM (October 30, 2016): You probably already use the Public folder in Windows. If not, you can find a brief explanation in the article Simple Questions: What is the Public Folder & How to Use it?. There are a number of default sub-folders in C:\Users\Public\ on a Windows machine. There are some differences depending on the version of Windows, but in Windows 10 (Anniversary Update) these sub-folders are named:

C:\Public\Libraries
C:\Public\Public Account Pictures
C:\Public\Public Desktop
C:\Public\Public Documents
C:\Public\Public Downloads
C:\Public\Public Music
C:\Public\Public Pictures
C:\Public\Public Videos

These predefined sub-folders are not ordinary folders, and I have noticed a surmountable minor limitation when accessing them from a Linux machine using Samba, as explained below.

If I enable Public Folder Sharing on a Windows machine (‘Turn on sharing so that anyone with network access can read and write files in the Public folders’) and configure the security permissions of the Public folder for Everyone, from another Windows machine in the Workgroup I can copy files to the first machine’s Public folder and default sub-folders. From a Linux machine in the Workgroup I can copy files to the Public folder on Windows machines in the Workgroup but I cannot copy files to the default sub-folders (the Dolphin file manager displays the error message ‘Access denied. Could not write to .‘). However, this is not a big deal because I can copy files into the Public folder itself and into manually created sub-folders in the Public folder.

ADDENDUM (February 13, 2018): Windows 10 Version 1709 and later have the SMBv1/CIFS protocol disabled by default, so the Lanscan utility will no longer work in Windows 10 Version 1709. That is not a big deal if you also have Linux machines on your home network; just use the Samba commands from one of those Linux machines instead. If you have devices on your home network that only support SMBv1/CIFS protocol and they cannot be configured to use the SMBv3 protocol, your only option is to configure Windows 10 Version 1709 to use the SMBv1 protocol, which is less secure than the later SMB protocols. See e.g. the article Cannot browse network neighborhood under Windows 10 Fall Creators update 1709 and newer for how to configure Windows 10 Version 1709 to use the SMBv1 protocol. In my case, all my Linux machines using Samba can be configured via the smb.conf file to use a newer version of the SMB protocol (see ‘server min protocol’ and ‘server max protocol’ in the Samba documentation for smb.conf).

KDE Connect on a hotel Wi-Fi network

I am a fan of KDE Connect (see my 2014 post about an earlier version), but had previously been unable to use it with a hotel network. However today I managed to do that, and here is how I did it …

I first connected my laptop and my Samsung Galaxy Note 4 to the hotel’s Wi-Fi network, then used the ifconfig command in Linux on my laptop to find the IP address of my laptop on the hotel’s network. Note that the IP address one sees if one uses a Web site such as WhatIsMyIPAddress will be the laptop’s outward-facing IP address, not the IP address of the laptop on the hotel network. For example, the ifconfig command has just shown me that my current DHCP-allocated IP address is 10.154.245.40 on this hotel’s network for this session whereas the Web site WhatIsMyIPAddress is showing my IP address as 78.100.57.102.

By the way, I can also use the excellent Android utility Fing on my Galaxy Note 4 to find the IP address of my laptop on the hotel’s network. It is quite interesting to use Fing to see what other devices (their hostname and IP address) are currently connected to the hotel’s network.

Anyway, then I launched KDE Connect on the Galaxy Note 4, tapped ⋮ and ‘Add devices by IP’, and entered the laptop’s IP address (10.154.245.40 in this specific case). I was able to pair with KDE Connect running on my laptop and send files from my phone to the laptop, and vice versa.