#15 | More networking

Now that I turned my desktop into a wireless access point, it's time to play a bit with it. I wanted to do something like the Upside-Down-Ternet and gathered most relevant information to do so from g0tmi1k.

First the DHCP part. My AP is still unsecured, which means that we can play around with freeloaders. I want to make sure that my own laptop connection is steady, however. To accomplish that, I'll create two subnets, both running on the same interface. One of them will be the 'secure' network, the other one will be the funny one. The /etc/dhcp3/dhcpd.conf listed below does exactly this (10.0.0.0/24 being the 'secure' subnet, providing only one fixed IP-address (10.0.0.20) for one known host, 192.168.0.0 being the 'funny' one, providing IP-addresses in the range of 192.168.0.10-192.168.0.100).
default-lease-time 3600;
max-lease-time 86400;

log-facility local7;

shared-network local {
subnet 10.0.0.0 netmask 255.255.255.0 {
range 10.0.0.10 10.0.0.100;
option routers 10.0.0.1;
option subnet-mask 255.255.255.0;
option domain-name-servers x.x.x.x, x.x.x.x;
deny unknown-clients;

host D430 {
hardware ethernet xx:xx:xx:xx:xx:xx;
fixed-address 10.0.0.20;
}
}
subnet 192.168.0.0 netmask 255.255.255.0 {
range 192.168.0.10 192.168.0.100;
option routers 192.168.0.1;
option subnet-mask 255.255.255.0;
option domain-name-servers x.x.x.x, x.x.x.x;
allow unknown-clients;
}
}
For each subnet, DHCP will now search for an interface which has an IP-address on that subnet. Since we're using a single access point, build on wlan0, we'll need to assign two IP-address to this interface:
sudo ifconfig wlan0 10.0.0.1 netmask 255.255.255.0
sudo ifconfig wlan0:0 192.168.0.1 netmask 255.255.255.0
Note that the log-facility local7; line in the above dhcpd.conf forces syslog to use local7 as output log. If we edit /etc/rsyslog.conf and add the line local7.debug /var/log/dhcpd.log to it, then DHCP logs will be written to /var/log/dhcpd.log instead of the general syslog file. If you do this, make sure to restart the syslog daemon after updating its configuration: sudo service rsyslog restart.
We can now (re)start the DHCP server with sudo /etc/init.d/dhcp3 restart (or sudo /etc/init.d/isc-dhcp-server restart on newer Ubuntu releases)

After all above, clients should still be able to connect. Trusted clients, however, should be placed on the 'trusted' network, while unknown clients will be on the 'funny' subnet :)

Now that we can distinguish the two networks, it is time to play a bit. You could, for example, redirect all web traffic towards a single IP-address (xkcd.com) using IP-tables:
sudo iptables -t nat -A PREROUTING -s 192.168.0.0/255.255.255.0 -p tcp --dport 80 -j DNAT --to-destination 72.26.203.99

We'll be having more fun when we redirect everything through a squid proxy. Download and extract these scripts into (e.g.) /scripts and chmod them 755. Note that you probably have to update the $ourIP variable in those scripts (into 192.168.0.1 in this situation).
Then remove the just created iptables rule and install squid3, apache2 (yeah, we also need apache) and some more tools:
sudo iptables -t nat -D PREROUTING 1
sudo apt-get install squid3 apache2 imagemagick ghostscript jp2a
As shown on g0tmi1k, the things we need to change in /etc/squid3/squid.conf are the following:

• change "http_port 3128" into "http_port 3128 transparent"
  
• Add "acl localnet src 10.0.0.0/24" after the "#acl localnet src ..." lines
  
• Add "http_access allow localnet" near the "http_access" statements
  
• (at EOF) add "url_rewrite_program /scripts/blurImages.pl" (or any other script)
  

We are almost there:
sudo mkdir /var/www/tmp
sudo chown nobody:nogroup /var/www/tmp
sudo chmod 777 /var/www/tmp
sudo /etc/init.d/apache2 restart
sudo /etc/init.d/squid3 restart
sudo iptables -t nat -A PREROUTING -i wlan0 -p tcp --dport 80 -j REDIRECT --to-port 3128

#14 | Linux (Ubuntu) as Wireless Access Point

This used to be a lot harder, but thanks the work on Linux wireless drivers, turning your desktop PC into an Wireless Access Point is only a few clicks away. Check this out to learn more about the Linux wireless 'community' (?)
Setting up an access point involves some different steps:

1. Setup the access point
   
2. Enable a DHCP server
   
3. Enable IP forwarding and NAT on the host
   

I'm assuming an Ubuntu installation with a direct Internet connection via eth0 and a wireless device doing nothing on wlan0.

(pre)

We first need to be sure that the device actually supports being an AP at all. This was discussed before, but comes down to

1. Do a lspci -nn | grep -i wireless to find the ID (%4x:%4x) pair of your device.
   
2. Search cateee.net/lkddb/ for this particular ID. In my case the Google search query was "168c 0029" site:cateee.net/lkddb/. If there is a hit, this will allow you to learn which driver to use for your device. If there is no, the device is most probably unsupported.
   
3. Now, look up your driver on this list and see if it supports AP mode.

Now that we know that our device is supported, we can install the required packages: sudo apt-get install hostapd dhcp3-server

(Setting up the access point)

For this, we'll be using hostapd. A very simple first configuration is shown below.
interface=wlan0
driver=nl80211
ssid=test
hw_mode=g
channel=1
This should be enough to get things up and running. Save this configuration to /etc/hostapd/hostapd.conf and give it a try afterwards: sudo hostapd /etc/hostapd/hostapd.conf. You should be able to see your freshly created network now on other computers when searching for wireless networks in range. Since we have no DHCP server running yet, it will be a bit harder to connect to it.

(Enable the DHCP server)

Let's keep hostapd running in your terminal and setup the DHCP server. Something like the following should be sufficient for your /etc/dhcp3/dhcpd.conf:
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.111.255;
option routers 192.168.111.151;
option domain-name-servers {YOUR DNS1 HERE},{YOUR DNS2 HERE};

subnet 192.168.111.0 netmask 255.255.255.0 {
range 192.168.111.1 192.168.111.100;
}
Make sure to replace {YOUR DNSx HERE} with the appropriate IP addresses of your DNS servers.
Before starting the DHCP server, we need to set the wlan0 device to the correct IP address. I already assumed that this would be 192.168.111.151. So a simple sudo ifconfig wlan0 192.168.111.151 will do. We can now start the DHCP server: sudo /etc/init.d/dhcp3-server start.
It should now be possible to connect to the new AP and ping the host (192.168.111.151). Browsing the web won't work: the host is still dropping IP packets which have a different destination than its own IP address.

(Setup the routing programme)

To let clients browse the web, the host needs to forward IP packets that are destined to one of the clients instead of just dropping them (default reaction). For this, we first enable IP forwarding in the kernel: sudo sysctl net.ipv4.ip_forward=1, which is saying something to the kernel like "Forward all IP packets towards iptables (which we'll set next)".
I'm using three (copied) iptables rules to enable NAT.
iptables -A FORWARD -i $RECEIVE -o $BROADCAST -s 192.168.111.151/24 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A POSTROUTING -t nat -j MASQUERADE
As far as I can understand, the first rule says "Forward packets from the 192.168.111.151/24 subnet that are trying to setup a new connection" (wireless clients are allowed to setup connections). The second rule is short for "Forward packets that are part of an existing connection" (once a connection is setup, both wireless clients and server they are communicating with are allowed to send data). The last rule enables IP masquerading so that packets are actually routed the way the should be.

That's all for now, more fun about this later!

#13 | MINIX 3 voting machine implementation

I was assigned an Individual Programming Assignment concerning the implementation of a voting machine in MINIX 3. We never managed to get it working, but it was quite fun to find out how to implement CD-Write support.
I've uploaded the final document.

#12 | openvpn on ubuntu

This was also shown before, but to get things working 'in real life', I had to make some changes...

Indeed, you better start with installing OpenVPN:
sudo apt-get install openvpn

Then we need to create some server and client certificates. For this, we use tools provided by OpenVPN.
sudo mkdir /etc/openvpn/easy-rsa/
sudo cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
sudo chown -R $USER /etc/openvpn/easy-rsa/

If we want to do things nicely, we also modify /etc/openvpn/easy-rsa/vars for our own needs:
export KEY_COUNTRY="NL"
export KEY_PROVINCE="NH"
export KEY_CITY="Amsterdam"
export KEY_ORG="Vrije Universiteit"
export KEY_EMAIL="cs@vu.nl"

Now we can create the certificates:
cd /etc/openvpn/easy-rsa/
source vars
./clean-all
./build-dh
./pkitool --initca
./pkitool --server server
cd keys
openvpn --genkey --secret ta.key
sudo cp server.crt server.key ca.crt dh1024.pem ta.key /etc/openvpn/

cd /etc/openvpn/easy-rsa/
source vars
./pkitool client
Note that these last steps that generate a certificate for a client normally should be repeated for each client again. By enabling the duplicate-cn option in server.conf, however, we ignore this restriction.

Clients need the following files to connect. We place them in /etc/openvpn/client for now.
cd /etc/openvpn/
sudo mkdir client
cd easy-rsa/keys
sudo cp ca.crt client.crt client.key ta.key ../../client/

It is now time to setup the server and client configuration files. First consider server.conf. You might want to use one of the sample-config-files and edit this.
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
sudo gzip -d /etc/openvpn/server.conf.gz

The server.conf that I am using looks a bit like this.
# No need for setting local.
# Let OpenVPN listen on every IP.
;local a.b.c.d
# These are default. Be sure to forward
# UDP port 1194 if you're behind a NAT.
port 1194
proto udp

# We set up a routed IP tunnel instead
# of a bridged ethernet tunnel. For
# differences, checkout this and
# that.
dev tun

# These are our certificates
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
tls-auth ta.key 0

# OpenVPN server will take 192.168.0.1.
# Everything else will be for the
# clients. Be sure that this is network
# is not used on your LAN already.
server 192.168.0.0 255.255.255.0

ifconfig-pool-persist ipp.txt

# Push these routes to the client so
# that it can reach other private subnets
push "route 10.40.40.1 255.255.255.255"
push "route 10.40.40.17 255.255.255.255"
push "route 10.42.42.0 255.255.255.0"

# We generated only one client certificate,
# which multiple clients will use. Note
# that this is only allowed in testing
# environments :)
duplicate-cn

keepalive 10 120
comp-lzo

# More secure
user nobody
group nogroup

persist-key
persist-tun

# Log settings
verb 3
status status.log
log openvpn.log
log-append openvpn.log

This should be enough to start the server:
sudo /etc/init.d/openvpn restart

Our last configuration will be client.conf:
# This is the client configuration
client

# This should be similar to server.conf
dev tun
proto udp
# Replace with the IP address
# of your OpenVPN server.
remote 1.1.1.1 1194

# Keep trying idefinitely to resolve the host.
# Useful on laptops.
resolv-retry infinite

nobind

# More security
user nobody
group nogroup

persist-key
persist-tun

# Silence duplicate packet warnings
mute-replay-warnings

# Our certificates
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1

ns-cert-type server

comp-lzo

# Log settings
verb 3
log rc-logs/red-cross.log
log-append rc-logs/red-cross.log
mute 20

Now move above client.conf to /etc/openvpn/client/
sudo mv client.conf ./client/

To let clients connect to your OpenVPN server, simply let them copy the contents of your /etc/openvpn/client/ directory into their /etc/openvpn/ directory, followed by restarting OpenVPN via sudo /etc/init.d/openvpn restart and they should be good to go.

Note that server.key, ta.key and client.key are secret files. Do not send them over in plain text.

In my situation, my OpenVPN server also acted as an OpenVPN client, connecting through the 10.42.42.0/24 tunnel. I wanted to give others access to this tunnel as well, for which I needed to set up a OpenVPN server. In order to forward packets coming from the one tunnel through the other tunnel, I had to hit the following commands as well:
sudo sysctl net.ipv4.ip_forward=1
sudo iptables -t nat -A POSTROUTING -o tun1 -j MASQUERADE
Where tun1 is the tunnel that connects to the other OpenVPN environment.

#11 | screen, tor, irssi, freenode.org & ubuntu

This is not new. Setting this up was done before, but I still like to have it here so that I can read it again when needed.
I assume that nick is already registered on freenode.

sudo apt-get install tor irssi screen
sudo apt-get install libcrypt-dh-perl libcrypt-blowfish-perl libcrypt-openssl-bignum-perl

echo "mapaddress 10.99.99.99 p4fsi4ockecnea7l.onion" | sudo tee -a /etc/tor/torrc

mkdir ~/.irssi/scripts
mkdir ~/.irssi/scripts/autorun
cd ~/.irssi/scripts
wget http://freenode.net/sasl/cap_sasl.pl

cd ~/.irssi/autorun
ln -s ../cap_sasl.pl

Now, append
{
address = "10.99.99.99";
chatnet = "freenode";
port = "6667";
}
to the servers section in ~/.irssi/config

Now, simply run
screen torify irssi

And type
/sasl set freenode nick pass DH-BLOWFISH
/sasl save
/save

/server freenode

Hit CTRL-A D to detach the screen. Close your ssh session and play outside. Whenever you come back: type screen -r to reattach the screen.