Guest Wifi Setup DD-WRT Tutorial

This is a tutorial for setting up a DD-WRT router to have a separate isolated (virtual) guest wifi access point. At the end of the tutorial you will have two wifi networks, one private, and one public for the guests. Guests will not have access to the router or anything else on your network.

  1. Your build must be ≥ 23020. There should be a network already running and you can access the internet.0 network basic setup
  2. Create the virtual access point for your guests.
    1. Go to Wireless -> Basic Setup
    2. Click Add in Virtual Interfaces. Fill out the details as in the image.1 wireless settings
  3. Optional: Go to Wireless -> Wireless Security, choose your encryption for the guest wifi.
  4. Now enable DHCPD for the guest wifi so IP addresses can be assigned.
    1. Go to Setup->Networking and add another dhcp server for the guest network as shown.2 networking
  5. Optional: Setup Quality of service (QoS) to limit guest network bandwidth.
    1. Configure QoS as shown.3 qos
    2. Results from my speed test.4 speed test
  6. Restart the router. Important because I found sometimes changing settings they take a while to activate and you’re not sure if it has had any effect.

 

Links I found useful.

 

Guacamole Add User

Adding a user

https://gist.github.com/sunapi386/9dc6eb841f1454733e02

Create a user

Then create the user; remember setting to his password to “chessman123”

sudo adduser binsun

Modifying guacamole’s user login data

Edit the user mapping, unless you’re using a database to store user logins.

sudo vi /etc/guacamole/user-mapping.xml

Create the entry like below, one for vnc and one for ssh.

<!-- User for binsun -->
<authorize username="binsun" password="chessman123">
    <!-- First authorized connection -->
    <connection name="vnc">
        <protocol>vnc</protocol>
        <param name="hostname">localhost</param>
        <param name="port">5904</param>     <!-- Edit this -->
        <param name="password">qwe123</param> <!-- Password for vncserver -->
        <param name="encodings">zrle ultra copyrect hextile zlib corre rre raw</param>
    </connection>
    <!-- Second authorized connection -->
    <connection name="ssh">
        <protocol>ssh</protocol>
        <param name="hostname">localhost</param>
        <param name="port">22</param>
        <param name="username">binsun</param> <!-- Edit this -->
        <param name="password">chessman123</param> <!-- Edit this -->
    </connection>
</authorize>

SSH Service

I assume the SSH service is already running on port 22, so that should already work.

Relaunching service

We just need to start the VNC service listening in on port 5903.

sudo /etc/init.d/tomcat7 restart

Restart hosting service so it loads the updated user-mapping.xml.

Logging

If logging in fails, check the log for login attempts.

tail -f /var/log/tomcat7/catalina.out

Setting up VNC

In the newly created user’s home directory, create a file called xstartup. This file is a script that gets run when the vncserver starts. Guacamole starts the vncservice.

First we switch to that user.

su binsun

Then create the startup script

mkdir ~/.vnc
chmod 700 ~/.vnc
cd ~/.vnc
vi xstartup

Put these in.

#!/bin/sh
xrdb $HOME/.Xresources
xsetroot -solid grey
#x-terminal-emulator -geometry 80x24+10+10 -ls -title "$VNCDESKTOP Desktop" &
#x-window-manager &
# Fix to make GNOME work
export XKL_XMODMAP_DISABLE=1
#/etc/X11/Xsession
startxfce4

And make this excutable.

chmod +x xstartup

While we’re still logged in as the user, start the vncserver

vncserver :4

This creates the service listening on 5904 port. You should be able to see it.

nmap -Pn localhost

Starting Nmap 6.40 ( http://nmap.org ) at 2015-10-19 21:40 EDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00055s latency).
Not shown: 988 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
631/tcp  open  ipp
3306/tcp open  mysql
5902/tcp open  vnc-2
5903/tcp open  vnc-3
5904/tcp open  unknown <------- this is it
6002/tcp open  X11:2
6003/tcp open  X11:3
6004/tcp open  X11:4
6005/tcp open  X11:5
8080/tcp open  http-proxy

If you can’t get vnc started, look at this log.

tail -f /var/log/syslog

QR Authentication Tutorial

QR Authentication Tutorial

Tutorial on how to setup a QR Authentication web server and android app. This documents me trying to replicate the WeChat web login process, in two parts:

  1. An android application that reads a QR code and logs in
  2. Building a website that hosts this.

The tutorial is written in a sequential fashion, because I’ll add to this tutorial as I go. All my code is on https://github.com/sunapi386/qrauth.

Motivation

I came across an interesting way to authenticate users from WeChat Web. Their login process is as follows:

  1. The website has a QR image which the users scans with his WeChat app.
  2. User clicks “Log In” in the WeChat app to authenticate.
  3. User is now logged in.

The WeChat website looks like this. A unique QR code is generated each time the website is refreshed.

WeChat login process

Android QR scanner

First thing I want to do is see what this QR code is. I use a library which reads QR codes (https://github.com/dm77/barcodescanner)[1. This library recognizes different barcode formats, so instead of using a QR code, I could potentially do authentication using any of these: UPC_A, UPC_E, EAN_13, EAN_8, RSS_14, CODE_39, CODE_93, CODE_128, ITF, CODABAR, QR_CODE, DATA_MATRIX, PDF_417].I could have taken a screenshot of the QR code and fed it to an online QR code reader, but I wanted to make an app that lets me authenticate in a similar fashion WeChat does. I made a simple android activity that used the library, based on the tutorial. Here are two examples of the QR code content.

https://login.weixin.qq.com/l/oaW3V0XQpA==
https://login.weixin.qq.com/l/lZ-ez97Vdg==
https://login.weixin.qq.com/l/4YhG7Q3bBQ==
  • The format is QR_CODE.
  • Type is a URI.
  • Metadata type H.

Metadata type describes the amount of error correction embedded into the QR code. The 4 levels are:

  1. L – Approximately 7% error correction
  2. M – Approximately 15% error correction
  3. Q – Approximately 25% error correction
  4. H – Approximately 30% error correction

Approximately every 5 minutes a new weblink is generated. I tried generating these QR codes on this website to see if they’d look the same visually, but with no luck.

QR generated
WeChat QR

QR generated
Generated QR

Although these two images encode the same content, visually it looks different. I have no idea why.

Website

The website generates a new QR code each time the page is refreshed. Our first goal is to setup a web server. I’ll go with Rails, reason being I like Ruby and Rails is a good framework. May extend it to something more fun later without doing a rewrite.

Handshaking Process

I did some googling and didn’t find how the handshaking works. There is an article on an app called SQRL (Secure QR Login), which describes it as:

On your phone, a SQRL app would contain a secret 256-bit blob of data. This would be your randomly generated secret code, which is never divulged to anybody else. The QR code itself would contain a URL, including the domain name of the site you’re trying to connect to. When you scan the code, your app would create a public and private key pair from your master key and the domain name of the site, using an HMAC hashing function. Then, the app would communicate with the site directly, sending the public key as your identity (the equivalent of a username), and the encrypted QR code as your authentication (the equivalent of a password). Since your master code, the secret blob of data, never changes, the resulting public key wouldn’t change either. That means the website would know it’s you. And by encrypting the QR code of the site with your private key, the site can verify that you indeed possess the matching private key, without actually having it, thanks to the beauty of public key cryptography.

Keeping in mind how this works, I came up with the following authentication process.

  • Keep a secret in the phone app.
  • The QR encodes a link causes

Drawing graphs

https://askubuntu.com/questions/917030/how-to-install-pydot-and-graphviz

 

Notice how nice some of the graphs are in textbooks (for example, from AIMA 3rd ed.)?

Screen Shot 2015-07-09 at 3.56.52 PM

Well you could draw them too with graphviz (dot language).

network

Get dot here http://www.graphviz.org/Download..php

And generate the above graph by putting this in a file, e.g. simple_neural_network_diagram.dot

digraph G {
rankdir=LR
splines=line
node [fixedsize=true, label=""];
subgraph cluster_0 {
color=white;
node [style=solid,color=blue4, shape=circle];
x1 x2 x3;
label = "layer 1 (Input layer)";
}
subgraph cluster_1 {
color=white;
node [style=solid,color=red2, shape=circle];
a12 a22 a32;
label = "layer 2 (hidden layer)";
}
subgraph cluster_2 {
color=white;
node [style=solid,color=seagreen2, shape=circle];
O;
label="layer 3 (output layer)";
}
x1 -> a12;
x1 -> a22;
x1 -> a32;
x2 -> a12;
x2 -> a22;
x2 -> a32;
x3 -> a12;
x3 -> a22;
x3 -> a32;
a12 -> O
a22 -> O
a32 -> O
}

And generate it

dot -Tpng simple_neural_network_diagram.dot -o network.png