OpenVPN: Update Client DNS Servers on Mac OS X Using the Command Line.
There's a bit of a debate on how best to update your DNS resolver on Mac OS X when connecting to an OpenVPN Server. For whatever reason, even if use DHCP on the VPN server, OS X won't use the assigned DNS server(s). It's been recommended to use scutil, but the scripts are crazy long and I've read the resolver order sometimes gets reset anyway.
The usual route of using /etc/resolv.conf does not work on OS X but specifying DNS servers in your Network Preferences does. If you use public network servers like 8.8.8.8 or 4.2.2.2, you're already set. Move along 
But if you rely on DHCP assigned DNS servers, the the script below will do the trick. This script specifies or clears (sets back to DHCP default) the DNS servers on each of the adapters listed in networksetup.
#!/bin/bash
# Set bash delimeter to be line break
IFS=$'\n'
# VPN DNS Server
vpndns='172.20.0.1'
# Get adapter list
adapters=`networksetup -listallnetworkservices |grep -v denotes`
for adapter in $adapters
do
echo updating dns for $adapter
dnssvr=(`networksetup -getdnsservers $adapter`)
if [ $dnssvr != $vpndns ]; then
# set dns server to the vpn dns server
networksetup -setdnsservers $adapter $vpndns
else
# revert back to DHCP assigned DNS Servers
networksetup -setdnsservers $adapter empty
fi
doneAgain, if you already set your DNS servers, your OpenVPN connection will use those. This script is effective for people who use DHCP assigned DNS servers by default and would like to tunnel their DNS requests when connecting to an OpenVPN server.
OpenWRT & PPTPD: A Love Story
Firesheep got me thinkin' that I should probably do a little more to beef up the security of my Internet connection on public networks. PPTP has always been a favorite of mine, because it hides traffic well enough to deter most people and it's easy to setup on both Linux and Windows. I ran a Windows PPTP server for years, but recently decided to just host the service my WRT54GS v3 router running OpenWRT. Three hours later, I've got it running smoothly. Here's how I did it:
First, I installed and setup OpenWrt Backfire 10.03 and set my internal IP pool to be on the 172.16.x net, with the gateway (OpenWRT router being 172.16.1.1). Then, I headed over to OpenWRT's PPTPD HOW-TO.
opkg update
opkg install pptpd
opkg install kmod-crypto
opkg install kmod-mppe
/etc/init.d/pptpd enable
/etc/init.d/pptpd start
I believe my /etc/ppp/options file doesn't have any modifications, but just in case, this is what it looks like:
#debug
logfile /dev/null
noaccomp
nopcomp
nocrtscts
lock
maxfail 0
lcp-echo-failure 5
lcp-echo-interval 1
Now that I think about it, very few modifications were ultimately made to /etc/ppp/options.pptpd
auth
name "pptp-server"
lcp-echo-failure 3
lcp-echo-interval 60
default-asyncmap
mtu 1482
mru 1482
nobsdcomp
nodeflate
#noproxyarp
#nomppc
chapms-strip-domain
# Otherwise, your chap-secret file will have to include "DOMAIN\\user" instead of user.
mppe required,no40,no56,stateless
require-mschap-v2
refuse-chap
refuse-mschap
refuse-eap
refuse-pap
ms-dns 172.16.1.1
#plugin radius.so
#radius-config-file /etc/radius.conf
If you compare this to the original file, you'll notice I deleted the entry "172.16.1.1:" at the top of the file, and added the entry: ms-dns 172.16.1.1. I don't know why, but DNS didn't work well when the the client's defaults were used so I forced them to use the router's LAN DNS server.
Then I added some users to the /etc/ppp/chap-secrets file. I'll paste the contents, then go over the details. Oh, and don't forget to chmod 600 /etc/chap-secrets because the file's perms are insecure by default:
#USERNAME PROVIDER PASSWORD IPADDRESS
iphone pptp-server suprAdv4ncedPwd! 192.168.80.1
ipad pptp-server rlyAdv4ncedPwd! 192.168.80.11
hackbook pptp-server megaAdv4ncedPwd! 191.68.80.3
windows pptp-server ttllyAdv4ncedPwd! 192.168.80.2
extra pptp-server megaAdv4ncedPwd! 192.68.80.4
The chap-secrets file alone suggests that OpenWRT/PPTP is not an enterprise solution. I wouldn't propose it for any company with a decent budget, but times are tough and ghetto is looking better than ever to many companies.
I would actually have fewer entries in this file if the IPADDRESS field was not such a big issue. Unfortunately, it seems that the DHCP pool has been compiled into the service. It sets up the router's pppN to be 192.168.0.x and assigns the clients a 192.168.1.x address by default. Which is unfortunate, because SO DOES EVER OTHER RESIDENTIAL ROUTER, EVER. So routing issues keep pop up. Because of that, I force PPTPD to assign each user a specific IP, in the 192.168.80.x range because I've never seen any router use that subnet.
The usernames are whatever you'd like them to be (I made them the name of my devices) but if you are dialing-in from a Windows machine, you will have to preface the username with the Windows domain name or the name of your workstation if you are not on a domain UPDATE: adding chapms-strip-domain to options.pptpd fixes this. The "pptp-server" is what the service was named in options.pptd, the password is just that, and the IPADDRESS is the IP that the given client will be assigned.
Initially, my /etc/firewall.user didn't have all the proper entries, so my client was able to authenticate and all that, but no traffic was being routed to the 172.16.x subnet, nor was it being routed to the Internet. Here's what worked:
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
iptables -A input_wan -p tcp --dport 1723 -j ACCEPT
iptables -A input_wan -p gre -j ACCEPT
iptables -A input_rule -i ppp+ -j ACCEPT
iptables -A forwarding_rule -i ppp+ -j ACCEPT
iptables -A forwarding_rule -o ppp+ -j ACCEPT
iptables -A output_rule -o ppp+ -j ACCEPT
The first block allows clients to connect to the PPTP service and the second one allows it to communicate with both the Internet and the local network. And viola, you are done. I know it seems straightforward and doesn't deviate much for the default install, but it took over three hours of trial and error to get here. I've logged in successfully with an iPhone (over 3G, EDGE and wifi), an iPad, a Windows 7 machine and Mac OS X. The iPhone is of special importance to me -- after connecting to a local coffee shop's unsecured network on my laptop and my iPhone, I successfully hijacked my iPhone's Facebook app session using FireSheep. So, now I'll be encapsulating all of my traffic by sending it over to the fiber connection at my office, what what.
Next up, I'll probably start playing around with the RADIUS plugin. Stay tuned.
HOWTO: Simply Connect Mac OSX to a dd-wrt OpenVPN Server on TCP Port 443
If you find yourself on a really restrictive network but still want to connect to a remote VPN, consider this solution. It allows you to connect a Mac OS X OpenVPN client to an OpenVPN server using a static key. I figured it out using a combination of webistes, including dd-wrt's OpenVPN wiki, OpenVPN's documentation, and tinyapps.org.
This solution can probably be way more automated using tunnelblick, but I'm alright with running a couple scripts (for now) to get my VPN going. Here's what you'll need:
Network
- No web proxy or a proxy that allows persistent connections.
Server
- A Linksys WRT54GL router
- dd-wrt.v24_vpn_generic.bin (follow instructions on the website to flash from scratch.)
Client
- MacOS X Snow Leopard
- OpenVPN v2.1.3
- tuntap_20090913.tar.gz
- lzo 2.02
I downloaded all of these then compiled and installed them myself. Not because I'm leet, but because the network I was on blocked sync and I couldn't use MacPorts. So go download and compile these or use MacPorts.
First thing is first, I changed the subnet on my wireless router. I hate the 192.168 subnet; it's aesthetically unappealing and overused. Now 172.20.0.x is something pretty. Let's go with that.
We will not be using dd-wrt's GUI to enable or configure OpenVPN, but rather startup and firewall scripts in the /tmp directory. I also avoid using the default protocol and port (udp, 1194) and go with tcp port 443.
Here's a step by step
Server
- Generate the static key: openvpn --genkey --secret static.key
- Cat that key and place it in your clipboard
- Open up dd-wrt's admin webpage, and go to Administration -> Commands. Paste the following:
openvpn --mktun --dev tap0
brctl addif br0 tap0
ifconfig tap0 0.0.0.0 promisc up
echo "
-----BEGIN OpenVPN Static key V1-----
[Insert your static key here]
-----END OpenVPN Static key V1-----
"> /tmp/static.key
ln -s /usr/sbin/openvpn /tmp/myvpn
/tmp/myvpn --dev tap0 --secret /tmp/static.key --comp-lzo --port 443 --proto tcp-server --verb 3 --daemon
- Save that to Startup Scripts
- Next, back in the blank box, we'll place the code for the firewall and NAT:
iptables -I INPUT 1 -p tcp --dport 443 -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADEClient
You will be creating 2 scripts and one key: openvpn.conf, startvpn.sh and secret.key. Place them in ~/Library/openvpn.
For your key, copy/paste your static.key from the dd-wrt router into a file named secret.key. Save the following two scripts as openvpn.conf and startvpn.sh, respectively. Don't forget to make startvpn.sh executable.
#openvpn.conf
remote my.vpn.external.ip
port 443
dev tap0
secret static.key
proto tcp-client
comp-lzo
Now this part is kinda ghetto. I want to route all my traffic through the VPN but I was unable to get route-gateway and redirect-gateway to work inside of openvpn.conf. I decided to save time and just do it through the startup script instead.
kill -9 `ps aux | grep openvpn.conf |grep config| awk '{ print $2 }'`
openvpn2 --config openvpn.conf --script-security 2 &
sleep 3
# Change your vpn server and internal subnet here
vpnserver='my.external.vpn.ip'
vpngw='172.20.0.1'
# If you use DHCP supplied DNS Servers, leave this as true
changedns=true
previousgw=`cat ./gateway 2> /dev/null`
currentgw=`netstat -nr | grep '^default' | awk '{ print $2 }'`
if [ -f ./gateway ]
then
# Set it back to the regular gateway
route delete default
route delete $vpnserver $previousgw
route add default $previousgw
rm ./gateway
echo gateway set back
if [ $changedns ]; then
networksetup -setdnsservers Ethernet empty
networksetup -setdnsservers Airport empty
echo dns reset
fi
else
# Set it to the VPN gw
route add $vpnserver $currentgw
sleep 7
route delete default
route add default $vpngw
echo $currentgw > ./gateway
# Tunnel your DNS Requests too.
if [ $changdns ]; then
networksetup -setdnsservers Ethernet $vpngw
networksetup -setdnsservers Airport $vpngw
echo new dns set
fi
fiCheck out this post on updating client-side DNS servers if you'd like to update all of your adapters instead of the ones most often used (Ethernet and Airport.)
Or something like that... Simple, right? 
SCO UNIX: Permanently Change a Static IP Address in SCO
If you need to temporarily add an IP address in SCO, you can use ifconfig
ifconfig net0 inet 172.16.1.10 netmask 255.255.255.0
But really, that just creates an alias that will disappear once the server has been rebooted. In order to permanently change an IP address on a SCO OpenServer Release 5, I used SCO's menu driven tcp configuration tool, netconfig.
My version of SCO was so fonky and old, though, that I didn't even have the option to use DHCP. And I was told by my client that the color completely left my face when I saw the following screen once I exited netconfig:
The UNIX Operating System will now be rebuilt. This will take a few minutes. Please wait.
Root for this system build is /
The UNIX Kernel has been rebuilt.
That's right.. SCO's kernel has to be completely recompiled in order to make a change to TCP! Ridiculous. Thankfully, the kernel recompiled, and the system rebooted with the desired changes. Oh, and here's a nice resource for SCO on VMware that I found while researching for this blog post.
VMware ESXi 4.0: Create Virtual Machine Error Caused by NSF File on Western Digital MyBook WE
Such an awkward title, I know. It's just hard to encapsulate the following error message into a blog post title:
Create virtual machine 172.16.1.129 Error caused by file /vmfs/volumes/0-cb8d2a5-20-f15722/win-2k8.vmdk
Basically, I'm taking ghetto to the next level by using my Dell Optiplex 745 workstation as an ESXi 4.0 server, and using a Western Digital MyBook World Edition as an NFS server which will store the VM images. The MyBook is actually very cool; it's a quiet, visually appealing mirrored 1TB NAS. After manually enabling the NFS server, I was able to mount the shares in VMware but was unable to write to it. Attempting to create a VM would error out with the following in the messages log:
Hostd: [2010-01-22 19:45:36.384 5AA03B90 verbose 'ha-host'] ModeMgr::Begin: op = normal, current = normal, count = 0
Hostd: [2010-01-22 19:45:36.385 5AA03B90 info 'ha-eventmgr'] Event 18 : Creating win2k8 on host whateves.lan in ha-datacenter
Hostd: [2010-01-22 19:45:36.385 5AA03B90 verbose 'HostsvcPlugin'] CreateEntry '64'
Hostd: [2010-01-22 19:45:36.385 5AA03B90 verbose 'ResourcePool ha-root-pool'] Added child 64 to pool
Hostd: [2010-01-22 19:45:36.385 5AA03B90 verbose 'Vmsvc'] Create VM initiated [64]: /vmfs/volumes/0cb8d2a5-20f15722/win2k8/win2k8.vmx
Hostd: [2010-01-22 19:45:36.387 5AA03B90 verbose 'vm:/vmfs/volumes/0cb8d2a5-20f15722/win2k8/win2k8.vmx'] CreateVmDirectory: Creating vm dir (as vm principal user) '/vmfs/volumes/0cb8d2a5-20f15722/win2k8'
Hostd: [2010-01-22 19:45:36.388 5AA03B90 info 'App'] CreateDirectory: Calling _file->CreateDirectory with _file = [N7Vmacore6System8FileImplE:0x5af0ae58]
Hostd: [2010-01-22 19:45:36.388 5AA03B90 info 'App'] CreateDirectory: Calling _file->CreateDirectory for /vmfs/volumes/0cb8d2a5-20f15722/win2k8
Hostd: [2010-01-22 19:45:36.389 5AA03B90 verbose 'vm:/vmfs/volumes/0cb8d2a5-20f15722/win2k8/win2k8.vmx'] CreateVmDirectory: Failed to create vm dir (as vm principal user) '/vmfs/volumes/0cb8d2a5-20f15722/win2k8'.
Hostd: [2010-01-22 19:45:36.389 5AA03B90 verbose 'vm:/vmfs/volumes/0cb8d2a5-20f15722/win2k8/win2k8.vmx'] CreateVmDirectory: Creating vm dir (as superuser) '/vmfs/volumes/0cb8d2a5-20f15722/win2k8'
Hostd: [2010-01-22 19:45:36.390 5AA03B90 warning 'vm:/vmfs/volumes/0cb8d2a5-20f15722/win2k8/win2k8.vmx'] CreateVmDirectory: Failed to create vm dir '/vmfs/volumes/0cb8d2a5-20f15722/win2k8'
Hostd: [2010-01-22 19:45:36.391 5AA03B90 info 'vm:/vmfs/volumes/0cb8d2a5-20f15722/win2k8/win2k8.vmx'] Create failed with given spec: /vmfs/volumes/0cb8d2a5-20f15722/win2k8/win2k8.vmx
Hostd: (vim.vm.ConfigSpec) { dynamicType = <unset>, changeVersion = <unset>, name = "win2k8", version = "vmx-07", uuid = <unset>, instanceUuid = <unset>, npivWorldWideNameType = <unset>, npivDesiredNodeW
wns = <unset>, npivDesiredPortWwns = <unset>, npivTemporaryDisabled = <unset>, npivOnNonRdmDisks = <unset>, npivWorldWideNameOp = <unset>, locationId = <unset>, guestId = "winLonghorn64Guest", alternateGuestName = "Microsoft Wi
ndows Server 2008 (64-bit)", annotation = <unset>, files = (vim.vm.FileInfo) { dynamicType = <unset>, vmPathName = "[VMs]", snapshotDirectory = "[VMs]", suspendDirectory = <unset>, logDirectory = <unset>, },
tools = (vim.vm.ToolsConfigInfo) { dynamicType = <unset>, toolsVersion = <unset>, afterPowerOn = true, afterResume = true, beforeGuestStandby = true, beforeGuestShutdown = true, beforeGuestReboot = true,
toolsUpgradePolicy = <unset>, pendingCustomization = <unset>, syncTimeWithHost = <unset>, }, flags = (vim.vm.FlagInfo) null, consolePreferences = (
Hostd: [2010-01-22 19:45:36.391 5AA03B90 info 'vm:/vmfs/volumes/0cb8d2a5-20f15722/win2k8/win2k8.vmx'] Exception thrown vim.fault.FileFault
Hostd: [2010-01-22 19:45:36.391 5AA03B90 info 'TaskManager'] Task Completed : haTask-ha-folder-vm-vim.Folder.createVm-172 Status error
Hostd: [2010-01-22 19:45:36.391 5AA03B90 verbose 'ha-host'] ModeMgr::End: op = normal, current = normal, count = 1
Hostd: [2010-01-22 19:45:36.391 5AA03B90 verbose 'vm:/vmfs/volumes/0cb8d2a5-20f15722/win2k8/win2k8.vmx'] RemoveFromAutoStart
Hostd: [2010-01-22 19:45:36.391 5AA03B90 verbose 'Hostsvc::AutoStartManager'] Request spec is (vim.host.AutoStartManager.Config) { dynamicType = <unset>, defaults = (vim.host.AutoStartManager.SystemDefaults) null, powerInfo
= (vim.host.AutoStartManager.AutoPowerInfo) [ (vim.host.AutoStartManager.AutoPowerInfo) { dynamicType = <unset>, key = 'vim.VirtualMachine:64', startOrder = -1, startDelay = -1, waitForHeartbeat = "n
o", startAction = "none", stopDelay = -1, stopAction = "none", } ], }
Hostd: [2010-01-22 19:45:36.391 5AA03B90 verbose 'Hostsvc::AutoStartManager'] Updated AutoStart sequence.
Hostd: [2010-01-22 19:45:36.392 5AA03B90 verbose 'Hostsvc::AutoStartManager'] Autostart info after reconfiguration: (vim.host.AutoStartManager.Config) { dynamicType = <unset>, defaults = (vim.host.AutoStartManager.SystemDefault
s) { dynamicType = <unset>, enabled = <unset>, startDelay = 120, stopDelay = 120, waitForHeartbeat = false, stopAction = "PowerOff", }, }
Hostd: [2010-01-22 19:45:36.392 5AA03B90 verbose 'Vmsvc'] Released Vm Id: 64.
Hostd: [2010-01-22 19:45:36.392 5AA03B90 verbose 'HostsvcPlugin'] RemoveEntry '64'
Hostd: [2010-01-22 19:45:36.392 5AA03B90 verbose 'HostsvcPlugin'] RemoveEntry succeeded
Hostd: [2010-01-22 19:45:36.392 5AA03B90 verbose 'ResourcePool ha-root-pool'] Removed child 64 from pool
Hostd: [2010-01-22 19:45:36.392 5A9C2B90 verbose 'App'] Looking up object with name = "64" failed.
Hostd: [2010-01-22 19:45:36.392 5AA03B90 info 'vm:/vmfs/volumes/0cb8d2a5-20f15722/win2k8/win2k8.vmx'] Create worker thread failed
Hostd: [2010-01-22 19:45:36.393 5AA03B90 verbose 'Statssvc'] EntityRemovedListener: Deleting stats for entity 64
Hostd: [2010-01-22 19:45:36.565 5AA44B90 verbose 'DvsTracker'] FetchDVPortgroups: added 0 items
Hostd: [2010-01-22 19:45:41.690 5AA03B90 verbose 'App'] Looking up object with name = "haTask-ha-host-vim.host.DatastoreSystem.removeDatastore-114" failed.
After searching the 'nets for about an hour, I found a post on MyBook World that addressed my issue. By default the MyBook mounts NFS shares as read-only. To change that, I modified the /etc/exports file, changing all instances of "ro" to "rw."
/nfs/Public *(rw,all_squash,sync,insecure,anonuid=65534,anongid=65534)
/nfs/Download *(rw,all_squash,sync,insecure,anonuid=65534,anongid=65534)
Then, I restarted the service by issuing /etc/init.d/S80nfsd restart. Once the restart was complete, my VM creation was successful
OpenWRT: iptables-based Firewall Rules for PPTP and IPsec
Just a handy little reference for myself.
#Internal PPTP Server
vpnserver="172.16.1.10"
iptables -N pptp
iptables -A pptp -p tcp --destination-port 1723 --dst $vpnserver -j ACCEPT
iptables -A pptp -p gre --dst $vpnserver -j ACCEPT
iptables -I FORWARD -j pptp
iptables -t nat -N pptp
iptables -t nat -A pptp -i $WAN -p tcp --dport 1723 -j DNAT --to $vpnserver
iptables -t nat -A pptp -i $WAN -p 47 -j DNAT --to $vpnserver
iptables -t nat -A PREROUTING -j pptp
### Gateway Router-based IPSEC VPN
# allow IPSEC
iptables -A input_rule -p esp -j ACCEPT
# allow ISAKMP
iptables -A input_rule -p udp -m udp --dport 500 -j ACCEPT
# allow NAT-T
iptables -A input_rule -p udp -m udp --dport 4500 -j ACCEPT
# disable NAT for communications with remote LAN
iptables -t nat -A postrouting_rule -d 172.16.0.0/24 -j ACCEPT
# Allow any traffic between tunnel LANs
iptables -A forwarding_rule -i $LAN -o ipsec0 -j ACCEPT
iptables -A forwarding_rule -i ipsec0 -o $LAN -j ACCEPTSetting Up a Site-to-Site VPN using a Linksys RV082 and OpenWrt/Openswan on a WRT54GS
After a week of trying out several different types of VPNs (PPTP, SSTP, IPSEC) at my new office, I finally figured out a solution to setup a WAN between my Linksys WRT54GSv3 and a Linksys RV082 business router. The solution was initially presented by Joe Kelly at NerdBoys.com but I couldn't get it to actually work until tonight.
Being a big fan of DD-WRT, I was hoping that I would be able to use it for my IPSEC VPN but DD-WRT only supports OpenVPN, not Openswan, which is what I need to connect to the remote RV082 router.
The techniques provided by Joe worked but the software did not. Apparently, I had to downgrade to OpenWrt from his suggested RC6 to RC4. With RC6, I could establish a tunnel successfully, but I could not ping and traffic did not go through either side. I thought it was my routing table but RC4 has the same routing table and it works perfectly.
Setting up a tunnel is actually easier than I expected -- I had to modify just 3 files on my OpenWrt install and add one tunnel to my RV082. So here's what my network looks like:
| OpenWRT (LFT) | RV082 (ATX) | |
| External IP | 24.0.175.222 | 4.2.2.2 |
| External Gateway | 24.0.175.221 | 4.2.2.1 |
| Internal IP | 172.16.1.1 | 172.16.0.1 |
| Internal Subnet | 172.16.1.0 | 172.16.0.0 |
| Internal Subnet Mask | 255.255.255.0 | 255.255.255.0 |
File 1: /etc/ipsec.conf
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
plutodebug="none"
klipsdebug="none"
nat_traversal=no
interfaces=%defaultroute
# Add connections here
conn LFT-to-ATX
authby=secret
keyexchange=ike
ikelifetime=480m
keylife=60m
pfs=yes
left=24.0.175.222
leftsubnet=172.16.1.0/24
leftsourceip=172.16.1.1
leftnexthop=24.0.175.221
right=4.2.2.2
rightsubnet=172.16.0.0/24
rightnexthop=4.2.2.1
auto=start
dpddelay=10
dpdtimeout=30
dpdaction=hold
#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
File 2: /etc/ipsec.secrets
: PSK "mybigolsecret"
I appended the following on file 3: /etc/firewall.user
### IPSec VPN
# allow IPSEC
iptables -A input_rule -p esp -j ACCEPT
# allow ISAKMP
iptables -A input_rule -p udp -m udp --dport 500 -j ACCEPT
# allow NAT-T
iptables -A input_rule -p udp -m udp --dport 4500 -j ACCEPT
# disable NAT for communications with remote LAN
iptables -t nat -A postrouting_rule -d 172.16.0.0/24 -j ACCEPT
# Allow any traffic between tunnel LANs
iptables -A forwarding_rule -i $LAN -o ipsec0 -j ACCEPT
iptables -A forwarding_rule -i ipsec0 -o $LAN -j ACCEPT
After restarting ipsec on OpenWrt (ipsec setup restart), the following routing table was produced:
| Destination | Gateway | Genmask | Flags | Metric | Ref | Use | Iface |
| 24.0.175.220 | 0.0.0.0 | 255.255.255.252 | U | 0 | 0 | 0 | ipsec0 |
| 24.0.175.220 | 0.0.0.0 | 255.255.255.252 | U | 0 | 0 | 0 | vlan1 |
| 172.16.1.0 | 0.0.0.0 | 255.255.255.0 | U | 0 | 0 | 0 | br0 |
| 172.16.0.0 | 24.0.175.221 | 255.255.255.0 | UG | 0 | 0 | 0 | ipsec0 |
| 0.0.0.0 | 24.0.175.221 | 0.0.0.0 | UG | 0 | 0 | 0 | vlan1 |
As for the configuration on the RV082 side, it looks like this:
Click
The RV082's routing table looks like so:
| Destination IP Address | Subnet Mask | Default Gateway | Hop Count | Interface |
| 4.2.2.0 | 255.255.255.248 | * | 40 | ixp1 |
| 4.2.2.0 | 255.255.255.248 | * | 45 | ipsec0 |
| 172.16.1.0 | 255.255.255.0 | 4.2.2.1 | 10 | ipsec0 |
| 172.16.0.0 | 255.255.255.0 | * | 50 | ixp0 |
| default | 0.0.0.0 | 4.2.2.1 | 40 | ixp1 |
And voila! A secure, perma-VPN is born. There are big ol gaps in information here, but Joe's fab post fills in much of that if you need it.
Securing Apache using mod_ssl, OpenSSL and Microsoft Certificate Authority (CA)
Recently, I used my Windows-based domain's Enterprise Root Certification Authority to secure my subversion repository that is hosted on an Apache-based server. The process was rather straight-forward and relatively fast -- especially because I skipped over all of the file transfers and just used vi/notepad to copy/paste all the key info. The first step in this process is to generate a server key on the Linux machine:
ariel:~ # openssl genrsa -des3 -out ariel.corp.netnerds.net.key 1024
Generating RSA private key, 1024 bit long modulus
............++++++
................................................................................
...................................++++++
e is 65537 (0x10001)
Enter pass phrase for ariel.corp.netnerds.net.key: **********
Verifying - Enter pass phrase for ariel.corp.netnerds.net.key: **********Next, I used the key to create a certificate signing request
ariel:~ # openssl req -new -key ariel.corp.netnerds.net.key -out ariel.corp.netnerds.net.csr
Enter pass phrase for ariel.key: **********
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:LA
Locality Name (eg, city) []:Kaplan
Organization Name (eg, company) [Internet Widgits Pty Ltd]:netnerds
Organizational Unit Name (eg, section) []:IT
Common Name (eg, YOUR name) []:ariel.corp.netnerds.net
Email Address []:postmaster@netnerds.net
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:Next, I concatenated the contents of ariel.corp.netnerds.net.csr and copied that into my clipboard. The request looked something like this:
-----BEGIN CERTIFICATE REQUEST-----
wCvPKErAn5QBKFwlT5RCcOjeSZhAOx3UNe+Ispk874rvvwL6YIApAsMujrUlDNVo
......
vwL6
-----END CERTIFICATE REQUEST-----I then opened up my domain's CA @ http://windowsCA/certsrv and went to
- Request a certificate
Or, submit an advanced certificate request. - Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
- Saved Request:
-----BEGIN CERTIFICATE REQUEST-----
wCvPKErAn5QBKFwlT5RCcOjeSZhAOx3UNe+Ispk874rvvwL6YIApAsMujrUlDNVo
......
vwL6
-----END CERTIFICATE REQUEST-----Certificate Template: Web Server
Note: Be sure to decline when prompted by the browser to install the certificate locally.
I then opened the file in notepad, and copied the contents back into Linux as temp.key. In order to avoid having to type the passphrase in each time Apache is restarted, I decoded the key and moved that to the Apache directory.
openssl rsa -in temp.key -out ariel.corp.netnerds.net-decoded.keyNext, I copied the files into the appropriate directories in /etc/apache/ssl* and modified my /etc/apache2/vhosts.d/vhost-ssl.conf and added the appropriate file locations:
SSLCertificateFile /etc/apache2/ssl.crt/ariel.corp.netnerds.net.crt
SSLCertificateKeyFile /etc/apache2/ssl.key/ariel.corp.netnerds.net-decoded.keyFinally, I restarted the apache service and then partied to Wayne Toups.
Windows 7: Disable Unnecessary Services on a Domain Workstation
I finally took the plunge and installed Windows 7 on my Dell Netbook (Inspiron mini iM10-008B). I originally bought the Dell to make it into a Hackbook but after I realized how time-intensive the initial setup may be, I looked to installing Win 7 for instant newness gratification.
Initially, I was going to install the Enterprise version of Win 7 like I had done with Vista, but I decided on Ultimate since Ultimate is essentially the "Enterprise version for consumers" and I didn't have to have a local Key server around to validate my install.
The Netbook I purchased came with only 1GB RAM so it's especially important that I keep it running as efficiently as possible. I performed the basic tweak of setting Win 7 for Best Performance and then began checking out which services I could disable. I found Black Viper's Service Configurations page and used that as a guide to modifying my own services. His recommendations appeared more geared towards machines that are not on a domain, so my setup is a bit different from his. I have a Windows 2008-based domain and, while I know it offers a lot of Vista/7 specific features, I don't have time to explore them right all so my setup is geared towards a basic domain membership.
Ultimately, I was able to reduce initial memory usage to 480 MB. That's a lot, but better than the ~600MB or so used by default. There are 144 services that I reviewed, including the AVG firewall service. So without further ado...
Securing Subversion with Windows 2008 Kerberos-Based SSO and Linux-Based Apache
Some things just belong on Linux. Like Subversion and Apache, for instance. I've seen the ghetto workarounds for Windows-based Apache installs and no thanks -- I'd much rather waste my time on ghetto SharePoint workarounds.
But I sure do like the way Windows-based web servers such as IIS seamlessly and securely authenticate users across a domain. I wanted Apache to do the same and, after a week of trying various methods of authentication, I found the easiest, most efficient way is to use SSL, Kerberos, and Likewise.
I start this project, as I do all of my Linux projects, by using a fresh install of SuSE Linux Enterprise Server (SLES 11). During the initial install, I made sure to use a local passwd file for authentication. Likewise takes care of all the advanced authentication methods after the install is complete. When using Likewise, do not attempt to use YaST to configure authentication or you'll run into a variety of pam and krb5 key issues.
Here are the following steps and tutorials I used to accomplish my goal of SSO
- Install and configure Likewise Open.
- Joining a domain is as easy as /opt/likewise/bin/domainjoin-cli join corp.netnerds.net Administrator, even when authenticating against Windows 2008 Active Directory.
- Setup Apache to support SSL
- Setup Apache to support Kerberos-based SSO
- My ktpass, for example, looks like this:
ktpass /out http.ktb /princ HTTP/ariel.corp.netnerds.net@CORP.NETNERDS.NET /pass SkiAlta2009 /mapuser corp\linuxweb
- My ktpass, for example, looks like this:
- Install the One-Click Installer that comes with OpenSuSE by default, but not SLES 11.
- yast -i yast2-metapackage-handler
- Add the subversion packages to the local repository.
- OCICLI http://software.opensuse.org/ymp/Subversion/SLE_11/subversion.ymp
- Go into YaST and install the necessary subversion packages.
- Follow the OpenSuSE tutorial for Setting Up a Subversion Server Using Aapache 2
- Throw a party! Just turn up Pandora's Cajun station and DANCE.
I recommend using your domain's own Certificate Authority to generate the SSL cert that Apache will use. That way, users won't be prompted to accept an untrusted self-signed SSL certificate.
Have fun!
About
-
We are IT consultants
who grew up living and loving life
in Cajun Country.
Authors
Categories
