Configuring IPsec IKEv2 in OpenWrt 15.05

The interoperability of IPsec implementations across platforms has improved steadily over the last few years. For example, Windows 7 and newer releases fully support the IKEv2 (RFC 4306) and MOBIKE (RFC 4555) standards, and iOS has supported configuring IKEv2 in the GUI since version 9.0.

In this tutorial, we’ll install strongSwan 5.3.3 in OpenWrt 15.05, configure it to provide IKEv2 service with public key authentication of the server and username/password based authentication of the clients using EAP-MSCHAP v2, and finally set up the VPN clients in Windows, Android and iOS so they can connect to it. Much of the complexity of IKEv2 configuration lies in the creation of SSL certificates.

Installation

First of all, install the necessary strongSwan packages in OpenWrt 15.05:

root@OpenWrt:~# opkg update
root@OpenWrt:~# opkg install strongswan-minimal strongswan-mod-eap-mschapv2 strongswan-mod-eap-identity strongswan-mod-constraints strongswan-mod-md5 strongswan-mod-pem strongswan-mod-pkcs1 strongswan-mod-revocation


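GnuPG: High-Strength Encryption Software That Everyone Can Use

PGP (Pretty Good Privacy) is a software suite for encrypting and decrypting data and for generating and verifying digital signatures. It is built from a set of hashing, data compression, symmetric-key encryption and public-key encryption algorithms, and each function offers several algorithms to choose from.

Asymmetric public-key encryption makes secure key exchange simple: typically the recipient's public key is used to encrypt a one-time session key, and the data is then encrypted with a secure symmetric cipher and this session key. Everyone can generate their own public/private key pair. The public key, as the name suggests, is a key that can be made public; it can be shared with everyone you correspond with, and it can also be uploaded to the OpenPGP public key servers used for exchanging public keys. The private key must be kept strictly secret and never shared with anyone. Information that others encrypt with your public key can be decrypted only by you, using the corresponding private key. For digital signatures, you sign the data with your own private key, and others verify your signature with your public key, ensuring that the data has not been tampered with in transit.

Public-key algorithms mathematically guarantee that the private key cannot be computed from the public key. With current technology, even if they could be broken using a computing cluster or a quantum computer, doing so would come at a very high cost. For individuals and ordinary businesses, the PGP suite provides sufficient encryption strength.

GnuPG (GNU Privacy Guard) is a free, open-source and complete replacement for PGP, released under the GPL license and compliant with the OpenPGP standard (RFC 4880).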

A Dummie’s Guide to Flashing Factory Firmware on Nexus 7 [2013]

This guide aims to teach people with basic computer skills to flash a factory firmware image on the Nexus 7 [2013] using Windows 7/10. It should apply to other modern stock Android devices.

Note: To prevent unauthorized access, unlocking the bootloader will delete all personal data on the device. Therefore, you must back up important data before proceeding with the following procedure.

Keeping track of svn repositories using git

  • Clone an svn repository with its entire history.

    git svn clone --prefix=origin/ svn://svn.dd-wrt.com/DD-WRT

    Note: This can be very time-consuming on a large svn repository, especially when network connectivity is poor.

  • Clone an svn repository with recent history only.

    git svn clone --prefix=origin/ -r 28015:HEAD svn://svn.dd-wrt.com/DD-WRT

  • When cloning fails on a large repository, keep fetching until it’s done.

    cd DD-WRT
    while ! git svn fetch; do sleep 10; done

  • Fetch unfetched commits from the svn repository and rebase current work against it.

    git svn rebase

  • Check out an older svn revision.

    git checkout `git svn find-rev r28015`

  • Return to the latest revision.

    git checkout master

  • Remove untracked files in the current directory.

    git clean -n
    git clean -f

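Setting a certificate bundle file for wget running on Windows

When run on Windows, wget looks for its wgetrc configuration file in four places. In descending order of priority, they are:

  • The file pointed to by the WGETRC environment variable.
  • If the HOME environment variable is set, the configuration file is %HOME%\.wgetrc.
  • .wgetrc in the directory containing wget.exe.
  • wget.ini in the directory containing wget.exe.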


Removing alternative Ubuntu flavors completely

When Ubuntu users want to try other Ubuntu flavors, e.g. Xubuntu and Lubuntu, they usually just install the corresponding meta packages:

$ sudo apt-get install xubuntu-desktop

or

$ sudo apt-get install lubuntu-desktop

apt-get installs their dependencies automatically. However, when users want to remove the alternative Ubuntu flavors completely, they are out of luck, because inter-dependencies among many packages can be rather complex, and the apt tools simply do not automatically remove the dependencies of meta packages.

Upgrading Ubuntu 12.04 to 14.04 on Pentium-M computers

Starting from 12.10, Ubuntu no longer offered non-PAE kernels. Some Pentium-M processors do not announce the PAE flag, although they actually have the PAE capability. When doing a release upgrade from 12.04, the Ubuntu release upgrade tool will complain about the missing PAE feature on such computers and then abort after printing a link to the EnablingPAE document on the Ubuntu community help website. However, this document only covers fresh Ubuntu installations on such computers, leaving release upgrade users out in the cold.