I was trying to set up a VPN server to allow multiple roadwarrior users in our company to access our internal network.
We are using openswan installed on an alix board and I found that there is a bit of a lack of documentation about how to configure it on openswan.
Especially, we tried at first to set up a roadwarrior configuration with PSK and we discovered that it is not possible to have simultaneous connections for different users.
This procedure explains how to create a roadwarrior configuration with certificate authentication (which also allows simultaneous connections).
We generate the Certification Authority (CA) ourselves and sign the certificates with it afterwards.
This could also be done with a free Certification Authority like CAcert.
Here are some good reads:
Step by step example:
Create the necessary directory structure for openssl
(you may also want to change the openssl configuration, generally under /etc/ssl/openssl.cnf):
cd /etc/ipsec.d
rm -rf ./demoCA
mkdir demoCA
mkdir demoCA/newcerts
mkdir demoCA/private
touch demoCA/index.txt
echo "01" >> demoCA/serial
Create the CA (valid for 10 years)
openssl req -x509 -days 3650 -newkey rsa:2048 -keyout /etc/ipsec.d/private/caKey.pem -out /etc/ipsec.d/cacerts/caCert.pem
Create a certification request for the server
openssl req -newkey rsa:2048 -keyout /etc/ipsec.d/private/serverKey.pem -out /etc/ipsec.d/private/serverReq.pem
Convert the server key to a format openswan can read (note that this writes the key out unencrypted, so keep the file permissions tight)
openssl rsa -in /etc/ipsec.d/private/serverKey.pem -out /etc/ipsec.d/private/serverKey.pem.openswan
Sign the certification request with our just created certification authority (CA) (valid for 2 years)
openssl ca -in /etc/ipsec.d/private/serverReq.pem -days 730 -out /etc/ipsec.d/certs/serverCert.pem -notext -cert /etc/ipsec.d/cacerts/caCert.pem -keyfile /etc/ipsec.d/private/caKey.pem
Create a client certification request
openssl req -newkey rsa:2048 -keyout /etc/ipsec.d/private/userAKey.pem -out /etc/ipsec.d/private/userAReq.pem
Sign the client certification request
openssl ca -in /etc/ipsec.d/private/userAReq.pem -days 730 -out /etc/ipsec.d/certs/userACert.pem -notext -cert /etc/ipsec.d/cacerts/caCert.pem -keyfile /etc/ipsec.d/private/caKey.pem
Add the server private key to /etc/ipsec.secrets (the file name must be the one produced by the conversion step above; the passphrase is only needed if that file is still encrypted):
: RSA serverKey.pem.openswan "your password"
Configure ipsec. Example /etc/ipsec.conf:
conn roadwarriorsrsa
    authby=rsasig
    # left
    left=???
    leftid=???
    leftsubnet=???
    leftrsasigkey=%cert
    leftcert=serverCert.pem
    # right
    right=%any
    rightrsasigkey=%cert
    # PHASE 1
    # negotiation mode
    aggrmode=no
    # the first proposal (3DES/SHA1/modp1024) is only kept for old clients
    ike=3des-sha1;modp1024,aes256-sha2_256;modp2048
    ikelifetime=3h
    # PHASE 2
    type=tunnel
    phase2=esp
    phase2alg=3des-sha1;modp1024
    salifetime=3h

conn useruserA
    also=roadwarriorsrsa
    rightid=@userA.yourdomain
    rightsubnet=???
    rightcert=userACert.pem
    auto=add

conn useruserB
    also=roadwarriorsrsa
    rightid=@userB.yourdomain
    rightsubnet=???
    rightcert=userBCert.pem
    auto=add
User A and B are two roadwarrior users that can connect at the same time to your server.
Here is an example of a Shrew Soft client configuration for the above setting:
n:version:2
n:network-ike-port:500
n:network-mtu-size:1380
n:client-addr-auto:0
n:network-natt-port:4500
n:network-natt-rate:15
n:network-frag-size:540
n:network-dpd-enable:1
n:client-banner-enable:0
n:network-notify-enable:1
n:client-wins-used:0
n:client-wins-auto:0
n:client-dns-used:1
n:client-dns-auto:0
n:client-splitdns-used:0
n:client-splitdns-auto:0
n:phase1-dhgroup:2
n:phase1-life-secs:86400
n:phase1-life-kbytes:0
n:vendor-chkpt-enable:0
n:phase2-life-secs:3600
n:phase2-life-kbytes:0
n:policy-nailed:0
n:policy-list-auto:0
s:network-host: ???
s:client-auto-mode:disabled
s:client-iface:virtual
s:client-ip-addr: ???
s:client-ip-mask: ???
s:network-natt-mode:enable
s:network-frag-mode:enable
s:client-dns-addr: ???
s:client-dns-suffix: ???
s:auth-method:mutual-rsa
s:ident-client-type:fqdn
s:ident-server-type:address
s:ident-client-data:userA.yourdomain
s:phase1-exchange:main
s:phase1-cipher:3des
s:phase1-hash:sha1
s:phase2-transform:esp-3des
s:phase2-hmac:sha1
s:ipcomp-transform:disabled
n:phase2-pfsgroup:2
s:policy-level:auto
s:policy-list-include: ???
s:auth-client-cert:userACert.pem
b:auth-client-cert-data: ???
s:auth-client-key:userAKey.pem
b:auth-client-key-data: ???
s:auth-server-cert:caCert.pem
b:auth-server-cert-data: ???
Some useful shell commands:
Check that ipsec loaded your CA certificates:
ipsec auto --listcacerts
Check that ipsec loaded your certificates:
ipsec auto --listcerts
List loaded public keys:
ipsec auto --listpubkeys
Check a certificate:
openssl x509 -text -noout -in /etc/ipsec.d/cacerts/caCert.pem
Check a key:
openssl rsa -in privateKey.key -check
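As an added check that is not part of the original post, the following script verifies a client certificate before its conn entry goes into /etc/ipsec.conf: it checks the chain to the CA, that the private key belongs to the certificate, and that the name used in rightid appears in the certificate. It assumes the file layout used above; IPSEC_KEY_PASS is a hypothetical variable for the key passphrase if the key file is still encrypted.

```shell
#!/bin/sh
# Added example, not code from the original post. Checks that a client
# certificate can be used for a "conn userX" entry before it is added to
# /etc/ipsec.conf. Assumptions: files follow the layout used above
# (certs/, cacerts/, private/ under /etc/ipsec.d); if the key file is
# encrypted, its passphrase is given in IPSEC_KEY_PASS (hypothetical name).
# Usage: check_ipsec_cert CERT KEY CACERT ID   (ID = rightid without "@")
check_ipsec_cert() {
    cert=$1; key=$2; cacert=$3; expected_id=$4

    # 1. The certificate must chain to the CA openswan loads from cacerts/
    #    (this also fails for an expired or not-yet-valid certificate).
    openssl verify -CAfile "$cacert" "$cert" >/dev/null 2>&1 || {
        echo "FAIL: $cert does not verify against $cacert"; return 1; }

    # 2. The private key must belong to the certificate: compare the public
    #    key halves instead of the RSA modulus so the test is key-type agnostic.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$key" -pubout -passin "pass:${IPSEC_KEY_PASS:-}" \
              2>/dev/null | openssl dgst -sha256)
    [ "$cert_pub" = "$key_pub" ] || {
        echo "FAIL: $key does not match $cert"; return 1; }

    # 3. openswan checks the ID the peer sends against its certificate, so the
    #    name in rightid=@name should be in the certificate; this check accepts
    #    it either as the subject CN or as a DNS subjectAltName.
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 \
         | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    sans=$(openssl x509 -in "$cert" -noout -text | grep -A1 'Subject Alternative Name' \
           | tr ',' '\n' | sed -n 's/^ *DNS:\(.*\)$/\1/p')
    if [ "$cn" != "$expected_id" ] && ! printf '%s\n' "$sans" | grep -qxF "$expected_id"; then
        echo "FAIL: neither CN '$cn' nor a DNS SAN matches rightid=@$expected_id"
        return 1
    fi

    # 4. Warn (but do not fail) when the certificate expires within 30 days.
    openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null ||
        echo "WARN: $cert expires within 30 days"
    echo "OK: $cert is usable for rightid=@$expected_id"
}
```

Run it as check_ipsec_cert /etc/ipsec.d/certs/userACert.pem /etc/ipsec.d/private/userAKey.pem /etc/ipsec.d/cacerts/caCert.pem userA.yourdomain; a non-zero exit means the conn entry would not authenticate.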
Recently I bought the DeLonghi KG79 coffee grinder.
I think that cheap and mid-priced coffee grinders are not really able to grind your coffee for a good espresso.
So I decided on this grinder after I found this post and saw that it can be easily modified.
This grinder is also quite cheap (I bought it on Amazon for 33 Euros).
I'm posting some more photos because, even if the previous post is well made, I found some details are missing.
Especially about how the two knobs are held in place and how you can best remove them.
There are 4 clips you can push using a screwdriver.
There is no clip, you just have to pull it. I found this one much more difficult to remove compared with the one on the side.
I've used some tape to avoid scratches:
Also I didn't cut the stop piece on the side; instead I first set the grind setting to the finest position. Then I removed the 4 screws and simply turned the wheel to the middle position. This will protect your grinder and, if you use the grinder for espresso only like me, you will never want to use it for coarse coffee.
The result is really good, the coffee is really fine and, even if the container is just plastic, static electricity is not a problem.
15 Jan 2014
First some more details about hardware:
I started by downloading this source code and removing all the unnecessary parts. Then I introduced some libraries:
The files config.h and config.cpp contain the whole configuration and the initialization methods for the SPI, the VS1053b (audio decoder) and the keypad.
The SD card should contain 12 directories numbered from 0 to 11. Inside each directory the player expects to find files named with consecutive numbers, starting from 0, plus an extension: ".mp3" or ".wav". Here is an example of the data structure:
.
├── 0
|   ├── 0.mp3
|   ├── 1.wav
|   └── 2.wav
├── 1
|   ├── 0.mp3
|   ├── 1.mp3
|   ├── 2.mp3
|   └── 3.mp3
.
.
.
The current directory and file number are stored respectively into dirN and fileN.
At each iteration of the method play() the player checks whether the current file exists. If it does, it starts playing it; otherwise it restarts the play list from the beginning.
It reads the file data into a 32 byte buffer and transfers it to the mp3 chip.
The audio decoder chip signals with a high DREQ pin that it can receive data. For more details read the VS1053b data sheet.
While the audio decoder chip is busy and cannot receive any further data, we can read the status of the keypad buttons. This is done in the method AvailableProcessorTime().
If a button is pressed, the currently playing song is stopped by setting the playStop variable to 0.
If the button is associated with the current play list, it simply increments the fileN variable so that it points to the next file.
If the button is associated with a different play list, the new play list number is saved into dirN and the variable fileN is reset to 0.
I hope the code itself is simple and self-explanatory.
10 Jan 2014
A few months ago I bought, as a present, an mp3 player for children called hörbert. It is really well made and the sound quality is pretty good. I really recommend it as a product. The only problem is that it is quite expensive, so I thought that it would be a nice and easy project for a Christmas present for my daughter.
It was already clear from the beginning that the project would be powered by an Arduino Uno.
So I started looking around in order to find a good way to play mp3 files with arduino and I found the Freaduino MP3 Music Shield.
It is the cheapest mp3 board I found.
The board contains an SD card slot, decodes "MP3,WAV,MIDI,Ogg Vorbis" and, they wrote, has an "Excellent sound quality with ±1dB Frequency Response". Also the board is well documented on the wiki. They even provide a source code example for a very basic player. The only doubt I had was that there were almost no other resources on the internet about it, especially compared to other boards.
Then it was time to choose a mono audio amp (I didn't want to spend time building one myself).
I ordered two amps, one from China (left) and one from Sparkfun (right).
The Chinese version is a stereo amp, really cheap, but the sound was really noisy.
The Sparkfun version has good sound quality and has all the necessary solder holes so it can be easily integrated in your project.
The feature I really appreciate about the Sparkfun board is the possibility to change the gain resistors really easily, see Mono Audio Amplifier Quickstart Guide. I opted for two 10K resistors, so it does not get too loud when my 2-year-old daughter is playing with it.
The keypad is also a product from Sparkfun.
For the battery I chose a 2600mAh power bank with two USB connectors, one for charging and one as the power source.
All components are placed in a wooden box a friend made for me, and a piece of an old climbing rope is used as a handle.
In the back I also added a USB port to easily charge the power bank.
Here is the inside of the MBox:
The MBox supports SD cards formatted as FAT16 or FAT32.
The SD card contains 12 directories named from 0 to 12.
Every button of the keypad is associated with a directory.
A directory represents a play list and contains files (mp3 or wav) named with a number, for example: 1.mp3.
MBox plays cyclically through the play list by simply increasing a counter and searching for a file with that name. Any time a button is pressed, if MBox is playing a different play list it simply switches to the associated play list and starts playing file number 0, otherwise it simply plays the next file in order. The way the buttons work is not my idea, it is the way hörbert works.
My daughter is really happy and she is using it quite a lot. I was really impressed to see how quickly she was able to learn how to select the track she wants to play. Thanks hörbert.
Bill of materials:
I'm testing a jekyll YouTube plugin I found here. It runs well on local preview:
$ jekyll server
but after I pushed it to github I received a Page build failure email.
A quick search and I found that github pages does not support unsafe plugins.
Before pushing your new post to github it is good practice to build your site in safe mode and check for errors:
$ jekyll build --safe
Of course in that case the plugin is really unnecessary, so I've removed the plugin and added the html code myself as suggested by github.
Here is the result, my "little" sister playing for the Lucca Philharmonic Orchestra:
09 Jan 2014
I found a really cool and scary article about cryptanalysis. They are able to attack GnuPG using a mobile phone microphone placed 30cm away from your PC.
09 Jan 2014
This blog is based on [jekyll]. I chose this option after I discovered github pages, where this blog is currently deployed.
With github pages you can publish your post with a simple
$ git push
Github uses jekyll to automatically generate static content from Markdown posts. I was looking for a simple static blog generator, so, since I like github, I decided to give it a try.
The first impression is that it looks quite simple, powerful and widely used.
Jekyll installation is quite simple:
Install ruby and rubygems. Remember to add to your path:
$(ruby -rubygems -e "puts Gem.user_dir")/bin
$ gem install jekyll -V
Here is the jekyll quick start guide.
After installation I generated my template using bootstrap.
Other links:
09 Jan 2014
This is my first post.
Why did I decide to start a sort of blog? I don't really know the right answer. I think the most obvious one is to share my current readings and findings, but I also think it can be a nice way to index them.
Not really sure now how long I'll keep writing... hope this will be worth it.
P.S. it is also a good way to improve my English skills.