Secured connection to network (Android + OpenVPN)

Maybe you are using free wifi hotspots in your favorite cafe, restaurant or on airport.

Maybe your GSM Carrier is tracking your traffic in internet, of course for profiling/ad cause (I’m looking at you T-Mobile, I remember that you inject your internet plans ads in Twitter app)

Security wise there is a lot more of danger waiting at you at those ‘free’ hotspots.

So what to do?

What if I told you that you can still can use those bad but free hotspot while having somekind of protection? That you could hide some of that sweet-sweet traffic for yourself…

The solution that I want to introduce to you is a VPN

You don’t have to root your android phone to use vpn.

“OpenVPN fo Android” will work with payed service as self-hosted one (this is how you can setup one)

Advanced settings that will save your battery:

To protect your connection VPN need to be connected all the time – vpn don’t know when your application will get push notification, or when your friend will make a wificall to you. So it can drain battery a bit more than without using it. But you don’t have to sacrifice your battery life that much. We can tweak some settings to make it less battery hungry.

Edit two options in your vpn server config file /etc/openvpn/server.conf:

proto tcp
keepalive 1800 3600

1 2	proto tcp keepalive 1800 3600

Allow new TCP port to accept connection:

ufw allow 1194/tcp

1	ufw allow 1194/tcp

Now change one setting on your android openvpn client config:

proto tcp

proto tcp

Remember to restart/reload your openvpn server so the new config will be used.

small Warning: TCP Protocol wasn’t meant to be used with VPN connection, with unstable internet connection you can fell a bit discomfort, but still the battery drain will be significant lower than with UDP setting.

FreeNas, Transmission and Corrupted Files – Part 1

After many years of just ‘taking’ I mature and upgraded my setup to be able to give community back what I took.

I setup RAID 6 FreeNas machine. Thanks to playing with those I understood why everybody in FreeNas community hate Realtek and why people just say to throw it away and get something that works (FreeNas: Realtek 8111F and re0: Watchdog Timeout Error and FreeNas: Realtek 8111F and “re0: Watchdog Timeout Error” – universal solution). In the end I join the ‘hate club’ and bought Intel PRO 1000 PT Dual Port NIC. Fun part is that Linux handle Realtek with ease but I been with Linux when It didn’t like most of hardware that Windows support so I can understand that there are still hardware issues with FreeBSD.

Cool, FreeNAS install without any issues.

If you unfamiliar with FreeNAS it comes with ‘plugins’ that are basically jails with pre-configured application that ‘just works’.

I slap that Install button and almost instantaneous I had working Transmission 2.93 (FreeNAS should work about pushing updates to plugins faster but yeah, nothing to complicate that we cannot fix ourself if needed)

I mounted needed directories, slap few torrent files that I already had there and enjoyed how transmission is handling all those sweet, sweet files out there.

And Tranmission was working and it was doing good. But after many, many torrent more that join the seeding happy farm not many people did connect to share the love from me. I started tweaking Transmission. Setting by setting I scope documentation looking for holy grail, some magic setting that would boost simultaneous connections. I found few. So I created new config file, and it was good. Not the best but I notice some connection increase. But I was thinking that maybe its because the application is inside jail aka virtual network interface. Few threads on popular forums, many many blog post later I saw the solution allow.raw_sockets=true. Great I saw a big improvement with connections – but who know if that was really all this tweaking doing or just someone join the swarm.

Few days later I notice big (I could even say tremendous) packet drop from/in my network. What was happening ? Router that is used between NAS and WAN have working QoS rules so it shouldn’t be a problem with using to much of bandwidth… So what was it ?

Culprit here was the CPU inside the router – we need to remember that using fancy feature that make router even smarter use CPU. QoS, Firewall, VPN all of them take some of that sweet-sweet pie (CPU). But why its dropping packets you ask? Simple, there is less and less CPU power to handle all the traffic that is going to and from network so everything is super slow. But wait, didn’t it work before Transmission? Yes it did – and we could disable some functions but we can do better. Lets optimize some firewall rules, we can cut QoS from 10 types to 5 without big sacrifices. Is that enough? No, but we can tweak both Transmission and firewall rule for it. Let set ‘Max connections’ to smaller number and double that with same (or 1% more on firewall rule so we are double sure that anything that is marked as ‘new connection’ and is about our limit get dropped).

And this gave enough room for that sweet-sweet pie named CPU could handle ‘few’ packets more.

And it was good for months and months…

Until the corruption start to show !

(continue in part 2)

Sniffing traffic on Mikrotik routers

Mikrotik routers are great hardware. With one you can mirror traffic that go thru on so you will be able to sniff trafic as you would being directly connected between target and router (or behind one)

#enable sniffing tool
/tool sniffer set streaming-enabled=yes streaming-server=ip.you.will.operate
/tool sniffer start

#enable sniffing tool

/tool sniffer set streaming-enabled=yes streaming-server=ip.you.will.operate

/tool sniffer start

This way you can run tool like wireshak on your computer (the ip you put as streaming-server) and look thru it.

Remamber that mirrored traffic will be transported as TZSP (udp port 37008)

Mikrotik – Send email with information about clients connecting to WiFi network

Mikrotik devices give a lot of configuration options to play with, and this post is one of those configuration which automatically register information about login/logouts in wifi network, and at daily basis send them to custom email address.

Let assume you have already configure email capability in mikrotik system.

Next we want to set topic of information we want to store to file (ex. wifi.log):

#winbox
system > logging > actions > add > wifilog, type:disk, filename: wifi.log
system > logging > rules > add > topics: wireless, info action: wifilog

#console
/system logging action add name=wifilog disk-file-name=wifi.log target=disk
/system logging add action=wifilog topics=wireless

#winbox

system > logging > actions > add > wifilog, type:disk, filename: wifi.log

system > logging > rules > add > topics: wireless, info action: wifilog

#console

/system logging action add name=wifilog disk-file-name=wifi.log target=disk

/system logging add action=wifilog topics=wireless

Next lets create script that will be backuping log file, send it to your email account, delete backup to free up some space and delete user that will do those things to not make it a easy target:

#winbox 
system > scripts > add > name: event_wifi

#console
/system script add name=event_wifi

#wklejamy zawartość skryptu:
/user group add name=wifi policy=ftp,read comment="wifi log"
/user add name=wifi group=wifi address=127.0.0.1 comment="wifi log" password=your_password disabled=no
/tool fetch address=127.0.0.1 mode=ftp user=wifi password=your_password src-path=wifi.log.0.txt dst-path=wifi34.txt
:delay 10
/tool e-mail send file=wifi.txt to="your_email@example.com" body="raport" subject=([/system identity get name] . " " . [/system clock get time] . " " . [/system clock get date] . " WiFi Log")
/file set wifi.log.0.txt contents=""
:delay 30
/file remove wifi.txt
/user remove "wifi"
/user group remove "wifi"

#winbox

system > scripts > add > name: event_wifi

#console

/system script add name=event_wifi

#wklejamy zawartość skryptu:

/user group add name=wifi policy=ftp,read comment="wifi log"

/user add name=wifi group=wifi address=127.0.0.1 comment="wifi log" password=your_password disabled=no

/tool fetch address=127.0.0.1 mode=ftp user=wifi password=your_password src-path=wifi.log.0.txt dst-path=wifi34.txt

:delay 10

/tool e-mail send file=wifi.txt to="your_email@example.com" body="raport" subject=([/system identity get name] . " " . [/system clock get time] . " " . [/system clock get date] . " WiFi Log")

/file set wifi.log.0.txt contents=""

:delay 30

/file remove wifi.txt

/user remove "wifi"

/user group remove "wifi"

Don’t forget to setup scheduler that will run our script on daily basis:

#winbox
system > scheduler > add > name: wifi interval: 24:00:00 on event: event_wifi

#console
/system scheduler add name=wifi interval=24:00:00 on-event=event_wifi

#winbox

system > scheduler > add > name: wifi interval: 24:00:00 on event: event_wifi

#console

/system scheduler add name=wifi interval=24:00:00 on-event=event_wifi

M	T	W	T	F	S	S
« Dec
	1	2	3	4	5	6
7	8	9	10	11	12	13
14	15	16	17	18	19	20
21	22	23	24	25	26	27
28	29	30	31