Install OpenConnect VPN Server with Trusted Certificate from Let's Encrypt

OpenConnect VPN server, or ocserv, is an SSL VPN server compatible with Cisco AnyConnect. It can easily be installed on a cheap OpenVZ Virtual Private Server (VPS) with TUN capability. However, most online tutorials for installing OpenConnect VPN server rely on certtool to generate a self-signed certificate via OpenSSL. Afterwards, since the self-signed certificate is not trusted by operating systems, either the VPN client must be configured to skip certificate checking, or the self-signed certificate must be imported as a trusted certificate on the VPN client machine. Both practices are insecure. Bypassing certificate checking would allow an attacker to impersonate the VPN server. Importing the certificate as trusted does not seem wrong at first, but if the private key is compromised, an attacker could impersonate any server to the client, including online shopping and banking websites, using a certificate signed by that private key. Remember that the self-signed certificate's private key is stored on the VPS filesystem, which is far less secure than the Hardware Security Modules that real CAs use to store their private keys; it is therefore a bad idea to trust such certificates on client machines.

Let's Encrypt is a free, automated, and open Certificate Authority (CA). It allows anyone to obtain a domain-verified certificate within minutes, and without paying anything. Certificates from Let's Encrypt are trusted by most modern operating systems. They are ideal for securing an OpenConnect VPN server.

This article explains how to request a proper trusted certificate from Let's Encrypt for use with ocserv, how to install OpenConnect VPN Server and use the Let's Encrypt certificate, and how to configure the Cisco AnyConnect client to connect to ocserv. These steps were verified on an OpenVZ Ubuntu 16.04 64-bit VPS provided by SecureDragon. TUN devices must be enabled for the VPS, typically through a button in SolusVM or another control panel provided by the hosting company.

Request Let's Encrypt Certificate for OpenConnect VPN Server

Before requesting a certificate from Let's Encrypt, you must have a Virtual Private Server with an IPv4 address, and a domain name (which may be a subdomain) that resolves to the server, so that you are able to ping the server via the domain name.

ndnping Jewelry on ESP8266

I was wearing a unique piece of jewelry at the NDN community meeting in March 2017: a pair of ESP8266 units that communicate with each other over the NDN testbed. They are ugly, but they are a nice way to demonstrate my creation at a Named Data Networking community meeting.

Two Witty Cloud boards are tied to my wrists and powered by a USB power bank in my pocket. One of them runs an ndnping client, and the other runs an ndnping server. The client sends Interests to a router in Arizona; the Interests (under a multicast prefix) are flooded through the testbed and reach the server, which is connected to a router in Memphis.

Arduino Code

Library: esp8266ndn

Count-Up Timer on ESP8266 and I2C LCD

I need a count-up timer on my desk so that I can give a presentation without turning my head toward the wall clock. So I built one with an ESP8266 and an I2C-connected LCD unit.

photo of LCD count-up timer using ESP8266

#include <LiquidCrystal_I2C.h>

// 16x2 character LCD behind an I2C backpack at address 0x3F
LiquidCrystal_I2C lcd(0x3F, 16, 2);

void
setup()
{
  lcd.begin(16, 2);
  lcd.init();
  lcd.backlight();
}

void
loop()
{
  // millis() returns unsigned long; keep that width so the timer
  // does not overflow a 16-bit int after a long session
  unsigned long seconds = millis() / 1000;
  unsigned long minutes = seconds / 60;
  seconds %= 60;

  // redraw as M:SS, zero-padding the seconds field
  lcd.clear();
  lcd.print(minutes);
  lcd.print(':');
  if (seconds < 10) {
    lcd.print('0');
  }
  lcd.print(seconds);
  delay(100);
}

The hardware is the Losant LCD Kit. I'm using Marco Schwartz's LiquidCrystal_I2C library.

Repost Twitter to Facebook through Losant and IFTTT

Twitter and Facebook are the two primary social networks that I use regularly. Despite many arguments against synchronizing content across different accounts, I still think it's beneficial to repost my tweets onto my Facebook timeline. There are already many solutions for cross-posting between Twitter and Facebook, but they are not ideal, because I'm very picky about what I want:

  • I want to cross-post from Twitter to Facebook, not the other way around.
  • I want to tweet with native Twitter clients, not through a third party website or app.
  • I don't want the tweets created by my Swarm check-ins to be reposted onto Facebook, because the Swarm app can post to Facebook directly.
  • For plain text tweets, I want them as plain text Facebook status updates, without a link to Twitter which could only confuse my Facebook friends.
  • If I tweet a photo, I want that photo to be uploaded to Facebook, instead of posting a link on Facebook.
  • If I tweet a link to some webpage, I want Facebook to display a preview of the webpage.

IFTTT is one of my favorite online services. It allows me to create a recipe for certain automated actions. The name "IFTTT" stands for If This Then That, where This could be "posting a new tweet", and That could be "posting a Facebook status". However, IFTTT does not allow filtering: I couldn't specify conditions like "the tweet is not posted by Swarm", which is necessary to achieve my goals. Therefore, I need a more advanced solution to repost my Twitter feed to Facebook.

This year the world was greeted with Losant, an Internet of Things platform that allows makers to connect their sensor devices, collect data into the cloud, and take actions through workflow execution. While neither Twitter nor Facebook has anything to do with IoT, the Losant workflow has some great capabilities that make it suitable for non-IoT usage:

  • trigger execution from a timer or an HTTP request
  • parse and stringify JSON
  • send HTTP requests to any server
  • store execution state in a variable
  • most importantly, execute raw JavaScript!

Issue Your Own NDN Certificates

UPDATE 2021-06-03: The NDN certificate format changed in ndn-cxx 0.5.0. Certificate names in this article follow a previous version of the certificate format specification. Nevertheless, the basic concepts are still applicable.

To publish content into a Named Data Networking (NDN) backbone network, you need to connect your NFD end host to the NDN Testbed, run a local producer application, and let the world reach your NFD through Automatic Prefix Propagation. However, a limitation of NDN Forwarding Daemon (NFD)'s Automatic Prefix Propagation is that the prefix registered toward your end host is always the identity name of your certificate. While this works fine when you only have one or two machines, two problems arise when you want to deploy multiple end hosts:

  • Every certificate request needs an email verification and a manual approval process, which is inconvenient. Alternatively, you can copy your certificate and private key onto every machine, but if any of these machines is compromised, your one and only private key is exposed.
  • Certificates requested with the same email address have the same "identity name", so Automatic Prefix Propagation would register the same prefix for all of them. Unless all your machines serve the same content, registering the same prefix toward all machines hurts network performance, because the router has to rely on flooding and probing to figure out which of your machines serves a certain piece of content.

The solution is to issue your own NDN certificates, and let the world trust them.

The Hierarchical Trust Model

Access C.H.I.P UART Wirelessly with ESP8266

A year ago, a Kickstarter campaign, CHIP - The World's First Nine Dollar Computer, caught my attention: it's a $9 computer smaller than a banana. Unlike the Raspberry Pi, it comes with onboard storage so I don't need to buy a separate SD card, it has WiFi instead of wired Ethernet so I don't have to run wires everywhere, and it is compatible with my existing VGA monitor through a $10 adapter so I don't have to buy another HDMI monitor. Therefore, I snagged two of these little computers along with one VGA adapter during the campaign.

During the whole year of waiting, Next Thing Co sent me regular email updates on the development progress, with each email ending with mmmtc (much much more to come) and a lot of hearts. NTC also clarified that C.H.I.P is strictly B.Y.O.B. Finally, my pair of CHIPs and a VGA DIP arrived in my mailbox on Jun 16. An hour later, the yoursunny.com homepage was displayed on its Debian desktop.

A few more hours later, I started to discover a limitation of the C.H.I.P software: the Linux kernel that comes with the CHIP operating system has very limited features.

$ sudo modprobe fuse
modprobe: FATAL: Module fuse not found.

Obviously, the solution to this problem is to compile my own Linux kernel with more features. The compilation can be done on the C.H.I.P itself. I managed to do that with the CHIP powered by a 5V 1A phone charger plus a 1500mAh LiPo battery. I had the compilation running under screen(1) and attended to it intermittently, and it finished in a day.

Let the World Reach Your NFD

UPDATE 2021-11-15:

  • The nfdc command syntax changed in NFD 0.6.0: nfdc register has been renamed to nfdc route add, but the underlying protocol remains the same. If you want to follow along, type nfdc route add in place of nfdc register.
  • The remote-register-prefix command has been replaced by register-prefix-remote. If you want to follow along, type ndn6-register-prefix-remote in place of remote-register-prefix.
  • The command output may differ.

Named Data Networking (NDN) is a potential future Internet architecture designed as a distribution network. My last post described how to connect an end host running NDN Forwarding Daemon (NFD) to the NDN Testbed, a backbone NDN network for research purposes, and retrieve content from that network. An equally important topic is: how can you publish content into the backbone network?

As mentioned in the last post, NDN communication is receiver driven. Interests expressed by the consumer application are forwarded toward the producer following the routing table, and Data packets carrying content flow back along the reverse path of the Interests. Every end host and router on the path between consumer and producer needs a route in its routing table, so that NFD can forward the Interest, hop by hop, toward the producer. On your own machine, the nfdc register command adds a route to the routing table; however, if you want to publish content into the backbone network and make it available for others to retrieve, you cannot execute the nfdc register command on a router's terminal. How can you add a route without console access?

Do Evil with ESP8266: Slow Down the WiFi

While hackers do good most of the time, we occasionally do evil and play a prank. The ESP8266, unlike JSON, allows me to do evil. Thus, I programmed the microcontroller for an evil purpose: slow down the WiFi.

How it Works

802.11 WiFi typically operates in infrastructure mode, where a router acts as an access point, and other hosts (stations) connect to the router on a wireless frequency (a channel).

One property of the wireless channel is that, at any moment, only one party (station or access point) can be transmitting. If multiple senders transmit at the same time, their signals collide, and the recipient is unlikely to receive the packet correctly. In that case, the sender has to transmit the packet again at a later time.

Packets can be transmitted at different speeds on the wireless channel. With the 802.11g standard, the maximum speed is 54Mbps, and the minimum is as slow as 1Mbps. The sender (station or access point) dynamically chooses a speed for every packet depending on its perception of the wireless channel quality. Usually, we prefer to transmit at a higher speed, so that the wireless channel is freed as soon as possible for other senders to use. However, if the sender and recipient are far apart, a high-speed transmission is less likely to succeed because the signal fades, and a slower speed is necessary to increase the chance of a successful transmission.

Flash ESP8266 Witty Cloud Board with 6 Wires

The Witty Cloud board is an ESP8266 development board with a unique two-PCB design: the top PCB carries the ESP8266 microcontroller and an AMS1117 voltage regulator, and the bottom PCB carries a CH340G USB-serial chip. The top PCB can operate independently. It has a pair of 8-pin male headers that expose the ESP8266's GPIO pins, which can be used to control peripherals such as LEDs and buttons. The bottom PCB is needed only for flashing the ESP8266. It has a pair of 8-pin female headers. The top PCB should be inserted into the bottom PCB when the firmware is being flashed from a computer, or when we want to use Arduino's serial monitor.

Sometimes, we may want to connect the ESP8266's GPIO pins to peripherals while keeping the ability to flash the firmware or monitor the serial console from a computer. Can we achieve that?

From an electrical point of view, when the male headers on the top PCB are inserted into the female headers on the bottom PCB, each of the 16 pins on one PCB is connected to the corresponding pin on the other PCB, as if by a wire. Thus, if we connect the two PCBs with 16 jumper wires, everything should work.

But it's tedious to connect 16 wires every time. Can we connect the two PCBs with fewer jumper wires? Let me find out.

I started with four wires:

Understanding the Photoresistor on Witty Cloud Board

One of my favorite electronic elements is the photoresistor, an element whose resistance decreases with increasing incident light intensity. I played with a photoresistor as part of an electronic building blocks toy kit when I was in elementary school, and made a geocaching trackable out of that experience. But I want a deeper understanding of the photoresistor: what is the correlation between its conductivity and the light intensity?

photoresistor circuit symbol

Recently I acquired some Witty Cloud boards. This board is built around an ESP8266 microcontroller; a photoresistor (aka Light Dependent Resistor, LDR) is connected to the analog input port of the ESP8266. With one line of Arduino code (analogRead(A0)), we can read the light intensity as a number between 0 and 1023. However, what is the unit of this number, and how does it translate to standard units such as lumens?

I couldn't find any formula for this translation, because it does not exist. Adafruit explains photoresistor readings nicely:

The readings taken are not in any useful units of light intensity. Photoresistors are not carefully calibrated sensors. If you wanted to make a light meter, with absolute measurement of light intensity in meaningful units, you would need to create a lookup table that related readings with readings taken from a properly calibrated light meter.