Archive for the ‘mobile phones’ Category

OpenVPN Server on DD-WRT with iOS 10 Client

Sunday, October 9th, 2016

iOS 10 removed PPTP support. Sure, as a protocol it’s not secure and open to man-in-the-middle attacks so I get it. But I want a way to network back home.

So… if you have DD-WRT installed on your router and want VPN access to your home network then you’ve got to choose another option. DD-WRT supports OpenVPN. That can work with your iOS 10 devices with the OpenVPN Client from the App Store. I have it working on my Linksys 1900AC (Nighthawk running Firmware: DD-WRT v3.0-r29147 std (02/23/16)).

Here’s how:

Step 0: Check your free memory

All the data entered in the Web GUI is stored permanently in NVRAM, so you must have enough free space to hold the certificates and keys. Before you start, check how much NVRAM space is left (and how much is used). You need about 6000 bytes available in NVRAM.

Telnet or ssh into your router and type:

nvram show | grep size


Step 1: Self-sign certificates and create keys

I followed this post on dd-wrt wiki. Read that post.

I used an Ubuntu box to create all the certificates so I’m not providing any Windows instructions for this section. To keep things simple I did not use TLS auth. This was my flow:

  1. sudo apt-get install easy-rsa
  2. make-cadir path
  3. cd path
  4. Edit the “vars” file as in the post – really easy: just use your location, organization, email, etc.
  5. As the “root” user, run:
    source ./vars
    ./clean-all
    ./build-ca
    ./build-key-server server
    ./build-key client1
    ./build-dh

Now you have all the key and cert files you need in <path> on your Ubuntu box.

Step 2: Configure DD-WRT

This was a pain because the docs are out of date. In short, you need to copy-paste the following into the OpenVPN server boxes:

Box                  File to insert
CA Cert              ca.crt
Public Server Cert   server.crt
Private Server Key   server.key
DH PEM               dh1024.pem
TLS Auth Key         blank
Additional Config    the block below

push "route 192.168.54.0 255.255.255.0"
push "dhcp-option DNS 192.168.66.1"
server 192.168.66.0 255.255.255.0
dev tun0
proto udp
keepalive 10 120
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
# Only use crl-verify if you are using the revoke list – otherwise leave it commented out
# crl-verify /tmp/openvpn/ca.crl
# The management parameter allows DD-WRT's OpenVPN Status web page to access the server's management port.
# The port must be 5001 for the scripts embedded in the firmware to work.
management localhost 5001
script-security 2
comp-lzo

And finally, the firewall rules. Go to the “Administration” tab then subtab “Commands” and paste:

iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD 1 --source 192.168.66.0/24 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT

Click “Save Firewall”

Step 3: Configure iPhone / iPad with iOS 10

Install the OpenVPN client from the App store.

This app needs an “.ovpn” file and the certificates/keys from Step 1. The .ovpn file is just a text file that must match the server config from Step 2. If you run into problems, carefully think through your server and client configurations. Make sure they match.

My .ovpn file which I called “home.ovpn”:

##############################################
# Sample client-side OpenVPN 2.0 config file
# for connecting to multi-client server.
#
# This configuration can be used by multiple
# clients, however each client should have
# its own cert and key files.
#
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
;proto tcp
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote MYDOMAIN.ddns.net 1194

# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca ca.crt
cert client1.crt
key client1.key

# Verify server certificate by checking that the
# certificate has the correct key usage set.
# This is an important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the keyUsage set to
# digitalSignature, keyEncipherment
# and the extendedKeyUsage to
# serverAuth
# EasyRSA can do this for you.
remote-cert-tls server

# If a tls-auth key is used on the server
# then every client must also have the key.
# tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
# Note that 2.4 client/server will automatically
# negotiate AES-256-GCM in TLS mode.
# See also the ncp-cipher option in the manpage
;cipher AES-256-CBC
cipher bf-cbc

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20

The key thing in this file was to use “cipher bf-cbc”.
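The post's advice to make the server and client configurations match can be checked mechanically. The checker below is an added example, not code from the original post or from DD-WRT: it parses the directives that must agree on both ends (dev, proto, cipher, comp-lzo, tls-auth) and reports each difference. It assumes a pre-2.4 OpenVPN server, as in the February 2016 DD-WRT build above, whose default cipher is BF-CBC when none is set; the embedded sample configs are constructed from the post's server and client settings.

```python
import shlex

# 64-bit block ciphers: weak (SWEET32) and deprecated since OpenVPN 2.4.
WEAK_CIPHERS = {"bf-cbc", "des-cbc", "des-ede3-cbc"}
# Constructed sample: the server-side lines from the post's "Additional Config".
SERVER_CONF = """server 192.168.66.0 255.255.255.0
dev tun0
proto udp
# crl-verify /tmp/openvpn/ca.crl
comp-lzo"""

def client_conf(cipher="bf-cbc"):
    # Constructed sample: the active lines of the post's home.ovpn.
    return f"""client
;dev tap
dev tun
proto udp
# tls-auth ta.key 1
cipher {cipher}
comp-lzo"""

def parse_openvpn(text):
    """Map each active directive to its arguments; '#' and ';' start comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line and not line.startswith(";"):
            words = shlex.split(line)
            conf.setdefault(words[0], words[1:])  # first occurrence wins
    return conf

def check_pair(server_text, client_text):
    s, c = parse_openvpn(server_text), parse_openvpn(client_text)
    problems = []
    # 'dev tun0' on the server and 'dev tun' on the client are the same type.
    for key, default in (("dev", "tun"), ("proto", "udp")):
        sv, cv = (x.get(key, [default])[0].rstrip("0123456789") for x in (s, c))
        if sv != cv:
            problems.append(f"{key} mismatch: server {sv}, client {cv}")
    # Assumes OpenVPN 2.3, which falls back to BF-CBC when no cipher is set.
    sv, cv = (x.get("cipher", ["BF-CBC"])[0].lower() for x in (s, c))
    if sv != cv:
        problems.append(f"cipher mismatch: server {sv}, client {cv}")
    elif sv in WEAK_CIPHERS:
        problems.append(f"cipher {sv} is a 64-bit block cipher; prefer AES")
    for flag in ("comp-lzo", "tls-auth"):
        if (flag in s) != (flag in c):
            problems.append(f"{flag} is set on only one side")
    return problems  # empty list means the two ends agree
```

With the post's settings the only finding is the weak default cipher, which is exactly why the client had to say `cipher bf-cbc`; uncommenting `cipher AES-256-CBC` on the client alone produces a mismatch report instead.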

Step 4: Upload the .ovpn and key/crt files to your iOS device

Plug your iPhone/iPad into your laptop. In iTunes, click on the iPhone and then “Apps”. Scroll down to “File Uploads” and click on the OpenVPN client.

Add the files:

  • home.ovpn
  • ca.crt
  • client1.key
  • client1.crt

Step 5: Test it works

Turn off wifi and launch OpenVPN on your iPhone. Import the new profile and tap the slider to “connect”. You should be asked about allowing OpenVPN to manage VPN connections on your phone. Tap OK and you’ll connect.

iPhone 4S Storing Numbers in Wrong Format

Wednesday, October 26th, 2011

My new Verizon iPhone 4S was showing incoming SMS messages with different numbers than incoming calls. I save my contacts with +1 (NNN) NNN-NNNN format so that I can call when roaming abroad without adding the US country code prefix. But SMS messages were coming in (NNN) NNN-NNNN which the phone didn’t match to the +1 version I’ve stored and I noticed that when I stored new numbers they were an odd NNNNNNNNNN form.

Anyway, I found a post that explained how to force an update from Verizon on the Apple Forum. It says:

  1. Open the Phone and dial *228. This is a Verizon over-the-air programming number.
  2. When the system answers, press 1 for “Program or activate your phone”
  3. Wait for the call to disconnect. You should get a prompt stating something like, “Settings updated.”
  4. Open the Task Manager and kill the Phone, Message, and Contacts Applications
  5. Wait a few minutes (I waited 3 just to be extra safe)
  6. Open the Message App to verify the fix.

This fixed it.

My old iPhone was AT&T and I set up my new 4S by restoring from the old data. I’m not sure if that caused this problem but I’m glad it went away.

Easy jailbreak your iPhone

Wednesday, September 8th, 2010

With www.jailbreakme.com, jailbreaking an iPhone suddenly became too easy not to do. I’ve jailbroken iPhones before with ultrasn0w but this is too simple. Just go to that site on your pre-4.0.1 iPhone, slide your finger across the screen and you’re done.

Simple! But what next?

Your new app installer is called “Cydia”. It’ll be on your home screen. Go play with Cydia and install some apps. Not all are free and none of them are approved by Apple. Now that you can install anything on your iPhone you need to be a little more cautious. It is no different from downloading apps from the web and installing them on your computer — the code is not vetted by any single governing body and you need to be thoughtful as to what you’re installing.

First thing is to fix the root password. iPhones have a default root password of alpine. So install “mobile terminal”, open it and type “passwd” to change your password. Alternatively, connect to your home wifi network, install openssh on your iPhone, then go to Settings -> WiFi and take note of your IP address. Then from your laptop ssh into your iPhone and change your password with the passwd command. Also change the “mobile” account password with “passwd mobile”.

Next install the PDF Patch fix (since that security vulnerability let you jailbreak your iPhone via jailbreakme.com in the first place).

Now follow these simple steps to unlock your iPhone so you can use it on different networks.

Finally, go have fun. Change themes, message alert tones and customize to your heart’s content. When new versions of iOS come out, be sure to download and jailbreak before you install them to your device. Don’t just click “install” in iTunes.

Location based services for mobiles

Friday, January 8th, 2010

Location based services have been around for a number of years in the research community. They were always fun to build and excellent research vehicles but needed something to change before hitting the streets. Well, now that we’re beginning to carry GPS-enabled devices, these services have hit the mainstream. I regularly use Yelp and Around Me on the iPhone to find local restaurants, gas stations, and coffee shops. The integration with the maps application is a fantastic coupling. Now Google have released their search services with the “Near me now” service (iPhone and Android, US only).

Location data for these applications is usually derived from GPS readings but it is not limited to that. You can use wifi spotting, video capture, parse user calendars or discover location by inference (I am near Alice and Alice knows where she is so I can find where I am). But in practice are these other inputs really required? Or are they all part of a larger model of the real world?

Location based services are a manifestation of pervasive computing in the real world. Next will come more complex context aware services with social aspects and recommendations. I’ve oft heard the question “who will pay for the infrastructure for pervasive computing?”. I think the answer is still “we will” but now you can add “and already are”.

Augmented reality steps closer

Wednesday, August 12th, 2009

BBC tech News is reporting on mobile phone handsets with augmented reality. The article says that this is the first time AR has been available on handsets which is not strictly true. In CIS at Strathclyde University we had MSc students developing prototype map assistants on handsets with AR back in 2003, and I’m sure we were not the first. Maybe the BBC mean this is the first time AR handsets have hit the mainstream.

If you read the article bear in mind that the cyborg theme is erroneous and misleading. Yet another UK media attempt to glamorize a story and attract attention. Regardless, the technology is very cool. Sign me up.