Category Archives: Debian

OpenVPN on Tomato with Android and Linux Clients

I’ve been wanting to do this for a very long time. When away from home I sometimes need access to the systems (or data residing on those systems) back at home. I wanted to set up a secure means to access the machines behind my router’s firewall and one of the most versatile and secure ways to do that is with a Virtual Private Network (VPN). The problem was that this stuff is pretty complicated and even though the open source firmware we run on our router has had a VPN-enabled version available, I’ve been loath to try implementing it.

Well, the garage control system project I was recently working on had a hardware failure such that I could not implement it in the original way intended (until I replace the CAI WebControl board central to it). The board failed in such a way that it would not accept PLC programming but would still respond through the default web interface – which unfortunately is not sufficiently secure to expose to the internet directly. However, we were going away for an extended period and I needed to be able to access it while away. A perfect application for VPN technology, I could keep the “vulnerable” system firewalled behind the router and poke a secure hole through it using the VPN to control it from afar when needed. Just the shove I needed to get going on the VPN!

Curiously enough, in googling, I was able to find various basic tutorials about setting up a Tomato VPN-enabled router (which is Linux based) as a VPN server with Windows clients and creating the certificates and keys on Windows but pretty much nothing simple about doing so with other platforms like mine – Android (again Linux based), Linux and Mac. The ones about setting up a VPN with Linux all seemed to want you doing everything down in the weeds of config files and installing VPN packages on your own server (not a router). Not what I wanted.

The good news for you and me is that I figured out how to get this done with minimal effort and it pretty much worked perfectly on the first try, so I’m writing it up here for future reference and to share with any others following this path. Looking back, it wasn’t that hard but the lack of clear guidance made it all confusing. All that said, here’s some clarity on how to get it done:

Creating Certificates and Keys

On Linux Mint LMDE (Debian Linux) workstation, using Synaptic or another package manager install:
openvpn
easy-rsa

This will install the easy-rsa scripts into
/usr/share/easy-rsa

Taking note of the instructions at http://openvpn.net/index.php/open-source/documentation/howto.html#pki, I did the following:

Copy the easy-rsa files to another location that will persist after package upgrades (note, this location already existed as a result of the openvpn installation and contained the single file update-resolv-conf, so maybe that claim is misleading?) and cd into that directory:
sudo cp -R /usr/share/easy-rsa/* /etc/openvpn/
cd /etc/openvpn

Edited the vars file using vi to set the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL parameters. These were at the bottom of the file for me. From what I can tell, the two email entries are identical but for the quote symbols. I presume the quoted one is meant to be the “real life name”, but nothing I could easily find via google confirmed or contradicted this – so I just set them both to the same address.

export KEY_COUNTRY="US"
export KEY_PROVINCE="MA"
export KEY_CITY="MyCity"
export KEY_ORG="My ORG Name"
export KEY_EMAIL="vpn_contact@myDomain.com"
export KEY_EMAIL=vpn_contact@myDomain.com

I then completed the rest of the steps at the above link using root/sudo privileges, creating the certificate authority, server certificate and key and then the client certificates and keys. What I found online was not very informative on this point, but the Common Name (CN) must be entered each time you build these items and should be varied so as to be descriptive. So, for each command:

./build-ca
For this I specified my own name as the Common Name (I’m my own certificate authority) and it generated two files, ca.crt and ca.key (note, these are not named after the Common Name given, unlike the following).

./build-key-server ServerName
I gave my intended VPN server name as the ServerName which it then used as the Common Name and generated ServerName.crt, ServerName.csr, ServerName.key plus a 01.pem file and changed the index.txt and serial files in the keys directory.
NOTE: here I also encountered something different from what is laid out at the above URL; for each key it asked me for:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
which I simply pressed Enter through (I presume to set them as blank, as no password was later asked for).

./build-key ClientNameHere
I gave unique descriptive names for each client and it created similar files to the server ones above, named per the client names I gave, created sequentially numbered pem files and updated the index.txt and serial files.

./build-dh
Returned Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
(But it didn’t – it was less than 5 seconds on my main Linux 64 bit workstation)

In the Arch Linux wiki entry for EasyRSA it stated that there was a need to convert the server certificate to an encrypted .p12 format for use on Android. I found this to not be needed, using the OpenVPN for Android client from the Google Play Store.

In order to provide additional TLS security and to protect against potential denial of service attacks against my router/VPN server I also set up an HMAC signature:
openvpn --genkey --secret ta.key
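The ta.key generated above is a 2048-bit static key that OpenVPN uses to HMAC every control-channel packet, so that packets without a valid tag are dropped before any TLS work is done. The following is an added example, not code from the post or from OpenVPN itself: it writes a key file in the same layout as openvpn --genkey (constructed here with random bytes), parses it back, splits out the per-direction HMAC keys, and shows a tag check accepting a genuine packet while rejecting a tampered one, one made with an unrelated key, and one checked with the wrong direction’s key. Assumptions: the key layout follows OpenVPN’s two-halves structure (64 bytes of cipher key followed by 64 bytes of HMAC key per half, direction 0 sending with half 0), the HMAC is SHA-1 with a 20-byte key, and the packet framing is simplified to tag followed by payload (real OpenVPN control packets also put an opcode, packet-id and timestamp under the HMAC).

```python
"""Added example: OpenVPN static key (ta.key) parsing and the tls-auth HMAC gate.

Not the post's or OpenVPN's code. Assumptions (labelled): key layout is two
128-byte halves of cipher[64] || hmac[64]; direction 0 (server) sends with
half 0 and receives with half 1, direction 1 (client) the reverse; the HMAC
is SHA-1 keyed with the first 20 bytes of the hmac field; packets are
simplified to tag || payload.
"""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

BEGIN = "-----BEGIN OpenVPN Static key V1-----"
END = "-----END OpenVPN Static key V1-----"
KEY_BYTES = 256      # 2048-bit static key
HALF = 128           # one direction's cipher + hmac material
CIPHER_LEN = 64      # cipher key bytes preceding the hmac bytes in each half
HMAC_KEY_LEN = 20    # SHA-1 HMAC key length
TAG_LEN = 20         # SHA-1 digest length


def generate_static_key_file() -> str:
    """Constructed key file in the same layout as `openvpn --genkey --secret`."""
    raw = secrets.token_bytes(KEY_BYTES).hex()
    lines = ["#", "# 2048 bit OpenVPN static key", "#", BEGIN]
    lines += [raw[i:i + 32] for i in range(0, len(raw), 32)]  # 16 lines of 32 hex chars
    lines.append(END)
    return "\n".join(lines) + "\n"


def parse_static_key_file(text: str) -> bytes:
    """Return the 256 key bytes; reject comment-only, truncated or padded files."""
    body, inside = [], False
    for line in text.splitlines():
        line = line.strip()
        if line == BEGIN:
            inside = True
        elif line == END:
            inside = False
        elif inside and line and not line.startswith("#"):
            body.append(line)
    key = bytes.fromhex("".join(body))
    if len(key) != KEY_BYTES:
        raise ValueError(f"expected {KEY_BYTES} key bytes, got {len(key)}")
    return key


def _hmac_key(half: bytes) -> bytes:
    return half[CIPHER_LEN:CIPHER_LEN + HMAC_KEY_LEN]


def hmac_keys(key: bytes, direction: int) -> Tuple[bytes, bytes]:
    """(send_key, recv_key) for key-direction 0 (server) or 1 (client)."""
    if direction not in (0, 1):
        raise ValueError("direction must be 0 or 1")
    halves = (key[:HALF], key[HALF:])
    return _hmac_key(halves[direction]), _hmac_key(halves[1 - direction])


def seal(payload: bytes, send_key: bytes) -> bytes:
    """Prefix the payload with its HMAC-SHA1 tag (simplified framing)."""
    return hmac.new(send_key, payload, hashlib.sha1).digest() + payload


def open_packet(packet: bytes, recv_key: bytes) -> Optional[bytes]:
    """Return the payload if the tag verifies, else None (the packet is dropped)."""
    if len(packet) < TAG_LEN:
        return None
    tag, payload = packet[:TAG_LEN], packet[TAG_LEN:]
    expected = hmac.new(recv_key, payload, hashlib.sha1).digest()
    return payload if hmac.compare_digest(tag, expected) else None


def demo() -> dict:
    """Client -> server exchange: only the correctly keyed, untampered packet passes."""
    ta = parse_static_key_file(generate_static_key_file())
    _server_send, server_recv = hmac_keys(ta, 0)
    client_send, client_recv = hmac_keys(ta, 1)
    pkt = seal(b"P_CONTROL_HARD_RESET_CLIENT_V2", client_send)
    tampered = pkt[:-1] + bytes([pkt[-1] ^ 0x01])          # flip one payload bit
    stranger = seal(b"hello", secrets.token_bytes(HMAC_KEY_LEN))  # no ta.key at all
    return {
        "accepted": open_packet(pkt, server_recv),
        "tampered": open_packet(tampered, server_recv),
        "unkeyed": open_packet(stranger, server_recv),
        "wrong_direction": open_packet(pkt, client_recv),
    }


if __name__ == "__main__":
    print(demo())
```

The direction split is why the Tomato server and the clients must be configured with opposite key-direction values when tls-auth is enabled; with the same direction on both ends every packet fails the check above.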

Setting the server and clients up…

As I created all the certificates, keys, etc. on my main Debian workstation, I needed to transfer those files to the associated machines. First I used my browser and the Tomato-powered router (VPN server) web interface to set up the VPN server following the info here *except* for using TUN instead of TAP. Installing Tomato is covered in my other blog post. Here are screenshots of my settings:
Tomato-Version
Tomato-VPN-Basic
Tomato-VPN-Advanced
Tomato-VPN-Keys
Tomato-VPN-Status

Connecting with a Linux machine. I then set up the test client on my Mint LMDE/Debian laptop following the leads at https://support.hidemyass.com/hc/en-us/articles/202721596-OpenVPN-Setup-with-Network-manager-on-Linux-Mint-Mate , which dragged along a bunch of other required packages including openvpn, easy-rsa, etc. I imported the certificates and keys when setting up the VPN connection using NetworkManager. Trying to connect via this initially failed. I thought this might be because I was on my home network at the time, so I proceeded to set up my phone as a client to see if I could use the cellular network to test outside access.

Connecting via Android. I installed OpenVPN for Android from the Google Play store onto my cell phone. Copied over the certs and keys to my phone using USB cable and set up the connection in the app. Took a bit of twiddling to figure out where everything went and which boxes to check, but it connected quickly once set up. Could access private resources behind the router firewall now! I went on to set up my Android tablet with the same app.

Connecting from an Outside Network. Brought my phone, Linux laptop and Android tablet for a drive to find an available Xfinity Wi-Fi connection. Tried each client to access the VPN once connected to some poor folks’ wireless access point (why folks stand for Comcast doing this, I don’t know), and they all connected quickly and could access my Garage Control System web interface on my home network… success!

Note that in none of these set-ups did I need to edit or create any configuration files manually on the clients or server, despite lots of other tutorials making great points of this! It appears each of the OpenVPN server and client implementations I used took care of this for me.

The only bit of weirdness is that I cannot figure how to directly disconnect from the VPN using NetworkManager under MATE desktop on my Linux laptop. I can disconnect the VPN by dropping the wireless connection overall. There should be a “Disconnect VPN” option within NetworkManager but I don’t see it on my laptop when I’m connected (it is there when I’m not!). But that’s a (minor) problem for another day.

I’ve found the disconnect option in the VPN menu under NetworkManager and that can be used to drop the VPN connection. The Android clients have a connection status entry in the notifications list which provides a disconnect option once clicked on. All good to go now!

gLabels Avery 5167 Template Problem

Was having trouble printing some 5167 Return Address labels using gLabels. The alignment was significantly off in my set-up using the default predefined template installed with gLabels on my Linux Mint LMDE netbook.

In comparing the template definition file with the stock measurements I found several things to be off slightly. In addition, my Samsung ML-2851ND laser printer appeared to be shifting the page image a bit also.

I created a custom template, adjusted for what I was experiencing, and now I can print consistent, cleanly formatted labels within the stock outlines. Should you be experiencing similar issues, you could use my custom 5167 template. Just save it into a file named your_filename_here.template in the location set by your distribution (for Linux Mint LMDE, I discovered that was ~/.config/libglabels/templates).

BTW, should you need to customize the template further, see this documentation.

Good luck!

Recovery of Files from an Unbootable VirtualBox VDI

I do most everything computer-wise with open source software, but the one hold out remaining that requires the use of a proprietary OS is TurboTax. As a result, TT ran in a Windows XP virtual machine under VirtualBox on my Linux desktop. Unfortunately, after completing our most recent return, I got a little excited to do some basic housekeeping and tried to merge snapshots from the VM in order to save some disk space. The attempt at merging snapshots resulted in an error being reported by VirtualBox that basically amounted to “you’re really screwed, buddy” but put in much geekier terms with a bits and bytes error code. A later attempt to re-merge or boot the VM again did not work. The virtual machine claimed that key Windows files (like the kernel) were not available. Argh!

OK, so I’m usually pretty careful and save off critical files from the Windows VM to the Linux host. I sadly did not do that for the very-last-as-filed TurboTax working file (I had an interim copy from several hours earlier but I know we made changes later). Had the pdf copies of our returns but not the final version of the .tax2011 file, which normally copies over key details to our next year’s return. And of course, hadn’t yet set up SpiderOak to backup the files from within the VM to the cloud. Double argh!

As the VM would not boot, I tried various alternative boot scenarios to get at the files but none of them worked, using either a Windows install CD or a Linux live CD image within the VM. Furious Googling finally turned up a useful working solution to allow access to the files on the Virtual Disk Image (VDI) associated with the VM. I was then able to copy out the files needed from within the virtual Windows environment to native Linux file storage. Phew, dodged that bullet! Here’s what I did under Linux Mint LMDE 64-bit to get access and then clean up afterwards:

Install Required Packages
Using Synaptic, installed the qemu-utils package, which dragged along a bunch of dependency packages.
bridge-utils (1.5-6)
ipxe-qemu (1.0.0+git-20120202.f6840ba-3)
libaio1 (0.3.109-4)
libiscsi1 (1.4.0-3)
libspice-server1 (0.12.4-0nocelt1)
libusbredirparser0 (0.4.3-2)
libvdeplug2 (2.3.2-4)
qemu-keymaps (1.1.2+dfsg-6a)
qemu-kvm (1.1.2+dfsg-6)
qemu-utils (1.1.2+dfsg-6a)
seabios (1.7.3-1)
sharutils (1:4.11.1-2)
vgabios (0.7a-3)

Gain Access to the Disk Image
Within a terminal window, executed the following commands:
lsmod | grep -i nbd
Nothing was returned, so the nbd module was not loaded already. Loaded it:
sudo modprobe nbd max_part=16
Run qemu-nbd to expose the entire unbootable image as a block device named /dev/nbd0, and the partitions within it as subdevices.
sudo qemu-nbd -c /dev/nbd0 WinXP_VirtualBox.vdi
The referenced blog posting/commentary said to issue a partprobe command, but I got an error about it not being available and didn’t seem to need it as the partitions were visible without it. Could see this by:
ls -l /dev/nbd*
To determine partition details:
sudo fdisk /dev/nbd0
and press p
This revealed the desired Windows NTFS partition from the virtual disk:
Disk /dev/nbd0: 10.7 GB, 10737418240 bytes
255 heads, 63 sectors/track, 1305 cylinders, total 20971520 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0xdc94dc94

Device Boot Start End Blocks Id System
/dev/nbd0p1 * 63 20948759 10474348+ 7 HPFS/NTFS/exFAT

Access and Copy Off Files
OK, so create a mount point for the virtual disk and mount it READ ONLY:
cd /
sudo mkdir RECOVER
sudo mount -t ntfs -r /dev/nbd0p1 /RECOVER

Finally I could look at that mount point and recover the files:
cd /RECOVER/
cp -p FILES_TO_RECOVER /final/linux/resting/place/
(replace FILES_TO_RECOVER with the files or directories you need and the destination with your own path)

Cleaning Up
Once I got all that I needed off the VDI, unmounted the image and shut down the qemu-nbd service:
sudo umount /RECOVER
sudo qemu-nbd -d /dev/nbd0
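Before mounting, it is worth confirming from the fdisk listing that the partition you are about to attach really is the NTFS one and working out its byte offset, which is also what you need if the /dev/nbd0pN sub-devices do not show up (the post mentions partprobe being unavailable). The following is an added example, not code from the post: it parses the fdisk output shown above (embedded here as a constant), reports each partition’s byte offset and size, and builds the read-only mount command plus a fallback that attaches the partition through a read-only loop device with losetup --offset/--sizelimit. The mount point /RECOVER and the device /dev/nbd0 are the post’s; everything else is assumed for illustration.

```python
"""Added example (not from the post): parse `fdisk` output for a VDI exposed via
qemu-nbd, pick the NTFS partition, and derive read-only mount commands.

SAMPLE_FDISK is the listing shown in the post; the parser handles any number
of MBR partition rows in that format.
"""
import re
from typing import Dict, List

SAMPLE_FDISK = """Disk /dev/nbd0: 10.7 GB, 10737418240 bytes
255 heads, 63 sectors/track, 1305 cylinders, total 20971520 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0xdc94dc94

Device Boot Start End Blocks Id System
/dev/nbd0p1 * 63 20948759 10474348+ 7 HPFS/NTFS/exFAT
"""

NTFS_TYPE_IDS = {"7"}  # MBR partition type 0x07 = HPFS/NTFS/exFAT

# "/dev/nbd0p1 * 63 20948759 10474348+ 7 HPFS/NTFS/exFAT"; the boot flag is optional
_PART_RE = re.compile(
    r"^(?P<dev>/dev/\S+)\s+(?:(?P<boot>\*)\s+)?(?P<start>\d+)\s+(?P<end>\d+)\s+"
    r"(?P<blocks>\d+)\+?\s+(?P<id>[0-9a-fA-F]+)\s+(?P<system>.+?)\s*$"
)
_SECTOR_RE = re.compile(r"Sector size \(logical/physical\):\s*(\d+) bytes")


def parse_fdisk(text: str) -> List[Dict]:
    """Return one dict per partition row with byte offset and size filled in."""
    m = _SECTOR_RE.search(text)
    sector = int(m.group(1)) if m else 512
    parts = []
    for line in text.splitlines():
        pm = _PART_RE.match(line.strip())
        if not pm:
            continue
        start, end = int(pm["start"]), int(pm["end"])
        sectors = end - start + 1
        parts.append({
            "device": pm["dev"],
            "bootable": pm["boot"] == "*",
            "start": start,
            "end": end,
            "sectors": sectors,
            "offset_bytes": start * sector,
            "size_bytes": sectors * sector,
            "type_id": pm["id"].lower(),
            "system": pm["system"],
        })
    return parts


def ntfs_partitions(text: str) -> List[Dict]:
    return [p for p in parse_fdisk(text) if p["type_id"] in NTFS_TYPE_IDS]


def mount_command(part: Dict, mountpoint: str = "/RECOVER") -> str:
    """Read-only NTFS mount of the partition sub-device, as in the post."""
    return f"sudo mount -t ntfs -o ro {part['device']} {mountpoint}"


def fallback_commands(part: Dict, whole_disk: str = "/dev/nbd0",
                      mountpoint: str = "/RECOVER") -> List[str]:
    """If /dev/nbd0pN never appears: attach just the partition's byte range
    as a read-only loop device, then mount that (assumed fallback, not from the post)."""
    return [
        f"sudo losetup --find --show --read-only "
        f"--offset={part['offset_bytes']} --sizelimit={part['size_bytes']} {whole_disk}",
        f"sudo mount -t ntfs -o ro /dev/loopN {mountpoint}   # loopN = device printed above",
    ]


if __name__ == "__main__":
    for p in ntfs_partitions(SAMPLE_FDISK):
        print(f"{p['device']}: offset {p['offset_bytes']} bytes, size {p['size_bytes']} bytes")
        print(mount_command(p))
        print("\n".join(fallback_commands(p)))
```

The size check is a cheap sanity test against fdisk’s own Blocks column: 10474348+ 1 KiB blocks is 20948697 sectors, which is what the parser computes from Start and End.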

Then used Synaptic to remove all the qemu packages I’d just installed, to prevent the accretion of bloat hopefully never needed again. I’m trying to keep this Mint LMDE install tidy and avoid an OS reinstall for a good long time!

Train Firefox mailto: to use Google Apps – Take 2

In a prior post I’d detailed the method of using a javascript entry to add an external mail resource to allow clicking on mailto: links to use the Google Apps version of gmail. Unfortunately, when I tried to repeat that method on my newly reloaded Netbook running Linux Mint LMDE with the default Firefox 20, it didn’t work. I’d enter the javascript string in the browser URL bar but nothing happened this time. I wonder if it had something to do with copying the text from my prior blog post and it not containing a proper html entity for the ampersand (‘&’) character, but I found another way to fix it anyway that’s a little more geeky but actually easier to do, as there’s no about:config action required.

My solution was to track down where these options are set and then manually edit the mimetypes.rdf file in the user’s firefox profile folder with all instances of Firefox closed. Enabling the Google Apps selection required adding both a
NC:possibleApplication RDF:resource= and a
RDF:Description RDF:about="urn:handler:web:
entry. Once completed, the agent was selectable in the preference Applications setting and worked properly for me.

Here’s the entries I made (NOTE: replace veino.com in the below with your own Google Apps domain):

Find
<RDF:Description RDF:about="urn:scheme:handler:mailto"
and add the following above the other similar entries beneath it:
<NC:possibleApplication RDF:resource="urn:handler:web:https://mail.google.com/a/veino.com/mail/?extsrc=mailto&amp;url=%s"/>

Find <RDF:Description RDF:about="urn:handler:web:https://mail.google.com/mail/?extsrc=mailto&amp;url=%s"
and add below that entry the following:
<RDF:Description RDF:about="urn:handler:web:https://mail.google.com/a/veino.com/mail/?extsrc=mailto&amp;url=%s"
NC:prettyName="veino.com email thru Gmail"
NC:uriTemplate="https://mail.google.com/a/veino.com/mail/?extsrc=mailto&amp;url=%s" />
(note the ampersand in the URL must be written as &amp; inside the XML attribute values, or Firefox will not parse the file)

Restart Firefox and change your application preferences for mailto: links to use the new agent and you’re all set.
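Hand-editing an RDF file is where the ampersand escaping goes wrong, which is likely what broke the copy-pasted javascript: method mentioned above. The following is an added example, not code from the post or from Mozilla: it makes the same two edits with Python’s XML parser, so the & in the handler URL is always serialised as &amp;, and it refuses to add the handler twice. The sample file is a constructed, minimal mimetypes.rdf containing only the stock Gmail handler; the RDF and NC namespace URIs are the standard Mozilla ones, and the domain is a placeholder. This applies to the RDF-era profile file the post describes (Firefox 20), not to later profiles.

```python
"""Added example (not from the post): XML-safe editing of Firefox's mimetypes.rdf
to register a Google Apps domain as a mailto: web handler.

SAMPLE_MIMETYPES_RDF is constructed for this example (stock Gmail handler only).
"""
import xml.etree.ElementTree as ET

RDF = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
NC = "http://home.netscape.com/NC-rdf#"
ET.register_namespace("RDF", RDF)   # keep Firefox's prefixes on output
ET.register_namespace("NC", NC)

SCHEME_ABOUT = "urn:scheme:handler:mailto"

SAMPLE_MIMETYPES_RDF = """<?xml version="1.0"?>
<RDF:RDF xmlns:NC="http://home.netscape.com/NC-rdf#"
         xmlns:RDF="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
  <RDF:Description RDF:about="urn:scheme:handler:mailto" NC:alwaysAsk="false">
    <NC:possibleApplication RDF:resource="urn:handler:web:https://mail.google.com/mail/?extsrc=mailto&amp;url=%s"/>
  </RDF:Description>
  <RDF:Description RDF:about="urn:handler:web:https://mail.google.com/mail/?extsrc=mailto&amp;url=%s"
                   NC:prettyName="Gmail"
                   NC:uriTemplate="https://mail.google.com/mail/?extsrc=mailto&amp;url=%s" />
</RDF:RDF>
"""


def handler_template(domain: str) -> str:
    """The Google Apps mailto template from the post, with the domain substituted."""
    return f"https://mail.google.com/a/{domain}/mail/?extsrc=mailto&url=%s"


def add_google_apps_handler(xml_text: str, domain: str) -> str:
    """Return the file with the domain's handler added (unchanged if already present)."""
    root = ET.fromstring(xml_text)
    template = handler_template(domain)
    urn = "urn:handler:web:" + template
    scheme = None
    for desc in root.findall(f"{{{RDF}}}Description"):
        about = desc.get(f"{{{RDF}}}about")
        if about == urn:
            return xml_text            # already registered: do nothing
        if about == SCHEME_ABOUT:
            scheme = desc
    if scheme is None:
        raise ValueError("no urn:scheme:handler:mailto entry in file")
    # 1. list the new handler as a possible application for mailto:, above the others
    app = ET.Element(f"{{{NC}}}possibleApplication", {f"{{{RDF}}}resource": urn})
    scheme.insert(0, app)
    # 2. describe the handler itself (pretty name + URI template)
    ET.SubElement(root, f"{{{RDF}}}Description", {
        f"{{{RDF}}}about": urn,
        f"{{{NC}}}prettyName": f"{domain} email thru Gmail",
        f"{{{NC}}}uriTemplate": template,
    })
    return '<?xml version="1.0"?>\n' + ET.tostring(root, encoding="unicode") + "\n"


def list_mailto_handlers(xml_text: str):
    """Resources listed under the mailto: scheme, in file order."""
    root = ET.fromstring(xml_text)
    for desc in root.findall(f"{{{RDF}}}Description"):
        if desc.get(f"{{{RDF}}}about") == SCHEME_ABOUT:
            return [a.get(f"{{{RDF}}}resource")
                    for a in desc.findall(f"{{{NC}}}possibleApplication")]
    return []


if __name__ == "__main__":
    print(add_google_apps_handler(SAMPLE_MIMETYPES_RDF, "example.com"))
```

Run it against a copy of the real file with Firefox closed, check the output parses, and only then replace the original; the parse step is what catches a stray raw ampersand before Firefox silently ignores the whole file.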

Password and Files Encryption/Sync/Backup: Gettin ‘er Done!

One of my to-do list items for quite some time now has been to get my computer files organized and to set up automated backup and synchronization across my computing devices.

I’d kept putting this one off because I wanted to deal with some foundational issues first:

  • pruning down my files and eliminating duplicates both within my desktop machine’s file system as well as with my netbook’s files
  • selecting a sync solution
  • converting my password safe from my former J-Pilot/Palm solution
  • etc.

I did a ton of research and would get close to doing something then another priority would take charge and it would get put on the back burner again. Well, in recent months I’ve finally selected and put in place several needed building blocks:

  • Password Sync: originally I’d selected KeePassX but I then looked further into LastPass, which does much the same thing and has many more features bundled in – the key one being a native cloud sync and backup capability for all our passwords. Works on effectively every platform I would ever consider including my Debian (Linux Mint Debian Edition) and Linux Mint machines, my wife’s Mac and a possible future smart phone/tablet, etc. Firefox, Safari, Chrome, etc. all supported! Done on my machines, pending on the Mac (which got KeePassX in the interim). [Update 1 Jan 2014: Mac is finally done, had to update OS X to enable Safari to update to a version supported by LastPass. I’m not a Mac expert and it is just different enough from Linux/Unix that I had to figure a bit out.] Use my referral code and we’ll both get a free month of LastPass Premium! https://lastpass.com/f?2884566
  • File Sync and Cloud Backup: I selected SpiderOak because of great cross-platform support. Think of it as Dropbox but with built-in cloud encryption so no worries about the files being compromised on the server/network. I’d considered rolling my own solution using a power-sipping always-on Linux ARM-based device with rsync and/or a PogoPlug but realized SpiderOak did what I needed in much easier fashion. Done on my desktop, pending on the others.
  • Local File Encryption: Protecting our sensitive files in case of having a machine fall into someone else’s possession. I selected TrueCrypt because of (getting to sound like a broken record?) similar excellent cross-platform support. I’d considered other solutions including the built-in Windows, Linux and Mac filesystem encryption options, but what I wanted was a single solution that would work with all of them plus enable syncing the secured files across all our devices using SpiderOak. The kicker for me was when I figured out that what really required the local protection of encryption was actually quite small compared to our number of overall files – I don’t care if someone finds out what I paid for our gas bill or my various basic correspondence, yet our financial account details, tax records and similar would need protection (these files end up taking well under a Gig of space). Remember, LastPass protects all our passwords separately. Done on my desktop, others pending.

The best part of all this is that every one of these solutions is free for the basic features we need and they all work across all the machines we have and anticipate being interested in at any point in the future. If/when we grow to need additional features or capacity, they are priced quite attractively (SpiderOak and LastPass). TrueCrypt is totally free for all features. Most are open source too.

Once I realized the amount of encrypted storage required was so small, my interest in consolidating and eliminating file duplicates became a nice-to-have vs. a need (I had previously been concerned that syncing a large TrueCrypt volume over the internet would be a significant performance issue). Getting to a secure solution was more important and a brief scare when I left my netbook behind at a public dance a few weeks ago (with several financial files on it) pushed me to make that part happen sooner rather than later.

Getting a NewEgg mailing with a Shell Shocker special on a 500GB hybrid (solid state and conventional platter) drive for under $80 put the final bit in place – now my netbook could have more space than my total desktop disks, so it would all fit as is without further winnowing. And with the SSD portion of the new drive used as OS and program storage, the machine promises to scream along compared to before and last a lot longer on battery power.

In order to make this solution the best it can be, my first major consolidating step will be to start over with a totally fresh install of the latest Linux Mint Debian Edition (LMDE) with the new disk on my Asus EeePC 1000HA and then layer in the individual pieces as described above. I’m starting on that work now and will post more when done.

I’m excited to have this work finally coming to fruition! After my netbook is done, I’ll be moving on to finishing the same things on my desktop machine and my wife’s Mac (after a required Snow Leopard update there – to update Safari – to support LastPass). Wish me luck!

Palm GnuKeyring Conversion to KeepassX

I was a very early user of the original PalmPilot device. Way back when I actually had the PalmPersonal syncing with my ’90s era Sun Microsystems SPARCstation 4 work calendar and email, etc. I eventually moved on to a Treo90 which I think was the optimal personal organizer of its era (I ended up owning three of them over time, ultimately).

Sadly, the Palm solution no longer is feasible, even under Linux. The deal breaker for me was the lack of being able to dependably sync my google-based calendar, etc. with the Palm. So time to move on, which I did for most everything, but…

I had been using J-Pilot’s Keyring plug-in to manage my set of passwords – I hung on to this handy tool until I finally became unable to use J-Pilot to sync via USB with my Treo and was forced to manually sync my password info across my desktop and netbook. Enough became enough!

Research discovered that the excellent Windows application KeePass had been ported/reinvented for Linux, Mac (and even Win) as KeePassX. As a free open source application with excellent encryption, it was an obvious solution to fit my Linux-based environment (and my wife’s Mac). A side benefit was that there was even a KeePass version available for my J2ME-based mobile phone, so the Palm-type “on hand at all times” capability could be available once more. All these versions could work from the same password database file format, so syncing a file across them would enable the info to be always up to date anywhere I would be!

My final concern was how to get my all my existing Keyring data into that KeepassX solution. Well it turns out that someone else named Wouter blazed my trail there through a similar migration and it only required minor changes to work perfectly for me. Here’s what I did to modify Wouter’s method to suit my needs.

Note: when Wouter refers to extracting the file saxon.jar from the Saxon downloaded zip file, the actual file name is saxon9.jar. Also the Jochen Hoenicke conduit to export the Keyring file to XML is actually named export.jar, not xmlexport.jar as in Wouter’s command line.

So I gathered all the files into the working directory as Wouter recommended. I then executed the (modified) command line
java -jar export.jar Keys-Gtkr.pdb MY-KEYRING-PASSWORD-HERE > keyring.xml
which created the keyring.xml file.

I paused here to go into the XML file and make edits as required to clean up my old Keyring data, as it was much faster to do it here in bulk rather than the one-record-at-a-time editing that would be possible in the KeepassX GUI application. For instance, in Keyring there was no dedicated URL field like in KeepassX, so I had put them all in a notes field before. Now I moved them all over to the dedicated field. In other places I had comments in the user name or password fields, but these totally screw up the Autotype function in KeepassX, so I moved or deleted them. Once this was done I could move on to the next step from Wouter.

I executed
java -jar saxon9.jar -xsl:keyring-to-keypassx.xsl -s:keyring.xml -o:keypassx.xml
to create the final KeepassX XML import file. This was then able to be opened in KeepassX successfully with all my data in the categories I had originally set up, etc. Great stuff – thanks, Wouter!

Next step is to get KeepassX installed on my other machines and set up a Dropbox or similar synch mechanism to keep them all aligned automagically. That will have to wait for tomorrow!

Linphone: a VOIP Softphone for Linux (and others)

In an earlier blog post I mentioned I was using Twinkle as a softphone client for my VOIP service from Galaxyvoice (GV). As I also mentioned in this entry I’ve now switched my netbook over to a Debian Linux. I’d not yet got around to (re-)installing a VOIP client on the renewed EeePC. So when I saw that GV was now recommending something called Linphone, which seemed to be very cross-platform (Win, Lin, Mac, Android, etc.), I decided to check it out.

Turns out Linphone is available in the Debian repository, so it was a trivial task to install via Synaptic. As GV recommended Linphone, they also provided account settings info, so about 3 minutes later I was making my first call from the netbook – worked great!

I’ve not yet tried out the video calling, but the camera preview looks smooth and lag-free so I expect it will be great as well.

I recommend you check out Linphone!

Linux Mint Debian Edition (LMDE) on an Asus EeePC 1000HA

I’m a long time user of UNIX-based computers and have been using Linux exclusively for my primary computing for close to 10 years now. For the past couple of years Linux Mint has become my favorite distribution for desktop and laptop use.

This EeePC netbook had been running Eeebuntu Linux, which was fantastic. Eeebuntu 3.0 was based on Ubuntu 9.04 and Debian Unstable. Built with customization to various packages and a modified kernel it provided support to this netbook that was a perfect fit. That project enabled all the function keys to work and had outstanding power management that kept the machine running on battery for extended use.

Sadly, the Eeebuntu project seems to have broken down as they pursued new goals. IMHO they lost direction and got sidetracked with developing a fancy website for their proposed new release and expanding their project’s scope significantly. In the end this stalled any real end-user progress. In the mean time the old Eeebuntu became outdated and, being based on Ubuntu 9.04, stopped getting any updates. So things like Flash stopped working, etc. I waited as long as I could for their new release, but needed to move on.

Getting tired of the need for repeated reinstalls required by both Windows and Ubuntu-based Linux, I became very interested in Debian Linux. Debian is a rolling release, meaning updated software is available regularly for your existing installation. In practice, this means a software environment that should never require reinstallation but will still keep up with application development! And Linux Mint happened to announce the availability of a version based on Debian (called LMDE)… this gave me the push needed to give Debian a go on this netbook.

So I installed the latest available image of LMDE on my Eeepc in Fall 2011 from a USB stick. Everything went smoothly, no real hiccups at all. There was a minor issue with a package due to an upstream Debian problem which was fixed by marking one package to not update (this was covered in a note on the LMDE page). When installed, I had a good working system with most of the standard function keys working – the machine was totally usable but the dedicated keys for webcam switching, etc. did not operate (unlike how they had under Eeebuntu) and the power management was not tuned for battery preservation.

Luckily one of the former Eeebuntu developers (Andrew Wyatt, a.k.a. fewt) has made available an applet for power management of EeePCs (and other machines) that could be installed. Called Jupiter, it allows switching the CPU to one of three power scaling modes automatically on power events, enabling much longer battery life. It has other functions as well including video mode/external monitor selection and touchpad control.

The combination of LMDE and Jupiter have become a great solution for this netbook and I look forward to using them together for a long, long time to come!