• Feb 15, 2018

    Cobbling Together a Home Automation System

    I was introduced to home automation at a young age when my father installed an X10 system hooked to our alarm system. The basic gist of the automation was to turn on lights when we were away and to have all the lights in the house turn on if the alarm system activated. This was more than 30 years ago and was pretty simple in what he wanted to accomplish. Since then I've dabbled with the X10 Firecacker hooked to a Linux box, but really didn't get serious about home automation until about four and a half years ago when we purchased our current house. We were remodeling the house we purchased, so I used the opportunity to design an automation system and briefly wrote about it.

    Many lights, several outlets, and the thermostat in our house are using the ZWave protocol. This only covers part of the automation. All of the sensors (motion, window, and door) are on a standard DSC security system hooked up with an Envisalink module. The brains of the system is a VeraEdge with several third party plugins. Out of the box, the VeraEdge won't talk to the sensors and has very basic decision making capability, so the Program Logic Event Generator plugin is needed. In addition, I put together a plugin for controlling my Russound audio distribution units that works by sending commands to a PortServer TS 4 MEI and then to the Russound's RS-232 serial ports.

    This whole system worked well for several years, but I wasn't happy with the iOS app, so I created my own app a few years ago.

    If this sounds like a lot of pieces and a lot of work, it has been a labor of love and an interesting hobby. Of course having a system working well isn't a lot of fun if you like tinkering! When I received my first Amazon Echo two years ago, I was intrigued by the ability to control things by voice. My Vera (at the time) had no integration with the Echo, so I turned to a third party solution called HA Bridge by BWS Systems. It required more setup, but exposed scenes and devices so that they could be controlled by the Echo. (Vera now has native Echo support, but the way it is setup creates a delay in the response so I continue to use HA Bridge.) The new Routines in the Amazon Echo like adding one for "Good night" are an excellent addition, but has me scratching my head on if I should set that kind of thing up on the Echo, use the Vera natively, or use HA Bridge.

    As an Apple fan, you'll probably notice that I haven't mentioned HomeKit, yet. HomeKit has been interesting, but due to the lack of interoperable components and hackability, I've pretty much ignored it. Some enterprising developers have created Homebridge which I've also setup. Why HomeKit and Echo support? Simple, with the HomeKit app on iOS 11 and the widget, I can easily turn lights on or off right from my iPad without switching to my app and without having to yell at the Echo. In addition, this allows me to control lights with my Apple Watch. I run HA Bridge and Homebridge on a Raspberry Pi so that it can easily sit on my IoT VLAN (I separate out IoT traffic from my main network).

    This automation setup has been about 5 years in the making and I'm sure I'm not completely done with it. I keep looking at ways to simplify it with different components like maybe a new hub or new switches. However, every time I start looking into it I realize that I'd lose functionality. My wife tolerates my hobby and kind of likes some of the aspects of it as she warms up to them. Changing anything would be a change for the worse.

    The more time and effort I put into my automation system, the more I realize that turnkey home automation is still a pipe dream. If someone has very simple needs then maybe he or she can get away with one system. The moment you want a choice in your components or want to do something that the major companies that do automation don't want you to do, you have to either give up or cobble together a system.

    Products used in my system:

    Hardware

    • VeraEdge - main automation hub
    • DSC alarm system
    • Envisalink - alarm system to network
    • PortServer TS 4 MEI
    • Russound audio distribution units (no longer made) with RS-232 ports
    • Squeezebox audio units (no longer made)
    • Raspberry Pi for running Homebridge and HA Bridge
    • Amazon Echo
    • iPad/iPhone/Apple Watch

    Software

    Feel free to ask questions about my system. I'm always open to ideas and will keep actively exploring ways to improve my life through automation!

  • Feb 9, 2018

    Setting up a UniFi Security Gateway for an On Demand iOS VPN

    [UPDATE - 18 May 2020] In some recent iOS update (not sure which), certificates are no longer required to have an on demand VPN work. So I switched to using the built in L2TP VPN in the USG which requires very little configuration. My VPN profile has also changed and can be found here. This profile does on demand like before, but also automatically connects if something on my phone tries to access certain internal resources (I have AdGuard setup to handle DNS on my network). I use this for connecting to Home Assistant without port forwarding or anything like that.

    [UPDATE - 06 Feb 2019] With the latest release of the OpenVPN app, the identifier has changed from net.openvpn.OpenVPN-Connect.vpnplugin to net.openvpn.connect.app. Without this change, the VPN profile will NOT work.

    Following up on my widely popular post about Setting up an EdgeRouter Lite for an On Demand iOS VPN, I've decided to write about the same procedure, but on a Ubiquiti UniFi Security Gateway. Much of the procedure is the same, but for completeness I'll include all the steps here.

    An on demand VPN will automatically fire up when you're on certain WiFi networks and under certain circumstances. This is quite useful if you use unknown WiFi networks and are concerned about security (you should be!).

    This is a really long setup, but it is straightforward. If you're intimidated by command lines and editing text files, this process is not for you!

    Certificate Setup

    1. SSH into the USG. You'll use the same username and password for connecting to the UniFi Controller.
    2. Setup a new certificate authority that will be used to create new client certificates for the VPN. Issue the following commands, one per line. Follow the prompts when you run the commands. 
      configure
sudo su
cd /usr/lib/ssl/misc/
./CA.sh -newca
    3. Create a new server certificate and sign it. Follow the prompts when you run the commands; you'll need to enter a password for the new request. We'll remove it in another step. 
      ./CA.sh -newreq
./CA.sh -sign
    4. Copy the certificate authority key and certificate to an area of the router that will survive a firmware upgrade. 
      cp demoCA/cacert.pem demoCA/private/cakey.pem /config/auth/
    5. Also copy the server certificate to the same place. 
      mv newcert.pem /config/auth/server.pem
    6. Display the certificate authority certificate using cat /config/auth/cacert.pem and then copy it into BBEdit or another text editor on your local computer; save it to your hard drive.

    7. Remove the password on the private key for the server so that the VPN server can start automatically.

      openssl pkcs8 -in newkey.pem -out /config/auth/server-pem.key
    8. Generate the Diffie-Hellman Paramters; this takes a long time. 
      openssl dhparam -out /config/auth/dhp.pem -2 1024
    9. The next part is generating the client certificates. The recommendation is to have 1 client certificate per client. However, this would require me to have 1 for my iPad and 1 for my iPhone complicating setup. While having 1 certificate for both may not be recommended, it is the route I chose. When prompted, enter a password for the new key and then the last line will remove it. Don't enter a challenge password. 
      ./CA.sh -newreq
./CA.sh -sign
mv newcert.pem client-cert.pem
openssl pkcs8 -in newkey.pem -out client-key.pem
    10. Display the certificate using cat client-cert.pem and past it into BBEdit and then saved it.

    11. Do the same thing with the key using cat client-key.pem and saved it to my Mac.

    12. On my Mac, do the following in Terminal (make sure you're in the same directory as where you saved the certificate and key). When exporting, set a password that you'll use later.

      openssl pkcs12 -export -out client1.p12 -inkey client-key.pem  -in client-cert.pem

    Note that the /config directory survives firmware upgrades. If you need to add client certificates later and the certificate authority you created is gone, you may have to start the setup over.

    OpenVPN Server Setup

    1. Create a file called config.gateway.json and place it in the data directory for your UniFi Controller. I run my controller on a Mac and the path is ~/Library/Application Support/UniFi/data/sites/default. It should basically be as shown below. You'll want to configure the OpenVPN network (10.0.5.0/24) if you use a different numbering scheme; this cannot be a network defined in the UniFi Controller. You should also change the DNS to servers you use. I don't know if the push-route commands are absolutely necessary, but I put them in anyway as they appear to work. 
      {
  "firewall": {
    "group": {
      "network-group": {
        "open_vpn_network": {
          "description": "OpenVPN Network",
          "network": [
            "10.0.5.0/24"
          ]
        }
      }
    }
  },
  "interfaces": {
    "openvpn": {
      "vtun0": {
        "local-port": "1194",
        "mode": "server",
        "openvpn-option": [
          "--comp-lzo",
          "--push redirect-gateway",
          "--push dhcp-option DNS 10.0.1.2",
          "--push dhcp-option DNS 10.0.1.1",
          "--duplicate-cn"
        ],
        "server": {
          "push-route": [
            "10.0.1.0/24",
            "10.0.5.0/24",
            "10.0.0.0/16"
          ],
          "subnet": "10.0.5.0/24"
        },
        "tls": {
          "ca-cert-file": "/config/auth/cacert.pem",
          "cert-file": "/config/auth/server.pem",
          "dh-file": "/config/auth/dhp.pem",
          "key-file": "/config/auth/server-pem.key"
        }
      }
    }
  },
  "service": {
    "nat": {
      "rule": {
        "7000": {
          "description": "OpenVPN to WAN",
          "log": "disable",
          "outbound-interface": "eth0",
          "protocol": "all",
          "source": {
            "group": {
              "network-group": "open_vpn_network"
            }
          },
          "type": "masquerade"
        }
      }
    }
  }
}
    2. Force a reprovision of the USG by selecting the USG, then clicking on the Config tab.

      Reprovision

    3. On the UniFi Controller, click on Settings and then Routing & Firewall.
    4. Click on Firewall at the top.
    5. Click Groups and add an OpenVPN port group.

      Screen Shot 2018 02 09 at 1 18 49 PM
    6. Switch over to Rules and setup an OpenVPN rule.

      OpenVPN Firewall
      Good work if you've followed along this far! Next up is the client setup which has a bunch of steps as well.

    iOS Client Setup

    1. Locate the p12 file that you created on your Mac.
    2. Download Apple Configurator from the Mac App Store.

    3. Select New Profile from the File menu.

      New Profile

    4. Fill out the General information for the profile. You can leave the Identifier as is.
      General

    5. Click on Certificates and then press Configure. Select the .p12 file you created way back in the first part of the instructions.
      Select Certificate
    6. Give the certificate a name and enter the password you used when exporting the p12 file.
      Certificate Selected

    7. Select the VPN section and click Configure.
      Configure VPN

    8. Enter a name for the connection.

    9. Select Custom SSL for the Connection Type.
    10. Enter net.openvpn.connect.app for Identifier.
    11. Enter the hostname for the Server. I recommend your Dynamic DNS hostname here.
    12. Enter some username for the account; it won't be used.
    13. Enter a placeholder key/value pair. You'll edit this by hand later.
    14. Select Certificate for User Authentication and then pick the certificate you added earlier.
    15. Enable VPN On Demand. You'll hand edit this later as well.
    16. Select a Disconnect on Idle value; I selected Never.
    17. Save the profile to your Desktop (or somewhere else). Don't sign it as signing it will prevent you from editing it by hand which is needed to properly setup the VPN On Demand. Configurator doesn't handle all the options present in current iOS versions.
      VPN Setup
    18. Open the .mobileconfig file in BBEdit. BTW, if you haven't bought BBEdit, you should definitely buy it. While the current version offers basic functionality for free, this is a tool that should always remain in your tool belt.

    19. Look at the section called VPN. Mine is basically below. You'll need to change a few entries.

          VPN
    
        AuthName
        scott
        AuthenticationMethod
        Certificate
        DisconnectOnIdle
        0
        OnDemandEnabled
        1
        OnDemandRules
        
            
                Action
                Disconnect
                SSIDMatch
                
                    My Network 5 GHz
                    My Network
                
            
            
                Action
                Disconnect
                InterfaceTypeMatch
                Cellular
            
            
                Action
                Connect
                InterfaceTypeMatch
                WiFi
            
            
                Action
                Ignore
            
        
        PayloadCertificateUUID
        SOME_IDENTIFER
        RemoteAddress
        vpn.example.com
    
    VPNSubType
    net.openvpn.OpenVPN-Connect.vpnplugin
    VPNType
    VPN
    VendorConfig
    
        dev
        tun
        proto
        udp
        remote
        vpn.example.com 1194
        cipher
        BF-CBC
        resolv-retry
        infinite
        nobind
        NOARGS
        persist-key
        NOARGS
        persist-tun
        NOARGS
        comp-lzo
        NOARGS
        link-mtu
        1542
        ca
        -----BEGIN CERTIFICATE-----\nMIID...bAqZZCQYgHwAh9bW\n-----END CERTIFICATE-----\n
    20. Change the vpn.example.com references to your VPN address.

    21. For the section that starts with BEGIN CERTIFICATE for the ca, find the cacert.pem that you saved to your hard drive. Open that in BBEdit and remove all the returns in the file. After the first line replace the return with \n. Before the last line put a \n and then another one after the line. You should end up with a big long line!
    22. The OnDemandRules are described in Apple's documentation. My setup basically says that if I'm on a trusted network, disconnect the VPN. When on cellular, also disconnect the VPN (I trust the cellular network for now). If I'm on any other network, connect the VPN. The last item just falls through, but I suspect it will never get there. In my example, change the names of the trusted SSIDs.
    23. The VendorConfig section are the OpenVPN options that should match the server.
    24. Save the file.
    25. Transfer the .mobileconfig file to your iOS device. I drop the file on AirDrop to my devices. If the formatting of the file is correct, the iOS device will ask you to install the file.
    26. In the VPN section in iOS Settings, Connect and cross your fingers. That's it! Now when you wonder onto an unknown WiFi network, the VPN should automatically connect. It may take a few seconds for the connection to come up.

    If you've made it this far, congratulations! I spent a few days working on this and hopefully I captured all the steps. Please send me corrections or feedback.

    Notes

    1. I've noticed that sometimes iOS connects to my VPN even when it is on my network. The On Demand connection is evaluated when the network changes and I suspect iOS gets confused and starts evaluating the On Demand rules prior to getting an SSID.
    2. The default certificates are good for 1 year. So you'll need to renew then after a year. I'll cross that bridge when I come to it.
    3. If the certificate is compromised, I don't know how to do certificate revocations.
    4. Treat the certificate and keys just as if they were passwords. This goes for the .mobileconfig file as well. The mobileconfig file has the password to the p12 file in clear text and anyone with that file can connect to your VPN and access your network.
    5. The OnDemand rules are evaluated when the device changes networks and may take a few seconds to bring up the VPN. I always wait for the VPN icon to come up before doing anything on my device.
    6. OpenVPN runs on UDP port 1194 by default. You can configure it for TCP 443, but I won't go into that because it seems like a pain and requires more changes.
    7. In the latest iOS version (11.2.x), if your VPN is on demand, you cannot manually connect with it. You have to go into iOS Settings->General->VPN, tap the Info button next to the VPN and turn off "Connect On Demand".
    8. Savvy readers will notice that I put the client certificate as a p12 file in the mobileconfig file and put it in the OpenVPN specific settings. There appears to have been a change to the OpenVPN client on iOS where the p12 certificate no longer works. You may be able to remove the certificate from the configuration, but I left it.
  • Dec 19, 2017

    Preserving Metadata in Photos

    During my recent task of scanning the rest of the photos that I had lying around, I found a CD that my parents had made with some photos on it. They burned it using iPhoto 6 (burning a CD was a feature of iPhoto years ago). I thought that I'd just be able to put the CD in and open the library in Photos with all the metadata preserved. Unfortunately Photos couldn't read the library, so I was stuck with a bunch of JPEGs that had no metadata on them and the file dates aren't the actual dates of the pictures. While I was able to drag all the pictures into Photos, I really would have preferred that the metadata be attached to the photos.

    Apple has taken the approach that the original photos should not be modified and that any changes like the date or metadata should be stored in a database. This is great as long as the database doesn't become corrupted and the application remains supported. I encountered the same type of issue when I was developing Paperless where I was allowing users to add a bunch of metadata to PDFs and I stored it in a database. Unlike Apple, I realized pretty quickly that if something happened to the database, I stopped supporting the application, or a user wanted to switch to another application, I wanted users to still have all the metadata associated with the PDFs. I discovered that PDFs can have keywords attached to them and I used this mechanism to write the data directly into the PDFs.

    With Photos, if you drag a photo out of it and into the Finder, you get a copy of the original photo with none of the metadata that you enter in Photos attached to it. However, if you choose to export the photo there is an option to include the metadata which writes it as EXIF to the photo.

    Screen Shot 2017 12 19 at 9 06 19 AM

    This was the key to my concern about having the metadata in the photos themselves. I created a smart album which contained all photos that didn't have a camera set on them (the assumption is that all photos that have the camera set in the EXIF have the correct photo date), exported all the photos, deleted the photos in Photos and re-imported them. Somewhat roundabout way to accomplish what I wanted, but my photos now have dates on them that will survive if Photos ever goes belly up.

  • Dec 18, 2017

    A year with my Impreza

    It's hard to believe that I bought my Subaru Impreza a year ago! My initial impressions of the car were pretty good. Now that I've put about 10,000 miles on it, I am convinced that I made the right choice with the car. We've taken it on a few road trips pushing, but mostly I've driven it around town.

    I've never owned a "sports car" and this may be the closest I come to one. This car is truly fun to drive. I've been playing a lot with the paddle shifters especially going down mountains. Also, being closer to the ground, I definitely feel the acceleration.

    Tech wise, CarPlay is now a requirement for every car I get. The interface is clean and Apple updates it periodically with new features, something car manufacturers are not known to do with the infotainment systems. Up-to-date maps and navigation alerts such as alternate routes and accidents are handy. My only problem with CarPlay is that I have to wait for the infotainment system to fully power up before I plug in my phone, otherwise CarPlay fails to start. However, I'm testing a theory that the Subaru STARLINK app crashes when I connect my phone to the car. The app is useless and I'm not sure why I left it on my phone until this week.

    I was concerned about the smaller cargo capacity especially going on trips and camping, but those concerns have so far been unfounded. I've managed to cram everything in the car without having to use the roof box I bought. The gas mileage has been pretty good with some trips giving me close to 38 mpg. Unfortunately most of my driving is city driving and a hybrid would have done much better in those circumstances. If Subaru had a hybrid Impreza, I'd definitely be interested in that.

    The car has had a few recalls which is expected on a new platform and I hope I get years of continued service out of it.

    Overall this car was a very good purchase. It may not be for everyone; it is the right car for me!