Monthly Archives: February 2015

Create .ovpn file from openVPN configuration files

The .ovpn file format is an embedded (inline) version of the usual three to four separate OpenVPN configuration files. It is very handy for mobile setups like Android or iOS, or for some Mac applications like Tunnelblick. Following my recent OpenVPN post, you only need this configuration:

client
remote example.com
comp-lzo yes
dev tun
proto udp
nobind
auth-nocache
script-security 2
persist-key
persist-tun
user nobody
group nogroup

<ca>
-----BEGIN CERTIFICATE-----
# insert content of your ca.crt
-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----
# insert content of your user.crt
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN PRIVATE KEY-----
# insert content of your user.key
-----END PRIVATE KEY-----
</key>

Remember to transfer that file securely; it contains your private key, so do NOT send it via unencrypted email to your external device 🙂

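The assembly above can be scripted. The following is an added example, not code from the original post: it takes a plain client config plus the ca.crt, user.crt and user.key files named in the post and writes the inline .ovpn, embedding only the PEM part of each file (easy-rsa's user.crt starts with a human-readable "Certificate:" dump that OpenVPN does not need in the inline block). File names and paths are assumptions.

```shell
#!/bin/sh
# Assemble one .ovpn from a plain client config plus ca.crt, user.crt and
# user.key (file names from the post; all paths are assumptions).
pem_block() {
    # print the PEM block of $1, from the BEGIN line to the END line
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

make_ovpn() {
    base="$1"; ca="$2"; cert="$3"; key="$4"; out="$5"
    for f in "$base" "$ca" "$cert" "$key"; do
        [ -r "$f" ] || { echo "missing: $f" >&2; return 1; }
    done
    # the private key ends up inside the .ovpn, so make it owner-readable only
    old_umask=$(umask); umask 077
    {
        # file-based ca/cert/key directives would conflict with the inline blocks
        grep -Ev '^[[:space:]]*(ca|cert|key)[[:space:]]' "$base" || true
        echo; echo '<ca>';   pem_block "$ca";   echo '</ca>'
        echo; echo '<cert>'; pem_block "$cert"; echo '</cert>'
        echo; echo '<key>';  pem_block "$key";  echo '</key>'
    } > "$out"
    umask "$old_umask"
    # sanity check: every inline block must contain exactly one PEM block
    for tag in ca cert key; do
        n=$(sed -n "/^<$tag>/,/^<\/$tag>/p" "$out" | grep -c '^-----BEGIN ' || true)
        [ "$n" -eq 1 ] || { echo "$tag: expected 1 PEM block, got $n" >&2; return 1; }
    done
}
# usage: make_ovpn client.conf ca.crt user.crt user.key client.ovpn
```
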
OpenVPN Server with easy-rsa on Ubuntu 14.04 easy setup

In case you want to run a simple OpenVPN server on your own host but, like me, think that most tutorials do not focus enough on the plain commands, feel free to follow this little instruction set:

# install openvpn and easy-rsa
sudo apt-get install openvpn easy-rsa
# copy the sample server config
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
# unzip it in place
sudo gunzip /etc/openvpn/server.conf.gz
# copy the easy-rsa scripts (required for easy key generation)
sudo cp -r /usr/share/easy-rsa /etc/openvpn/easy-rsa2
# sometimes the keys folder is missing, so create it to be sure
sudo mkdir -p /etc/openvpn/easy-rsa2/keys
# since 14.04 an additional variable is required in the vars file
sudo sh -c 'echo "export KEY_ALTNAMES=\"Irgendwas\"" >> /etc/openvpn/easy-rsa2/vars'
# the scripts expect openssl.cnf; copy the config matching the installed openssl version
sudo cp /etc/openvpn/easy-rsa2/openssl-1.0.0.cnf /etc/openvpn/easy-rsa2/openssl.cnf
# customize the vars file with the best editor in the world (but vi, nano, ... work too)
sudo vim /etc/openvpn/easy-rsa2/vars

Set your /etc/openvpn/server.conf to:

port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa2/keys/ca.crt
cert /etc/openvpn/easy-rsa2/keys/server.crt
key /etc/openvpn/easy-rsa2/keys/server.key
dh /etc/openvpn/easy-rsa2/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3

Back in the terminal we will now start the crypto foo:

# get root to simplify the following commands
sudo -i
# change to the easy-rsa scripts folder
cd /etc/openvpn/easy-rsa2/
# load the variables into the current bash session
source ./vars
# clean the existing dir (attention! deletes everything in the keys folder)
./clean-all
# generate the certificate authority key and certificate
./build-ca
# generate the server key and certificate
./build-key-server server
# generate the Diffie-Hellman parameters (can take some time)
./build-dh

And now you are basically done. If a firewall is involved, remember to open the OpenVPN port (set in /etc/openvpn/server.conf, default 1194).

To add clients, each with their own key pair, use distinct key names:

sudo -E ./build-key client1
sudo -E ./build-key client2
sudo -E ./build-key client3

or, if you want the key password protected (which requires entering the password every time you connect):

sudo -E ./build-key-pass client1
sudo -E ./build-key-pass client2
sudo -E ./build-key-pass client3
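Before a client's files leave the server it is worth checking that they actually belong together. The function below is an added example, not part of easy-rsa: it takes the keys directory and the key name used with ./build-key, verifies that the client certificate chains to our own ca.crt, that the private key matches the certificate, that the key file is not readable by group or others, and warns when the certificate is about to expire. It assumes the openssl command line tool and the easy-rsa file layout keys/<name>.crt and keys/<name>.key.

```shell
#!/bin/sh
# Check a client's key material before handing it out.
# usage: check_client_keys /etc/openvpn/easy-rsa2/keys client1   (paths assumed)
check_client_keys() {
    dir="$1"; name="$2"
    ca="$dir/ca.crt"; crt="$dir/$name.crt"; key="$dir/$name.key"
    command -v openssl >/dev/null || { echo "openssl not found" >&2; return 1; }
    for f in "$ca" "$crt" "$key"; do
        [ -r "$f" ] || { echo "missing: $f" >&2; return 1; }
    done
    # 1. the certificate must chain to our own CA, nothing else
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
        || { echo "$name.crt is not signed by $ca" >&2; return 1; }
    # 2. the private key must belong to that certificate (same public key)
    pub_crt=$(openssl x509 -in "$crt" -noout -pubkey)
    pub_key=$(openssl pkey -in "$key" -pubout)
    [ "$pub_crt" = "$pub_key" ] \
        || { echo "$name.key does not match $name.crt" >&2; return 1; }
    # 3. the key must not be readable by group or others (ls columns 5-10)
    others=$(ls -l "$key" | cut -c5-10)
    [ "$others" = "------" ] \
        || { echo "$key is readable by group/others ($others)" >&2; return 1; }
    # 4. warn if the certificate expires within 30 days (2592000 s)
    openssl x509 -in "$crt" -noout -checkend 2592000 >/dev/null \
        || echo "warning: $name.crt expires within 30 days" >&2
    return 0
}
```
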

Now safely(!) distribute the keys to your client machines, using PGP, secure USB sticks or printed paper 🙂, according to the following scheme:

[Diagram of the key distribution scheme. Original by yed, licensed under CC BY-SA 4.0]

You might

Do not forget to start your server:

/etc/init.d/openvpn start server

If you want to use these files on the client with NetworkManager, install the required plugin:

sudo apt-get install network-manager-openvpn

and set the following options:

[Screenshot: OpenVPN settings in NetworkManager]

It is also possible to generate a .conf or .ovpn file, which is required by some apps, e.g. on Android and iOS, but this will be handled in a separate post soon.

my first Thinkpad T450s experiences

tl;dr: probably my device was the laptop version of a lemon car, which drove me nuts, but I still want to have a (properly working) T450s again.

I recently got a brand new Thinkpad T450s, which I had been waiting for since December, and yet I am writing this post from my old sloppy Asus F3JA. You might ask yourself why. Well, the reasons are manifold, but in the end they led to sending it back to the manufacturer. First the positive things: the 14” FullHD display is amazing, the magnesium case is very stable and nice, and the backlit keyboard really impressed me and improved my coding experience. Both the integrated and the external battery lasted longer than on any device I had before, but still…

iwlwifi drove me mad, unable to hold a connection longer than a few minutes, which interrupted my workflow significantly. Furthermore, several things like brightness and power saving settings didn’t work properly, blinding me at night while burning power. Last but not least, the squeak of doom:

[YouTube video]

Every time you put your hand on the laptop it groaned as if it didn’t like to be used. After two days I shredded the 320 GB SSD by overwriting it with random data and sent the device back as a warranty case. Hopefully it will be replaced, as none of the errors I had occurred on my colleague’s T450s, which he got in the same order at the same time.

But still, and in conclusion: I really like the T450s. It is very light, feels right, and is really powerful and mobile. Its 14” fits perfectly into a usual European A4 (default paper size) bag, and its case keeps it intact. Overall I really look forward to getting a properly working version of this little fellow soon.

Goliath tracked mine – one of the first mobile robots

During my thesis I did some research on mobile robots. For that reason the Goliath tracked mine, or ‘Leichter Ladungsträger Goliath (Sd.Kfz. 302/303a/303b)’ in German, always fascinated me as one of the first mobile robots. Developed in late 1940 and mass produced between 1942 and 1944, about 7500 of these remote cable-controlled mobile bases could each carry up to 60 kg of high explosives. Way before modern robots like the iRobot BigDog or its successors, this similarly loud-sounding robot was powered by two combustion engines.

After some research I found out that the Bundeswehr Military History Museum in Dresden, in my area, presents one of these impressive machines. So I went to Dresden and took some photos, which I want to share with you:

Some people also present them in action:

[YouTube video]

In case there will be a bigger version of the aMoSeRo, it might share its physical dimensions with this robot. The track system is impressive as well and, if it is operable upside down, really well suited for heavy-duty terrain.

Defending the planet using docker and ssl

In the recent days I moved this blog to a new server, mainly to fix the latest SSL issues like POODLE, Heartbleed and SSL downgrade attacks. To save money I used the free of charge StartSSL.com-signed certificate, which offers to sign privately generated certificate signing requests for your main site and one subdomain. This not only keeps the little padlock next to the address bar green but should also give a higher rank in Google searches in future.

But moving a blog from a physical server usually means a lot of pain: files have to be moved, databases exported and imported again, configuration files need to be adjusted, and so on. To avoid this unnecessary work in future I researched some possible solutions. First of all, none of this is new: virtualization and containerization are technologies several years old. The most remarkable approach in my opinion is Docker. It is more lightweight than VMware or VirtualBox while supporting most of the features they offer. With its help you can run multiple Linux instances on a single physical host. Besides that, it is a real security feature, as it keeps every process inside its own container, so that even during a security breach it cannot affect the functionality of the others.

It is also possible to version a dockerized application and share it over GitHub. For WordPress there are multiple versions available: docker-wordpress by jbfink and docker-wordpress-nginx by eugeneware. Both lack Docker’s VOLUME support, but after adding it they still saved a lot of work.

In conclusion, this blog now runs in its own container with its own nginx, MySQL and PHP instances. The container in turn is exposed by an SSL-terminating nginx reverse proxy, which can be complemented by Varnish caching in future if required.