Archive for September, 2010

Simple ISO Image Creator For OS X

| September 28th, 2010

I needed to convert CDs to ISO images for use in my VirtualBox VMs. There are many tutorials and applications out there to do just this, but none I found was as simple as ISOlater. I originally tried using hdiutil (like this guy), but the ISO image would not mount for me after I created the file. ISOlater is a nice, simple drag-and-drop solution and worked for me without any issues. The program is written in AppleScript with a wrapper application and calls dd and hdiutil. Check it out here:

Masquerade NAT OpenVPN

| September 23rd, 2010

Not a full tutorial, but pointers to how I set up masquerade NAT over OpenVPN.

Primary Reading:

OpenVPN host: has a network that needs to be NATed into the OpenVPN client's network. Internal IP:; VPN IP:
OpenVPN client: NATs into its internal network(s). VPN IP:; Internal network:

You HAVE to use client/server (TLS) mode – no static keys and no bridging, because per-client config (ccd/iroute) only exists in TLS mode. So you have to use TUN (which makes sense, since you're doing routing here).

Start simple: get the host talking to the client's internal network first, then add the rest of the network. Diagnose the small pieces before checking whether the whole thing works.

OK, finally, the commands needed:

You definitely need to set client-config-dir (ccd) and iroute. In the example, set in server.conf:

push “route″

In ccd/client, place:

iroute # lets OpenVPN know to route packets for this network to this client

That's all you should have to do in OpenVPN (the OpenVPN HOWTO also adds a matching route line for the client's network to server.conf, so the server's kernel sends those packets into the tunnel; iroute then tells OpenVPN which client they belong to). The rest is routing… Let's start on the client…

Enable net.ipv4.ip_forward=1 in /etc/sysctl.conf (and, if you don't want to restart, echo 1 > /proc/sys/net/ipv4/ip_forward).

Add the masquerading rule to iptables:

iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface eth1 -j ACCEPT

Ping a client internal IP address (such as) from the OpenVPN host, then troubleshoot, troubleshoot, troubleshoot…

After you get that going, let's allow the whole OpenVPN host network to talk to the client network. Enable IP forwarding on the OpenVPN host with the same net.ipv4.ip_forward=1 in /etc/sysctl.conf (and, if you don't want to restart, echo 1 > /proc/sys/net/ipv4/ip_forward).

On your router (in network), add a static route such as:

network: netmask: gateway:

Test from another computer and that should conclude the setup… It annoyingly took me several hours to arrive at these very simple commands.

Of course, don't use 192.168.x.x: it's just too crowded and you risk overlaps unless you know for sure nobody will ever connect remotely from a public network that uses one of these ranges. You are better off with a seldom-used private block such as
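To make the pieces above concrete, here is an added Python example (not code from the original post, which elided its addresses). Given the three networks involved it refuses to continue if any two overlap, the trap the last paragraph warns about, and otherwise emits the server.conf lines, the ccd/ file, the client-side forwarding and masquerade commands, and the return routes for the router. All addresses, the client CN and the interface name are assumptions; the route line in server.conf follows the OpenVPN HOWTO's iroute example, and the FORWARD rules are narrower than the single rule above (tunnel to LAN plus established replies only).

```python
"""Plan and sanity-check a routed (TUN) OpenVPN link with a NATing client site.

Added example, not the original post's code. The addresses are constructed.
"""
import ipaddress

# Constructed example addresses (assumptions, not the post's real ones).
EXAMPLE = {
    "vpn_net": "10.8.0.0/24",       # tunnel network handed out by 'server'
    "server_lan": "10.20.0.0/24",   # LAN behind the OpenVPN host
    "client_lan": "10.30.0.0/24",   # LAN behind the NATing client
    "client_cn": "branch-client",   # client cert CN = file name under ccd/
    "server_lan_ip": "10.20.0.5",   # OpenVPN host's address on its LAN
}


def find_overlaps(*cidrs):
    """Return every pair of networks that overlap.

    Routing over the tunnel only works if the tunnel, the server LAN and the
    client LAN are disjoint; overlapping 192.168.x.x blocks break this.
    """
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    return [(str(a), str(b))
            for i, a in enumerate(nets)
            for b in nets[i + 1:]
            if a.overlaps(b)]


def net_mask(cidr):
    """'10.8.0.0/24' -> '10.8.0.0 255.255.255.0' (the form OpenVPN wants)."""
    n = ipaddress.ip_network(cidr, strict=True)
    return f"{n.network_address} {n.netmask}"


def route_cmd(cidr, gateway):
    """net-tools style static route for the LAN-side router."""
    n = ipaddress.ip_network(cidr, strict=True)
    return f"route add -net {n.network_address} netmask {n.netmask} gw {gateway}"


def plan_routes(vpn_net, server_lan, client_lan, client_cn, server_lan_ip,
                client_lan_if="eth0"):
    """Produce the config fragments for each box, refusing overlapping nets."""
    clashes = find_overlaps(vpn_net, server_lan, client_lan)
    if clashes:
        raise ValueError(f"overlapping networks: {clashes}")
    if ipaddress.ip_address(server_lan_ip) not in ipaddress.ip_network(server_lan):
        raise ValueError("server_lan_ip must lie inside server_lan")

    server_conf = [
        f"server {net_mask(vpn_net)}",
        "client-config-dir ccd",
        # every client learns the route to the server's LAN (TLS mode only)
        f'push "route {net_mask(server_lan)}"',
        # kernel route on the server: send client-LAN traffic into the tunnel
        f"route {net_mask(client_lan)}",
    ]
    # ccd/<CN>: iroute tells OpenVPN *which* client owns that network
    ccd = {f"ccd/{client_cn}": [f"iroute {net_mask(client_lan)}"]}

    client_cmds = [
        "sysctl -w net.ipv4.ip_forward=1",
        # hide every tunnel source (VPN and server-LAN hosts) behind the
        # client's own LAN address, so LAN hosts need no route back
        f"iptables -t nat -A POSTROUTING -o {client_lan_if} -j MASQUERADE",
        # forward tunnel -> LAN and the replies, nothing else
        f"iptables -A FORWARD -i tun0 -o {client_lan_if} -j ACCEPT",
        f"iptables -A FORWARD -i {client_lan_if} -o tun0 "
        "-m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
    # the server-side router needs return paths via the OpenVPN host
    router_routes = [route_cmd(vpn_net, server_lan_ip),
                     route_cmd(client_lan, server_lan_ip)]
    return {"server.conf": server_conf, **ccd,
            "client shell": client_cmds, "router": router_routes}


if __name__ == "__main__":
    for where, lines in plan_routes(**EXAMPLE).items():
        print(f"--- {where}")
        print("\n".join(lines))
```

Run it to print the fragments; feeding it the same block on both ends (say 192.168.1.0/24 twice) makes plan_routes raise before anything gets written to a config.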

Such a pity (and no wonder they disbanded): I was working with OpenSolaris sendmail, trying to configure it to work with a smarthost that required authentication, and found out there is no SASL auth support in the default sendmail binary. Looks like you have to compile it yourself… I didn't, but this guy seems to have made it work.

OpenVPN TAP Bridge

| September 4th, 2010

Again, we assume you have the initial config working.

We’ll be creating a bridge from the client to the local network.

First make sure bridge-utils is installed:

sudo apt-get install bridge-utils
Let's get that default config file out again:
sudo bash -c 'gzip -dc /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/bridge-vpn.conf'
sudo cp /usr/share/doc/openvpn/examples/sample-scripts/bridge-* /etc/openvpn/

Like the other site-to-client (road warrior) config, you need to enable ip_forward; refer to my previous post.

Configure bridge-vpn.conf and change the following:

#vim syntax :-)
:%s/dev tun/dev tap0/cg
# for example, server-bridge

Edit bridge-start, setting the same VPN server IP, netmask, and broadcast address in that file. I had to add to the end of the script:

route del $gw
route del default gw $gw $eth
route add default gw $gw $br

because my routing table was empty when br0 came online; I don't know why.

I also added service network-manager restart to bridge-stop to restore my eth0 settings.

After this, I created a client.conf and the appropriate client keys and set dev tap there too (both ends must use the same device type). I connected to the system and voilà! Pinging other computers on the local network works.

Original Reference: OpenVPN Ethernet Bridging

This post assumes you have a working VPN connection as outlined in my last post and that you are using a TUN device. A properly set up TAP (bridged) VPN puts the client on the same network segment as the VPN server host, so none of this routing is needed there.

Site to Client (Road Warrior) Setup:

First thing to do is make sure IP forwarding (ip_forward) is enabled on the server:

grep ip_forward /etc/sysctl.conf # Ubuntu (maybe Debian-specific?); it's somewhere else on Red Hat and other distros

If it is not enabled, enable it there and apply it right away with

echo 1 > /proc/sys/net/ipv4/ip_forward

(or sysctl -p); otherwise you'd have to restart your system for the /etc/sysctl.conf setting to take effect.

Next, add push "route MYNETWORK MYSUBMASK" to server.conf, for example push "route″ if you are using PKI.

This will NOT work if you're using a static key, because static-key clients do not honor push (push only exists in TLS mode). If you're using a static key, add route MYNETWORK MYSUBMASK to client.conf instead.

You're done if the VPN server also happens to be your network's default gateway/router, such as a DD-WRT, IPCop, or pfSense box. If, like me, your VPN server is a different machine from your router, go into your router and add a route so that return traffic can reach your client. The interface names differ, but you effectively have to add:

route add -net VPNNETWORK netmask VPNSUBMASK gw VPNSERVERIP dev lan0

Ping an internal LAN IP address from a VPN client and it should work. If not, double-check your routes and make sure there is a path to the internal network and back to the client. Remember, even if a connection starts from the client, it is still two-way: there has to be a path for packets to be sent back to the client (unless you only want to send ping requests and never get replies!).

OpenVPN Installation

| September 3rd, 2010

UPDATE: I realize I cannot cover everything in one post, so I'm breaking my OpenVPN discussion into several sessions as I work on OpenVPN. This first session is just about installing and connecting client(s) to one server, without any routing.

I keep forgetting how to configure OpenVPN and it's so annoying reading the same HOWTO a dozen times! The problem is I only set up a VPN once a year and forget it afterwards, so this post is partially for my own reference.

sudo apt-get install openvpn

Decision #1 (of many!): PKI (Public Key Infrastructure) or static keys.

PKI: more complex to set up, but more secure (per-client certificates that can be revoked individually); supports multiple clients
Static: very simple to set up (one command), but weak: a single pre-shared key with no forward secrecy, so anyone who obtains static.key can decrypt all traffic, including captured past sessions; only supports one client

Static Keys Setup:

The OpenVPN static-key tutorial is simple enough to follow, so I am just going to link it here. You can add options such as port 443, proto tcp-server and route, but be warned! Push does not work from the server: it requires TLS mode, which is not available with a static key. I wasted some time trying to debug this, wondering why my push commands were not being honored, until I explicitly placed pull in the client config and found out:

Options error: Parameter --pull can only be specified in TLS-mode, i.e. where --tls-server or --tls-client is also specified.
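The two mistakes that cost time in these posts (pushing options from a static-key server, and a tun/tap mismatch like the bridge post's server on tap0 with a client on tun) are both visible from the config files alone. This added Python example, not the project's or the post's own code, parses a server/client pair and flags them before you start the daemon; the sample configs are constructed, and inline <ca>…</ca> key blocks are assumed absent (keys in separate files, as in these posts).

```python
"""Lint an OpenVPN server/client config pair for push-vs-static-key and
tun/tap mismatches. Added example; the sample configs are constructed."""
import shlex


def parse_conf(text):
    """Parse an OpenVPN config into {directive: [[args], ...]}.

    Handles '#'/';' comment lines, trailing '#' comments and the quoting used
    by push. Inline <ca>...</ca> style blocks are skipped (assumption: keys
    live in separate files here).
    """
    opts, in_block = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if in_block:
            in_block = not line.startswith("</")
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("<"):
            in_block = True
            continue
        parts = shlex.split(line, comments=True)
        if parts:
            opts.setdefault(parts[0], []).append(parts[1:])
    return opts


def dev_type(opts):
    """Return 'tun' or 'tap' for a parsed config, or None if not set."""
    if "dev-type" in opts:
        return opts["dev-type"][0][0]
    for args in opts.get("dev", []):
        for kind in ("tun", "tap"):
            if args and args[0].startswith(kind):
                return kind
    return None


def is_tls_mode(opts):
    """server/server-bridge/client imply TLS mode; 'secret' is static-key mode."""
    return any(k in opts for k in
               ("server", "server-bridge", "client", "tls-server", "tls-client"))


def lint_pair(server_text, client_text):
    """Return a list of problems found in a server/client config pair."""
    s, c = parse_conf(server_text), parse_conf(client_text)
    problems = []
    if "secret" in s and "push" in s:
        problems.append("server: push is ignored in static-key mode; "
                        "put 'route ...' in client.conf instead")
    if "secret" in c and ("pull" in c or "client" in c):
        problems.append("client: pull/client need TLS mode, not a static key")
    if ("secret" in s) != ("secret" in c):
        problems.append("one side uses a static key and the other does not")
    if is_tls_mode(s) and "client" not in c:
        problems.append("client: TLS server expects 'client' (tls-client + pull)")
    sd, cd = dev_type(s), dev_type(c)
    if sd and cd and sd != cd:
        problems.append(f"dev mismatch: server is {sd}, client is {cd}")
    return problems


# Constructed sample configs (assumptions) reproducing the mistakes above.
STATIC_SERVER = """
dev tun
secret static.key
push "route 10.20.0.0 255.255.255.0"   # silently ignored without TLS
"""
STATIC_CLIENT = """
dev tun
secret static.key
"""
BRIDGE_SERVER = """
dev tap0
server-bridge 10.20.0.5 255.255.255.0 10.20.0.100 10.20.0.120
ca ca.crt
cert server.crt
key server.key
"""
TAP_CLIENT_WRONG = """
client
dev tun
ca ca.crt
cert client.crt
key client.key
"""

if __name__ == "__main__":
    for pair in ((STATIC_SERVER, STATIC_CLIENT), (BRIDGE_SERVER, TAP_CLIENT_WRONG)):
        print(lint_pair(*pair) or ["ok"])
```

Running it reports the ignored push for the static pair and the tap/tun mismatch for the bridge pair; change the client to dev tap and the second report goes away.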

Public Key Infrastructure (PKI) Setup:

# set up the CA & key-generating machine
sudo mkdir /etc/openvpn/easy-rsa/
sudo cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
sudo chown -R bashusr: /etc/openvpn/easy-rsa # bashusr = the user who will run the scripts below

# create keys
cd /etc/openvpn/easy-rsa
vi vars # set defaults for state, country, email, etc. (KEY_SIZE=2048 gives a stronger dh file than dh1024.pem)
source ./vars
./clean-all # creates an empty keys/ directory; never re-run it on a live CA, it wipes every key
./build-ca # the CA key signs everything the server will trust; keep it off the VPN server if you can
./build-key-server server

./build-key no_password_client
./build-key-pass client_with_password
./build-dh # produces keys/dh1024.pem (dh2048.pem with KEY_SIZE=2048; adjust the dh line in server.conf)

cd keys
sudo cp ca.crt server.crt server.key dh1024.pem /etc/openvpn/

# each client gets the CA cert plus only its own cert and key
scp ca.crt no_password_client.crt no_password_client.key remoteclient:/etc/openvpn/

# you can find this configuration file online here too
sudo bash -c 'gzip -dc /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf'

Choices, choices… At this point you (or I?) have to decide between Ethernet bridging and routing; here's a simple rundown:

TUN: IP routing (different subnets); good for site-to-site, client-to-site, or site-to-client connections

TAP: Ethernet bridging (same subnet); good for client-to-site, simplified setup (setup instructions)

(Note to self: you'll need TUN if you want to do any routing!)

Go through the config file, reading the description of each line. Remember, this is just a reference… you should have a general idea of what you want to do with the IP addresses; if not, read the full HOWTO! You shouldn't be here! After you're done, create a corresponding client.conf and install it on the client. Then test the configuration using:

openvpn --config CONFIGFILE.conf

If the connection establishes, you're all set! Now, if you're behind a router, make sure you forward the appropriate port (UDP 1194 by default) so you can connect from outside your network. Also set up the service so it runs automatically at startup (on Ubuntu you don't have to do anything; the init script starts every /etc/openvpn/*.conf):

/etc/init.d/openvpn start

Stay tuned for future posts on VPN routing…

I was annoyed that my Solaris system was not registering the hostname I set in /etc/nodename when getting a DHCP address. Turns out nodename is only used locally and is not sent to the DHCP server (which really doesn't make sense to me). You have to enable DHCP to register the hostname and set the hostname in a different file. I would expect this task to be easy to find on Google, but it took me a while! Maybe my search-engine skills aren't as good as they used to be, but I'll post this here so others can find it more easily.

Registering a Hostname through DHCP from Solaris

Quick howto to set up the NTP service on Solaris 10:

vi /etc/inet/ntp.client

remove the existing server line and add the servers below (or your own):


:wq /etc/inet/ntp.conf # save the edited template as ntp.conf, the file the service actually reads

svcadm enable ntp


If svcs ntp shows the service in maintenance, check /var/svc/log/network-ntp* to see what went wrong and fix it. After that, run:

svcadm clear ntp

and that should get you up and running…

After 10-15 minutes, run

ntpq -p

and make sure one of the entries has a * in front of it. If so, your clock is being synchronized to that server and you're all set (a stratum of 16 or a reach of 0 on every line means the servers were never reached).
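Reading the ntpq -p table by eye is error-prone, so here is an added Python example (not from the original post) that parses it and applies the check above: is there a * (or o) peer, and do the others look healthy? The two sample dumps are constructed, in the column layout ntpq prints; the server names are placeholders.

```python
"""Parse 'ntpq -p' output and decide whether the clock is actually synced.
Added example; the sample output below is constructed."""

# Tally codes from ntpq(1): '*' = system peer (the one we sync to),
# 'o' = PPS peer, '+' = candidate, '-' = outlier, 'x' = falseticker,
# ' ' = rejected or unreachable
TALLY = {"*": "syspeer", "o": "pps", "+": "candidate", "#": "backup",
         "-": "outlier", "x": "falseticker", ".": "excess", " ": "rejected"}

COLS = ("remote", "refid", "st", "t", "when", "poll", "reach",
        "delay", "offset", "jitter")

SAMPLE_SYNCED = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ntp1.example.net 192.0.2.10       2 u   39   64  377   12.345    0.512   0.203
+ntp2.example.net 192.0.2.11       2 u   41   64  377   15.002   -0.901   0.340
 ntp3.example.net .INIT.          16 u    -   64    0    0.000    0.000   0.000
"""

SAMPLE_NOT_SYNCED = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 ntp1.example.net .INIT.          16 u    -   64    0    0.000    0.000   0.000
"""


def parse_ntpq(text):
    """Return one dict per peer line; the header and ruler are skipped."""
    peers = []
    for line in text.splitlines():
        if not line or line.startswith("=") or line.lstrip().startswith("remote"):
            continue
        fields = line[1:].split()          # column 0 is the tally code
        if len(fields) != len(COLS):
            continue                       # unexpected line: ignore, don't guess
        peer = dict(zip(COLS, fields))
        peer["tally"] = TALLY.get(line[0], "unknown")
        peer["st"] = int(peer["st"])
        peer["reach"] = int(peer["reach"], 8)   # octal shift register of the last 8 polls
        peer["offset"] = float(peer["offset"])
        peers.append(peer)
    return peers


def sync_status(text):
    """Return (synced, selected_peer, warnings) for an ntpq -p dump."""
    peers = parse_ntpq(text)
    warnings = []
    selected = next((p for p in peers if p["tally"] in ("syspeer", "pps")), None)
    for p in peers:
        if p["st"] == 16:
            warnings.append(f"{p['remote']}: stratum 16, unreachable or not synced itself")
        elif p["reach"] != 0o377:
            warnings.append(f"{p['remote']}: reach {p['reach']:o}, some polls lost")
    if selected is None:
        warnings.append("no '*' peer yet: wait 10-15 minutes, then check "
                        "/var/svc/log/network-ntp* if it never appears")
    return selected is not None, selected, warnings


if __name__ == "__main__":
    for sample in (SAMPLE_SYNCED, SAMPLE_NOT_SYNCED):
        ok, peer, warns = sync_status(sample)
        print("synced to", peer["remote"] if ok else None, warns)
```

Pipe real output in with sync_status(subprocess.check_output(["ntpq", "-p"], text=True)) once the service is up; a peer at stratum 16 with refid .INIT. is one that never answered, usually a firewall or a typo in ntp.conf.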

Debugging SMTP Servers

| September 2nd, 2010

I had to set up some Postfix and sendmail servers today and needed to debug them by hand to see whether they worked.

If you're using sendmail, you can use sendmail -v; it gives nice output of all the raw SMTP communication.

Postfix unfortunately doesn't have this, so I had to test manually. This tutorial proved useful for testing my relayhost using AUTH PLAIN.

I used these two howtos on setting up Postfix and sendmail with a mail relay using an AUTH method. For the Postfix tutorial, I don't know if you need to add smtp_always_send_ehlo = yes or smtp_sasl_security_options = noanonymous, but I could be wrong.
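When testing a relayhost by hand the fiddly part is the AUTH PLAIN line itself (a base64 of NUL-separated fields) and remembering that PLAIN sends the password in the clear unless STARTTLS came first. This added Python example, not code from the post or the tutorials it links, builds and decodes that token and checks an EHLO reply for what the relay offers; the EHLO reply is constructed and the hostname is a placeholder.

```python
"""Build the AUTH PLAIN line for a manual SMTP test and check the EHLO reply.
Added example; the EHLO reply below is constructed."""
import base64


def auth_plain_token(username, password, authzid=""):
    """RFC 4616 PLAIN credential: authzid NUL authcid NUL password, base64."""
    for part in (authzid, username, password):
        if "\0" in part:
            raise ValueError("NUL is the field separator and cannot appear in a field")
    raw = f"{authzid}\0{username}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_auth_plain(token):
    """Inverse of auth_plain_token, for reading a captured AUTH line."""
    fields = base64.b64decode(token).decode("utf-8").split("\0")
    if len(fields) != 3:
        raise ValueError("PLAIN token must have exactly three NUL-separated fields")
    return tuple(fields)


def parse_ehlo(reply):
    """Turn a multi-line 250 EHLO reply into {KEYWORD: [params]}."""
    caps = {}
    for i, line in enumerate(reply.replace("\r\n", "\n").splitlines()):
        if not line.startswith("250"):
            raise ValueError(f"unexpected EHLO reply line: {line!r}")
        if i == 0:
            continue          # first line is the server's greeting, not a capability
        words = line[4:].split()
        if words:
            caps[words[0].upper()] = words[1:]
    return caps


def check_relay(caps, tls_active=False):
    """Findings a relay client should act on before sending AUTH PLAIN."""
    findings = []
    mechs = [m.upper() for m in caps.get("AUTH", [])]
    if not mechs:
        findings.append("server offers no AUTH: smtp_sasl_auth_enable will fail")
    elif "PLAIN" not in mechs and "LOGIN" not in mechs:
        findings.append(f"no PLAIN/LOGIN offered, only {mechs}")
    if ("PLAIN" in mechs or "LOGIN" in mechs) and not tls_active:
        if "STARTTLS" in caps:
            findings.append("plaintext mechanisms before STARTTLS: issue STARTTLS first "
                            "(postfix: smtp_tls_security_level = encrypt)")
        else:
            findings.append("PLAIN/LOGIN with no STARTTLS: the password crosses the wire "
                            "in the clear; set smtp_sasl_security_options = "
                            "noanonymous, noplaintext or pick another relay")
    return findings


def auth_line(username, password):
    """The exact line to type after STARTTLS in a manual session."""
    return f"AUTH PLAIN {auth_plain_token(username, password)}"


# Constructed EHLO reply (assumption): the shape a relayhost would send.
SAMPLE_EHLO = ("250-relay.example.net Hello client\r\n"
               "250-STARTTLS\r\n"
               "250-AUTH PLAIN LOGIN\r\n"
               "250 8BITMIME")

if __name__ == "__main__":
    caps = parse_ehlo(SAMPLE_EHLO)
    print(caps, check_relay(caps), auth_line("user", "pass"), sep="\n")
```

Note that many relays only advertise AUTH after STARTTLS, so re-issue EHLO once TLS is up and parse that second reply; the token the server expects is the same either way.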

Updating MacPorts

| September 2nd, 2010

To save me from reading the man page again… To update all MacPorts programs, do the following:

sudo port -v selfupdate
port list outdated # get a list of what is outdated (just out of curiosity; not necessary; port outdated does the same)
sudo port upgrade -v outdated

Why they couldn't just make this one simple command like port upgradeall, I do not know.