Using Freedome with any OpenVPN client

How to use Freedome VPN without the official client on Android, Windows, Linux, FreeBSD, or basically anything you can run OpenVPN on.

Prerequisites you must download and install:
  1. Have Windows and the official client
  2. Download Wireshark and install it
  3. Download RawCap and install it
  4. Save the code below into openvpn.c and compile it for Windows ("MinGW" worked for me) and make sure to change the path to something you like
First steps:
  1. Run Freedome, log in with your account
  2. Start RawCap with RawCap.exe 127.0.0.1 capture.pcap
  3. Reconnect and disconnect from the VPN
  4. Stop RawCap - the capture.pcap file will now contain the password for your user's key, store it somewhere safe
  5. Copy the openvpn.c file you compiled as openvpn.exe to `C:\Program Files (x86)\F-Secure\Freedome\Freedome\1\x64` and `C:\Program Files (x86)\F-Secure\Freedome\Freedome\1`, you might also want to back up the previous `openvpn.exe`
  6. Reconnect and disconnect from the VPN
  7. The folder specified in openvpn.c now contains the openvpn configuration file
  8. Get the keys in C:\ProgramData\F-Secure\Freedome\keys
Cleaning up openvpn configuration file:
  1. You have to remove STX characters from the captured output
  2. Find the second </connection> tag and delete everything after it
  3. Remove empty lines before </ca>
  4. Remove all lines that start with management
  5. Remove block-outside-dns
  6. Replace cert [path] with where your client.crt is
  7. Place your password in a file of your choosing and add the line askpass [your file's name] to have it autologin to the VPN (you might also want to chmod 600 the file)
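
The cleanup steps above, as an added Python example (not part of the original post). The function names, the default file names and the sample capture are assumptions made for illustration; the sample is constructed and is not real Freedome output.

```python
import os

# Constructed sample of what the stand-in openvpn.exe might capture (not real Freedome output).
SAMPLE_CAPTURE = (
    "\x02client\r\ndev tun\r\nmanagement 127.0.0.1 1234 stdin\r\nmanagement-hold\r\n"
    "block-outside-dns\r\ncert C:\\placeholder\\client.crt\r\n"
    "<ca>\r\n-----BEGIN CERTIFICATE-----\r\nconstructed\r\n-----END CERTIFICATE-----\r\n\r\n\r\n</ca>\r\n"
    "<connection>\r\nremote gw.example.invalid 1194 udp\r\n</connection>\r\n"
    "<connection>\r\nremote gw.example.invalid 443 tcp\r\n</connection>\r\n"
    "\x02leftover data after the second block\r\n"
)

def clean_config(raw, cert_path="client.crt", askpass_file="client.pass"):
    """Apply the cleanup steps listed above to a captured configuration."""
    # Step 1: strip STX (0x02) characters; also normalise CRLF line endings.
    text = raw.replace("\x02", "").replace("\r\n", "\n")
    # Step 2: keep everything up to and including the second </connection>.
    tag = "</connection>"
    first = text.find(tag)
    second = text.find(tag, first + len(tag)) if first != -1 else -1
    if second == -1:
        raise ValueError("expected two </connection> tags in the capture")
    out = []
    for line in text[: second + len(tag)].split("\n"):
        words = line.split()
        directive = words[0] if words else ""
        if directive == "</ca>":
            while out and not out[-1].strip():  # Step 3: empty lines before </ca>
                out.pop()
        # Steps 4-5: drop management* and block-outside-dns; an old askpass line
        # is dropped as well so that step 7 leaves exactly one.
        if directive.startswith("management") or directive in ("block-outside-dns", "askpass"):
            continue
        if directive == "cert":
            line = f"cert {cert_path}"  # Step 6: where your client.crt is
        out.append(line)
    # Step 7: askpass is a global option, so place it before the first <connection>.
    idx = next((i for i, l in enumerate(out) if l.strip() == "<connection>"), len(out))
    out.insert(idx, f"askpass {askpass_file}")
    return "\n".join(out) + "\n"

def write_password_file(path, password):
    """Create the askpass file with owner-only permissions (the chmod 600 advice)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(password + "\n")
    os.chmod(path, 0o600)  # also tightens a file that already existed
```

Creating the password file with mode 0600 from the start avoids the window in which a freshly written file is readable by other local users before chmod runs.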

Summary

In your OpenVPN folder you should have an openvpn configuration file, your client.crt and your password in a file.

Make sure the remote address (freedome-fi-gw.freedome-vpn.net) and the port (2745) are what you want to use; you can also see them in the TCP stream. If you don't want to use the Finnish gateway then feel free to sniff out other gateways, I suspect changing the two-letter code is enough...

openvpn.c

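Take this code; the loop goes inside the main function:

.. code-block:: c

    #include <stdio.h>   /* fopen, fwrite, fclose */
    #include <unistd.h>  /* read, STDIN_FILENO */

    int main(void) {
        char ch;
        /* Change this path to where the captured configuration should be written */
        FILE *fp = fopen("openvpn.cfg", "w");
        if (fp == NULL)
            return 1;
        /* Copy everything arriving on stdin into the file, one byte at a time */
        while (read(STDIN_FILENO, &ch, 1) > 0) {
            fwrite(&ch, 1, sizeof(ch), fp);  /* fwrite needs a pointer to the byte */
        }
        fclose(fp);
        return 0;
    }
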

Example configuration

If you already have your private key, its password, the CA cert and the gateway you want, you can fill in the values here:

.. code-block:: text

    <ca>PLACE THE CA CERT HERE!!!!!!</ca>
    <key>PLACE YOUR KEY HERE!!!!!!!</key>
    cert client.crt
    askpass client.pass
    verb 4
    client
    dev tun
    suppress-timestamps
    preresolve
    route-delay 0 12
    push-peer-info
    setenv UV_CLP peerid:2
    replay-window 512 15
    tcp-queue-limit 128
    nobind
    float
    resolv-retry 20
    server-poll-timeout 10
    persist-key
    mute-replay-warnings
    ns-cert-type server
    comp-lzo
    cipher AES-256-CBC
    auth SHA256
    route-nopull
    pull-filter ignore redirect-gateway
    <connection>
    fragment 1400
    remote PLACE THE GATEWAY DOMAIN NAME HERE PORT udp
    proto udp
    explicit-exit-notify 1
    </connection>
    <connection>
    remote PLACE THE SECOND GATEWAY DOMAIN NAME HERE AND SECOND PORT tcp
    proto tcp-client
    </connection>

My experience with a few home automation systems available

// NOTE: This article is incomplete

MyController

The first home automation controller I tried was [MyController](https://github.com/mycontroller-org/mycontroller/).

UI

The UI was tolerable, not the prettiest but it worked without any hiccups.

The setup

That was really easy, I could just enter the right PostgreSQL credentials and database name. What didn't work was getting sensor readings into InfluxDB to have some really nice graphs. It also wasn't the most pleasant to get it under systemd's control, stop didn't really have a meaning to it.

MySensors integration

Really good configuration options, super-clear mesh status, everything worked. Smoothest of them all.

Home Assistant

I also tried Home Assistant (HASS for short).

UI

The UI was nice-looking but it had a few bugs, wasn't fast and really lacked any configurability.

The setup

It was easier than MyController's but actually setting up took much longer. Things like adding basic MyController support were annoying.

MySensors integration

Had a few annoying bugs like forcing a certain data type on a certain sensor, couldn't handle custom scales. It was also super delayed.

Actual automation

I really disliked it, the YAML is not nice and the scripting is worse than Scratch, I'd really rather like a Python API.

Installing modsecurity as a static nginx module

This is a super minimal guide on how to recompile nginx on Ubuntu 16.04/14.04 for ModSecurity.

A few external references:

I started with downloading nginx's sources and extracting them:

.. code-block:: bash

    wget https://nginx.org/download/nginx-1.13.12.tar.gz
    tar -xf nginx-1.13.12.tar.gz

Then I took the compilation flags of my current nginx build with nginx -V, modified to include modsecurity and to exclude useless modules (you can always find the sources of the modules online and pray they work with newer nginx, remove --add-module=./modules/ngx_brotli if you want nginx without brotli):

.. code-block:: bash

    ./configure --with-cc-opt='-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' --sbin-path=/usr/sbin/nginx --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_addition_module --with-http_dav_module --with-http_flv_module --with-http_geoip_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_mp4_module --with-http_perl_module --with-http_random_index_module --with-http_secure_link_module --with-http_v2_module --with-http_sub_module --with-http_xslt_module --with-mail --with-mail_ssl_module --with-stream --with-stream_ssl_module --with-threads --add-module=./modules/headers-more-nginx-module --add-module=./modules/ModSecurity-nginx --add-module=./modules/ngx_brotli --with-compat
          

Building it is easy after that:

.. code-block:: bash

    make -j3
    make install

Then I only had to restart nginx:

.. code-block:: bash

    sudo systemctl restart nginx
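
A check for the rebuild described above, as an added Python example (not part of the original post): it compares the ``nginx -V`` output of the old and the rebuilt binary, reporting which configure arguments changed and whether a hardening flag from the configure line was lost. The function names are assumptions and both sample outputs are constructed and shortened.

```python
import shlex

# Hardening flags present in the configure line shown above.
HARDENING = {"-fPIE", "-pie", "-fstack-protector-strong", "-D_FORTIFY_SOURCE=2",
             "-Wl,-z,relro", "-Wl,-z,now"}

# Constructed `nginx -V 2>&1` output for the old and the rebuilt binary (shortened).
OLD_BUILD = (
    "nginx version: nginx/0.0.0\n"
    "configure arguments: --with-cc-opt='-g -O2 -fPIE -fstack-protector-strong "
    "-D_FORTIFY_SOURCE=2' --with-ld-opt='-fPIE -pie -Wl,-z,relro -Wl,-z,now' "
    "--with-http_ssl_module --with-http_dav_module\n"
)
NEW_BUILD = (
    "nginx version: nginx/1.13.12\n"
    "configure arguments: --with-cc-opt='-g -O2 -fPIE -fstack-protector-strong "
    "-D_FORTIFY_SOURCE=2' --with-ld-opt='-fPIE -pie -Wl,-z,relro' "
    "--with-http_ssl_module --add-module=./modules/ModSecurity-nginx\n"
)

def configure_args(nginx_v_output):
    """Return the ./configure arguments reported by `nginx -V` as a set."""
    for line in nginx_v_output.splitlines():
        if line.startswith("configure arguments:"):
            return set(shlex.split(line.split(":", 1)[1]))
    raise ValueError("no 'configure arguments:' line in the output")

def toolchain_flags(args):
    """Collect the compiler/linker flags passed via --with-cc-opt / --with-ld-opt."""
    flags = set()
    for arg in args:
        if arg.startswith(("--with-cc-opt=", "--with-ld-opt=")):
            flags.update(arg.split("=", 1)[1].split())
    return flags

def compare_builds(old_output, new_output):
    """Report what changed between two builds and which hardening flags went missing."""
    old, new = configure_args(old_output), configure_args(new_output)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "hardening_lost": sorted((toolchain_flags(old) - toolchain_flags(new)) & HARDENING),
        "has_modsecurity": any(a.startswith("--add-module=") and "ModSecurity-nginx" in a for a in new),
    }
```

Save the old output before running ``make install``, because the configure line above installs the new binary over /usr/sbin/nginx.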

Configuration is left as an exercise for the reader :)

Usability

I tested it out for a while, it has a few bugs and the documentation is really lacking in terms of how to write brand-new rules for it. It's also super annoying to detect false-positives and I found the rule syntax vomit-worthy. I decided to drop using modsecurity, it just wasn't worth it, especially not just for fun™.

Posted by TaaviE on in Linux. updated Tags: nginx.
