Fazal Majid's low-intensity blog · Fazal Majid's low-intensity blog

Edgewalker, a DIY VPN server

2020-11-30 IT Network Security

TL:DR Don’t trust VPN services, roll your own with this easy script.

Rationale

There are many reasons to use a Virtual Private Network. Perhaps you are on an unsecured WiFi network. Perhaps you don’t want your Internet Service Provider to snoop on your browsing history using Deep Packet Inspection and compile a marketing dossier on your. Perhaps like my daughter you want to access video content on Netflix that is not available in your country. Perhaps you want to bypass the nanny state content filters the British government mandates.

Most VPN services are untrustworthy. You depend on the VPN provider’s assurances to protect your privacy, which completely defeats the purpose of a VPN. The only way you can be sure is to run your own, but baroque network protocols engendering complex software makes it difficult to do so even for the technically savvy.

Streisand was one of the first efforts to automate the process, using cloud virtual servers as the hosts operating the VPN. Trail of Bits implemented Algo to simplify it and remove some questionable choices Streisand made (although, to be fair, the Streisand project seems to have jettisoned many of them and converged on WireGuard).

Edgewalker is similar, but awesomer:

It is based on OpenBSD, widely considered the most secure general-purpose OS, rather than Linux.
Like Algo, it implements IPsec/IKEv2/MOBIKE rather than OpenVPN (read the Algo announcement for the reasons why).
- IPsec/IKEv2 works out of the box on iOS, iPadOS and macOS.
- In theory on Windows as well, although I have no idea how to make it work or simplify setup, any help is welcome.
It also implements WireGuard (recommended for Linux and Android, along with travel VPN-capable routers like the GL.iNet Mango)
It uses QR codes to simplify installation as much as possible on the client devices.
It uses Let’s Encrypt so your IPsec certificates just work (WireGuard does not rely on PKI)
It uses its own Unbound DNS server with DNSSEC validation support, for better privacy
It has no dependencies on Ansible, Python or anything else exotic you need to add on your own machine, other than a SSH client.
It is just a shell script with little bits of Python thrown in like Acme-Tiny, and easily auditable.

While you can run the script again as your Let’s Encrypt certificates expire (although it generates new credentials each time), I recommend simply destroying the VM and creating a new one. Of course, if you are running on physical hardware, you will want to rerun the script. If using WireGuard only, you don’t need to rerun the script as WireGuard keys do not expire and there are no certificates.

Prerequisites

You need:

A Let’s Encrypt account and key (I’m working on setting this up automatically for you, in the meantime you can use Step 1 on this page to do that for you).
An OpenBSD machine reachable from the Internet (it can be a physical machine you own, or a cloud VM like Vultr).
The ability to add a DNS record for the machine’s IP address (IPv4 only for now).
The 80x25 OpenBSD console does not support UTF-8 and cannot display the QR code in a single screen. Use a different terminal, or enter the profile URL by hand.

If you have a firewall in front of the OpenBSD machine, it needs to allow the following inbound traffic (possibly using static port mappings if you use NAT):

SSH (TCP port 22) so you can actually log in to your machine.
HTTP (TCP port 80) and HTTPS (TCP port 443) to allow Let’s Encrypt certificate issual and allow you to get the Apple-format Profiles that will ease setup on your iDevice.
UDP ports 500 (IKE), 1701 (IPsec) and 4500 (IPsec NAT traversal).
Optionally IPsec protocols ESP (IP protocol number 50, hex 0x32)) and AH (decimal 51 hex 0x33) and ESP for maximum efficiency, although many firewalls won’t support this.
UDP port 51820 (WireGuard).

Instructions

Clone the Github repository into one of your own, or copy the file edgewalker.sh somewhere you can download it without it being tampered with in transit, in practice that means HTTPS.
Edit the first lines in the script edggewalker.sh (X509 and USERNAME). Not strictly necessary, but make it your own.

pkg_add wget
wget -c https://raw.githubusercontent.com/YOUR_GITHUB_ACCOUNT_HERE/edgewalker/main/edgewalker.sh
sh -e edgewalker.sh

The script will ask you for:
- The DNS name of your OpenBSD machine.
- To copy-paste your Let’s Encrypt account key in PEM format.
It will then obtain Let’s Encrypt certificates, generate a QR code that you can use to download the profile on your iDevice to set up the VPN.

Credits

The OpenBSD team, for making their wonderful security-focused OS.
Reyk Flöter for making OpenIKEd, a breath of fresh air in the unnecessarily convoluted world of VPN software.
Jason A. Donenfeld for inventing WireGuard.
Let’s Encrypt, for making certificates cheap and easy.
Daniel Roesler for the fantastic Acme-Tiny.

Demo

I created a fresh OpenBSD 6.8 VM vpn42.majid.org on Vultr, and here is what the experience looks like:

Here is how to install the VPN on an iPhone:

Here is how to create a suitable VM on Vultr:

Canon Powershot Zoom review

2020-11-22 Photo Photo galleries

TL:DR A nice toy, useful for documentation purposes, but don’t expect amazing image quality.

I just received my Canon Powershot Zoom yesterday. It’s a relatively compact digital camera shaped like a monocular. Size-wise, it is comparable with monoculars like my Leica Monovid or Nikon 7x15 HG.

It’s not actually a zoom, but rather it offers 100mm-e and 400mm-e discrete magnifications (with nothing in-between), and a 800mm-e digital zoom setting that is best ignored. It will take 4000x3000 images or 1080p25 (if set to PAL) at 30Mbps. There is no built-in memory, you have to use a microSDXC card, in my case a 64GB one, there is no specified upper limit.

On paper it looks like an ideal birdwatcher’s camera, since the 400mm-e is roughly the same magnification as a pair of 8x magnification binoculars, but Canon’s specifications list it as 4.8x (and 9.6x for the digital zoom, which is closer to 8x as seen through my Swarovski NL Pure 8x42 binoculars). This suggests the EVF is a 60% magnification type. The actual focal length is 55.5mm on a 1/3" type sensor (actually the center of a 1/2.3" sensor) with a diagonal of 8.467mm, which compared to the 40mm diagonal of a 24x32mm 4:3 crop of a 24x36mm full frame would be 262mm-e or 5.24x magnification, not 400mm-e, so Canon’s specs are somewhat dubious, unless the equivalence is calculated from the 1/2.3" sensor size, but then why throw away those pixels?

That said, the 2.36 Mdot EVF resolution (so 0.8 MP, or basically 1024x768) is not on par with quality birdwatching optics and the field of view is tunnel-like. A 62cm ruler fills the horizontal width at 7.26m at the 400mm setting, so 85m at 1000m, thus 4.9º real horizontal field of view¹ And using the 4.8x magnification quoted by Canon, about 23º apparent field of view², which is abysmal. In comparison the Nikon 5x15 HG monoculars have a 43º AFOV , and full-size binoculars are considered mediocre if they don’t get at least 55º, and that understates the case since the field of view is a 4:3 rectangle, not a circle, so only 61% the AFOV³. Furthermore, the EVF is prone to blown highlights or muddy shadows in scenes with wide dynamic range. Eye relief for glasses is fine, and there is a tiny wheel for diopter adjustment. This gadget will not replace real optics anytime soon.

The image stabilization is a 4-axis lens-shift type, and quite effective while viewing, slightly less so for video.

The user interface is very basic given the few buttons available. I think the prominent zoom button on top would be better used as the photo-taking button, vs. the smaller and more fiddly one at the bottom. It would also be nice for the camera to remember the previous magnification setting rather than defaulting to 100mm-e every time it is powered on. There is a smartphone app that allows image transfer over WiFi and geotagging using the phone’s GPS, but I haven’t tested that functionality.

With a sensor that puny, you can’t expect amazing results. At night, the image quality falls apart. In the daytime, it has to crank up the ISO to have sufficient shutter speed to avoid motion blur, even with stabilization, aiming at 1/500 shutter speed when at the 400mm-e setting.

Scene at night
© Copyright 2020 Fazal Majid, All rights reserved.

Magpie in a tree
© Copyright 2020 Fazal Majid, All rights reserved.

Magpie in flight
© Copyright 2020 Fazal Majid, All rights reserved.

City rooftops
© Copyright 2020 Fazal Majid, All rights reserved.

Pigeons splashing in a gutter
© Copyright 2020 Fazal Majid, All rights reserved.

There are still planes flying, who knew?
© Copyright 2020 Fazal Majid, All rights reserved.

Here is a sample video (30MB H.264 in Apple Compressor, the 90MB original is here).

Inexplicably, Canon did not include a lens caps to protect the objective lens, so I designed and 3D-printed my own (the OpenSCAD source is here and gcode for Prusa i3 MK3S here). It would be much harder to make a lens cap for the eyepiece, but that’s less critical as it has no bearing on picture quality.

2×arctan(0.62/2/7.26)×180/π ↩︎
2×arctan(4.8×0.62/2/7.26)×180/π, see the revised ISO standard for details ↩︎
4×3/π/(5/2)² ↩︎

Exporting secrets from the Lockdown 2FA app

2020-11-14 Mac Go

The Lockdown app mentioned in this article was last updated in 2015, and if you don't already use it, I would not recommend your adopting it.

I am (very) slowly migrating away from the Mac to Ubuntu Linux as my main desktop operating system. The reasons why Apple has lost my confidence are:

The execrable software quality of recent releases like Catalina (I plan on sticking with Mojave until I have migrated, however long that takes).
Apple’s increasing locking down of macOS in ways antithetical to software freedom, e.g. SIP or the notarization requirements in Catalina with the denial of service implications
The fact they no longer even pretend not to price-gouge on the Mac Pro. My days of buying their professional workstations every 5 years have come to an end after 15 years (PowerMac G5, Nehalem Mac Pro, 2013 Mac Pro)
As the iPhone market is saturating, in their eagerness to come up with a replacement growth engine in “services”, they are pushing app developers towards the despicable and unacceptable subscription licensing model
The butterfly keyboard fiasco exemplifies the contempt in which the company seems to hold its most loyal customers

On the plus side, ThinkPads have decent keyboards, unlike all Apple laptops since at least 2008, the LG Gram 17 is both lightweight, powerful and its huge screen is a boon to my tired eyes, and I am favorably impressed with the deep level of hardware integration offered by Ubuntu (e.g. displaying the logo and boot status in the UEFI stages of boot), even if I am not enamored of the software bloat or systemd.

One of the tasks in my migration checklist is to find a replacement for my TOTP two-factor authentication solution, which is currently the Lockdown app on iOS, iPadOS and MacOS (based on this recommendation, not to be confused with the Lockdown firewall/VPN app). I don’t trust Authy, they have a record of security failures introduced by their attempts to extend standard TOTP with their proprietary garbage, but I digress…

Thus I need to export Lockdown secrets. The iOS app can print or email a PDF with QR codes as a backup, but that’s not a very usable format for migration.

As I had to add a new TOTP secret to the app recently, that was the impetus to do this as a weekend project. I implemented a small utility called ldexport in Go to decode Lockdown for Mac’s internal file into either JSON or HTML format. Here are some simulated samples:

[
    {
        "Service": "Amazon",
        "Login": "amazon@example.com",
        "Created": "2015-11-18T19:53:34.969532012Z",
        "Modified": "2015-11-18T19:53:34.969532012Z",
        "URL": "otpauth://totp/Amazon%3Aamazon%40example.com?secret=M7IoBWqA2WuzYG27ju82XTWsflPEha3xBafMQ3i9CgwKgp6RdBGh\u0026issuer=Amazon",
        "Favorite": true,
        "Archived": false
    },
    {
        "Service": "PayPal",
        "Login": "ebay@example.com",
        "Created": "2019-11-25T08:46:57.253684043Z",
        "Modified": "2019-11-25T08:46:57.253684043Z",
        "URL": "otpauth://totp/PayPal:ebay@example.com?secret=3gB0VWJFkaYcVIiD\u0026issuer=PayPal",
        "Favorite": false,
        "Archived": false
    },
    {
        "Service": "Reddit",
        "Login": "johndoe",
        "Created": "2020-08-07T19:58:37.930042982+01:00",
        "Modified": "2020-08-07T19:58:37.930042982+01:00",
        "URL": "otpauth://totp/Reddit:johndoe?secret=nDTxDMI6bEgVpHWCViZjDFhXKH1bysRa\u0026issuer=Reddit",
        "Favorite": true,
        "Archived": false
    },
    {
        "Service": "GitHub",
        "Login": "",
        "Created": "2016-05-04T19:04:12.495128989+01:00",
        "Modified": "2017-04-04T06:33:10.641680002+01:00",
        "URL": "otpauth://totp/github.com/johndoe?issuer=GitHub\u0026secret=bXh5qmeTMzcatKKz",
        "Favorite": false,
        "Archived": false
    },
    {
        "Service": "Google",
        "Login": "johndoe@gmail.com",
        "Created": "2015-11-13T05:06:07.103500008Z",
        "Modified": "2015-11-13T05:06:07.103500008Z",
        "URL": "otpauth://totp/Google%3Ajohndoe%40gmail.com?secret=o5MvqdWDt7ZEHHSTuH6rCAUr4M6ozGQD\u0026issuer=Google",
        "Favorite": false,
        "Archived": false
    }
]

Please update to Temboz 4.4.0 or later

2020-11-09 Temboz

TL:DR If you are using my Temboz feed reader, please update as soon as possible to version 4.4.0 or later.

This is somewhat related to the last security advisory for Temboz. Fields like article title, author or tags, or feed title or description that are supposed to be plain text (not even HTML) were not being sanitized. For XSS. The effect was demonstrated by this article in BoingBoing.

Once again I apologize for potentially exposing you to XSS attacks via malicious feeds, and I would recommend you subscribe to my RSS feed for it so you can get important announcements like this one in the future.

DNP D820A review

2020-10-01 IT Photo

A very solid and trouble-free printer that makes excellent prints, including spectacular panoramics, for a significant fixed price.

Despite striving for the paperless office, and believing photographic prints are mostly a relic, I have a substantial collection of printers (as my daughter points out, it’s 5 printers per person in my household):

HP OfficeJet Pro X551dw (extremely fast using PageWide fixed head technology, quite economical, huge paper tray capacity, very bulky)
Epson EcoTank ET-16600 (prints and scans A3, very economical, also very bulky but not considering the print size)
Brother QL-700, QL-820NWB, QL-1110NWB label printers (can make labels any length you want, the latter two are AirPrint compatible)
Rollo label printer (will take practically any label stock you can throw at it)
Fuji Instax SP100 instant photo printer (kids love them)
Canon Selphy QX10 portable dye-sub sticker printer for my daughter
two Dai-Nippon Printing DNP DS820A 8" dye-sub printers, one in storage
An Epson Stylus Photo R2400 in storage
a couple of Brother TZe label makers
a Dymo LabelWriter 450 Twin Turbo (unreliable garbage, at least on Mac, avoid)
A Selpic P1 on the way
A Prusa i3 MK3S 3D printer (not sure if that counts)

The DNP DS820A replaced my Epson R2400 for two reasons:

I print seldom enough that inks clogging in the nozzles was a big issue.
The Epson is a behemoth that is very hard to find a place for, even before I downsized.

The DNP uses dye-sublimation technology to make its prints. You may have encountered one at a drugstore self-service photo kiosk, or at photo events like Macy’s Santa Claus portrait sessions. These printers are designed specifically for these two use cases, and are built like tanks with a steel chassis. Since most events typically gang two or even four printers to maximize throughput, they are also very compact, with a footprint barely larger than an A3 sheet of paper, mine is on a lower shelf in my IKEA FREDDE computer desk.

Until the advent of fine-art photo printers with 6 or more color pigment inks, dye-sub was the top-end digital photo printing technology, thanks to the continous tones it can generate, like photographic processes (e.g. Fuji Frontier or Noritsu QSS digital minilabs, or large-format laser enlargers like the Cymbolic Sciences LightJet or Durst Lambda/Theta). Dye-subs have all but disappeared from the consumer market, however, apart from some Canon Selphy compact printers, and are now largely reserved for professional applications, with a price to match. The DNP DS820A used to cost $1100. They lowered the price to under $1000 a few years ago, but cheaped out by removing the print-catching basket that used to be included in the older package.

You pop off the front panel and install a roll of paper and a reel of dye ribbons in a tray above the paper inside the printer, then pop the front back in. Nothing protrudes and the media is protected from dust, which is really nice. There are two different sizes of media, 8x10 (130 prints) and 8x12 (110 prints). The size is mostly relevant for the dye ribbons that have CMY sections sized in increments of 10 or 12 inches, but a surprising consequence of this is that you cannot switch from 8x10 to 8x12 and vice versa (you can make smaller divisions and the printer will trim them to size using its built-in cutter). The cost per print is about $0.65 for 8x10, $0.80 for 8x12, $1.30 if you get the premium metallic paper. Since the paper and ribbon is consumed no matter the coverage, it’s a constant, unlike the variable costs of an inkjet printer.

The print quality is excellent, as can be expected, as is the color calibration out of the box. It may not quite have the tonal subtlety of an Epson, but there is no visible pixellation. Furthermore, the prints get a clear protective laminate, which makes them smudge-proof and very tough. You can even choose one of four different finishes applied by a roller so no media change required: glossy, luster, matte and fine matte.

One of the marquee features of the DS820A and its little 6" brother the DS620A is the ability to make panoramic prints. Each print is made by combining multiple pages together, with about 2" of overlap wastage, so if your printer is loaded with 8x12 media you can make 8x22 or 8x32 prints, with 8x10 media you can make 8x18 or 8x26. The 8x32 panoramic prints are absolutely spectacular, although finding a suitable frame for them is not a trivial undertaking, that not being a standard print size.

Unfortunately this functionality is not built into the printer driver, but you must use the DNP Hot Folder utility, and while it is available for both Mac and Windows, only the Windows version can make panoramic prints. DNP Hot Folder is meant to use for events where a single PC or server controls multiple printers. You drop the files into a directory per print size (hence the name “Hot Folder”) and the software will automatically print it on the next available printer loaded with the right media. Since the printers run in parallel, even if the print speed is not incredibly fast (about 30 to 60 seconds per print), aggregate throughput is sufficient for a busy event. I have mine on a USB switch (the printer has no network connectivity) to share it between my Mac and my gaming PC.