My pretty face [ László Monda's Blog ]
Exploring the cyberspace, one quadrant at a time!
 

Archive for the 'My HOWTOs' Category

Installing cx_Oracle on Ubuntu Karmic Koala, 64 bit

Friday, January 29th, 2010

I'm using Oracle 10g, but you're free to download any other versions that you want.

# -O names the file properly; without it wget keeps the "?download" suffix and the rpm2cpio line below won't find the file.
wget -O cx_Oracle-5.0.2-10g-py26-1.x86_64.rpm 'http://prdownloads.sourceforge.net/cx-oracle/cx_Oracle-5.0.2-10g-py26-1.x86_64.rpm?download'
# We should use alien but it didn't work for me.
rpm2cpio cx_Oracle-5.0.2-10g-py26-1.x86_64.rpm | cpio -id
sudo cp usr/lib64/python2.6/site-packages/cx_Oracle.so /usr/lib/python2.6
# Go to the Oracle Instant Client download page and accept their fucking license, then download Instant Client Package - Basic for version 10.2.0.3, that is instantclient-basic-linux-x86-64-10.2.0.3-20070103.zip
unzip instantclient-basic-linux-x86-64-10.2.0.3-20070103.zip
sudo cp instantclient_10_2/{libclntsh.so.10.1,libnnz10.so} /usr/local/lib
sudo ldconfig

Installing proprietary shit like Oracle (and related software) is a bad experience far too often.

OpenVPN on OpenWrt

Sunday, November 22nd, 2009

cat >> /etc/firewall << END
iptables -t filter -A input_wan -p udp --dport 1194 -j ACCEPT
iptables -I INPUT   1 -i tun+ -j ACCEPT
iptables -I FORWARD 1 -i tun+ -j ACCEPT
iptables -I OUTPUT  1 -o tun+ -j ACCEPT
iptables -I FORWARD 1 -o tun+ -j ACCEPT
END

/etc/init.d/firewall restart

opkg install openvpn
# I don't wanna convert my OpenVPN config to UCI-like format so I just replace the default init script.
mv /etc/init.d/openvpn /etc/init.d/openvpn.orig

cat >/etc/init.d/openvpn <<END
#!/bin/sh /etc/rc.common

START=99

start() {
    openvpn --daemon --config /etc/openvpn/server.conf
}

restart() {
    stop
    sleep 3
    start
}

reload() {
    killall -SIGHUP openvpn
}

stop() {
    killall openvpn
}
END

chmod 755 /etc/init.d/openvpn

# Here, I copy my OpenVPN config to /etc/openvpn
/etc/init.d/openvpn start

# Thanks to the OpenVPN via TUN HowTo for the help. Enjoy!

Streamlined OpenVPN configuration for LANs

Friday, November 20th, 2009

I have a recurring task of setting up OpenVPN for the LANs of small enterprises and adding / removing users.  Usually they have a dumb little TP-Link or D-Link router facing the public Internet, we bring a relatively powerful PC to their office and my job is to configure the PC as an OpenVPN gateway (among other things).  OpenVPN traffic gets forwarded to our PC through the dumb little router using port forwarding.  Well, this is not particularly challenging to me, but I was looking for a way to automate this process as much as I can, because managing clients can be cumbersome.

Let's clarify the task at hand: an OpenVPN gateway has to be set up for a /24 LAN in order to provide access to all hosts on the LAN.  Privilege management will be implemented using PKI.  On top of that we'll use tls-auth, so the HMAC firewall will only answer packets whose signature is valid, thus effectively making the OpenVPN service undetectable by scanning techniques.

The LAN should reside on a class A private subnet (10.x.y.0/24) where x and y are chosen randomly, because that minimizes the probability of address collisions with other subnets used with OpenVPN.

First of all, for security reasons the PKI should not reside on the server on which the OpenVPN daemon runs.  I store it on my home partition, which is heavily encrypted and regularly backed up.  I create a directory under ~/openvpn for every OpenVPN installation, where I store the server and client configuration files and the PKI.  Only the needed files are transferred to the server or to the clients.

This post will describe the implementation of the above configuration and will provide a set of scripts to make the task very efficient.

1)  Set up the ~/openvpn infrastructure

mkdir ~/openvpn
cd ~/openvpn

# User credentials will be temporarily published under the directory below for the users to download.  This should be a trusted host.
# It probably goes without saying, but $PUBLISH_URL should not under any circumstances be listable by the web server.
cat >config <<END
PUBLISH_PATH=yourhost:/var/www/pki
PUBLISH_URL=http://yourhost.com/pki
END

wget http://monda.hu/releases/openvpn-scripts.tar.bz2
tar xjf openvpn-scripts.tar.bz2 -C ~/bin
rm openvpn-scripts.tar.bz2

2) Set up the server directory

cd ~/openvpn
mkdir SERVERNAME
cd SERVERNAME

3) Set up the PKI

mkdir easy-rsa
cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* easy-rsa
cd easy-rsa
# Edit all the KEY_* variables in ./vars so you won't have to type them anymore.
. ./vars
./clean-all
./build-ca
./build-key-server server
./build-dh
cd ..
mkdir ccd

4) Create server configuration

openvpn --genkey --secret ta.key

cat >server.conf << END
mode server
local 10.X.Y.Z
tls-server
dev tun
proto udp
port 1194
client-config-dir ccd
ifconfig 10.8.0.1 10.8.0.2
push "route 10.X.Y.0 255.255.255.0"
push "route 10.8.0.0 255.255.255.0"
route 10.8.0.0 255.255.255.0
keepalive 10 120
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
tls-auth ta.key 0
log server.log
verb 3
END

# This will be used by the synchronization script to rsync the configuration to the server through SSH.
echo SERVERHOSTNAME > server.hostname

5) Create general client configuration

# This is the client configuration from which all the individual client configurations will be generated.
# Don't touch "username", as it will be automatically replaced with the name of the relevant user during the generation process.

cat >client.conf << END
dev tun
proto udp
nobind
remote OPENVPN-GATEWAY-HOST 1194
client
ca server.crt
tls-auth server-ta.key 1
cert username.crt
key username.key
verb 3
END

6) Add users

openvpn-add-user username1
openvpn-add-user username2
...

# The configuration will be automatically transferred to the server.

7) Publish client credentials

openvpn-publish-user-credentials username1
openvpn-publish-user-credentials username2
...

# Which outputs something like this:
# User credentials are accessible from http://yourhost.com/pki/servername-username1-65378842373270.zip
# User credentials are accessible from http://yourhost.com/pki/servername-username2-10200344763221.zip
# ...

# These URLs are meant to be mailed to the relevant users and removed eventually.

8) Unpublish client credentials

openvpn-unpublish-user-credentials username1
openvpn-unpublish-user-credentials username2
...

# Which removes the relevant files from the server.

9) Revoke client credentials

openvpn-revoke-user-credentials username

# The configuration will be automatically transferred to the server.
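Step 5 says the generator replaces every "username" in client.conf with the real user name, and step 7 bundles the resulting files for download. The script below is an added example, not the openvpn-scripts from monda.hu: it performs that substitution with the user name validated first (it ends up in file names and inside a sed expression), and it checks that every file the generated config references (ca, cert, key, tls-auth) exists before anything is published. The function names, the OUTDIR layout and the demo template are assumptions.

```shell
#!/bin/sh
# Added example (not the author's openvpn-scripts): generate one client's
# OpenVPN config from the client.conf template the way step 5 describes.

# Reject names that are not safe as file-name components or sed replacements.
valid_username() {
    case "$1" in
        ""|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# gen_client_config TEMPLATE USER OUTDIR
# Writes OUTDIR/USER.conf with every "username" replaced and prints its path.
gen_client_config() {
    template=$1; user=$2; outdir=$3
    valid_username "$user" || { echo "invalid user name: $user" >&2; return 1; }
    [ -f "$template" ] || { echo "missing template: $template" >&2; return 1; }
    mkdir -p "$outdir"
    sed "s/username/$user/g" "$template" > "$outdir/$user.conf"
    echo "$outdir/$user.conf"
}

# check_client_files CONFIG DIR
# Every file the config references via ca/cert/key/tls-auth must exist in DIR
# before the credentials are zipped and published.  Returns 1 and lists the
# missing files otherwise.
check_client_files() {
    config=$1; dir=$2; missing=0
    # awk prints the file operand of the directives we care about
    for f in $(awk '$1=="ca"||$1=="cert"||$1=="key"||$1=="tls-auth" {print $2}' "$config"); do
        if [ ! -f "$dir/$f" ]; then
            echo "missing: $dir/$f" >&2
            missing=1
        fi
    done
    return $missing
}

# Demo on a constructed template (mirrors the post's client.conf) in a temp dir.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/client.conf" <<'EOF'
dev tun
proto udp
nobind
remote OPENVPN-GATEWAY-HOST 1194
client
ca server.crt
tls-auth server-ta.key 1
cert username.crt
key username.key
verb 3
EOF
    conf=$(gen_client_config "$tmp/client.conf" alice "$tmp/out")
    grep '^cert alice.crt$' "$conf"
    # Only the shared files exist yet, so the check reports alice.crt and alice.key.
    touch "$tmp/out/server.crt" "$tmp/out/server-ta.key"
    check_client_files "$conf" "$tmp/out" && echo "all files present" || echo "bundle incomplete"
    rm -rf "$tmp"
}

demo
```

The name check matters more than it looks: a user name containing "/" or ".." would otherwise become part of the output path, and "&" or "/" would change the meaning of the sed expression.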

How to watch Apple movie trailers on Linux, part 2

Saturday, October 24th, 2009

Apple has recently taken some countermeasures to block users who are not using the official QuickTime player to watch their movie trailers, such as Linux users. This bothered me deeply, since I've been watching those trailers for more than a year and would like to keep doing so.

I presumed that correctly downloading the movies required some user-agent-related masturbation, and Wireshark proved me right when I monitored HTTP on a Windows host. After that it wasn't a big deal to play an Apple trailer:

mplayer -cache 4048 -user-agent QuickTime/7.5 http://movies.apple.com/movies/disney/achristmascarol/achristmascarol-fte1_480p.mov

This is really nice, but I wanted it to work out of the box. Adding the user-agent option to an MPlayer or mplayerplug-in config file seemed like a viable option, but unfortunately mplayerplug-in didn't respect this option in any config file.

Fortunately I realized that the QuickTime user agent string is hardcoded in mplayerplug-in for apple.com as of the 2009-09-23 CVS.

Since the latest official release is very old, one has to build it from CVS:

sudo apt-get remove mozilla-mplayer
cvs -z3 -d:pserver:anonymous@mplayerplug-in.cvs.sourceforge.net:/cvsroot/mplayerplug-in co -P mplayerplug-in
cd mplayerplug-in
sudo apt-get install libxul-dev
GECKO_XPIDL=/usr/lib/xulrunner/xpidl ./configure
make
sudo cp mplayerplug-in*.so /usr/lib/mozilla/plugins
sudo mkdir -p /usr/lib/mozilla/components
sudo cp mplayerplug-in*.xpt /usr/lib/mozilla/components

You also need to set MPlayer's cache size so you won't only see the first few seconds of the movies but the rest as well.  Have this line in /etc/mplayerplug-in.conf:

cachesize=4092

Now restart Firefox and use my Greasemonkey script to make the Apple Trailer pages work with mplayerplug-in.

Enjoy the movies and have fun!

How to make WordPress formatting not suck

Sunday, October 4th, 2009

There are some text formatting misfeatures of WordPress that I'm sure many people like, but some techie folks, me included, hate them like the plague.

Here is how to get rid of them:

Let's make WordPress not suck!

How to make your mice last forever

Wednesday, August 19th, 2009

I have two Logitech MouseMan Dual mice which I bought almost 10 years ago. This model was far more expensive than its competitors and provided vastly superior usability, and I still love it, but time went by and its mechanics failed.

What do I mean by "mechanics"?  Well, considering that every recent mouse uses purely light (either optical or laser) for motion tracking, the only mechanical parts left in mice are the microswitches.  These switches are usually made by OMRON, and most of them can endure about 10 million operations, which may sound like a lot, but I guarantee you that it won't last more than several years of intensive use.  What I want to conclude is that the current design of mice is potentially incredibly durable, except for the microswitches.

Given the kind of green person I am and considering how much I hate planned obsolescence, I was thinking about how to maximize the lifetime of a mouse with minimal resources.  The operations below require a soldering station and a modest amount of soldering skill (or a friend who has the equipment and is willing to do the work for a beer).

1) Switch swap

Switches do not completely die from one moment to the next in my experience.  Usually you notice that drag and drop operations are hard to perform because the switch cannot operate correctly during sustained action.  Once you think about drag and drop and realize that only the left mouse button is used for it, and the others are not used for sustained operations, you immediately ask the question: why not swap them?

The middle and right buttons are very rarely used compared to the left button, so they can last about 10x (right button) to 100x (middle button) longer.  First, you can swap the left and middle buttons, and several years later you can swap the (then) left and right buttons.  This alone should give you 3x durability for no money!

2) Buying a new switch

Once it becomes inevitable, you have to buy a new microswitch eventually.  The challenge is that the exact switch model you need is probably not on the market by that time, because the manufacturer has obsoleted it.  However, it's probably possible to find another switch with almost identical dimensional and mechanical characteristics, so keep looking!  I'd really love to see a site listing all the microswitches that are on the market for various mouse models.

3) Designing a mouse for durability

Even though mouse manufacturers have no financial incentive to design a mouse for a lifetime, it's worthwhile to think about the issue.  Putting the microswitches into sockets for easy replaceability and providing replacement switches for sale and/or bundling a dozen of them with the mouse itself would solve the issue.

Enjoy and make your mouse last forever!

SMTP relaying with Postfix through GMail

Monday, August 17th, 2009

cat << END >> /etc/postfix/main.cf
smtp_sasl_auth_enable = yes
smtp_use_tls = yes
smtp_sasl_tls_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
relayhost = smtp.gmail.com
END

# sasl_passwd (and the sasl_passwd.db that postmap builds from it) holds the password in clear text; keep both readable by root only (mode 600).
echo "smtp.gmail.com youraccount@gmail.com:yourpassword" >> /etc/postfix/sasl_passwd
postmap /etc/postfix/sasl_passwd
/etc/init.d/postfix restart

Setting up HTTPS with Apache using a CAcert certificate

Monday, August 17th, 2009

openssl req -new -nodes -out yourdomain.com.csr -keyout yourdomain.com.pem
# Type your domain name into the Common Name field.
# yourdomain.com.pem is the unencrypted private key (-nodes): move it to /etc/apache2/ssl/ and keep it readable by root only.

# Log in to CAcert, go to Server Certificates > New, select "Sign by class 3 root certificate", hand over the CSR and get the CRT, which you should place on your server as /etc/apache2/ssl/yourdomain.com.crt

cat << END > /etc/apache2/sites-available/yourdomain.com
NameVirtualHost *:443
<VirtualHost *:443>
DocumentRoot /var/www
Options FollowSymLinks
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/yourdomain.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/yourdomain.com.pem
</VirtualHost>
END

a2ensite yourdomain.com
a2enmod ssl
apache2ctl restart
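Two checks worth running before a2ensite: that the CRT you got back from CAcert belongs to the key the CSR was generated from (the usual symptom of a mix-up is Apache refusing to start with a key/certificate mismatch), and that the key file is readable by root only. The script below is an added example, not part of the original post; the function names and the demo's throwaway self-signed certificate are assumptions, and the file names follow the post's /etc/apache2/ssl/yourdomain.com.{crt,pem}.

```shell
#!/bin/sh
# Added example (not from the post): sanity checks for an Apache SSL site
# before it is enabled.

# cert_matches_key CRT KEY
# Returns 0 when the RSA modulus in the certificate equals the one in the key,
# 1 when they differ, 2 when either file cannot be parsed.
cert_matches_key() {
    crt_mod=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 2
    key_mod=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null) || return 2
    [ "$crt_mod" = "$key_mod" ]
}

# key_is_private KEY
# Returns 0 when the key file is readable by its owner only (mode 600 or 400).
# GNU stat first, BSD/macOS stat as fallback.
key_is_private() {
    mode=$(stat -c %a "$1" 2>/dev/null) || mode=$(stat -f %Lp "$1" 2>/dev/null) || return 2
    case "$mode" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# check_ssl_site CRT KEY: run both checks and report; 0 only if both pass.
check_ssl_site() {
    rc=0
    if cert_matches_key "$1" "$2"; then
        echo "ok: $1 matches $2"
    else
        echo "FAIL: $1 does not belong to $2 (wrong CRT from CAcert, or wrong key?)" >&2
        rc=1
    fi
    if key_is_private "$2"; then
        echo "ok: $2 is readable by its owner only"
    else
        echo "FAIL: $2 is readable by others; chmod 600 it" >&2
        rc=1
    fi
    return $rc
}

# Demo with a constructed self-signed certificate (not one from CAcert) and a
# second, unrelated key that must be rejected.
demo() {
    tmp=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=yourdomain.com \
        -keyout "$tmp/yourdomain.com.pem" -out "$tmp/yourdomain.com.crt" 2>/dev/null
    openssl genrsa -out "$tmp/other.pem" 2048 2>/dev/null
    chmod 600 "$tmp/yourdomain.com.pem"
    check_ssl_site "$tmp/yourdomain.com.crt" "$tmp/yourdomain.com.pem"
    check_ssl_site "$tmp/yourdomain.com.crt" "$tmp/other.pem" || echo "mismatch detected as expected"
    rm -rf "$tmp"
}

if command -v openssl >/dev/null 2>&1; then demo; fi
```

Comparing the moduli is the classic way to pair an RSA certificate with its key; it works on the PKCS#8 key that `openssl req -nodes -keyout` writes as well as on traditional "RSA PRIVATE KEY" files.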

How to wake on LAN by hostname on OpenWrt

Monday, August 17th, 2009

opkg update
opkg install etherwake
opkg remove wol
# The quoted heredoc keeps $1 literal so it lands in the script unexpanded.
cat > /usr/bin/wol <<'END'
#!/bin/sh
# Look up the MAC address of the hostname given as $1 in /etc/ethers
# ("MAC hostname" per line) and send it a magic packet.
etherwake `grep " $1$" /etc/ethers | awk '{print $1}'`
END
chmod 755 /usr/bin/wol
wol yourhostname
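The one-line wol script above runs etherwake with an empty argument when the hostname isn't in /etc/ethers, and it doesn't skip comment lines. The script below is an added example, not from the post, with a stricter lookup: the hostname must match a whole field, comment lines are ignored, the result must look like a MAC address, and nothing is sent otherwise. The ethers path and the etherwake command are parameters so it can be tried on a constructed file; the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the post): a stricter /etc/ethers lookup for wake-on-LAN.

# mac_for_host ETHERS HOSTNAME
# Prints the MAC for HOSTNAME (exact match on the second field, comments
# skipped); returns 1 if there is no such entry.
mac_for_host() {
    awk -v h="$2" '
        /^[ \t]*#/ { next }                      # comment line
        NF >= 2 && $2 == h { print $1; found = 1; exit }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# looks_like_mac STRING: 0 for six colon-separated hex octets, 1 otherwise.
looks_like_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# wake_host ETHERS HOSTNAME [ETHERWAKE]
# Resolves HOSTNAME and runs ETHERWAKE (default: etherwake) with the MAC.
# Refuses to run it when the host is unknown or the entry is malformed.
wake_host() {
    mac=$(mac_for_host "$1" "$2") || { echo "wol: no MAC for $2 in $1" >&2; return 1; }
    looks_like_mac "$mac" || { echo "wol: malformed MAC '$mac' for $2" >&2; return 1; }
    "${3:-etherwake}" "$mac"
}

# Demo on a constructed ethers file; "echo" stands in for etherwake so the
# MAC is printed instead of a packet being sent.
demo() {
    tmp=$(mktemp -d)
    printf '# MAC               hostname\n00:11:22:33:44:55   nas\n' > "$tmp/ethers"
    wake_host "$tmp/ethers" nas echo
    wake_host "$tmp/ethers" printer echo || echo "nothing sent for unknown host"
    rm -rf "$tmp"
}

demo
```

On the router itself you would call `wake_host /etc/ethers "$1"` from /usr/bin/wol and let the default etherwake do the sending.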

Installing OpenWrt Kamikaze on the ASUS WL500GPV2

Monday, August 17th, 2009

I've been a big fan of OpenWrt for more than a year, since I got to know it.  I daydreamed about a powerful router that is fully controllable and runs Linux.  Little did I know back then about specialized Linux distributions running on routers. I can remember when I started to chat with my good friend Dömi about this topic and he immediately mentioned OpenWrt. Fast forward one month, and an ASUS WL500GPV2 was sitting on my desk running OpenWrt Kamikaze.

I'd like to mention that although I'll talk about the V2, I wish I had bought the V1, because that's much more hackable. You can upgrade its memory and/or replace its Mini PCI WiFi card, but you can't do that with the V2, unfortunately.

The reason I put this guide together is that I wanted a detailed configuration guide on the topic, because it's quite demanding to rebuild my mental model of how things work after some months. Be aware that this HOWTO is not for the faint of heart. I assume you know what you're doing.

1) Download the firmware

wget http://downloads.openwrt.org/snapshots/trunk/brcm-2.4/openwrt-brcm-2.4-squashfs.trx

2) Set up localhost to hang on the 192.168.1.x subnet

sudo ifconfig br0 down  # in case you use VirtualBox host networking
sudo brctl delbr br0  # also for VirtualBox
sudo ifconfig eth1 192.168.1.2

3) Flash the router firmware

# Boot the router into diagnostic mode by pressing the reset button right after a restart. Wait until the power LED starts blinking.
atftp --trace --option "timeout 1" --option "mode octet" --put --local-file openwrt-brcm-2.4-squashfs.trx 192.168.1.1
# Wait at least half a minute, otherwise the router won't get flashed properly and boots into diagnostic mode again.

4) Set up SSH public key authentication

# Power the router off and on and wait for it to boot, which takes about half a minute.
telnet 192.168.1.1
passwd
# At this point telnetd gets stopped and the dropbear sshd gets started.
exit
scp ~/.ssh/id_rsa.pub root@192.168.1.1:/etc/dropbear/authorized_keys
ssh root@192.168.1.1

5) Set up WAN connection

# Use this for cable modem connections:
uci set network.wan.proto=dhcp

# Use this for ADSL connections:
uci set network.wan.proto=pppoe
uci set network.wan.username=yourusername
uci set network.wan.password=yourpassword

# Let's commit the changes finally:
uci commit network
ifup wan
reboot  # If the WAN connection is still down at this point.

6) Set up WiFi connection

uci set wireless.wl0.disabled=0
uci set wireless.@wifi-iface[0].ssid=yourssid
uci set wireless.@wifi-iface[0].encryption=psk2
uci set wireless.@wifi-iface[0].key=yourpassword
uci commit wireless
wifi

7) Install packages

opkg update
opkg install mc ndyndns etherwake ntpclient openvpn kmod-fs-ext2 fdisk e2fsprogs kmod-usb2 kmod-usb-storage nmap
# Here you can remove every luci-related package if you don't need the web interface.

8) Restore configuration

# It's pretty easy to restore the configuration from a backup once you have made one like this:
ssh your-router 'tar czf - /etc /root' > kamikaze-backup-`date +%Y-%m-%d_%H-%M-%S`.tar.gz

9) Supercharge storage space

# Plug in the pendrive.
mkfs.ext2 /dev/scsi/host0/bus0/target0/lun0/part1
mount /dev/scsi/host0/bus0/target0/lun0/part1 /mnt
cp -a /bin /etc /home /lib /root /sbin /usr /www /mnt
mkdir /mnt/dev /mnt/jffs /mnt/mnt /mnt/proc /mnt/rom /mnt/sys /mnt/tmp /mnt/var
umount /mnt

cat <<END >/etc/config/bootfromexternalmedia
config bootfromexternalmedia
    option target   '/mnt'
    option device   '/dev/scsi/host0/bus0/target0/lun0/part1'
    option modules  'usbcore ehci-hcd scsi_mod sd_mod usb-storage jbd ext2'
    option enabled  '1'
END
cat <<END >/sbin/init.new
#!/bin/sh
. /etc/functions.sh
config_load "bootfromexternalmedia"
local section=\$CONFIG_SECTION
config_get      "target"   "\$section" "target"
config_get      "device"   "\$section" "device"
config_get      "gpiomask" "\$section" "gpiomask"
config_get      "modules"  "\$section" "modules"
config_get_bool "enabled"  "\$section" "enabled" '1'
[ "\$enabled" -gt 0 ] && {
    [ -n "\$gpiomask" ] && {
        echo "\$gpiomask" > /proc/diag/gpiomask
    }
    for module in \$modules; do {
        insmod \$module
    }; done
    sleep 5s
    mount -o rw "\$device" \$target
    [ -x \$target/sbin/init ] && {
        . /bin/firstboot
        pivot \$target \$target
    }
}
exec /bin/busybox init
END

chmod a+x /sbin/init.new
ln -f -s /sbin/init.new /sbin/init
reboot