March 2, 2019

How to set up a VPN server for iOS on UniFi USG

There are countless tutorials on how to do all sorts of funky things with the UniFi USG, many of which involve command line sorcery and an engineering degree. What I wasn’t able to find was a simple walkthrough of how to set up a VPN server that would allow me to connect remotely from my iPhone or iPad to my home network, providing an extra layer of security when using public wifi, and allowing me to access local resources while out and about.

After some reading and lots of experimenting, this is what worked for me:

Set up a RADIUS authentication server and user account

The RADIUS server centralizes authentication for remote access to your USG, and it can serve a variety of purposes. For now, we just need it for the VPN.

  1. In the UniFi Controller, navigate to Settings, Services
  2. Select RADIUS from the horizontal menu across the top, then Server
  3. Toggle Enable RADIUS Server ON
  4. Populate a strong password in the Secret field. Note: iOS really doesn’t like it when you get fancy here, so stick to lowercase letters and/or numbers, but you can use something fairly long. For clarity, we are going to refer to this as PASSWORD 1
  5. Leave the other fields as they are, and apply changes
  6. Select Users from the horizontal menu at the top
  7. Choose a user name
  8. Choose a strong password. iOS seems to be ok with more options, so go ahead and try some special characters here. We are going to refer to this as PASSWORD 2
  9. Save
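As an added example (not part of the original post), here is a small Python helper that produces the two secrets the way the advice above suggests: PASSWORD 1 from lowercase letters and digits only, long enough to make up for the narrow character set, and PASSWORD 2 from a wider set. Since the Secret doubles as the IPsec pre-shared key that every VPN client shares, its length is the one thing you fully control. The 128-bit floor in check_psk and the symbol list in USER_ALPHABET are this example's own choices, not anything the page or UniFi specifies.

```python
import math
import secrets
import string

# Character set the page recommends for the RADIUS Secret (reused as the
# IPsec pre-shared key): lowercase letters and digits only.
PSK_ALPHABET = string.ascii_lowercase + string.digits
# Wider set for the per-user RADIUS password, which the page says iOS
# tolerates; the exact symbol list is this example's own assumption.
USER_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def generate_secret(length: int, alphabet: str = PSK_ALPHABET) -> str:
    """Draw a secret from the OS CSPRNG via the secrets module."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def check_psk(candidate: str, min_bits: float = 128.0) -> list:
    """Return the problems with a candidate Secret; an empty list means it passes.

    The character-set rule comes from the page; the 128-bit floor is an
    assumption chosen for this example. Entropy is computed as if the string
    were uniformly random, so for a human-chosen secret it is an upper bound.
    """
    problems = []
    if not candidate:
        return ["empty secret"]
    if any(ch not in PSK_ALPHABET for ch in candidate):
        problems.append("contains characters outside [a-z0-9]")
    bits = entropy_bits(len(candidate), len(PSK_ALPHABET))
    if bits < min_bits:
        problems.append(f"too short: at most {bits:.1f} bits of entropy, want {min_bits:.0f}")
    return problems


if __name__ == "__main__":
    psk = generate_secret(32)                      # PASSWORD 1 in the page's terms
    user_pw = generate_secret(20, USER_ALPHABET)   # PASSWORD 2
    print("PSK:", psk, f"({entropy_bits(32, len(PSK_ALPHABET)):.0f} bits)")
    print("user password:", user_pw, f"({entropy_bits(20, len(USER_ALPHABET)):.0f} bits)")
    print("check:", check_psk(psk) or "ok")
```

A 32-character secret from 36 symbols carries about 165 bits if it is truly random, comfortably above what any reasonable floor asks for; a short word-like Secret fails the check even when it uses only the allowed characters.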

Set up a VPN server

  1. In the UniFi Controller, navigate to Settings, Networks
  2. Create New Network
  3. Give your VPN a name
  4. Select ‘Remote User VPN’ as purpose
  5. Select L2TP as the VPN Type (iOS supports this natively, so it will be easy to set up)
  6. In ‘Pre-Shared Key’, paste the password you chose as the Secret for the RADIUS server above (aka PASSWORD 1)
  7. In Gateway/Subnet, specify the IP address range that will be provided to VPN clients. This must not overlap with your existing subnets: for example, if your existing internal IPs look like 192.168.1.114, you could give VPN clients addresses like 192.168.2.111 by entering 192.168.2.1/24. The ‘/24’ simply provides for up to 254 VPN IPs to be assigned.
  8. Leave the remaining fields at their defaults
  9. Save
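Step 7 is the one that silently breaks routing if you get it wrong: a client pool that overlaps the LAN means VPN clients can't reach the very hosts you wanted. The following Python script is an added example, not part of the post or of UniFi, that checks a Gateway/Subnet value the way the USG form expects it (gateway address plus prefix) against the subnets you already use, and suggests a free /24 when the candidate collides. It uses only the standard ipaddress module; EXISTING_SUBNETS is a constructed sample to replace with your own LAN(s).

```python
import ipaddress

# Constructed sample: the subnets already in use on the home LAN.
EXISTING_SUBNETS = ["192.168.1.0/24"]


def pool_report(candidate: str, existing=EXISTING_SUBNETS) -> dict:
    """Describe a VPN client pool given in the Gateway/Subnet form the USG asks for
    (e.g. '192.168.2.1/24') and list any existing subnets it overlaps."""
    iface = ipaddress.ip_interface(candidate)
    net = iface.network                    # host bits masked off: 192.168.2.0/24
    existing_nets = [ipaddress.ip_network(s, strict=False) for s in existing]
    overlaps = [str(e) for e in existing_nets if net.overlaps(e)]
    # Network and broadcast addresses are not assignable on prefixes up to /30.
    usable = net.num_addresses - 2 if net.prefixlen <= 30 else net.num_addresses
    return {
        "network": str(net),
        "gateway": str(iface.ip),
        "usable_hosts": usable,
        "client_addresses": usable - 1,    # the gateway itself takes one of them
        "is_private": net.is_private,
        "overlaps": overlaps,
    }


def first_free_pool(existing=EXISTING_SUBNETS, base: str = "192.168.0.0/16",
                    prefix: int = 24) -> str:
    """Suggest the first /prefix inside base that overlaps nothing in existing,
    returned as gateway/prefix, ready to paste into the USG form."""
    existing_nets = [ipaddress.ip_network(s, strict=False) for s in existing]
    for sub in ipaddress.ip_network(base).subnets(new_prefix=prefix):
        if not any(sub.overlaps(e) for e in existing_nets):
            return f"{sub.network_address + 1}/{prefix}"
    raise RuntimeError(f"no free /{prefix} inside {base}")


if __name__ == "__main__":
    for cand in ("192.168.2.1/24", "192.168.1.1/24", "192.168.0.1/16"):
        print(cand, "->", pool_report(cand))
    print("suggested:", first_free_pool())
```

Note that a too-generous candidate such as 192.168.0.1/16 is flagged as well, because a /16 swallows every 192.168.x.0/24 LAN inside it.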

You’ve now set up your VPN server. Next, you need to make sure you’ll be able to easily reach it from the Internet. You can use your WAN IP for this, but for most people, this will change frequently and it’s hard to keep track of. Instead, we’re going to set up a dynamic DNS service so that we have a constant host address to connect to.

Dynamic DNS setup

There are countless dynamic DNS providers out there (DynDNS, No-IP…). You’re free to use whichever best suits your needs – note that the exact configuration may differ from service to service.

I’m going to use Duck DNS here, because basic service is free and it’s worked well for me so far.

  1. Go to Duck DNS and sign in using one of the supported authentication services
  2. Select a subdomain, and click the ‘add domain’ button
  3. In the UniFi Dashboard, navigate to Services, and select Dynamic DNS from the horizontal menu at the top
  4. Create new Dynamic DNS
  5. Select ‘dyndns’ as the service
  6. Enter the Duck DNS subdomain you chose as the hostname – only the subdomain you chose (e.g. ‘bob’)
  7. Enter ‘nouser’ as the username
  8. Enter the token shown on your Duck DNS page as your password
  9. Enter ‘www.duckdns.org’ as the server
  10. Save
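To make sense of those four fields, here is what a ‘dyndns’-type client does with them, written out in Python as an added example (not the USG's or Duck DNS's own code): one HTTP GET to /nic/update on the server, with the username and token in an HTTP Basic Authorization header, and a one-line reply. The reply codes are those of the DynDNS update protocol the ‘dyndns’ client type speaks; that Duck DNS answers with exactly these codes is an assumption of this example (its native /update API answers OK/KO instead). DDNS_TOKEN is a placeholder, and the fetch function is injectable so the demo runs offline.

```python
import base64
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Values the page tells you to enter on the USG; the token is a placeholder.
DDNS_SERVER = "www.duckdns.org"
DDNS_USER = "nouser"
DDNS_TOKEN = "YOUR-DUCKDNS-TOKEN"   # placeholder: copy the real one from your Duck DNS page

# Response codes of the DynDNS "Perform Update" protocol that the 'dyndns'
# client type speaks. That Duck DNS answers with exactly these is an
# assumption of this example.
RESPONSE_CODES = {
    "good": (True, "updated"),
    "nochg": (True, "no change"),
    "badauth": (False, "username/token rejected"),
    "nohost": (False, "hostname not found"),
    "notfqdn": (False, "hostname malformed"),
    "abuse": (False, "blocked for abuse"),
    "911": (False, "server error"),
}


def build_update_request(hostname, token, ip=None, server=DDNS_SERVER, user=DDNS_USER):
    """Compose what the dyndns client sends: GET /nic/update with HTTP Basic auth."""
    params = {"hostname": hostname}
    if ip:
        params["myip"] = ip   # when omitted, the server uses the requester's source address
    url = f"https://{server}/nic/update?{urlencode(params)}"
    cred = base64.b64encode(f"{user}:{token}".encode()).decode()
    headers = {"Authorization": f"Basic {cred}",
               "User-Agent": "usg-ddns-check/0.1 (example)"}
    return url, headers


def parse_update_response(body: str) -> tuple:
    """Map the first response line to (ok, meaning, detail)."""
    stripped = body.strip()
    line = stripped.splitlines()[0] if stripped else ""
    code, _, detail = line.partition(" ")
    ok, meaning = RESPONSE_CODES.get(code, (False, "unrecognized response"))
    return ok, meaning, (detail if code in RESPONSE_CODES else line)


def http_fetch(url, headers):
    """Real transport: GET over TLS and return the body as text."""
    with urlopen(Request(url, headers=headers), timeout=10) as resp:
        return resp.read().decode()


def run_update(hostname, token, ip=None, fetch=http_fetch):
    """Send one update and interpret the answer; 'fetch' is injectable for testing."""
    url, headers = build_update_request(hostname, token, ip)
    return parse_update_response(fetch(url, headers))


if __name__ == "__main__":
    # Offline demo with a constructed reply; pass fetch=http_fetch to go live.
    def fake_fetch(url, headers):
        return "good 203.0.113.5"

    print(run_update("bob", DDNS_TOKEN, "203.0.113.5", fetch=fake_fetch))
```

The token travels in the Authorization header, which is why the update must go over HTTPS; anyone who obtains it can repoint your hostname, so treat it like the VPN secrets.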

Set up VPN connectivity on iPhone or iPad

Now that your server is up and running and has a fixed hostname for access, let’s set up an iPhone to connect to it.

  1. Go to Settings, VPN
  2. Add VPN Configuration…
  3. Change the Type to L2TP
  4. Give it a Description
  5. Server: Your Dynamic DNS hostname
  6. Account: The user name of the RADIUS account you set up above
  7. RSA SecurID: leave this off
  8. Password: The password for the RADIUS user account you set up above
  9. Secret: The password you used for both the RADIUS server and the VPN
  10. Toggle Send All Traffic on
  11. Tap ‘Done’ in the top right

That’s it – you’re all set.

In iPhone Settings, VPN, select your new VPN configuration and toggle the Status switch to Connected. In a few moments, you should see the VPN icon appear in the status bar of your iPhone. Whenever you need an added layer of security or access to home network resources, just toggle the connection on from here.

Note that this will not connect from inside your home network. You have to be on cellular or connected to an outside network to connect to your home via VPN.

Set up VPN connectivity on Mac

You can benefit from the same security perks on your Mac.

  1. Open System Preferences (from the Apple logo menu at the top left of the screen)
  2. Click the Network icon
  3. Click the ‘+’ at the bottom left of the window
  4. Select ‘VPN’ as the interface
  5. VPN Type should be ‘L2TP over IPsec’
  6. Give your VPN a recognizable name
  7. Click ‘Create’
  8. Configuration can stay as ‘default’
  9. Server Address is your Duck DNS domain name set up earlier
  10. Account Name is your RADIUS user name set up earlier
  11. Click ‘Authentication Settings’
  12. Under ‘User Authentication’, select the Password option and fill in PASSWORD 2
  13. Under ‘Machine Authentication’, select the Shared Secret option and fill in PASSWORD 1
  14. Click ‘OK’

When you click ‘Connect’, your Mac should log you in to your VPN server.

Note: as with the iOS setup, this will not work from inside your home network.

April 22, 2014

Super Hembach Bros.

My brother maintains an Instagram feed (@pushatojump) where he shares photos of his Nintendo collection. Browsing through some of the comments a while back, I discovered @JangoSnow, a really talented artist that posts a lot of his work on Instagram, including among a variety of other things some awesome pixel portraits. Sven and I have been talking about how cool it would be to have us rendered as a Super Mario Bros style 8-bit duo, but we always failed at our own attempts. I reached out to @JangoSnow, and for a very reasonable price he created this fantastic little portrait and logo for us – I absolutely love it.

April 15, 2014

Using MailRoute.net with Dynadot

I recently switched my hosting and a number of domain names to Dynadot with the intent of saving a few dollars, consolidating with one vendor, and moving somewhere that provided better support than my last two hosts (who shall remain nameless, but rhyme with Screamghost and RunAndRun).

I’ve been using Mailroute.net for spam filtering and some other e-mail-related functions and want to continue to do so. After a bit of trial and error and a few exchanges with Dynadot’s support staff, I found that this configuration works as intended:

  1. Log into Mailroute.net and navigate to All Domains -> Delivery & MailServers -> Inbound Servers
  2. Delete any existing MailServer entries (with the red ‘x’ on the right)
  3. Click ‘Add Mail Server’, enter mail.yourdomain.com (using the actual domain name hosted at Dynadot) and a priority of 0. In my case, it was mail.hembach.com
  4. Log into Dynadot.com and navigate to Your Account -> Summary
  5. Click on the cPanel login at the bottom of the page, under ‘Dynadot Hosting’, and log in to cPanel
  6. In the ‘Mail’ section, click on ‘MX Entry’
  7. Select the domain name that’s associated with the e-mail accounts you want to filter
  8. Delete any existing MX Records
  9. Add a new record with priority 0 and destination mail.mailroute.net

That’s it. Enjoy freedom from spam.

December 7, 2011

Reznor plays the tambourine for Gary Numan

With the 3-hour soundtrack to The Girl With The Dragon Tattoo being released on Friday, I’m obsessing a little over old Nine Inch Nails recordings.

Here’s a gem I’d never seen before.

(via Alan Cross – A Journal of Musical Things)

The ninofficial YouTube channel is full of more awesome HD concert footage.

November 11, 2011

Going (mostly) Flashless in OS X Lion

With Adobe itself signalling the end of Flash, now is as good a time as any to free yourself of the resource-devouring plugin.

A year ago, John Gruber posted a solution for completely removing Flash while retaining the ability to pull up content should the need arise.

This is a great fix for two reasons. First, it will improve the overall performance of your system: longer battery life, a cooler machine and faster page loads. Second, it will provide passive feedback (via analytics) to the site owners that you are not running Flash, and ideally push those sites to transition to standards-based HTML5 more quickly.

Since that post, a few key things have changed.

Starting with the latest generation MacBook Air, new Macs that ship with Lion no longer include Flash pre-installed. While this means that owners of new Macs no longer have to manually uninstall Flash, they still need a suitable way of accessing Flash content when required.

Also, Chrome has since added a feature that automatically updates the browser to the newest version. Unfortunately, this breaks the keyboard shortcut documented in Gruber’s tutorial by constantly changing the application name listed in Safari’s Develop menu. This feature cannot be disabled from within the application, hence the following workaround.

First, if your Mac still has Flash player installed, uninstall it using Gruber’s original instructions:

Flash Player was in the default location: /Library/Internet Plug-Ins/. I moved “Flash Player.plugin”, “flashplayer.xpt”, and “NP-PPC-Dir-Shockwave” out of that folder and into a new folder I created next to it named “Internet Plug-Ins (Disabled)”. All you need to do to disable them is move them out of /Library/Internet Plug-Ins/.

Next, disable auto-updates in Chrome by executing the following command in Terminal.

defaults write com.google.Keystone.Agent checkInterval 0

Finally, create a custom keyboard shortcut to open the current page in Chrome, which has its own self-contained Flash runtime. Gruber’s instructions still apply here as well:

I’ve also added a shortcut for opening the current Safari page in Chrome quickly. First, if you haven’t done so already, enable Safari’s Develop menu. (It’s a checkbox in the “Advanced” panel of Safari’s preferences window.) The Develop menu contains an “Open Page With” sub-menu, which lists all the web browsers you have installed on your system. Using the Keyboard Shortcuts section in System Preferences, I set a custom menu key shortcut for the command to open the current page in Google Chrome. Whenever I’m on a page in Safari with Flash content I wish to view, I hit that shortcut, and boom, Chrome launches and loads that page. (Hint: when you create the custom shortcut, and are asked for the name of the menu item, just use “Google Chrome” or “Google Chrome.app” (whichever appears in your Open Page With sub-menu).)
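The file move in the first step is easy to do by hand, but just as easy to get half done. The Python script below is an added example, neither Gruber's nor this post's own code, that does the move the way the quoted text describes (into a sibling folder named ‘Internet Plug-Ins (Disabled)’), skips anything already moved or absent so it can be re-run safely, and can reverse itself. The demo() function exercises it on a constructed temporary folder; to run it against the real /Library/Internet Plug-Ins you would call disable_plugins(DEFAULT_PLUGIN_DIR) with root privileges and then relaunch Safari.

```python
import tempfile
from pathlib import Path

# The three files Gruber's post names, and the default plugin folder.
FLASH_PLUGINS = ["Flash Player.plugin", "flashplayer.xpt", "NP-PPC-Dir-Shockwave"]
DEFAULT_PLUGIN_DIR = Path("/Library/Internet Plug-Ins")


def disabled_dir_for(plugin_dir: Path) -> Path:
    """Sibling folder, named as in the post, that holds the moved-out plugins."""
    return plugin_dir.parent / f"{plugin_dir.name} (Disabled)"


def disable_plugins(plugin_dir: Path, names=FLASH_PLUGINS) -> list:
    """Move each named plugin out of plugin_dir; return the names actually moved.
    Safe to re-run: plugins already moved or never installed are skipped."""
    target = disabled_dir_for(plugin_dir)
    moved = []
    for name in names:
        src = plugin_dir / name
        if src.exists():                 # .plugin bundles are directories; rename handles both
            target.mkdir(exist_ok=True)
            src.rename(target / name)
            moved.append(name)
    return moved


def restore_plugins(plugin_dir: Path, names=FLASH_PLUGINS) -> list:
    """Undo disable_plugins; return the names moved back."""
    source = disabled_dir_for(plugin_dir)
    restored = []
    for name in names:
        src = source / name
        if src.exists():
            src.rename(plugin_dir / name)
            restored.append(name)
    return restored


def remaining_plugins(plugin_dir: Path, names=FLASH_PLUGINS) -> list:
    """Which of the named plugins are still active in plugin_dir."""
    return [n for n in names if (plugin_dir / n).exists()]


def demo() -> dict:
    """Run the procedure on a constructed copy of the plugin folder (temp dir)."""
    root = Path(tempfile.mkdtemp())
    plugin_dir = root / "Internet Plug-Ins"
    plugin_dir.mkdir()
    # Constructed layout: two of the three Flash files present, plus an unrelated plugin.
    for name in FLASH_PLUGINS[:2] + ["QuickTime Plugin.plugin"]:
        (plugin_dir / name).touch()
    first = disable_plugins(plugin_dir)
    second = disable_plugins(plugin_dir)          # idempotent re-run
    after_disable = remaining_plugins(plugin_dir)
    restored = restore_plugins(plugin_dir)
    return {
        "moved": first,
        "moved_again": second,
        "remaining_after_disable": after_disable,
        "unrelated_untouched": (plugin_dir / "QuickTime Plugin.plugin").exists(),
        "restored": restored,
        "remaining_after_restore": remaining_plugins(plugin_dir),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```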

That’s it. You’ve now rid your system of an ever-present Flash installation, but still left a way out for those pesky restaurant menus and auto manufacturers that just can’t take a hint.