Securing WiFi with OpenVPN

Posted by alex on December 11, 2002

Ever since I set up my wireless LAN at home, I’ve been looking into how to make it more secure. Because WEP is not really secure (its key can be recovered from passively captured traffic), I was looking into setting up a VPN. But all the solutions I found (FreeS/WAN, CIPE) were way too complicated for the simple act of creating a secure tunnel between my desktop machine and my laptop.
Enter OpenVPN, a really quick VPN solution. (Don’t worry, it can also be made much more complicated.)

So, let’s cut straight to how I set things up:

The OpenVPN tarball contains a spec file, so you can build an RPM with a simple rpm -ta openvpn-VERSION.tar.gz. The spec file links OpenVPN against the LZO compression library, though, so LZO has to be installed first; a query on RPMfind turns up a prepackaged LZO RPM for Red Hat, which works.

After installing OpenVPN, we need to generate a secret key. The command for that is openvpn --genkey --secret static.key, which creates a file called static.key. This gets copied into the /etc/openvpn directory on both the laptop and the desktop. Treat that file like a password: copy it with scp rather than in the clear over the very WLAN you are trying to protect, make it readable only by root (chmod 600), and keep in mind that static-key mode does no key exchange, so anyone who obtains the key can decrypt captured traffic, past and future.

The next step is to write the configuration files. First, the configuration for the laptop (laptop.conf):

#
# Sample OpenVPN configuration file for
# using a pre-shared static key.
#
# '#' or ';' may be used to delimit comments.

# Use a dynamic tun device.
dev tun

# Our remote peer
remote 192.168.1.1

# 10.4.0.1 is our local VPN endpoint
# 10.4.0.2 is our remote VPN endpoint
ifconfig 10.4.0.2 10.4.0.1

up /etc/openvpn/laptop.up
# Our pre-shared static key
secret /etc/openvpn/static.key

The important line is up /etc/openvpn/laptop.up: it tells OpenVPN to call this script after the tunnel has been established. OpenVPN passes the script a whole list of parameters (tun device, MTUs, local and remote tunnel addresses); check the manpage for details.
We need just one of them, the tun device, which is $1, so laptop.up looks like this:

#!/bin/sh
# Called by OpenVPN once the tunnel is up; $1 is the tun device it created.
# Point the default route at it, so everything not destined for the local LAN goes through the tunnel.
route add default $1

Don’t forget to chmod 755 it.

The desktop configuration looks almost the same, with the tunnel IPs swapped, a fixed tun device (tun1) and no up script:

#
# Sample OpenVPN configuration file for
# using a pre-shared static key.
#
# '#' or ';' may be used to delimit comments.

# Use a dynamic tun device.
dev tun1

# Our remote peer
remote 192.168.1.131

# 10.4.0.1 is our local VPN endpoint
# 10.4.0.2 is our remote VPN endpoint
ifconfig 10.4.0.1 10.4.0.2

# Our pre-shared static key
secret /etc/openvpn/static.key

So, what does all this do?

It creates an encrypted tunnel between 192.168.1.1 (desktop) and 192.168.1.131 (laptop), using the IPs 10.4.0.1 (desktop) and 10.4.0.2 (laptop). Then on the laptop, it adds a default route to the tunnel device, so all external connections go through the encrypted link. Two things to check before relying on that: if the WLAN already handed the laptop a default route, route add default fails with "SIOCADDRT: File exists" and the old, unencrypted route stays in place, so delete it first; and the desktop only passes the laptop’s traffic on if IP forwarding is enabled there and the 10.4.0.2 source address is masqueraded (or otherwise routed) towards the Internet. Anything that does not take the tunnel, for instance packets to other hosts on 192.168.1.0/24, still crosses the air with only WEP on it.
Since this is the first time I did this, there might be some kinks in it, so if anybody finds some faults or improvements, please let me know, so I can incorporate them.
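A hardened version of laptop.up, added here as an example; it is not the script from the original post. It keeps the one-line route change but makes it survive an existing default route, and it adds iptables rules so the WLAN interface carries nothing except the OpenVPN UDP exchange with the desktop. The interface name eth1, the UDP port 5000 (the OpenVPN 1.x default) and the use of iptables are assumptions, since the page states none of them; adjust the three variables at the top. With DRY_RUN=1 it prints the commands it would run instead of running them.

```sh
#!/bin/sh
# Hardened laptop.up: an added example, not the script from the original post.
# OpenVPN invokes it as  laptop.up TUN_DEV TUN_MTU LINK_MTU LOCAL_IP REMOTE_IP [init|restart]
# and, like the original, only $1 (the tun device) is used.
#
# Compared with the one-line original it
#   1. replaces an existing default route instead of failing with
#      "SIOCADDRT: File exists" when the WLAN already supplied one;
#   2. fences the WLAN interface with iptables so nothing but the OpenVPN
#      UDP exchange with the desktop crosses it unencrypted.
#
# Assumed, because the page does not say: the WLAN interface is eth1,
# OpenVPN uses UDP port 5000 (the 1.x default) and iptables is available.
WLAN_IF=${WLAN_IF:-eth1}
PEER=${PEER:-192.168.1.1}         # desktop's WLAN address (from the post)
OVPN_PORT=${OVPN_PORT:-5000}

# Print the routing commands for tun device $1, one per line.
# No host route for the peer is needed: 192.168.1.0/24 is on-link on the WLAN.
route_plan() {
    tun=$1
    echo "route del default >/dev/null 2>&1 || true"
    echo "route add default dev $tun"
}

# Print iptables commands for WLAN interface $1, peer $2, UDP port $3.
# Dedicated chains leave the rest of the ruleset alone and make the
# script safe to rerun when OpenVPN restarts the tunnel.
firewall_plan() {
    wif=$1; peer=$2; port=$3
    for chain in WLAN_IN WLAN_OUT; do
        echo "iptables -N $chain 2>/dev/null || true"
        echo "iptables -F $chain"
    done
    echo "iptables -A WLAN_IN  -p udp -s $peer --dport $port -j ACCEPT"
    echo "iptables -A WLAN_IN  -j DROP"
    echo "iptables -A WLAN_OUT -p udp -d $peer --dport $port -j ACCEPT"
    echo "iptables -A WLAN_OUT -j DROP"
    # Hook the chains in, removing a stale hook first so it never doubles up.
    echo "iptables -D INPUT  -i $wif -j WLAN_IN  2>/dev/null || true"
    echo "iptables -I INPUT  -i $wif -j WLAN_IN"
    echo "iptables -D OUTPUT -o $wif -j WLAN_OUT 2>/dev/null || true"
    echo "iptables -I OUTPUT -o $wif -j WLAN_OUT"
}

# DRY_RUN=1 prints the plan for review; otherwise run it, stopping at the first error.
apply_plan() {
    if [ "${DRY_RUN:-0}" = 1 ]; then cat; else sh -e; fi
}

# Only act when OpenVPN invoked us with a tun device as $1.
case "${1:-}" in
    tun*) { route_plan "$1"; firewall_plan "$WLAN_IF" "$PEER" "$OVPN_PORT"; } | apply_plan ;;
esac
```

Review the plan first with DRY_RUN=1 /etc/openvpn/laptop.up tun0. Note that the OUTPUT fence also blocks cleartext connections to other hosts on 192.168.1.0/24, which is the point; if the laptop gets its WLAN address from DHCP, add an ACCEPT for UDP ports 67 and 68 to both chains before the DROP, or renewals will fail.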

Quicktime on Linux

Posted by alex on December 08, 2002

Over at Mplayer HQ, there’s a new HOWTO on watching Sorenson-encoded QuickTime movies on Linux without having to use Wine.
I tried it out by downloading all the required files, and it works really well; I was able to watch all those trailer downloads I had lying around on my Windows partition.
So except for some games (Total Annihilation, Ascendancy, Dark Reign), I can now do almost anything I need in Linux. Yay!

Case Closed

Posted by alex on November 19, 2002

Lately, I had trouble burning audio CDs. What was curious about it was that I had the same problems at home and at work, and I didn’t have them a while ago on either computer.
After some sleuthing, I found the solution, and here it is, in case anyone has the same problem: At work, I used to have an Adaptec SCSI card, which got put into our backup server, and as a replacement I put in a DawiControl 2974 card.
And at home, I used to have an Adaptec, too, which got exchanged for a Tekram DC390 card. And both the DawiControl and the Tekram card use the same driver (tmscsim). When I switched to an older driver for the card, the burning worked like a charm.
So, if you have a CD burner (in my case a HP 9200), and a SCSI card using the tmscsim driver, expect cdrdao to abort after 3 Megabytes with an error. Short term solution: Use the (old and unmaintained) AM53C974 driver, or get another SCSI card.

Wireless, baby

Posted by alex on October 31, 2002

My WLAN card came in the mail today, and since you can’t do much with just the card, I went into town after work to get an access point too.
I was hoping to pick up one from Netgear, but I couldn’t find any, so I settled for a LG one.
After some problems setting up the AP (they managed to print the wrong default password in the Quickstart manual), I am now surfing wireless with my notebook on my bed, and streaming my MP3s via NFS. I love this technology.
I can finally say goodbye to that ugly CAT5 cable in my living room.

Grokking TrackBack

Posted by alex on October 27, 2002

I think I finally understand the TrackBack system now.
I mean, I understood the basics, but after trying for about 30 minutes to have the TrackBack option appear in the MT Bookmarklet, I was surprised to find out, that if there’s only one TrackBack item, then it’s automatically pinged.
D’oh!

I might have to retract my previous statement

Posted by alex on October 27, 2002

After seeing Phil’s Red Hat 8.0 screenshot, I think I should spend some more time on frobnicating my Psyche installation at work.
And since I have now found out some new configuration tips for screen, I might be able to whip it into usable shape. Especially since I now have a 19″ monitor at work, running 1152*864. Schmooove!

Cutting loose

Posted by alex on October 27, 2002

Not to be left behind the technology curve, I decided to scrounge ebay for a “cheap” WLAN card. I mean, if they start selling this technology at the supermarket, it’s time to catch up, especially if you’re kinda geeky. :-)
And I did find one, an Enterasys RoamAbout. It’s an Orinoco Silver card, so it works with Linux. With only the card, I won’t be able to do much, but at least I can start war driving. Well, since I would have to use public transportation for that, I better rethink that….

Stupid weblogs.com

Posted by alex on October 06, 2002

Somehow, weblogs.com is unable to resolve my hostname (slackerbit.ch), so my blog doesn’t show up on their recently updated list.
Not that I am expecting huge amounts of visitors via weblogs.com, but I use it to check out interesting-sounding blogs (for example, I just had to check out a site called iwilldare, and lo and behold, it was a Mats fan), and maybe someone would find this bunch of text interesting.

A very brief review of RedHat 8.0

Posted by alex on October 05, 2002

I installed the new RedHat version 8.0 (codename Psyche) on my laptop today. The install is the smoothest I have seen so far, really slick.
But much more important than the install is the actual product. The default X11 desktop looks really great, mostly Gnome2 with OpenOffice and Mozilla. The icons look friendly and the menus are trimmed down to only show one app for each category.
That said, I didn’t like it.
First, I don’t really like Gnome2, maybe because of the AA fonts, which to me just look washed out.
And second, it’s now a very newbie-friendly desktop, and I would install it on my mother’s PC in a flash, but to me, it’s too friendly. I like my arcane setup with loads of Xterms all over the place.
I also noticed that gnome-terminal still fucks up screen sessions, that’s why I am now using rxvt on my desktop.
I know, I can configure all that, but frankly, instead of de-n00bieing 8.0, I’ll stick with my trusted 7.3 setup.

Welcome on the new server

Posted by alex on October 02, 2002

If you can read this, then you are already seeing the new server.
Congratulations.