StrongSwan VPN (and ufw)

2015-01-26 17:29:54 PST


I make ample use of SSH tunnels. They are easy, which is the primary reason. But sometimes you need something a little more powerful, like for a phone so all your traffic can’t be snooped out of the air around you, or so that all your traffic, not just SOCKS-proxy-aware apps, can be sent over it. For that reason I decided to delve into VPN software over the weekend. After a pretty rushed survey I ended up going with StrongSwan. OpenVPN brings back nothing but memories of complexity and OpenSwan seemed a bit abandoned, so I had to pick one of its descendants and StrongSwan seemed a bit more popular than LibreSwan. Unscientific and rushed, like I said.

So there are several scripts floating around that will just auto set it up for you, but where’s the fun (and the understanding that allows tweaking) in that. So I found two guides and smashed them together to give me what I wanted:

strongSwan 5: How to create your own private VPN is the much more comprehensive one, but also sets up a cert-style login system. I wanted passwords initially.

strongSwan 5 based IPSec VPN, Ubuntu 14.04 LTS and PSK/XAUTH has a few more details on a password based setup.

Additional notes: I pretty much ended up doing the first one straight through except creating client certs. Also the XAUTH / IKE1 setup of the password tutorial seems incompatible with the Android StrongSwan client, so I used EAP / IKE2, pretty much straight out of the first one. Also it seems like you still need to install the CA cert and vpnHost cert on the phone unless I was missing something.

Also, as an aside, and a curve ball to make things more difficult, this was done on a new server I am playing with. Ever since I’d played with OpenBSD’s pf, I’ve been ruined for iptables. It’s just not as nice. So I’d been hearing about ufw from the Ubuntu community for a while and was curious if it was nicer and better. I figured after several years maybe it was mature enough to use on a server. I think maybe I misunderstood its point. Uncomplicated maybe meant not-featureful. Sure, for unblocking ports for an app it’s cute and fast, and even for straight unblocking a port its syntax is a bit clearer I guess? But as I delved into it I realized I might have made a mistake. It’s built on top of the same system iptables uses, but creates all new tables so iptables isn’t really compatible with it. The real problem however is that the ufw command has no way to set up NAT masquerading. None. The interface cannot do that. Whoops. There is a hacky work around I found at OpenVPN – forward all client traffic through tunnel using UFW which involves editing config files in pretty much iptables-style code. Not uncomplicated or easier or less messy like I’d been hoping for.
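What that config-file workaround looks like in practice, as an added example (not from the post or the linked OpenVPN guide): a script that generates the three edits ufw needs for NAT masquerading of a VPN subnet, writes them under a root directory you choose so they can be reviewed before touching the real /etc, and audits the result for the classic mistake of a MASQUERADE rule with no source restriction. The subnet 10.10.10.0/24 and the upstream interface eth0 are assumed values; substitute your VPN pool and interface.

```shell
# Added example, not from the post. Assumed values: VPN client subnet and
# upstream interface. Override by exporting VPN_NET / OUT_IF before running.
VPN_NET="${VPN_NET:-10.10.10.0/24}"
OUT_IF="${OUT_IF:-eth0}"

# The *nat block that must sit ABOVE the "*filter" line in
# /etc/ufw/before.rules. ufw has no verb for this; it is iptables-restore syntax.
ufw_nat_block() {
    cat <<EOF
# NAT table rules (added for VPN masquerading)
*nat
:POSTROUTING ACCEPT [0:0]
# Masquerade only the VPN subnet, and only when leaving via the upstream interface
-A POSTROUTING -s $VPN_NET -o $OUT_IF -j MASQUERADE
COMMIT
EOF
}

# Apply the edits under root "$1" ("" = the real /etc). Safe to re-run: the
# marker comment above prevents a second nat block from being prepended.
ufw_apply_nat() {
    root="${1:-}"
    before="$root/etc/ufw/before.rules"
    defaults="$root/etc/default/ufw"
    sysctl="$root/etc/ufw/sysctl.conf"
    mkdir -p "$root/etc/ufw" "$root/etc/default"
    touch "$before" "$defaults" "$sysctl"
    # 1. ufw drops forwarded packets by default; routed VPN traffic needs ACCEPT.
    if grep -q '^DEFAULT_FORWARD_POLICY=' "$defaults"; then
        tmp="$(mktemp)"
        sed 's/^DEFAULT_FORWARD_POLICY=.*/DEFAULT_FORWARD_POLICY="ACCEPT"/' "$defaults" > "$tmp"
        mv "$tmp" "$defaults"
    else
        echo 'DEFAULT_FORWARD_POLICY="ACCEPT"' >> "$defaults"
    fi
    # 2. The kernel must route between interfaces; ufw applies its own sysctl file.
    grep -q '^net/ipv4/ip_forward=1' "$sysctl" || echo 'net/ipv4/ip_forward=1' >> "$sysctl"
    # 3. Prepend the nat table so it precedes the existing *filter table.
    if ! grep -q 'added for VPN masquerading' "$before"; then
        tmp="$(mktemp)"
        { ufw_nat_block; cat "$before"; } > "$tmp"
        mv "$tmp" "$before"
    fi
}

# Audit: every MASQUERADE rule in the file must carry a "-s" source match.
# An unscoped rule would NAT anything the box forwards, not just VPN clients.
ufw_nat_check() {
    bad="$(grep -- '-j MASQUERADE' "$1" | grep -v -- ' -s ' || true)"
    if [ -n "$bad" ]; then
        echo "unscoped MASQUERADE rule(s) in $1:" >&2
        echo "$bad" >&2
        return 1
    fi
    return 0
}

# Only touch the real system when explicitly asked.
if [ "${1-}" = "--apply" ]; then
    ufw_apply_nat "" && ufw_nat_check /etc/ufw/before.rules \
        && echo "edited; reload with: sudo ufw disable && sudo ufw enable"
fi
```

Run it with no arguments to just load the functions, or with `--apply` as root to edit the live files; ufw only re-reads before.rules on a disable/enable cycle. The audit function is the part worth keeping around: a MASQUERADE rule without `-s` is easy to write by hand and silently turns the server into a NAT gateway for anything that can get packets routed through it.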

So a little unimpressed with ufw (but learned a bunch about it so that’s good and I guess what I was going for) and had to add “remove ufw and replace with iptables on that server” to my todo list, but after a Sunday’s messing around I was able to get my phone to work over the VPN to my server and the internet. So a productive time.

OpenSSH + 2 and 3 factor auth

2014-08-30 08:01:03 PST


Windows and C#, oh my!

2014-08-28 14:12:38 PST


So this happened at work


That’s right, after 13 years of being a purely Linux user, work asked if I’d like to be cross trained in Windows/C# development and I said “sure” and here I am.

So first thoughts: VirtualBox’s ability to boot from a hard drive is a massive help, crutch, safety blanket and amazing. I have my original work Ubuntu install running off the hard drive in VirtualBox, fullscreened on one of my two screens, fairly seamlessly interacting with the host Windows (copy/paste etc). Windows 8.1 is less broken than I remember my one half hour of messing around with Windows 8 to be. Also little apps like AltDrag help ease the transition, although there have been a good few cases of wrong-window typing because I’m about 13 years out of practice with click-to-focus. Visual Studios + ReSharper are at least trying to ease the burden of coming up to speed on a new language, environment and code base by making exploring easier, so that’s appreciated (“Find declaration/implementation/usage” are getting a lot of usage from me).

As for a deeper why? Well, my new director basically made a more compelling argument about Visual Studios and C# being good languages for a lot of productivity, in a way that clearly got my interest unlike anyone else in the past. Naturally the final verdict is TBD (will need some good time on that one), but I appreciate the opportunity because this stack isn’t one that would often land in my lap to experiment with and learn on.

So, a new learning adventure commences. We’ll see where this takes me.

Link: Linux Encryption in the Cloud using LUKS on Linode

2014-08-26 21:42:13 PST


Linux Encryption in the Cloud using LUKS on Linode – an excellent guide to setting up a Linode with root disk encryption – 2013
Work around for 14.04 …

USB passthrough to a VM, via GUI only

2014-05-26 06:43:15 PST


It sure has gotten easier to add USB devices to VMs with libvirt-manager and its nice UI.

Email server todo: read up on DMARC

2014-04-07 15:55:22 PST


The latest bolt-on email security specification, on top of SPF and DKIM, is DMARC. Need to read up on it and get to implementing it, I suppose.

git branch in bash prompt

2014-03-18 13:20:31 PST


Adding ‘$(__git_ps1)’ to my .bashrc PS1 bash prompt was the greatest idea/discovery I’ve had in a bit, as now I know exactly what branch any repo I enter is on:

dan@dan-work:~/src/work-project/ (master)$ 
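A .bashrc excerpt doing the same thing, as an added example (not the post’s own .bashrc): it sources git’s prompt helper from the places distributions usually ship it, turns on the dirty/untracked/stash markers, and falls back to a plain prompt when `__git_ps1` is unavailable, since otherwise every prompt prints a "command not found" error. The file locations are the Debian/Ubuntu and Fedora paths as I know them; adjust if yours differs.

```shell
# Added example, not from the post. Source git's prompt helper only under
# bash (the script is bash/zsh only) from the usual distro locations.
if [ -n "${BASH_VERSION-}" ]; then
    for _f in /usr/lib/git-core/git-sh-prompt \
              /etc/bash_completion.d/git-prompt \
              /usr/share/git-core/contrib/completion/git-prompt.sh; do
        if [ -r "$_f" ]; then . "$_f"; break; fi
    done
fi

# Extra markers next to the branch name:
#   * unstaged changes, + staged changes, % untracked files, $ stash present
GIT_PS1_SHOWDIRTYSTATE=1
GIT_PS1_SHOWUNTRACKEDFILES=1
GIT_PS1_SHOWSTASHSTATE=1

# Build the prompt string: add the branch suffix only if __git_ps1 exists,
# so a machine without git-prompt still gets a working, error-free prompt.
build_ps1() {
    if command -v __git_ps1 >/dev/null 2>&1; then
        printf '%s' '\u@\h:\w$(__git_ps1 " (%s)")\$ '
    else
        printf '%s' '\u@\h:\w\$ '
    fi
}

PS1="$(build_ps1)"
```

With the markers on, the prompt in the post would read `dan@dan-work:~/src/work-project/ (master *)$` while there are uncommitted edits, which is the second thing after the branch name that you usually want to know before typing a command.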

Ubuntu 14.04 because I couldn’t wait

2014-03-14 06:33:49 PST


Well, for better or worse, I semi-impulsively upgraded my main laptop Minerva to Ubuntu 14.04 a month and a bit ahead of release. I used to upgrade to all the latest Ubuntu versions a month and change ahead of release because back in the 10.04 and before days the Ubuntu alphas and betas had amazing stability. After that the stability went away, even in some cases from the actual releases (12.04 has always been a bit unstable to my mind, even two years later). But so far (knock on wood) nothing has exploded, so that’s good.

I’ve always been a fan of ‘focus follows mouse’, so while I had previously just removed the Ubuntu appmenu (because the two do not work together and also appmenu degrades functionality on bigger screens) I’m now trying their new “Menus in title bar”. I’m glad they are now remembering and acknowledging big desktop interface users.

Now I just need to track down the new betas of ROS that will work on Ubuntu 14.04 and we’ll really be cooking…

Warning: Ubuntu 12.04 kernel 3.8.0-37 panics during init and fails to boot (for me)

2014-03-11 10:17:40 PST


So I installed some package updates on my work machine and rebooted and… kernel panic during init. Repeatedly. So that was surprising, concerning and worrying. On the fourth try I booted the previous 3.8.0-36 kernel and the system came up fine. So they shipped a kernel that panics, at least on my system. Not good. There seems to be some confirmation popping up on AskUbuntu and I chimed in there.

But I was curious why the first Google hit was AskUbuntu and not Launchpad for a pretty dire bug. So I hopped over to Launchpad. Logged in for the first time in a very long time and looked around. No “report bug” link. Ok. That’s odd, it’s their bug reporting system. So I poked around and eventually figured maybe I had to pick a project (not super obvious from their front page), so I found Ubuntu and poof, there was the report bug link! Except it linked to a long detailed help document on how to report bugs. I just want to report a non-booting kernel. So in there, after some other non-working links to more documentation, I found a link specifically for reporting System Crashes. But I’m still on their wiki, and just being passed around to read more and more and not actually report a bug. I don’t want to read pages of documentation on their convoluted bug reporting process at work. I have work to do that they’ve already crapped all over by shipping a buggy kernel, and now I’m wasting my time reading about their Kafkaesque reworking of a bug tracking system. Have they removed the web report-a-bug system and replaced it only with wiki pages and some programs? I’m sure it’s great once you’ve drunk the kool-aid and spent the requisite month in solitude learning it. But FFS, for a random guy who just had a system-crashing bug, it’s all useless. I’m trying not to be rude but I’m pretty angry. How hard is it to have a web interface for bug reports? Were they just getting too many, so hid it behind a maze of wiki pages, or just removed it and replaced it with a bunch of apps you have to install and read manual pages on to use? Not really acceptable IMHO. I know the inundation of bugs might have been a problem, but obfuscating the process for anyone without a load of time to drop seems like not the answer. If you screwed up you should probably make the barrier for finding out as low as possible. Get a smarter system that auto-groups likely dups; don’t write a barrage of docs and desktop/cli apps and hide behind those instead. So maybe they’ll not learn today they are shipping a kernel-panic bug. Awesome.

Huge, really amazing fail, Ubuntu, both on shipping a non-booting kernel and then making AskUbuntu the only way non-super-initiated people can report it.

Getting started with my softkinetic DepthSense 325

2014-03-08 20:29:35 PST


So a bit ago I bought a DepthSense 325 camera. I’ve been pretty busy since then but today I finally sat down to get started with it. First thing, it was on my netbook so I had to re-set up the software stack and SDK. The SDK is free from softkinetic and works on Linux (which is awesome, and also a big reason I bought this camera) but I think it’s more aimed at Ubuntu 12.04, so there were one or two extra steps to make it go on 13.10.

First, regardless of Ubuntu version, you need to add the DepthSense libraries to the dynamic linker’s library search path, and the now recommended way is adding a file to /etc/ like this



Then run ‘sudo ldconfig‘ to regenerate the cache or whatever. Now you can link against the libraries.

Next, at least for Ubuntu 13.10, you need to fake having Thankfully worked fine so run

sudo ln -s /lib/x86_64-linux-gnu/ /lib/x86_64-linux-gnu/

At this point DepthSenseViewer that comes with the SDK should work and you are good to go.
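The ld.so.conf.d step above, as an added example (not from the post or the SDK): a script that registers the SDK library directory with the dynamic linker, checks that the directory is root-owned and not group/world writable before doing so, and verifies what ldconfig actually resolves afterwards. The library path is the one the g++ line further down uses; the drop-in file name depthsense.conf is an assumption, and GNU stat is assumed for the permission check. The ownership check matters because a directory listed in ld.so.conf is trusted by every dynamically linked program on the system, including setuid ones that ignore LD_LIBRARY_PATH.

```shell
# Added example, not from the post. SDK lib path taken from the post's g++
# line; the drop-in file name and the use of GNU stat are assumptions.
SDK_LIB="${SDK_LIB:-/opt/softkinetic/DepthSenseSDK/lib}"

# A directory fit for ld.so.conf: exists, owned by uid 0, no group/other
# write bit (last two octal digits of the mode must not be 2, 3, 6 or 7).
libdir_is_trusted() {
    dir="$1"
    [ -d "$dir" ] || return 1
    [ "$(stat -c '%u' "$dir")" = "0" ] || return 1
    case "$(stat -c '%a' "$dir")" in
        *[2367]?|*[2367]) return 1 ;;
    esac
    return 0
}

# Write the drop-in under root "$1" ("" = the real /etc) for libdir "$2".
# Entries in ld.so.conf are unquoted, so a path with whitespace is refused.
# Prints the path of the file it wrote.
register_sdk_libdir() {
    root="${1:-}"
    libdir="${2:-$SDK_LIB}"
    [ -d "$libdir" ] || { echo "no such directory: $libdir" >&2; return 1; }
    case "$libdir" in *[[:space:]]*) echo "whitespace in path: $libdir" >&2; return 1 ;; esac
    conf="$root/etc/ld.so.conf.d/depthsense.conf"
    mkdir -p "$root/etc/ld.so.conf.d"
    printf '%s\n' "$libdir" > "$conf"
    printf '%s\n' "$conf"
}

# After "ldconfig": is libDepthSense.so in the linker cache?
sdk_lib_cached() {
    ldconfig -p 2>/dev/null | grep -q 'libDepthSense\.so'
}

# Only touch the real system when explicitly asked (needs root).
if [ "${1-}" = "--apply" ]; then
    libdir_is_trusted "$SDK_LIB" || { echo "$SDK_LIB is missing or writable by non-root" >&2; exit 1; }
    register_sdk_libdir "" "$SDK_LIB"
    ldconfig
    sdk_lib_cached && echo "libDepthSense.so is now in the ldconfig cache"
fi
```

Running it with `--apply` as root does what the post describes by hand; the `ldconfig -p` check at the end is the quick way to confirm the cache picked the library up before spending time on a link error.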

So today’s mission after getting set up was to get some code pulling from the camera and displaying using opencv (because I ultimately want to feed it through ROS filters and, as was suggested on a forum post, the best way to hook the DS325 into ROS was through openCV and then the ros opencv bridge). Thankfully I found what I needed on the softkinetic forum in Example Linux/OpenCV Code to display/store DS325 data. The first code needed some slight fixes as detailed in the second (but slightly corrupted formatted) post. With a little poking and prodding I had it compiling and working.

g++ ds_show.cxx  -I /opt/softkinetic/DepthSenseSDK/include/ -L /opt/softkinetic/DepthSenseSDK/lib -lDepthSense  -lopencv_core -lopencv_highgui

Not actually that much coding today, but a lot of pieces in place.

DepthSense 325 now being polled by my code and openCV
