blog.mirabellette.eu

A blog about digital independence and autonomy

Privacy

A highly secure OpenVPN 2.4 configuration in 2018

Written by Mirabellette / 04 november 2018 / 4 comments

Hello everyone,

Introduction

Today I would like to talk about OpenVPN. For those who did not know, OpenVPN is a free and open-source software application that implements virtual private network (VPN) techniques to create secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities * from Wikipedia. It is developed by OpenVPN Incorporation and they offered a service of VPN with the product privatetunnel.

Nowadays, there a plenty of OpenVPN tutorial which describe how to install and configure it. Contrary to them, I will try to choose the most secure configuration possible in 2018 of OpenVPN 2.4.0 with Debian 9.5. I will try to describe as much as possible each step of the tutorial in order to be clearly understood.

Preliminaries

First of all, we have to install the OpenVPN package and some extra tools with the user root

apt update
apt upgrade
apt install -y iptables-persistent openvpn vim sudo

Generate certificates

Downloads and configuration of EasyRSA

To generate certificates, we will use EasyRSA. EasyRSA is command line interface utility to build and manage keys and certificates. You can download the latest version for your desktop here EasyRSA is one the easiest tool to use to generate Certificate for OpenVPN. This article was focused on OpenVPN configuration and not the certificate part. That means I used the recommend certificate generation tool by OpenVPN, EASYRSA.

Unfortunately, it appears it does not allow to use the more secure cryptographic digest available today to generate a certificate. If you really want to use them, you need to use OpenSSL directly. An amazing tutorial is available here and could help you.

mkdir /tmp/openvpn
cd /tmp/openvpn/
wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.5/EasyRSA-nix-3.0.5.tgz
tar xf EasyRSA-nix-3.0.5.tgz
cd EasyRSA-3.0.5
cp vars.example vars
vim vars

You must now modify the vars file in order to enable elliptic curve mode and improves the hash algorithm uses. Regarding the elliptic curve choosen, it appears that curves and cryptographic tools provided by the National Institute of Standards and Technology (NIST) were deliberately weaken. That's why, I choose to recommend the curve Curve25519 because it is similarly strong than secp256, faster, safer and was not create by the NIST. They are curve which are more secure but they are also dramatically slow.

# Enable elliptic crypto mode
set_var EASYRSA_ALGO ec

# Define the named curve - choose what you like and what is supported - openvpn --show-curves
set_var EASYRSA_CURVE Curve25519
# In how many days should the root CA key expire?
set_var EASYRSA_CA_EXPIRE 3650

# In how many days should certificates expire?
set_var EASYRSA_CERT_EXPIRE 3650

# In how many days should the control happen?
set_var EASYRSA_CRL_DAYS 3650

# Define the Cryptographic digest use, unfortunately, only the md5 and sha family is currently available with EasyRSA
set_var EASYRSA_DIGEST "sha512"

Generate certificates

Please write carefully about the Common name you choose for each certificate, especially for the server certificate. This one will be used by the client to verify the server certificate in order to avoid Man in the middle attack.

# generate a directory to store all files
./easyrsa init-pki

# generate an autority certificate
./easyrsa build-ca nopass

# create server key (server.key) and certificate signing request (server.req)
./easyrsa gen-req server nopass

# sign server certificate signing request by autority certificate (server.ca)
./easyrsa sign-req server server nopass

# create client key (client.key) and certificate signing request (client.req)
./easyrsa gen-req client nopass

# sign client certificate signing request by autority certificate (client.ca)
./easyrsa sign-req client client nopass

Generate certificates

# we will now create a more easy to read directory tree
mkdir /tmp/openvpn/server/
mkdir /tmp/openvpn/server/certificates
cp /tmp/openvpn/EasyRSA-3.0.5/pki/ca.crt /tmp/openvpn/server/certificates/ca.crt
cp /tmp/openvpn/EasyRSA-3.0.5/pki/issued/server.crt /tmp/openvpn/server/certificates/server.crt
cp /tmp/openvpn/EasyRSA-3.0.5/pki/private/server.key /tmp/openvpn/server/certificates/server.key

mkdir /tmp/openvpn/client/
mkdir /tmp/openvpn/client/certificates
cp /tmp/openvpn/EasyRSA-3.0.5/pki/ca.crt /tmp/openvpn/client/certificates/ca.crt
cp /tmp/openvpn/EasyRSA-3.0.5/pki/issued/client.crt /tmp/openvpn/client/certificates/client.crt
cp /tmp/openvpn/EasyRSA-3.0.5/pki/private/client.key /tmp/openvpn/client/certificates/client.key

Network configuration

Let's consider that the ssh server listens the 22 port and 443 for the VPN server.

Firewall rules

We have to define firewall rules in the file /etc/iptables/rules.v4:

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Forward the VPN traffic to eth0
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

COMMIT

*filter

# Allow all loopback (lo) traffic and reject anything
# to localhost that does not originate from lo.
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -s 127.0.0.0/8 -j REJECT
-A OUTPUT -o lo -j ACCEPT

# Allow ping and ICMP error returns.
-A INPUT -p icmp -m state --state NEW --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT

# Allow SSH.
-A INPUT -i eth0 -p tcp -m state --state NEW,ESTABLISHED --dport 22 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state ESTABLISHED --sport 22 -j ACCEPT

# Allow TCP traffic.
-A INPUT -i eth0 -p tcp -m state --state NEW,ESTABLISHED --dport 443 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state ESTABLISHED --sport 443 -j ACCEPT

# Allow DNS resolution and limited HTTP/S on eth0.
# Necessary for updating the server and keeping time.
-A INPUT -i eth0 -p udp -m state --state ESTABLISHED --sport 53 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m state --state NEW,ESTABLISHED --dport 53 -j ACCEPT

# Allow traffic on the TUN interface.
-A INPUT -i tun0 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT

# then reject them.
-A INPUT -j REJECT
-A OUTPUT -j REJECT

COMMIT

Be sure to adapt these rules to your needs before applying them.

sudo iptables-restore < /etc/iptables/rules.v4

We can check if the rules are correctly implied:

sudo iptables -L

Enable ipv4 forwarding and disable ipv6

In the file /etc/sysctl.d/99-sysctl.conf, add the following lines to enable ipv4 forwarding and disable ipv6:

net.ipv4.ip_forward = 1

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
net.ipv6.conf.eth0.disable_ipv6 = 1

and then apply the new configuration

sudo sysctl -p

Remove ipv6 lines in /etc/hosts:

#::1 localhost ip6-localhost ip6-loopback

Reject ipv6 traffic by editing the file /etc/iptables/rules.v6, it must contains:

*filter

-A INPUT -j REJECT
-A FORWARD -j REJECT
-A OUTPUT -j REJECT

COMMIT

and apply:

sudo ip6tables-restore < /etc/iptables/rules.v6

Examples of very secure configuration

In order to continue, we will use the highly secure configuration below. Be careful, you need to follow the tutorial until the end to make it workable.

Example of server configuration

Please copy the following code in /tmp/openvpn/server/server.conf. It is the OpenVPN server configuration. Don't forget to replace local IP_OF_YOUR_OPENVPN_SERVER by your server ip.

#/tmp/openvpn/server/server.conf
local IP_OF_YOUR_OPENVPN_SERVER
dev tun
topology subnet
proto tcp
port 443
server 10.8.0.0 255.255.255.0
tls-server

ca /etc/openvpn/server/certificates/ca.crt
# crl-verify /etc/openvpn/server/certificates/crl.pem
cert /etc/openvpn/server/certificates/server.crt
key /etc/openvpn/server/certificates/server.key
tls-crypt /etc/openvpn/server/certificates/tls_crypt.key

dh none
ecdh-curve ED25519
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
cipher AES-256-GCM
ncp-ciphers AES-256-GCM
tls-version-min 1.2
persist-tun
compress

persist-key
keepalive 10 120

user ovpn
group ovpn

status /var/log/openvpn-status.log
log /var/log/openvpn.log

push "redirect-gateway"
push "dhcp-option DNS 10.8.0.1"
push "dhcp-option WINS 10.8.0.1"
push "route-ipv6 2000::/3"

Example of client configuration

Please copy the following code in /tmp/openvpn/client/client.conf. It is the OpenVPN client configuration. Don't forget to replace remote IP_OF_YOUR_OPENVPN_SERVER by your server ip and COMMON_NAME_OF_THE_SERVER_CERTIFICATE by the Common name you gave to the server certificate .cf Generating certificates.

# /tmp/openvpn/client
client
dev tun
remote IP_OF_YOUR_OPENVPN_SERVER 443
proto tcp
resolv-retry infinite
compress
nobind
verify-x509-name "COMMON_NAME_OF_THE_SERVER_CERTIFICATE" name
remote-cert-tls server
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
cipher AES-256-GCM
tls-version-min 1.2
auth-nocache
persist-key
persist-tun

status /var/log/openvpn-status.log
log /var/log/openvpn.log
verb 3

ca /etc/openvpn/client/certificates/ca.crt
cert /etc/openvpn/client/certificates/client.crt
key /etc/openvpn/client/certificates/client.key
tls-crypt /etc/openvpn/client/certificates/tls_crypt.key

Harden OpenVPN configuration

This part will describe most of the security parameters chosen in the final configuration. You will be able to find an example of the final configuration in the last part.

TCP/IP protocol and port listening

In order to avoid most of firewall limit, it is highly recommended to switch from udp protocol to tcp. OpenVPN configured with TCP protocol is a little bit slower but it has more chances to be accessible from a network you do not control.

You also have to configure the OpenVPN server to listen the port 443. Port 443 is the usual port used by a web server configuration and it is most of the time open in firewall output. Moreover, it will also make your OpenVPN configuration harder to detect because it is not the standard OpenVPN port. The standard port is 1194.

proto tcp4
port 443

Diffie-Hellman

Diffie–Hellman key exchange is a method of securely exchanging cryptographic keys over a public channel. In OpenVPN, this protocol is used in the first steps of TLS establishment connection. With a key of 1024 bits and lower size, it is vulnerable to Logjam exploits. The authors of the vulnerability recommend using primes of 2048 bits or more as a defense or switching to elliptic-curve Diffie–Hellman. In this tutorial, we use elliptic-curve Diffie–Hellman

HMAC signature during TLS handshake

Since openVPN 2.4, it is recommended to replace tls-auth by tls-crypt. Mainly because tls-crypt will also encrypt the TLS control channel. That means, to add the following line in server.conf:

tls-crypt /etc/openvpn/certificates/ta.key 0

and generate the HMAC key file in the openvpn server directory and client directory:

openvpn --genkey --secret /tmp/openvpn/server/certificates/tls_crypt.key
cp /tmp/openvpn/server/certificates/tls_crypt.key /tmp/openvpn/client/certificates/tls_crypt.key

Persistent tun/tap device and key

While your connection might be interrupted and OpenVPN is trying to reconnect, you may be using the default network routes again, bypassing the tunnel. For accessing private networks this might not be a big issue as the network addresses may not be reachable from outside the tunnel, but it may expose information you'd rather keep private like an HTTP request containing cookies.

persist-key is not a security option but a problem solving in case OpenVPN restart and the OpenVPN user is not able to read the key file anymore. This parameter avoid this situation.

persist-tun
persist-key

Limited user

Probably one of the most important configuration setting. In order to limit the impact of an OpenVPN vulnerability, it is highly recommended to run it with a user with limited rights. To do that, we have to create a user for our OpenVPN applications. This user has limited privileges:

adduser --system --shell /usr/sbin/nologin --no-create-home ovpn
groupadd ovpn
usermod -a -G ovpn ovpn

and specify the user in the OpenVPN configuration:

user ovpn
group ovpn

Ciphers and digests

In the file /etc/openvpn/server.conf, we have to specify the ciphers and digest we want to use. It looks recommended to use GCM instead of CBC. More information about why here and here

tls-version-min 1.2
ncp-ciphers AES-256-GCM:AES-256-CBC
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
cipher AES-256-GCM
ecdh-curve ED25519
dh none

We will force to use SHA512 to manage the authentication mechanism. unfortately the best digest available is still sha family. Enabling the auth-nocache parameter will prevent to cache passwords in memory.

auth-nocache
auth SHA512

Compression algorithms

In the OpenVPN version 2.3, it was the LZ0 compression algorithm which was by default. Since OpenVPN version 2.4, the compression algorithm LZ4 is available. Contrary to what the documentation says, it is not the best one available. There is also the version 2, lz4-v2 of it which is available but not documented yet.

If security if your only criteria, you should disable this feature. Indeed, a family of vulnerability like Beast, Crime and Voracle exist . Those vulnerabilities could allow an attacker to gain information about an encrypted communication in very specific circumstances. To explain differently, if the attacker knows exactly what he is supposed to receive and capture enough packet with little predictable changes, this could help him to reduce the time required to break the encryption.

For me, in the real world, it is really complicated to use this kind of vulnerability. The OpenVPN company recommends to disable compression algorithm and already did it on their products. In the configuration files provide here, it is, of course, disable because we are only focused on security. Feel free to make some performance test with speedtest if you hesitate.

Pushing configuration to the client

OpenVPN is allowed to push some network rules to the server. The most important is push "redirect-gateway" which forces to route all the client traffic throw the vpn. This parameter replaces the gateway route in the client configuration.

A second very useful possibility is to push a route for ipv6 which does not work. This will avoid in case your client is configured to work with ipv6 to make it unusable.

push "route-ipv6 2000::/3"

Revoke and unrevoke a client

Revoke a client

Sometime, you want to revoke an access to the vpn to a client. OpenVPN uses Certification Revocation List (CRL) to determine if a certificate is revoked or not. You need to execute the following command:

./easyrsa revoke client
./easyrsa gen-crl

Those commands also modify the file index.txt in the directory of /tmp/openvpn/EasyRSA-3.0.5/pki. For our setup and since we had revoked client, this file should be like that.

V 893632988188Z CWGT67WFA9QLQ9YZ65VGB8FLJKUKV3JL unknown /CN=server R 943755258824Z Y9BFEB757EFV47Y9ENNBUGJLKGP9KQCD unknown /CN=client

As you can see,the first column is V or R. V means valide and R means Revoke. We also have a new file crl.pem in /tmp/openvpn/EasyRSA-3.0.5/pki. It is this file which contains the list of revoked certificate. We have to copy it in a place accessible for the OpenVPN application and modify server.confwith a command.

cp /tmp/openvpn/EasyRSA-3.0.5/pki/crl.pem /etc/openvpn/server/certificates/crl.pem
chown ovpn:ovpn /etc/openvpn/server/certificates/crl.pem
# in server.conf
crl-verify /etc/openvpn/server/certificates/crl.pem
systemctl restart openvpn

Unrevoke a client

The certificate revocation list contains is a unique value even if you revoke multiple client certificate. If you want to unrevoke a client, you need to generate a new certificate revocation list. To do that, you need to modify /tmp/OpenVPN/EasyRSA-3.0.5/index.txt and replace the R for the certificate by V then generate a new certificate revocation list and finally replace the crl.pem loaded by OpenVPN.

Tuning and performance improvement

OpenVPN could be tuned in a lot of way to improve performance. I will not talk a lot about that because it requires an article by his own. You could change for example, the encryption algorithm, the TCP/IP protocol or modify those parameters to improve it.

  • mssfix
  • fragment
  • tun-mtu
  • compression algorithm

Feel free to read this page to know more about tuning OpenVPN.

Deployement and cleaning

Congratulation! The most complicated part is over. We just have now to deploy each directory in the proper place.

Directory structure

You should have this directory structure in /tmp/openvpn/server/. The server will need the following files to run properly:

  • server.conf
  • certificates/ca.crt
  • certificates/crl.pem
  • certificates/server.key
  • certificates/server.crt
  • certificates/tls_crypt.key

You should now have this directory structure in /tmp/openvpn/client/. The client will need the following files to run properly:

  • client.conf
  • certificates/client.crt
  • certificates/client.key
  • tls_crypt.key

A reader made a very good comment about the client configuration file. You can summarize in client.conf all the cryptography data required to establish the connection to the OpenVPN server. It makes it easier to transport and manage. To do that, you should remove the line about ca, cert, key and tls-crypt and replace them with the following lines.

<ca>
--STRIPPED INLINE CA CERT--
</ca>
<cert>
--STRIPPED INLINE CERT--
</cert>
<key>
--STRIPPED INLINE KEY--
</key>
<tls-crypt>
--STRIPPED INLINE KEY--
</tls-crypt>

Last configuration and deployement

Before moving directories, we will make them available only for the root user in reading mode.

chmod 400 -R /tmp/openvpn/

We will also move the all public and private key to a safe place and move the server directory to the right place:

cp -r /tmp/openvpn/server /etc/openvpn/
cp -r /tmp/openvpn/ /etc/ssl/openvpn-pki
ln -s /etc/openvpn/server/server.conf /etc/openvpn/server.conf

In the client which should be another computer. You just have to copy and paste the directory /tmp/openvpn/client to /etc/openvpn/ and create a symbolic link from /etc/openvpn/client/client.conf to /etc/openvpn/client.conf

Running

To run OpenVPN with Systemd, you need to modify /etc/default/openvpn by uncommenting AUTOSTART="all" and replacing "all" by the name of configuration file. For example with in the server side, you should replace "all" by "server".

systemctl daemon-reload

You are now able to run it with systemctl and the following command:

systemctl start openvpn

You need to do the same thing for the client.

Cleaning

Be careful, do not forget to remove the directory /tmp/openvpn. It contains all your certificates.

Conclusion

Social media

Thank you for your reading, I hope this article was helpful for you. Don't hesitate to comment and if you think I made a mistake, it will be a pleasure to discuss it. If you find this article interesting, feel free to subscribe to the RSS flux of the blog and to follow me on Mastodon.

Sources

This article would not have been possible if other people does not share information about it. Their work help me a lot, thank you!

Why and when install a custom Android distribution?

Written by Mirabellette / 04 september 2018 / no comments

Hello guys,

Sorry for the little delay but I was not sure about what I wanted to write for the month of September.

android_logo

Introduction

Today, I would like to talk about operating system for mobile and especially those based on Android. For those who do not know, Android is an open-source operating system and each manufacturer may customise it with features or tweaks. A customise Android operating system is called a distribution. I do not know the IOS environment that is why I will not talk about it here.

A little lexicon below:

  • IOS: Iphone operating system
  • FAD: Factory Android Distributions
  • CAD: Custom Android Distributions
  • Why and when install a custom Android distribution?

    The issues with the Factory Android Distribution (FAD)

    manufacturers make a lot of work to provide a good mobile phone. However, they are motivated by money contrary to the users who are motivated by good experience and good products.

    Firstly, the most important issue is about updates. Android mobile phone tends to be in general updated for only two years. After this period, your smartphone will not be updated anymore. That means it will contain known vulnerabilities without any possibility to fix it.

    As your phone has very sensitive features (GPS, microphone, camera, sensitive personal data). A mobile phone compromise could create a lot of issues. For example, the GPS could be used in an abusive way. An example with the recent vulnerability published the 29th of August.

    You can find below the list of Android system deploy on smartphones.

    android_version_distribution

    You can see in February 2018, there are:

    • Around 10% in Android 4.4 (published in October 31, 2013)
    • Around 25% in Android 5.0-51 (published in November 12, 2014)
    • Around 28% in Android 6.0 (published in October 5, 2015)
    • Around 25% in Android 7.0-7.1 (published in August 22, 2016)

    I do not know if you understand how bad it is. That just means around 90% of the FAD are not up to date and contain known vulnerabilities. Or, if we are less exigent, it is 65% which is obsolete. For me, that just means one thing. Never trust your Android smartphone or the Android smartphone of your friends. IOS (the operating system for Apple phone) is better but not perfect about security update. I do not find the chart but most of the devices are "up to date".

    Secondly, as they are interested mainly by benefits or have to follow government rules. It appears that some device tracks phone calls, contacts, data and phone usage.

    Pros

    • Custom Android Distribution (CAD) generally tends to provide a more recent Android version. That means better security, better performance, better features and better autonomy
    • CAD do not contain manufacturers features and improvements. You are also free not to install Google applications. That means no tracking features.
    • CAD generally add features which are able to improve the management of your cellular phone. That means, for example, have a better tool to manage backup, update or security. They often have features to manage privacy more precisely. Some applications are made by the maintainers and are free to install.
    • I do not know about the other distributions but LineageOS community provides a very good tutorial about how to install it on your smartphone. An example can be found here with the Galaxy S3.

    Cons

    • Replacing the Factory Android Distribution by one of your choices is not easy and required time. You need to understand the different steps of the process and how an Android operating system works in the main line. Contrary to what you could think, you will not develop at all. You also need to do a little analyse about what you will earn and lose and you need to make the required backup. It required me approximately 12 hours to do it and have a mobile phone which was fully operational whereas I had not a lot of knowledge about the process.
    • CAD do not contain manufacturer features and improvement. It could be positive but it could also be negative. You could lose manufacturer tweaks and have worse performance. You will never know before making a try.
    • Most of the time, unlocking the bootloader (which is a step required to replace your Android distribution) will stop the guaranty.
    • Some features may not work properly (high consumption energy, cameras which do not work or even crash sometimes). However, it could be fixed in the next release which is published each week on LineageOS. For example, I was for one month without a front camera and GPS.
    • Less stable than FAD, the mobile phone may crash and have a higher possibility to lose your data when update. Hopefully, you also have a better tool to get it back but it could not work all the time.

    When to replace the factory Android distribution?

    lineageos_logo replicant_logo

    For casual users or users who do not want a lot of issues,
    when your mobile phone is not updated anymore. When you are in this situation, that means your mobile phone is older than 2 years and the CAD should be quite stable. The tutorial should be quite complete. Issues should be known, fixed or with some work around available.

    For expert users and experimental users,
    some months after the manufacturer releases the new phone. It should let to the maintainers the time to develop enough stable version for your phone. In case of issues, you should be able to roll back to the previous release on your own.

    Advice and warning about a mobile phone with CAD

    • Choose a mobile phone quite popular. The most you have people who use it, the most it is probable than a custom Android distribution will support it well. Quite popular does not mean with a lot of hardware backdoors, you have some choices.
    • Do as little as possible with your phone. First of all, because the mobile phone environment is far more dangerous than the desktop environment. Proprietary applications can literally siphon your data, track your location, use your camera, heard around you.

      Even if you are up to date with a recent phone, your mobile phone could be exploited to hear what it is around you, to locate you, to film around you. Secondly, because you use a CAD, it means less stability, you should be ready for it.

    • Each custom Android distribution has his own purpose. Choose carefully the one you will install regarding stability, performance, security and maintainability.

    Conclusion

    You now have some arguments to make your decision.

    Sources

    Social media

    If you find this article interesting, feel free to subscribe to my RSS flux and to follow me on Mastodon. Don't hesitate to share it if you think he could interest someone else.

Host Firefox booksmarks with syncserver

Written by Mirabellette / 01 may 2018 / 8 comments

I received some demands to translate in French the article I made about hosting Firefox bookmarks with Syncserver. You can find here the French version of this article.

Contrary to what was written, syncserver also hosts preferences, passwords, tabs, bookmarks (of course), addons, forms and history.

Introduction

In order to be more and more independent about my digital ecosystem. I decided to manage my bookmarks by myself. I use the browser Mozilla Firefox and Mozilla allows you to manage your own synchronization server. Syncserver stores only bookmarks, it didn't manage your Firefox account or the authentication mechanism. This could be done in installing Firefox Accounts Server but it is not the purpose of this tutorial.

firefox_logo

It was pretty annoying to deploy it because there aren't a lot of information available and it requires to me to do some basic stuff by myself. It took me something like 10 or 15 hours to make this article. By the way, it works now and you can read this tutorial and I hope you will find it useful :)

The Github repository isn't very active, one release in 2017 and 2016, two release in 2015 and 2014. Just add the Github repository to your RSS agregator to get news about update. If we trust the past, it shouldn't be done very often.

Configure the Firefox Synchronization Server

  • This setup was made on Debian stretch
  • To build the application, you need to be able to access to internet or to the python repository in order to download all dependencies includes in requirements.txt
  • Dependencies

    adduser --system --shell /usr/sbin/nologin --no-create-home firefox
    apt-get install python-dev git-core python-virtualenv g++ sqlite
    cd /opt
    sudo -u firefox git clone https://github.com/mozilla-services/syncserver

    Basic configuration

    The server is configured using an .ini file to specify various runtime settings. The file “syncserver.ini” is this file for the application. There is some setting that you must specify before building the application. Feel free to adjust the [server:main] part to your configuration. You can find the final syncserver.ini file here (some adjustment still required).

    The parameter public_url. You should modify it in order to match the interface where syncserver will be accessed by. Even if you run it inside a container or a virtual machine, you have to setup the public url.

    public_url = https://example.com

    The parameter sqluri. I choose to use a Sqlite database to store bookmarks because it is easy to backup. Feel free to use the one you want and modify the syncserver.ini. If you don't specify a Sql database, your bookmarks will be store in RAM and be reset each time you restart the server.Replace sqluri = sqlite:////tmp/syncserver.db by :

    sqluri = sqlite:////opt/syncserver/syncserver_data.db
    *//// means absolute path

    The parameter secret. It is better to generate a secret key for signing authentication tokens. If you don't, the server will generate it each time it start. That could mean a weak key if the random generator seed isn't good enough. Uncomment the parameter and set the value with the result of the next command:

    head -c 20 /dev/urandom | sha1sum

    The parameter allowed_issuers. If you are using the account system offered by Mozilla Firefox, you may want to restrict access to just that domain like so:

    allowed_issuers = api.accounts.firefox.com

    Don't forget to set it to false after the first successful synchronization or everybody will be able to use your syncserver as bookmarks server.

    The parameter force_wsgi_environ. I setup the server behind an Apache2 reverse proxy. I make some try with false but it didn't work. I even open an issue in the official Github repository. The only to make it works was to set the force_wsgi_environ to true.

    force_wsgi_environ = true

    Build

    Don't skip the configuration step or your syncserver will not work as expected. As you build the application, you should configure syncserver.ini BEFORE build the application. If you don't, the modifications did to syncserver.ini will not be read.

    chown -R firefox:firefox /opt/syncserver
    cd /opt/syncserver
    sudo -H -u firefox make build
    sudo -H -u firefox make test

    After that, if you run sudo -u firefox make serve, you should be able to see some lines about syncserver listening. It could tell you if something go wrong.

    Update

    After building the application, you could now see two new folder : syncserver.egg-info and local. You should delete them to be able to build the server again, for example for an update.

    rm -r syncserver.egg-info
    rm -r local

    Apache2 virtualhost

    I create a classic reverse proxy Apache2 virtual host. It just redirects flux to the virtual machine interface. You can find the script here.

    Configure your browser

    The procedure varies a little between desktop and mobile Firefox, and may not work on older versions of the browser. I will only describe the process for desktop version of firefox. Feel free to find more informations here

    • Enter “about:config” in the URL bar picture.

      about_config

      You should display this warranty screen, confirm your choice to continue.

      warranty

    • Made a research for “identity.sync.tokenserver.uri” as name. Double click on the line and replace the string by your public URL.

      tokenserver_uri

      The syntax should be like this https://example.com/token/1.0/sync/1.5.The current version is 1.7 but the endpoint didn't change ... * the original one is the one display in the previous picture https://token.services.mozilla.com/1.0/sync/1.5

    • Restart Firefox for the change to take effect.

    Note that this must be set prior to loading the sign-up or sign-in page in order to take effect, and its effects are reset on sign-out.

    Hardening and clean up

    Lock the instance for your own usage

    As you can see, you now use your own server to store your bookmarks. To avoid someone else could do that, you have to set the parameter allow_new_users to false in syncserver.ini and build the application again.

    vim syncserver.ini
    rm -r syncserver.egg-info
    rm -r local
    sudo -u firefox make build

    Systemd script

    Astonishingly, there is no Systemd script provides by the official tutorial. You could find the one I created here. You have to put it in /etc/systemd/system/ and execute systemctl daemon-reload then systemctl enable syncserver.service. It will start syncserver at each boot.

    Cleanup

    If you install make and g++ just for building this application, feel free to remove them.

    apt purge make g++

    Of course, setup the firewall in the correct way.

    Sources

    Social media

    If you find this article interesting, feel free to subscribe to my RSS flux and to follow me on Mastodon. Don't hesitate to share it if you think he could interest someone else.

    Fix openvpn mbuf packet dropped

    Written by Mirabellette / 11 april 2018 / no comments

    Hello everyone

    I hope you are going great and everything was fine for you.

    Use case

    I have an openvpn daemon running with TCP on 443 port on a Debian system. I got thousands of error messages since months about MBUF packet dropped. The message was

    openvpn MBUF: mbuf packet dropped

    It occurs only if you use openvpn over TCP. I know it is considered to be a bad practice because it unneeded traffic but you have to make choice.

    What I do

    After hours of research, I was able to fix it. I add this two lines to the server configuration file:

    tcp-queue-limit 4096
    bcast-buffers 4096

    Now, you have to restart openvpn with this command : systemctl restart openvpn or service openvpn restart if systemd isn't installed on your system.
    You should not see this message in log anymore \o/ and get a little bit more stable connection thanks to the undropped packet.

    Sources

    Social media

    If you find this article interesting, feel free to subscribe to my RSS flux and to follow me on Mastodon. Don't hesitate to share it if you think he could interest someone else.

    Advertising domain name blocking with Unbound

    Written by Mirabellette / 06 march 2018 / 6 comments

    I realized that Shaft made his script available here ... It is more powerful but also longer than this one because it makes some verification. To be honest, I think it is also better in some way. Feel free to combine them to make your own.

    Hello everyone,

    Today I want to talk to you about advertising in Internet and how to block a part of it with a domain name resolver like Unbound.

    You must be aware that there are thousands of way to track user's activities on internet. A good protection against this kind of things is to directly block the resolution of the domain which is trying to gather information about you. It is, of course, not perfect but it is a first good step to begin to reduce tracking about your online activity.

    Sometime I read journalduhacker.net, it is a website which gathering "good" article from French open source community. I found a very interesting article from Shaft about blocking a list of domain name with unbound. It is a very nice article which present how do it. It mention a very good trick to reduce the size of the ads list and the ram load of unbound. Thanks to him for his sharing. I just got a warning message with unbound, I don't know why but it works. I will investigate in it later and will of course tell you how to fix it. The warning message is like that:

    [1520173472] unbound[1259:0] warning: duplicate local-zone

    Unfortunately, I didn't find a script to modify ads list file from the source directly. They are commonly wrote like a host file. That's why I decided to made it by myself and to share it. I delete comments and other information in the original source file in a very strictly way. I do it in order to avoid any problem with Unbound. Some domain name could be deleted from the source list but with ~97400 domain name in it, I think the script I made works well enough.

    Most of ads list in the script are from Shaft article. I add this one too which is well reputed.
    Thanks to Sabre comment, I discovered that StevenBlack already provide an unique host list which contains AdAway, yoyo.org and MVPS hosts list. You can access to his list here. It is the one which is now in the script.

    vim /etc/unbound/unbound.conf.d/generate_domains_list_ban.sh

    # list of ads domain names
    array=( https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/fakenews-gambling-porn-social/hosts )

    for i in "${array[@]}"
    do
      wget $i -O w
      grep -v " #\|<td>\|<p>\|<meta>\|<link>\|<title>\|href\|title=\|=\|<" w > adsList.txt
      rm w
      dos2unix adsList.txt

      # remove host syntax and clean file
      sed -i 's/0.0.0.0//g' adsList.txt
      sed -i 's/127.0.0.1//g' adsList.txt
      sed -i 's/localhost//g' adsList.txt
      sed -i 's/.localdomain//g' adsList.txt

      # remove commentary after domain name
      sed -i 's/#.*//' adsList.txt

      # remove tabulation character and carriage return
      sed -i "s/\t//g" adsList.txt
      sed -i "s/\r//g" adsList.txt

      # remove useless space
      sed -i 's/ //g' adsList.txt

      # remove empty lines
      sed -i '/^\s*$/d' adsList.txt

      # add prefix and suffix for unbound
      sed -i "s/.*/local-zone: \"&\" static/" adsList.txt

      cat adsList.txt >> adsListFinal.txt
    done

    # order list by name, it didn't cost a lot and could maybe increase unbound performance
    sort adsListFinal.txt -o adsListFinal.txt

    # remove duplicate ads domain in order to avoid warning with Unbound
    uniq adsListFinal.txt > adslist.txt

    # remove tempory files
    rm adsListFinal.txt adsList.txt

    service unbound restart

    You now have to tell to Unbound to load the advertise domain list. Add this line to /etc/unbound/unbound.conf and under the parameter server:

    # include: /YOUR_ADS_LIST_PATH
    include: /etc/unbound/unbound.conf.d/adslist.txt

    At the end of the process, I got a file of 4.1M with ~97400 domain names in it. Contrary to what we could think, It isn't slow. We just have to create a crontab job to be sure the list is oftenly updated. I think to update it each week is a good schedule.

    # 5 2 * * Sun /YOUR_GENERATE_ADS_LIST_SCRIPT_PATH
    5 2 * * Sun /etc/unbound/unbound.conf.d/generate_domains_list_ban.sh .sh

    It took me hours to make the script and this article. I hope you will find it useful and interesting. Don't hesitate to comment it and share it.
    Thank you for reading.

    sources

    Social media

    If you find this article interesting, feel free to subscribe to my RSS flux and to follow me on Mastodon. Don't hesitate to share it if you think he could interest someone else.

    Classified in : Privacy / Tags : none