Tag Archives: OpenVPN

A dev’s MacBook from scratch

I’ve been a long-time Apple user. I hate a lot about the company’s policy and how they treat their power users, but I love the tight integration between their software and hardware. Another thing to love is their migration tools. You buy new hardware, you click Restore from backup and you are done. Safari even opens up the tabs you had open on the old device. However, recently I splurged on a new MacBook 12” and decided to set it up from scratch. For the fun of it. Here are some notes on how I set it up for myself, for future reference and in case someone is in a similar position.

Tips:

  • Don’t sign into iCloud during installation as that starts syncing everything to iCloud and you might not want that.
  • I moved over some files manually from a Time Machine external disk and they got “locked” i.e. I had to enter the admin password for any change to them. This is how I “unlocked” them: xattr -c -r FOLDER_WITH_LOCKED_ITEMS/ && chmod -RN FOLDER_WITH_LOCKED_ITEMS/

System configuration:

  • First off, update to the latest version of OS X, since every major update overwrites some system configuration and you don’t want to duplicate your work.
  • Turn on auto updates. Doh.
  • Go through all System preferences panes and see what works for you. Take your time to see what’s there, it pays off.
  • I disabled Location services, because I use VPNs a lot and then Location Services get totally confused.
  • Enable sending/receiving SMS and calls on OS X — a killer Apple feature for me.
  • Disabled Document Handoff because I don’t want all my docs in the cloud by default.
  • On a MacBook 12″ moving the Dock to the right makes the most sense in my eyes.
  • Set a nice “return for reward” message to be displayed on Locked screen. Something along the lines of “If you have found this laptop, please call me on MY NUMBER or send me an email to MY EMAIL and get a sweet reward! Thanks!”
  • Check Require an administrator password to access system-wide preferences. Doh.
  • Turn on FileVault and Firewall. Double-doh.
  • Firewall -> Advanced -> enable Stealth Mode. Though you need to remember to turn it off when diagnosing network problems.

Finder preferences:

  • Show extensions.
  • When performing a search: Search the Current Folder, otherwise it searches the entire computer by default and almost kills Finder.
  • New Finder windows show: my home folder. I hate the “All My Files” default view. Absolutely hate it.

Various tools and apps:

  • Resilio Sync: fantastic app for sharing files among team members, based on bittorrent.
  • Slack: team communication, we use it religiously.
  • Crypho: secure team communication. I’m looking forward to the day when we can replace Slack with Crypho, so we have all communication secure, but as it is, Slack is just way more convenient for everyone to use.
  • LittleSnitch: allow/disable connections per app/port/protocol/address. Fantastic to prevent apps from contacting ads/tracking services and getting more insight into what goes on in the background.
  • Alfred: great productivity app, “replaces” Spotlight and then some!
  • Bartender: get that Menu Bar under control!
  • Flux: same as Redshift on Linux, adjusts screen colours for late night hacking sessions.
  • AppTrap: automatic cleanup of files that apps leave lying around after you delete them.
  • iStat Menus: to always be able to see what my system is doing at a glance.
  • Seashore: GIMP/Photoshop clone with a Mac-style UI. But it seems to be an abandoned project, need to find a replacement …
  • Calibre: eBook management.
  • iBank: keeping my finances in check.
  • LibreOffice. And removed Apple’s Numbers & Pages.

Development environment:

  • Homebrew: the quintessential package manager for OS X.
  • Twitter: funny as it sounds, but Twitter is a great way to stay on top of latest patches/releases/news in tech.
  • Colloquy: a lot of Open Source still happens on IRC and this is how I keep in touch.
  • Chrome: been using it a few years now for browsing and development, but I want to switch back to Firefox soon. Extensions I cannot live without: BackStop, The Great Suspender, Send to Kindle, StayFocusd and Full Page Screen Capture.
  • Tunnelblick: the OS X OpenVPN client.
  • ExtFS for Mac: so I am able to mount ExtFS volumes (Linux drives, Raspberry PI SD cards, etc.)
  • pgAdmin3 and pgweb: admin interfaces for PostgreSQL, lately pgweb sees way more usage than pgAdmin3. Also sqlite browser for SQLite.
  • dotfiles: I keep a private git repo with all my “dotfiles” so history is tracked.
  • travis-cli & heroku-cli: working with Travis and Heroku from the comfort of the terminal window.
  • Vagrant: for simple virtualization needs, when I want to test out something without polluting my main environment.
  • Shush: a vital tool for any remote worker, to keep unwanted background noise from polluting teleconferencing.
  • Sublime Text: I’ve been a TextMate user for quite a while but I jumped ship when I saw how much faster ST is. That was years ago and I’m sticking with ST for now, got used to it and it works for me. I did migrate to ST3 recently though. The list of plugins I use:
    • GitGutter
    • SideBar Enhancements
    • Requirements Txt
    • Color Highlighter
    • CSS3
    • jQuery
    • SublimeLinter
    • SublimeLinter-annotations
    • SublimeLinter-pydocstyle (sudo pip2/3 install pydocstyle)
    • SublimeLinter-flake8 (sudo pip2/3 install flake8)
    • SublimeLinter-jshint (npm install -g jshint)
    • SublimeLinter-shellcheck (brew install shellcheck)
    • SublimeLinter-pyyaml (sudo pip3 install pyyaml)
    • SublimeLinter-json
    • BracketHighlighter
    • Jedi – Python Autocompletion
    • theme: SoDaReloaded Light.sublime-theme
    • pdb snippet: https://gist.github.com/phalt/72117041fbb7cf4c4697
    • starting ST from the current dir in console by typing subl -n .: https://www.sublimetext.com/docs/2/osx_command_line.html

OpenVPN over SSH

Prelude

I’ve recently moved to Barcelona to continue my Computer Science studies at UB. The first thing I noticed walking into the University building was my mobile happily notifying me that it had found a known network. Ah, of course: eduroam. My Slovenian eduroam account from the University of Ljubljana should be valid throughout Europe for accessing the eduroam wireless network. And indeed it is. Nice.

Troubles on the horizon

Alas … there is a downside. Apparently the IT dept at UB is filtering OpenVPN and IPsec traffic. I’m so used to having these that I feel “naked” using a public network without encrypting all my communications.

Now wait a minute, what do I see here, SSH traffic goes through without problems? If SSH goes through, then it should be possible to tunnel basically anything through it. Even an OpenVPN tunnel. Yep, tunneling a tunnel over a tunnel, that’s the idea :).

The solution

After some fiddling around, this is how I did it (referencing my original setup):

  1. Find a server somewhere on the net you can SSH to, so you can set up a SOCKS proxy:

    $ ssh <some_IP_on_the_net> -D 6666
    
  2. Change protocol in OpenVPN’s server.conf to use TCP rather than UDP. Normally, using UDP is better, but if you want tunneling over SOCKS, you need TCP:

    proto tcp
    
  3. Change protocol in OpenVPN’s iptables config:

    iptables -I INPUT 1 -p tcp --dport 1194 -j ACCEPT
    
  4. Now modify the client.conf to use TCP and to use SOCKS proxy:

    proto tcp
    socks-proxy 127.0.0.1 6666
    route <some_IP_on_the_net> 255.255.255.255 net_gateway
    

Notice the last line: it adds a specific rule to route traffic to your SSH server directly and not through OpenVPN. Without it, once the VPN comes up and redirects the default gateway, the SSH session carrying the SOCKS proxy would itself be routed into the tunnel it carries. This keeps the SOCKS proxy alive and kicking. All other traffic is still routed through the OpenVPN tunnel to keep your communications safe.
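As an added example (not part of the original post), here is a small Python check for the client.conf changes above. It assumes the SSH server address is passed in as ssh_host and uses constructed sample configs, with 203.0.113.10 standing in for <some_IP_on_the_net>:

```python
"""Check a client.conf for the OpenVPN-over-SSH-SOCKS setup described above.

Verifies proto tcp, a socks-proxy line and the host route that keeps the SSH
session (which carries the SOCKS proxy) out of the tunnel once the VPN is up.
"""

def parse_directives(text):
    """Return (directive, args) pairs; lines starting with '#' or ';' are comments."""
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        directives.append((parts[0], parts[1:]))
    return directives

def lint_socks_client(text, ssh_host):
    """Return a list of problems; an empty list means the config matches the setup."""
    problems = []
    directives = parse_directives(text)

    protos = [args for name, args in directives if name == "proto"]
    if not protos or not protos[-1] or not protos[-1][0].startswith("tcp"):
        problems.append("proto must be tcp: a SOCKS proxy does not carry UDP")

    if not any(name == "socks-proxy" for name, _ in directives):
        problems.append("missing socks-proxy pointing at the local ssh -D listener")

    # The route must name the SSH server, a /32 mask and the net_gateway keyword,
    # otherwise redirect-gateway would pull the SSH session into the tunnel.
    bypass = any(
        name == "route" and args[:3] == [ssh_host, "255.255.255.255", "net_gateway"]
        for name, args in directives
    )
    if not bypass:
        problems.append(f"missing 'route {ssh_host} 255.255.255.255 net_gateway'")
    return problems

# Constructed sample config; 203.0.113.10 stands in for <some_IP_on_the_net>.
GOOD_CONF = """client
proto tcp
remote 198.51.100.20 1194
socks-proxy 127.0.0.1 6666
route 203.0.113.10 255.255.255.255 net_gateway
redirect-gateway def1
"""
```

Running lint_socks_client on a config that still says proto udp and lacks the host route reports all three problems at once.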

Multiple configurations for Tunnelblick

A while ago I wrote about configuring the Tunnelblick OpenVPN client for OS X. Here is how you can have multiple OpenVPN configurations with Tunnelblick:

1. Open ~/Library/Application\ Support/Tunnelblick/Configurations/ with Finder.

2. Rename openvpn.conf to openvpn-location-a.conf.

3. Duplicate openvpn-location-a.conf and rename the duplicate to openvpn-location-b.conf.

4. Open both of these configurations and change values such as server IP, etc.

5. Restart Tunnelblick.

This should be it. Now you should be able to choose between configurations when clicking Tunnelblick’s tray icon.

DD-WRT + Tunnelblick = OpenVPN

While debating VPNs at the Sauna Sprint, fellow sprinters convinced me that we should use a VPN for remote access to the internal services in our office. And for an extra layer of security when using public networks. So here it goes.

Certificates

I didn’t want to install openssl and openvpn on my MacBook just so I could generate access certificates. Luckily, a Rackspace Cloud instance with Ubuntu was only 2 minutes away. From there on I just followed the tutorial on creating certificates.

OpenVPN server

Since we already have a Linksys WRT54G router running DD-WRT firmware it was an obvious decision to just use this piece of hardware to act as an OpenVPN server. Off to the DD-WRT download page and grab the package that also has OpenVPN support (dd-wrt.v24_vpn_generic.bin). Quick flash of the router’s firmware and we are set.

  1. Enable OpenVPN server in Services and set its Start type to WAN Up.
  2. Paste in the certificates created in advance on an Ubuntu cloud instance.
  3. Paste in OpenVPN server config (find it below).
  4. Configure iptables by going to Administration -> Commands, pasting in iptables config (find it below) and clicking save firewall.
  5. Reboot router.

Tunnelblick OpenVPN client

For OS X users the recommended application for using OpenVPN is Tunnelblick.

1. Go to Tunnelblick’s website, download Tunnelblick 3.0 application and install it.

2. Run Tunnelblick. Click install and edit sample configuration file and paste into it client configuration (find it below).

3. In this configuration, find SSL/TLS parms. and replace the text bob with the name you used in the first step when creating certificates (same as the filename of the certificates).

4. Use Terminal to add the certificate keys to your Tunnelblick configuration (keys created on the Ubuntu cloud instance), again replacing bob in the filename:

  • nano ~/Library/Application\ Support/Tunnelblick/Configurations/ca.crt
  • nano ~/Library/Application\ Support/Tunnelblick/Configurations/bob.crt
  • nano ~/Library/Application\ Support/Tunnelblick/Configurations/bob.key

Now you are ready to use your VPN. Click on Tunnelblick icon next to current time in the top-right corner of your screen and select connect ‘openvpn’. All your traffic should now be routed through a secure tunnel to your office.

Confirm this by visiting http://whatismyip.com. The IP displayed should be your office’s IP, meaning you are accessing internet through a tunnel from your office. Hooray!

Config files

OpenVPN server config

push "route 192.168.1.0 255.255.255.0"
server 192.168.2.0 255.255.255.0

dev tun0
proto udp
keepalive 10 120
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem

# management parameter allows DD-WRT's OpenVPN Status web page to access the server's management port
# port must be 5001 for scripts embedded in firmware to work
management localhost 5001

iptables config

# enable tunnel
iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD 1 --source 192.168.2.0/24 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
# NAT the VPN client traffic to the internet
iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o eth0 -j MASQUERADE

Tunnelblick config

# Specify that we are a client and that we will be pulling certain config file directives from the server.
client

# Use the same setting as you are using on the server.
# On most systems, the VPN will not function unless you partially or fully disable the firewall for the TUN/TAP interface.
dev tun0

# Are we connecting to a TCP or UDP server?  Use the same setting as on the server.
proto udp

# The hostname/IP and port of the server.
remote <your office IP> 1194

# Keep trying indefinitely to resolve the host name of the OpenVPN server.  
# Very useful on machines which are not permanently connected to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
# NOTE: this causes problems with reverting to the default route once the VPN is disconnected
# user nobody
# group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# Wireless networks often produce a lot of duplicate packets.  Set this flag to silence duplicate packet warnings.
mute-replay-warnings

# SSL/TLS parms.
ca ca.crt
cert bob.crt
key bob.key

# Enable compression on the VPN link. Don't enable this unless it is also enabled in the server config file.
;comp-lzo

# Set log file verbosity.
verb 3

# from wiki
remote-cert-tls server
float

# route all traffic through VPN
redirect-gateway def1
dhcp-option DNS <your ISP's primary DNS IP>
dhcp-option DNS <your ISP's secondary DNS IP>