Archive for the Unix Category

Zeroshell: Part 2 – VPN & NAT

Posted in Unix on November 9, 2009 by lucywitdiam0nds

Firstly let me just say thank you to everyone who’s been reading! 3 days and 8,330 hits! I really didn’t know so many people cared about what I have to say!

(In the time it took me to write this article my hits jumped up to 11,114 hits! Holy crap!)

So coming back to my previous post:

Getting DDWRT to play nice with Zeroshell

After getting everything working properly with routing set between interfaces, we can utilize one of the coolest functions of Zeroshell, VPN access (almost) out of the box.

Getting VPN to work:


For those of you who don’t know what VPNs are, it stands for Virtual Private Networking. It is simply a method of securely connecting to your home network, as if you were physically wired into it, when in fact you are connecting over the internet. This particular setup wraps the VPN in two layers of authentication: an X.509 certificate and a username/password that is checked against Zeroshell’s Kerberos server. Plenty of protection for an enterprise solution (small scale, of course). Keep in mind that you can set this VPN server’s authentication in one of three ways: X.509 certificate, username/password, or both. In this case, we’re using both.

You need to make a couple of decisions first, though.

  • Do you want to have just one user on your VPN?
  • Do you want multiple users with the same username? (not necessarily recommended)
  • What authentication do you want to set up? (credentials + X.509 is what I’m using in this)

To start, go into the Users section on the left, select the admin user and click the X509 tab at the top, which shows lots of information about that particular user (and about any users you add later as well).

We need to export this certificate and place it in a good location. You should name it to admin.pem if it isn’t already.

This is only one of the certs we need, though. We also need something called the “Trusted CA”. CA stands for Certificate Authority. In the world of certificates, this is a trusted source: the administrative entity that is considered ‘always valid and all knowing’, which in our case is our Zeroshell install. As long as the CA says a certificate is fine, any service using that CA will trust it, much like SSL certs.

Now we need to get a copy of our trusted CA and enable the actual VPN functionality of our Zeroshell. What you want to do is click on the Trusted CAs button under the X.509 Configuration, which will spawn a window. Export it as a .pem, and put it somewhere safe.

Now to enable VPN functionality we need to tick the ‘enable’ box and click Save. Complicated, right?

Next we need to get a copy of the OpenVPN client. Since I’m using Windows 7 I had to get an RC with a properly signed driver (shakes fist at Microsoft). Also make sure you run the installer in compatibility mode for Windows Vista and run it as administrator (what a pain in the ass):

http://openvpn.net/release/openvpn-2.1_rc19-install.exe

The newest installer can be found here, but it didn’t seem to work for me when I installed it :(

http://openvpn.net/release/openvpn-2.1_rc20-install.exe

After getting it all installed and whatnot, move CA.pem and admin.pem to:

C:\Program Files\OpenVPN\config

or in my case (64 bit machines)

C:\Program Files (x86)\OpenVPN\config

Now get into that directory and create a file named config.ovpn and copy my config from:

http://pastebin.com/f6c913fcd (edited from the Zeroshell OpenVPN configuration – thanks guys!)

Now just edit the first line to hold whatever your server’s IP is, and the proper port if necessary. You probably want to decrease the verbosity to 3 after you’re sure everything works as well. You should now be able to start the OpenVPN GUI, which will put an icon in the taskbar.

Right click it and go to Connect, and it should prompt you for a username and password; log in with the admin user, unless you have other users to use.

You should now be successfully connected to your VPN in a very secure manner!
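The config file the post links to on pastebin is not reproduced here, so the following is an added example, not the author’s file and not the config Zeroshell generates: a small POSIX shell script that writes an OpenVPN client config for the setup described above (CA.pem + admin.pem + username/password) and then checks that both authentication layers are actually present in the file. Assumptions, marked in the comments: the server address 203.0.113.5 is a placeholder, port 1194, TCP transport and a TAP device (Zeroshell’s OpenVPN service defaults as assumed here), admin.pem holding both the certificate and its private key, and the server certificate carrying the TLS server extended key usage that `remote-cert-tls server` checks for.

```shell
#!/bin/sh
# Added example (not from the post): generate and sanity-check an OpenVPN 2.1
# client config for the Zeroshell setup described above.
# Assumed values: 203.0.113.5 is a placeholder server address, port 1194,
# TCP transport and a TAP device, admin.pem containing both cert and key.

# write_client_config SERVER PORT [VERBOSITY]
#   Prints the client config to stdout; redirect it into config.ovpn.
#   Use a higher verbosity (e.g. 5) while testing, then drop back to 3.
write_client_config() {
    server="$1"
    port="${2:-1194}"
    verb="${3:-3}"
    cat <<EOF
client
dev tap
proto tcp
remote $server $port
resolv-retry infinite
nobind
persist-key
persist-tun
ca CA.pem
cert admin.pem
key admin.pem
auth-user-pass
remote-cert-tls server
verb $verb
EOF
}

# config_has FILE DIRECTIVE
#   Succeeds if FILE contains a line that starts with DIRECTIVE.
config_has() {
    grep -q "^$2" "$1"
}

# check_config FILE
#   The setup relies on two factors: the certificate (ca + cert) and the
#   username/password prompt (auth-user-pass). If either directive is missing
#   the client silently falls back to a weaker setup, so refuse such a file.
check_config() {
    for d in remote ca cert auth-user-pass remote-cert-tls; do
        config_has "$1" "$d" || { echo "missing directive: $d" >&2; return 1; }
    done
    return 0
}

# Stand-alone usage: write config.ovpn in the current directory and verify it.
write_client_config 203.0.113.5 1194 > config.ovpn
check_config config.ovpn && echo "config.ovpn written and checked"
```

`remote-cert-tls server` makes the client refuse a server certificate that was not issued for a TLS server, so a user certificate signed by the same CA cannot be used to impersonate the server; if the Zeroshell server certificate lacks that extended key usage the connection will fail at the TLS handshake, which is the signal to fix the server certificate rather than drop the directive.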

Getting NAT working:

Alright, for those of you who don’t know what NAT is, it stands for Network Address Translation. What we are using it for here is port forwarding, which does exactly what it sounds like: it forwards a port from one of your clients to the outside world, so that someone looking at your router from the internet will ‘see’ into your network on that port.

First about my interfaces:

ETH00 is my internal network 10.0.0.0/24

ETH01 is my WAN port, connecting me to the internet

So the first entry in my NAT table:

I have an FTP server running on port 21 of my laptop which I want to be able to access from anywhere. In order for me to make it so I can connect to my external IP on some port and talk to my laptop, I need to tell my router what to do.

Go into the Router section on the left and click the Virtual Servers tab at the top, which will spawn a window for you.

For whatever reason you need to specify your internal interface (the one that takes care of your internal network), which in my case is ETH00, and an allowed source of any IP address (you can restrict services like Remote Desktop to a single IP or a range of IPs if you want).

The local port box specifies the port you want to connect to from the outside.

The remote IP is the local IP address of the machine you want to forward to the outside.

The remote port is the local port running on said IP address.

In this example I have an FTP server running on port 21 on my local network, which is getting forwarded to port 65534, so in order for me to connect to my laptop I need to connect to my.external.ip.address:65534.


The same goes for all other services: for BitTorrent use the same port for local and remote ports, and it’ll be a 1:1 port map to your local client. ’Tis truly handy :)

The proof’s in the pudding:

C:\Users\P0rT_Smoke>nmap -T4 -sV -p65534 71.xx.222.63

Starting Nmap 5.00 ( http://nmap.org ) at 2009-11-09 22:12 Pacific Standard Time

Interesting ports on 71-xx-222-63.dhcp.mrqt.mi.charter.com (71.xx.222.63):
PORT      STATE SERVICE VERSION
65534/tcp open  ftp     FileZilla ftpd 0.9.31 beta
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.42 seconds
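The scan above is the right check to run after adding virtual servers, because every row you add is a port the whole internet can reach. As an added example (not from the post), here is a small POSIX shell script that reads an nmap -sV report, lists the open ports with their detected service and version, and compares them against the list of ports you meant to expose, so a forgotten forward (or a service that moved) shows up as an unexpected exposure. The report embedded in the script is constructed to match the shape of the post’s output; the host name, address and the second open port are made up.

```shell
#!/bin/sh
# Added example (not from the post): audit an nmap -sV report against the
# ports you intentionally exposed. The sample report below is constructed.

SAMPLE_NMAP_OUTPUT='Starting Nmap 5.00 ( http://nmap.org ) at 2009-11-09 22:12 Pacific Standard Time
Interesting ports on host.example (203.0.113.10):
PORT      STATE SERVICE VERSION
65534/tcp open  ftp     FileZilla ftpd 0.9.31 beta
3389/tcp  open  ms-wbt-server Microsoft Terminal Service
Service Info: OS: Windows'

# open_ports
#   Reads an nmap report on stdin and prints one line per open port:
#   "port/proto service version...". Header and summary lines are skipped
#   because their first field is not of the form NNN/tcp or NNN/udp.
open_ports() {
    awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" {
        line = $1 " " $3
        for (i = 4; i <= NF; i++) line = line " " $i
        print line
    }'
}

# unexpected_ports ALLOWLIST
#   Reads an nmap report on stdin and prints the open ports that are not in
#   the space-separated ALLOWLIST (entries look like "65534/tcp").
unexpected_ports() {
    allow=" $1 "
    open_ports | while read -r port svc ver; do
        case "$allow" in
            *" $port "*) ;;                     # intentionally exposed
            *) echo "$port $svc $ver" ;;        # nobody meant to forward this
        esac
    done
}

# audit_exposure ALLOWLIST
#   Returns 0 when only allowlisted ports are open, 1 otherwise (and lists them).
audit_exposure() {
    extra=$(unexpected_ports "$1")
    if [ -n "$extra" ]; then
        printf 'unexpected exposure:\n%s\n' "$extra" >&2
        return 1
    fi
    return 0
}

# Stand-alone usage: in practice pipe a real scan of your own external
# address in, e.g.  nmap -T4 -sV -p- my.external.ip.address | audit_exposure "65534/tcp"
printf '%s\n' "$SAMPLE_NMAP_OUTPUT" | open_ports
if printf '%s\n' "$SAMPLE_NMAP_OUTPUT" | audit_exposure "65534/tcp"; then
    echo "only the intended ports are reachable"
else
    echo "review the virtual server table for the ports listed above"
fi
```

The allowlist is the list of rows in your Virtual Servers table; scanning all ports (`-p-`) rather than just the one you expect is what makes the comparison worth anything.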

So hopefully now you have an awesome network setup allowing you to securely access any local resources you may need, as well as forward services you can afford to have ‘on the wire’.

Nmap is your friend!

See, even Trinity used Nmap to save all of humanity. It can work for you too!

Fiber optic…circuits?

Fiber optic…circuts?

Posted in Unix on November 9, 2009 by lucywitdiam0nds

Today I was leaving class, and I started a conversation with someone who was in quite a hurry to get to a team meeting, so I inquired what it was about.

He said fiber optics, and I figured, you know, alright, just another fiber optic whatever. So I dug a bit deeper, and it turns out he’s working on getting fiber optic integrated circuits to work. Let me say that again: FIBER OPTIC CIRCUITS!!!

As soon as he said that I immediately had 10 ideas in my head, and we went off in our separate directions, and this interested me so much that I walked away from the elevator that I was waiting for just to talk with him about it.

As any EE major knows, the reason that we use serial communication as opposed to parallel communication is that we don’t have to worry about syncing the clock (the force telling your circuits on what interval to do something).


Data used to be transmitted like this:

0-=============-0

1-=============-1

2-=============-2

3-=============-3

4-=============-4

5-=============-5

6-=============-6

7-=============-7

This is known as a parallel transfer because, as you can see, the data lines travel in parallel with one another.

As ICs get smaller and more efficient, the length of the copper wire starts to affect the latency of copper wiring. In short, the minuscule length differences between lines 6 and 7 would cause their signals to be just the slightest bit off.

This used to be fine when we had a long clock period, but when you turn the clock frequency up (and thus increasing the speed of your circuit) there is a major problem of getting the signals to sync properly.

Then someone figured out that you could get far beyond the speed of parallel connectors by using a serial connector with an embedded clock signal.

This allows for us to turn the clock WAY up and get a major performance boost, as we no longer have to deal with different length connectors throwing our main clock off.

Essentially what this boils down to is the fact that we can now take all these super-fast serial lines and run them in parallel again, giving us a multiplication of throughput, thus shattering yet another bottleneck in the computing industry. Amongst other things.

How about not having to worry about your circuit “shorting out”? We can literally take this theoretical circuit and have it water-proof in nature, because we’re using lasers (which still conduct under water, not to say they won’t be refracted though).

Needless to say, I’ve been thinking about this for a while now, and I am still just stunned at the implications.

Imagine your next iPod having a few million of these in it :-P

Then the internet will REALLY be made of tubes.

I just can’t wait to see how they actually implement this in circuits. Interesting!

Nodes mysteriously dying?

Posted in Unix on November 9, 2009 by lucywitdiam0nds

So I’ve got 3 nodes that have randomly decided to crash over the past few days, and it seems like a daily occurrence now, waking up to have 70 emails in my inbox (I have Nagios email me every 5 min there’s a problem until it’s fixed). Now I just need to find the time to actually sit down and diagnose these things. I am half-tempted to just re-image everything, as there should be nothing on the computational nodes themselves, just the NFS share of /home, which obviously won’t be active when I PXE boot it.

I’d like to figure out what exactly is going on with them before I just nuke everything, although for time’s sake, I might end up doing just that.

Oh well, it’s probably just someone’s crappy code breaking each node. At least it’s only been one at a time, and it doesn’t look like there have been any jobs submitted in a while.

I’ll probably end up pulling that apart tonight (if I find time between editing my first and second posts), although the biggest pain is the fact that I almost have to be there to see what exactly is going on.

::shrugs:: time for some learnin’!

Stopping in to check on the nodes, I saw the following two screens for dmesg | more :

(screenshot of dmesg output, first screen)

It looks as though eth0 is having a hardware fault, and gets stuck with MAC_TX_MODE=fffffff, although I’m not sure what that status means exactly. I’ll figure it out though, as this problem is what’s been affecting all of my nodes, and if people can’t connect to them, obviously they can’t be used for computations :(

(screenshot of dmesg output, second screen)

I’ll post more when I actually know what’s going on. Open to suggestions though!

Hopefully I’ll be able to figure this out without wiping all my nodes clean. That would be kind of a pain in the butt.

This is a pretty bitchin rendition of panic.c (kernel panic)

So it seems like a bug in the tg3 driver, which drives the NIC. Although my money is still on a hardware failure that is tiny but there. I sincerely hope I’m wrong, but I’ve diagnosed a lot of failures like this in the past, and it’s generally turned out to be something that is just going to get worse :(.

Getting DDWRT to play nice with Zeroshell

Posted in Networking, Unix on November 9, 2009 by lucywitdiam0nds

So I borked a bridge on my Zeroshell router tonight, and I had to redo it. I figured this guide would be useful for anyone who has a WRT54G (or any other) that’s crapping out and wants to replace it with something Unix based, or just for people who are trying to configure Zeroshell for the first time.

I’ve got ideas to expand this article, so check back in a few days and it should be fully finished :)

This is my network infrastructure.

(network topology diagram)

So now you see exactly what it is I want to do. I had everything running off of my DD-WRT on my WRT54G, but my roommates and I use quite a bit of bandwidth, and with 8 MB of onboard memory, needless to say it was hopelessly outmatched, even with overclocking enabled.

I’d been looking for a computer to turn into a router for a while, and I finally found one at work last week :)

So I grabbed a copy of Zeroshell, started it up and was greeted by the main screen. It sets a static IP on eth00 (their naming convention is a bit wonky) to 192.168.0.75, so I plugged into it with my main ethernet port, and set a static IP in the same subnet (google it if you don’t know how).

When I could finally connect I was greeted by the sign-in page (of course after the SCARY self-signed cert warning).

Default U:P == admin:zeroshell

Time to create a new profile: on the top bar, there is a ‘profiles’ tab. It’s a good place to start so we can actually save all our settings :)

In this case, there was a WIN95-formatted drive in there, which Zeroshell couldn’t read. What I ended up doing was plugging it into an IDE reader and formatting it, which worked fine.

Either way, I then created a new database with all of my info, including hostname, Kerberos, and LDAP settings.

Now in the ‘Network’ tab we need to set our IP addresses. The dynamic IP won’t stick until there’s actually an address to get, so I just set the static IP to 10.0.0.1.

It was at this point that I realized that I needed to disable all DHCP/routing functionality on my DD-WRT.

Logging in, I had to change a few things:

  • WAN Connection type = disabled
  • Local IP address = 10.0.0.2/24
  • Assign WAN port to switch
  • DHCP Forwarder (as opposed to server) – followed by the IP of the DHCP server

Since I wasn’t going to be changing anything on my wireless side (I still wanted to use the AP functionality of my DDWRT) there was no need to fiddle with any of those settings.

Finally all we have to do is disable routing. Go to the administration tab and at the bottom hit the Routing button to disable.


Now we can actually put our machine into place, but you may want to enable the dhcp server first (or you have to assign yourself a static address):

On the left in the ‘network’ subsection there’s a DHCP link; after you click it you need to create a new subnet. Choose the proper interface to broadcast on (eth00 in my case) and set the DHCP pool specifications. I did 10.0.0.10-10.0.0.25 and put in OpenDNS for my primary and secondary DNS.

Now you want to get a dynamic address for your ‘outside’ interface (eth01 in my case).

Now we need to click on the Router section, and click the NAT tab, so we can route between interfaces properly.

That’s about it as far as what needs to happen to get routing, DHCP, and DNS properly set up, so you can now do pretty much anything you want.
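Zeroshell is a Linux distribution, and both the NAT tab here and the Virtual Servers table in Part 2 end up as netfilter rules. As an added example, not Zeroshell’s own scripts and not something you type into its web interface, the POSIX shell script below prints the iptables rules equivalent to the two settings: source NAT on the WAN interface so the 10.0.0.0/24 network can reach the internet (this post), and a “virtual server” row that forwards external port 65534 to port 21 on an internal host (Part 2). Interface names follow the post; the internal host 10.0.0.50 and the trusted source address 198.51.100.7 used for the Remote Desktop row are assumed placeholders. One caveat for the FTP case specifically: forwarding the control port alone does not forward the separate data connection, so passive-mode transfers also need the server’s passive port range forwarded (or the kernel’s FTP connection-tracking helper), which this example does not add.

```shell
#!/bin/sh
# Added example (not Zeroshell's own scripts): the netfilter rules behind
# Zeroshell's NAT tab and Virtual Servers table. Interface names are the
# post's; 10.0.0.50 and 198.51.100.7 are placeholder addresses.

LAN_IF=ETH00
WAN_IF=ETH01
LAN_NET=10.0.0.0/24

# masquerade_rules
#   Source NAT so LAN hosts share the WAN address (the "NAT" tab), plus the
#   forwarding rules that let LAN-initiated connections and their replies through.
masquerade_rules() {
    echo "iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE"
    echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT"
    echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# virtual_server PROTO EXT_PORT INT_IP INT_PORT [SRC]
#   One row of the Virtual Servers table: traffic arriving on WAN_IF at
#   EXT_PORT is DNATed to INT_IP:INT_PORT. SRC limits who may use the forward;
#   the default 0.0.0.0/0 is the post's "any IP address" setting.
virtual_server() {
    proto="$1"; ext="$2"; ip="$3"; int="$4"; src="${5:-0.0.0.0/0}"
    echo "iptables -t nat -A PREROUTING -i $WAN_IF -s $src -p $proto --dport $ext -j DNAT --to-destination $ip:$int"
    # DNAT alone is not enough: the rewritten packet must also be allowed to be forwarded.
    echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -s $src -d $ip -p $proto --dport $int -j ACCEPT"
}

# rules
#   The full rule set for this post's network plus Part 2's FTP forward, and a
#   Remote Desktop forward restricted to one source address as the post suggests.
rules() {
    masquerade_rules
    virtual_server tcp 65534 10.0.0.50 21
    virtual_server tcp 3389 10.0.0.50 3389 198.51.100.7
}

# Stand-alone usage: print the rules (dry run). Pass --apply to execute them,
# which needs root and a box where you actually want these rules.
if [ "${1:-}" = "--apply" ]; then
    rules | sh
else
    rules
fi
```

Reading the Virtual Servers form against these rules explains the fields: the “local port” is `--dport` on the PREROUTING rule, the “remote IP” and “remote port” are the `--to-destination` target, and the optional source restriction is the `-s` match that keeps a service like Remote Desktop from being reachable by every address on the internet.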

The important lesson here? Before you start messing with things that could break the world, which in turn causes you to mess up your hard drive containing your configuration, BACK UP YOUR CONFIGURATION. Do it now. Seriously. Although I wouldn’t have written this article if I had done that, now would I :)

I apologize for the crappy formatting. I just started this thing, so I’m still trying to find a theme that supports the architecture of my writing, and still looks good.

Like I said, tomorrow I’ll put in my OpenVPN how-to on the end of this article, as it can be a bit complicated if you don’t know anything about certificates.

After that I’ll be putting in how to get NAT working properly, as it can be a bit weird. Took me a while to figure out anyway.


Identity theft is not a joke, Jim!

EDIT: So instead of putting the VPN & NAT stuff down here, I’m going to just do another post about it, tie them both together and make a page for it.

Hope you enjoy it!

Bash-shortcuts

Posted in Unix on November 8, 2009 by lucywitdiam0nds

I have just finished my preliminary summary of the stuff written on my wall! I hope it helps whoever is reading this!

https://talesofacoldadmin.wordpress.com/bash-shortcuts/

The beginning words

Posted in Random, Unix, Windows on November 7, 2009 by lucywitdiam0nds

Hello cyberspace.

I peruse you as a (big) part of my daily life, and for a time now I’ve wanted a place to rant and rave about the ongoing plethora of computer nerdom that I’m exposed to on a daily basis.

I will use this space to retroactively delve into my prior projects/jobs and as a place to divulge what I find in the future. I feel as though this is a bit overdue, as I’ve got lots of things rattling around in my brain and nowhere to properly put them.

My true niche is security, both in the cyber world as well as the physical world. I like dealing with the failures of systems and the like, especially when the system was designed explicitly *not* to fail.

As I sit here contemplating what I could write about, a world of possibilities is opening up. Some of my posts might hold some music-related things, although I’m not sure about that. I’m a lot more knowledgeable about computers than I am about music.

There are many, many things that I will write about, although I’m not sure how much time I will have to do it. I work a lot, and my job is pretty much all the time.

I’m a bit new to WordPress, so I’m going to use this post to get acclimated with the tools as well.

BOLD

Italic

Strikethrough

  • Hey look!
  • I found some bullets :)
  1. I think I also found
  2. Some numbers :)

Blockquotes? I have a feeling I know what this does, but I could be wrong.

This is Randal, he is a slacker