Monday, September 12, 2016

Installing Kali NetHunter

About the Kali NetHunter

Kali NetHunter is the mobile version of Kali Linux.  Kali Linux is an open source project that is maintained and funded by Offensive Security, a provider of world-class information security training and penetration testing services. In addition to Kali Linux, Offensive Security also maintains the Exploit Database and the free online course, Metasploit Unleashed.

Kali Linux NetHunter for Nexus and OnePlus

The Kali Linux NetHunter project is the first Open Source Android penetration testing platform for Nexus devices, created as a joint effort between the Kali community member “BinkyBear” and Offensive Security. NetHunter supports Wireless 802.11 frame injection, one-click MANA Evil Access Point setups, HID keyboard (Teensy like attacks), as well as BadUSB MITM attacks – and is built upon the sturdy shoulders of the Kali Linux distribution and toolsets. Whether you have a Nexus 5, Nexus 6, Nexus 7, Nexus 9, Nexus 10 or OnePlus One they’ve got you covered. 

Official Kali Linux NetHunter Downloads

Head over to Offensive Security's download page to get the latest official downloads for supported devices.  Follow their installation guide.  However, if you are on a newer version of Android than what's listed on their site, this guide is for you.

Unofficial Kali Linux NetHunter Downloads

FULL FRESH INSTALL STEPS
  1. Flash the latest Android Factory Image for your device (follow their guide about fastboot)
  2. Boot into device
  3. Complete setup wizard
  4. Flash TWRP recovery
  5. Reboot into recovery
  6. Flash kernel-nethunter-*.zip and nethunter-generic-armhf-kalifs-full-rolling.zip from idlekernel
  7. Boot into device
  8. Open the NetHunter app
  9. Use the Kali Chroot Manager to finish the installation
UPDATING TO A NEWER BUILD
  • Going from 3.0.0 and up, all you have to do is flash the new build in recovery and wipe dalvik cache.

UPDATING YOUR ROM
  • To get all your NetHunter and SuperSU functions back after flashing a new ROM, just flash the ~60 MB update-nethunter-*.zip from idlekernel.
SUPER SU

Thursday, April 7, 2016

SmartKeg

Arduino (Typical)
There are a bunch of "Smart Keg" projects out there.  This one is my own implementation of one tailored to fit my needs.  What originally started this project is a beer light I have.  It has just been sitting in my garage collecting dust.  Every now and then when I had a party I would turn it on and it would blink away but it is such a pain to plug it in and configure the switches.  I came up with an idea to use an Arduino to power a Ground Fault Isolated power outlet controlled by a 5v Power Relay to turn the sign off and on.  I think every time you pull the tap the light will start and will continue up to 2 minutes after you finish pouring and then every day at 5 pm too.

5V Power Relay
Liquid Flow Meter
2.8" TFT Capacitive Touch Screen
For the Arduino to know when the tap is pouring and power the relay, I bought a Liquid Flow Meter.  This way every time the beer flows, the flow sensor will send pulses to the Arduino letting it know to power the relay.  After some thinking, I realized that I can also use this flow sensor to monitor how much beer is poured and keep track of how much beer will be left in the keg.  Now that I was going to monitor how much beer was left in the keg, I decided I needed to add some type of LCD screen.  Originally I was just going to use the RGB LCD 16x2 Character Display.  But then I found a 2.8" TFT Capacitive Touch Shield.  This would provide me with a much cleaner display of information and be able to interact with the Arduino.  With this display, I might as well monitor the temperature inside the kegerator too.  So I bought a DROK Waterproof Temperature Sensor (DS18B20) to be displayed on the screen as well.

So after a few modifications to the original plan, I am now going to use the flow sensor to power a relay that will turn on my beer light.  It will also count how many beers are left in the keg and display that on the touch screen.  The temperature sensor will also display the temperature inside the kegerator on the screen.

Now that I have a touch screen, I can interact with the Arduino to reset the beer left counter once the keg is replaced.  I may also get another relay to control the temperature inside the kegerator.  Currently, there is a knob inside that's just numbered but you have to guess at the temperature.  Using the Arduino to control when the compressor turns on and off may help keep the beer at a more stable temperature.

All the parts are currently en route to my house.  Once they arrive I will post more pictures of how the build is going.  You can also find the source code, flow diagrams, and amplifying information over at my repository.

Saturday, December 28, 2013

Lotus Viewer on Linux for DoD Forms


Are you using Linux and need to view/edit an IBM Lotus Form, also known as an XFDL file, from work?  Well, here is how you can get it up and running.  There are a few known issues working with these forms on Linux.  1.) Unfortunately, you still cannot sign the forms within Linux.  2.) Many of us know we need to fill in the lines, but the fonts are slightly different and the form may look slightly different than it does on Windows.  Let's begin the installation.

Install Wine

Wine is a free and open source software application that aims to allow applications designed for Microsoft Windows to run on Unix-like operating systems. Wine is a compatibility layer. It duplicates functions of Windows by providing alternative implementations of the DLLs that Windows programs call, and a process to substitute for the Windows NT kernel. This method of duplication differs from other methods that might also be considered emulation, where Windows programs run in a virtual machine. The name Wine initially was an acronym for WINdows Emulator. Its meaning later shifted to the recursive "backronym", Wine Is Not an Emulator in order to differentiate the software from other emulators. While the name sometimes appears in the forms WINE and wine, the project developers have agreed to standardize on the form Wine.

$ sudo apt-get install wine

Once you have that installed you will need to open the Configure Wine application and navigate to the Libraries tab.  It will be empty but we'll be adding additional libraries to make it look like this one.

Add Libraries

Click in the New override for library box, type in the name of the library and then click the Add button.  Then do it again for the next library in the list.

formobjectmodelstub
mfc71
mfc71u
pe_cc
pe_com
msvcr71
pe_crt71
pe_crtp71
pe_java
pe_mfc71u
pehelper
riched20
ssce5432
unicows [This one will give you a warning when you add it. Click OK.]
uwi_java

Install Lotus Forms Viewers

To get your forms to open properly you'll have to install two viewers.  Let's install the first one.  It is Lotus Viewer v8.  You can get it at http://www.nrc.gov and the second one is Lotus Forms Viewer 4.0.0 Fixpack 2 and you can get that one at http://www.e-publishing.af.mil/.  When you install this second one you will get a bunch of errors that pop up.  Just ignore them for the time being and don't touch any of the windows until the installation finishes.  If you look at the install window you will notice that even with the errors it continues to install.  Once the installation window shows that it is complete you can click the Finish button and then you can close the Program Error windows.

Opening a Form

Now that both viewers are installed you can actually open a form.  However, only one of the viewers works while the other just provides libraries to the other.  So yes, both are required but only one will work.  They almost look identical but Lotus Forms Viewer 4.0.0 Fixpack 2 will close/crash when you try to open a form.  Lotus Viewer 8.0 will allow you to open forms.  To find out which one you are using you will have to open a viewer and click Help menu and then click About IBM Forms Viewer within the menu.  You should see this pop-up.  Now you can use the menus at the top to open a form.



Tuesday, December 10, 2013

Using Ubuntu to access CAC-enabled DoD websites


The Department of Defense (DoD) issues Common Access Cards (CACs) which are smart cards set up in a particular way. You can use these cards for Public Key Infrastructure (PKI) authentication and email. Overwhelmingly, the first thing most users need is PKI authentication.  We are going to set this up using FireFox on Ubuntu.

A few things you are going to need to be able to do this are a newer CAC reader and a current Common Access Card.  Most CACs will look like the one to the right.  This is where your PKI authentication is stored.  As we said earlier, you need a newer CAC reader.  If you have an older square one, those are no longer supported by DoD websites.  The newer one is semi-round and looks like the one to the left.  In a moment we will use some commands to make sure you have a supported reader.  You need middleware to access a smart card using the SCard API (PC/SC), and a PKCS#11 standard interface for smartcards connected to a PC/SC compliant reader. US government smartcards may also need support for the Government Smartcard Interoperability Specification (GSC-IS) v2.1 or newer. The pcsclite project provides the middleware layer. Ubuntu splits pcsclite into a few packages.  So let's begin our installation.

Install Software Packages

Open a terminal and type the following:
$ sudo apt-get install libpcsclite-dev pcscd pcsc-tools libccid build-essential autoconf

Now for those packages you just installed to take effect you will need to restart your computer.  Once your computer comes back up you will need to plug in your CAC reader if you haven't done so already.  Open a terminal window again and type:
$ pcsc_scan

You should see something like this:
PC/SC device scanner
V 1.4.16 (c) 2001-2009, Ludovic Rousseau <ludovic.rousseau@free.fr>
Compiled with PC/SC lite version: 1.5.3
Scanning present readers...
0: SCM SCR 3310 (21120839GXXXXX) 00 00

Mon Aug 15 11:47:42 2011
 Reader 0: SCM SCR 3310 (21120839GXXXXX) 00 00
  Card state: Card inserted, 
  ATR: 3B 7D 96 00 00 80 XX XX XX XX XX XX XX XX XX XX XX XX

ATR: 3B 7D 96 00 00 80 XX XX XX XX XX XX XX XX XX XX XX XX
+ TS = 3B --> Direct Convention
+ T0 = 7D, Y(1): 0111, K: 13 (historical bytes)
  TA(1) = 96 --> Fi=512, Di=32, 16 cycles/ETU
    250000 bits/s at 4 MHz, fMax for Fi = 5 MHz => 312500 bits/s
  TB(1) = 00 --> VPP is not electrically connected
  TC(1) = 00 --> Extra guard time: 0
+ Historical bytes: 80 31 80 65 B0 XX XX XX XX XX XX XX XX
  Category indicator byte: 80 (compact TLV data object)
    Tag: 3, len: 1 (card service data byte)
      Card service data byte: 80
        - Application selection: by full DF name
        - EF.DIR and EF.ATR access services: by GET RECORD(s) command
        - Card with MF
    Tag: 6, len: 5 (pre-issuing data)
      Data: B0 XX XX XX XX
    Tag: 8, len: 3 (status indicator)
      LCS (life card cycle): 00 (No information given)
      SW: 9000 (Normal processing.)

Possibly identified card (using /home/user_name/.smartcard_list.txt):
3B 7D 96 00 00 80 XX XX XX XX XX XX XX XX XX XX XX XX
        DoD CAC card issued Jan XX, 2010

This means you have a compatible CAC reader.  If your window doesn't look like this and you have one that's more like this:

You either don't have a compatible CAC reader or it is unable to locate your CAC reader.  You can try unplugging and plugging your reader back in.  If that doesn't work you'll probably need a new reader.

The next step is to install the PKCS #11 module and FireFox extension.  NOTE:  A computer with working CAC authentication is required for the downloads. You'll probably have to download this part at work and email it to yourself.  You'll need to go to DISA's Linux development site and download the latest version of CACKEY and DoD Configuration Extension for Firefox.  Try this link for CACKEY https://software.forge.mil/ and this one for the DoD Configuration Extension for Firefox http://www.forge.mil/Resources-Firefox.html
Before install open a terminal and do the following:
$ sudo mkdir /usr/lib64

Once this is complete you can now install CACKEY.  If that installs successfully you are now ready to configure FireFox.  Open FireFox and go to the Tools menu.  Click on Add-ons.  Now up on the right next to the search bar that says Search all add-ons should be a drop down menu similar to the one pictured.

You want to click on Install Add-on From File.  Navigate to where you saved the DoD Configuration Extension for Firefox.  Let it install the plugin and restart; don't worry about all of the errors, just click through them and restart your browser.  You should now be good to go to use your CAC and CAC reader to access DoD websites.  There is a possibility that you might have to install the DoD Class 3 PKI Root Certificate Authorities.  If you get an error you can go to Download Root CA Certificate.  When they install you'll also get a lot of errors.  Just click OK through them and then restart your browser again.


Creative Commons License
Using Ubuntu to access CAC-enabled DoD websites by Randy Rowland is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
Based on a work at https://militarycac.com/linux.htm.

Saturday, December 7, 2013

Installing ownCloud on Ubuntu

What is ownCloud?

ownCloud is a free and open-source web application for data synchronization, file sharing, and remote storage of documents ("cloud storage").  It is pretty much Dropbox, Box.net, or Google Drive but on steroids and you control it.  ownCloud gives you universal access to your files through a web interface or WebDAV. It also provides a platform to easily view & sync your contacts, calendars and bookmarks across all your devices and enables basic editing right on the web. Installation has minimal server requirements, doesn't need special permissions and is quick. ownCloud is extendable via a simple but powerful API for applications and plugins.  For a full list of features please check out ownCloud's website.  https://owncloud.org/features/

Installation

First this assumes you already have Ubuntu or another version of Linux installed.  Preferably a server edition that will not be used for normal desktop use.  Ensure you have the most current updates.

$ sudo apt-get update && sudo apt-get upgrade

Now you're ready to install ownCloud.

$ sudo apt-get install owncloud

During installation you'll get a pop-up that will have you set the root user password for your SQL server.  Don't forget this password! That's it! Now that it's installed you just need to point your web browser to the installation for setup.  Use the computer name or IP address, or a domain name if you have one set up for it, followed by /owncloud:
yourwebsite.com/owncloud

Setup

Once you're on the webpage you should see something similar to below.
Here is where you're going to set up the user account that will administer ownCloud.  Type in your username and password.  Don't worry about changing the data folder; it should already be set for you.  You can change it if you know you will be saving data somewhere else.  Now is where you're going to use that root user from the SQL server and the password you were supposed to remember.  For the database name type in owncloud and click Finish setup.  Everything else should be pretty self-explanatory.

Desktop Client

Next thing you'll probably want to do is head over to the desktop client website and pick out the specific client you'll need for your desktop.


Next time we'll be connecting our ownCloud to our FreeNAS box over samba to enable even more storage.



Saturday, October 5, 2013

Create another encrypted VPN using sshuttle!


What is sshuttle? Well from their website, it is a "Transparent proxy server that works as a poor man's VPN. Forwards over ssh. Doesn't require admin. Works with Linux and MacOS. Supports DNS tunneling."

With our last write-up using OpenVPN, not all of your traffic is sent over the tunnel.  Things like DNS lookups and a lot of command-line tools will just ignore the proxy. You're also encapsulating TCP-over-TCP, which could cause performance problems.

Using sshuttle solves a lot of common problems with encrypting your traffic, and it does so in a very efficient way.  There’s no need for a complicated pre-existing infrastructure. All you need is Python 2.x installed on your local machine and a remote machine you can SSH into that also has Python installed. You don’t even have to be an administrator/root on the remote machine.

LET'S GET STARTED

First thing is to install sshuttle and Python.  I found both within the Ubuntu Software Center.  You can also build sshuttle from source.  And download Python from python.org.  That's all there is to it! Now you're ready to connect to your remote server.  Before you connect if you want to check your current external IP address, go to http://www.ipchicken.com/.  We'll check it again after we connect to your server.

The basic command to achieve our goal looks like this in a terminal:
$ sudo sshuttle --dns -r example.com 0/0

If you have a different username or port on the remote server than you do on your local machine you can also use something like this example:
$ sudo sshuttle --dns -r username@example.com:2222 0/0

Let's check your IP address again and see if you're now tunneling through your server. http://www.ipchicken.com/.

To stop forwarding traffic, just press Ctrl-c back in the terminal. We can do a bit better though by forking the process into the background so we don’t tie up our terminal session. These are the aliases I use to make setting up and tearing down the tunnel easier.  I opened and edited my .bashrc in my home folder:
alias tunnel='sudo sshuttle --dns --daemon --pidfile=/tmp/sshuttle.pid --remote=example.com 0/0'
alias tunnelx='[[ -f /tmp/sshuttle.pid ]] && sudo kill $(cat /tmp/sshuttle.pid) && echo "Disconnected."'
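The aliases above trip over a stale /tmp/sshuttle.pid (left behind when sshuttle was killed without cleaning up): tunnelx would then send kill to whatever process now has that pid. As an added example, not part of the original post, here are the same two commands as shell functions that check the pidfile first; example.com and the pidfile path are the post's own placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: tunnel/tunnelx as functions that
# validate the pidfile before acting on it. Same pidfile and remote host as
# the post; REMOTE is a placeholder for your own server.
PIDFILE="${SSHUTTLE_PIDFILE:-/tmp/sshuttle.pid}"
REMOTE="${SSHUTTLE_REMOTE:-example.com}"

# pid_alive PID -> 0 if a process with that pid exists.
# /proc is authoritative on Linux; ps -p covers macOS; kill -0 is the last
# resort (it fails with EPERM for the root-owned sshuttle daemon, so it is
# only used when nothing better is available).
pid_alive() {
    if [ -d /proc/1 ]; then [ -d "/proc/$1" ]
    elif command -v ps >/dev/null 2>&1; then ps -p "$1" >/dev/null 2>&1
    else kill -0 "$1" 2>/dev/null
    fi
}

# tunnel_pid -> prints the running sshuttle pid; returns 1 if absent or stale.
# A stale or garbage pidfile is removed (silently left in place if it is
# root-owned and /tmp is sticky; it is simply re-checked next time).
tunnel_pid() {
    [ -f "$PIDFILE" ] || return 1
    pid=$(cat "$PIDFILE" 2>/dev/null)
    case "$pid" in
        ''|*[!0-9]*) rm -f "$PIDFILE" 2>/dev/null; return 1 ;;
    esac
    if pid_alive "$pid"; then
        echo "$pid"
        return 0
    fi
    rm -f "$PIDFILE" 2>/dev/null
    return 1
}

tunnel() {
    if pid=$(tunnel_pid); then
        echo "sshuttle already running (pid $pid)"
        return 0
    fi
    sudo sshuttle --dns --daemon --pidfile="$PIDFILE" --remote="$REMOTE" 0/0
}

tunnelx() {
    if pid=$(tunnel_pid); then
        sudo kill "$pid" && echo "Disconnected."
    else
        echo "No sshuttle tunnel running."
    fi
}
```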

Known Bugs
You may see a bunch of “warning: closed channel …” messages when running sshuttle (either on STDOUT or in your system.log), but these warnings are safe to ignore. The developer knows about the issue and is thinking of the best way to suppress/eliminate the condition.

LET'S MAKE LOGIN EVEN QUICKER USING RSA KEYS

The next things are accomplished as root.  Be careful running as root!
$ sudo su
Enter your password and you should now be root and ready to create your RSA key pair.  Type:
# ssh-keygen -t rsa
It'll ask you where to save your public/private RSA key pair.  The default is /root/.ssh/id_rsa; just press Enter here.  It will then ask you to enter a passphrase.  The passphrase you enter here will need to be entered every time you use the RSA key; you can set no passphrase by pressing Enter. The upside of a passphrase is that you only have to remember this one passphrase for all the systems you access via RSA authentication, and you can change it later with "ssh-keygen -p".  This process creates two files, id_rsa and id_rsa.pub.  The id_rsa.pub is your public key and the one we will be moving to the server.  Type the following to transfer your public key to the server:
# scp .ssh/id_rsa.pub username@example.com:~
We'll also have to copy id_rsa to your home folder so you can log into your server without having to be root.  NOTE: This is not the id_rsa.pub. So let's move that over with the following, replacing USER with your username:
# cp .ssh/id_rsa /home/USER/.ssh/
# exit
Next, connect to the remote host through SSH; don't use sshuttle at this point. RSA authentication won't be available just yet, so you'll have to use the old method to log in. Once you are connected, add the new public key to the file /root/.ssh/authorized_keys if you have root access, or otherwise to /home/USER/.ssh/authorized_keys.  If the .ssh directory doesn't exist, create it.  You can check if the directory exists by using the ls -la command.  If you need to create it, use mkdir .ssh. Now that it is created, type the following command:
$ cat id_rsa.pub >> .ssh/authorized_keys
The two right angle brackets (>>) append the contents of the id_rsa.pub file to the authorized_keys file, so if the file already exists you won't have to worry about the existing content being modified. You are all set. To test the RSA authentication, initiate an ssh connection. If everything worked out well, you should either be asked for the passphrase (if you entered one) or get logged in directly. If you are prompted for the SSH password or get an error message, retry the ssh command with -v to turn verbose mode on so you can track down and correct the problem. If you didn't have any problems you can now disconnect your SSH session and start using sshuttle without it asking you for a password!
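The cat >> step above appends another copy of the key every time it is run, and leaves the permissions of .ssh and authorized_keys to chance, which sshd rejects under its default StrictModes when they are too open. As an added example, not from the original post, here is a function that installs the key once and sets those permissions; the file name id_rsa.pub follows the post.

```shell
#!/bin/sh
# Added example, not from the original post: install an OpenSSH public key
# into authorized_keys exactly once, with the permissions sshd expects
# (700 on .ssh, 600 on authorized_keys).
#
# install_pubkey PUBKEY_FILE [SSH_DIR]
#   returns 0 if the key was added, 2 if it was already present, 1 on error
install_pubkey() {
    pub="$1"; sshdir="${2:-$HOME/.ssh}"; auth="$sshdir/authorized_keys"
    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 1; }
    key=$(head -n 1 "$pub")
    # A public key line looks like: <type> <base64 blob> [comment]
    case "$key" in
        "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-"*" "*) ;;
        *) echo "not an OpenSSH public key: $pub" >&2; return 1 ;;
    esac
    keytype=$(printf '%s\n' "$key" | cut -d' ' -f1)
    blob=$(printf '%s\n' "$key" | cut -d' ' -f2)
    mkdir -p "$sshdir" && chmod 700 "$sshdir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1
    # Compare type and blob only, so the same key with a different comment
    # is still recognised as a duplicate.
    if grep -qF "$keytype $blob" "$auth"; then
        return 2
    fi
    printf '%s\n' "$key" >> "$auth"
}
```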



Creative Commons License
Create another encrypted VPN using sshuttle! by Randy Rowland is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.

Friday, September 27, 2013

Using Ubuntu and have a Fingerprint Reader on your laptop? Make it work!

FINGERPRINT AUTHENTICATION FOR UBUNTU BASED ON FPRINTD

This PPA contains packages that add comprehensive fingerprint-based authentication functionality to Ubuntu, including seamless integration into GNOME 2.x, Unity and GNOME 3.x. At the time of writing, the supported Ubuntu releases are 12.04, 12.10 and 13.04. Please note that since version 12.10 these packages are present in the standard repositories (still, this PPA supports a wider range of fingerprint readers).

Step 1
You should be running Ubuntu 12.04, 12.10, 13.04 or any derivative thereof, and you need to have a supported fingerprint reader. To find out your reader's ID, run the lsusb command and look into the sixth column of the output. Supported devices are:
    045e:00bb    08ff:1683    08ff:2580    08ff:268d
    045e:00bc    08ff:1684    08ff:2660    08ff:268e
    045e:00bd    08ff:1685    08ff:2680    08ff:268f
    045e:00ca    08ff:1686    08ff:2681    08ff:2691
    0483:2015    08ff:1687    08ff:2682    08ff:2810
    0483:2016    08ff:1688    08ff:2683    08ff:5501
    05ba:0007    08ff:1689    08ff:2684    08ff:5731
    05ba:0008    08ff:168a    08ff:2685    138a:0001
    05ba:000a    08ff:168b    08ff:2686    138a:0005
    061a:0110    08ff:168c    08ff:2687    138a:0008
    08ff:1600    08ff:168d    08ff:2688    147e:1000
    08ff:1660    08ff:168e    08ff:2689    147e:2016
    08ff:1680    08ff:168f    08ff:268a    147e:2020
    08ff:1681    08ff:2500    08ff:268b    147e:3001
    08ff:1682    08ff:2550    08ff:268c    1c7a:0603

Step 2
If you have a supported device add this PPA to your sources:
    sudo add-apt-repository ppa:fingerprint/fprint
    sudo apt-get update
    sudo apt-get upgrade

Step 3
Install the software:
    sudo apt-get install libfprint0 fprint-demo libpam-fprintd gksu-polkit

Step 4
Launch “fprint project demo” from your Unity/GNOME applications menu and check that you can enroll and verify your fingerprints and that your reader is indeed supported.  This does NOT save your fingerprints; it just tests that the reader is working.

Step 5
Run fprintd-enroll in terminal to save your fingerprints.

NOTE:
If you have experimented with fingerprint authentication before and have changed your /etc/pam.d/common-auth, you may be presented with a screen asking whether you want to override those changes. Select Yes. Under very special circumstances, you may get an error saying
    pam-auth-update: Local modifications to /etc/pam.d/common-*, not updating.
    pam-auth-update: Run pam-auth-update --force to override.
In this case, run sudo pam-auth-update --force, exactly as suggested, and enable the fprintd profile manually. Leave the standard system profiles (Unix, Keyring and ConsoleKit) enabled as well.

Known issues

=================
1. No fingerprint and password at the same time
At the moment, you cannot type in your password right away when you are asked for fingerprint. You need to make the fingerprint authentication fail first (swipe wrong finger or let it time out) before you are asked for password. This is a limitation of PAM because its modules mustn't be threaded and hence cannot support multiple means of authentication at the same time.
2. Missing support in gksu. When you run Synaptic or a similar graphical application that requires unlimited, full root privileges, the standard authentication window doesn't get displayed. Yet the fingerprint reader is ready, and a swipe will authenticate the user. The informative window not appearing is a major bug in GNOME's gksu, which will never be fixed because of its inner limitations. Instead, a replacement called gksu-polkit is being developed (its latest version is in this PPA). With this package installed, you can then adjust your menu items to call gksu-polkit instead of gksu. Go to System > Preferences > Main Menu, select the item you want to modify, click Properties and in the Command field change "gksu [options...] command" to "gksu-polkit /full/path/to/command" (note that you need to drop all the options to gksu, if any, and full path to command is required).

Note on keyrings and passwordless logins

=================================
If you log in with your fingerprint, the default keyring manager will not have access to your password or any other secret data to decrypt your enciphered content with. The same applies to encrypted partitions and their automatic unlocking with libpam-mount or eCryptFS. Please note that it is not possible to unlock the keyring unless you have typed in your password (there's nothing to unlock it with, and having a key stored somewhere on disk is a very naïve and insecure solution). There are basically 2 possible solutions to the keyring issue:
1. Keep logging in with your password as before (you will need to make the fingerprint authentication fail first by scanning a wrong finger) and then use fingerprint only for sudo and locked screens. This way you will have your standard password available in your session, and keyring and encrypted partitions will work as before.
2. Remove the password from your default keyring. This way the passwords in it will be stored unencrypted, but this may be perfectly acceptable for you if you store only non-sensitive data in it (such as passwords to Wi-Fi networks). If you decide to take this route, here is a short how-to: Go to Applications > Accessories > Passwords and Encryption Keys, tab Passwords, right click on Passwords: login, Change Password and set it to an empty string.



Creative Commons License
Using Ubuntu and have a Fingerprint Reader on your laptop? Make it work! by Randy Rowland is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.

Monday, September 23, 2013

Have a RaspberryPi? Need a VPN server?

The Raspberry Pi is a credit-card sized computer that costs between $25 and $35 that plugs into your TV and a keyboard. It’s a capable little PC which can be used for many of the things that your desktop PC does, like spreadsheets, word-processing and games. It also plays high-definition video.  The SoC is a Broadcom BCM2835. This contains an ARM1176JZFS, with floating point, running at 700 MHz, and a Videocore 4 GPU. The GPU is capable of BluRay quality playback, using H.264 at 40 Mbit/s. It has a fast 3D core accessed using the supplied OpenGL ES2.0 and OpenVG libraries.  The GPU provides Open GL ES 2.0, hardware-accelerated OpenVG, and 1080p30 H.264 high-profile decode.
The GPU is capable of 1Gpixel/s, 1.5Gtexel/s or 24 GFLOPs of general purpose compute and features a bunch of texture filtering and DMA infrastructure.  That is, graphics capabilities are roughly equivalent to Xbox 1 level of performance. Overall real world performance is something like a 300MHz Pentium 2, only with much, much swankier graphics.
A VPN (virtual private network) extends a private network across a public network, such as the Internet. It enables a computer to send and receive data across shared or public networks as if it were directly connected to the private network, while benefiting from encryption.
A VPN connection across the Internet is similar to a wide area network (WAN) link between the sites. From a user perspective, the extended network resources are accessed in the same way as resources available from the private network.
VPNs allow employees to securely access their company's intranet while traveling outside the office. Similarly, VPNs securely and cost-effectively connect geographically disparate offices of an organization, creating one cohesive virtual network. VPN technology is also used by ordinary Internet users to connect to proxy servers for the purpose of protecting one's identity.

Let's setup an OpenVPN server using your RaspberryPi


First of all you'll need to ensure you have Raspbian installed and running on your RaspberryPi. If you need to download the latest version you can get that here.  If you need help installing the operating system you can find help here.  Once you have your operating system installed and you have verified it is up and running you can proceed with the steps below.

Step 1
To be able to install the latest program versions we should update our package sources. Open a terminal window and type:
sudo apt-get update
Step 2
Now we are installing OpenVPN and OpenSSL via the terminal.
sudo apt-get install openvpn openssl
Step 3
Switch to the OpenVPN directory and copy into it a directory we will need later.
cd /etc/openvpn
sudo cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 ./easy-rsa
Step 4
Now we open the file easy-rsa/vars with nano and change the line
export EASY_RSA="`pwd`"
to
export EASY_RSA="/etc/openvpn/easy-rsa"
sudo nano easy-rsa/vars
Step 5
We change the directory, become the root user and run some setup commands.
cd easy-rsa
sudo su
source vars
./clean-all
./pkitool --initca
ln -s openssl-1.0.0.cnf openssl.cnf
Step 6
Now we are able to generate the components for the encryption of OpenVPN. After the first input you will be asked for the abbreviation of your country (US = USA, DE = Germany, AT = Austria, CH = Switzerland). All other inputs can simply be confirmed.
./build-ca OpenVPN
./build-key-server server
./build-key client1
Step 7
The calculation of the last components can take a few minutes.
./build-dh
exit
Step 8
We have to switch the directory again and create the file openvpn.conf with the following content:
cd ..
sudo touch openvpn.conf
sudo nano openvpn.conf
Nano is a text editor that runs inside the terminal; type the following:
dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
user nobody
group nogroup
server 10.8.0.0 255.255.255.0
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
client-to-client
push "redirect-gateway def1"
#set the dns servers
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
log-append /var/log/openvpn
comp-lzo
You can change the DNS servers to any DNS you like; these are Google's.  After you have finished typing all of that in, press Ctrl + o to save it to the open file, then Ctrl + x to exit the editor.  If it asks you to save again, just say yes.
Step 9
Now, create the internet forwarding for the VPN clients. If you are not using an ethernet cable (e.g. Wifi) you will have to replace "eth0" with the name of your network device.  Wifi will most likely be "wlan0".
sudo sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
sudo iptables -t nat -A POSTROUTING -s 10.0.0.0/8 ! -d 10.0.0.0/8 -o eth0 -j MASQUERADE
Step 10
One of the final steps will be to delete the "#" before net.ipv4.ip_forward=1 in sysctl.conf.
cd ..
sudo nano sysctl.conf
Step 11
A part of the above settings has to be added to a crontab to persist across reboots. Run crontab -e and insert the following line at the end of the crontab file (replace "eth0" if you did above):
crontab -e
@reboot sudo iptables -t nat -A POSTROUTING -s 10.0.0.0/8 ! -d 10.0.0.0/8 -o eth0 -j MASQUERADE
Step 12
Again change to the root user and to the directory /etc/openvpn/easy-rsa/keys, in which we will create the file raspberrypi.ovpn and fill it with the content below. RASPBERRY-PI-IP should be replaced by the internal IP address of your Pi or, if you are using a DynDNS service, by the given domain.
sudo su
cd /etc/openvpn/easy-rsa/keys
nano raspberrypi.ovpn
dev tun
client
proto udp
remote RASPBERRY-PI-IP 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
comp-lzo
verb 3
Step 13
Now create a package with all the needed files for the client, which we will place in /home/pi, and give the user pi the needed rights to the file.
tar czf openvpn-keys.tgz ca.crt ca.key client1.crt client1.csr client1.key raspberrypi.ovpn
mv openvpn-keys.tgz /home/pi
chown pi:pi /home/pi/openvpn-keys.tgz
exit
Step 14
Restart the OpenVPN server.
sudo /etc/init.d/openvpn start
exit
Finished! Now you can download the file openvpn-keys.tgz to the client and extract the files into your OpenVPN client folder.




Creative Commons License
Have a RaspberryPi? Need a VPN server? by Randy Rowland is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.

Wednesday, December 29, 2010

Free yourself from that expensive cable company

I have been using the Boxee software on my laptops and desktops for several years. Now they have teamed up with D-Link and made a stand-alone set top box for your TV. But let me shut up now and you can watch a video...with a hot chick! She says you need to pair your remote; however, when I set mine up, I didn't have to pair them.


Now that was a quick little intro, if you'd like to see more of the interface, checkout some more videos below.
This box will put out 1080p resolution and can play almost any video format you throw at it. Not only will it stream off the internet but you can have it pull content you have saved on other computers or NASes you have on your network. You can hook it up with an ethernet cable or with an 802.11n wireless connection. If you are interested and have more questions about it, let me know. I'll be glad to answer them for you. If you think you are ready to purchase one, head over to Amazon, or if you want to try the software just on your computer first, head over to Boxee.tv



Creative Commons License
Free yourself from that expensive cable company by Randy Rowland is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.