Category Archives: English

Uwe Hermann: HOWTO: Using OpenVPN on Debian GNU/Linux

Here’s a quick HOWTO for setting up an OpenVPN server and client on any (Debian, in this case) Linux machine of your choice. I’m running an OpenVPN server on a box at home, and a client on my laptop, so I can securely route all my laptop traffic through my OpenVPN server, no matter where I am.

I highly recommend reading the official OpenVPN HOWTO from top to bottom, at least once. But here’s a short, condensed HOWTO (specifically geared towards my needs, yours might be different):

On the server:

Install OpenVPN (apt-get install openvpn), then copy the “easy-rsa” files to /etc/openvpn/easy-rsa from where we’ll use them to create our keys and certificates:

  $ cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/openvpn/easy-rsa
  $ cd /etc/openvpn/easy-rsa

In the vars file change the KEY_SIZE variable from 1024 to 4096 for good measure:

  export KEY_SIZE=4096

Then, read in the vars file, clean old keys and certificates (if any) and create new ones:

  $ . ./vars
  $ ./clean-all
  $ ./build-ca

You’ll now have the chance to enter some data such as country code (e.g. “DE”), state/province, locality, organization name, organizational unit name, common name, name, and email address. The values you choose don’t really matter much (except for commonName, maybe, which could be your hostname or domain or such). Finally, the ca.key (root CA key) and ca.crt (root CA certificate) files will be created.

Next, we’ll create the server key:

  $ ./build-key-server server

You’ll have to enter lots of info again (see above), commonName could be “server” or such this time. Upon “Sign the certificate? [y/n]” say y, as well as upon “1 out of 1 certificate requests certified, commit? [y/n]”. Finally, the server.key and server.crt files will be created.

Same procedure for creating a client key (I used “client1” as filename and commonName here):

  $ ./build-key client1

Next up we’ll generate Diffie-Hellman parameters (this will take a shitload of time due to KEY_SIZE=4096, go drink some coffee):

  $ ./build-dh

When this step is done, you’ll have a dh4096.pem file.

As we want to use OpenVPN’s “tls-auth” feature for perfect forward secrecy (it “adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification”), we’ll have to generate a shared secret:

  $ openvpn --genkey --secret ta.key
  $ mv ta.key keys

So much for creating keys. Now, we’ll have to configure OpenVPN. Copy the default server config file and edit it:

  $ cd /etc/openvpn
  $ cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz .
  $ gunzip server.conf.gz

The most important change in my setup is that I use port 443/TCP instead of the usual OpenVPN default of 1194/UDP. This increases the chances that you’ll be able to use OpenVPN in almost all places, even in environments which firewall/block lots of stuff. Port 443/TCP (for https) will almost always be usable. I also uncommented the following line, which tells the client to use the VPN interface (usually tun0) by default, so that all the client’s traffic (web browsing, DNS, and so on) goes over the VPN:

  push "redirect-gateway def1 bypass-dhcp"

Here’s my server config file (comments and commented out lines stripped):

  port 443
  proto tcp
  dev tun
  ca /etc/openvpn/easy-rsa/keys/ca.crt
  cert /etc/openvpn/easy-rsa/keys/server.crt
  key /etc/openvpn/easy-rsa/keys/server.key  # This file should be kept secret
  dh /etc/openvpn/easy-rsa/keys/dh4096.pem
  ifconfig-pool-persist ipp.txt
  push "redirect-gateway def1 bypass-dhcp"
  keepalive 10 120
  tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0 # This file is secret
  user nobody
  group nogroup
  status openvpn-status.log
  log-append openvpn.log
  verb 3

You can now start the OpenVPN server, e.g. via

  $ /etc/init.d/openvpn restart

Server firewall setup/changes:

I’m running a custom iptables script on pretty much all of my boxes. Here are the relevant changes needed to allow the OpenVPN server to work properly. Basically, you need to enable IP forwarding, accept/forward tun0 traffic and set up masquerading (replace <vpn-subnet> with the address range of your VPN, and change “eth0” below, if needed):

  echo 1 > /proc/sys/net/ipv4/ip_forward
  iptables -A INPUT -i tun+ -j ACCEPT
  iptables -A FORWARD -i tun+ -j ACCEPT
  iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -t nat -F POSTROUTING
  iptables -t nat -A POSTROUTING -s <vpn-subnet> -o eth0 -j MASQUERADE

My firewall script gets run upon every reboot. If you don’t use such a script, you could add the above stuff to your /etc/rc.local file.

On the client:

Install OpenVPN (apt-get install openvpn), then copy the default client config file and edit it:

  $ cd /etc/openvpn
  $ cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf .

Change the parameters to match the server config (port 443/TCP, and so on) and use “tls-auth /etc/openvpn/ta.key 1” (note the “1” on the client, and the “0” on the server!). Replace <server-address> in the remote line with the public IP address of your OpenVPN server. If it doesn’t have a public, static IP address already, you can use services such as DynDNS, or (my preferred method), my ssh-based DIY poor man’s dynamic DNS setup.

Here’s my full client config:

  dev tun
  proto tcp
  remote <server-address> 443
  resolv-retry infinite
  user nobody
  group nogroup
  ca /etc/openvpn/ca.crt
  cert /etc/openvpn/client1.crt
  key /etc/openvpn/client1.key
  ns-cert-type server
  tls-auth /etc/openvpn/ta.key 1
  verb 3

Now you only need to copy the required certificates and keys to the client (into /etc/openvpn): ca.crt, client1.crt, client1.key, and ta.key. Do not copy the other, server-specific private keys and such to the client(s)! Also, the root CA key (ca.key) should not even be left on the server, but rather moved to some offline storage/box, so that it cannot fall into the wrong hands, e.g. in the case of a server compromise.
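The mistakes the HOWTO warns about (mismatched port/proto, the wrong tls-auth direction, server-side keys ending up on a client, a client that does not verify the peer is a server certificate) can be caught by a small consistency check before you ship a config. The script below is an added example, not part of the original HOWTO: it parses the two config files with awk and reports each problem. The two config files it creates are constructed for the demo, and vpn.example.invalid stands in for the server address.

```shell
#!/bin/sh
# Added example (not from the original HOWTO): cross-check an OpenVPN client
# config against the server config for the mistakes the text warns about.
# The config files below are constructed; vpn.example.invalid is a placeholder.

# ovpn_get FILE DIRECTIVE: print the directive's value (first match), with any
# trailing "# comment" removed; commented-out lines never match $1.
ovpn_get() {
    awk -v d="$2" '$1 == d { $1 = ""; sub(/^ +/, ""); sub(/[ \t]*#.*$/, ""); print; exit }' "$1"
}

# ovpn_check SERVER_CONF CLIENT_CONF: print every problem found, return 1 if any.
ovpn_check() {
    srv="$1"; cli="$2"; rc=0

    # 1. transport must match: client "remote HOST PORT" vs server "port"/"proto"
    sport=$(ovpn_get "$srv" port); sproto=$(ovpn_get "$srv" proto)
    cport=$(ovpn_get "$cli" remote | awk '{ print $2 }'); cproto=$(ovpn_get "$cli" proto)
    [ "$sport" = "$cport" ] || { echo "port mismatch: server '$sport', client '$cport'"; rc=1; }
    [ "$sproto" = "$cproto" ] || { echo "proto mismatch: server '$sproto', client '$cproto'"; rc=1; }

    # 2. tls-auth key direction: 0 on the server, 1 on the client
    sdir=$(ovpn_get "$srv" tls-auth | awk '{ print $2 }')
    cdir=$(ovpn_get "$cli" tls-auth | awk '{ print $2 }')
    [ "$sdir" = "0" ] || { echo "server tls-auth direction should be 0, got '$sdir'"; rc=1; }
    [ "$cdir" = "1" ] || { echo "client tls-auth direction should be 1, got '$cdir'"; rc=1; }

    # 3. the client must only hold its own key, never server.key or ca.key
    ckey=$(basename "$(ovpn_get "$cli" key)")
    case "$ckey" in
        server.key|ca.key) echo "client config references server-side key $ckey"; rc=1 ;;
    esac

    # 4. the client must check that the peer certificate is a server certificate
    if ! grep -qE '^(ns-cert-type|remote-cert-tls)[ \t]+server' "$cli"; then
        echo "client does not verify the server certificate role"; rc=1
    fi
    return "$rc"
}

# Constructed demo configs, following the HOWTO's server and client files.
WORK=$(mktemp -d)
cat > "$WORK/server.conf" <<'EOF'
port 443
proto tcp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key  # This file should be kept secret
dh /etc/openvpn/easy-rsa/keys/dh4096.pem
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0 # This file is secret
EOF
cat > "$WORK/client.conf" <<'EOF'
dev tun
proto tcp
remote vpn.example.invalid 443
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client1.crt
key /etc/openvpn/client1.key
ns-cert-type server
tls-auth /etc/openvpn/ta.key 1
EOF
# Deliberately broken client: server's key direction copied, server.key used.
sed -e 's/ta.key 1/ta.key 0/' -e 's#client1.key#server.key#' "$WORK/client.conf" > "$WORK/bad-client.conf"

echo "== client.conf";     ovpn_check "$WORK/server.conf" "$WORK/client.conf" && echo "OK"
echo "== bad-client.conf"; ovpn_check "$WORK/server.conf" "$WORK/bad-client.conf" || echo "REJECTED"
```

Point the two arguments at your real server.conf and client.conf and the same checks apply; the remote-cert-tls alternative in check 4 is the directive newer OpenVPN releases recommend over ns-cert-type.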

I prefer to manually start the client on my laptop when needed, so I use AUTOSTART="none" in /etc/default/openvpn and then start the client via:

  $ openvpn /etc/openvpn/client.conf

That’s it. Comments and suggestions for improving the setup and/or the security aspects of it are highly welcome!

sslyze – Fast and Full-Featured SSL Configuration Scanner

Transport Layer Security (TLS), commonly called SSL, is one of the most widely used protocols to secure network communications. As costs fall and user security and privacy expectations rise companies are deploying it more widely every year. Attacks against the CA system, SSL implementation flaws and aging protocol versions have grabbed news…


Francois Marier: Optimising PNG files

I have written about using lossless optimisations techniques to reduce the size of images before, but I recently learned of a few other tools to further reduce the size of PNG images.

Basic optimisation

While you could use to manually optimise your images, if you want a single Open Source tool you can use in your scripts, optipng is the most effective one:

optipng -o9 image.png

Removing unnecessary chunks

While not as effective as optipng in its basic optimisation mode, pngcrush can be used remove unnecessary chunks from PNG files:

pngcrush -q -rem gAMA -rem alla -rem text image.png image.crushed.png

Depending on the software used to produce the original PNG file, this can yield significant savings so I usually start with this.
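To see which chunks a PNG actually carries before deciding what pngcrush should remove, it helps to walk the file's chunk list. The script below is an added example, not from the original post: png_chunks prints every chunk's type and length, png_ancillary keeps only the ancillary ones (lower-case first letter, the kind an optimiser may drop, including tEXt metadata that can leak author or tool information). The sample file is a constructed 1x1 PNG skeleton: the chunk layout is real, but its CRC fields are zero placeholders, which the lister does not verify.

```shell
#!/bin/sh
# Added example (not from the original post): list the chunks of a PNG file
# using only od/dd/printf, so you can see what "pngcrush -rem ..." would strip.
# CRCs are not checked; the walk follows the length fields only.

# png_is_png FILE: true if the first 8 bytes are the PNG signature.
png_is_png() {
    [ "$(od -A n -t x1 -N 8 "$1" | tr -d ' \n')" = "89504e470d0a1a0a" ]
}

# png_chunks FILE: print "TYPE LENGTH" for every chunk, in file order.
png_chunks() {
    f="$1"
    size=$(wc -c < "$f")
    off=8                                   # skip the 8-byte signature
    while [ "$off" -lt "$size" ]; do
        # chunk header: 4-byte big-endian data length, then 4-byte ASCII type
        set -- $(od -A n -t u1 -j "$off" -N 4 "$f")
        len=$(( (${1:-0} << 24) | (${2:-0} << 16) | (${3:-0} << 8) | ${4:-0} ))
        type=$(dd if="$f" bs=1 skip=$((off + 4)) count=4 2>/dev/null)
        printf '%s %d\n' "$type" "$len"
        off=$((off + 12 + len))             # header (8) + data + CRC (4)
    done
}

# png_ancillary FILE: only the ancillary chunks (lower-case first letter).
# A decoder may ignore these, so an optimiser may remove them.
png_ancillary() {
    png_chunks "$1" | while read -r type len; do
        case "$type" in
            [a-z]*) printf '%s %d\n' "$type" "$len" ;;
        esac
    done
}

# Constructed sample: 1x1 RGB PNG skeleton with gAMA and tEXt chunks.
# Chunk layout is real; the four CRC bytes of each chunk are zero placeholders.
SAMPLE=$(mktemp)
{
    printf '\211PNG\r\n\032\n'                                            # signature
    printf '\0\0\0\015IHDR\0\0\0\001\0\0\0\001\010\002\0\0\0\0\0\0\0'   # IHDR, 13 bytes
    printf '\0\0\0\004gAMA\0\0\261\217\0\0\0\0'                           # gAMA = 45455
    printf '\0\0\0\012tEXtComment\0hi\0\0\0\0'                           # tEXt, 10 bytes
    printf '\0\0\0\0IDAT\0\0\0\0'                                         # IDAT, empty data
    printf '\0\0\0\0IEND\0\0\0\0'                                         # IEND
} > "$SAMPLE"
NOTPNG=$(mktemp); printf 'GIF89a' > "$NOTPNG"

echo "== all chunks";        png_chunks "$SAMPLE"
echo "== ancillary chunks";  png_ancillary "$SAMPLE"
```

Run png_ancillary on a file before and after pngcrush to confirm exactly which chunks were dropped; anything left in the second listing is what the crushed file still ships.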

Reducing the colour palette

When optimising images uploaded by users, it’s not possible to know whether or not the palette size can be reduced without too much quality degradation. On the other hand, if you are optimising your own images, it might be worth trying this lossy optimisation technique.

For example, this image went from 7.2 kB to 5.2 kB after running it through pngnq:

pngnq -f -n 32 -s 3 image.png

Re-compressing final image

Most PNG writers use zlib to compress the final output but it turns out that there are better algorithms to do this.

Using AdvanceCOMP I was able to bring the same image as above from 5.1 kB to 4.6 kB:

advpng -z -4 image.png

When the source image is an SVG

Another thing I noticed while optimising PNG files is that rendering a PNG of the right size straight from an SVG file produces a smaller result than exporting a large PNG from that same SVG and then resizing the PNG to smaller sizes.

Here’s how you can use Inkscape to generate an 80×80 PNG:

inkscape --without-gui --export-width=80 --export-height=80 --export-png=80.png image.svg

Sandro Tosi: Get the lines unique on the first field(s)

uniq is a great tool, since it returns the unique (adjacent) lines of the given input. But it has a limitation: it can’t check for uniqueness on only the first N fields (while it can be told to ignore them, which is a bit weird).

So, what do you do if you have a long file whose lines have several fields, and you only want the lines whose first 2 fields differ (while keeping the rest of each line’s content)? awk to the rescue!

$ awk '!x[$1]++' file

will print the (complete) lines of file whose first field is unique. You can use $1$2 to get lines unique on the first 2 fields, and so on. Thanks to this forum post, but there are some other interesting articles.
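The one-liner generalises to "unique on the first N fields", and the generalisation is where a practitioner should be careful: plain concatenation ($1$2) turns the fields "ab c" and "a bc" into the same key "abc". The script below is an added example, not from the original post: uniq_fields builds the key with awk's SUBSEP so the fields stay distinct, and uniq_fields_naive shows the concatenation variant dropping a line it should keep. The input file is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): the awk uniqueness trick,
# generalised to the first N fields, beside the naive $1$2 variant.
# The input file is constructed for the demo.

# uniq_first_field FILE: keep the first line seen for each value of $1.
uniq_first_field() {
    awk '!seen[$1]++' "$1"
}

# uniq_fields FILE N: keep the first line seen for each distinct combination
# of the first N fields. SUBSEP (0x1c by default) separates the fields
# inside the key, so "ab c" and "a bc" remain different keys.
uniq_fields() {
    awk -v n="$2" '
        { key = ""; for (i = 1; i <= n; i++) key = key SUBSEP $i }
        !seen[key]++
    ' "$1"
}

# uniq_fields_naive FILE: the $1$2 concatenation from the post.
# Fine for most data, but "ab c" and "a bc" both become the key "abc".
uniq_fields_naive() {
    awk '!seen[$1$2]++' "$1"
}

SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
10.0.0.5 GET /index.html 200
10.0.0.5 GET /login 302
10.0.0.9 POST /login 200
10.0.0.5 POST /login 200
ab c first
a bc second
EOF

echo "== unique on \$1";            uniq_first_field "$SAMPLE"
echo "== unique on \$1,\$2";        uniq_fields "$SAMPLE" 2
echo "== unique on \$1\$2 (naive)"; uniq_fields_naive "$SAMPLE"
```

On the sample, the SUBSEP version keeps both "ab c first" and "a bc second", while the naive version silently drops the second; for log-style data where a field can contain the neighbouring field's prefix, that difference is the whole point.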

CodeSOD: The Anti-SQL Coalition

"There is a small coalition of developers at the office who are vehemently anti-database," writes Bob, "naturally, this faction also doesn’t value 'experience' — mostly, because they have none. At least, not outside their university studies. They'll often liken a database server to a file system, and suggest that it's just a convenient way to store blobs of data — but everything else is inelegant bloat."

"Of course, since this coalition doesn't have any actual decision making power, their strong opinions remain just that, and we stick with a standard tech of technology. Of course, their attitude often leaks into the code, as in this example of a simple search query that was used to search for an employee by name. The trick is we have employees with accented characters in our directory but, if a user searches for the name without the accented char (e instead of é), it needs to return the result anyway."

  FROM Persons
 WHERE /* HACK! Being SQL, there's no concept of 
          RegEx, so we have to this horrible hack  */
       Replace(Replace(Replace(Replace(name, ' ',''),
       LIKE @name AND 
       /* HACK AGAIN! Oh yeah, no cod reuse.
          Why are we doing this in SQL!? */
       Replace(Replace(Replace(Replace(surname, ' ',''),
       LIKE @surname 
 ORDER BY name, surname

Bob added, "like most of their code, I was able to replace it with a much simpler block."

  FROM Persons 
 WHERE name collate Latin1_General_CI_AI LIKE @name 
   AND surname collate Latin1_General_CI_AI LIKE @surname 
 ORDER BY name, surname

sqlsus 0.7.1 Released – MySQL Injection & Takeover Tool

sqlsus is an open source MySQL injection and takeover tool, written in perl. Via a command line interface, you can retrieve the database(s) structure, inject your own SQL queries (even complex ones), download files from the web server, crawl the website for writable directories, upload and control a backdoor, clone the database(s), and much…
