Friday 21 July 2017

Mikrotik + Android + LetsEncrypt + OpenVPN Bridge + DHCP = Possible!


Recently I have been traveling a lot for business, so I often need to access my home network from remote locations around the world. The obvious way to arrange this is to build a road-warrior VPN setup on a home router or on a home computer acting as the server.

There are a ton of guides on the web, but all of them describe connecting a desktop client in tunnel mode. For my needs, however, I want a VPN link that makes my remote devices behave just as if they were on my home WiFi network.

Having finally solved this challenge, I am eager to share the solution with other people facing the same problem.

As a server side I use a MikroTik RB951 router:


This $70 SOHO-class router is ideal for home networks operating in "set it and forget it" mode, where the power of MikroTik's own software platform, RouterOS, makes nearly any home network configuration possible. The only drawback of the device is a single-core CPU running at 750 MHz max and no hardware AES acceleration, which makes OpenVPN encryption purely CPU-bound.

My goal was to make a VPN link that truly bridges the remote device into the network, including DHCP address assignment, full IPv6 support and smooth UDP transfers. As the client side, I use a stock Android 7.1.2 phone.

I decided to use an OpenVPN bridge for my setup. OpenVPN is the de facto industry standard for building virtual private networks. Its open-source implementation and availability for every platform (including Android, iOS, BlackBerry and Windows Phone) make it a perfect choice for remote networking worldwide.

Unfortunately, MikroTik's OpenVPN server implementation lacks some standard features of the OpenVPN protocol, such as:
  • UDP packet encapsulation - only TCP mode is available
  • LZO compression
  • Official support for DHCP assignment of a peer IP address
  • EAP-based authentication
Considering this, I was initially quite pessimistic about the prospects of my venture, but during an extensive search I found a paid but very feature-rich VPN client for Android named VPN Client Pro.

VPN Client Pro (Google Play) by Paolo Colucci is a paid VPN client that supports the OpenVPN and SSTP VPN protocols. For OpenVPN it also features a unique component named TAP emulator, whose purpose is to overcome a traditional limitation of the Android VPN API: the inability to use interface bridging on Android without root access and kernel module support for a TAP interface driver. With the TAP emulator, any Android client can obtain its IP address from the internal network's DHCP server, just as if the device were associated with a corporate or home WiFi.

The typical VPN setup begins with certificate generation. However, since I already own a domain and run a LetsEncrypt client for certificate management (I prefer the acme.sh LetsEncrypt client: get it on GitHub), I decided to use the LetsEncrypt certificate for OpenVPN as well.

I saved my certificate and its private key as "ovpn-server" and "ovpn-server-key" files respectively. The trusted root CA and intermediate CA certificates forming the server certificate chain can be found on the LetsEncrypt website:

ISRG Root X1 Root CA certificate used by LetsEncrypt Signing Authority
LetsEncrypt X3 CA certificate cross-signed by ISRG Root X1 Root CA

These certificates were saved as "ovpn-ca" and "ovpn-intermediate" respectively.

After all ovpn-* files were uploaded to the router using the previously configured SSH access, the MikroTik configuration was pretty straightforward. For reference, I used the guide from Taisto with some changes.

I wrote a simple RouterOS script to establish everything at once:

================ CUT HERE ===============
# declare a variable to store the ID of an IPv4 firewall rule
# dropping everything from the WAN side for security
:local dropruleid

# import OpenVPN certificates and keys
/certificate
import file-name="ovpn-ca" passphrase=""
import file-name="ovpn-intermediate" passphrase=""
import file-name="ovpn-server" passphrase=""
import file-name="ovpn-server-key" passphrase=""

# create OpenVPN user and password
/ppp secret
add name="myunguessableuser" password="mysupersecretpassword" service=ovpn

# create an OpenVPN interface to be bridged into a local
# bridge with router's LAN and WLAN ports
/interface ovpn-server
add name=ovpn-user user=myunguessableuser

# create OpenVPN service profile describing the
# local address of bridge
/ppp profile
add bridge=bridge-local local-address=the-router-local-IPv4-address name=openvpn use-encryption=yes

# configure the OpenVPN server instance using the profile and
# certificates, listening on TCP port 443 (HTTPS)
/interface ovpn-server server
set auth=sha1 certificate=ovpn-server_0 cipher=aes128,aes256 default-profile=openvpn enabled=no mode=ethernet port=443

# Add firewall rules allowing external connections from a WAN side
# and denying connections to VPN server from internal network
/ip firewall filter
:set $dropruleid [/ip firewall filter find where comment="defconf: drop all from WAN"]
add action=accept chain=input comment="accept OpenVPN connections on WAN" in-interface=ether1-gateway dst-port=443 protocol=tcp place-before=$dropruleid
add action=reject chain=input comment="reject OpenVPN connections on other interfaces" dst-port=443 protocol=tcp place-before=$dropruleid

# start the OpenVPN server
/interface ovpn-server server
set enabled=yes

# protect VPN interface from neighbor discovery
/ip neighbor discovery
set ovpn-user discover=no

# remove unnecessary files
/file
remove ovpn-ca
remove ovpn-intermediate
remove ovpn-server
remove ovpn-server-key
================ END OF CUT ===============

To use the script, replace the placeholder values of the username, password and router's local IP address in the script and paste it into the WinBox terminal or an SSH console. As a result, the OpenVPN server is configured and running.
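Before opening port 443 on the WAN side it is worth checking that the resulting configuration actually matches the intent of the script above. The following Python audit is an added example, not part of the original post and not RouterOS code: it parses a RouterOS-style export (the text embedded below is constructed to mirror the script after it has run, with the firewall rules in their final order and 192.168.88.1 as a placeholder for the router's LAN address) and reports the points a defender cares about: the server is enabled, no null/md5 authentication or null/blowfish cipher is configured, the WAN accept rule sits before the default "drop all from WAN" rule, a reject rule covers the other interfaces, and a PPP secret exists for the ovpn service. It also flags that require-client-certificate (a RouterOS ovpn-server setting the post's script leaves at its default) is not set, which means the tunnel is protected by the username and password alone.

```python
"""Audit a RouterOS export for the OpenVPN server settings used in this post.

Added example, not part of the original post or of RouterOS itself.
SAMPLE_EXPORT is constructed to mirror the post's script after it has run:
firewall rules appear in their final order (accept and reject already sit
before "defconf: drop all from WAN"), and 192.168.88.1 is a placeholder
for the router's LAN address.
"""
import shlex

SAMPLE_EXPORT = """\
/ppp secret
add name="myunguessableuser" password="mysupersecretpassword" service=ovpn
/ppp profile
add bridge=bridge-local local-address=192.168.88.1 name=openvpn use-encryption=yes
/interface ovpn-server server
set auth=sha1 certificate=ovpn-server_0 cipher=aes128,aes256 default-profile=openvpn enabled=yes mode=ethernet port=443
/ip firewall filter
add action=accept chain=input comment="accept OpenVPN connections on WAN" in-interface=ether1-gateway dst-port=443 protocol=tcp
add action=reject chain=input comment="reject OpenVPN connections on other interfaces" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=ether1-gateway
"""

WEAK_AUTH = {"null", "md5"}
WEAK_CIPHER = {"null", "blowfish128"}


def parse_export(text):
    """Map each '/section path' to a list of (verb, {key: value}) entries.
    shlex keeps double-quoted values containing spaces together."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
            continue
        tokens = shlex.split(line)
        verb, props = tokens[0], {}
        for tok in tokens[1:]:
            key, _, value = tok.partition("=")
            props[key] = value
        sections.setdefault(current, []).append((verb, props))
    return sections


def audit_ovpn(text):
    """Return a list of findings; an empty list means every check passed."""
    cfg = parse_export(text)
    findings = []

    server = {}
    for verb, props in cfg.get("/interface ovpn-server server", []):
        if verb == "set":
            server.update(props)
    port = server.get("port", "1194")  # RouterOS default when unset
    if server.get("enabled") != "yes":
        findings.append("ovpn server is not enabled")
    if server.get("auth") in WEAK_AUTH:
        findings.append("weak auth %s" % server["auth"])
    for cipher in server.get("cipher", "").split(","):
        if cipher in WEAK_CIPHER:
            findings.append("weak cipher %s" % cipher)
    if server.get("require-client-certificate", "no") != "yes":
        findings.append("clients are authenticated by username/password only "
                        "(require-client-certificate is not set)")

    # Firewall: the WAN accept rule must precede the default WAN drop rule,
    # and a reject rule must cover the same port on non-WAN interfaces.
    rules = [p for v, p in cfg.get("/ip firewall filter", []) if v == "add"]

    def index_of(pred):
        return next((i for i, r in enumerate(rules) if pred(r)), None)

    accept_idx = index_of(lambda r: r.get("chain") == "input"
                          and r.get("action") == "accept"
                          and r.get("protocol") == "tcp"
                          and r.get("dst-port") == port
                          and r.get("in-interface") == "ether1-gateway")
    drop_idx = index_of(lambda r: r.get("action") == "drop"
                        and "drop all from WAN" in r.get("comment", ""))
    reject_idx = index_of(lambda r: r.get("action") == "reject"
                          and r.get("dst-port") == port
                          and "in-interface" not in r)
    if accept_idx is None:
        findings.append("no input accept rule for tcp/%s on ether1-gateway" % port)
    elif drop_idx is not None and accept_idx > drop_idx:
        findings.append("accept rule for tcp/%s is placed after the WAN drop rule" % port)
    if reject_idx is None:
        findings.append("no rule rejecting tcp/%s from non-WAN interfaces" % port)

    # A PPP secret must exist for the ovpn service.
    if not [p for v, p in cfg.get("/ppp secret", [])
            if v == "add" and p.get("service") == "ovpn"]:
        findings.append("no /ppp secret with service=ovpn")
    return findings


if __name__ == "__main__":
    for finding in audit_ovpn(SAMPLE_EXPORT) or ["all checks passed"]:
        print(finding)
```

Run against a real router, feed it the output of `/export` instead of the constructed text; the only finding on the constructed sample is the missing client-certificate requirement, which is exactly the trade-off the post's WARNING about usernames and passwords is compensating for.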

Once the VPN server part was done, the Android client configuration was simple:

1. Open VPN Client Pro:


2. Tap the "+ New" button in the right corner of the screen. The VPN settings menu appears:


3. Select "New OpenVPN Profile" and enter a connection name of your choice and the server info:


4. Save the ISRG X1 Root CA and LetsEncrypt X3 Signing Authority certificates to the Android phone's internal storage (aka /sdcard) as "ISRG.pem" and "LetsEncrypt.pem" and import them in the "Certificates" tab of the OpenVPN connection settings. Import the ISRG X1 Root CA certificate into the VPN client as a Certificate Authorities entry, and the LetsEncrypt intermediate CA certificate as an "Extra certificates" entry:


Select the "CA(TLS) + password" authentication type and enter the VPN username and password chosen in the OpenVPN configuration script.

WARNING: Choose the user name and password wisely. The user name should not be easily guessable or a common English word - such user names and passwords are easily brute-forced by hackers!

5. Set encryption options to use SHA-1 authentication and AES-128-CBC encryption:

AES-256-CBC can also be used for a paranoid setup, but I think 128-bit encryption is enough for now.

6. To enable DHCP address assignment, find out the phone's WLAN MAC address (either in the Settings - About Phone dialog or by typing "ifconfig" or "netcfg" in an Android terminal or ADB) and specify it in the "Set MAC Address" field under the "Use tap device" group in the "Options" pane. Also set the IPv6 address policy if IPv6 is configured on the router side:


7. Save the changes, disconnect the Android device from the WiFi hotspot and start the OpenVPN connection:



Congratulations! The OpenVPN bridged connection between the Android phone and the MikroTik router should be established, and the IP address of the phone should match the one assigned to it on the WiFi network.

With this setup, I can easily watch online videos from YouTube via the VPN link, do remote debugging of applications on my phone from my home computer, or gain remote access to PCs in my home network from my phone.

If a bridged connection is overkill for a simpler VPN setup, a regular OpenVPN connection in tunnel mode can be configured using the official MikroTik wiki on OpenVPN.

As a final note, I am affiliated with neither MikroTik nor Paolo Colucci and his awesome VPN client app. However, this setup is cheap and works, so try it out!

Good luck and stay tuned!

Tuesday 19 May 2015

The SolidWorks User Group Korea is born!


Last Saturday, May 16th 2015, a new SolidWorks User Group was born. I attended the opening meeting of SWUGN KOREA and want to share my experience with the rest of the SolidWorks fans.

Last year was definitely a poor year for me in terms of events related to the SolidWorks community. Working at the Samsung Ukraine R&D Institute with already-manufactured devices, I have no need to touch CAD. But the old passion keeps hold of me, and I was nostalgically browsing the SolidWorks User Group Network official website (www.swugn.org), searching for a miracle... and noticed the announcement of the first (opening) meeting of SolidWorks User Group Korea in Seoul, in the fancy book center Booktique in Nonhyeon-dong.


Luckily I am in Seoul these days. Even better, I am staying at a hotel a few dongs away from the meeting place! I felt I just couldn't miss it. So I called my good friend Se-Young (Shawn) Yun from SolidWorks Korea and asked him to pick me up for the event.

We arrived at around 1.30pm and I saw a small yet comfortable library-like room with around 50 people inside. Most of them don't speak English very well, but I was introduced very quickly and we took our places to listen to the opening speech.
 

Every attendee received a copy of the What's New in SolidWorks 2015 book in Korean as a gift. I also got mine :)

While waiting for the official session to start, I was introduced to Donghyeon (Daniel) Won, the group leader, a Certified SolidWorks Expert since 2012 and the founder of Korea's most active and productive online community, PlaySOLIDWORKS (http://cafe.naver.com/playsw and https://www.facebook.com/PlaySOLIDWORKS). Daniel told me he founded the community in 2010 on Naver, Korea's largest and best-known web search and entertainment portal. PlaySOLIDWORKS now counts 19,000 active members and is the center of all SolidWorks-related events in the Republic of Korea. This year he decided to transform the community into an official user group.


I got my SWUGN KOREA membership card, and the session started.


After a short history of the PlaySOLIDWORKS community and a declaration of the goals of the newly created user group, the technical sessions started. What's New in SolidWorks 2015, how to use the PropertyManager Editor, Productivity in Assemblies - everything was prepared with passion and joy.



Community members traditionally asked questions, and even the lovely child of one of the colleagues present at the meeting looked interested :)


During the coffee break after the meeting I got acquainted with almost everyone present and felt I was finally back in the place and time I love.

SolidWorks User Group Korea has an amazing future. Its newborn potential is in good hands! The next meeting is not scheduled yet, but I am already waiting for the show to go on. And now I am seriously thinking about some sort of special event we could organize for Korean SolidWorks fans this year.

Last but not least, I would like to thank Se-Young Yun for taking me to the event, escorting me and translating the key things, Daniel Won for the amazing meeting, the group itself for some of the photos I used in this post, and everyone I met there.

Monday 17 February 2014

The Ideal CAD Viewer for Android: A Diary of eDrawings Modder Part One

It has been a while since eDrawings for Android was released, and it is quite interesting to look at its Google Play stats. Keeping in mind the enormously warm reception of the iOS version of SolidWorks' most-beloved CAD viewer and the strong expectations for its Android port, half a year after the initial release I can state that these expectations are slowly turning into reality. Very slowly, I would even say.

The average rating of eDrawings on Google Play is now about 3.7 - that means the product, in its basic form, offers the functionality expected for its price, but in-app purchases are somewhat unexpected by Android CAD users. Having stated this, I will stop discussing the pricing policy of Dassault Systemes SolidWorks and continue my own story about this interesting application.

I purchased a copy of eDrawings for Android the day after it became available on Google Play. As a native Ukrainian speaker born in the ex-USSR, I expected the application to offer at least a Russian UI, but... it was sooo English! That looked strange, because the desktop eDrawings suite offers the same language set as the 'big' SolidWorks does. Dramatically, SolidWorks was one of the first CAD packages to offer a localized UI, help and support, so I expected the eDrawings team to follow the rules, but in the release rush everything went flappy.

There were some minor UI bugs in the aforementioned first release that I reported to Support Intern Brittany Chin of the eDrawings team and then to Support Engineer Tim Riley of the same. At that time only three bugs were critical for me as a customer:

1. The inability to display drawing and assembly notes in a language other than English - that was really unacceptable, having notes displayed as rows of squares instead of what they were intended to be.


2. The bug with file type associations - everyone faced it at least once, when one started downloading a video in the web browser and eDrawings took over, downloading this and that into the /sdcard/eDrawings/ folder on the external card.

3. The lack of folder support in My Files - I have to admit it is really inconvenient to have tons of assemblies consuming time for preview generation every time you load the application.

So I contacted Tim Riley and reported several SPRs to him. Since the most annoying bug for me was the file type associations, I tried to fix it myself and succeeded! After several releases this bug was finally partly fixed officially, (I hope) following the guides I had left for the eDrawings programmers two months before. So I decided to step ahead and make an ideal viewer to show how good the open-source Android platform can be for a CAD guy.


Step Zero: The File Associations Go Right

The file association bug was my first attempt to overcome the slow-fix policy of SolidWorks Corporation. By that time I had had some success in compiling and porting CyanogenMod, so I decided to decompile the APK and find out what was wrong. After some digging and Android log tracing, I found a stupid bug in the Android manifest file (a file describing the permissions and contents of an Android application package) that I easily fixed with a newly bred application package file. I called Tim and sent detailed instructions on exactly how to fix the bug, but the next three releases up to mid-December were still buggy. That was my first win!

Step One: The i18n Quest

Although my English is fluent, I also took care of the internationalization of the viewer, because my friends in Ukraine and Russia had also purchased the app and were dissatisfied with its English-only interface. So I decompiled the newcomer package and added a Russian translation in an easy manner. The whole XML file containing the string resources fits into several kilobytes of Unicode text, and I spent less than an hour or two making things fancy. Based on that, I don't understand why such a powerful corporation pays no attention to such a simple but vital question for non-English customers.

This time I posted the screenshots on LinkedIn, but it did not cause an appropriate reaction. Despite the active SPR about languages, version 2.0.1 from February 6th 2014 is still monolingual.

Here is how it looks for version 1.0:


and for version 2.0:


Although all my friends wanted to test the translated app live, I did not share the translation for legal reasons.

Mission accomplished!

Step Two: In Soviet Russia, drawings watch YOU!

One can imagine my mood when I had made the translation and was ready to fight the drawings bug. So I waited for the nearest Sunday, took a bath and a cup of coffee and started my investigation. That took me a while - a whole weekend and a Monday evening and night - but I managed to get the beast running like this:



instead of the poor-looking stock experience:


First of all, I fired up the Android debugger and checked the possibility of an incorrect Unicode transform of the model text. Since the eDrawings viewer is based on the freeware HOOPS Viewer from TechSoft3D, that was easy... and false! Everything was Unicode! So I decided to trace the font loading on the desktop eDrawings and on the mobile one. I used a font monitor and the GNU debugger for Android to see which fonts are loaded and when. I was naturally shocked when I discovered that someone at the eDrawings team had simply turned off FreeType font rendering! I re-enabled it in the debugger, hit Continue and... voila! A couple of simple tricks can make it run again. In the following example only one font (Arial Narrow Unicode) is loaded, but the root cause is clear. I hope in the next release this branch of code will be optimized and turned back on.

Step Three: Drawers and Folders

The last bug I really want to get rid of for now is the lack of folder support. Since eDrawings already has hidden directory view functionality, I doubt it is so hard to implement. Just a couple of lines in smali files... but I have not completed it yet, so screenshots will be made available in the next part of the story. Stay tuned!

Final Thoughts and Disclaimer

The purpose of this post is to show how a program from a respected company --should-- look. I am not the owner of the code, resources or any part of the program, but in terms of ethical hacking I am ready to collaborate with the eDrawings team and share the tricks and instructions freely - if they want me to.

The key difference between desktop and Android is not only the processing power limit for 3D applications, but also the variety of Google-backed community apps, free and paid, with practically similar functionality. For example, HOOPS viewer or 3D CAD viewer, capable of rendering HSF / IGES / STEP / PARASOLID, are free, though they cannot parse eDrawings files yet. Of course, SolidWorks is a brand, and the brand means support, but the slow-fix policy of SolidWorks Corporation sometimes ruins the admiration - even if the support engineers do their best to collect issues.

There are still many possible improvements to the workflow of the app. For example:
  • How about getting rid of version 1.0's face selection menu, aka 'Show / Transparent / Isolate / Show All', and using one drawer for all activities, such as measurement, view manipulation, animation control, etc.?
  • How about the augmented reality present in iOS, and support for KitKat's printing API?
  • How about scrolling part names in the drawer so that long part names are highlighted Android-style?
Together we could make a record-breaking CAD viewer for mobile devices, and I am proud to start this initiative.

The last question I guess my readers have is - why. Why? Because we can! And we love what we do!

Happy eDrawing!

I want to thank Tim Riley and Brittany Chin for their brilliant support. Good engineers - good will!

Friday 12 July 2013

Lazarus FreePascal IDE: How to compile 32-bit and 64-bit applications on one machine

I love Pascal. Pascal is a great programming language, since it has the simplicity of a teaching language and the flexibility of C when it comes to pointers and memory operations. I loved Delphi 7 for many years, but the lack of 64-bit support finally forced me to migrate to Lazarus. Lazarus is an open-source IDE for the open-source FreePascal compiler, capable of making binaries for Windows, Linux, Mac, Android and WinCE. It is free as in free speech and has a strong community of active developers and bug-hunters. You can find more info about it here.

Today I re-installed the latest build once more and found a problem - I could not switch processor modes to create several configurations for simultaneous builds on 32-bit and 64-bit Windows. I started googling for a handy howto but had no luck. Finally I managed to get it working, and here is how.

Let's assume you have a Windows 7 64-bit host machine.

1. Go to Lazarus downloads and grab the Windows 64-bit version, for instance http://sourceforge.net/projects/lazarus/files/Lazarus%20Windows%2064%20bits/Lazarus%201.0.10/lazarus-1.0.10-fpc-2.6.2-win64.exe/download. Note the FreePascal compiler version - it is 2.6.2 in my example. You will need the corresponding Win32 compiler bundle in the next steps, so remember it now.

2. Install Lazarus to the folder of your choice (for example C:\Lazarus).

3. Go to the FreePascal SourceForge download page, then select Win32 and the compiler version you just noted (2.6.2). It is crucial to have win32 and win64 compilers of the same version. Download the Win32 installer, like http://sourceforge.net/projects/freepascal/files/Win32/2.6.2/fpc-2.6.2.i386-win32.exe/download.

4. Start installing your new compiler, select Custom install, and point the installation folder to "lazarus-installation-folder"\fpc\"lazarus-version", like C:\lazarus\fpc\2.6.2.



then answer Yes at the prompt.

5. Select Custom install and tick the following checkboxes only:



then press the Next button to let FPC install itself.

6. Now you have a working dual-architecture setup and it is time to configure Lazarus. Open Lazarus and go to Tools - Options. Set the path to the FPC compiler (fpc.exe) as follows:

$(LazarusDir)fpc\$(FPCVer)\bin\$(TargetCPU)-$(TargetOS)\fpc.exe



7. Finally, go to your Project settings, open the Code generation tab and select your processor architecture (i386 or x86_64) and target (win32 or win64), then apply the changes. You will be able to build Win32 and Win64 binaries at your choice.

You can even adjust the build profiles and activate them when necessary.

Enjoy!

PS: To use architecture-specific code and constants, one can use the following snippet (each conditional directive needs the leading $, and the comments must sit on their own lines so they do not swallow the directives):

{$IFNDEF WIN64}
  // 32-bit (x86) code goes here
{$ELSE}
  // 64-bit (x64) code goes here
{$ENDIF}

and declare -dWIN64 in Project options - Miscellaneous - Special switches under the appropriate build profile (e.g. Win64):

-dWIN64

That will trigger platform-specific defines, like in C++.