Wednesday, March 29, 2017

PrivateInternetAccess VPN on a Ubiquiti USG (Unifi Security Gateway)


Big news this week, as the Republicans in Congress decided to scrap an FCC rule known as the Broadband Consumer Privacy Proposal which required broadband providers to get permission from subscribers before collecting and selling data collected about their users.

Since I am very interested in my online privacy, or at least, I like to have the option to choose when to share my information for myself, and since I recently upgraded my home router to a Unifi Security Gateway from Ubiquiti Networks, I wanted to know if the VPN client would be compatible with the Private Internet Access VPN that I use to protect my privacy, thereby putting my entire house behind the VPN all the time.

Posts in the UBNT Community Forums seem to have a lot of confusion, or are just outdated.

It turns out the setup for a PIA VPN configuration is very easy.

The only thing that posed any challenge was calculating all the routes for all the subnets outside my house, to route that traffic over the VPN. In my case, since I use RFC1918 space, here is the list of routes I needed to add to the USG, via the "subnets" menu item in the USG settings app:

  • 0.0.0.0/1
  • 192.169.0.0/16
  • 192.170.0.0/15
  • 192.172.0.0/14
  • 192.176.0.0/12
  • 193.0.0.0/8
  • 194.0.0.0/7
  • 196.0.0.0/6
  • 200.0.0.0/5
  • 208.0.0.0/4
  • 224.0.0.0/3

Since hosts have a default route to the USG (192.168.1.1), all traffic will make it to the USG just fine. Now... the USG has a default route to the internet via my ISP. The default route is 0.0.0.0/0, which is the least specific route possible to have in a routing table... a route to every IP possible. In routing, more specific routes always win. So the USG also has a local route to 192.168.0.0/22, which prevents my internal traffic from following the default route. And the USG has a more specific route to its gateway than the default as well, since that is a connected network, so it won't get lost in the routes above.

The list of subnets above provides a more specific route than the default route for every possible IP that is not in my house, which forces everything to be sent across the VPN, but they are still the least specific possible routes to everything, which means they're pretty easy to override if I don't want something going over the VPN. After all, the VPN is pretty limited on bandwidth compared to going directly out over FiOS.

This list is everything that I don't use in my house, and ensures that any traffic to anywhere outside my house will be routed over the VPN. And yes, I am aware that there are other blocks of RFC1918 and RFC5737 space, but since ISPs don't route those networks, I'm not worried about them, because the VPN essentially acts as a sink for any traffic to those destinations.
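As an added example (not code from the original post), the route list can be computed instead of worked out by hand. Python's standard `ipaddress` module can carve the local subnet(s) out of 0.0.0.0/0, which yields exactly the set of largest possible blocks that are each more specific than the default route; `longest_match` shows the "more specific wins" rule from above, and `uncovered` compares a hand-written list (here the post's own list, as `POST_LIST`) against the computed one, since any block no hand entry covers keeps following the default route to the ISP rather than the VPN. `vpn_routes` generalises to more than one local prefix. The USG itself is not involved; this only produces the CIDR strings to type into the "Remote Subnets" field.

```python
import ipaddress

# The hand-written list from this post, for comparison.
POST_LIST = [
    "0.0.0.0/1", "192.169.0.0/16", "192.170.0.0/15", "192.172.0.0/14",
    "192.176.0.0/12", "193.0.0.0/8", "194.0.0.0/7", "196.0.0.0/6",
    "200.0.0.0/5", "208.0.0.0/4", "224.0.0.0/3",
]

def _carve(nets, prefixes):
    """Remove every prefix in `prefixes` from the list of networks `nets`,
    splitting a network into the largest aligned blocks around each prefix."""
    remaining = list(nets)
    for prefix in prefixes:
        hole = ipaddress.ip_network(prefix)
        carved = []
        for net in remaining:
            if net.subnet_of(hole):
                continue                                   # swallowed entirely
            if hole.subnet_of(net):
                carved.extend(net.address_exclude(hole))   # split around the hole
            else:
                carved.append(net)                         # disjoint, keep as is
        remaining = carved
    return remaining

def vpn_routes(local_prefixes):
    """Smallest set of CIDR blocks covering all of IPv4 except the local prefixes.
    Each block is more specific than 0.0.0.0/0 (so it beats the ISP default route)
    but otherwise as coarse as possible (so one extra route can still override it)."""
    return sorted(_carve([ipaddress.ip_network("0.0.0.0/0")], local_prefixes))

def uncovered(hand_list, local_prefixes):
    """Address blocks outside the local prefixes that a hand-written route list
    does not cover; traffic to these follows the default route, not the VPN."""
    return sorted(_carve(vpn_routes(local_prefixes), hand_list))

def longest_match(routes, address):
    """Longest-prefix match: the most specific route containing `address`, or None."""
    addr = ipaddress.ip_address(address)
    best = None
    for route in routes:
        net = route if isinstance(route, ipaddress.IPv4Network) else ipaddress.ip_network(route)
        if addr in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return best

if __name__ == "__main__":
    local = ["192.168.0.0/22"]              # the house subnet from the post
    routes = vpn_routes(local)
    print("Remote subnets to enter on the USG:")
    for net in routes:
        print("  ", net)
    print("Hand list leaves these to the ISP default route:")
    for net in uncovered(POST_LIST, local):
        print("  ", net)
    # The connected local route is more specific than anything in the VPN list.
    print("192.168.1.5 ->", longest_match(routes + [ipaddress.ip_network(local[0])], "192.168.1.5"))
    print("8.8.8.8     ->", longest_match(routes, "8.8.8.8"))
```

Adding a second local prefix (for example a guest VLAN) to the `local` list keeps that VLAN off the VPN too; to send one outside destination directly out the ISP instead, a single route more specific than the block shown for it is enough.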

Here is how the settings go into the USG configuration in the Unifi controller application:

Specifically:

  • Purpose: VPN Client
  • VPN Client: PPTP
  • Enabled: check this when you want the VPN to go live
  • Remote Subnets: one entry for each of the subnets in the list above (modified for your own use, if you don't use 192.168.x.x in your house/business)
  • Server IP: get this from PIA, I used `nslookup us-east.privateinternetaccess.com`
  • Username: your PIA username
  • Password: your PIA password
  • MPPE: Yes. You definitely want to have your VPN connection encrypted.


Enjoy your ISP not selling your internet activities to advertisers.

Sunday, March 19, 2017

Waking up gently with Sonos and Sirius XM and a Fade-In Alarm.


We (my wife and I) have been using LIFX lights in our bedroom to simulate a sunrise.  They come on at sunrise, and slowly increase brightness for 30 minutes, allowing us to get used to the light, and wake up pretty gently, as opposed to being jarred out of a deep sleep by a more traditional alarm clock.

My wife asked if there was any way we could do the same with Sonos.  Specifically, she wants to pick a Sirius XM channel like "15 - The Pulse" to wake up to.  Have the volume start at 0, and over the same 30 minute period as the lights, ramp the volume up slowly until it's a reasonable level coinciding with the maximum brightness of our lights.

Her ideal solution would have the following features:

  • Pick any Sirius, Pandora, or Calm Radio station that Sonos can regularly access.
  • Choose a maximum volume for the alarm
  • Choose a length of time over which to go from 0 to Max volume
  • Orchestrate the details via an iOS app on iPhone or iPad.

For Extra Credit:

  • Do the same thing in reverse, ramping from X down to 0 over time, like a slow ramp-down sleep timer.

We first tried the Alarms available in the Sonos App.  These are time and content alarms, meaning I can set it to play a Sirius XM channel, at a specific time, at a specific volume.  There is a fade-in, but it's only 15 seconds long.  Not exactly what we're looking for.  We want something more along the lines of a 30 minute fade in.

Google seems to indicate that this is a common request from Sonos users:

I did end up finding https://github.com/SoCo/SoCo, a Python library for interacting and controlling Sonos speakers.

This library would allow me to hit about 2.5 of the ideal features, and possibly the extra credit as well, if I wrote a little program to run from cron on a Linux server.  

Easy to do in cron:

  • Run a program at a specific time 

Can do with SoCo:

  • Set volume of a Sonos speaker, or a group of speakers
  • Pick a channel to play

Can't easily do with SoCo/cron/Linux:

  • Control via an iOS app on iPhone/iPad.

Added Feature:

  • Supports a file in the same directory called 'holidays.txt', where I can put dates in the format YYYY-MM-DD (one per line) on which the alarm should not run (like work holidays).
  • I can also log in to the server and `touch /tmp/holiday` if I want the alarm to not go off tomorrow. (example: sick day, or unplanned day off)
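The cron-plus-SoCo design described in the last few sections, written out as an added example (this is not the script linked below and not part of SoCo): a holiday-list parser, the one-shot `/tmp/holiday` flag, a linear volume ramp that also runs in reverse for the extra-credit sleep timer, and a cron entry point that drives a zone through SoCo. It assumes SoCo is installed on the server, that the speaker IP (the `192.168.1.50` placeholder) is known, and that the Sirius XM channel to wake up to is already selected on that zone, so the script only has to press play and adjust the volume; the `sonos_alarm.py` file name in the cron comment is likewise an assumption.

```python
import datetime
import time
from pathlib import Path

def parse_holidays(text):
    """Parse holidays.txt content: one YYYY-MM-DD per line; blank lines and
    '#' comments are ignored. A malformed date raises ValueError so a typo is
    noticed instead of silently letting the alarm fire on a day off."""
    days = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        days.add(datetime.date.fromisoformat(line).isoformat())
    return days

def should_skip(today, holidays, flag_path):
    """True when today's alarm should not run: the date is listed in holidays.txt
    or the one-shot flag file (e.g. /tmp/holiday) exists. The flag is deleted
    when consumed, so it suppresses exactly one morning."""
    if today in holidays:
        return True
    flag = Path(flag_path)
    if flag.exists():
        flag.unlink()
        return True
    return False

def volume_schedule(max_volume, minutes, step_seconds=30, reverse=False):
    """(offset_seconds, volume) pairs ramping linearly from 0 to max_volume
    over `minutes`; reverse=True ramps max_volume down to 0 (sleep timer)."""
    if not 0 <= max_volume <= 100:
        raise ValueError("Sonos volume must be between 0 and 100")
    steps = max(1, (minutes * 60) // step_seconds)
    schedule = []
    for i in range(steps + 1):
        level = round(max_volume * i / steps)
        schedule.append((i * step_seconds, max_volume - level if reverse else level))
    return schedule

def run_alarm(speaker_ip, max_volume, minutes, step_seconds=30, reverse=False,
              holidays_file="holidays.txt", flag_path="/tmp/holiday"):
    """Cron entry point. Returns False if skipped, True after the ramp finishes.
    SoCo is imported here so the helpers above run without it installed."""
    holidays = Path(holidays_file)
    listed = parse_holidays(holidays.read_text()) if holidays.exists() else set()
    if should_skip(datetime.date.today().isoformat(), listed, flag_path):
        return False
    import soco  # assumption: the SoCo library (github.com/SoCo/SoCo) is installed
    zone = soco.SoCo(speaker_ip)
    schedule = volume_schedule(max_volume, minutes, step_seconds, reverse)
    zone.volume = schedule[0][1]      # start silent (or at max when ramping down)
    zone.play()                       # assumption: the station is already selected
    start = time.monotonic()
    for offset, level in schedule:
        time.sleep(max(0.0, start + offset - time.monotonic()))
        zone.volume = level
    if reverse:
        zone.pause()                  # sleep timer: stop once the volume hits 0
    return True

if __name__ == "__main__":
    # Example cron line (assumed file name): 30 6 * * 1-5 /usr/bin/python3 sonos_alarm.py
    # 192.168.1.50 is a placeholder speaker address, not one from the post.
    run_alarm("192.168.1.50", max_volume=30, minutes=30)
```

Because the ramp is computed as offsets from the start time rather than accumulated sleeps, a slow SoCo call does not stretch the 30 minutes; and validating each date in `holidays.txt` up front means a typo fails the cron job loudly (and shows up in cron's mail) rather than quietly firing the alarm on a holiday.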


So, I'm still on the lookout for an iOS app that will let me orchestrate all this, at least until Sonos adds this kind of feature or one of the other home automation apps adds it. Here's a link to my alarm script: https://github.com/tksunw/IoT/tree/master/SONOS