Windscribe VPN

It is quite common to hear that you need to use a VPN any time you are on a wireless network. Your typical free wireless network at the mall or your favorite coffee shop is not encrypted in any way. If you travel, you can rest assured that hotel wireless internet is terribly insecure, because you never know if there is someone in the next room sniffing all your packets. Lastly, the internet service provider for the hotel is not to be trusted at all. However, VPN companies themselves can be shady and there is not a good way to verify who can be trusted with your internet communications. Technically minded people can spin up a virtual machine and run their own VPN service, but this requires some effort and virtual machine costs can add up. In the end, I decided to go ahead and pay for a dedicated VPN service.

iPhone with Windscribe VPN

My VPN usage is primarily for my iPhone, so I am not going to go into any detail about using Windscribe on a Mac or Windows machine. Needless to say, Windscribe provides multiple clients and setups for all your devices. I chose Windscribe VPN because of their reputation and my initial experience with their free trial. I pay for a yearly plan so that I can keep my costs down. Anything beyond a year for a service seems to be a gamble. No one wants to sign a 5 year lease, so don’t do it for software as a service either!

Windscribe iOS App

The iOS app allows you to connect to a variety of locations. I specifically choose the Chicago locations and select WireGuard as the protocol. My experience with iOS and VPN apps is that once you plug in your phone to charge, iOS will close out your VPN after a period of inactivity. This means I have to open the Windscribe app and establish the VPN connection again. You can create rules that exempt your home wireless network or other wireless networks you trust so that the VPN is bypassed. For the most part I keep Windscribe on for all connections, wireless and Verizon cellular. I know for a fact that if you do not use a VPN and are on your cellular network, a telecommunications engineer can actually see all your data in real time (if they connect to the cellular tower device). If you have a VPN, you might as well use it all the time.

No VPN Allowed

Now there are some exceptions, when you cannot use a VPN connection and you might want to turn it off. These are annoying to say the least, but there is not much choice.

Some eCommerce sites do not allow VPN connections. The website will most likely give you an HTTP error such as 404 with a message that proxy connections are not allowed. I have had this issue with Lowes.

Warehouse stores and my Verizon cell service do not work well together. Often when I am at Menards, Lowes, or The Home Depot, I will get zero bars, and if I try to use the in-store WiFi, they do not allow VPNs, so my choices are to walk out to the outside yard of the store and use my cell service or choose an insecure store WiFi network.
I do have to say that Target and Walmart have great WiFi and their mobile apps make it very easy to scan for in-store prices.

The other exception is at home when I have apps that need to connect on the home wifi network to see local devices. My Sonos speaker is a good example of this. I want to stream Spotify to my Sonos, and so I can either make an exception rule for my home WiFi or just turn off the VPN.

Block Stuff

Windscribe offers a variety of blocking options. Turning some of these on will save on bandwidth and also keep you safe from malware. Windscribe describes this feature, R.O.B.E.R.T., as a customizable server-side domain and IP blocking tool.

Windscribe ROBERT Options

Turning on any of these options is account specific and will apply to your other devices as well. Note there is a link at the bottom of the screen that takes you to your account, where you can specify your own custom rules.

Final Notes

I recommend Windscribe as a VPN option for your iPhone. Overall it has worked well for me and my kids.

Error: There is no network connection right now

Sometimes the combination of technology results in a more complex difficulty than one would think. Recently I came across an annoying error message that displayed on my Sony TV from time to time when I was watching a movie. At first I thought it must be my AppleTV that was displaying this. The message was “There is no network connection right now” and after searching Apple’s forums there were people complaining of this same issue, but there did not appear to be a resolution. I then looked at Sony to see if the Google Android 8 software on the TV was to blame. For some unknown reason, Android 8 does not allow you to turn off IPv6 and I thought perhaps that was the issue. I spent some time troubleshooting my firewall and router settings and yet I could still not watch Eternals without this issue coming up.

I then noticed that the error was more common on Disney+ and not on Netflix. Last week, Apple released iOS 15.3 for the AppleTV. Before installing the new update, I deleted the Disney+ app and then rebooted the AppleTV. Next, I installed the iOS 15.3 update. Once the AppleTV was up and running, I reinstalled the Disney+ app and tried to duplicate the error with Star Wars movies, and I could no longer get the annoying message.

In summary, I do not know what the actual cause of the error was. There are various posts stating that if you have your own DNS server on your LAN, that the Disney app does not like that. However, I tried changing this before and the message still appeared. The ease of use of all this software makes troubleshooting more difficult. Android TV 8, Apple iOS, and the Disney+ app all have limited options for turning off or customizing internet options. The combination leads to not really knowing where error messages are actually coming from. I wish Sony would just make a TV that would not come with any Google Android software. I don’t really need such complexity in a TV.

Update:

After some additional troubleshooting, I do think the error message was coming from the AppleTV itself. Disconnecting the ethernet cord from both the AppleTV and my switch, then restarting the switch and reconnecting to a different port on the switch seems to have resolved the issue.

pfSense UPS Widgets

Last month I walked into my home office and heard the buzzing of a UPS. After switching it out with another smaller UPS, I wiped off the dust and found the model number on the bottom to be: BE550G. These older UPS models are no longer supported by APC. After doing a search online, I found BatteryPlus.com had a replacement battery and they have a store nearby. I ordered the Duracell Ultra 12V 9AH High Rate AGM SLA Battery with F2 Terminals [SLAHR12-9FR] and then picked it up the same day. After letting the battery charge overnight, I had to hook the UPS up to my Windows machine to set the Battery Date using the PowerChute software. For some reason this is not possible on other operating systems or with any open source software that I could find. Once I had this done, I moved the UPS over to my pfSense firewall and connected it directly to one of the USB ports on the firewall.

There are a couple of different packages for pfSense that you can install. pfSense is FreeBSD based, so you can install the software natively or use the pfSense packages. Once you configure the setup, the packages offer dashboard widgets that you can add to the pfSense dashboard. Here is what each one looks like.

Apcupsd

Developed only for APC UPS units, apcupsd features a better looking widget.

pfSense Apcupsd dashboard widget

Network UPS Tools

Known as the NUT package, this open source software has a simpler dashboard; however, Network UPS Tools supports more devices and has extensive features for UPS units that are directly connected or on the network.

pfSense UPS dashboard widget

Additional Notes

Setting up either package requires reading the setup documentation online. I was able to run both packages for a direct USB connected device.

For apcupsd set UPS Cable and UPS Type to “USB” and leave the Device field blank. If you are using NUT, set the UPS Type to Local USB and driver to usbhid.

Overall I am glad that I could salvage the UPS and keep it in service. This keeps perfectly good equipment working and prevents waste. The plus is that my firewall and internet connection will run a bit longer and not reset during a power spike.

Spammers Lack Quality Control

This morning, I was going through emails, looked at my spam folder, and found something that made me laugh. I have been studying up on some development classes online, and integer and string values came to mind.

This is what happens when a developer makes a mistake in their spamming scripts and does not have any quality control. I bolded the amount below for emphasis.

Note this e-mail is been directed to you because during our investigations, your email address was found in one of the scam Artists file and computer hard disk in our custody. In reference to this regards, you will be compensated with the sum of US$17, .500,000.00 (Seventeen Million five Hundred Thousand Dollars). Meanwhile, the Africa Union has requested for evidence to prove you are a victim of West Africa scam. In plight to this regards the USIS have appointed a United State base Attorney (Barrister Allen Adams) here in the State to advocate on your behalf and provide the requested evidence to process the payment approval for your fund to be release to you.

IMPORTANT NOTICE: The only fee you’re to pay to the Attorney is the processing fee $350 for procurment of legal evidence to prove to the West Africa Union that you are a victim of scam. Also kindly request him to direct you on how to submit the processing fee $350

It appears to me that for the amount of $350, I stand the chance of getting back $17.50. This does not appear to be much of a bargain. Where you place a period matters.

Let’s Encrypt and VirtualMin

Security is now a central concern for technical people and, I would argue, for most consumers. It is now typical for criminals to target banks, hospitals, and other critical institutions. Privacy is also an issue that is central to a free and progressive society. One solution that gets thrown out is SSL encryption for websites and how we all now need to secure our sites with an SSL certificate. Due to the market though, SSL certificates are one of those things that companies have a hard time making money off of. Most people do not buy SSL certificates, so you wind up with a market that sells bare bones SSL certificates for around $25 and extended validation certificates for large ecommerce websites that cost thousands of dollars. This is where Let’s Encrypt changes things. Their certificates are free and are recognized by the web browser as a valid secure certificate. This makes SSL encryption a zero cost option for millions of individual webmasters who run websites like WebKeyDesign. There is one other difference with Let’s Encrypt certificates: they are limited to three-month intervals instead of yearly intervals. However, what makes Let’s Encrypt more appealing to webmasters is that the software makes renewals automatic, and there is now software integration with cPanel and Virtualmin control panels.

My personal project is a virtual machine that I keep for journal purposes. It allows me the ability to write some thoughts and archive information for later viewing. The virtual machine runs CentOS 7 Linux and can be controlled using Virtualmin. The SSL certificate that was originally set up was self-signed, so I would have to manually add the certificate to iOS and macOS and make exceptions in browsers in order to use the website.

Update:
Since writing this, a few things have changed. Let’s Encrypt now requires version 2 of their protocol and old clients are no longer supported. Virtualmin needs to be updated to support the new client. You can read more about the issue on this Virtualmin Forum post. To have this work on CentOS 7, do the following first and then it should work.

yum install certbot
certbot register

I followed TechJourney’s excellent guide: How to Use Let’s Encrypt SSL Certificate Automatically in Virtualmin & Webmin. There were a couple of issues I found out along the way.

Webmin Configuration

The tutorial did not specify the path to the client command. For CentOS, I found this to be:

/root/letsencrypt/letsencrypt-auto

Webmin Let's Encrypt command configuration

This may not be needed. I was able to let Virtualmin automatically find the new client.

Let’s Encrypt SSL for Webmin Login

A secondary problem that I ran into had to do with the separate subdomains. The Apache webserver will respond on your typical www.mydomain.net and mydomain.net, however the Webmin control panel is accessible by another prefix to mydomain.net. Under Virtualmin – Server Configuration – Manage SSL Certificate, the default will be Domains associated with this server. This setting will only pull in the domains that Apache is setup for. If you want to use the Let’s Encrypt SSL Certificate for other subdomains, you have to select Domain names listed here and manually type all your subdomains. You can then under the Current Certificate tab use the Copy to options and use the same certificate for Webmin, Usermin, etc.

Virtualmin Let's Encrypt Manage

If you went ahead and hit the Request Certificate button and then try to add domains, the process will error out. There is no way to reset the certificates from the Virtualmin interface. To resolve the problem, use secure shell and remove the letsencrypt directory.

rm -rf /etc/letsencrypt

This allowed me to use the Request Certificate option again and have all my subdomains added to the certificate.
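The fix above only works if the certificate really ends up listing every hostname you typed in, including the Webmin prefix. This added shell check (not part of the original post or of Virtualmin) reads the DNS names out of a certificate's subjectAltName extension and reports the required names that are missing; it needs the openssl command line tool, and the hostnames mydomain.net, www.mydomain.net and webmin.mydomain.net are assumptions standing in for your own.

```shell
#!/bin/sh
# Added example, not from the original post or from Virtualmin.
# Lists the hostnames a certificate covers and reports required names it lacks.
# Wildcard entries (*.example.net) are not expanded; names are compared literally.

# Print the DNS names from the certificate's subjectAltName extension, one per line.
cert_dns_names() {
    openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | cut -d: -f2
}

# Print each required name (arguments after the cert path) that the certificate
# does not cover. Exit status 0 when everything is covered, 1 otherwise.
cert_missing_names() {
    cert=$1; shift
    covered=$(cert_dns_names "$cert")
    status=0
    for name in "$@"; do
        if ! printf '%s\n' "$covered" | grep -qx "$name"; then
            echo "$name"
            status=1
        fi
    done
    return $status
}

# Constructed sample: a self-signed certificate that, like the first request in
# the post, only carries the names Apache is configured for. Writes cert.pem/key.pem
# into the directory given as $1 and prints the cert path.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=mydomain.net' \
        -addext 'subjectAltName=DNS:mydomain.net,DNS:www.mydomain.net' \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
    echo "$1/cert.pem"
}

# Stand-alone demonstration (assumed hostnames): the Webmin name is reported missing.
# cert=$(make_sample_cert "$(mktemp -d)")
# cert_missing_names "$cert" mydomain.net www.mydomain.net webmin.mydomain.net
```

Run cert_missing_names against the issued certificate under /etc/letsencrypt/live/<domain>/ before using the Copy to options; if it prints any names, the domain list needs fixing, and note that the reset step in the post removes the whole /etc/letsencrypt directory, which also holds the account key and every issued certificate.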

Fix SARG Reports in pfSense

SARG Reports are a good complement to Squid Proxy, and since there is a package available for installation in pfSense, it makes good sense to set up SARG Reports. The downside to SARG Reports is that the reports do take up space and over time this can be significant. This posting is about a problem I encountered on pfSense 2.1 and the latest SARG package.

For some unknown reason the reports stopped generating. Upon checking my System Log this is the issue I found:

php: /pkg_edit.php: The command 'export LC_ALL=C && /usr/pbi/sarg-amd64/bin/sarg -d `date +%d/%m/%Y`-`date +%d/%m/%Y`' returned exit code '1', 
the output was 'SARG: Cannot get the modification time of input log file /var/log/squid/access.log (No such file or directory). Processing it anyway SARG: File not found: /var/log/squid/access.log'

I am using the 64-bit version of pfSense, hence the sarg-amd64. If you are using 32-bit, it will say sarg-i386 instead.

The solution is to edit the sarg.conf file that is located in one of these locations, depending on your pfSense build:

/usr/pbi/sarg-amd64/etc/sarg/sarg.conf
/usr/pbi/sarg-i386/etc/sarg/sarg.conf

You will need to verify that the access_log line is correct:

#access_log /usr/local/squid/var/logs/access.log

In my case, removing the # sign and specifying the correct path to my Squid access.log corrected the problem.
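The edit above is easy to get subtly wrong (line still commented, or pointing at a log file that does not exist), which is exactly what the "Cannot get the modification time of input log file" error in the log means. This added shell helper (not from the original post or from the SARG package) reports whether the access_log line in a sarg.conf is active and points at an existing file, and rewrites it if not. The sarg.conf paths are the ones from the post; the Squid log path is a placeholder you replace with your own.

```shell
#!/bin/sh
# Added example, not from the original post or the SARG package.
# Checks and fixes the access_log line in sarg.conf against the real Squid log.

# Print the path from the active (uncommented) access_log line, or nothing.
sarg_active_log() {
    awk '/^[[:space:]]*access_log[[:space:]]/ { print $2; exit }' "$1"
}

# Report the state of sarg.conf ($1) against the Squid log path ($2).
# Prints one of: ok | commented | wrong-path | missing. Exit status 0 only for ok.
sarg_check() {
    conf=$1; squidlog=$2
    active=$(sarg_active_log "$conf")
    if [ -z "$active" ]; then
        if grep -q '^[[:space:]]*#[[:space:]]*access_log[[:space:]]' "$conf"; then
            echo commented
        else
            echo missing
        fi
        return 1
    fi
    if [ "$active" = "$squidlog" ] && [ -f "$squidlog" ]; then
        echo ok
        return 0
    fi
    echo wrong-path
    return 1
}

# Rewrite sarg.conf ($1) so the access_log line, commented or not, points at $2.
# Keeps a backup as sarg.conf.bak and appends the line if none exists at all.
sarg_fix() {
    conf=$1; squidlog=$2
    cp "$conf" "$conf.bak"
    if grep -q '^[[:space:]]*#\{0,1\}[[:space:]]*access_log[[:space:]]' "$conf.bak"; then
        sed "s|^[[:space:]]*#\{0,1\}[[:space:]]*access_log[[:space:]].*|access_log $squidlog|" \
            "$conf.bak" > "$conf"
    else
        { cat "$conf.bak"; echo "access_log $squidlog"; } > "$conf"
    fi
}

# Usage on a 64-bit build (sarg.conf path from the post; the Squid log path is a
# placeholder, replace it with the access.log location of your Squid package):
# SARG_CONF=/usr/pbi/sarg-amd64/etc/sarg/sarg.conf
# SQUID_LOG=/PATH/TO/squid/access.log
# sarg_check "$SARG_CONF" "$SQUID_LOG" || sarg_fix "$SARG_CONF" "$SQUID_LOG"
```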

If you have issues with SARG Reports, it is best to do the following:

  1. Under the Status menu, click SARG Reports.
  2. On the General tab, click Save.
  3. Next, click on the Users tab and click Save.
  4. Click Schedule and create your schedule, or if you have one already, open it up and click Save.
  5. You can go back to the Schedule and Force Update to see if SARG Reports are working now.

I also schedule SARG Reports in Cron to run at 11:50pm every night instead of midnight.

50  23  */1  *  *