## WPS flaw on routers allows WPA protected WIFI networks to be cracked

This post discusses how one could use Reaver to exploit a flaw in WPS to recover a WPA password. Tomato and DD-WRT firmware don’t support WPS, so my network is safe. Lesson: buy and use a router that you can flash with Tomato or DD-WRT.

On another note, WEP passwords could also be compromised using BackTrack.

## OpenDNS on Tomato router for faster web experience

I saw this post and decided to use OpenDNS as my DNS server instead of my ISP’s. I followed these instructions to set it up. Basically, I activated a second DDNS service (Basic > DDNS) and entered my OpenDNS login information. When activating it, I set it to update my dynamic IP and to use OpenDNS as my DNS server. It was as simple as that.

## Google Voice on a telephone without a server

I already discussed how one can make use of Google Voice with Asterisk – the possibilities are limitless. However, all of that requires a server running Asterisk. I recently explored other options for using Google Voice (or other VoIP services) without a server.

Since I own routers running Tomato and DD-WRT, I can use Optware to run Asterisk on an embedded device. Installation is quite easy. You can buy a cheap router like the Asus WL-520GU to get things going, though it might be somewhat slow for Asterisk. I own an Asus RT-N16, which, based on my reading, has plenty of power for Asterisk. However, I only want to use the router as a router, dedicated to that one task, to keep a stable home network; I don’t want to run Asterisk or an embedded web server on it, for the sake of stability. Still, knowing I have that option feels quite good.

I recently discovered the OBi100 and OBi110 ATAs, released in late 2010, which can connect to Google Voice (and other SIP providers) natively. Based on this review and the reviews on Amazon, the product seems quite good. I went ahead and ordered the OBi110 to try it out, and I might post an update once I have.

Setup is outlined here. The drawback with GV is the inability to dial 911 in an emergency. The end of the post illustrates how you can get around this. I called my Verizon home phone service: once the line is disconnected, 911 service is not retained. I might pay for another VoIP service with E911 capabilities (local 911 operator plus transmission of phone number and physical address) just for peace of mind, even though we all own cell phones. Another possibility is routing 911 to the local police station, but E911 capabilities will not be available that way.

I just might port my home phone number to GV soon.

## Be on my home network when I’m away from home via OpenVPN

In my previous jobs, I remember co-workers having to use a VPN when working from home; they could access everything at the company as if they were physically on-site. I hadn’t tried configuring one on my home network since, whenever I needed anything, I ssh’d into my home NAS and grabbed it from there. I guess a VPN can be useful in that everything I do on the remote machine behaves as if I’m at home: all my mounted directories on the NAS, access to the router, etc., are available while I’m away.

I’ve been wanting to play around with VPN for a while since I know both DD-WRT and Tomato routers have OpenVPN bundled in.

Instructions are clearly documented on the USB Tomato wiki (look here to get the easy-rsa files in newer versions (14.04) of Ubuntu). Note that when pasting into the web browser, include the BEGIN and END lines. Also note that in order to generate the files, you have to do so as root; sudo doesn’t cut it. On Ubuntu, use sudo -i to get a root shell.

Keep the generated files in a safe place. The files I keep on my laptop (client) to VPN into my home network are ca.crt, Client1.crt, and Client1.key. Then create this Client1 file:

```
##########################################
# Tomato OpenVPN client configuration
##########################################
# The hostname/IP and port of the server. You can have multiple remote entries to load balance between the servers.
remote server.dyndns.org 1194
# Specify that we are a client and that we will be pulling certain config file directives from the server.
client
ns-cert-type server
# On most systems, the VPN will not function unless you partially or fully disable the firewall for the TUN/TAP interface.
dev tun21
# Are we connecting to a TCP or UDP server?
proto udp
# Keep trying indefinitely to resolve the host name of the OpenVPN server. Useful for machines which are not permanently connected to the internet such as laptops.
resolv-retry infinite
# Most clients don't need to bind to a specific local port number.
nobind
# The persist options will try to avoid accessing certain resources on restart that may no longer be accessible because of the privilege downgrade.
persist-key
persist-tun
# Allow the server to change its IP address/port (e.g. after a DHCP renewal).
float
# SSL/TLS parms.
ca ca.crt
cert Client1.crt
key Client1.key
# Enable compression on the VPN link.
comp-lzo
# Set log file verbosity.
;verb 3
# Silence repeating messages
mute 20
```


When I need to VPN, I just do

```sh
sudo openvpn Client1   # run this in the directory where the 3 files are stored
```


Thank you open source community!

I wanted to add a password to my VPN since I’m afraid someone might get access to my key files. I asked how on the Tomato forum and was referred to this post. It is quite easy to implement. 10/25/2014: I did more research to see whether it would be better to put a passphrase on the key instead of what I implemented before, but this post confirms that the auth-user-pass-verify method is indeed the recommended way to implement authentication.

In the Tomato web config, add the following:

```sh
echo '#!/bin/sh
user1="user1name"
pass1="user1pass"
test "$user1" = "${username}" && test "$pass1" = "${password}" && exit 0
exit 1' > /tmp/quickAuth.sh
chmod 755 /tmp/quickAuth.sh
```


Restart the router or, better yet, run the above code on the “System” page under “Tools”.

Under the “Advanced” tab on the VPN Server page, enter the following under “Custom Configuration”:

```
script-security 3
auth-user-pass-verify /tmp/quickAuth.sh via-env
```
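As an added example (not the post’s quickAuth.sh and not Tomato’s own code), here is a hardened version of the same auth-user-pass-verify hook: it uses OpenVPN’s via-file mode instead of via-env, so the password is never placed in the environment (script-security 2 is then enough, instead of 3), and it compares a salted SHA-256 hash instead of keeping the plaintext password in the script. The database path /tmp/vpnusers.db, the record format and the add_user enrolment helper are my assumptions; since /tmp does not survive a reboot on Tomato, the same init script that creates the hook would also have to recreate the database.

```shell
#!/bin/sh
# Added example (not the post's quickAuth.sh): auth-user-pass-verify in
# "via-file" mode. OpenVPN writes the username on line 1 and the password
# on line 2 of a temp file and passes its path as $1; exit 0 = accept.
# Users live in a hypothetical /tmp/vpnusers.db with one "user:salt:sha256"
# line each, so no plaintext password sits on the router. Needs sha256sum.
DB="${VPN_USER_DB:-/tmp/vpnusers.db}"

# hash_pw SALT PASSWORD -> hex SHA-256 of "SALT:PASSWORD"
hash_pw() {
    printf '%s:%s' "$1" "$2" | sha256sum | cut -d' ' -f1
}

# verify_user DBFILE USER PASSWORD -> 0 if the pair matches a DB line
verify_user() {
    db="$1"; user="$2"; pw="$3"
    # An empty field or a colon in the username can never match a record.
    case "$user" in ''|*:*) return 1 ;; esac; [ -n "$pw" ] || return 1
    # Exact field match via awk, so regex metacharacters in $user are inert.
    line=$(awk -F: -v u="$user" '$1 == u { print; exit }' "$db" 2>/dev/null || true)
    [ -n "$line" ] || return 1
    salt=${line#*:}; salt=${salt%%:*}
    stored=${line##*:}
    [ "$(hash_pw "$salt" "$pw")" = "$stored" ]
}

# check_credfile DBFILE CREDFILE: the entry point OpenVPN calls (via-file)
check_credfile() {
    user=$(sed -n '1p' "$2")
    pw=$(sed -n '2p' "$2")
    if verify_user "$1" "$user" "$pw"; then
        logger -t openvpn-auth "accepted user $user" 2>/dev/null || true
        return 0
    fi
    logger -t openvpn-auth "rejected user $user" 2>/dev/null || true
    return 1
}

# add_user DBFILE USER PASSWORD: enrol a user with a fresh random salt
add_user() {
    salt=$(head -c 8 /dev/urandom | od -An -tx1 | tr -d ' \n')
    printf '%s:%s:%s\n' "$2" "$salt" "$(hash_pw "$salt" "$3")" >> "$1"
}

# OpenVPN invokes the script with exactly one argument (the credential file).
if [ "$#" -eq 1 ]; then check_credfile "$DB" "$1"; exit $?; fi
```

With this script the server directive becomes `auth-user-pass-verify <path-to-this-script> via-file`, with `script-security 2`.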


Now, in my Client1 file above, add the line auth-user-pass somewhere (I placed it after comp-lzo).

Now when I VPN into the network, I have to enter a username and password. This is awesome.

## UPDATE 1/1/2011: Issue with PeerGuardian/MoBlock

I had issues connecting to a computer on the local network through OpenVPN. See this post for more details. To connect to it, just turn off PeerGuardian (sudo pglcmd stop).

## UPDATE 10/6/2011: Channel all internet traffic through VPN

The above method allows me to access computers on my home network. To route all internet traffic from my current device through the VPN (so that the IP address the world sees is my home network’s), check the “Direct clients to redirect Internet traffic” checkbox in the Advanced tab when setting up the VPN in Tomato (according to this post). That way, I can use the internet securely on a public network. I will only turn this feature on when I truly need it.

Unfortunately, DNS names then don’t resolve (only IP addresses work). I sought help here and obtained a solution there and here. To fix the DNS issue, I added the following three lines to the end of the client config created earlier:

```
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
```

and added

```
push "dhcp-option DNS 8.8.8.8"
```

to the “Custom Configuration” field under the “Advanced” tab of the VPN Server page on Tomato. The latter just tells clients to use Google’s DNS server.

## UPDATE 10/25/2014: Use on Android

I can VPN on Android via the OpenVPN app. It should work after I copy all my files (Client1.ovpn, Client1.key, Client1.crt, and ca.crt) into a single directory on Android and import Client1.ovpn in the app. However, I don’t want to leave my keys on my phone like that for security reasons, and the Help file in the OpenVPN app suggests creating a PKCS#12 file and adding it to the Android keychain instead. To do so, first remove the three lines referencing Client1.key, Client1.crt, and ca.crt from the Client1.ovpn file, and import that ovpn file instead. On Linux, do

```sh
openssl pkcs12 -export -in Client1.crt -inkey Client1.key -certfile ca.crt -out Client1.p12
```

to generate Client1.p12. Enter an export password (you will be asked for it when importing into the Android keychain). Transfer the file to the phone and import it via the OpenVPN app (so only the Client1.ovpn and Client1.p12 files are needed), entering the export password. Now one should be able to connect to the VPN after entering the username and password from the auth-user-pass-verify method. This is cool!

## Tomato on Asus RT-N16 router

Recently I’ve been using DD-WRT as my firmware of choice for my main router at home and for the one I use as a wireless bridge. I recently purchased an Asus RT-N16 for a variety of reasons:

1. Gigabit ethernet,
2. DD-WRT,
3. 2 usb ports (for NAS and printers),
4. Wireless N, and
5. Great with bittorrent.

Reason 1 was the real reason I wanted a new router, since I have a NAS connected to it via ethernet, and I plan on getting an HTPC soon (connected either wirelessly or through ethernet) and/or some nettop boxes that can connect to the NAS (I’m tired of copying things to USB). Reason 3 wasn’t much of a concern anymore since I recently bought an Acer NAS with Ubuntu Server loaded on it (this deserves its own post). I’ve been hearing about this thing called Tomato that is supposedly even better than DD-WRT. I’ve been wanting to try it, especially since it is supposed to work well on the Asus router, particularly for USB support (I don’t think USB is supported in DD-WRT, but that’s a guess, since DD-WRT is great and has a large community supporting it). I decided to load this (currently beta) mod of Tomato (don’t use this one, since it does not support the RT-N16). I had trouble loading it after flashing the router to DD-WRT; it turns out I needed an exact version of DD-WRT loaded first. Follow this guide to get it going.

Note: I had a problem getting wireless working with my MacBook. Things worked when I flashed the OpenVPN build of Tomato with TKIP/AES encryption in WPA/WPA2 (I think this part is the answer).

Also: to do a factory reset (erase NVRAM?) on the Asus, all I have to do is unplug the router, hold the WPS button, plug the router back in, and release the WPS button. I don’t think I have to do the 30-30-30 reset (I don’t even know if that works on this one).