A quick Citrix microapp hack to get notifications when there’s a Citrix Security Bulletin

Credit to Gabe Carrejo and Patrick Quinlan for their work on this.

It’s possible to use the Citrix Support Security Bulletin RSS feed with Citrix microapps to notify you (or a group) when there’s a new Security Bulletin from Citrix.

Rough Steps:

  1. Copy this RSS URL: https://support.citrix.com/feed/products/all/securitybulletins.rss
  2. If you want to narrow the feed down to a specific product or category, look for the category tags in the RSS feed and add them when you add the RSS integration in step 3
    • Some examples, in case they help:
  3. Follow the RSS microapp guide here and replace the blogs RSS URL with the Security Bulletin URL: https://kabri.uk/2019/12/18/building-a-simple-citrix-microapp-that-shows-blog-posts-from-a-wordpress-rss-feed/

Of course, you don’t need to use microapps to get Security Bulletins (you could just use an RSS reader) but it’s a very neat use case – and combined with Push Notification with Workspace, means you get a notification to your phone when there’s a new Bulletin. Great idea, Gabe!

A full list of the feeds available from Citrix Support is here: https://support.citrix.com/feeds

Creating a Site to Site Routed VPN using DD-WRT and OpenVPN

Scenario

I needed to set up a site-to-site VPN between my home and my parents’ home, so that we can back up our stuff offsite – mostly documents and precious digital photos.

Requirements

  • I wanted it to be a proper routed VPN network, not a bridged one. By that I mean an OpenVPN tun setup, not an OpenVPN tap setup.
  • I did not want to force the client to use the OpenVPN server as the gateway: I want both homes to use their own ISP for internet traffic. This is often referred to as split-tunnelling.
  • Must run both OpenVPN client and server on same DD-WRT router: For maximum flexibility I wanted to run both an OpenVPN server and client on the same DD-WRT router/gateway.

Equipment

1 x DD-WRT router at my place, acting as an OpenVPN server
1 x DD-WRT (technically an ASUSWRT) router at the remote location, acting as an OpenVPN client

Conceptual setup

Local LAN: 192.168.1.0/24
Remote LAN: 192.168.0.0/24
OpenVPN network: 10.8.0.0/24

  • DD-WRT router acts as OpenVPN Server.
    • LAN IP: 192.168.1.1/24. OpenVPN IP: 10.8.0.1/24
  • Remote DD-WRT router acts as an OpenVPN client.
    • LAN IP: 192.168.0.1/24. OpenVPN IP: 10.8.0.2/24.

If your LAN/IP setup is different, you should be able to do a Find/Replace to change all of these.

Some technical details

DD-WRT version: DD-WRT v3 – DD-WRT v3.0-r33679 std (11/04/17)

DD-WRT server assigns tunnel device as tun2
DD-WRT client assigns tunnel device as tun1
DD-WRT bridges ethernet and WLAN devices into br0

Considerations and gotchas

Most guides will get you *nearly* there

Most guides I found online for setting up DD-WRT for a site to site VPN with OpenVPN got me almost there, but didn’t quite finish the job. Many were also written over a year ago, and it seems DD-WRT has changed a bit since they were written. In addition, some threads where people were having issues seemed to give up on tun (routed) and switched to using tap (bridged) which wasn’t ideal for me.

Guides I found which may be useful to you include:

  1. Happydaddy post: https://www.dd-wrt.com/phpBB2/viewtopic.php?t=304754
  2. D0ug has an interesting setup, including kill switches. https://www.dd-wrt.com/phpBB2/viewtopic.php?t=311904
  3. Boogalooz guide: https://dd-wrt.com/phpBB2/viewtopic.php?t=312064

Note that you’ll need to register for the DD-WRT forums to see the images/attachments alluded to in the posts.

Open the frontdoor

If your DD-WRT device is also your gateway (that is, it has a modem connected to it, and it acts as your internet gateway) you’ll need to open up the port for the OpenVPN server using IPTABLES. Some guides seemed to skip this.

You don’t really need to mess around with IPTABLES with the latest builds of DD-WRT

It looks like in the past you had to do a lot of messing around with IPTABLES on DD-WRT to get OpenVPN to work – mostly to pass traffic between the OpenVPN tun+ devices and the bridged device (br0) on the router. Now you can just use the GUI, as it seems to autoconfigure everything for you.

OpenVPN client with PBR and OpenVPN server don’t play nice

If you have a VPN client using Policy Based Routing (PBR) on the same DD-WRT router as your OpenVPN server, you’ll hit this issue: http://svn.dd-wrt.com/ticket/5690. Put the suggested script from pastebin into your Startup Script and all will be well.

Symptoms for this issue are that you can ping from the Client network to computers inside the OpenVPN server’s local network, but not all IPs respond. It’ll turn out that the IPs that don’t respond will be in the PBR list for your OpenVPN client setup.

iroutes are important

One of the most common things I found was this symptom: You can ping from the client network to computers on the server’s network. But you cannot ping from the Server network back through to the Client’s LAN network. You can ping from the server network to the OpenVPN IP on the remote network (10.8.0.2 in my case) but not the IP on the other side of the router on the LAN interface (192.168.0.1 in my case).

The problem is that some of the guides you’ll find strewn around the internet don’t cover adding iroutes. Without adding an iroute to the OpenVPN client, you won’t be able to ping from the Server LAN to the Client LAN.

General setup

Create server and client keys

Sorting out the keys for the server and client is covered well in this post: https://openvpn.net/index.php/open-source/documentation/howto.html#pki. This part of the setup is outside the scope of this blog post.

Configure the OpenVPN server

OpenVPN server setup in the DD-WRT GUI

Here’s how my OpenVPN Server config looks [images below]

  1. I’m using WAN up, and configuring as a Server instead of Daemon.
  2. Also using Router server mode instead of Bridge.
  3. Don’t forget to enable “Allow client to client” so that the clients can talk to each other.
  4. In additional config add:

Here’s the server conf file in case it’s useful:

Example Client config ovpn file:

Putting the contents of the ca, cert and key files into the ovpn files makes it much easier to import into an OpenVPN client. In my case, the ASUSWRT openvpn client wouldn’t accept these files individually, so I had to combine them in the ovpn profile file as above.

Additional configuration to make it all work as expected

Below are all the things I had to do in addition to the general setup to make things work – that is, so that both sides of the VPN could contact each other as expected in a site-to-site VPN.

Open the OpenVPN Port

Administration > Commands > Firewall Script

Add the following to the Firewall Script in DD-WRT.
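An added example of what that Firewall Script entry can look like (this is not the blog’s own script). It assumes the server listens on UDP 1194, the OpenVPN default; change OVPN_PORT and OVPN_PROTO to match your GUI settings. It deletes any existing copy of the rule before inserting it, because DD-WRT re-runs the Firewall Script on WAN events and a bare insert would pile up duplicate rules.

```shell
#!/bin/sh
# DD-WRT Firewall Script: open the OpenVPN server port on the WAN side.
# Added example, not the blog author's script. Assumed defaults: UDP 1194.
OVPN_PORT="${OVPN_PORT:-1194}"
OVPN_PROTO="${OVPN_PROTO:-udp}"

# Delete-then-insert keeps exactly one copy of the rule, however many
# times the firewall script is re-run by the router.
open_openvpn_port() {
    iptables -D INPUT -p "$OVPN_PROTO" --dport "$OVPN_PORT" -j ACCEPT 2>/dev/null || true
    iptables -I INPUT -p "$OVPN_PROTO" --dport "$OVPN_PORT" -j ACCEPT
}

# Only apply when iptables is actually present (i.e. on the router).
if command -v iptables >/dev/null 2>&1; then
    open_openvpn_port || echo "open_openvpn_port: iptables failed" >&2
fi
```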

Startup script to fix routing with OpenVPN client and PBR

Administration > Commands > Startup Script

Go here for the overview: http://svn.dd-wrt.com/ticket/5690 and use the script in the pastebin link to fix the issue. Add it to startup via Administration > Commands.

Client config to provide iroute

Administration > Commands > Startup Script

Add this to the bottom of the PBR fix script text in the Startup Script section.

This is what enables you to ping from server network to client network. Without this, you’ll be able to ping from client LAN to server LAN, but not from Server LAN to Client LAN. The script ensures that on each boot of the router, it re-creates the client configuration file in the /tmp/ directory on the DD-WRT router and adds the iroute command to the config file. When the remote client connects, it’ll pick up this iroute.

There’s some really good information on why this works here: http://backreference.org/2009/11/15/openvpn-and-iroute/ but basically, the kernel routing table only gets packets as far as the OpenVPN process; OpenVPN keeps its own internal routing table and needs an iroute to know which connected client owns the remote subnet. So even though you may have all the right routes set up, it won’t work unless you’ve configured an iroute for the client.

Put this in your Startup Script, just after the PBR fix text:
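An added example of that Startup Script entry, serving both the “iroutes are important” explanation and the client-config step above; it is not the blog’s own script. It assumes OpenVPN reads per-client files from /tmp/openvpn/ccd and that the client certificate’s CN is remote-router (set CLIENT_CN to yours); the server’s additional config must then contain `client-config-dir /tmp/openvpn/ccd` and `route 192.168.0.0 255.255.255.0`, and the LAN subnets are the ones used in this post.

```shell
#!/bin/sh
# DD-WRT Startup Script: recreate the per-client OpenVPN config on every boot
# (/tmp is wiped at reboot) so the server always has the iroute for the
# remote LAN. Added example, not the blog author's script.
# Assumed: ccd path /tmp/openvpn/ccd, client certificate CN "remote-router".
CCD_DIR="${CCD_DIR:-/tmp/openvpn/ccd}"
CLIENT_CN="${CLIENT_CN:-remote-router}"
REMOTE_LAN="192.168.0.0 255.255.255.0"   # LAN behind the OpenVPN client

# write_client_ccd DIR CN: writes DIR/CN containing the iroute and prints
# the file path. "route" (in the server config) sends the subnet to the tun
# device; "iroute" (here) tells OpenVPN which client owns it. Both are
# needed for server LAN -> client LAN traffic.
write_client_ccd() {
    dir="$1"
    cn="$2"
    mkdir -p "$dir"
    printf 'iroute %s\n' "$REMOTE_LAN" > "$dir/$cn"
    chmod 644 "$dir/$cn"
    printf '%s\n' "$dir/$cn"
}

write_client_ccd "$CCD_DIR" "$CLIENT_CN" >/dev/null
```

The remote client picks up the iroute the next time it connects, so restart the client side (or the server) after the first boot with this script in place.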

Source

Finally, a management tool for Bitlocker

I first deployed Bitlocker and AD integration with Windows 7 Enterprise back before it was publicly released (that gap between when it gets released to Volume Licence customers, but not to the public). It wasn’t easy, and I had to use some interesting hacks and self-discovered kludges gleaned from old Vista documentation, as the Win 7 documentation hadn’t been released by Microsoft at the time. I had meant to document and release it as a quick-fix blog entry, but the time passed and everything can be done properly now.

Since deployment, Bitlocker has been fantastic. The only issue we’ve had with Bitlocker since we deployed it is that of ensuring that end-users don’t suspend it or disable it, and that we most definitely have a good backup of the recovery key.

Effectively, without a management tool, you fly a bit blind until a problem comes up, or a Bitlockered laptop ends up in your lap with it disabled. Ignorance shouldn’t be bliss when it comes to full disk encryption and protecting your company’s data.

The AD backup of keys is a particular pain, as we’ve found that sometimes, Bitlocker just forgets to back itself up to AD when it’s enabled. To mitigate this, we’ve just instructed Bitlocker to also copy the key to a secure fileshare when it’s enabled during the MDT task, as well as backing it up to AD.

Fortunately, Microsoft have started to build a Bitlocker management tool called Microsoft Bitlocker Administration and Management. You can read more about it on the Windows Team Blog.

It’s still in Beta, but I’m looking forward to trying this out!

Logging in through Facial Recognition…

On reading about the new Asus N10J, it seems that it allows you to log in using your face:

Smart Technology – Quick Logons through Facial Recognition

Continuing with the tradition of breaking tradition, ASUS introduces a whole new way in which users logon to their computers—through facial recognition. The SmartLogon system detects the user’s face and logs on without any intervention from the user. This system is designed to learn the variations of the user’s facial features, and is capable of performing detection in different lighting conditions.

Maybe I’m a cynic, but I wonder what happens if you take a photo of the target user, print it out life-size and show it to the camera? It might even work with a high-res passport photo scan. Hmmmm, curious…

If you buy a Mac because you think they can’t be infected…

Think again:

Two pieces of malicious software affecting Apple’s Mac OS X appeared this week: a Trojan horse with the ability to download and install malicious code of an attacker’s choice, and a hacker tool for creating backdoors, according to security vendors.

The Trojan — called ‘OSX.RSPlug.D’ by Intego, the Mac security specialist that discovered the threat — is a variant on an older piece of malicious code but with a new installer, Intego said.

Naturally, it targets users in a traditional way:

The Trojan is found on porn websites posing as a codec needed to play video files, a technique used to trick the user into downloading and installing it.

I find myself saying this a fair bit: Mac OS X is not necessarily more secure than any other OS. At the present time, given their lower market share, they’re just not as sweet a target as the Windows install base. As Macs reach a critical mass, they’ll become just as desirable to infect as any other computer.