Technical Guides

KeePass Password Manager Tutorial

Introduction

I don't trust online password managers because they are closed source and the companies behind them have been hacked in the past. If you look up " breached" in Google you can see my point. Keepass is open source and offline. Why put your trust in a company when you can create and access the database yourself?

An honorable mention is Bitwarden. It is also open source, and you have the option of hosting your own Bitwarden server at home. If you are willing to pay, trust a company, and have your passwords encrypted on their cloud, it would be your best bet.

Downloading Keepass https://keepass.info/download.html

Get the Installer for Windows (2.45), i.e. KeePass-2.45-Setup.exe. After you get it, install Keepass.

Recommended plugins (.plgx) to download:

Keepass has a variety of useful plugins listed here: https://keepass.info/plugins.html

I recommend the following for now. Plugins always have a .plgx file extension.

WebAutoType-v6.3.0.zip: https://sourceforge.net/projects/webautotype/files/

YetAnotherFaviconDownloader.plgx: https://github.com/navossoc/KeePass-Yet-Another-Favicon-Downloader/releases

After you have downloaded the necessary .plgx plugins, copy or move them into the Plugins folder at C:\Program Files (x86)\KeePass 2\Plugins.

1.1.1 Master Password

To start off you will be creating a master password, which is the master key to access all your other passwords. This password should be long, easy to remember, but difficult for a computer to guess. Please refer to the image below to see what I mean.

You can test theoretical passwords to see how strong they are here: https://howsecureismypassword.net/ These concepts are important to security, so if you don't want to get pwned follow the advice above. Do not lose or forget your master password, otherwise you will not be able to access your Keepass database ever again.

1.1.2 Creating your first .kdbx database

There are two ways to do this.

Option 1: Create a .kdbx file only meaning you only need your master password to unlock the database.

Option 2: Create a .kdbx file + a .key file. When you do this you need your master password + the .key file in order to unlock the database.

Typically you can choose Option 1 if you're confident in your master password. This is the easiest and simplest option.

I personally opted for Option 2. I store my .kdbx database in the cloud, such as Google Drive or Dropbox. I keep duplicates of my .key files locally (on my PC, on a USB stick, on a remote computer). That way, if both my Google Drive and master password are compromised I am still safe, because the hacker still needs the .key file to unlock it.

No matter the method, do not lose your .kdbx and/or .key file!!!

If you lose these files your passwords are gone. Make copies and backups of your databases!

Besides your main computer, save it on your phone, the cloud, a flash drive, etc.

Video 1a: Option 1 creating .kdbx only

Please note where you saved the .kdbx file...

Video 2a: Option 1 opening database w/ password

Video 1b: Option 2 Creating .kdbx + .key file

Please note where you saved the .kdbx and .key files...

Video 2b: Option 2 opening database w/ password + .key file

1.1.2 Adding your first password entry

Right-click anywhere in the big box and click on "Add Entry...". The shortcut to add an entry is CTRL+I if that is faster for you.

Give your entry a title. Fill out the username and login URL whenever possible. If you don't have a login URL or website URL to use, you can leave it blank. As you can see, a password is already auto-generated for you. You may use the generated password or manually enter your own. Finally, add any notes you need for reference.

In the video below I demonstrate how to play around with the password generator. Remember to Save when done. If you forget, don't worry: it will ask you if you would like to save the database when you try to close.

1.1.3 Using your password manager to login (Auto-Typing)

Double-click on the URL next to the entry you want to load the login page in your default browser. Alternatively, right-click the URL and choose your preferred browser. (This is the reason why you should fill in the URL of your entries.)

There are 3 ways to sign in. First make sure the cursor is blinking in the username field.

1. Right-click and click on Perform Auto-Type. Alternatively, press CTRL+V in Keepass.

2. Double-click on the username to copy it. Then paste it manually. Double-click on the password to copy it. Then paste it manually. Note: copies stay in your clipboard for 12 seconds; there's a bar that shows you how much time you have left.

3. The most convenient method. If you installed the WebAutoType plugin and had the URL entry filled out, simply press CTRL+ALT+A on the site you are trying to log in to.

A video below explains these 3 methods.

1.1.4 Modifying Auto-Type

Some websites have a different auto-typing sequence than the default of {USERNAME}{TAB}{PASSWORD}{ENTER}.

One variation you can try is {USERNAME}{ENTER}{DELAY 2000}{PASSWORD}{ENTER} (the {DELAY 2000} waits two seconds for the password page to load before typing the password).

Demonstration of this variation in the video below.

Other variations may be {USERNAME}{TAB}{TAB}{TAB}{PASSWORD}{ENTER}; it is situational. Modify this sequence to your needs.

Congratulations you've mastered the basics!

2.1 Beyond the Basics and Customization!

2.1.1 Attaching a File

You can securely attach files to the database and keep them protected behind your master key!

This is done by creating / editing an entry and going to the Advanced tab as shown below. You can store the file in your database and then delete the original file. To retrieve it, go back to your entry and the Advanced tab, then click on Save and choose where to save it.

2.1.2 Groups and Recycle Bin

You can organize your database with groups! As for the recycle bin: any entry you delete ends up in the recycle bin, and it is only truly deleted when you delete it from the recycle bin.

If you want to view all groups at the same time, just search with an empty string in the search bar.

Demonstration video below.

2.1.3 Password History

Keepass keeps a password history of up to 10 revisions by default (you can change this). The video below demonstrates changing your password and retrieving your old passwords in case something went wrong.

2.1.4 Custom Icons

Lastly, if you have the YetAnotherFaviconDownloader plugin you can customize your Keepass icons! This only works on entries with URLs.

2.1.5 Advanced Auto SSH with Putty

WIP. Requires KeeAgent & Putty.

Temporary Tutorial Starts at 25m10s: https://www.youtube.com/watch?v=e6G8zHZlhv8&t=&t=25m10s

2.1.6 Cool Plugins

ReadablePassphrase.1.2.1.plgx: https://github.com/ligos/readablepassphrasegenerator/releases Generates passwords following the "correct horse battery staple" principle mentioned in the beginning!

3.1 Mobile Apps

I don't know much about Apple iOS, but I've heard StrongBox is good.

For Android, you can choose between "KeePassDX" or "Keepass2Android Offline" from the Play Store. KeePassDX has a nicer UI, but I only have experience with Keepass2Android Offline, so there will only be a tutorial for that one.

Keepass2Android Offline Quick Tutorial

Some phones have advanced features where some apps or browsers ask you if you want to use Keepass to sign in, which is very convenient and much faster; if they ask you this, accept it! Some also have fingerprint unlock as an option for convenience, so you may accept that as well.

If your phone doesn't have these advanced features there is still one way you can "Auto-Type."

1. Search for the entry you want to log in to.

2. Go back to the login page, or tap on the URL to open the browser and get there.

3. Swipe down to see notifications. Tap on "Your entry. Entry is available through KP2A Keyboard".

4. Choose the Keepass2Android Offline keyboard.

5. Don't worry, this is temporary and your default keyboard will revert back when you lock your database.

6. Go back to the page you are trying to log in to.

7. Tap User & tap Password on the mini keyboard below. Then, to switch back to your original keyboard, press the padlock on the bottom right.

8. Instead of doing step 3 you could also copy the user / password from the notification bar (less secure).

Video of steps 1-8 below.

4.1 Other KeePass Variants

This tutorial only covered Keepass for Windows, because this is what I know... KeepassXC is the nicer looking one with cross-platform support, but you might miss out on the CTRL+ALT+A auto-type mentioned in 1.1.3 because it's powered by a Keepass plugin.

/u/SeerLite on reddit also gave a mention of https://keeweb.info/ and primarily uses that. I have no experience with it so I don't have much to say.

5.1 Final Thoughts

Backup your damn database (.kdbx) file. Backup your .key file too if you created one!

Follow the 3-2-1 rule to prevent data loss:

Have 3 backups.

2 local (like desktop and phone).

1 remote (such as Google Cloud).

Wireguard Ubuntu Deployment

Installation

sudo add-apt-repository ppa:wireguard/wireguard ### Not needed if you're using Ubuntu 20.04 or later
sudo apt install wireguard

Enabling IP Forwarding

echo "net.ipv4.ip_forward = 1" | sudo tee -a /etc/sysctl.conf
echo "net.ipv4.conf.all.proxy_arp = 1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p /etc/sysctl.conf

### Note: sudo echo "..." >> /etc/sysctl.conf fails with "Permission denied", because the >> redirection is done by your unprivileged shell, not by sudo. Piping through "sudo tee -a" appends as root.

This is equivalent to adding (or uncommenting) the following 2 lines in the /etc/sysctl.conf file and then running sudo sysctl -p

net.ipv4.ip_forward = 1
net.ipv4.conf.all.proxy_arp = 1

Starting Wireguard & Making it a System Service

This is done so Wireguard always starts on system reboot.

sudo systemctl enable wg-quick@wg0

Opening Ports

If you're using UFW for your firewall, open up the necessary ports for Wireguard. 51820 is the standard Wireguard port, but feel free to use a non-standard port.

sudo ufw allow 22/tcp
sudo ufw allow 51820/udp
sudo ufw enable
sudo ufw status verbose

Server Configuration

Create a configuration file at /etc/wireguard/wg0.conf. An example configuration is below. If you need a private/public key pair you can generate one in tunsafe (Windows Wireguard client) or with the wg genkey command listed under Command References.

[Interface]
Address = 10.xx.xx.1/24
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 51820
PrivateKey = < Server Private Key Here >
SaveConfig = true

[Peer]
PublicKey = < Client 1 Public Key Here >
AllowedIPs = 10.xx.xx.2/32

[Peer]
PublicKey = < Client 2 Public Key Here >
AllowedIPs = 10.xx.xx.3/32

Server Config Explanation for [Interface]

Be aware that the iptables entries in PostUp & PostDown are for a given interface. Make sure that your VM's network interface is the one referenced there; you can check with ip a. In the above config example, the VM's interface is eth0. Additionally, make sure that your Wireguard interface also matches the reference in the iptables entries. In the above config example, the Wireguard interface is wg0. For Address = 10.xx.xx.xx/xx, create and choose an arbitrary "private IP address" range different from other subnets on this VM's network to avoid IP conflicts. Also specify the IP range you're going to use, like /24 or /20 etc. You can use a program like tunsafe (Windows) to generate the keys, or you can use the wg genkey command under Command References.

SaveConfig = true / false. When set to "true", this setting automatically saves the current live config in standard format into your wg0.conf file whenever the Wireguard service is turned off.

Because it is in standard format, any comments you made in the wg0.conf file will be gone. Set this to false if you don't want this to happen. Set this to true if you'd like to add clients while the server is live without turning it off.

Server Config Explanation for [Peer]

For each peer, just keep incrementing your arbitrary IP address by one and use /32 because it is one IP. Then enter in their public key.

Finally start your wireguard service with...

sudo systemctl start wg-quick@wg0 ### to start wireguard server
sudo systemctl status wg-quick@wg0 ### to check wireguard server status
wg show ### alternative way to check wireguard server status

Adding Clients to Server

Use Method#1 if you're new. Method #2 and #3 are advanced.

Method #1: Editing After Turning Wireguard Off

sudo systemctl stop wg-quick@wg0
# Edit your /etc/wireguard/wg0.conf file and add the peers you need there
sudo systemctl start wg-quick@wg0

Method #2: While Wireguard Is Live (wg-quick save wg0)

Also requires SaveConfig = true in your config.

sudo wg set wg0 peer < Client Public Key Here > allowed-ips 10.X.X.X/32
sudo wg-quick save wg0
sudo wg show
sudo ip route add 10.X.X.X/32 dev wg0 ### the "route add" step; wg set does not add a route for the new peer's IP

The difference with using wg-quick save is that you have to do the 4th command, route add, which is easy to fat-finger and screw things up.

Method #3: While Wireguard Is Live (Restarting Interface)

This method requires SaveConfig = true in your config.

Adding a peer (changes not saved yet):

sudo wg set wg0 peer < Client Public Key Here > allowed-ips 10.X.X.X/32

Check if the new peer's public key and IP show up with

sudo wg

Finally do a

sudo systemctl restart wg-quick@wg0

Generating Client Configurations For Users

Example configuration. Please read the gotchas for each OS.

[Interface]
PrivateKey = < Client Private Key Here >
Address = 10.X.X.2/24
DNS = 8.8.8.8

[Peer]
PublicKey = < Server Public Key Here >
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = ServerPublicIPAddress:51820
PersistentKeepalive = 25

A couple of gotchas to note. The Address = line is the client's own tunnel IP, the same one you put in its AllowedIPs entry on the server.

In Linux, the Address = line needs to end in /32.

In Mac OS & Windows, the Address = line needs to end in /24 or the subnet assigned.

Also in Linux, the DNS = line cannot be there; it has to be erased.

In Mac OS, the DNS = line needs to be there, otherwise the client cannot browse the Internet.

In Windows Tunsafe the DNS = line is optional. In Windows Wireguard the DNS = line is required.
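Added example, not part of the original guide: a small POSIX shell helper that produces a client config like the one above and the matching server [Peer] stanza (the "increment by one and use /32" rule from the [Peer] explanation), applying the per-OS Address/DNS gotchas, plus a checker for an existing client config. It assumes a 10.0.0.0/24 tunnel subnet, a placeholder endpoint, constructed placeholder keys, and treats "windows" as the official Wireguard client (DNS line required) rather than Tunsafe.

```shell
#!/bin/sh
# Added example (not from the original guide): build a WireGuard client config
# and the matching server-side [Peer] stanza, applying the per-OS gotchas the
# guide lists. Keys are passed in; generate them with the guide's own command:
#   umask 077; wg genkey | tee privatekey | wg pubkey > publickey
# Assumptions: server is 10.0.0.1/24 (guide: 10.xx.xx.1/24); endpoint and key
# strings below are constructed placeholders; "windows" means the official
# Windows WireGuard client (DNS line required), not Tunsafe (DNS optional).

WG_SUBNET_PREFIX="10.0.0"           # first three octets of the tunnel subnet
WG_ENDPOINT="203.0.113.10:51820"    # placeholder public IP, guide's port 51820
WG_DNS="8.8.8.8"                    # DNS server from the guide's client example

# make_client_conf OS PEER_INDEX CLIENT_PRIVKEY SERVER_PUBKEY
#   OS: linux | macos | windows.  PEER_INDEX: last octet (2, 3, ...).
make_client_conf() {
  os="$1"; idx="$2"; client_priv="$3"; server_pub="$4"
  case "$os" in
    linux)         suffix=32; dns_line="" ;;              # /32 and no DNS line
    macos|windows) suffix=24; dns_line="DNS = $WG_DNS" ;; # /24 and a DNS line
    *) echo "unsupported OS: $os" >&2; return 1 ;;
  esac
  printf '[Interface]\nPrivateKey = %s\nAddress = %s.%s/%s\n' \
    "$client_priv" "$WG_SUBNET_PREFIX" "$idx" "$suffix"
  if [ -n "$dns_line" ]; then printf '%s\n' "$dns_line"; fi
  printf '\n[Peer]\nPublicKey = %s\nAllowedIPs = 0.0.0.0/0, ::/0\n' "$server_pub"
  printf 'Endpoint = %s\nPersistentKeepalive = 25\n' "$WG_ENDPOINT"
}

# make_server_peer CLIENT_PUBKEY PEER_INDEX
#   The [Peer] block to append to the server's wg0.conf: one IP, so /32.
make_server_peer() {
  printf '[Peer]\nPublicKey = %s\nAllowedIPs = %s.%s/32\n' "$1" "$WG_SUBNET_PREFIX" "$2"
}

# check_client_conf OS CONF_TEXT
#   Prints "ok" or the gotchas an existing client config violates for that OS.
check_client_conf() {
  os="$1"; conf="$2"; problems=""
  addr=$(printf '%s\n' "$conf" | sed -n 's/^Address *= *//p')
  has_dns=$(printf '%s\n' "$conf" | grep -c '^DNS *=' || true)
  case "$os" in
    linux)
      case "$addr" in */32) ;; *) problems="$problems Address-not-/32" ;; esac
      [ "$has_dns" -eq 0 ] || problems="$problems DNS-line-present" ;;
    macos|windows)
      case "$addr" in */32) problems="$problems Address-is-/32" ;; esac
      [ "$has_dns" -gt 0 ] || problems="$problems DNS-line-missing" ;;
    *) problems="unsupported-OS" ;;
  esac
  if [ -z "$problems" ]; then echo ok; else echo "${problems# }"; fi
}

# Demo with constructed placeholder keys (real ones are base64 from wg genkey).
CLIENT_PRIV="CLIENT_PRIVATE_KEY_PLACEHOLDER="
CLIENT_PUB="CLIENT_PUBLIC_KEY_PLACEHOLDER="
SERVER_PUB="SERVER_PUBLIC_KEY_PLACEHOLDER="
make_client_conf linux 2 "$CLIENT_PRIV" "$SERVER_PUB"   # client side (Linux)
echo
make_server_peer "$CLIENT_PUB" 2                         # append to server wg0.conf
```

Run check_client_conf against a config you already hand out to catch the "/24 on Linux" or "missing DNS on Mac" mistakes before the client reports it cannot browse.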

Optional Configurations

Isolating Wireguard Clients From Each Other

This can be achieved with the following iptables command, assuming your Wireguard interface is "wg0":

iptables -I FORWARD -i wg0 -o wg0 -j REJECT

Command References

sysctl net.ipv4.ip_forward ### Verifies if IP forwarding is enabled
sudo systemctl enable wg-quick@wg0 ### Makes Wireguard auto-start on boot
sudo systemctl start wg-quick@wg0 ### Turn on Wireguard interface
sudo systemctl stop wg-quick@wg0 ### Turn off Wireguard interface
sudo wg show ### Check if VPN tunnel is running

### Command to remove a client (peer)
wg set wg0 peer peer_pubkey remove

### Don't know if this command is needed after wg-quick save or removal of client
wg addconf wg0 <(wg-quick strip wg0)

### Generating Key Pairs ###
umask 077
wg genkey | tee privatekey | wg pubkey > publickey
### Key pairs are saved in the same path you typed this command in
### End Generating Key Pairs ###

SQM for 1 Gbps Lines With OpenWrt

Pictured Gigabit Switch: TP-Link 8-Port Gigabit Ethernet Switch. Amazon Referral Link: https://www.amazon.com/gp/product/B00K4DS5KU/ref=as_li_tl?ie=UTF8&camp=1789&creative=9325&creativeASIN=B00K4DS5KU&linkCode=as2&tag=stopl02-20&linkId=afa6ee32eda065c194d2a161f3799c99

Pictured Access Point: Ubiquiti Unifi 6 Lite. Official Link: https://store.ui.com/collections/unifi-network-access-points/products/unifi-ap-6-lite (The Unifi 6 seems to be in short supply. You may have to settle for a Unifi AP-AC-Lite for now.)

Pictured OpenWrt Device: NanoPi R4S. Official Link: https://www.friendlyarm.com/index.php?route=product/product&product_id=284 It can also be found on AliExpress. AliExpress Link: https://www.aliexpress.com/item/1005001941753177.html?spm=a2g0s.9042311.0.0.57064c4dsBfzcu

1.1 Introduction and Why?

The diagram above demonstrates how you would install a more powerful OpenWrt PC or ARM PC as a router in your network.

The reason we would want to do this is to stop bufferbloat at higher bandwidths with SQM (Smart Queue Management). Currently, consumer routers usually can't push past 350 Mbps with luci-app-sqm enabled, because the SQM algorithm, cake, uses a lot of CPU processing power. The only way we can get close to 1 Gbps with SQM is by building our own router or using hardware like the NanoPi R4S.

Building your home network infrastructure like this is more reliable and better than consumer routers, which try to put the modem, routing, and wireless all in one.

What is Bufferbloat and why stop it?

It is the lag or ping spikes in video games or Zoom calls caused when you or someone else uses up all your bandwidth. It could be torrenting, 4K streaming, bulk downloads, or even a speedtest.

The SQM algorithm, which can be installed on OpenWrt, can completely mitigate these ping spikes and ensures low latency even under full load. Overall, you do sacrifice a little max speed (5-10%) for guaranteed low latencies.

1.2 What Hardware For The OpenWrt Router?

To be honest, I'm not 100% sure what can handle 1000 Mbps in the real world yet, because I don't have a 1000 Mbps connection.

My current connection is 600 Mbps. I used to use a SEEED ODYSSEY - X86J4105, which has a CPU Mark score of ~3000, and it handled 600 Mbps DL with ease. The htop screenshot below tells me it uses at most 37% of my CPU under full load. In theory, we can guess that a CPU Mark of 3000 should be able to work for 1000 Mbps connections, if 600 Mbps only uses 37% CPU at most.

TL;DR: It is safe to assume any desktop PC with a CPU Mark of around 3000 or more on cpubenchmark.net can handle SQM at 1000 Mbps.

Pictured: htop of SEEED Odyssey X86J4105 PC running OpenWrt

Hardware Option 1: The NanoPi R4S (~$85 with accessories and case)

The predecessor, the R2S, was known to handle ingress up to 465 Mbps and egress up to 750 Mbps (source). The R4S is more powerful with 6 cores and 1GB of RAM. The R4S is also a low power device! I consider this the best bang for your money for Gigabit SQM.

My ISP gives me 600 Mbps DL and 15 Mbps UL. My NanoPi R4S running FriendlyWrt can do SQM with fq_codel at these speeds without any issue. The screenshot below shows a rough idea of CPU usage under ingress (DL) at 600 Mbps. (Edit 2021.08.13: I now have 800 Mbps down from Comcast and SQM still works great as expected.) Installation is easy. You just need to flash a microSD card with FriendlyWrt. They have a tutorial here: https://wiki.friendlyarm.com/wiki/index.php/NanoPi_R4S#Install_OS

All you have to do to install is...

1. Plug in a microSD card to your computer.

2. Download rk3399-sd-friendlywrt-5.10-YYYYMMDD.img.zip

3. Get win32diskimager and launch it.

4. On win32diskimager select your image file that you downloaded and select your microSD drive letter. Then flash!

5. After flashing is done eject microSD and unplug.

6. Plug in microSD into NanoPi R4S.

7. Hook up WAN to your modem. Hook up LAN to either your switch which connects to a computer or hook up LAN directly to your computer.

8. Power on. Wait about 3 minutes.

9. On the computer that is connected to the switch or the NanoPi's LAN port, open a web browser and enter http://192.168.2.1 to access your router.

That's it! All that is left is to configure SQM with fq_codel as shown here. There's no need to install luci-app-sqm because the FriendlyWrt image has everything already!

If you're interested in trying the OpenWrt version, this may be of interest to you: https://github.com/quintus-lab/OpenWRT-Rockchip

Pictured: htop of the 6 core NanoPi R4S with SQM on under a speedtest of 600 Mbps

Hardware Option 2: x86 Desktop

The disadvantage of a regular desktop is power usage... Should you decide to use a PC, there are a couple of requirements.

1. Make sure it has two Gigabit Ethernet ports. If it has only one, you can add a second one with a Mini PCI-E Gigabit Network Adapter (Amazon referral link).

2. You also want to make sure it has a CPU Mark of 3000 or more. You can check here: https://www.cpubenchmark.net/cpu_list.php

3. Preferably it would be a low power device, around < 25 Watts.

As for installation of software, OpenWrt has their own written guide here: https://openwrt.org/docs/guide-user/installation/openwrt_x86

4. After OpenWrt is set up and running you just need to enable SQM like so: https://www.stoplagging.com/openwrt-method-fq_codel-cake/

Hardware Option 2.1: Seeed Odyssey x86 Mini PC (~$250-$300)

Should you decide to go with the pricey Seeed Odyssey, they did a write-up about running OpenWrt on it through a USB device: https://wiki.seeedstudio.com/ODYSSEY-X86J4105-Installing-openwrt/

Personally I ran mine on a 16GB M.2 SATA SSD, since NVMe isn't currently supported in the base x86 OpenWrt image. Instead of flashing a USB drive as instructed by SEEED, I flashed my M.2 SATA drive with balenaEtcher.

My current connection is 600 Mbps. The SEEED ODYSSEY - X86J4105, which has a CPU Mark score of ~3000, handles 600 Mbps DL with ease. The htop screenshot below tells me it uses at most 37% of my CPU under full load. In theory, we can guess that a CPU Mark of 3000 should be able to work for 1000 Mbps connections, if 600 Mbps only uses 37% CPU at most.

Pictured: Seeed Odyssey CPU usage under load at 600 Mbps download

1.3 What Access Point?

I keep hearing raving reviews about the Ubiquiti APs and use one myself. I have extremely stable WiFi with these and never have to reboot them. Ubiquiti also advertises up to 200 concurrent users! If you have a recommendation better than these I'd like to know.

Official Link: https://store.ui.com/collections/unifi-network-access-points/products/unifi-ap-6-lite (As of 2/24/2021, free shipping over $100. To get over $100 you can add a filler item.)

If you plan on only having one Ubiquiti AP, I recommend installing via the phone app so you don't have to bother with more complicated things like AP controllers.

If you're on a budget and can't buy a dedicated AP, you can try turning your old router into an access point by putting it into AP mode instead of routing mode. This is important because you should be letting the OpenWrt device do the routing to prevent bufferbloat, not your old router.

Facts about WiFi

If you need more coverage you should get more APs, not one single AP with a bunch of antennas, because those are marketing gimmicks.

WiFi has limited range due to the physics of its frequency bands.

5 GHz can handle more bandwidth, but will usually have about half the range of 2.4 GHz.

1.4 Contact

If you need help or consultation please join my rocket.chat server at https://chat.stoplagging.com/invite/zaMu6X you can message me @Starfroz by looking me up under the globe icon after registering and logging in.