My pretty face [ László Monda's Blog ]
Exploring the cyberspace, one quadrant at a time!
 

Archive for November, 2009

DohanyzoBuszsoforok.hu: More than 1000 visitors in a single day

Monday, November 30th, 2009

When DohanyzoBuszsoforok.hu launched, I sent a letter to bkvfigyelo.hu asking whether they could mention the site in a post. I got no reply to my letter.

Then, in time, it happened that the driver of a bus I was riding was smoking, and, true to my habit, the next day I sent a complaint letter to BKV; the driver did not admit what he had done. I didn't give up, and in the end the driver was fined, but that's not the interesting part. The interesting part is that this is a tabloid-style story.

Having submitted the story, I expected it to appear on bkvfigyelő, but not in my wildest dreams would I have thought that more than a thousand people would look at DohanyzoBuszsoforok.hu that day. Most of the comments were abusive, which is rather saddening, but among them was someone who honestly liked the site and wrote that they would use it in the future, and that is all that matters to me, because it leads to positive change in the matter.

The case visibly got under many people's skin. According to my most vocal "fan", I have no life, which is quite an interesting observation given that this person spent their whole day writing dozens of abusive comments.

Seres Mária's piece titled "Áldozat?" ("Victim?") is very much on topic here. I have tremendous respect for her for what she does. In the future I'll try to collect more signatures for the initiatives she has started. So far I've collected a little more than a dozen.

OpenVPN on OpenWrt

Sunday, November 22nd, 2009

cat >> /etc/firewall << END
iptables -t filter -A input_wan -p udp --dport 1194 -j ACCEPT
iptables -I INPUT   1 -i tun+ -j ACCEPT
iptables -I FORWARD 1 -i tun+ -j ACCEPT
iptables -I OUTPUT  1 -o tun+ -j ACCEPT
iptables -I FORWARD 1 -o tun+ -j ACCEPT
END

/etc/init.d/firewall restart

opkg install openvpn
# I don't wanna convert my OpenVPN config to UCI-like format so I just replace the default init script.
mv /etc/init.d/openvpn /etc/init.d/openvpn.orig

cat >/etc/init.d/openvpn <<END
#!/bin/sh /etc/rc.common

START=99

start() {
    openvpn --daemon --config /etc/openvpn/server.conf
}

restart() {
    stop
    sleep 3
    start
}

reload() {
    killall -SIGHUP openvpn
}

stop() {
    killall openvpn
}
END

chmod 755 /etc/init.d/openvpn

# Here, I copy my OpenVPN config to /etc/openvpn
/etc/init.d/openvpn start

# Thanks to the OpenVPN via TUN HowTo for the help. Enjoy!

Streamlined OpenVPN configuration for LANs

Friday, November 20th, 2009

I have a recurring task of setting up OpenVPN for the LANs of small enterprises and adding / removing users.  Usually they have a dumb little TP-Link or D-Link router facing the public Internet; we bring a relatively powerful PC to their office and my job is to configure the PC as an OpenVPN gateway (among other things).  OpenVPN traffic is forwarded to our PC through the dumb little router using port forwarding.  Well, this is not particularly challenging to me, but I was looking for a way to automate the process as much as I can, because managing clients can be cumbersome.

Let's clarify the task at hand: an OpenVPN gateway has to be set up for a /24 LAN in order to provide access to all hosts on the LAN.  Privilege management will be implemented using a PKI.  On top of that we'll use tls-auth, so the HMAC firewall only answers packets whose signature is valid, which effectively hides the OpenVPN service from scanning.

The LAN should reside in a class A private subnet (10.x.y.0/24) where x and y are chosen randomly, because that minimizes the probability of an address collision with other subnets used with OpenVPN.

First of all, for security reasons the PKI should not reside on the server on which the OpenVPN daemon runs.  I store it on my home partition, which is heavily encrypted and regularly backed up.  I create a directory under ~/openvpn for every OpenVPN installation, where I store the server and client configuration files and the PKI.  Only the needed files are transferred to the server or to the clients.

This post will describe the implementation of the above configuration and will provide a set of scripts to make the task very efficient.

1) Set up the ~/openvpn infrastructure

mkdir ~/openvpn
cd ~/openvpn

# User credentials will be temporarily published under the directory below for the user to download.  This should be a trusted host.
# It probably goes without saying, but $PUBLISH_URL must not, under any circumstances, be listable by the web server.
cat >config <<END
PUBLISH_PATH=yourhost:/var/www/pki
PUBLISH_URL=http://yourhost.com/pki
END

wget http://monda.hu/releases/openvpn-scripts.tar.bz2
tar xjf openvpn-scripts.tar.bz2 -C ~/bin
rm openvpn-scripts.tar.bz2

2) Set up the server directory

cd ~/openvpn
mkdir SERVERNAME
cd SERVERNAME

3) Set up the PKI

mkdir easy-rsa
cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* easy-rsa
cd easy-rsa
# Edit all the KEY_* variables in ./vars so you won't have to type them again.
. ./vars
./clean-all
./build-ca
./build-key-server server
./build-dh
cd ..
mkdir ccd

4) Create server configuration

openvpn --genkey --secret ta.key

cat >server.conf << END
mode server
local 10.X.Y.Z
tls-server
dev tun
proto udp
port 1194
client-config-dir ccd
ifconfig 10.8.0.1 10.8.0.2
push "route 10.X.Y.0 255.255.255.0"
push "route 10.8.0.0 255.255.255.0"
route 10.8.0.0 255.255.255.0
keepalive 10 120
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
tls-auth ta.key 0
log server.log
verb 3
END

# This will be used by the synchronization script to rsync the configuration to the server through SSH.
echo SERVERHOSTNAME > server.hostname

5) Create general client configuration

# This is the client configuration from which all the individual client configurations will be generated.
# Don't touch "username": it is automatically replaced with the name of the relevant user during generation.

cat >client.conf << END
dev tun
proto udp
nobind
remote OPENVPN-GATEWAY-HOST 1194
client
ca server.crt
tls-auth server-ta.key 1
cert username.crt
key username.key
verb 3
END

6) Add users

openvpn-add-user username1
openvpn-add-user username2
...

# The configuration will be automatically transferred to the server.

7) Publish client credentials

openvpn-publish-user-credentials username1
openvpn-publish-user-credentials username2
...

# Which outputs something like this:
# User credentials are accessible from http://yourhost.com/pki/servername-username1-65378842373270.zip
# User credentials are accessible from http://yourhost.com/pki/servername-username2-10200344763221.zip
# ...

# These URLs are meant to be mailed to the relevant users and removed eventually.

8) Unpublish client credentials

openvpn-unpublish-user-credentials username1
openvpn-unpublish-user-credentials username2
...

# Which removes the relevant files from the server.

9) Revoke client credentials

openvpn-revoke-user-credentials username

# The configuration will be automatically transferred to the server.
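The three pieces of the procedure above that the downloaded openvpn-scripts tarball hides are easy to model in plain POSIX sh: picking a random 10.x.y.0/24 LAN (while steering clear of the 10.8.0.0/24 tunnel network that server.conf uses), rendering a per-user client config by substituting the "username" token, and checking that the tls-auth key directions on the two sides are complementary (0 on the server, 1 on the client, as in the configs above). This is an added example and not the post's own scripts; the function names random_lan_subnet, gen_client_config and check_tls_auth_pair are my own, and the demo template at the bottom is constructed, not the post's client.conf.

```shell
#!/bin/sh
# Added example, not part of the original post or of openvpn-scripts.
# Function names are assumptions; they model what the post describes.

# Pick a random 10.X.Y.0/24 LAN subnet, as the post recommends, while
# avoiding 10.8.0.0/24, which server.conf above uses for the tunnel itself.
random_lan_subnet() {
    while :; do
        # two unsigned bytes from /dev/urandom, e.g. "  23 201"
        set -- $(od -An -N2 -tu1 /dev/urandom)
        x=$1; y=$2
        [ "$x" = 8 ] && [ "$y" = 0 ] && continue   # would collide with the tunnel net
        echo "10.$x.$y.0"
        return 0
    done
}

# Render a per-user client config from the template by replacing the literal
# token "username" (the post says openvpn-add-user does the same).  The name is
# validated first because it ends up inside the config and in file names.
gen_client_config() {
    template=$1
    user=$2
    case $user in
        ''|*[!A-Za-z0-9_-]*) echo "invalid user name: '$user'" >&2; return 1 ;;
    esac
    grep -q 'username' "$template" || { echo "no username placeholder in $template" >&2; return 1; }
    sed "s/username/$user/g" "$template"
}

# Print the key-direction argument of a config's tls-auth line
# ("none" if the argument is absent, "missing" if there is no tls-auth line).
tls_auth_direction() {
    awk '$1 == "tls-auth" { print ($3 == "" ? "none" : $3); found = 1 }
         END { if (!found) print "missing" }' "$1"
}

# tls-auth directions must be complementary (server 0 / client 1 or the
# reverse).  A pair using the same direction, or lacking tls-auth on one side,
# fails the HMAC check and every packet is silently dropped, so check before
# publishing credentials.
check_tls_auth_pair() {
    s=$(tls_auth_direction "$1")
    c=$(tls_auth_direction "$2")
    case "$s/$c" in
        0/1|1/0) return 0 ;;
        *) echo "tls-auth mismatch: server=$s client=$c" >&2; return 1 ;;
    esac
}

# Demo on a constructed template (not the post's client.conf).
demo_dir=$(mktemp -d)
printf 'cert username.crt\nkey username.key\ntls-auth server-ta.key 1\n' > "$demo_dir/client.conf"
printf 'tls-auth ta.key 0\n' > "$demo_dir/server.conf"
gen_client_config "$demo_dir/client.conf" alice
check_tls_auth_pair "$demo_dir/server.conf" "$demo_dir/client.conf" && echo "tls-auth directions OK"
echo "suggested LAN: $(random_lan_subnet)/24"
rm -rf "$demo_dir"
```

The user-name whitelist matters more than it looks: the name is spliced into a sed expression, into file names inside the credential zip and into the URL that gets mailed out, so anything beyond letters, digits, dash and underscore is rejected up front rather than sanitized later.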

Big Ideas for a Small Planet

Monday, November 16th, 2009

I like this series.

N-key rollover

Wednesday, November 11th, 2009

geekhack has the best article ever written on N-key rollover.  The issue is more complicated than one might think.

Coder Keymaps closed

Monday, November 9th, 2009

I've started Coder Keymaps a long time ago to create a special keyboard mapping that's the best for me.  That idea is to map Hungarian characters in a special way using the Windows key.  Take the standard US layout, keep a Windows key pressed and press an alphanumeric key which produces an accented character on Hungarian keyboards and voila: the key will produce the relevant Hungarian character.

That was the basic idea but I went further about two years ago when I realized that hand travel distance is much longer than it's supposed to be in many cases.  When writing code one's right hand must move often between the alphanumeric keypad and the navigational keypad.  To alleviate this problem I decided to map the whole navigational block to the alphanumeric block through the Windows key.

I've used the above configuration with great pleasure and it improved my efficiency for almost two years.  Unfortunately the X keyboard drivers must have changed in the last two Ubuntu releases, because my xmodmap keymaps stopped working.  I knew from the beginning that xmodmap is outdated and XKB is the future, but it wasn't really urgent to port Coder Keymaps to XKB, so I didn't do that.

Due to the pressing need to use my beloved mapping, I've made some efforts and had some online chats with Sergey Udaltsov, who is very knowledgeable about XKB.

Long story short, it seems that it's impossible to create such an exotic keymap on Linux.  Not that it's not possible to create it with XKB, but various GUI toolkits, such as GTK+, interpret the mappings in strange ways and the mapping wouldn't be consistent across toolkits.  I'm sure that this can be solved by modifying the X keyboard driver or the toolkits, but as you may suppose, it's heroic work.  Not only that, but this is an OS-specific problem and there are no standard solutions that truly work.

I finally decided to attack the problem differently by creating keyboard hardware that has limitless power regarding remapping.  It's actually not a new idea of mine; it's about two years old.  The prototype is in development and it's very innovative in many ways.  I've gathered a small but knowledgeable team and we're progressing rapidly.  I wanted to have a working prototype by the end of this year, but I'm not sure we'll get there in time, because rapid prototyping is expensive and the delivery of rare electronic components to Hungary takes time.  But no matter how long it takes, we'll never give up.

As a result of the above I don't wanna devote any more time to Coder Keymaps.  The project has been closed.

dr. Tóth András: Ősember a pénztárcámban

Monday, November 9th, 2009

Everyone who wants to improve their financial literacy should read this book.  It helped me a lot, that's for sure.

Mechanical keyboards galore

Sunday, November 8th, 2009

I've just found some fascinating resources regarding mechanical keyboards:

Supercharging storage space on the ASUS WL500GPV2 with OpenWrt

Saturday, November 7th, 2009

Lately I've extended my HOWTO on supercharging the storage space of your ASUS WL500GPV2 with OpenWrt.

I'm so delighted to make this work because from now on:

  • the whole root partition is able to store 8G - the size of the Kingston pendrive I've plugged in
  • the extension is completely transparent and it doesn't break the router on restart when the pendrive is not plugged in
  • everything is faster, including package management, because the CPU doesn't need to do any compression on JFFS

First I wanted to use JFFS instead of ext2 but smart folks told me that wear levelling is integrated into pendrives.  (JFFS can only be used with MTDs anyways.)

This hack has dozens of practical uses, such as doing any logging on the router or SCPing backups from external hosts to the router on a regular basis.

As I delve more and more deeply into OpenWrt, I start to realize how brilliant it is.  The use of SquashFS to store the image and the mini_fo'ed JFFS on top of it as a copy-on-write file system is the most advanced solution one could ever devise to maximize filesystem storage space.  It makes me laugh when I compare OpenWrt to the official firmware of the typical SOHO router.

Thanks for all the documentation on the net, especially for the Packages on external media HowTo.