synology, security comments edit

A few months back Cory Doctorow stopped by the local library and did a great talk on security and copyright issues. Very cool stuff which inspired me to look into how to secure my public/open wifi usage.

I have a Synology DS1010+ with a ton of helpful packages and features on it, so that seemed like the best place to start. It took a while, but I got it. I’m going to show you how.

Truly, Synology has made this super easy. I’m not sure this would have been something I could have done nearly as easily without that device and the amazing Diskstation Manager “OS” they have on it. If you haven’t got one of their NAS devices, just go get one. I’ve loved mine since I got it and it just keeps getting more features with every DSM release they put out.

So, with that, the general steps are:

  • Set up user accounts on your Synology NAS.
  • Make your Synology NAS publicly accessible.
  • Add a proxy server to the NAS.
  • Add VPN support to the NAS.
  • Make sure the firewall and router allow the VPN to connect.
  • Configure your client (e.g., phone) to use the VPN and proxy.

I’ll walk you through each step.

Don’t skim and skip steps. I can’t stress this enough. Getting this up and running requires some virtual “planets to align” as it were, so if you skip something, the process will break down and it is kind of tough to troubleshoot.

You need to set up user accounts for people accessing the VPN. Chances are if you have your NAS set up already, you have these accounts - these are the same accounts you use to grant access to NAS files and other resources. There is a nice detailed walkthrough on the Synology site showing how to do this.

Now you need to set up your Synology NAS so you can access it from outside your home network. This is accomplished through a service called “dynamic DNS” or “DDNS.” But you don’t really need to know too much about that because, built right into the DSM interface, is a program called “EZ-Internet” that will do all the work for you. For the easiest solution, you’ll need to set up a user account with Synology, but that’s free… and if you use their DDNS system (a “synology.me” domain name) then that’s also free. They have a really super tutorial on getting this set up. Focus specifically on the EZ-Internet part of the tutorial - the QuickConnect stuff is neat and good to set up, but it won’t work for VPN usage.

It took me something like (seriously) five minutes to get this part working from start to finish. Some of the steps may seem “scary” if you’ve not set it up before, but Synology has made this really painless and if you don’t know what to do, accept the defaults. They’re good defaults.

When that’s done, you’ll see your DDNS setup in the Synology control panel under “External Access.”

The DDNS settings will show your NAS

Next, install the Proxy Server and VPN Server packages using the DSM Package Station package manager. Installing packages is a point-and-click sort of thing - just select them from the list of available packages and click “Install.” Make sure you set them as “Running” if they don’t automatically start up. Once they’re installed, you’ll see them in the list of installed packages.

Proxy Server and VPN Server packages installed

Let’s configure the proxy server. From the application manager (the top-left corner icon in the DSM admin panel) select the “Proxy Server” application. There isn’t much to this. Just go to the main “Settings” tab and…

  • Put your email address in the “Proxy server manager’s email” box.
  • Make a note of the “Proxy server port” value because you’ll need it later.

You can optionally disable caching on the proxy server if you’re not interested in your Synology doing caching for you. I didn’t want that - I wanted fresh data every time - so I unchecked that box. You can also optionally change the proxy server port but I left it as the default value provided.

Proxy server settings updated

Done with the proxy server! Close that out.

Now let’s configure the VPN server. This is a bit more complex than the proxy server, but not too bad.

Again from the application manager (the top-left corner icon in the DSM admin panel) select the “VPN Server” application.

On the “Overview” pane in the VPN server you you will start out showing no VPNs listed. Once you’ve finished configuring the VPN, you’ll see what I see - the NAS running the VPN and the VPN showing as enabled.

My overview tab after the VPN has been enabled

The VPN Server application offers several different VPN types to choose from. You can read about the differences on this article. I chose to use PPTP for my VPN for compatibility reasons - it was the easiest to get set up and running and I had some challenges trying to get different devices hooked up using the others. I am not specifically recommending you use PPTP, that’s just what I’m using. The steps here show how to set up PPTP but it isn’t too different to set up the other VPN types.

On the PPTP tab, check the “Enable PPTP VPN server” option. That’s pretty much it. That gets it working.

Check the PPTP enabled box

That’s it for the VPN configuration.

To allow people to connect to the VPN on the NAS, we need to set up the firewall on the NAS. In the Synology DSM control panel, go to the “Security” tab on the left, then select “Firewall” at the top. Click the “Create” button to create a new firewall rule.

Start creating a new firewall rule

When prompted, choose the “Select from a list of built-in applications” option on the “Create Firewall Rules” page. This makes it super easy - the DSM already knows which ports to open for the VPN server.

Select from a list of built-in applications

Scroll through the list of applications and check the box next to “VPN Server (PPTP)” to open the firewall ports for the VPN.

Select the VPN from the list of applications

The firewall settings will be applied and you’ll see it in the list of rules.

The last thing to do on the NAS is to set up the router port forwarding configuration. DSM can automatically configure your router right from the NAS to enable the VPN connection to come through.

In the DSM Control Panel, go to the “External Access” tab on the left and choose “Router Configuration” from the top. This is almost identical to the firewall configuration process. Click the “Create” button to add a new rule and you’ll be prompted to choose from a list of existing applications. Do that, and select the VPN server from the list.

Choose "Built-in application" and select the VPN

Once it’s configured, the DSM will issue some commands to your router and the rule will show up in the list.

The router rule in DSM control panel

That’s it for your server configuration! Now you have to connect your clients to it.

The rest of this walkthrough shows how I got my Android 4 phone connected to the VPN. I don’t have walkthroughs for other devices. Sorry.

Go to the main settings screen. From here, you’re going to choose “More settings.”

Choose "More settings"

Scroll down to the VPN settings and click that.

Choose "VPN"

For a PPTP VPN, select “Basic VPN” from the list.

Choose "Basic VPN"

Give your VPN a memorable name and put the DDNS name for your server in the “Server address” box.

Name your VPN and put the DDNS name as the server address

When you connect to the VPN you’ll be asked for a username and password. Use the username and password from your user account on the Synology NAS. (Remember that first step of setting up user accounts? This is why.)

The last configuration step is to set the proxy server. Android 4 has this hidden inside the wifi configuration for each wifi hotspot. For the hotspot you’re connected to, edit the settings and check the “Show advanced options” box. Fill in the proxy details using the local machine name of your NAS (not the DDNS name) and the proxy server port you have configured.

The proxy server configuration in the wifi hotspot

Now connect to the VPN and the wifi hotspot at the same time. Go back through the Settings => More settings => VPN path to find the VPN you configured. Connect to it and if you haven’t previously set up credentials you’ll be prompted. Connect to the wifi hotspot as well so it’s using the proxy server.

When you’re connected to both the VPN and the hotspot with the proxy settings, things work! You will see a little “key” at the top of the phone showing you’re connected to a VPN. You can pull up some VPN details from there.

The VPN details will show connection information

And here’s a screen shot of me surfing my blog through my VPN and proxy server, securely from an open wifi hotspot. Note the key at the top!

Secure browsing through VPN and proxy

I’m still working out a few things and may change my setup as time goes on, but this is the easiest DIY VPN/proxy setup I’ve seen.

Stuff I’d like to do next…

  • Switch from PPTP to a different VPN type (or maybe offer more than one VPN type so I can be compatible with devices requiring PPTP but offer better security for devices that can handle it).
  • Figure out if caching helps. I’ve found that some stuff is pretty fast, but other stuff is slow (or doesn’t flow quite right through the proxy). I’m not sure why that is. Maybe additional proxy settings I’m not aware of yet?

And, finally, again - thanks to Cory Doctorow for prodding me into researching this; and thanks to Synology for making it easy. Part of what Doctorow was saying at his visit is that Security is Hard, particularly the implementation of decent security for the lay person. Synology is as close to point-and-click easy setup as I’ve ever seen for this.

If you’re looking for one of these devices, the Synology DS214se is pretty budget-friendly right now, though the Synology DS414j might give you a little room to grow. I have the DS1010+, which is basically the previous model of the Synology DS1513+, which is more spendy but is super extensible. All of the Synology products run the DSM so you really can’t go wrong.

UPDATE 8/14/2015: I’ve moved to an OpenVPN-based VPN (still hosted by my Synology Diskstation) and no longer need the proxy. I’ve added some instructions on how to get that working as well as how to make your Android device auto-connect to it when not on a trusted network.

powershell, teamcity comments edit

We have a nice TeamCity build server at work and we somewhat-recently updated it to use a MySQL database instead of XML for the data storage (like for the VCS roots).

We have a number of service accounts we use for interacting with the version control systems and they periodically need their passwords changed. It used to be that we could modify the XML document search-and-replace style, but now it’s hidden in the database somewhere and is less straightforward to update.

Thankfully, TeamCity offers a REST API you can work with, so I decided to play with PowerShell and the Invoke-RestMethod command to automate the drudgery of going through the something-like-50 VCS roots we have defined and updating the passwords for selected accounts.

Here’s the code for a small one-function module:

<#
.Synopsis
   Updates the password for a user account in TeamCity associated with VCS root entries.
.DESCRIPTION
   Iterates through the VCS roots defined in TeamCity and updates the password associated with the specified user for all VCS roots.
.EXAMPLE
   $credential = Get-Credential
   Update-TeamCityVcsAccount -TeamCityUrl "http://your-teamcity-dash/" -TeamCityCredential $credential -VcsUserName "serviceaccount" -VcsPassword "TheNewPassword"
.NOTES
   This command uses the TeamCity REST API to iterate through the VCS roots and update the password for matching accounts.
#>
function Update-TeamCityVcsAccount
{
    [CmdletBinding()]
    Param
    (
        # The URL to the TeamCity dashboard.
        [Parameter(Mandatory=$true,
                   ValueFromPipeline=$false)]
        [ValidateNotNull()]
        [ValidateNotNullOrEmpty()]
        [Uri]
        $TeamCityUrl,

        # The credentials of the TeamCity administrator account to make changes.
        [Parameter(Mandatory=$true,
                   ValueFromPipeline=$false)]
        [ValidateNotNull()]
        [ValidateNotNullOrEmpty()]
        [PSCredential]
        $TeamCityCredential,

        # The username of the VCS user that should be updated.
        [Parameter(Mandatory=$true,
                   ValueFromPipeline=$false)]
        [ValidateNotNull()]
        [ValidateNotNullOrEmpty()]
        [String]
        $VcsUserName,

        # The new password for the VCS user.
        [Parameter(Mandatory=$true,
                   ValueFromPipeline=$false)]
        [ValidateNotNull()]
        [ValidateNotNullOrEmpty()]
        [String]
        $VcsPassword
    )

    Begin
    {
        $updated = @()
        $progressActivity = "Updating VCS root passwords for $VcsUserName..."
    }
    Process
    {
        $vcsRootsUri = New-Object -TypeName System.Uri -ArgumentList $TeamCityUrl, "/httpAuth/app/rest/vcs-roots"
        $allRoots = Invoke-RestMethod -Uri $vcsRootsUri -Method Get -Credential $credential
        foreach($href in $allRoots.'vcs-roots'.'vcs-root'.href)
        {
            $rootHref = New-Object -TypeName System.Uri -ArgumentList $TeamCityUrl, $href
            $vcsRoot = Invoke-RestMethod -Uri $rootHref -Method Get -Credential $credential
            $currentVcsUserName = $vcsRoot.'vcs-root'.properties.property | Where-Object { $_.name -eq "user" } | Select-Object -ExpandProperty "value"
            if($currentVcsUserName -ne $VcsUserName)
            {
                continue;
            }

            # secure:svn-password == Subversion Repo
            # secure:tfs-password == TFS Repo
            # Making the assumption all the password fields have this
            # name format...
            $propToChange = $vcsRoot.'vcs-root'.properties.property  | Where-Object { ($_.name -like 'secure:*') -and ($_.name -like '*-password') }  | Select-Object -ExpandProperty "name"
            $propHref = New-Object -TypeName System.Uri -ArgumentList $rootHref, "$href/properties/$propToChange"

            Write-Progress -Activity $progressActivity -Status "VCS root: $href"
            Invoke-RestMethod -Uri $propHref -Method Put -Credential $credential -Body $VcsPassword | Out-Null
            $updated += $propHref;
        }
    }
    End
    {
        Write-Progress -Activity $progressActivity -Completed -Status "VCS roots updated."
        return $updated
    }
}

Export-ModuleMember -Function Update-TeamCityVcsAccount

Save that as TeamCity.psm1 and then you can do this:

Import-Module .\TeamCity.psm1
$credential = Get-Credential
Update-TeamCityVcsAccount -TeamCityUrl "http://your-teamcity-dash/" -TeamCityCredential $credential -VcsUserName "serviceaccount" -VcsPassword "TheNewPassword"

When you run Get-Credential you’ll be prompted for some credentials. Enter your TeamCity username and password. Fill in the appropriate values for the parameters and you’ll see progress rolling by for the password updates. The return value is the list of VCS root URLs that got updated.

Now that I have a reasonably-working pattern for this, it should be easy enough to use the REST API on TeamCity to automate other common admin tasks we do. Neat!

vs, azure comments edit

I have an MSDN subscription at work which comes with some Azure services like virtual machines. I’m using one of these VMs to explore the VS 14 CTP.

The problem is… port 3389 isn’t open through the firewall at work, so using the default port for Terminal Services doesn’t work for me.

Luckily, you can change the port your VM uses for Terminal Services. Knowing I won’t be hosting a web site here, changing to port 80 makes it easy.

First, open up the VM in the Azure Portal and click the “Settings” button.

Click the Settings button on the VM

Now click the “Endpoints” entry on the list of settings.

Click Endpoints in the settings menu

We want the public port for Terminal Services to be port 80. Click the Terminal Services entry to edit it.

We want TS on port 80

Update the public port to 80 and click the Save button at the top.

Update the public port to 80

Now go back to the main VM dashboard and click the “Connect” button.

Click the Connect button

A small .rdp file will download. If you open it in a text editor it will look like this:

full address:s:yourmachine.cloudapp.net:3389
prompt for credentials:i:1

Change that port at the end to 80.

full address:s:yourmachine.cloudapp.net:80
prompt for credentials:i:1

Save that and double-click the file to start a Terminal Service session. Boom! Done.

autofac, github comments edit

All Autofac documentation has moved to our official documentation site at http://autofac.readthedocs.io/.

Since moving from Google Code to GitHub we’ve had documentation spread all over, some of which was getting pretty stale from not being maintained. We wanted to get control over that and set a good stage going forward, so we consolidated everything to our site on Read the Docs.

Doing this provides a lot of benefit:

  • Documentation is searchable.
  • You can get the docs in multiple formats (online, PDF, epub).
  • Docs are readable on a mobile browser.
  • We can start versioning the documentation.
  • We can update docs in one spot, inside the source tree, and not worry about wikis all spread out getting stale.

As part of this, you will see some changes to our wikis:

  • All of the pages in our GitHub wiki have been removed except for the release notes pages. We’ll only be maintaining release notes in the wiki. If you want docs, you need to go to the doc site. This may break some links in things like StackOverflow answers, but the other choice was to keep a bunch of placeholder redirect pages in place, which would be just painful to maintain. Instead we ripped the bandage off.
  • All of the pages in the Google Code wiki have been cleared out and replaced with some text pointing to the new documentation location. There are a substantially larger number of articles and answers linking to the old wiki and that wiki doesn’t change anymore so putting some pseudo-redirects in there was a simple one-time effort.

Apologies if this causes some issue with broken links.

It’s taken a long time to get here, but we think this will provide a better documentation experience for everyone now and going forward.

personal, tv, costumes, halloween comments edit

For Halloween this year I went as the Tenth Doctor from Doctor Who (originally played by David Tennant).

David Tennant as the Tenth Doctor

I make my costume every year (well, pretty much every year) and I enjoy sewing so it was fun to take this on. However, I don’t normally post “behind-the-scenes” stuff and there are folks who don’t really realize what goes into making a costume so I figured this year I’d do it. Oh, and if you want to see the pictures in a larger format, I have an annotated photo album on Google+.

Before doing anything else, I did some research. The Making My Tennant Suit blog was the best resource I found for info on the suit, the fabrics, and so forth. It has a really good fabric comparison showing different fabrics and sources that match/approximate the fabric from the suit. I also gathered a few pictures from the web to help me pick the right pieces.

I was due for some new glasses, so I picked some out that both look good on me (IMHO) and are close to the ones seen in the show.

My new Tennant-style glasses

I went to Jo-Ann Fabrics and searched for a pattern. None were exact, but I found that Vogue pattern 8890 was pretty close. I figured I could take “View A” jacket from the pattern, change it from a two-button jacket to four buttons, and add a custom breast pocket. The “View D” pants could be done unmodified.

Vogue Pattern 8890

The pattern was actually pretty ambitious. Given that it wasn’t a “costume pattern,” it was fully lined with all the extra stuff you’d find if you bought a suit - nicely finished pockets, extra give/pleats in the lining for movement… Definitely the most complex thing I’ve taken on to date.

The fabric I picked was ordered online from Hancock Fabrics. It’s item #3859071 “Brown and Teal Pinstripe Suiting.” I got it on sale half-off so I bought something like eight yards so I wouldn’t run out if I made a mistake or had to lengthen the pants/sleeves on the suit.

My Tenth Doctor fabric from Hancock

This particular fabric was a little challenging to work with because it was somewhat light and stretchy. When you work with cotton or wool, it’s not really stretchy so you can cut and pin it without worrying about it moving on you or changing shape. With this, I had to be really careful about pinning it, making sure I wasn’t stretching it while it was getting cut, and so on.

The buttons I used were some pretty standard tortoise shell ones off the shelf.

The buttons I used on the suit

Thread was Coats & Clark #8960. It was the perfect brown to match the fabric so hems and seams were nice and hidden. I think I went through three of these spools of thread.

Coats & Clark #8960

The pocket insides, waistband lining, and other strong internals was all done with some off-the-shelf brown cotton twill. You don’t really see this from the outside, but it is a nice shade to offset the suiting. Not that I had a lot of choice; there was only one color of brown twill available when I went shopping and I wasn’t feeling too picky.

My cotton twill

After I got all the materials together, I got down to work. I ironed the pattern (yes, ironed the pattern - on low heat, to make it easy to cut out and all flat), cut it out, and pinned the pattern to the fabric. There were something like 15 pieces to the pants and 30 pieces to the jacket.

Pinning the pattern

I did the pants first (though I didn’t get any pictures of the making of the pants). Normally I’ve found Vogue patterns run a little small, so I took my measurements and did the pants the next size up. This pattern seemed to run pretty true to size, so I had to take the pants in when they were done. I haven’t yet figured out how to fit a pattern on myself before it’s finished.

Doing the pants first helped me figure out that I needed to make the jacket true to size.

The first part of the jacket to be done is the main body outside. In this picture you can see I’ve replaced the breast pocket from the pattern with one of my own design so it matches the Tenth Doctor. I did that without a pattern, sort of taking an average measurement on width/height of pockets on other garments and fudging something together. This custom pocket is about 5.5” wide and 6” tall.

The outside jacket body

After the body of the jacket was done, it was time to sew the arms in. Putting arms in a jacket is always a real pain because the fabric at the top part of the arm is larger than the arm hole on the jacket body. They do that so you can move around, but it means you have to be really careful about putting the arm in and evenly distributing the extra fabric or you’ll get gathers along the seam where the fabric folds over onto itself. This is a particular problem with stretchy fabric, which likes to move around a lot. I had to rip out and redo a couple of areas to remove the gathering, but I got the arms in.

The right sleeve sewn in

Here’s the jacket with both sleeves sewn in but the lining not yet put in. The white stuff you see on the collar is interfacing - a sort of mesh-like fabric that you attach to make other fabric less flexible. You have interfacing in collars and cuffs, for example. I used “fusible interfacing” which is basically iron-on to attach. This pattern called for “hair canvas” interfacing, which is really expensive and much harder to work with. If I was making this as a suit and not as a costume, I probably would have tried to work with the hair canvas.

Both sleeves in, but no lining

With the outside done, it was time to do the lining. The first bit of lining was the inside front - the part with the inside pocket. Here’s the inside of the right front. You can see in the image a diagonal line where the collar is intended to fold over. You can also see a small, thin rectangle where the inside pocket will eventually go.

The inside right front, minus the inside pocket

Here’s the inside right front after getting the inside pocket in. You can see a small loop hanging down off the top of the pocket that will be used to button the pocket closed. The pattern called for 2” of ribbon (I used bias tape) for the loop, but that turned out to be too small to fold around the button that will be later attached below the pocket. If I were to do it again, I’d use 3” or 3.5” of ribbon. You can always move the button down a bit, but I had to sew my button right on the pocket welt (the twill “lip” lining the pocket).

The inside right front, this time with the inside pocket

Here’s what the lining looks like fully assembled - both inside front pieces, the back, and the sleeves. If you’ve never lined a coat before, it’s sort of like making a second copy of the coat, just inside-out. Then you take the lining, put it in the jacket, and sew along the edges. Basically.

In the picture on the left you see the inside pocket as you’ll view it when wearing the jacket; on the right is the other side - that brown square is the other inside pocket.

The lining, fully assembled

Once you put the lining in, you have to attach it. The back was able to be machine-sewn in, but the sleeves required hand sewing. Here you see I have the sleeve lining pinned in place so I can hand sew it in.

Sleeve lining pinned in place

Here’s the same sleeve lining after the hand sewing. I also have the sleeve buttons attached, so this sleeve is done.

The sleeve with the lining and buttons attached

Once the lining is in, the last thing to happen is the front buttons. Here’s the jacket entirely finished. You can see in the photo the white marks around the button holes on the front where I was sketching out the button locations.

Finished jacket with button hole markings

I did a little cleanup on the markings and here’s how it turned out.

First time wearing the complete jacket

And, once the whole costume was on, here’s how it looked. I think it turned out pretty well.

Travis as the Tenth Doctor

For those interested: The shoes are unbleached white Converse Chuck Taylors. The shirt is one I already had; any old white dress shirt will do. The sonic screwdriver is the toy version that’s been out for a while. The tie is a maroon polka dot tie by Chevalier.

I don’t know how much time it took exactly, but I know that I watch TV/Netflix while I’m working and I made it through three seasons of Kyle XY, the Jekyll miniseries, a couple of movies, and half a season of The Blacklist… and I wasn’t watching something the whole time. So… it took a while.

As far as cost, that’s another thing I didn’t really keep track of, but roughly (guessing on a few of these)…

  • Shoes: $45
  • Tie: $15
  • Pinstripe Suiting: $50
  • Lining: $10
  • Interfacing: $10
  • Felt (for the collar): $5
  • Twill: $10
  • Thread, buttons, zipper, notions: $30

So… uh… $175? Give or take. It’s not cheap. Even if you take out the cost for the shoes and tie, which I can wear elsewhere, you’re still looking at over $100. Plus the time.

This definitely increases my admiration and respect for folks who do this on a convention circuit.

Again, if you want to see the pictures in a larger format, I have an annotated photo album on Google+.