Me in IT UNIX/Linux consultancy

I have an existing network at home, but would like to be able to connect to it using a VPN every now and then. This enables me to access the fileserver, printer and so on.

My network contains an Apple Time Capsule as a nat router, an ethernet modem provided by my cable company Ziggo and devices such as laptops, that use the network.

A Soekris box I had lying around meets all requirements perfectly for a VPN-server. Here is how to set it up.

1. Forward UDP port 1194 from your router to your soekris box.

This one is easy enough, on Apple Mac OS X and a Time Capsule (or Airport Express) open AirPort Utility on your Mac, select the Time Capsule, click Manual Setup.
Go to Internet - NAT
Select the box "Enable NAT Port Mapping Protocol" and click on "Configure Port Mappings..."

Click on the "+" to add a portmapping. OpenVPN uses UDP port 1194, so map it from the "Public UDP Port(s)" to the "Private UDP Port(s)" on the "Private IP Address" of your soekris box. Fill in "OpenVPN" in the next "Description" field.

Finish your router configuration by pressing "Update". N.B. The network connection will be gone for a minute or two.

2. Install OpenVPN

I assume OpenBSD is already running on your Soekris box, otherwise check out how to install your soekris box with OpenBSD.
Add the package "openvpn". A dependency "lzo" will be added automatically.

3. Configure OpenVPN

Create a directory /etc/openvpn/keys:

And create the file /etc/openvpn.conf with this content:

4. Create OpenSSL certificates

This is quite an abstract step. It boils down to this: on the server you will create a certificate authority (ca) key and certificate, also you will create a key and certificate for each client connecting and sign them using your newly create certificate authority. The certificate from the certificate authority (ca.crt) and client (client1.crt) and the key for the client (client1.key) will be distributed to all clients. That's a mouth full, but here is how to do it in steps:

N.b. Please change the KEY_ values to match your personal settings.

Now execute these steps, as stolen from The OpenVPN homepage.

Once again; send the newly created file /etc/openvpn/keys/ca.crt, /etc/openvpn/keys/client1.crt and /etc/openvpn/keys/client1.key to the machine using the vpn connection.

5. Configure the OpenBSD Packet Filter

This step enables client to reach your local network using network address translation. At the bare minimum, add this rule to your pf configuration in /etc/pf.conf

sis0 is a physical interface that connects the Soekris box to my local area network.

Also, make sure the packet filter is enabled and is using your pf.cofn

And finally make sure it works after a reboot:

6. Start OpenVPN on the server

Wow, almost there, let's start the software:

Some debugging information will scroll down your screen.

7. Make sure OpenVPN starts at boot time

Add these lines to your /etc/rc.local.

8. Configure the client(s)

I use Mac OS X to connect to OpenVPN. You will have to install some extra software, your choices are:

• Tunnelblick - (Free) Tunnelblick is a ready-to-use graphical OpenVPN client for Mac OS X
• Viscosity - is an OpenVPN client for Mac, providing a rich Cocoa graphical user interface for creating, editing, and controlling VPN connections.

For now I am using the trail version of Viscosity because it looks great. Check out the screenshots below.

When you have setup an LVS you will need to administer it. Here are the tools you can use.

Discover what machine is the master.

Log in to both boxes and issue the command:

A list of active services and it's IP-addresses will be printed on the active master.

Or, check /var/log/messages for a line like this:

This clearly shows you the machine is a backup.

Failover from one machine to another.

You could simple reboot the active machine. Otherwise, stop the service pulse for a moment on the active server. The backup will discover this and configure the floating IP.
On the active machine, issue:

Add/delete a Virtual Service or Real Server.

Use the piranha web interface, located on port 3636 of either one of the load balancers. Remember to copy /etc/sysconfig/ha/lvs.cf to the backup machine as well.
After you have altered the configuration, restart pulse on the active machine. (Be aware; this makes services unavailable for a couple of seconds.

There are quite a few howto's for LVS, but all of them are quite extensive. To be honest; you'll need to read them at some point, but for now let's try to make a very minimal howto for setting up LVS.

Step 1: Install and configure a few settings.

Configure the director/loadbalancer to have two NIC's. One side on a routable network, the other side connected to the machine running the services, called realservers.

If you want your realservers to be able to use the internet, execute these lines on the director. Replace YOURREALSERVERLAN for the network address of the network where the real servers are located, for example. 192.168.1.0

Step 2: Tell IPVS how to configure itself for HTTP.

Fill in the blanks for PUBLICIP and REALSERVERIP. If you would like to add more servers to this virtual server, just repeast the last line a few times, changing the REALSERVERIP every time.

Step 3: Test it.

From a machine other then the redirector and/or the realserver, visit the ipaddress of your virtual ip.

N.B. I have spent quite some time trying to access the loadbalancer from the loadbalancer; this does not work.

Installing and using the monitoring tool Zabbix on OpenBSD is quite simple. Take just these steps to get started.

Step 1: Install a few packages.

Use pkg_add to add these packages: (Versions could change over time.)

Follow all hints the package manager tells you.

Step 2: Configure some items.

Make sure the apache daemons is started at boot time. (/etc/rc.conf.local)

Modify PHP to allow longer execution times and set the timezone:

Step 3: Compile and install Zabbix.

Get the latest release of Zabbix, untar it and use these options to configure it:

Use "make install" to install all items. The binaries will be placed in /usr/local.

Import database schemes as described in the Zabbix documentation, chapter 2.4.3: "Zabbix Server"

Create /etc/zabbix/zabbix_agentd.conf and /etc/zabbix/zabbix_server.conf by copying them from the untarred zabbix release:

Set DBName DBUser and DBPassword in /etc/zabbix/zabbix_server.conf.

Step 4: Automatically start Zabbix items.

Step 5: Install the webfrontend.

You are practically done, now copy the php files and visit your zabbix installation:

That's it, not extremely difficult!

If your are using the Terminal application of your Apple computer running Mac OS X, try bash programmable completion. It allow you to use the TAB key more often, for example in scp: (If you are using ssh-keys.)

The steps to start using this great utility are these:

1. Download the bash programmable completion .tar.gz file.
2. In a Terminal on your Apple, untar it. (tar -xvf bash-completion-20060301.tar
3. Copy the bash_completion shell-script to /etc (sudo cp bash_completion/bash_completion /etc)
4. Add the bash complation to your login script. (echo ". /etc/bash_completion" >> ~/.profile)
5. Start a new terminal and see the result!

For everybody how has worked with Nagios; it logs (/var/log/nagios.log) the date in a timestamp! Quite annoying so here is how to convert it to a normal date format:

Apple iPhone OS 3.0 does not have crontab anymore. You are supposed to use launchd's facilities to execute something at a scheduled interval. Here is an example of a simple script to update the IP-address at DynDNS.org.

The script /var/mobile/update-dyndns.org contains:

The file /var/LaunchDaemons/org.dyndns.update.plist contains:

And execute:

Now your IP will be update every 3-rd minute. Have fun!

Here is a step by step guide to help you get online with your iPhone using OS 3.0.

1. Go to this page: http://www.iphone-notes.de/mobileconfig/ It will send you an email. Download that email on you iPhone. It contains a profile to enable Tethering.
   
2. Now go to your iPhone preferences, under Network you can enable tethering, activate it
   
3. On your Mac Book Pro, go to the bluetooth preferences. Add your iPhone. I had to press "continue" on my Mac Book pro after accepting the pairing request on the iPhone. Waiting here resulted in an error.
   
4. On you Mac Book Pro, connect to your iPhone using bluetooth
   
5. Now on your Mac Book Pro, under Network Preferences, add a connection: "Bluetooth PAN".
   

You can now tether using your iPhone!

For tethering, an extra network interface is added, in my case "en5". To see what the IP-address of your connection is, open a Terminal and type:

In my case I see that I am using a private class (192.168.20.0/24) IP address. That means that T-Mobile in the Netherlands is NAT-ing my connection. Not a problem, but connecting back to my laptop is not possible from the internet.

Dates can be quite challenging. Especially if you systematically want to use dates, for example to compare what date is older.

If you would like to convert this date into epoch, take these steps.

On Mac OS X you'd have to use this command:

I use a Soekris device, bought mine for € 70,- with a wireless network interface. (wi0)
Besides that interface, this "machine" has two other ports; sis0 going to the modem and sis1 is not used, but any computer may be connected.

How difficult would it be to use this machine as a router using OpenBSD? Not difficult at all!

First install your Soekris with OpenBSD.

Now login and configure a few things.

Configure named, the DNS server.

Now add all zones.

And setup the DHCP server.

Finally configure your PF in /etc/pf.conf:

Now beter reboot to activate all changes. (Sure you could start every daemon by hand...)