Tag Archives: security

Creating OpenVPN .ovpn Files for Android (Any?) Clients

In another post I cover setting up an OpenVPN server on a Tomato powered router and making client connections to that server.

In setting up a new phone, I see the OpenVPN for Android app will now import yourVPNclient.ovpn files (much easier than transferring and importing the separate key and cert components as covered in my prior post). It took a bit of Googling to find out how to create the .ovpn files, but now that I’ve found the file format, setting one up turns out to be a piece of cake. Here’s the template:


client
proto udp
remote your.openvpnserver.url.net
port 1194
dev tun
nobind                 # let the OS pick the local port instead of binding to one

key-direction 1        # client side of the tls-auth key; the server uses direction 0

<ca>
-----BEGIN CERTIFICATE-----
# insert base64 blob from ca.crt
-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----
# insert base64 blob from client1.crt
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN PRIVATE KEY-----
# insert base64 blob from client1.key
-----END PRIVATE KEY-----
</key>

<tls-auth>
-----BEGIN OpenVPN Static key V1-----
# insert ta.key
-----END OpenVPN Static key V1-----
</tls-auth>

I edited the “remote” directive to point to my VPN (router’s) dynamic DNS address and then copied the specified parts of the files from the /etc/openvpn directory, as created in my prior post, into this template. I then saved the consolidated file as myserver+clientname.ovpn.txt on my Linux box.

Why the *.txt extension? Because otherwise the Bluetooth file transfer from my desktop Linux box to my phone would fail (unsupported file type). Text file transfer is supported; .ovpn apparently is not.

I then simply renamed the file on my Android phone to drop the .txt suffix and imported the resulting file in the OpenVPN for Android app (it turns out you can leave it, but the app will include that text in the connection name by default, so I now simply cut it there). I still needed to go through and set some options properly in the app to match my server config (LZO, persistent TUN, etc.), but the heavy lifting was already done.

Connected successfully on my first try! I see no reason why the same file setup would not work in NetworkManager on Linux or some other client, but I haven’t tried it myself. Good luck!
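The copy-and-paste assembly described above, as an added example script that is not part of the original post. It assumes the easy-rsa file names used in the post (ca.crt, client1.crt, client1.key, ta.key in one directory), copies only the BEGIN..END section of each file (easy-rsa .crt files carry a human-readable certificate dump above the PEM block), and creates the profile mode 0600 because it embeds the client’s private key.

```shell
#!/bin/sh
# Added example (not from the original post): assemble a single-file .ovpn
# profile from the separate easy-rsa outputs named in the post (ca.crt,
# client1.crt, client1.key, ta.key). Only the BEGIN..END lines are copied.

# pem_block FILE LABEL: print the -----BEGIN LABEL----- .. -----END LABEL-----
# lines of FILE. LABEL is a sed regex, so '.*PRIVATE KEY' matches both
# "RSA PRIVATE KEY" and "PRIVATE KEY" headers.
pem_block() {
    sed -n "/^-----BEGIN $2-----/,/^-----END $2-----/p" "$1"
}

# build_ovpn REMOTE DIR CLIENT OUT: write DIR/CLIENT's profile to OUT.
build_ovpn() {
    remote=$1; dir=$2; client=$3; out=$4
    # The profile embeds the client's private key, so create it mode 0600;
    # umask runs in a subshell so the caller's umask is untouched.
    (
        umask 077
        {
            printf 'client\nproto udp\nremote %s\nport 1194\ndev tun\nnobind\n\n' "$remote"
            printf 'key-direction 1\n\n'
            printf '<ca>\n';   pem_block "$dir/ca.crt" CERTIFICATE;            printf '</ca>\n\n'
            printf '<cert>\n'; pem_block "$dir/$client.crt" CERTIFICATE;       printf '</cert>\n\n'
            printf '<key>\n';  pem_block "$dir/$client.key" '.*PRIVATE KEY';   printf '</key>\n\n'
            printf '<tls-auth>\n'; pem_block "$dir/ta.key" 'OpenVPN Static key V1'
            printf '</tls-auth>\n'
        } > "$out"
    )
}

# check_ovpn FILE: succeed only if FILE holds exactly one PEM block in each
# of the four inline sections and none of the textual dump leaked through.
check_ovpn() {
    [ "$(grep -c -- '^-----BEGIN ' "$1")" -eq 4 ] &&
    [ "$(grep -c -E '^</(ca|cert|key|tls-auth)>$' "$1")" -eq 4 ] &&
    ! grep -q '^Certificate:' "$1"
}

# Usage: ovpn-build.sh my.dyndns.example.net /etc/openvpn client1 out.ovpn
if [ "$#" -eq 4 ]; then
    build_ovpn "$@" && check_ovpn "$4"
fi
```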

Credit for the .ovpn template content goes to this ServerFault discussion thread.

QR Codes as a Password/Key Storage Mechanism

I was doing some recent volunteer work for the Concord Scout House, Inc., setting up a new network and telephony infrastructure for this non-profit enterprise. In setting up the various pieces of equipment, I was sure to create strong passwords and use key and certificate based encryption or similar security mechanisms in order to keep things secure.

Of course, I kept copies for my own records in a suitable electronic format (I personally do local plus encrypted cloud backups of critical files via SpiderOak). As this is a volunteer job, it is very possible someone else will need to do something with this infrastructure at a later point – when I may no longer be involved with the organization. This left me with the problem of how to document and pass on those passwords and keys in a convenient and durable fashion to those who may follow.

I could prepare a DVD or flash drive with the passwords and keys, etc. in simple text files to hand over. This could work fine but also quickly fall prey to changes in applications or operating systems (e.g.: Wordpad or vi? Unix or DOS line feeds?), hardware technology (how many Android phones have a DVD reader? will USB2/3 ports be usable in 10 years?) or simple hardware failure (scratched DVD). For convenience’s sake, I will provide a soft copy on DVD (as that may be stored easily in a file folder) but there’s one medium all organizations still know how to deal with and store safely: paper.

I could simply print out the passwords and certificates/keys as plain text on sheets of paper, but then someone trying to use it would have to accurately type in that text at a later point where/when required. As we’re talking 100+ characters in some cases, this simply won’t work. Here’s where QR codes come in. I happened upon this blog post which mentioned the idea of using QR codes to store such text as a paper record, able to be machine read for accuracy at a later point. Brilliant!

So here’s a practical example of generating such a paper copy of a password using only online free resources, so no software installation required (of course, there are many programs or apps you may install, should you wish to be off-grid):

The password example:

This1sMy_SuperS3kr3t-pASSwORD=wh1ch*woulD_b3-a-R0y4l+payn3>2>tyP3!

This is a very strong password which, although it isn’t simply random, is still quite secure due to its length (66 characters) alone. Even the NSA with all its resources would take a very long time to crack it, provided the encryption mechanism doesn’t suffer from a back door or other systemic vulnerability. Given the pseudo-English phrasing it would be possible to type or even memorize this password, but it wouldn’t be easy. And a single character discrepancy means not getting into wherever it protects.

Generating the QR code:
One of many free online QR code generation sites is qrstuff.com. Taking the above password there, we can plug it into their on-line code generator:
[Screenshot: generating the QR code online]

And download the image file of that password in a QR code:
[Image: the generated QR code]

This QR code can then be placed on a printed page.

Reading the QR code to “reawaken” the text:
There are also many online QR reader/decoding sites, including: webqr.com.

This site lets you either take a picture of the code with your device’s camera or upload a file containing the code image (say, from a scanner or a photo of the paper page), and returns the code content.

Uploading the above QR code image file results in the following:
[Screenshot: decoding the QR image]

A perfect copy of the original plain text password!
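The same password-to-QR round trip done offline, as an added example that is not part of the original post. It assumes the qrencode and zbar (zbarimg) command-line tools are installed; the password is read from a file and fed to qrencode on stdin so it stays off the command line and out of shell history, and the image is decoded again and compared byte for byte before anything is printed.

```shell
#!/bin/sh
# Added example (not from the original post): encode a password file as a
# QR code with qrencode, decode the image with zbarimg, and succeed only if
# the decoded text is identical to the original. Everything stays local.

# qr_roundtrip PASSWORD_FILE OUT_PNG: encode the first line of PASSWORD_FILE
# into OUT_PNG and verify the image decodes back to exactly that line.
qr_roundtrip() {
    pw=$(head -n 1 "$1")
    # -l H: highest error-correction level, so a scuffed or faded print still
    # decodes; -s 8: 8-pixel modules, large enough to print and rescan cleanly.
    # The secret goes in on stdin, not as an argument visible in `ps`.
    printf '%s' "$pw" | qrencode -l H -s 8 -o "$2" || return 1
    decoded=$(zbarimg --raw -q "$2") || return 1
    [ "$decoded" = "$pw" ]
}

# Usage: qr-roundtrip.sh password.txt password.png
if [ "$#" -eq 2 ]; then
    if qr_roundtrip "$1" "$2"; then
        echo "OK: $2 decodes back to the exact password"
    else
        echo "FAILED: decoded text differs, or qrencode/zbarimg unavailable" >&2
        exit 1
    fi
fi
```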

Password and Files Encryption/Sync/Backup: Gettin ‘er Done!

One of my to-do list items for quite some time now has been to get my computer files organized and to set up automated backup and synchronization across my computing devices.

I’d kept putting this one off because I wanted to deal with some foundational issues first:

  • pruning down my files and eliminating duplicates both within my desktop machine’s file system as well as with my netbook’s files
  • selecting a sync solution
  • converting my password safe from my former J-Pilot/Palm solution
  • etc.

I did a ton of research and would get close to doing something then another priority would take charge and it would get put on the back burner again. Well, in recent months I’ve finally selected and put in place several needed building blocks:

  • Password Sync: originally I’d selected KeePassX but I then looked further into LastPass, which does much the same thing and has many more features bundled in – the key one being a native cloud sync and backup capability for all our passwords. Works on effectively every platform I would ever consider including my Debian (Linux Mint Debian Edition) and Linux Mint machines, my wife’s Mac and a possible future smart phone/tablet, etc. Firefox, Safari, Chrome, etc. all supported! Done on my machines, pending on the Mac (which got KeePassX in the interim). [Update 1 Jan 2014: Mac is finally done, had to update OS X to enable Safari to update to a version supported by LastPass. I’m not a Mac expert and it is just different enough from Linux/Unix that I had to figure a bit out.] Use my referral code and we’ll both get a free month of LastPass Premium! https://lastpass.com/f?2884566
  • File Sync and Cloud Backup: I selected SpiderOak because of great cross-platform support. Think of it as Dropbox but with built-in cloud encryption so no worries about the files being compromised on the server/network. I’d considered rolling my own solution using a power-sipping always-on Linux ARM-based device with rsync and/or a PogoPlug but realized SpiderOak did what I needed in much easier fashion. Done on my desktop, pending on the others.
  • Local File Encryption: Protecting our sensitive files in case of having a machine fall into someone else’s possession. I selected TrueCrypt because of (getting to sound like a broken record?) similar excellent cross-platform support. I’d considered other solutions including the built-in Windows, Linux and Mac filesystem encryption options, but what I wanted was a single solution that would work with all of them plus enable syncing the secured files across all our devices using SpiderOak. The kicker for me was when I figured out that what really required the local protection of encryption was actually quite small compared to our number of overall files – I don’t care if someone finds out what I paid for our gas bill or my various basic correspondence, yet our financial account details, tax records and similar would need protection (these files end up taking well under a Gig of space). Remember, LastPass protects all our passwords separately. Done on my desktop, others pending.

The best part of all this is that every one of these solutions is free for the basic features we need and they all work across all the machines we have and anticipate being interested in at any point in the future. If/when we grow to need additional features or capacity, they are priced quite attractively (SpiderOak and LastPass). TrueCrypt is totally free for all features. Most are open source too.

Once I realized the amount of encrypted storage required was so small, my interest in consolidating and eliminating file duplicates became a nice-to-have vs. a need (I had previously been concerned that syncing a large TrueCrypt volume over the internet would be a significant performance issue). Getting to a secure solution was more important and a brief scare when I left my netbook behind at a public dance a few weeks ago (with several financial files on it) pushed me to make that part happen sooner rather than later.

Getting a NewEgg mailing with a Shell Shocker special on a 500GB hybrid (solid state and conventional platter) drive for under $80 put the final bit in place – now my netbook could have more space than my total desktop disks, so it would all fit as is without further winnowing. And with the SSD portion of the new drive used as OS and program storage, the machine promises to scream along compared to before and last a lot longer on battery power.

In order to make this solution the best it can be, my first major consolidating step will be to start over with a totally fresh install of the latest Linux Mint Debian Edition (LMDE) with the new disk on my Asus EeePC 1000HA and then layer in the individual pieces as described above. I’m starting on that work now and will post more when done.

I’m excited to have this work finally coming to fruition! After my netbook is done, I’ll be moving on to finishing the same things on my desktop machine and my wife’s Mac (after a required Snow Leopard update there – to update Safari – to support LastPass). Wish me luck!