Page 35 of 342 for Scott Gruby’s Blog

Sep 5, 2016
Review: Feit 48ft. LED Outdoor String Lights
Recently my neighbor has been redoing his backyard and I saw that he put in low voltage lights around the perimeter of it. This made me a little jealous as I only put in low voltage lightning under parts of our deck and not around the perimeter. While I do have floodlights in the backyard, they are for security lightning and not really lighting the backyard when we use it. So, my choices for adding lights were quite limited.

I remembered that Costco had some string lights, so I looked online and found some Feit LED string lights. I ordered 2 sets of these and they arrived last week. I chose these over the cheaper incandescent ones because of the lower power consumption, plastic bulb covers, and ability to dim them. After getting the lights, I strung them up without reading the instructions (what could they say besides plug them in?). They looked nice, but there was a lot of tension in the wire and the connection between the 2 sets had a lot of stress that didn't make it secure.

So, I decided to glance at the directions and it said that for spans over 24 feet, that the lights should be secured to a cable or wire. That made a lot of sense. This past Saturday, I prepared my parts list, went to Home Depot, and went about securing the wire rope to a pole, my house, and our deck. It was a clean install, just a bit time consuming. I then used small black zip ties to attach the string lights to the rope. One huge advantage of using the wire over just supporting the lights from the ends was that they didn't sag.

When it finally started getting dark, I turned on the lights and lit up the backyard. Even though the lights are about 15W each strip, they put out a significant amount of light. My wife loved them and I was pretty pleased with my work. The next evening we had friends over and we got positive comments about the lights which made me feel like putting up the lights was another good decision.

The lights appear well constructed, are UL listed (the transformer/rectifier is UL listed for being rainproof, but I have it in an outdoor box with a cover).

Pros
- Put out a lot of light.
- Dimmable.
- Can choose from a few colors. (Not sure that is a pro.)
- Wireless remote to turn the lights on or off.
- UL listed.
- Low power consumption.
Cons
- For longer spans, an extra wire/cable is needed which adds to the expense and makes installation harder.
- Wireless remote seems a bit flakey.
- Colors other than the white are pretty useless.
Summary

If you're looking for a way to light up a backyard (or even a front yard), these lights should do the trick. I noticed yesterday that Costco sold them in the warehouse which would have saved me $10 shipping. Of course with anything plugged in outside, make sure it is UL listed. This set of lights meets that requirement for me. I'm quite pleased with the results and am not sure why I didn't think of it sooner. Buying them from Costco made the purchase a no-brainer because of Costco generous return policy; there is nothing to lose by trying them.
Aug 10, 2016
Setting up an EdgeRouter Lite for an On Demand iOS VPN
Ever since I started my career, I've used Virtual Private Networks (VPN) to connect to a company network. My first experience is with AppleTalk Remote Access and I thought it was neat to be able to have my home computer on the work network. Over my career, I've used VPNs mostly as a user as I had no use for one as a home user.

When I setup cameras at my house over 3 years ago, I wanted to remotely connect to the cameras. Since I put together my own system, there wasn't an out of the box way to view the cameras (it does have a web interface, but I didn't want to directly expose that to the world). This gave me the first experience in setting up a VPN. I turned on Mac OS X Server's VPN, configured my iOS devices for the VPN and I was easily able to connect.

Recently I've been working with mobile device management (MDM) and one of the features that I've been reading about is on-demand VPN. I became curious about it and wanted to see if I could set it up more of an exercise than anything else, but also it would be useful to hop on any WiFi network and automatically connect to my home network. The iOS on-demand VPN requires that the VPN use certificate authentication instead of just a username and password. Unfortunately, the OS X Server's L2TP IPSec VPN doesn't support certificates, so I had to look to other options. Luckily, my EdgeRouter Lite can be configured as an OpenVPN server with certificate authentication. Given that, the only obstacle to setting this up was time and some futzing to get things right. I've scoured the web and managed to find the pieces to get things working.

The rest of this entry will document how to setup the server as well as the iOS client side. For the server setup, I followed this article, but had to make a few changes to get things to work the way I wanted. I then used another article to setup the iOS side.

This is a really long setup, but it is straightforward. If you're intimidated by command lines and editing text files, this process is not for you!

Certificate Setup
1. SSH into the EdgeRouter Lite
2. Setup a new certificate authority that will be used to create new client certificates for the VPN. Issue the following commands, one per line. Follow the prompts when you run the commands.
```
configure
sudo su
cd /usr/lib/ssl/misc/
./CA.sh -newca
```
3. Create a new server certificate and sign it. Follow the prompts when you run the commands; you'll need to enter a password for the new request. We'll remove it in another step.
```
./CA.sh -newreq
./CA.sh -sign
```
4. Copy the certificate authority key and certificate to an area of the router that will survive a firmware upgrade.
```
cp demoCA/cacert.pem demoCA/private/cakey.pem /config/auth/
```
5. Also copy the server certificate to the same place.
```
mv newcert.pem /config/auth/server.pem
```
6. Display the certificate authority certificate using cat /config/auth/cacert.pem and then copy it into BBEdit or another text editor on your local computer; save it to your hard drive.
7. Remove the password on the private key for the server so that the VPN server can start automatically.
```
openssl pkcs8 -in newkey.pem -out /config/auth/server-pem.key
```
8. Generate the Diffie-Hellman Paramters; this takes a long time.
```
openssl dhparam -out /config/auth/dhp.pem -2 1024
cp dhp.pem /config/auth
```
9. The next part is generating the client certificates. The recommendation is to have 1 client certificate per client. However, this would require me to have 1 for my iPad and 1 for my iPhone complicating setup. While having 1 certificate for both may not be recommended, it is the route I chose. When prompted, enter a password for the new key and then the last line will remove it. Don't enter a challenge password.
```
./CA.sh -newreq
./CA.sh -sign
mv newcert.pem client-cert.pem
openssl pkcs8 -in newkey.pem -out client-key.pem
```
10. Display the certificate using cat client-cert.pem and past it into BBEdit and then saved it.
11. Do the same thing with the key using cat client-key.pem and saved it to my Mac.
12. On my Mac, do the following in Terminal (make sure you're in the same directory as where you saved the certificate and key). When exporting, set a password that you'll use later.
```
openssl pkcs12 -export -out client1.p12 -inkey client-key.pem  -in client-cert.pem
```
OpenVPN Server Setup
1. SSH into the EdgeRouter Lite if you haven't already.
2. Exit out of sudo mode using exit if you're still using the same session as before.
3. Enter configuration mode:
```
configure
```
4. Start editing the VPN tunnel (I didn't know that by entering a full path to an object, you didn't have to enter a full command for subsequent items):
```
edit interfaces openvpn vtun0
```
5. Setup the server.
```
set mode server
set local-port 1194
```
6. Select a subnet. Choose a subnet that doesn't overlap with other subnets on your LAN. Notes have also indicated that you should pick an IP range that isn't used on other networks as you could have routing problems, but I'm not completely positive that is true. If you're routing everything over the VPN, the device should use that route first.
```
set server subnet 10.0.20.0/24
```
7. Configure the TLS parameters
```
set tls ca-cert-file /config/auth/cacert.pem
set tls cert-file /config/auth/server.pem
set tls key-file /config/auth/server-pem.key
set tls dh-file /config/auth/dhp.pem
```
8. The notes indicate for EdgeMax 1.8 firmware and higher, you can turn on IPv6 support. I'm not running that, yet, so I didn't do this.
```
set protocol udp6
```
9. For my purposes, I want all the traffic to go over the VPN. I'm not sure if the second line is strictly needed.
```
set openvpn-option "--push redirect-gateway"
set server push-route 10.0.1.0/24
```
10. Since I run Pi-hole for blacklisting advertising, I want to continue to do that even when connected to my VPN. (Yes, I know websites make money off the ads, but the ads really need to get better and more relevant before I'll turn this off.) I set my DNS to the same entries that I set on the EdgeRouter's DHCP server.
```
set openvpn-option "--push dhcp-option DNS 10.0.1.2"
set openvpn-option "--push dhcp-option DNS 10.0.1.1"
```
11. Now a few extra OpenVPN options. I allow the same certificate to be used by multiple clients, so I have that option as well as one to enable compression.
```
set openvpn-option --comp-lzo
set openvpn-option --duplicate-cn
```
12. Next up are the firewall rules to allow clients to connect from the outside to the EdgeRouter Lite.
```
top
edit firewall name WAN_LOCAL 
set rule 4 action accept
set rule 4 description “OpenVPN”
set rule 4 destination port 1194
set rule 4 protocol tcp_udp
set rule 4 log disable
```
13. If you have an IPv6 firewall, you might add something like this.
```
top
edit firewall name WANv6_LOCAL 
set rule 4 action accept
set rule 4 description “OpenVPN”
set rule 4 destination port 1194
set rule 4 protocol tcp_udp
set rule 4 log disable
```
14. That's it for the server setup! Finally do:
```
commit
save
exit
```
15. Check that the OpenVPN server is running using:
```
ps -ef | grep openvpn
show openvpn server status
```
The last line can be used when clients are connected to monitor it.

Good work if you've followed along this far! Next up is the client setup which has a bunch of steps as well.

iOS Client Setup
1. Locate the p12 file that you created on your Mac.
2. Download Apple Configurator from the Mac App Store.
3. Select New Profile from the File menu.
4. Fill out the General information for the profile. You can leave the Identifier as is.
5. Click on Certificates and then press Configure. Select the .p12 file you created way back in the first part of the instructions.
6. Give the certificate a name and enter the password you used when exporting the p12 file.
7. Select the VPN section and click Configure.
8. Enter a name for the connection.
9. Select Custom SSL for the Connection Type.
10. Enter net.openvpn.OpenVPN-Connect.vpnplugin for Identifier.
11. Enter the hostname for the Server. I recommend your Dynamic DNS hostname here. I wouldn't recommend a CNAME as I'll explain later.
12. Enter some username for the account; it won't be used.
13. Enter a placeholder key/value pair. You'll edit this by hand later.
14. Select Certificate for User Authentication and then pick the certificate you added earlier.
15. Enable VPN On Demand. You'll hand edit this later as well.
16. Select a Disconnect on Idle value; I selected Never.
17. Save the profile to your Desktop (or somewhere else). Don't sign it as signing it will prevent you from editing it by hand which is needed to properly setup the VPN On Demand. Configurator doesn't handle all the options present in current iOS versions.
18. Open the .mobileconfig file in BBEdit. BTW, if you haven't bought BBEdit, you should definitely buy it. While the current version offers basic functionality for free, this is a tool that should always remain in your tool belt.
19. Look at the section called VPN. Mine is basically below. You'll need to change a few entries.
```
    VPN
    
        AuthName
        scott
        AuthenticationMethod
        Certificate
        DisconnectOnIdle
        0
        OnDemandEnabled
        1
        OnDemandRules
        
            
                Action
                Disconnect
                SSIDMatch
                
                    My Network 5 GHz
                    My Network
                
            
            
                Action
                Disconnect
                InterfaceTypeMatch
                Cellular
            
            
                Action
                Connect
                InterfaceTypeMatch
                WiFi
            
            
                Action
                Ignore
            
        
        PayloadCertificateUUID
        SOME_IDENTIFER_REPLACE_WITH_WHAT_YOU_HAVE
        RemoteAddress
        vpn.example.com
    
    VPNSubType
    net.openvpn.OpenVPN-Connect.vpnplugin
    VPNType
    VPN
    VendorConfig
    
        dev
        tun
        proto
        udp
        remote
        vpn.example.com 1194
        cipher
        BF-CBC
        resolv-retry
        infinite
        nobind
        NOARGS
        persist-key
        NOARGS
        persist-tun
        NOARGS
        comp-lzo
        NOARGS
        link-mtu
        1542
        ca
        -----BEGIN CERTIFICATE-----\nMIID...bAqZZCQYgHwAh9bW\n-----END CERTIFICATE-----\n
        cert
        -----BEGIN CERTIFICATE-----\nMIID...1jCCAr6gAwIBAgIBC\n-----END CERTIFICATE-----\n
        key
        -----BEGIN RSA PRIVATE KEY——\nMIIG4wIBAAKCAYEA...psUtuM+qAfu\n-----END RSA PRIVATE KEY-----\n
    
```
20. Change the PayloadCertificateUUID to whatever is already in your config file.
21. Change the vpn.example.com references to your VPN address.
22. For the section that starts with BEGIN CERTIFICATE for the ca, find the cacert.pem that you saved to your hard drive. Open that in BBEdit and remove all the returns in the file. After the first line replace the return with \n. Before the last line put a \n and then another one after the line. You should end up with a big long line!
23. For the cert, repeat the above using the client-cert.pem from earlier.
24. For the key, repeat the above using the client-key.pem from earlier.
25. The OnDemandRules are described in Apple's documentation. My setup basically says that if I'm on a trusted network, disconnect the VPN. When on cellular, also disconnect the VPN (I trust the cellular network for now). If I'm on any other network, connect the VPN. The last item just falls through, but I suspect it will never get there. In my example, change the names of the trusted SSIDs.
26. The VendorConfig section are the OpenVPN options that should match the server.
27. Save the file.
28. Transfer the .mobileconfig file to your iOS device. I drop the file on AirDrop to my devices. If the formatting of the file is correct, the iOS device will ask you to install the file.
29. In the VPN section in iOS Settings, Connect and cross your fingers. That's it! Now when you wonder onto an unknown WiFi network, the VPN should automatically connect. It may take a few seconds for the connection to come up.
If you've made it this far, congratulations! I spent a few days working on this and hopefully I captured all the steps. Please send me corrections or feedback.

Notes
1. I mentioned earlier that a CNAME entry for my VPN server caused a problem and that is because if I'm connecting from inside my firewall (yes, I know it isn't needed), the client tries to go to the external IP address. By using an A DNS entry and doing the following on the EdgeRouter Lite:
```
configure
set system static-host-mapping host-name vpn.example.com inet 10.0.1.1
commit
save    
```
  You can have your client connect to the VPN from inside the firewall. This is useful if iOS gets confused and wants to connect to the VPN when it shouldn't.
2. I've noticed that sometimes iOS connects to my VPN even when it is on my network. The On Demand connection is evaluated when the network changes and I suspect iOS gets confused and starts evaluating the On Demand rules prior to getting an SSID. This isn't a big deal as my clients can connect to the VPN even on my own network.
3. The default certificates are good for 1 year. So you'll need to renew then after a year. I'll cross that bridge when I come to it.
4. If the certificate is compromised, I don't know how to do certificate revocations.
5. Treat the certificate and keys just as if they were passwords. This goes for the .mobileconfig file as well. The mobileconfig file has the password to the p12 file in clear text and anyone with that file can connect to your VPN and access your network.
6. The OnDemand rules are evaluated when the device changes networks and may take a few seconds to bring up the VPN. I always wait for the VPN icon to come up before doing anything on my device.
7. OpenVPN runs on UDP port 1194 by default. You can configure it for TCP 443, but I won't go into that because it seems like a pain and requires more changes.
Aug 7, 2016
10 Years of Storing Receipts Electronically
Just about 10 years ago, I got frustrated trying to find a receipt and embarked on storing all my receipts electronically. At the time, I couldn't find a Mac application to do this, so I wrote my own called ReceiptWallet, now called Paperless. I started scanning in just about every receipt and stored the receipts by year. This may seem quite excessive to many, but I've found that having easy access to receipts is invaluable.

Yesterday I found a crack in my toilet tank and after finding the warranty information, I contacted support (lifetime warranty on the toilet) and they wanted a copy of the receipt. It took me about 30 seconds to find the receipt and was able to easily email the PDF (along with pictures of the problem) to support. If I didn't scan in receipts, the chances of me finding it would have been very slim.

While scanning in every receipt may not be completely necessary, I don't have to worry later about missing a receipt. Yes, the $2 parking receipt isn't all that helpful, but when trying to categorize business expenses for taxes, it gives me another chance to easily see if I missed any expenses. Anyone that has a small business knows that it is quite important to track all business related expenses.

One of the keys to preserving receipts is to start with a high quality scanner. My scanner of choice (and has been for years) is the Fujitsu iX500 ScanSnap. The scanner isn't cheap, but it is fast and works well. The other is a good program to manage the receipts. I still use Paperless all the time; I try to scan in receipts a few times a week. A few minutes at a time is all it takes for me to keep up with the receipts.

It takes a certain kind of person to keep up with this process. I've found it easy to do and is proven to be helpful time and time again. It isn't for everyone as it requires some planning and up keep.
Aug 7, 2016
EdgeRouter Lite and Namecheap Dynamic DNS
For years, I'be connected back to my home network when I was away for various reasons. As my home network is on a residential cable modem, the IP address of the network is not guaranteed to remain the same. While it remains the same for long periods of time, I don't really want to take the risk of the IP address changing while I'm not home and not being able to access the network. The solution, of course, is Dynamic DNS (DDNS) where you run a small client on a machine that is running all the time that monitors the external IP address and then updates a DNS provider when it changes; the DNS provider uses a short TTL (time to live) to guarantee that the cached DNS entry doesn't last too long. For years, I've run SecuritySpy which has a built in DDNS client that connects to a service that the company runs. This has run flawlessly for me; I setup a CNAME DNS entry to point to the DDNS entry so that I can use a name that I remember. The CNAME lookup usually works fine, but I ran into a problem this weekend where it was causing problems for a VPN client. So, a quick search turned up that the registrar I use, Namecheap has a DDNS service that is already built into their DNS dashboard. Since I already use their DNS, setting up a DDNS entry took a few seconds.

Now that I had the entry setup, I needed something to update the entry when my IP address changed. Turns out that my EdgeRouter Lite has a built in DDNS client with Namecheap as one of the options. Unfortunately, it wasn't obvious what to put in all the fields. After a little searching, I found a post which had the magic formula. Basically Namecheap generates a password that is used to update the entry.

Here are the instructions for configuring it:
1. Login to the EdgeRouter Lite.
2. Click the Services tab.
3. Click the DNS tab.
4. Select the appropriate interface (in my case, it is eth0 that is my WAN).
5. Select namecheap as the service.
6. Enter the name of the host you setup in your DDNS entry on Namecheap; don't include the domain.
7. For the username, enter your domain.
8. For the password, enter the Dynamic DNS password from Namecheap.
9. Apply the changes and force an update.
It's pretty straightforward, but I wanted to document this so that I wouldn't have to search in the future.