
Weird quirk in ReST with code blocks

In some cases (I haven't been able to pin down exactly which) Pelican will throw a generic error about an unexpected unindent in your code block, like this:

          ERROR: Could not process inputfile.rst
            | SystemMessage: /inputfolder/inputfile.rst:55: (WARNING/2) Definition list ends without a blank line; unexpected unindent.

It turns out that to fix it you need an empty line before the beginning of the code block (in addition to the one in front of it); then it gets parsed correctly. A seriously annoying caveat if you're new to ReST.

Using Freedome with any OpenVPN client

How to use Freedome VPN without the official client on Android, Windows, Linux, FreeBSD, basically anything you can run OpenVPN on.

Preparation

Prerequisites you must download and install:

  1. Have Windows and the official client
  2. Download Wireshark and install it
  3. Download RawCap and install it
  4. Save the code below into openvpn.c and compile it for Windows ("MinGW" worked for me) and make sure to change the path to something you like

First steps

  1. Run Freedome, log in with your account
  2. Start RawCap with RawCap.exe 127.0.0.1 capture.pcap
  3. Reconnect and disconnect from the VPN
  4. Stop RawCap; capture.pcap now contains the password for your user's key, store it somewhere safe (screenshot: the password in the capture)
  5. Copy the openvpn.c you compiled as openvpn.exe into C:\Program Files (x86)\F-Secure\Freedome\Freedome1\x64 and C:\Program Files (x86)\F-Secure\Freedome\Freedome1; you might also want to back up the previous openvpn.exe
  6. Reconnect and disconnect from the VPN
  7. The folder specified in openvpn.c now contains the openvpn configuration file
  8. Get the keys in C:\ProgramData\F-Secure\Freedome\keys

Creating the configuration file

  1. You have to remove STX characters from the captured output
  2. Find the second </connection> tag and delete everything after it
  3. Remove empty lines before </ca>
  4. Remove all lines that start with management
  5. Remove block-outside-dns
  6. Replace cert [path] with where your client.crt is
  7. Place your password in a file of your choosing and add the line askpass [your file's name] to have it autologin to the VPN (you might also want to chmod 600 the file)
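Steps 1 to 7 above as a script, added here as an illustration rather than the post author's tooling. RAW_CAPTURE is a constructed stand-in for the captured config (not a real capture), and the client.crt / client.pass names are placeholders you pass in.

```python
import os
import re

# Constructed stand-in for the captured openvpn.cfg (not a real capture): STX bytes,
# management lines, block-outside-dns, blank lines before </ca>, two <connection>
# blocks and trailing stream junk, so every step below has something to act on.
RAW_CAPTURE = (
    "\x02client\ndev tun\nmanagement 127.0.0.1 7505\nmanagement-client\n"
    "block-outside-dns\ncert [path]\n"
    "<ca>\n-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n"
    "-----END CERTIFICATE-----\n\n\n</ca>\n"
    "<connection>\nremote gw.example.invalid 2745 udp\nproto udp\n</connection>\n"
    "<connection>\nremote gw.example.invalid 443 tcp\nproto tcp-client\n</connection>\n"
    "\x02\x02trailing junk\n<connection>\nremote stale.example.invalid 1194 udp\n</connection>\n"
)


def clean_config(raw: str, cert_path: str, pass_file: str) -> str:
    """Apply steps 1-7 from the post to a captured config and return the result."""
    text = raw.replace("\x02", "")                                  # 1. drop STX characters
    first = text.find("</connection>")
    second = text.find("</connection>", first + 1) if first != -1 else -1
    if second == -1:
        raise ValueError("expected two </connection> blocks in the capture")
    text = text[: second + len("</connection>")]                      # 2. cut after the second one
    text = re.sub(r"\n(?:[ \t]*\n)+(?=</ca>)", "\n", text)           # 3. blank lines before </ca>
    lines = []
    for line in text.splitlines():
        if line.startswith("management"):                             # 4. management* lines
            continue
        if line.strip() == "block-outside-dns":                       # 5. Windows-only option
            continue
        if line.startswith("cert "):                                  # 6. point at your client.crt
            line = f"cert {cert_path}"
        lines.append(line)
    lines.append(f"askpass {pass_file}")                              # 7. auto-login from a file
    return "\n".join(lines) + "\n"


def write_private(path: str, data: str) -> None:
    """Create the file owner-read/write only (the post's chmod 600) before writing."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)


if __name__ == "__main__":
    print(clean_config(RAW_CAPTURE, "client.crt", "client.pass"))
```

Use write_private for both the cleaned config and the password file so they never exist world-readable, even briefly.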

Summary

In your OpenVPN folder you should have an openvpn configuration file, your client.crt and your password in a file.

Make sure the remote address (freedome-fi-gw.freedome-vpn.net) and the port (2745) are what you want to use; you can also see them in the TCP stream. If you don't want to use the Finnish gateway then feel free to sniff out other gateways, I suspect changing the two-letter code is enough...

openvpn.c

The whole program is below (the original only gave the body of main); change the output path to something you like. Note that fwrite needs the address of ch, not its value.

          #include <stdio.h>
          #include <unistd.h>

          int main(void) {
              char ch;
              /* Change this path to wherever you want the captured config written. */
              FILE *fp = fopen("openvpn.cfg", "w");
              if (fp == NULL) return 1;

              /* Copy everything the launcher pipes to stdin (the OpenVPN config) into the file. */
              while (read(STDIN_FILENO, &ch, 1) > 0) {
                  fwrite(&ch, 1, sizeof(ch), fp);
              }

              fclose(fp);
              return 0;
          }

Example configuration

If you already have your private key, password, the CA cert and the gateway you wish to use, then you can just replace the values here:

          <ca>PLACE THE CA CERT HERE!!!!!!</ca>
          <key>PLACE YOUR KEY HERE!!!!!!!</key>
          cert client.crt
          askpass client.pass
          verb 4
          client
          dev tun
          suppress-timestamps
          preresolve
          route-delay 0 12
          push-peer-info
          setenv UV_CLP peerid:2
          replay-window 512 15
          tcp-queue-limit 128
          nobind
          float
          resolv-retry 20
          server-poll-timeout 10
          persist-key
          mute-replay-warnings
          ns-cert-type server
          comp-lzo
          cipher AES-256-CBC
          auth SHA256
          route-nopull
          pull-filter ignore redirect-gateway
          <connection>
          fragment 1400
          remote PLACE THE GATEWAY DOMAIN NAME HERE PORT udp
          proto udp
          explicit-exit-notify 1
          </connection>
          <connection>
          remote PLACE THE SECOND GATEWAY DOMAIN NAME HERE AND SECOND PORT tcp
          proto tcp-client
          </connection>

Installing modsecurity as a static nginx module

This is a super minimal guide on how to recompile nginx on Ubuntu 16.04/14.04 with ModSecurity.

Instructions

I started by downloading nginx's sources and extracting them:

          wget https://nginx.org/download/nginx-1.13.12.tar.gz
          tar -xf nginx-1.13.12.tar.gz

Then I took the compilation flags of my current nginx build from nginx -V and modified them to include ModSecurity and to exclude useless modules (you can always find the sources of the modules online and pray they work with newer nginx; remove --add-module=./modules/ngx_brotli if you want nginx without brotli):

          ./configure --with-cc-opt='-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2' \
              --with-ld-opt='-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' \
              --sbin-path=/usr/sbin/nginx --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf \
              --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log \
              --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid \
              --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi \
              --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi \
              --http-uwsgi-temp-path=/var/lib/nginx/uwsgi \
              --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module \
              --with-http_realip_module --with-http_auth_request_module --with-http_addition_module \
              --with-http_dav_module --with-http_flv_module --with-http_geoip_module --with-http_gunzip_module \
              --with-http_gzip_static_module --with-http_image_filter_module --with-http_mp4_module \
              --with-http_perl_module --with-http_random_index_module --with-http_secure_link_module \
              --with-http_v2_module --with-http_sub_module --with-http_xslt_module \
              --with-mail --with-mail_ssl_module --with-stream --with-stream_ssl_module --with-threads \
              --add-module=./modules/headers-more-nginx-module --add-module=./modules/ModSecurity-nginx \
              --add-module=./modules/ngx_brotli --with-compat

Building it is easy after that:

          make -j3
          make install

Then I only had to restart nginx:

          sudo systemctl restart nginx
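The flag-editing step above, done programmatically so the hardening options from the stock build are not lost by hand-editing. This is an added example, not the post's own tooling; SAMPLE_NGINX_V is constructed nginx -V output, and the module paths are the ones used in the post.

```python
import re
import shlex

# Constructed `nginx -V` output (nginx prints it on stderr); not from a real host.
SAMPLE_NGINX_V = (
    "nginx version: nginx/1.13.12\n"
    "built with OpenSSL 1.1.0g  2 Nov 2017\n"
    "TLS SNI support enabled\n"
    "configure arguments: --with-cc-opt='-g -O2 -fPIE -fstack-protector-strong "
    "-D_FORTIFY_SOURCE=2' --with-ld-opt='-fPIE -pie -Wl,-z,relro -Wl,-z,now' "
    "--prefix=/usr/share/nginx --with-http_ssl_module "
    "--add-module=./modules/ngx_brotli --with-compat\n"
)

# Toolchain flags the distro build ships with; losing one while editing the
# configure line silently weakens the resulting binary.
HARDENING = ("-fPIE", "-fstack-protector-strong", "-D_FORTIFY_SOURCE=2",
             "-Wl,-z,relro", "-Wl,-z,now")


def configure_args(nginx_v: str, add_modules=(), drop_flags=()) -> list:
    """Extract the configure arguments from nginx -V output, drop the flags in
    drop_flags and append --add-module=<path> for each entry of add_modules."""
    m = re.search(r"^configure arguments: (.*)$", nginx_v, re.MULTILINE)
    if m is None:
        raise ValueError("no 'configure arguments:' line in nginx -V output")
    # shlex keeps the quoted --with-cc-opt / --with-ld-opt values as single args.
    args = [a for a in shlex.split(m.group(1)) if a not in drop_flags]
    for module in add_modules:
        flag = f"--add-module={module}"
        if flag not in args:
            args.append(flag)
    return args


def missing_hardening(args) -> list:
    """Return the HARDENING flags absent from the --with-cc-opt/--with-ld-opt values."""
    opts = " ".join(a for a in args if a.startswith(("--with-cc-opt=", "--with-ld-opt=")))
    return [flag for flag in HARDENING if flag not in opts]


def configure_command(args) -> str:
    """Re-quote the arguments into a single line that can be pasted into a shell."""
    return "./configure " + shlex.join(args)


if __name__ == "__main__":
    new_args = configure_args(SAMPLE_NGINX_V, add_modules=["./modules/ModSecurity-nginx"],
                              drop_flags=["--add-module=./modules/ngx_brotli"])
    print(configure_command(new_args), missing_hardening(new_args))
```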

Configuration is left as an exercise for the reader :)

Usability

I tested it out for a while; it has a few bugs, and the documentation is really lacking in terms of how to write brand-new rules for it. It's also super annoying to detect false positives, and I found the rule syntax vomit-worthy. I decided to drop modsecurity; it just wasn't worth it, especially not just for fun™.

This also seems to hold true in 2023 as it did back in 2018.

Posted by TaaviE on in Linux. updated Tags: nginx.
