WireGuard VPN Setup with QR Code - Mobile Security and Ad Blocking


This post will go over setting up a WireGuard VPN server using OpenWRT. Part 2 will focus on setting up Pi-Hole. You could also use a $5/month VPS service, but I already had all the hardware needed to do it at home. Skip to instructions.

What you will need:

  1. An OpenWRT router with LuCi and enough space to install the WireGuard software and DDNS software. 
  2. A domain name. I am using namecheap.com which includes a Dynamic DNS service. It can be ANY domain name, even the $.99 per year type. 
  3. Raspberry Pi with PiHole installed (Optional) 

 What this will do: 

  1. Add security when using public wifi or cellular data. Since all data is encrypted and sent through your home internet connection, traffic cannot be sniffed or intercepted. 
  2. Keep your browsing history private - meaning the wifi owner or cellular carrier will not be able to see your internet activity. 
  3. Bypass content filters put in place by wifi hotspot operators or cellular carriers. 
  4. Remove ads without installing a plugin or app. (Optional) 

 What this will NOT do: 

  1. Anonymize your traffic through your ISP. If you are trying to pirate content or do something else undesirable, this is NOT the walkthrough you are looking for. In fact, this will do the opposite of what you are looking for, since your ISP will have even MORE usage metrics from your account. I mention this because when you do a "VPN" search on google, most results are for shady VPN companies. 
  2. This will not save battery life! It will drain your battery faster than normal when the VPN is active.
  3. Increase speed. Your download speed will be limited to the upload speed of your home internet, which is typically somewhat slow. 

Parts used in this post:

  1. TP-Link Archer C7 v2
  2. OpenWRT 18.06
  3. Namecheap DNS register and DDNS  https://www.namecheap.com
  4. Raspberry Pi 3
  5. Pi-hole https://pi-hole.net

Here are some of the sources I used when configuring:
https://openwrt.org/docs/guide-user/services/vpn/wireguard
https://www.wireguard.com
http://chrisbuchan.co.uk/uncategorized/wireguard-setup-openwrt/

Windows 7 Extremely Long Update Check

This issue has hit me many times lately, so I'm creating a post for easy reference. If you are starting from scratch with a Windows 7 SP1 ISO or CD, checking for updates through the Windows Update control panel can take hours. In my experience it will completely max out 1 core.

The easiest fix I've found is to install the April 2015 servicing stack update and then July 2016 update rollup.

Unfortunately the links above won't work on a brand new install because Microsoft is currently blocking IE 8. Use these direct links to download the updates:

April 2015 Servicing Stack Update:
KB3020369 x86
KB3020369 x64

The service stack update must be installed first or the update rollup will say it's not applicable to the computer!

July 2016 Update Rollup:
KB3172605 x86
KB3172605 x64

After rebooting, Windows should now check for updates in a reasonable amount of time. Hope this helps someone.

Graylog Cisco ASA Syslog ID Extractor

I recently did an in-place upgrade on the Graylog appliance and unfortunately it created a new "appliance-syslog-udp (Syslog UDP)" input that took priority over my custom syslog input already running on UDP 514. This caused the extractor configured on the original input to no longer be active.

I was able to easily export the extractor from old input and then import it to the new input using the web interface. Here is the JSON data in case anyone else out there is interested in extracting syslog IDs from a Cisco ASA. This will allow your to search your data using ASASyslogID.

Graylog Cisco ASA Syslog ID Extractor

{
  "extractors": [
    {
      "condition_type": "none",
      "condition_value": "",
      "converters": [],
      "cursor_strategy": "copy",
      "extractor_config": {
        "regex_value": "%ASA-\\w-(.{0,6})"
      },
      "extractor_type": "regex",
      "order": 0,
      "source_field": "message",
      "target_field": "ASASyslogID",
      "title": "ASA Syslog ID"
    }
  ],
  "version": "1.3.0 (04201bb)"
}

Browse Securely Using an SSH Tunnel and Raspberry Pi

Any time you use an unsecured wifi connection at a public location such as a coffee shop, you run the risk of a nearby device spying on data you are sending and receiving. This post will go over setting up an SSH tunnel connected to a Raspberry Pi (or other linux device) at home that will not only secure your connection, but also get around any content filtering the location may have in place. It is also a quick and easy way to remote into your home network without having to use a VPN.

The Raspberry Pi is an ideal device for this because it is cheap, easy to setup, and uses very little power. 

Keep in mind, this does not anonymize your internet activity so don't get any ideas about using this for nefarious purposes.

If you already have your SSH server configured, skip ahead to the computer setup.
Mac
Linux
Windows

Hardware Requirements
1. Raspberry Pi Model B running Raspbian and connected to your home LAN.
2. Internet router capable of port forwarding
2a. Internet router capable of Dynamic DNS (Optional)
2b. Dynamic DNS Service (Optional)

Actually, any model Raspberry Pi will do. I list the Model B because all you need to do is plug it into your home network.
For the router, I think it would be harder to find a device that doesn't support port forwarding. Consult your manual for setup, as the process can be quite different depending on the brand you have.
I definitely recommend using a dynamic DNS service as it will make your life a lot easier in the long run. While I haven't used it, I have read good things about Duck DNS at https://duckdns.org/about.jsp

Raspberry Pi Setup
Follow one of the many multitudes of setup guides. This is an excellent place to start: http://www.raspberrypi.org/help/quick-start-guide/
For this guide, the Pi must:
1. Be able to reach the internet
2. Have a static IP on your LAN.

Please note your LAN IP address for the router setup.

Router Setup
Follow the instructions for your router to forward port 22 to the IP address of the Pi..

Note your home IP address
If you don't have a static WAN IP and are not using a Dynamic DNS service you need to check your IP before you leave home. There are many options to find your IP, here are a few:
  • Go to google.com and type "what is my ip" and your public address should be at the top of the page. 

Setup Your Device

OS X Yosemite
1. Open the terminal and type the command below. Change user to the username on the destination Raspberry Pi (usually "pi"), and home_fqdn to your Dynamic DNS name or WAN IP.

ssh -D 5000 -N user@home_fqdn

-D = Port to listen on
-N = Don't execute a remote command
-C = Compression (only use on very slow connections)

Type type yes if prompted about a security certificate, and then type the password for your user. When you hit enter the cursor will move down  to a new blank line. Leave the terminal window open until you are done using the internet.

2. Configure your internet browser.
  • Go to "System Preferences"
  • Go to "Network"
  • Click your connection (probably Wi-Fi) and then click the advanced towards the bottom right.
  • Click "Proxies" then check "SOCKS Proxy"
  • In the "SOCKS Proxy Server" field that appears on the right, type "localhost" in the first box, and "5000" in the  second box.  Click OK, then apply.

At this point Safari and any other browser that check the system preferences (Chrome and Firefox) will now use the SSH tunnel. You can test by going to http://dustinbarnett.com/ip and your home IP address should be displayed.

When you are done, go back to the terminal and press ctrl-c on the keyboard, then reverse the network configuration settings.

Linux
Open a terminal and type:

ssh -D 5000 -N user@home_fqdn

Type type yes if prompted about a security certificate, and then type the password for the user. When you hit enter the cursor will move down  to a new blank line. Leave the terminal window open. Configure a SOCKS proxy server that points to localhost:5000. The procedure for this depends on the browser and distribution you are using.
When done, hit ctrl-c on the terminal to end the ssh session, then reverse the proxy settings.

Windows
For Windows, the process is different since it doesn't have a built in SSH client. First download Putty here:
http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
(Don't mind the sketchy-looking download link)

1. Open Putty, click on "Tunnels" located under Connection->SSH tree.


2. Type "5000" into the Source port field.
3. Click the "Dynamic" radio button.
3. At the top of the menu tree click "Session"
4. Enter your home IP in the host name field, Then click the save button. Next time you want to connect you can just use the saved session as long as your IP stays the same.
5. Edit the SOCKS proxy to localhost:5000 and you're good to go.

Hopefully my instructions are clear enough. Let me know if you have any questions!