Certificates, keys, SSL and Openvpn on Synology

Crypto-systems and keys

Nice article here about safer key usage:
https://blog.g3rt.nl/upgrade-your-ssh-keys.html

Generate your new sexy Ed25519 key (EdDSA on a twisted Edwards curve) and a robust RSA key (Rivest–Shamir–Adleman) as a fallback for hosts that do not support Ed25519 yet.

ssh-keygen -o -a 100 -t ed25519
ssh-keygen -t rsa -b 4096 -o -a 100

Add these to the SSH agent via ssh-add (with no arguments it loads the default key files from ~/.ssh; give it a file name to add a specific key):

 ssh-add

OpenVPN

Important reading:
https://blog.g3rt.nl/openvpn-security-tips.html

https://community.openvpn.net/openvpn/wiki/Concepts-Authentication

There is a good tool, easy-rsa, that helps you create the key pairs and certificates for OpenVPN with client certificates, but it assumes that you are your own Certificate Authority.

We want to use CAcert to sign our certificates, so we must make a Certificate Signing Request (CSR).

Note that OpenSSL and OpenSSH use different formats for their keys. OpenSSH (with -o, and by default since OpenSSH 7.8) writes private keys in its own "OPENSSH PRIVATE KEY" format, which OpenSSL does not read; older OpenSSH RSA keys were PEM-encoded PKCS#1 ("RSA PRIVATE KEY"), which is also OpenSSL's traditional format. OpenSSL itself uses PKCS#1 or PKCS#8 ("PRIVATE KEY") PEM files.

For OpenVPN (SSL) we use the OpenSSL toolset to generate the certificates.
I could not find how to convert the private OpenSSH key to an OpenSSL format, so we will regenerate the keys with OpenSSL (PEM format). Recent OpenSSH can rewrite an RSA key in place with ssh-keygen -p -m PEM -f <key>, which OpenSSL then reads; ssh-keygen stores Ed25519 private keys only in its own format.

OpenSSL before 1.1.1 cannot create Ed25519 keys from the command line; 1.1.1 and later can (openssl genpkey -algorithm Ed25519). RSA is the portable choice for OpenVPN here.

openssl genpkey -algorithm RSA \
   -pkeyopt rsa_keygen_bits:4096 \
   -pkeyopt rsa_keygen_pubexp:65537 | \
   openssl pkcs8 -topk8 -nocrypt -outform pem > rsa-4096-private-key.pem

-nocrypt writes the private key unencrypted, so keep the file mode 0600 (genpkey already emits PKCS#8, so the pkcs8 stage only makes that explicit). Drop -nocrypt if you want a passphrase on the key; OpenVPN can read it via askpass.

The public key is derived from the private key, so the CSR below does not need it; if you want it on its own (SubjectPublicKeyInfo, PEM):

openssl pkey -pubout -inform pem -outform pem \
 -in rsa-4096-private-key.pem \
 -out rsa-4096-public-key.spki

Some interesting readings on OpenSSL:
https://www.sslshopper.com/article-most-common-openssl-commands.html

Generate the CSR and fill in the details as asked. You can leave most fields empty if the certificate will only be used by OpenVPN; the CA, not the CSR, decides what ends up in the issued certificate, so inspect the result when it comes back (see below). If your email address is not in the certificate, the certificate cannot be used to tie the VPN connection to you.

openssl req -new -sha256 -key rsa-4096-private-key.pem -out rsa-4096-private-key.csr

Send this to CAcert, and receive a signed certificate from them by email.

Information from certificates and CSRs can be obtained with this:

openssl x509 -noout -subject -in <certificate>.crt
openssl req -in <request>.csr -noout -text

The big question that now pops up is whether we trust CAcert enough to let them sign the certificates. If we were our own Certificate Authority, we would know exactly which certificates we have signed.

If you are using OpenVPN for your organisation it is probably better not to use any public certificates for OpenVPN but to create your own CA and only accept certificates issued by this CA. This is actually the way proposed in the OpenVPN HOWTO. This way you are in full control of the certificates, and even if one of the public CAs gets compromised and issues certificates in your name, none of your OpenVPN endpoints will accept these, because only certificates issued by your own CA are accepted.

Apart from that: using a self-signed certificate does not impose a risk by itself, not for VPN and not for HTTPS. The risk is only there if the certificate is not fully validated. A self-signed certificate cannot be validated without additional information (a pinned copy, or a CA file that contains it). So if a client connects to a server without that, the connection is encrypted, but the server is not verified.

If the server is not verified, a man-in-the-middle attack is possible. This not only includes stealing the VPN credentials but also intercepting or modifying the traffic. Since VPN connections are often considered as safe as internal connections inside the company, the attacker can thus get access to interesting data or mount attacks against internal clients.

Knowing this, we will need to add some extra security measures.

  • Besides certificates, also make use of a username/password combination for the clients.
  • Get a server certificate for a full domain name, and let the client check that name (verify-x509-name <name> name). This makes a MitM attack harder, because the attacker would need a certificate for exactly that name, not just any certificate from the same CA.
  • Let the server verify that the common name in the client certificate matches the username, and disconnect if not:
    https://github.com/OpenVPN/openvpn/blob/master/sample/sample-scripts/ucn.pl
    Unfortunately, CAcert does not put the CN in their certificates if you are not a “Trusted User (WoT)”.

Generate a private key for the VPN server, and a Certificate Signing request. No need for a public key.

openssl genpkey -algorithm RSA \
 -pkeyopt rsa_keygen_bits:4096\
 -pkeyopt rsa_keygen_pubexp:65537 | \
 openssl pkcs8 -topk8 -nocrypt -outform pem > rsa-4096-server-key.pem

openssl req -new -sha256 -key rsa-4096-server-key.pem -reqexts server -out rsa-4096-server-key.csr

-reqexts names the config section whose extensions are requested in the CSR. -extensions (as in the original command below) selects the section for a self-signed certificate made with -x509; on OpenSSL 1.1 it does not put anything into a plain CSR. Either way the CA decides which extensions the issued certificate actually carries, so check the result with openssl x509 -noout -text once you have it.

If you get the error:

openssl req -new -sha256 -key rsa-4096-server-key.pem -extensions server -out rsa-4096-server-key.csr 
Error Loading extension section server

(with -reqexts the message reads "Error Loading request extension section server"), the openssl configuration file (normally /etc/ssl/openssl.cnf) has no [ server ] section. Add it:

[ server ]
# comment that this section was added manually by myself 
nsCertType = server

nsCertType is the old Netscape extension that the client option ns-cert-type server checks. Current OpenVPN clients check extendedKeyUsage = serverAuth instead (remote-cert-tls server), so a section that carries both extensions saves trouble later.
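The own-CA route recommended above, carried out end to end as an added example (this is not code from the page, from easy-rsa or from Synology): a CA, a server certificate with the server extensions, and a client certificate whose CSR asks for the server extensions and does not get them, which is the point about the CA deciding. The names myvpn-ca, vpn.example.org and alice, the section names and the scratch directory are assumptions; it needs only the openssl command line.

```shell
#!/bin/sh
# Added example, not code from the page or from easy-rsa: a minimal private CA
# for OpenVPN built with plain openssl, along the lines the OpenVPN HOWTO
# recommends. The names myvpn-ca, vpn.example.org and alice are assumptions;
# RSA 2048 keeps the demo quick (use 4096 as elsewhere on this page if you like).
set -eu

PKI=${PKI:-$(mktemp -d)}

# CA config. nsCertType is the legacy Netscape extension that "ns-cert-type
# server" clients check; extendedKeyUsage is what "remote-cert-tls server"
# checks. csr_server exists only to show that a CSR asking for server
# extensions does not get them: the CA's section decides.
write_config() {
    cat > "$PKI/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
[ csr_server ]
nsCertType = server
extendedKeyUsage = serverAuth
[ ca_ext ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server ]
basicConstraints = CA:FALSE
nsCertType = server
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ client ]
basicConstraints = CA:FALSE
nsCertType = client
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# CA key and self-signed CA certificate: the "ca ca.crt" both sides trust.
make_ca() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$PKI/ca.key"
    openssl req -new -x509 -sha256 -days 3650 -key "$PKI/ca.key" \
        -config "$PKI/openssl.cnf" -extensions ca_ext -subj "/CN=myvpn-ca" \
        -out "$PKI/ca.crt"
}

# issue <name> <cn> <section> [reqexts]
# Key, CSR and CA-signed certificate for one endpoint. The certificate gets the
# extensions of the CA's <section>; whatever the CSR requested (<reqexts>) is
# dropped by "openssl x509 -req".
issue() {
    name=$1; cn=$2; section=$3; reqexts=${4:-}
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$PKI/$name.key"
    openssl req -new -sha256 -key "$PKI/$name.key" -config "$PKI/openssl.cnf" \
        -subj "/CN=$cn" ${reqexts:+-reqexts "$reqexts"} -out "$PKI/$name.csr"
    openssl x509 -req -sha256 -days 365 -in "$PKI/$name.csr" \
        -CA "$PKI/ca.crt" -CAkey "$PKI/ca.key" -CAcreateserial \
        -extfile "$PKI/openssl.cnf" -extensions "$section" -out "$PKI/$name.crt"
}

# What OpenVPN's "ca ca.crt" amounts to: does the certificate chain to our CA?
verify_chain()    { openssl verify -CAfile "$PKI/ca.crt" "$PKI/$1.crt" >/dev/null; }
# What "remote-cert-tls server" looks for in the server certificate.
has_server_eku()  { openssl x509 -noout -text -in "$PKI/$1.crt" | grep -q "TLS Web Server Authentication"; }
# What the legacy "ns-cert-type server" looks for.
has_ns_server()   { openssl x509 -noout -text -in "$PKI/$1.crt" | grep -q "SSL Server"; }
# Did the CSR ask for server extensions?
csr_asks_server() { openssl req -noout -text -in "$PKI/$1.csr" | grep -q "TLS Web Server Authentication"; }
# Subject CN: what "verify-x509-name <cn> name" and username-as-common-name compare.
subject_cn()      { openssl x509 -noout -subject -nameopt RFC2253 -in "$PKI/$1.crt" | sed 's/^subject= *//'; }

# CA, server certificate, and a client certificate whose CSR asked to be a
# server and was not granted it.
build_pki() {
    write_config
    make_ca
    issue server vpn.example.org server
    issue alice alice client csr_server
    verify_chain server && verify_chain alice &&
        has_server_eku server && ! has_server_eku alice
}

build_pki && echo "PKI written to $PKI"
```

The same checks apply to a certificate you get back from CAcert or any other CA: run has_server_eku / has_ns_server on it before you put it on the server, and you will know in advance whether clients with remote-cert-tls server or ns-cert-type server will accept it.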

Generate the DH parameters (this takes a while):

openssl dhparam 2048 > dh2048.pem

OpenVPN 2.4 and later can do without them: dh none in the server config makes it use ECDH instead.

If you want to harden the setup further, have a look at these OpenVPN server options:

username-as-common-name
client-config-dir <dir>

The first identifies the session by the authenticated username instead of the certificate CN; the second holds per-client settings, one file per name, and together with ccd-exclusive refuses clients that have no file.
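The measures from the list above and these options, put together into a server and a client option set as an added example (not a configuration from the page or from Synology's VPN Center; file names, the ccd directory, the check-user.sh script and vpn.example.org are assumptions). tls-crypt, remote-cert-tls client and verify-client-cert need OpenVPN 2.4; on 2.3 use tls-auth ta.key 0 / tls-auth ta.key 1 instead of tls-crypt and drop verify-client-cert.

```conf
### server.conf
# Only certificates issued by this CA are accepted.
ca   ca.crt
cert server.crt
key  server.key
# Or "dh none" on 2.4+ to use ECDH.
dh   dh2048.pem
# Pre-shared key: packets without it are dropped before any TLS code runs.
tls-crypt ta.key
tls-version-min 1.2
cipher AES-256-GCM
auth SHA256
# The client certificate must carry extendedKeyUsage clientAuth, and must be present.
remote-cert-tls client
verify-client-cert require
# Second factor: username/password checked by a script (via-env passes them as env vars).
auth-user-pass-verify /etc/openvpn/check-user.sh via-env
# The username, not the certificate CN, names the session and selects the ccd file.
username-as-common-name
client-config-dir /etc/openvpn/ccd
# No ccd file for that name: no connection.
ccd-exclusive
# Lets you revoke a lost client key without rebuilding the CA.
crl-verify crl.pem

### client.conf
client
remote vpn.example.org 1194
ca   ca.crt
cert alice.crt
key  alice.key
tls-crypt ta.key
# Replaces the deprecated "ns-cert-type server": checks extendedKeyUsage serverAuth.
remote-cert-tls server
# The server certificate's CN must be this name, not just any certificate from the CA.
verify-x509-name vpn.example.org name
auth-user-pass
```

With a public CA such as CAcert the verify-x509-name line is what keeps every other certificate that CA has ever issued from being accepted as your VPN server; with a private CA it is a cheap extra.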

 


Convert a traditional PEM private key (PKCS#1, "BEGIN RSA PRIVATE KEY") to PKCS#8 with:

openssl pkcs8 -topk8 -in <server.key> -out server-pkcs8.key -nocrypt

 

An OpenSSH-generated key cannot be fed to OpenSSL directly; the following does not work, because openssl req does not understand the OpenSSH private key format:

ssh-keygen -o -a 100 -t ed25519 -f <username>.key

openssl req -key <username>.key -new -out <username>.csr

ssh-keygen can export a key in PEM, but only the public half (-m pem gives PKCS#1, -m PKCS8 gives SPKI):

ssh-keygen -f <input>.key -e -m pem

But these are SSH k

 

Other OpenSSL key generation variants:

openssl genrsa -des3 -out private.pem 4096
(RSA key, passphrase-protected with 3DES; legacy, prefer genpkey as above)

openssl genpkey -algorithm Ed25519 -out ed25519key.pem
(needs OpenSSL 1.1.1 or later)

openssl req -new -sha256 -key <key>.pem -out <key>.csr

Synology VPN Center locations:

/usr/syno/etc/packages/VPNCenter/openvpn
(OpenVPN server configuration and key directory on DSM)

/opt/share/easy-rsa
(easy-rsa, when installed under /opt)

/var/packages/VPNCenter/target/scripts/openvpn.sh {start|stop|restart}
(start/stop script for the OpenVPN server)

Now, we need to build a server key/certificate pair. With easy-rsa 2 (after source ./vars and ./build-ca):

./build-key-server server1

(easy-rsa 3 uses ./easyrsa build-server-full server1 instead.)

 


 

Radeon HD8890M graphics card and Ubuntu 18.04

To see which graphics card is installed:
https://www.cyberciti.biz/faq/linux-tell-which-graphics-vga-card-installed/

lspci | grep -i --color 'vga\|3d\|2d'
01:00.0 VGA compatible controller: Advanced Micro Devices, Inc. [AMD/ATI] Venus XTX [Radeon HD 8890M / R9 M275X/M375X] (rev 83)
sudo lspci -v -s 01:00.0 # Note the Device ID from the previous output
01:00.0 VGA compatible controller: Advanced Micro Devices, Inc. [AMD/ATI] Venus XTX [Radeon HD 8890M / R9 M275X/M375X] (rev 83) (prog-if 00 [VGA controller])
Subsystem: Dell Venus XTX [Radeon HD 8890M / R9 M275X/M375X]
Flags: fast devsel, IRQ 16
Memory at c0000000 (64-bit, prefetchable) [size=256M]
Memory at dfe00000 (64-bit, non-prefetchable) [size=256K]
I/O ports at e000 [size=256]
Expansion ROM at 000c0000 [disabled] [size=128K]
Capabilities: [48] Vendor Specific Information: Len=08 <?>
Capabilities: [50] Power Management version 3
Capabilities: [58] Express Legacy Endpoint, MSI 00
Capabilities: [a0] MSI: Enable- Count=1/1 Maskable- 64bit+
Capabilities: [100] Vendor Specific Information: ID=0001 Rev=1 Len=010 
Capabilities: [150] Advanced Error Reporting
Capabilities: [200] #15
Capabilities: [270] #19
Kernel modules: radeon, amdgpu

I used the early preview AMD driver Amdgpu-pro-18.20-579836. It seems to work fine with my notebook and docking station. The normal version is installed, the pro version seems to give issues.

Run sudo lshw -c video, and look for the line with “configuration”. The loaded driver is prefixed with “driver=”

And this gives you loads of information on the driver itself.

modinfo $(modprobe --resolve-alias radeon)

lspci -nnk | grep -i vga -A3 | grep 'in use' also shows which graphics option is being used in the current configuration.

You can blacklist the radeon driver by adding blacklist radeon to /etc/modprobe.d/blacklist-radeon.conf
and by adding blacklist radeonfb to /etc/modprobe.d/blacklist-framebuffer.conf

Note that this does NOT stop the card from being turned on at boot, and consuming a lot of power.

Setting driver options:

Follow this page on info of kernel module features and settings.
https://wiki.archlinux.org/index.php/Kernel_module

Driver features can be set by adding specific options to your boot environment in grub (/etc/default/grub):

GRUB_CMDLINE_LINUX_DEFAULT="quiet splash radeon.dpm=1"
sudo update-grub

An alternative is adding files to /etc/modprobe.d/, that will be read at boot time

/etc/modprobe.d/radeon.conf
# Force the Dynamic Power Management
options radeon dpm=1

The resulting settings are made visible with this command:

systool -v -m radeon

More power settings

The Radeon driver supports more power settings. See here:

https://www.x.org/wiki/RadeonFeature/#index3h2

You can see the current selected method, profile and details with:

cat /sys/class/drm/card0/device/power_method
cat /sys/class/drm/card0/device/power_profile
sudo cat /sys/kernel/debug/dri/0/radeon_pm_info

Disabling the Radeon HD8890M to reduce power consumption

Discrete graphics cards have the disadvantage that they consume a lot of power, and are best used with external power connected.
But what if you do not need the extra graphical power, battery time is more important?

You can keep the radeon driver from loading by blacklisting it, or by using the kernel parameter radeon.modeset=0; either way you end up on the embedded graphics.
In both cases no driver is loaded, but the card is still switched on and draws power as if it were in full use.

An other option is to disable the card in the BIOS/UEFI. On my Dell Precision 7510, this is however not possible.

So the remaining option is to use the power settings described above to reduce the consumption. This works pretty well.
Some power statistics for the different options:

  • No driver loaded
    power drawn from battery with no load: 27W
  • Driver loaded, radeon dpm=0,
    echo dynpm > /sys/class/drm/card0/device/power_method

power drawn from battery with no load: 34W

sudo cat /sys/kernel/debug/dri/0/radeon_pm_info
default engine clock: 925000 kHz
current engine clock: 924980 kHz
default memory clock: 1125000 kHz
current memory clock: 1125000 kHz
voltage: 1200 mV
PCIE lanes: 16

  • Driver loaded, radeon dpm=0,
    echo profile > /sys/class/drm/card0/device/power_method
    echo default > /sys/class/drm/card0/device/power_profile

power drawn from battery with no load: 34W

sudo cat /sys/kernel/debug/dri/0/radeon_pm_info
default engine clock: 925000 kHz
current engine clock: 924980 kHz
default memory clock: 1125000 kHz
current memory clock: 1125000 kHz
voltage: 1200 mV
PCIE lanes: 16

  • Driver loaded, radeon dpm=0,
    echo profile > /sys/class/drm/card0/device/power_method
    echo low > /sys/class/drm/card0/device/power_profile

power drawn from battery with no load: 19W

sudo cat /sys/kernel/debug/dri/0/radeon_pm_info
default engine clock: 925000 kHz
current engine clock: 299990 kHz
default memory clock: 1125000 kHz
current memory clock: 150000 kHz
voltage: 825 mV
PCIE lanes: 16

  • Driver loaded, radeon dpm=1, which uses hardware on the GPU to dynamically change the clocks and voltage based on GPU load. It also enables clock and power gating

cat /sys/class/drm/card0/device/power_method
dpm
cat /sys/class/drm/card0/device/power_profile
default

power drawn from battery with no load: 20W

sudo cat /sys/kernel/debug/dri/0/radeon_pm_info
uvd vclk: 0 dclk: 0
power level 0 sclk: 30000 mclk: 15000 vddc: 900 vddci: 0 pcie gen: 3
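Switching profiles by hand as above works, but the sysfs files accept anything and never tell you that a profile written while the card runs dpm is ignored. As an added example (not a script from the page), a small shell helper that does those two checks; the sysfs directory is a parameter so it can be tried against a fake tree without root, and the profile list and the assumption that power_profile only matters under the profile method come from the x.org RadeonFeature page linked above.

```shell
#!/bin/sh
# Added example, not from the page: change the radeon power profile with the
# two checks the sysfs files do not do for you. The sysfs directory is a
# parameter so the functions can be exercised against a fake tree without root;
# on a real system it is /sys/class/drm/card0/device.
set -u

# Profiles the radeon "profile" method accepts (x.org RadeonFeature page).
RADEON_PROFILES="default auto low mid high"

radeon_power_method()  { cat "$1/power_method"; }    # "profile", "dynpm" or "dpm"
radeon_power_profile() { cat "$1/power_profile"; }

# radeon_set_profile <sysfs-dir> <profile>
# Returns 1 for an unknown profile and 2 when the card is not in the profile
# method: under dpm the hardware picks the clocks itself and power_profile is
# ignored, so writing "low" there only looks as if it worked. Boot with
# radeon.dpm=0 and "echo profile > power_method" first, as in the statistics above.
radeon_set_profile() {
    dev=$1; want=$2
    case " $RADEON_PROFILES " in
        *" $want "*) ;;
        *) echo "unknown profile: $want (one of: $RADEON_PROFILES)" >&2; return 1 ;;
    esac
    method=$(radeon_power_method "$dev")
    if [ "$method" != "profile" ]; then
        echo "power_method is $method; power_profile would be ignored" >&2
        return 2
    fi
    printf '%s\n' "$want" > "$dev/power_profile"
}

# Throw-away sysfs look-alike (constructed test data, not a real card).
radeon_fake_sysfs() {  # radeon_fake_sysfs profile|dpm
    d=$(mktemp -d)
    printf '%s\n' "$1" > "$d/power_method"
    printf 'default\n' > "$d/power_profile"
    printf '%s' "$d"
}
```

On the real card: sudo sh -c '. ./radeon-power.sh; radeon_set_profile /sys/class/drm/card0/device low' (the file name is yours to choose), and check the effect with the radeon_pm_info command from the statistics above.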

 

Final remarks:

I did not look at vgaswitcheroo, only at the driver options.

 

Ubuntu software update window

If you’re looking to open the software update window from the command line (which is what I gathered you were getting at, mostly because that’s why I searched for this and ended up here as that is my goal) in order to give yourself root access to the GUI window (I had a permission issue trying to do this from remoting in)

sudo update-manager

SMB printer definition in Gnome 3 Shell

The standard interface for adding printers in Gnome 3 is not very extensive. When you need to add a lot of options, better to use the following:

system-config-printer

This will start a GUI that mimics the inputs and outputs of CUPS, that you can find on http://localhost:631/
CUPS does not allow for some characters to be entered in the forms, where system-config-printer does.
The command lets you browse and search for your printer, but if you already know the URL, then entering that URL directly is preferred. Consider the following:

smb://<user_name>:<password>@<domain_name>/<server_name>/<printer_name>

The password is stored in clear text in a file that only root and CUPS can read, so it is reasonably safe on a single-user machine. Still, use a dedicated print-only domain account rather than your own password: anyone with root on the box, or with a backup of it, can read it.
You can find this file here:

/etc/cups/printers.conf

After changes to this file, restart CUPS

sudo systemctl restart cups.service

Please do not forget to install the packages smbclient and python3-smbc.
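The characters CUPS' web form rejects are the ones that have a meaning in a URI (@, /, :, space, %), and the device URI is accepted if they are percent-encoded. As an added example (not code from the page or from CUPS), a shell helper that builds the smb:// URI with the user name and password encoded and registers the queue with lpadmin, the command-line equivalent of the GUI. ASCII only; that CUPS decodes %XX in the user and password part is an assumption based on its use of standard URI parsing.

```shell
#!/bin/sh
# Added example, not from the page: build the smb:// device URI for CUPS with
# user name and password percent-encoded, so @ / : space and the like survive
# the URI syntax. ASCII only. Assumes CUPS decodes %XX in the authority part.

# urlencode <string>: percent-encode everything but RFC 3986 unreserved characters
urlencode() {
    s=$1; out=""
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}     # first character
        s=${s#?}            # the rest
        case $c in
            [abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._~-]) out="$out$c" ;;
            *) out="$out$(printf '%%%02X' "'$c")" ;;   # "'c" gives the character's code
        esac
    done
    printf '%s' "$out"
}

# smb_printer_uri <user> <password> <domain> <server> <printer>
smb_printer_uri() {
    printf 'smb://%s:%s@%s/%s/%s' "$(urlencode "$1")" "$(urlencode "$2")" "$3" "$4" "$5"
}

# add_smb_printer <queue-name> <uri> [ppd-or-model for -m]
# Same result as the GUI: the URI, password included, ends up in clear text in
# /etc/cups/printers.conf, so use a dedicated print-only account.
add_smb_printer() {
    if [ -n "${3:-}" ]; then
        lpadmin -p "$1" -E -v "$2" -m "$3"
    else
        lpadmin -p "$1" -E -v "$2"
    fi
}
```

Usage: add_smb_printer hp1 "$(smb_printer_uri alice 'p@ss w/rd' CORP fileserver hp1)" followed by the driver of your choice as third argument; the URI for that call is smb://alice:p%40ss%20w%2Frd@CORP/fileserver/hp1.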

Install VideoLAN VLC and VLSub on

VLSub is not working with Vlc 2.1.x on any platform because the lua “net” module needed to interact with opensubtitles has been removed in this release for the extensions.

We will install a daily build from VideoLAN, for which we need a third-party PPA. Use at your own risk: packages from a PPA are installed as root, so you are trusting its maintainer with your machine.

PPA Videolan for vlc and vlc-nox:
sudo add-apt-repository ppa:videolan/master-daily
sudo apt-get update
sudo apt install vlc

If VLC crashes when playing MP4, have a look at:

Video output module:
Tools->Preferences->Video->Output

Hardware acceleration:
Tools->Preferences->Input/Codec->Hardware accelerated decoding

and play with the options.

I think aptitude is friendlier than apt-get, whatever…
sudo aptitude install vlc

VLSub will be installed automatically and is functional within VLC. All codecs should be available as well.

Pidgin & Office Communicator

There is a good plugin for Office Communicator (later Office Lync) for Pidgin:

pidgin-sipe

And it is available through the standard repositories of Ubuntu.

Remember to use the DOMAIN name before the username (DOMAIN\user.name) and that the domain name is in uppercase.

Synology certificates, SSL and Open VPN [DSM 5.0]

Information for DSM 5.0. The certificates can be found here: /usr/syno/etc/ssl

This page gives you good information on how to create home-made certificates for your Synology NAS: http://forum.synology.com/wiki/index.php/How_to_generate_custom_SSL_certificates

I prefer to let a Certificate Authority sign my certificates. CAcert offers this as a free service (https://www.cacert.org/). It will not give you a 100% guarantee, but it is better than using the self-signed certificates from Synology:

  • You can import the root certificate of the CA to most tools/OS. That way you do not need to add a security exception when connecting.
  • Some tools do not allow you to add security exception, so using a self signed certificate is not an option.

Restart the OpenVPN server with: /var/packages/VPNCenter/target/scripts/openvpn.sh {start|stop|restart}
"stop" does not actually stop it; you need to kill the processes manually. "restart" does work, oddly enough.

/usr/syno/etc/packages/VPNCenter/openvpn/openvpn.conf is the configuration file for the OpenVPN server. Enable the logging option log-append /var/log/openvpn.log to get useful information on what is happening with the server.

The keys and certificates used by OpenVPN can be found here:

/usr/syno/etc/packages/VPNCenter/openvpn/keys
In the config file openvpn.conf, there are pointers to these files.

Note that the certificates we use are probably not of the type “server”. If you get this error when connecting to the server:

VERIFY nsCertType ERROR: CN=<yourHostName>, require nsCertType=SERVER

then the client config has ns-cert-type server but the server certificate lacks the nsCertType = server extension. You can make it connect by removing this line from the client config:
ns-cert-type server

Be aware of what you give up: without that line (or its modern replacement remote-cert-tls server, which checks extendedKeyUsage = serverAuth) and without verify-x509-name, the client accepts any certificate issued by the same CA as the server, a client certificate included, and with a public CA like CAcert that means any certificate that CA has ever issued. That is exactly the man-in-the-middle opening described earlier on this page. The better fix is a proper server certificate with the server extensions.