STATUS updates

TODO

  • How to handle UNIX journal keywords?
  • Need to finish writing up HPC0 projects
  • the formular plugin is giving me errors, need to figure this out (email assignment form)
  • use include plugin to include a page containing various prior month status pages
  • can I install writer2latex on wildebeest herd without needing gcj??
  • update lair-nfs for new idmap Domain of “lair”
  • put UNIX course listing examples in public directory

URLs

Other Days

May 15th, 2010

Lab46 locked

Around 8:32PM, Lab46 locked up… we had a much longer stretch this time… some 22-24 days.

I restarted it.

May 10th, 2010

PPTP

I felt… possessed… to try and see how difficult it would be to establish VPN connectivity with something other than OpenVPN.

Specifically, one of the VPN protocols supported natively by Windows XP and many mobile devices.

PPTP seems to be oft-mentioned in terms of support, so I investigated. PoPToP seems to be THE one to use, so I grabbed it… there's an OpenBSD package for it, so I sucked it down and installed it:

jb:~$ wget http://ftp.eu.openbsd.org/pub/OpenBSD/4.0/packages/i386/poptop-1.1.4.b4p1.tgz
jb:~$ sudo pkg_add poptop-1.1.4.b4p1.tgz

I followed the blog post/tutorial here at techrepublic.com, and achieved success.

First up, I made the /etc/pptpd.conf file:

################################################################################
#
# PoPToP configuration file
#
# for PoPToP version 1.1.4-b3
#
################################################################################

option /etc/ppp/ppp.conf
localip 10.80.1.250
remoteip 10.80.1.248-249
listen 72.43.34.89
pidfile /var/run/pptpd.pid

Next, /etc/ppp/ppp.conf:

loop:
    set timeout 0
    set log phase chat connect lcp ipcp command
    set device localhost:pptp
    set dial
    set login
    set mppe * stateful
    # Server (local) IP address, Range for Clients, and Netmask
    # Use the same IP addresses you specified in /etc/pptpd.conf :
    set ifaddr 10.80.1.250 10.80.1.248-10.80.1.249 255.255.255.255
    set server /tmp/loop "" 0177
loop-in:
    set timeout 0
    set log phase lcp ipcp command
    allow mode direct
pptp:
    load loop
    # Disable unsecured auth
    disable pap
    disable chap
    enable mschapv2
    disable deflate pred1
    deny deflate pred1
    disable ipv6
    accept mppe
    enable proxy
    accept dns
    # DNS Servers to assign client
    # Use your own DNS server IP address :
    set dns 10.80.1.1
    # NetBIOS/WINS Servers to assign client
    # Use your own WINS server IP address :
    #set nbns 20.1.1.100
    set device !/etc/ppp/secure

Next up we needed /etc/ppp/secure:

#!/bin/sh
exec /usr/sbin/ppp -direct loop-in

(chmod u+x this file… others are chmod 400).

Finally on the PPTP front is the /etc/ppp/ppp.secret file, where you break out all the users who can authenticate… format is as follows:

username     password     *
username2    otherpassword     10.80.x.y

If you provide *, IP is dynamically assigned; if you specify an IP, that gets assigned.

Also need to perform changes to /etc/pf.conf:

set skip on { lo re0 bridge0 tun0 tun1 }    # tun1 gets used (tun0 already in use for OpenVPN)
...
# LAIR PPTP VPN experiment (mth)
pass in quick on $ext_if proto tcp from any to $ext_if port = 1723 modulate state
pass in quick on $ext_if proto gre from any to $ext_if keep state
pass out quick on $ext_if proto gre from $ext_if to any keep state
#pass in quick log on tun0 all
#pass out quick log on tun0 all
#pass in quick log on tun1 all
#pass out quick log on tun1 all

Reload pf rules (initially, I forgot to skip on tun1, so it would connect but you couldn't ping or anything; skipping on tun1 and the whole thing lit up).

I commented out the “pass in/out” on tun0/tun1, because we're already ignoring them… although I suppose it is more secure to do it this way. For now, just experimenting.

Now, let's LAUNCH [over] IT!

jb:~$ sudo /usr/local/bin/pptpd -d

*NOTE: if it matters, I also did an “ifconfig gre0 create” … not sure if this is getting utilized specifically or not.

tailing /var/log/daemon will stream beautiful messages of connectivity.

In short: that was dead easy.
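The four files above have to agree with each other, and two things the write-up itself points out deserve a check rather than a re-read every time: the client address range is typed twice (pptpd.conf and ppp.conf), and putting tun1 in `set skip on` means VPN traffic is never filtered at all. The POSIX shell script below is an added example, not code from the original page or from the PoPToP project; it parses copies of pptpd.conf, ppp.conf, ppp.secret and pf.conf laid out as shown above and reports address mismatches, weak auth settings, a readable secrets file, static client addresses outside remoteip, and a skipped tunnel interface. The file locations (one directory holding all four), the `tun1` interface name and the extra `outsider` entry in the constructed ppp.secret are assumptions for the demo. One caveat the script cannot fix: MS-CHAPv2 with MPPE is the best this stack offers, but the MS-CHAPv2 exchange is known to be crackable offline and MPPE's keys derive from it, so treat PPTP as access control rather than strong transport encryption.

```shell
#!/bin/sh
# Pre-flight check for the PoPToP + ppp(8) + pf setup on this page. Added example, not
# from the page or the PoPToP project. Assumes the directives the page shows: localip /
# remoteip in pptpd.conf, "set ifaddr" plus the auth lines in ppp.conf, "name password ip"
# lines in ppp.secret, "set skip on { ... }" and the 1723/GRE passes in pf.conf.
# Directory layout (all four files side by side) and the tun1 name are assumptions.
pptpd_localip()  { awk '$1 == "localip"  { print $2; exit }' "$1"; }
pptpd_remoteip() { awk '$1 == "remoteip" { print $2; exit }' "$1"; }
ppp_ifaddr()     { awk '$1 == "set" && $2 == "ifaddr" { print $3, $4; exit }' "$1"; }

# pptpd.conf accepts the short form "10.80.1.248-249"; ppp.conf spells out both ends.
expand_range() {
    first=${1%%-*}; last=${1#*-}
    case $last in
        *.*) printf '%s-%s\n' "$first" "$last" ;;
        *)   printf '%s-%s.%s\n' "$first" "${first%.*}" "$last" ;;
    esac
}
# The page's ppp.conf comment requires the same addresses in both files; verify it.
check_addresses() {   # $1 = pptpd.conf, $2 = ppp.conf
    pl=$(pptpd_localip "$1"); pr=$(expand_range "$(pptpd_remoteip "$1")")
    set -- $(ppp_ifaddr "$2")   # now $1 = ppp local address, $2 = ppp client range
    if [ "$pl" = "$1" ] && [ "$pr" = "$2" ]; then echo OK
    else echo "MISMATCH pptpd=$pl,$pr ppp=$1,$2"; fi
}
# True when the file has a "<verb> ... <word>" line, e.g. has_directive ppp.conf disable pap
has_directive() {
    awk -v verb="$2" -v word="$3" \
        '$1 == verb { for (i = 2; i <= NF; i++) if ($i == word) found = 1 } END { exit !found }' "$1"
}
# PAP sends the password in clear and plain CHAP cannot key MPPE, so both must stay off.
check_auth() {   # $1 = ppp.conf
    issues=""
    has_directive "$1" disable pap     || issues="$issues pap-enabled"
    has_directive "$1" disable chap    || issues="$issues chap-enabled"
    has_directive "$1" enable mschapv2 || issues="$issues no-mschapv2"
    has_directive "$1" accept mppe     || issues="$issues no-mppe"
    [ -z "$issues" ] && echo OK || echo "WEAK:$issues"
}
# ppp.secret holds plaintext passwords: group/other bits must be clear (page: chmod 400).
check_secret_perms() {   # $1 = ppp.secret
    case $(ls -ld "$1" | cut -c5-10) in
        ------) echo OK ;;
        *)      echo "EXPOSED: mode $(ls -ld "$1" | cut -c1-10)" ;;
    esac
}
# A static address in ppp.secret outside remoteip puts a client where nothing else expects it.
check_secret_ips() {   # $1 = ppp.secret, $2 = expanded client range "A-B"
    awk -v range="$2" '
        function ip2int(s,  o) { split(s, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
        BEGIN { split(range, r, "-"); lo = ip2int(r[1]); hi = ip2int(r[2]) }
        /^[ \t]*#/ || NF == 0 { next }
        NF >= 3 && $3 != "*" { n = ip2int($3); if (n < lo || n > hi) bad = bad " " $1 "=" $3 }
        END { if (bad == "") print "OK"; else print "OUT-OF-RANGE:" bad }' "$1"
}
# Control port and GRE must be let in; an interface in "set skip on" is never filtered at all,
# which is what the page's tun1 entry does (the page notes explicit pass rules would be safer).
check_pf() {   # $1 = pf.conf, $2 = tunnel interface ppp uses
    issues=""
    grep -Eq '^pass in .*proto tcp .*port *= *1723' "$1" || issues="$issues no-1723-rule"
    grep -Eq '^pass in .*proto gre ' "$1"                || issues="$issues no-gre-rule"
    grep -Eq "^set skip on .*[{ ]$2[ }]" "$1"            && issues="$issues $2-unfiltered"
    [ -z "$issues" ] && echo OK || echo "WARN:$issues"
}
# Constructed copies of the page's files; "outsider" is an extra, deliberately out-of-range entry.
write_samples() {   # $1 = directory
    printf 'localip 10.80.1.250\nremoteip 10.80.1.248-249\nlisten 72.43.34.89\n' > "$1/pptpd.conf"
    cat > "$1/ppp.conf" <<'EOF'
loop:
    set mppe * stateful
    set ifaddr 10.80.1.250 10.80.1.248-10.80.1.249 255.255.255.255
pptp:
    disable pap
    disable chap
    enable mschapv2
    accept mppe
EOF
    printf 'username password *\nusername2 otherpassword 10.80.1.249\n# constructed:\noutsider guessme 10.80.2.5\n' > "$1/ppp.secret"
    chmod 400 "$1/ppp.secret"
    cat > "$1/pf.conf" <<'EOF'
set skip on { lo re0 bridge0 tun0 tun1 }
pass in quick on $ext_if proto tcp from any to $ext_if port = 1723 modulate state
pass in quick on $ext_if proto gre from any to $ext_if keep state
EOF
}
run_checks() {   # $1 = directory holding copies of pptpd.conf, ppp.conf, ppp.secret, pf.conf
    echo "addresses:   $(check_addresses "$1/pptpd.conf" "$1/ppp.conf")"
    echo "auth:        $(check_auth "$1/ppp.conf")"
    echo "secret mode: $(check_secret_perms "$1/ppp.secret")"
    echo "secret ips:  $(check_secret_ips "$1/ppp.secret" "$(expand_range "$(pptpd_remoteip "$1/pptpd.conf")")")"
    echo "pf:          $(check_pf "$1/pf.conf" tun1)"
}
if [ "${1:-}" = demo ]; then   # "sh pptp-check.sh demo" runs against the constructed samples
    d=$(mktemp -d /tmp/pptpchk.XXXXXX); write_samples "$d"; run_checks "$d"; rm -rf "$d"
fi
```

For a live box, copy the four files into one directory (the live paths are /etc/pptpd.conf, /etc/ppp/ppp.conf, /etc/ppp/ppp.secret and /etc/pf.conf), source the script and call `run_checks` on that directory. Against the page's own config the demo reports OK everywhere except `pf`, which warns that tun1 is unfiltered; that is exactly the trade-off the write-up makes to get the tunnel working.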

Pros:

  • Works with XP as a client! (verified with my XP VM)
  • Works with OpenBSD 4.0 as a server
  • per-user access control
  • per-user IP allocation
  • Upon connecting, ALL traffic gets routed through the connection

Cons:

  • Upon connecting, ALL traffic gets routed through the connection

Upon further looking, routes are established that make the client PREFER the VPN connection for ALL traffic.

So obviously it would be nice to know how to set it up to NOT route everything… but in some respects, it is nice to know the option exists to route ALL traffic (i.e. if you're on a restricted or untrusted network).

OpenWRT wireless

http://josefsson.org/openwrt/wlan.html


haas/status/status_201005.txt · Last modified: 2010/09/16 18:33 by 127.0.0.1