Chromebooks, VPNs, and You

Do you trust your Internet service provider? If you answer that question with a resounding “No!”, then you’re among friends here. While Internet connectivity is an essential need for many of us, there are a plethora of reasons to be wary of the company providing that connectivity to you. Especially in the United States, the recent repeal of net neutrality rules and erosion of privacy mean you may want to obscure exactly what you’re doing from your Internet provider, even if that activity is completely legal and innocuous. Just because I’m not doing anything illegal online doesn’t mean I want to allow my ISP to gather data on what I’m doing in order to sell it to advertisers; in my opinion they make plenty of money off of the monthly fee I pay them for Internet access.

This is where a VPN (virtual private network) can come in handy, as we discussed in Episode 8. VPNs are historically most common in the corporate world. They allow employees to create a secure tunnel between wherever they are and their internal company network in order to access resources that aren’t available to the outside world. In the consumer space, though, they’ve been gaining popularity as privacy-conscious consumers look for ways to protect themselves from things like public WiFi and, increasingly, ISP data collection.

Note: This post is not going to cover the potential risks for a VPN or how to choose one. We recommend you check out guidance from sources like the EFF for that. Brandi and John personally recommend either Private Internet Access or TunnelBear. Check out Episode 8 for more details!

As we’ve discussed in a few podcast episodes, I happen to be a fan of Chromebooks as my personal laptop. While I have a beefy desktop to use as a gaming computer or when I need to do some heavy lifting, I like having a Chromebook as a cheap, fast, and easy computer for things like browsing Reddit, watching YouTube videos, and typing up blog posts. The addition of a Linux VM means I can even do some programming. VPNs get a little wonky on a Chromebook, though. Most VPNs offer applications for Windows, macOS, Android, and iOS. Many services will also support configurations with the OpenVPN Connect client in case you want to use something open source and/or are running some flavor of Linux. For example, Brandi subscribes to Private Internet Access. On her MacBook, she simply runs the PIA application, selects the endpoint she’d like to direct her traffic to, and is done.

The waters get murkier in Chromebook land since you don’t install traditional applications on them. You also have to consider the scope of where you’re working on a Chromebook and what it is you’re looking to protect. Are you just concerned about securing the data flowing through the Chrome browser? Do you need to cover system level networking? Are you doing anything online via your Linux VM that you want to secure? These all play a role, and hopefully this post will enlighten you as to the reach of the options at your disposal.

The first step to testing the scope of VPN clients on Chromebooks is to be able to figure out what your external IP is since that can tell you where the outside world sees your connection coming from, be it your home network or a VPN provider’s. I personally like I Can Haz IP for that. Simply going to the site will give you a web page with your public IP address. Here we can see the result I get from my Chromebook with no VPN solutions at play.

browser_none.png

The really cool part about this service is that if you bounce an HTTP request off of it from curl, it’ll reply with your public IP address. This easily allows testing of VPN providers from a command line. If you don’t have curl in your Linux VM, you can easily install it via:

sudo apt install curl

Here we can see what happens when I curl against I Can Haz IP from my Linux VM on my Chromebook. Note that it matches the public IP I get from my browser.

terminal_none.png

If you have an older Chromebook that doesn’t feature Google Play support, there are several VPN providers (including both PIA and TunnelBear) that offer Chrome extensions. These can be great for quickly proxying your traffic in a pinch. After flipping the switch on the TunnelBear extension, for example, I can see that the endpoint I’m seen as coming from via my browser has changed.

browser_extension.png

It’s important to keep in mind, though, that the VPN is operating at the application level rather than at the system level. Only traffic from my browser is going through the VPN. As a result, running curl again has no change; my Linux VM’s traffic is still going straight out through my ISP.

terminal_extension.png

This is what we refer to as a bummer. If you happen to have a Chromebook with Google Play support, though, there’s a better solution available. Updates to Chrome OS 75 in the spring of this year resulted in better integration between Android VPNs and Chrome OS as a whole. Installing an Android VPN client from the Play Store and connecting it will result in the WiFi icon in Chrome OS changing to display a tiny key icon, just like you’d see in the notification area of Android. After making this connection, I can verify that my browser shows my connection as coming from my VPN provider.

browser_android.png

Even better, though, checking from my Linux VM now shows the same thing; the VM’s traffic is now also going through my VPN provider instead of to the prying eyes of my ISP.

terminal_android.png

Suffice to say, this is much better. While the Chrome extensions are passable for older Chromebooks without Google Play access, the corresponding Android applications will offer far superior coverage if they’re an option on your particular device. Not that you shouldn’t have already been doing this anyway, but this should be an incentive to avoid purchasing the insanely cheap Chromebooks that so frequently go on sale; I’d recommend making sure you get a device that at least has Google Play and Linux support. Keep encrypting that traffic, and stay pink!

Note: In my testing, the Linux VM in Chrome OS would often struggle to reconnect properly after an Android VPN application was connected and/or disconnected. For the best results, I’d recommend launching the VM after connecting your VPN. If you forget and connect your VPN after the fact, shut down your VM and restart it.

Unusually Pink Impressions: Acer Chromebook 315

As we’ve mentioned in a few podcast episodes, I happen to be a fan of Chromebooks. I have a hulking desktop that I use for things like gaming, programming, and photo editing. That same desktop is also extremely loud and generates enough heat to warm my apartment, whether it needs to be warmed or not. As a result I tend to like having a cheap Chromebook handy when I just need to take care of some email, catch up on my RSS feeds, waste time looking at memes on Reddit, or write posts for our podcast. I’ve had a handful of Chromebooks over the years, and I’ve always been happy with them given that, for me at least, they serve as a supplement to my personal computing needs. I feel like I’d struggle more than a little if a Chromebook was my only computer.

That being said, my previous Chromebook, a Toshiba Chromebook 2, was getting fairly long in the tooth, and I was on the hunt for a new one to replace it. Chromebooks had been undergoing improvements since I purchased the Chromebook 2, but while the device tended to make the list of ones which were allegedly slated to gain access to the Google Play Store and Linux apps, that never seemed to manifest. I had been eyeing the Acer Chromebook 315 and the HP Chromebook 14, as these were the first two Chrome OS devices to feature AMD processors. That seemed pretty slick to me as I’ve long had AMD hardware over Intel and Nvidia; getting nearly the same performance for significantly less money always seemed like a win for me. Ultimately, I pulled the trigger on the Chromebook 315 when Brandi let me know that it was on sale for around $200 during Prime Day, down from the normal $279. $279 itself still isn’t much of a laptop, but again… it’s a Chromebook. I also don’t actually have Amazon Prime, so Brandi did me another solid by ordering it for me, and I just paid her back. She’s awesome, isn’t she?

At any rate, this isn’t titled as a review because I hate the idea of trying to numerically score things. Instead, I figured I’d just write up some thoughts on the device now that I’ve been using it for about a month. I figure I’ll make a similar post for my (relatively) new Pixel 3a XL sometime in the near future, too.

Hardware

Aside from the AMD A4 processor, the Chromebook 315 is pretty standard fare for a mid-range Chromebook. 4 GB of RAM and 32 GB of solid state storage get you up and running. The A4 processor seems to do a pretty solid job of handling most of what I’m using a Chromebook for, which is running a handful of tabs to browse the web, writing code in a text editor, or scrolling through endless memes and videos on Reddit. Even with around 10 tabs and a few PWAs running (the Spotify one kicks ass and takes names), I haven’t noticed any real slowdown or issue. The storage space could potentially be a sore spot, though, and I’ll discuss why in a little more detail when we get to the software section.

Build

The device itself is all plastic, as you’d expect for a laptop that’s only $279 on a bad day. It at least feels solid, though, and isn’t creaky. As a 15” laptop, it weighs in at just under 4 lbs., which seems neither particularly bad nor impressive. The hinge for the lid is extremely stiff and almost uncomfortable to pry open from a completely closed position; it would be damn-near impossible to do with a single hand. But the trade-off to that is the screen doesn’t wobble at all, even when quickly typing while the device rests on an uneven surface like your lap.

The lid features a textured pattern, which concerned me a little bit since I wasn’t able to find any detailed photos or videos of it. I had been worried that, like the Toshiba Chromebook 2, the texture would actually keep me from applying stickers to it. Fortunately, that wasn’t the case at all. My sticker game remains firmly on point. Also, most of my stickers came from Brandi so don’t give me credit for my taste. Did I mention she’s awesome?

cb_closed.jpg

Battery

The battery is rated for 10 hours. To be honest, I’ve let the device sit for days and days at a time without touching it, so I can’t accurately judge the length. I can say that I’ve only had to charge it a handful of times since I got it, though. Running Android applications does seem to drain the battery at a faster clip, though the screen is the biggest culprit as you’re all but required to have the brightness cranked up pretty high under all circumstances.

Display

Why does the brightness need to be turned up all the time? Because the display is absolute garbage. It may very well be the worst display I’ve ever used on a laptop in my entire life, and that’s no exaggeration from someone who has been using laptops for over a decade. You may be tempted to look at the baseline model and assume that’s because it’s running at 1366 x 768. It’s true that I had been hoping to get the 1920 x 1080 model, but that variant wasn’t on sale during Prime Day and at the time was $70 more. Paying $340 instead of $200 for a laptop just to get a higher resolution screen didn’t seem particularly worthwhile to me, especially when I already had to adjust the text scaling on my 13” 1080p Chromebook 2 so that my myopic ass could actually read anything without my face two inches from the screen. All-in-all, I wasn’t that bummed about the resolution.

The problem is just that the display is horribly washed out. It’s literally incapable of making a color that isn’t pastel. Gray text on an off-white background on a webpage is all but impossible to read with the brightness below 75%. Even when watching videos, the colors are all a lighter hue than you’d expect. While the hardware will easily push the pixels on a display of this low resolution, I’d recommend against this for a device aimed at video. At least the viewing angles are pretty good?

Speakers

The speakers are fine. They aren’t great, but being mounted facing up does make a massive difference when compared to other devices I’ve used where the speakers are pointing down underneath the device. I’ve been able to easily listen to Spotify on it without being irritated with the sound or any distortion or vibration.

Ports and Connectivity

Awesome enough, the device features two USB C ports and two USB A ports. Having a USB C port on either side of the device is pretty awesome. One of them will commonly be used for charging; it was nice to see that as the charging solution rather than yet another proprietary connector.

Keyboard

The keyboard is middling at best. I know, I know… for a $279 device, are you expecting a good keyboard? Well… kind of? I’ve owned an Acer CB3-131 before, a device which retailed for $179 and which was made by the exact same company. The keyboard on it was actually significantly better than the one on the CB315. The spacing between the CB315’s keys is good, but typing on it just feels bad. The keys are extremely squishy; it’s very difficult to tell if you’ve actually pressed a key adequately or not while typing quickly, leaving me with a not-insignificant number of missed characters when I’m hammering out these posts. Admittedly, part of that stems from the fact that I’m used to spending most of my time typing on a mechanical keyboard, but I still expected something at least a tiny bit better. That being said, it works well enough for quick tweets and Reddit posts. For longer posts like this, though, I’m more likely to dock it in my work-from-home setup and type on a Razer Blackwidow Tournament Edition Quartz.

Touchpad

It’s a touchpad. It works. It’s exactly what you expect; it’s simultaneously:

  • The same as every other Chromebook trackpad

  • Better than every PC trackpad

  • Worse than every MacBook trackpad

Software

This is where things get interesting for me. I could very easily find from doing searches online prior to purchasing the device that it had Google Play support. This means you can access the Google Play Store just like you would from an Android phone and install any apps you may happen to want. They might look a little janky (because what phone display has a maximum vertical resolution of 768 pixels in 2019?) but they work and they tend to run pretty smoothly. I even tried out a couple of games and found them pretty pleasant. What I was really curious about, though, were Linux apps. On supported devices, you can essentially install a Linux VM and get access to a shell with a full Linux system running underneath it. For the most part, compatible devices depended upon having the appropriate processor architecture, so I wasn’t sure if an AMD processor would throw a wrench into things. Mercifully, that wasn’t the case. I was able to just search the settings for “Linux”, toggle it to on, wait a minute for a download, and then I was up and running.

As you can see here, the VM you get is (at the time of this writing) running Debian 9. You can treat it basically like any other Debian install, including installing the packages you need from the repository. Is the repo missing something you really need? Just download and run the .deb file. Linux aficionados like myself will immediately feel at home.

Screenshot 2019-08-29 at 8.31.57 PM.png

I was able to quickly configure Vim and Python3 along with using the lovely rustup toolchain to install the latest version of Rust. All of them work perfectly. This was huge for me because it means I can do some scripting and development on my Chromebook directly. This is without having to do what I’d previously do, which was either sit at my loud furnace of a desktop or use my Chromebook to SSH into a development server.

The one downside to all of this is that 32 GB hard drive. Getting Debian installed took about 2 GB on its own. When you start adding in some Android apps, copying over a few ebooks, and of course taking into account Chrome OS itself, I’m looking at 16 GB of remaining space. 50% isn’t a huge issue for me right now, but if I start needing to add a lot of additional Linux packages or Android apps then things could get tight rather quickly. I may have to investigate swapping out the storage in the future if I start to bump my head.

Wrap-up

On the whole, I’m pretty happy with the CB315, especially considering that I paid around 70% of the normal price for it. If I had paid the full price I think I’d still be happy but I’d be slightly more disappointed with the display. It really is atrocious. Chrome OS has come a long way since when I first started using it in 2013, and as a Linux fan it now has so much more value than it did previously. I still don’t think I’d want to roll with a Chromebook as my only personal computer right now, but I can certainly do more with it now than I could before.

Fixing Let's Encrypt Certificates After You Delete Them Like An Idiot

In Episode 11, I had discussed how I run a couple of my websites on a Linux server running Nginx as the web server and encrypting connections to them via Let’s Encrypt certificates. Shortly after recording that episode, though, I realized I had messed up my certificate configuration via certbot. If you don’t recall the episode, I had taken my web server which was only running laifu.moe and added awk.ninja to it so that I had both sites running on the same server. When I added awk.ninja, I had to re-run certbot and get a certificate for it along with the certificate I had for laifu.moe. That’s where I messed up; I got tipped off when I received the following email from Let’s Encrypt letting me know that my certificate for laifu.moe was about to expire.

Your certificate (or certificates) for the names listed below will expire in 10 days (on 07 Jul 19 12:52 +0000). Please make sure to renew your certificate before then, or visitors to your website will encounter errors.

We recommend renewing certificates automatically when they have a third of their
total lifetime left. For Let’s Encrypt’s current 90-day certificates, that means
renewing 30 days before expiration. See
https://letsencrypt.org/docs/integration-guide/ for details.

laifu.moe
www.laifu.moe

That seemed odd to me since I knew I had a cron job running to update the certificates. I checked the expiration for the certificate on laifu.moe and saw that it had nearly two months left on it. I checked the certificate applied to awk.ninja and saw the same thing. EXACTLY the same thing in fact. In double-checking the certificate on laifu.moe, I realized that the Common Name was for awk.ninja. I was using the awk.ninja certificate for both of my sites. Oops. What happened was that when I added awk.ninja and re-ran certbot, I got the following:

certbot.png

My thought at the time was that I needed to select ALL of the sites. In reality, this overwrote the configuration I already had on laifu.moe and applied the awk.ninja certificate to both sites. This is where I decided to be really stupid. I decided that I would delete the existing certificates, re-run certbot twice (once for laifu.moe and once for awk.ninja), and then be done. I started off by deleting the awk.ninja certificate that was applied to both sites:

sudo certbot delete --cert-name awk.ninja

I did the same to delete the laifu.moe certificate. Then I tried to do a vanilla run of certbot to get the menu in my screenshot above and individually configure each of my two sites. Instead of getting that menu, though, I received an error message that my sites were pointing to certificates that didn’t exist. certbot then exited without giving me any further options. The problem is that my configuration files below still referenced the certificates that I just nuked. Oops.

/etc/nginx/sites-available/awk.ninja
/etc/nginx/sites-available/laifu.moe

After thinking about it for a few seconds, it made sense; certbot can’t know what’s going on and is expecting me to do some cleanup on the mess I made instead of making assumptions about whether or not I should still have certificates. To keep my life simple, I decided to go back to a clean slate on my sites-available configurations since I knew that I could get certbot to redo the configuration again as long as I could get it to successfully run. As a result, I just set the configurations for both laifu.moe and awk.ninja back to a super vanilla setup. Just %s/laifu.moe/awk.ninja/g on the file below for what I configured on awk.ninja.

server {
        listen 80;
        listen [::]:80;

        root /var/www/laifu.moe/html;
        index index.html index.htm index.nginx-debian.html;

        server_name laifu.moe www.laifu.moe;

        location / {
                try_files $uri $uri/ =404;
        }
}

Once I had that done, I restarted nginx just to make sure it was working and I could hit port 80 for both sites.

sudo systemctl restart nginx

With that working, I was able to re-run certbot and finally get the menu from my initial screenshot. I first configured a certificate for awk.ninja and its www variant. Once that was done, I ran certbot one more time and walked through getting a certificate for laifu.moe and its www variant. In both instances, I opted to have certbot reconfigure the files in sites-available to redirect all HTTP traffic to HTTPS. I restarted Nginx one more time and finally I had everything configured the way I wanted with each site using its own certificate.
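The failure described above came from deleting a certificate that nginx site files still pointed to. As an added example (not from the original post), the script below lists which site configs reference a given certbot certificate name and which referenced files are missing; the function names, the root-prefix argument and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumes certbot's standard /etc/letsencrypt/live/<cert-name>/
# layout and one nginx config file per site in a single directory.

# Print each path named by an ssl_certificate or ssl_certificate_key directive.
cert_refs() {
    awk '$1 == "ssl_certificate" || $1 == "ssl_certificate_key" {
             sub(/;.*/, "", $2); print $2 }' "$1"
}

# List the site configs in directory $1 that point at certbot lineage $2.
# Run this before `certbot delete --cert-name <name>`.
sites_using_cert() {
    for conf in "$1"/*; do
        [ -f "$conf" ] || continue
        if cert_refs "$conf" | grep -qF "/live/$2/"; then
            basename "$conf"
        fi
    done
}

# List "<site>: <path>" for every referenced certificate or key file that is
# missing. $2 is a root prefix ("" for the live filesystem) so the check can
# also run against a copy or a constructed tree.
missing_cert_files() {
    for conf in "$1"/*; do
        [ -f "$conf" ] || continue
        cert_refs "$conf" | while read -r ref; do
            [ -e "$2$ref" ] || echo "$(basename "$conf"): $ref"
        done
    done
}

# Constructed sample: the state described above, with both sites switched to
# the awk.ninja lineage. Prints the temporary root directory it creates.
make_demo_tree() {
    root=$(mktemp -d)
    live="$root/etc/letsencrypt/live/awk.ninja"
    mkdir -p "$root/etc/nginx/sites-available" "$live"
    touch "$live/fullchain.pem" "$live/privkey.pem"
    for site in laifu.moe awk.ninja; do
        cat > "$root/etc/nginx/sites-available/$site" <<EOF
server {
        listen 443 ssl;
        server_name $site www.$site;
        ssl_certificate /etc/letsencrypt/live/awk.ninja/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/awk.ninja/privkey.pem; # managed by Certbot
}
EOF
    done
    echo "$root"
}

demo=$(make_demo_tree)
sites="$demo/etc/nginx/sites-available"
echo "Sites that depend on the awk.ninja lineage:"
sites_using_cert "$sites" awk.ninja
rm -r "$demo/etc/letsencrypt/live/awk.ninja"   # stands in for certbot delete
echo "Dangling references after the delete:"
missing_cert_files "$sites" "$demo"
rm -r "$demo"
```

On a live server the equivalent calls are `sites_using_cert /etc/nginx/sites-available awk.ninja` and `missing_cert_files /etc/nginx/sites-available ""`.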

The moral of the story is to actually troubleshoot the problem instead of just starting off by deleting shit from your server. Also, try staying pink!