Sunday, October 21, 2012

Google Voice Poetry

The coolest feature about the Android is its excellent voice recognition capabilities. I like to send it difficult or unintelligible syntax, and I appreciate how the software seems to understand part-of-speech and grammar so well that it makes complete sentences out of what I dictate:

You'll have to wait for the Apes to happen
They keep some noise
The evening has no eyes
Nothing undoing the drawers in the middle of this s*** shoe box

I think that, somewhere on the Internet, a microcontroller is crying.

Product review: Republic Wireless Defy XT 557

I admit: I'm a luddite. Although I worked as a mobile software developer for several years, I'm one of the last to acquire a smart phone. But now, I am the owner of a Motorola Defy XT, thanks to Republic Wireless. I guess that it's about time that I joined 2010 (my previous phone is a Verizon Samsung SCH-U620).


Frankly, I'm kind of pissed off that this has happened. Nobody does voice calls any more. Everyone seems to want to live a quiet, silent life of text messaging. When I ride mass transit, people look at each other when they make voice calls. I was very happy with my itty bitty Samsung device with physical buttons that fits conveniently in my pocket, but not happy with the prospect of paying $60 per month for a data package that I deemed useless. Republic Wireless' voice roaming onto 802.11 wireless networks was just hackerly enough for me to appreciate their innovative business model, and actually want to try out their service.


I can do everything that I can do on the smartphone better on my netbook computer. As I've attempted to let the smartphone take over my life, I've noticed that it takes me a lot longer to communicate with others. I suppose that the smartphone thing is pretty cool for people who don't regularly touch type, but the lack of a physical keyboard is a serious drawback.

However, the ubiquitous 3G data roaming onto Sprint's network within the greater Los Angeles area has been superb. I'm very impressed with how easy it is for me to do simple email communications and web browsing on the small platform. That stated, if I amortize the cost of the device out over one year, the device costs me $43 per month. At that price, it is extremely competitive with any existing Verizon wireless plan, and I have all of the features that I could possibly want. Plus, any dead zones that I regularly encounter on USC's campus are filled in with Republic Wireless' ability to roam onto wireless networks.

Overall, I'm really impressed with the product. My only quibble is that I cannot unlock / root the phone, because the SPC / MSL numbers don't seem to be readily accessible, although it's probably just a matter of time.

Monday, October 15, 2012

Setting up OpenVPN on FreeBSD

I've found a few tricks to help improve OpenVPN setup on FreeBSD. First off, there's a reasonably good Perl script that makes the process a bit easier. Install the security/ssl-admin port.

Next, set up your /usr/local/etc/openvpn/server.conf file:

proto udp
port 1194
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 172.17.2.0 255.255.255.0

# Makes a local area network available to other clients
# This could be the IP block of your home network
push "route 192.168.1.0 255.255.255.0"
ifconfig-pool-persist ipp.txt
comp-lzo
client-to-client
duplicate-cn
user nobody
group nobody
keepalive 10 120
persist-key
persist-tun
status openvpn-status.log
verb 4
crl-verify /usr/local/etc/openvpn/crl.pem
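
As an added check that is not part of the original post, this shell script audits a server.conf for how the directives above interact: duplicate-cn lets several clients share one certificate and defeats ifconfig-pool-persist, and user/group depends on persist-key and persist-tun. The function names and the temporary file path are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: audit an OpenVPN server.conf.

# has FILE NAME: true when NAME is an active directive (awk compares only the
# first field, so commented-out lines never match).
has() { awk -v d="$2" '$1 == d { f = 1 } END { exit !f }' "$1"; }

# audit_server_conf FILE: print one finding per line, return 1 if any.
audit_server_conf() {
    conf=$1; rc=0
    flag() { printf '%s: %s\n' "$conf" "$1"; rc=1; }

    if has "$conf" duplicate-cn; then
        flag "duplicate-cn lets one client certificate hold several sessions at once"
        if has "$conf" ifconfig-pool-persist; then
            flag "ifconfig-pool-persist will not work with duplicate-cn"
        fi
    fi
    if ! has "$conf" crl-verify; then
        flag "no crl-verify, so revoked client certificates are still accepted"
    fi
    if has "$conf" user || has "$conf" group; then
        # keepalive implies ping-restart; after the privilege drop the daemon
        # can no longer re-read server.key or reopen the tun device.
        for d in persist-key persist-tun; do
            if ! has "$conf" "$d"; then
                flag "user/group set without $d"
            fi
        done
    else
        flag "no user/group, so the daemon keeps root after start-up"
    fi
    return "$rc"
}

# Constructed sample: the security-relevant lines of the server.conf above.
sample=${TMPDIR:-/tmp}/server.conf.$$
cat > "$sample" <<'EOF'
ifconfig-pool-persist ipp.txt
duplicate-cn
user nobody
group nobody
keepalive 10 120
persist-key
persist-tun
crl-verify /usr/local/etc/openvpn/crl.pem
EOF
audit_server_conf "$sample" || true
rm -f "$sample"
```

Run against the configuration from this post, it reports the duplicate-cn and ifconfig-pool-persist findings; a configuration without duplicate-cn that keeps the other directives passes cleanly.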

Edit /usr/local/etc/ssl-admin/ssl-admin.conf.default and save as ssl-admin.conf in the same directory. Examples for the United States are shown below:

$ENV{'KEY_COUNTRY'} = "US";
$ENV{'KEY_PROVINCE'} = "CA";
$ENV{'KEY_CITY'} = "PASADENA";
$ENV{'KEY_ORG'} = "FOOBAR.NET";
$ENV{'KEY_EMAIL'} = 'CATS@FELINEHA.US';

Next, use the ssl-admin tool to create server certificates. Launch ssl-admin. You're presented with a "user-friendly" menu, but the menu assumes knowledge of SSL certificate exchange. This knowledge isn't really necessary in order to set up a server. When the program initially executes, it will automatically ask you to create a certificate authority (CA) identity. Make sure you encrypt this certificate with a password. Next, choose option dh, and then option S. Option S will prompt you for an "owner name." To make things less confusing, type "server" as the owner name.

Once these certificates have been generated, you'll want to copy them into your OpenVPN configuration directory:

cd /usr/local/etc/ssl-admin/active
sudo cp server.crt server.key ca.crt ../prog/crl.pem ../dh2048.pem /usr/local/etc/openvpn/

Edit /etc/rc.conf and add the lines:
# OpenVPN Server
openvpn_enable="YES"
openvpn_configfile="/usr/local/etc/openvpn/server.conf"

Configure your firewall to allow traffic into OpenVPN. If you use ipfilter, add the following lines to your /etc/ipf.rules file, replacing XXXX with the name of the network interface that receives the VPN traffic, and then restart the ipfilter service:
# OpenVPN
pass in quick on XXXX proto udp from any to any port = 1194 keep frags

Now you should be able to start the OpenVPN server.
/usr/local/etc/rc.d/openvpn start

Server configuration is complete! Now you can create certificates for clients. I suggest creating /usr/local/etc/openvpn/client.conf:
client
dev tun
proto udp
remote server.felineha.us
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
ca ca.crt
cert client.crt
key client.key
verb 3

Make a symlink so this configuration is included in the client configuration archive:
ln -s /usr/local/etc/openvpn/client.conf /usr/local/etc/ssl-admin/packages/client.ovpn

Using the ssl-admin tool, choose option (4) to create certificates for a client. The script will prompt you for another owner name. Choose something that is descriptive of the remote host so that you can figure out which certificate belongs to which host.

When the script asks you "Can I move signing request (xxxx.csr) to the csr directory for archiving?", choose Yes. After the script creates the certificate for the remote host, choose option (z).

Although this blog post will get you started, some of the methods used are dated. Apparently Ubuntu 10.10 now allows import of PKCS#12 (.p12) files. Essentially, these files replace the archive created by ssl-admin's option (z).