Tuesday, May 29, 2018

Zanzibar: You Can't Get There in a Car

I have dreamed of going to Zanzibar ever since hearing so much about it while living in Oman. M has known of Zanzibar ever since he listened to this song as a kid. When he told me about the song, I didn't believe it existed until he found it on YouTube, and I still don't recognize it. Do you?

Anyway, Zanzibar was a fantastic and unique experience. We spent the whole time in Stone Town since we only had a weekend and were interested in the culture and history. We started the trip by hopping in a traditional-looking dhow, or boat, for a one-day snorkeling excursion on the famous Safari Blue.

The biggest bummer of the trip was getting completely rained out of our snorkeling experience after a few minutes of murky views and getting stung all over by sea lice (or something close to that, which we didn't know existed). We ended up huddling on the boat under a tarp as we were pelted with cold, heavy rain. As a consolation, we did get closer to wild dolphins than we'd ever been - we could see a bottlenose swimming right by us! It also stopped raining in time for our stop at a sandbank (the first photo of this post) and the Blue Lagoon, where we got to swim up to the mangrove trees.

Lunch was very tasty, and the main food was followed by a tasting of local fruits. Some we had never tried before - like (very sticky) jackfruit and baobab seeds! Others we were just surprised to see, like this grapefruit that just did not look like the grapefruit we expect from the U.S.

We wrapped up the day with dinner at Emerson Spice Tea House, a rooftop restaurant with a 5-course set dinner menu. The ambiance was lovely, with a candlelit view of Stone Town at night. Unfortunately, we would not recommend the food - to be honest, we were not impressed.

The next day, we tried our luck at The Rock Restaurant, perched literally in the ocean (at high tide). (You get from the beach to the steps of the restaurant by boat!) The gimmick was actually very cool, there were nice seating options inside and outside the dining room, and the food was delicious. If you go, we recommend reserving in advance online here and checking the tide schedule here to make sure you get there for that perfect high tide experience.

I'm going to take a break from talking about our fun experiences to point out a heartbreaking phenomenon that seems to plague every corner of the world at this point: garbage! Even though the Zanzibari beaches and waters looked very pure in many places, you could see trash at the high tide shoreline or in less well-maintained areas. I captured the view below on our way to The Rock Restaurant. It was awful! Our planet deserves better.

Now that I've gotten that out of the way, Zanzibar was buzzing at night. We felt very safe walking from our hotel to the nearby night market at Forodhani Gardens. Similarly to everywhere else in Stone Town, we were accosted there by a multitude of hyper-competitive street vendors, tour operators, and others trying to get some of our tourist money. I respect the hustle, but I also appreciate it when they take "no" for an answer instead of following us around until M yells at them.

In the end, M settled on a shawarma and I tried a "Zanzibar pizza" - a fried, thin, crepe-style pancake with egg, ground beef, Laughing Cow cheese, mayonnaise, and vegetables served with "ketchup" (definitely not the same as American ketchup).

I actually loved the Zanzibar pizza, but I wouldn't consider it even remotely related to an actual pizza. We also enjoyed a fresh squeezed sugar cane juice.

Our last day was our history-focused day. Some of the buildings we wanted to see were under construction, but others like the Old Dispensary pictured below were thankfully fully visible. This is just one example of the multicultural influences throughout Zanzibar; for example, we learned the ornate balconies of this building are a hallmark of Indian architecture.

We caught a view of the Old Fort, also known as the Arab Fort, which reminded me of the many forts I had seen in Oman.

We also swung by Mercury House, where Freddie Mercury (lead singer of Queen) once lived. Did you know he was born in Zanzibar? Full disclosure: Queen is a bit before my time, but M certainly appreciated it.

The most powerful stop of our trip was the former slave market, now located on the grounds of an Anglican church. There was a small, simple museum set up describing the history of slavery in Zanzibar. I learned a lot, like the fact that farming cloves was a major incentive for slave labor in the region and that Connecticut was one of the largest ivory import markets in the world for a long time. I found the stone sculpture of chained slaves outside especially moving. This stop is a must-see.

There's so much more to say about Zanzibar, but I simply don't have the space. I do want to share a tip for those traveling there during Ramadan: the population is predominantly Muslim, and a lot of the regulations are Islamic. Almost everywhere we tried to get lunch was closed, and we weren't allowed to eat our ice cream while walking outside. Definitely plan your food in advance if you go during Ramadan like we did.

As a final note, I do have to note the famous Zanzibari doors. The brass-studded ones visible on doors like the one pictured earlier at Mercury House were supposedly for protection against elephants! We also noticed some lovely Arabic inscriptions like the one above. Many of the doors seemed to tell their own story about the history of that building and its occupants, which was fascinating. All in all, we highly recommend Zanzibar for the bucket list of anyone who's willing to explore an interesting new culture (and doesn't mind spending more money than planned)!

Sunday, May 20, 2018

Distance Language Learning: Another Foreign Service Perk

Among the many benefits I enjoy as a Foreign Service Officer, language learning is pretty near the top of my list. I'm so lucky to have a job where I can get paid to learn a language full-time. No language was required for my current job, but I still have a few options for working on my language skills in the meantime. We have a full-time Kiswahili teacher at the U.S. Embassy in Nairobi who provides free lessons to staff and family members. Taking her classes once per week has given me the basic expressions I need to at least make people smile.

Another option, which is the main subject of this post, is distance language learning. The Foreign Service Institute (FSI, a.k.a. Diplomat School) has a wealth of online course offerings. I just began my third semester of distance language Arabic and can't recommend it highly enough. My class is called Contemporary Topics, which is designed for intermediate to advanced speakers who want to maintain or improve their skills. You must have a 2/2 or higher on the Interagency Language Roundtable (ILR) scale, and they will test you before the class to make sure you're placed properly even if you already have a language test score on the books as I do.

Most classes exist on a progressive scale so you can advance to the next level after each semester. Contemporary Topics, on the other hand, is structured in a unique way that allows me to repeat it every semester: each week is a new topic chosen by the teacher, along with an accompanying article to read and video to watch before our 45-minute online review session. I'm also responsible for uploading my own video before class each week, talking for a few minutes about that week's subject.

The system also allows you to request the same teacher from a previous semester. In the case of Arabic, you can also request Modern Standard Arabic (MSA) or a specific dialect. After three semesters together, I feel like I know my Iraqi instructor, A, very well. It helps me look forward to our discussions every week, especially because they're usually late on a weeknight! (All of the review session times are set up with East Coast U.S. working hours in mind, so it's my nighttime in Kenya.)

So why might one want to use distance language learning? Besides it being just a cool opportunity, it can help you with bidding (i.e., competing for future assignments). It can help you demonstrate you're committed to developing your language skills in preparation for working in jobs requiring them or at least help you stand out from the competition. Some people even take the full language test after distance language learning alone. For me, it helps me avoid the complete language deterioration that naturally results from lack of use while I'm in Nairobi.

M recently joined me with the beginner Arabic language distance learning class. He's already mastered the first 11 letters of the alphabet! He's always wanted to learn the language, so it's great that the Foreign Service has some of these resources available for family members. I know not everyone loves foreign languages, but this is a huge perk for those like me who do! Technology is amazing.

Sunday, May 13, 2018

First Time in Kibera (Largest Slum in Africa?)

I went to Kibera for the first time last week. It was a work trip, as we're not normally allowed to go for security reasons. Kibera, located right here in Nairobi, is famous as the largest urban slum in Africa. Though some prefer the term "informal settlement" to "slum", I've heard locals (including those who live in these neighborhoods) use both.

My biggest takeaway from this visit was the friendliness of the residents! People were so happy and welcoming to me, even though I was so clearly an outsider. I dropped a few Kiswahili words and they were over the moon.

I was there for the commissioning of the SHOFCO School for Girls. SHOFCO (Shining Hope for Communities) describes itself as a movement, and it certainly has a unique story: a partnership between a Kenyan man who grew up in the slums and an American woman who studied abroad and never ended up leaving.

The event was attended by the U.S. Ambassador, the First Lady of Kenya, and several other high-level guests. I was really impressed by the grace, charisma, and warmth of the First Lady. I can see why she is so popular even among political opposition circles.

I also got a few small glimpses of life in Kibera in between stops at the work event. For example, this sign above shows the cost of a few things in the nice part of the neighborhood. Kenyan shillings are about equivalent to cents, so using this toilet costs 5 cents. Many still couldn't afford or chose not to spend that amount, as I learned when I picked up certain smells while walking around.

I've also never seen so many secondhand clothes street stalls, and they're pretty ubiquitous in Kenya. It definitely explains how we come to find random Kenyans wearing things like Virginia Tech football hoodies and even Ingress shirts.

Before I left, I grabbed a photo of this #vaccineswork sign because seeing the public health issues here has made me appreciate my privilege so much more. I never had to worry about polio as a child in the relatively highly vaccinated United States (something that is unfortunately starting to change). For the first time, I now know a polio survivor. Even those who have sanitation and eat healthy food can be at risk due to lack of access to vaccines. Many mothers would give anything to be able to obtain this level of protection for their children. I am so proud of the work my colleagues do to help expand access to these and other life-saving treatments around the world. Nobody should have to suffer from a disease we have the potential to eradicate.

I feel very fortunate to have had the opportunity to support this event and visit Kibera. Kenya is one adventure after another, and the diversity of Kenyan experiences never ceases to amaze me.

Thursday, May 3, 2018

How To: Free Private VPN On Home Router

Being able to appear as if you're in a different country online is a common issue for expats. Several services such as Netflix, Amazon, and Hulu have region-locked content, while some websites completely block access from some foreign countries. Most people pay a VPN provider to help with this issue, but that is not always ideal. This guide is designed to walk you through setting up a free private VPN on a common consumer router that will be placed in the other country.

Pros
  • Free
  • No usage caps
  • Extremely customizable setup
  • Nearly impossible to be blocked by a content provider

Cons
  • Only one location
  • No technical support
  • Internet traffic is not anonymous
  • Speed is limited by the upload bandwidth of the host

UPDATE (February 2019): Although all the instructions on this page will still work, I have found that using a Raspberry Pi for the VPN server is usually a better option. Instructions on how to use a Pi have been added below under VPN Server on Raspberry Pi.



The following steps set up SoftEther VPN on a Linksys EA6700 running the AdvancedTomato firmware.

Router Details

Linksys EA6700 - Amazon
  • Wireless AC
  • CPU: 2x 800MHz
  • RAM: 256MB
  • Flash: 128MB

Configuration

Flash AdvancedTomato

  1. Download the necessary files - https://drive.google.com/drive/folders/15Rf7KnH-kBqjTqcJ4eX0DXuKj7EYjRYS
  2. Disconnect or disable internet connection(s) on computer
  3. Set a static IP for the ethernet connection on the computer
    • IP address = 192.168.1.100
    • Subnet mask = 255.255.255.0
    • Default gateway = 192.168.1.1
  4. Run tftp.exe and fill in fields:
    • Server = 192.168.1.1
    • Password = admin
    • File = FW_EA6700_1.1.40.166281_prod.img
  5. Connect computer to router’s Ethernet 1 port
  6. Open a PowerShell/Terminal window
    • ping -t 192.168.1.1
  7. Plug in router power
  8. Wait until the TTL from the ping command is 100
  9. Click Upgrade (if there is an error, try again)
  10. Click OK
  11. Click Close
  12. Wait until the TTL from the ping command is 64
  13. Navigate browser to 192.168.1.1
  14. Select both checkboxes and click Next
  15. Click Login
  16. Default password = admin
  17. Click Sign In
  18. Click Troubleshooting
  19. Click Diagnostics
  20. Click Restore previous firmware
  21. Click Yes
  22. After the router restarts, sign in again
  23. Click Connectivity
  24. Click Choose File and select linksys-ea6700-webflash.bin
  25. Click Start
  26. Click Yes
  27. Click Ok
  28. Wait until the TTL from the ping command is 64
  29. Navigate browser to 192.168.1.1
  30. All three fields = admin
  31. Click Change Password
  32. Services > Secure Shell > Enable
  33. Click Apply Settings
  34. Navigate browser to http://192.168.1.1/backup/cfe.bin and save the file in case of necessary recovery
  35. Run cfe_edit.exe and open cfe.bin
  36. Click on Advanced Mode and edit the values for the specific router
    • et0macaddr = MAC address from the bottom of the router
    • 0:macaddr = MAC address + 2
    • 1:macaddr = MAC address + 4
    • secret_code = WPS code on the bottom of the router below the MAC address (no hyphen)
  37. Save the file
  38. Open a PowerShell/Terminal window on computer
  39. Unplug the router, hold the blue WPS button, plug in the router, and release the button when the Linksys logo starts flashing quickly
  40. Repeat the last step, but press the reset button immediately after releasing the WPS button, and hold it until the TTL from the ping command is 100
  41. Navigate browser to 192.168.1.1
  42. Click Restore default NVRAM values.
  43. Click Continue
  44. Click Choose File and select tomato-EA6700-AT-ARM-3.5-140-AIO-64K.trx
  45. Click Upload
  46. Wait until the TTL from the ping command is 64
  47. Click Continue
  48. Administration > Configuration > Restore Default Configuration > Erase all data in NVRAM memory (thorough) > OK > OK
  49. Wait until the TTL from the ping command is 64
  50. Navigate browser to 192.168.1.1
  51. Administration > Admin Access > Authorization Settings
    1. Enter a unique password
    2. Click Save
  52. Connect ISP connection to Internet port
  53. Set the ethernet connection on the computer to obtain an IP address automatically

Install SoftEther

  1. Login to router
  2. Administration > JFFS
    1. JFFS Partition > Enable > Enable
    2. JFFS Partition > Format / Erase…
    3. Click Ok
    4. Click Save
  3. Open a PowerShell/Terminal window on computer

Setup VPN Server

  1. Administration > Scripts
    1. Init =
      • modprobe tun
        openvpn --mktun --dev tap_soft
        
    2. Firewall =
      • iptables -A INPUT -p tcp --dport 443 -j ACCEPT
        iptables -A INPUT -p tcp --dport 992 -j ACCEPT
        iptables -A INPUT -p tcp --dport 1194 -j ACCEPT
        iptables -A INPUT -p tcp --dport 5555 -j ACCEPT
        iptables -A INPUT -p udp --dport 500 -j ACCEPT
        iptables -A INPUT -p udp --dport 1194 -j ACCEPT
        iptables -A INPUT -p udp --dport 1701 -j ACCEPT
        iptables -A INPUT -p udp --dport 4500 -j ACCEPT
        
    3. WAN Up =
      • brctl addif br0 tap_soft
        /jffs/etc/softether/vpnserver start
        
    4. Click Save
  2. Basic Settings > Network
    1. WAN Settings > DNS Server = Manual
    2. WAN Settings > DNS 1 = 8.8.8.8
    3. WAN Settings > DNS 2 = 1.1.1.1
    4. LAN > br0 > IP Address = 192.168.###.1 (### is a random number 2-255)
    5. LAN > br0 > IP Range = 192.168.###.101-199 (### to match the IP Address)
    6. Click OK
    7. Wireless (2.4 GHz / eth1) > Enable Wireless > Disable
    8. Wireless (5 GHz / eth2) > Enable Wireless > Disable
    9. Click Save
  3. Reboot router
  4. Download SoftEther VPN Server Manager - http://www.softether-download.com
  5. Run SoftEther VPN Server Manager
  6. Click New Setting
    1. Host Name = Router IP
    2. Click OK
  7. Click Connect
  8. Enter a new password
  9. Click Remote Access VPN Server
  10. Click Next
  11. Click Yes
  12. Click OK
  13. Enter a unique Dynamic DNS Hostname
  14. Click Exit
  15. Click Enable L2TP Server Function (L2TP over IPSec)
  16. Click OK
  17. Click Disable VPN Azure
  18. Click OK
  19. Click Create Users
  20. Create a user for the client router
    1. User Name = EA6700
    2. Auth Type = Individual Certificate Authentication
    3. Click Create Certificate
    4. Click OK
    5. Click OK
    6. Save the file
    7. Click OK
  21. Click OK
  22. Create as many users as wanted with User Name, Full Name, and Password
  23. Click Exit
  24. Click Close
  25. Click Local Bridge Setting
  26. Click the Virtual Hub from the dropdown
  27. Click Bridge with New Tap Device
  28. New Tap Device Name = soft
  29. Click Create Local Bridge
  30. Click OK
  31. Click Exit
  32. Click Exit
  33. Click Exit SoftEther VPN Server Manager

Connect VPN Router to Host Router

  1. Connect Internet port on VPN router to Ethernet port on host router
  2. Connect computer to host router
  3. Login to host router
  4. Set reserved IP for VPN router in DHCP settings
  5. Forward following ports to VPN router
    • TCP: 443, 992, 1194, 5555
    • UDP: 500, 1194, 1701, 4500
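The Firewall script in the Setup VPN Server section and the port-forward list just above open all eight ports SoftEther can listen on. Only the functions actually enabled need reachable ports: SoftEther's own protocol, which the certificate-authenticated client router uses, connects to TCP 443; L2TP over IPsec from step 15 needs UDP 500, 4500 and 1701; 992 and 5555 are alternative SoftEther listeners, and 1194 is used only by the OpenVPN-compatible function. The script below is an added example, not part of the original guide: given the functions you enabled, it emits the minimal rule set for the Firewall script (and the same ports to forward on the host router) and lists which of the guide's ports can stay closed. The function names (ports_for, vpn_firewall_rules, unneeded_ports) and the labels se-tcp, l2tp and openvpn are this example's own.

```shell
#!/bin/sh
# Added example (not from the original guide): build the minimal set of
# iptables INPUT rules for a SoftEther server, opening only the ports the
# enabled functions actually use.
#
# Function labels (this example's own names):
#   se-tcp  - SoftEther's native protocol on TCP 443 (used by the client router)
#   l2tp    - L2TP over IPsec (guide step 15): UDP 500, 4500, 1701
#   openvpn - OpenVPN-compatible function: the guide opens 1194 on TCP and UDP
# TCP 992 and 5555 are alternative SoftEther listeners; with only 443 in use
# they can stay closed.

ports_for() {
  case "$1" in
    se-tcp)  echo "tcp:443" ;;
    l2tp)    echo "udp:500 udp:4500 udp:1701" ;;
    openvpn) echo "tcp:1194 udp:1194" ;;
    *)       echo "unknown function: $1" >&2; return 1 ;;
  esac
}

# Print one ACCEPT rule per needed port, in the form the Firewall script expects.
vpn_firewall_rules() {
  for fn in "$@"; do
    ports=$(ports_for "$fn") || return 1
    for p in $ports; do
      proto=${p%%:*}
      port=${p##*:}
      echo "iptables -A INPUT -p $proto --dport $port -j ACCEPT"
    done
  done
}

# List the ports the guide opens that the chosen functions do not need.
unneeded_ports() {
  guide="tcp:443 tcp:992 tcp:1194 tcp:5555 udp:500 udp:1194 udp:1701 udp:4500"
  needed=""
  for fn in "$@"; do
    ports=$(ports_for "$fn") || return 1
    needed="$needed $ports"
  done
  for p in $guide; do
    case " $needed " in
      *" $p "*) ;;          # needed, keep open
      *)        echo "$p" ;; # not needed by any enabled function
    esac
  done
}

# Example run: native protocol for the client router plus L2TP/IPsec for phones.
vpn_firewall_rules se-tcp l2tp
echo "# ports from the guide that can stay closed:"
unneeded_ports se-tcp l2tp
```

Paste the printed iptables lines into the Firewall script in place of the guide's eight rules, and forward the same ports on the host router; if you later enable another SoftEther function, rerun the script with that label added rather than opening everything up front.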

Setup VPN Client

  1. Administration > Scripts
    1. WAN Up =
      • /jffs/etc/softether/vpnbridge start
    2. Click Save
  2. Basic Settings > Network
    1. WAN Settings > DNS Server = Manual
    2. WAN Settings > DNS 1 = 8.8.8.8
    3. WAN Settings > DNS 2 = 1.1.1.1
    4. LAN > br0 > IP Address = 192.168.###.1 (### is a random number 2-255)
    5. LAN > br0 > DHCP = Disabled
    6. OK
    7. Wireless (2.4 GHz / eth1) & Wireless (5 GHz / eth2)
      • SSID = Any name
      • Channel = Auto
      • Security = WPA2 Personal
      • Shared Key = Choose a password
    8. Click Save
  3. Reboot router
  4. Download SoftEther VPN Server Manager - http://www.softether-download.com
  5. Run SoftEther VPN Server Manager
  6. Click New Setting
    1. Host Name = Router IP
    2. OK
  7. Click Connect
  8. Enter a new password
  9. Click Next
  10. Click Yes
  11. Click Configure Connection Setting
    1. Setting Name = VPN
    2. Host Name = Dynamic DNS Hostname
    3. Virtual Hub Name = VPN
    4. Auth Type = Client Certificate Authentication
    5. User Name = EA6700
    6. Click Specify Client Certificate
    7. Select the file saved when creating the user
    8. Click OK
  12. Click Exit
  13. Click br0 under Set Local Bridge
  14. Click Close
  15. Click Exit
  16. Click Exit SoftEther VPN Server Manager

Optional Configurations

Separate Local Network

  1. Basic Settings > Network > LAN
    1. Bridge = 1 (or any other unused available bridge)
    2. IP Address = 192.168.###.1 (### is a random number 2-255, different than existing bridges)
    3. Netmask = 255.255.255.0
    4. DHCP = Enabled
    5. IP Range = 192.168.###.101-199 (### to match the IP Address)
    6. Click Add
    7. Click Save
  2. Advanced Settings > Virtual Wireless > Virtual Wireless Interfaces
    1. Interface = wl0.1 (or any other unused available interface)
    2. Enabled = yes
    3. SSID = Name that will show up on devices
    4. Bridge = LAN1 (br1) (to match bridge that was just created)
    5. Click Add
    6. Security = WPA2 Personal
    7. Shared Key = new wireless password
    8. Click Save
    9. Repeat the above steps for wl1.1 interface with the exact same SSID and Shared Key
    10. Click Save
  3. Advanced Settings > VLAN > VLAN Setting
    1. VLAN = 11 (or any other unused available VLAN)
    2. VID = 11 (match VLAN)
    3. Port 1-4 = Yes (for the ports that should not use the VPN; must be unselected for other VLAN)
    4. Bridge = LAN1 (br1) (to match bridge that was just created)
    5. Click Add
    6. Click Save

Separate Guest Network

  1. Basic Settings > Network > LAN
    1. Bridge = 2 (or any other unused available bridge)
    2. IP Address = 192.168.###.1 (### is a random number 2-255, different than existing bridges)
    3. Netmask = 255.255.255.0
    4. DHCP = Enabled
    5. IP Range = 192.168.###.101-199 (### to match the IP Address)
    6. Click Add
    7. Click Save
  2. Advanced Settings > Virtual Wireless > Virtual Wireless Interfaces
    1. Interface = wl0.2 (or any other unused available interface)
    2. Enabled = yes
    3. SSID = Name that will show up on devices
    4. Bridge = LAN2 (br2) (to match bridge that was just created)
    5. Click Add
    6. Security = WPA2 Personal
    7. Shared Key = new wireless password
    8. Click Save
    9. Repeat the above steps for wl1.2 interface with the exact same SSID and Shared Key
    10. Click Save
  3. Advanced Settings > VLAN > VLAN Setting
    1. VLAN = 12 (or any other unused available VLAN)
    2. VID = 12 (match VLAN)
    3. Bridge = LAN2 (br2) (to match bridge that was just created)
    4. Click Add
    5. Click Save

VPN Server on Raspberry Pi

Using a Raspberry Pi as the VPN server hardware provides more benefits (e.g. better hardware for similar cost, remote access, smaller footprint, etc.), but it is slightly more technical than using a router. The below steps are meant to replace the steps above under Flash AdvancedTomato and Install SoftEther. These steps are designed for a headless setup (no display needed), and include TeamViewer for remote access. Although most Raspberry Pi models can be used, I recommend the Pi 4, as it includes a true gigabit ethernet port. Here is one possible kit that includes all the parts you would need to create a complete Raspberry Pi setup - CanaKit / Amazon
  1. Download and install NOOBS to the SD card (Some SD cards come pre-installed with NOOBS) - https://www.raspberrypi.org/downloads/noobs
  2. Edit the recovery.cmdline file and add silentinstall
    • sed -i '$s/$/ silentinstall/' recovery.cmdline
  3. Add a file named ssh to the root of the SD card (the contents do not matter)
  4. Insert SD card into the Pi
  5. Connect an ethernet cable between the Pi and router
  6. Connect the power cable to the Pi
  7. The Pi will now take up to half an hour to install the operating system
  8. Get the IP of the Pi from router once it is available
  9. Open a PowerShell/Terminal window on computer
    • ssh pi@<IP of the Pi> #password = raspberry
      sudo raspi-config nonint do_change_locale en_US.UTF-8
      sudo raspi-config nonint do_change_timezone America/New_York
      sudo raspi-config nonint do_configure_keyboard us
      sudo raspi-config nonint do_wifi_country US
      sudo raspi-config nonint do_resolution 2 82
      sudo apt update -y
      sudo apt full-upgrade -y
      sudo apt autoremove -y
      wget https://download.teamviewer.com/download/linux/teamviewer-host_armhf.deb
      sudo apt install ./teamviewer-host_armhf.deb -y
      sudo teamviewer setup
      curl -s https://api.github.com/repos/SoftEtherVPN/SoftEtherVPN_Stable/releases/latest |
      grep "browser_download_url.*vpnserver.*linux-arm_eabi-32bit.tar.gz" |
      cut -d : -f 2,3 | tr -d \" | wget -O vpnserver.tar.gz -i -
      tar zxvf vpnserver.tar.gz
      cd vpnserver
      make
      sudo chmod 600 *
      sudo chmod 700 vpncmd vpnserver
      cd ..
      sudo mv vpnserver /usr/local/
  10. Create /etc/init.d/vpnserver with the below content
    • #!/bin/sh
      ### BEGIN INIT INFO
      # Provides:          vpnserver
      # Required-Start:    $remote_fs $syslog
      # Required-Stop:     $remote_fs $syslog
      # Default-Start:     2 3 4 5
      # Default-Stop:      0 1 6
      # Short-Description: SoftEther VPN Server
      # Description:       SoftEther VPN Server
      ### END INIT INFO
      DAEMON=/usr/local/vpnserver/vpnserver
      LOCK=/var/lock/subsys/vpnserver
      test -x $DAEMON || exit 0
      case "$1" in
      start)
      $DAEMON start
      touch $LOCK
      ;;
      stop)
      $DAEMON stop
      rm $LOCK
      ;;
      restart)
      $DAEMON stop
      sleep 3
      $DAEMON start
      ;;
      *)
      echo "Usage: $0 {start|stop|restart}"
      exit 1
      esac
      exit 0
  11. Set the VPN server to start automatically
    • sudo chmod 755 /etc/init.d/vpnserver
      sudo /etc/init.d/vpnserver start
      sudo update-rc.d vpnserver defaults
      sudo reboot
  12. Continue from step 4 under Setup VPN Server above, but skip steps 27 and 28
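Step 9 above logs in over SSH with the stock pi/raspberry password, and the local bridge configured under Setup VPN Server puts every VPN client on the same LAN as the Pi, so that account is reachable by anyone who holds a VPN credential. The script below is an added example, not from the original guide: once you have copied an SSH key to the Pi (ssh-copy-id pi@<IP of the Pi> from the computer) and changed the password with sudo passwd pi, it rewrites the OpenSSH server configuration to allow key-based login only. The helper names (harden_sshd_config, set_opt, sshd_opt, demo) are this example's own, and the demo runs on a constructed sample file rather than the real /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example (not from the original guide): restrict the Pi's SSH server to
# key-based login so the default password is no longer a way in over the VPN.

# set_opt FILE KEY VALUE: replace every existing KEY line (commented out or not)
# with "KEY VALUE", or append it if the file has no such line. Match blocks are
# not handled; the stock Raspbian config has none.
set_opt() {
  cfg="$1"; key="$2"; val="$3"
  if grep -Eq "^[#[:space:]]*$key([[:space:]]|$)" "$cfg"; then
    sed -i -E "s/^[#[:space:]]*$key([[:space:]].*)?$/$key $val/" "$cfg"
  else
    printf '%s %s\n' "$key" "$val" >> "$cfg"
  fi
}

# harden_sshd_config FILE: key-only authentication, no root login.
harden_sshd_config() {
  cfg="$1"
  set_opt "$cfg" PubkeyAuthentication yes
  set_opt "$cfg" PasswordAuthentication no
  set_opt "$cfg" ChallengeResponseAuthentication no
  set_opt "$cfg" PermitRootLogin no
}

# sshd_opt FILE KEY: the value sshd would use (first uncommented occurrence wins).
sshd_opt() {
  awk -v k="$2" '$1 == k && !found { print $2; found = 1 }' "$1"
}

# demo: apply the hardening to a constructed sample config and show the result.
demo() {
  tmp=$(mktemp)
  cat > "$tmp" <<'EOF'
# Sample lines constructed for this example (not a real sshd_config)
#PermitRootLogin prohibit-password
#PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
EOF
  harden_sshd_config "$tmp"
  echo "PasswordAuthentication is now: $(sshd_opt "$tmp" PasswordAuthentication)"
  echo "PermitRootLogin is now: $(sshd_opt "$tmp" PermitRootLogin)"
  rm -f "$tmp"
}

# With a path argument, harden that file; with none, run the demo.
if [ -n "$1" ]; then harden_sshd_config "$1"; else demo; fi
```

On the Pi, run it as sudo sh harden_sshd.sh /etc/ssh/sshd_config and then sudo systemctl restart ssh; keep the current session open until a second, key-based login succeeds, so a mistake cannot lock you out.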



Additional Resources