You are such a geek... (http://geekyschmidt.com): Binary makes me giggle

OpenVPN Install Ubuntu 9.10
http://geekyschmidt.com/2010/02/27/openvpn-install-ubuntu-9-10
Sat, 27 Feb 2010 19:13:18 +0000, by admin

A good buddy of mine, Trevor, had mentioned wanting to bridge his brother's network and his own. Having done an OpenVPN install many moons ago, it had resonated with the "I need to do that again" list in my head. When the N900 arrived it seemed like the perfect opportunity to have the phone use a VPN tunnel to secure its traffic while on an open AP. Here is my config:

The first step was to get a current version of OpenVPN installed on the Ubuntu 9.10 server. I went with a bridged (tap) setup rather than a routed (tun) one so that I could play more easily with my VMware clusters at the house and the lab with my BeOS and OpenBSD boxes: a bridge puts the VPN clients on the same Ethernet segment as the LAN, so broadcast-dependent things just work.

sudo apt-get install openvpn bridge-utils

Next I set up a bridged adapter on the Ubuntu 9.10 box to give me transparent access. Open /etc/network/interfaces in vi and make it look like this (eth0 gives up its address and br0 takes it over):

auto lo br0
iface lo inet loopback

iface br0 inet static
address 172.16.1.102
network 172.16.1.0
broadcast 172.16.1.255
netmask 255.255.255.0
gateway 172.16.1.1
bridge_ports eth0
bridge_fd 9
bridge_hello 2
bridge_maxage 12
bridge_stp off

iface eth0 inet manual
up ifconfig $IFACE 0.0.0.0 up
up ip link set $IFACE promisc on
down ip link set $IFACE promisc off
down ifconfig $IFACE down

Afterward you need to restart the network interfaces

sudo /etc/init.d/networking restart

Since I was using the desktop edition of Ubuntu rather than Server (this machine was a pseudo desktop for a little bit), I also enabled IP forwarding by editing /etc/sysctl.conf with vi and adding the line below. A pure layer-2 bridge does not strictly need it, but it does no harm and you will want it if you ever switch to a routed (tun) setup. Run sudo sysctl -p afterwards (or reboot) so the setting takes effect.

net.ipv4.ip_forward=1

The next few steps set up the CA you need for certificate generation. easy-rsa is pretty sweet as a quick-and-dirty CA for this type of thing. You could also use the openvpn tool to generate a single static key instead, but where is the fun in that?

sudo mkdir /etc/openvpn/easy-rsa/
sudo cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
sudo vi /etc/openvpn/easy-rsa/vars

Change these lines at the bottom so that they reflect your new CA. The same file also sets KEY_SIZE=1024; 2048 is the sensible minimum today and only makes build-dh and key generation slower (if you raise it, the DH file below becomes dh2048.pem, so adjust the cp and server.conf lines to match).

export KEY_COUNTRY="US"
export KEY_PROVINCE="VA"
export KEY_CITY="Alexandria"
export KEY_ORG="oneguynick"
export KEY_EMAIL="nick@notlikelytopostinanopenwebsite.com"

Now to generate your root

cd /etc/openvpn/easy-rsa/          ## move to the easy-rsa directory
sudo chown -R root:admin .         ## make this directory writable by the system administrators
sudo chmod g+w .                   ## (same)
source ./vars                      ## load your new vars file into the current shell
./clean-all                        ## set up the keys directory (deletes ALL existing keys)
./build-dh                         ## takes a while; consider backgrounding
./pkitool --initca                 ## creates the CA cert and key (ca.crt, ca.key)
./pkitool --server server          ## creates a server cert and key, marked as a server cert
cd keys
openvpn --genkey --secret ta.key   ## build the tls-auth HMAC key
sudo cp server.crt server.key ca.crt dh1024.pem ta.key ../../   ## into /etc/openvpn; ca.key deliberately stays put
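As an added example that is not from the original post, here is that last copy step done the way a cautious admin would: only the files server.conf references go to /etc/openvpn, the private keys end up mode 600, and ca.key, the one file that lets anyone mint new client certs, never leaves the easy-rsa directory (better still, move it off the VPN server entirely). The function names and the self-check are mine; the file names are the ones easy-rsa 2.0 produced above.

```sh
#!/bin/sh
# Install the server-side PKI files out of easy-rsa's keys/ directory.
# Added example for this post, not the author's own commands. Assumes the
# easy-rsa 2.0 layout above: keys/ holds ca.crt, ca.key, server.crt,
# server.key, dh*.pem and ta.key.

# install_server_pki KEYS_DIR DEST -> copies what server.conf references:
# public files mode 644, private keys mode 600; ca.key is never copied.
install_server_pki() {
    keys=$1 dest=$2
    for f in ca.crt server.crt server.key ta.key; do
        [ -f "$keys/$f" ] || { echo "missing $keys/$f" >&2; return 1; }
    done
    dh=$(ls "$keys"/dh*.pem 2>/dev/null | head -n 1)
    [ -n "$dh" ] || { echo "no dh*.pem in $keys (run ./build-dh)" >&2; return 1; }
    mkdir -p "$dest" || return 1
    cp "$keys/ca.crt" "$keys/server.crt" "$dh" "$dest/" || return 1
    chmod 644 "$dest/ca.crt" "$dest/server.crt" "$dest/${dh##*/}"
    # Secrets are created under a restrictive umask so they are never
    # world-readable, not even for the instant between cp and chmod.
    (umask 077 && cp "$keys/server.key" "$keys/ta.key" "$dest/") || return 1
    chmod 600 "$dest/server.key" "$dest/ta.key"
}

# check_server_pki DEST -> exit 0 only if ca.key is absent and every *.key is mode 600
check_server_pki() {
    dest=$1
    if [ -e "$dest/ca.key" ]; then
        echo "$dest/ca.key: the CA private key does not belong on the VPN server" >&2
        return 1
    fi
    loose=$(find "$dest" -name '*.key' ! -perm 600)
    if [ -n "$loose" ]; then
        echo "key files readable by others: $loose" >&2
        return 1
    fi
}

# CLI use: sh install-pki.sh /etc/openvpn/easy-rsa/keys /etc/openvpn
if [ $# -eq 2 ]; then install_server_pki "$1" "$2" && check_server_pki "$2"; fi
```

Run check_server_pki /etc/openvpn again any time you touch the directory; it is the one check that catches a stray ca.key or a key that was copied as root with a permissive umask.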

These next two up/down scripts attach the tap device to the bridge when the server starts. This is the magic that removes the manual routing you used to have to do in OpenVPN 1.x. OpenVPN runs the up script with the tap device name and its MTU as arguments; because server.conf prepends the bridge name, the scripts see br0 first.

sudo vi /etc/openvpn/up.sh

This script should contain the following

#!/bin/sh
# Called by OpenVPN as: up.sh br0 <tap device> <tun mtu> ... (br0 comes from server.conf)
BR=$1
DEV=$2
MTU=$3
/sbin/ifconfig $DEV mtu $MTU promisc up
/usr/sbin/brctl addif $BR $DEV

Now, we’ll create a “down” script.

sudo vi /etc/openvpn/down.sh

It should contain the following.

#!/bin/sh
# Called by OpenVPN on shutdown with the same arguments. Note that because
# server.conf drops privileges to user nobody, this script runs unprivileged
# and brctl will refuse; the tap device disappears anyway when the daemon exits.
BR=$1
DEV=$2
/usr/sbin/brctl delif $BR $DEV
/sbin/ifconfig $DEV down

Now, make both scripts executable.

sudo chmod +x /etc/openvpn/up.sh /etc/openvpn/down.sh

Below is my example /etc/openvpn/server.conf. Customize as you see fit.

mode server
tls-server

local 172.16.1.102
port 443 ## not the default 1194: many hotspots only let port 443 out. Note this is UDP/443,
         ## not HTTPS; a firewall that only passes TCP/443 needs "proto tcp" instead
proto udp

#bridging directive
dev tap0
up "/etc/openvpn/up.sh br0"
down "/etc/openvpn/down.sh br0"

persist-key
persist-tun

#certs
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
tls-auth ta.key 0

#cipher and compression
cipher BF-CBC # Blowfish (the OpenVPN 2.1 default); a 64-bit block cipher, so prefer an AES cipher (AES-256-CBC here, AES-256-GCM on 2.4+) if both ends support it
comp-lzo      # LZO compression; handy on a phone, but compressing before encrypting leaks information about the plaintext, so leave it off unless you need it

#DHCP-style address pool for clients (172.16.1.50-60; keep this range out of the LAN DHCP server's scope)
ifconfig-pool-persist ipp.txt
server-bridge 172.16.1.102 255.255.255.0 172.16.1.50 172.16.1.60
push "dhcp-option DNS 172.16.1.1"
push "dhcp-option DOMAIN geekyschmidt.com"
max-clients 10

#log and security
user nobody
group nogroup
keepalive 10 120
status openvpn-status.log
verb 3

Afterward restart the OpenVPN Server

sudo /etc/init.d/openvpn restart

Now it is time to generate the client certs you will need to copy to each device. I use n900 as the name here, but you can replace it with whatever you wish. I try to keep names and machines close for my poor memory; one cert per device also means a lost phone can be revoked on its own.

cd /etc/openvpn/easy-rsa/
source ./vars
./pkitool n900

You will be left with a few files in /etc/openvpn/easy-rsa/keys that you need to copy to the device. In my case I copied them to the MyDocs/openvpn area of my N900 so the applet could see them; most Linux machines keep them in /etc/openvpn. The list of files to copy is below. Mine are named n900 because of the pkitool n900 command above. Copy them over a channel you trust (scp or a USB cable), since n900.key is the device's private key, and never copy ca.key to a client.

  1. ca.crt
  2. ta.key
  3. n900.key
  4. n900.crt

Once those are on the device you need a config file. Here is mine from the N900.

### Client configuration file for OpenVPN

# Specify that this is a client
client

# Bridge device setting
dev tap

# Host name and port for the server (default port is 1194)
# note: replace with the correct values your server set up
remote notlikelytopostinanopenwebsite.com 443

# Client does not need to bind to a specific local port
nobind

# Keep trying to resolve the host name of OpenVPN server.
## The windows GUI seems to dislike the following rule.
##You may need to comment it out.
resolv-retry infinite

# Preserve state across restarts
persist-key
persist-tun

# SSL/TLS parameters - files created previously
ca ca.crt
cert n900.crt
key n900.key

# Only accept a server whose cert was issued with "pkitool --server" (as above).
# Without this, any client cert from the same CA could impersonate the server.
# On OpenVPN 2.1 and later "remote-cert-tls server" does the same via the standard EKU.
ns-cert-type server

# Since we specified the tls-auth for server, we need it for the client
# note: 0 = server, 1 = client
tls-auth ta.key 1

# Specify same cipher as server
cipher BF-CBC

# Use compression
comp-lzo

# Log verbosity (to help if there are problems)
verb 3

On the N900 you will need to install the openvpn packages from extras-testing:

sudo gainroot
apt-get install openvpn openvpn-applet

That's it! Tap the status bar on the N900 and import the config file stored in MyDocs/openvpn from earlier. It will import the keys into the correct locations and let you test the connection. A quick check that the bridge is doing its job: once connected, the phone should get an address from the 172.16.1.50-60 pool, and brctl show br0 on the server should list tap0 alongside eth0.
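A check worth running on the server.conf and client config above, as an added example that is not from the original post or from OpenVPN itself: the shell functions below pull directives out of both files, flag what a reviewer would flag here (BF-CBC, comp-lzo, dh1024, the missing server-cert check, and the WordPress smart quotes that turn --initca and up "..." into garbage), and then confirm the two sides agree on port, proto, cipher, compression and tls-auth direction. ovpn_demo runs it over a constructed pair modelled on the configs in this post; the function names and message wording are mine.

```sh
#!/bin/sh
# ovpn-lint: cross-check an OpenVPN server.conf against its client .ovpn.
# Added example for this post; not part of the original article or of
# OpenVPN. Flags the settings a reviewer would question in the two configs
# above and checks that both sides agree on port, proto, cipher, compression
# and tls-auth direction. Needs only POSIX sh plus sed, awk and grep.

# ovpn_get FILE DIRECTIVE -> the directive's arguments (first match, comments stripped)
ovpn_get() {
    sed 's/[#;].*//' "$1" | awk -v d="$2" '$1 == d { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# ovpn_has FILE DIRECTIVE -> exit 0 if the directive appears at all
ovpn_has() {
    sed 's/[#;].*//' "$1" | awk -v d="$2" '$1 == d { f = 1 } END { exit !f }'
}

# ovpn_lint SERVER_CONF CLIENT_CONF -> one finding per line on stdout; exit 1 if any
ovpn_lint() {
    srv=$1 cli=$2 out=""
    note() { out="$out$1
"; }
    for f in "$srv" "$cli"; do
        # WordPress-style quotes and dashes silently break "--initca" and up "...": catch them first
        LC_ALL=C grep -q '[^[:print:][:space:]]' "$f" &&
            note "$f: non-ASCII bytes (smart quotes or dashes from a web copy-paste?)"
        case "$(ovpn_get "$f" cipher)" in
            BF-CBC|DES*|CAST5*) note "$f: 64-bit block cipher $(ovpn_get "$f" cipher) (SWEET32); use AES-256-GCM" ;;
        esac
        ovpn_has "$f" comp-lzo && note "$f: comp-lzo compresses before encrypting (VORACLE); drop it"
    done
    case "$(ovpn_get "$srv" dh)" in *1024*) note "$srv: 1024-bit DH parameters; rebuild with KEY_SIZE=2048" ;; esac
    ovpn_has "$srv" user && ovpn_has "$srv" down &&
        note "$srv: down script runs after dropping to $(ovpn_get "$srv" user), so brctl delif will fail there"
    ovpn_has "$cli" remote-cert-tls || ovpn_has "$cli" ns-cert-type ||
        note "$cli: no remote-cert-tls/ns-cert-type server; any client cert from this CA could pose as the server"
    # Endpoint agreement: server 'port'/'proto' vs client 'remote host [port [proto]]'
    sport=$(ovpn_get "$srv" port); sproto=$(ovpn_get "$srv" proto)
    set -- $(ovpn_get "$cli" remote)
    cport=$2; cproto=${3:-$(ovpn_get "$cli" proto)}
    sport=${sport:-1194} cport=${cport:-1194}
    sproto=${sproto:-udp}; sproto=${sproto%-server}
    cproto=${cproto:-udp}; cproto=${cproto%-client}
    [ "$sport" = "$cport" ] || note "port mismatch: server $sport, client remote $cport"
    [ "$sproto" = "$cproto" ] || note "proto mismatch: server $sproto, client $cproto"
    [ "$(ovpn_get "$srv" cipher)" = "$(ovpn_get "$cli" cipher)" ] || note "cipher mismatch between server and client"
    if ovpn_has "$srv" comp-lzo; then ovpn_has "$cli" comp-lzo || note "comp-lzo mismatch: server only"; fi
    if ovpn_has "$cli" comp-lzo; then ovpn_has "$srv" comp-lzo || note "comp-lzo mismatch: client only"; fi
    # tls-auth: both sides or neither, key-direction 0 on the server and 1 on the client
    sdir=$(ovpn_get "$srv" tls-auth | awk 'NF > 1 { print $NF }')
    cdir=$(ovpn_get "$cli" tls-auth | awk 'NF > 1 { print $NF }')
    if ovpn_has "$srv" tls-auth || ovpn_has "$cli" tls-auth; then
        if ! ovpn_has "$srv" tls-auth || ! ovpn_has "$cli" tls-auth; then
            note "tls-auth mismatch: configured on one side only"
        elif [ -n "$sdir$cdir" ] && { [ "$sdir" != 0 ] || [ "$cdir" != 1 ]; }; then
            note "tls-auth key-direction must be 0 on the server and 1 on the client (got '$sdir'/'$cdir')"
        fi
    fi
    printf '%s' "$out"
    [ -z "$out" ]
}

# ovpn_demo -> lint a constructed pair modelled on the server.conf and n900 config in
# this post (the curly quotes on the 'up' line are deliberate); exit status is ovpn_lint's
ovpn_demo() {
    d=$(mktemp -d) || return 2
    cat >"$d/server.conf" <<'EOF'
port 443
proto udp
up “/etc/openvpn/up.sh br0”
down "/etc/openvpn/down.sh br0"
dh dh1024.pem
tls-auth ta.key 0
cipher BF-CBC   # Blowfish (default)
comp-lzo
server-bridge 172.16.1.102 255.255.255.0 172.16.1.50 172.16.1.60
user nobody
EOF
    cat >"$d/n900.ovpn" <<'EOF'
client
remote notlikelytopostinanopenwebsite.com 443
tls-auth ta.key 1
cipher BF-CBC
comp-lzo
EOF
    ovpn_lint "$d/server.conf" "$d/n900.ovpn"; rc=$?
    rm -rf "$d"
    return $rc
}

# CLI use: sh ovpn-lint.sh /etc/openvpn/server.conf n900.ovpn   (or call ovpn_demo)
if [ $# -eq 2 ]; then ovpn_lint "$1" "$2"; fi
```

The mismatch checks are the ones that save the most debugging time: a client that says remote host 443 against a server on port 1194, or tls-auth with the same key-direction on both ends, produces nothing more helpful than a TLS handshake timeout in the log.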

N900 Banshee Fix
http://geekyschmidt.com/2010/02/24/n900-banshee-fix
Thu, 25 Feb 2010 00:00:23 +0000, by admin

You can compile the latest Banshee builds if you'd like, but for those of you on older, non-bleeding-edge machines, here is the .is_audio_player file HAL needs to recognize the phone as a media player. Save it as .is_audio_player on the root of your N900's storage; it tells Banshee which formats the device plays and which folders to put music and video in:

playback_mime_types=video/mp4-generic, video/quicktime, video/mp4, video/mpeg4, video/3gp, video/3gpp2, application/sdp, audio/3gpp, audio/3ga, audio/3gpp2, audio/amr, audio/x-amr, audio/mpa, audio/mp3, audio/x-mp3, audio/x-mpg, audio/mpeg, audio/mpeg3, audio/mpg3, audio/mpg, audio/mp4, audio/m4a, audio/aac, audio/x-aac, audio/mp4a-latm, audio/wav
playlist_formats=audio/x-scpls, audio/mpegurl, audio/x-mpegurl
audio_folders=.sounds/, .videos/, Music/
video_folders=.videos/, Video/
icon_names=phone-nokia-n900
folder_depth=2
coverartfilename=cover.jpg
coverartfiletype=jpeg
coverartsize=200

Tomboy SSH Fix on Ubuntu 10.1 Lucid
http://geekyschmidt.com/2010/02/23/tomboy-ssh-fix-on-ubuntu-10-1-lucid
Wed, 24 Feb 2010 03:39:38 +0000, by admin

I was getting the following error when trying to sync Tomboy over SSH:

The keyring daemon is not available

FIX:

Install sshfs:

sudo apt-get install sshfs

Modify your Tomboy launcher so the keyring daemon is started (and its socket exported) before Tomboy:

eval `gnome-keyring-daemon` && export GNOME_KEYRING_SOCKET && export GNOME_KEYRING_PID && tomboy --search

Test from n900
http://geekyschmidt.com/2010/02/23/test-from-n900
Tue, 23 Feb 2010 22:35:48 +0000, by admin

MaStory is a nice little blogging app. Testing XML-RPC posting with it.

DoD eases ban on thumb drive use for US military, our enemies rejoice
http://geekyschmidt.com/2010/02/22/dod-eases-ban-on-thumb-drive-use-for-us-military-our-enemies-rejoice
Mon, 22 Feb 2010 12:20:04 +0000, by admin

via Engadget: DoD eases ban on thumb drive use for US military, our enemies rejoice.

Media is the least of your concerns. If you are really concerned, then goober up the USB ports with super glue. If you are running SNARE with USB monitoring it is very easy to add approved USB devices to a list, and anyone plugging in something NOT on that list can make monkeys dance on your face or lights flash. This is not complicated, people!

Google Reader Share for Monday
http://geekyschmidt.com/2010/02/22/google-reader-share-for-monday
Mon, 22 Feb 2010 12:12:25 +0000, by admin

  • Cisco To Unveil News that Will 'Forever Change the Internet'
    Published: March 10, 2010
    Source: OSNews
    My Note: These types of announcements are stupid. I hate PR.
    Cisco Systems says it will make a major announcement on Tuesday, news that the technology giant says "will forever change the Internet". Shares of Cisco gained 3.65% to close at $26.13 Monday, hitting a new 52...
  • Single Ladies
    Published: March 10, 2010
    Source: xkcd.com
    My Note: A joke that is funny for 10 people in the world. Love it. Can't wait for his new book to drop. The artist lives in Richmond near Becca and I always want to meet up with the guy.
  • Dell slips out OptiPlex 980 desktop, FX100 Zero Client
    Published: March 4, 2010
    Source: Engadget
    My Note: Wow Dell, looks a lot like an IBM CP20/Devon thin client.
    Dell may be branching out with exciting new products like the Mini 5, but it still has to keep its base of business users well stocked with nondescript desktops, and it now has a new pair for them in the form...
Running Comic
http://geekyschmidt.com/2010/02/22/running-comic
Mon, 22 Feb 2010 10:49:04 +0000, by admin

I am up at the crack of dawn and off to run. Found this quote and it made me giggle.

(comic: Dilbert.com)
Tweets from the week of 2010-02-21
http://geekyschmidt.com/2010/02/21/tweets-from-the-week-of-2010-02-21
Sun, 21 Feb 2010 21:01:00 +0000, by admin

  • @sonny_h Ease and quickness of a GUI with the power of UNIX. Most of the UNIX admins I work with are Mac users now. Not a toy! (in reply to sonny_h)
  • @beccadesigns made an amazing dinner for friends of ours last night. She is an amazing hostess and cook. I am an amazing dish washer :)
  • You can't believe a thing you see on TV. Green room video is AWESOME http://bit.ly/98aSuU
  • ** Great feeling - finding your lost bluetooth headset ** Bad feeling - finding it in the dryer
  • Despite having a full PIM available, I still find myself using webapps on my machine. Other than offline, what's the point anymore? #web #2.0
  • Empathy finally supports OTR encryption - bye pidgin and ekiga #security #otr #gnome #linux
  • I might get a demo n900 unit from Nokia. Having owned the n800 and n810 I am excited to see the new capabilities for home and work
  • @chuckshaw Living in the cloud is a security nightmare. I wonder if we should just become "security nudists" and bare it all #security (in reply to chuckshaw)
  • WOOT WOOT! #nokia is shipping me a demo #n900 for a few weeks. I have high hopes for OSS. Will compare with my BB, Android, iPhone, s60
  • @chuckshaw Not sure, but I am pretty stoked. Looking forward to dropping the ol' SIM and playing (in reply to chuckshaw)
  • @gezika The green wave! (in reply to gezika)
  • meebo vs. beejive = meebo... desktop/iphone sync of chats is awesome. Until AOL/MSN/Yahoo stops sucking with multi-login. Meebo FTW
  • @sonny_h Cheesy. Quality engineering builds confidence, not advertising. eg Linux. Also they fill my hulu feed EVERY SHOW :) (in reply to sonny_h)
  • #followfriday @sonny_h @grecs @danphilpott @popplemusic @PoppleKyle @chuckshaw
  • @beccadesigns mailman must hate me in old town :) (in reply to beccadesigns)
  • My social usage is Twitter=quick, Facebook=medium, Blog=long form... no facebook means more blog action. Expect some on http://bit.ly/bgnJfJ
  • @beccadesigns no since people have to come find me, I can't push it to them (in reply to beccadesigns)
  • @popplemusic Bring your dog to test in your place (in reply to popplemusic)
  • http://bit.ly/aXlWMC #n900 first post. The device shipped!
  • @beccadesigns A little big, but your head isn't football shaped (in reply to beccadesigns)
  • When do you start working so hard you become a tourist? http://bit.ly/crcGc1 #work #life #tourist #slowdown
Tourist in my Life
http://geekyschmidt.com/2010/02/20/tourist-in-my-life
Sat, 20 Feb 2010 17:20:44 +0000, by admin

I love Parks and Recreation. What started as an Office knockoff has really grown into its own. A clip on last week's episode made me stop and go hmmmm....

What struck me is that I hear some of those same things from my beloved friends and family. Deep down I know the missed holidays and dinners must make it appear that I am just leisurely exploring their lives. I am hoping that with the change in jobs I will have the opportunity to be a part of this world and not simply a tourist.
Nokia N900 Demo Unit
http://geekyschmidt.com/2010/02/19/nokia-n900-demo-unit
Fri, 19 Feb 2010 18:47:26 +0000, by admin

I think in part due to my tweets of N900 lust and desire, Nokia contacted me to see if I was interested in a demo unit. After validating the email was NOT from Nigeria, I quickly responded with a "YES PLZ SEND MEZ FONE!"

Why the gadget lust when I have a top-of-the-line iPhone? Easy, I am a geek. While I enjoy the hell out of having nice and easy to use devices, deep down I want to tinker. My original move to Mac was because I didn't trust myself to have a Linux or BSD machine with me on the road. Every waking moment would be spent tweaking the kernel or compiler options for just a little bit more speed. Bleeding edge, you betcha.

Linux, though, has become a lot easier to use as of late. My days of Debian 1.3 are long gone and it has evolved to grandma levels. Can the same happen on a phone? The n700/800/810 I once owned were not able to.

The geeky things I care about:

• SDK that allows for quick-n-easy cross compiling of code
• Active user community
• nmap/kismet/libpcap based tools available
• IM client with encryption
• Terminal
• Multiplatform support

The shiny-side things I care about:

• Skype support
• Syncable media player
• Browser that can surf the standard web
• Google Voice support
• App support
• Multi-touch
• Maps
• Sync with the cloud

Things that annoy me:

• Steve Jobs
• iTunes
• DRM
• No published spec

When the device arrives I plan on walking through the device with each of those areas. I will pop the SIM card from my iPhone and turn it off for the period of time I have the demo unit. Results to follow in the coming weeks.