Lots of fun with OpenVPN

OpenVPN may seem to you as being “just another VPN solution”. And maybe you are right.

However, OpenVPN has some distinct advantages over other VPN solutions that make it quite interesting for deployment:

  • NAT traversal. OpenVPN uses plain old UDP packets as a transport medium. Every NAT router in this world can forward them correctly out-of-the-box. If not, create the usual port-forwarding rule and be done with it. If that fails too (for whatever reason it could fail), use the TCP protocol.
  • Ease-of-use: Install, create two certificates, use the VPN. It’s as easy as 1-2-3.
  • Designed with small installations in mind. OpenVPN is not a big slow beast like IPsec for example. While it may not be as secure, it does not have all the problems associated with IPsec.
  • User-Space. OpenVPN runs completely in userspace (while using the TUN device provided by the kernel). This way the installation is non-critical and requires no reboots. Updates in case of security problems do not require reboots either.

So after this unexpected praise: What brings me to writing this posting?

Well. I’ve just deployed one of the coolest things on earth: Using OpenVPN, I have connected my home network to the network in the office. Both ends see each other and allow for direct connections. I’m not only able to print on the office’s printers from home (which admittedly is as useless as it is cool), but I’m also able to – for example – stream music from home to the office over a secured channel. All using straight IP connections without any NAT trickery or other things.

Actually not even one port is forwarded through my NAT-gateway (a ZyAir B-2000 – as the Airport-Basestation does not allow for static routes (see below), I was forced to cross-grade).

I already had some of this functionality using my previously deployed PPTP-setup, though this had some disadvantages:

  • Flaky support in Linux. Maintaining the beast across Windows and Mac versions was not easy as something always broke on new versions.
  • Suboptimal security. You know: PPTP has flaws – quite like WEP. Though I’ve tried to work around them by using very, very long passwords.
  • Suboptimal usability: When I wanted to connect to the office, I had to dial into the VPN, so user interaction was needed. Additionally, the default gateway was redirected (I could have turned that off), so all open TCP connections got disconnected when I dialled.

My current solution does not have any of those problems (I don’t know about the security of course – no one does. For now, OpenVPN is said to be secure): No dialling is required, no problems with changing software versions are to be expected (as it runs on a dedicated router which I don’t intend on changing), and I don’t have to dial in. The default gateway is not changed either of course, so the usual internet connections go out directly. This way I’m unaffected by the office’s suboptimal upstream of 65KBytes/s (unless I use services from the office of course – but this is unavoidable).

So. What did I do?

First of all, I had to recompile the kernel on the server side once, as I had not included TUN support when I created my .config last year. After this, emerge openvpn was all that was needed. I kept the default configuration file mostly intact (install with the “examples” USE flag and use the example server.conf), but made some minor adjustments:

local x.x.x.x
push "route 192.168.2.0 255.255.255.0"
client-config-dir ccd
route 192.168.3.0 255.255.255.0
#push "redirect-gateway"

(just the changed lines)

and the /etc/openvpn/ccd/Philip_Hofstetter:

iroute 192.168.3.0 255.255.255.0

Now, what does this configuration do?

  • Bind to the external interface only. This has only cosmetic reasons
  • Push the route to the internal network to the client. Using the default configuration, all OpenVPN addresses are in the 10.8.0.0 network, which allows for nice firewall settings on the server side. The 192.168.2.0/24 network is our office network
  • Tell OpenVPN that there are some client-specific configuration options to reach the 192.168.3.0/24 net which is my home network
  • Comment out the option to let OpenVPN set the default gateway. We really don’t want all the traffic in my home net going through the office

Then we create this client-configuration file. It’s named after the CN you use in the SSL-certificate, while replacing spaces with underscores. You can see the correct value by setting up everything and then connecting to the server while watching the logfile.

In the client specific configuration-file we confirm the additional route we want to create.
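The pairing the two files rely on (a server-side route for the client LAN plus an iroute in that client’s ccd file) is easy to get half right, and a missing half fails silently. The following is an added example, not code from the original post: it parses the post’s server.conf lines and ccd file (embedded below as constructed text) and reports any mismatch between route, iroute, client-config-dir and pushed options.

```python
"""Added example (not from the original post): a consistency check for the
site-to-site pairing the post describes. For every client LAN the server
should reach, OpenVPN needs BOTH a server-side `route` (kernel route into
the tun device) AND an `iroute` in that client's ccd file (which client
owns the subnet). Config text below is constructed from the post's snippets."""
from __future__ import annotations

import shlex

# Constructed: the changed server.conf lines from the post.
SERVER_CONF = """
local x.x.x.x
push "route 192.168.2.0 255.255.255.0"
client-config-dir ccd
route 192.168.3.0 255.255.255.0
#push "redirect-gateway"
"""

# Constructed: ccd file name (the certificate CN, spaces as underscores) -> content.
CCD_FILES = {"Philip_Hofstetter": "iroute 192.168.3.0 255.255.255.0\n"}


def parse_directives(text: str) -> list[list[str]]:
    """Split an OpenVPN config into [directive, arg, ...] lists. Blank lines
    and '#'/';' comments are dropped; a quoted argument such as
    push "route ..." survives as one argument (shell-like quoting)."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        out.append(shlex.split(line))
    return out


def check_site_to_site(server_conf: str, ccd: dict[str, str]) -> list[str]:
    """Return a list of findings; an empty list means the configs agree."""
    findings: list[str] = []
    server = parse_directives(server_conf)

    # Subnets the server's kernel routes into the tunnel.
    routes = {(d[1], d[2]) for d in server if d[0] == "route" and len(d) >= 3}

    # Routes and options pushed to clients.
    pushed_routes = set()
    for d in server:
        if d[0] != "push" or len(d) < 2:
            continue
        inner = d[1].split()
        if inner[:1] == ["redirect-gateway"]:
            findings.append("server pushes redirect-gateway: all client LAN traffic would go through the office")
        elif len(inner) >= 3 and inner[0] == "route":
            pushed_routes.add((inner[1], inner[2]))

    # Subnets claimed by clients via iroute, mapped to the owning CN.
    iroutes: dict[tuple[str, str], str] = {}
    for cn, text in ccd.items():
        for d in parse_directives(text):
            if d[0] == "iroute" and len(d) >= 3:
                if (d[1], d[2]) in iroutes:
                    findings.append(f"{d[1]} {d[2]} is iroute'd by both {iroutes[(d[1], d[2])]} and {cn}")
                iroutes[(d[1], d[2])] = cn

    if iroutes and not any(d[0] == "client-config-dir" for d in server):
        findings.append("ccd files exist but server.conf has no client-config-dir, so iroutes are never read")
    for net in sorted(routes - set(iroutes)):
        findings.append(f"route {net[0]} {net[1]} has no matching iroute in any ccd file "
                        "(packets enter the tunnel but OpenVPN cannot pick a client)")
    for net, cn in sorted(iroutes.items()):
        if net not in routes:
            findings.append(f"ccd/{cn} iroutes {net[0]} {net[1]} but server.conf has no route for it "
                            "(the kernel never sends packets into the tunnel)")
    for net in sorted(pushed_routes & set(iroutes)):
        findings.append(f"pushed route {net[0]} {net[1]} is a client's own LAN (ccd/{iroutes[net]})")
    return findings


if __name__ == "__main__":
    print(check_site_to_site(SERVER_CONF, CCD_FILES) or "consistent")
```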

The configuration file on the client router is unchanged from the default.

The only thing you need now is the SSL certificates. Create one for the server and one for each client. I won’t go into this in this article as it’s somewhat complicated in itself, but you’ll find lots of guides out there.

I used our company’s CA to create the certificates for both the server and the client.

After this, it’s just a matter of /etc/init.d/openvpn start on both machines (the path to the certificates/keys in the configuration files must match your created files of course).

Just watch out for the routing: On the server I had to change nothing as the server was already entered as default gateway on all the clients in the office network.

In the client network, I had to do some tweaking as the default-gateway was set to the Airport Basestation, which (understandably) knew nothing about the 192.168.2.0/24 network, so was unable to route the IP-packets to the VPN-gateway in the internal network (my Mac Mini).

Usually you solve that by installing a static route on the default gateway in your network. Unfortunately, this is not possible on an airport basestation. A problem I have solved by replacing it with a ZyAir B-2000 from Zyxel which allows for setting static routes.

On that new access-point I created a route equivalent to this unix-command:

route add -net 192.168.2.0 netmask 255.255.255.0 gw 192.168.3.240

Where 192.168.3.240 is the address of my Mac Mini on which OpenVPN was running as client.

Then I issued “echo 1 > /proc/sys/net/ipv4/ip_forward” on the Mac Mini to allow the packets to be forwarded.

So whenever I send packets to one of the offices computers – let’s say 192.168.2.98, this is what happens:

  1. The client uses its IP and netmask to find out that the packet cannot be delivered directly. It sends it to the default gateway (my ZyAir)
  2. The ZyAir consults its routing table for the route to 192.168.2.0/24 and finds 192.168.3.240 as gateway for that network (every other address would have been routed through my cable modem)
  3. 192.168.3.240, shion, consults its own routing table, where OpenVPN has created a route through the VPN interface (10.8.0.x) to the 192.168.2.0/24 network. It delivers the packet there.
  4. On the other end of the tunnel, the OpenVPN-Server delivers the packet to the destination server.

The path of the reply-packets is the same – just from the bottom to the top.
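To make the four hops above (and the reply) visible, here is an added example, not code from the original post: one routing table per box, constructed from the post, and a longest-prefix-match trace over them. The home client’s and office host’s own addresses, the name “office-upstream” and the probe address 203.0.113.5 are assumed; the ip_forward flag models the echo-1 step on shion.

```python
"""Added example (not from the original post): a hop-by-hop trace of the
packet walk the post describes, using longest-prefix match on one routing
table per box. Tables are constructed from the post; the home client's and
office host's own addresses and the office upstream name are assumed."""
from __future__ import annotations

from ipaddress import IPv4Address, IPv4Network

# Per host: (destination network, next hop). A next hop of None means the
# network is directly attached and the packet is delivered on it.
TABLES: dict[str, list[tuple[str, str | None]]] = {
    "home-client": [("192.168.3.0/24", None),
                    ("0.0.0.0/0", "zyair")],              # default gw = ZyAir
    "zyair": [("192.168.3.0/24", None),
              ("192.168.2.0/24", "shion"),               # the static route added on the ZyAir
              ("0.0.0.0/0", "cable-modem")],            # everything else: internet
    "shion": [("192.168.3.0/24", None),                   # 192.168.3.240, OpenVPN client
              ("10.8.0.0/24", None),                     # tun interface
              ("192.168.2.0/24", "office-server"),       # route pushed by the server
              ("0.0.0.0/0", "zyair")],
    "office-server": [("192.168.2.0/24", None),          # office LAN
                      ("10.8.0.0/24", None),
                      ("192.168.3.0/24", "shion"),       # server-side `route` + iroute
                      ("0.0.0.0/0", "office-upstream")],
    "office-host": [("192.168.2.0/24", None),            # e.g. 192.168.2.98
                    ("0.0.0.0/0", "office-server")],     # server is the office default gw
}

# Which boxes forward packets not addressed to themselves
# (the `echo 1 > /proc/sys/net/ipv4/ip_forward` step on shion).
IP_FORWARD = {"zyair": True, "shion": True, "office-server": True}


def lookup(host: str, dst: IPv4Address) -> tuple[IPv4Network, str | None]:
    """Longest-prefix match in one host's table, as the kernel does it."""
    best: tuple[IPv4Network, str | None] | None = None
    for net_s, gw in TABLES[host]:
        net = IPv4Network(net_s)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        raise LookupError(f"{host}: no route to {dst}")
    return best


def trace(src_host: str, dst: str, forwarding: dict[str, bool] | None = None) -> list[str]:
    """Return the boxes a packet passes. The list ends at the box that
    delivers it directly, at an off-page next hop (cable modem, office
    upstream) or at a 'dropped' marker when a box has forwarding off."""
    fwd = IP_FORWARD if forwarding is None else forwarding
    d = IPv4Address(dst)
    path, host = [src_host], src_host
    for _ in range(8):                        # more hops than this means a loop
        _net, gw = lookup(host, d)
        if gw is None:
            return path                       # directly attached: delivered
        path.append(gw)
        if gw not in TABLES:
            return path                       # left the modelled networks
        host = gw
        if not fwd.get(host, False):
            path.append("dropped: ip_forward=0")
            return path
    raise RuntimeError("routing loop")


if __name__ == "__main__":
    print(" -> ".join(trace("home-client", "192.168.2.98")))   # via ZyAir, shion, tunnel, server
    print(" -> ".join(trace("office-host", "192.168.3.10")))   # reply: shion sits on the home LAN
    print(" -> ".join(trace("home-client", "203.0.113.5")))    # constructed internet address: out the cable modem
```

The reply trace shows why only the ZyAir needed a static route: shion is itself on 192.168.3.0/24, so packets coming back out of the tunnel are delivered directly without passing the ZyAir again.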

After getting the routing as I wanted it (verifiable by pinging between computers in both networks), the next step was pure cosmetics:

  • Create an internal DNS-server. Use it as a slave for the office’s DNS-server to allow for DNS-lookups to work without crossing the VPN each time
  • Use said DNS-server to create entries for the computers in my home network
  • Make the office DNS-server a slave for that home-zone (to reach my computers by name)

All of this was most interesting to implement and went much more smoothly than anything else I’ve tried so far VPN-wise. Finally, I have the optimum solution concerning connectivity to my office.

And besides that: It was fun to implement. Just worthy of a “Supreme nerd” – the title I got here for my 92 points.

FreeNX


FreeNX is the GPLed variant of NoMachine’s NX product.

While exporting X-Sessions never has been a problem, it was kind of slow especially on connections with limited bandwidth. NX tries to solve this by using some tricks at the X11-protocol level, a little proxy-server and a big local bitmap cache. They promise fluently working X-Sessions even over a 56K modem.

Well. I have installed KDE and now FreeNX on my Mac Mini, which I bought for the sole purpose of being a little home server/VPN gateway. My NSLU2, while being a really nice little thing, does not work with OpenVPN due to the kernel lacking TUN support.

Installation was easy and flawless – besides forcing me to forward port 5000 to the NATed Mac Mini, as the commercial (freeware) Windows client seems to have problems with the FreeNX server when tunneling the X session over ssh.

The client works very well too. And I can say: It’s fast. Very, very fast.

Some more things to note about the screenshot:

  • While I usually had the policy to name servers after persons and then locations from “Lord of the Rings”, I somewhat ran out of names, so I began using names from RPGs. My Mac Mini is called Shion, after Shion Uzuki of Xenosaga.
  • I’m running Gentoo, of course.
  • Installing FreeNX is as easy as emerge nxserver-freenx on Gentoo.
  • The screenshot is of a session exported at 800×600 pixels. Using more pixels does not slow down the session significantly, but those 800×600 were comfortable to use on my current display so I can have other things besides the session.

Snom 190

The Snom 190 is a SIP hardware phone which I have ordered recently to continue my asterisk experiment.

Yesterday it arrived.

I have to say: I love that device. Contrary to those proprietary PBX phones, the Snom 190 is easy to use, provides a big heap of features (complete remote manageability, web interface, dialing over HTTP request (Outlook plugin – here I come)) and does not cost more than what the other companies ask for their lowest entry-level phones. The Snom even looks good!

Like many other devices today, the Snom 190 runs Linux (2.4), though this time I have not tried to hack it yet. All the sources including the development environment are available on the snom website.

Contrary to the somewhat crappy ZyXel 2000W which I have tested too, the Snom 190 is ready for productive business.

This makes implementing VoIP at our company seem more and more likely every day.

The greatest gadget ever

Recently I thought: “Well… having this iMac as server is all nice and well, but what about having all that a little more like embedded? What about not having to have this iMac running all the time? After all, it is not always as silent as I would have wished it to be. And I really wanted to have something more ‘hackish’.”

So I went after the Linksys WRT54G. There are two ROMs you can flash on it: On one hand the more or less proprietary ROM by Sveasoft and on the other hand the ROM by OpenWRT, the latter being the only one that actually allows installing packages.

I bought myself one of those Linksys thingies and I was less than pleased. The ROM by Sveasoft worked well by adding some extended features to the device, but did not allow me to install anything (or even change configuration files). OpenWRT fixed that read-only thing, but I could not get WPA to work.

After all, the device is of limited use as a home-server. The storage you have at your disposal is just too limited, so I went out to fix that problem.

The first thing that came to my mind was one of those “Network Harddrives” – poor man’s NAS.

I went to one of those big retailers and found the Linksys NSLU2, which enables externally plugged USB-drives to be exported via CIFS (or SMB or SAMBA or whatever you call it).

Before doing anything with the device – having in mind Linksys’ relation to Linux, I googled around a bit and found NSLU2 Linux

After getting it installed (the root-password thing was a bit tricky, but consequent RTFM helped here), I was slowly getting very, very impressed.

What you get is the usual stripped-down Linux distribution, but the root-fs is writable, so you can change the configuration in-place. Then, you can use the attached harddrive as storage for additional software, thus working around the single problem I’ve had with the WRT54G: inextensibility.

After you install the basic distribution, there’s little more than 1 MByte of free space on the flash-rom of the device itself. But there’s this script, unslug that enables the device plugged to the first USB-port as storage for additional software. And additional software, there’s plenty of.

After installing the package unslug-feeds (with ipkg install unslug-feeds) you gain access to this repository containing software like Apache, PHP, Postgresql, a bittorrent-client, cups, perl (for Slimp3),… just all you need on a decent linux distribution (and more less-useful stuff like OpenLDAP). You even get asterisk – and there’s a way to install additional USB-drivers. If only AVM would provide kernel modules for the ARM-kernel running on the device. Then, the NSLU2 would be the smallest PBX on this planet.

The best thing is: While the firmware by Linksys does not allow it, with the improved version you can plug a USB stick into the first USB port and use that as target for additional software installation.

This allows for installing a complete linux distribution on a device with no mechanical parts whatsoever. No PC you’re going to build yourself will even be so silent. Neither is my iMac. Finally a home-server not making any sound at all. This is great.

Because I have no USB-stick at hand, I have not run unslug yet, but I will tomorrow.

Then I’m going to plug my newly bought external 250GB harddisk into the second USB port and use that as storage for a bittorrent client I’m eventually going to install on the USB stick. And for my MP3s, which a Squeezebox server installed on the USB stick will serve. So, when I’m not asleep, I turn on the HDD to serve MP3s to the Squeezebox. When I’m going to sleep, I just turn the HD off, keeping the rest of the server running.

This little device is so extremely great. I really, really like it so far and I can’t wait to see it working at its fullest potential.

This is the best CHF 150.- I’ve ever spent in my whole life.

Praise to ZSH

Jochen Maes talks about zsh today. (I found that blog via planet.gentoo.org)

I wholeheartedly agree with Jochen here.

Finally someone else writing good stuff about zsh.

I’ve been using this shell since 2000, when I did my first serious steps with Unix. This mainly has three reasons:

One is the “User Friendly Users Guide” available here. Besides this being an excellent introduction to zsh it is one to unix shells in general. When you’re learning unix shells using this guide, you’ll somewhat automatically stay with zsh.

The other reason is the great flexibility and expandability. Zsh had a programmable autocompletion feature long before bash had (or at least long before it was generally known) and even better: It came with some autocompletion functions already enabled for some tools (like tar or even scp). Programmable autocompletion allows you to create special completions depending on the context in which you are hitting tab.

So let’s say if you are beginning to type

$ scp gnegg.dat pilif@server.example.com:~/gn

and then hit tab, zsh will actually autocomplete on the remote server(!) and create

$ scp gnegg.dat pilif@server.example.com:~/gnegg

for you (assuming that directory exists)

The same goes for tar (even with .gz or .bz2 compressed ones). Or cvs or svn

While Gentoo provides bash-completion-config, which does the same for bash, zsh was there first. And it provides many sensible completions.

The third reason for me going with zsh is the syntax of the shell-scripts which can be configured to be much more intuitive to a C-programmer than the default-syntax, while still being more like ksh/bash than (t)csh.

So for me, switching from bash to zsh was a no-brainer back in 2000. And as with the text-editors: Once you use a certain tool, you will not change it afterwards.

I strongly recommend you to take a look at zsh too.

Asterisk – it’s getting real

Last week I talked about me and Christoph installing Asterisk on my thinkpad to do a little VoIP-Experiment.

While we were able to create a should-be-working configuration, actually calling to the outside PSTN network did not work. Read the details in my other article.

Last saturday, we fixed that.

There seems to be a problem somewhere between the AVM CAPI driver and the CAPI layer of the 2.6.11 kernel. After we downgraded to 2.6.10, the problem solved itself without us doing anything more.

So… this was getting interesting…

The first thing I did was to annoy my wonderful girlfriend:


exten => s,1,Wait,1 ; Wait a second, just for fun
exten => s,2,Answer
exten => s,3,MP3Player(/home/pilif/mp3/3.mp3)

(included into or used as the default context)

Where 3.mp3 is that endlessly stupid song “Tell me” (or whatever it’s called) by Britney Spears (this is an insider joke – both of us just hate that song). Then I told her to call that number…

While this example is completely pointless, it was fun to watch my girlfriend connecting and listening to the song (which soon ended in a disconnection log entry)


exten => s,1,Wait,1
exten => s,2,Dial(SIP/12345,60,tr)
exten => s,3,Congestion

This makes much more sense and directs all incoming calls to the SIP-Phone 12345 as configured in sip.conf. After 60 seconds, it sends back a congestion signal. The first entry would not be necessary, but I hate it when I call somewhere and the phone is answered just at the first ring. So in my PBX, the answering party will wait one second before directing to the sip-phone.

In musiconhold.conf I’ve configured madplay as my MP3-Player for music on hold:


default => custom:/home/pilif/mp3/,/usr/bin/madplay --mono -R 8000 --output=raw:-

madplay is much better than mpg123, which is used by default, as it accepts VBR-encoded input and bitrates > 128 kbit, which is what nearly all of my MP3s are encoded with.

In zapata.conf enable music on hold with musiconhold=default in [channels]

The next thing was an optimization of the SIP-Phone used…

X-Lite is nice, but in the end it’s just a demo for other products by the same vendor. Call transferring is not possible for example, which is what we wanted to try next.

The best soft phone we’ve seen so far is SJPhone. A configuration guide is here

But the real highlight is the Zyxel 2000W phone that’s currently on my desk: The phone has a WLAN interface (unfortunately no WPA support) and can perfectly well speak with asterisk.

The phone has some problems though: it’s slow, it has no support for call transferring, nor holding, nearly every configuration change causes it to reboot,… In the end I really hope Zyxel will further improve the firmware, which is what they seem to be doing – the current release is from the end of February, so quite current.

The next thing will be trying to install a webbased frontend to asterisk and creating a real dialplan with voice mail. Then, our experiment will be over and we’ll see how it can be put into practical use (like finally getting rid of the old, proprietary PBX from alcatel of our landlords)

Fun with VoIP

When I read for the n-th time about Asterisk, an Open Source PBX solution, I decided to team up with Christoph and tame the beast.

I have actually two problems with asterisk as it stands now:

  1. There’s not much really useful newbie documentation or tutorials. There are some sample configurations, but they are not very useful because…
  2. the tool has an incredibly opaque and difficult to understand syntax for its main configuration file (extensions.conf). It’s just like it is with sendmail: Many extremely low-level things to take care of for getting complex high-level results.

I thought that, teamed up with Christoph, we’d be more likely to see some results.

The first thing was defining the parameters of our experiment. Here’s what we wanted to do:

  • Act as a SIP-Proxy, so two softphones (we did not want to buy too much actual hardware yet) could talk to each other.
  • Provide a gateway to the ISDN-Network, so both SIP-Phones can dial out to the rest of the world.
  • The same gateway should be able to receive incoming calls and direct them to one of the Phones (just one for now).

In the next session, we want more advanced features, like voicemail and waiting music. A third session should provide us with a webbased frontend (I know there are some). But for now, we wanted to concentrate on the basics.

The next step was to get the required hardware. I already have Gentoo running on my Thinkpad, so that was a good base. Furthermore, we needed any ISDN-Solution being supported by Asterisk. As we had a plain old BRI interface and a very limited budget (it was just an experiment after all), we went with the Fritz Card USB by AVM which has Linux CAPI drivers, albeit only binary ones (we could also have used the PCMCIA-version, but this is three times as expensive as the USB one).

Said piece of hardware proved to be a real pearl: It’s very compact, does not need a power adaptor and was very easily installed under Linux. I would not be using this for a real-world solution (which most likely requires PRI support and absolutely would require open sourced drivers), but for our test, this was very, very nice.

Installing the needed software is where Gentoo really shone, as everything needed was already in the distribution: After hooking up all the stuff, we emerged net-dialup/fritzcapi, net-misc/asterisk and net-misc/asterisk-chan_capi, which sucked in some more dependencies.

The next step is to reconfigure the kernel for the CAPI-stuff to work. Just include everything you find under “Device Drivers / ISDN Support / CAPI” – even the one option marked as Experimental (as the CAPIFS is needed and only available when enabling “CAPI2.0 Middleware support”)

Then, we made sure that CAPI (a common ISDN access API) was running by issuing capiinit start.

Then we went on to asterisk.

The first thing you have to do is to set up the phones you’re using. As we worked with SIP phones, we used sip.conf:

[general]
port = 5060
bindaddr = 0.0.0.0
tos = none
realm = sen.work
srvlookup = yes

[12345]
context = theflintstones
dtmfmode = rfc2833
disallow = all
allow = gsm
callerid = "Fred Flintstone" <12345>
secret = blah
auth = md5
host = dynamic
reinvite = no
canreinvite = no
nat = no
qualify = 1000
type = friend

[12346]
accountcode = 12346
dtmfmode = rfc2833
host = dynamic
auth = md5
secret = blah
canreinvite = no
context = theflintstones
qualify = 2000
type = friend
disallow = all
allow = gsm

This worked with our two test-phones running X-Lite

The following settings are of interest:

realm: The realm. I used our internal domain here. The default is asterisk. Your VoIP address will be identifier@[realm].
accountcode: This is the username you’re going to use on the phone
context: The context will be used when we create the dial plan in the feared extensions.conf

Then, we configured CAPI in capi.conf

[general]
nationalprefix=0
internationalprefix=00
rxgain=0.8
txgain=0.8

[interfaces]
msn=44260XXXX
incomingmsn=*
controller=1
softdtmf=1
accountcode=
context=demo
devices=2

Those settings are said to work in Switzerland. The interesting setting is msn. This is where you enter the MSNs (phone numbers) assigned to your NT. I somewhat X-ed it out. Just don’t use any leading zeroes in most countries. You can enter up to five using commas as separator.

The next thing is to update modules.conf. In the [modules]-Section, add load => chan_capi.so, in the [global]-section, add chan_capi.so=yes.

Without those entries, asterisk will complain about unresolved symbols when loading the CAPI modules and will finally terminate with a “broken pipe” error. Trust us. We tried. ;-)

The best thing now is that you can already test your setup so far. Launch asterisk with asterisk -vvvvvc (each v adds a bit of verbosity, while -c tells it not to detach from the console). If it works well, you’ll end up at a console. If not, make sure that capiinit did not report any error and that you’ve really added those lines to modules.conf.

Now for the fun of it, call one of your MSNs with any phone.

Asterisk should answer and provide you with a demo-menu

The next step is configuring extensions.conf. This is somewhat complex and I will go into more detail, as soon as I’ve figured out, what’s wrong with our test-configuration. We’ve added this to the end:

[ch-fest-netz]
exten => _0[1-9].,1,Dial(CAPI/44260XXXX:b${EXTEN},30)
exten => _0[1-9].,2,Hangup

[theflintstones]
include => ch-fest-netz

Just look that you enter one of the MSNs you have configured in capi.conf.

Now what this configuration should do is to allow those SIP-phones (recognize the “context” we used in sip.conf?) to dial out via CAPI.

You best learn how to configure this beast by calling the demo voicebox and then comparing the log output of Asterisk with the entries in extensions.conf. Basically, exten => defines a dial plan entry to execute. Then comes the pattern of dialed numbers to recognize. After that comes a (BASIC-like) sequence number, followed by the action to execute.

The format of the number pattern is explained in one of the comments in extensions.conf
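To see what the pattern `_0[1-9].` and the include actually do, here is an added example, not code from the original post: a small parser for the dialplan lines used in this and the previous Asterisk post (both the `App(args)` form and the older `App,args` form), Asterisk-style pattern matching (X, Z, N, [..], `.`), resolution through includes, and a check for gaps in the priority sequence. The dialplan text embedded below is constructed from the post’s snippet.

```python
"""Added example (not from the original post): parse the post's extensions.conf
fragments, resolve which steps a dialled number hits (own context first, then
includes) using Asterisk-style patterns, and flag priority gaps, at which old
Asterisk silently stops. The dialplan text is constructed from the post."""
import re
from collections import namedtuple

EXTENSIONS_CONF = """
[ch-fest-netz]
exten => _0[1-9].,1,Dial(CAPI/44260XXXX:b${EXTEN},30)
exten => _0[1-9].,2,Hangup
[theflintstones]
include => ch-fest-netz
"""

# Accepts both 'App(args)' and the older 'App,args' spelling the posts use.
EXTEN_RE = re.compile(r"^exten\s*=>\s*([^,]+),(\d+),([A-Za-z0-9_]+)(?:\((.*)\)|,(.*))?$")
Step = namedtuple("Step", "context pattern priority app args")


def parse(text):
    """Return (steps per context, included context names per context)."""
    contexts, includes, ctx = {}, {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            ctx = line[1:-1]
            contexts.setdefault(ctx, []), includes.setdefault(ctx, [])
        elif line.startswith("include"):
            includes[ctx].append(line.split("=>", 1)[1].strip())
        else:
            m = EXTEN_RE.match(line)
            if not m:
                raise ValueError(f"unparsable line: {line}")
            pattern, prio, app, paren_args, comma_args = m.groups()
            args = paren_args if paren_args is not None else (comma_args or "")
            contexts[ctx].append(Step(ctx, pattern.strip(), int(prio), app, args))
    return contexts, includes


def pattern_to_regex(pattern):
    """Asterisk pattern -> regex: X=0-9, Z=1-9, N=2-9, [..]=set, '.'=one or
    more of anything, '!'=zero or more. No leading '_' means a literal exten."""
    if not pattern.startswith("_"):
        return re.escape(pattern)
    out, p, i = [], pattern[1:], 0
    while i < len(p):
        if p[i] == "[":
            j = p.index("]", i)
            out.append("[" + p[i + 1:j] + "]")
            i = j
        else:
            out.append({"X": "[0-9]", "Z": "[1-9]", "N": "[2-9]", ".": ".+", "!": ".*"}.get(p[i], re.escape(p[i])))
        i += 1
    return "".join(out)


def resolve(dialplan, context, dialed, seen=None):
    """Steps executed for `dialed` in `context`, in priority order ([] = no match)."""
    contexts, includes = dialplan
    seen = set() if seen is None else seen  # guards against include loops
    if context in seen or context not in contexts:
        return []
    seen.add(context)
    hits = [s for s in contexts[context] if re.fullmatch(pattern_to_regex(s.pattern), dialed)]
    if hits:
        return sorted(hits, key=lambda s: s.priority)
    for inc in includes[context]:  # includes are consulted only when the context itself has no match
        hits = resolve(dialplan, inc, dialed, seen)
        if hits:
            return hits
    return []


def lint_priorities(contexts):
    """Flag extens whose priorities are not exactly 1..n (old Asterisk stops at a gap)."""
    findings, prios = [], {}
    for steps in contexts.values():
        for s in steps:
            prios.setdefault((s.context, s.pattern), []).append(s.priority)
    for (ctx, pat), ps in prios.items():
        if sorted(ps) != list(range(1, len(ps) + 1)):
            findings.append(f"[{ctx}] {pat}: priorities {sorted(ps)} are not 1..{len(ps)}")
    return findings
```

Resolving `12346` in theflintstones returns nothing, which matches the post: the plan so far only dials out via CAPI, and internal SIP-to-SIP calls still need their own extens.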

Now, this configuration does not work for us: When I dial on the SIP-Phone, Asterisk notices this, actually connects the ISDN-line (the target phone actually rings), but does not seem to notice when the target phone is answered.

If I answer the phone, it’s just silence in the line. The SIP-phone is still in the “trying to connect”-state.

This stays this way until I cancel the dial attempt in the SIP-phone. After that, asterisk prints more log entries – one of them the notice that the connection was successfully established.

A question on the mailing list was promptly answered: My configuration is correct, but maybe I’m running into a bug of kernel 2.6.11. I was told to downgrade to 2.6.10, which is what I’m going to do next.

After this, I will extend the dial plan so I can call the internal SIP-phones both from another softphone or from a real phone over the ISDN

It’s hacky, it’s just somewhat working, but it’s a lot of fun!

I’ll keep you updated.

World Of Warcraft – A little Newbie-Guide

I just had three of the most pleasant hours I’ve ever had with gaming. As you can imagine, the game was World of Warcraft (I hereby promise not to post any more WoW-related stuff in the near future, but bear with me one last time ;-)

I’m playing as a human mage and I’ve now reached level 17 (looking forward to 18 to get more spells)

For some time, I had problems getting along, but it’s really better now, so I though I maybe give you some advice if you too play as a human mage:

  • When you’re first sent to westfall, you may be completely under-leveled. It began being fun for me about at level 15 or so, but when you get there, you’re usually at 9 to 11. You can do two things to remedy that:
    • Join groups (use the /4 chat-command). As a group you’re so much more efficient
    • Use the underground railroad (it’s in the dwarven district) in Stormwind to go to the dwarven capital city Ironforge and from there take some quests outside and in Loch Modan (east of the region around Ironforge). Those are easy to do for you and the scenery is much nicer than in Westfall
  • Never hesitate to talk to people. So far, I never had problems getting along with other players. Don’t be afraid and talk to them. You have so much better chance of accomplishing something if you work in groups.
  • Try to meet with people you’ve already met. Once you know them better, it becomes even more fun
  • As a mage, never… I repeat… never try to attack a group of enemies. Wait till they separate. Or Sheep them and attack just one.

I really think the balance of difficulty is way off in Westfall and maybe the guys at Blizzard will fix that in the future. Until then, you will have much fun in the dwarven lands. Return to Westfall after reaching level 15 or so and do the easier quests first. Talk to people. You’ll see: It will get fun. Much fun.

World Of Warcraft Patch

Today, when I wanted to login with my somewhat tweaked installation of WoW, I was greeted with an error message telling me something about not being able to verify my version.

This was fixed by temporarily using the US login-servers so that the new patch could be installed.

During installation of said patch I found this note here:

– Reduced the respawn rate of the troggs on the islands in Loch Modan.

This is nice – just yesterday I’ve had some serious problems with those troggs there. Too bad, the patch was released only today when I don’t have to go back there.