Site-to-site SSL VPN with Zeroshell

2015-06-08 by Administrator, tagged as virtualization, vpn

Although network connections and coverage get better every day and the days of "Always online" may become true soon, I still prefer to be as autarkic as possible. This means, I carry my most important files with me, either on the laptop itself or on an external storage device.

But with virtual test environments the limit of laptop resources (mainly RAM) is reached quite quickly. So the idea was to create a site-to-site VPN between my laptop and my VM host at home. Since most of my virtual machines are Windows based I started using the integrated Routing and Remote Access Services for this purpose.

Though I did get PPTP (insecure DO NOT USE IN PRODUCTION) to work it was a bit of a hassle, mainly because the system had to be the default gateway at the same time and I wanted to have Internet breakouts at each site. I also wanted to try L2TP but never found the time to do so. Furthermore, you need a protocol that passes firewalls when working at a site that blocks traffic other than HTTP, so some sort of SSL VPN was required. Since Windows 2008 SSTP is supported, but I quickly came to the conclusion I needed a dedicated system for this with a really small footprint. Having this functionality on a shared system removes a lot of the flexibility when it comes to re-organizing your environment.

This is where Zeroshell came into play. I was looking for something in the manner of a one-disk-router thingy and I thought I had used one before but I could not find it anymore. So searching the Internet I finally came across Zeroshell. The setup was so simple and it worked so reliably that I have stuck with it since. In fact, it was so easy that I did not even document the steps I took to configure the site-to-site SSL VPN that I could show here. Maybe I will update this post when I have to set it up again (am currently planning to extend my VPNed network to another site hosted on Azure so will see ;-)

It comes with a lot more features (e.g. RADIUS, certificate authority (CA), captive portal to name only a few) and administration is done through a web interface. Since I do not use it in production I did not do any research on security but it comes with an integrated update mechanism and patches are frequent and the project seems to be buzzing. Thanks to the developers for the good work.

Root the Alcatel One Touch Fire to import trusted PKI root authorities

2014-01-22 by Administrator, tagged as firefox, firefoxos, hardware, mozilla, smartphone

By kind permission of John Karakatsanis

I recently got hold of an Alcatel One Touch Fire. It comes with Firefox OS version 1.1 and I have to admit I am quite impressed. I mean, it is by far not comparable to Android, iOS, or even Windows Phone devices but updates are frequent and the light at the end of the tunnel seems near. At least for my requirements. And btw, it's only 99.- €uros.

One of the biggest issues I had is that it is not possible to import additional trusted root authorities or simply accept untrusted self-signed certificates in applications other than the browser. Because it turned out to be easier than I thought after doing some research on the web, I decided it's time for a simpler (I hope) description.
Good news: no need to compile anything here.

The whole process should also work from a Windows system but I prefer Linux as most tools are already in the repositories. I usually flash my mobile devices from a virtual Ubuntu system running in a VirtualBox VM, but this time Fastboot would not work with USB looped through to the VM so I had to use an old Xubuntu laptop of mine where I could physically attach the device to a USB port.


Process Overview

  1. Install adb and fastboot on the host machine
  2. Install Mozilla NSS certutil on the host machine
  3. Get root access on device
  4. Update device certificate DB
  5. Reboot the device
  6. Have fun!


Install ADB and Fastboot

The tools are not in the official repositories but here is a link how to quickly get access: Install ADB And Fastboot Android Tools In Ubuntu Via PPA.

Once installed attach the device to the system via USB and invoke a terminal with root privileges, otherwise you might get permission issues when starting the ADB server. The following command tells you if your device is found:

root@host# adb devices
List of devices
015d21098658181a	device

The result should look like shown above. Otherwise something is wrong.

Install Mozilla NSS

On Ubuntu based systems an aptitude install libnss3-tools should be fine.

Get root access to device

I used the boot.img inside the ZIP from El Blog Simpicuitico, and the steps were described in a response to this German post: Fehlende Berechtigungen oder falsche Datei in adb shell. Don't worry, I'll translate.

First, you need to put the device into Fastboot mode. This is done by turning off the device and turning it on again. When turning it on make sure to press the VOLUME DOWN button for a short while. The device will not go further than the initial device vendor splash screen. To verify your device can be used with fastboot issue this command:

root@host# fastboot devices
HT08RPLo1735	fastboot

When a device is shown boot with the downloaded boot.img.

root@host# fastboot boot <PathToRootBoot.img>

Once booted, check if you get root access to the device console.

root@host# adb shell

The adb shell command gets you a console on the device. The prompt should tell you if you are root and if you are on the device.

Now check if you can access the folder where the certificate DB is stored. Note the name of the subfolder, which is a random string; it is used later on.

root@android:/# ls /data/b2g/mozilla/

Hit <CTRL>-<D> to leave the device again.

Update device certificate DB

This step follows the article Adding a CA to FirefoxOS step by step.

Create a folder and download the certificate DB from the device to it. Use the random string you found out in the step before.

root@host# mkdir -p keys && cd keys/
root@host# adb pull /data/b2g/mozilla/<RANDOMSTRING>.default/cert9.db .
root@host# adb pull /data/b2g/mozilla/<RANDOMSTRING>.default/key4.db .

Set an empty password for the DB. Just hit <RETURN> when prompted.

root@host# certutil -d sql:. -W
 Enter a password which will be used to encrypt your keys.
 The password should be at least 8 characters long,
 and should contain at least one non-alphabetic character.
 Enter new password: 
 Re-enter password: 

Now inject the certificate of the root certification authority (CA) that you want to add to the list of trusted CAs. The <CAName> can be arbitrarily chosen. <CAFile> is the path to your PEM encoded root CA certificate.

certutil -A -n "<CAName>" -t "PTCu,PCu,PTuw" -u "V" -d sql:. -i <CAFile>

Verify the last step was successful.

certutil -V -n "<CAName>" -u V -d sql:.

Finally, upload the DB back onto the device and reboot it. Use the same random string found out in the steps before.

root@host# adb push cert9.db /data/b2g/mozilla/<RANDOMSTRING>.default/
root@host# adb push key4.db /data/b2g/mozilla/<RANDOMSTRING>.default/
root@host# adb reboot


When the device has come up again you should now be able to use TLS/SSL services secured with a certificate that chains up to your own certification authority.
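Whatever you push into that cert9.db becomes a trust anchor for every app on the phone, so before running the certutil -A step it is worth checking that the PEM file really is a self-signed CA certificate and comparing its fingerprint with the one your CA operator gives you out of band. The following Python script is an added example, not part of the original post or of Firefox OS; it uses only the standard library, and the sample certificate it builds is a constructed toy with a dummy key and signature, good for nothing but exercising the parser.

```python
import base64
import hashlib
OID_CN = bytes.fromhex("550403")      # 2.5.4.3   commonName
OID_BASIC = bytes.fromhex("551d13")   # 2.5.29.19 basicConstraints

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(body):                               # body of a SEQUENCE/SET -> [(tag, value), ...]
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        out.append((tag, val))
    return out

def _common_name(name_body):                       # Name = SEQUENCE OF SET OF SEQUENCE{OID, value}
    for _, rdn in _children(name_body):
        for _, atv in _children(rdn):
            oid, val = _children(atv)
            if oid[1] == OID_CN:
                return val[1].decode()
    return None

def inspect_cert_pem(pem):
    """Subject/issuer CN, basicConstraints CA flag and SHA-256 fingerprint of a PEM certificate."""
    der = base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))
    tbs = _children(_children(_children(der)[0][1])[0][1])   # tbsCertificate fields
    i, is_ca = (1 if tbs[0][0] == 0xA0 else 0), False         # skip optional [0] version
    for tag, val in tbs:
        if tag == 0xA3:                                        # [3] extensions
            for _, ext in _children(_children(val)[0][1]):
                fields = _children(ext)                        # OID, [critical], OCTET STRING
                if fields[0][1] == OID_BASIC:
                    bc = _children(_children(fields[-1][1])[0][1])
                    is_ca = any(t == 0x01 and v == b"\xff" for t, v in bc)
    fp = hashlib.sha256(der).hexdigest().upper()
    return {"issuer_cn": _common_name(tbs[i + 2][1]), "subject_cn": _common_name(tbs[i + 4][1]),
            "is_ca": is_ca, "sha256": ":".join(fp[j:j + 2] for j in range(0, 64, 2))}

def root_ca_problems(pem):
    """Reasons not to import the file as a trusted root; an empty list means it looks like one."""
    info, problems = inspect_cert_pem(pem), []
    if info["issuer_cn"] != info["subject_cn"]:
        problems.append("not self-signed: issuer %r != subject %r" % (info["issuer_cn"], info["subject_cn"]))
    if not info["is_ca"]:
        problems.append("basicConstraints CA flag not set; this is not a CA certificate")
    return problems

def _tlv(tag, body):  # DER encoder for the constructed toy certificate below (dummy key and signature)
    k = (len(body).bit_length() + 7) // 8
    hdr = bytes([len(body)]) if len(body) < 128 else bytes([0x80 | k]) + len(body).to_bytes(k, "big")
    return bytes([tag]) + hdr + body

def _name(cn):
    return _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, OID_CN) + _tlv(0x0C, cn.encode()))))

def build_sample_cert_pem(cn="Example Lab Root CA", ca=True):
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")))   # sha256WithRSAEncryption
    validity = _tlv(0x30, _tlv(0x17, b"240101000000Z") + _tlv(0x17, b"340101000000Z"))
    spki = _tlv(0x30, alg + _tlv(0x03, b"\x00" * 9))                      # dummy public key bits
    bc = _tlv(0x04, _tlv(0x30, _tlv(0x01, b"\xff") if ca else b""))       # BasicConstraints{cA}
    exts = _tlv(0xA3, _tlv(0x30, _tlv(0x30, _tlv(0x06, OID_BASIC) + _tlv(0x01, b"\xff") + bc)))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + alg + _name(cn) + validity + _name(cn) + spki + exts)
    b64 = base64.b64encode(_tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" * 9))).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % "\n".join(b64[j:j + 64] for j in range(0, len(b64), 64))
```

On a real file, call inspect_cert_pem(open("<CAFile>").read()) and compare the printed sha256 with the fingerprint your CA operator published before running certutil -A.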


Shutdown Windows 8 the right way

2013-06-10 by Administrator, tagged as microsoft, software, windows

I start getting tired of hearing all those bizarre ways of how to best shutdown the new Windows 8 OS from Microsoft. Sometimes I hear people even recommending running shutdown.exe. WTF!?!

I have one way that works from Windows XP all the way up to 8 and even on KDE based Linux systems. Just hit:

<STRG> + <ALT> + <DEL>

and just hit the power button and click "Shut Down"

UPDATE: Some people say <WIN> + I is one button less to press but is does not get you to the "Switch User" and "Sign out/Log off" functionality. Btw, anyone knows why the stupid design guys at Msft changed "Log off" to "Sign out"? My pattern matching brain does not like reading!

yEd - The Microsoft Visio Alternative

2013-06-04 by Administrator, tagged as java, office, productivity, software, tools

I mostly make use of Microsoft Visio for network diagrams and sometimes flow charts. In the good ole study days there sometimes also was a need for UML diagrams and entity relationship models but that's not that common anymore.

I often tried to find a way to do the Visio stuff with a free alternative and I mostly came across tools like Dia, LibreOffice Draw, or Calligra Flow but I never got satisfied and came back to the Microsoft tool all the time. Just until now.

I know some of you will go nuts when I am talking about a Java application again but this time it's really worth it. Even if you are running Visio already you might want to consider this alternative just to make your diagrams look less boring or less like all the others.

The tool I am talking about is called yEd and it's free in terms of cost. I haven't found anything on the license model though. If you start it for the first time you'll see that there are only a few stencils to choose from, but it has IconFinder integrated. I personally prefer OpenClipart to search for SVG graphics that scale more friendly to the eye and import them into my own collection of stencils. Ah yes, there is also support for Visio stencils if you are the old fashioned kinda guy.

It is a recommended check out!

Plain IPsec connections between Linux and Windows with pre-shared key

2013-04-25 by Administrator, tagged as ipsec, linux, network, software, tools, windows

My employer publishes Windows shares via IPsec to the Internet. This way we have native access to our files whenever firewall rules permit IP protocol ID 50 (ESP) and 51 (AH) as well as ISAKMP / IKE UDP ports 500 or 4500 (NAT-T). This is a really nice setup with Windows clients, redirected home shares and Offline Files.

Anyways, although the shares are also published via WebDAV I wanted to access them natively through SMB/CIFS from Linux. This is where the Sourceforge hosted ipsec-tools come into play. The tools were originally developed for the BSD operating system as part of the KAME project but have been ported to Linux. If you want to use them to connect to a Windows machine it is absolutely essential that you have version 0.8 or later of the tools as it includes a patch that handles a phase 2 negotiation problem. If you are running OpenSuse 12.3 as I do you will not get compiled binaries out of the standard repositories (not even in factory). Fedora and Ubuntu are there already. A setkey -V will tell you if you are all set.

Once you have the tools installed there are mainly three configuration files that will be touched, all usually located in /etc/racoon.

  • psk.txt - this is where the pre-shared key is stored
  • setkey.conf - rules for the Security Policy Database (SPD)
  • racoon.conf - IKE daemon doing the dynamic key negotiation stuff

psk.txt holds the pre-shared key, so you should chmod 400 this file. The peer identifier in front of the key is shown as a placeholder here:

# Format is
# <IP/email/domain> <complex PSK>
<IP/email/domain> sdhAFF3417C18C$74B2.5AiohA64!475F1B;E41:35,2\C

setkey.conf defines the policies. Windows by default uses ESP only, so AH stays commented out. Replace the <LocalIP> and <RemoteIP> placeholders with your own addresses:

#!/usr/sbin/setkey -f
# Flush SAD and SPD
flush;
spdflush;

# Create policies for racoon
spdadd <LocalIP> <RemoteIP> any -P out ipsec
	esp/transport//require;
#	ah/transport//require;

spdadd <RemoteIP> <LocalIP> any -P in ipsec
	esp/transport//require;
#	ah/transport//require;

racoon.conf configures the IKE daemon. Check man racoon.conf for details.

path pre_shared_key "/etc/racoon/psk.txt";

#log [notify|debug|debug2];

remote anonymous {
	nat_traversal on;
	exchange_mode main;
	proposal {
		encryption_algorithm aes;
		hash_algorithm sha1;
		authentication_method pre_shared_key;
		dh_group 2;
	}
}

sainfo anonymous {
#	pfs_group 2;
	encryption_algorithm 3des,aes;
	authentication_algorithm hmac_sha1;
	compression_algorithm deflate;
}

When everything is set as required the policy needs to be activated. This is done with
setkey -f /etc/racoon/setkey.conf
and you can verify with
setkey -DP
If you want to disable the rules flush the SPD with
setkey -FP
and the kernel will stop using IPsec.

Finally, run
racoon -F
(-F is for foreground) and possibly change the logging level if something goes wrong.
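The weak spot in a pre-shared-key setup is the key file itself: if psk.txt is readable by anyone but root, the whole tunnel is open to that user. As an added example (not part of the original post or of ipsec-tools), here is a small Python check for the two points made above: the file must be mode 400 and every entry must have the <IP/email/domain> <PSK> shape. The minimum key length, the treatment of everything after the first whitespace as the key, and the sample entry are my own assumptions.

```python
import os

# Assumptions (mine, not from the post): a key shorter than MIN_PSK_LEN characters is
# flagged, and racoon's psk.txt holds one "<IP/email/domain> <key>" entry per line,
# where the key is everything after the first whitespace; '#' lines and blanks are ignored.
MIN_PSK_LEN = 20

def audit_psk(content, mode):
    """Check psk.txt text plus its st_mode bits; return a list of findings (empty means OK)."""
    findings = []
    perm = mode & 0o777
    if perm & 0o077:
        findings.append("mode %o lets group/others read the key; chmod 400 the file" % perm)
    elif perm != 0o400:
        findings.append("mode %o; the post recommends chmod 400" % perm)
    for lineno, line in enumerate(content.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue                                   # comment or blank line
        parts = line.split(None, 1)                    # identifier, then the key (rest of the line)
        if len(parts) != 2:
            findings.append("line %d: expected '<IP/email/domain> <PSK>'" % lineno)
            continue
        ident, key = parts[0], parts[1].rstrip()
        if len(key) < MIN_PSK_LEN:
            findings.append("line %d: PSK for %s is only %d characters long" % (lineno, ident, len(key)))
    return findings

def audit_psk_file(path):
    """Run audit_psk against a real file such as /etc/racoon/psk.txt."""
    with open(path) as fh:
        content = fh.read()
    return audit_psk(content, os.stat(path).st_mode)

# Constructed sample entry in the format shown in the post (203.0.113.10 is a documentation address).
SAMPLE_PSK = """# Format is
# <IP/email/domain> <complex PSK>
203.0.113.10 sdhAFF3417C18C$74B2.5AiohA64!475F1B;E41:35,2\\C
"""

if __name__ == "__main__":
    # A freshly created file is usually 644, which the audit reports.
    for finding in audit_psk(SAMPLE_PSK, 0o100644) or ["no findings"]:
        print(finding)
```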

Stay tuned for more as I'll dig into automatic start at boot time, less privileged user rules and certificates as authentication method.

A Tag Cloud for BlazeBlogger

2013-04-02 by Administrator, tagged as development, programming, software

I am using BlazeBlogger as my Content Management System (CMS), which is a bunch of Perl scripts that create static web pages from text files. Thus, no database or dynamic content. So far it has perfectly fitted my needs, but as my categories kept growing I started disliking the default list view for them (similar to the Archive list to your right).

I did some research and quickly found a Perl module that creates Tag Clouds, and since the author of BlazeBlogger didn't respond to the email I sent containing the changes I made to the code, I just publish it here. Maybe someone finds this useful.

I am running a Debian system and to get the Perl module HTML::TagCloud on to the system a simple aptitude install libhtml-tagcloud-perl is all it requires. You can alternatively get it from CPAN directly. Furthermore, I added/commented the following lines in the blaze-make file:

28 use HTML::TagCloud;

563   if (my %tags = %$tags) {
564     # Return the list of tags:
565     #return join("\n", map {
566     #  "<li><a href=\"" . fix_link("%root%tags/$tags{$_}->{url}") .
567     #  "\">$_ (" . $tags{$_}->{count} . ")"
568     #} sort(keys(%tags)));
570     ### ADDED begin ###
571         # Create tag cloud
572         my $cloud = HTML::TagCloud->new;
574         map {
575                 $cloud->add( $_, fix_link("%root%tags/$tags{$_}->{url}" ), $tags{$_}->{count} );
576         } sort(keys(%tags));
577         return $cloud->html_and_css(50);
578     ### ADDED end ###
579   }

In the end you'll get a beautiful nice little tag cloud as you can see to your right for the Categories :)

How to replace Outlook with Thunderbird to connect to Office365

2013-01-04 by Administrator, tagged as microsoft, office, office365, pim, software

With rich email clients dying (check here and here) this article may be already outdated but I thought I'd share it anyway. Maybe Outlook Web App (OWA) is going to be it after all ;-)

This concept is part of my migration from a Microsoft desktop to Linux, something I have been wanting to do for quite some time now but I always got stopped by one feature or another. And with this Windows 8 disaster for desktop users the whole idea got picked up with renewed enthusiasm (I know Metro uhm... the (new) Microsoft Design Language is the future of Windows but it's just not ready yet).

I narrowed down two primary functions that are required for my daily work: a client that works with the Microsoft Exchange/Office365 backend my employer provides, and support for Microsoft Lync for Instant Messaging (IM), conferencing, and audio/video calls. With the Office question long being solved and the announced Skype integration into Lync on the horizon, only a decent Outlook substitute is left to be found.

Well, if your usage profile is similar to mine then look no further.

BTW this has been tested with Thunderbird (TB) version 17.0 and I decided for a smooth migration path so currently I am still running on Windows 8 and I still have Outlook/Office installed in parallel with Thunderbird/LibreOffice.

Required Plug-Ins

Usage Profile

I consider myself a moderate Outlook user with a focus on email, calendaring, contacts, and a little bit tasks/to-dos. I have no idea what this Journal feature is for and I also do not know if my way to use Outlook is the best. I rarely access other colleagues' calendars and I never access other mailboxes or grant access to mine. I do use Outlook for business and the backend is Office365 for quite some time now.

In my day-to-day work email is the number one functionality and since I never organize emails into subfolders or anything alike, searching is the must have feature. I also use the possibility to create tasks/to-dos with the follow-up option but I do not categorize emails. When I create message rules I always try to make them server side, something I have always achieved so far ;-)

Calendaring of course gets me organized but I only have a single one. I do check calendars of my colleagues occasionally. Furthermore, I started to use tasks and to-dos more and although I'd be willing to use another tool for this purpose, I do like the interplay with emails/follow-up.

Last but not least contacts are not to be forgotten. Besides a reliable sync of the local address book, searching the Global Address List (GAL) is a must-have and using the GAL as a source for auto-completion is also a requirement.

Obviously, syncing reliably is very important. I actively use Android, iOS, Linux, MeeGo, and Windows devices with most of them using Exchange Active Sync to do the synchronization.

How it works

The gateway to Microsoft Exchange is Exchange Web Services (EWS). I was pretty surprised to find out that there are some advanced add-ons to Thunderbird that make use of this feature. Long gone are the days when OWA was used as a workaround to talk to the Exchange backend. Luckily, this gateway is open to Office365 users.


Currently I use IMAP to connect to my Office365 Exchange mailbox and I haven't tested ExQuilla for this purpose, yet. IMAP works reliably and fast and I do not see a reason why I should rely on an add-on here. Sending is done via SMTP

To find out your server URLs for the IMAP and SMTP service you can go to the Office365 website (usually something like <DOMAIN NAME>) and check the OWA options. You should see a link Settings for POP, IMAP, and SMTP access...

ToDo: Screenshot walkthrough


The Exchange 2007/2010 Calendar and Tasks Provider add-on is used to synchronize calendars and tasks. It also supports contacts sync but I have found this to be a little bit unstable. Furthermore, auto-completion from the GAL is not supported yet (version 3.1.3).

This EWS provider also manages the Out-of-Office (OoO) settings which you can set on a per calendar basis (anyone can tell me a use case for this?). First tests were successful although you get a bunch of HTML crap if you take over the text set from an Outlook client.

Otherwise, this plug-in works reliably as far as I can tell and the developer suggests checking the official website for the latest version as submission to the TB catalog may take a while. Development is quite active (last stable release dates from October 2012) so this seems to be a good choice.

ToDo: Screenshot walkthrough


Tasks also use the Exchange 2007/2010 Calendar and Tasks Provider add-on and you need to create a second calendar for tasks to work. Although it says it does support to-dos (what's the difference?) I haven't managed to get this working. But I can live with that.

Sometimes duplicate entries appear for events. Looks like every event also is a task in the Outlook mailbox. The task shows the free/busy information while the event itself does not. I haven't found out yet when those entries appear and disappear but you can always quickly disable the view for the tasks calendar item when you find this annoying.

ToDo: Screenshot walkthrough


Sadly, the EWS calendar and task provider insufficiently supports contacts sync. Sometimes the address book completely hangs and you need to kill the whole Thunderbird process tree to get it working again. Furthermore, it also doesn't support auto-completion from GAL items. So this is where the ExQuilla add-on jumps in. In the end you have quite a few address books configured but hey, it works. OK, I know it's a little bit confusing and I do hope the EWS provider will bring reliable contacts support soon but for the time being...

ToDo: Screenshot walkthrough

What doesn't work?

ToDo: Update paragraph

So far I am pretty satisfied. Of course, one needs to adapt to the new UI and so on but most features relevant to me work fine (e.g. search).
Lync integration isn't there but TBDialOut lets me at least dial from the address book. It would be great if it would support dialing from an email (Sender, CC, etc.), too. Telify offers phone numbers as links in the email body though.
Opening calendars from colleagues or managing filter rules isn't possible either but I rarely have to so I use OWA for this.
Tasks do work (seem to need a separate calendar item) but To-Dos do not.

Other nice Add-Ons I use

Base64 decoding now also possible with DuckDuckGo

2012-10-26 by Administrator, tagged as duckduck, search, software, tools

Now that's something. Couple of weeks ago I mailed the DuckDuckGo support if they also support decoding base64 but they didn't. Today I am searching for an online decoder again and... there it is:

base64 decode -String-to-decode-

Just type base64 decode in front of any base64-encoded string into the search field of DuckDuckGo and that's it.

Keep up the great work you people at DuckDuckGo

Google go home!

Windows Server 2012 Internal Database Connection String

2012-09-21 by Administrator, tagged as microsoft, software, windows

With the new release of Windows Server Microsoft not only changed the location and name of the internal database to Windows Internal Database (WID) but also the string you need to use to connect to it for management purposes. It is now:


Now someone please update the Wiki article at

BTW I found this in the log file located under


Where you can also find details about the version of the WID running:

Microsoft SQL Server 2012 - 11.0.2100.60 (X64)
Feb 10 2012 19:39:15 
Copyright (c) Microsoft Corporation
iWindows Internal Database (64-bit) on Windows NT 6.2  (Build 9200: ) (Hypervisor)

(c) Microsoft Corporation.
All rights reserved.
Server process ID is 1648.
Authentication mode is WINDOWS-ONLY.
Logging SQL Server messages in file 'C:\Windows\WID\Log\error.log'.
The service account is 'NT SERVICE\MSSQL$MICROSOFT##WID'. This is an informational message; no user action is required.
Registry startup parameters: 
	 -w 65535
	 -T 1617
	 -e C:\Windows\WID\Log\error.log
	 -l C:\Windows\WID\Data\mastlog.ldf
	 -d C:\Windows\WID\Data\master.mdf
Command Line Startup Parameters:

Base64 encode with DuckDuckGo

2012-09-06 by Administrator, tagged as duckduck, search, software, tools

I searched for an online base64 en-/decoder with my search engine of choice DuckDuckGo and accidentally discovered that they directly encode any string you type if the first word is base64.

I checked but didn't find this feature documented. So I asked their support if they also support decoding. Sadly, they do not but took it as a feature suggestion.

So click this to encode The Perimeterless Network

Even more cool, since I use IE shortcuts I only need to type dd base64 String-To-Encode (dd being my DuckDuckGo shortcut) in my address bar and I have it directly encoded. And since the IE address bar is part of my Windows taskbar base64 encoding a string is a matter of not even switching windows.