Tuesday, 21 June 2016

OpenVPN Server on Debian Jessie

It was time to set up a way of getting secure access to my network while away, and also a secure connection to the Interwebs when away from home; it also means I can watch BBC iPlayer as if I'm at home.

I'm installing this on an old machine running Debian Jessie; it should work on a Raspberry Pi too. The only things I installed during the initial setup process are the standard Debian utilities and the SSH server, so I can do everything remotely.

I've found lots of instructions out there, but the ones from this website were the easiest to follow. I've modified them slightly to make it easier to get at the keys.

First thing is to ensure we are up to date. Let's switch to root for the install (su - or sudo -i) and then:

apt-get update
apt-get upgrade

Time to start installing stuff

apt-get install openvpn easy-rsa

Then copy some example files over to make the job easier

cp -r /usr/share/easy-rsa/ /etc/openvpn
mkdir /etc/openvpn/easy-rsa/keys

Now we edit the certificate variables

nano /etc/openvpn/easy-rsa/vars

# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="changeme"
export KEY_PROVINCE="changeme"
export KEY_CITY="changeme"
export KEY_ORG="example"
export KEY_EMAIL="changeme@example.com"
export KEY_OU="changeme"

# X509 Subject Field
export KEY_NAME="server"

Time to generate the Diffie-Hellman parameters and go and have a coffee; on a Pi this may take some time.

openssl dhparam -out /etc/openvpn/dh2048.pem 2048

Now we make the CA, and then the server certificate and key. The CA step was missing from the instructions as posted but it has to come first: build-key-server signs with the CA, and ca.crt is copied about later on. clean-all wipes the keys directory, so only run it once at the very start. Accept the defaults at the prompts and answer y when asked to sign and commit.

cd /etc/openvpn/easy-rsa
. ./vars
./clean-all
./build-ca
./build-key-server server

The CA private key (keys/ca.key) is what lets anyone mint certificates your server will trust; it never needs to leave this directory, so keep it out of anything you share later.

Let's copy them to where they belong

cp /etc/openvpn/easy-rsa/keys/{server.crt,server.key,ca.crt} /etc/openvpn

Now time to make some changes to the network settings:

echo 1 > /proc/sys/net/ipv4/ip_forward

And let's make the changes permanent with:

nano /etc/sysctl.conf

Look for the following bit:

# Uncomment the next line to enable packet forwarding for IPv4
# net.ipv4.ip_forward=1

Then remove the # from the second line so it looks like this:

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

You can reload it with sysctl -p and check with sysctl net.ipv4.ip_forward, which should print net.ipv4.ip_forward = 1.

Now we make the server config file:

nano /etc/openvpn/server.conf

Paste this lot into the empty file; this will run the VPN server on port 1194. Two values are missing from this page as posted (the address pool on the server line and the DNS server address in the dhcp-option push), so the ones below are placeholders: 10.8.0.0/24 is the subnet from the OpenVPN sample config, and 192.168.1.1 stands for whatever resolver your home network uses (usually the router). Change them to suit.

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
# subnet handed out to clients (placeholder, the original value is missing from this page)
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
# DNS server clients should use while on the VPN (placeholder, the address is missing from this page)
push "dhcp-option DNS 192.168.1.1"
keepalive 10 120
cipher AES-128-CBC
# needed once privileges are dropped below, otherwise the daemon can't restart itself
persist-key
persist-tun
user nobody
group nogroup
status logs/status.log
log-append logs/openvpn.log
verb 3

AES-128-CBC is fine for this, but the defaults it leaves alone are weaker: the HMAC is SHA1 unless you add auth SHA256 (on both ends), and without a tls-auth key (openvpn --genkey --secret ta.key, shared with the clients) anyone who can reach UDP 1194 can start a TLS handshake with your server.

Now we make the log files:

mkdir -p /etc/openvpn/logs
touch /etc/openvpn/logs/{openvpn,status}.log

And let's do some firewall configuration, NATing traffic from the VPN subnet out of eth0. The subnet was missing from the command as posted; use the one your server hands out to clients (10.8.0.0/24 is the OpenVPN sample default, used as a placeholder here) and your real interface name if it isn't eth0:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

This rule is gone after a reboot. Install the iptables-persistent package (it saves the rules to /etc/iptables/rules.v4 and reloads them at boot) or put the command in /etc/rc.local.

Now let's restart the server to put the changes into place:

systemctl restart openvpn@server.service

If it doesn't come up, systemctl status openvpn@server.service and /etc/openvpn/logs/openvpn.log will say why.

Now the original instructions came with a script file to help you create new keys for each user and device. I've changed very little in it; the version below also fixes a few things that were broken in the script as posted (the first two lines and the closing quote of the final message had been lost, the archive was bzip2-compressed but named .tar.gz, and it made every key world-writable).

nano /etc/openvpn/gen-client.sh

Paste this lot in:

#!/bin/bash
# Usage: gen-client.sh <username>
# Makes a client certificate/key with easy-rsa and bundles it with the CA
# certificate into one .ovpn under /etc/openvpn/clients/<username>/
set -e

username="$1"
if [ -z "${username}" ]; then
    echo "usage: $0 <username>" >&2
    exit 1
fi
if [ -e "/etc/openvpn/easy-rsa/keys/${username}.crt" ]; then
    echo "a certificate for ${username} already exists, pick another name" >&2
    exit 1
fi

# Generating key
echo "Generating key for user ${username}"
cd /etc/openvpn/easy-rsa/
source vars && ./pkitool "${username}"
cp /etc/openvpn/clients/.tmp/.tmp.ovpn "/etc/openvpn/clients/.tmp/${username}.ovpn"
echo "Done"

# Print just the PEM part of a file: easy-rsa's .crt files start with a
# human-readable dump of the certificate that must not end up in the .ovpn
pem_block() {
    sed -n "/-----BEGIN .*$2-----/,/-----END .*$2-----/p" "$1"
}

ovpn="/etc/openvpn/clients/.tmp/${username}.ovpn"

# Adding ca certificate to ovpn client configuration file
echo "Adding ca certificate to ovpn client configuration file"
{ echo "<ca>"; pem_block /etc/openvpn/easy-rsa/keys/ca.crt CERTIFICATE; echo "</ca>"; } >> "${ovpn}"
echo "Done"

# Adding user certificate to ovpn client configuration file
echo "Adding user certificate to ovpn client configuration file"
{ echo "<cert>"; pem_block "/etc/openvpn/easy-rsa/keys/${username}.crt" CERTIFICATE; echo "</cert>"; } >> "${ovpn}"
echo "Done"

# Adding user key to ovpn client configuration file (matches both
# "BEGIN PRIVATE KEY" and the older "BEGIN RSA PRIVATE KEY")
echo "Adding user key to ovpn client configuration file"
{ echo "<key>"; pem_block "/etc/openvpn/easy-rsa/keys/${username}.key" "PRIVATE KEY"; echo "</key>"; } >> "${ovpn}"

mkdir -p "/etc/openvpn/clients/${username}"
mv "${ovpn}" "/etc/openvpn/clients/${username}/${username}.ovpn"
cp "/etc/openvpn/easy-rsa/keys/${username}".{crt,key} "/etc/openvpn/clients/${username}"
cp /etc/openvpn/easy-rsa/keys/ca.crt "/etc/openvpn/clients/${username}"

cd /etc/openvpn/clients; tar -zcf "${username}.tar.gz" "${username}/"

# readable by everyone on the box (the guest Samba share needs that) but not writable
chmod -R a+rX /etc/openvpn/clients

echo "Done"

echo "

            Configurations are located in /etc/openvpn/clients/${username}


                        Download friendly version with:

         'scp root@`hostname -f`:/etc/openvpn/clients/${username}.tar.gz .'
"

exit 0

Save it and then make it executable with:

chmod +x /etc/openvpn/gen-client.sh

Next we have to create the template file for this to use:

mkdir -p /etc/openvpn/clients/.tmp/

nano /etc/openvpn/clients/.tmp/.tmp.ovpn

Paste this in, changing example.com to your external IP or server address. The template as posted had no client line; without it OpenVPN neither pulls the server's options nor negotiates as a TLS client, so it is added here along with nobind (otherwise the client also tries to bind its own local port 1194). remote-cert-tls server only works because the server certificate was made with build-key-server, and the cipher must match the one in server.conf.

client
verb 1
dev tun
proto udp
port 1194
nobind
remote example.com 1194 udp
remote-cert-tls server
resolv-retry infinite
cipher AES-128-CBC

Now, let's make some keys:

cd /etc/openvpn/

Replace username with a name for the user or device; I'm going to install this onto an S5 so it will be freds5 or something.

./gen-client.sh username
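Here is an added example in Python (mine, not from the original post or from OpenVPN/easy-rsa) that does two things the steps above rely on. It lints a server.conf and a client .ovpn for the settings a security reviewer would check, and it flags the three things wrong with the server config exactly as posted above: no server line, a dhcp-option DNS push with no address, and a privilege drop without persist-key/persist-tun. It also bundles ca.crt, the user's .crt and .key into a single .ovpn the way gen-client.sh does, but by matching the PEM markers exactly rather than grep -A 100. The certificate and key bodies are constructed dummies, the 10.8.0.0/24 pool and 192.168.1.1 resolver are assumptions, and tls-auth ta.key assumes a key made with openvpn --genkey --secret ta.key.

```python
"""Lint an OpenVPN server.conf / client .ovpn and bundle CA, cert and key inline.
Added example, not from the original post or from OpenVPN/easy-rsa; all PEM
bodies below are constructed dummies, not real certificates or keys."""
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\n.*?\n-----END \1-----", re.S)
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "NONE"}


def parse_conf(text):
    """{directive: [args, ...]}; an inline <tag> block is recorded as directive 'tag'."""
    conf, in_block = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if in_block:                      # skip PEM lines until the closing tag
            if line == f"</{in_block}>":
                in_block = None
            continue
        line = re.split(r"[#;]", line, maxsplit=1)[0].strip()   # drop comments
        if not line:
            continue
        m = re.fullmatch(r"<([a-z-]+)>", line)
        if m:
            in_block = m.group(1)
            conf.setdefault(in_block, []).append(["<inline>"])
            continue
        parts = line.replace('"', "").split()
        conf.setdefault(parts[0], []).append(parts[1:])
    return conf


def lint_server(text):
    """Findings a reviewer would raise on a server.conf; [] means nothing flagged."""
    c, f = parse_conf(text), []
    if "server" not in c and "ifconfig" not in c:
        f.append("no 'server' directive: clients get no address pool")
    pushes = [" ".join(a) for a in c.get("push", [])]
    dns = [p for p in pushes if p.startswith("dhcp-option DNS")]
    if any(p.startswith("redirect-gateway") for p in pushes) and not dns:
        f.append("redirect-gateway pushed but no DNS server: clients lose or leak DNS")
    f += [f"push '{p}' is missing the DNS server address" for p in dns if len(p.split()) < 3]
    if ("user" in c or "group" in c) and not ("persist-key" in c and "persist-tun" in c):
        f.append("user/group set without persist-key and persist-tun: restart after SIGUSR1 fails")
    cipher = c.get("cipher", [["BF-CBC"]])[0][0].upper()       # OpenVPN 2.3 default is BF-CBC
    if cipher in WEAK_CIPHERS:
        f.append(f"weak data-channel cipher {cipher}")
    if "auth" not in c:
        f.append("no 'auth': HMAC defaults to SHA1, set auth SHA256 on both ends")
    if not (set(c) & {"tls-auth", "tls-crypt"}):
        f.append("no tls-auth/tls-crypt: anyone who can reach udp/1194 can start a TLS handshake")
    return f


def lint_client(text):
    """Same idea for the .ovpn handed to users."""
    c, f = parse_conf(text), []
    if "client" not in c and "tls-client" not in c:
        f.append("no 'client': options are not pulled and TLS client mode is off")
    if c.get("remote-cert-tls", [[]])[0][:1] != ["server"]:
        f.append("no 'remote-cert-tls server': any cert from the CA could impersonate the server")
    f += [f"no {t} (file or inline block)" for t in ("ca", "cert", "key") if t not in c]
    return f


def pem_block(text, *labels):
    """Exactly one PEM block with one of `labels`; easy-rsa .crt files carry a text
    dump before the PEM, which gen-client.sh's grep -A 100 only skips by luck."""
    hits = [m.group(0) for m in PEM_RE.finditer(text) if m.group(1) in labels]
    if len(hits) != 1:
        raise ValueError(f"expected one {'/'.join(labels)} block, found {len(hits)}")
    return hits[0]


def build_ovpn(template, ca_pem, cert_pem, key_pem):
    """A single-file .ovpn as gen-client.sh produces, with strict PEM extraction."""
    return "\n".join([template.rstrip("\n"),
                      "<ca>", pem_block(ca_pem, "CERTIFICATE"), "</ca>",
                      "<cert>", pem_block(cert_pem, "CERTIFICATE"), "</cert>",
                      "<key>", pem_block(key_pem, "PRIVATE KEY", "RSA PRIVATE KEY"), "</key>"]) + "\n"


# server.conf as it appears in the post (the lines that matter here)
SERVER_CONF_AS_POSTED = """port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS"
cipher AES-128-CBC
user nobody
group nogroup
"""
# assumed fixes: 10.8.0.0/24 pool, 192.168.1.1 as the home resolver, ta.key from
# `openvpn --genkey --secret ta.key` (clients need the same key with direction 1)
SERVER_CONF_HARDENED = SERVER_CONF_AS_POSTED.replace(
    'push "dhcp-option DNS"', 'push "dhcp-option DNS 192.168.1.1"'
) + "server 10.8.0.0 255.255.255.0\npersist-key\npersist-tun\nauth SHA256\ntls-auth ta.key 0\n"

CLIENT_TEMPLATE = ("client\ndev tun\nproto udp\nnobind\nremote example.com 1194 udp\n"
                   "remote-cert-tls server\ncipher AES-128-CBC\n")
# constructed dummy PEM material laid out like easy-rsa output (note the text dump in the .crt)
FAKE_CA = "-----BEGIN CERTIFICATE-----\nQ0EgZHVtbXk=\n-----END CERTIFICATE-----\n"
FAKE_CRT = "Certificate:\n    Data:\n        Version: 3\n-----BEGIN CERTIFICATE-----\nY2xpZW50\n-----END CERTIFICATE-----\n"
FAKE_KEY = "-----BEGIN PRIVATE KEY-----\nbm90IGEga2V5\n-----END PRIVATE KEY-----\n"


def demo():
    """(findings for the posted conf, findings for the hardened one, bundled .ovpn, its findings)"""
    ovpn = build_ovpn(CLIENT_TEMPLATE, FAKE_CA, FAKE_CRT, FAKE_KEY)
    return lint_server(SERVER_CONF_AS_POSTED), lint_server(SERVER_CONF_HARDENED), ovpn, lint_client(ovpn)


if __name__ == "__main__":
    posted, hardened, ovpn, client_findings = demo()
    print("\n".join(["server.conf as posted:"] + ["  " + x for x in posted]))
    print("hardened server.conf:", hardened, "| bundled client:", client_findings)
```

Run it against your own files with `lint_server(open("/etc/openvpn/server.conf").read())` and `lint_client(open(".../user.ovpn").read())` once the keys are generated; the posted server.conf produces five findings, the hardened one none.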

To make it easy to get the files off the server and onto my device, I've decided to install Samba and set up the client keys folder as a Windows share; here's how.

apt-get install samba samba-common

Once it's finished we edit the Samba config file:

nano /etc/samba/smb.conf

Change the workgroup name at the top of the file and you can also add:

netbios name = servername

under it if you want.

At the bottom add the following. The share name in square brackets was missing from this page; it is just what the share appears as on the network, so call it whatever you like:

[vpnclients]
        path = /etc/openvpn/clients/
        browseable = yes
        public = yes
        writeable = no

Restart the server with:

service smbd restart

Just got to change the folder permissions to make sure we can get the files off:

chmod -R a+rX /etc/openvpn/clients

That makes everything readable (but not writable, which is all a read-only guest share needs; the original used 0777, which is more than it needs). Bear in mind that public = yes means anyone on your LAN can read every client's private key from this share without a password, so copy the files off and then stop Samba or remove the share, and never put easy-rsa/keys/ca.key anywhere near it.

Onto my phone now, I've installed OpenVPN Connect from the play store, then I've copied the files from the Windows share into dropbox, then saved them into a folder on the phone called VPN, you could just install a file browser and do the same.

Then import the .ovpn file into OpenVPN connect and click on connect.

One last thing: make sure you give the server a static IP on your LAN and forward UDP port 1194 on the router to it.

Tuesday, 14 June 2016

The Chevy Fails

The Chevy Aveo managed to do about 65,000 miles with no issues apart from some bushes on the front suspension, some tyres and new brake pads. Then one night, a failure occurred that actually prevented the car from being driven.

The passenger headlight bulb died.

Now this is one area where Chevrolet have really let the side down. The last time I had to change a bulb on a car was on a Renault Laguna, I had to dislocate a couple of fingers and peel a few layers of skin off my hand to replace that bulb. On some of the new Fords, you have to remove the front bumper to replace a bulb, on one French car you have to replace it by going in through the exhaust with a specially designed bulb replacement tool only available from the Albanian spares department on a Thursday afternoon in September and on an Italian car you can only replace the bulb from the passenger seat of a car parked in front of you, providing it's not a blue Vauxhall Astra.

So on the Chevy, I expected to at the very least to have to put the car over a manhole cover and go in from the underneath. But no, on this car you open the bonnet (hood if you're reading this in the colonies), pull a plug off the back of the bulb, remove the waterproof seal, unclip the bulb and put the new one in, you can even use 2 hands.

Honestly, in this day and age you would expect this to be far more complicated, the makers have even put the oil filter at the front in such a position that you can get hold of it easily. What were they thinking?

The whole bulb replacement process should take at least a few hours with specialised tools these days instead of the 5 minutes it took me in the dark.

Come on Chevrolet, get your act together.

Saturday, 16 April 2016

Ubuntu, what's happened

I've used Linux for many years now. I started with Mandrake, then moved onto PCLinuxOS on my desktop with Ubuntu on a laptop, then along came Unity which I initially hated but now find quite good and I can even say that I may prefer it over other desktops. I've had no issues at all with any versions of Ubuntu except for an annoying keyboard one which I've sorted, and Ubuntu 14.04 works quite well on my desktop. Then along came Ubuntu 16.04 which I tested when in alpha build and it worked rather well. I went back to 14.04 for my day to day use until the final beta came out.

It came out, I downloaded it, wrote the image to a USB stick and booted, selected the option to install it and I got a black screen, the activity light on the stick showed it was still doing something. I've tried this with the latest daily build and still the same issue. I can get back to an install screen by adding a line on boot but the thing is I shouldn't have to.

All other versions of Linux install take me to an installer, Debian gives me the wrong resolution but that can be sorted. Only the latest version of a supposedly stable long term release of Ubuntu gives me this problem and I'm not running any strange exotic hardware here either. I know it's an issue with the Radeon graphics card driver and I can't be the only one suffering from this, things like this will stop people in their tracks when trying to install Linux.

Just as an aside, Mint, PCLinuxOS, Fedora and Ubuntu 15.10 all boot to a graphical installer, 16.04 doesn't.

Get it sorted.

Monday, 15 February 2016

Testing Out A New Adaptor

For wildlife shots my 75 to 300mm zoom is just not good enough when things are far away, I really need a 400 or 500mm lens but in the meantime I found a Minolta 35 to 105 zoom on eBay with a Vivitar 1.4x adaptor, I won the auction and thought I'd give things a try at the local Wetlands centre.

One disappointment is that auto focus doesn't work with this lens and adaptor but on the other hand most of the stuff is better using manual focus, especially when there's a bird behind branches.

Looking at the LCD on the camera after taking the shots I wasn't happy but getting on the big screen they seem so much better.

All shots taken were handheld, ISO at 800, the lens at full stretch is 300mm, camera has a crop factor of 1.5 which gives it an effective zoom of 450mm, so with the adaptor that gives about 630mm.

The Sony A390 used may not be the best camera in the world but it really works well and with that amount of cheap lenses available is a brilliant piece of kit.

The Great Crested Grebe was really far away and was just a small speck in the middle of the picture, it's not good but I'm really happy with the quality.