Monday, August 5, 2013

OpenVPN on Android

First off, I'm running Android Jelly Bean v4.1.2.  Below I'll briefly describe how to set up OpenVPN on Android.

I tried both major applications, OpenVPN for Android and OpenVPN Connect, and personally I prefer "OpenVPN Connect".  The main reason is that "OpenVPN for Android" is menu-driven, whereas "OpenVPN Connect" is file-driven.  If you prefer toggle switches and pasting file content, then "OpenVPN for Android" is for you.  However, if you prefer creating files elsewhere and then simply copying them to your phone and pointing the application at them, then "OpenVPN Connect" is your hands-down choice.

Through some trial and error I found out that "RSA-SHA512" is not a supported authentication digest on Android, as I was getting a "Polarssl_cipher_not_found" error for the "auth RSA-SHA512" setting in my config.ovpn.  However, I did find that "auth SHA512" does work instead.  There may be others that do and don't work, but for now this suits my needs.

To test my client configuration somewhere else, I placed the hand-configured "config.ovpn" and the related keys and certificates on my laptop (Mac) and used Tunnelblick to connect.

Once the configuration is functional, simply copy all the files to a folder on your Android device and use "OpenVPN Connect" to import/open your configuration and then connect.

Saturday, August 3, 2013

OpenVPN rules! A primer on setting up OpenVPN.

Well, that took a while.  Babies sure do suck up free time.  Enough said on that front.

Have you ever wanted to access data on your home network remotely but didn't want to expose lots of ports to insecure applications or set up forwarding for lots of services or applications?  Then OpenVPN might be the solution for you: one forwarded UDP port, authenticated with certificates, in front of everything else.  Now onto the good stuff.

In my case an HTPC will host the new OpenVPN server.  My overall structure will be as follows:  OpenVPN Client > My Router > OpenVPN Server.  It should also be noted that I take security very seriously, so these steps follow nearly all the major recommendations for hardening the OpenVPN server discussed here.

First, install OpenVPN on your server machine.  In my case, I'm using Ubuntu Precise (12.04):

sudo apt-get install openvpn

Next, create the certificate authority, the server and client certificates and keys, the Diffie-Hellman parameters and the tls-auth HMAC key; the configurations below refer to them as ca.crt, server.crt/server.key, client1.crt/client1.key, dh2048.pem and ta.key.  The easy-rsa 2.0 scripts shipped with the openvpn package (build-ca, build-key-server, build-key and build-dh, with KEY_SIZE=2048 set in vars) produce the first four, and openvpn --genkey --secret ta.key produces the last.  I recommend 2048-bit keys, as the strength is excellent and I have not noticed any connection or performance issues.

Then, modify the configuration for the server:

mode server       # both implied by the 'server' line below; harmless to state
tls-server

local 192.168.1.100 # LAN IP of the OpenVPN server
port 1194           # default OpenVPN port
proto udp

dev tun

persist-key       # keep keys and the tun device across restarts; required once
persist-tun       # privileges are dropped to nobody below

#certificates and encryption
ca ca.crt
cert server.crt
key server.key    # This file should be kept secret
dh dh2048.pem     # Diffie-Hellman parameters; only exercised by DHE tls-ciphers
tls-auth ta.key 0 # This file is secret; direction 0 on the server, 1 on clients
tls-cipher AES256-SHA # Pins TLS_RSA_WITH_AES_256_CBC_SHA: RSA key exchange, so no forward secrecy; a DHE-RSA suite (e.g. DHE-RSA-AES256-SHA) would use dh2048.pem and provide it
cipher AES-256-CBC
auth SHA512       # Supported on Android phones (RSA-SHA512 is not)

# Network info
topology subnet   # one address per client instead of a /30 per client (the net30 default)
server 192.168.2.0 255.255.255.0 # VPN subnet clients will get IPs from
push "route 192.168.1.0 255.255.255.0" # Push a route to the LAN to every client
client-to-client  # Let VPN clients reach each other (not needed for LAN access)
max-clients 2     # Max number of VPN clients connected at a time
ifconfig-pool-persist /etc/openvpn/ipp.txt # remember client-to-IP assignments across restarts
comp-lzo

#log and security
user nobody       # drop root after the tun device and keys are set up
group nogroup
keepalive 10 120  # ping every 10 s; assume the peer is gone after 120 s of silence
status openvpn-status.log
verb 3

Then setup the first client:

client
dev tun

proto udp

# Server to connect to
remote ###.###.###.### 1194 # Public IP/hostname of the router, which forwards UDP 1194 to the server

resolv-retry infinite # keep retrying name resolution of the remote, useful on mobile links

nobind            # no fixed local port needed on the client side
user nobody
group nobody      # Debian/Ubuntu clients use 'nogroup'; not applicable on Android

persist-key
persist-tun

# Certificates
ca ca.crt
cert client1.crt
key client1.key
tls-auth ta.key 1 # direction 1 on the client; the server uses 0

# Increased security (prevent man-in-the-middle attacks)
ns-cert-type server # refuse a peer whose certificate is not marked as a server cert; remote-cert-tls server (checks the EKU instead) is the modern replacement

# Encryption - Must match server side
cipher AES-256-CBC
tls-cipher AES256-SHA
auth SHA512

comp-lzo
verb 3
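Two things go wrong most often at this point: a client config that silently disagrees with the server on a "must match" directive, and loose certificate files that have to travel to the phone alongside the .ovpn (the Android post above).  The checker below is an added example, not the author's code and not part of OpenVPN: it parses a server and a client config, verifies the directives that must agree, the tls-auth key directions and the server-certificate check, and then inlines the certificate files into a single .ovpn profile, which OpenVPN Connect imports as one file.  The sample configs, the hostname vpn.example.net and the PEM blobs in FILES are constructed placeholders.

```python
"""Check an OpenVPN client config against its server config and render a
single-file (inline) .ovpn profile.

Added example, not code from the original post or from the OpenVPN project.
The sample configs, the hostname vpn.example.net and the PEM blobs in FILES
are constructed placeholders.
"""
import re

# Directives whose values must agree on both ends of the tunnel.
MUST_MATCH = ("proto", "cipher", "auth", "tls-cipher", "comp-lzo")

# File-referencing directives that OpenVPN accepts as inline <tag> blocks.
INLINE_TAGS = ("ca", "cert", "key", "tls-auth")


def strip_comment(line):
    """Drop a trailing '#' or ';' comment and surrounding whitespace."""
    return re.sub(r"\s*[#;].*$", "", line).strip()


def parse(conf):
    """Map each directive name to its argument list. Comments and blank
    lines are dropped; a directive given twice keeps its last value, which
    is enough for the consistency checks below."""
    opts = {}
    for raw in conf.splitlines():
        line = strip_comment(raw)
        if line:
            name, *args = line.split()
            opts[name] = args
    return opts


def check_pair(server_conf, client_conf):
    """Return a list of human-readable problems; [] means the pair agrees."""
    s, c = parse(server_conf), parse(client_conf)
    problems = []
    if "server" not in s or "client" not in c:
        problems.append("expected 'server' in the server config and 'client' in the client config")
    for d in MUST_MATCH:
        if s.get(d) != c.get(d):
            problems.append(f"{d}: server={s.get(d)} client={c.get(d)}")
    # tls-auth key directions must be complementary: 0 on the server, 1 on clients.
    if s.get("tls-auth", [])[1:] != ["0"] or c.get("tls-auth", [])[1:] != ["1"]:
        problems.append("tls-auth key direction must be 0 on the server and 1 on the client")
    # The client must refuse a peer that presents anything but a server certificate.
    if "ns-cert-type" not in c and "remote-cert-tls" not in c:
        problems.append("client lacks 'ns-cert-type server' / 'remote-cert-tls server'")
    return problems


def render_inline(client_conf, files):
    """Rewrite 'ca ca.crt'-style lines as <ca>...</ca> blocks so the profile
    is one file. `files` maps filename -> PEM text. An inlined tls-auth loses
    its direction argument, so that is re-expressed as 'key-direction N'."""
    out = []
    for raw in client_conf.splitlines():
        parts = strip_comment(raw).split()
        if parts and parts[0] in INLINE_TAGS:
            name, args = parts[0], parts[1:]
            if name == "tls-auth" and len(args) > 1:
                out.append(f"key-direction {args[1]}")
            out.append(f"<{name}>\n{files[args[0]].strip()}\n</{name}>")
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


# Constructed sample configs mirroring the post's server and client setups.
SERVER = """\
server 192.168.2.0 255.255.255.0
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
tls-auth ta.key 0   # server side of the HMAC key
tls-cipher AES256-SHA
cipher AES-256-CBC
auth SHA512
comp-lzo
"""

CLIENT = """\
client
dev tun
proto udp
remote vpn.example.net 1194   # hypothetical public hostname of the router
nobind
resolv-retry infinite
# Certificates
ca ca.crt
cert client1.crt
key client1.key
tls-auth ta.key 1
ns-cert-type server
# Encryption - must match the server
cipher AES-256-CBC
tls-cipher AES256-SHA
auth SHA512
comp-lzo
verb 3
"""

# A deliberately mismatched client: weaker data-channel cipher than the server.
BAD_CLIENT = CLIENT.replace("cipher AES-256-CBC", "cipher AES-128-CBC")

# Constructed placeholder file contents (not real certificates or keys).
FILES = {
    "ca.crt": "-----BEGIN CERTIFICATE-----\nPLACEHOLDER-CA\n-----END CERTIFICATE-----\n",
    "client1.crt": "-----BEGIN CERTIFICATE-----\nPLACEHOLDER-CLIENT1\n-----END CERTIFICATE-----\n",
    "client1.key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER-CLIENT1-KEY\n-----END PRIVATE KEY-----\n",
    "ta.key": "-----BEGIN OpenVPN Static key V1-----\nPLACEHOLDER-TA\n-----END OpenVPN Static key V1-----\n",
}

if __name__ == "__main__":
    for label, conf in (("client1", CLIENT), ("bad client", BAD_CLIENT)):
        print(label, "->", check_pair(SERVER, conf) or "OK")
    print(render_inline(CLIENT, FILES))
```

Run as a script it reports "OK" for the matching pair, a cipher mismatch for the deliberately broken one, and prints the inlined profile; for real use, put the actual ca.crt, client1.crt, client1.key and ta.key contents in FILES.  The key-direction line is what carries the "1" that the inlined tls-auth block can no longer express, so do not drop it when hand-editing the result.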

You should now be able to connect to the OpenVPN server from your client (for the remote line above to work, the router must forward UDP 1194 to 192.168.1.100).  However, reaching systems on your LAN is yet to be solved.  To do that you'll need to do two things:
  1. Enable IP forwarding on the system running OpenVPN: set net.ipv4.ip_forward=1 in /etc/sysctl.conf so it survives a reboot (sysctl -w net.ipv4.ip_forward=1 applies it immediately)
  2. Set up a static route for the new subnet on any router(s) on your LAN so that replies find their way back: 192.168.2.0/24 via 192.168.1.100

Sunday, October 16, 2011

A new day

So it's been a while...  I've been finding that life seems to take precedence over typing.  Anyhow, I've got a fully functional HTPC now, using the .24 stream of MythTV via Mythbuntu.  Works like a champ and although I haven't actually watched any of my shows, it's recording gobs of them (thank goodness for cheap drive space).  Took a bit longer than I thought to get things up and running the way I like in MythTV, but more or less got it running smoothly.

I also realized recently I'm going to need a wireless N router soon to stream much of this HD over my home network (removing any chance of playback lag), but fortunately a friend has an early model he's looking to get rid of, so I'll see if that works for my needs.  If possible I'll update it to the open-source DD-WRT.

Items still on my todo list, which will have to wait a bit longer are wall mount the TV, get a new entertainment center, and attic mount the antenna. 

Wednesday, March 23, 2011

New addition.

The new LED backlit LCD TV arrived yesterday in all its glory.   It was the IPS model panel as I'd hoped rather than VA (lower quality apparently, from googling).  It's a bit larger in the room than I'd thought (55" goes a long way), so now I get to figure out how/where to wall-mount it and we'll also start the hunting process on a new entertainment center.  Overall though I'm very pleased and a 1.2" thick TV is just crazy to see.

I started playing with the new features of course, and immediately upgraded the firmware.  Netflix integration works as planned and UPnP / DLNA is nearly as good as I'd hoped.  I'm having some trouble streaming full HD content from my HTPC (using MediaTomb), but that'll be something I can resolve with time if needed.  For now I'll just switch inputs to MythTV on my HTPC for any recorded HD content.  On a good note, the nearly 200 movies I have stored on the HTPC play just fine remotely, so at least it's a step.

My one gripe so far is the HDMI-CEC functionality provided by LG(otherwise known as Simplink).  Apparently they only certify LG products, but I was really hoping to drop a DVD or Blu-Ray in my PS3 and have LG's Simplink give me control or ideally begin playing without me having to switch inputs.  Unfortunately though, it looks like it doesn't even recognize the PS3, so I imagine without a future firmware update, I'll be forced to manually switch inputs and possibly remotes(*sigh*).

So next on the agenda (in no particular order) will be to hang the LCD, get a new entertainment center, attic-mount my antenna, clean up the cabling for all this, figure out a single remote solution (that's opposite-sex friendly), and test out the optical digital out from the TV to my receiver (in hopes that I can keep from having to switch inputs on my receiver too).

Wednesday, March 16, 2011

To begin with...

I should start this off by saying, I cut the digital TV cable at least four years ago in favor of OTA and have never looked back since. I've also used homebrew DVRs for longer than that as well, probably nearing on six years, so this blog will most definitely reference topics in this area.

Found the cordcutters sub-reddit today and will have to check this often so I can watch for new happenings in the MythTV and homebrew DVR area.

I plan to upgrade to the latest MythTV via Mythbuntu in the next week or two as I've decided to delve into the flat panel TV area and will want to stream video via MediaTomb soon.

First...

Trying out this whole "blogging" thing.  The goal here is to see how many people I can put to sleep at once with technology stuff... starting now.