gRPC between Rust and Node.js

I recently wanted to rewrite parts of an existing Node.js application in Rust. A complete rewrite would take a lot of time, so I was browsing through ways to rewrite some parts in Rust. While it seems possible to call Rust from Node by compiling Rust into a Node.js module using FFI, it felt a bit messy. Instead I opted to look into gRPC, which I’ve been wanting to look into anyway.

Yubikey TLS Client Certificate in Firefox on Arch Linux

In this post I’ll use a Yubikey, running the PIV application, to store a keypair and certificate to be used for mutual TLS. The Yubikey will generate the private key on the device, and the private key will never leave the device. Nice for security! I’ll also configure Firefox to discover the certificate stored on the device, so it can be used when browsing to a site requiring a client certificate.

Split tunnel VPN with Wireguard between OpenBSD and Arch Linux

I’ve traditionally used only SSH to connect to my home network while being away, but recently I got tired of using only SSH tunnels and SOCKS proxies, and decided to actually fix a working Wireguard configuration. My router is running OpenBSD, and I want Wireguard clients to be able to reach several different internal subnets. However, I don’t want to route all traffic through the VPN tunnel, only traffic to my internal network.

Automatically run script when USB drive is inserted

My goal here is to automatically launch a script when a certain USB stick is connected to the system. When plugging in the stick, the partition should be automatically mounted, a script should be executed, and some notifications should be shown on the screen. Identifying and automounting the drive: My USB stick is a simple FAT32 drive, so to identify it I set a filesystem label. This allows me to distinguish this drive from other ones.

Secure Boot when dual-booting Arch Linux and Windows

I recently got a new laptop, and wanted to set up a dual-boot solution. To do this, most guides simply tell you to disable Secure Boot and then leave it that way. I wanted to keep Secure Boot enabled. Secure Boot basics: I will construct a PKI according to the image below. There are three types of keys in a Secure Boot PKI. Platform Key (PK): A single root key, used to sign the Key Exchange Keys below it.

RADIUS authentication with SQLite user management

This is a continuation of my previous article regarding FreeRADIUS with SQLite as storage backend. I recently came to think that it sometimes would be nice to be able to temporarily disable (or enable) accounts. For example, consider a scenario where you have some friends who do not come and visit you very often. Why keep their accounts activated all the time? Wouldn’t it be convenient (and more secure) just to enable their accounts when they are visiting, and then disable the accounts again?

RADIUS authentication and dynamic VLAN assignment for WPA2 Enterprise using SQLite in FreeRADIUS

I recently bought a UniFi AP AC Pro [1] access point to replace my old useless AP. For obvious geeky reasons I wanted to use WPA2 Enterprise instead of WPA2 Personal. In that way, I can have different accounts for accessing my wireless network, which means I can easily revoke access to someone using my WiFi. Using WPA2 Enterprise requires the use of a RADIUS server, so I have written down the steps I used to configure this together with RADIUS-assigned VLANs, so that different accounts get different VLANs.

HTTPS Kerberos authentication with Apache 2.4

So I wanted to put my shiny Kerberos server to some use on my network, and decided that I want some web services protected by Kerberos authentication. By doing so, I will automatically have access to those services on my local machine (because I get a Kerberos ticket upon local login, see my previous post). My web server will run Apache 2.4, and run on FreeBSD. I start by installing Apache 2.

Network boot (PXE) of HTPC

I recently bought an Intel NUC (NUC5i3RYK to be precise). I have equipped it with 8 GB of RAM, but with no storage. My goal is to make the HTPC boot completely over the network using PXE. This should load Kodi (XBMC) and be able to access all shared files located on my file server. Since I want the network boot and HTPC root filesystem separated from the rest of the network, so that it won’t interfere with my regular DHCP server, I have located them on a separate VLAN.

Validating server certificates signed by own CA in Swift

In one of my recent apps I wanted to download data from an internal server, which had a certificate signed by an in-house certificate authority. To avoid hard-coding fingerprints in the application, I would rather validate the certificate to ensure that it was signed by any trusted CA, including my own. To download files I have used NSURLConnection asynchronously, thus my class needs to implement the protocol NSURLConnectionDataDelegate. The function which handles server certificate validation (together with, for example, HTTP Basic authentication) is connection:willSendRequestForAuthenticationChallenge.