blog.plee.me About software, technology and random things

4 Jan 2018

Using OpenVPN For All Network Traffic Except For LAN

Hi!

Recently I noticed that my Android smartphone could not connect to YouTube through third-party apps. I narrowed it down to the phone resolving hostnames to the correct IPv6 addresses but then failing to connect to them (somehow the IPv6 part of my internet connection is broken; a problem for a different time).

To work around the problem I am using an OpenVPN connection, which automatically forces all outgoing connections to use IPv4 rather than IPv6. The only problem was that connections to the internal LAN no longer worked.

In the .ovpn configuration file I am using

redirect-gateway local def1

(because it is a WiFi connection), but I was also using

redirect-gateway def1

before that, which did not make any difference in that regard.

If you add a route directive like the following one after the redirect-gateway directive, you add an entry to the routing table that sends all traffic for the specified network over the WiFi connection instead of the VPN:

redirect-gateway local def1
route 192.168.0.0 255.255.255.0 net_gateway

You will probably have to adjust the network address, and maybe the subnet mask as well, to match your own LAN. Keep in mind that traffic to that network then bypasses the tunnel entirely, so it is no longer protected by the VPN.

The routing table is essentially a prioritized list that lets the operating system decide which network adapter to use for a given destination: the entry with the most specific (longest) prefix wins. With the above entry you add a /24 route that is more specific than, and therefore overrides, the generic ones from the OpenVPN connection. Those are added because of redirect-gateway def1, which installs routes for 0.0.0.0/1 and 128.0.0.0/1 pointing at the virtual VPN adapter; together they cover the whole address space and beat the original default route, effectively sending all traffic over the VPN.
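To see why the /24 route wins over the two /1 routes that def1 installs, here is a small longest-prefix-match simulation of the table described above. It is an added illustration, not part of the original post; the gateway addresses (WiFi router 192.168.0.1, VPN gateway 10.8.0.1) and interface names are assumptions.

```python
"""Longest-prefix-match simulation of the routing table described above.

Added illustration, not from the original post. The gateway addresses
(WiFi router 192.168.0.1, VPN gateway 10.8.0.1) and the interface names are
assumptions; a real table has more columns and routes than modelled here.
"""
import ipaddress
from typing import List, Tuple

# One routing-table entry: (destination network, gateway, interface)
Route = Tuple[ipaddress.IPv4Network, str, str]


def routes_for(ovpn_directives: List[str]) -> List[Route]:
    """Translate the post's client directives into the routes OpenVPN installs."""
    table: List[Route] = [
        # The normal default route via the WiFi router, present before the VPN comes up.
        (ipaddress.ip_network("0.0.0.0/0"), "192.168.0.1", "wlan0"),
    ]
    for line in ovpn_directives:
        parts = line.split()
        if parts[:1] == ["redirect-gateway"] and "def1" in parts:
            # def1 does not delete the default route: it adds two /1 routes that
            # together cover everything and are more specific than 0.0.0.0/0.
            table.append((ipaddress.ip_network("0.0.0.0/1"), "10.8.0.1", "tun0"))
            table.append((ipaddress.ip_network("128.0.0.0/1"), "10.8.0.1", "tun0"))
        elif parts[:1] == ["route"] and len(parts) == 4 and parts[3] == "net_gateway":
            # net_gateway means the pre-existing (non-VPN) default gateway, i.e. the WiFi router.
            net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
            table.append((net, "192.168.0.1", "wlan0"))
    return table


def lookup(table: List[Route], dst: str) -> Route:
    """Pick the matching entry with the longest prefix, which is what the kernel does."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen)


if __name__ == "__main__":
    cfg = ["redirect-gateway local def1", "route 192.168.0.0 255.255.255.0 net_gateway"]
    table = routes_for(cfg)
    # 203.0.113.10 is a documentation address standing in for any internet host.
    for dst in ("192.168.0.20", "203.0.113.10"):
        net, gw, dev = lookup(table, dst)
        print(f"{dst} -> {net} via {gw} on {dev}")
```

Without the route directive, 192.168.0.20 falls into 128.0.0.0/1 and goes through tun0, which is exactly the LAN breakage described above.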

If you are configuring this from the OpenVPN server side you can of course still use these directives, but wrapped in the push directive (push "redirect-gateway def1" and push "route 192.168.0.0 255.255.255.0 net_gateway"). I am not doing that, however, so I saved both directives in the client configuration.

Now I can watch / listen to YouTube videos with third-party apps AND connect to LAN devices!

I hope this was helpful to you.

Thank you for reading!

23 Feb 2017

Getting a Let’s Encrypt Certificate Through DNS Challenge With Cloudflare

Hi!

A couple of days ago one of my subdomains' SSL certificates expired.

Instead of paying for a renewal, I decided to have a first look at getting a free certificate from the Let's Encrypt Certificate Authority.

Ideally I would have set up a mechanism for automatic certificate renewal, so that I would not have to do it myself every 3 months, which is the maximum validity period of Let's Encrypt certificates. In this case, however, that was more easily said than done. The service I intend to use the certificate with runs on a shared IP and listens on a non-standard HTTPS port, because the standard HTTP and HTTPS ports are already used for something else. That ruled out every HTTP/HTTPS-based challenge for verifying hostname ownership, which is an essential part of the Let's Encrypt certificate issuance process.

After some searching I found a great solution that enabled a half-automated, half-manual approach:

lukas2511's dehydrated ACME client in conjunction with kappataumu's Let's Encrypt Cloudflare hook.

This shell-based ACME client can obtain a Let's Encrypt certificate using the dns-01 challenge. That way, you only have to create a DNS TXT record (containing a value derived from the challenge) to verify your ownership of the hostname, instead of uploading content to the web server. The Cloudflare hook can create and delete that record automatically if Cloudflare is what you use for your DNS record management.
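The following is an added illustration of what the dns-01 challenge actually exchanges (RFC 8555, section 8.4), modelling both the hook's side and the CA's side. It is not code from dehydrated or the Cloudflare hook; the token, the account-key thumbprint and the dictionary standing in for a Cloudflare zone are constructed sample values.

```python
"""dns-01 challenge lifecycle as used in this post (RFC 8555, section 8.4).
Added illustration, not code from dehydrated or the Cloudflare hook; the token,
account-key thumbprint and the dict standing in for a Cloudflare zone are constructed."""
import base64
import hashlib
from typing import Dict, List

Zone = Dict[str, List[str]]  # record name -> list of TXT values


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses for these values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def dns01_record(domain: str, token: str, thumbprint: str) -> Dict[str, str]:
    """Name and value of the TXT record the CA queries. dehydrated computes this digest
    itself and hands it to the hook's deploy_challenge as TOKEN_VALUE."""
    key_authorization = f"{token}.{thumbprint}"  # CA token + RFC 7638 thumbprint of the account key
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return {"name": f"_acme-challenge.{domain}", "type": "TXT", "content": b64url(digest)}


def deploy_challenge(zone: Zone, domain: str, token: str, thumbprint: str) -> None:
    """The hook's first job: publish the record (here into a dict, not via the Cloudflare API)."""
    rec = dns01_record(domain, token, thumbprint)
    zone.setdefault(rec["name"], []).append(rec["content"])


def clean_challenge(zone: Zone, domain: str, token: str, thumbprint: str) -> None:
    """The hook's second job: remove the record again once validation is over."""
    rec = dns01_record(domain, token, thumbprint)
    zone[rec["name"]] = [v for v in zone.get(rec["name"], []) if v != rec["content"]]


def ca_validates(zone: Zone, domain: str, token: str, thumbprint: str) -> bool:
    """The CA's side: look up the TXT records and check that the expected digest is among them."""
    rec = dns01_record(domain, token, thumbprint)
    return rec["content"] in zone.get(rec["name"], [])


if __name__ == "__main__":
    zone: Zone = {}  # constructed stand-in for the Cloudflare zone holding example.org
    args = ("hostname.example.org", "constructed-token", "constructed-thumbprint")
    deploy_challenge(zone, *args)
    print(dns01_record(*args), ca_validates(zone, *args))  # ... True
    clean_challenge(zone, *args)
    print(ca_validates(zone, *args))  # False
```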

The instructions for both the ACME client as well as the hook are pretty straightforward, so I recommend reading those if you are interested in trying this approach.

These are the changes I made in the config file (just as an example):

  • Set "http-01" as the CHALLENGETYPE (explanation below):
    CHALLENGETYPE="http-01"
  • Set "rsa" as the KEY_ALGO:
    KEY_ALGO=rsa
  • Add environment variables with config for the Cloudflare hook script at the end:
    export CF_EMAIL='[email protected]'
    export CF_KEY='1234567890abcdef1234567890abcdef'
    export CF_DEBUG=true

When attempting to execute dehydrated for the first time, it asks you to accept the terms. You can do that by simply entering this command:

$ ./dehydrated --register --accept-terms

Now you might wonder why I set the CHALLENGETYPE to "http-01" instead of "dns-01". The reason is that with "dns-01" configured the terms could not be accepted; it gave me the following error: "ERROR: Challenge type dns-01 needs a hook script for deployment... can not continue."

The command I used to generate the certificate specified the challenge type "dns-01" and the hook script explicitly anyway:

$ ./dehydrated -c -d hostname.example.org -t dns-01 -k hooks/cloudflare/hook.py

The first challenge attempt failed for me, but the execution went on to retry and ultimately finished successfully.

Afterwards, you can find the certificate files in the subdirectory "certs/hostname.example.org/".

I installed and executed the software in a local Linux virtual machine without any problems and then copied the certificate files over to the destination server manually. Technically I could have done this on the production system as well, but I did not want to store my Cloudflare API credentials on it. It will be interesting to see how annoying the steps become after a few repetitions. Maybe some other solution will have come along by then.

Hopefully this was a helpful recommendation for you.

Thanks for reading!

18 Jan 2017

PhonerLite With FRITZ!Box

Hello!

If you want to set up the PhonerLite VoIP/SIP client with your FRITZ!Box so that you can receive phone calls on your computer as well, you should of course have a look at the official AVM documentation (such as the one for the FRITZ!Box 7390).

However, I encountered the following problems:

  • outgoing calls would result in a "480 Temporarily Unavailable" error (even the test number **797)
  • saving the configuration (tab "Configuration" => "Save" button) repeatedly would cause the status bar to alternate between
    • showing a red indicator and the error message "sip:<number>@fritz.box not registered <Connectivity Checks Failed>" every second click
    • showing a green indicator and the message "sip:<number>@fritz.box registered" every other click

I changed the following server / connection settings to fix the problem:

  • Proxy/Registrar: <FRITZ!Box IP address instead of fritz.box, e.g. 192.168.1.1>
  • Domain/Realm: fritz.box

After that, every time I saved the configuration it would show the success indicator and message, and telephony just worked in general.

My local network interface uses an external DNS server for hostname resolution, and I have added the fritz.box name manually to my hosts file. This might be why using the hostname was causing me problems.

I hope this was of help to you in case you encounter this as well.

Thanks for reading!