After handing in my MacBook Pro at the end of my last job, I needed a new setup to code on. I had an old Lenovo IdeaPad that I had repurposed as a home server. I also had an HP Chromebook 11 that I hadn’t used much in a while.
I spent a bit of time trying to make the Lenovo usable as a “desktop” again, but I found it was too much work to configure an environment minimal enough for my tastes. Instead, I slid it back on the shelf and started exploring other options. What I’ve settled on for now is a stack of OpenVPN, SSH and tmux.
Chrome Secure Shell
The built-in crosh shell of Chrome OS includes an SSH client, but it is very tedious to make connections with, since it requires entering the user, host, and SSH key every time.
Luckily, there is a Chrome app named Secure Shell, which exposes a much nicer interface. It saves connection information and remembers your SSH keys, although you still have to generate them beforehand. It is still in beta, but the only thing that seems to be missing is a more usable settings page.
Generating Keys
Generating SSH keys for Secure Shell works much the same way as usual:
ssh-keygen -t rsa -C 'comment' -f chromebook.id_rsa
This will write the private key
to chromebook.id_rsa
and the public key
to chromebook.id_rsa.pub.
I then served these files over local HTTP and downloaded them on my Chromebook. They can then be imported from the Secure Shell connection dialog.
Colours
Secure Shell works great,
but the default colour scheme
isn’t exactly pretty to look at.
Since there isn’t much of a settings interface,
you have to enter a JSON object
in the color-pallete-overrides field.
I based mine on the Gruvbox Generalized
XResources file:
{
"0": "#282828", "8": "#928374",
"1": "#cc241d", "9": "#fb4934",
"2": "#98971a", "10": "#b8bb26",
"3": "#d79921", "11": "#fadb2f",
"4": "#458588", "12": "#83a598",
"5": "#b16286", "13": "#d3869b",
"6": "#689d6a", "14": "#8ec07c",
"7": "#a89984", "15": "#ebdbb2"
}
I also set background-color to #1d2021 (hard contrast),
and foreground-color and cursor-color both to #ebdbb2.
Dynamic DNS
In order to easily access my home server from anywhere, I need a domain pointing to my home connection. The Arch Wiki lists many options for Dynamic DNS. I use CloudFlare for my domains, so I use wimpunk’s ddclient fork (AUR), which has support for CloudFlare and other services.
The relevant part of
my ddclient configuration (/etc/ddclient/ddclient.conf)
looks like this:
protocol=cloudflare, \
zone=cmcenroe.me, \
server=www.cloudflare.com, \
login=redacted, \
password=redacted, \
home.cmcenroe.me
Note that it was necessary
to manually create an A record
for home.cmcenroe.me before
ddclient could update it.
On Arch,
it is then as simple as
enabling and starting ddclient
I found a guide
for creating .onc files
for OpenVPN connections,
which covers creation pretty well.
with systemd:
sudo systemctl enable ddclient
sudo systemctl start ddclient
OpenVPN Server
In order to access my home server securely from anywhere, I decided to set up a VPN using OpenVPN. Arch Wiki has an excellent page page on OpenVPN, with thorough setup instructions.
I did, however,
run into one problem
with the server configuration.
When connecting to the VPN
from my Chromebook
on another wifi connection,
the DNS configuration would break.
I fixed this by having the server
send DNS configuration to the client explicitly,
using this option in /etc/openvpn/server.conf:
push "dhcp-option DNS 8.8.8.8"
Chrome OS & OpenVPN
Although the Chrome OS “Private Network” interface
in Settings supports OpenVPN,
it does not support using
an HMAC secret key (ta.key),
which greatly enhances security.
There is also a misinterpretation of the OpenVPN protocol on the part of Chrome OS, which causes breakage when not tunneling all traffic through the VPN. A flag needs to be used, which is not available from the interface, to prevent this behaviour.
As an alternative to the interface,
Chrome OS supports “Open Network Config” files (.onc)
in JSON format,
which can be imported
through chrome://net-internals/#chromeos.
I found a guide
for importing certificates
and creating and importing .onc files
for OpenVPN.
I would suggest
using the uuidgen command line utility
(from util-linux)
to generate UUIDs.
The other,
more important change,
is the addition
of the IgnoreDefaultRoute flag.
This prevents the buggy behaviour
mentioned above.
In the end, my home.onc file ended up looking like this:
{
"Type": "UnencryptedConfiguration",
"Certificates": [
{
"GUID": "{0fac9c63-a364-407a-b680-5525b19437ab}",
"Type": "Authority",
"X509": "redacted"
}
],
"NetworkConfigurations": [
{
"GUID": "{c3be34ff-94f5-43cb-bc42-99d19a0ae307}",
"Name": "Home",
"Type": "VPN",
"VPN": {
"Type": "OpenVPN",
"Host": "home.cmcenroe.me",
"OpenVPN": {
"ServerCARef": "{0fac9c63-a364-407a-b680-5525b19437ab}",
"AuthRetry": "interact",
"ClientCertType": "Pattern",
"ClientCertPattern": {
"IssuerCARef": ["{0fac9c63-a364-407a-b680-5525b19437ab}"]
},
"CompLZO": true,
"Port": 1194,
"Proto": "udp",
"RemoteCertTLS": "server",
"RemoteCertEKU": "TLS Web Server Authentication",
"SaveCredentials": true,
"ServerPollTimeout": 10,
"Username": "june",
"KeyDirection": 1,
"IgnoreDefaultRoute": true,
"TLSAuthContents": "redacted"
}
}
}
]
}
After importing this .onc file,
I could select the “Home” private connection
from the interface.
When prompted,
I entered a fake password
and checked “Save identity and password”.
To check that I was properly connected,
I used Secure Shell
to SSH to 10.8.0.1.
I also made sure I could connect
to everything else
as normal.
tmux
I had never used tmux before, but it quickly became clear that it is an invaluable tool when doing work over SSH. I created a configuration that very closely mimics VIM window management, which can be found in my dotfiles repository.
I also wrote some shell functions for quickly getting into tmux:
tn() { [ -n "$1" ] && tmux new -s "$1" || tmux new }
ta() { [ -n "$1" ] && tmux attach -t "$1" || tmux attach }
End Result
Here is me editing this post on my Chromebook, with OpenVPN, SSH, tmux, VIM and zsh:
Bonus: OpenVPN & iPhone
I also wanted to be able to SSH into my home server from my phone if I ever needed to. I use the ServerAuditor SSH client on iOS. It can generate its own keys and export them.
For VPN, there is the OpenVPN Connect app.
This app uses .ovpn files
for client configuration.
These files are just regular OpenVPN .conf files
with a different extension.
The only complicated part
of creating one is
adding the certificates and keys inline,
using HTML-like tags.
After generating a new certificate for my phone,
my .ovpn file looked like this:
client
dev tun
proto udp
remote home.cmcenroe.me 1194
resolv-retry infinite
nobind
persist-key
persist-tun
<ca>
-----BEGIN CERTIFICATE-----
redacted
-----END PRIVATE KEY-----
</ca>
<key>
-----BEGIN CERTIFICATE-----
redacted
-----END PRIVATE KEY-----
</key>
remote-cert-tls server
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
redacted
-----END OpenVPN Static key V1-----
</tls-auth>
comp-lzo
I then imported the .ovpn
by emailing it to myself
and opening it in OpenVPN Connect
from the Mail app.
This is what the end result looks like on iPhone:
