admin

October 28, 2010, posted at 12:20 pm in documentation, Tutorial, vpn

These are the manual instructions for installing and configuring the OpenVPN client.

After having many problems over the years with the OpenVPN GUI breaking, I have devised a reliable workaround. Create the following batch script, name it something like ovpnConnect.bat, and right click it to “Run as Administrator”. This requires the OpenVPN GUI from openvpn.net to be installed, since the script calls its openvpn.exe. You can also add multiple VPN client connections!

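@echo off

rem "net session" only succeeds from an elevated prompt, so it serves as the admin check.
net session >nul 2>&1
if %errorLevel% == 0 (
    echo Success: Administrative permissions confirmed.
) else (
    echo Failure: Please right click and "Run as administrator"
    pause
    exit /b 1
)

rem Start openvpn.exe from the config directory so the cert/key paths in the .ovpn resolve.
cd /d "c:\Program Files\OpenVPN\config" && "c:\Program Files\OpenVPN\bin\openvpn.exe" [userconfig].ovpn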

Download OpenVPN GUI at http://openvpn.net/index.php/open-source/downloads.html#latest-stable

Run installer

Leave the components section as default.

Accept the TAP driver install

Right click on OpenVPN GUI and select properties

Go to Compatibility tab and select “run this program as administrator”
(It requires admin privileges because it needs to write routes for the new VPN tunnel. Without them, it will connect but won’t know how to reach the other network.)

Get your OpenVPN configuration files from the system administrator. Copy and paste them into C:\Program Files\OpenVPN\config


ca.crt (certificate authority)
jason.crt (client certificate)
jason.key (client secret key)
jason.ovpn (client configuration). Here are the contents of jason.ovpn:

client
dev tun0
cert jason.crt
key jason.key
ca ca.crt
remote vpn.server 1194

Now you can launch OpenVPN GUI by double clicking the icon on the desktop (the one we just set to run as admin). This will launch the OpenVPN GUI into the system tray.

Click on system tray, right click on OpenVPN GUI, left click “Connect”.

If all goes well, you will successfully connect. The OpenVPN GUI systray icon turns green. Now you are on the Virtual Private Network!

December 19, 2009, posted at 4:50 pm in documentation

Automatic email setup add-on: Gmail IMAP Account Setup. THUNDERBIRD VERSION 3 HAS NATIVE SUPPORT FOR GMAIL.

Manual email instructions: Set up Thunderbird according to Gmail’s IMAP instructions.

At the bottom of Gmail’s instructions you will see “recommended settings”. Don’t follow the first recommendation, regarding deleting. Instead of actually (permanently) deleting email, we can have it moved to the Trash folder, as if you were using the Gmail web interface. Gmail has a strange folder structure in IMAP. Here are a few steps to work with Gmail folders (of course, they call them labels :-) ).

Under Account settings -> Copies and Folders:
1. Un-check “place a copy in… sent”.
2. Change “drafts and templates” to Other -> [your gmail address] -> [Gmail] -> Drafts.
Note: Sent and Drafts will automatically show up in their respective folders, as long as you send mail through smtp.gmail.com.
3. Go to Options/Preferences (under the Tools or Edit menu). Go to Advanced -> Config Editor. In the Filter box, type “mail.server.server” and look for the Gmail address. Whichever number is in the X place of mail.server.serverX is what you want to use for the new value.
Right click, choose New -> String, and enter “mail.server.serverX.trash_folder_name” (X is the number that correlates to your Gmail account, from above). Next enter “[Gmail]/Trash”. Restart Thunderbird. Delete something; if it does not go into the [Gmail]/Trash folder, restart again. It should work after that. Now you can delete the Trash folder (represented as [Imap]/Trash in Gmail).

Contact syncing: A few options.
Zindus is a very popular and stable add-on. It’s great but does not support syncing the address field. (Enter your user/pass under Tools -> Zindus.)
gContactSync has support for the address field but is very early in development. If any contacts have an empty email field, it adds a @nowhere.invalid email address in Tbird. Thankfully this is not synced to your Gmail account!
Also, this looks promising but does not work with Tbird3 Google Contacts.
BACKUP CONTACTS BEFORE SYNCING!

Calendar Sharing: Use the add-on Lightning (aka Sunbird as a Tbird add-on). Lightning 1.0b1 does not integrate with the Thunderbird 3 toolbar layout very well. It messed up the “file”, “edit” and “view” menus. They aren’t really missed by anyone, though, and are sort of accessible if you really need them. Try it for yourself, it’s not too bad.
For native support, follow the Google Sunbird instructions for CalDAV (recommended).
There is also another plugin called Provider for Google Calendar that can be used.

October 10, 2009, posted at 2:43 pm in Content Control

Moonlight is a Free implementation of Microsoft Silverlight. It’s a Mono project, http://www.mono-project.com/Moonlight. I have read rumors that 2.0 will have support for Netflix. I went to install the 2.0 dev (currently 1.99.5). I logged into Netflix and was denied. I was confused because Moonlight’s dev website says that 1.99.5 is complete except for bug testing and a security audit. I did more reading and found that it’s not a limitation of Moonlight at all; it’s the DRM (Digital Restrictions Management) that Netflix licenses from Microsoft, called PlayReady. This is why we can’t watch Netflix with Moonlight. Another case where the end user suffers at the hands of DRM. The industry again is trying to control the user and hope no one cares. So what if people save the movie streams from Netflix? You can copy as many DVDs as you want when they show up in the mail! What happened to Fair Use? The move to hosted content is highly desirable to these industries. Now they can tell you what, how and when. Since it’s hosted on their servers, you can’t do a thing about it (other than not use it). Ugghh. I am disappointed…

October 7, 2009, posted at 7:14 pm in firewall, wireless

A while ago Second Street Brewery asked for a good, stable public wireless internet connection. Of course, the solution was obvious: OpenWrt! In this case on a Linksys WRT54GL. The office, point of sale and public networks all share the same gateway. The problem was segregating the public wireless network from the private office LAN. Sam (http://thepromisedlan.org) and I set out to set up a firewall to protect them. This is what we came up with:

         "secured office wifi"
                /
ISP <-fw-> office LAN 10.1.10.0/24 <-fw-> (linksys) "open public wifi" 
(clients on public wifi cannot reach 10.1.10.0/24 or any other private subnet)

Check whether the following is in /etc/config/firewall; if not, add it:

config include
option path /etc/firewall.user

and in /etc/firewall.user we put:

#Insert this into the chain, so 10.1.10.0/24 (office) can connect to public 192.168.10.0/24.
#This rule gets repeated by the setup script /etc/init.d/firewall.
iptables -I FORWARD 1 -m state --state RELATED,ESTABLISHED -j ACCEPT

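#block all traffic to any possible private network address (10.*.*.*, 172.16-31.*.*, 192.168.*.*)
#each rule is inserted at position 2, so the final order in the chain is 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16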
iptables -I FORWARD 2 -d 192.168.0.0/16 -j DROP
iptables -I FORWARD 2 -d 172.16.0.0/12 -j DROP
iptables -I FORWARD 2 -d 10.0.0.0/8 -j DROP
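
A check for the rule order described above, added here as an example and not part of the original post: it reads `iptables -S FORWARD` output and confirms that the RELATED,ESTABLISHED accept is first and that all three private ranges are dropped before any other rule is reached. The function name, the sample listings and the zone chain name are constructed for illustration, and it assumes an iptables build that supports `-S`.

```shell
# Added example, not from the original post. check_forward_isolation is a
# hypothetical helper that reads `iptables -S FORWARD` output on stdin.
# Exit status: 0 = all three private ranges dropped in time, 1 = another rule is
# reached before a range is dropped, 2 = RELATED,ESTABLISHED accept is not first.
check_forward_isolation() {
    awk '
    $1 != "-A" { next }                 # skip the "-P FORWARD ..." policy line
    {
        n++; target = ""; dst = ""; stateful = 0; narrowed = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "-j") target = $(i + 1)
            if ($i == "-d") dst = $(i + 1)
            if ($i == "-s" || $i == "-i") narrowed = 1
            if ($i == "--state" || $i == "--ctstate") stateful = 1
        }
        if (n == 1) {
            if (!(stateful && target == "ACCEPT")) { rc = 2; exit }
            next
        }
        if (target == "DROP") {
            # A DROP limited to one source or interface does not cover all clients.
            if (dst != "" && !narrowed) dropped[dst] = 1
            next
        }
        exit    # first ACCEPT or jump to another chain: the DROPs must precede it
    }
    END {
        if (rc == 2 || n == 0) exit 2
        if (("10.0.0.0/8" in dropped) && ("172.16.0.0/12" in dropped) && ("192.168.0.0/16" in dropped)) exit 0
        exit 1
    }'
}
# Constructed sample: FORWARD after /etc/firewall.user has run.
sample_good() {
    printf '%s\n' '-P FORWARD DROP' \
        '-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT' \
        '-A FORWARD -d 10.0.0.0/8 -j DROP' \
        '-A FORWARD -d 172.16.0.0/12 -j DROP' \
        '-A FORWARD -d 192.168.0.0/16 -j DROP' \
        '-A FORWARD -j zone_lan_forward'
}
# Constructed sample: a jump to another chain sits ahead of the 192.168.0.0/16 DROP.
sample_bad() {
    printf '%s\n' '-P FORWARD DROP' \
        '-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT' \
        '-A FORWARD -d 10.0.0.0/8 -j DROP' \
        '-A FORWARD -d 172.16.0.0/12 -j DROP' \
        '-A FORWARD -j zone_lan_forward' \
        '-A FORWARD -d 192.168.0.0/16 -j DROP'
}
```

On the router, `iptables -S FORWARD | check_forward_isolation; echo $?` should print 0 after the firewall has been restarted.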

If you would like remote administration on the OpenWrt router, so you can access the LuCI web interface and SSH from the WAN side, you can change the wan zone in /etc/config/firewall to allow it. !!WARNING!! If you are directly connected to the internet, this will expose your open ports to the world. You should take precautions to secure them before changing this firewall rule.

config 'zone'
  option 'name' 'wan'
  option 'input' 'REJECT' #

Or, if you just want to allow remote SSH access:

config rule
  option target 'ACCEPT'
  option src 'wan'
  option proto 'tcp'
  option dest_port '22'
  option name 'ssh'